
Virtumondo.prx has disabled my firewall & Anti V Updates


13 replies to this topic

#1 SoSassy

  • Members
  • 12 posts
  • Gender:Female
  • Location:Yorkshire UK
  • Local time:12:12 AM

Posted 25 August 2010 - 03:07 PM

Hi there

I've just posted a quick intro, then bobbed over to your Spyware removal section.

I was about to follow all instructions, to remove this virus from my laptop, but I'm stumbling at the 1st hurdle.

This trojan has disabled my firewall, plus it won't let Microsoft Essentials run its update.

I've just spent 14 hours trying to get rid of this and am pulling my hair out.

I ran Malwarebytes Anti-Malware deep scan 1st of all. This came up with a virus, which was removed. I then ran Spybot, and it immediately came up with the Virtumondo trojan with 2 entries. So deleted and as instructed allowed it to reboot, then it ran with nothing else on the desktop for what must have been 3 hours. Still one entry showing. Deleted and rebooted. Ran Malwarebytes deep scan again..... Nothing!

Thinking I may have done it and got rid, felt dead chuffed, but to be on the safe side, I've then run Microsoft Essentials on a deep scan. This came up with 3 entries, one of them was yet another trojan, but appeared to be attached to Java..... So, am gutted again.

I've rebooted and the rundlll.exe is back again, so am currently running Spybot again.

I'm contacting you through my old PC, rather than the laptop, as I'm scared to use the internet on that now the firewall is disabled and worried about infecting anything or anyone else's computer with this thing. I am ripping my hair out in frustration at this!

Just in case it helps, the infected laptop is a Sony Vaio, BX61MN running XP Pro SP 3.

Hope someone can help!

Thanks guys

A very desperate and soon to be hairless Annie :thumbsup:

PS: When I try to enable the Firewall, I get a box popping up saying
"Windows firewall settings cannot be displayed because the associated server is not running. Do you want to start the windows firewall /internet connection sharing (ICS) service?"

The options are yes or no so I click yes

Then I get a box saying "Windows cannot start the windows firewall /internet connection sharing (ICS) service"

Similarly when I try to run the update on Microsoft Essentials.

Edited by SoSassy, 25 August 2010 - 03:12 PM.



#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:07:12 PM

Posted 25 August 2010 - 03:49 PM

Hello, before you join the "Hairless Club" let's try this. Is this XP, Vista etc...?

We need to disable Spybot S&D's "TeaTimer" if running.
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click [image] and then on "Advanced Mode"
    [image]
  • You may be presented with a warning dialog. If so, press [image]
  • Click on [image]
  • Click on [image]
  • Uncheck this checkbox:
    [image]
  • Close/Exit Spybot Search and Destroy

Next run ATF and SAS: If you cannot access Safe Mode, run in normal, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


How are things now?
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 SoSassy (Topic Starter)

Posted 25 August 2010 - 04:46 PM

Sorry, had to go get supper. I'm on with your list of tasks now.

I followed the Spybot instructions, but teatimer wasn't there.

I've forwarded this page link from the old PC to my laptop now and am downloading SUPERAntiSpyware and ATF. This doesn't install, just has a box with a list of unticked items. Is this correct?

One thing that is happening that's strange is when I click to open a hyperlink in an e-mail, Firefox add-ons opens immediately and starts running Xmarks. I can't close it unless I do it through the task manager. Firefox then opens afterwards, despite me having clicked to open IE. I presume the virus has changed my default browser too?

I've never run in safe mode before, but I'll give it a go.

Back to you soon.

Blimey, my eyes are on stalks now!

Thanks ever so

A balding and boggle eyed Annie

#4 SoSassy (Topic Starter)

Posted 25 August 2010 - 04:59 PM

Hey again

Just a quickie

I've managed to restart in Safe Mode. It did say that the administrator wasn't permitted to carry out certain tasks, so I checked the user accounts and there is an administrator and Annie, but both are named as administrators.

Plus, despite saving ATF to my desktop, it's not there in Safe Mode. Should I do it again and choose my own user account, which ATF was downloaded from?

Blimey this is confusing. Sorry.

#5 boopme

Posted 25 August 2010 - 07:14 PM

Yes, run from your account Annie. Sometimes you have to move the icon to the top left before you reboot to Safe. This should leave it in a viewable spot as the Safe Mode display is much larger.

If you still have grief use ATF in normal.

#6 SoSassy (Topic Starter)

Posted 26 August 2010 - 07:38 AM

Hi Again

Well, I've done everything as instructed and also ran Spybot in Safe Mode, but no virus showing from either SUPERAntiSpyware or Spybot, but my firewall still gives me the same error and will not connect, neither will MSE update its spyware / virus definitions. Last week my DVD RW drive stopped being recognised either, despite the troubleshooter in Device Manager saying all was ok. It will play and record to CDs, but not to DVD. Could this also be connected?

Here is the log file from Super

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/26/2010 at 00:57 AM

Application Version : 4.41.1000

Core Rules Database Version : 5405
Trace Rules Database Version: 3217

Scan type : Complete Scan
Total Scan Time : 01:54:33

Memory items scanned : 220
Memory threats detected : 0
Registry items scanned : 9971
Registry threats detected : 0
File items scanned : 24854
File threats detected : 0

I then ran it again in Safe Mode, but connected my 2 USB flash drives, but again no virus. This is the log from that scan:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/26/2010 at 11:08 AM

Application Version : 4.41.1000

Core Rules Database Version : 5408
Trace Rules Database Version: 3220

Scan type : Complete Scan
Total Scan Time : 02:09:03

Memory items scanned : 218
Memory threats detected : 0
Registry items scanned : 9971
Registry threats detected : 0
File items scanned : 24891
File threats detected : 0

I've just found a different thread on one of your other tutorials re removing this virus, so have also just downloaded and am running VundoFix.

However, it doesn't appear to be showing itself on any scans, yet my firewall and MSE are still disabled, DVD inoperable and Firefox is still opening as the default browser and strange things happening with the add-on box popping up before Firefox and running Xmarks......

Any more ideas for me to try?

Here's hoping

Kind regards

Yours bewildered and confused

Annie

#7 boopme

Posted 26 August 2010 - 01:53 PM

OK Annie, try this: open Control Panel, Internet Options, Connections tab, LAN settings, uncheck the box next to "Use proxy...."
OR
Go to Start ... Run and type in cmd
A DOS window will appear.
Type in the DOS window: netsh winsock reset
Press the Enter key.

Reboot your system to complete the process.

#8 SoSassy (Topic Starter)

Posted 26 August 2010 - 04:21 PM

Hi there

Done all that and still getting the same error report as above for the Firewall and MSE virus update and still no DVD drive being recognised, despite it being there!

Any more ideas please? I'm worried that I'm facing a full reinstallation if I can't resolve this.

Thanks again

Gosh, I do believe a bit of gin related stress relief may be called for........ again!!!

Annie

#9 SoSassy (Topic Starter)

Posted 26 August 2010 - 07:02 PM

Hi Again
So sorry to be a pain, and I know that there are lots of other people needing help, but if you could get back to me when you have a minute, I'd be eternally grateful.

Cheers

Annie

#10 boopme

Posted 26 August 2010 - 07:23 PM

Hi, we won't have to reformat, we can still move to the special tool section. I am trying to clean this here though as the wait there is 3-4 days right now. There is just too much malware out there. I have a good idea on what we have, we just need to crack it.
We are going to run a deep and long scan next.
Drweb-cureit

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the anti-virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


#11 SoSassy (Topic Starter)

Posted 26 August 2010 - 07:59 PM

You're a star!

Thanks ever so much.

I'm on with it and will log my results.

Thank you so much for your time. I really do appreciate it.

Kind regards

A very knackered and frustrated

Annie

#12 SoSassy (Topic Starter)

Posted 31 August 2010 - 09:32 AM

Hi Again

So sorry for the delay in getting back to you. Had a bit of a bug, so been floored in bed.

However, I am delighted to say that my laptop appears to be virtually cured by the Dr.Web CureIt program. It found a few more viruses which had been missed by Spybot, Malwarebytes, SUPERAntiSpyware, Vundo, Rkill etc etc. However, the one thing which still doesn't work is my DVD drive. I can play and burn CDs, but it won't recognise the DVD drive. I even tried to use Roxio and Cheetah, just to make sure, but they both show the drive as unrecognisable.

I checked in Device Manager and it shows the Vaio optical drive and appears to show no problems, but still, it's not recognised. On the plus side I am SO SO SO grateful to you for leading me through the process of eliminating the trojans found. Here is a copy of the Dr.Web CureIt log as requested.

tcpip.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
isdocanz.dll;c:\windows;BackDoor.Tdss.3961;Deleted.;
RegUBP2b-Annie.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
npCouponPrinter.dll;C:\Program Files\Mozilla Firefox\plugins;Adware.Coupons.34;Incurable.Moved.;
A0308654.dll;C:\System Volume Information\_restore{8CD95FC1-F6F5-4724-9BA8-B6AFFA37C44C}\RP909;BackDoor.Tdss.3961;Deleted.;
A0308655.reg;C:\System Volume Information\_restore{8CD95FC1-F6F5-4724-9BA8-B6AFFA37C44C}\RP909;Trojan.StartPage.1505;Deleted.;

If you have any ideas about the DVD situation, I'd be grateful to hear it, but thanks again for your help getting the firewall and MSE anti virus working again.

A hugely relieved

Annie :thumbsup:
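The Dr.Web CureIt report pasted above is a simple semicolon-separated list: file name, directory, detection name, action taken, each line closed by a trailing semicolon. The short Python script below is an added example (not Dr.Web's or BleepingComputer's code) that parses that format and pulls out the points a helper checks before calling a machine clean: whether every object was actually cured, deleted or moved; whether a kernel driver was hit (tcpip.sys here); how many copies lived in System Restore points; and whether a backdoor-class family was present, which is what drives the "change your passwords" follow-up. The sample input is the six lines from the post, copied verbatim. The family rule (BackDoor.* and Trojan.PWS.* count as credential risk) is a coarse triage assumption of mine, not Dr.Web's taxonomy.

```python
"""Parse and triage a Dr.Web CureIt report of the kind pasted in the thread.

Added example, not Dr.Web's or BleepingComputer's code. It assumes the
semicolon-separated layout visible in the post:
    <file name>;<directory>;<threat name>;<action taken>;
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the six report lines quoted in the post above,
# copied verbatim (raw string so the Windows backslashes stay literal).
SAMPLE_REPORT = r"""
tcpip.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
isdocanz.dll;c:\windows;BackDoor.Tdss.3961;Deleted.;
RegUBP2b-Annie.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
npCouponPrinter.dll;C:\Program Files\Mozilla Firefox\plugins;Adware.Coupons.34;Incurable.Moved.;
A0308654.dll;C:\System Volume Information\_restore{8CD95FC1-F6F5-4724-9BA8-B6AFFA37C44C}\RP909;BackDoor.Tdss.3961;Deleted.;
A0308655.reg;C:\System Volume Information\_restore{8CD95FC1-F6F5-4724-9BA8-B6AFFA37C44C}\RP909;Trojan.StartPage.1505;Deleted.;
"""

# Actions that mean Dr.Web neutralised the object; anything else needs a human look.
RESOLVED_ACTIONS = {"Cured", "Deleted", "Incurable.Moved"}
# Assumption: detection-name prefixes treated as "credentials may be exposed".
CREDENTIAL_RISK_PREFIXES = ("BackDoor.", "Trojan.PWS.")


@dataclass(frozen=True)
class Finding:
    file_name: str
    directory: str
    threat: str
    action: str  # as written in the report, e.g. "Cured." or "Incurable.Moved."

    @property
    def family(self) -> str:
        """Leading component of the detection name: 'BackDoor.Tdss.2459' -> 'BackDoor'."""
        return self.threat.split(".", 1)[0]

    @property
    def outcome(self) -> str:
        """Action with the trailing full stop removed: 'Cured.' -> 'Cured'."""
        return self.action.rstrip(".")

    @property
    def resolved(self) -> bool:
        return self.outcome in RESOLVED_ACTIONS

    @property
    def in_restore_point(self) -> bool:
        """System Restore keeps copies of infected files; a restore brings them back."""
        return "\\system volume information\\_restore" in self.directory.lower()

    @property
    def is_system_driver(self) -> bool:
        return "\\system32\\drivers" in self.directory.lower()

    @property
    def credential_risk(self) -> bool:
        return self.threat.startswith(CREDENTIAL_RISK_PREFIXES)


def parse_report(text: str) -> list[Finding]:
    """Parse the report; each non-empty line carries four fields and a trailing ';'."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        if fields[-1] == "":
            fields.pop()  # drop the empty field produced by the trailing ';'
        if len(fields) != 4:
            raise ValueError(f"unexpected Dr.Web report line: {raw!r}")
        findings.append(Finding(*fields))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Counts and flags a helper wants before saying 'that end is done'."""
    return {
        "by_outcome": Counter(f.outcome for f in findings),
        "by_family": Counter(f.family for f in findings),
        "unresolved": [f.file_name for f in findings if not f.resolved],
        "restore_point_copies": sum(1 for f in findings if f.in_restore_point),
        "system_driver_hits": [f.file_name for f in findings if f.is_system_driver],
        "credential_risk": any(f.credential_risk for f in findings),
    }


def render(summary: dict) -> str:
    """Turn the summary into the plain-text notes a helper would post back."""
    lines = [f"outcomes: {dict(summary['by_outcome'])}",
             f"families: {dict(summary['by_family'])}"]
    if summary["system_driver_hits"]:
        lines.append("kernel driver(s) were infected: " + ", ".join(summary["system_driver_hits"])
                     + " (compare the cured file's version and hash with a known-good copy)")
    if summary["restore_point_copies"]:
        lines.append(f"{summary['restore_point_copies']} infected copies sat in System Restore"
                     " points; clear old restore points once the machine is confirmed clean")
    if summary["credential_risk"]:
        lines.append("backdoor-class malware was present: treat passwords used on this machine"
                     " as exposed and change them from a clean device")
    if summary["unresolved"]:
        lines.append("NOT resolved: " + ", ".join(summary["unresolved"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize(parse_report(SAMPLE_REPORT))))
```

Run as-is it reports 1 cured, 4 deleted and 1 moved object, three BackDoor hits (two of them restore-point copies), and the infected tcpip.sys driver. The parser raises on any line that does not have exactly four fields rather than silently skipping it, so a truncated paste is noticed instead of being summarised as "clean".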

#13 boopme

Posted 31 August 2010 - 01:39 PM

Hi Annie, busy day for me.. While I look up the CD issue do a quick scan so I can be sure that end is done.
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, post new scan log and reboot into normal mode.


Edit: That last infection removed ... steals passwords etc. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Edited by boopme, 31 August 2010 - 01:41 PM.


#14 boopme

Posted 31 August 2010 - 01:51 PM

If the CD is there in Device Manager then run this. L@@K

To access Device Manager, use any of the following methods:

- Click Start, click Run, and then type devmgmt.msc
- Right-click My Computer, click Manage, and then click Device Manager.
- Right-click My Computer, click Properties, click the Hardware tab, and then click Device Manager.
- Type the following command at a command prompt: start devmgmt.msc