also @ TechSpot: EU, US approve Google's $12.5 billion buyout of Motorola Mobility
Welcome to the TechSpot OpenBoards. Please read the FAQ if you have any questions. Sign up or Login to participate.
Go Back   TechSpot OpenBoards > Tech Support > Virus and Malware Removal
Reload this Page Been wrestling with this: Virtumonde & sagipsul

Collaborate in the cloud with Office, Exchange, SharePoint, and Lync

Been wrestling with this: Virtumonde & sagipsul
Thread Tools Search this Thread
  #1  
Old 01-04-2009
Newcomer, in training
  
Member since: Jan 2009, 3 posts
Been wrestling with this: Virtumonde & sagipsul
I noticed something amiss when Security Center would not enable. Then, if I tried to go out to McAfee, Norton, or any other virus product site, my browser wouldn't go there. Other behavior made me suspicious. So, after hours of researching and working on the problem, I've found and followed the suggested 8-step program leading to the attached (combined) logfiles. Please note, all three logfiles are in the attached file.

I don't know if I'm clean yet, but want somebody with a trained eye to tell me if things are back on track.

Thanks in advance!

(Oh, and I had some rootkit installed that was found and removed using Avenger. After that, other efforts began to uncover malware. )
Attached Files
File Type: txt Malware Reports 090104.txt (15.5 KB, 2 views)
Last edited by tlfromva; 01-04-2009 at 04:42 PM..
  #2  
Old 01-04-2009
TechSpot Addict
  
Location: Illinois, USA
Member since: Feb 2007, 931 posts
System specs
Code:
C:\WINDOWS\system32\lgoxtu.dll (Trojan.Vundo) -> Delete on reboot.
MBAB did not handle all that it found until the computer restart.

Rescan with MBAB & SAS (run as pairs) until clean or something that cannot be cleaned.

HJT scan informs what has not been handled (computer restart before HJT scan)

Caught by HJT.
Code:
O20 - AppInit_DLLs: ……. lgoxtu.dll
It appears that the infection is mostly handled. Following clean scans establish a clean restore point.

Establish a new clean restore point and Clear your existing System Restore points:
  • New
    • Go to Start > All Programs > Accessories > System Tools > System Restore>
    • Select Create a restore point> OK.
  • Clear Old
    • go to Start > Run > cleanmgr > Select the More options tab >
    • Choose the option to clean up System Restore > OK
      • This will remove all restore points except the new one you just created.
  #3  
Old 01-06-2009
Newcomer, in training
  
Member since: Jan 2009, 3 posts
Thanks!
After reading this yesterday, I got two clean scans in a row and set a new restore point. Things look like they're operating pretty normally now. Thank you.

Should I continue to keep SAS installed and running? I'm also running Spybot S&D as well as NOD32.
  #4  
Old 01-06-2009
TechSpot Addict
  
Location: Illinois, USA
Member since: Feb 2007, 931 posts
System specs
Code:
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
This application can be setup NOT to run on startup. As freeware this is how they advertise. As freeware it only cleans on demand.

I scan with updated MBAB & SAS about once a month. So far they confirm my resident protections are working.

I think it is very risky not to use a firewall. Your experiences may indicate it is not needed.

I do not feel comfortable recommending particular applications.
  #5  
Old 01-06-2009
Newcomer, in training
  
Member since: Jan 2009, 3 posts
I firewall mostly at my router, actually. And recently fired up the one built in Windows.
Closed Thread

Similar Topics
Topic Replies Forum
Virtumonde 30 Virus and Malware Removal
Solution to sagipsul, virtumonde, etc. 0 Virus and Malware Removal
Virtumonde.dll please help 8 Virus and Malware Removal
Virtumonde? 6 Virus and Malware Removal
Wrestling with Vista64 Sound 3 Audio and Video

Thread Tools Search this Thread
Search this Thread:

Advanced Search
All times are GMT -4. The time now is 10:47 AM.