

Virtumonde Virus. Need help

  #1  
Old 12-03-2008
Newcomer, in training
 
Member since: Dec 2008, 4 posts
Virtumonde Virus. Need help

Hi Guys,

I'm new to this site and need some help with the virtumonde virus. I just did the "UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions" by Julio and have attached the txt/log with this post. I only attached 2 (one .txt from Malwarebytes and a log from Hijackthis) because nothing came back on the SuperAntiSpyware scan.

I'm wondering if I finally got rid of the virus 100%. I did a scan with Spybot and the Virtumonde did not show up, but during the last few minutes of the scan I noticed that Spybot was scanning files in "Virtumonde.dll", "Virtumonde.sci" and "Virtumonde.sdn".

Any advice for me on how to check if I got rid of the Virus would be awesome.

Thanks,

~Alex~
Attached Files
File Type: log hijackthis.log (8.7 KB, 3 views)
File Type: txt mbam-log-2008-12-03 (13-26-05).txt (1.1 KB, 3 views)
  #2  
Old 12-04-2008
SpiritWind
TechSpot Member
 
Location: Southern Calif
Member since: Jul 2008, 164 posts
Vundofix

Hi :

As a Precaution, I recommend you run a scan from the FREE VundoFix,
available at http://vundofix.atribune.org/ .
  #3  
Old 12-04-2008
Newcomer, in training
 
Member since: Dec 2008, 4 posts
SpiritWind,

I ran VundoFix and nothing came back on the scan.

One of my close friends gave me this advice: "Virtumonde is a known ad program that spawns popup ads. However, don't worry about seeing those popups in Spybot - all it's doing is listing what it's -looking- for, not what it's found. It'll list its findings AFTER it's done with the scan."

Nothing has been coming up in my scans. I think I'm ok?
  #4  
Old 12-05-2008
TechSpot Booster
 
Location: Illinois, USA
Member since: Feb 2007, 905 posts
Quote:
Originally Posted by Asianagentalex
.....
Any advice for me on how to check if I got rid of the Virus would be awesome.
Thanks, ~Alex~
Successive scans are used to uncover additional infections, since masking is common with many infestations. When a tool reports something it cannot clean, that's when the strategy calls for a stronger scanner.

  • Update both MBAM & SAS. Rerun them both.

  • This effort is complete when logs report NO infections/threats, or report something they cannot clean.
    • Typically extra repeat scans are not needed.

Since the scan with VundoFix came back clean, the steps above should be a confirming 'clean'.

Optional if symptoms are still present
  • Scan with HJT.

  • Post logs. Report progress & what changes are observed. Include logs that found infections.
  #5  
Old 12-06-2008
Newcomer, in training
 
Member since: Dec 2008, 4 posts
Took your advice and 1 infection was detected with SAS:

Adware.Vundo Variant
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad# SSODL

and 2 were detected with MBAM:

Trojan.Vundo.H
Trojan.BHO

I have attached the findings as well as the HJT log.

I get an error message every time my computer starts up (this module could not be found):

"Error Loading c:\windows\system32\vogujesi.dll"

Any advice from here?
Attached Files
File Type: log hijackthis.log (9.6 KB, 1 views)
File Type: txt mbam-log-2008-12-06 (10-42-16).txt (1.1 KB, 1 views)
File Type: log SUPERAntiSpyware Scan Log - 12-06-2008 - 10-48-13.log (572 Bytes, 1 views)

Last edited by kimsland; 12-07-2008 at 06:24 PM. Reason: no need to quote the entire previous reply
  #6  
Old 12-06-2008
TechSpot Booster
 
Location: Illinois, USA
Member since: Feb 2007, 905 posts
Most surprising! Somewhat perplexing.

Overview of next steps
  1. Uninstall old versions of ComboFix – if used previously
  2. Download ComboFix
  3. Disconnect from local network (router / modem).
  4. Turn off all Internet security programs, including FW, AV, AS
  5. 2 runs of combofix. Each run followed with a restart.
  6. Turn on appropriate Internet Security programs.
  7. Protect from contamination
    • Disconnect all other computers from router / modem (local network)
    • Power cycle router / modem
    • Power cycle infected computer.
  8. Attach only infected computer to local network.
  9. Reply with logs.
  10. Restore other computers to the local network.
Details -
  1. Uninstall old versions of ComboFix
    Quote:
    Originally Posted by Blind Dragon
  2. Download ComboFix
  3. Disconnect infected computer from local network (router / modem).

  4. Turn off all Internet security programs, including FW, AV, AS
    • SpybotSD TeaTimer
    • Avira\AntiVir
    • avast! Antivirus
    • COMODO Firewall

  5. 2 runs of combofix
    • Follow ComboFix instructions referenced before.

    • Examine the last few lines in the log for ‘Completion time:’ … ‘machine was rebooted’

    • Restart the computer, if the first run of ComboFix did not conclude with ‘reboot’.

    • Repeat ComboFix.

    • Restart the computer

    • Scan with HJT. (part of instructions for ComboFix)

  6. Turn on appropriate Internet Security programs.
    • Choose only one antivirus program

  7. Protect from contamination of unknown origin. This is where I grasp at straws. Folklore…
    I offer some consideration of the folklore. Power cycle (POC) of the router is different than the ‘hard reset’ using the microswitch somewhere on the router. The latter technique forces factory defaults & is a guaranteed cleaning. POC cleans volatile memory on the router. Once the exploits alter router settings, the hard reset is indicated. Passwords assigned by the user are better than leaving it defaulted.
    Skip this if it is not practical.
    • Disconnect all computers from the router (local network).
    • Power cycle the router (remove power, restore power).
    • Power cycle the infected computer.

  8. Attach only infected computer to local network.

  9. Reply with logs.

  10. Restore other computers to the local network.
  #7  
Old 12-07-2008
Newcomer, in training
 
Member since: Dec 2008, 4 posts
Downloaded ComboFix and did all the steps. I attached the log from ComboFix and a new scan from HJT.

Please let me know where to go from here.

Thx
Attached Files
File Type: txt ComboFix log.txt (14.9 KB, 1 views)
File Type: log hijackthis.log (8.6 KB, 2 views)
  #8  
Old 12-08-2008
TechSpot Booster
 
Location: Illinois, USA
Member since: Feb 2007, 905 posts
Asianagentalex,
I think it’s time for another specialist to look at this problem. ComboFix and VundoFix agree with each other, but disagree with MBAM & SAS.

Is your computer free of symptoms that you’ve observed? Are any of the protection programs loaded on your computer now complaining of anything?

I have used ComboFix to decide things in the past. If you have no findings of an infection, other than MBAM & SAS, then I would not pursue this further.

Please advise.


Quote:
Recap symptoms & progress
… help with the virtumonde virus…I'm wondering if I finally got rid of the virus 100%. … scan with Spybot and the Virtumonde …Spybot was scanning files in "Virtumonde.dll", Virtumonde.sci" and Virtumonde.sdn"….Any advice for me on how to check if I got rid of the Virus would be awesome.

I ran VundoFix and nothing came back on the scan….. Nothing has been coming up in my scans. I think I'm ok?

SAS: Adware.Vundo Variant
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad# SSODL

MBAM: Registry Values Infected: >> same as initial log
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm6384787f (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

"Error Loading c:\windows\system32\vogujesi.dll"


Please let me know where to go from here


Latest combofix log >> restored
"CPM6384787f"="c:\windows\system32\vogujesi.dll" [BU]

Latest HJT >> restored
O2 - BHO: (no name) - {ce8f80c0-2435-48e8-b947-8e5d012aeb52} - (no file)
O4 - HKLM\..\Run: [CPM6384787f] Rundll32.exe "c:\windows\system32\vogujesi.dll",a
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
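As an added example (not code from this thread or from any of the tools named in it), a small Python checker that applies the reasoning of the recap above to HijackThis log lines: it flags O2/O21 entries whose CLSID points at no file (the dangling registrations left after MBAM/SAS deleted the DLL) and O4 Run entries that start Rundll32 on a DLL in system32 at logon, which is how the restored `CPM6384787f` value launched `vogujesi.dll`. The sample log is constructed from the three lines quoted in this post plus one made-up benign Run entry.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the HJT lines quoted in post #8, plus one benign
# (made-up) O4 entry to show that ordinary autostart entries are not flagged.
SAMPLE_HJT_LOG = """\
O2 - BHO: (no name) - {ce8f80c0-2435-48e8-b947-8e5d012aeb52} - (no file)
O4 - HKLM\\..\\Run: [CPM6384787f] Rundll32.exe "c:\\windows\\system32\\vogujesi.dll",a
O4 - HKLM\\..\\Run: [avgnt] "c:\\program files\\avira\\antivir desktop\\avgnt.exe" /min
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O4"
    reason: str    # why the line is suspicious
    line: str      # the original log line


def review_hjt_log(text: str) -> List[Finding]:
    """Return the HJT entries that match the Vundo persistence pattern in this thread."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section in ("O2", "O21") and body.endswith("(no file)"):
            # BHO / ShellServiceObjectDelayLoad registration whose DLL is gone:
            # harmless on its own, but it is the trace the scanners keep reporting.
            findings.append(Finding(section, "dangling CLSID registration, backing file missing", line))
        elif section == "O4":
            hit = RUNDLL_RE.search(body)
            if hit and "\\system32\\" in hit.group(1).lower():
                # Run value that loads a DLL from system32 via Rundll32 at every logon.
                findings.append(Finding(section, f"Rundll32 loads {hit.group(1)} at logon", line))
    return findings


if __name__ == "__main__":
    for f in review_hjt_log(SAMPLE_HJT_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```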