Laptop With Dual Os Infected With Virtumonde That I Can't Get Rid Of.



#1 thkeeler


Posted 29 May 2008 - 07:55 PM

I have an hp dv8000 laptop with an AMD Turion 64 1.8GHz processor, 2GB RAM, 80GB HDD. It has Windows XP Pro 2005 and Windows XP x64 both installed on the single HDD. XP Pro has Norton 360 installed and it is, and always has been, up to date. XP x64 does not have an antivirus program installed on it because I could not find one that would work with it. The XP x64 installation is protected only by the Windows firewall, SpyBot S&D, and Microsoft's malware removal tool. In case you're wondering why I have dual OS, or might suggest I remove one, I use the laptop extensively with 3D CAD & graphics programs, Inventor, AutoCAD Architecture 2008, AutoShip, SketchUp, and Revit, and the laptop does not have sufficient resources to operate these programs, when a design nears completion, with XP Pro, but does quite well with XP x64. I can't use only XP x64 because many drivers do not seem available in versions compatible with XP x64, most notably a driver for the sound card, so I don't have sound when running XP x64.

About 2 months ago XP Pro became infected with Virtumonde. I do not know how, but it seems to have become infected when I installed the Firefox browser. That is the only thing I am aware of doing, or installing, at about that time, and the Firefox browser was impossible to use almost from the time of installation. It constantly brought up pop-ups, went to rogue web sites, etc. IE never became nearly as bad, but does sometimes go to rogue web sites. I do not know if it is possible for the Virtumonde virus to have gotten into XP Pro through XP x64, since XP x64 does not have an antivirus program, but XP x64 has never shown any indication of infection and behaves quickly and normally, including browsing the Internet (with the IE x64 browser). I removed Firefox several days ago. I have no idea why I left it on the machine that long, as it took, literally, minutes to open and was totally unusable for constantly going to rogue web sites, and the home page was different each time I tried to use it. Since I removed Firefox, IE works better, i.e. loads essentially instantly and only very occasionally goes to a rogue web site. I really could hardly believe it was the Firefox browser, as I have heard so many good things about the security of Firefox, and so many bad things about IE.

As mentioned above, Norton 360 was installed and up to date at the time of infection, and never seemed to find any problems, even though the machine became unusable for a while with XP Pro. I was able to get the Virtumonde "under control" and "mostly removed" with SpyBot S&D in Safe Mode. Now XP Pro works fairly well as long as SpyBot Immunize and TeaTimer are run, but some Virtumonde files are still on the machine. I had another computer, also with Norton 360, that became infected with Virtumonde, but I was able to completely remove it with SpyBot and instructions from Symantec's website on removing Virtumonde. It was difficult and time consuming, but it has been working well and normally for about 3 months now, so I think I was able to remove Virtumonde successfully. Norton 360 never gave any indication of any problem on that machine either. I believe the reason I am unable to remove Virtumonde from the laptop is that it has installed files in the registry (and possibly other places) of both OSes.

I have been letting SpyBot S&D run each time XP Pro starts, and each time it comes up with at least the following problems:

Virtumonde

(SMI $050FD60A) Library
C:\WINDOWS\system32\awtsr.dll

Virtumonde.dll

(SBI $960C7A04) Browser helper object
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FB92A0E6-6EC7-453B-A272-FC19A94A676E}

(SBI $960C7A04) Class ID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB92A0E6-6EC7-453B-A272-FC19A94A676E}

(SBI $960C7A04) Browser helper object
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FB92A0E6-6EC7-453B-A272-FC19A94A676E} (64 bit)

(SBI $960C7A04) Class ID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB92A0E6-6EC7-453B-A272-FC19A94A676E} (64 bit)

It always says it has removed everything except the last two, that end with (64 bit). I have removed all the rest manually also, but can't even find the two with the (64 bit) ending.

One other thing that I had trouble with on the machine before was installing Windows updates. I spent 5 hours on the phone with hp and Microsoft tech support and finally got that problem straightened out. The machine became infected with Virtumonde shortly after the agonizing day on the phone with hp and Microsoft tech support. I think it is coincidental, but am not certain of that. I called Microsoft tech support and they said absolutely it was coincidental. They also said they could not help me with removing the Virtumonde problem.

Do you have any suggestions how I might get rid of virtumonde completely on this machine? I am also wondering whether anyone else has had problems with malware when Norton 360 was installed? I have 5 machines that I use regularly, and 2 more that are mine but I do not use personally, and the only two with Norton 360 are the only two I have ever had any major malware problems with.

I think this is irrelevant, but I might mention that I have been using this machine with Ubuntu amd64, booting from a CD. The machine works equally well with Ubuntu and Windows XP x64, but the sound works with Ubuntu. Unfortunately my 3D CAD programs are not compatible with Linux, or I would just install Ubuntu, or another Linux distro, and be done with it. The machine was infected with Virtumonde before I received my Ubuntu CD, so that has nothing to do with it.
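An added example, not from this thread, that parses SpyBot-style findings like the ones quoted above and shows why a 32-bit scanner on XP x64 can report but then fail to find the two "(64 bit)" entries: for a 32-bit process, HKLM\SOFTWARE is redirected to Wow6432Node, so the native 64-bit keys are only reachable when opened explicitly with KEY_WOW64_64KEY. Assumptions: SpyBot S&D runs as a 32-bit process, and entries without the "(64 bit)" suffix refer to the 32-bit registry view; the sample report is constructed from the post.

```python
import re
from collections import namedtuple
# Constructed sample: the SpyBot S&D findings quoted in the post above.
REPORT = r"""(SMI $050FD60A) Library
C:\WINDOWS\system32\awtsr.dll
(SBI $960C7A04) Browser helper object
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FB92A0E6-6EC7-453B-A272-FC19A94A676E}
(SBI $960C7A04) Class ID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB92A0E6-6EC7-453B-A272-FC19A94A676E}
(SBI $960C7A04) Browser helper object
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FB92A0E6-6EC7-453B-A272-FC19A94A676E} (64 bit)
(SBI $960C7A04) Class ID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB92A0E6-6EC7-453B-A272-FC19A94A676E} (64 bit)
"""
Finding = namedtuple("Finding", "kind path clsid view64")
# Each finding is two lines: "(SBI $xxxxxxxx) <kind>" then the path, optionally "(64 bit)".
ENTRY = re.compile(r"^\((?:SBI|SMI) \$[0-9A-F]{8}\) (.+)\n(.+?)( \(64 bit\))?$", re.M)
CLSID = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}")

def parse_report(text):
    """Turn SpyBot-style findings into Finding records."""
    out = []
    for kind, path, flag in ENTRY.findall(text):
        m = CLSID.search(path)
        out.append(Finding(kind, path, m.group(0) if m else None, flag != ""))
    return out

def views_seen(text):
    """CLSID -> registry views it was reported in. Assumption: entries without the
    "(64 bit)" suffix are the 32-bit (Wow6432Node) view a 32-bit scanner sees by default."""
    seen = {}
    for f in parse_report(text):
        if f.clsid:
            seen.setdefault(f.clsid, set()).add("64-bit" if f.view64 else "32-bit")
    return seen

def inproc_server(clsid, view64):
    """Windows-only: DLL registered for clsid in one registry view, or None if absent.
    KEY_WOW64_64KEY / KEY_WOW64_32KEY bypass the WOW64 redirector for a 32-bit caller."""
    import winreg  # only importable on Windows
    flag = winreg.KEY_WOW64_64KEY if view64 else winreg.KEY_WOW64_32KEY
    sub = rf"SOFTWARE\Classes\CLSID\{clsid}\InprocServer32"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub, 0, winreg.KEY_READ | flag) as k:
            return winreg.QueryValueEx(k, "")[0]
    except OSError:
        return None

if __name__ == "__main__":
    print({c: sorted(v) for c, v in views_seen(REPORT).items()})
```

On an x64 machine, calling inproc_server(clsid, True) and inproc_server(clsid, False) for the reported CLSID shows whether the BHO's DLL is registered in one or both views, which is the check a 32-bit cleaner silently skips.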



#2 DaChew


Posted 29 May 2008 - 08:08 PM

I would reload MCE, your original OS, there's no point in messing with linux or xp 64 bit and that laptop

If you have hosed the recovery partition you might call HP and request some disks
Chewy

No. Try not. Do... or do not. There is no try.

#3 thkeeler


Posted 29 May 2008 - 08:29 PM

As I said in the post, I need Windows XP x64 the most, as that is the only OS that I can satisfactorily run the 3D CAD programs with on this machine. I was actually surprised to find the 3D CAD programs ran as well as they do on this very minimal machine when running within Windows XP x64. Windows XP Pro slows to a total crawl, or freezes up completely, when using 3D CAD programs and using fly-through, etc. I use this machine mostly for presentation to clients, so the designs are large files and I use fly-through, walk-around, etc. a lot on this machine.

#4 DaChew


Posted 29 May 2008 - 11:41 PM

there's no reason for 3D cad, a 32 bit app to do any better at all with xp64 bit and only 2 gigs of ram

unless your xp32 bit is crippled
Chewy

#5 thkeeler


Posted 03 June 2008 - 12:09 PM

All the AutoDesk, AutoShip and Adobe software installed in XP x64 are 64-bit architecture programs. SketchUp is not yet available in a 64-bit version but, for some reason which I can't explain, fly-through and walk-around work well in the 64-bit environment but are essentially unusable in the XP Pro 32-bit environment on this machine. Discussions in the SketchUp Community Forum indicate other users have found the same to be true (albeit with the Vista x64 version) (http://www.sketchucation.com/forums/scf/viewtopic.php?)

I really want to try to get the Vundo removed as I don't want to reinstall the OSes and all the programs, settings, etc. AutoDesk installed their programs on this machine and I can't ask them to go through that again. There is never any sign of Vundo when in XP x64. XP Pro is working satisfactorily, as long as SpyBot Immunize and TeaTimer are on, so if worst comes to worst I will use it as it is. Actually, I'm leaving for China in 2 days, and will be working there 3 months, so it looks as though that is what I will be doing anyway, at least for now.

#6 DaChew


Posted 03 June 2008 - 12:16 PM

run MBAM, it should remove any older infection

you might want to unload teatimer as it will interfere with the fixes

http://www.bleepingcomputer.com/forums/ind...mp;#entry811062
Chewy

#7 thkeeler


Posted 03 June 2008 - 12:33 PM

Thanks DaChew, I'll try that this evening and let you (& everyone, obviously :thumbsup: ) know if it seemed to work.

One other thing: I have not tried VundoFix or VirtumundoBegone, as I was told by a CS professor that they were malware themselves (or at least VundoFix, and possibly loading variants of Vundo). Now I see references to using them on bleepingcomputer.com. Can anyone tell me for certain whether they are truly valid Vundo removal tools or not?

#8 DaChew


Posted 03 June 2008 - 01:36 PM

VundoFix or VirtumundoBegone are both good programs, but vundo is a broad classification of a witches' brew of malware components and often takes a couple of other programs more broadly supported
Chewy