TechSpot

Trojan.Virtumonde - Can't get rid of it

By Radian444
Nov 8, 2007
Topic Status:
Not open for further replies.
  1. Hello Everyone,

    Working on an infected client's machine. Performed all of the steps listed in the "Viruses/Spyware/Malware, preliminary removal instructions" and ran all of the tools and Trojan.Virtumonde keeps showing back up.

    Attached are my hijackthis, AVG Antispyware, VundoFix and Combofix log files. The Panda Antirootkit didn't find any unknown rootkits. By the way I already updated to the latest version of Java 6 version 3.

    There are no longer any symptoms or popups occurring on the machine, but I'm worried that the Trojan.Virtumonde will open ports and start downloading additional files to the computer. Any help would be greatly appreciated.

    My best guess based on the hijackthis log would be the three entries: wpkggnlt.dll, awtqq.dll, and nixhevgv.dll, but I haven't used HijackThis and don't want to screw something up.


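Radian444's guess above is based on reading the HijackThis log by eye. The following Python script is an added example, not code from the thread or from HijackThis, that does the same triage over constructed HijackThis-style lines: it keeps only the persistence entry types Virtumonde-era infections used (O2 browser helper objects and O20 Winlogon Notify packages), flags the three file names named in the post, and, as a labelled heuristic that can false-positive, also flags random-looking short DLL names in system32. The log format and sample lines are assumptions for illustration.

```python
import re

# Constructed sample log in the usual HijackThis "Onn - Type: name - path" layout.
# These are not the poster's real log lines; the CLSIDs are placeholders.
SAMPLE_HJT_LOG = """\
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\\WINDOWS\\system32\\awtqq.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O20 - Winlogon Notify: wpkggnlt - C:\\WINDOWS\\SYSTEM32\\wpkggnlt.dll
O20 - Winlogon Notify: nixhevgv - C:\\WINDOWS\\system32\\nixhevgv.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll (file missing)
"""

# The three file names Radian444 singled out in the thread.
SUSPECT_NAMES = {"wpkggnlt.dll", "awtqq.dll", "nixhevgv.dll"}

# Entry types used for persistence by this family: BHOs (O2) and Winlogon Notify (O20).
PERSISTENCE_TYPES = {"O2", "O20"}

LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.dll)", re.IGNORECASE)
# Heuristic (assumption): 5-8 lowercase letters with no vendor-like name, living in system32.
# Legitimate components can match this too, so it is a prompt to check, not a verdict.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}\.dll$")


def triage(log_text):
    """Return (entry_type, dll_name, reason) for each line worth a closer look."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        etype, rest = m.groups()
        if etype not in PERSISTENCE_TYPES:
            continue
        p = PATH_RE.search(rest)
        if not p:
            continue  # no on-disk path, e.g. "(file missing)" entries
        path = p.group(1)
        name = path.rsplit("\\", 1)[-1].lower()
        in_system32 = "\\system32\\" in path.lower()
        if name in SUSPECT_NAMES:
            hits.append((etype, name, "named in thread"))
        elif in_system32 and RANDOM_NAME_RE.match(name):
            hits.append((etype, name, "random-looking name in system32"))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_HJT_LOG):
        print(hit)
```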
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:

    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

    Regards Howard :wave: :wave:

    This thread is for the use of Radian444 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. Radian444

    Radian444 TS Rookie Topic Starter

    Thanks for the quick reply!

    Thank you for the quick reply. I lost remote access to the computer, but will perform the instructions you listed tomorrow and attach the new HiJack This log file. By the way the LogMeInRescue entry is for the software that we use to connect remotely.
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Ok, no problem.

    I have removed the Logmeinrescue from the script. That's one very badly infected system you have there.

    Regards Howard :)

    This thread is for the use of Radian444 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  5. Radian444

    Radian444 TS Rookie Topic Starter

    Attached are the latest combofix and HJT logs.

    Thanks for the help


  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    It appears you're running two AV programmes, Yahoo and Symantec/Norton. This is not recommended, will slow your system down and can cause serious conflicts. I suggest you uninstall one antivirus programme.

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:

    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

    Please open notepad and copy and paste the next bold text in it:
    (don't forget to copy and paste REGEDIT4)

    Save this as "fix.reg". Choose to save as *all files* and place it on your desktop.

    Double-click on it and when it asks you if you want to merge the contents into the registry, click yes/ok.

    Regards Howard :)

    This thread is for the use of Radian444 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  7. Radian444

    Radian444 TS Rookie Topic Starter

    Disabled Yahoo Antivirus in msconfig. Here are the new combofix and hijackthis log files.

    Thanks again


  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    That all looks pretty clean.

    I still recommend you uninstall one AV programme.

    Delete the following bold folders/files.

    C:\qoobox
    C:\fix.reg
    C:\WINDOWS\LMI2A.tmp
    C:\WINDOWS\LMI4.tmp
    C:\WINDOWS\LMIB.tmp
    C:\WINDOWS\LMI21.tmp

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of Radian444 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  9. Radian444

    Radian444 TS Rookie Topic Starter

    Ran another scan of Spybot S&D and this time it didn't find the Virtumonde infection! Thanks again!

    This thread is now closed: If you need this thread unlocking, please pm a moderator with a link to the thread.

    Only the original thread starter can do this. Anyone else will be ignored.