Virtumonde


  • This topic is locked
2 replies to this topic

#1 samino_the_basenji

  • Members
  • 1 posts
  • OFFLINE

Posted 22 July 2008 - 11:14 AM

I was having problems removing the Virtumonde trojan using Spybot. I came across this site, which suggested using ComboFix.
Spybot said it got rid of it, but it kept coming back after reboot. I ran ComboFix as described in the tutorial provided by BleepingComputer.
I got rid of a lot more things than Spybot did: lots more DLLs and INIs etc. But the trojan was still there when I ran Spybot.

I had to manually delete additional DLLs in my windows\system32 folder in recovery mode due to access denied issues.
The file names I deleted were:
khfeVlKA.dll
fvhicxgp.dll
aqvcomvh.dll
mphxjd.dll
eclamccv.dll

There are probably a few people in the world who can appreciate clever coding, and I am one of them. Whoever came up with this Virtumonde trojan definitely knew their stuff. Very impressive trojan; it just would not go away. Though I would like to kick that person in the jaw for writing the thing, it was impressive nonetheless.

I ran Spybot one more time to clear out any remaining registry entries and misc. files it found pertaining to Virtumonde.
Rebooted and ran Spybot once more for good measure, and it appears to be finally gone. :thumbsup:

Also congrats to whoever wrote ComboFix (just as impressive as Virtumonde itself); it did well, minus the few deletions I made manually and some help from Spybot. But that can probably be tweaked in time. This thing seems to mutate every day.

I'll post my ComboFix log for anyone's reference.

Thanks BleepingComputer and ComboFix :)

Edited by samino_the_basenji, 22 July 2008 - 11:17 AM.
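One way to check, from a running Windows session, whether files like the five named in the post above are still present and what is holding them open. This is an added example, not part of the original post and not code from ComboFix or Spybot; it assumes Windows PowerShell 2.0 or later in an elevated prompt, and $suspects is simply the list the poster gave. A DLL that a live process has mapped cannot be deleted from that session (that is the "access denied" behind needing recovery mode), so the script reports the holding processes and the file's signature status instead of attempting the deletion itself.

```powershell
# Added example, not from the original post or from ComboFix/Spybot.
# Assumes Windows PowerShell 2.0+ in an elevated prompt. $suspects is the
# list of file names the poster deleted; edit it for your own case.
$suspects = @('khfeVlKA.dll', 'fvhicxgp.dll', 'aqvcomvh.dll', 'mphxjd.dll', 'eclamccv.dll')
$sys32    = Join-Path $env:SystemRoot 'System32'

# Build one map of loaded-module path -> holding processes up front, so a
# five-name check does not enumerate every process five times.
$loadedBy = @{}
foreach ($proc in Get-Process) {
    try {
        foreach ($m in $proc.Modules) {
            if (-not $m.FileName) { continue }
            $key = $m.FileName.ToLowerInvariant()
            if (-not $loadedBy.ContainsKey($key)) { $loadedBy[$key] = @() }
            $loadedBy[$key] += ('{0}({1})' -f $proc.Name, $proc.Id)
        }
    } catch {
        # System/protected processes (and 64-bit processes seen from a 32-bit
        # shell) refuse module enumeration; skip them rather than abort the check.
    }
}

$fmt = '{0,-14} present  size={1}  modified={2:yyyy-MM-dd HH:mm}  signature={3}  loaded by: {4}'

foreach ($name in $suspects) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path -LiteralPath $path)) {
        '{0,-14} not present' -f $name
        continue
    }

    $file = Get-Item -LiteralPath $path
    # Random-named dropped files normally carry no Authenticode signature; a
    # file in this list that IS validly signed deserves a second look before
    # you delete it, in case the name collided with something legitimate.
    $sig  = Get-AuthenticodeSignature -FilePath $path

    # A mapped DLL cannot be deleted from the running session; listing the
    # holders tells you what to stop, or that only an offline delete will do.
    $holders = $loadedBy[$path.ToLowerInvariant()]
    if ($holders) { $holdersText = $holders -join ', ' } else { $holdersText = 'none' }

    $fmt -f $name, $file.Length, $file.LastWriteTime, $sig.Status, $holdersText
}
```

Run it once before cleanup to see which processes would block a delete, and again after the reboot to confirm every name reports "not present"; a name that comes back with a fresh modification time is the reinfection the poster describes.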



#2 Blender

    I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario

Posted 07 August 2008 - 11:49 AM

Hi and welcome :)

Sorry it took so long to reply to you. We are currently backlogged.
Sounds like you got most if not all of it cleaned up.
Nice work. :thumbsup:

If you want to double check everything is still OK please do the following:

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.

You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts. (On Vista, right-click dss.exe and choose Run as administrator.)
  • If your anti-virus or firewall complains, please allow this script to run, as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they can both be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue, as the scan is not harmful.

-- If dss.exe hangs up anywhere during the scan, please note where in the scan it hung up and let me know.

Thanks :)
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#3 Blender

    I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario

Posted 14 August 2008 - 03:39 PM

Hello,

Due to lack of feedback this topic is closed.
If you still need help please PM a member of the moderating team with a link to your topic.

All others please begin a new topic.

Thanks

Blender



