Virtumonde Virus. Need help

Status
Not open for further replies.
Hi Guys,

I'm new to this site and need some help with the virtumonde virus. I just did the "UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions" by Julio and have attached the txt/log with this post. I only attached 2 (one .txt from Malwarebytes and a log from Hijackthis) because nothing came back on the SuperAntiSpyware scan.

I'm wondering if I finally got rid of the virus 100%. I did a scan with Spybot and the Virtumonde did not show up but during the last few minutes of the scan I noticed that Spybot was scanning files in "Virtumonde.dll", "Virtumonde.sci" and "Virtumonde.sdn".

Any advice for me on how to check if I got rid of the Virus would be awesome.

Thanks,

~Alex~
 
SpiritWind,

I ran VundoFix and nothing came back on the scan. :eek:/

One of my close friends gave me this advice: "Virtumonde is a known ad program that spawns popup ads. However, don't worry about seeing those pop up in Spybot - all it's doing is listing what it's -looking- for, not what it's found. It'll list its findings AFTER it's done with the scan."

Nothing has been coming up in my scans. I think I'm ok?
 
.....
Any advice for me on how to check if I got rid of the Virus would be awesome.
Thanks, ~Alex~
Successive scans are used to uncover additional infections, since masking is common with many infestations. When a tool reports something it cannot clean, that's when the strategy calls for a stronger scanner.


  • Update both MBAM & SAS. Rerun them both.

  • This effort is complete when logs report NO infections/threats, or report something they cannot clean.
    • Typically extra repeat scans are not needed.

Since the scan with VundoFix came back clean, the steps above should be a confirming 'clean'.

Optional if symptoms are still present
  • Scan with HJT.

  • Post logs. Report progress & what changes are observed. Include logs that found infections.
 
Took your advice and 1 infection was detected with SAS:

Adware.Vundo Variant
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#SSODL


and 2 were detected with MBAM:

Trojan.Vundo.H
Trojan.BHO


I have attached the findings as well as the HJT log.

I get an error message every time my computer starts up (this module could not be found):

"Error Loading c:\windows\system32\vogujesi.dll"

Any advice from here?
 
Most surprising! Somewhat perplexing.

Overview of next steps
  1. Uninstall old versions of ComboFix – if used previously
  2. Download ComboFix
  3. Disconnect from local network (router / modem).
  4. Turn off all Internet security programs, including FW, AV, AS
  5. 2 runs of ComboFix. Each run followed by a restart.
  6. Turn on appropriate Internet Security programs.
  7. Protect from contamination
    • Disconnect all other computers from router / modem (local network)
    • Power cycle router / modem
    • Power cycle infected computer.
  8. Attach only infected computer to local network.
  9. Reply with logs.
  10. Restore other computers to the local network.
Details -
  1. Uninstall old versions of ComboFix
  2. Download ComboFix
  3. Disconnect infected computer from local network (router / modem).

  4. Turn off all Internet security programs, including FW, AV, AS
    • SpybotSD TeaTimer
    • Avira\AntiVir
    • avast! Antivirus
    • COMODO Firewall

  5. 2 runs of combofix
    • Follow ComboFix instructions referenced before.

    • Examine the last few lines in the log for ‘Completion time:’ ……. ‘machine was rebooted’

    • Restart the computer, if the first run of ComboFix did not conclude with ‘reboot’.

    • Repeat ComboFix.

    • Restart the computer

    • Scan with HJT. (part of instructions for ComboFix)

  6. Turn on appropriate Internet Security programs.
    • Choose only one antivirus program

  7. Protect from contamination of unknown origin. This is where I grasp at straws. Folklore…
    I offer some consideration of the folklore. Power cycle (POC) of the router is different than the ‘hard reset’ using the microswitch somewhere on the router. The latter technique forces factory defaults & is a guaranteed cleaning. POC cleans volatile memory on the router. Once the exploits alter router settings, the hard reset is indicated. Passwords assigned by the user are better than leaving it defaulted.
    Skip this if it is not practical.
    • Disconnect all computers from the router (local network).
    • Power cycle the router (remove power, restore power).
    • Power cycle the infected computer.

  8. Attach only infected computer to local network.

  9. Reply with logs.

  10. Restore other computers to the local network.
 
Downloaded ComboFix and did all the steps. I attached the log from ComboFix and a new scan from HJT.

Please let me know where to go from here.

Thx
 
Asianagentalex,
I think it’s time for another specialist to look at this problem. ComboFix and VundoFix agree with each other, but disagree with MBAM & SAS.

Is your computer free of symptoms that you’ve observed? Are any of the protection programs loaded on your computer now complaining of anything?

I have used ComboFix to decide things in the past. If you have no findings of an infection, other than MBAM & SAS, then I would not pursue this further.

Please advise.


Recap symptoms & progress
… help with the virtumonde virus…I'm wondering if I finally got rid of the virus 100%. … scan with Spybot and the Virtumonde …Spybot was scanning files in "Virtumonde.dll", Virtumonde.sci" and Virtumonde.sdn"….Any advice for me on how to check if I got rid of the Virus would be awesome.

I ran VundoFix and nothing came back on the scan….. Nothing has been coming up in my scans. I think I'm ok?

SAS: Adware.Vundo Variant
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#SSODL

MBAM: Registry Values Infected: >> same as initial log
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm6384787f (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

"Error Loading c:\windows\system32\vogujesi.dll"


Please let me know where to go from here


Latest combofix log >> restored
"CPM6384787f"="c:\windows\system32\vogujesi.dll" [BU]

Latest HJT >> restored
O2 - BHO: (no name) - {ce8f80c0-2435-48e8-b947-8e5d012aeb52} - (no file)
O4 - HKLM\..\Run: [CPM6384787f] Rundll32.exe "c:\windows\system32\vogujesi.dll",a
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
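
Added example, not code from the thread or from any of the tools named in it. The three HJT lines above (O4, O21, O2) each map to a registry autostart location, and the startup error in this thread is what an orphaned O4 entry looks like: the Run value still points at c:\windows\system32\vogujesi.dll after the DLL is gone. The read-only PowerShell audit below enumerates those three locations and flags every entry whose target file is missing or whose CLSID has no InprocServer32 (HJT's "(no file)"). The key paths are the standard Windows ones; the function names and the column layout are this example's own choices, not anything the thread's tools output.

```powershell
# Added example, not code from the thread. Read-only audit of the three
# autostart locations the HJT lines above map to: O4 (Run values), O21
# (ShellServiceObjectDelayLoad) and O2 (Browser Helper Objects). An entry whose
# target file is missing is an orphaned loader, which is what produces
# "Error Loading c:\windows\system32\<name>.dll" at logon once a scanner removed
# the DLL but the registry value survived or was re-created. Run from an
# elevated PowerShell prompt; nothing is modified.

function Get-CommandTarget {
    # Return the file a Run command line really loads. For rundll32 lines that is
    # the DLL argument (e.g. "c:\windows\system32\x.dll",a), not rundll32.exe.
    param([string]$CommandLine)
    $c = $CommandLine.Trim()
    if ($c -match '^"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)') { $t = $Matches[1] }
    elseif ($c -match '^"([^"]+)"') { $t = $Matches[1] }
    else { $t = ($c -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($t.Trim())
}

function Resolve-ClsidServer {
    # Map a CLSID (the GUID HJT prints on O2/O21 lines) to its InprocServer32
    # file. $null means the class is not registered, i.e. HJT's "(no file)".
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = "$root\$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $v = (Get-Item -LiteralPath $key).GetValue('')   # '' = the (Default) value
            if ($v) { return [Environment]::ExpandEnvironmentVariables([string]$v) }
        }
    }
    return $null
}

function Test-FileExists {
    param([string]$Path)
    return (($Path -ne '') -and (Test-Path -LiteralPath $Path -PathType Leaf))
}

function New-Finding {
    param([string]$Location, [string]$Name, [string]$Target, [string]$Note = '')
    [pscustomobject]@{
        Location = $Location; Name = $Name; Target = $Target
        Exists   = Test-FileExists $Target; Note = $Note
    }
}

function Get-AutostartFindings {
    $out = New-Object System.Collections.Generic.List[object]

    # O4: Run values under HKLM and HKCU (plus the 32-bit view on 64-bit Windows).
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($rk in $runKeys) {
        if (-not (Test-Path -LiteralPath $rk)) { continue }
        $k = Get-Item -LiteralPath $rk
        foreach ($name in $k.GetValueNames()) {
            $cmd  = [string]$k.GetValue($name)
            $note = if ($cmd -match 'rundll32') { 'rundll32 loader' } else { '' }
            $out.Add((New-Finding "O4 $rk" $name (Get-CommandTarget $cmd) $note))
        }
    }

    # O21: ShellServiceObjectDelayLoad. Each value holds a CLSID that explorer.exe
    # instantiates at logon; the DLL behind it lives in the CLSID's InprocServer32.
    $ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    if (Test-Path -LiteralPath $ssodl) {
        $k = Get-Item -LiteralPath $ssodl
        foreach ($name in $k.GetValueNames()) {
            $clsid  = [string]$k.GetValue($name)
            $target = Resolve-ClsidServer $clsid
            $out.Add((New-Finding 'O21 SSODL' $name "$target" $clsid))
        }
    }

    # O2: Browser Helper Objects. Each subkey name is a CLSID that IE loads.
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path -LiteralPath $bho) {
        foreach ($sub in Get-ChildItem -LiteralPath $bho) {
            $clsid  = $sub.PSChildName
            $target = Resolve-ClsidServer $clsid
            $out.Add((New-Finding 'O2 BHO' $clsid "$target" $clsid))
        }
    }
    return $out
}

$all = Get-AutostartFindings
Write-Host "All autostart entries examined:"
$all | Format-Table Location, Name, Target, Exists, Note -AutoSize

Write-Host "Entries whose target file is missing or whose CLSID does not resolve (review these):"
$all | Where-Object { -not $_.Exists } | Format-Table Location, Name, Target, Note -AutoSize
```

On the machine in this thread the second table would show the `CPM6384787f` Run value with Target `c:\windows\system32\vogujesi.dll`, Exists `False` and Note `rundll32 loader`, the `SSODL` value with an empty Target and its CLSID in Note, and the nameless BHO the same way. Exists `False` by itself only says the loader is orphaned; deleting that value stops the "Error Loading" message. What matters for the question the thread is asking is the next reboot: if the same value, or one with a freshly named DLL, is present again, something still running re-created it, and that is a live infection rather than a leftover.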
 