virtumonde - unremovable, tried everything

Discussion in 'Malware Help (A Specialist Will Reply)' started by alexgg, Apr 21, 2008.

  1. alexgg

    alexgg Private E-2

    Hello,
    I've been infected with Virtumonde and tried every possible piece of software, and also tried to remove it manually. It only got worse. I have Symantec antivirus and firewall, but they don't see anything at all.

    I've used HijackThis, Ewido, Spybot, SpySweeper, Ad-Aware, Panda online scan, etc., etc. Spybot finds Virtumonde and says it's removed, but the browser hijack continues. VundoFix didn't find anything at all. I also tried to follow the instructions in other threads on this forum.
    I did identify one DLL and some registry keys, but these are unremovable. Winlogon is using them, even in Safe Mode.

    Someone - please, help!!!
     
  2. abri

    abri MajorGeek

    Hi alexgg,
    Welcome to Major Geeks!


    Virtumonde requires a set of tools and some manual removal to be gotten rid of. In order to help you, we need the logs which are produced by the scans in the READ & RUN ME FIRST. Please run through these procedures and attach the logs when you're done. If you've already done Spybot, you don't have to do it again, but be sure that Teatimer has been disabled. To do this, open Spybot and make sure the Mode (at the top) is set to advanced. Then look for the tools button on the left side towards the bottom and click on that. In the window that opens up, click on the Resident shield and you will see two items in the middle of the page. Be sure that Teatimer is unchecked.

    abri
     
  3. alexgg

    alexgg Private E-2

    Hi Abri,

    Thanks very much for helping me out.

    I am attaching here the Spybot report, the HijackThis log and the VundoFix log (it didn't find anything). Every time I reboot, there are more virus DLL files and registry entries.

    Thank you again,

    Alex
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to follow the instructions that Abri gave to you. None of the logs that you attached are what is required from the READ & RUN ME.
     
  5. alexgg

    alexgg Private E-2

    Sorry, I must have been following the wrong link. After following the instructions exactly as they are, in the same order, I think it's gone. I'll start a new thread if it returns.

    Thank you for your support, I really appreciate your help. God bless you,

    Alex
     
  6. abri

    abri MajorGeek

    Hi alexgg,

    I wanted to add to Chaslang's comment, that the tools you used will help to dampen the infection on your computer, but unless the remaining files are removed manually, it will just come back. Ultimately it will get files into all your programs and your computer will be unusable. If you would like us to help you we will as you've already put in a lot of the work that needs to be done anyway and it would be a shame to waste it.

    abri
     
  7. alexgg

    alexgg Private E-2

    Oh, it's not over yet? Then I'm attaching the logs here; I hope I got it right this time:

    1. SUPERAntiSpyware scan log
    2. Spybot check log
    3. MBAM log
    And in the next reply
    4. ComboFix log
    5. MGlogs.zip


    Many thanks,
    Alex
     


  8. alexgg

    alexgg Private E-2

    Remaining two logs
     


  9. abri

    abri MajorGeek

    Hi alexgg,

    1) What is in the following folders? (You can look in the folders, but do not open any files if you don't know what they are.)

    C:\Program Files\XlsToOra
    C:\Program Files\Quest Software


    2) Please upload the following file(s) to either
    Jotti or VirusTotal and let me know the scan results.

    C:\WINDOWS\system32\ibmgp.dll


    3) Open your Windows Live Messenger, go to Help -> Customer Experience Improvement Program and turn it off. That will stop you getting all those sqm files. For those which are already there, you can go to C:\ and just delete them.

    C:\
    sq13b8~1.sqm Apr 22 2008 244 "sqmnoopt10.sqm"
    sq2fa0~1.sqm Apr 21 2008 244 "sqmnoopt06.sqm"
    sq2fa4~1.sqm Apr 21 2008 244 "sqmnoopt07.sqm"
    sq2fa8~1.sqm Apr 21 2008 244 "sqmnoopt04.sqm"
    sq2fac~1.sqm Apr 21 2008 244 "sqmnoopt05.sqm"
    sq3fa8~1.sqm Apr 21 2008 244 "sqmnoopt08.sqm"
    sq3fac~1.sqm Apr 21 2008 244 "sqmnoopt09.sqm"
    sqa368~1.sqm Apr 22 2008 268 "sqmdata10.sqm"
    sqa37a~1.sqm Apr 21 2008 232 "sqmdata04.sqm"
    sqa38a~1.sqm Apr 21 2008 232 "sqmdata08.sqm"
    sqa77a~1.sqm Apr 21 2008 232 "sqmdata05.sqm"
    sqa78a~1.sqm Apr 21 2008 268 "sqmdata09.sqm"
    sqab7a~1.sqm Apr 21 2008 232 "sqmdata06.sqm"
    sqaf7a~1.sqm Apr 21 2008 232 "sqmdata07.sqm"
    sqmdat~1.sqm Mar 5 2008 268 "sqmdata00.sqm"
    sqmdat~2.sqm Apr 21 2008 268 "sqmdata01.sqm"
    sqmdat~3.sqm Apr 21 2008 232 "sqmdata02.sqm"
    sqmdat~4.sqm Apr 21 2008 232 "sqmdata03.sqm"
    sqmnoo~1.sqm Mar 5 2008 244 "sqmnoopt00.sqm"
    sqmnoo~2.sqm Apr 21 2008 244 "sqmnoopt01.sqm"
    sqmnoo~3.sqm Apr 21 2008 244 "sqmnoopt02.sqm"
    sqmnoo~4.sqm Apr 21 2008 244 "sqmnoopt03.sqm"


    4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {0D42DD3D-81DB-4981-8D9D-D3571048472A} - C:\WINDOWS\system32\ddcAtsrp.dll (file missing)
    O2 - BHO: (no name) - {1051B79C-D143-431D-8DBC-E86DD374BB20} - C:\WINDOWS\system32\byXNhGWq.dll (file missing)
    O2 - BHO: (no name) - {39DE6507-CB49-40A1-8439-772D906358D8} - C:\WINDOWS\system32\opnnmJyv.dll (file missing)
    O2 - BHO: (no name) - {3B575DF4-77AA-43CA-A2F5-E05756816CA1} - (no file)
    O2 - BHO: (no name) - {587FDECF-F21C-4CAA-A94C-A00CF63BCBFB} - C:\WINDOWS\system32\efcYoMfC.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {5EE3A431-B685-47FA-BF49-59C9FA0DDB12} - C:\WINDOWS\system32\iifgEUKc.dll (file missing)
    O2 - BHO: (no name) - {63EE08A7-9643-4E9E-953A-3C88E695FD84} - C:\WINDOWS\system32\awtturqo.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {6A9662B3-D154-42D3-8A12-A357D52A5203} - (no file)
    O2 - BHO: (no name) - {DCD2F9E1-65D5-467C-8979-E5F5D563A27B} - (no file)
    O2 - BHO: (no name) - {DE3F5E4E-F7E4-4224-B508-8721010E0AE0} - C:\WINDOWS\system32\byXQIXNH.dll (file missing)
    O2 - BHO: (no name) - {E5BAD3F9-3B11-48B7-BCC6-3FC80FCD0DE5} - C:\WINDOWS\system32\opnopQkj.dll (file missing)

    After you click fix, just close hijackthis.



    5) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the 'Input script here:' part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    6) Now run CCleaner at the default setting with the Windows tab as the top one.

    7) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
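    The O2 lines abri selects above share a pattern: "(no name)" BHOs whose DLL is gone, has been disabled, or carries a random-looking eight-letter name in system32. The script below is an added example for this thread, not part of HijackThis, MGtools or the posts; it parses such lines and lists the fix candidates together with the two registry locations where a BHO is registered (the IE "Browser Helper Objects" list and the COM class under HKCR\CLSID). Sample lines are copied from the log quoted above, plus one constructed benign line so the filter has something to leave alone.

```python
"""Triage HijackThis 'O2 - BHO' lines (added example, not from the thread)."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# First four lines copied from the HijackThis log quoted in the post above;
# the Adobe line is a constructed benign control.
SAMPLE_O2 = r"""
O2 - BHO: (no name) - {0D42DD3D-81DB-4981-8D9D-D3571048472A} - C:\WINDOWS\system32\ddcAtsrp.dll (file missing)
O2 - BHO: (no name) - {3B575DF4-77AA-43CA-A2F5-E05756816CA1} - (no file)
O2 - BHO: (no name) - {587FDECF-F21C-4CAA-A94C-A00CF63BCBFB} - C:\WINDOWS\system32\efcYoMfC.dll (disabled by BHODemon)
O2 - BHO: (no name) - {63EE08A7-9643-4E9E-953A-3C88E695FD84} - C:\WINDOWS\system32\awtturqo.dll (disabled by BHODemon)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
"""

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<rest>.*)$"
)
# Trailing annotation HijackThis appends: "(file missing)", "(no file)",
# "(disabled by BHODemon)". Paths on this XP box contain no parentheses;
# a "Program Files (x86)" path would need a stricter split.
REST_RE = re.compile(r"^(?P<path>.*?)\s*(?:\((?P<status>[^()]*)\))?$")
SYSTEM32 = r"c:\windows\system32"


@dataclass
class Bho:
    name: str
    clsid: str
    path: Optional[str]  # None when HijackThis reports "(no file)"
    status: str          # "present", "file missing", "no file", "disabled by BHODemon"


def parse_o2(line: str) -> Optional[Bho]:
    m = O2_RE.match(line.strip())
    if not m:
        return None
    r = REST_RE.match(m.group("rest").strip())
    path = r.group("path").strip() or None
    status = r.group("status") or "present"
    return Bho(m.group("name").strip(), m.group("clsid").upper(), path, status)


def parse_log(text: str) -> List[Bho]:
    return [b for b in (parse_o2(line) for line in text.splitlines()) if b]


def looks_like_vundo(b: Bho) -> bool:
    """Heuristic: eight-letter DLL name dropped directly in system32, as in the log."""
    if not b.path or not b.path.lower().startswith(SYSTEM32 + "\\"):
        return False
    stem, ext = ntpath.splitext(ntpath.basename(b.path))
    return ext.lower() == ".dll" and re.fullmatch(r"[A-Za-z]{8}", stem) is not None


def is_orphan(b: Bho) -> bool:
    return b.status in ("file missing", "no file")


def fix_candidates(bhos: List[Bho]) -> List[Bho]:
    """Unnamed BHOs whose DLL is gone, disabled, or matches the Vundo naming pattern."""
    return [b for b in bhos
            if b.name == "(no name)"
            and (is_orphan(b) or b.status.startswith("disabled") or looks_like_vundo(b))]


def registry_keys_to_inspect(clsid: str) -> List[str]:
    """Where a BHO is registered: the IE BHO list and the COM class it points at."""
    return [
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%s" % clsid,
        r"HKCR\CLSID\%s" % clsid,
    ]


if __name__ == "__main__":
    for b in fix_candidates(parse_log(SAMPLE_O2)):
        print(b.clsid, b.status, b.path)
        for k in registry_keys_to_inspect(b.clsid):
            print("   ", k)
```

    Run it over a full HijackThis log and it leaves named, present BHOs such as the Adobe helper alone; the registry paths it prints are the entries to check (or export first) before clicking Fix, since a DLL that is "missing" in one scan can be re-dropped on the next reboot, as alexgg observed.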
  10. alexgg

    alexgg Private E-2

    abri,

    Here are the answers -

    1. XlsToOra and Quest are respectable companies. I am running an Oracle server on my machine and their software helps with accessing and transforming the database.

    2. I uploaded ibmgp.dll on the VirusTotal and got

    File ibmgp.dll received on 04.24.2008 09:51:58 (CET)
    Current status: finished

    Result: 0/32 (0%)

    I guess it must be OK then.

    The requested logs are attached here. I think it's running faster now. The pop-ups had already disappeared before. This virus was everywhere. I really don't understand what the point of creating this adware is. It's not like I am going to use the companies that come up in the pop-ups. On the contrary, I hate them so much that I will never visit 888.com or the other companies I noticed, because it will remind me of the pop-ups. Maybe they had tracking cookies and were getting a commission for that, which I find hard to believe.

    After running so many anti spyware applications I noticed my profile was moved from the <user> to <user>.<computer name>. Do you think I can move it back now?

    Thank you very much for your help.
     


  11. abri

    abri MajorGeek

    No, not necessarily. This only means that if it's malware, it's not yet been identified. I think this file might be an IBM file. There's not much information about it, but I found it on another IBM computer.

    Could you attach a screen shot of your Windows Explorer so I can see what you're talking about?

    abri
     
  12. alexgg

    alexgg Private E-2

    Attaching a screenshot. Before there was only administrator, now administrator.<comp name> was created and all moved there.
     


  13. abri

    abri MajorGeek

    Hi alexgg,

    I have a question about the user names. Is it normal that your copy of WINDOWS is in that directory? Do you now have two copies of Windows - one under each user name? Did the information get copied to the new user name or did it get moved to the new user name?

    I need for you to check for a certain infection called AWF.

    First, please begin by running CCleaner.

    When you finish, I would like for you to download and run FindAWF by noahdfear.
    • Please download FindAWF by noahdfear.
    • Save to your desktop.
    • Double-click the FindAWF icon.
      • If a Security Alert shows, allow the program to run.
    • As instructed, press any key to continue.
    • Use the following option: Press 1 then Enter to scan for bak folders
    • The scan may take a while, please be patient.
    • When done, a text file, Find AWF report is produced.
    • Please attach the Find AWF report in your next post.

    After you finish the above, I would like for you to run C:\MGTools\GetLogs.bat by doubleclicking on it and attach a fresh MGlogs.zip along with the AWF log.

    Thanks.
    abri
     
  14. alexgg

    alexgg Private E-2

    The first Windows profile was under administrator, so it was normal. Then, after running all the anti-spyware, a new profile administrator.<comp name> was created, which is not normal at all, and almost all the stuff was copied from administrator, but not everything. E.g. Explorer favorites were not copied. It is the new default profile now; when I open an MS-DOS prompt the path is this new profile. So it is new to you also. I don't know which program did this.

    Otherwise the logs are clean. I attach them here.
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This account was not created by the cleaning process. It is the account that you were using to run the cleaning process. Look at your ComboFix log that was attached. It shows you where you downloaded the ComboFix file (and renamed it) as the below:

    Running from: C:\Documents and Settings\administrator.IBM-ED39647EFF1\desktop\cf.exe

    Thus the account you were logged into when you downloaded, saved, renamed, and ran ComboFix was administrator.IBM-ED39647EFF1


    IBM-ED39647EFF1 is the computer name and administrator is the user account.

    Even the very first Spybot log you attached shows you had and were using this account. That first Spybot log had the below line:

    HKEY_USERS\S-1-5-21-1586456529-1601300928-2791046662-500\Software\Microsoft\aldd

    This registry key shows the user id information (the S-1-5-21..... etc is the ID).

    And in your newfiles.txt log you can see the below showing the same user ID for the account you were running at the time of doing the scans as below:

    SID: S-1-5-21-1586456529-1601300928-2791046662-500
     
  16. alexgg

    alexgg Private E-2

    Yes, I agree. But it wasn't me who created this account. It was created by some other anti spyware I ran before. I am absolutely 100% sure I never created this account voluntarily.

    Thanks.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is the only normal user account that exists on the PC. The only other account is the real Administrator account which can only be logged into in safe boot mode. Thus it would seem this is the account that you have been using all along. Perhaps something has just appended the computer name to the end of the user account but I doubt that it is related to malware or running any scanners. Too many exact settings are there. Like your environment PATH, Perl settings, ...etc.

    All that being said, even though the folder shows the account having the Computer Name (which is also the Domain Name) appended to it, the actual Username is still administrator. You can see this in your newfiles.txt log by the below line:

    USERNAME=administrator

    Also if you go to Control Panel, User Accounts, you will probably just see administrator.

    I would say this may have happened because you tried to use a user name that basically already existed (i.e., the Administrator account is on all PCs by default when installed, and file and folder names on a PC are not case sensitive, thus Administrator = administrator) and because of this, the folder name for your new account could not be created since it already exists. Thus the ComputerName was appended to the new account name and then the folder was created. However, this can also happen when a user account profile gets corrupted (registry corruption). In this last case the below link may be of use:

    http://support.microsoft.com/default.aspx?kbid=811151


    Also additional reading may prove helpful:
    http://www.tomshardware.com/forum/135873-45-help-lost-user-account-settings
     
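    Chaslang's reasoning above rests on two facts: the trailing -500 of the SID marks the built-in Administrator regardless of what the profile folder is called, and Windows names a new profile folder by appending the domain or computer name (then .000, .001, ...) when a folder with that name already exists, comparing case-insensitively. The mapping from SID to folder is recorded as ProfileImagePath under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>, which is the value alexgg later edited. The code below is an added example for this thread, not from the posts or from any Microsoft tool; the SID is the one quoted from the Spybot log, and the folder lists are constructed to reproduce the administrator.IBM-ED39647EFF1 case.

```python
"""Decode a Windows SID and reproduce the profile-folder naming rule.

Added example for this thread; not from the posts or from Microsoft's tools.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Tuple

SID_RE = re.compile(r"^S-(?P<rev>\d+)-(?P<auth>\d+)(?P<subs>(?:-\d+)+)$")

# Relative IDs that are the same on every Windows install or domain.
WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    501: "built-in Guest",
    512: "Domain Admins",
    513: "Domain Users",
}
NT_AUTHORITY = 5
NON_UNIQUE = 21  # S-1-5-21-...: machine- or domain-specific accounts


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    def __str__(self) -> str:
        return "S-%d-%d-%s" % (self.revision, self.authority,
                               "-".join(str(s) for s in self.subauthorities))

    @property
    def rid(self) -> int:
        """Last subauthority: identifies the account within its machine/domain."""
        return self.subauthorities[-1]

    @property
    def domain_sid(self) -> str:
        """Everything except the RID identifies the machine or domain."""
        return str(Sid(self.revision, self.authority, self.subauthorities[:-1]))


def parse_sid(text: str) -> Sid:
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError("not a SID string: %r" % text)
    subs = tuple(int(x) for x in m.group("subs").split("-")[1:])
    return Sid(int(m.group("rev")), int(m.group("auth")), subs)


def describe(sid: Sid) -> str:
    if sid.authority != NT_AUTHORITY or sid.subauthorities[:1] != (NON_UNIQUE,):
        return "not a machine/domain account SID"
    if sid.rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[sid.rid]
    return "user-created account (RID >= 1000)" if sid.rid >= 1000 else "other reserved RID"


def choose_profile_folder(username: str, domain: str, existing: Iterable[str]) -> str:
    """Folder name Windows picks for a new profile under Documents and Settings.

    Names compare case-insensitively, so 'administrator' collides with
    'Administrator'. On collision the domain (or computer name) is appended,
    then .000, .001, ... until a free name is found.
    """
    taken = {e.lower() for e in existing}
    if username.lower() not in taken:
        return username
    base = "%s.%s" % (username, domain)
    if base.lower() not in taken:
        return base
    n = 0
    while ("%s.%03d" % (base, n)).lower() in taken:
        n += 1
    return "%s.%03d" % (base, n)


if __name__ == "__main__":
    sid = parse_sid("S-1-5-21-1586456529-1601300928-2791046662-500")
    print(sid, "->", describe(sid))
    # Constructed folder list: the default XP profiles plus the existing Administrator.
    print(choose_profile_folder("administrator", "IBM-ED39647EFF1",
                                ["Administrator", "All Users", "Default User"]))
```

    The point for triage: when a scan log shows an unfamiliar profile folder, resolve the SID first. A -500 RID with the machine's own S-1-5-21 prefix is the same built-in account whatever the folder is called, so the folder name alone is not evidence that malware or a scanner created a new user.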
  18. alexgg

    alexgg Private E-2

    I changed the registry path and returned to my old settings (almost).
    This virus infection was a very traumatic experience and I want to thank you for helping me through it.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.


    If everything is still working okay, it is time to do our final steps:
    1. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Note: the space between cf" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    2. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you run Avenger, you can delete all files related to Avenger now.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
  20. alexgg

    alexgg Private E-2

    All done, thanks
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
