TechSpot

Virtumonde Trojan removal

By fuvirtumonde
Jan 1, 2009
  1. Okay... I have a couple of viruses. I have been trying all day to get rid of these. The big one seems to be virtumonde (comes up virtumonde.generic). This seems really nasty. It will not allow me to do a system restore. Also it will not allow me to get on to certain antispyware websites such as adaware, superantispyware, etc.

    I have repeatedly run McAfee, Avira, Malwarebytes, and a couple others. None work. Attached is my HijackThis list. Will some kind soul give me some advice?! Any files I should fix or kill?



    View attachment 40539

    sorry here is my Malwarebytes log

    View attachment 40547
     
  2. adweston

    adweston Banned Posts: 242

    Run this program. Then report back.

    The easiest, no fuss, no muss way to clean ANY computer is this:

    Download Combofix. Rename the executable to random characters such as 5235cf.exe.
    Download install and update Malwarebytes. Rename the setup executable to MB.exe
    Download, install and update AVG8.

    Run Combofix, then a full system scan with Malwarebytes. AVG will pick up the stragglers as MBAM does its thing. If it fails in normal mode, reboot into Safe Mode (Press F8 after the BIOS screen) and do it there.

    In the Combofix log, it gives you the recently created programs. Go to tools > options in My Computer. On the view tab, check "show hidden files and folders", uncheck "hide extensions for known file types" and "Hide system files". Click ok on the warning, then click ok in the options window.

    Look for the entries Combofix shows you (I find the easiest way is to go to C:, C:\Windows and C:\Windows\System32, right click and "arrange by > modified")

    Google any that you're not sure of. Usually it's the .dll files with random characters for file names, but not always. If they refuse to go, download Killbox and use it to get rid of them. This WILL fail if they're being called by the winlogon entry in the Registry. If that happens, make a note of the file name, then manually delete it in the Recovery Console.

    Run HijackThis to pick up any stragglers and old entries.

    Of course, at the end, use CCleaner to delete temp files, useless registry entries (make a backup of the registry first before you clean it...It will ask you).. and voila.. No 30 page threads and 3 weeks to clean up infections.

    We do cleanups at least a half a dozen times a day.. Formatting is not an option. This strategy has been tried and tested on hundreds of machines. On very, very rare occasions you may have to do a repair install at the end. Also be aware that ANY cleanup on a defective hard drive (a drive with MFT errors, etc, on it) may result in you having to do a CHKDSK C: /R at the Recovery Console to repair the drive. It's rare, but it does happen.

    There are other decent programs, like Superantispyware.. But it's a tad redundant. Still decent. There are also useless ones like Spybot and Adaware that are just a waste of time.

    Final note: Bear in mind that there are RARE exceptions when you have to use more advanced tools.

    Some issues I've seen:

    - Deleting the HOSTS file (C:\Windows\System32\Drivers\etc) to remove entries looped back to the local host (a favorite trick of some malware is to loop back known antivirus and Microsoft sites, resulting in a "page cannot be displayed" error)
    - Resetting Winsock and the TCP/IP stack with WinsockXP Fix
    - Removing rogue LSPs (Layered Service Provider) with LSP Fix
    - Going into the Recovery Console to delete baddies attached to the Winlogon registry entry. They're a real pain in the tush.
    - Using a Hook Analyzer to look for hidden baddies hooking onto legitimate system processes. :)
    - Deleting the upper and lowerfilters for the optical drives in the Registry so they reappear again on reboot.
    - Removing the hard drive and scanning it remotely before we could work on it.
    - Removing the hard drive and replacing the registry with an archived copy from the System Volume Information folder before we could work on it. You can do it from the Recovery Console, followed by Safe Mode, as well... Detailed instructions exist out there.

    And.. of course.. Hand grenades.
     
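The HOSTS loopback trick described in the post above (vendor and Microsoft sites pointed at 127.0.0.1 so the victim cannot reach removal tools) can be checked for and undone without discarding the whole file. The following is an added example for this thread, not a tool any poster supplied; the list of watched domains is an assumption built from the sites the thread says were blocked, and the sample HOSTS content is constructed.

```python
import ipaddress

# Vendor/support domains the thread reports being blocked. Assumed list
# for this example; extend it with whatever sites your own users need.
SECURITY_DOMAINS = (
    "malwarebytes.org", "superantispyware.com", "lavasoft.com",
    "bleepingcomputer.com", "avg.com", "microsoft.com",
)

# Constructed sample: a legitimate default header plus four hijack lines.
SAMPLE_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.malwarebytes.org
127.0.0.1 superantispyware.com
0.0.0.0 download.bleepingcomputer.com
127.0.0.1 update.microsoft.com   # looks harmless, is not
192.168.1.5 nas.local
::1 localhost
"""

def _is_sinkhole(ip_text):
    """True for loopback (127/8, ::1) or unspecified (0.0.0.0) addresses."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def _is_watched(host, watched):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watched)

def find_hosts_hijacks(hosts_text, watched=SECURITY_DOMAINS):
    """Return (line number, ip, hostname) for every watched domain sinkholed."""
    hits = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        if not _is_sinkhole(ip):
            continue
        for name in names:
            if name.lower() in ("localhost", "localhost.localdomain"):
                continue                       # the legitimate loopback entries
            if _is_watched(name, watched):
                hits.append((lineno, ip, name))
    return hits

def strip_hijacks(hosts_text, watched=SECURITY_DOMAINS):
    """Return the HOSTS text with only the flagged lines removed."""
    bad = {ln for ln, _, _ in find_hosts_hijacks(hosts_text, watched)}
    kept = [l for i, l in enumerate(hosts_text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"
```

As the post warns, a resident infection may rewrite the file again on reboot, so the cleaned file only tells you what was blocked; it is a diagnostic step, not the cleanup itself.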
  3. fuvirtumonde

    fuvirtumonde TS Rookie Topic Starter

    I cannot get access to Combofix, AVG8, or bleeping computer... I am assuming it blocks those. This is not looking good...
     
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Try running the update in "Safe Mode With Networking" (just press F8 key before Windows startup to get to this menu)
    Oh and remove AVG8
     
  5. adweston

    adweston Banned Posts: 242

    Delete your HOSTS file.. But do not reboot, or it will be reset back again. The infection will be monitoring it. Then try to access the links.
     
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Well obviously we do things differently adweston
    In my view, I would never say download AVG (anyway he has that horrible Antivirus installed already)
    Nor would I say download any other tools from any other site

    But, to save your reply, with you know best! I'll just sit back and watch how it pans out, who knows, maybe your way (different to how I've ever done this) will work
    It's no good having two support members giving two different instructions to one user
     
  7. adweston

    adweston Banned Posts: 242

    lol. Feel free to take over at any time.. I'm not the resident guru. I do it for a living, but that doesn't mean my way is THE way or the ONLY way. It's just a way that works well for me. It took me almost 3 years to hammer out an efficient system.... But I'm always open to suggestions.

    The point of having the AVG there is to pick up stuff that MBAM happens to miss. The Resident Shield does a fine job of picking up misc infections during the scan.

    One more thing.. Final notes. How do you help protect your computer AFTER you clean it?

    These three downloads will be of great help:

    A custom HOSTS file to block most of the jerks who like infecting your computer.

    Spyware Blaster that looks for typical actions and blocks them.

    And, of course, a list of sites for your Restricted Zone.
     
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Well at the moment:

    BitTorrent
    AVG
    Avira
    McAfee
    SpybotSD

    Are all installed !

    Plus a whole bunch of other strange stuff in HJT log

    So go for it ;)
     
  9. adweston

    adweston Banned Posts: 242

    lmao.. True true. :) BitTorrent won't really hurt anything by itself. It can sure bring nasties into your computer if you download the wrong thing though. I leave that one alone.

    I would uninstall Avira and Spybot.

    I would use this tool to get rid of that McAfee garbage.

    The rest I can address after those cleanups have been run and we see final logs from Combofix and HJT.. :)

    By the way, can we attach exe files to our posts? Like, can we attach the latest combofix to a post so the poster can grab it?
     
  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  11. fuvirtumonde

    fuvirtumonde TS Rookie Topic Starter

    Virtumonde

    Okay... I am a true novice so you may have to spell things out for me.

    Again, I am not able to download really any of these items a lot of you are telling me to download and run. It seems like the trojan or adware has blocked the websites where I can download these. Any suggestions? Are there mirror sites where I can download these?

    I really do appreciate your help!
     
  12. adweston

    adweston Banned Posts: 242

  13. fuvirtumonde

    fuvirtumonde TS Rookie Topic Starter

    No, it does not work either. I get "Failed to Connect" on both Firefox and IE.
     
  14. adweston

    adweston Banned Posts: 242

    Try this one instead. Right click on it, click on "Save as". Do NOT left click on it, or it will show a bunch of gibberish.

    Save it to your computer, then rename it to 0209jan.exe and execute it, preferably in safe mode.
     
  15. fuvirtumonde

    fuvirtumonde TS Rookie Topic Starter

    Okay, not sure what to do with this. It looks like a weird txt file. How would I open this in safe mode? What am I supposed to do with this?
     
  16. Lovy

    Lovy TS Rookie

    Virtumonde Killer

    Thanks very much for providing the file for removing the Virtumonde trojan. I came across this trojan last night and was up until 4.00am trying to remove it with no success. I came across your posting this morning and ran your file in safe mode as you suggested. I got a couple of messages during the process that made me think that it wasn't working, but I'm very happy to say that it seems to have worked perfectly, and I can now access my pages that were being blocked, and the trojan is no longer being reported on my system.
    I've registered today just to thank you, because I do appreciate the support that you, and others like you, provide to people like myself.
    Thanks again, and keep up the good work!
     
  17. adweston

    adweston Banned Posts: 242

    Awesome! Glad I could help. Thanks very much for that input. :)

    As posted previously:

    Right click on it, click on "Save as". Do NOT left click on it, or it will show a bunch of gibberish.

    Save it to your computer, then rename it to 0209jan.exe and execute it, preferably in safe mode.

    :)

    Please note: These instructions are for Internet Explorer.
     
  18. fuvirtumonde

    fuvirtumonde TS Rookie Topic Starter

    AWESOME! It looks like it worked. I ran the Combofix and was able to get SuperAntiSpyware, so I downloaded and ran that, MBAM, Avira. Now nothing is coming up when I scan, no popups, and I am able to go to any site.

    THANKS!!!
     
  19. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    By the way adweston, the ComboFix.exe file you supplied was old, it required auto updating
     
  20. adweston

    adweston Banned Posts: 242

    I downloaded it that day from Bleeping Computer, rather than use my copy, because they do time out. In most cases, any version over a couple of days old will ask to update, yet for some reason most of the time, even if you agree to let it, it won't update. Meh. The job was done. I'm pleased. Your customer is happy. Bonus.
     
Topic Status:
Not open for further replies.
