Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde keeps rearing its ugly head in Explorer.exe and System32 folder


  • This topic is locked This topic is locked
1 reply to this topic

#1 trishtehdish

trishtehdish

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:24 AM

Posted 07 September 2010 - 02:44 PM

REPOST (Please don't hurt me!)

Hi, I'm going to try and be as succint and clear as possible about my issue. Normally I would not bother you wonderful forum gurus, but I can't do this alone.

I'm running XP Pro. V. 2002 with SP3 on a lenovo thinkpad. I was (before the problem started) running Spybot S&D and AVG Free. Like an idiot, I neglected to scan a file (file type=file) before opening, and KABOOM! Antimalware popped up and started giving me warnings, wouldn't let me run my browser, and when I went to open AVG, all windows closed so I hard-booted my laptop (the computer was totally unresponsive and I got scared). I restarted XP normally and Antimalware did its thing again, so I tried removing it through Control Panel, but couldn't find it.

I rebooted into safe mode and ran a command line scan with AVG, which removed some but not all of the "Trojan Horse" files... unfortunately I did not log this info, but I do recall some files being in my "Local Settings\Temp" folder, which were removed, and also it had hijacked explorer.exe, svchost.exe and rundll32.exe, which AVG couldn't fix. I didn't realize that at the time, so I tried restarting Windows normally, and downloaded Malwarebytes' Anti-Malware, ran some scans, and it found a couple of Trojan files but seemed to be able to get rid of them. I ran another scan with Spybot which found "Virtumonde". That's when I knew I was in trouble.


I looked up removal instructions for Virtumonde (that may have been from this forum, can't recall), and manually removed Antimalware Doctor files from C:\WINDOWS\System32 including "enemies-names.txt" and related Antimalware Doctor files within the same folder. I then used regedit to remove the following:
HK_CU\Software\Microsoft\Windows\Current Version\Uninstall\Antimalware Doctor
HK_CU\Software\Antimalware Doctor (and all entries within that folder)

THEN... Spybot S&D came up and told me a global entry had been added of "lseyerisub" (it's probably different between individual cases) as a System Startup entry. I believe it was in the directory C:\WINDOWS\afiyomeb.dll. I denied the change, but it kept coming back, so I told S&D to remember the decision. It continued to block this change in the background. My brother and I then searched for afiyomeb and found it in the WINDOWS directory but it could not be deleted. We scanned again with AVG and managed to delete a bunch of new rundll32 prefetch files AS WELL AS rundll32.exe itself (DURR). And then, of course, emptied the recycle bin. I also attempted, around this point, to run System Restore, but the dirty *&*$ had deleted all my restore points. Not that System Restore ever DID work on my computer, but STILL!

Finally, reluctantly, I downloaded and ran VUNDOFIX, which scanned and found nothing. I was also attempting to find rundll32.exe, (using Paretologic Data Recovery) but it had already been rewritten.


So I thought I was out of the woods, maybe. BUT... I went into Tools in S&D and under System Startup found a reg entry:
HK_LM:Run(Current System) with the Value "lseyerisub" under C:\WINDOWS\afiyomeb.dll. I tried searching the registry for this entry but couldn't find it so I got S&D to disable it and restarted the computer. The darn value came back after rebooting and I'm still getting random browser windows open. I tried deleting the reg entry (through Spybot) again, and am currently running scans with AVG, Malwarebytes' Anti-Malware AND S&D. As of yet, I have some infections found with AVG which are Trojan horse Adload_r.AKC files found at:
C:\WINDOWS\System32\svchost.exe (1328):\memory_001a0000
C:\WINDOWS\System32\svchost.exe (1328)
C:\WINDOWS\Explorer.EXE (1212):\memory_001a0000
C:\WINDOWS\Explorer.EXE (1212)

~AVG could not fix the infections, the objects are inaccessible. Malwarebytes didn't find anything malicious, nor did Spybot.

I FEEL SO SCREWED wacko.gif > Right now I'm going to try downloading and using Virtumundobegone and see if that works. Let me know if anyone can provide any insight or suggest some better course of action. My brother had used VundoFix and successfully ridden his system of the bug, but I am not so fortunate. I'm assuming I'll need to upload a HJT file at some point.

AH Almost forgot. To bypass the fact that I had deleted rundll32.exe and Windows Security couldn't run without it, I copied the file from my brother's computer and just plopped it back into the System32 folder. That seems to have worked. I am considering reinstalling the OS (I have backed up all my data), but I will likely not be able to get a disc for XP from my maintenance providers (they aren't very.... giving).

*SIGH* Where should I go from here?


Sincerely,

DISH

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,166 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:24 AM

Posted 07 September 2010 - 08:57 PM

Closed ,I replied to other thread.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users