
Thanks Bleeping Computer


  • This topic is locked
7 replies to this topic

#1 schale

Posted 14 November 2007 - 03:39 PM

We were running Trend Micro SMB server client for networks. We were hit with the infamous WinFixer virus, a.k.a. Virtumundo. It disguised itself as winshow.exe and tons of other files. I would remove this in the registry numerous times and try to combat it in safe mode.


However, in safe mode this virus took over. The crazy thing was that I was surfing on cnn.com, which is where I picked up this virus. It came from one of those ads that pops up when you scroll over it. I have never seen something do this ever. It opened a command window and started executing files. After that, ads were all over the cpu and this cpu was inoperable for some time. I came here, followed your virus instructions, and we are much more confident in our virus clearing now. We really wanted to thank you for such a thorough explanation and guidance for helping us remove this nasty virus.


If need be, after all this scanning is complete we will post log files. But this virus went through Trend Micro like it didn't even exist. I have never seen a virus do something like that before. I caught it as it was happening, but it further infected everything. We are now at a point where it is not popping up anything.

A big thanks!

Edited by boopme, 15 November 2007 - 10:50 AM.



#2 boopme

Global Moderator

Posted 14 November 2007 - 04:56 PM

Hello and thanks. May I ask what apps did you use for removal?
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 schale

Topic Starter

Posted 14 November 2007 - 09:04 PM

OK, we followed the general directions with the VirtumundoBeGone directions. This did not remove any of the files. I could watch, in the registry, entries that were just deleted reappear. We then followed all removal tool methods outlined on the front page of this forum: Spybot S&D, Ad-Aware 2007, McAfee Stinger. We last scanned today and 2 of 3 cpus have no viruses. All popups have ceased since this was done. However, a few remnants are lurking in the registry. I will try and get some stuff up tomorrow in the proper section once I am near all the file info.

This seems like it's a more annoying virus, being that I found it opening itself in safe mode. We run Trend Micro SMB for servers, and I plugged in every virus name I found on this cpu from every log from all of the above stated programs into the Trend site. None showed up. Not one file showed up on their database systems. We bought this software a week ago and we are debating whether to change software for a 5 user server.

Trend Micro didn't find any of it, but these free programs did. Thanks for the site, guys, it is really appreciated!

#4 boopme

Global Moderator

Posted 14 November 2007 - 10:21 PM

Hello again and thank you
I just want to be certain you have run these. If not, run them, or the one you haven't.

Bc Tutorial
How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo.

SUPERAntiSpyware
Use the free Home User version. Download, install, update, then run from Safe Mode.

Let us know

#5 schale

Topic Starter

Posted 15 November 2007 - 10:03 AM

Well we spoke too soon. We followed all methods outlined here.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Logged in this morning and this file replicated itself and opened a command prompt again and started executing about 50 registry entries. Spybot catches it, but it replicates so many that 100% CPU usage is happening and the cpu is still freezing.

I cannot get on the infected cpu to do a HijackThis log.


This is bad. This program removed all the free antivirus scans that we installed on it to run these programs, such as HijackThis and Stinger, and it's trying to remove Spybot Search and Destroy. I will try and get some logs up soon.

Right now, here are some of the files associated with what is going on.

All scans recognized these files and VirtumundoBeGone was used, and supposedly it was all removed. Now it's back again.

The command prompt is loading a file called ntvdm.exe.


Here are files in the registry, as well as the location where it is placing them. Internet Explorer was removed from the cpu just in case, but it's still in there somewhere.

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\

win32beagle.dz
win32beagle.exe
win32 beagle...
popunder.com
winshow.exe
ff2d4e.exe
urclqecd.exe
hg43e3.exe
qrjatydi.exe
qdf10a.exe
ff2d4.exe
ssqrpoo.dll
ekwarvwm.dll
d3dupdate.exe
bonus.com
popunder.pypopup.com

The files HijackThis could not remove during the initial startup scan are as follows. It was called simfraud-C. HKLM\SYSTEM\ControlSet001\Services\core

I didn't catch the other command files that were opening. I will try and reinstall everything and get a HijackThis log. The cpu is as slow as it was before. Everything was working smoothly yesterday, even with a reboot.


{Mod edit: Cleaned out extra text~boopme}

Edited by boopme, 15 November 2007 - 10:20 AM.
{moved to more appropriate forum}


#6 schale

Topic Starter

Posted 15 November 2007 - 10:22 AM

OK, nothing is starting up in safe mode. I am running Spybot S&D now. But for some reason, it deleted VirtumundoBeGone and all the other free antivirus versions. The Trend Micro SMB is worthless at this point. It isn't recognizing anything.

Boopme, thanks for your help. We ran all those instructions as well, removing Virtumundo. We will do all steps again and post a few log entries from HijackThis once it is reinstalled.

Thanks for moving the topic.

One other detail left out was this. All cpus and servers were shut off overnight.

Edited by schale, 15 November 2007 - 10:33 AM.


#7 quietman7

Global Moderator

Posted 15 November 2007 - 01:10 PM

Important: Some variants of vundo malware will hide certain entries in a hijackthis log to prevent detection so you need to rename HijackThis before using it.
  • After installing HijackThis, open My Computer or Windows Explorer and navigate to the HijackThis Folder.
  • Inside the folder, right-click on the HijackThis.exe file and rename it Scanner.exe.
  • Double-click on Scanner.exe (which is still HijackThis) run a scan, save the logfile and copy/paste it into a new topic in the HijackThis Logs and Analysis Forum, NOT here, for assistance by the HJT Team Experts.
Give your topic a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donate button.

#8 quietman7

Global Moderator

Posted 15 November 2007 - 03:20 PM

I have moved your HijackThis log to the Misplaced HJT Logs forum. You posted your log in a forum not intended for analysis of these logs and probably missed the directions we provide to those who require assistance.

Your log can be found here.

Please follow all directions that I posted as a reply to your log. Following these instructions will ensure that your hijackthis log is properly posted so it can be reviewed in a timely manner.

If you have any questions please respond in that thread. To avoid confusion, I am closing this topic.



