Post-virtumonde Cleanup


  • This topic is locked
4 replies to this topic

#1 tropicana

tropicana

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:26 PM

Posted 11 July 2008 - 09:54 AM

Hi,

I've just finished cleaning up a bad case of Virtumonde infection (thanks to How To Remove Virtumonde, http://www.bleepingcomputer.com/forums/index.php?showtopic=18610, and no thanks to Ad-aware!). I just want to confirm that I am clean before I re-connect to my other home machines (which I have quite a few of).

My DSS output files are attached.

thanks! :thumbsup:

Attached Files




#2 Simon V.

Simon V.

  • Members
  • 439 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:26 PM

Posted 14 July 2008 - 01:57 PM

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

Please don't attach your logs to your post; instead copy/paste them in your reply.

Looking quite good, but there are still a few things to clean up.

Step 1

Please download and install CCleaner.

Open CCleaner. On the Windows tab, leave the default options alone.
  • On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
  • Click on the Run Cleaner button at the bottom right hand corner.
  • Close CCleaner.
Step 2

Open HijackThis, perform a scan and put a check next to the following items (if present):

O21 - SSODL: fsrpknov - {8BF0004B-74AB-4E2A-96FB-94244BA9124B} - (no file)
O21 - SSODL: fdxbameg - {353C4F47-B770-43EB-B225-BED78A2F3FB4} - (no file)


Close all programs except HijackThis and click on Fix checked.

Step 3

Please download OTMoveIt2.exe by OldTimer and save it to your desktop.
  • Double click on OTMoveIt2.exe to run it.
  • Untick the option to Unregister Dll's and Ocx's.
  • Select the contents of the below codebox, then press Ctrl+C to copy it to the clipboard.
C:\WINDOWS\system32\uxdvinhu.dll
C:\WINDOWS\system32\jjvcou.dll
C:\WINDOWS\system32\aplndftp.dll
C:\WINDOWS\system32\MnVFOXbc.ini2
C:\WINDOWS\system32\kebbhrje.dll
C:\WINDOWS\system32\ygddqsqo.dll
C:\WINDOWS\system32\hkusyy.dll
C:\WINDOWS\system32\GNpXIkkj.ini2
C:\WINDOWS\system32\wHiPYyxx.ini2
C:\WINDOWS\system32\eeOqsBeg.ini2
C:\WINDOWS\wbxdpgfepen.dll
C:\WINDOWS\gpefaowr.exe
C:\WINDOWS\esnm.exe
C:\Documents and Settings\tropicana\Application Data\rhc5muj0en5r
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\@
  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
A log will be produced at C:\_OTMoveIt\MovedFiles\date_time.log, where date_time are numbers.

Step 4

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.
Step 5

Please download JavaRa and unzip it to your desktop.
  • Double-click on JavaRa.exe to start the program.
  • Click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.
Then download and install Java Runtime Environment (JRE) 6 Update 7.

Step 6

In your next reply, please post:
  • the JavaRa log (C:\JavaRa.log)
  • the OTMoveIt log (C:\_OTMoveIt\MovedFiles\date_time.log)
  • the Malwarebytes' Anti-Malware log
  • a HijackThis log

Simon V.


So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

My help at this forum is free, but if you wish to make a donation to help me continue the fight against malware - click here.
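The following is an added post-cleanup check, not part of Simon V.'s instructions or any of the tools he names. It re-verifies, from an elevated PowerShell prompt on the cleaned machine, the three kinds of leftovers his steps target: ShellServiceObjectDelayLoad entries whose CLSID no longer resolves to a DLL on disk (what HijackThis reports as "O21 - SSODL ... (no file)"), the file and folder list handed to OTMoveIt2, and the default value of the HKLM Run key (the `\\@` line in that list is taken here to mean the key's default value). The value names, paths and the "Clean" message are taken from the post; the script itself and its output format are assumptions of this example.

```powershell
# Added example: confirm the Virtumonde leftovers listed above are really gone.
# Run in an elevated PowerShell (2.0 or later). Not part of the original post.

$findings = @()

# 1. O21 / SSODL: each value under this key is a CLSID that Explorer loads at
#    logon. Resolve it to its InprocServer32 DLL; a missing key or missing DLL
#    is what HijackThis prints as "(no file)".
$ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
if (Test-Path $ssodl) {
    $entries = Get-ItemProperty -Path $ssodl
    foreach ($prop in $entries.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSChildName, ...
        $clsid = [string]$prop.Value
        $dll = $null
        foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
            $srvKey = Join-Path $root "$clsid\InprocServer32"
            if (Test-Path $srvKey) {
                $dll = (Get-ItemProperty -Path $srvKey).'(default)'
                break
            }
        }
        if ($dll) {
            $dll = [Environment]::ExpandEnvironmentVariables(([string]$dll).Trim('"'))
        }
        if (-not $dll -or -not (Test-Path -LiteralPath $dll)) {
            $where = if ($dll) { $dll } else { '(no InprocServer32)' }
            $findings += "O21 orphan: $($prop.Name) = $clsid -> $where"
        }
    }
}

# 2. The OTMoveIt2 list from the post (paths as given there). After a
#    successful Moveit! run none of these should exist any more.
$moved = @(
    'C:\WINDOWS\system32\uxdvinhu.dll',
    'C:\WINDOWS\system32\jjvcou.dll',
    'C:\WINDOWS\system32\aplndftp.dll',
    'C:\WINDOWS\system32\MnVFOXbc.ini2',
    'C:\WINDOWS\system32\kebbhrje.dll',
    'C:\WINDOWS\system32\ygddqsqo.dll',
    'C:\WINDOWS\system32\hkusyy.dll',
    'C:\WINDOWS\system32\GNpXIkkj.ini2',
    'C:\WINDOWS\system32\wHiPYyxx.ini2',
    'C:\WINDOWS\system32\eeOqsBeg.ini2',
    'C:\WINDOWS\wbxdpgfepen.dll',
    'C:\WINDOWS\gpefaowr.exe',
    'C:\WINDOWS\esnm.exe',
    'C:\Documents and Settings\tropicana\Application Data\rhc5muj0en5r'
)
foreach ($path in $moved) {
    if (Test-Path -LiteralPath $path) { $findings += "still present: $path" }
}

# 3. HKLM Run key default value. A legitimate system leaves it empty; Vundo
#    variants have used it as a launcher (this is the '\\@' entry above).
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$default = (Get-ItemProperty -Path $run -ErrorAction SilentlyContinue).'(default)'
if ($default) { $findings += "Run default value set: $default" }

if ($findings.Count -eq 0) {
    'Clean: no leftovers from the cleanup list.'
} else {
    $findings
}
```

If the O21 check still lists the two random-named values (fsrpknov, fdxbameg) after HijackThis has "fixed" them, reboot and run it again before re-connecting the other machines; Vundo's BHO/SSODL pair is known for re-creating its entries from a second DLL that is still loaded in Explorer.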

#3 Simon V.

Simon V.

  • Members
  • 439 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:26 PM

Posted 18 July 2008 - 02:28 PM

Do you still need help?
Simon V.


#4 tropicana

tropicana
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:26 PM

Posted 20 July 2008 - 01:22 AM

No. not any more. thanks!

#5 Simon V.

Simon V.

  • Members
  • 439 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:26 PM

Posted 20 July 2008 - 08:46 AM

Since this issue appears to be resolved ... this topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a new topic.
Simon V.

