Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde Infection


  • Please log in to reply
13 replies to this topic

#1 KJLue

KJLue

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:30 AM

Posted 17 April 2008 - 01:43 AM

Hi.

I am using Windows Vista and have a virtumonde infection. I was just searching and opened a seemingly innocent website and it downloaded lots of trojans and viruses and whatnots on my laptop. AVG and Windows Defender caught some. Norton did nothing. So I downloaded AVAST and later ad-aware2007 and spybot s&D. Avast caught everything Kaspersky online scan showed with one more infected file. The two antispywares caught two completely different files of virtumonde. Avast had caught six. But eveyrtime the computer restarts, it keeps coming back and I keep getting popups that I can't block. I think these popups may download other threats. Spybot S&D said that virtumonde puts itself on winlogon and is resistent to removal. It also caught a registry which I deleted. Please help me remove it. I don't have a restore poing or a recovery disk yet because the laptop is brand new.

Also, is there a way to ensure this doesn't happen again? Is there a web guard or a firewall I can use? Preferably freeware? I have Internet explorer 7 and just downloaded oracle but haven't used it yet because it said it was more secure.

Please please help me! Preferably in an easy risk free way? Thanks in advance. I am also not logging on to that computer or using it to go online currently becuase it recreates some virtumonde files on startup and those popups appear and the cycle starts again. Other stuff caught was downloader.obfuskated, Win32:Agent.qlx and some other things I can't remember. But the antiviruses and antispywares said they removed them. Also norton caught Downloader.mislead. something.
Help would be much appreciated. :thumbsup: Edit: There was also a something.zlob, probably downloader.zlob? But I think AVG removed it. By the way I move these threats to the quarantines and delete them.

I haven't posted hijackthis or used DSS becuase it says it uses the same code as combofix which we are not supposed to use without supervision. In addition I am using Vista and not XP. Also I believe that Vundofix and Virtumondebegone are outdated as the virtumonde was probably altered during the march14th massive attacks. Plus they have poor ratings. Since no one is replying I am going to go ahead and try to install and run an antirootkit. Again, please don't forget about me! I don't know how long I can wait.

Edit: Ok I didn't find any antirootkit except icesword (can't make heads or tails of it). But I did find a new present: Trat bho trojan. and one other that I can't remember. One instance of virtumonde did appear. something like Wer..... there have been some sounding like that before. I think avast has antirootkit. If it does, it might not be working? I'm completely at a loss. The computer is starting to crash and freeze up at times (but that may be because of too many security programs? or threats?) well anyway, still waiting on you to help me or tell me to use do something vista-friendly. Can't even post a log without that.

Edited by KJLue, 17 April 2008 - 06:20 AM.


BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,137 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:30 AM

Posted 17 April 2008 - 09:10 AM

Hello KJLue

Please print out and follow the instructions for using "Vundofix". -- If using Windows Vista be sure to Run As Administrator.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the 'Fix Vundo' button.
  • After running VundoFix, a text file named vundofix.txt will automatically be saved to the root of the system drive, usually at C:\vundofix.txt.
  • Please copy & paste the contents of that text file into your next reply.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Acan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 KJLue

KJLue
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:30 AM

Posted 19 April 2008 - 06:12 AM

I only have one account. How do I check if this is the administrator account? I'm confused because Spybot S&D wont complete immunization because it says that I'm not an administrater. How is that possible? This account is the only account and it was made during setup. So what do I do? Continue with this account and run VundoFix? Thank you for your timely reply.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,137 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:30 AM

Posted 19 April 2008 - 08:03 AM

How do I check if this is the administrator account?

How to Determine if You Have Administrative Rights in Windows XP
How to Determine if You Are Using An Administrator Account on Windows 2000/XP

I'm confused because Spybot S&D wont complete immunization because it says that I'm not an administrater....Continue with this account and run VundoFix?

Don't worry about Spybot. I did not ask you to perform a scan with that program. Just follow the steps I indicated above for using MBAM and vundofix.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 KJLue

KJLue
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:30 AM

Posted 19 April 2008 - 03:12 PM

Here is the VundoFix log. Don't know what it means. It was popping up till yesterday. Also I now get messages from Rundll that two dlls that were in temp are missing. Those were infected with tratbho so I deleted them. The system seems to be running fine without them plus they were in temp so they couldn't have been important system files. Anyway to get rid of that headache?

VundoFix V7.0.3

Scan started at 12:38:58 AM 4/20/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

Posting the MBAM log. Are those registries relevent to virtumonde and trat or is that another problem?
Malwarebytes' Anti-Malware 1.11
Database version: 656

Scan type: Quick Scan
Objects scanned: 31560
Time elapsed: 12 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Well, here it is! :thumbsup:

Edited by KJLue, 19 April 2008 - 03:34 PM.


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,137 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:30 AM

Posted 19 April 2008 - 03:50 PM

Also I now get messages from Rundll that two dlls that were in temp are missing


It's not unusual to receive such an error after using specialized fix tools.

RunDLL32.exe is a legit Windows file that loads .dll files which too can be legit or malware related. A RunDLL "Error loading..."..."specific module could not be found" message usually occurs when the .dll file(s) that was set to run at startup has been deleted and it becomes an orphaned registry entry. Windows is trying to load this file(s) but cannot locate it since the file was removed during an anti-virus or anti-malware scan. However, the associated registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • Right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 KJLue

KJLue
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:30 AM

Posted 20 April 2008 - 04:48 AM

After I ran MBAM and posted the log, I restarted and rundll didnt show up with the error messages. I thought that it could be that the registries caught by MBAM could be for them (the tratbho files) but they didn't look like it. So I followed your advice. I don't think its there. The only strange thing I found was: NwlnkFltIPX Traffic Filter Driver File not found: system32\DRIVERS\nwlnkflt.sys
NwlnkFwdIPX Traffic Forwarder Driver File not found: system32\DRIVERS\nwlnkfwd.sys

But that doesn't look like that. It was xxyywvUsometing and esomething and it was in Temp.

So what I'm worried about is what happened to the virtumonde. Did it just disappear? Or were tratbho and virtumonde using the same registries. That doesn't seem like its possible. All I was doing was scanning the same folder (AppData) every day and deleting virtumonde which kept recreating itself.

But the computer seems fine now. No pop ups, avast not finding any virtumonde, no rundll. Updated from Java 6 update4 to 5 and I think I may have gotten the april vista updates (since its april :D). Again thanks for being so helpful. You're awesome. A few more questions. MBAM says that it quaranteened and deleted the registries. I checked the quaranteen folder and the files are there. Should I delete these files? If I deleated MBAM would the registries popup and cause trouble again?

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,137 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:30 AM

Posted 20 April 2008 - 08:54 AM

Win32:tratbho [trj] is a generic name for vundo but you didn't specify the actual file name associated with the threat. If the rundll errors are gone, then the related entries were probably removed from the registry by MBAM. In some cases you need to restart the computer after using MBAM so the malware can be fully removed.

When a security program quarantines a file, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat until you take action to delete it. MBAM is an excellent program and one you should consider keeping.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state. Then use Disk Cleanup to remove all but newly created Restore Point.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 KJLue

KJLue
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:30 AM

Posted 21 April 2008 - 09:18 AM

Ok but I want to delete the quaranteened files just for peace of mind. Is it ok or is it not advisable?

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,137 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:30 AM

Posted 21 April 2008 - 09:36 AM

Yes you can delete the quarantined files.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#11 KJLue

KJLue
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:30 AM

Posted 22 April 2008 - 07:42 AM

I deleted the files, created a restore point and deleted any old ones. Thanks a bunch! :thumbsup:

#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,137 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:30 AM

Posted 22 April 2008 - 09:00 AM

You're welcome.

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"Best Practices - Internet Safety for 2008".
"Hardening Windows Security - Part 1 & Part 2".
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#13 bcrest

bcrest

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:30 AM

Posted 22 April 2008 - 01:56 PM

I have vondo infecting my laptop running windows xp. I did a hijack this log how do i attach it for someone to look at it. It keeps coming back

#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,137 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:30 AM

Posted 22 April 2008 - 02:01 PM

Welcome to BC bcrest

If you have an issue or problem you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more members in the same thread with different problems. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

Thanks for your cooperation.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users