Can't get rid of virtumonde.sdn- please help

By marge
Feb 15, 2010
Topic Status:
Not open for further replies.
  1. Hi!
    I have been trying to get rid of virtumonde.sdn. I have run 4 different anti-virus or spyware programs and it keeps showing up. I have attached the HijackThis log file. Please tell me what is going on. (attachment: hijackthis.log)
  2. Broni

    Broni Malware Annihilator Posts: 45,175   +242

  3. marge

    marge Newcomer, in training Topic Starter

    I will try to post all the logs. Thanks for responding.

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 02/15/2010 at 08:38 PM

    Application Version : 4.33.1000

    Core Rules Database Version : 4584
    Trace Rules Database Version: 2396

    Scan type : Complete Scan
    Total Scan Time : 00:26:28

    Memory items scanned : 646
    Memory threats detected : 0
    Registry items scanned : 6755
    Registry threats detected : 0
    File items scanned : 19674
    File threats detected : 2

    Adware.180solutions/Seekmo/Zango
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{A8393674-085C-4723-B63E-39928C5F4C89}\RP58\A0016811.EXE

    Adware.MyWebSearch
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{A8393674-085C-4723-B63E-39928C5F4C89}\RP58\A0016810.EXE
    (attachment: hijackthis.log)
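    The scan report above is worth reading closely before running anything else: both hits sit under C:\System Volume Information\_restore{...}\RPnn\, which is where Windows XP System Restore keeps archived copies of files, not where running code lives. The following Python script is an added example for this thread (it is not SUPERAntiSpyware's code and not part of the original post); it parses a report in the layout shown above into summary fields and (family, path) detections, cross-checks the "File threats detected" count against the entries actually listed, and separates restore-point copies from detections in live locations. The parsing rules are an assumption based solely on the layout of the posted report, and the sample text is that report reproduced inline.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the SUPERAntiSpyware report posted in the thread, reproduced as text.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/15/2010 at 08:38 PM

Application Version : 4.33.1000

Core Rules Database Version : 4584
Trace Rules Database Version: 2396

Scan type : Complete Scan
Total Scan Time : 00:26:28

Memory items scanned : 646
Memory threats detected : 0
Registry items scanned : 6755
Registry threats detected : 0
File items scanned : 19674
File threats detected : 2

Adware.180solutions/Seekmo/Zango
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A8393674-085C-4723-B63E-39928C5F4C89}\RP58\A0016811.EXE

Adware.MyWebSearch
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A8393674-085C-4723-B63E-39928C5F4C89}\RP58\A0016810.EXE
"""

KV_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.+)$")   # "Key : Value" summary lines
PATH_RE = re.compile(r"^[A-Za-z]:\\")                         # drive-letter path => a detection entry
# Windows XP System Restore snapshot location; files here are archived copies, not running code.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.I)


@dataclass
class ScanReport:
    summary: dict = field(default_factory=dict)      # header fields such as "File threats detected"
    detections: list = field(default_factory=list)   # (family, path) pairs


def parse_sas_log(text):
    """Split the report into summary key/value pairs and (family, path) detections."""
    report = ScanReport()
    family = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            family = None            # a blank line closes a detection block
            continue
        if PATH_RE.match(line):
            if family is None:
                raise ValueError(f"path without a preceding threat name: {line}")
            report.detections.append((family, line))
            continue
        m = KV_RE.match(line)
        if m and not line.lower().startswith("http"):
            report.summary[m.group(1)] = m.group(2)
            continue
        family = line                # banner text, or the name of the next threat family
    return report


def triage(text):
    """Compare the claimed count with the listed entries and flag detections outside restore points."""
    report = parse_sas_log(text)
    restore = [d for d in report.detections if RESTORE_RE.search(d[1])]
    live = [d for d in report.detections if not RESTORE_RE.search(d[1])]
    claimed = int(report.summary.get("File threats detected", "0"))
    return {
        "claimed_file_threats": claimed,
        "parsed_detections": len(report.detections),
        "count_matches": claimed == len(report.detections),
        "live": live,
        "restore_point_copies": restore,
        "restore_point_only": bool(report.detections) and not live,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for fam, path in result["live"]:
        print("ACTIVE LOCATION:", fam, path)
    print("all detections are restore-point copies:", result["restore_point_only"])
```

    When every hit is a restore-point copy, as here, the scanner is re-flagging old snapshots rather than finding active adware; that is consistent with the user's observation that the same names keep "showing up" across four tools, and it says nothing either way about the rootkit Broni later identifies from the other logs.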
  4. marge

    marge Newcomer, in training Topic Starter

    malware log

    I can't find the log for the malware.
  5. marge

    marge Newcomer, in training Topic Starter

  6. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  7. marge

    marge Newcomer, in training Topic Starter

    I would like to have the logs analyzed before doing anything else. Could someone please respond to the logs? Thank you very much.
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Marge, Broni would not have told you to run Combofix if he had not opened the logs and checked them. While we do recommend that program, it is only after checking the logs.

    In a nutshell- you are being told that the logs indicate you will need to run Combofix due to their content.

    Edit: I would only add that you should have disabled TeaTimer per the steps. Please do that before more scanning:
    • Right click the TeaTimer icon in the system tray
    • Then click Exit Spybot-S&D Resident
    • (Once you are clean you can restart TeaTimer by going to C:\Program Files\Spybot - Search & Destroy, and double clicking on TeaTimer.exe)
  9. marge

    marge Newcomer, in training Topic Starter

    OK, I ran the ComboFix. I will try to attach the logs.
    Bobbye, thanks for the reply. I do not know a whole lot about computers. I can't find the TeaTimer exe. Thanks for all your help!

    Attached file: log.txt (18.5 KB)
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Give this a try:
    • Launch Spybot Search & Destroy
    • In the Menu: Select Mode > choose Advanced Mode
    • Click Yes in the confirmation dialogue box
    • Click on Tools to expand the menu. Make sure that Resident is checked and then click Resident in the left pane.
    • In the right pane uncheck Resident "TeaTimer" (Protection of over-all system settings) to disable it.
    • Uncheck TeaTimer > OK any prompts.
    • If TeaTimer asks about changes > click "Allow Change".
    • Exit Spybot S&D when done.
    • (Once you are clean, you can re-enable TeaTimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)
    It's important that you know how to disable any security as that is required to run some scans.
  11. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\DCEBoot.exe

    Folder::

    Driver::

    Registry::

    RegLockDel::

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation omitted]

    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
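    Before dragging a CFScript onto ComboFix it is reasonable to read it and confirm exactly which objects it names, since the tool acts on those entries without further confirmation. The script below is an added example for this thread, not ComboFix's own code and not something the helper posted: it reads the section layout shown above (a header line ending in "::" followed by zero or more entries), lists the non-empty sections and their targets, and flags entries that are not absolute Windows paths or that sit under a section name the thread does not show. The expectation that File:: and Folder:: entries are absolute paths is an assumption drawn from the one entry in the posted script; the sample text is that script reproduced inline.

```python
import re

# Section names as they appear in the script posted in the thread.
KNOWN_SECTIONS = ("File", "Folder", "Driver", "Registry", "RegLockDel")
HEADER_RE = re.compile(r"^([A-Za-z]+)::\s*$")
# Assumption: File:: and Folder:: entries should be absolute drive-letter paths.
WIN_PATH_RE = re.compile(r'^[A-Za-z]:\\[^<>:"|?*]+$')

# Constructed sample: the CFScript.txt content from the thread, reproduced as text.
SAMPLE_SCRIPT = r"""File::
c:\windows\DCEBoot.exe


Folder::

Driver::

Registry::

RegLockDel::
"""


def parse_cfscript(text):
    """Return {section_name: [entries]}; blank lines are ignored, entries belong to the last header."""
    sections = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line {lineno}: entry before any section header")
        sections[current].append(line)
    return sections


def review_cfscript(text):
    """Summarise what the script targets and list anything a reader should question."""
    sections = parse_cfscript(text)
    problems = []
    for name in sections:
        if name not in KNOWN_SECTIONS:
            problems.append(f"unknown section {name}::")
    for entry in sections.get("File", []) + sections.get("Folder", []):
        if not WIN_PATH_RE.match(entry):
            problems.append(f"not an absolute Windows path: {entry}")
    targets = {name: entries for name, entries in sections.items() if entries}
    return {"targets": targets, "problems": problems}


if __name__ == "__main__":
    result = review_cfscript(SAMPLE_SCRIPT)
    for name, entries in result["targets"].items():
        print(f"{name}:: ->", ", ".join(entries))
    print("problems:", result["problems"] or "none")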
  12. marge

    marge Newcomer, in training Topic Starter

  13. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file should be created on your C: drive called TDSSKiller.txt please copy and paste the contents of that file here.
  14. marge

    marge Newcomer, in training Topic Starter

    How do I save things to my desktop?
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    [screenshot of the Save In dialog omitted]

    Change the Save In dialog box to Desktop

    It now shows My Documents. Hold left mouse button down on down-arrow to right of box and select Desktop from drop down menu.
  16. marge

    marge Newcomer, in training Topic Starter

    Here is the log for the TDSSKiller. I couldn't copy and paste because it was too long. Hope the attachment works. Thank you

    (attachment: TDSSKiller.txt)
  17. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    Please, re-run Combofix and HJT.
    Post fresh logs.
  18. marge

    marge Newcomer, in training Topic Starter

    Why are things getting worse every time I try something that is suggested? My computer has never been this messed up. What is going on??????
  19. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    You can't judge your computer behavior until it's declared clean.
    We're far from there.
  20. marge

    marge Newcomer, in training Topic Starter

    Can't even log on anymore. Taking it in to get it cleaned and reinstalled. What a pain. It seemed like after I ran the TDSSKiller, I had trojans, worms, spyware that had never showed up before.
  21. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    Are you saying that you're taking the computer to the shop?
  22. marge

    marge Newcomer, in training Topic Starter

    Yes, I took it to the shop. Can you tell me what you were seeing?
  23. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    You have a rootkit to start with.
  24. marge

    marge Newcomer, in training Topic Starter

    Thanks for all your help. Didn't know what else to do when I couldn't log on.
  25. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    That's OK, as long as it got fixed :)