Virtumonde

cocoabutter · Jun 16, 2008

Hey,

I had problems with Virtumonde trojan removal. I went through READ & RUN ME FIRST. Now, everything seems fine, but I'm not really sure if I got rid of the trojan. I'm posting you required logs. Thank you for your help.

cocoabutter · Jun 16, 2008

I'm also attaching MGlogs.zip

And I forgot to tell you, that Vundofix didn't find anything, so after that, I went through READ & RUN ME FIRST.

Thanks!

TimW · Jun 16, 2008

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

F0 - system.ini: Shell=Explorer.exe c:\windows\system32\winlog.exe
F1 - win.ini: run=c:\windows\system32\winlog.exe
O2 - BHO: (no name) - {3491A6AD-B264-4824-98E2-64D9B16560E3} - C:\WINDOWS\system32\opnkliHY.dll (file missing)
O2 - BHO: (no name) - {51FF4FD0-E89E-4DBA-889A-D31E442E1732} - (no file)
O2 - BHO: (no name) - {5FA6BE5F-039C-4C75-8500-A265F14F4510} - C:\WINDOWS\system32\byXOeBrS.dll (file missing)
O2 - BHO: (no name) - {6AEE1696-B509-4B5F-BFCE-2D729F591BA9} - C:\WINDOWS\system32\rqRJCVNh.dll (file missing)
O2 - BHO: (no name) - {9D31CD00-04E4-4384-B011-9476567BF34C} - C:\WINDOWS\system32\pmnLDVoP.dll (file missing)
O2 - BHO: (no name) - {A633AB65-729B-449E-934D-20344D2DD1A2} - (no file)
O2 - BHO: (no name) - {E17B36BC-004A-43C1-9B44-7C7EEC3E12D4} - C:\WINDOWS\system32\mlJAqpon.dll (file missing)
O2 - BHO: (no name) - {F41DA8BB-23EF-41EA-BE2B-53AB76E2757E} - C:\WINDOWS\system32\opnOHyVM.dll (file missing)
O2 - BHO: (no name) - {FB9462E7-83DB-4FD8-B631-48520CD1D4B0} - C:\WINDOWS\system32\mlJAsSKA.dll (file missing)
O2 - BHO: (no name) - {FDEF862B-EED4-4007-BFB1-064A08785221} - C:\WINDOWS\system32\rqRKASiG.dll (file missing)
O4 - HKLM\..\Run: [9c5318e1] rundll32.exe "C:\WINDOWS\system32\atcalyyl.dll
Click to expand...

After clicking Fix, exit HJT.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"9c5318e1"=-
"SunJavaUpdateSched"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3491A6AD-B264-4824-98E2-64D9B16560E3}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51FF4FD0-E89E-4DBA-889A-D31E442E1732}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5FA6BE5F-039C-4C75-8500-A265F14F4510}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6AEE1696-B509-4B5F-BFCE-2D729F591BA9}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D31CD00-04E4-4384-B011-9476567BF34C}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A633AB65-729B-449E-934D-20344D2DD1A2}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E17B36BC-004A-43C1-9B44-7C7EEC3E12D4}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F41DA8BB-23EF-41EA-BE2B-53AB76E2757E}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FB9462E7-83DB-4FD8-B631-48520CD1D4B0}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDEF862B-EED4-4007-BFB1-064A08785221}]
Click to expand...

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\%username%\Local Settings\Temp

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.

cocoabutter · Jun 16, 2008

I did what you said and I'm posting you MGlogs.

After running GetLogs.bat I enabled NOD32. Should I do it before?

TimW · Jun 16, 2008

Sweet....Your logs look clean.

If you are not having any other malware problems, it is time to do our final steps:

1. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
2. Click START then RUN
* Now type "%userprofile%\Desktop\cf" /u in the runbox and click OK.
* Note: The space between the cf and the /U, it must be there.
3. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
4. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
5. If you are running Windows XP or Windows ME, do the below:
* Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
* Then reboot and Enable System Restore to create a new clean Restore Point.
6. After doing the above, you should work thru the below link:
How to Protect yourself from malware!

cocoabutter · Jun 17, 2008

Thank you soooo much! Although it took a lot of time, it worked, what's the most important.

Before continuing to How to protect yourself from malware:

May I now delete these two? (I'll keep Spybot due to the instructions in How to protect yourself from malware)

SUPERAntiSpyware
Malwarebytes' Anti-malware

Currently I have NOD32 as anti-virus program. Should I remove it and download e.g. Avast! ? Is it better?

And there in the instructions, it is written that I should have SP2, but I already have SP3. Is that ok?

TimW · Jun 17, 2008

cocoabutter said: ↑

Thank you soooo much! Although it took a lot of time, it worked, what's the most important.
Click to expand...

You are most welcome!

cocoabutter said: ↑

Before continuing to How to protect yourself from malware:

May I now delete these two? (I'll keep Spybot due to the instructions in How to protect yourself from malware)

SUPERAntiSpyware
Malwarebytes' Anti-malware
Click to expand...

If you wish to.....I keep both on hand for backup scans when I sense trouble.

cocoabutter said: ↑

Currently I have NOD32 as anti-virus program. Should I remove it and download e.g. Avast! ? Is it better?

And there in the instructions, it is written that I should have SP2, but I already have SP3. Is that ok?
Click to expand...

No anti-virus will catch 100% ...just the nature of the beast. Choice of anti-virus is a personal decision relating to how the user feels with the program: i.e. does it slow the system, is it easy to use, etc.

SP3 just came out, so the reference is really for the many posters who have not downloaded even SP2. So you are fine.

Log in or Sign up

Virtumonde

cocoabutter Private E-2

Attached Files:

SASlog.txt

MBAMlog.txt

COMBOFIXlog.txt

cocoabutter Private E-2

Attached Files:

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

cocoabutter Private E-2

Attached Files:

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

cocoabutter Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member