Computer Help and Spyware Removal Computer Help and Spyware Removal Computer Help and Spyware Removal Computer Help Forums Windows Startup Programs Database Virus, Spyware, and Malware Removal Guides Computer Tutorials Uninstall Database File Database Computer Glossary Computer Resources
 

Welcome Guest ( Log In | Click here to Register a free account now! )



Register a free account to unlock additional features at BleepingComputer.com
Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

> How to use the self-help guides

This forum contains self-help guides on removing common malware and viruses. These guides can be advanced so please use them at your own risk.

If after following the self-help guide, or you can not find an appropriate guide, then you can receive step-by-step instructions directly from one of our experts by following the instructions in this topic: Preparation Guide For Use Before Posting A Hijackthis Log

 
Reply to this topicStart new topic
> How to remove Virtumonde Stopguard CATLEvents Trojan.Vundo, Self-Help Guide
Grinler
post Oct 11 2004, 02:21 PM
Post #1


Bleep Bleep!
******

Group: Admin
Posts: 31,509
Joined: 24-January 04
From: USA
Member No.: 3

This self-help guide will allow you to remove Virtumonde - DEL-457 (StopGuard, VIPFares, Hostx.exe)




What this program does:

May modify the cookies on your machinea s well as display popups.

Tools Needed for this fix:

Related Tutorials:

Symptoms in a HijackThis Log (May be different file names):

O2 - BHO: CATLEvents Object - {77849D67-5672-4B68-93E2-CCEFF1E3949E} - C:\WINDOWS\TEMP\DAAVAJ.DAT
O4 - HKLM\..\Run: [*JAVAAD] C:\WINDOWS\APPPATCH\JAVAAD.EXE
O4 - HKLM\..\RunOnce: [*JAVAAD] C:\WINDOWS\APPPATCH\JAVAAD.EXE rerun
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\FONTS\WINCAB.EXE ren

How to spot the infection:
  • There will be entries with the rerun argument or a ren argument as shown above.

  • The O2 entry will be named CATLEvents Object and the filename for it will be an anagram for one of the O4 entries.

  • The names of the O4 entries will be preceded by a *. Some entries with are a preceeding start are valid. See the warning below.

  • This infection will always install a file called c:\windows\system32\bkinst.exe and sometimes a file called c:\windows\system32\host.exe that will not show via HijackThis.



Warning: If you are using Windows ME you may see the following entry in your log

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

This is a valid entry and should be left alone.
 Below are some example file names you may find associated with this infection. Please be aware, that there may be some legitimate programs that use these names, so you must see if the other symptoms exist as well.

keybas.exe
avmsvc.exe
bkinst.exe
hostx.exe
dvdcat.exe
tapinet.exe
hardcab.exe
oledisk.exe
asras.exe
keyiis.exe
vbcab.exe
srvwin.exe
cabmfc.exe
pctcp.exe
acxml.exe
svcsys.exe



Instructions:

Updated Information 11/29/04 : A new tool has been released by Symantec that has the ability to remove this infection in some cases. It is advised that you use this utility first when attempting to remove this infection. Download the utility from the following link:

Symantec Virtumonde Removal Tool

Once it is downloaded, run the tool and and let it scan your machine. It will remove any files that it finds. If you are still having a problem after running this tool, then follow the manual removal method below.

 

Manual Removal:
  1. Download HijackThis from the above link and extract it to c:\hijackthis.

  2. Navigate to the c:\hijackthis directory and double-click on HijackThis

  3. When the program starts, double-click on the HijackThis icon and then click on the Scan button.

    1. Examine the log for those entries that look like they apply to this infection. Use the criteria given above to do so.

    2. Write the filenames in these entries down on a piece of paper, including the pathname. For example C:\WINDOWS\APPPATCH\JAVAAD.EXE.

    3. Now download and extract killbox from the above link. Extract the program to your desktop and double-click on its folder for it and then double-click on Killbox.exe to start the program.

      1. In the killbox program, select the Delete on Reboot option.

      2. In the field labeled Full Path of File to Delete enter the name of the first file found in Step 2. For example, C:\WINDOWS\TEMP\DAAVAJ.DAT

      3. Press the button that looks like a red circle with a white X in it. When it asks if you would like to Reboot now, press the NO button.

      4. Redo steps a through c for each of the other files found in step 2.

      5. When those files are completed, do steps a through c again and enter the file c:\windows\system32\hostx.exe as the filename to delete. When it asks to reboot you should press NO this time.

      6. No do steps a through c again but this time enter the last file c:\windows\system32\bkinst.exe as the filename to delete. When it asks to reboot you should press YES this time.

    4. After the computer reboots run HijackThis again and press the Scan button.

    5. Put a checkmark next to each of the entries found in Step 2 and then press the Fix button.

    6. Reboot your computer and confirm that it is working properly.



Now your computer should no longer be infected with the Virtuomonde malware.

 

This is a self-help guide. Use at your own risk.



BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.

If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.


--------------------
Lawrence
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Go to the top of the page
 
+Quote Post
« Next Oldest · Spyware and Malware Removal Guides and Reading Room · Next Newest »
 

Reply to this topicStart new topic
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:

 

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version Time is now: 8th November 2009 - 05:17 AM


Advertise   |   About Us   |   Terms of Use   |   Privacy Policy   |   Contact Us   |   Site Map   |   Chat   |   Tutorials   |   Uninstall List
Discussion Forums   |   The Computer Glossary   |   Resources   |   RSS Feeds   |   Startups   |   The File Database   |   Virus Removal Guides

© 2003-2009 All Rights Reserved Bleeping Computer LLC.

Powered By IP.Board © 2009  IPS, Inc.