Virtumonde

[sauron4]

I have somehow got this virus/spyware on my machine and i have tried everything to get rid of it. I have even formatted my drive and it still hasn't gone. I have used loads of programs and they still haven't dont anything. I have also tried to do regedit but nothing was there. The programs i have used are.

- SpyBot
- VundoFix
- VirtumondoBeGone
- ParetoLogic Anti-Spyware
- SDFix
- ComboFix
- SpyHunter
- SuperAntiSpyware
- Spyware Doctor
- FixVundo
- Malware Bytes
- Ad-Aware

I have probably missed some of the programs out. Does anyone have any other suggestions?

 

[kimsland]

Yes remove all those programs ! (except - SuperAntiSpyware and MalwareBytes)

And do this: UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions

 

[sauron4]

Ok thanks, I will try that when i am on the computer which has virtumonde. I will post back here and let you know if it removed it or not.

 

[kimsland]

Thanks

 

[sauron4]

Done them and SUPERAntiSpyware picked it up but not sure if it removed it.

I have attached the MalwareBytes log and Hijack This

 

[kimsland]

Uninstall your AVG Antivirus
Then run the removal tool
Here is the 32Bit version (most users): http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe
Here is the 64Bit version: http://www.avg.com/filedir/util/avg_arv_sup_____.dir/avgremoverx64.exe

Install Avira free AntiVirus
Start up Malwarebytes again; Update it; then run a full scan (remove all found Malwares)
You need to run this multiple times, until all hidden Malwares are uncovered and removed

Please note during the Scan Avira may popup with found Viruses, please select quarantine, and make it the default action for all found Viruses (that way you won't get anymore popups)

Once finished
Restart
Then run another HJT Scan log (to be attached)

Supply the
Malwarebytes Scan log
SuperAntiSpyware log
Avira Log
HJT log

Doing the above will rid your computer of most, if not all, Malwares

 

[sauron4]

I have tried to uninstall AVG and it wont uninstall. This is the error message i get.

Local machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Error 0x80070005

 

[kimsland]

Then run the removal tool

Note: You may need to run the removal Tool in Safe Mode (but normally you don't have to)

 

[sauron4]

Here are all the logs.

 

[kimsland]

Malwarebytes' Anti-Malware
Scan type: Quick Scan
Time elapsed: 2 minute(s)

Best to update MalwareBytes (it updates often) and run a Full scan

Please run the Norton Removal tool as traces of Norton Antivirus still exist

You may also now remove SuperAntiSpyware (your choice)

Clear & Reset System Restore's Cache

Then go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter
* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply
Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

-------------

Then download Combofix
Lots of info on its use h e r e
Direct download h e r e

Save it to a location that you can easily find later (in Safe Mode) ie directly to C drive

Restart your computer to Safe Mode (by repeatedly pressing F8 on your keyboard before Windows starts)
Log into your Administrator account
Locate the previously downloaded Combofix
Double click on it to run, answering any prompts along the way
Note: during Combofix scan (lasting up to 10mins) your Desktop and clock may reset (all normal)

Once Combofix has finished, save the log file to be attached to a new reply
Restart back to Normal mode, and attach the Combofix log

Whilst waiting for my reply, you may want to re-open Malwarebytes; update it again; and then run another full scan (I'm thinking there may still be more uncovered malwares to remove) I would do this

 

[sauron4]

Here is the ComboFix Log.

I am running a Full Scan of Malwarebytes Anti-Malware at the moment.

Thanks for all the help by the way.

/edit - Malwarebytes Scan finished - have attached the log.

 

[kimsland]

Please uninstall:
uTorrent
SUPERAntiSpyware
Combofix (Start->Run-> combofix /u)
Run the AVG removal tool again
Run the Norton Removal tool

Restart

Provide a new HJT scan log after restart

 

[sauron4]

Done all that. Here is the new HiJackThis Log.

 

[kimsland]

You have 2 Printers starting up.
If this is correct, leave as is. If not please remove one, through Add\Remove Programs
Reference here:

O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

Please do another scan with HJT, and tick all the following entries
Before selecting Fix all, close all open programs including your Internet Browser

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Design\Adobe Creative Suite 3\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\Music Apps\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - AppInit_DLLs: bddgsg.dll uyrgsd.dll qfvbjj.dll

Restart
Clear & Reset System Restore's Cache

Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter
* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply
Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

Then please advice how your computer seems to be running
Also I notice that Malwarebytes is starting with Windows, I suspect you must have bought it to allow resident protection

 

[sauron4]

Ok - i have done that, and it is still running slow.

Yeah we use it at work, so borrowed it from them to try and get rid of this virus.

 

[kimsland]

still running slow.

Still?

Ok, try this:

Download Combofix
Lots of info on its use h e r e
Direct download h e r e

Save it to a location that you can easily find later (in Safe Mode) ie directly to C drive

Restart your computer to Safe Mode (by repeatedly pressing F8 on your keyboard before Windows starts)
Log into your Administrator account
Locate the previously downloaded Combofix
Double click on it to run, answering any prompts along the way
Note: during Combofix scan (lasting up to 10mins) your Desktop and clock may reset (all normal)

Once Combofix has finished, save the log file to be attached to a new reply
Restart back to Normal mode, and attach the Combofix log

 

[sauron4]

Ok, here is the ComboFix Log.

When i ran it in safemode - it came up saying that AVG and Avira were still running. I don't see how AVG can still be running because i have removed it with that AVGRemover tool you directed me to.

 

[kimsland]

That's strange.
I see Combofix states that too

Please try this other AVG removal tool:

# download the archive avg8.zip
# unpack all files from the archive avg8.zip into one folder
# run the file KLeaner.exe
# wait until the utility finishes its work
# restart your PC

 

[sauron4]

When i double click on it, it doesn't do anything.

I swear that its a Kaspersky Lab Cleaner anyway not AVG.

 

[kimsland]

Download the following 4 tools, and print these instructions

1. Download VundoFix; Trojan.Vundo Removal Tool; VirtumundoBeGone and ComboFix.
2. Go Offline - pull the cable network, turn off wireless card, turn off your modem.
3. Restart computer and press F8 to run Windows in Safe Mode
4. Run VundoFix.. Click on the Scan for Vundo. Scanning will begin, which takes a long time. In the white box will display the names of infected files. After the scan is complete click Remove Vundo, removal will begin. Confirm by clicking Yes. The application should ask for permission to restart your computer - click Yes. Start Windows in Safe Mode again.
5. Run FixVundo. Click Start, and then follow the instructions. It should be noted that this application can deal only with older mutations Vundo (Virtumonde).
6. Run VirtumondoBeGone. Click Continue and wait for the report.
7. Run ComboFix. Then, in the two windows that appear click Yes, and start scanning and removal of any Vundo (Virtumonde) infection. During this operation, you are not allowed to move the mouse or perform other actions. After the scan is complete, program will show a text file - a report from the program's action.
8. Restart computer and run Windows normally.
9. Attach the report

 

[sauron4]

Here are the logs.

None of them found anything.

 

[kimsland]

Your last HJT log still had Symantec starting up
The removal tool was run?

Also this entry:

O20 - AppInit_DLLs: bddgsg.dll uyrgsd.dll qfvbjj.dll

Please re-scan with HJT and tick that box and select Fix (with your Internet Browser closed

Restart

Then scan with HJT again and provide the log once more
Also reporting on how it still is

 

[sauron4]

That wasn't on there.

But here is the log.

 

[kimsland]

There's nothing wrong with HJT log (except maybe too many Adobe startups)
Are there still issues with your computer?

 

[sauron4]

Yeah it still runs slow.

Do you think its worth formatting it and rebooting windows again?

Also the adobe startups - could that be because i have the master suite?