
Thread: Virtumonde / Vundo infestation

  #11 Junior Member (joined Nov 2008, 11 posts)

    Abra Academy
    Ad-Aware SE Personal
    Adobe Flash Player ActiveX
    Adobe Photoshop 7.0
    Adobe Reader 7.0.9
    Adobe Shockwave Player
    Ancient Mosaic
    AquaPark
    Athlon 64 Processor Driver
    ATI - Software Uninstall Utility
    ATI Control Panel
    ATI Display Driver
    Aveyond
    AVG Free 8.0
    Azteca
    Bengal: Game of Gods
    BigFix
    Bliss Island(TM)
    Boggle® Supreme
    Buzzy Bumble
    CDisplay 1.8
    Charm Tale
    Conexant AC-Link Audio
    Cosmic Stacker
    Digital Media Reader
    Dragon Maze 1.0
    Dream Chronicles(TM)
    Elven Mists
    Fairy Jewels
    Feeding Frenzy® 2: Shipwreck Showdown
    Fiber Twig 2: Restoration of Magic Garden
    FizzBall
    Game Maker 7.0
    Glyph(TM)
    Google Toolbar for Internet Explorer
    GTK+ 2.10.6-1 runtime environment
    HijackThis 2.0.2
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows XP (KB888795)
    Hotfix for Windows XP (KB891593)
    Hotfix for Windows XP (KB895961)
    Hotfix for Windows XP (KB899337)
    Hotfix for Windows XP (KB899510)
    Hotfix for Windows XP (KB902841)
    Inform 7
    J2SE Runtime Environment 5.0 Update 2
    KeyTweak - Keyboard Remapper (remove only)
    Luck Charm Deluxe
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft Digital Image Starter Edition 2006
    Microsoft Money 2005
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Mozilla Firefox (2.0.0.18)
    Mozilla Firefox (3.0.4)
    Mozilla Thunderbird (1.5)
    Napster
    Napster Burn Engine
    Nero 7 Ultra Edition
    Nero BurnRights
    neroxml
    Oasis(TM)
    Ocean Express
    PowerDVD
    QuickTime
    RealPlayer
    Reaxxion
    Rhye's of Civilization Expanded
    Rocket Mania® Deluxe
    Sandlot Games Client Services
    Sandlot Games Client Services 1.2.2
    SandScript(TM)
    Sid Meier's Civilization III Complete
    Snapshot Adventures: The Secret of Bird Island
    Soft Data Fax Modem with SmartCP
    Sonic Encoders
    Sproink(TM)
    Spybot - Search & Destroy
    Super Granny 2: Granny in Paradise(TM)
    Super Granny® 4
    Super Granny™ 3
    Super Slyder™
    Synaptics Pointing Device Driver
    Talismania(TM) Deluxe
    The Endless Forest launcher
    The GIMP 2.2.13
    Tradewinds(TM) Legends
    TriJinx: A Kristine Kross Mystery™
    Trillian
    Turtle Odyssey
    Turtle Odyssey 2
    Update Rollup 2 for Windows XP Media Center Edition 2005
    Viewpoint Media Player
    Water Bugs
    WindowBlinds
    Windows Backup Utility
    Windows Frotz (remove only)
    Windows Media Format Runtime
    WinRAR archiver
    Word Monaco
    Zodiac

  #12 Emeritus - Security Expert peku006 (joined Feb 2007, Norway, 3,103 posts)

    Hi the Jack

    Do you have both AVG 7 and AVG 8?

    Have you tried uninstalling AVG 7?

    A link to AVG's own removal tool: http://www.avg.com/download-tools

    Disable AVG 8.

    To do this:
    • Open the AVG User Interface.
    • Double-click on the Resident Shield.
    • Un-tick the option "Resident Shield active".
    • Save the changes.

    Don't forget to activate it again after the online scan.
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  #13 Junior Member (joined Nov 2008, 11 posts)

    Well, this is weirder and weirder.

    I'd already had Resident Shield disabled -- as previously mentioned, it slows my system down far too much. But when I went in to double-check following the instructions you gave, even though it said it was disabled and the box was unchecked, there was also a message saying "Resident Shield has been running for: 19 hour(s) 41 minute(s) __second(s)" (the seconds changed constantly, obviously). This is the length of time since I rebooted.

    It looks like one of the programs you advised me to download and run inadvertently caused some weird interaction with AVG, possibly as a result of expecting AVG 7.x rather than the significantly different AVG 8. That seems the most likely explanation.

    Since AVG won't give me a straight answer as to whether Resident Shield is really on or not (or in some halfway state) and there's also still that weird AVG systray icon which may represent the sort-of-on Resident Shield, I'm going to try doing a normal (user/manual) reboot and see if that normalises things.

    Installing AVG 8 nicely uninstalls previous versions of AVG for you -- I had had AVG 7.5, yes, but it's already been uninstalled, as you should be able to see from my uninstall list -- but I did have a folder still in my Program Files with the original AVG 7.5 installer and EULA text file. I've deleted that folder.

    Hopefully after reboot I can proceed with the next part of your instructions from yesterday. Thanks for your patience. (:

  #14 Junior Member (joined Nov 2008, 11 posts)

    Apparently AVG just displays the length of time the entire program has been running (or how long the CPU has) regardless of whether Resident Shield has been on or off during that time, according to friends who also run AVG 8. Lazy coding on AVG's part, which will hopefully be tackled in a future patch.

    The tray icon referring to the apparently non-existent scan vanished after I rebooted.

    From what you're saying, all I need to do to "disable AVG" is disable the Resident Shield component? The Anti-Virus and Anti-Spyware components are still active; I couldn't find a way to disable them, or to exit the program entirely, as opposed to exiting the User Interface window. If Resident Shield is the only thing that needs to be disabled, I'm all set.

    I'm going to re-disable TeaTimer (which has been catching a few changes, mostly browser page redirect attempts, and which I've been allowing or disallowing based on whether the change seemed to replace a malicious redirect with a valid page or the opposite; I've checked 'remember this change' in every case, whether I denied or allowed the changes, so everything is logged) now and get started on the download, scan and online scan you asked for.

  #15 Junior Member (joined Nov 2008, 11 posts)

    More problems...

    1 - Clean temp files
    Download and run ATF Cleaner.
    Under Main choose:
    • Windows Temp
    • Current User Temp
    • All Users Temp
    • Temporary Internet Files
    • Prefetch
    • Java Cache
    (The other boxes are optional.)
    Then click the Empty Selected button.
    This part was no problem.

    If you use Firefox:
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
    • Click Exit on the Main menu to close the program.
    The 'Firefox' menu option (and the one for Opera, which I don't use anyway) was greyed out and could not be used. I tried clicking on it anyway; no dice. As the program seems to be more of a convenience tool than a hardcore computer cleaner (and since just a few days ago during my solo troubleshooting I cleared pretty much everything in my Firefox "Private Data" including cookies but not passwords) I figured that if anything was in there, or you felt it was important, we could get rid of the stuff ATF Cleaner would've cleared out of Firefox the old-fashioned way.

    When I went to start the online scan and found that the site doesn't support Firefox, I went to open Internet Explorer... and found that it had been set as my default browser. I corrected my default browser setting back to Firefox (2.0.0.18 -- I have Firefox 3 installed also but haven't tried it out yet) and re-opened ATF Cleaner to see if that was why it couldn't find my Firefox temp files etc., but the Firefox menu was still greyed out.

    2 - F-Secure Online Scan
    1. Please go to F-Secure website to perform an online scan. Click on Start scanning at the bottom of the page.
    2. You may be prompted to install an ActiveX before you are able to accept the License Agreement. If prompted, please install it. After installing, the Accept button will be available.
    3. Click on Accept to accept the License Agreement.
    I opened IE to do the F-Secure scan, since viewing the page in Firefox produces a message that IE is the supported browser. I was not prompted to install anything. Instead, this error message was displayed: "Insufficient rights to use ActiveX controls! Please check your user rights and Internet Explorer security settings."

    I might be able to figure out what the site needs in order to be able to proceed despite my unfamiliarity with IE (compared to Firefox, anyway) but thought it would be much better to ask what to do rather than bumbling around with security settings in a notoriously vulnerable browser while all my browsing protection is turned off.

  #16 Emeritus - Security Expert peku006 (joined Feb 2007, Norway, 3,103 posts)

    Hi the Jack

    Let's try this.

    Please make sure that all programs are closed when installing Java.

    1. Click here to visit Java's website.
    2. Scroll down to Java Runtime Environment (JRE) 6 Update 6. Click on Download.
    3. Select Windows from the drop-down list for Platform.
    4. Select Multi-language from the drop-down list for Language.
    5. Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
    6. Click on jre-6u6-windows-i586-p.exe link to download it and save this to a convenient location.
    7. Double click on jre-6u6-windows-i586-p.exe to install Java.
    8. After the Java installation has finished, please go to Kaspersky website and perform an online antivirus scan.
    9. Read through the requirements and privacy statement and click on Accept button.
    10. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    11. When the downloads have finished, click on Settings.
    12. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    13. Click on My Computer under Scan.
    14. Once the scan is complete, it will display the results. Click on View Scan Report.
    15. You will see a list of infected items there. Click on Save Report As....
    16. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    17. Please post this log in your next reply.

  #17 Junior Member (joined Nov 2008, 11 posts)

    Quote originally posted by peku006:
    1. Click here to visit Java's website.
    2. Scroll down to Java Runtime Environment (JRE) 6 Update 6. Click on Download.
    Are you keeping your instruction sets for C&P up to date? The latest JRE update is Java Runtime Environment (JRE) 6 Update 10. In fact the only other JRE download available on that page is JRE 6 Update 7 for Intel Itanium® (which I don't have). Previous releases still available at java.sun.com only go up to JRE 5.x. I proceeded on the assumption you meant for me to install the most recent version.

    7. Double click on jre-6u6-windows-i586-p.exe to install Java.
    The install file was jre-6u10-windows-i586-p.exe but installation went mostly according to your instructions otherwise.

    There was an error message displayed during install which said
    " Error: could not open 'C:\Program Files\Java\jre.1.5.0_02\lib\i386\jvm.cfg' "
    In the ...\jre.1.5.0_02\ folder, the 'lib' sub-folder is apparently empty -- trying to look in it produces a long system lag and then the error message
    " The disk in drive C is not formatted. Do you wish to format it now? "
    (That was kind of unnerving, as C is my hard drive!) I clicked "No" on the format error-message box and "OK" (the only option) on the Java launcher error-message box, and the Java update appears to have installed correctly despite the missing file(s)/folders.

    8. After the Java installation has finished, please go to Kaspersky website and perform an online antivirus scan.
    ...
    17. Please post this log in your next reply.
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Wednesday, November 26, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Tuesday, November 25, 2008 22:56:48
    Records in database: 1416848
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\

    Scan statistics:
    Files scanned: 95258
    Threat name: 1
    Infected objects: 1
    Suspicious objects: 0
    Duration of the scan: 04:52:20


    File name / Threat name / Threats count
    D:\i386\Apps\App00577\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

    The selected area was scanned.

    One other thing:
    While I was waiting for you to respond to my last message, I disconnected the laptop computer from the internet since all its browsing protection was disabled, and checked via the (uninfected) desktop computer for your reply. I'd forgotten that AVG was scheduled to run a scan (you told me to disable Resident Shield, which I did, but said nothing about scheduled scans) yesterday afternoon, however, and since the laptop computer was offline but not powered down, the scan proceeded, identified several threats, and quarantined them. Here is a transcript of the AVG scan results:

    Object name ____ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP376\A0023054.exe
    Detection name __ Trojan horse Generic12.HOO
    Object type _____ file
    SDK Type _______ Core
    Result __________ Moved to virus vault

    Object name ____ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP376\A0022844.dll
    Detection name __ Trojan horse Downloader.Delf.BPB
    Object type _____ file
    SDK Type _______ Core
    Result __________ Moved to virus vault

    Object name ____ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP376\A0025161.dll
    Detection name __ Virus found Win32/Heur
    Object type _____ file
    SDK Type _______ Core
    Result __________ Moved to virus vault
    Action history __ Moved to virus vault

    Object name ____ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP376\A0028336.dll
    Detection name __ Trojan horse Generic12.OXE
    Object type _____ file
    SDK Type _______ Core
    Result __________ Moved to virus vault

    Object name ____ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP376\A0028338.dll
    Detection name __ Trojan horse Generic12.OXE
    Object type _____ file
    SDK Type _______ Core
    Result __________ Moved to virus vault

    Should it be safe to let AVG delete these quarantined files, or might doing so cause them to reinfect my computer? (It appears one of them was previously quarantined yet somehow escaped.) If that's a possibility, what steps should I take to purge/destroy the quarantined files? AVG will automatically delete them in 29 days if I do nothing in the meantime.

  #18 Emeritus - Security Expert peku006 (joined Feb 2007, Norway, 3,103 posts)

    Hi the Jack

    Sorry about that Java Runtime Environment (JRE) 6 Update 6.

    Please delete this file:

    D:\i386\Apps\App00577\comps\toolbar\toolbr.exe

    "the scan proceeded, identified several threats, and quarantined them"
    Those items are being held in your System Restore points and are safe unless you perform a System Restore. The best way to clean them is to flush out your System Restore points and create a new one. (We will do it a bit later.)

    It seems you don't have any evidence of a third-party firewall.

    As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

    1) Comodo (uncheck during installation "Install COMODO Antivirus (Recommended)", "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage")
    2) Online Armor
    3) PC Tools
    4) Sunbelt/Kerio
    5) ZoneAlarm (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

    If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

    Please reply with a fresh HijackThis log.

    Thanks, peku006
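peku006's point above is that a quarantined file whose path is under \System Volume Information\_restore{...}\RPnnn\ lives in a System Restore snapshot rather than in a live location. The following is an added example, not code from the thread: it parses the AVG transcript format the Jack posted and separates snapshot hits from live ones. The second sample block (an Owner temp path) is constructed for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of the AVG transcript posted in the thread: the first
# block reuses the thread's own restore-point path, the second is a made-up live path.
SAMPLE_TRANSCRIPT = r"""
Object name ____ C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP376\A0023054.exe
Detection name __ Trojan horse Generic12.HOO
Object type _____ file
SDK Type _______ Core
Result __________ Moved to virus vault

Object name ____ C:\Documents and Settings\Owner\Local Settings\Temp\sample.dll
Detection name __ Trojan horse Downloader.Delf.BPB
Object type _____ file
SDK Type _______ Core
Result __________ Moved to virus vault
Action history __ Moved to virus vault
"""

# "Label ____ value" lines as AVG prints them (underscores pad the label column).
FIELD_RE = re.compile(r"^([A-Za-z ]+?)\s*_+\s+(.+?)\s*$")
# A file inside a System Restore snapshot: <drive>:\System Volume Information\_restore{GUID}\RPnnn\...
RESTORE_POINT_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\",
    re.IGNORECASE,
)


@dataclass
class Detection:
    path: str
    threat: str
    result: str
    restore_point: Optional[str]  # "RP376" when the file lives in a restore point, else None


def parse_avg_transcript(text: str) -> List[Detection]:
    """Split the transcript into blank-line-separated blocks and read each block's fields."""
    blocks, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                blocks.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip().lower()] = m.group(2)
    if current:
        blocks.append(current)
    detections = []
    for b in blocks:
        path = b.get("object name", "")
        rp = RESTORE_POINT_RE.match(path)
        detections.append(Detection(path, b.get("detection name", ""),
                                    b.get("result", ""), rp.group(1) if rp else None))
    return detections


def triage(text: str) -> Tuple[List[Detection], List[Detection]]:
    """Return (live, snapshot): snapshot items only matter if a System Restore is performed."""
    live, snapshot = [], []
    for d in parse_avg_transcript(text):
        (snapshot if d.restore_point else live).append(d)
    return live, snapshot


if __name__ == "__main__":
    live, snapshot = triage(SAMPLE_TRANSCRIPT)
    print(f"{len(snapshot)} inside restore points, {len(live)} in live locations")
```

Hits in the snapshot list are what the later "Disable and Enable System Restore" step flushes; hits in the live list are the ones worth a closer look.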

  #19 Junior Member (joined Nov 2008, 11 posts)

    "Please delete this file
    D:\i386\Apps\App00577\comps\toolbar\toolbr.exe"
    I hope there's a way for me to delete it without having to wait hours for another Kaspersky scan? The D drive on my computer is a recovery partition; it's set up so end users can't even view the drive contents. I suppose the Kaspersky scan would probably take about 2.5 hours if I have it scan only the D drive (E is an empty CD/DVD drive)...

    If I can't delete the file using Windows Explorer (and it seems I can't) which program should I use? I have Spybot Search & Destroy (including the File Shredder utility), ComboFix, HijackThis, Malwarebytes' Anti-Malware, Random's System Information Tool, and of course AVG, though it doesn't recognise that file as even possibly dangerous.

    A program that will let me specify the exact folder the bad file is in would be preferred. Please give me specific instructions for the program you want me to use (e.g. I think when using HJT to fix/kill files it's necessary to close all other programs and then reboot, and some programs would require me to disable AVG's Resident Shield and Spybot's TeaTimer) to delete the file from my D drive.

    "you don't have any evidence of a third party firewall"
    You don't see a firewall on my computer because I'm protected via the built-in firewall on our 2Wire DSL modem-router. The desktop computer serves as local network hub; we've found that trying to run an additional firewall on the laptop leads to problems accessing files that are shared via the local network. I know I'd need a firewall when travelling with the laptop, but I haven't done any. If you think it's necessary to have an additional firewall residing on my laptop, I suppose I could just turn it off when I need to access files on the network, i.e. in order to use the printer. I access files via the network on a nearly daily basis, though, so if an additional firewall is likely to interfere with this (or if turning it off all the time would render it useless) maybe I should skip it? Or maybe I should skip it since my internet connection is firewalled already?

    "Please reply with a fresh HijackThis log"
    I presume you want me to post a new HJT log *after* I remove the file from the D drive partition.

  #20 Emeritus - Security Expert peku006 (joined Feb 2007, Norway, 3,103 posts)

    Hi the Jack

    Sorry about that: D:\i386\Apps\App00577\comps\toolbar\toolbr.exe
    That actually is part of AOL and comes pre-installed on many systems; it is not considered malicious.

    "I'm protected via the built-in firewall on our 2Wire DSL modem-router."
    OK... that's enough.

    "I presume you want me to post a new HJT log *after* I remove the file from the D drive partition"
    It's not necessary.

    The scans are fine and it looks like your machine is clean.

    Next we remove all used tools.

    Delete RSIT from your desktop, also delete this folder C:\rsit.

    Now let's uninstall ComboFix:

    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK


    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

    Disable and Enable System Restore-WINDOWS XP
    This is a good time to clear your existing system restore points and establish a new clean restore point:

    Turn off System Restore
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore.
    • Click Apply, and then click OK.
    • Reboot.

    Turn ON System Restore
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • UN-Check *Turn off System Restore*.
    • Click Apply, and then click OK.

    This will remove all restore points except the new one you just created.

    Here are some free programs I recommend that could help you improve your computer's security.


    Install SpyWare Blaster 4.0
    Download it from here.
    Find the tutorial on how to use Spyware Blaster here.


    Install FireTrust SiteHound
    You can find information and download it from here

    Install MVPS Hosts File from here
    The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    Find the tutorial here: http://www.mvps.org/winhelp2002/hosts.htm

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
    You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

    Visit Microsoft often to get the latest updates for your computer.
    http://www.update.microsoft.com

    Please check out Tony Klein's article "How did I get infected in the first place?"

    Read some information here how to prevent Malware.


    Happy safe surfing!
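The hosts-file mechanism peku006 describes (names mapped to 127.0.0.1 never reach the network) as an added example, not code from the thread or from the MVPS project. It parses a constructed hosts file, resolves names the way the hosts step of a resolver does, and goes one step beyond the text by also flagging entries that send a name to a remote address rather than to loopback, which is the opposite of what a blocking list should do.

```python
import ipaddress
from typing import List, Optional, Tuple

# Addresses that make a hosts entry a sinkhole: the name resolves to the local machine.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample hosts file (not the real MVPS file): blocking entries, a comment,
# a line with several names, and one entry that points a name at a remote address.
SAMPLE_HOSTS = """\
# constructed sample, not the MVPS list
127.0.0.1 localhost
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org banner.example.org # blocked
198.51.100.7 bank.example.com
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, ignoring comments, blanks and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing or whole-line comments
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)        # reject lines whose first field is not an IP
        except ValueError:
            continue
        for name in names:
            entries.append((addr, name.lower()))
    return entries


def lookup(entries: List[Tuple[str, str]], hostname: str) -> Optional[str]:
    """Mimic the resolver's hosts-file step: the first matching name wins, else None."""
    hostname = hostname.lower()
    for addr, name in entries:
        if name == hostname:
            return addr
    return None


def classify(entries: List[Tuple[str, str]]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split entries into sinkholed names and names redirected to a non-local address."""
    blocked, redirected = [], []
    for addr, name in entries:
        if addr in SINKHOLE_ADDRESSES:
            blocked.append(name)
        else:
            redirected.append((name, addr))
    return blocked, redirected


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    blocked, redirected = classify(entries)
    print(f"{len(blocked)} names sinkholed, {len(redirected)} names redirected elsewhere")
```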
