
Virtuemonde


12 replies to this topic

#1 blinn79


Posted 25 January 2009 - 03:38 AM

I have windows xp sp3.

When I was infected with "virtuemonde", I had AVG running on my computer. AVG did not detect it. Adaware did and could not remove it.

I downloaded Spybot Search and Destroy and it detected even more than Adaware, and I again tried to remove it and a few others (smityfraud or something like that). Spybot S&D did remove all except "virtuemonde".

I then ran trend micro house call, and something shut down firefox while it was running.

I called dell for customer support and a rep logged onto my computer remotely and messed with some stuff, after a hour, he said the computer need to be completely formatted and windows reinstalled. The problem is, I am a student in college and bought Microsoft Office through a download program (no backup disk) and if I format my computer, I will lose Microsoft office (which I use for college) and have to buy it again. So I am not thrilled about formatting the HD.

So I then read somewhere that PC Tools Spyware Doctor w/Antivirus could remove virtuemonde and the "rootkits", so I tried a free trial of it, and it said it removed it (it also detected some other programs and removed them too), but like Spybot S&D, it removed everything BUT virtuemonde.

So then I did some more research and heard that Webroot Antivirus w/Anti spyware was really good, so I bought a new version of that and updated it and ran a full sweep. It detected virtuemonde and attempted to remove it, then a warning popped up saying "virtuemonde is attempting to replicate itself using active x... etc, do you want to block it?" to which I replied "yes". Webroot also blocked a bunch of websites that my computer was trying to access. Since the installation of Webroot, and a few full sweeps, my computer has sped up a lot, and is now down to ONE repeating virtuemonde. It says the memory is clean when sweeping, but finds virtuemonde in the registry; the files are also all clean. Even though Webroot quarantines virtuemonde each time, and I have gone and deleted the quarantine files, it still always detects one more virtuemonde in the registry with every new scan. Again, things seem to be under control for the most part now that Webroot is running on my PC, but it can't seem to get rid of this last virtuemonde in the registry.

Also, I removed the other antispyware programs before installing the next program, so they don't conflict with each other, so now only Webroot Antivirus with Anti-Spyware is on my computer.

Any help would be greatly appreciated!

Edited by blinn79, 25 January 2009 - 03:41 AM.



#2 blinn79


Posted 25 January 2009 - 04:11 AM

Also, I don't know if this is relevant or not, but after being infected originally, something turned off "Windows auto update" and would not allow me to turn it back on. Then later the "Windows firewall" also turned off and would not turn back on. Since running Webroot a few times and cleaning things up, I was now just able to turn on "Windows update" and "Windows firewall". Also, the desktop went to a blue screen a while back, and I was now able to put it back to my original desktop picture.

#3 blinn79


Posted 26 January 2009 - 01:31 PM

bump... waiting for reply... thanks...

#4 garmanma


Posted 26 January 2009 - 03:33 PM

Let's try this and see where we stand
-----------------------------------------

The process of cleaning your computer may require temporarily disabling some security programs. If you are using Spybot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#5 blinn79


Posted 27 January 2009 - 05:17 AM

It asked to reboot to remove a file like you said, so I did allow it to reboot my computer. Nothing popped up on reboot, so I am ASSUMING it did it automatically w/o notifying me or confirming that the file was removed on reboot. Thank you for your help so far! Here is the log:





Malwarebytes' Anti-Malware 1.33
Database version: 1698
Windows 5.1.2600 Service Pack 3

1/27/2009 4:00:00 AM
mbam-log-2009-01-27 (04-00-00).txt

Scan type: Quick Scan
Objects scanned: 59978
Time elapsed: 4 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\tjmvtu.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0a4f5f03-d696-42a3-ba9e-deca625492fa} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0a4f5f03-d696-42a3-ba9e-deca625492fa} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0a4f5f03-d696-42a3-ba9e-deca625492fa} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tjmvtu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xltfsxtl.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ltxsftlx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yybdnhsg.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gshndbyy.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvunohfe.dll.ren (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cwavrcve.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iqpbssxf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uqrtelxi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fqyeyw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljeglb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
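The MBAM log above lists every detection as `item (family) -> action`, and the helper's reboot note matters because entries marked `Delete on reboot` are not actually gone until the machine restarts. The Python script below is an added example, not code from this thread or from Malwarebytes: it parses a log in that layout, cross-checks the header counts against the entries actually listed, counts detections per family, and lists the items still waiting on a reboot (deduplicated case-insensitively, since the same DLL appears under both Memory Modules and Files). The sample log embedded in it is constructed, with made-up file names and a placeholder GUID.

```python
import re
from collections import Counter

# Constructed sample in the layout of a Malwarebytes' Anti-Malware 1.33 log.
# File names and the GUID are made up for this example.
SAMPLE_MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.33
Database version: 1698
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 59978

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\example1.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000000} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\example1.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\example2.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# "Files Infected: 2"  -> header count for a section
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
# "Files Infected:"    -> start of the detail section with that name
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
# "item (family) -> action."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (header counts per section, list of detection dicts)."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("section")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        # Skip the banner lines before the first section and the "(No malicious items detected)" placeholder
        if section is None or line.startswith("("):
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append({"section": section, **m.groupdict()})
    return summary, detections


def check_counts(summary, detections):
    """Sections whose header count differs from the number of entries listed: {section: (claimed, listed)}."""
    listed = Counter(d["section"] for d in detections)
    return {s: (n, listed.get(s, 0)) for s, n in summary.items() if n != listed.get(s, 0)}


def family_counts(detections):
    """How many entries each detection family (Trojan.Vundo, Malware.Trace, ...) accounts for."""
    return Counter(d["family"] for d in detections)


def pending_reboot(detections):
    """Items that MBAM could only schedule for deletion; the path is not clean until after a restart."""
    seen, pending = set(), []
    for d in detections:
        if d["action"].lower().startswith("delete on reboot"):
            key = d["item"].lower()  # NTFS paths compare case-insensitively
            if key not in seen:
                seen.add(key)
                pending.append(d["item"])
    return pending


if __name__ == "__main__":
    summary, found = parse_mbam_log(SAMPLE_MBAM_LOG)
    print("detections per family:", dict(family_counts(found)))
    print("header/detail mismatches:", check_counts(summary, found))
    print("still pending reboot:", pending_reboot(found))
```

Run against a real log by replacing the embedded sample with the file contents; a non-empty result from `pending_reboot` is the cue that the reboot the helper asks for has not happened yet, and a non-empty `check_counts` means the log was truncated or edited before it was posted.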

#6 garmanma


Posted 27 January 2009 - 03:26 PM

It's a start. Let's keep going
-------------------------------

  • Please reboot the computer.
  • Open MBAM and click the Update tab, then select Check for Updates. When done, click the Scanner tab and select FULL scan.
  • After the scan, click Remove Selected, then post the new scan log for review.

#7 blinn79


Posted 27 January 2009 - 05:47 PM

Mbam did not ask me to reboot my computer this time. Again thank you for your help so far, you guys are life savers! Here is the new log:




Malwarebytes' Anti-Malware 1.33
Database version: 1699
Windows 5.1.2600 Service Pack 3

1/27/2009 4:39:33 PM
mbam-log-2009-01-27 (16-39-33).txt

Scan type: Full Scan (C:\|)
Objects scanned: 106198
Time elapsed: 29 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP338\A0022089.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

#8 garmanma


Posted 27 January 2009 - 07:50 PM

A couple more things and I think we got it.
First, turn off System Restore, then run a Kaspersky scan.
-----------------------------------

Run Scan with Kaspersky


If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Edited by garmanma, 27 January 2009 - 07:52 PM.


#9 blinn79


Posted 28 January 2009 - 12:27 AM

Tuesday, January 27, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, January 28, 2009 00:52:15
Records in database: 1714226
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
Scan statistics
Files scanned 56703
Threat name 2
Infected objects 39
Suspicious objects 0
Duration of the scan 01:05:05

File name Threat name Threats count
C:\WINDOWS\system32\mqkqpj.dll/C:\WINDOWS\system32\mqkqpj.dll Infected: Trojan.Win32.Monder.arem 30
C:\WINDOWS\System32\mqkqpj.dll/C:\WINDOWS\System32\mqkqpj.dll Infected: Trojan.Win32.Monder.arem 5
C:\WINDOWS\system32\gvcdpuoy.dll Infected: Trojan.Win32.Monder.arem 1
C:\WINDOWS\system32\jjgxpx.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.gdm 1
C:\WINDOWS\system32\mqkqpj.dll Infected: Trojan.Win32.Monder.arem 1
C:\WINDOWS\system32\uiybnkut.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.gdm 1
The selected area was scanned.
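The Kaspersky report above counts the same DLL several times: once as `container/object`, once with `system32` and once with `System32`, which are one file on a case-insensitive NTFS volume, and the per-row counts (30+5+1+1+1+1) add up to the 39 "Infected objects" in the statistics. The Python script below is an added example, not code from this thread or from Kaspersky: it parses a report in that layout, folds each row to a canonical path so the duplicates collapse, totals the threat counts per file, and checks that the statistics lines (Infected objects, Threat name) agree with the detail rows. The embedded sample report is constructed with made-up file names, and reading `/` as a container/object separator is an assumption about the report format.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of a Kaspersky Online Scanner 7 report;
# the file names are made up for this example.
SAMPLE_KAV_REPORT = r"""Scan statistics
Files scanned 56703
Threat name 2
Infected objects 37
Suspicious objects 0
Duration of the scan 01:05:05

File name Threat name Threats count
C:\WINDOWS\system32\sample1.dll/C:\WINDOWS\system32\sample1.dll Infected: Trojan.Win32.Monder.arem 30
C:\WINDOWS\System32\sample1.dll/C:\WINDOWS\System32\sample1.dll Infected: Trojan.Win32.Monder.arem 5
C:\WINDOWS\system32\sample1.dll Infected: Trojan.Win32.Monder.arem 1
C:\WINDOWS\system32\sample2.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.gdm 1
The selected area was scanned.
"""

# "Infected objects 37" and the other numeric statistics lines
STAT_RE = re.compile(r"^(?P<key>Files scanned|Threat name|Infected objects|Suspicious objects) (?P<n>\d+)$")
# "path Infected: threat-name count"
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def canonical_path(raw):
    """Collapse 'container/object' rows to the object (assumed report convention) and
    lower-case the result, because NTFS paths compare case-insensitively."""
    return raw.rsplit("/", 1)[-1].lower()


def parse_kav_report(text):
    """Return (statistics dict, list of {'path', 'threat', 'count'} rows)."""
    stats, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = STAT_RE.match(line)
        if m:
            stats[m.group("key")] = int(m.group("n"))
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append({"path": m.group("path"),
                               "threat": m.group("threat"),
                               "count": int(m.group("count"))})
    return stats, detections


def group_by_file(detections):
    """{canonical path: {threat name: total count}} with duplicate spellings merged."""
    grouped = defaultdict(lambda: defaultdict(int))
    for d in detections:
        grouped[canonical_path(d["path"])][d["threat"]] += d["count"]
    return {path: dict(threats) for path, threats in grouped.items()}


def check_totals(stats, detections):
    """Statistics that disagree with the detail rows: {label: (claimed, computed)}."""
    problems = {}
    total = sum(d["count"] for d in detections)
    if stats.get("Infected objects") != total:
        problems["Infected objects"] = (stats.get("Infected objects"), total)
    distinct = len({d["threat"] for d in detections})
    if stats.get("Threat name") != distinct:
        problems["Threat name"] = (stats.get("Threat name"), distinct)
    return problems


if __name__ == "__main__":
    stats, rows = parse_kav_report(SAMPLE_KAV_REPORT)
    for path, threats in sorted(group_by_file(rows).items()):
        print(path, threats)
    print("statistics mismatches:", check_totals(stats, rows))
```

The grouped view is the one worth reading when a report looks alarming: the sample's 37 infected objects reduce to two files, which is the number of things that actually need removing.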

#10 blinn79


Posted 28 January 2009 - 05:17 PM

bump...

#11 garmanma


Posted 28 January 2009 - 09:15 PM

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/


Please print out and follow these instructions: "How to use SDFix". <- for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • Please be patient as the scan may take up to 20 minutes to complete.
  • When the process is complete, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • The SDFix report log (Report.txt) will open in Notepad and automatically be saved in the SDFix folder.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.


#12 blinn79


Posted 29 January 2009 - 07:14 AM

Well, I hope you're not upset, but my computer was running kind of slow again, so I decided that before I tried messing with that program (after reading the lengthy process on how to use it), I would run my Webroot Antivirus with Antispyware again since it seemed to speed things up last time. Well, it had an update too, so I don't know if that maybe fixed something, but anyway, I ran it, and it did like it always did and said everything was removed. I then ran MBAM immediately after Webroot and it detected only one thing. I told it to remove it also, then reset my computer and ran both programs again. Webroot ran first, and like in the past, still detected virtumonde and again said it removed it, then when I ran MBAM afterward, it detected nothing. I have NO CLUE what changed, because I have run Webroot many times in the past and it would always leave one virtumonde behind. Maybe it was the update, maybe it was the combination of the two programs, maybe it was that you told me to turn off System Restore (I had never run Webroot with System Restore off). Either way, Webroot, MBAM and Kaspersky scans all came back clean. I also updated each of them before running the scans. Please let me know if I am missing something... here are the logs for MBAM and Kaspersky:

Thursday, January 29, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, January 29, 2009 09:45:55
Records in database: 1724060
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
Scan statistics
Files scanned 56707
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 01:12:43

No malware has been detected. The scan area is clean.
The selected area was scanned.

-----------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.33
Database version: 1699
Windows 5.1.2600 Service Pack 3

1/29/2009 12:50:54 AM
mbam-log-2009-01-29 (00-50-54).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 106458
Time elapsed: 36 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by blinn79, 29 January 2009 - 07:15 AM.


#13 garmanma


Posted 29 January 2009 - 05:46 PM

Please run SD Fix
