Trojan - Virtumonde - How To Proceed?


4 replies to this topic

#1 Vexyn

Vexyn

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 16 March 2008 - 09:59 AM

Dear all,

I believe I have a rather pernicious infection in my computer which answers to Virtumonde - I hope I will not be putting you all off if I give you more of a backstory and I hope that at the end you can offer some assistance.

I have over the past few months experienced a gradual slowdown in the performance of my PC (which is a fairly old one, I must admit: a Pentium 4 at 2.80GHz).

I am running Windows XP Home and this was initially fine and even now is maintained to the newest update.

Up to about a year and a half ago I had a McAfee suite running on my PC - I can't remember the vintage, but if I said I installed it about two and a half years ago that would be about right - it had anti-virus software and firewalls etc. (I'm embarrassed to say that I really can't pull out the full details on it, but I'm hoping it's not too important.) In any event, McAfee ran just fine and apparently did the business.

About six months ago, however, my licence expired, and what with moving house and dealing with a new mortgage and a new baby etc., well, it didn't get renewed for over six months, and this is when things started to slow down.

The other day I decided to buy the latest version of McAfee (the 10-in-1 version) with:

Security Centre v8.0
Anti-Virus v12.0
Firewall v9.0
Privacy Service v10.0
Easy Net 2.0
SiteAdvisor 2.1

This appears not to have been a good move, as my computer has now become staggeringly slow and, in addition, as soon as I installed the programme Internet Explorer started to pop open new advertising windows periodically - something that never happened under the older version of McAfee.

Okay, that was where I was at, and unfortunately, with McAfee fully updated, its anti-virus scanner was finding absolutely nothing wrong at all!

Suffice it to say I knew fairly well that something was wrong so I started looking about for help on the net.

I installed SpyBot S&D 1.5.2.20, fully updated, which identified various problems that McAfee failed to find. Mostly these were tracking cookies, and in any event they were quickly removed without any problems.

The problematic entries, however, were three cases in the registry of Virtumundo.

These entries, according to SpyBot S&D, are:

[SBI $42352499] User Settings
HKEY_USERS\S-1-5-21-1078081533-362288127-839522115-1004\Software\Microsoft\rdfa

[SBI $47E741CD] Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

[SBI $7342F9D9] Settings
HKEY_USERS\S-1-5-21-1078081533-362288127-839522115-1004\Software\Microsoft\aldd

Now SpyBot can fix these, but as soon as I scan again one Virtumundo has returned:

[SBI $7342F9D9] Settings
HKEY_USERS\S-1-5-21-1078081533-362288127-839522115-1004\Software\Microsoft\aldd

SpyBot can then delete this entry and further scans show a clear system.

If I reboot after that, it is quite obvious from the grinding and clanking from the hard drive over several minutes that serious rewriting is taking place, and another SpyBot scan after this shows that all three initial entries have returned.

This really is one of the most galling things, in that the PC that once took about a minute from pressing the on button to being ready to go now takes about seven minutes before you can even play solitaire.

Anyhow, after I realised that SpyBot S&D couldn't fix things permanently, I looked deeper into things.

I ran various programmes to clear out cookies and temporary files etc. (CCleaner and ATF Cleaner). I suspect that they worked, but the computer is undoubtedly too raddled for it to make much of a difference.

I have ensured that everything I use is as updated as I can make it (Java, Acrobat, my printer drivers etc.).

I even tried other programmes such as Windows Defender and AVG Anti-Spyware, amongst others, and these programmes don't even detect the Virtumonde infection. I also tried VundoFix, but that couldn't even see the problem.

I then got to the point of looking into my registry - cautiously, as I'm no whizz at this sort of thing - and I started to clean out all sorts of references to former programmes and installations that I simply don't use at all anymore. That's as far as I went with that.

The final serious action I took was to run HijackThis, which identified a BHO running called qomnmno.dll with an associated Winlogon Notify entry of the same name. Is this the chap, I wonder? And so those entries were excised. Well, that had no effect whatsoever, good or bad, thankfully, but the three Virtumonde entries are still there.

Before I get to posting HijackThis logs and possibly wasting people's time, is there anything else I can try, short of a reformat, to get my PC's performance back to normal?

Thanks for your consideration and apologies for the length of the post.

#2 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:10:18 AM

Posted 16 March 2008 - 11:23 AM

Hello and welcome, Vexyn.


Have a look Here on How to Remove Vundo

Let us know how you get on.

#3 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:18 AM

Posted 16 March 2008 - 11:53 AM

Note though that VirtumundoBeGone has not been updated for some time now and may not be safe to use.

#4 Vexyn

Vexyn
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 16 March 2008 - 01:00 PM

Thank you for the replies - I had tried the specified approach previously with no luck - VundoFix didn't spot what was there, unfortunately.

That having been said, I can report a success.

I ran Kaspersky and scanned memory, which revealed 49 processes with crocked .dll files.

The files were

ridwfaug.dll
eqbeistl.dll

and were riddled through and being used by practically every process running, as far as I can see. Obviously this meant that I couldn't just kill them off, so I rebooted in safe mode with command prompt, shifted to C:\Windows\system32 and renamed the files to

ridwfaug.vir
eqbeistl.vir

then I ran SpyBot S&D again and killed the offending three registry items, rescanned to confirm, then rebooted.

On rebooting into normal mode I ran SpyBot one last time to confirm and, bingo, no more Virtumonde.

One slightly worrying issue is that some process reported in a dialogue box, as I started Windows, that the .dll files were absent. The process didn't identify itself, but everything seems to be working at the moment, so I'll probably next check up on what those two files actually were to confirm that I haven't crippled something in the process.

Windows start-up is still a little slow for me now, but I suspect that this is to do with programmes that technically I do need but not actually on start-up - such as InCD (for DVD writing) from Nero, I think, although I can't specifically remember installing it - and so I'll prune them off if I can.

Initial crisis is over though as my wife can get onto eBay again now.

Regards,

Vexyn

Thanks for your replies again; I hope the issue has helped others a little bit too.
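The pattern the two posts above describe (a random-named DLL in system32 registered as a BHO and again as a Winlogon Notify package, loaded into every process, and therefore renamed rather than deleted from a safe-mode command prompt) is easy to pick out of a HijackThis log once you know the signals. The following Python triage script is an added example for this thread; it is not part of the thread, of BleepingComputer, or of HijackThis or SpyBot. It parses the "O2 - BHO:" and "O20 - Winlogon Notify:" line formats that HijackThis emits, scores each DLL on those signals, and prints the cmd.exe rename lines of the kind the poster typed. The sample log is constructed from the file names in the thread: the CLSIDs on the suspect entries are zero-filled placeholders, the O4 line is a placeholder, and the scoring weights are my own choice, not a published rule.

```python
"""Triage HijackThis O2/O20 lines for Vundo-style persistence.

Added example for this thread, not a BleepingComputer, SpyBot or HijackThis
tool. It reads the "O2 - BHO:" and "O20 - Winlogon Notify:" line formats
HijackThis emits and scores each DLL on the signals the posters describe:
a random-looking system32 DLL name, a BHO with no name, and one DLL wired in
as both a BHO and a Winlogon Notify package. Scoring weights are my own.
"""
import ntpath
import re
from dataclasses import dataclass, field

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
# 2008-era Vundo DLLs carried 7-8 random lowercase letters. The pattern also
# matches legitimate names such as wlnotify.dll, so it is worth one point only.
RANDOM_NAME_RE = re.compile(r"^[a-z]{7,8}\.dll$")
SYSTEM32 = "\\system32\\"


@dataclass
class DllEntry:
    path: str
    bho_names: list = field(default_factory=list)
    notify_keys: list = field(default_factory=list)


def parse_hjt(text):
    """Return {lower-cased DLL path: DllEntry} from the O2 and O20 lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            e = entries.setdefault(m["path"].lower(), DllEntry(m["path"]))
            e.bho_names.append(m["name"])
            continue
        m = NOTIFY_RE.match(line)
        if m:
            e = entries.setdefault(m["path"].lower(), DllEntry(m["path"]))
            e.notify_keys.append(m["key"])
    return entries


def score(entry):
    """Score one DLL; returns (points, list of reasons)."""
    base = ntpath.basename(entry.path).lower()
    stem = ntpath.splitext(base)[0]
    points, reasons = 0, []
    if SYSTEM32 in entry.path.lower() and RANDOM_NAME_RE.match(base):
        points += 1
        reasons.append("random-looking DLL name in system32")
    if "(no name)" in entry.bho_names:
        points += 1
        reasons.append("BHO registered with no name")
    if entry.bho_names and entry.notify_keys:
        points += 2
        reasons.append("same DLL is both a BHO and a Winlogon Notify package")
    if any(k.lower() == stem for k in entry.notify_keys):
        points += 1
        reasons.append("Winlogon Notify subkey named after the DLL")
    return points, reasons


def triage(text, threshold=2):
    """Return [(path, points, reasons)] for DLLs at or above threshold, worst first."""
    hits = []
    for e in parse_hjt(text).values():
        pts, why = score(e)
        if pts >= threshold:
            hits.append((e.path, pts, why))
    return sorted(hits, key=lambda h: (-h[1], h[0].lower()))


def rename_commands(hits, ext=".vir"):
    """cmd.exe lines for the safe-mode step the poster used: rename rather
    than delete, so a false positive can be renamed back."""
    return [f'ren "{path}" "{ntpath.splitext(ntpath.basename(path))[0]}{ext}"'
            for path, _pts, _why in hits]


# Constructed sample, not a real log: file names come from the thread, the
# CLSIDs on the suspect entries are zero-filled placeholders, the O4 line is a
# placeholder, and AcroIEHelper and wlnotify.dll stand in for legitimate
# entries that must not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\qomnmno.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\system32\ridwfaug.dll
O4 - HKLM\..\Run: [placeholder] C:\placeholder.exe
O20 - Winlogon Notify: qomnmno - C:\WINDOWS\system32\qomnmno.dll
O20 - Winlogon Notify: eqbeistl - C:\WINDOWS\system32\eqbeistl.dll
O20 - Winlogon Notify: ScCertProp - C:\WINDOWS\system32\wlnotify.dll
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for path, pts, why in hits:
        print(f"[{pts}] {path}: {'; '.join(why)}")
    print("\nSafe-mode rename plan (check version info/signature first):")
    print("\n".join(rename_commands(hits)))
```

On the sample, qomnmno.dll scores 5 and ridwfaug.dll and eqbeistl.dll score 2 each, while wlnotify.dll scores only 1 and is left alone: its name matches the random-letter pattern, but it is a genuine Windows component registered under the ScCertProp Notify subkey, which is why the name heuristic on its own is not enough and the file's version information and signature should be checked before anything is renamed. Renaming with a new extension, as the poster did, keeps a false positive recoverable in a way that deleting does not.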

#5 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:10:18 AM

Posted 16 March 2008 - 01:45 PM

Those are randomly named files, so very likely malware crap; it probably could use a little cleaning out still.

Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main, "Select Files to Delete", choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
  • For technical support, double-click the e-mail address located at the bottom of each menu.

Next
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
