Virtumonde.sdn

Status
Not open for further replies.
I purged/restored system update as instructed.

Everything is running much better than it was before the computer virus. (I have to be careful how I put that or I might seem to need to post in another kind of forum!) I feel like I have my computer back. I'm just very grateful that I found some help. Thank you again and again.
 
That's great, glad things are running better for you.

Lots of nasty stuff going around so be careful on the internet. I am linking you to some free programs to install to help keep you more secure. Stay away from any file sharing programs like Limewire or the torrents, they're infections waiting to happen.


ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.





Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot. You can still install Spybot Search and Destroy but do not enable the TeaTimer.


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
  • Spybot Search and Destroy 1.6
    Check for Updates/Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster (Recommended) then do not enable the TeaTimer in Spybot Search and Destroy.
  • Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
  • Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
  • IE-Spyad
    IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Firefox 3 It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will in no way interfere with IE, you can use them both.


Safe Surfn
Ken
 
A few loose ends

So, I just wanted to thank you again Ken for helping me with my computer issues. Also, I noticed that it seems Kaspersky has changed their online scan, because by accident I logged onto the website with Firefox without noticing and it started to download the program and looked as if it would start scanning. So I guess that's a good thing.

I'm having some issues being able to use the Windows Automatic updates. I've tried to troubleshoot it on their website, and I can't seem to restart it on the services.msc program. I get an Error 2 message.

Is this something to do with the spyware...do you have any suggestions or things to try?

I'm looking at the other changes you suggested in your previous post, and going about making them. Thanks again!
 
Hi,

Remove this with HJT, reboot and try windows updates again.
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINNT\

Open up IE and go to Tools> Windows updates and give it a try.

There is some malware that will disable that feature but your log is clean now. If you still can't get it to work I will direct you to some support sites that deal with this type of issue.

Ken
 
So I did as you suggested, using HJT to delete the autoupdate file. I run a scan only, checkmark the specified file, click fix selected, reboot my computer, try to run autoupdate from the IE tab, all as per your instructions, and I get the same error. So I run HJT again and the same file appears in the scan.

I guess I need the address of those other resources. Thank you for all your help. I really appreciate not having that trojan on my PC.
 
The file appears to be missing, try this
Depending on how your manufacturer set up your system, you may or may not need the Windows XP CD. If you have a I386 folder on your C:\ drive you may not need the disk.
  • Click Start>Run
  • Type in sfc /scannow, hit Enter.
  • Note: there is a space between sfc and /scannow
  • This should replace any corrupted/missing system files and will hopefully fix things.

Then try Windows Updates again and if still a no go then do this

If you removed Combofix, redownload it.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop





Open Notepad: go to Start> All Programs> Accessories> Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above FCopy::


Code:
FCopy::
c:\windows\ServicePackFiles\i386\wups2.dll | c:\windows\system32\wups2.dll

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.




Let me know if it helped, if not I will direct you to some Windows support sites.
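
An added example, not part of the original posts: a read-only batch check of the Automatic Updates service discussed above. Error 2 is Windows' "file not found" code, so the script shows which binary the wuauserv entry points at and whether the wups2.dll source and destination named in the CFScript exist. It assumes the service is svchost-hosted with its DLL under Parameters\ServiceDll; the two wups2.dll paths are copied from the thread.

```bat
@echo off
rem Added example (not from the thread): read-only check of the wuauserv service.
rem Nothing is modified; it only reports what the service entry points at.
setlocal
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\wuauserv"

echo === Service entry as the Service Control Manager sees it ===
sc qc wuauserv
if errorlevel 1 echo [!] wuauserv is not registered

echo.
echo === Host process (ImagePath) ===
reg query "%KEY%" /v ImagePath

rem Assumption: for an svchost-hosted service the code lives in Parameters\ServiceDll.
rem "call set" expands variables such as %SystemRoot% stored in the value.
set "DLL="
for /f "tokens=2,*" %%a in ('reg query "%KEY%\Parameters" /v ServiceDll 2^>nul ^| find /i "ServiceDll"') do call set "DLL=%%b"

echo.
echo === Service DLL ===
if not defined DLL (
  echo [!] no ServiceDll value found
) else (
  call :check "%DLL%"
)

echo.
echo === wups2.dll source and destination from the CFScript ===
call :check "c:\windows\ServicePackFiles\i386\wups2.dll"
call :check "c:\windows\system32\wups2.dll"
goto :eof

:check
rem Report whether the file passed as the first argument exists.
if exist "%~1" (echo [ok]      %~1) else (echo [missing] %~1)
goto :eof
```

Running it before and after the repair steps shows whether a missing file has been restored; a [missing] line on the source path means the FCopy step has nothing to copy from.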
 
Due to inactivity, this thread will now be closed.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
 