  • #2168268

    Virtumonde infection on WinXPsp3

    Locked

    by jdclyde ·

    Working on an HP pavilion laptop that was infected and running slow.

    After running through the normal checks, I have only one infection left, Virtumonde.

    System Restore is off.

    Only S&D finds it, and only in safe mode. It removes it, but is right back after a reboot.

    The infection has disabled AVG. I uninstalled, reinstalled and ran scans. It found nothing, and then was disabled again.

    Lavasoft Ad-Aware was listed in a Google search as being able to remove this, but nothing.

    Webroot spy sweeper, no deals.

    Spyware blaster, no deals.

    A write-up on Symantec's site was of zero help as I went through the registry to find the entries.

    Has anyone dealt with this infection?

All Answers

    • #2765259

      Clarifications

      by jdclyde ·

      In reply to Virtumonde infection on WinXPsp3

      Clarifications

    • #2765241

      Yeppers

      by bfilmfan ·

      In reply to Virtumonde infection on WinXPsp3

      See http://www.auditmypc.com/virtumonde-remove.asp. Essentially, you need to do an in-place reinstall of Windows.

      • #2768969

        Well, aren’t you just a ray of sunshine…..

        by jdclyde ·

        In reply to Yeppers

        This does not look fun. I will tackle it tomorrow (Monday) and see how it goes.

        Thanks, I hope this will be the right fix, I have sure tried enough non-fixes. 😀

    • #2768963

      Removal Tools

      by willcomp ·

      In reply to Virtumonde infection on WinXPsp3

      Both ComboFix and MBAM should remove the critter. Start with ComboFix. Download on another PC, rename (I use CFX), copy to a flash drive and then copy to desktop of afflicted PC. After ComboFix works its magic, install and run MBAM.

      Disable all non-MS services and startup items using msconfig prior to running ComboFix. It’s not absolutely necessary, but it helps.

      http://www.bleepingcomputer.com/combofix/how-to-use-combofix

      http://www.malwarebytes.org/mbam.php

      These are the two best adware/spyware removal tools currently available.

      • #2768945

        will get back on how that works

        by jdclyde ·

        In reply to Removal Tools

        Couldn’t sleep, so took a peek in here. Will try it in the morning.

        • #2768943

          There is a trick to it to hide from Virtumonde……

          by thumbsup2 ·

          In reply to will get back on how that works

          Virtumonde hides from all of the tools, but there is a way around it.

          You need to (1) be in safe mode, (2) rename the MBAM install file to any other name (I called mine FindThisSucker.exe), (3) start the install while disconnected from the internet and don’t run the program on completion of the install, (4) find and rename the MBAM.EXE file to any other file name (I called mine FindThisOneToo.exe), then (5) run what you just renamed and don’t allow it to try to update itself.

          When it runs, it will find the critter which is intelligent enough to recognize MBAM.EXE running and hide from it, but it won’t know what you’ve named it to. After that initial run of MBAM, you can rename the exe file back to the original name, mbam.exe and reboot to normal mode, let it update itself and run a full system scan.

          Once that 2nd scan has been run, you can safely run the rest of your arsenal of programs to clean up the system….
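As an added example (not from the thread and not code from any of the tools mentioned), here is a small Python helper that automates the renaming step described above: it copies a scanner's installer or executable to a random, unrelated file name and verifies by SHA-256 that the copy is byte-identical, so the only thing that changed is the file name a name-matching infection could recognise. The list of scanner name fragments, the `tool_` prefix and the placeholder file written by `demo()` are assumptions; `in_safe_mode()` uses the real Windows `GetSystemMetrics(SM_CLEANBOOT)` check and returns None on other platforms.

```python
"""Stage a scanner binary under a fresh name before running it (added example).

Rationale from the thread: the infection hides from a scanner by recognising
its process name (e.g. mbam.exe).  An identical binary running under an
unrelated name gives it nothing to match.  The copy is hash-checked so the
operator knows the renamed file is exactly the original bytes.
"""
import ctypes
import hashlib
import os
import secrets
import shutil
import sys
import tempfile

# Assumption: name fragments a name-matching infection might look for.
# The staged copy's file name must not contain any of them (case-insensitive).
KNOWN_NAMES = ("mbam", "malwarebytes", "combofix")

SM_CLEANBOOT = 67  # GetSystemMetrics index: 0 = normal boot, 1 or 2 = safe mode


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def random_name(ext: str) -> str:
    """A meaningless file name: 'tool_' + 12 hex chars + original extension."""
    return "tool_" + secrets.token_hex(6) + ext


def name_is_clean(name: str) -> bool:
    """True if the file name contains none of the known scanner fragments."""
    low = name.lower()
    return not any(fragment in low for fragment in KNOWN_NAMES)


def in_safe_mode():
    """Windows: True if booted into safe mode (SM_CLEANBOOT != 0); else None."""
    if sys.platform != "win32":
        return None
    return ctypes.windll.user32.GetSystemMetrics(SM_CLEANBOOT) != 0


def stage_renamed_copy(src: str, dest_dir: str) -> dict:
    """Copy src into dest_dir under a random name and verify the copy's hash.

    Returns the staged path, the SHA-256 both files share and the original
    base name.  Raises if the hashes differ or the new name still looks like
    a scanner name.  The caller launches the staged file manually and declines
    the update prompt, as the thread advises.
    """
    ext = os.path.splitext(src)[1]
    name = random_name(ext)
    if not name_is_clean(name):
        raise RuntimeError("generated name collides with a known scanner name")
    dst = os.path.join(dest_dir, name)
    shutil.copy2(src, dst)
    src_hash = sha256_file(src)
    dst_hash = sha256_file(dst)
    if src_hash != dst_hash:
        os.remove(dst)
        raise RuntimeError("staged copy does not match the original (hash mismatch)")
    return {"path": dst, "sha256": src_hash, "renamed_from": os.path.basename(src)}


def demo() -> dict:
    """Offline demonstration on a constructed placeholder file (not a real installer)."""
    work = tempfile.mkdtemp(prefix="stage_demo_")
    src = os.path.join(work, "mbam-setup.exe")  # constructed sample name
    with open(src, "wb") as f:
        f.write(b"MZ" + b"placeholder-not-a-real-executable" * 8)
    return stage_renamed_copy(src, work)


if __name__ == "__main__":
    # Usage: python stage_scanner.py <scanner file> <destination directory>
    if len(sys.argv) == 3:
        result = stage_renamed_copy(sys.argv[1], sys.argv[2])
    else:
        result = demo()
    print("safe mode:", in_safe_mode())
    print("staged copy:", result["path"])
    print("sha256 (original == copy):", result["sha256"])
```

With two arguments the script stages the real file you point it at; with none it runs on a constructed placeholder. It deliberately does not launch the staged copy, because the thread's procedure has the operator start it by hand, offline, and decline the self-update.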

        • #2763197

          amazing

          by jdclyde ·

          In reply to There is a trick to it to hide from Virtumonde……

          The hoops that I had to jump through….

        • #2763012

          Oh yeah!

          by thumbsup2 ·

          In reply to amazing

          It’s not a ‘purdy’ one! In and of itself, it doesn’t do that much damage, other than hard to pull out and acts like a cloaking device. Just wait till you see how many of the ‘others’ are allowed in because of it being present on the system and how much damage THEY actually do.

          On the last system I pulled this thing out of, once disabled, the scanning tools found 35 different critters, all hiding behind the cloak!

    • #2763198

      That seems to have resolved the issue

      by jdclyde ·

      In reply to Virtumonde infection on WinXPsp3

      It is amazing the steps that were required to kill this beast, though.

      Renaming the install file, installing, renaming the exe file, and then running in safe mode. What will be next?

      All traces seem to be gone, so I am just running all of the utilities again to make sure it is gone.

      I DID have to uninstall and reinstall AVG again because the @#$@#$ had disabled it again.

      This was the first time a Symantec write-up failed to do the trick for me.

      How is it possible a four year old malware could be so hard to remove?

      Why is @Q#$@#’en Windows still vulnerable to the same infection after 4 years? And yes, this was a fully patched XPsp3 system, used by a little old lady that doesn’t do much other than email.

      • #2763191

        At least those steps fixed it for you…..

        by —tk— ·

        In reply to That seems to have resolved the issue

        HAHA… I just got that virus last week. I took those steps above, and a few others I found on the net…. didn’t work… I’m thinking there is a new version of the sucker! Blew it all away, problem solved….

        Interestingly enough, I didn’t get popups, my system was not slow in the least bit, it’s like it didn’t know what to do with Vista… I couldn’t even tell my system was infected till I ran Spybot S&D (I run a scan once a week).

      • #2762986

        Vundo Morphs

        by willcomp ·

        In reply to That seems to have resolved the issue

        Vundo is updated periodically and becomes nastier with each iteration. The original Vundo malware is several years old but what you encountered is recent. Vundofix does not usually remove the newest versions.

        I recommend you get well acquainted with MBAM and ComboFix. They remove stuff including rootkits that nothing else will. Symantec is rather lame at adware/spyware removal.

        A lot of the newer malware exploits ActiveX vulnerabilities and is transmitted simply by visiting an infected site — sites may be perfectly innocent sites (e.g. recipe site) and not know they are infected.

    • #2763169

      The last time I came across this one

      by kenone ·

      In reply to Virtumonde infection on WinXPsp3

      I used vundofix and it worked like a charm. Probably depends on which version you catch.

      • #2997082

        I use the Malicious Software Removal Tool from Microsoft, it works well

        by harryolden ·

        In reply to The last time I came across this one

        I use the Malicious Software Removal Tool from Microsoft, and Malware. Malware did not find the virus but Malicious did find the virus. I had 1400 files infected; drove me nuts. I get a new one free from Microsoft.
        Cheers, Harry
