
Virtumonde Fix


3 replies to this topic

#1 Dutchly

  • Members
  • 3 posts

Posted 17 May 2007 - 04:13 AM

I just used this yesterday to remove a very stubborn trojan.

http://www.atribune.org/content/view/24/1/

Apparently, Virtumonde resides in memory so it can't be deleted
by conventional means. As soon as you delete it it replicates. This
program above worked when nothing else did.

I have current McAfee Security Center 7.2.147 and either Virtumonde or
something else waltzed right in and lowered my security setting from
"medium" to "trusting" and proceeded to rewrite registry entries. This
trojan also installs a keystroke mapper. It's nasty and will drive you
bonkers with rogue webpages popping up and slowing down your
system. Vundofix.exe zapped it totally.

I have no connection to this above website. It just worked.

Dutchly


#2 fozzie

    aut viam inveniam aut faciam (I shall either find a way or make one)

  • Members
  • 3,516 posts
  • Gender:Male
  • Location:Ossendrecht/The Netherlands

Posted 17 May 2007 - 06:56 AM

Please download VirtumundoBeGone.exe and save the file to your Desktop.
  • Close ALL running programs including your Internet Browser.
  • Double-click VirtumundoBeGone.exe to launch.
  • Read the introductory information, and then click "Continue".
  • Click "Start".
  • When asked if you want to continue, click "Yes" to run the fix.
  • Do not worry if you see a BLUE SCREEN "Fatal Error" Message, it is normal and expected.
  • When finished it will create a log named VBG.TXT on your desktop.
  • Reboot your PC and post the VBG.TXT along with a fresh HijackThis log in your next reply.


#3 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,613 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 17 May 2007 - 08:57 AM

Hello Dutchly

We link to the same tool in BC's self-help tutorial "How To Remove Winfixer/Virtumonde/Msevents/Trojan.vundo" and yes it is effective and we're glad to hear it worked for you.

If you're not having any further problems, you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which can sometimes reinfect your system if you use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 Dutchly
  • Topic Starter

  • Members
  • 3 posts

Posted 19 May 2007 - 09:04 AM

I don't have any "highthis" log. Don't know what it is, don't have it.

Did the VundoBeGone and this is the log:


[05/19/2007, 6:11:28] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Dutch\Desktop\VirtumundoBeGone.exe" )
[05/19/2007, 6:11:36] - Detected System Information:
[05/19/2007, 6:11:36] - Windows Version: 5.1.2600, Service Pack 2
[05/19/2007, 6:11:36] - Current Username: Dutch (Admin)
[05/19/2007, 6:11:36] - Windows is in NORMAL mode.
[05/19/2007, 6:11:36] - Searching for Browser Helper Objects:
[05/19/2007, 6:11:36] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[05/19/2007, 6:11:36] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/19/2007, 6:11:36] - BHO 3: {089FD14D-132B-48FC-8861-0048AE113215} ()
[05/19/2007, 6:11:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2007, 6:11:36] - Checking for HKLM\...\Winlogon\Notify\SiteAdv
[05/19/2007, 6:11:36] - Key not found: HKLM\...\Winlogon\Notify\SiteAdv, continuing.
[05/19/2007, 6:11:36] - BHO 4: {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} ()
[05/19/2007, 6:11:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2007, 6:11:36] - Checking for HKLM\...\Winlogon\Notify\byxussq
[05/19/2007, 6:11:36] - Found: HKLM\...\Winlogon\Notify\byxussq - This is probably Virtumundo.
[05/19/2007, 6:11:36] - Assigning {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} MSEvents Object
[05/19/2007, 6:11:36] - BHO list has been changed! Starting over...
[05/19/2007, 6:11:36] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[05/19/2007, 6:11:36] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/19/2007, 6:11:36] - BHO 3: {089FD14D-132B-48FC-8861-0048AE113215} ()
[05/19/2007, 6:11:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2007, 6:11:36] - Checking for HKLM\...\Winlogon\Notify\SiteAdv
[05/19/2007, 6:11:36] - Key not found: HKLM\...\Winlogon\Notify\SiteAdv, continuing.
[05/19/2007, 6:11:36] - BHO 4: {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} (MSEvents Object)
[05/19/2007, 6:11:36] - ALERT: Found MSEvents Object!
[05/19/2007, 6:11:36] - BHO 5: {53707962-6F74-2D53-2644-206D7942484F} ()
[05/19/2007, 6:11:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2007, 6:11:36] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[05/19/2007, 6:11:36] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[05/19/2007, 6:11:36] - BHO 6: {549B5CA7-4A86-11D7-A4DF-000874180BB3} ()
[05/19/2007, 6:11:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2007, 6:11:36] - No filename found. Continuing.
[05/19/2007, 6:11:36] - BHO 7: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[05/19/2007, 6:11:36] - BHO 8: {61800A3D-1170-43B1-86A1-96402FB33F21} ()
[05/19/2007, 6:11:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2007, 6:11:36] - Checking for HKLM\...\Winlogon\Notify\ssqrr
[05/19/2007, 6:11:36] - Key not found: HKLM\...\Winlogon\Notify\ssqrr, continuing.
[05/19/2007, 6:11:36] - BHO 9: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
[05/19/2007, 6:11:36] - BHO 10: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} ()
[05/19/2007, 6:11:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2007, 6:11:36] - No filename found. Continuing.
[05/19/2007, 6:11:36] - Finished Searching Browser Helper Objects
[05/19/2007, 6:11:36] - *** Detected MSEvents Object
[05/19/2007, 6:11:36] - Trying to remove MSEvents Object...
[05/19/2007, 6:11:37] - Terminating Process: IEXPLORE.EXE
[05/19/2007, 6:11:38] - Terminating Process: RUNDLL32.EXE
[05/19/2007, 6:11:38] - Disabling Automatic Shell Restart
[05/19/2007, 6:11:38] - Terminating Process: EXPLORER.EXE
[05/19/2007, 6:11:39] - Suspending the NT Session Manager System Service
[05/19/2007, 6:11:39] - Terminating Windows NT Logon/Logoff Manager
[05/19/2007, 6:11:39] - Re-enabling Automatic Shell Restart
[05/19/2007, 6:11:39] - File to disable: C:\WINDOWS\system32\byxussq.dll
[05/19/2007, 6:11:39] - Removing HKLM\...\Browser Helper Objects\{3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5}
[05/19/2007, 6:11:45] - Removing HKCR\CLSID\{3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5}
[05/19/2007, 6:11:45] - Adding Kill Bit for ActiveX for GUID: {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5}
[05/19/2007, 6:11:46] - Deleting ATLEvents/MSEvents Registry entries
[05/19/2007, 6:11:46] - Removing HKLM\...\Winlogon\Notify\byxussq
[05/19/2007, 6:11:46] - Searching for Browser Helper Objects:
[05/19/2007, 6:11:46] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[05/19/2007, 6:11:46] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/19/2007, 6:11:46] - BHO 3: {089FD14D-132B-48FC-8861-0048AE113215} ()
[05/19/2007, 6:11:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2007, 6:11:46] - Checking for HKLM\...\Winlogon\Notify\SiteAdv
[05/19/2007, 6:11:46] - Key not found: HKLM\...\Winlogon\Notify\SiteAdv, continuing.
[05/19/2007, 6:11:46] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} ()
[05/19/2007, 6:11:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2007, 6:11:46] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[05/19/2007, 6:11:46] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[05/19/2007, 6:11:46] - BHO 5: {549B5CA7-4A86-11D7-A4DF-000874180BB3} ()
[05/19/2007, 6:11:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2007, 6:11:46] - No filename found. Continuing.
[05/19/2007, 6:11:46] - BHO 6: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[05/19/2007, 6:11:46] - BHO 7: {61800A3D-1170-43B1-86A1-96402FB33F21} ()
[05/19/2007, 6:11:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2007, 6:11:46] - Checking for HKLM\...\Winlogon\Notify\ssqrr
[05/19/2007, 6:11:46] - Key not found: HKLM\...\Winlogon\Notify\ssqrr, continuing.
[05/19/2007, 6:11:46] - BHO 8: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
[05/19/2007, 6:11:46] - BHO 9: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} ()
[05/19/2007, 6:11:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2007, 6:11:46] - No filename found. Continuing.
[05/19/2007, 6:11:46] - Finished Searching Browser Helper Objects
[05/19/2007, 6:11:46] - Finishing up...
[05/19/2007, 6:11:47] - A restart is needed.
[05/19/2007, 6:11:47] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[05/19/2007, 6:11:58] - Attempting to Restart via STOP error (Blue Screen!)

Thanks for the help!
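The VBG.TXT log above shows the tool's detection logic: it enumerates the installed Browser Helper Objects, and for every BHO whose CLSID has no default name it looks for a Winlogon\Notify subkey with the same name as the BHO's DLL; a match is reported as "probably Virtumundo", the process is stopped, the CLSID and Notify keys are removed and an ActiveX kill bit is set. When a helper asks for this log, what they want to confirm is that the flagged CLSID is gone from the final enumeration pass. The script below is an added example, not part of the thread and not code from the VirtumundoBeGone tool: it parses the log's line formats into a small triage summary (flagged CLSIDs, processes terminated, keys removed, kill bits, and whether each flagged CLSID is absent from the last scan). The embedded sample is a trimmed excerpt of the log posted in this thread; the data model, the function names and the remediation check are this example's own assumptions.

```python
"""Triage a VirtumundoBeGone log (VBG.TXT) of the kind posted in this thread.

Added example; not the tool's code. Only the line formats come from the posted
log. The Bho/Triage model and the remediation check are this script's assumptions.
"""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^\[(\d{2}/\d{2}/\d{4}), (\d{1,2}:\d{2}:\d{2})\] - (.*)$")
BHO_RE = re.compile(r"^BHO \d+: (\{[0-9A-Fa-f-]+\}) \((.*)\)$")
# The tool looks for a Winlogon\Notify subkey named like the unnamed BHO's DLL.
NOTIFY_RE = re.compile(r"^(Checking for|Key not found:|Found:) HKLM\\\.\.\.\\Winlogon\\Notify\\(\w+)")


@dataclass
class Bho:
    clsid: str
    name: str              # "" when the CLSID key has no default value
    notify: str = ""       # Winlogon\Notify subkey the tool checked for this BHO
    flagged: bool = False  # tool matched it to a Notify entry / MSEvents object


@dataclass
class Triage:
    passes: list = field(default_factory=list)  # one list[Bho] per enumeration pass
    flagged: set = field(default_factory=set)
    terminated: list = field(default_factory=list)
    disabled_files: list = field(default_factory=list)
    removed_keys: list = field(default_factory=list)
    kill_bits: list = field(default_factory=list)


def parse_vbg_log(text: str) -> Triage:
    t = Triage()
    current = None  # BHO list of the enumeration pass in progress
    last = None     # most recently listed BHO; the Notify lines refer to it
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(3)
        if msg.startswith(("Searching for Browser Helper Objects", "BHO list has been changed")):
            current, last = [], None
            t.passes.append(current)
        elif (b := BHO_RE.match(msg)):
            last = Bho(b.group(1), b.group(2))
            if current is not None:
                current.append(last)
        elif (n := NOTIFY_RE.match(msg)) and last is not None:
            last.notify = n.group(2)
            if n.group(1) == "Found:":  # "... - This is probably Virtumundo."
                last.flagged = True
                t.flagged.add(last.clsid)
        elif msg.startswith("ALERT:") and last is not None:
            last.flagged = True
            t.flagged.add(last.clsid)
        elif msg.startswith("Terminating Process: "):
            t.terminated.append(msg.split(": ", 1)[1])
        elif msg.startswith("File to disable: "):
            t.disabled_files.append(msg.split(": ", 1)[1])
        elif msg.startswith("Removing "):
            t.removed_keys.append(msg[len("Removing "):])
        elif msg.startswith("Adding Kill Bit for ActiveX for GUID: "):
            t.kill_bits.append(msg.split(": ", 1)[1])
    return t


def remediation_check(t: Triage) -> dict:
    """Per flagged CLSID: gone from the final scan, CLSID key removed, kill bit set?"""
    final = {b.clsid for b in t.passes[-1]} if t.passes else set()
    return {
        clsid: {
            "gone_from_final_scan": clsid not in final,
            "clsid_key_removed": any(clsid in key for key in t.removed_keys),
            "kill_bit_set": clsid in t.kill_bits,
        }
        for clsid in sorted(t.flagged)
    }


def unresolved_unnamed(t: Triage) -> list:
    """Unnamed BHOs still listed after cleanup that the tool did not match: review by hand."""
    return [b for b in t.passes[-1] if b.name == "" and not b.flagged] if t.passes else []


# Trimmed excerpt of the VBG.TXT posted in this thread (sample input, not a full log).
SAMPLE_LOG = r"""
[05/19/2007, 6:11:36] - Searching for Browser Helper Objects:
[05/19/2007, 6:11:36] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[05/19/2007, 6:11:36] - BHO 3: {089FD14D-132B-48FC-8861-0048AE113215} ()
[05/19/2007, 6:11:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2007, 6:11:36] - Checking for HKLM\...\Winlogon\Notify\SiteAdv
[05/19/2007, 6:11:36] - Key not found: HKLM\...\Winlogon\Notify\SiteAdv, continuing.
[05/19/2007, 6:11:36] - BHO 4: {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} ()
[05/19/2007, 6:11:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2007, 6:11:36] - Checking for HKLM\...\Winlogon\Notify\byxussq
[05/19/2007, 6:11:36] - Found: HKLM\...\Winlogon\Notify\byxussq - This is probably Virtumundo.
[05/19/2007, 6:11:36] - BHO list has been changed! Starting over...
[05/19/2007, 6:11:36] - BHO 4: {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} (MSEvents Object)
[05/19/2007, 6:11:36] - ALERT: Found MSEvents Object!
[05/19/2007, 6:11:37] - Terminating Process: IEXPLORE.EXE
[05/19/2007, 6:11:39] - File to disable: C:\WINDOWS\system32\byxussq.dll
[05/19/2007, 6:11:39] - Removing HKLM\...\Browser Helper Objects\{3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5}
[05/19/2007, 6:11:45] - Adding Kill Bit for ActiveX for GUID: {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5}
[05/19/2007, 6:11:46] - Removing HKLM\...\Winlogon\Notify\byxussq
[05/19/2007, 6:11:46] - Searching for Browser Helper Objects:
[05/19/2007, 6:11:46] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[05/19/2007, 6:11:46] - BHO 3: {089FD14D-132B-48FC-8861-0048AE113215} ()
[05/19/2007, 6:11:46] - Finished Searching Browser Helper Objects
"""

if __name__ == "__main__":
    triage = parse_vbg_log(SAMPLE_LOG)
    print("flagged:", sorted(triage.flagged))
    print("remediation:", remediation_check(triage))
    print("review by hand:", [b.clsid for b in unresolved_unnamed(triage)])
```

Run it against a full VBG.TXT by replacing SAMPLE_LOG with the file's contents. The `unresolved_unnamed` list is the part worth a second look: an unnamed BHO that the tool did not match to a Winlogon\Notify entry is not necessarily malicious (the SiteAdv and SDHelper entries in the posted log are examples of unnamed but legitimate ones), but the heuristic cannot say either way, so those CLSIDs should be checked against the file they load.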

