Vundo?

[gt3911]

Vundo? (mod att: please move)

Hi all, I’d really appreciate a little help on this one.

Spybot is detecting:
Virtumonde.Dll: [SBI $92386332] Library (File, nothing done)
C:\WINDOWS\system32\zipfldr.dll

I tell it to remove it – it “looks” as if its done so, but upon a rescan it returns.

AVG runs clean.

CCleaner ran twice.

Malwarebytres runs clean.

Superantispyware runs clean.

VundoFix says its clean!

Logs attached

This all triggered, by noticing a link spamming an exe to 5 of my contact in a gmail account – I’d have presumed it used fake headers, but the actual email was in my sent box, and I definantly didn’t send it. So began scanning. This hasn’t happened since, only sent to 5 people. I have no other issues, no popups etc. Everything “feels” normal, and none of my other accounts have had any emails sent from them (including other gmail, hotmail, and outlook based addresses) The only issue is getting rid of whatever spybot is seeing.

Thanks all

 

[raybay]

Likely one of Spybot's fake infestations.
But, try one more. Remove AVG, and install either Avast or Avira free versions...
Then run in SAFE MODE, along with SuperAntiSpyware and MalwareBytes.

 

[gt3911]

Thanks I will try that.

Somehow I posted this in the wrong section. If a mod could move it to Virus & Malware removal - thanks

AVG not highly rated? anything in it between avast / avira?

 

[gt3911]

Just a bump really...

I cant PM a mod to move this, I'd really appreciate if someone could raise this to a mods attention so the post can be in the right place.

cheers

 

[Clinkzehffs]

Did you try removing it manually or by using Unlocker?

 

[gt3911]

Once spybot has removed it The file respawns under a diferent name upon reboot,

 

[Clinkzehffs]

hum, formatting seems the best way in this case, or maybe theres a fix on the internet for it, did you check?

 

[gt3911]

From my best guess the fix is vundofix which says it cant find it... Which seems a bit odd.

 

[Clinkzehffs]

Hmm, are you sure its not a fake alarm by Spybot? There have been many cases that Spybot was wrong.

 

[gt3911]

Nope - not certain at all. it could be. from what I've seen vundo seems to be popup related, and I dont have any popups.

However, the fact that the dll name changes after spybot 'removed' it, would suggest to me that something 'real' is chaning its 'own' name.

Nothing seems iffy in my logs?

 

[Clinkzehffs]

Well obviously, you got this casino popups stuff in your logs
Adware.Casino Games (Golden Palace Casino)
But you said you don't have any popups, still, try removing that Casino.exe thing and stuff as first thing to do.
And this ;
I:\Applications\VMware\VMware-workstation-6.0.0-45731&keygen\keygen.exe (Malware.Tool) -> No action taken.
Some keygens are considered as malware/virus since its illegal stuff and all, did you download that keygen and used it or you are not aware of it's existence? If you could clear this, it'd be helpful to understand what the case is.

The reason behind not having popups might be you using a popup blocker or something aswell, the malware might still exist but it might have been blocked by your blocker.

Btw you can try this tool aswell, its symantec's one
http://www.symantec.com/business/security_response/writeup.jsp?docid=2004-112210-3747-99 <- description
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixVundo.exe <- tool

 

[gt3911]

Many thanks. The casino trigger is part of online poker software I use, and is legit.

The VMware trigger is also something I'm totally aware of, and is definantly not new to the system.

I'll try those Symantec links, many thanks for them. It'll be a while until I can as Avira is now doing a on boot scan, so that'll be chewing away for a bit. Spybot also did an 'on boot up scan, and found nothing, which was interesting, unless said file hasnt had time to respawn yet, once the OS fully loads again, I'll launch spybot to see if it picks the vermin up again.

 

[Clinkzehffs]

Well since you told that both are legit, there isn't anything that is wrong, and if you don't feel a virus effect like popups or slowing of Vundo, its not a problem even if Vundo is on your system since its not working effectively anymore. You could still try the symantec's Vundo tool as you mentioned, but I believe that its a false alarm by Spybot, it happens sometimes Unless you notice that Vundo is harming your system, I guess its all fine. Good luck!

 

[gt3911]

Ok, so symantec didnt find it. And upon boot scans we are clean, then I allowed windows to load, and spybot no longer see's it. I rebooted, and scanned again, and still no spybot dection. I'll keep a close eye on it, but it seems like its shaken it off.

Any recommendations for a software firewall I can monitor to make sure nothing to weird is going on?

I canceled my cards and reset all valuable passwords on a clean machine - atm i'm not willing to login to anything on that rig, I'm not 100% happy, but essential the problem appears to be fixed

 

[Clinkzehffs]

If you aren't 100% happy, you can build a clean Virtual Machine for logging on credit cards and such, and not get in anything else than important stuff on your VM, and you can fix the rest of your stuff on your usual PC since you believe it MIGHT be still infected. As recommendations, I can recommend Zonealarm for you, it works quite clean and nice.

I understand your worries about cards and such, you can always go for a clean format in that situation if you aren't just sure, and then build a VM on that, so it'd be totally more secure!

You can download Zonealarm Free over here :
https://www.techspot.com/downloads/239-zonealarm-free.html

Good luck

 

[gt3911]

Yeh I thought about that at the time, I felt if vundo was doing any keylogging and I was working in a VM it would probably catch those keys sent to the VM also, so... I didnt bother. I'm not sure if it would work like that or not though.

I know, I really should just format the damn thing, but uh, so much to do lol.

My outlook usage is really bad - I dont have anyone in my address book, I just use the autocomplete, my inbox has 6021 emails that I find helpful to look back at and then another 3582 in archived folders.

I feel that outlook is probably being strained by all this, and would like to be started into a clean world, but - I find the emails far to handy for referencing, and the fact that I'd loose all my autocompletes would suck.

 

[Clinkzehffs]

Humm, can't you backup your autocomplete and emails by copying Application Data or something? (just an idea, I never really used Outlook)

 

[Shadowhawk]

Has anyone attempted to use *ComboFix* by chance?... It's basically Designed to run in [SAFE-MODE], in fact I've been told Not to run it "otherwise"...
Also, update your MalwareBytes and Renamae the executable and then run it.. there are some viruses that "see IT coming", and change their signature and get missed. Just make sure you change it back before updating again.
>> If you're using *Spybot* "immediately after updating initial .DAT/installation", you are going to *NEED* to *TWEAK* the settings First... There are "8 Engines" that are "off-by-default" which need to be ON/CHECKED before "effectively running" this application and several *settings* adjusted (checked box) as well.

 

[kritius]

Has anyone attempted to use *ComboFix* by chance?... It's basically Designed to run in [SAFE-MODE], in fact I've been told Not to run it "otherwise"...

I know that this is an old thread but this deserved to be resurrected for this post being so *****ic.

sUBs designed ComboFix to work at it's best in Normal mode, it will work in safe mode but only if it can't work in normal at all.