Vitrumonde Infection

Majubo87

I just got my Acer laptop back from an Acer repair shop about a week ago (it had a hardware failure and the motherboard and hard drive were replaced). Well, within this week period I managed to get this horrid thing on my computer. I've never had any problems removing anything before this, and I've tried a few fixes that are on the net, such as running the laptop in safe mode and scanning with Spyware Doctor, Spybot Search & Destroy, SUPERAntiSpyware, and VundoFix. To no avail; it is still on my machine, just not noticeable like it previously was. Spybot catches variations of it every time it runs, and when I did the pre-scans that y'all ask for, Malwarebytes picked it up too.

I've pretty much given up on doing this myself, and could use some help from y'all.

~Matt
 

Attachments

  • hijackthis 2-7-10.txt
  • mbam-log-2010-02-07 (00-33-58).txt
  • SUPERAntiSpyware Scan Log - 02-07-2010 - 01-12-51.log

1. O2 - BHO: (no name) - {79f4b1e2-622d-407d-ac33-8fd3216a34c1} - gujipeku.dll (file missing) <== Virtumonde entry;
2. O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll <== ACTIVETOOLBAND.DLL is Trojan/Backdoor.
Kill the file ACTIVETOOLBAND.DLL and remove ACTIVETOOLBAND.DLL from Windows startup.
3. O4 - Global Startup: Acer VCM.lnk = ?
4. O4 - Global Startup: Bluetooth.lnk = ?
5. O4 - Global Startup: Empowering Technology Launcher.lnk = ?; all of these links are broken so getting rid of them will be appropriate.
6. O20 - AppInit_DLLs: yeyivufu.dll c:\windows\system32\gokukizi.dll <== (Trojan.Vundo.H)

MBAM:
1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) <== infected key, probably by Virtumonde
Files Infected:
C:\Windows\System32\bazujege.dll (Trojan.Vundo.H) -> No action taken.
C:\Windows\System32\peyuwuwu.dll (Trojan.Vundo.H) -> No action taken.
C:\Windows\System32\takefibi.dll (Trojan.Vundo.H) -> No action taken.
C:\Windows\System32\vufayigu.dll (Trojan.Vundo.H) -> No action taken.

Re-run HijackThis; once it is done scanning, check the above listed entries and click on Fix Checked.

Also re-run mbam and let it clean out all the infections it found.

Then repost your logs again; once we are sure that your system is clean, we will then have to ensure that all infected restore points are discarded and create a new, cleaner one.
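As an added example, not code from the thread or from HijackThis/MBAM: a small Python triage script that applies the same checks the helper made by hand (orphaned or nameless O2 BHOs, broken O4 shortcuts, a populated O20 AppInit_DLLs line, the ActiveToolBand.dll name, and Vundo's random eight-letter DLL names) to the log lines quoted above. The two benign entries, the placeholder CLSID and paths, and the eight-letter heuristic are my own constructions.

```python
import re

# Constructed sample: the suspicious HijackThis lines quoted in the thread,
# plus two made-up benign entries (placeholder CLSID and paths) that a
# sensible filter must leave alone.
SAMPLE_HJT = """\
O2 - BHO: (no name) - {79f4b1e2-622d-407d-ac33-8fd3216a34c1} - gujipeku.dll (file missing)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\\Windows\\system32\\ActiveToolBand.dll
O2 - BHO: Example Benign Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
O4 - Global Startup: Acer VCM.lnk = ?
O4 - HKLM\\..\\Run: [ExampleTray] C:\\Program Files\\Example\\tray.exe
O20 - AppInit_DLLs: yeyivufu.dll c:\\windows\\system32\\gokukizi.dll
"""

# File the helper in the thread identified as a Trojan/Backdoor.
KNOWN_BAD = {"activetoolband.dll"}

# Vundo/Virtumonde drops DLLs with random eight-letter lowercase names
# (gujipeku.dll, bazujege.dll, ...); this heuristic catches that pattern.
RANDOM_DLL = re.compile(r"\b[a-z]{8}\.dll\b")
ANY_DLL = re.compile(r"([A-Za-z0-9_]+\.dll)")

def triage(log_text):
    """Return (entry, reason) pairs for HijackThis lines worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        if line.startswith("O2 - BHO:"):
            if "(file missing)" in line:
                reasons.append("orphaned BHO (file missing)")
            if "(no name)" in line:
                reasons.append("BHO with no name")
        elif line.startswith("O4 - Global Startup:") and line.endswith("= ?"):
            reasons.append("broken startup shortcut")
        elif line.startswith("O20 - AppInit_DLLs:"):
            # AppInit_DLLs loads into every process linking user32.dll; it is
            # almost never legitimately populated, so any value is a red flag.
            if line.split(":", 1)[1].strip():
                reasons.append("AppInit_DLLs populated")
        if any(m.lower() in KNOWN_BAD for m in ANY_DLL.findall(line)):
            reasons.append("DLL named as malicious in the thread")
        if RANDOM_DLL.search(line):
            reasons.append("random eight-letter DLL name")
        findings.extend((line, why) for why in reasons)
    return findings

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_HJT):
        print(f"{why:40s} <- {entry}")
```

The script only highlights entries for a human to review; it does not modify the system, and a clean pass does not prove the machine is clean.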
 
Ok, I ran the sweeps and it seems that everything is removed.

Here are the new logs.
 

Attachments

  • 2 hijackthis 2-7-10.txt
  • 2 mbam-log-2010-02-07 (11-48-03).txt

Well, as far as I understand, there is nothing suspicious in these logs anymore. :)

Now we need to complete this whole process by getting rid of your older/infected restore points and creating a new, cleaner one. Here is the process:

i. Go to Start > All Programs > Accessories > System Tools and click "System Restore".
ii. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
iii. Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
iv. Click "OK" to select the partition or drive you want (probably C:\, as it is the OS partition in most cases).
v. Click the "More Options" Tab.
vi. Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Good luck and safe computing.
 
One more thing: I think you'll be better off dumping Norton altogether and using Avira or Avast for an AV solution, and Comodo or Outpost for a firewall (both have free versions which are pretty cool).
 
Thank you for all the help. Seems like everything is fixed and back to normal.

I was planning on removing Norton from the computer, just hadn't had time yet since I just got it back. Today when I went to remove it, it tells me I don't have access to a HKEY to perform the removal. I was using the Windows Add/Remove Programs feature. I'm going to play around with it a bit more. If you have any ideas of how to help with that, I'd appreciate it.

Again, thanks for the help

~Matt
 
Yes I am, I only have that one user account on the machine. I found a website that shows how to do it manually, but I'll have to do that later today or tomorrow unless you can think of anything else. I'm wondering if the virus did something to block its use, because Norton won't open either.
 
Matt, if you're still around, it's a good idea to run an online virus scan to make sure nothing was missed:
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Follow with new HJT scan.

If the Eset log is clean and HJT has no more entries that need removing, you can remove the cleaning tools:
Remove all of the tools we used and the files and folders they created
  • Download OTCleanIt by OldTimer
  • Save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

I'd like to check the 2 logs first.
 
Thank you for the help archean and bobby. I think archean's approach removed everything. I ran the online scanner and it didn't pick up anything. I did a new HijackThis scan, and I don't think I saw anything bad in it, then again I'm not that good at that - that's pretty much why I came here in the first place lol.
 

Attachments

  • hijackthis 2-16-10.txt

HijackThis log is clean. Go ahead and remove the cleaning tools and old restore points.
 
I'll add a couple more things:

1. Be a bit more diligent about what media you stick into your computer's USB ports and what sites you visit.
2. Keep your Anti-Virus and Firewall updated.

If you do so, I am sure you won't be facing any such problems in the future.

Good luck, and let me know if you need any further advice. Regards.
 
Thanks for all the help. I'll be honest this is the first true virus I've had to really deal with. I've had a few trojans here and there over the past ten years, but nothing like this. I'm assuming I got the infection when I was searching for and installing old programs and removing some that acer had put onto the computer when they replaced the dead hard drive. I was also doing research for a college class in the middle of that stuff so that could have been the cause too.

All is well now and I'm using the free anti-virus and firewall you suggested. I had been paying for McAfee and, after reading up on Avast and Comodo, decided to give them a try.

thanks again,
Matt
 