Help please virus (virtumonde)

Light Poster

30 posts since Oct 2008

Reputation Points: 10

Solved Threads: 0

Hi computerguy, do the following;
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
Reboot the computer

Please Run the ESET Online Scanner and attach the ScanLog with your post for assistance.

* You will need to use Internet Explorer to to complete this scan.
* You will need to temporarily Disable your current Anti-virus program. AND Spybot TeaTimer if it is running.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
Reboot the computer

Download HiJackThis. Run a full system scan with it and save the log.
Post back here with all three logs.

Posting Expert

Moderator

5,785 posts since Jul 2008

Reputation Points: 725

Solved Threads: 340

WOW sounds like alot of things..! why cant i remove it with one program only???i hate viruses!
Anyway, im on it...ill do it step by step and post the logs, if youre interested i already have a hijack this log from last night maybe i can post that?

Thanks,

Light Poster

30 posts since Oct 2008

Reputation Points: 10

Solved Threads: 0

No, we would need a new HJT log done AFTER the computer is cleaned or, we hope will be cleaned, those other two scans.
With these infections today it is very rare that only one program will remove them. Right now there are only two programs you need to run and HOPEFULLY that will be all, but I cannot make promises on that either.
virtumonde is a trojan not a virus. Probably one reason the two programs you have run will not remove it though they CAN detect it, which is good because hopefully it was found early enough that no permanent damage has been done. Trojans usually are NOT removed by an antivirus program, why? because it is not a virus. Virtumonde usually comes onto a computer because of outdated java programs, though there can also be other reasons too. Trojans usually need specialized tools for removal, one of these IS MBA-M, which right now seems to be the best program available for removal of trojans and malware. Take a look at the majority of threads here right now, the bulk of them have had MBA-M as one of the tools we recommend most because it does a superior job of removal today. We request the ESET online antivirus scanner or several others also because if there is one infection on a computer then chances become more likely there are others too, because the system defenses are weakened which can allow viruses onto the computer too. We need to cover ALL bases here to be certain your computer gets clean.
Neither of these two programs should take extraordinarily long to run and clean but even if they do if you choose NOT to run them what will happen for certain is more and more infections until finally the computer could suffer severe damage to key operating system files, possible loss of very important personal files, then your only option would be reformat.
So you choose.
Judy

Posting Expert

Moderator

5,785 posts since Jul 2008

Reputation Points: 725

Solved Threads: 340

WOW, ok this sounds more serious than i thought.

I am running the malware scan as we speak now, then i will restart and run online scan. Then i will restart and run hijackthis and post the log as well as the other logs also.
Is there a chance malware program will remove it?
If not, you mentioned IS-MBAM i really dont know what it stands for....but it seems good. Would that remove it?

Thanks alot...
will post logs soon..:)

Light Poster

30 posts since Oct 2008

Reputation Points: 10

Solved Threads: 0

WOW, ok this sounds more serious than i thought.

I am running the malware scan as we speak now, then i will restart and run online scan. Then i will restart and run hijackthis and post the log as well as the other logs also.
Is there a chance malware program will remove it?
If not, you mentioned IS-MBAM i really dont know what it stands for....but it seems good. Would that remove it?

Thanks alot...
will post logs soon..:)

MBA-M stands forMalwarebytes' Anti-Malware
That is the first program I noted that you should run. When I capitalized the IS I meant it "IS" one of the best, didn't mean to make it part of the name. It takes care of hundreds of nasty items now and hopefully will do the trick for you. It is a super program and you should keep it and use it, updating before each scan, at least once a week. Remember though, it is not the "end all and be all" of removal programs, just one of the better ones out there today and it DOES remove many of the trojans out there now. You would still need a good, onboard anti-virus program and firewall too.
I will wait for you to post the three logs requested and we can better see where things stand.
Judy

Posting Expert

Moderator

5,785 posts since Jul 2008

Reputation Points: 725

Solved Threads: 340

ok cool thanks,

just wanted to let u know i ran spybot after malwarebytes finished and it didnt detect anything when it always used to detect virtumonde. However, im still getting weird virus popups and slowdowns.

I have avg internet security on my computer. It has a firewall and lots of other things...but i guess it does not detect vitumonde. Malwarebytes is not free is it? i thought i saw buy now when i was downloading, not very sure.

posting logs later today
thanks

Light Poster

30 posts since Oct 2008

Reputation Points: 10

Solved Threads: 0

I have to ask that you ONLY run the programs requested here until told otherwise. Spybot is a great program but right now let's work with the two requested.
Judy

Posting Expert

Moderator

5,785 posts since Jul 2008

Reputation Points: 725

Solved Threads: 340

Malwarebytes' Anti-Malware 1.28
Database version: 1270
Windows 6.0.6001 Service Pack 1

10/15/2008 8:36:23 PM
mbam-log-2008-10-15 (20-36-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 255592
Time elapsed: 2 hour(s), 47 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Amr\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KMGQND8O\cntr[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Amr\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YV31OOMM\nd82m0[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Amr\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YV31OOMM\nd82m0[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Amr\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YV31OOMM\upd105320[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Amr\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZVZVZOOG\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Amr\Favorites\Free MP3 Search.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Users\Amr\Start Menu\Free MP3 Search.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Users\Amr\Favorites\Free Porn.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Users\Amr\Start Menu\Free Porn.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Users\Amr\Favorites\Search Online.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Users\Amr\Start Menu\Search Online.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Users\Amr\Favorites\VIP Casino.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Users\Amr\Start Menu\VIP Casino.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Windows\System32\m.ico (Malware.Trace) -> Quarantined and deleted successfully.

Light Poster

30 posts since Oct 2008

Reputation Points: 10

Solved Threads: 0

running online scan now

Light Poster

30 posts since Oct 2008

Reputation Points: 10

Solved Threads: 0

I will be away for the next four days. Crunchie will be checking on threads. Please follow any instructions he may give you.
Judy

Posting Expert

Moderator

5,785 posts since Jul 2008

Reputation Points: 725

Solved Threads: 340

Hey, sorry for the delay...The online scan finished with no threats found but i cant seem to locate a log. It doesnt open a log or anything....so thats it for that.

Ill do the hijack this now and hope to get a reply from you soon.,

Thanks,

Light Poster

30 posts since Oct 2008

Reputation Points: 10

Solved Threads: 0

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:11:56 PM, on 10/16/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\DupeEliminator\DupeEliminator.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Media Content Collection (VAIOMediaPlatform-UCLS-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe
O23 - Service: VAIO Media Content Collection (HTTP) (VAIOMediaPlatform-UCLS-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Content Collection (UPnP) (VAIOMediaPlatform-UCLS-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9894 bytes

This is the last step of what you asked me to do right?

Please tell me of anything else i need to do.

Waiting your reply,
thanks...

Light Poster

30 posts since Oct 2008

Reputation Points: 10

Solved Threads: 0

Can you please do the following.

===============

Can you disable Windows Defender as it may interfere with the removal process. Please leave it disabled until your PC has been given the all clear.Open Windows Defender
Click Tools
Click General Settings
Scroll down to Real Time Protection Options
Uncheck Turn on Real Time Protection (recommended)
After you uncheck this, click on the Save button
Close Windows Defender

===============

Scan with HijackThis and then place a check next to all the following, if present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O13 - Gopher Prefix:

Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

crunchie

Most Valuable Poster

Moderator

20,095 posts since Feb 2004

Reputation Points: 1,142

Solved Threads: 985