Virtumonde / Vundo infection.

Discussion in 'Malware Help (A Specialist Will Reply)' started by confusedboy, Nov 6, 2008.

  1. confusedboy

    confusedboy Private E-2

Hello, after having Virtumonde on my computer, I read and followed the instructions for the Read and Run Me First page. I just completed the ComboFix instructions and I have some logs I would like someone to please review to let me know if Virtumonde is finally deleted from my computer. I'm not exactly sure what you're looking for in the logs, I have pretty much no computer skills in this regard, so bear with me. Thanks in advance.
     

    Attached Files:

  2. confusedboy

    confusedboy Private E-2

    Fourth log, mg log.

    This is the mg log.
     

    Attached Files:

  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to Major Geeks, confusedboy

    Please be patient while I look over your logs.
     
  4. confusedboy

    confusedboy Private E-2

    Thanks, I hope it's gone. My computer seems a bit slow still.
     
  5. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, confusedboy

    * It may be helpful to print these instructions, or save them into a text document.

    Step 1:
    Please look in Add/Remove Programs for the following and uninstall if found. If you get any errors just make a note and proceed
    Step 2:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Step 4:
    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    c:\windows\system32\g5.exe
    c:\windows\system32\ykupymwvmx.exe
    C:\WINDOWS\System32\smart.dll.tmp
    C:\WINDOWS\System32\fweilpmh.ini
    C:\WINDOWS\System32\asksyhrd.ini
    C:\WINDOWS\System32\ibafysjr.ini
    c:\docume~1\BENJAM~1\LOCALS~1\Temp\nya.exe
    
    Folder::
    c:\windows\system32\vb 
    c:\windows\system32\OT2 
    c:\windows\system32\im
    c:\windows\system32\FPX 
    C:\Temp
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
      If it asks you to override the previous file with the same name, click YES.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Step 5:
    Delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    Step 6:
    Run CCleaner


    Step 7:
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).


    Then attach the below logs to your next reply:
    • C:\MGlogs.zip
    • C:\combofix.txt

    Make sure you tell me how things are working now!
     
    Last edited: Nov 9, 2008
  6. confusedboy

    confusedboy Private E-2

    I followed your instructions but the file " O20 - AppInit_DLLs: hytpyy.dll " could not be found. I have the logs though.
     

    Attached Files:

  7. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    ;)

    While I go over your new logs, please give me a quick reply to: How is your machine running now?

    Thanks!
     
  8. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

  9. confusedboy

    confusedboy Private E-2

    My computer still seems to be slow at loading youtube links. Other than that, everything seems fine. :)
     
  10. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, confusedboy

    Pre-Instructions:
    1. First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.
    2. Print out these instructions or save them to a text file so that you can operate with All Browser Windows CLOSED.


    Step 1:
    We need to use ComboFix to remove some more malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
      If it asks you to override the previous file with the same name, click YES.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Step 2:
    Run CCleaner

    Step 3:
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).


    Step 4:
    Attach the below logs to your next reply:
    • C:\MGlogs.zip
    • C:\combofix.txt

    Make sure you tell me how things are working now!
     
    Last edited by a moderator: Nov 13, 2008
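Both ComboFix rounds above (post 5, with its CFScript code box, and post 10) end with the same question: did the script actually remove what it listed? The following is an added example, not code from this thread or from ComboFix itself: it parses the File::/Folder::/Registry:: sections of a CFScript and reports which targets are still present afterwards, which is the check a helper would make before declaring the AppInit_DLLs infection gone. The lookup functions are passed in so the logic runs anywhere; the sample script uses entries from post 5, and the post-run state at the bottom is constructed.

```python
"""Parse a ComboFix CFScript and report which of its targets survived the run.
Added example (not ComboFix's own code); SAMPLE_SCRIPT and the demo state are constructed."""
import re

SAMPLE_SCRIPT = r"""
KILLALL::

File::
c:\windows\system32\g5.exe
C:\WINDOWS\System32\smart.dll.tmp

Folder::
c:\windows\system32\vb
C:\Temp

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
"""

def parse_cfscript(text):
    """Return {'File': [...], 'Folder': [...], 'Registry': {key: {name: value}}}.
    A value of None means the script deletes that value ("name"=-)."""
    out = {"File": [], "Folder": [], "Registry": {}}
    section, key = None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):                 # section header, e.g. File:: or KILLALL::
            section = line[:-2]
        elif section == "Registry" and line.startswith("["):
            key = line.strip("[]")             # [HKEY_...\path] opens a key
            out["Registry"].setdefault(key, {})
        elif section == "Registry" and key:
            m = re.match(r'"([^"]+)"=(?:"(.*)"|(-))$', line)   # "name"="value" or "name"=-
            if m:
                out["Registry"][key][m.group(1)] = m.group(2)  # None when the form was =-
        elif section in out:
            out[section].append(line)
    return out

def residual_entries(script, path_exists, reg_value):
    """Post-run check. path_exists(path) -> bool; reg_value(key, name) -> value or None.
    On Windows pass os.path.exists and a winreg.QueryValueEx wrapper."""
    left = [p for p in script["File"] + script["Folder"] if path_exists(p)]
    for key, values in script["Registry"].items():
        for name, wanted in values.items():
            actual = reg_value(key, name)
            if actual is not None and actual != wanted:   # still set, or not the blanked value
                left.append(f"{key}\\{name} = {actual!r}")
    return left

def demo():
    """Constructed state: C:\\Temp survived and AppInit_DLLs still names a DLL."""
    hive = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows"
    present, registry = {r"C:\Temp"}, {(hive, "AppInit_DLLs"): "hytpyy.dll"}
    return residual_entries(parse_cfscript(SAMPLE_SCRIPT),
                            lambda p: p in present, lambda k, n: registry.get((k, n)))
```

An empty list from residual_entries is what you want to see before re-enabling the antivirus; anything in it goes back into the next CFScript or into the reply to the helper.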
