Topic Summary

Posted by: hazedaze
« on: 02. December 2010., 14:39:50 »

YOU WILL NEED A SPARE PC/LAPTOP FOR THIS PROCEDURE.

But just to point out that if anyone has trouble cleaning any of the latest viruses/trojans,

then the best trick you can always do is to pop the HDD out of the infected machine and connect it to what I class as a donor machine via a SATA or IDE to USB cable or equivalent.

MAKE SURE THE DONOR MACHINE IS FULLY PROTECTED A/V WISE AND IF POSS ENSURE NOTHING CAN WRITE TO THE C: DRIVE (i.e. McAfee Access Protection - all boxes ticked!!). THIS WILL STOP THE LITTLE NASTIES FROM JUMPING FROM ONE INFECTED DRIVE TO YOUR NICE CLEAN DONOR MACHINE.

Once you know that your donor machine is fully protected and up to date definition wise you can connect your infected drive and let it perform a complete scan (McAfee or NOD32 + SuperAntiSpyware + Malwarebytes). Run it several times just in case!!

This tends to work a lot better than trying to run any of the clean up software on the infected drive itself, as the files that would normally report back as being locked or in use by another process will not be live, as the drive is only connected essentially as a data drive. This will almost always get rid of the clone files too (the ones that write themselves back after they have been so-say cleaned).

You should find that you can clean your drive up to 99 - 100% using this method, and it is my preferred method for getting rid of some of the hard to eradicate payloads.

Obviously it's always worth having a clean backup stored on DVD or portable HDD as you never know what backdoors some of these payloads leave open. I know what it's like though, and having a complete clean backup is sometimes easier said than done. :-X

Hope this helps some of you out there...

Regards

HD

 :up:
Posted by: kn1ghtm4r3
« on: 15. October 2010., 07:16:07 »

I used Malwarebytes Anti-Malware and that has helped me heaps.
Posted by: manual2100
« on: 12. October 2010., 12:06:32 »

Spybot Search and Destroy detects and removes many variants of Virtumonde. Worked for me.
Posted by: Samker
« on: 24. December 2008., 21:12:00 »

Hi friend, thanks for these nice words about our work. :thumbsup: Hope you will also recommend us to your friends etc.

Don't know about reformatting, it's your decision; in my opinion we will clean this, but if you have some other difficulties, reformatting is the best solution.

For the security related question, first I need information: did you think about some free programs or are you ready to buy some security software??

Maybe it will be more appropriate to open a new topic about the best security solution in the General Security Discussions & Advices section ;) : http://scforum.info/index.php/board,10.0.html

Regards from Europe,

Samker
Posted by: jdykstra
« on: 24. December 2008., 20:18:10 »

Hey Samker. I was thinking of just reformatting my computer instead of trying to fix the virus. There's so much crap on my computer, it's overwhelming. I don't feel like organizing it, and I'm pretty OCD about my hard drive. You've been a great help, man. I'm definitely going to stay as a part of scforum. When I do reformat my computer, what security should I install? I want a really clean computer!
Posted by: Samker
« on: 22. December 2008., 08:58:02 »

Snowboarding! :bih:

If you want, provide us some photos in Chit Chat Caffe.

Hope, soon we will also have some "bigger" snow in BiH. >:D


Related to the logs, this weekend I had more time to investigate "your case".

As I think, this is our main problem and this "hook" starts all the malware in your PC:

Quote
O20 - AppInit_DLLs: gaynbi.dll rcywjf.dll zauhck.dll cqjmkp.dll mqkgxu.dll ogoyxw.dll pgqlhq.dll ibywlh.dll poscyv.dll jhwtjb.dll lopunr.dll xefduu.dll bmvsjq.dll


Because of that we will make small changes in the instruction:

This is a very dangerous (re)move and you will need to follow my instruction exactly as I write it.

1. Download, install, update & run full scan with Malwarebytes' Anti-Malware: http://scforum.info/index.php/topic,2201.0.html

2. Uninstall Java through Control Panel/Add-Remove Programs, after that download and install latest version: http://www.java.com/en/download/windows_xpi.jsp?locale=en&host=www.java.com:80

3. Restart your PC in to Safe Mode, run HJT and fix only this item:

Quote
O20 - AppInit_DLLs: gaynbi.dll rcywjf.dll zauhck.dll cqjmkp.dll mqkgxu.dll ogoyxw.dll pgqlhq.dll ibywlh.dll poscyv.dll jhwtjb.dll lopunr.dll xefduu.dll bmvsjq.dll

4. Download, install, update & run full scan with latest version of AVG Antivirus: http://www.avg.com/filedir/inst/avg_free_stf_en_8_176a1400.exe

5. Uninstall AVG again and try to install Kaspersky again. If you succeed this time, update it and run a full scan.

6. Update your Spybot Search and Destroy and also run a full scan.

7. After you finish all this, in any case provide me new logs: HJT and don't forget the Kaspersky Online Scan log.


That's all for now. :police:

Regards,

Samker

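As an added defender-side example (not code from this thread or from HijackThis): a small parser over HijackThis O20 lines that flags the AppInit_DLLs pattern quoted above and shows which DLL names appeared between the 14 and 22 December logs. The O4 line and the benign O20 line are constructed; the heuristic threshold is an assumption.

```python
import re

# Sample HijackThis lines. The two O20 lines are the ones quoted in this
# thread (14 and 22 December 2008); the O4 line and LOG_CLEAN are constructed.
LOG_DEC14 = """\
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O20 - AppInit_DLLs: gaynbi.dll rcywjf.dll zauhck.dll cqjmkp.dll mqkgxu.dll hwyvps.dll
"""
LOG_DEC22 = """\
O20 - AppInit_DLLs: gaynbi.dll rcywjf.dll zauhck.dll cqjmkp.dll mqkgxu.dll ogoyxw.dll pgqlhq.dll ibywlh.dll poscyv.dll jhwtjb.dll lopunr.dll xefduu.dll bmvsjq.dll
"""
LOG_CLEAN = "O20 - AppInit_DLLs: C:\\WINDOWS\\system32\\vendorhk.dll\n"

O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$")
# Names like the ones in the thread: six lowercase letters, no path, .dll
RANDOM_NAME_RE = re.compile(r"^[a-z]{6}\.dll$")


def parse_appinit_dlls(log_text):
    """Collect DLL names from every O20 AppInit_DLLs line.

    The registry value is space- or comma-separated, so split on both.
    """
    found = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            found.extend(d for d in re.split(r"[\s,]+", m.group(1)) if d)
    return found


def looks_like_vundo(dlls):
    """Heuristic (assumed threshold): two or more random-looking bare DLL names."""
    return sum(1 for d in dlls if RANDOM_NAME_RE.match(d)) >= 2


def new_dlls(older_log, newer_log):
    """DLL names present in the newer log but absent from the older one."""
    before = set(parse_appinit_dlls(older_log))
    return [d for d in parse_appinit_dlls(newer_log) if d not in before]


if __name__ == "__main__":
    for label, log in (("14 Dec", LOG_DEC14), ("22 Dec", LOG_DEC22), ("clean", LOG_CLEAN)):
        dlls = parse_appinit_dlls(log)
        print(label, "suspicious" if looks_like_vundo(dlls) else "ok", dlls)
    print("appeared between logs:", new_dlls(LOG_DEC14, LOG_DEC22))
```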
Posted by: jdykstra
« on: 21. December 2008., 22:04:46 »

Sorry, I've been out of town for a bit (snowboarding :D). Anyway, I wanted to provide a fresh HJT before I do this, and tell me if there's anything else I need to 'fix'.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:41 PM, on 12/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Posted by: Samker
« on: 14. December 2008., 17:51:31 »

Hi again J.

You see, this is a very hard infection but we will kick ass to this crap. >:D

Please follow the next instruction:

1. Run HJT, check these items and "fix" them (before that close all other programs):

Quote
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Atomic Email Hunter - {491A6C2B-1046-486b-8A8F-7D26BCB79A9B} - C:\Program Files\AtomPark\Atomic Email Hunter\ie.htm (file missing) (HKCU)
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://kungfuchess.com/activex/web665.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab

After that restart your PC in to Safe Mode, run HJT and fix only this:

Quote
O20 - AppInit_DLLs: gaynbi.dll rcywjf.dll zauhck.dll cqjmkp.dll mqkgxu.dll hwyvps.dll

2. Uninstall Java through Control Panel/Add-Remove Programs, after that download and install latest version: http://www.java.com/en/download/windows_xpi.jsp?locale=en&host=www.java.com:80

3. Download, install, update & run full scan with latest version of AVG Antivirus: http://www.avg.com/filedir/inst/avg_free_stf_en_8_176a1400.exe

4. Uninstall AVG again and try to install Kaspersky again. If you succeed this time, update it and run a full scan.

5. Update your Spybot Search and Destroy and also run a full scan.

6. After you finish all this, in any case provide me new logs: HJT and don't forget the Kaspersky Online Scan log.


That's all for now my friend, I'll wait for your reply.

Regards,

Samker



Posted by: jdykstra
« on: 13. December 2008., 22:36:10 »

I tried Vundo Fix, it found nothing. I tried installing Kaspersky again, but it said AVG 8 was still present. So I downloaded VirtumundoBeGone and restarted in safe mode. It said it would restart if Vundo was found, and it did. So I go back into safe mode and try Virtumundo again, and it provided me with a log and did not restart. So I try to install Kaspersky, but it says 'administrator has set policies to not allow this type of software to be installed' or something similar. So I restart and go into normal mode and install Kaspersky, but it said, once again, that AVG 8 was present. :( :(

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:32:37 PM, on 12/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
~
--
End of file - 9161 bytes
Posted by: Samker
« on: 13. December 2008., 01:25:21 »

It looks like there isn't anything from AVG.

Before downloading Kaspersky AV let's try something else:

1. Please print these instructions as they will be needed later when Internet access is not available.

2. Save these instructions in Word or Notepad to the desktop where they can be easily found.

3. Download Vundo Fix and save it to your desktop: http://www.atribune.org/ccount/click.php?id=4

4. When it has completed downloading, double-click VundoFix.exe to run it.

5. Click the Scan for Vundo button.

6. Once it's done scanning, click the Remove Vundo button.

7. You will now receive a prompt asking if you want to remove the files, click the YES button. Once you click yes, your desktop will go blank as it starts removing Vundo.

8. When completed, it will prompt that it will shut down your computer, click the OK button.

9. When the computer has shut down, turn your computer back on.

 
Now try to install Kaspersky AV and follow my earlier instruction; if you are still having a problem then please perform the following steps:

Note: This step should only be used if the instructions in the previous steps did not help.


1. Download VirtumundoBeGone and save it to your desktop: http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

2. Now reboot into Safe Mode.

Quote
1. This can be done by tapping the F8 key as soon as you start your computer.

2. You will be brought to a menu where you can choose to boot into safe mode.

3. Select safe mode with networking using the arrow keys on the keyboard and then press enter.

4. When your computer reaches the desktop make sure you log in as the same user which you had performed the previous steps.

3. Once you are logged into safe mode, double-click the VirtumundoBeGone.exe file you just downloaded and follow the instructions.

4. Exit when it has finished, and reboot back to normal mode.


Now try again to install and run a scan with Kaspersky AV... finally, in any case please provide me new HJT and Kaspersky Online Scan logs.

Regards,

S.
Posted by: jdykstra
« on: 13. December 2008., 00:11:02 »

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:12 PM, on 12/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
~~
--
End of file - 9155 bytes
Posted by: Samker
« on: 12. December 2008., 21:40:42 »

Please check again Control Panel / Add & Remove Programs to see if there are some traces of some other AVG services (which also need to be uninstalled)??

If you don't find anything please provide me a new HJT log. After that I'll give you instructions to manually delete AVG traces (but that is sometimes a risky job).

Posted by: jdykstra
« on: 12. December 2008., 21:33:05 »

I deleted AVG, but when I try to install Kaspersky it keeps telling me AVG is still installed.
Posted by: Samker
« on: 11. December 2008., 21:14:27 »

As I said earlier J., don't worry, I always love to double check ;). Now please follow the next steps:

1. Uninstall AVG AntiVirus through Control Panel/Add or Remove Programs

2. Download, Install & Update Kaspersky AntiVirus (Trial version): https://kaspersky-uk.esd.arvato-systems.de/arvato/downloadDemo.do?product=21640044

3. Start again your PC in Safe Mode

4. Run Full Scan with Kaspersky AV

5. After all please provide us new HJT & Kaspersky logs

I'll wait for your next reply,

S.

Posted by: jdykstra
« on: 11. December 2008., 20:36:40 »

Unfortunately, I followed your directions twice, and they still couldn't get rid of these viruses!