Virtumonde virus

Status
Not open for further replies.

smopey

Hello, I've been having problems with the Virtumonde virus. I ran VundoFix but it didn't find anything. Here's my HJT log. Thanks in advance!

Logfile of HijackThis v1.99.1
Scan saved at 10:49:42 PM, on 1/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Moderator Edit:
Pasted logs removed. Logs must be attached
Note: You only need ONE post to attach these logs
Your 5 other "Hello There" replies now removed!
 
Please follow the steps here: Viruses/Spyware/Malware Preliminary Removal Instructions

You have also run an outdated version of HijackThis> Logfile of HijackThis v1.99.1
The current version will be found on the reference above in Step 7.

Please disable the Spybot Teatimer before scanning:
Disable Teatimer
* Right click the Image (Spybot -SD Resident Icon) located in your system tray
* This will bring up the Spybot options menu, uncheck Resident Protection
* Launch Spybot S&D Program
* Click on Mode at the top and make sure that Advanced is checked
* Expand the Tools tab in the left pane
* Single click on the Resident Icon also in the left pane
* Uncheck Resident "TeaTimer" (Protection of over-all system settings) Active
* Close Spybot
You can re-open the current HiJackThis and scan. *Check* the boxes next to all the entries listed below:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {52C6322C-4049-403E-ACB0-B7FE44E3C1F3} - (no file)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\byXQIYrq.dll
O2 - BHO: (no name) - {7FA625A8-195A-4617-91E9-53E6DFC71827} - C:\WINDOWS\system32\urqRHbAP.dll
O18 - Filter: text/html - {9bc6db65-00e4-4a6e-9185-2d21efa597ff} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll ysqvom.dll
O20 - Winlogon Notify: byXQIYrq - C:\WINDOWS\SYSTEM32\byXQIYrq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot.

Now proceed with running the malware cleaning programs outlined in the Steps.
When through attach all three logs. You will run HijackThis again after the other two programs.

Be sure you download this and run the current HijackThis v2.0.2 HERE

See How to post your Hijackthis log-file as an ATTACHMENT
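An added example, not code from the thread or from HijackThis: a small Python triage of the HJT lines quoted above, applying the same criteria the moderator used when picking entries to fix (orphaned "(no file)" keys, unnamed BHOs loading a DLL, extra AppInit_DLLs, and a Winlogon Notify hook that shares its DLL with an unnamed BHO). The sample log is constructed from the lines on this page plus one benign control entry with a placeholder CLSID; the AppInit allow-list is an assumption.

```python
import re

# Constructed sample input: the HijackThis lines quoted in the thread,
# plus one benign BHO with a placeholder CLSID as a control.
SAMPLE_LOG = """\
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {52C6322C-4049-403E-ACB0-B7FE44E3C1F3} - (no file)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\\WINDOWS\\system32\\byXQIYrq.dll
O2 - BHO: (no name) - {7FA625A8-195A-4617-91E9-53E6DFC71827} - C:\\WINDOWS\\system32\\urqRHbAP.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
O18 - Filter: text/html - {9bc6db65-00e4-4a6e-9185-2d21efa597ff} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll ysqvom.dll
O20 - Winlogon Notify: byXQIYrq - C:\\WINDOWS\\SYSTEM32\\byXQIYrq.dll
"""

# Assumed allow-list: avgrsstx.dll is taken to belong to the AVG install that
# appears later in the thread; any other DLL injected into every process is flagged.
APPINIT_ALLOWLIST = {"avgrsstx.dll"}

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")


def parse_hjt(text):
    """Split each HJT line into its section code, kind and ' - '-separated fields."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            fields = [f.strip() for f in m.group("rest").split(" - ")]
            entries.append({"sec": m.group("sec"), "kind": m.group("kind"),
                            "fields": fields, "raw": raw.strip()})
    return entries


def triage(text):
    """Return (raw_line, reason) pairs for entries worth checking in HijackThis."""
    unnamed_bho_dlls = set()  # DLL names loaded by unnamed BHOs, for cross-referencing
    findings = []
    for e in parse_hjt(text):
        f = e["fields"]
        if f[-1] == "(no file)":
            findings.append((e["raw"], "orphaned entry: registry key points to a missing file"))
        elif e["kind"] == "BHO" and f[0] == "(no name)":
            unnamed_bho_dlls.add(f[-1].lower().rsplit("\\", 1)[-1])
            findings.append((e["raw"], "unnamed BHO loading " + f[-1]))
        elif e["kind"] == "AppInit_DLLs":
            for dll in f[0].split():
                if dll.lower() not in APPINIT_ALLOWLIST:
                    findings.append((e["raw"], "AppInit DLL not on allow-list: " + dll))
        elif e["kind"] == "Winlogon Notify":
            dll = f[-1].lower().rsplit("\\", 1)[-1]
            if dll in unnamed_bho_dlls:
                findings.append((e["raw"], "Winlogon Notify shares DLL with unnamed BHO: " + dll))
    return findings
```

Run on the sample, every line the moderator listed is flagged while the benign control entry is not; the Winlogon Notify rule only fires because the same DLL name appeared in an unnamed O2 entry earlier in the log.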
 
I'm having trouble getting rid of the virus. I got rid of all the HijackThis entries, but my computer freezes every time I try to run a malware program, or every time the screensaver comes on. It's not letting me go online either (I'm using a different computer now). Should I turn the TeaTimer back on now?
 
Disable the screen saver.
TeaTimer isn't going to do you much good at this point. The malware is already on the system.

1. Do you have Malwarebytes and SuperAntispyware installed on the problem computer?
2. If so, try booting into Safe Mode and running the programs.
To get into the Windows XP Safe mode, as the computer is booting- right after the logo loads, before Windows starts to load, tap the "F8 key" continuously until you get the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode" and press your Enter key.

The basic Safe Mode option is usually what most users will want to choose when troubleshooting their computer. This is the most basic Safe Mode option and has no additional support.

If you can use Normal mode, but the internet doesn't work, use another machine and removable media such as USB stick drive or CDR to transport tools to, and logs from, the infected machine.

It would be helpful to have some background on the malware infection and what you did previously to try and remove it.
 
Combofix will shred virtumundo in minutes (along with a zillion other pains in the tush). Read the tutorial and download it here.
 
Since he can't get on the internet, he probably won't be reading 'tutorials'.

And telling someone to use ComboFix without any knowledge of what they have on their system is just plain very bad advice!

I have requested this:
It would be helpful to have some background on the malware infection and what you did previously to try and remove it.
I've been having problems with the virtumonde virus.
We have only the user's comment: no logs showing this, no information on how he thinks he knows he has this malware. Even what was seen in the first HijackThis log doesn't give enough information.

So don't tell someone to go to war with a cannon when a pistol might be enough!
 
Maybe, until the OP realizes that the Winlogon entries you told him to check and delete will not be deleted by HJT because it can't unless the file itself no longer exists. Winlogon entries, and files, are protected and cannot be deleted in Safe Mode or Normal Mode (this includes using tools like Killbox). The only thing that will get rid of them easily is combofix (and even then a couple of them combofix can't tackle, in which case they have to be deleted from the recovery console or an XP live CD). The reason Combofix can get them is because it reboots the computer and prevents the .dlls from being called while it zaps them.

Oh, then there's the Appinit .DLLs.. And....
 
I have superantispyware on the computer now. I'll try running it in safe mode and see if that helps.

I ran adaware, spybot search and destroy, ccleaner, superantispyware, and avg antivirus.. nothing worked so far!
 
I ran adaware, spybot search and destroy, ccleaner, superantispyware, and avg antivirus.. nothing worked so far!
Are the programs finding anything?
What is being done with the entries?

Do you have logs for us?
 
The HijackThis Log must be viewed first
Plus the Malwarebytes and SuperAntiSpyware logs need to be attached
Before deciding on best action

Combofix and its use has already been discussed as not to use until deemed necessary.
 
If after several of the standard programs fail, Combofix should be used as it tends to reveal some insights on the user's computer. Do not hesitate over using it just because another user had over-advocated its use; it is still a very powerful and helpful tool.
 
smopey, please post your logs and I will help with the malware removal. If the logs show the need for additional programs we will run them.

Please disregard the non-related posts on this thread.
 
I scanned the computer in Safe Mode and it seemed to get rid of the virus, but once I went back into Normal Mode the problems continued. Here's my HJT log. Thanks again!
 
You are running two antivirus programs> AVG and Symantec.
Decide which you want to keep and remove the other. For now, don't do anything about Avira-
A few of the entries:
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe

You have been asked multiple times to follow the 8 steps and to include the Malwarebytes and SuperAntispyware logs with the HijackThis logs. See my post #4 if you need directions.

Your HijackThis log has numerous entries to be removed. But running the other two programs first will handle most of them.
For example, some of the entries:
O2 - BHO: (no name) - {52C6322C-4049-403E-ACB0-B7FE44E3C1F3} - (no file)
O2 - BHO: (no name) - {563ACBC2-9EC5-4329-93B8-CFDE3F0027A6} - (no file)
O2 - BHO: (no name) - {7FA625A8-195A-4617-91E9-53E6DFC71827} - (no file)
 
I can't post any other logs besides HJT. Every time I scan the computer, with any program, the scan stops halfway and never finishes.
 
Okay, handle this:
You are running two antivirus programs> AVG and Symantec.
Decide which you want to keep and remove the other. For now, don't do anything about Avira-
Then, per Post #4:
Disable the screen saver.
Disable TeaTimer
1. Do you have Malwarebytes and SuperAntispyware installed on the problem computer?
2. If so, try booting into Safe Mode and running the programs.
To get into the Windows XP Safe mode, as the computer is booting- right after the logo loads, before Windows starts to load, tap the "F8 key" continuously until you get the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode" and press your Enter key.

The basic Safe Mode option is usually what most users will want to choose when troubleshooting their computer. This is the most basic Safe Mode option and has no additional support.

Please re-open HiJackThis> click on System Scan Only and scan. Check the boxes next to all the entries listed below.
O2 - BHO: (no name) - {52C6322C-4049-403E-ACB0-B7FE44E3C1F3} - (no file)
O2 - BHO: (no name) - {563ACBC2-9EC5-4329-93B8-CFDE3F0027A6} - (no file)
O2 - BHO: (no name) - {7FA625A8-195A-4617-91E9-53E6DFC71827} - (no file)
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into Safe Mode.
Try and complete the scans while in Safe Mode, then attach the logs.

When through, rescan with HijackThis and include new log.
I ran adaware, spybot search and destroy, ccleaner, superantispyware, and avg antivirus.. nothing worked so far!
I ran the vundofix but it didn't find anything

IF you can include any of the logs from all the security programs you said you ran, that would be helpful.
 
OK, I'll try that and post whatever logs I can get. Whenever I scan the computer in Safe Mode, everything comes back clean, but I notice it's not scanning the same number of files it would have scanned in Normal Mode. Then once I get back into Normal Mode, all the same problems are back!
 
Check the Device Manager to see if there are any errors.

Control Panel> System> Hardware tab> Device Manager> Look for a yellow triangle with black exclamation point meaning error with a driver. Expand each section if needed. The problem indicates strongly that there is a driver problem since you're okay in Safe Mode but not in Normal Mode.
 
Alright, the computer seems to be working much better. I'm actually using it right now. I attached all three logs. Hopefully this did the trick!
 
Okay then! Let's stop the tracking cookie. You have one that is particularly persistent. Otherwise, the logs are clean.

Reset Cookies:
For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.
Then click on the Security tab> Trusted Sites> Sites> highlight and remove ad.yieldmanage if there> Apply> OK.
Then Security> restricted Sites> Sites> type in *.ad.yieldmanage then Add> Apply> OK

Update Adobe:
Your Adobe Reader is out of date. Vulnerabilities can be exploited. Click here to download the latest version v9: https://www.techspot.com/downloads/2083-adobe-reader-dc.html
OR
Install the FoxIt Reader: this does the same thing as Adobe, but doesn’t have the bloat: http://www.foxitsoftware.com/pdf/rd_intro.php

You can remove the cleaning tools now:
Download OTCleanIt HERE & save it to your desktop.
Double click on OTCleanIt.exe.
Click on CleanUp!.
It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
You will receive a prompt that it needs to restart the computer to remove the files>
Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.
This will remove the O20 entry in HijackThis.

Clear your existing System Restore points and establish a new clean restore point:
1. Go to Start > All Programs > Accessories > System Tools > System Restore
2. Select Create a restore point, and OK it.
3. Next, go to Start > Run and type in cleanmgr
4. Select the More options tab
5. Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.
Please let me know if I can be of further help.
 
Thank you so much!! One thing: the O20 entry you were talking about is still coming up in my HJT log.
 