Infected with Virtumonde, Please Help!


10 replies to this topic

#1 help_a_brother


Posted 02 April 2009 - 01:31 PM

I have Virtumonde on my computer and I'm having a lot of trouble removing it. ESET doesn't even detect it on a full disk scan. I have since purchased PC Tools' Spyware Doctor, since there were some indications that this tool was effective. The tool does detect the virus, claims to have successfully removed the virus, but the same virus is detected on successive scans. I have run the tool in Safe Mode with a full disc scan, as suggested by PC Tools' FAQ, to no avail. Seems like something remains that is keeping this thing alive on my computer. Thanks for any help you can provide.

Cheers

#2 help_a_brother

help_a_brother
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:18 PM

Posted 04 April 2009 - 03:26 PM

I guess no one that can help has read the previous post? In hopes of getting some help, I've posted my own reply with more information: I'm running Windows XP SP 3 and I get the typical Virtumonde/Vundo pop-ups when accessing the internet. The scans that I have run with Spyware Doctor (PC Tools) have yielded some results, but there is something that it is missing because the same old registry entries and .dll's keep popping up after "fixing" the detected problems.

#3 Guest_Jay-P VIP_*


Posted 04 April 2009 - 03:31 PM

  • Please print these instructions as they will be needed later when Internet access is not available.
  • Save these instructions in word or notepad to the desktop where they can be easily found.
  • Download Vundo Fix and save it to your desktop.
  • When it has completed downloading, double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will now receive a prompt asking if you want to remove the files, click the YES button. Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click the OK button.
  • When the computer has shutdown, turn your computer back on.
  • Please do a quick scan with MBAM, then post your results of the Vundo fix (did it go successfully?), and the log of MBAM.
...

#4 help_a_brother


Posted 04 April 2009 - 06:30 PM

Before I saw your post I actually ran MBAM and attempted to have it remove the infections. Then I read your post and followed the instructions. Vundo Fix didn't find any sign of infection (good job MBAM?). I re-ran a full scan with MBAM and the following log was generated:

Malwarebytes' Anti-Malware 1.35
Database version: 1940
Windows 5.1.2600 Service Pack 3

4/4/2009 4:22:16 PM
mbam-log-2009-04-04 (16-22-01).txt

Scan type: Full Scan (F:\|)
Objects scanned: 186115
Time elapsed: 1 hour(s), 0 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
F:\WINDOWS\system32\vatotosa.dll (Trojan.Vundo) -> No action taken.


Something else I noticed... there is a hidden file in F:\WINDOWS\system32 called "vehesese" that constantly gets regenerated no matter how many times it is removed. This is a little disconcerting, I can't even find anything about it on Google. Could it be something new?
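The MBAM log above is easy to read by eye but tedious to compare across scans. As an added example (not from this thread and not Malwarebytes' own code), here is a small Python parser for that log layout: it returns the summary counts plus one record per detected item and lists the items marked "No action taken", which are exactly the ones a re-scan will report again. The sample log is constructed from the entries quoted in this post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of the Malwarebytes' Anti-Malware 1.35 logs posted in
# this thread; the entries are the ones quoted above, trimmed for length.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.35
Registry Keys Infected: 2
Registry Data Items Infected: 2
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
F:\WINDOWS\system32\vatotosa.dll (Trojan.Vundo) -> No action taken.
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[\w.]+)\) -> (?P<rest>.+)$")

def parse_mbam_log(text: str) -> Tuple[Dict[str, int], List[Dict[str, str]]]:
    """Return (summary counts per category, one dict per detected item)."""
    counts: Dict[str, int] = {}
    entries: List[Dict[str, str]] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is None:
                section = m.group("name")          # a detail block follows
            else:
                counts[m.group("name")] = int(m.group("count"))
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            # the last "-> ..." segment records what MBAM did with the item
            action = m.group("rest").rsplit("-> ", 1)[-1].rstrip(".")
            entries.append({"category": section, "item": m.group("item"),
                            "family": m.group("family"), "action": action})
    return counts, entries

def still_present(entries: List[Dict[str, str]]) -> List[str]:
    """Items MBAM found but did not remove; a re-scan will report these again."""
    return [e["item"] for e in entries if e["action"] == "No action taken"]
```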

#5 garmanma


Posted 04 April 2009 - 06:53 PM

Just double-checking: your operating system is on your F: drive?

Did you reboot your computer when mbam finished?
Please update mbam and run a FULL scan.
Please post the results.
Mark

#6 help_a_brother


Posted 04 April 2009 - 07:02 PM

Oh yeah, my operating system is on F: (kinda weird). I had MBAM remove the infections listed in the last post. I ran the update for MBAM and I'm re-running the full scan and keeping my thumbs crossed. Back in a couple of hours.

#7 help_a_brother


Posted 04 April 2009 - 08:05 PM

So I ran the full scan and nothing was found (suhweet!). Also, that mysterious "vehesese" file was no longer there either. Here is the log from the latest scan:

Malwarebytes' Anti-Malware 1.35
Database version: 1940
Windows 5.1.2600 Service Pack 3

4/4/2009 5:57:40 PM
mbam-log-2009-04-04 (17-57-40).txt

Scan type: Full Scan (F:\|)
Objects scanned: 186150
Time elapsed: 59 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 Guest_Jay-P VIP_*


Posted 04 April 2009 - 09:21 PM

One last check...

Please right click this file and click Scan with Malwarebytes' Anti-Malware
F:\WINDOWS\system32\vatotosa.dll

If you cannot find the file, please show hidden files by going into any folder, clicking the Tools menu, and clicking Folder Options. Click on the View tab. Make sure the radio button next to Show Hidden Files and Folders is selected. Click Apply, then OK. After you have found the file and scanned it or deleted it -- make sure you reset the folder options to Show Hidden Files and Folders.




(Note to fellow helpers: HijackThis readout: O4 - HKLM\..\Run: [cc44d15c] rundll32.exe "C:\WINDOWS\system32\vatotosa.dll")

Edited by Jay-P VIP, 04 April 2009 - 09:21 PM.
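A Run value that starts rundll32.exe with a DLL from system32, as in the HijackThis O4 line in the note above, is the logon persistence the helpers are checking for. As an added example (not from this thread and not HijackThis' own code), here is a Python parser for O4 lines with a few triage heuristics of my own; the first sample line is the one quoted above, the second is a constructed benign entry for contrast.

```python
import re
from typing import Dict, List, Optional

# Constructed samples: the O4 entry quoted in this thread, and a made-up benign one.
VUNDO_LINE = r'O4 - HKLM\..\Run: [cc44d15c] rundll32.exe "C:\WINDOWS\system32\vatotosa.dll"'
BENIGN_LINE = r'O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background'

O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\(?P<key>[^:]+): \[(?P<value>[^\]]*)\] (?P<command>.+)$')
CMD_RE = re.compile(r'^(?:"(?P<qexe>[^"]+)"|(?P<exe>\S+))\s*(?P<args>.*)$')

def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Split a HijackThis O4 line into hive, key, value name, executable and arguments."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    c = CMD_RE.match(entry.pop("command"))
    entry["exe"] = (c.group("qexe") or c.group("exe")).lower()
    entry["args"] = c.group("args").strip()
    return entry

def rundll32_target(entry: Dict[str, str]) -> Optional[str]:
    """Return the DLL path when the Run value starts a DLL through rundll32, else None."""
    if entry["exe"].rsplit("\\", 1)[-1] not in ("rundll32.exe", "rundll32"):
        return None
    # rundll32 takes "<dll>,<EntryPoint> [args]"; keep only the DLL path
    dll = entry["args"].split(",")[0].strip().strip('"')
    return dll if dll.lower().endswith(".dll") else None

def triage(line: str) -> List[str]:
    """Reasons a Run entry deserves a closer look. The heuristics are this example's
    own, modelled on the vatotosa.dll entry; they are a prompt to scan, not a verdict."""
    entry = parse_o4(line)
    if entry is None:
        return ["not an O4 line"]
    reasons: List[str] = []
    dll = rundll32_target(entry)
    if dll:
        reasons.append("rundll32 loads a DLL at logon: " + dll)
        if "\\system32\\" in dll.lower():
            reasons.append("DLL lives in system32 rather than a program folder")
    if re.fullmatch(r"[0-9a-f]{8}", entry["value"]):
        reasons.append("Run value name is eight hex digits rather than a product name")
    return reasons
```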


#9 help_a_brother


Posted 04 April 2009 - 09:34 PM

I used Explorer and set it to show hidden files and I opened a command prompt and ran a "dir /AH" -> nothing there and no pop-ups so far. I'll keep on top of it, though. Thanks for the help!

Cheers!

#10 boopme


Posted 04 April 2009 - 10:03 PM

One last check...

(Note to fellow helpers: HijackThis readout: O4 - HKLM\..\Run: [cc44d15c] rundll32.exe "C:\WINDOWS\system32\vatotosa.dll")



Jay, how did you know this?? Whose HJT log is that?



Vundofix is an outdated tool...

Edited by boopme, 04 April 2009 - 10:08 PM.


#11 Guest_Jay-P VIP_*


Posted 05 April 2009 - 05:16 AM

I have read HJT logs before and took note of quite a few details. Research...good stuff!

(edit: it belonged to no one, I knew the phrase in HJT)

Edited by Jay-P VIP, 05 April 2009 - 05:17 AM.




