Virtumonde Trojan - logs attached

Status
Not open for further replies.

AcrylicAce

I had this trojan a long time ago.... I remember it being very difficult to get off of my computer. Now I get the pleasure of having it again!

Would really appreciate some help.

Thanks!
 
Hello AcrylicAce

You have Viewpoint running on your computer -

Viewpoint is considered foistware and is not needed on your computer.


Download and unzip to own folder on Desktop - http://bellsouthpwp.net/p/r/prprogramsstudios/viewpointkiller.zip

Run ViewpointKiller.exe

Reboot.

Please download Combofix:
http://subs.geekstogo.com/ComboFix.exe
And save to the desktop.

Open notepad and copy/paste the text in the quotebox below into it:
Name the file as CFScript
and Save it on the desktop

Killall::
Snapshot::
File::
C:\WINDOWS\system32\yubuguyi.dll

http://www.fromsej.saknet.dk/billeder/cfscript.gif

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

Combofix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
 
P2P software/programs are a major contributor to your infections.

We reserve the right to withdraw our support:
If such programs are found in your logs
Should you not agree to their removal.
As they are normally set to bypass your Firewall and Anti-Virus software,
Filesharing/P2P programs serve as a constant threat to your computer.

Uninstall:
c:\program files\Vuze - you decide ;)

If you remove it, reboot and attach a new combofix log.
 
Hm... I read the rules... I thought that I deleted it. I guess I missed part of it. Sorry about that.

Here it is after I deleted the P2P software.
 
No problem :)

Open notepad and copy/paste the text in the quotebox below into it:
Name the file as CFScript
and Save it on the desktop

Killall::

Snapshot::

File::
c:\windows\system32\harazawi.dll.tmp
c:\windows\system32\wiheledo.dll.tmp

http://www.fromsej.saknet.dk/billeder/cfscript.gif

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

Combofix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post.


Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
 
It looks clean.


Please attach a new hijackthis log, and tell me how things are running.
 
Sounds good, and hijackthis log looks clean :)

Now your computer problems are solved, it is time for the cleanup procedure -

You should Create a New Restore Point to prevent possible reinfection from an old one.
The easiest and safest way to do this is:
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.

Please download OTCleanIt
Save it to desktop.
This will remove all the tools we used to clean your computer.
Double-click OTCleanIt.exe. Click CleanUp. Say Yes to the "Begin cleanup Process?"
When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
Please note. It will NOT remove Mbam, Ccleaner and SuperAntispyware.

To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
How did I get infected in the first place

Happy and safe surfing
 
hm... my virus protection software picked up that the trojan is still on my computer. It won't delete it however... it just keeps showing up.
 
C:\system volume information\_restore{9904F6A4-F24E-40A9-8677-3B670F9D1213}\RP253\A0022440.exe

and another one with everything the same except the end is A0022441.exe
 
Ok.

Right-click the My Computer icon on desktop, and then click Properties.
Click the System Restore tab.
Check "Turn off System Restore" or "Turn off System Restore on all drives" as shown in this illustration:
Click Apply.
When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
Click OK.

Reboot.


Right-click My Computer, and then click Properties.
Click the System Restore tab.
Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
Click Apply, and then click OK.

Run a new scan with your antivirus, and see if it still finds them.
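As an added, defender-side example (not from this thread, and not part of ComboFix or any other tool named here): a small Python triage helper that tells a System Restore point copy of a flagged file, like the two A00224xx.exe detections above, apart from a live file in system32, so the matching remediation is chosen. Sample paths are the ones posted in the thread plus one constructed entry.

```python
import re
from pathlib import PureWindowsPath

# Matches a file stored inside a Windows XP System Restore point, e.g.
# C:\System Volume Information\_restore{GUID}\RP253\A0022440.exe
RESTORE_POINT_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\system volume information\\_restore"
    r"\{(?P<guid>[0-9A-Fa-f-]{36})\}\\RP(?P<rp>\d+)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)

def classify_detection(path: str) -> dict:
    """Classify one antivirus detection path and attach the remediation it calls for."""
    m = RESTORE_POINT_RE.match(path)
    if m:
        # Inert copy: it only becomes a threat if that restore point is applied.
        return {
            "path": path, "category": "restore_point_copy",
            "restore_point": int(m.group("rp")), "guid": m.group("guid").upper(),
            "file": m.group("name"),
            "remediation": "purge old restore points (disable, reboot, re-enable System Restore), then rescan",
        }
    p = PureWindowsPath(path)
    if "system32" in (part.lower() for part in p.parts):
        # Live file in the system directory: remove it with the cleanup tool and verify after reboot.
        return {"path": path, "category": "live_system32_file", "file": p.name,
                "remediation": "remove (e.g. a ComboFix File:: entry) and rescan after reboot"}
    return {"path": path, "category": "other", "file": p.name, "remediation": "investigate"}

def triage(paths):
    """Group detections by category and collect the restore point numbers involved."""
    summary = {"restore_point_copy": [], "live_system32_file": [], "other": []}
    restore_points = set()
    for path in paths:
        r = classify_detection(path)
        summary[r["category"]].append(r["file"])
        if r["category"] == "restore_point_copy":
            restore_points.add(r["restore_point"])
    return summary, sorted(restore_points)

# Constructed sample: the paths from this thread plus one unrelated file.
SAMPLE_DETECTIONS = [
    r"C:\system volume information\_restore{9904F6A4-F24E-40A9-8677-3B670F9D1213}\RP253\A0022440.exe",
    r"C:\system volume information\_restore{9904F6A4-F24E-40A9-8677-3B670F9D1213}\RP253\A0022441.exe",
    r"c:\windows\system32\harazawi.dll.tmp",
    r"C:\temp\sample.exe",
]

if __name__ == "__main__":
    groups, rps = triage(SAMPLE_DETECTIONS)
    for category, files in groups.items():
        print(f"{category}: {files}")
    print(f"restore points to purge: {rps}")
```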
 