TomZT
2009-11-11, 01:07
First allow me to thank you for the help you provide to others! I have read a number of posts by others concerning "virtumonde" malware and dread the thought of going through all that other posters have gone through with HJT, ComboFix, and DDS log postings but have resigned myself to the task if necessary.
I have also read and understand the Sticky "Before Posting" thread but really need some guidance before I start downloading any tools, creating logs, or trying fixes.
I currently have 5 computers on a local area home network that are used by myself, my wife, and children. 4 machines are running XP Pro and 1 old Windows 3.1 machine connected to 2 of the XP machines via the old Netbui protocol. 3 of the XP machines are used regularly for internet access via router, and high speed modem cable service and are protected with AVG free 8.5 and SpyBot 1.6.2(?) and SpyBot Resident Shield. All these XP machines have SP2 installed but I don't believe any have SP3. These 3 XP machines also have automatic Windows updates.
The 4th and newest XP machine IS connected to the LAN but is not used for the internet and does not share any of its drives or folders; this machine's Windows Firewall is ON but has no AVG or SpyBot installed. It is used mostly for backing up photos and other files from the other machines.
Last evening my wife clicked on a Google link reported as "Safe" by AVG and WHAM! SPyBot Resident Shield (??? Not sure if this was really Res Shield though the tray Icon showed a gray shield and Blue bar similar to the shield in SpyBot's Immunize Button.???) lit up like a Christmas tree announcing that the computer was under virus attack. This was followed shortly by a series of other warnings and popups with Red Title bars showing "Anti Virus System Pro Alert". These pop up warnings could not easily be closed or shut down. I had never seen the System Pro Alerts and never installed anything from AV System Pro and so assumed these were FAKE or FRAUD Virus warnings. They reported AVG was infected, Task Manager infected etc and intially I could not start either. IE 7 also opened spontaneously connecting to undesireable websites. I eventually got the "?bogus?" warning windows closed (I'm not really sure how) and spent most of the night running scans with SpyBot and AVG. I also disconnected the problem machine's network cable and also ran SpyBot and AVG scans on the other XP machines too. Fortunately, the other XP machines scanned clean with no signs of problems. I am posting from one of these now.
The initial SpyBot scan on the problem machine showed a number of "threats"; 2 fakes Virus Warnings - Malware Threat, One Windows Firewall Bypass - Security Threat, and Virtumonde.prx - Malware Threat. Some of these threats showed multiple entries. Before finishing the scan SpyBot hung up and became unresponsive so I could not Select Fix problems. I then restarted the SpyBot Scan and as each threat was detected I manually stopped the scan and fixed each problem as it appeared. I then started successive new scans and repeated this process until the only remaining threat was Virtumunde.prx which would report it as Fixed but still shows up on successive scans. I also ran an AVG scan which showed a bunch of tracking cookies and 6 threat warnings - Generic Trojans and Scheurs (or something like that) which were healed successfully Another AVG scan showed no problems. I gave up for the night and started again this morning with SpyBot and got the same results; Virtumonde.prx appears to be "fixed" but shows up again on the next scan and finally the same condition for Virtumonde.sdn as well.
I then tried to restart the problem machine in safe mode (holding F8) but not sure if I was successful in doing so. There was no desktop icons or Task bar and Spybot started a scan in an small window format all by itself. I let that scan run to completion reporting both Virtumonde.prx and .sdn and clicked Fix selected problems apparently with success. I then restarted the machine normally and all the original (bogus or not)SpyBot?, Anti Virus System Pro? warnings and symptoms appeared again. IE7 also opened and tried to connect but without the network cable plugged in IE7 could not do so.
I have changed one thing on the problem machine in trying to troubleshoot. I also noticed in Task Manager's process window that "alg.exe" was flashing on and off in highlight. I googled alg.exe from my own computer and read that this could be a fake virus threat if not located in the Windows\system32 folder. I searched the problem machine for this "alg" executable file and found several in Windows subfolder but another instance of the file in a Windows "prefetch" folder that showed as alg.exe followed by some random letters and numbers. I renamed this "suspect" alg.exe file with a prefix of "BAD_" just to see if that file was related to the problems before quitting last night.
I've now shut down the problem machine and looking for some guidance as to what exactly I should do next to resolve this problem. I am hesitant to reconnect this machine to the network to avoid the possibility of becoming more infected or damaging any of the other machines on the LAN. I really need some help with this!
Sorry for the length of this post!
My intent is not to "Bump" my post but rather clarify my dilemma and facillitate your assistance. Having never had to do anything like this before, I want to be sure I am doing things right and not doing things wrong; thereby causing any further problems. Also, based on starting dates of other threads and their first reply dates, I do not think anyone has yet started in on mine. I am hoping this post will help you assist me and not push me back in line but if it does, so be it.
At the time of my initial post, I was afraid to reconnect or even restart the problem computer to avoid causing any more problems or possibly infecting our other computers or anyone elses. After SpyBot and AVG successfully removed all the threats described in my original post (except virtumonde), when I next restarted (in NORMAL mode), all the Pop-ups "Your Computer is Under Attack" "Click here to Stop the Attack!" (Real? and/or Fake?) Warnings appeared again. So I just shut it down. I'm assuming that last restart in Normal Mode, allowed the lone remaining virtumonde to replicate again and recreate the other viruses, firewall bypass threats, and generic trojans that appeared initially.
Since then I have learned more about SAFE mode and what can and can't be done in SafeMode (I can access Control Panel, CD drives, write to a CD, etc) and have only restarted the machine in SAFE mode since. I have now downloaded ERUNT and HJT on another computer, copied them to CD and used the CD to install them on the problem machine. I have not yet run either of these Tools because before doing so, I'd like to know....
SHOULD I first try to get back to where I was by restarting again in Normal mode thereby letting these real and/or fake Virus Warnings start up again... THEN try to get them closed again (suggestions welcome)... and THEN Re-run my SpyBot and AVG as I did initially to remove anything present (except for virtumonde) BEFORE backing up my registry with ERUNT and running the HJT scan in NORMAL mode?
OR, SHOULD I let whatever malware is present in the machine at this time remain, and just run ERUNT and HJT in SAFE MODE and then post the HJT log?
I do look forward to your guidance and assistance.
I have also read and understand the Sticky "Before Posting" thread but really need some guidance before I start downloading any tools, creating logs, or trying fixes.
I currently have 5 computers on a local area home network that are used by myself, my wife, and children. 4 machines are running XP Pro and 1 old Windows 3.1 machine connected to 2 of the XP machines via the old Netbui protocol. 3 of the XP machines are used regularly for internet access via router, and high speed modem cable service and are protected with AVG free 8.5 and SpyBot 1.6.2(?) and SpyBot Resident Shield. All these XP machines have SP2 installed but I don't believe any have SP3. These 3 XP machines also have automatic Windows updates.
The 4th and newest XP machine IS connected to the LAN but is not used for the internet and does not share any of its drives or folders; this machine's Windows Firewall is ON but has no AVG or SpyBot installed. It is used mostly for backing up photos and other files from the other machines.
Last evening my wife clicked on a Google link reported as "Safe" by AVG and WHAM! SPyBot Resident Shield (??? Not sure if this was really Res Shield though the tray Icon showed a gray shield and Blue bar similar to the shield in SpyBot's Immunize Button.???) lit up like a Christmas tree announcing that the computer was under virus attack. This was followed shortly by a series of other warnings and popups with Red Title bars showing "Anti Virus System Pro Alert". These pop up warnings could not easily be closed or shut down. I had never seen the System Pro Alerts and never installed anything from AV System Pro and so assumed these were FAKE or FRAUD Virus warnings. They reported AVG was infected, Task Manager infected etc and intially I could not start either. IE 7 also opened spontaneously connecting to undesireable websites. I eventually got the "?bogus?" warning windows closed (I'm not really sure how) and spent most of the night running scans with SpyBot and AVG. I also disconnected the problem machine's network cable and also ran SpyBot and AVG scans on the other XP machines too. Fortunately, the other XP machines scanned clean with no signs of problems. I am posting from one of these now.
The initial SpyBot scan on the problem machine showed a number of "threats"; 2 fakes Virus Warnings - Malware Threat, One Windows Firewall Bypass - Security Threat, and Virtumonde.prx - Malware Threat. Some of these threats showed multiple entries. Before finishing the scan SpyBot hung up and became unresponsive so I could not Select Fix problems. I then restarted the SpyBot Scan and as each threat was detected I manually stopped the scan and fixed each problem as it appeared. I then started successive new scans and repeated this process until the only remaining threat was Virtumunde.prx which would report it as Fixed but still shows up on successive scans. I also ran an AVG scan which showed a bunch of tracking cookies and 6 threat warnings - Generic Trojans and Scheurs (or something like that) which were healed successfully Another AVG scan showed no problems. I gave up for the night and started again this morning with SpyBot and got the same results; Virtumonde.prx appears to be "fixed" but shows up again on the next scan and finally the same condition for Virtumonde.sdn as well.
I then tried to restart the problem machine in safe mode (holding F8) but not sure if I was successful in doing so. There was no desktop icons or Task bar and Spybot started a scan in an small window format all by itself. I let that scan run to completion reporting both Virtumonde.prx and .sdn and clicked Fix selected problems apparently with success. I then restarted the machine normally and all the original (bogus or not)SpyBot?, Anti Virus System Pro? warnings and symptoms appeared again. IE7 also opened and tried to connect but without the network cable plugged in IE7 could not do so.
I have changed one thing on the problem machine in trying to troubleshoot. I also noticed in Task Manager's process window that "alg.exe" was flashing on and off in highlight. I googled alg.exe from my own computer and read that this could be a fake virus threat if not located in the Windows\system32 folder. I searched the problem machine for this "alg" executable file and found several in Windows subfolder but another instance of the file in a Windows "prefetch" folder that showed as alg.exe followed by some random letters and numbers. I renamed this "suspect" alg.exe file with a prefix of "BAD_" just to see if that file was related to the problems before quitting last night.
I've now shut down the problem machine and looking for some guidance as to what exactly I should do next to resolve this problem. I am hesitant to reconnect this machine to the network to avoid the possibility of becoming more infected or damaging any of the other machines on the LAN. I really need some help with this!
Sorry for the length of this post!
My intent is not to "Bump" my post but rather clarify my dilemma and facillitate your assistance. Having never had to do anything like this before, I want to be sure I am doing things right and not doing things wrong; thereby causing any further problems. Also, based on starting dates of other threads and their first reply dates, I do not think anyone has yet started in on mine. I am hoping this post will help you assist me and not push me back in line but if it does, so be it.
At the time of my initial post, I was afraid to reconnect or even restart the problem computer to avoid causing any more problems or possibly infecting our other computers or anyone elses. After SpyBot and AVG successfully removed all the threats described in my original post (except virtumonde), when I next restarted (in NORMAL mode), all the Pop-ups "Your Computer is Under Attack" "Click here to Stop the Attack!" (Real? and/or Fake?) Warnings appeared again. So I just shut it down. I'm assuming that last restart in Normal Mode, allowed the lone remaining virtumonde to replicate again and recreate the other viruses, firewall bypass threats, and generic trojans that appeared initially.
Since then I have learned more about SAFE mode and what can and can't be done in SafeMode (I can access Control Panel, CD drives, write to a CD, etc) and have only restarted the machine in SAFE mode since. I have now downloaded ERUNT and HJT on another computer, copied them to CD and used the CD to install them on the problem machine. I have not yet run either of these Tools because before doing so, I'd like to know....
SHOULD I first try to get back to where I was by restarting again in Normal mode thereby letting these real and/or fake Virus Warnings start up again... THEN try to get them closed again (suggestions welcome)... and THEN Re-run my SpyBot and AVG as I did initially to remove anything present (except for virtumonde) BEFORE backing up my registry with ERUNT and running the HJT scan in NORMAL mode?
OR, SHOULD I let whatever malware is present in the machine at this time remain, and just run ERUNT and HJT in SAFE MODE and then post the HJT log?
I do look forward to your guidance and assistance.