Hello,
I believe my problem is Virtumonde and I got it during Windows update. I have Zone Alarm, Spybot, Avast and Adaware, and ZoneAlarm and Avast run all the time. The computer was acting up so I ran Spybot, Avast and Adaware. Spybot found Virtumonde, Web Trends and Statcounter and I thought removed them. Adaware found Virtumonde and 81 cookies (way more than usual) and said it removed them. And at the beginning Avast found malware and moved it to the chest. I cannot access Avast, ZoneAlarm, Adaware or Spybot via the internet for updates, although my versions are all pretty current. I also tried to look at other spyware or antivirus internet addresses and it won’t let me.
I just ran the programs in SAFE mode and now Adaware only showed 11 cookies. Spybot waited for a reply for C:Program Files/Spybot_Destroy\Includes\Trojans.spi and said to see include errors.log but after that didn’t find any malware.
Avast showed no viruses but was unable to scan three:
Disk C Boot Record - unable to scan, no more data is available.
C:\Documents and Settings\All Users\Application Data\Spybot-Search & Destroy\Recovery\Virtumonde.zip\removalfile.bat
and
C:\Documents and Settings\All Users\Application Data\Spybot-Search & Destroy\Recovery\Virtumonde.zip\sbRecovery.ini
and both are showing unable to scan archive is password protected.
I had looked at Kim Komando and it said to turn on the Windows Firewall (which was off), so I did.
Any suggestions? It is hiding in there somewhere and I am not very computer oriented.
do not worry about Spybot’s recovery files
can you create a folder C:\suspicious
can you go to the avast chest and copy the spyware (not the system- leave-em alone) files to C:\suspicious
then go online to virustotal and upload the files ?
post the results
since I cannot tell which sites are blocked or whatever I’ll post up some choices
Spybot is a good choice for Virtumonde but there are a lot of variants
can you download Malware Bytes Anti Malware, update, scan and click REMOVE on any hits
if that works also run Malware Bytes Rogue Remover
post up the logs if any hits
I can’t get to anything you asked me to try. I either get “not a valid Win32 application” or a can not display page. I could copy the Avast chest onto a c:Suspicious file by running a scan but I can’t email out stuff although I can receive emails. I did try getting to the websites in different ways (i.e. through dogpile or through a mirror download site, or whatever they call them). Sometimes I could get to the first website page but once I pick download I couldn’t download. Any other suggestions? Thanks for all your help.
If ad-aware works could you see if the remover is included or optional- I do not know with new ad-aware
even in safe mode
I think the best thing to do is to download VUNDOFIX on a friend’s computer and either copy it to a pen drive or burn a CD. It’s only 116kb so it would fit on a floppy
Can you see the instructions on line?
http://vundofix.atribune.org/
the advantage of this is that it does not require an “install” or an “update”
and is ready for the latest nasty versions of Vundo
If you can get the hits into C:\suspicious you do NOT have to email
go to Virus total and use the search button to navigate to your folder
Perhaps polonus is lurking and will have another idea
I take it none of the online AV scanners work, or have you tried any?
try Dr Web Cure It
HJT would be excellent if she can get to it
otherwise
SuZam
read the sticky about hjt at the top of this forum
download to your cd or pen drive and install from there -but not to a TEMP file or desktop
Create a new folder C:\SuZamHJT and download there
Happy-Dude is giving you links to the complete update files which you could DL to a CD or pen drive and do manual updates
let’s hope vundofix works
then/ or
Post a HJT scan only- DO NOT FIX anything
I see you ran Ad-aware in safe mode
did you try a safe mode Spybot scan? It looks as if you did
Do not run HJT in safe mode unless that’s the only way it will run
Your HJT version is out of date; you also don’t have HJT installed in its own folder but dumped in the desktop folder. Download the latest version and install that in its own folder, the installation file should do that for you and remove the old version.
HJT ACTIONS (note not to be done until you have the latest version installed and removed old version)
Suspect: Upload the file/s to VirusTotal, Send a sample to avast if multiple detections at VT and Fix in HJT (see below)
Send the sample to virus@avast.com zipped and password protected with the password in email body, a reference to this topic (give URL) and undetected malware in the subject.
Run HJT again (close any other windows except HJT), tick the box to the left of the suspect entry you wish to fix, click the Fix Selected Button.
Sorry it took a while. I couldn't do anything on Wyrmrider post 3, or Happy-Dude post 4, I could run my hijack and email it to myself and look at it on another computer....so here it is:
Logfile of HijackThis v1.99.1
Your HJT version is out of date; you also don't have HJT installed in its own folder but dumped in the desktop folder. Download the latest version and install that in its own folder, the installation file should do that for you and remove the old version.
DavidR, I don’t think she can actually DL stuff … ? Looks like she’s having problems with it …
Think someone can use 7-zip, compress the package to be less than 200 KB, and upload it to the forums ?
It would be better if she could phone a friend, so to speak, and have them download to CD, possibly better than a flash drive: if the system is infected we want to avoid the risk of infecting the flash drive and the friend’s system.
The file types are limited, .txt and .log so the file type would have to be changed from .zip or .7z, etc. That however would still technically require a ‘download’ from the forums ???
Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from here: http://cid-6aaab341ce47c5c2.skydrive.live.com/self.aspx/Public/FixPolicies.exe
* Double-click FixPolicies.exe.
* Click the “Install” button on the bottom toolbar of the box that will open.
* The program will create a new Folder called FixPolicies.
* Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
* A black box will briefly appear and then close.
* This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
After running FixPolicies, logoff and restart system, and try logging in to normal mode. Let me know if you can.
Well, we have everyone working on this now
which is good
DavidR will read the whole post
Polonus will look at the HJT
V1.99 works just fine on the things it works on so do the Fix
if you can get a v2.02 to your machine create a folder
I use C:\HJT but the auto installer puts in program files
repeated use of hjt from the desktop will pollute your desktop with back-up files
Whatever you do, do not install to TEMP as back-up files may be “cleaned up”
It is a good practice to first try and get the right policies back on the infected computer, and this was an advised proposal from an advanced helper’s site. The tools we use will vary according to the malware at hand, and the trend at this moment is that we have need of a tool like this. If you are not familiar with a particular phase in the cleansing routine, you should not doubt it. Anti-malware tools and I mean the reliable ones were developed for a reason.
I’ll give you an example: the Smitfraud tool fix works in case of the following malware:
It is a limited list:
It is an ever evolving battle. At the moment MBAM cleans Virtumonde, but sometimes you need a way to get it working on an infected machine. That is what we are doing here.
Okay, I read everything although I didn’t understand it all
I am going to be gone for 3 hours and don’t want to start my computer until I have time.
But then, I am going to start it, make sure zone alarm comes up (it doesn’t always), check and make sure Windows Firewall is on (it keeps turning off) and then try Polonus’s short term thing to allow downloads.
Then I need to ???Download Hijack This?
Thanks,
Su
"make sure zone alarm comes up (it doesn’t always), check and make sure Windows Firewall is on (it keeps turning off) "
turn either zone alarm or windows firewall off while we work on this
keep whichever one is working best
they will conflict big time
with some OS windows will turn off the windows firewall automatically, with some it will not
read Polonus’s HJT sticky at the top of the page
the first most important thing is not to install on a temp file (by clicking “open”)
do not save to your desktop
create a folder (where you can find it) if the downloader does not do it for you
second most important thing is to close all browser windows- including this one