REMOVE virtumonde


22 replies to this topic

#1 WhiteWood

Posted 23 November 2008 - 04:16 AM

I won't get into super detail. Basically my story is the same as everyone else's. I have Virtumonde on my comp and Spybot S&D won't remove it. It just recognizes it, says it removed it, and it comes right back. What do I do?


#2 buddy215


Posted 23 November 2008 - 06:14 AM

Super Antispyware may remove Virtumonde. After using the program, post its log.


http://www.superantispyware.com/

Download and install SUPERAntiSpyware Free from the link above.

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
* Under the "Configuration and Preferences", click the Preferences... button.
* Click the "General and Startup" tab, and under Start-up Options, make sure the "Start SUPERAntiSpyware when Windows starts" box is unchecked.
* Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen and exit the program.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

* Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes" and reboot normally.
* To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 ruby1


Posted 23 November 2008 - 04:54 PM

I have virtumonde on my comp


it appears you need this tool

Automated Removal Instructions for the Vundo or Virtumonde infection using VundoFix:

I suggest you take note of this too

Please print these instructions as they will be needed later when Internet access is not available.


Save these instructions in Word or Notepad to the Desktop where they can be easily found.



http://www.bleepingcomputer.com/malware-re...undo-virtumonde

maybe let us know how you get on?

#4 WhiteWood


Posted 24 November 2008 - 08:53 AM

Super Antispyware may remove Virtumonde. After using the program, post its log.



I downloaded SUPERAntiSpyware, restarted my computer and it refused to start. I had to restart my comp 4 times and run a system restore to get rid of it for it to return. I believe THAT was spam itself.

#5 buddy215


Posted 24 November 2008 - 09:07 AM

SAS is not your problem. It is a great program for removing the Vundo malware.

Need some more info. Did you INSTALL SAS after downloading and BEFORE rebooting into "safe mode"?

Have you uninstalled SAS?

#6 ruby1


Posted 24 November 2008 - 03:04 PM

I downloaded SUPERAntiSpyware, restarted my computer and it refused to start. I had to restart my comp 4 times and run a system restore to get rid of it for it to return. I believe THAT was spam itself.



Are you suggesting that SUPERAntiSpyware is a spam program?
It is a well-known and much used program, but maybe it is conflicting with something on your computer?
Please try my suggestion at this entry, which is listed as a tool for the job for you: http://www.bleepingcomputer.com/forums/ind...t&p=1017210

#7 WhiteWood


Posted 30 November 2008 - 09:33 PM

Yeah, I uninstalled it, it stopped my comp from starting. What do you think THAT was about?

#8 WhiteWood


Posted 01 December 2008 - 07:25 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/01/2008 at 01:39 AM

Application Version : 4.22.1014

Core Rules Database Version : 3640
Trace Rules Database Version: 1623

Scan type : Complete Scan
Total Scan Time : 02:23:43

Memory items scanned : 216
Memory threats detected : 0
Registry items scanned : 7053
Registry threats detected : 12
File items scanned : 226164
File threats detected : 13

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{B40B865D-B0D3-4ED1-A8CB-9EF352BC6EA9}
HKCR\CLSID\{B40B865D-B0D3-4ED1-A8CB-9EF352BC6EA9}
HKCR\CLSID\{B40B865D-B0D3-4ED1-A8CB-9EF352BC6EA9}\InprocServer32
HKCR\CLSID\{B40B865D-B0D3-4ED1-A8CB-9EF352BC6EA9}\InprocServer32#ThreadingModel
C:\USERS\JOHN\APPDATA\LOCAL\TEMP\JKKHYONG.DLL
HKCR\CLSID\{B40B865D-B0D3-4ED1-A8CB-9EF352BC6EA9}

Adware.Tracking Cookie
C:\Users\john\AppData\Roaming\Microsoft\Windows\Cookies\john@wmvmedialease[1].txt
C:\Users\john\AppData\Roaming\Microsoft\Windows\Cookies\john@friendlytrack[1].txt
C:\Users\john\AppData\Roaming\Microsoft\Windows\Cookies\john@adinterax[1].txt
C:\Users\john\AppData\Roaming\Microsoft\Windows\Cookies\john@ads.pointroll[1].txt
C:\Users\john\AppData\Roaming\Microsoft\Windows\Cookies\john@msnportal.112.2o7[1].txt
C:\Users\john\AppData\Roaming\Microsoft\Windows\Cookies\john@atdmt[2].txt
C:\Users\john\AppData\Roaming\Microsoft\Windows\Cookies\john@www.findstuff[1].txt
C:\Users\john\AppData\Roaming\Microsoft\Windows\Cookies\john@trafficmp[1].txt
C:\Users\john\AppData\Roaming\Microsoft\Windows\Cookies\john@cache.trafficmp[2].txt
C:\Users\john\AppData\Roaming\Microsoft\Windows\Cookies\john@ad.yieldmanager[1].txt
C:\Users\john\AppData\Roaming\Microsoft\Windows\Cookies\Low\john@friendlytrack[2].txt

Adware.Vundo Variant/Rel
HKU\S-1-5-21-4101745007-2501054904-2340747516-1000\Software\Microsoft\Windows\CurrentVersion\Run#MSServer [ rundll32.exe C:\Users\john\AppData\Local\Temp\hgGWmnME.dll,#1 ]
HKU\S-1-5-21-4101745007-2501054904-2340747516-1000\Software\Microsoft\Windows\CurrentVersion\Run#cmds [ rundll32.exe C:\Users\john\AppData\Local\Temp\nnNgfFYQ.dll,c ]

Trojan.DNS-Changer (Hi-Jacked DNS)
HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{3F267D2D-15A9-441E-9D4B-22E6621317B5}#NAMESERVER
HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{F9CF5FB7-EF37-46EC-AD03-882274123B86}#NAMESERVER
HKLM\SYSTEM\CONTROLSET003\SERVICES\TCPIP\PARAMETERS\INTERFACES\{3F267D2D-15A9-441E-9D4B-22E6621317B5}#NAMESERVER
HKLM\SYSTEM\CONTROLSET003\SERVICES\TCPIP\PARAMETERS\INTERFACES\{F9CF5FB7-EF37-46EC-AD03-882274123B86}#NAMESERVER

Trojan.Fake-Alert/Trace
HKU\S-1-5-21-4101745007-2501054904-2340747516-1000\SOFTWARE\Microsoft\fias4013

Trojan.Unknown Origin
C:\X
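Reading a scan log like the one above line by line is where things get missed, so here is an added example (written for this page, not code from the thread or from SUPERAntiSpyware) that parses the SAS log format and ranks each detection by what it means for cleanup: Run-key loaders and hijacked NameServer values need follow-up, tracking cookies do not. The function names are mine, and the embedded sample is an abridged copy of the log posted above.

```python
import re
from collections import OrderedDict

# Constructed sample: an abridged copy of the SUPERAntiSpyware log posted in this thread.
SAMPLE_LOG = r"""Memory threats detected : 0
Registry threats detected : 12
File threats detected : 13

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{B40B865D-B0D3-4ED1-A8CB-9EF352BC6EA9}
C:\USERS\JOHN\APPDATA\LOCAL\TEMP\JKKHYONG.DLL

Adware.Tracking Cookie
C:\Users\john\AppData\Roaming\Microsoft\Windows\Cookies\john@atdmt[2].txt

Adware.Vundo Variant/Rel
HKU\S-1-5-21-4101745007-2501054904-2340747516-1000\Software\Microsoft\Windows\CurrentVersion\Run#MSServer [ rundll32.exe C:\Users\john\AppData\Local\Temp\hgGWmnME.dll,#1 ]

Trojan.DNS-Changer (Hi-Jacked DNS)
HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{3F267D2D-15A9-441E-9D4B-22E6621317B5}#NAMESERVER
"""

SUMMARY_RE = re.compile(r"^(Memory|Registry|File) threats detected\s*:\s*(\d+)$")
ENTRY_RE = re.compile(r"^(?:HK(?:LM|CU|CR|U)\\|[A-Za-z]:\\)")        # registry key or file path
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run#", re.I)             # autorun value
NAMESERVER_RE = re.compile(r"\\Tcpip\\Parameters\\Interfaces\\.*#NameServer", re.I)
CLSID_RE = re.compile(r"\\CLSID\\\{", re.I)                          # COM/BHO registration
TEMP_DLL_RE = re.compile(r"\\Temp\\[^\\]+\.dll$", re.I)              # dropped DLL
RUN_VALUE_RE = re.compile(r"\[\s*(.*?)\s*\]$")                       # "[ rundll32.exe ... ]"

def parse_scan_log(text):
    """Counters from 'X threats detected : N' lines; detections from blank-line blocks headed by a category."""
    summary, findings = {}, OrderedDict()
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        for ln in lines:
            m = SUMMARY_RE.match(ln)
            if m:
                summary[m.group(1).lower()] = int(m.group(2))
        if len(lines) >= 2 and all(ENTRY_RE.match(ln) for ln in lines[1:]):
            findings.setdefault(lines[0], []).extend(lines[1:])
    return summary, findings

def classify(category, entry):
    """Rank one detection; order matters because a Run value also names a Temp DLL."""
    if RUN_KEY_RE.search(entry):
        return "persistence"  # reloads the DLL through rundll32 at every logon
    if NAMESERVER_RE.search(entry):
        return "dns"          # resolver rewritten on an interface: traffic can be redirected
    if CLSID_RE.search(entry):
        return "com"          # CLSID registration, the hook that loads Vundo into IE
    if TEMP_DLL_RE.search(entry):
        return "payload"      # DLL dropped in %TEMP%
    return "cookie" if "Cookie" in category else "other"

def triage(findings):
    """Return [(kind, category, entry)] plus the rundll32 command lines from Run values."""
    rows = [(classify(cat, e), cat, e) for cat, ents in findings.items() for e in ents]
    run_cmds = [m.group(1) for m in (RUN_VALUE_RE.search(e) for k, _, e in rows if k == "persistence") if m]
    return rows, run_cmds

if __name__ == "__main__":
    summary, findings = parse_scan_log(SAMPLE_LOG)
    rows, run_cmds = triage(findings)
    print(summary, run_cmds, *rows, sep="\n")
```

Feed it the full log text instead of SAMPLE_LOG and anything ranked persistence, dns, com or payload is the part that must be gone on the next updated scan.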

#9 buddy215


Posted 01 December 2008 - 07:32 AM

The version of SAS you scanned with is out of date. Update SAS, run another FULL scan in safe mode, and post the results.

#10 WhiteWood


Posted 26 December 2008 - 10:22 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/26/2008 at 05:35 AM

Application Version : 4.22.1014

Core Rules Database Version : 3685
Trace Rules Database Version: 1662

Scan type : Complete Scan
Total Scan Time : 02:05:23

Memory items scanned : 241
Memory threats detected : 0
Registry items scanned : 6615
Registry threats detected : 3
File items scanned : 231347
File threats detected : 39

Adware.Tracking Cookie
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\officemax@ad.yieldmanager[1].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\officemax@atdmt[2].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\officemax@adinterax[2].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\officemax@wmvmedialease[1].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\officemax@apmebf[2].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\officemax@questionmarket[1].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\officemax@mediaplex[1].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\officemax@trafficmp[1].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\officemax@content.yieldmanager.edgesuite[1].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\officemax@content.yieldmanager[1].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\officemax@richmedia.yahoo[2].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\officemax@content.yieldmanager[3].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\officemax@ads.pointroll[1].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\officemax@doubleclick[2].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\Low\officemax@ad.yieldmanager[2].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\Low\officemax@adopt.euroclick[2].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\Low\officemax@adopt.specificclick[1].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\Low\officemax@adrevolver[1].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\Low\officemax@ads.ak.facebook[1].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\Low\officemax@ads.pointroll[1].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\Low\officemax@advertising[2].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\Low\officemax@atdmt[2].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\Low\officemax@bs.serving-sys[2].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\Low\officemax@doubleclick[1].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\Low\officemax@dynamic.media.adrevolver[2].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\Low\officemax@interclick[1].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\Low\officemax@media.adrevolver[1].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\Low\officemax@richmedia.yahoo[2].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\Low\officemax@serving-sys[2].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\Low\officemax@specificclick[2].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\Low\officemax@specificmedia[2].txt
C:\Users\OfficeMax\AppData\Roaming\Microsoft\Windows\Cookies\Low\officemax@zedo[2].txt

Adware.MyWebSearch/FunWebProducts
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs

Rogue.Component/Trace
HKU\S-1-5-21-1051937583-4224277036-431392144-1000\Software\Microsoft\CS41275

Trojan.Fake-CATSRVPS
C:\USERS\OFFICEMAX\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\4YA3UFZ3\UENOOCT[1].HTM

Trojan.Unknown Origin
C:\USERS\OFFICEMAX\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\4YA3UFZ3\VPPCQDEI[1].HTM
C:\USERS\OFFICEMAX\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\UUX5M8L5\TDNAOOCP[1].HTM
C:\USERS\OFFICEMAX\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\ZPONFHQ5\VOYLMMAA[1].HTM

Trojan.Dropper/Gen
C:\USERS\OFFICEMAX\APPDATA\LOCAL\TEMP\TEMP1_MAGICISO.MAKER.5.5.BUILD.265.KEYGEN.READ.NFO-SND.ZIP\MAGICISOMAKERKEYGEN.EXE
C:\USERS\OFFICEMAX\APPDATA\LOCAL\TEMP\WZSE0.TMP\SETUP.EXE
C:\Windows\Prefetch\SETUP.EXE-3634F8EC.pf

#11 DaChew


Posted 26 December 2008 - 11:22 AM

Please run the ATFCleaner with SAS

http://www.bleepingcomputer.com/forums/ind...p;#entry1050976

Also run MBAM

http://www.bleepingcomputer.com/forums/ind...mp;#entry944365

there's no point in trying to disinfect a computer if you can't concentrate on it in a timely manner

You can't do any good when it's being constantly reinfected with cracks, keygens and other illegal files downloaded from P2P

TEMP1_MAGICISO.MAKER.5.5.BUILD.265.KEYGEN.READ.NFO-SND.ZIP\MAGICISOMAKERKEYGEN.EXE


Chewy

No. Try not. Do... or do not. There is no try.

#12 buddy215


Posted 26 December 2008 - 11:26 AM

Run another scan with SAS after updating. Follow the directions below for blocking the Ad/tracking third party cookies before running the scan.

In the link below are instructions for using MBAM. Best to use more than one program to find and remove malware.
http://www.bleepingcomputer.com/forums/ind...st&p=944365

You can block the ad/tracking cookies from ever installing on your computer by following the steps below.
This applies to Internet Explorer browsers.
Click on tools
click on internet options
click on privacy tab
click on advanced button
put a check in the box next to override automatic cookie handling
put a check in the box next to first party accept
put a check in the box next to block third party cookies (those are the ad/ tracking cookies that SAS deletes)
Click OK to exit
Then just run another quick scan with SAS to remove the third party cookies that were installed before changing the settings.

If both scans come up with no new malware, then proceed with the cleanup described below.
Click start, All programs, Accessories, System tools, Disk Cleanup, Put a check next to all items except "compress old files".
Click on the more options tab, click on the "cleanup" button next to "system restore" (this will remove all of the restore points but the last one as many are infected) click OK and allow cleanup to run.

Use Secunia online scanner to check for missing security updates. http://secunia.com/vulnerability_scanning/online/
After updating Java (if you haven't done so already) go to Add/ Remove and remove ALL old Java programs.
IE browser, Adobe Reader, Adobe Flash and Java have all been exploited recently. It is important to get the latest updates to avoid malware exploiting those programs.

Using p2p programs to download music, videos, cracks is a sure way to get infected with malware.
Using Firefox Browser with the NoScript addon will protect you from driveby downloads of malware.

#13 DaChew


Posted 26 December 2008 - 11:45 AM

C:\Windows\Prefetch\SETUP.EXE-3634F8EC.pf


I have never found anything concrete on the prefetch, but ATFCleaner empties it.

#14 WhiteWood


Posted 26 December 2008 - 06:59 PM

Please run the ATFCleaner with SAS

Also run MBAM


What do SAS and MBAM mean?

#15 DaChew


Posted 26 December 2008 - 08:10 PM

SuperAntiSpyware and MalwareBytes AntiMalware