virtumonde trojan is wiping me out

Discussion in 'Malware Help (A Specialist Will Reply)' started by kinglayus, Dec 28, 2007.

  1. kinglayus

    kinglayus Private E-2

    Hello everyone, I have been infected with this damn trojan. I have followed the malware removal guide. Attached is my HijackThis log.

    I have a bunch of temp files in my doc folder and on my C:\ drive as a result of this trojan. All the names of the temp files begin like so: POS1xxx.
    It has also placed a red X next to the C:\ when I view it under My Computer.

    Your help is greatly appreciated.

    By the way, I renamed the HijackThis log as suggested in a previous post.

     


  2. abri

    abri MajorGeek

    Hi kinglayus!
    Welcome to Major Geeks!

    By following the instructions in the READ & RUN ME FIRST you will be able to get some relief from the symptoms of this particular infection. Please attach the requested logs (Combofix, AVG-Antispyware 7.5 and the MGlogs.zip) when you finish so we can see what still has to be done to make sure your computer is clean.
    Thanks.
    abri
     
  3. kinglayus

    kinglayus Private E-2

    Thanks for responding, Abri. Sorry for not getting back sooner, but I work some crazy hours. I have followed all of your suggestions; attached are the logs you requested. As you will see, AVG has found infections. Anyway, I'm sure you can see it all in the logs. Here goes nothing.
     


  4. abri

    abri MajorGeek

    Hi kinglayus!

    A question. You have around 6500 .tmp files directly under C:\ with names of this structure: C:\pos1974.tmp

    Are these files you put in your computer? If these files belong to you, please move them into a directory. If they do not belong to you, can you find them in Windows Explorer and delete them directly from there? They are mainly directly under C:\, but they are also in My Documents. If you can't find them, just tell me.

    Now please do the following:

    1) I would like for you to begin by disabling Teatimer which should be turned off because it can block all of the fixes. Please disable Spybot's Teatimer as follows:


    Disable Spybot's TeaTimer. This is a two step process.
    First step:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident
    Second step, For Either Version :
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • Then, also in the left panel, click Resident (it shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.

    2) Go to add/remove programs and uninstall the below:

    - Java 2 Runtime Environment, SE v1.4.2_03
    - Java(TM) 6 Update 2
    - Java(TM) SE Runtime Environment 6 Update 1


    3) Reboot after uninstalling the above.

    4) Install the current version of Sun Java from: Sun Java Runtime Environment


    5) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - Global Startup: Digital Line Detect.lnk.disabled
    O4 - Global Startup: Filseclab Messenger.lnk.disabled
    O4 - Global Startup: Post-it® Software Notes Lite.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O20 - Winlogon Notify: pghwczgi - C:\WINDOWS\SYSTEM32\pghwczgi.dll

    Are you using McAfee for anything anymore? If not, please fix the below entry as well.

    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

    After you click fix, just close hijackthis.


    6) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Make sure you tell me how things are working now!

    7) Install the current version of Sun Java from: Sun Java Runtime Environment. It's important that your computer has rebooted between uninstalling the old Java at the beginning of these instructions and now. It should have rebooted with Avenger. If not, reboot it before installing the new version of Java.

    6) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.

    Let me know how things went.

    abri

     
  5. kinglayus

    kinglayus Private E-2

    hello again abri

    The 6500 temp files that you saw just appeared out of nowhere, along with these two fake icons on my desktop and a red X next to my C: when viewing it under Explorer. Prior to you mentioning it I was unable to delete them; this time I was able to delete the files without them reappearing. I uninstalled Java and reinstalled the current version from the link. I then ran Avenger. After doing so I kept receiving an error message saying that I was giving an invalid script. As a result I did not go forward with the rest of the instructions. I will wait for you to get back to me. I don't want to do anything that would take away from our progress.

    Here is the error log that was created by Avenger.

    Please let me know if I should move forward.

    Thanks
     


  6. abri

    abri MajorGeek

    Hi Kinglayus!

    1) There are another 500 or so of the same files in your My Documents folder as well. If you haven't deleted those and can, please do so as it will greatly reduce the size of the logs we are looking through.

    Since Avenger isn't working, we will try another tool. Please do the following:

    2) Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.


    3) Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.

    4) Now run Pocket Killbox by double-clicking on killbox.exe.
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINDOWS\uccspecb.sys
    C:\WINDOWS\system32\pghwczgi.dll
    C:\WINDOWS\system32\xlpqvdil.dll
    C:\WINDOWS\system32\agofnify.ini
    C:\WINDOWS\system32\ahfggcar.ini
    C:\WINDOWS\system32\ahqqiqfs.ini
    C:\WINDOWS\system32\dtjgamop.ini
    C:\WINDOWS\system32\gaoybqbq.ini
    C:\WINDOWS\system32\jwglngma.ini
    C:\WINDOWS\system32\kvucgtih.ini
    C:\WINDOWS\system32\liuxccmo.ini
    C:\WINDOWS\system32\lqnxbble.ini
    C:\WINDOWS\system32\mqatwoed.ini
    C:\WINDOWS\system32\nphgrnlk.ini
    C:\WINDOWS\system32\oaqtsxsf.ini
    C:\WINDOWS\system32\olutchsy.ini
    C:\WINDOWS\system32\qppycyil.ini
    C:\WINDOWS\system32\tqmxmwhg.ini
    C:\WINDOWS\system32\xejsrsor.ini
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates
    That log is under C:\

    abri
     
  7. kinglayus

    kinglayus Private E-2

    Hello Abri ,

    I tried to search for those tmp files but didn't find any; I even searched for them.

    Followed your instructions to a "T"; here are the logs. By the way, that red "X" is still next to the C: instead of the icon of a hard drive.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {0766725f-9bf4-4acc-a45b-b199b7298dd2} - (no file)
    O2 - BHO: (no name) - {146770FB-FAA1-4041-AC76-E7937D65C584} - (no file)
    O2 - BHO: (no name) - {5696334c-b4cc-4add-91f7-baa59d036ecf} - (no file)
    O2 - BHO: (no name) - {88587D98-5DC6-46D4-BE4D-267274E4AA37} - (no file)
    O2 - BHO: (no name) - {9B735B2B-362A-4FCE-920E-CB11B6BD640A} - (no file)
    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)
    O2 - BHO: (no name) - {C6C4E577-0736-4F3F-A0F1-EC18547DB6D1} - (no file)
    O2 - BHO: (no name) - {DEAA1745-FDA5-493B-BE4E-B5E5FB94E28F} - (no file)
    O2 - BHO: (no name) - {F5169FD6-EDAF-4163-B731-5C1E523482FC} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
    O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -

    After clicking Fix, exit HJT.


    Now print the below instructions because at a point during them you MUST (this can be critical) shut down all browsers. I will tell you when to exit the browsers during the multi-part procedure.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have the below icons on your Desktop:
    CFScript.jpg
    • Now refer to the above image and use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    Now run Ccleaner!


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from ComboFix.

    Make sure you tell me how things are working now!
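    The entries chaslang lists here, and the ones abri listed in the earlier HijackThis step, share a few recognisable shapes: a registration with no backing file, a Winlogon Notify DLL with a random eight-letter name, a disabled startup link, and a stale Java plug-in registration. As an added example that is not from this thread or from the HijackThis project, the Python below applies those heuristics to constructed sample lines; the sample log, the rule set and the eight-letter test are my own assumptions, and the name test is a heuristic that can misfire on legitimate DLLs.

```python
import re

# Constructed sample of HijackThis-style lines, modelled on the entry types the
# helpers in this thread told the poster to fix (not an actual log from the thread).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0766725f-9bf4-4acc-a45b-b199b7298dd2} - (no file)
O2 - BHO: IexploreOmea - {09628AAA-66AD-4FA2-82E2-698185B66463} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - Global Startup: Digital Line Detect.lnk.disabled
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O20 - Winlogon Notify: pghwczgi - C:\WINDOWS\SYSTEM32\pghwczgi.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")
# Heuristic only (an assumption of this example): the Vundo-style names in this
# thread are eight random lowercase letters (pghwczgi, xlpqvdil). Legitimate DLLs
# can match too, so every hit still needs a human look before it is fixed.
RANDOM_NAME = re.compile(r"^[a-z]{8}$")


def triage(log_text):
    """Return (section, reason, line) for each entry a helper would mark for Fix."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()
        if body.endswith("(no file)"):
            # Orphaned BHO/toolbar registration: the CLSID points at nothing on disk.
            findings.append((section, "orphaned entry, no backing file", line))
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            # Winlogon Notify DLLs load before the shell; a random name is a red flag.
            name = body.split(":", 1)[1].split(" - ", 1)[0].strip()
            if RANDOM_NAME.match(name) and "system32" in body.lower():
                findings.append((section, "random-named Winlogon Notify DLL", line))
        elif section == "O4" and body.endswith(".lnk.disabled"):
            findings.append((section, "stale disabled startup link", line))
        elif section == "O16" and "Java Plug-in 1.5" in body:
            # Old JRE plug-in registrations left behind after the Java uninstall.
            findings.append((section, "outdated Java plug-in registration", line))
    return findings


def fix_lines(log_text):
    """The exact lines to tick in HijackThis before clicking Fix checked."""
    return [line for _, _, line in triage(log_text)]


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section:>4}  {reason:<36}  {line}")
```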
     
  9. kinglayus

    kinglayus Private E-2

    Hello Abri,

    As far as any changes are concerned, upon reboot I noticed that my Quick Launch toolbar disappeared, as well as my URL toolbar on the start bar. I have also noticed that the red X icon is still next to the C:\.

    Here are the logs.
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.

    Now print the below instructions because at a point during them you MUST (this can be critical) shut down all browsers. I will tell you when to exit the browsers during the multi-part procedure.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • Now just like last time, use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    Now run Ccleaner!


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from ComboFix.

    Make sure you tell me how things are working now!
     
  11. kinglayus

    kinglayus Private E-2

    Things seem to be working great. Both Spybot S&D and Ad-Aware have not found anything. A virus scan with AVG has found no infections. My HD icon is back to normal. No more popups; everything seems great.

    Abri, thanks for your help; this has been a great learning experience for me. I think we are done. Please let me know if my logs say otherwise.

    thanks
    Ricky
     


  12. abri

    abri MajorGeek

    Hi KingLayus,

    One of the files is still there. I would like for you to try Avenger again and see if you still get the same error message. Rather than running Avenger as it is, I would like for you to reinstall it. If you get a warning that you will overwrite the existing one, allow it to install over the old one (assuming the old one is in the correct location). I will post the instructions for you again here:

    Download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    If it runs this time, please run CCleaner again and then post a fresh MGlogs.zip for us to verify. If it doesn't run, please post the error message from Avenger again.

    Thanks.
    abri
     
  13. kinglayus

    kinglayus Private E-2

    I did not get any errors this time.
     


  14. abri

    abri MajorGeek

    Hi Kinglayus!
    Your logs look good! I have one last question about one of your HijackThis entries. Did you install and want this? The company is JetBrains. If you put it in, it's fine.

    O2 - BHO: IexploreOmea - {09628AAA-66AD-4FA2-82E2-698185B66463} - C:\Program Files\JetBrains\Omea Reader\IexploreOmeaW.dll

    If you're not having any further malware symptoms please do the following which will include removing our tools and logs and setting a clean restore point:


    abri
     
  15. kinglayus

    kinglayus Private E-2

    OK Done!!

    Thank you so much for all of your help. I thought I would never get this thing out. It feels good to have my PC back.

    Thanks Abri
    Thanks Major Geeks

    Have a great New Year
     
  16. abri

    abri MajorGeek

    You're welcome Kinglayus!
    Have a good year yourself and Happy Surfing!
     
