TechSpot

Virtumonde Virus. Need help

By Asianagentalex
Dec 3, 2008
  1. Hi Guys,

    I'm new to this site and need some help with the virtumonde virus. I just did the "UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions" by Julio and have attached the txt/log with this post. I only attached 2 (one .txt from Malwarebytes and a log from Hijackthis) because nothing came back on the SuperAntiSpyware scan.

    I'm wondering if I finally got rid of the virus 100%. I did a scan with Spybot and the Virtumonde did not show up but during the last few minutes of the scan I noticed that Spybot was scanning files in "Virtumonde.dll", "Virtumonde.sci" and "Virtumonde.sdn".

    Any advice for me on how to check if I got rid of the Virus would be awesome.

    Thanks,

    ~Alex~
     
  2. SpiritWind

    SpiritWind TS Rookie Posts: 164

  3. Asianagentalex

    Asianagentalex TS Rookie Topic Starter

    SpiritWind,

    I ran VundoFix and nothing came back on the scan. :eek:/

    One of my close friends gave me this advice: "Virtumonde is a known ad program that spawns popup ads. However, don't worry about seeing those popups in Spybot - all it's doing is listing what it's -looking- for, not what it's found. It'll list its findings AFTER it's done with the scan."

    Nothing has been coming up in my scans. I think I'm ok?
     
  4. rf6647

    rf6647 TS Maniac Posts: 829

    Successive scans are used to uncover additional infections, since masking is common with many infestations. When a tool reports something it can not clean, that's when the strategy calls for a stronger scanner.


    • Update both MBAM & SAS. Rerun them both.

    • This effort is complete when logs report NO infections/threats, or report something they cannot clean.
      • Typically extra repeat scans are not needed.

    Since the scan with VundoFix came back clean, the steps above should be a confirming 'clean'.

    Optional if symptoms are still present
    • Scan with HJT.

    • Post logs. Report progress & what changes are observed. Include logs that found infections.
     
  5. Asianagentalex

    Asianagentalex TS Rookie Topic Starter

    Took your advice and 1 infection was detected with SAS:

    Adware.Vundo Variant
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#SSODL


    and 2 were detected with MBAM:

    Trojan.Vundo.H
    Trojan.BHO


    I have attached the findings as well as the HJT log.

    I get an error message every time my computer starts up (this module could not be found):

    "Error Loading c:\windows\system32\vogujesi.dll"

    Any advice from here?
     
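As an added, read-only check (not from the thread and not part of SAS, MBAM or HJT), the PowerShell below audits the SSODL key that SAS flagged above and the Run keys for autostart entries whose DLL is missing or unsigned; a missing DLL is what produces an "Error Loading ... module could not be found" message at logon. It assumes an elevated Windows PowerShell session on the affected machine.

```powershell
# Added example, not from the thread: read-only audit of two autostart locations.
# SSODL: each value maps a name to a CLSID that Explorer loads at logon; the CLSID's
# InprocServer32 default value is the DLL. Run keys: rundll32 entries are checked too.
$Ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$RunKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')

function Test-AutostartDll {
    param([string]$Source, [string]$Name, [string]$Dll)
    $path = [Environment]::ExpandEnvironmentVariables($Dll)
    if (-not [IO.Path]::IsPathRooted($path)) {
        # Bare file name: rundll32 resolves it via the normal DLL search, System32 first
        $path = Join-Path $env:SystemRoot "System32\$path"
    }
    $status = 'MISSING (orphaned autostart entry)'
    $signer = ''
    if (Test-Path -LiteralPath $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $status = $sig.Status.ToString()           # Valid / NotSigned / HashMismatch ...
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]@{ Source = $Source; Name = $Name; Dll = $path; Status = $status; Signer = $signer }
}

$results = @()

# SSODL: resolve value -> CLSID -> InprocServer32 -> DLL path
$key = Get-Item -LiteralPath $Ssodl
foreach ($name in $key.GetValueNames()) {
    $clsid  = $key.GetValue($name)
    $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    if (Test-Path -LiteralPath $server) {
        $dll = (Get-Item -LiteralPath $server).GetValue('')
        $results += Test-AutostartDll -Source 'SSODL' -Name $name -Dll $dll
    } else {
        $results += [pscustomobject]@{ Source = 'SSODL'; Name = $name; Dll = "CLSID $clsid";
                                       Status = 'NO InprocServer32 (dangling CLSID)'; Signer = '' }
    }
}

# Run keys: only rundll32 commands; the first argument is the DLL being loaded
foreach ($rk in $RunKeys) {
    if (-not (Test-Path -LiteralPath $rk)) { continue }
    $k = Get-Item -LiteralPath $rk
    foreach ($name in $k.GetValueNames()) {
        if ($k.GetValue($name) -match '(?i)rundll32(?:\.exe)?"?\s+"?([^",]+)') {
            $results += Test-AutostartDll -Source $rk -Name $name -Dll $Matches[1]
        }
    }
}

$results | Sort-Object Status | Format-Table -AutoSize
```

Entries reported as MISSING or NotSigned are the ones to compare against the SAS/MBAM findings; the script changes nothing, so removal still goes through the scanners.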
  6. rf6647

    rf6647 TS Maniac Posts: 829

    Most surprising! Somewhat perplexing.

    Overview of next steps
    1. Uninstall old versions of ComboFix – if used previously
    2. Download ComboFix
    3. Disconnect from local network (router / modem).
    4. Turn off all Internet security programs, including FW, AV, AS
    5. 2 runs of combofix. Each run followed with a restart.
    6. Turn on appropriate Internet Security programs.
    7. Protect from contamination
      • Disconnect all other computers from router / modem (local network)
      • Power cycle router / modem
      • Power cycle infected computer.
    8. Attach only infected computer to local network.
    9. Reply with logs.
    10. Restore other computers to the local network.
    Details -
    1. Uninstall old versions of ComboFix
    2. Download ComboFix
    3. Disconnect infected computer from local network (router / modem).

    4. Turn off all Internet security programs, including FW, AV, AS
      • SpybotSD TeaTimer
      • Avira\AntiVir
      • avast! Antivirus
      • COMODO Firewall

    5. 2 runs of combofix
      • Follow ComboFix instructions referenced before.

      • Examine the last few lines in the log for ‘Completion time:’ ……. ‘machine was rebooted’

      • Restart the computer, if the first run of ComboFix did not conclude with ‘reboot’.

      • Repeat ComboFix.

      • Restart the computer

      • Scan with HJT. (part of instructions for ComboFix)

    6. Turn on appropriate Internet Security programs.
      • Choose only one antivirus program

    7. Protect from contamination of unknown origin. This is where I grasp at straws. Folklore…
      I offer some consideration of the folklore. Power cycle (poc) of the router is different than the ‘hard reset’ using the microswitch somewhere on the router. The latter technique forces factory defaults & it is a guaranteed cleaning. POC cleans volatile memory on the router. Once the exploits alter router settings, the hard reset is indicated. Passwords assigned by user are better than leaving it defaulted.
      Skip this if it is not practical.
      • Disconnect all computers from the router (local network).
      • Power cycle the router (remove power, restore power).
      • Power cycle the infected computer.

    8. Attach only infected computer to local network.

    9. Reply with logs.

    10. Restore other computers to the local network.
     
  7. Asianagentalex

    Asianagentalex TS Rookie Topic Starter

    Downloaded ComboFix and did all the steps. I attached the log from ComboFix and a new scan from HJT.

    Please let me know where to go from here.

    Thx
     
  8. rf6647

    rf6647 TS Maniac Posts: 829

    Asianagentalex,
    I think it’s time for another specialist to look at this problem. ComboFix and VundoFix agree with each other, but disagree with MBAM & SAS.

    Is your computer free of symptoms that you’ve observed? Are any of the protection programs loaded on your computer now complaining of anything?

    I have used ComboFix to decide things in the past. If you have no findings of an infection, other than MBAM & SAS, then I would not pursue this further.

    Please advise.


     