February 22, 2009 at 6:30 pm #2168268
Virtumonde infection on WinXPsp3
by jdclyde · about 15 years, 1 month ago
Working on an HP pavilion laptop that was infected and running slow.
After running through the normal checks, I have only one infection left, Virtumonde.
System Restore is off.
Only S&D finds it, and only in safe mode. It removes it, but is right back after a reboot.
The infection has disabled AVG. I uninstalled, reinstalled and ran scans. It found nothing, and then was disabled again.
Lavasoft AdAware was listed in a google search of being able to remove this, but nothing.
Webroot spy sweeper, no deals.
Spyware blaster, no deals.
A write-up on Symantec's site was of zero help as I went through the registry to find the entries.
Has anyone dealt with this infection?
February 22, 2009 at 6:30 pm #2765259
Clarifications
by jdclyde · about 15 years, 1 month ago
In reply to Virtumonde infection on WinXPsp3
February 22, 2009 at 8:05 pm #2765241
Yeppers
by bfilmfan · about 15 years, 1 month ago
In reply to Virtumonde infection on WinXPsp3
See http://www.auditmypc.com/virtumonde-remove.asp. Essentially, you need to do an in-place reinstall of Windows.
February 22, 2009 at 9:09 pm #2768963
Removal Tools
by willcomp · about 15 years, 1 month ago
In reply to Virtumonde infection on WinXPsp3
Both ComboFix and MBAM should remove the critter. Start with ComboFix. Download on another PC, rename (I use CFX), copy to a flash drive and then copy to desktop of afflicted PC. After ComboFix works its magic, install and run MBAM.
Disable all non-MS services and startup items using msconfig prior to running ComboFix. It’s not absolutely necessary but helps.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
http://www.malwarebytes.org/mbam.php
These are the two best adware/spyware removal tools currently available.
February 22, 2009 at 11:01 pm #2768945
will get back on how that works
by jdclyde · about 15 years, 1 month ago
In reply to Removal Tools
Couldn’t sleep, so took a peek in here. Will try it in the morning.
February 22, 2009 at 11:10 pm #2768943
There is a trick to it to hide from Virtumonde……
by thumbsup2 · about 15 years, 1 month ago
In reply to will get back on how that works
Virtumonde hides from all of the tools, but there is a way around it.
You need to (1) be in safe mode, (2) rename the MBAM install file to any other name (I called mine FindThisSucker.exe), (3) start the install while disconnected from the internet and don’t run the program on completion of the install, (4) find and rename the MBAM.EXE file to any other file name (I called mine FindThisOneToo.exe), then (5) run what you just renamed and don’t allow it to try to update itself.
When it runs, it will find the critter which is intelligent enough to recognize MBAM.EXE running and hide from it, but it won’t know what you’ve named it to. After that initial run of MBAM, you can rename the exe file back to the original name, mbam.exe and reboot to normal mode, let it update itself and run a full system scan.
Once that 2nd scan has been run, you can safely run the rest of your arsenal of programs to clean up the system….
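An added example (not from thumbsup2 or any other poster) that automates step (5) of the procedure above on the afflicted PC, already booted into safe mode with the scanner installed offline: it copies the scanner to a random file name before launching it, then checks that the renamed process is still alive, since the thread reports the malware shutting down tools it recognises. The scanner path is a placeholder.

```batch
@echo off
REM Added example, not from the thread. Run in safe mode on the afflicted
REM PC after installing the scanner offline (steps 1-4 above).
REM SCANNER is a placeholder path: point it at the installed scanner's exe.
setlocal
set "SCANNER=C:\path\to\mbam.exe"

REM Copy the scanner under a random name so a process-name check for
REM mbam.exe (the hiding behaviour thumbsup2 describes) does not match it.
set "RANDNAME=scan%RANDOM%%RANDOM%.exe"
set "RUNCOPY=%TEMP%\%RANDNAME%"
copy "%SCANNER%" "%RUNCOPY%" >nul
if errorlevel 1 (
    echo Could not copy "%SCANNER%" to "%RUNCOPY%"
    exit /b 1
)

REM Launch the renamed copy. Stay disconnected from the network so it
REM cannot update itself during this first run (step 5 above).
start "" "%RUNCOPY%"

REM Wait a few seconds (ping to localhost as a sleep), then confirm the
REM renamed process is still running; a missing process means something
REM terminated it, the same symptom the thread reports for AVG.
ping -n 6 127.0.0.1 >nul
tasklist /FI "IMAGENAME eq %RANDNAME%" | find /I "%RANDNAME%" >nul
if errorlevel 1 (
    echo %RANDNAME% is no longer running - it was likely terminated.
    exit /b 2
)
echo Scanner is running as %RANDNAME%; let the scan finish before rebooting.
endlocal
```

tasklist ships with XP Professional but not XP Home, so the liveness check needs a Professional install.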
February 25, 2009 at 10:52 am #2763197
amazing
by jdclyde · about 15 years, 1 month ago
In reply to There is a trick to it to hide from Virtumonde……
the hoops that I had to jump through….
February 25, 2009 at 7:51 pm #2763012
Oh yeah!
by thumbsup2 · about 15 years, 1 month ago
In reply to amazing
It’s not a ‘purdy’ one! In and of itself, it doesn’t do that much damage, other than hard to pull out and acts like a cloaking device. Just wait till you see how many of the ‘others’ are allowed in because of it being present on the system and how much damage THEY actually do.
On the last system I pulled this thing out of, once disabled, the scanning tools found 35 different critters, all hiding behind the cloak!
February 25, 2009 at 10:51 am #2763198
That seems to have resolved the issue
by jdclyde · about 15 years, 1 month ago
In reply to Virtumonde infection on WinXPsp3
It is amazing the steps that were required to kill this beast, though.
Renaming the install file, installing, renaming the exe file, and then running in safe mode. What will be next?
All traces seem to be gone, so I am just running all of the utilities again to make sure it is gone.
I DID have to uninstall and reinstall AVG again because the @#$@#$ had disabled it again.
This was the first time a symantec write-up failed to do the trick for me.
How is it possible a four year old malware could be so hard to remove?
Why is @Q#$@#’en Windows still vulnerable to the same infection after 4 years? And yes, this was a fully patched XPsp3 system, used by a little old lady that doesn’t do much other than email.
February 25, 2009 at 10:57 am #2763191
At least those steps fixed it for you…..
by —tk— · about 15 years, 1 month ago
In reply to That seems to have resolved the issue
HAHA… I just got that virus last week. I took those steps above, and a few others I found on the net…. didn’t work… I’m thinking there is a new version of the sucker! Blew it all away, problem solved….
Interestingly enough, I didn’t get popups, my system was not slow in the least bit, it’s like it didn’t know what to do with Vista… I couldn’t even tell my system was infected till I ran Spybot S&D (I run a scan once a week).
February 25, 2009 at 9:29 pm #2762986
Vundo Morphs
by willcomp · about 15 years, 1 month ago
In reply to That seems to have resolved the issue
Vundo is updated periodically and becomes nastier with each iteration. The original Vundo malware is several years old but what you encountered is recent. Vundofix does not usually remove the newest versions.
I recommend you get well acquainted with MBAM and ComboFix. They remove stuff including rootkits that nothing else will. Symantec is rather lame at adware/spyware removal.
A lot of the newer malware exploits ActiveX vulnerabilities and is transmitted simply by visiting an infected site — sites may be perfectly innocent sites (e.g. recipe site) and not know they are infected.
February 25, 2009 at 11:50 am #2763169
The last time I came across this one
by kenone · about 15 years, 1 month ago
In reply to Virtumonde infection on WinXPsp3
I used vundofix and it worked like a charm. Probably depends on which version you catch.
August 23, 2009 at 6:55 am #2997082
I use the Malicious Software Removal Tool from Microsoft, it works well
by harryolden · about 14 years, 7 months ago
In reply to The last time I came across this one
I use the Malicious Software Removal Tool from Microsoft, and Malware.
Malware did not find the virus but Malicious did find the virus. I had 1400 files infected, drove me nuts. I get a new one free from Microsoft.
Cheers Harry