Virtumonde virus

By smopey
Jan 13, 2009
  1. Hello, I've been having problems with the Virtumonde virus. I ran VundoFix but it didn't find anything. Here's my HJT log. Thanks in advance!

    Logfile of HijackThis v1.99.1
    Scan saved at 10:49:42 PM, on 1/12/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)

    Moderator Edit:
    Pasted logs removed. Logs must be attached
    Note: You only need ONE post to attach these logs
    Your 5 other "Hello There" replies now removed!
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please follow the steps here: Viruses/Spyware/Malware Preliminary Removal Instructions

    You have also run an outdated version of HijackThis> Logfile of HijackThis v1.99.1
    The current version will be found on the reference above in Step 7.

    Please disable the Spybot Teatimer before scanning:
    You can re-open the current HiJackThis and scan. *Check* the boxes next to all the entries listed below:
    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot.

    Now proceed with running the malware cleaning programs outlined in the Steps.
    When through attach all three logs. You will run HijackThis again after the other two programs.

    Be sure you download this and run the current HijackThis v2.0.2 HERE

    See How to post your Hijackthis log-file as an ATTACHMENT
  3. smopey

    smopey TS Rookie Topic Starter

    I'm having trouble getting rid of the virus. I got rid of all the HijackThis entries, but my computer freezes every time I try to run a malware program, or every time the screensaver comes on. It's not letting me go online either (I'm using a different computer now). Should I turn the TeaTimer back on now?
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Disable the screen saver.
    TeaTimer isn't going to do you much good at this point. The malware is already on the system.

    1. Do you have Malwarebytes and SuperAntispyware installed on the problem computer?
    2. If so, try booting into Safe Mode and running the programs.
    To get into the Windows XP Safe mode, as the computer is booting- right after the logo loads, before Windows starts to load, tap the "F8 key" continuously until you get the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode" and press your Enter key.

    The basic Safe Mode option is usually what most users will want to choose when troubleshooting their computer. This is the most basic Safe Mode option and has no additional support.

    If you can use Normal mode, but the internet doesn't work, use another machine and removable media such as USB stick drive or CDR to transport tools to, and logs from, the infected machine.

    It would be helpful to have some background on the malware infection and what you did previously to try and remove it.
  5. adweston

    adweston Banned Posts: 242

    Combofix will shred virtumundo in minutes (along with a zillion other pains in the tush). Read the tutorial and download it here.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Since he can't get on the internet, he probably won't be reading 'tutorials'.

    And telling someone to use ComboFix without any knowledge of what they have on their system is just plain very bad advice!

    I have requested this:
    We have only the user's comment: no logs showing this, no information on how he thinks he knows he has this malware. Even what was seen in the first HijackThis log doesn't give enough information.

    So don't tell someone to go to war with a cannon when a pistol might be enough!
  7. adweston

    adweston Banned Posts: 242

    Maybe, until the OP realizes that the Winlogon entries you told him to check and delete will not be deleted by HJT because it can't unless the file itself no longer exists. Winlogon entries, and files, are protected and cannot be deleted in Safe Mode or Normal Mode (this includes using tools like Killbox). The only thing that will get rid of them easily is combofix (and even then a couple of them combofix can't tackle, in which case they have to be deleted from the recovery console or an XP live CD). The reason Combofix can get them is because it reboots the computer and prevents the .dlls from being called while it zaps them.

    Oh, then there's the AppInit_DLLs... And....
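The post above names two privileged load points, Winlogon notification packages and AppInit_DLLs, and explains why ordinary tools struggle with DLLs registered there. The script below is an added example written for this page, not code from the thread or from any of the tools it mentions. It enumerates both load points on a Windows XP machine (Winlogon notification packages were dropped in later Windows versions) and reports whether each referenced DLL exists on disk and what publisher its version information names. It assumes Windows PowerShell is installed (a separate download on XP) and that the shell can read HKLM; the "Review" column is a heuristic, not a verdict.

```powershell
# Added example, not code from the thread: enumerate the two load points discussed above
# on Windows XP and report what each referenced DLL looks like on disk.
# Assumes Windows PowerShell is installed and HKLM is readable from this shell.

$notifyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$windowsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$system32   = Join-Path $env:SystemRoot 'system32'

function Get-LoadPointEntry {
    param([string]$LoadPoint, [string]$Dll)
    # Winlogon and the AppInit loader resolve bare file names against system32.
    if ($Dll -and -not [System.IO.Path]::IsPathRooted($Dll)) { $Dll = Join-Path $system32 $Dll }
    $exists  = $false
    $company = ''
    if ($Dll -and (Test-Path -LiteralPath $Dll)) {
        $exists  = $true
        # Microsoft's own notification packages carry version info; many droppers do not.
        $company = [string][System.Diagnostics.FileVersionInfo]::GetVersionInfo($Dll).CompanyName
    }
    New-Object PSObject -Property @{
        LoadPoint = $LoadPoint
        Dll       = $Dll
        Exists    = $exists
        Company   = $company
        # Heuristic only: an unknown publisher at a privileged load point deserves a closer look.
        Review    = ($exists -and ($company -notlike 'Microsoft*'))
    }
}

function Get-WinlogonNotifyPackages {
    # Each subkey under Notify is one notification package; its DLLName value is the library.
    if (-not (Test-Path $notifyKey)) { return }
    foreach ($sub in Get-ChildItem -Path $notifyKey) {
        $dll = (Get-ItemProperty -Path $sub.PSPath).DLLName
        Get-LoadPointEntry -LoadPoint ('Winlogon\Notify\' + $sub.PSChildName) -Dll $dll
    }
}

function Get-AppInitDlls {
    # AppInit_DLLs is a single REG_SZ holding zero or more names separated by commas or
    # spaces; each one is loaded into every process that loads user32.dll.
    $raw = (Get-ItemProperty -Path $windowsKey).AppInit_DLLs
    if (-not $raw) { return }
    foreach ($name in [regex]::Split($raw.Trim(), '[,\s]+')) {
        if ($name) { Get-LoadPointEntry -LoadPoint 'AppInit_DLLs' -Dll $name }
    }
}

@(Get-WinlogonNotifyPackages) + @(Get-AppInitDlls) |
    Format-Table LoadPoint, Dll, Exists, Company, Review -AutoSize
```

Run it from a normal session and again from Safe Mode and compare: an entry whose DLL is present but names no publisher, or one whose file cannot be opened in Normal mode, is the kind of item HijackThis lists as O20. A "Review" hit is not proof of infection; the end of this thread shows a legitimate security product (SuperAntiSpyware) registering its own O20 entry, so a non-Microsoft publisher that matches software you installed is expected.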
  8. smopey

    smopey TS Rookie Topic Starter

    I have SuperAntiSpyware on the computer now. I'll try running it in Safe Mode and see if that helps.

    I ran Ad-Aware, Spybot Search & Destroy, CCleaner, SuperAntiSpyware, and AVG Antivirus... nothing has worked so far!
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Are the programs finding anything?
    What is being done with the entries?

    Do you have logs for us?
  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    The HijackThis Log must be viewed first
    Plus the Malwarebytes and SuperAntiSpyware logs need to be attached
    Before deciding on best action

    ComboFix and its use have already been discussed: it is not to be used until deemed necessary.
  11. momok

    momok TS Rookie Posts: 2,265

    If several of the standard programs fail, ComboFix should be used, as it tends to reveal some insights on the user's computer. Do not hesitate over using it just because another user had over-advocated its use; it is still a very powerful and helpful tool.
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    smopey, please post your logs and I will help with the malware removal. If the logs show the need for additional programs we will run them.

    Please disregard the non-related posts on this thread.
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    We require following the 8 Step Virus and Malware Removal Process set up by TechSpot BEFORE other programs are suggested.

    Please follow this:

    ignys, I have come behind you on three threads clarifying this issue for the member. Please refrain from this recommendation at this time. I have reported you- again.
  14. smopey

    smopey TS Rookie Topic Starter

    I scanned the computer in Safe Mode and it seemed to get rid of the virus, but once I went back into Normal mode the problems continued. Here's my HJT log. Thanks again!
  15. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You are running two antivirus programs: AVG and Symantec.
    Decide which you want to keep and remove the other. For now, don't do anything about Avira-
    You have been asked multiple times to follow the 8 steps and to include the Malwarebytes and SuperAntiSpyware logs with the HijackThis logs. See my post #4 if you need directions.

    Your HijackThis log has numerous entries to be removed. But running the other two programs first will handle most of them.
  17. smopey

    smopey TS Rookie Topic Starter

    I can't post any other logs besides HJT. Every time I scan the computer, with any program, the scan stops halfway and never finishes.
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, handle this:
    Then, per Post #4:
    Please re-open HiJackThis> click on System Scan Only and scan. Check the boxes next to all the entries listed below.
    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into Safe Mode.
    Try and complete the scans while in Safe Mode, then attach the logs.

    When through, rescan with HijackThis and include new log.
    IF you can include any of the logs from all the security programs you said you ran, that would be helpful.
  19. smopey

    smopey TS Rookie Topic Starter

    OK, I'll try that and post whatever logs I can get. Whenever I scan the computer in Safe Mode, everything comes back clean, but I notice it's not scanning the same amount of files it would have scanned in Normal mode. Then once I get back into Normal mode, all the same problems are back!
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Check the Device Manager to see if there are any errors.

    Control Panel> System> Hardware tab> Device Manager> Look for a yellow triangle with black exclamation point meaning error with a driver. Expand each section if needed. The problem indicates strongly that there is a driver problem since you're okay in Safe Mode but not in Normal Mode.
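The Device Manager check above looks for the yellow exclamation mark by hand. The script below is an added example for this page, not code from the thread, that pulls the same information from WMI: every Plug and Play device whose ConfigManagerErrorCode is non-zero, with the documented meaning of the common codes and the driver service behind the device, which is what Safe Mode would skip loading. It assumes Windows PowerShell is installed on the XP machine; the table of code meanings is a subset of the documented Win32_PnPEntity values.

```powershell
# Added example, not code from the thread: list devices Device Manager would flag with a
# yellow exclamation mark, using the same data Device Manager reads through WMI.
# Assumes Windows PowerShell is installed on the machine being checked.

function Get-DeviceErrors {
    # Subset of the documented Win32_PnPEntity ConfigManagerErrorCode meanings.
    $codes = @{
        1  = 'not configured correctly'
        3  = 'driver corrupted or system low on memory'
        10 = 'cannot start'
        12 = 'cannot find enough free resources'
        14 = 'cannot work until the computer restarts'
        18 = 'reinstall the drivers'
        19 = 'registry might be corrupted'
        22 = 'disabled'
        24 = 'not present, not working, or drivers missing'
        28 = 'drivers not installed'
        31 = 'cannot load the required drivers'
        39 = 'driver corrupted or missing'
        43 = 'stopped because it reported problems'
    }
    # WQL filter: only devices that are in an error state.
    Get-WmiObject -Class Win32_PnPEntity -Filter 'ConfigManagerErrorCode <> 0' | ForEach-Object {
        $code = [int]$_.ConfigManagerErrorCode
        $desc = $codes[$code]
        if (-not $desc) { $desc = 'see documented code list' }
        New-Object PSObject -Property @{
            Device   = $_.Name
            DeviceID = $_.DeviceID
            Code     = $code
            Problem  = $desc
            Service  = $_.Service   # driver service name; Safe Mode loads only a minimal set of these
        }
    }
}

Get-DeviceErrors | Format-Table Device, Code, Problem, Service -AutoSize
```

A device that shows an error here but works in Safe Mode points at its driver service rather than at the hardware; the Service column is the name to look up under the Services registry key or in the driver's own uninstall instructions. An empty result means Device Manager would show no errors and the Normal-mode freezes are more likely a software load point than a driver.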
  21. smopey

    smopey TS Rookie Topic Starter

    Alright, the computer seems to be working much better... I'm actually using it right now. I attached all three logs... hopefully this did the trick!
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay then! Let's stop the tracking cookie. You have one that is particularly persistent. Otherwise, the logs are clean.

    Reset Cookies:
    Then click on the Security tab> Trusted Sites> Sites> highlight and remove ad.yieldmanage if there> Apply> OK.
    Then Security> Restricted Sites> Sites> type in *.ad.yieldmanage then Add> Apply> OK

    Update Adobe:
    You can remove the cleaning tools now:
    Download OTCleanIt HERE & save it to your desktop.
    This will remove the O20 entry in HijackThis.

    Clear your existing System Restore points and establish a new clean restore point:
    Please let me know if I can be of further help.
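The Trusted Sites and Restricted Sites steps above edit the per-user Internet Explorer zone map, which lives in the registry. The script below is an added example for this page, not code from the thread: it lists every zone assignment for the current user so that anything sitting in the Trusted zone that the user did not add can be spotted, and it moves a domain into the Restricted zone the same way the Security tab does. It assumes Windows PowerShell and the documented zone numbering (1 Intranet, 2 Trusted, 3 Internet, 4 Restricted); the domain at the bottom is a constructed placeholder, not the ad host from the thread.

```powershell
# Added example, not code from the thread: audit the current user's Internet Explorer zone
# map and move a domain into the Restricted sites zone by registry.
# Assumes Windows PowerShell; the domain used at the bottom is a constructed placeholder.

$zoneMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$zoneNames = @{ 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Get-IEZoneAssignments {
    # Layout: Domains\<domain>[\<host>] with one value per scheme ('http', 'https' or '*')
    # whose DWORD data is the zone number. IE displays a bare domain key as '*.domain'.
    if (-not (Test-Path $zoneMap)) { return }
    foreach ($key in Get-ChildItem -Path $zoneMap -Recurse) {
        $parts = $key.Name.Substring($key.Name.IndexOf('Domains\') + 8).Split('\')
        $pattern = if ($parts.Length -gt 1) { $parts[1] + '.' + $parts[0] } else { '*.' + $parts[0] }
        foreach ($scheme in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($scheme)
            New-Object PSObject -Property @{
                Site   = $pattern
                Scheme = $scheme
                Zone   = $zone
                Name   = $zoneNames[$zone]
            }
        }
    }
}

function Set-IEZone {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [string]$HostPrefix = '',
        [int]$Zone = 4          # 4 = Restricted sites
    )
    $keyPath = Join-Path $zoneMap $Domain
    if ($HostPrefix) { $keyPath = Join-Path $keyPath $HostPrefix }
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    # A value named '*' covers every scheme; the DWORD data is the zone number.
    New-ItemProperty -Path $keyPath -Name '*' -Value $Zone -PropertyType DWord -Force | Out-Null
}

function Remove-IEZoneEntry {
    # Equivalent of highlighting the entry on the Sites dialog and clicking Remove.
    param([Parameter(Mandatory = $true)][string]$Domain, [string]$HostPrefix = '')
    $keyPath = Join-Path $zoneMap $Domain
    if ($HostPrefix) { $keyPath = Join-Path $keyPath $HostPrefix }
    if (Test-Path $keyPath) { Remove-Item -Path $keyPath -Recurse }
}

# Anything in the Trusted zone (2) that the user did not add is worth a look.
Get-IEZoneAssignments | Where-Object { $_.Zone -eq 2 } | Format-Table Site, Scheme, Name -AutoSize

# Constructed placeholder domain: substitute the host named in the post above.
Set-IEZone -Domain 'adnetwork.example' -HostPrefix 'ad' -Zone 4
```

The audit matters as much as the block: a domain placed in the Trusted zone by malware weakens IE's security settings for that site, which is why the post above removes the entry from Trusted Sites before adding it to Restricted Sites. Changes apply to the current user's hive only, so repeat the check for each account on the machine.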
  23. smopey

    smopey TS Rookie Topic Starter

    Thank you so much!! One thing... the O20 entry you were talking about... it's still coming up in my HJT log.
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Are you referring to this?
    Did you uninstall SuperAntispyware? Does another process show?