
Malware Virtumonde Removal


  • This topic is locked

#1
John2005
    Member
  • 40 posts
Hello Geeks to Go. I last used you guys with great success in 2005. Unfortunately my computer has become infected with the Virtumonde malware. I am in the process of following your instructions "You must first do this...", and got as far as running the ATF Cleaner. When I went to the System Restore section, I received the following message when trying to run the SysRestorePoint software:

SysRestorePoint.exe - .NET Framework Initialization Error
To run this application, you first must install one of the following versions of the .NET Framework:
V2.0.50727
Contact your application publisher for instructions about obtaining the appropriate version of the .NET Framework.

I'd appreciate it if you could assist me here. Thanks.


#2
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
Hello John2005

Welcome to G2Go. :)
=====================

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.
================
Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

#3
John2005
    Member
  • Topic Starter
  • 40 posts
Hi kahdah,

I've attached the DDS.txt, Attach.txt (zipped), and GMER.txt files as requested. Thanks for your assistance.

John2005

Attached Files

#4
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#5
John2005
    Member
  • Topic Starter
  • 40 posts
Hi kahdah,

I ran ComboFix and apparently the Windows Recovery Console was already installed, as I received no prompts to install it. A session was created, and the program ran through several "stages", deleting some files and folders. I'm presently "stuck" at "Completed Stage_17" with a blinking cursor, and no log produced. What should I do next?

John2005


Update: I attempted to close the session, as my PC fan kept cycling on every ~10 minutes. The PC was locked up, and I had to pull the plug from the wall to get it to power down. There was no log produced.

John2005

Edited by John2005, 25 January 2009 - 01:33 PM.


#6
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
Hi, please delete the version of Combofix that you have and then do the following:
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Double click the Combofix icon to begin it then follow the prompts.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

#7
John2005
    Member
  • Topic Starter
  • 40 posts
Hi kahdah,

(Sorry for the delay in responding.) I've run ComboFix again and was successful this time. The program produced a log file, which I've attached.

John2005

Attached Files

#8
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
=========
Post that log and a new dds log and then let me know how things are running?

#9
John2005
    Member
  • Topic Starter
  • 40 posts
Hi kahdah,

I've attached the mbam log and the new dds log. Dds created a new attach file, which I've also included.

John2005

Attached Files

#10
John2005
    Member
  • Topic Starter
  • 40 posts
Hi kahdah,

Just for fun, in addition to the Malwarebytes' Anti-Malware "Quick Scan", I also ran a "Full Scan". It picked up an additional 18 infections, which were quarantined and deleted. I've attached the second mbam log created today. Please advise how it and the other logs look. Thanks.

John2005

Attached Files
#11
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
Hi, those other items are in Combofix's quarantine and in the system restore points, which we will clean in a bit.
No more threats are showing in your logs.
=======================
I see that you have Ares and Limewire installed.
Having P2P programs such as these raises the possibility of getting infected again.
See here for information on P2P's.
I will leave it up to you if you want to remove them.
To remove them, simply uninstall them, then delete these folders: C:\Program Files\ares and Limewire
===============
Also uninstall Viewpoint, then reboot and delete this folder if it is present: C:\Program Files\Viewpoint
=============
Additionally, uninstall these below as well:
  • J2SE Runtime Environment 5.0 Update 11
  • Java 2 Runtime Environment, SE v1.4.2_05
  • Java™ 6 Update 7

===========
Cleanup:

Please download OTCleanIt from Here and save it to your desktop.
Double click on OTCleanIt to run it.
Then click on Clean up.
Restart your computer when prompted.
This will remove what tools we used.
===============
Delete/uninstall anything else that we have used.


System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb/310405/en-us

If you are using Vista then see this link > http://www.bleepingc...143.html#manual
=====================================
After that your log is clean. :)

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

Spywareguard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow - A tutorial on what you can do if your computer is slow.

#12
John2005
    Member
  • Topic Starter
  • 40 posts
Hi kahdah,

I've removed the Ares, LimeWire, and Viewpoint applications from my PC, as well as the old Java apps. I downloaded cleanit and ran CleanUp. Then I turned off my system restore point and turned it back on again. I will load Spybot Search & Destroy, Spyware Blaster and Spywareguard as well as the Windows system updates. Can I ask a few questions with regard to applications I have on my PC?

My Norton AntiVirus will not do a live update. The last update I have is from 19 December 2008. When I try to do a live update, Norton says it failed and to re-install LiveUpdate. In the Symantec file folder there is an Lsetup.exe file which says it will load LiveUpdate. OK to proceed at this point and run a fresh virus scan?

Also, I have additional apps which may be redundant at this point:

ewido Security Suite
HijackThis 1.99.1
PC-Doctor for Windows
PopSubtract
SpamSubtract
AdAware

Stuff I like and would propose to keep on my PC:

CleanUp! (Different from the cleanit/cleanup you had me install and run.)
Window Washer
Malwarebyte's Anti-Malware

Also, I understand that Symantec has slipped a bit in recent years and that there are very good competing anti-virus products out there (e.g. AVG Anti-Virus Free Edition). Do you have a free anti-virus software recommendation?

John2005

#13
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts

OK to proceed at this point and run a fresh virus scan?

If you get the Live Update to work then yes, that is fine.

Also, I have additional apps which may be redundant at this point:

ewido Security Suite
HijackThis 1.99.1
PC-Doctor for Windows
PopSubtract
SpamSubtract
AdAware

If you have a license key for PopSubtract and SpamSubtract and you like the product, then keep those, but if not they are simply useless applications.
Ewido can go, and AdAware can go as it doesn't do a very good job anymore.
Not sure about PC-Doctor, but that seems kind of useless to me; I would remove it.
Basically, keep it light so as not to have too many unnecessary items running at startup.

I would personally recommend AVG free edition over Norton any day.
Here are the links to some free antivirus programs:

AVG free 8.0
Note this is free antispyware protection and Antivirus protection.

or

Antivir
this is just antivirus protection.

CleanUp! and Window Washer basically do the same thing.
But you can still keep them if you like them.

#14
John2005
    Member
  • Topic Starter
  • 40 posts
Hi kahdah,

I think I'm finally there. Got the Symantec live update to run. One question: I've loaded the Spywareguard and done a live update as well. The definitions date is 1/22/04. Is this correct? Is the application still useful with such old definitions?

A final question on the PopSubtract and SpamSubtract. Why do you say they are useless applications?

Thanks.

John2005

#15
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
I said they were useless if you do not pay for them; they are only a trial version put on the system.