also @ TechSpot: Exploit allows command prompt to launch at Windows 7 login screen

TechSpot

Virtumonde Trojan - logs attached

Discussion in 'Virus and Malware Removal' started by AcrylicAce, May 1, 2009.

Thread Status:
Not open for further replies.

  1. AcrylicAce Newcomer, in training

    I had this trojan a long time ago.... i remember it being very difficult to get off of my computer. Now I get the pleasure of having it again!

    Would really appreciate some help.

    Thanks!
    AcrylicAce, May 1, 2009
    #1

  2. touch Newcomer, in training

    Hello AcrylicAce

    You have Viewpoint running on your computer -

    Viewpoint is considered foistware and is not needed on your computer.


    Download and unzip to own folder on Desktop - http://bellsouthpwp.net/p/r/prprogramsstudios/viewpointkiller.zip

    Run ViewpointKiller.exe

    Reboot.

    Please download Combofix:
    http://subs.geekstogo.com/ComboFix.exe
    And save to the desktop.

    Open notepad and copy/paste the text in the quotebox below into it:
    Name the file as CFScript
    and Save it on the desktop

    http://www.fromsej.saknet.dk/billeder/cfscript.gif

    Once saved, refering to the picture above, drag CFScript.txt into ComboFix.exe.

    Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
    touch, May 2, 2009
    #2

  3. AcrylicAce Newcomer, in training

    Thanks so much for the help so far!

    Here is the log after combofix.
    AcrylicAce, May 2, 2009
    #3

  4. touch Newcomer, in training

    P2P software/programs are a major contributor to your infections.

    We reserve the right to withdraw our support:
    If such programs are found in your logs
    Should you not agree to their removal.
    As they are normally set to bypass your Firewall and Anti-Virus software
    Filesharing/P2P Programs serves as a constant threat to your computer

    Uninstall:
    c:\program files\Vuze - you decide ;)

    If you remove it, reboot, attach new combofix log
    touch, May 3, 2009
    #4

  5. AcrylicAce Newcomer, in training

    Hm... i read the rules... i thought that I deleted it. I guess I missed part of it. Sorry about that.

    Here it is after I deleted the P2P software.
    AcrylicAce, May 3, 2009
    #5

  6. touch Newcomer, in training

    No problem :)

    Open notepad and copy/paste the text in the quotebox below into it:
    Name the file as CFScript
    and Save it on the desktop

    http://www.fromsej.saknet.dk/billeder/cfscript.gif

    Once saved, refering to the picture above, drag CFScript.txt into ComboFix.exe.

    Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post


    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
    touch, May 3, 2009
    #6

  7. AcrylicAce Newcomer, in training

    New combofix log.
    AcrylicAce, May 3, 2009
    #7

  8. touch Newcomer, in training

    It looks clean.


    Please attach new hijackthis log, and tell how things are running ?
    touch, May 3, 2009
    #8

  9. AcrylicAce Newcomer, in training

    Seems to be running good today. Thanks a ton!
    AcrylicAce, May 3, 2009
    #9

  10. touch Newcomer, in training

    Sounds good, and hijackthis log looks clean :)

    Now your computer problems are solved, it is time for the cleanup procedure -

    You should Create a New Restore Point to prevent possible reinfection from an old one.
    The easiest and safest way to do this is:
    Go to Start > All Programs > Accessories > System Tools > System Restore
    Select Create a restore point, and Ok it.
    Next, go to Start > Run and type in cleanmgr
    Select the More options tab
    Choose the option to clean up system restore and OK it.

    This will remove all restore points except the new one you just created.

    Please download OTCleanIt
    Save it to desktop.
    This will remove all the tools we used to clean your computer.
    Double-click OTCleanIt.exe. Click CleanUp. Say Yes to the "Begin cleanup Process?"
    When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
    Please note. It will NOT remove Mbam, Ccleaner and SuperAntispyware.

    To learn more about how to protect yourself while on the internet, please read Tony KleinĀ“s guide:
    How did I get infected in the first place

    Happy and safe surfing :wave:
    touch, May 4, 2009
    #10

  11. AcrylicAce Newcomer, in training

    hm... my virus protection software picked up that the trojan is still on my computer. It won't delete it however... it just keeps showing up.
    AcrylicAce, May 7, 2009
    #11

  12. touch Newcomer, in training

    Where are the trojan located - Filename and path ?
    touch, May 7, 2009
    #12

  13. AcrylicAce Newcomer, in training

    C:\system volume information\_restore{9904F6A4-F24E-40A9-8677-3B670F9D1213}\RP253\A0022440.exe

    and another one with everything the same except the end is A0022441.exe
    AcrylicAce, May 8, 2009
    #13

  14. touch Newcomer, in training

    Ok.

    Right-click the My Computer icon on desktop, and then click Properties.
    Click the System Restore tab.
    Check "Turn off System Restore" or "Turn off System Restore on all drives" as shown in this illustration:
    Click Apply.
    When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    Click OK.

    Reboot.


    Right-click My Computer, and then click Properties.
    Click the System Restore tab.
    Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
    Click Apply, and then click OK.

    Run new scan with your antivirus, and see if it still find them ?
    touch, May 9, 2009
    #14
Thread Status:
Not open for further replies.