Virtumonde, Smitfraud-C Partially Removed

Discussion in 'Malware Help (A Specialist Will Reply)' started by Tom K, Dec 26, 2008.

  1. Tom K

    Tom K Private First Class

    Hello.
    I hope all of you at MajorGeeks enjoyed the holidays :)

    You have helped me greatly in the past. For nearly two years, I have had no significant malware or spyware issues! Unfortunately, I encountered an apparent Virtumonde and Smitfraud-C infection earlier tonight. It occurred while I was in the process of downloading a single song; however, I am pretty sure the actual file I downloaded was not the problem, but rather the site itself, which uses a format similar to YouTube and is a multimedia search site.

    I followed the instructions in the READ & RUN ME, and then followed the Windows XP Cleaning Procedure almost entirely. I'll briefly describe my results:

    SUPERAntiSpyware - Scanned full system; it found many infections, could not delete any, and I got a blue-screen fatal stop error.

    SpyBot - Search & Destroy - Scanned full system, it found many Virtumonde and Smitfraud-C infections, apparently deleted them, but I do not think it was effective.

    Malwarebytes Anti-Malware - Quick system scan, found many Virtumonde and Smitfraud-C infections, deleted them. I think this is a very effective scanner.

    combofix.exe - I did not run this. I read the instructions at the link provided, but - to me - they were very complicated, and I felt very uncomfortable attempting this.

    MGtools.exe - Ran this tool, zip logs attached.

    It appears most of the infection has been removed, but I think some remnants remain. I am not getting the silent pop-ups that I was getting immediately after the infection, Windows is now shutting down normally without a message saying that explorer.exe is not responding, and the computer seems to be running normally now. However, the clock at the lower right-hand corner of the screen is awkward in that it usually displays the time as "3:50AM", but now it is displaying it as "03:50", so I suspect a problem still exists.

    Please review these logs and provide any assistance you can. Thank you very much.
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The scans took care of most of it; however, part of your problem is that you are still running AVG 7.5. This program is no longer supported, so I would suggest that you uninstall it and find another anti-virus program.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file and tell me how things are running.
     
  3. Tom K

    Tom K Private First Class

    Hey Tim,
    I ran into a few issues as I was attempting to perform the registry repairs, so I will wait for your reply before re-attempting to do so.

    First, I disabled all anti-virus and anti-spyware programs. I have several anti-spyware programs now installed, so I opened each one to see if it was running so I could temporarily disable it. When I went to open Malwarebytes Anti-Malware, a very strange small message window opened up that said that it could not configure iTunes and was looking in the downloaded history files for a missing dll or something. I do not have this installed (and have no intention of ever doing so again), but did have QuickTime a few years ago, and several months ago I thoroughly removed every trace of the iTunes/QuickTime tentacles that I could find. If there are any that remain, I want to eliminate them once and for all. Now when I open Malwarebytes Anti-Malware, it opens without incident and the message does not pop up.

    Second, I ran C:\MGtools\analyse.exe and did not find any of the three entries you said to fix. I did find some entries that I am concerned about and would appreciate if you could tell me if they are legit or not, and if they can be removed:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    I do not have any toolbars (Unless the Screenshot program is considered such, but I doubt it) installed on my browsers.

    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - h**p://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
    I uninstalled all McAfee applications several months ago.

    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    I also want to add that halfway through the SpyBot - Search & Destroy scan performed earlier, as it was looking for Virtumonde infections, it stopped and a window came up that suggested stopping the scan and restarting the computer. There were also two buttons, one to stop and one to continue, at the bottom of that window. As I saw no way to continue without using the buttons, I chose to continue, and the scan did so. Was this, most likely, prompted by the spyware to defend against its removal?

    I will wait for your reply before attempting any repairs. The computer continues to run normally, with the only exception I see being the clock formatted with a 24hr. reading instead of the usual AM/PM display. However, I want to eliminate all possible remnants of this problem. All anti-virus and anti-spyware programs are currently re-enabled.

    Thank you again.
     
    Last edited: Dec 30, 2008
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please apply the reg. patch and then delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip. Go back to the Read and Run First instructions and re-download the latest version of MGTools.exe. Attach the new C:\MGLogs.zip.
     
  5. Tom K

    Tom K Private First Class

    Tim,

    Registry Patch has been applied. Clock remains in 24hr. mode with a single Windows tone sounding at Hr:00. New C:\MGLogs.zip log attached.
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your clock should revert to normal mode when we do our final clean up and remove ComboFix. If it does not, just go to Control Panel / Regional and Language / Customize / Time and set it to the format you want.

    Now, again you are running an outdated anti-virus and should uninstall it and choose another from HERE.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    And my last suggestion is that you download SP3.

    Tell me if the above reg patch was successful and any malware issues you may still have.
     
  7. Tom K

    Tom K Private First Class

    Hey Tim,

    Registry Patch has been applied. Clock remains in 24hr. mode with a single Windows tone sounding at Hr:00. Otherwise, the computer is running normally. No other unusual performance issues.

    Regarding the anti-virus protection, I am considering either AntiVir or AVG 8.0 Free. Do you know which one, or if both of them, offer automatic updates and real-time protection? I checked each program's description page, but they didn't completely answer the question.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Frankly, I would go with either AntiVir or Avast; AVG 8 is a bit of a resource hog.

    Did you follow my instructions for resetting the clock?

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START, then RUN, enter the below into the run box and then click OK. Note that the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work thru the below link:

     
  9. Tom K

    Tom K Private First Class

    Tim,

    I uninstalled ComboFix, and restarted the computer. That did not restore the time display.

    I then followed your instructions for resetting the clock. Again, I restarted the computer. While it now appears normal, the Windows XP Critical Stop tone is still sounding on the top of the hour (ex.: 9:00 PM). This is not normal.

    I will wait for your reply before flushing and re-enabling System Restore.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Control Panel / Sounds and Audio Devices / Sounds / uncheck the box under Program Events.
     
  11. Tom K

    Tom K Private First Class

    I don't see any "box under program events", only one main box. I also don't want to disable ALL windows sounds, just the Windows XP Critical Stop tone sounding on the top of the hour.

    Another problem I just noticed: when I check files and folders, it no longer displays the time in hh:mm:ss like it used to. It displays it as hh:mm.
    Essentially, I want the times on this computer to be as they were before the infection, which is hh:mm tt on the taskbar and hh:mm:ss on files/folders. I screwed up trying to download that file from the site a week ago that started all this, but I want to get rid of the entire Virtumonde/Smitfraud-C infection.
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Then I would suggest that you post in the software section where others can assist you with those issues; this is not malware related and unfortunately we are swamped with malware and need to address those issues. :(
     
  13. Tom K

    Tom K Private First Class

    Tim,

    Since my last post, I looked into the files and folders issue and have apparently fixed it.

    Before I post this issue in the Software section, there is one other thing I have to mention. Ever since this infection occurred, under "Windows Task Manager" in "running processes" there is an entry that has been in the top five, usually the first, called "rundll32.exe" in SYSTEM with a Mem Usage of 1208 K. Is this entry normal (not malware), and if it is, should it be the top process running?

    I understand the plethora of insidious malware issues you all deal with here everyday. Thanks again for your assistance.
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Rundll32.exe is a valid system file which executes a DLL. The actual command may be Rundll32.exe filename.xxx, <function>, whereas Task Manager reports only the command name and not its parameter.

    You can check what it is referencing by:
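    TimW's own steps for checking the parameter are not reproduced on the page. As an added example (not from the thread or from MajorGeeks), the PowerShell script below uses WMI to show, for each running rundll32.exe, the full command line that Task Manager hides, the parent process that launched it, and where the loaded DLL lives on disk. It assumes Windows PowerShell is installed on the machine (it is not present on XP by default) and that the DLL path follows the usual rundll32 "path,EntryPoint" shape.

```powershell
# Added example, not from the thread: show what each running rundll32.exe is loading.
# Task Manager lists only the image name; WMI exposes the full command line and parent.
# Assumes Windows PowerShell (any version) with WMI available on the affected machine.

function Get-RunDll32Usage {
    $procs = @(Get-WmiObject -Class Win32_Process -Filter "Name = 'rundll32.exe'")
    if ($procs.Count -eq 0) {
        Write-Host "No rundll32.exe is running right now; re-run when it appears (e.g. on the hour)."
        return
    }
    foreach ($p in $procs) {
        $parent = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $parentName = if ($parent) { $parent.Name } else { "<exited>" }
        Write-Host ("PID {0}  started by {1} (PID {2})" -f $p.ProcessId, $parentName, $p.ParentProcessId)
        Write-Host ("  CommandLine: {0}" -f $p.CommandLine)

        # Usual shape: rundll32.exe "C:\path\some.dll",EntryPoint [args]
        # Capture the DLL path (quoted or not) up to the comma before the entry point.
        if ($p.CommandLine -match 'rundll32(?:\.exe)?"?\s+"?([^",]+)') {
            $dll = $Matches[1].Trim()
        } else {
            Write-Host "  Could not parse a DLL path from the command line; inspect it by hand."
            continue
        }
        if (-not [System.IO.Path]::IsPathRooted($dll)) {
            # A bare file name is resolved through the search path, so the DLL could come
            # from any directory in PATH; find out exactly which file is being loaded.
            Write-Host ("  DLL given without a full path: {0} (check the PATH search order)" -f $dll)
            continue
        }
        if (-not (Test-Path -LiteralPath $dll)) {
            Write-Host ("  DLL not found on disk: {0}" -f $dll)
            continue
        }
        $item = Get-Item -LiteralPath $dll
        $sig  = Get-AuthenticodeSignature -FilePath $dll
        Write-Host ("  DLL: {0}  size {1} bytes  modified {2}" -f $item.FullName, $item.Length, $item.LastWriteTime)
        # On XP most Microsoft system DLLs are signed via catalog files, which this cmdlet does
        # not consult, so 'NotSigned' inside %SystemRoot% is expected. 'HashMismatch', or a DLL
        # living under a user profile or temp directory, is what deserves a closer look.
        Write-Host ("  Signature: {0}  signer: {1}" -f $sig.Status, $sig.SignerCertificate.Subject)
        $full = $item.FullName.ToLower()
        $inSystem   = $full.StartsWith($env:SystemRoot.ToLower())
        $inPrograms = $full.StartsWith($env:ProgramFiles.ToLower())
        if (-not ($inSystem -or $inPrograms)) {
            Write-Host "  NOTE: DLL is outside the Windows and Program Files directories; scan it and check its origin."
        }
    }
}

Get-RunDll32Usage
```

    Because the instance in this thread only appears briefly on the hour, run the script right after the tone sounds; the parent process name tells you whether it was started by the Task Scheduler service, a logon script, or something else.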

     
  15. Tom K

    Tom K Private First Class

    Tim,

    I followed your instructions for identifying the Rundll32 modules. Interestingly, when I first attempted this, no such process was identified and, sure enough, I checked running processes and it was not running. Shortly afterwards, I heard the Windows XP Critical Stop tone sounding on the top of the hour; I checked running processes again, and there it was. Apparently, Rundll32.exe is automatically starting. I re-attempted your instructions and got the following log. I reviewed it, but I am really not sure if everything listed is legit. I have attached the Rundll32.txt log. Please review it and let me know if there is anything you see in it that is unusual.

    Thank you so much, again.
     


  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    They are all legitimate items.
     
