
Thread: Virtumonde et al -- a question or two ...

  1. #1
    Junior Member
    Join Date
    Mar 2007
    Location
    New York City
    Posts
    28

    Virtumonde et al -- a question or two ...

    Hi,

    My Acer laptop got infected with the Virtumonde program (in each of its incarnations). I tried ridding the thing using Lavasoft's Ad Aware and AVG, and your Spybot S & D. I decided to check if there was additional info about the bot. Indeed, the info said I should log into the S & D forum to find the cure.

    I have so far printed out the instructions to rid myself of the blasted thing. While I was looking at all of the other postings about others' troubles, I started wondering whether re-installing MS Win on that partition might be a better idea.

    I ask this more because I have made it a point to have as little as possible on my boot partition. For instance, I keep my office suite on a different partition, and I use yet another partition for the browser temporary files. By also having my E-Mail go to a removable drive, as well as major downloads which are first saved before being run, I end up having about five gigs of free RAM out of twenty, which I provided for the boot partition. So, for me, I would not lose that much, and, because I do have DSL, reloading a lot of the updating files should go much faster.

    My question is, "Will re-installing Win (by reformatting, etc.) get rid of the pesky program? Or, can it survive even that?" I ask this to have an idea of what I can do if following your advice in ridding my computer of that program does not fully work.

    BTW, Virtumonde also attached itself to Firefox. What is interesting is I think I got it by visiting a site using Opera, and I believe Opera is not infected.

    Thank you for your time and attention, in advance.

    Regards,

    Amigan_1

  2. #2
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620


    Reformatting will get rid of it

    Although we can remove it without reformatting if you wish to

    Let me know what you decide
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~

  3. #3
    Junior Member
    Join Date
    Mar 2007
    Location
    New York City
    Posts
    28

    Download from disk or from Internet?

    Hi,

    As a further thought, is it better to download and install the required tools (HJT, anti-Virtumonde program, etc.) as stated by Tashi, from the Internet, or from a drive (like a USB pendrive, or CD-ROM which I created) which has all the current versions?

    I ask the question because as long as my computer is connected to the Internet, Virtumonde continues to try to hijack me via Firefox. Once sent to that site, a download starts almost immediately, which I do not want. When I am not connected, it tries to further infect my computer. It seems to only care about my boot partition, because AVG, Ad Aware, and Spybot S&D have only shown infections in directories in my boot partition, so my other partitions and attached other drives appear clean. So I believe it might be safer to download those programs from a disk than from the Internet. Am I correct?

    Thanks, in advance.

    BTW, I am using an older Thinkpad until I fix my Acer Travelmate 4220.

    Regards,

    Amigan_1

  5. #5
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620


    Whatever way is easier for you
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~

  6. #6
    Junior Member
    Join Date
    Mar 2007
    Location
    New York City
    Posts
    28

    One more bit of advice needed ...

    Hi,

    First, I thank you, Rorschach112, for your fast reply to me. I believe I do understand all the instructions posted, to rid myself of virtumonde, but, I am not one hundred percent sure.

    Am I correct that there are actually two programs needed to fully get rid of Virtumonde: ComboFix and VundoFix? If I am not correct, then what other programs do I need to rid myself of Virtumonde? Am I also correct that the main purpose for some of the other programs is more for producing a log file which can then be sent to this forum?

    If I am correct, then is my copying that script and having ComboFix run it also crucial? Lastly, should I run VundoFix before I run ComboFix, or after I run ComboFix?

    Thank you, all, in advance.

    Regards,

    Amigan_1

  7. #7
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620


    VundoFix is the main tool for it, but it often can't get rid of every piece as the malware is constantly changing; that is why people need to post on this forum.

    Am I also correct the main purpose for some of the other programs is more for producing a log file which can then be sent to this forum?
    Yes, the logs show an in depth scan of your PC, helps us remove malware

    then my copying that script and having Combofix run it, is also crucial?
    Running CFScripts yourself is a bad idea. These scripts are different for everyone. Doing this yourself will only make it likely that you wreck your own PC.

    You should only run these tools if a helper tells you to; otherwise you can destroy your PC.

    Do you want me to help, or are you going to reformat?
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~

  8. #8
    Junior Member
    Join Date
    Mar 2007
    Location
    New York City
    Posts
    28

    Agreed, help is accepted ...

    Hi Rorschach112,

    I am convinced. Yes, please help. I figure, if I can get the blasted thing going well, doing it the anti-viral way, then that is better than reformatting. Reformatting would be the last option. :-(

    FWIW, the script file to which I alluded is one which was stated in one of the posts in this forum. From what I read of it, it seemed more of a generic search and destroy, which could be used for others. I will defer to your wisdom.

    Thank you.

    Regards,

    Amigan_1

  9. #9
    Retired Security Volunteer
    Join Date
    Sep 2007
    Location
    Ireland
    Posts
    1,620


    It is safer this way

    Few things for you: post all the logs in the one go please (may need two posts for them though).

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only.
    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.

    CLICK HERE to download the HijackThis Installer:
    1. Save HJTInstall.exe to your desktop.
    2. Double-click on HJTInstall.exe to run the program.
    3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    4. Accept the license agreement by clicking the "I Accept" button.
    5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    6. Click "Save log" to save the log file and then the log will open in Notepad.
    7. Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
    8. Come back here to this thread and paste the log in your next reply.
    9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Please do an online scan with Kaspersky WebScanner.

    Click on Kaspersky Online Scanner and click Accept.

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (if available, otherwise Standard)
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK.
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
    Who watches The Watchmen?

    It's like you said. All I am is what I'm going after.

    ~Scratch~
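
The HijackThis log requested in the post above is a plain-text list of hook entries (O2 BHOs, O4 Run keys, O20 Winlogon Notify, O23 services) that a helper reads by hand. As an added example that is not from this thread or from the tool's authors, here is a small Python triage script over a constructed sample log; the flagging rule (a system32 file referenced from more than one hook, or a BHO with no name) is an assumption of this example, not a verdict on any real entry, which is exactly why the post says not to let HijackThis fix anything yet.

```python
import re
from collections import defaultdict
# Constructed sample HijackThis log (hypothetical; the poster never pasted one).
# Shapes follow HijackThis's O2 (BHO), O4 (Run key), O20 (Winlogon Notify) and
# O23 (service) lines; "example-placeholder.dll" is an invented file name.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\system32\example-placeholder.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [placeholder] rundll32.exe "C:\WINDOWS\system32\example-placeholder.dll",a
O20 - Winlogon Notify: placeholder - C:\WINDOWS\system32\example-placeholder.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")          # "O4 - HKLM\..\Run: [name] path"
PATH_RE = re.compile(r"[A-Za-z]:\\[^\",]*?\.(?:dll|exe|sys)", re.IGNORECASE)

def parse_hjt_log(text):
    """Turn each 'Onn - ...' line into {'code', 'body', 'path'}; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        pm = PATH_RE.search(body)          # first drive-letter path the entry loads
        entries.append({"code": code, "body": body, "path": pm.group(0).lower() if pm else None})
    return entries

def paths_by_hook(entries):
    """Map each loaded file to the set of hook types (O2, O4, O20, ...) that reference it."""
    table = defaultdict(set)
    for e in entries:
        if e["path"]:
            table[e["path"]].add(e["code"])
    return table

def review_candidates(entries):
    """Triage heuristic (an assumption of this example, not a verdict): a system32 file hooked from several places, or a nameless BHO."""
    hooks = paths_by_hook(entries)
    flagged = set()
    for e in entries:
        p = e["path"]
        if p and "\\system32\\" in p and len(hooks[p]) > 1:
            flagged.add(p)
        if p and e["code"] == "O2" and e["body"].startswith("BHO: (no name)"):
            flagged.add(p)
    return sorted(flagged)
```

Entries that are not flagged (the named Adobe BHO, the AVG tray and service lines) are the "harmless or even required" kind the post warns against removing; a flagged path is only a pointer to what the helper should look at next.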

  10. #10
    Junior Member
    Join Date
    Mar 2007
    Location
    New York City
    Posts
    28

    An idea ... good? bad? neither?

    Hi Rorschach112,

    First, if we are going to be in touch with each other, why not call each other by our real first name? My name is Julian. I will sign off as such.

    Second, since the Virtumonde seems to be interested in Firefox, as it tries to hijack that, immediately, would it be a bad idea to first uninstall both Firefox and Opera, before allowing the computer to be connected to the Internet (DSL)? I ask this also because the various programs which will report how and where Virtumonde is affecting my computer will mostly depend on IE, and, I figure it might be easier for these programs to work if they have less to check out.

    I can always reinstall the two browsers after I know that my computer is clean.

    What do you think?

    Regards,

    Julian.
