I have Vundo/Virtumonde PLZ help clean my system up!
Re: I have Vundo/Virtumonde PLZ help clean my system up!

Unread postby DFW » August 30th, 2008, 2:38 pm

Hi Again


Did the times when a web page takes a little longer to load, and such, start before you had the Vundo infection or after?
When was the last time you defragmented your hard drive?


Let's get that last McAfee line

Delete bad services
Please copy (Ctrl+C) and paste (Ctrl+V) the following text into Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

@echo off
rem Stop the orphaned McAfee Framework service if it is running, then remove its registration
sc stop McAfeeFramework
sc delete McAfeeFramework
exit


Double click FixServices.bat. A window will open and close. This is normal.


Reboot



Post back a new HJT Log, and the info asked for please.
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: I have Vundo/Virtumonde PLZ help clean my system up!

Unread postby Unfortunatesoul » August 30th, 2008, 6:20 pm

DFW,

I am not sure if the pages were sluggish before I got this malware. I do know that when I got Vundo, pages like Google and thottbot.com loaded extremely slowly and most of the time timed out. But now those ones work fine; however, I just started to notice the other sluggish pages, which may or may not have been like that before I got Vundo, because Google and thottbot being slow made the others more noticeable, I guess?

And I don't think I ever defragged this computer. My two 250 GB hard drives are RAIDed together (so they make one 500 GB drive). So with this setup, can I still do the defrag?


New HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 6:27:35 PM, on 8/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe




Hmm, I made that .bat file like you said and it looks like that McAfee entry is still in there. Can't wait for your next reply.

-Unfortunatesoul
Unfortunatesoul
Regular Member
 
Posts: 17
Joined: August 25th, 2008, 1:05 am
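As an added example (not part of the thread, and not code from HijackThis itself), here is a small Python parser for the O23 service lines in a log like the one above. It pulls out the display name, short service name, owner and binary path, and flags the things a helper looks for first: a "(file missing)" marker, an "Unknown owner", and an unbalanced quote in the path, all three of which the McAfee line shows. The sample lines are copied from the log above; the reason strings are my own wording.

```python
import re

# O23 lines in the format HijackThis 1.99.1 prints them, copied from the log above.
SAMPLE_LOG = r"""
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
"""

# "Display Name (ServiceKeyName)"; HJT prints the key name in parentheses only when it
# differs from the display name.
NAME_RE = re.compile(r"^(?P<display>.*?)(?: \((?P<short>[^()]+)\))?$")
# First .exe in the path, ignoring a leading quote and any arguments that follow.
EXE_RE = re.compile(r'^\s*"?(?P<exe>.+?\.exe)', re.IGNORECASE)
MISSING = " (file missing)"


def parse_o23(line):
    """Split one 'O23 - Service:' line into its fields; return None for other lines."""
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    # HJT joins display name, owner and path with " - ".  Split from the right so a
    # display name containing " - " survives; a path containing " - " would not, the
    # line format is ambiguous there.
    parts = line[len(prefix):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    display, owner, path = parts
    file_missing = path.endswith(MISSING)
    if file_missing:
        path = path[: -len(MISSING)]
    names = NAME_RE.match(display)
    exe = EXE_RE.match(path)
    return {
        "display": names.group("display"),
        "short": names.group("short") or names.group("display"),
        "owner": owner,
        "path": path,
        "exe": exe.group("exe") if exe else None,
        "file_missing": file_missing,
    }


def review_services(log_text):
    """Return {service_key_name: [reasons]} for every O23 entry worth a second look."""
    findings = {}
    for line in log_text.splitlines():
        svc = parse_o23(line.strip())
        if svc is None:
            continue
        reasons = []
        if svc["file_missing"]:
            reasons.append("binary missing: orphaned registration")
        if svc["owner"] == "Unknown owner":
            reasons.append("no publisher information in the binary")
        if svc["path"].count('"') % 2:
            reasons.append("unbalanced quote in ImagePath")
        if reasons:
            findings[svc["short"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in review_services(SAMPLE_LOG).items():
        print(name, "->", "; ".join(reasons))
```

An orphaned registration whose binary is gone (the McAfee line) is harmless by itself but cannot be fixed by the usual uninstaller, which is exactly why the thread spends several posts on it; an "Unknown owner" on a binary that does exist (the ATI line) only means the file carries no version information and is worth a look, not a verdict.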

Re: I have Vundo/Virtumonde PLZ help clean my system up!

Unread postby DFW » August 31st, 2008, 5:13 am

Run the McAfee Consumer Removal Tool (MCPR.EXE)

Download the removal tool from HERE
  • Click Save and save the file to any folder on your computer.
  • Navigate to the folder where the file is saved.
  • Make sure all McAfee windows are closed.
  • Double-click MCPR.EXE to run the removal tool.
    • Note: Windows Vista users must right-click MCPR.EXE and select Run as Administrator.
  • Restart your computer after receiving the message CleanUp Successful.


Post a new HJT log.

I'll look into defragging your RAID array; don't do it yet.
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: I have Vundo/Virtumonde PLZ help clean my system up!

Unread postby Unfortunatesoul » August 31st, 2008, 2:49 pm

After running the MCPR program,

Please exit this session.
"McAfee Enterprise software detected.
Cannot continue. Please contact McAfee Technical Support."

I do not see any processes in my Task Manager with McAfee in their names. There isn't anything related to McAfee in my tray either.


EDIT

Went to their tech support and found these instructions to resolve this error:

Solution
Windows 2000, XP

1. Click Start, Run, type tasks and press ENTER.
2. Right-click McAfee Cleanup and select Delete.
3. Run the McAfee Consumer Products Removal Tool (MCPR.exe) again.


Unfortunately, there isn't a "McAfee Cleanup" in my tasks. So it still does not work.
Unfortunatesoul
Regular Member
 
Posts: 17
Joined: August 25th, 2008, 1:05 am

Re: I have Vundo/Virtumonde PLZ help clean my system up!

Unread postby DFW » September 1st, 2008, 3:03 am

Hi Again


Let's get that last McAfee line again


We now need to boot into Safe Mode

Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. (BOOT SCREEN). At this point you should gently tap the F8 key repeatedly until you are presented with an Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.


Once in Safe Mode


Go to your C drive, Program Files, and make sure the McAfee folder is gone; if it is still there, right-click on it and delete it.



Go to Start menu > Run and type in services.msc, find the McAfee Framework Service (McAfeeFramework) and double-click on it.
On the "General" tab, change the startup type to "Disabled," and change the "Service Status" to "Stopped" by clicking on the "Stop" button.
On the "Recovery" tab, make sure that all options are set to "Take No Action," and that the "Reset fail count after:" option is set to 0 days.
Click to save the changes and exit.
If a reboot is needed for the changes to take place, make sure you reboot back into Safe Mode.

Open up HijackThis.
Click on Do a system scan only.
Place a checkmark next to these lines (if still present):

O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)


Then close all windows except HijackThis and click Fix Checked.




Do this straight after fixing the line.
Delete service
We will use one of the functions of HijackThis for this:
  • Open HijackThis, then click on None of the above, just start the program.
  • Click on the Config button (bottom right).
  • Click on Misc Tools, then click on Delete an NT Service.
  • Enter this name into that field (make sure there are NO spaces before or after the name):
    McAfeeFramework
  • Click OK and select YES when asked to reboot.




When you have rebooted into normal mode, run HJT and post a new HJT log.
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: I have Vundo/Virtumonde PLZ help clean my system up!

Unread postby Unfortunatesoul » September 2nd, 2008, 3:11 pm

I tried rebooting in Safe Mode by hitting F8, but the menu I got when I hit F8 just asked me which drive I wanted to start from. I saw no Safe Mode option, so I just chose to start from my hard drive. Then after logging on, I tried your directions anyway, and when I tried to click "Apply" to save the options for the McAfee Framework service, it came up with this message:

Services
"Unable to open service McAfeeFramework for writing on Local Computer.
Error 5: Access is denied."

So is this error coming up because I'm not in Safe Mode? If so, how do I get into Safe Mode on my computer (I have Windows XP Professional SP2)?



Also, I'd like to add something to this message that might be the problem. Ever since I've had this computer, after installing Windows, I made my user account and set my account as the administrator. But whenever I make certain changes, such as changing my system config options to a selective startup mode, a message comes up saying that I must be the administrator to make such changes. However, when I click OK, the changes are still made. Just wondering if you could help me find out how to stop this annoying message from coming up.
Unfortunatesoul
Regular Member
 
Posts: 17
Joined: August 25th, 2008, 1:05 am

Re: I have Vundo/Virtumonde PLZ help clean my system up!

Unread postby DFW » September 3rd, 2008, 2:48 am

Hi, let's try this; we will look into your admin rights next.



Instead of pressing F8, use F5 to get into Safe Mode.



We now need to boot into Safe Mode

Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. (BOOT SCREEN).
At this point you should gently tap the F5 key repeatedly until you are presented with an Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.


Once in Safe Mode


Go to your C drive, Program Files, and make sure the McAfee folder is gone; if it is still there, right-click on it and delete it.



Go to Start menu > Run and type in services.msc, find the McAfee Framework Service (McAfeeFramework) and double-click on it.
On the "General" tab, change the startup type to "Disabled," and change the "Service Status" to "Stopped" by clicking on the "Stop" button.
On the "Recovery" tab, make sure that all options are set to "Take No Action," and that the "Reset fail count after:" option is set to 0 days.
Click to save the changes and exit.
If a reboot is needed for the changes to take place, make sure you reboot back into Safe Mode.

Open up HijackThis.
Click on Do a system scan only.
Place a checkmark next to these lines (if still present):

O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)


Then close all windows except HijackThis and click Fix Checked.




Do this straight after fixing the line.
Delete service
We will use one of the functions of HijackThis for this:
  • Open HijackThis, then click on None of the above, just start the program.
  • Click on the Config button (bottom right).
  • Click on Misc Tools, then click on Delete an NT Service.
  • Enter this name into that field (make sure there are NO spaces before or after the name):
    McAfeeFramework
  • Click OK and select YES when asked to reboot.




When you have rebooted into normal mode, run HJT and post a new HJT log.
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: I have Vundo/Virtumonde PLZ help clean my system up!

Unread postby Unfortunatesoul » September 3rd, 2008, 8:23 pm

Hey,

I followed your directions by hitting F5 to get to the Safe Mode screen. It came up with a bunch of options (three of which had the phrase "safe mode"), but I disregarded the other two safe mode options and chose the one that simply said "Safe Mode."

Then my Administrator account came up as an option to log into, aside from my normal account, so I logged in as the Administrator.

Finally, I went to the McAfee service and tried to "Apply" the changes I made to it, but it once again came up with this message:

Services
"Unable to open service McAfeeFramework for writing on Local Computer.
Error 5: Access is denied."


Not sure how to get past this message, since I was in Safe Mode on the computer Administrator account. Shouldn't I have full privileges to do whatever I want?
Unfortunatesoul
Regular Member
 
Posts: 17
Joined: August 25th, 2008, 1:05 am

Re: I have Vundo/Virtumonde PLZ help clean my system up!

Unread postby DFW » September 4th, 2008, 12:04 am

Try this


Download FixPolicies.exe, a self-extracting ZIP archive, to your Desktop from here: http://downloads.malwareremoval.com/Bil ... licies.exe
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close. This will stop the Administrative warnings.


Instead of pressing F8, use F5 to get into Safe Mode.



We now need to boot into Safe Mode

Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. (BOOT SCREEN).
At this point you should gently tap the F5 key repeatedly until you are presented with an Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.


Once in Safe Mode


Go to your C drive, Program Files, and make sure the McAfee folder is gone; if it is still there, right-click on it and delete it.



Go to Start menu > Run and type in services.msc, find the McAfee Framework Service (McAfeeFramework) and double-click on it.
On the "General" tab, change the startup type to "Disabled," and change the "Service Status" to "Stopped" by clicking on the "Stop" button.
On the "Recovery" tab, make sure that all options are set to "Take No Action," and that the "Reset fail count after:" option is set to 0 days.
Click to save the changes and exit.
If a reboot is needed for the changes to take place, make sure you reboot back into Safe Mode.

Open up HijackThis.
Click on Do a system scan only.
Place a checkmark next to these lines (if still present):

O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)


Then close all windows except HijackThis and click Fix Checked.




Do this straight after fixing the line.
Delete service
We will use one of the functions of HijackThis for this:
  • Open HijackThis, then click on None of the above, just start the program.
  • Click on the Config button (bottom right).
  • Click on Misc Tools, then click on Delete an NT Service.
  • Enter this name into that field (make sure there are NO spaces before or after the name):
    McAfeeFramework
  • Click OK and select YES when asked to reboot.




When you have rebooted into normal mode, run HJT and post a new HJT log.
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: I have Vundo/Virtumonde PLZ help clean my system up!

Unread postby Unfortunatesoul » September 4th, 2008, 6:29 pm

I tried your new procedure and it is still coming up with the same error message.

Let me try to describe some stuff that I am seeing so that maybe you can better find a way to fix this issue:

On the services window, I see McAfee listed like this:

Name: McAfee Framework Service
Description: Shared component framework for McAfee products
Status: (blank)
Startup Type: Automatic
Log On As: Local System


Ok, so my computer is set up in a network through an internet router with another computer in my home. Perhaps since this service is a "shared" component, maybe there is something to do with the network that is not allowing me to change its settings. Like my guess would be that the other computer in my network must agree to change the settings for it as well, since it applies to both systems? I don't know, that's just a wild guess with my very little computer knowledge. If it helps, cool. If not, then it didn't hurt anything.

Also here's the message that comes up again:

Services
"Unable to open service McAfeeFramework for writing on Local Computer.
Error 5: Access is denied."

Are you sure that this error message is appearing because I do not have administrative privileges? I am not sure it is since I fixed those with fix_policies.cmd and then logged in and tried as both Administrator and my Account. Maybe I am encountering another type of error?


Just some thoughts from my end, but you're the important, knowledgeable end heh, so take my thoughts into consideration or not, doesn't matter to me.

Thanks,
Unfortunatesoul


P.S.: I'm not sure exactly what step this happened after in our cleansing process, but there have been hidden files called "thumbs.db" that are everywhere, in my folders, on my desktop, etc. Are these necessary or can I get rid of them somehow?

And also, I noticed that on my external hard drive, there are two new hidden folders called "system volume information" and "recycled", can I get rid of these?
Unfortunatesoul
Regular Member
 
Posts: 17
Joined: August 25th, 2008, 1:05 am
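One check the thread never runs, added here as an example that is not part of the original posts: "Error 5: Access is denied" on a service in services.msc means the open-for-write call failed the access check against that service's own security descriptor, which is a separate question from whether the account is an administrator, and it is not changed by booting into Safe Mode. On XP, `sc sdshow McAfeeFramework` prints that descriptor as an SDDL string. The Python below decodes such a string and reports which of the three operations the thread attempts (change the startup type, stop, delete) the Administrators group (`BA`) would be refused. Both SDDL strings in it are constructed to show the two cases, not captured from the poster's machine, and whether the McAfee service really carried a locked-down descriptor is an assumption the thread does not confirm.

```python
import re

# SDDL two-letter right codes and their bit values as they apply to service objects:
# the SERVICE_* specific rights plus the standard DELETE/READ_CONTROL/WRITE_DAC/WRITE_OWNER.
SERVICE_RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),  # needed to change the startup type
    "LC": ("SERVICE_QUERY_STATUS", 0x0004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010),
    "WP": ("SERVICE_STOP", 0x0020),           # needed by the Stop button / sc stop
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040),
    "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x10000),                # needed by sc delete / HijackThis "Delete an NT Service"
    "RC": ("READ_CONTROL", 0x20000),
    "WD": ("WRITE_DAC", 0x40000),             # lets the holder rewrite this DACL (sc sdset)
    "WO": ("WRITE_OWNER", 0x80000),
}

# The right each step in the thread needs on the service object.
STEP_RIGHTS = {
    "change startup type in services.msc": {"DC"},
    "stop the service": {"WP"},
    "delete the service": {"SD"},
}


def decode_rights(field):
    """Turn an SDDL rights field (two-letter codes or a hex mask) into a set of codes."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {code for code, (_, bit) in SERVICE_RIGHTS.items() if mask & bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def parse_dacl(sddl):
    """Yield (ace_type, trustee, rights) for every ACE in the D: section, ignoring the SACL."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        # ace_type;flags;rights;object_guid;inherit_object_guid;account_sid
        fields = ace.split(";")
        yield fields[0], fields[5], decode_rights(fields[2])


def effective_rights(sddl, trustee):
    """Rights the trustee is granted minus any it is explicitly denied."""
    allowed, denied = set(), set()
    for ace_type, sid, rights in parse_dacl(sddl):
        if sid != trustee:
            continue
        if ace_type == "A":
            allowed |= rights
        elif ace_type == "D":
            denied |= rights
    return allowed - denied


def missing_for_steps(sddl, trustee="BA"):
    """The thread's steps that would fail with Error 5 for this trustee, in sorted order."""
    have = effective_rights(sddl, trustee)
    return sorted(step for step, need in STEP_RIGHTS.items() if not need <= have)


# Constructed SDDL strings (not captured from the poster's machine).
# Permissive case: Administrators (BA) hold full control, so every step succeeds.
DEFAULT_DACL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;WD)")
# Self-protecting case: only SYSTEM may reconfigure; administrators get read-only
# access, so services.msc, sc and HijackThis all fail with Error 5.
LOCKED_DACL = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
               "(A;;CCLCSWLOCRRC;;;BA)(A;;CCLCSWLOCRRC;;;IU)")

if __name__ == "__main__":
    for name, sddl in (("permissive", DEFAULT_DACL), ("locked", LOCKED_DACL)):
        print(name, "- Administrators cannot:", missing_for_steps(sddl) or "nothing, all steps allowed")
```

Where the Administrators group keeps `WD` (WRITE_DAC), an administrator can replace the descriptor with a standard one using `sc sdset`, and that, rather than Safe Mode, is the remedy for this class of failure; where it holds neither `WD` nor `WO`, only SYSTEM (or an account exercising the take-ownership privilege) can change it.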

Re: I have Vundo/Virtumonde PLZ help clean my system up!

Unread postby DFW » September 5th, 2008, 4:11 am

Hi

I am going to look into this problem and will get back to you ASAP.

Those files and folders are fine DO NOT delete anything.
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: I have Vundo/Virtumonde PLZ help clean my system up!

Unread postby Unfortunatesoul » September 5th, 2008, 3:42 pm

Ok, but am I ever going to be able to get rid of these hidden folders/files?
Unfortunatesoul
Regular Member
 
Posts: 17
Joined: August 25th, 2008, 1:05 am

Re: I have Vundo/Virtumonde PLZ help clean my system up!

Unread postby DFW » September 5th, 2008, 4:17 pm

Hi Unfortunatesoul

Here is some information on the "thumbs.db" files that are everywhere; they are harmless, you can keep or delete them:
http://www.pchell.com/support/thumbsdb.shtml

The hidden folders called "system volume information" and "recycled" are system folders, DO NOT DELETE THEM; we will hide them soon.


Back to this service: I am not an expert at this type of problem, and we think there is more going on here than meets the eye, as you are free of any infection now.
As the anti-virus has been removed, the service is probably not that big of an issue, but if it's important to you to get it removed,
I would suggest that you go to one of the forums below that specialize in more general computer problems.
They have people that know more about this sort of problem, because it does not seem to be a malware problem.

You could also check about running a CHKDSK and the best way to defragment your drive on a RAID system, which is needed.


Good Hardware and Software Help Forums
Computer Trouble here: http://forum.computertrouble.co.uk/index.php
or
TechSupportGuy here : http://forums.techguy.org/21-windows-nt-2000-xp/
or
VirtualDr here: http://discussions.virtualdr.com/forumdisplay.php?f=48
or
PCPitStop here : http://forums.pcpitstop.com/index.php?showforum=3
or
CastleCops here: http://www.castlecops.com/ Registration on right edge close to top under login.

All may require you to register (free) before posting for help, and post a link to this topic so they can see you're clean.




Your web page slowdowns

It may be that you have programs installed on your system that are searching for updates and using up your bandwidth; Java is one of these programs.
Go to Control Panel and double-click the Java icon; under Update, unselect auto update.
The Java update does not work anyway. Check all other programs, but leave Windows Update and your security programs' auto updates on.

Try to have a minimum of themes/addons in your browser, or you may be missing some add-ins that are needed for some sites.
Delete all your history with CCleaner, so that it can start fresh.
Look for updates for Firefox or try reinstalling Firefox.

If this does not help, ask at the forums above, who will know why.

========================================================================



All your logs are fine now, and you are clean; we just need to clean up.


Clean Up



Open Malwarebytes' Anti-Malware.
Click on the Quarantine tab and click on Delete All.


I would keep Malwarebytes' Anti-Malware - it is a new and powerful anti-malware tool. It is
totally free for scanning and removing malware, but for real-time protection you will have to pay a small one-time fee.
Run weekly scans with it, or when required.



Go to Add/Remove Programs and uninstall HijackThis; it can always
be downloaded again if needed.

Also delete its folder:

Go to C:\Program Files and delete the HijackThis folder.


Also delete the FixPolicies.exe and the folder it created.


Set correct settings for files that should be hidden in Windows XP
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders", if necessary select Do not show hidden files and folders.
  • If unchecked, please check Hide protected operating system files (Recommended).
  • If necessary, check "Display content of system folders".
  • If necessary, uncheck Hide file extensions for known file types.
  • Click OK.




UNINSTALL COMBOFIX

  • Click START then RUN.
  • Now type Combofix /u in the run box and click OK.
  • Note the space between the X and the U; it needs to be there.
You can also delete any logs we have produced, and empty your Recycle Bin.


Delete the FixServices.bat from your desktop.


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
This will ensure your computer always has the latest security updates available installed. If there are new updates to install,
install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


You have Spybot Search & Destroy TeaTimer running; add these two programs below to shore up your defences.



Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware



MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc.
Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.





Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here how to prevent Malware.



Please post back just to let me know you carried out the clean up ok, and all is good.
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK
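The hosts-file mechanism described in the post above, as an added example that is not part of the thread or of the MVPS file itself: a hosts file is consulted before DNS, the first line naming a host wins, matching is case-insensitive, and anything after `#` is a comment. The Python below parses such a file, resolves names the way the resolver does, lists what the file sinkholes (MVPS-style lists point entries at 127.0.0.1, as the post says, and newer ones at 0.0.0.0), and flags the opposite pattern, an entry that sends a name to a real address, which is how malware uses the same file to keep a machine away from update and security sites. The hosts content is constructed here; the host names use the reserved `.invalid` domain and the hijack line a documentation (TEST-NET-2) address.

```python
import ipaddress

# Constructed hosts file: the first two lines are what every Windows hosts file starts with,
# the next ones imitate the MVPS block list, the last is a constructed hijack entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# [MVPS-style block entries, constructed]
127.0.0.1  ads.example-adserver.invalid  banners.example-adserver.invalid
0.0.0.0    tracker.example-analytics.invalid   # newer lists use 0.0.0.0
198.51.100.7   www.windowsupdate.com            # constructed hijack, TEST-NET-2 address
"""

# Addresses that mean "go nowhere": loopback, the unspecified address, and IPv6 loopback.
SINKHOLES = {ipaddress.ip_address("127.0.0.1"),
             ipaddress.ip_address("0.0.0.0"),
             ipaddress.ip_address("::1")}


def parse_hosts(text):
    """Return [(ip, [names])] in file order; '#' starts a comment, whitespace separates fields."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.append((ipaddress.ip_address(ip), [n.lower() for n in names]))
    return entries


def lookup(entries, hostname):
    """Resolve as the hosts file does: case-insensitive, first match wins, None if absent."""
    hostname = hostname.lower()
    for ip, names in entries:
        if hostname in names:
            return str(ip)
    return None


def blocked_names(entries):
    """Names the file sinkholes, which is what an MVPS-style file is for."""
    return sorted(n for ip, names in entries if ip in SINKHOLES
                  for n in names if n != "localhost")


def suspicious_entries(entries):
    """Names mapped to a routable address: a block list never needs one, and this is the
    shape of a hosts-file hijack that redirects update or security sites."""
    return [(n, str(ip)) for ip, names in entries if ip not in SINKHOLES for n in names]


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print("blocked:", blocked_names(entries))
    print("suspicious:", suspicious_entries(entries))
```

On XP the file lives at C:\WINDOWS\system32\drivers\etc\hosts; the same parser applied to that file shows at a glance whether a block list is installed and whether anything has been added that should not be there.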

Re: I have Vundo/Virtumonde PLZ help clean my system up!

Unread postby Unfortunatesoul » September 5th, 2008, 4:42 pm

Thank you so much DFW! My computer is finally free of infection! The clean-up went well, but one more question:

Sometime during the cleaning process this happened. Before, when I would create a new text document, I could just rename the file accordingly without having to type ".txt" at the end. Now, I try to do this and I have to type .txt at the end, and all my existing txt files now have .txt at the end. Any way I can change this back to how it used to be?
Unfortunatesoul
Regular Member
 
Posts: 17
Joined: August 25th, 2008, 1:05 am

Re: I have Vundo/Virtumonde PLZ help clean my system up!

Unread postby DFW » September 5th, 2008, 8:44 pm

Hi Unfortunatesoul

When we re-hid your hidden files we also set that file extensions should be shown. There is a good reason why: it enables you to see the extension of a file; many malware files look like normal files but of course are not.

If you downloaded a photo and saved it to your Documents folder it would be displayed by its name, "PhotoFile"; now if we show file extensions it would show like "PhotoFile.jpg". By looking at the file extension you can tell it is a jpg photo file; however, if you saw this, "PhotoFile.exe", you would know that the file could be bad. No photo file needs to be an "exe"; this would be an executable file and probably malware.

So being able to see file extensions lets you tell if it's a true extension for that file type and helps when looking for malware files.
The trouble you are having now is that when you try to rename a file you are changing/renaming the file extension; you will have to rename the part before the .file extension name.


If you do not want this and would like to go back to how it was before, then:

  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • check Hide file extensions for known file types.
  • Click OK
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK
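The behaviour explained in the post above, as an added example that is not part of the thread: Windows acts on the text after the last dot, and "Hide file extensions for known file types" removes only that last extension from what Explorer displays, so "PhotoFile.jpg.exe" is shown as "PhotoFile.jpg". The Python below models both rules, flags the double-extension pattern, and shows the rename the poster is asking about (replace only the part before the extension). The extension sets are a short constructed sample, not the registry's full list of known types.

```python
import os

# Extensions Windows runs when double-clicked (a few common ones; constructed, not exhaustive).
EXECUTABLE = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a user expects to be plain data (constructed sample).
DATA = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf", ".doc"}


def true_extension(filename):
    """The extension Windows actually acts on: everything after the LAST dot, lower-cased."""
    return os.path.splitext(filename)[1].lower()


def explorer_display_name(filename, hide_known_extensions=True):
    """What Explorer shows: with hiding on, only the last known extension disappears,
    so 'PhotoFile.jpg.exe' reads 'PhotoFile.jpg'; with hiding off, the full name."""
    if hide_known_extensions and true_extension(filename) in EXECUTABLE | DATA:
        return os.path.splitext(filename)[0]
    return filename


def is_masquerading(filename):
    """True when an executable is dressed up as a data file by a double extension."""
    stem, last = os.path.splitext(filename)
    return last.lower() in EXECUTABLE and os.path.splitext(stem)[1].lower() in DATA


def rename_keeping_extension(filename, new_stem):
    """Rename the way the poster wants: change only the part before the extension."""
    return new_stem + os.path.splitext(filename)[1]


def review_folder(filenames):
    """Map each name to (what Explorer would show, the real extension, masquerading?)."""
    return {f: (explorer_display_name(f), true_extension(f), is_masquerading(f))
            for f in filenames}


if __name__ == "__main__":
    for name, info in review_folder(["PhotoFile.jpg", "PhotoFile.jpg.exe", "notes.txt"]).items():
        print(name, "->", info)
```

With extensions hidden the first two names above display identically, which is the whole point of the post: the only reliable tell is the real extension, and that is visible only when hiding is off.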