Can't get rid of virtumonde.sdn- please help

[marge]

Hi!
I have been trying to get rid of virtumonde.sdn. I have run 4 different anti-virus or spyware programs and it keeps showing up. I have attached hijack-this log file. Please tell me what is going on.View attachment hijackthis.log

 

[Broni]

Please, follow these steps: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

 

[marge]

I will try to post all the logs. Thanks for responding.SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/15/2010 at 08:38 PM

Application Version : 4.33.1000

Core Rules Database Version : 4584
Trace Rules Database Version: 2396

Scan type : Complete Scan
Total Scan Time : 00:26:28

Memory items scanned : 646
Memory threats detected : 0
Registry items scanned : 6755
Registry threats detected : 0
File items scanned : 19674
File threats detected : 2

Adware.180solutions/Seekmo/Zango
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A8393674-085C-4723-B63E-39928C5F4C89}\RP58\A0016811.EXE

Adware.MyWebSearch
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A8393674-085C-4723-B63E-39928C5F4C89}\RP58\A0016810.EXE
View attachment hijackthis.log

 

[marge]

malware log

I can't find the log for the malware.

 

[marge]

found log

View attachment mbam-log-2010-02-15 (20-06-19).txt
Attached is the malware log. I have completed the 8 steps. thanks for responding.

 

[Broni]

Please download ComboFix from Here or Here to your Desktop.


**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Please, never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.

• Close any open browsers.
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
• Double click on combofix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[marge]

I would like to have the logs analyzed before doing anything else. Could someone please respond to the logs? Thank you very much.

 

[Bobbye]

Marge, Broni would not have told you to run Combofix is he had not open the logs and checked them. While we do recommend that program, it is only after checking the logs.

In a nutshell- you are being told that the logs indicate you will need to run Combofix due to their content.

Edit: I would only add that you should have disabled TeaTimer per the steps: Please do that before more scanning:

• Right click the TeaTimer icon in the system Tray
  
• Then click Exit Spybot-S&D Resident
• (One you are clean you can restart TeaTimer by going to C:\Program Files\Spybot - Search & Destroy, and double clicking on TeaTimer.exe

 

[marge]

Ok, I ran the combo-fix. I will try to attach the logs.
Bobbye, thanks for the reply. I do not know a whole lot about computers. I can't find the tea timer exe. thanks for all your help![/ATTACH]

 

[Bobbye]

Give this a try:

• Launch Spybot Search & Destroy
  
• In the Menu: Select Mode> choose Advanced Mode
• Click Yes in the confirmation dialogue box
• Click on Tools to expand the menu. Make sure that Resident is checked and then click Resident in the left pane.
• In the right pane uncheck Resident "Tea timer" (Protection of over-all system settings) to disable it.
• UncheckTeaTimer> OK any prompts.
• If Teatimer gives about changes> click "Allow Change".
• Exit Spybot S&D when done.
• (Once you are clean, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.]

It's important that you know how to disable any security as that is required to run some scans.

 

[Broni]

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\DCEBoot.exe


Folder::

Driver::

Registry::

RegLockDel::

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new HijackThis log.

 

[marge]

Here is the new combofix log and the new hijack log. Thanks for responding. What are you seeing?View attachment hijackthis.log

View attachment log2.txt

 

[Broni]

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file should be created on your C: drive called TDSSKiller.txt please copy and paste the contents of that file here.

 

[marge]

how do I save things to my desktop?

 

[Bobbye]

Change the Save In dialog box to Desktop

It now shows My Documents. Hold left mouse button down on down-arrow to right of box and select Desktop from drop down menu.

 

[marge]

Here is the log for the tdsskiller I couldn't copy and paste because it was too long. Hope the attachment works. Thank you


View attachment TDSSKiller.txt

 

[Broni]

Please, re-run Combofix and HJT.
Post fresh logs.

 

[marge]

why are things getting worse everytime I try something that is suggested? My computer has never been this messed up. What is going on??????

 

[Broni]

You can't judge your computer behavior until it's declared clean.
We're far from there.

 

[marge]

can't even log on anymore. Taking it in to get it cleaned and reinstalled. What a pain. It seemed like after I ran the tdssliller, I had trojans, worms, spyware that had never showed up before.

 

[Broni]

Are you saying, that you're taking computer to the shop?

 

[marge]

yes I took it to the shop. Can you tell me what you were seeing?

 

[Broni]

You have a rootkit to start with.

 

[marge]

thanks for all your help. didn't know what else to do when I couldn't log on.

 

[Broni]

That's OK, as long, as it got fixed