
Virtumonde And Other Trojans


#1 JiveCritter



Posted 26 February 2008 - 09:01 PM

I made the mistake of lending my laptop to my father-in-law. He paid no attention to my one requirement: do not download ANYTHING onto it. At the very least, he installed Limewire. Also Bearshare, newer versions of Windows Media Player, IE, and porn are under his directory. :flowers: I reinstalled Spybot S&D, Ad-aware, and Antivir on my computer. All three were present when I lent him the laptop. Upon its return, the directory files were still there but the executable file had disappeared in each instance. Spybot found one trojan and removed it for me. I do not remember the name of it. Ad-aware found almost 700 spyware items. Antivir found Virtumonde; this is when my major problems started.

I attempted to remove Virtumonde on my own. I can figure out almost anything with enough time or directions... well usually. I followed the directions from www.computing.net/security/wwwboard/forum/19365.html . If you look at the directions, I only found relevant files from the step 9 search. All other steps came up empty handed. It appears I 'set off' Virtumonde when I tried to remove it. It has continued to replicate like crazy and is no longer hiding. The detection alerts from Antivir are all located in c:/windows/system 32 .... they included: \aqkojsuv.dll, \easngkke.dll, \hbrlxhec.dll, \xtpaumvy.dll, \yuauodkl.dll, \wxsfewxy.dll, \iveenkps.dll. The previous list were all labeled either TR\Vundo.GEN or TR\Vundo.DUP

I was following the guidelines requested before posting, but ran into a problem when I attempted to run Ad-aware. I updated the definitions (last updated 2 days prior) and set it to a full scan. I noticed that after almost 2 hours it had only run a fifth of the entire scan. I closed Ad-aware completely and attempted to run a new scan. I repeatedly was given a "Core Engine Busy" error. I googled it and learned the only way to fix it is to reinstall Ad-aware. When I tried to re-install Ad-aware it gets about 95% completed and then it backtracks, erasing some of its files, and gives me a message: "Installation ended prematurely because of error."

While in the registry I noticed a few suspicious folders under HKLM\software. These included: {9F5FBC24-EFE2-4F90-B498-EC0FB7D47D15}, Belkin, C07FT5Y, and Magnet. My C-drive now has 3 new folders: 7cb646ea1a1e3d7c5226c70f98, 371bed7ac7c15cd7ad4384927dca495d, af9bdd5aa107a5a21v76a3d422e66dc0.

I have not downloaded the Hijack This application yet. Since I'm unable to run ad-aware again I'm not sure what you would like me to do next. My OS is XP SP2. It's a legitimate copy, but I can't find my disks. :thumbsup: So, wiping my computer is highly tempting but not even an option now.

Thank you for any help you can offer.

Edited by rigel, 26 February 2008 - 10:01 PM.
Mod edit - Moved to a more appropriate forum

#2 Queen-Evie



Posted 26 February 2008 - 09:46 PM

Hello JiveCritter, welcome to Bleeping Computer.

We have malware removal experts who can help you get rid of the bad things on your computer.
While waiting on one of the experts to review your log, do not make any changes to your system.

Read the information HERE: Preparation Guide For Use Before Posting A Hijackthis Log

Prior to posting a HJT log, we ask that you please read and
follow all instructions in the pinned topic titled
Preparation Guide For Use Before Posting A Hijackthis Log.
Following the steps in this Guide will allow the HJT Team
to quickly help you with specific fixes for what may
remain on your system.

Please complete all the steps in the Guide.
If you have performed some of them already, then
just continue with the next. If you can't perform a step,
then skip it and continue with the next. The last step will
include downloading and using the most current version of
HijackThis if the first line of your log does not appear as follows:

Logfile of Trend Micro HijackThis v2.0.2

Please note that it is important that HijackThis be run and a log created while in normal mode. If you run it and create your log while in safe mode, you will be asked to redo it again properly. When you have completed those steps, start a new topic in the HijackThis Logs and Malware Removal forum as directed in the Guide to post a new log.

The log should be posted in HijackThis Logs and Malware Removal

Please DO NOT post your log to this topic, or post a log in the wrong forum.

Once that is done, a Member of the HJT Team will analyze your log and assist you with step by step instructions to clean your computer or otherwise advise what needs to be done.

Please be patient while you wait for a reply; the malware removal team is very busy and they will get to your log as soon as possible.

Thanks for your cooperation and good luck.
The BC Staff

Edited by Queen-Evie, 26 February 2008 - 10:13 PM.
