Virtumonde infection on WinXPsp3

jdclyde
Working on an HP pavilion laptop that was infected and running slow.

After running through the normal checks, I have only one infection left, Virtumonde.

System Restore is off.

Only S&D finds it, and only in safe mode. It removes it, but is right back after a reboot.

The infection has disabled AVG. I uninstalled, reinstalled and ran scans. It found nothing, and then was disabled again.

Lavasoft AdAware was listed in a Google search as being able to remove this, but nothing.

Webroot spy sweeper, no deals.

Spyware blaster, no deals.

A writeup on Symantec's site was of zero help as I went through the registry to find the entries.

Has anyone dealt with this infection?
    BFilmFan

    See http://www.auditmypc.com/virtumonde-remove.asp. Essentially, you need to do an in-place reinstall of Windows.

    jdclyde

    This does not look fun. I will tackle it tomorrow and see how it goes. (Monday)

    Thanks, I hope this will be the right fix, I have sure tried enough non-fixes.

    willcomp

    Both ComboFix and MBAM should remove the critter. Start with ComboFix. Download on another PC, rename it (I use CFX), copy it to a flash drive and then copy it to the desktop of the afflicted PC. After ComboFix works its magic, install and run MBAM.

    Disable all non-MS services and startup items using msconfig prior to running ComboFix. It's not absolutely necessary but helps.

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    http://www.malwarebytes.org/mbam.php

    These are the two best adware/spyware removal tools currently available.

    jdclyde

    Couldn't sleep, so took a peek in here. Will try it in the morning.

    ThumbsUp2

    Virtumonde hides from all of the tools, but there is a way around it.

    You need to (1) be in safe mode, (2) rename the MBAM install file to any other name (I called mine FindThisSucker.exe), (3) start the install while disconnected from the internet and don't run the program on completion of the install, (4) find and rename the MBAM.EXE file to any other file name (I called mine FindThisOneToo.exe), then (5) run what you just renamed and don't allow it to try to update itself.

    When it runs, it will find the critter which is intelligent enough to recognize MBAM.EXE running and hide from it, but it won't know what you've named it to. After that initial run of MBAM, you can rename the exe file back to the original name, mbam.exe and reboot to normal mode, let it update itself and run a full system scan.

    Once that 2nd scan has been run, you can safely run the rest of your arsenal of programs to clean up the system....
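    The renaming trick from the post above, automated as an added example (not code from the thread or from Malwarebytes): the hypothetical `stage_renamed_copy` copies the scanner to a random name the malware has never seen and refuses to hand it back unless the copy's SHA-256 matches the original, so a truncated or tampered copy is never run on the afflicted PC; `launch_offline` then starts it with no arguments so no update is triggered. Paths in the `__main__` block are placeholders, and `demo_with_constructed_binary` uses a constructed stand-in file, not a real executable.

```python
import hashlib
import os
import secrets
import shutil
import subprocess
import tempfile

def sha256_of(path):
    """SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def stage_renamed_copy(src, dest_dir, prefix="scan"):
    """Copy src into dest_dir under a random name (e.g. scan3fa9c1d2.exe).

    Returns (new_path, digest); removes the copy and raises if its
    SHA-256 differs from the original, so a bad copy is never launched.
    """
    ext = os.path.splitext(src)[1]
    new_path = os.path.join(dest_dir, f"{prefix}{secrets.token_hex(4)}{ext}")
    shutil.copyfile(src, new_path)
    expected, actual = sha256_of(src), sha256_of(new_path)
    if expected != actual:
        os.remove(new_path)
        raise RuntimeError("staged copy does not match the original")
    return new_path, actual

def launch_offline(exe_path):
    """Run the renamed scanner with no arguments; returns its exit code."""
    return subprocess.run([exe_path]).returncode

def demo_with_constructed_binary():
    """Self-check on a constructed stand-in for mbam.exe (never executed)."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "mbam.exe")
        with open(fake, "wb") as f:
            f.write(b"MZ" + os.urandom(4096))  # constructed bytes, not a real PE
        staged, digest = stage_renamed_copy(fake, tmp)
        return os.path.basename(staged), digest == sha256_of(fake)

if __name__ == "__main__":
    # Placeholder paths: point these at the real installer or mbam.exe.
    staged, digest = stage_renamed_copy(r"C:\downloads\mbam-setup.exe", r"C:\tmp")
    print("staged as", staged, "sha256", digest)
    launch_offline(staged)
```

    Rename the installer with the same function before installing in safe mode, then the installed `mbam.exe`, exactly as the post's steps (2) and (4) describe.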

    jdclyde

    The hoops that I had to jump through....

    ThumbsUp2

    It's not a 'purdy' one! In and of itself, it doesn't do that much damage, other than being hard to pull out and acting like a cloaking device. Just wait till you see how many of the 'others' are allowed in because of it being present on the system and how much damage THEY actually do.

    On the last system I pulled this thing out of, once disabled, the scanning tools found 35 different critters, all hiding behind the cloak!

    jdclyde

    It is amazing the steps that were required to kill this beast, though.

    Renaming the install file, installing, renaming the exe file, and then running in safe mode. What will be next?

    All traces seem to be gone, so I am just running all of the utilities again to make sure it is gone.

    I DID have to uninstall and reinstall AVG again because the @#$@#$ had disabled it again.

    This was the first time a Symantec write-up failed to do the trick for me.

    How is it possible that a four-year-old malware could be so hard to remove?

    Why is @Q#$@#'en Windows still vulnerable to the same infection after 4 years? And yes, this was a fully patched XPsp3 system, used by a little old lady that doesn't do much other than email.

    ---TK---

    HAHA... I just got that virus last week. I took those steps above, and a few other I found on the net.... didn't work... I'm thinking there is a new version of the sucker! Blew it all away, problem solved....

    Interestingly enough, I didn't get popups, my system was not slow in the least bit, it's like it didn't know what to do with Vista... I couldn't even tell my system was infected till I ran Spybot S&D (I run a scan once a week).

    willcomp

    Vundo is updated periodically and becomes nastier with each iteration. The original Vundo malware is several years old but what you encountered is recent. Vundofix does not usually remove the newest versions.

    I recommend you get well acquainted with MBAM and ComboFix. They remove stuff including rootkits that nothing else will. Symantec is rather lame at adware/spyware removal.

    A lot of the newer malware exploits ActiveX vulnerabilities and is transmitted simply by visiting an infected site --- sites may be perfectly innocent sites (e.g. recipe site) and not know they are infected.

    Kenone

    I used vundofix and it worked like a charm. Probably depends on which version you catch.

    harryolden

    I use the Malicious Software Removal Tool from Microsoft, and Malware.
    Malware did not find the virus but Malicious did find the virus. I had 1400 files infected, drove me nuts. I get a new one free from Microsoft.
    Cheers Harry
