
Thread: Help removing virtumonde

  1. #31
    Visiting Fellow
    Join Date
    Nov 2009
    Location
    Land Of The Leprechauns
    Posts
    461


    Hi oxpride85.
    Good news! Looks like the redirects have stopped.
    Good work, it looks like that last ComboFix script got it.

    Let's get one more check with the Kaspersky Online Scan.



    Please run ATF Cleaner again; it should still be on your desktop.


    Next.

    Disable AVG9

    • Open AVG User Interface.
    • Double-click on the Resident Shield.
    • Un-tick the option Resident Shield active.
    • Save the changes.
    • Note: Don't forget to re-enable it after the below scan.


    Next.

    Kaspersky Online Scan

    You can use either Internet Explorer or Mozilla FireFox for this scan.

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    • Please go to the Kaspersky website and perform an online antivirus scan.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
    • Click on My Computer under Scan. * This will take a while. Please be patient *.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    • Please post this log in your next reply.


    This online tutorial will help explain how to use the aforementioned online scan.



    Logs/Information to Post in your Next Reply

    • Kaspersky log.
    • Please give me an update on your computer's performance.

  2. #32
    Junior Member
    Join Date
    Apr 2010
    Posts
    22


    Computer is looking good! No more signs of funny business

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Saturday, April 17, 2010
    Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Saturday, April 17, 2010 17:51:00
    Records in database: 3949485
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    L:\

    Scan statistics:
    Objects scanned: 101200
    Threats found: 11
    Infected objects found: 19
    Suspicious objects found: 0
    Scan duration: 04:34:34


    File name / Threat / Threats count
    C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP483\A0045963.dll Infected: Trojan.Win32.Stuh.anyl 1
    C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP483\A0045964.dll Infected: Trojan.Win32.Stuh.anyl 1
    C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP491\A0046740.dll Infected: Trojan.Win32.Monder.desq 1
    C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP491\A0046741.dll Infected: Trojan.Win32.Monder.deuf 1
    C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP491\A0046742.dll Infected: Trojan.Win32.Stuh.anzj 1
    C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP492\A0046784.dll Infected: Trojan.Win32.Monder.detk 1
    C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP492\A0046785.dll Infected: Trojan.Win32.Monder.desv 1
    C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP492\A0046786.dll Infected: Trojan.Win32.Monder.detm 1
    C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP499\A0050994.dll Infected: Trojan.Win32.Monder.deuf 1
    C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP500\A0057109.dll Infected: Trojan.Win32.Monder.deuf 1
    C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP500\A0057160.dll Infected: Trojan.Win32.Monder.deuf 1
    C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP501\A0057161.dll Infected: Trojan.Win32.Monder.deuf 1
    C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP501\A0057189.dll Infected: Trojan.Win32.Monder.deuf 1
    C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP502\A0060330.sys Infected: Rootkit.Win32.TDSS.ap 1
    C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP503\A0061327.dll Infected: Trojan.Win32.Monder.deuf 1
    C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP503\A0061328.dll Infected: Trojan.Win32.Monder.deuf 1
    C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP503\A0062708.exe Infected: Trojan.Win32.Fraudpack.aqix 1
    C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP503\A0062714.exe Infected: Packed.Win32.Katusha.j 1
    C:\WINDOWS\system32\drivers\etc\hosts.20090715-030606.backup Infected: Trojan.Win32.Qhost.mcf 1

    Selected area has been scanned.

  3. #33
    Visiting Fellow
    Join Date
    Nov 2009
    Location
    Land Of The Leprechauns
    Posts
    461


    Hi oxpride85.
    Computer is looking good! No more signs of funny business.
    Great news
    Most of what the Kaspersky scan found will be cleared when we flush your system restore points.
    One last thing to do before I give you final instructions.

    Download HostsXpert and unzip it to your computer, somewhere where you can find it but don't run it yet.

    Next.

    Re-run OTM
    • Double-click OTM.exe to run it.
    • Right-click then copy the following code, Do not include the word Code.
      Code:
      :Files
      C:\WINDOWS\system32\drivers\etc\hosts
      :Commands
      [emptytemp]
      [start explorer]
      [Reboot]
      • Return to OTM, right-click then paste the code into the blank box below
      • Push the large button.
      • OTM may ask to reboot the machine. Please do so if asked.
      • Copy everything in the Results window (under the green bar), and paste it in your next reply.


    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



    Next.

    • Double click on HostsXpert.exe to launch the programme.
    • When prompted with:
      HOSTS file does not exist, press OK to create HOSTS file, Cancel to quit.
    • Select OK.
    • Check to see if top button on left hand side says Make Writable?
      • If it does, click on it then proceed to the next instruction.
      • If not, just proceed to the next instruction.
    • Click on Restore MS Hosts File to restore your Hosts file to its default condition
    • When prompted to confirm, click OK.
    • Click on the Download button (lower left hand side)
      • Click on MVPs Hosts... button.
      • Click on Replace button.
      • Press OK in the box that pops up. (HostsXpert will now download and update your Hosts file)
    • When finished.
      • Click on File Handling button.
      • Click on Make Read Only? to secure it against infection.
    • Exit the programme.



    Logs/Information to Post in your Next Reply

    • OTM log.
    • Please give me an update on your computer's performance.
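    The helper's point above is that nearly every Kaspersky detection sits in a System Restore snapshot rather than in a live file. As an added example (not part of the original thread), this script parses the "File name / Threat / Threats count" lines of a Kaspersky Online Scanner 7.0 report and separates restore-point copies from detections in live paths; the three-line report embedded here is a constructed excerpt modelled on the one posted.

```python
import re

# Constructed excerpt in the Kaspersky Online Scanner 7.0 report format;
# only three of the posted detections are reproduced for the example.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP483\A0045963.dll Infected: Trojan.Win32.Stuh.anyl 1
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP502\A0060330.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\WINDOWS\system32\drivers\etc\hosts.20090715-030606.backup Infected: Trojan.Win32.Qhost.mcf 1

Selected area has been scanned.
"""

# One detection line: <path> Infected: <threat name> <count>
LINE_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")
# Files inside a System Restore point: <drive>:\System Volume Information\_restore{GUID}\RP<n>\
RESTORE_RE = re.compile(
    r"^[A-Z]:\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP\d+\\", re.I
)


def parse_report(text):
    """Return (path, threat, count) tuples for every detection line in the report."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m["path"], m["threat"], int(m["count"])))
    return hits


def triage(hits):
    """Split detections into restore-point copies (cleared when restore points
    are flushed) and live files (need individual attention)."""
    summary = {"restore_point": [], "live": []}
    for path, threat, count in hits:
        bucket = "restore_point" if RESTORE_RE.match(path) else "live"
        summary[bucket].append((path, threat, count))
    return summary


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    print(f"{len(result['restore_point'])} in restore points, {len(result['live'])} live:")
    for path, threat, _ in result["live"]:
        print(f"  {threat}  {path}")
```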

  4. #34
    Junior Member
    Join Date
    Apr 2010
    Posts
    22


    Everything's looking good!

    Here's the OTM log:
    All processes killed
    ========== FILES ==========
    C:\WINDOWS\system32\drivers\etc\hosts moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator

    User: Administrator.SAMUEL
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 65748 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 685 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 8202 bytes

    User: Owner
    ->Temp folder emptied: 104259365 bytes
    ->Temporary Internet Files folder emptied: 108178562 bytes
    ->Java cache emptied: 136773 bytes
    ->Flash cache emptied: 8178 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 110 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 203.00 mb


    OTM by OldTimer - Version 3.1.10.1 log created on 04182010_230313

    Files moved on Reboot...
    C:\Documents and Settings\Owner\Local Settings\Temp\~DF83BE.tmp moved successfully.
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XRU023RJ\showthread[1].php moved successfully.
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

    Registry entries deleted on Reboot...

  5. #35
    Visiting Fellow
    Join Date
    Nov 2009
    Location
    Land Of The Leprechauns
    Posts
    461


    Hi oxpride85, your latest set of logs appear to be clean!
    This is my general post for when your logs show no more signs of malware.

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

    Time for some housekeeping
    • Click on Start >> Run...
    • Now type ComboFix /Uninstall into the box and click OK.
    • Note the space between the X and the /Uninstall, it needs to be there.

    The above procedure will reset your System Restore and clear out the backups and quarantines created during the course of this fix.

    Next.

    Clean up with OTM

    • Double-click OTM.exe to start the program. This tool will remove all the tools we used to clean your PC.
    • Close all other programs apart from OTMoveIt3, as this step will require a reboot.
    • On the OTM main screen, press the CleanUp! button
    • Say Yes to the prompt and then allow the program to reboot your computer.


    You can now delete any tools we used if they remain on your Desktop.


    Next.


    Protection Programs
    Don't forget to re-enable any protection programs we disabled during your fix.

    Here are some free programs I recommend that could help you improve your computer's security.

    I recommend you keep Malwarebytes' Anti-Malware, keep it updated and run it once a week.

    Install SiteAdvisor
    SiteAdvisor is a toolbar for Microsoft Internet Explorer and Mozilla Firefox which alerts you if you're about to enter a potentially dangerous website.
    You can find more information and download it from Here

    Install WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
    For more information, please visit HERE

    MVPS Hosts

    Install MVPS Hosts File From Here
    The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    You can Find the Tutorial HERE

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
    You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

    Visit Microsoft often to get the latest updates for your computer
    You can do that HERE

    Read some information HERE On how to prevent Malware

    Is your pc running slow?
    Read What to do if your Computer is running slowly

    I would be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

    Safe surfing!
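    The MVPS Hosts description above relies on the distinction between a hosts entry that points a name at the local machine (a block, which is harmless) and one that points a name at some remote address (the kind of change the Trojan.Win32.Qhost detection in the earlier scan refers to). As an added example, not part of the original thread, this script parses a hosts file, treats loopback and unspecified addresses as block entries, and lists every remaining mapping for review; the hosts content and all names and addresses in it are constructed for the example.

```python
import ipaddress

# Constructed hosts file: the first block is MVPS-style (names sent to
# loopback or 0.0.0.0); the last two lines map names to a remote address,
# which is the kind of entry a hosts-hijacking trojan adds. All names and
# addresses are made up (documentation ranges and .test domains).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  ads.example-adnetwork.test   # MVPS-style block entry
0.0.0.0    tracker.example.test
203.0.113.7  update.example-antivirus.test
203.0.113.7  www.example-antivirus.test   www
"""


def parse_hosts(text):
    """Yield (line number, ip address, hostname) for each mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address; not a usable mapping
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def classify(entries):
    """Return (blocked names, redirected mappings).

    Loopback (127.x, ::1) and unspecified (0.0.0.0, ::) targets only block a
    name, as MVPS does. Anything else sends the name to a real host and
    deserves a look, especially for security-vendor or update domains."""
    blocked, redirected = [], []
    for lineno, addr, name in entries:
        if addr.is_loopback or addr.is_unspecified:
            blocked.append(name)
        else:
            redirected.append((lineno, str(addr), name))
    return blocked, redirected


if __name__ == "__main__":
    blocked, redirected = classify(parse_hosts(SAMPLE_HOSTS))
    print(f"{len(blocked)} blocked names, {len(redirected)} redirects to review:")
    for lineno, addr, name in redirected:
        print(f"  line {lineno}: {name} -> {addr}")
```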

  6. #36
    Junior Member
    Join Date
    Apr 2010
    Posts
    22

    Thank You!!!

    Thank you so much for all your help Cypher!! Saved me from bashing in my computer...lol Couldn't have done it without you.

    ps:my computer thanks you too

    I'll do my best to keep my computer safe, hopefully I won't need to come back here again!

  7. #37
    Visiting Fellow
    Join Date
    Nov 2009
    Location
    Land Of The Leprechauns
    Posts
    461


    Hi oxpride85.
    Originally Posted by oxpride85:
    Thank you so much for all your help Cypher!!
    You're most welcome glad we could help.
    Good luck and stay safe

  8. #38
    Visiting Fellow
    Join Date
    Nov 2009
    Location
    Land Of The Leprechauns
    Posts
    461


    As this issue appears to be resolved, this topic is now closed

    We are pleased to have been some help in getting you clean.

    If you have been helped and wish to donate to help with the costs of this volunteer site, please read :
    Your donation helps improving Spybot-S&D!
