Problem with Virtumonde

Status
Not open for further replies.
Hey guys, I recently ran into the Virtumonde trojan and had run AVG and Spybot to no avail. I got lucky and was pointed in this direction, read the 8 steps and followed through. Haven't had problems so far. Here are my logs. Also, would I have to keep all the programs downloaded in the 8 steps, or is it OK to remove them, and if so, which ones would be the best to keep? Thank you so much again for all your help.

-xlobo11x
 
-> No action taken on the MBAM scan for found issues
Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected. <========= Not Done

Please re-run Malwarebytes.
Confirm it is updated (third tab); your Malwarebytes was not updated either.
Then follow the above quoted instructions, but this time "Remove all found issues".

By the way, you will then need to restart, and run (and attach) a new HJT log and Malwarebytes log.


Once Malwarebytes has been run and all the malware it found has been removed by you,
you could do this too.

1. Download VundoFix; Trojan.Vundo Removal Tool; VirtumundoBeGone and ComboFix.
2. Go Offline - pull the cable network, turn off wireless card, turn off your modem.
3. Restart computer and press F8 to run Windows in Safe Mode
4. Run VundoFix. Click on Scan for Vundo. Scanning will begin, which takes a long time. The white box will display the names of infected files. After the scan is complete, click Remove Vundo; removal will begin. Confirm by clicking Yes. The application should ask for permission to restart your computer; click Yes. Start Windows in Safe Mode again.
5. Run FixVundo. Click Start, and then follow the instructions. Note that this application can deal only with older mutations of Vundo (Virtumonde).
6. Run VirtumundoBeGone. Click Continue and wait for the report.
7. Run ComboFix. In the two windows that appear, click Yes, and scanning and removal of any Vundo (Virtumonde) infection will start. During this operation you must not move the mouse or perform other actions. After the scan is complete, the program will show a text file, a report of the program's actions.
8. Restart computer and run Windows normally.
9. Attach the report
 
almost there

Thank you for your quick reply kimsland, I really appreciate it. I followed your guide and got as far as step #7. When I try to run ComboFix it will not let me, saying it cannot name the file combofix; this is after the installation, where I am given the "run the application" option... that's as far as I get with that... but here are the Malwarebytes and HijackThis reports so far... once again, thank you.
 
Oh, I haven't checked the logs yet.
But with ComboFix, as you select download, rename ComboFix (still in the Save As box) to Combo-Fix, or any name you like, i.e. just rename it to CF.

Then try running it.
You can also run it in Normal mode, but if you have screen savers, Power Management and tasks going on, they can interfere with it.

OK, just checked the logs, and what a log :D

Please run an HJT scan, tick all of the following, then select Fix all.
Make sure any/all Internet browsers are closed first.
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://85.17.166.131/go//?cmp=vm_tr...68440&lid=winlogon.exe&rid=zdez&v=1176&m=ish6
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {3758246d-3722-4063-8d88-39d07c02c98b} - (no file)
O2 - BHO: (no name) - {38654472-0201-4907-A643-792FD28C09D9} - (no file)
O2 - BHO: (no name) - {3E9203D0-5497-4422-9296-C052D8C433E6} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {93411C70-1446-4181-9D96-CE0EC03E6167} - (no file)
O2 - BHO: (no name) - {95EF57EF-E44A-4156-B2EB-2188921A90F0} - C:\WINDOWS\system32\khfDtTmJ.dll (file missing)
O2 - BHO: (no name) - {9774C244-6D5F-4807-80C6-AE03D45E975D} - C:\WINDOWS\system32\wvUlmnKC.dll (file missing)
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: (no name) - {ABB63DB2-2873-4334-A5B4-2A3DDF06860F} - (no file)
O2 - BHO: (no name) - {abebb09f-05e5-4246-b676-dfc703aa02d9} - (no file)
O2 - BHO: (no name) - {B4131401-5C9A-448C-92B1-01050FE8BD2C} - (no file)
O2 - BHO: (no name) - {BB79CFC8-82F0-4CA3-9557-190D5F51290F} - C:\WINDOWS\system32\vtUmKBRi.dll (file missing)
O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-19\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe /runonstartup" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe /runonstartup" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe /runonstartup" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe /runonstartup" (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O20 - Winlogon Notify: byXQgFyA - byXQgFyA.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Unknown owner - C:\Program Files\Norton AntiVirus\isPwdSvc.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: Symantec AppCore Service (SymAppCore) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe (file missing)
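The entries kimsland singled out share a few visible tells: a registration whose file is gone ("(no file)" / "(file missing)"), an eight-letter mixed-case DLL name with almost no vowels (khfDtTmJ.dll, byXQgFyA.dll, the classic Vundo pattern), a Run key planted under the SYSTEM/LOCAL SERVICE/NETWORK SERVICE/Default hives, and a browser setting pointing at a raw IP address. The Python script below is an added example, not code from the thread or from HijackThis: it parses a handful of the log lines above (plus two constructed benign entries for contrast) and applies those heuristics so a reviewer can see which lines deserve a tick. The regexes, the vowel threshold and the sample log are my assumptions, a starting point for triage, not a substitute for reading the whole log.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis lines posted in the thread,
# plus two benign entries (an Adobe BHO and the Java updater) added for contrast.
# This is not a complete log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://85.17.166.131/go//?cmp=vm_tr
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {95EF57EF-E44A-4156-B2EB-2188921A90F0} - C:\WINDOWS\system32\khfDtTmJ.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe /runonstartup" (User 'SYSTEM')
O20 - Winlogon Notify: byXQgFyA - byXQgFyA.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

# "R1 - ..." / "O2 - ..." : section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
# HJT's own markers for a registration whose target no longer exists on disk.
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)\s*$")
# An eight-letter DLL name not glued to a longer word (so AcroIEHelper.dll is skipped).
DLL_RE = re.compile(r"(?<![A-Za-z])([A-Za-z]{8})\.dll\b", re.IGNORECASE)
# Run keys under well-known service SIDs or the Default hive; real software rarely lives there.
SERVICE_ACCT_RE = re.compile(r"HKUS\\(?:S-1-5-1[89]|S-1-5-20|\.DEFAULT)\\")
RAW_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b")
VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Heuristic (assumed threshold): Vundo-style names are mixed case with at most two vowels."""
    mixed = name != name.lower() and name != name.upper()
    vowels = sum(c in VOWELS for c in name.lower())
    return mixed and vowels <= 2


@dataclass
class Finding:
    section: str
    reasons: list[str]
    line: str


def triage(log: str) -> list[Finding]:
    """Return every HJT entry that trips at least one heuristic, with the reasons."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank line or log header, not an entry
        section, body = m.group("section"), m.group("body")
        reasons: list[str] = []
        if ORPHAN_RE.search(body):
            reasons.append("orphaned registration (target file no longer on disk)")
        for dll in DLL_RE.findall(body):
            if looks_random(dll):
                reasons.append(f"random-looking DLL name {dll}.dll")
        if section == "O4" and SERVICE_ACCT_RE.search(body):
            reasons.append("Run key under a service or Default account hive")
        if section.startswith("R") and RAW_IP_URL_RE.search(body):
            reasons.append("browser setting points at a raw IP address")
        if reasons:
            findings.append(Finding(section, reasons, line))
    return findings


def lines_to_fix(log: str) -> list[str]:
    """The exact entry lines a reviewer would tick in HJT, in log order."""
    return [f.line for f in triage(log)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {'; '.join(f.reasons)}\n    {f.line}")
```

Run it and the two benign lines (the Adobe BHO and the HKLM Java updater) come out clean while the six entries from the thread are flagged, the khfDtTmJ.dll and byXQgFyA.dll lines for two reasons each. The orphan check is the most reliable of the four; the random-name and raw-IP checks are heuristics that will occasionally flag legitimate software, so treat the output as a list of lines to look at, not a list to fix blindly.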
 
Followed your instructions, everything was smooth. I re-did step 3 before rescanning things just in case, dunno if I had to but figured why not. Here are the logs from that. Once again, thank you very much.

PS. Do you recommend I keep all the programs downloaded?
 
No, we will remove all those programs later.

Vongo is still starting with Windows.
We need to stop it from running, then remove it.

KillBox is a tool to delete in-use files; if the file is running, KillBox will attempt to end the process (close the running file) and delete it.

Download KillBox: http://www.killbox.net/downloads/KillBox.exe
Run it, and copy and paste this line into the path box: C:\Program Files\Vongo\Tray.exe
Click the red X (delete button).

Restart back into Safe Mode.
Locate the C:\Program Files\Vongo folder and delete it.

Start an HJT scan, still in Safe Mode.
Tick and fix the following entries:
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Unknown owner - C:\Program Files\Norton AntiVirus\isPwdSvc.exe (file missing)
O23 - Service: Symantec AppCore Service (SymAppCore) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe (file missing)

Restart back into Normal mode.
Provide another HJT scan log (I want to see if it's now removed ;) ).
 
I followed your instructions. C:\Program Files\Vongo\Tray.exe and C:\Program Files\Vongo supposedly did not exist... I went through it manually and deleted all these... the only thing left is the Vongo in Add/Remove Programs, which won't let me delete it because it's in 'Safe Mode' (but it won't show in Normal mode) and/or because the installer is not 'correctly installed'. Thank you very much, and here is my log.
 