Question

Virtumonde infection on WinXPsp3

By jdclyde
Working on an HP pavilion laptop that was infected and running slow.

After running through the normal checks, I have only one infection left, Virtumonde.

System Restore is off.

Only S&D finds it, and only in safe mode. It removes it, but is right back after a reboot.

The infection has disabled AVG. I uninstalled, reinstalled and ran scans. It found nothing, and then was disabled again.

Lavasoft AdAware was listed in a google search of being able to remove this, but nothing.

Webroot spy sweeper, no deals.

Spyware blaster, no deals.

A writeup on symantecs site was of zero help as I went through the registry to find the entries.

Has anyone dealt with this infection?
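The symptom in the question, a scanner removing the entry and it being "right back after a reboot", is the classic sign of a persistence mechanism the cleanup never reached. A cheap way to pin that down on a box like this is to dump the autorun keys with `reg query` three times (before cleanup, right after the scanner removes things, and after the next reboot) and diff the snapshots. The script below is an added example written for this thread, not something the poster or any of the tools mentioned here ship; the `reg query` text it parses is constructed sample data, and every value name and path in it is invented for illustration rather than an indicator from the thread.

```python
"""Diff autorun snapshots to spot entries that come back after a reboot.

Take the snapshots on the affected machine with something like
    reg query "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" > before.txt
and repeat for the other autostart keys you care about. Feed the three
captured texts to the functions below.
"""
import re
from typing import Dict

# One "name  TYPE  data" line as reg query prints it under the key header
# (tabs on XP, runs of spaces on later versions; the regex accepts both).
ENTRY_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")

# Constructed sample snapshots (invented names/paths, not real indicators).
SNAPSHOT_BEFORE_CLEANUP = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    AVG8_TRAY   REG_SZ  C:\PROGRA~1\AVG\AVG8\avgtray.exe
    ctfmon.exe  REG_SZ  C:\WINDOWS\system32\ctfmon.exe
    hgeaqwpy    REG_SZ  rundll32.exe C:\WINDOWS\system32\hgeaqwpy.dll,b
"""

SNAPSHOT_AFTER_CLEANUP = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    AVG8_TRAY   REG_SZ  C:\PROGRA~1\AVG\AVG8\avgtray.exe
    ctfmon.exe  REG_SZ  C:\WINDOWS\system32\ctfmon.exe
"""

SNAPSHOT_AFTER_REBOOT = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    AVG8_TRAY   REG_SZ  C:\PROGRA~1\AVG\AVG8\avgtray.exe
    ctfmon.exe  REG_SZ  C:\WINDOWS\system32\ctfmon.exe
    hgeaqwpy    REG_SZ  rundll32.exe C:\WINDOWS\system32\hgeaqwpy.dll,b
    qzrtlkma    REG_SZ  rundll32.exe C:\WINDOWS\system32\qzrtlkma.dll,c
"""


def parse_reg_query(text: str) -> Dict[str, str]:
    """Map value name -> data for every value line in reg query output.

    The key header and the REG.EXE banner have no leading whitespace, so the
    anchored regex skips them and only value lines are collected.
    """
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries[match.group("name")] = match.group("data").strip()
    return entries


def reappearing_entries(before: Dict[str, str],
                        after_cleanup: Dict[str, str],
                        after_reboot: Dict[str, str]) -> Dict[str, str]:
    """Entries the cleanup removed that are present again after the reboot.

    Matches by value name or by the command data, so a re-created entry is
    caught even if the malware registered it under a different name.
    """
    removed = {n: d for n, d in before.items() if n not in after_cleanup}
    back: Dict[str, str] = {}
    for name, data in removed.items():
        if name in after_reboot or data in after_reboot.values():
            back[name] = after_reboot.get(name, data)
    return back


def new_since_cleanup(after_cleanup: Dict[str, str],
                      after_reboot: Dict[str, str]) -> Dict[str, str]:
    """Entries that exist after the reboot but did not exist right after cleanup.

    This catches both re-created entries and fresh ones a surviving component
    dropped on startup (e.g. a renamed variant of the same loader).
    """
    return {n: d for n, d in after_reboot.items() if n not in after_cleanup}


def report(before_txt: str, after_cleanup_txt: str, after_reboot_txt: str) -> Dict[str, Dict[str, str]]:
    """Parse the three captures and return both findings in one structure."""
    before = parse_reg_query(before_txt)
    after_cleanup = parse_reg_query(after_cleanup_txt)
    after_reboot = parse_reg_query(after_reboot_txt)
    return {
        "reappeared": reappearing_entries(before, after_cleanup, after_reboot),
        "new_since_cleanup": new_since_cleanup(after_cleanup, after_reboot),
    }


if __name__ == "__main__":
    findings = report(SNAPSHOT_BEFORE_CLEANUP, SNAPSHOT_AFTER_CLEANUP, SNAPSHOT_AFTER_REBOOT)
    for category, entries in findings.items():
        print(f"{category}:")
        for name, data in sorted(entries.items()):
            print(f"  {name} -> {data}")
```

Anything listed under `reappeared` is the thing to chase: whatever re-creates it survived the cleanup and runs before or during logon, which is why the scanner-in-safe-mode approach and the renamed-scanner trick later in this thread matter. Entries under `new_since_cleanup` that were not in the first snapshot either are worth the same scrutiny, since a loader that changes its own file name between boots shows up there rather than as an exact repeat.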

13 total posts (Page 1 of 2)

All Answers

Yeppers

by BFilmFan In reply to Virtumonde infection on W ...

See http://www.auditmypc.com/virtumonde-remove.asp. Essentially, you need to do an in-place reinstall of Windows.

Well, aren't you just a ray of sunshine.....

by jdclyde In reply to Yeppers

This does not look fun. I will tackle it tomorrow (Monday) and see how it goes.

Thanks. I hope this will be the right fix; I have sure tried enough non-fixes.

Removal Tools

by willcomp In reply to Virtumonde infection on W ...

Both ComboFix and MBAM should remove the critter. Start with ComboFix. Download on another PC, rename (I use CFX), copy to a flash drive and then copy to desktop of afflicted PC. After ComboFix works its magic, install and run MBAM.

Disable all non-MS services and startup items using msconfig prior to running ComboFix. It's not absolutely necessary, but it helps.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

http://www.malwarebytes.org/mbam.php

These are the two best adware/spyware removal tools currently available.

will get back on how that works

by jdclyde In reply to Removal Tools

Couldn't sleep, so I took a peek in here. Will try it in the morning.

There is a trick to it to hide from Virtumonde......

by ThumbsUp2 In reply to will get back on how that ...

Virtumonde hides from all of the tools, but there is a way around it.

You need to (1) be in safe mode, (2) rename the MBAM install file to any other name (I called mine FindThisSucker.exe), (3) start the install while disconnected from the internet and don't run the program on completion of the install, (4) find and rename the MBAM.EXE file to any other file name (I called mine FindThisOneToo.exe), then (5) run what you just renamed and don't allow it to try to update itself.

When it runs, it will find the critter, which is intelligent enough to recognize MBAM.EXE running and hide from it, but it won't know what you've renamed it to. After that initial run of MBAM, you can rename the exe file back to its original name, mbam.exe, reboot to normal mode, let it update itself, and run a full system scan.

Once that 2nd scan has been run, you can safely run the rest of your arsenal of programs to clean up the system.

amazing

by jdclyde In reply to There is a trick to it to ...

the hoops that I had to jump through....

Oh yeah!

by ThumbsUp2 In reply to amazing

It's not a 'purdy' one! In and of itself, it doesn't do that much damage, other than being hard to pull out and acting like a cloaking device. Just wait till you see how many of the 'others' are allowed in because of it being present on the system, and how much damage THEY actually do.

On the last system I pulled this thing out of, once disabled, the scanning tools found 35 different critters, all hiding behind the cloak!

That seems to have resolved the issue

by jdclyde In reply to Virtumonde infection on W ...

It is amazing the steps that were required to kill this beast, though.

Renaming the install file, installing, renaming the exe file, and then running in safe mode. What will be next?

All traces seem to be gone, so I am just running all of the utilities again to make sure it is gone.

I DID have to uninstall and reinstall AVG again because the @#$@#$ had disabled it again.

This was the first time a symantec write-up failed to do the trick for me.

How is it possible a four year old malware could be so hard to remove?

Why is @Q#$@#'en Windows still vulnerable to the same infection after 4 years? And yes, this was a fully patched XPsp3 system, used by a little old lady that doesn't do much other than email.

At least those steps fixed it for you.....

by ---TK--- In reply to That seems to have resolv ...

HAHA... I just got that virus last week. I took those steps above, and a few others I found on the net.... didn't work... I'm thinking there is a new version of the sucker! Blew it all away, problem solved....

Interestingly enough, I didn't get popups, and my system was not slow in the least bit; it's like it didn't know what to do with Vista... I couldn't even tell my system was infected till I ran Spybot S&D (I run a scan once a week).

Vundo Morphs

by willcomp In reply to That seems to have resolv ...

Vundo is updated periodically and becomes nastier with each iteration. The original Vundo malware is several years old but what you encountered is recent. Vundofix does not usually remove the newest versions.

I recommend you get well acquainted with MBAM and ComboFix. They remove stuff including rootkits that nothing else will. Symantec is rather lame at adware/spyware removal.

A lot of the newer malware exploits ActiveX vulnerabilities and is transmitted simply by visiting an infected site --- sites may be perfectly innocent sites (e.g. recipe site) and not know they are infected.
