Particularly Nasty Virtumonde Infection

Status
Not open for further replies.
I've been trying to clean up (over the phone) a nasty virtumonde infection.
After several hours of scanning and frustration, the computer is being driven up from LA to Santa Barbara so I can get hands-on with it.

This thing did some fun stuff, such as deleting msconfig.exe (bypassing Windows System File Protection).

The damned thing seems to be MORE aggressive in safe mode, and it looks like it's hooking into lsass.exe.

The computer should arrive in about 90 minutes, so I'll start from there.

So far I've tried the typical Spybot, HJT, VundoFix, VirtumundoBeGone, and a few other things. Nothing seems to help; the damned random .dlls keep coming back on reboot.

This is the worst Virtumonde infection I've ever seen.



I'll be stripping away every unnecessary program and service when the computer gets here, and following the general guidelines and posting logs.

If anyone is reading - want to check back in around 4 or 5 hours (the machine's slow, so scans take a while...)?
 
If you are the person fixing it, then can you plug it in as a slave drive in another computer and scan from there?
Obviously make sure the other computer has all the antivirus signatures updated first.

This will help if you have a virus in the bootup files.

Also, doing it this way has two issues:
1. Registry entries are not scanned.
2. Password-protected accounts are not scanned.
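The first caveat above (a file scan of the slaved disk never looks at the registry) is exactly where a Vundo/Virtumonde infection re-arms itself from. The following is an added example, not code posted in this thread and not part of any of the tools named here: run on the clean scanning machine, it loads the slaved disk's SOFTWARE hive offline and lists the autostart locations this family typically uses (Run/RunOnce, Winlogon\Notify DLLs, Browser Helper Objects), flagging values that point at an 8-letter random-named DLL or at a file that no longer exists on the slaved disk. It assumes the slaved disk shows up as D: (change $Drive), that PowerShell is installed on the scanning host, and that the shell is run as Administrator; the mount name HKLM\OfflineSoft is an arbitrary scratch key.

```powershell
# Added example, not from the thread. Inspect autostart entries in the SOFTWARE
# hive of a slaved (offline) Windows XP disk. Assumptions: slaved disk is D:,
# PowerShell is available on the clean host, and this runs elevated.
$Drive = 'D:'                                             # assumption: slaved disk letter
$Hive  = Join-Path $Drive 'WINDOWS\system32\config\software'
$Mount = 'HKLM\OfflineSoft'                               # arbitrary temporary key name
$Base  = 'HKLM:\OfflineSoft'

if (-not (Test-Path $Hive)) { throw "SOFTWARE hive not found at $Hive" }

# reg.exe load maps the offline hive file under a temporary key of the live registry.
& reg.exe load $Mount $Hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed (not elevated, or hive still locked?)' }

try {
    $hits = @()
    function Add-Hit([string]$Location, [string]$Value) {
        $script:hits += New-Object PSObject -Property @{ Location = $Location; Value = $Value }
    }

    # 1. Classic Run / RunOnce keys. Get-ItemProperty also returns PS* metadata
    #    properties (PSPath, PSChildName, ...), which are skipped.
    foreach ($k in 'Microsoft\Windows\CurrentVersion\Run',
                   'Microsoft\Windows\CurrentVersion\RunOnce') {
        $p = Join-Path $Base $k
        if (Test-Path $p) {
            $props = Get-ItemProperty $p
            foreach ($n in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
                Add-Hit "Run\$($n.Name)" ([string]$n.Value)
            }
        }
    }

    # 2. Winlogon\Notify subkeys: each names a DLL loaded into winlogon.exe at logon.
    #    Entries here are loaded even in Safe Mode, which matches the "more
    #    aggressive in safe mode" behaviour described in the first post.
    $notify = Join-Path $Base 'Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($sub in Get-ChildItem $notify) {
            $dll = [string](Get-ItemProperty $sub.PSPath).DLLName
            Add-Hit "Winlogon\Notify\$($sub.PSChildName)" $dll
        }
    }

    # 3. Browser Helper Objects: the BHO key lists CLSIDs; resolve each to its DLL
    #    via the offline hive's Classes\CLSID\{...}\InprocServer32 default value.
    $bho = Join-Path $Base 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bho) {
        foreach ($sub in Get-ChildItem $bho) {
            $clsid = $sub.PSChildName
            $srv   = Join-Path $Base "Classes\CLSID\$clsid\InprocServer32"
            $dll   = if (Test-Path $srv) { [string](Get-ItemProperty $srv).'(default)' } else { '<no InprocServer32>' }
            Add-Hit "BHO\$clsid" $dll
        }
    }

    # Report. Flag (a) 8-lower-case-letter DLL names, the random-name pattern from the
    # thread, and (b) absolute system32 paths whose file is missing on the slaved disk.
    # PowerShell -match / -replace are case-insensitive by default.
    foreach ($h in $hits) {
        $path = $h.Value
        $flag = ''
        if ($path -match '(^|\\)[a-z]{8}\.dll') {
            $flag = 'SUSPICIOUS-NAME'
        } elseif ($path -match '^"?c:\\windows\\system32\\') {
            # Translate the infected machine's C:\ to the slaved drive letter before testing.
            $onDisk = ($path -replace '"', '') -replace '^c:', $Drive
            if (-not (Test-Path $onDisk)) { $flag = 'MISSING-FILE' }
        }
        '{0,-16} {1,-48} {2}' -f $flag, $h.Location, $path
    }
}
finally {
    # Always unload, or the hive file on the slaved disk stays locked. PowerShell may
    # still hold registry handles; a GC pass first makes the unload succeed reliably.
    [gc]::Collect()
    & reg.exe unload $Mount | Out-Null
}
```

Anything flagged is a candidate for removal from the offline hive (or noting before the file scan), but only the SOFTWARE hive is covered here; per-user Run keys live in each profile's NTUSER.DAT and would need the same reg load treatment against D:\Documents and Settings\<user>\NTUSER.DAT.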
 
Seems like a reinstall is the only option now.
I can no longer log into the machine - I get the "Unable to log you on because of an account restriction" error.
This is due to null passwords, and even the Administrator account under Safe Mode and Safe Mode with Command Prompt gives this error.

It is impossible to log into this box.
 
System Restore from the XP CD: boot to the first R screen.
c:\windows\system\restore\rstrui.exe

Or Windows System Repair:
still using the Windows CD boot,
using the second R prompt.
 
No system restore points, and repair is not an option because I only have XP Pro, the computer has XP Home.

I googled around and apparently, once you hit repair, you can get a command line by hitting Shift+F10. Then you can alter the passwords for users. I also had (many years ago) an XP Password Reset Disk (a Linux floppy that you could boot to and use to set the admin password on XP). Too bad I didn't keep it around. This PC even has a working floppy drive.

I'm just formatting it and throwing XP Pro on it.
I'll have to hunt down drivers and stuff, but it'll be a lot less frustrating this way. I'm going to lock it down as tight as possible so they don't get into this kind of situation again...
 
A reinstall of Windows will fix any software fault :)

Anyway, that floppy and that password reset CD still exist for download.
I used to use the Admin floppy one but ended up going to the bootable CD password reset disc; it's very handy to have, and free!

Just Google it, probably get a million links.

I take it that this thread is now closed, seeing as you're going to a whole new OS.

If you have further issues please post a new thread.
If you do, though, try to include as many system specs as possible in the initial post.

Good luck :)
 