Another Virtumundo Problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Steve1234, Nov 19, 2004.

  1. Steve1234

    Steve1234 Private E-2

    Hey guys,

    I seem to have the popular Virtumundo problem on my laptop. I've tried Spybot and Ad-aware with no luck, and from what I've read in other threads, these won't help. I just downloaded HJT and unzipped it to its own folder. I am using an IBM laptop with Win XP Pro. I guess I'm decent with computers, so with you guys' help I hope to get rid of this crap. Thanks.

    -Steve
     
  2. Kodo

    Kodo SNATCHSQUATCH

    Please follow all the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal


    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    Also, please visit our collection of Virtumundo links that resulted in clearing the problem.
    http://forums.majorgeeks.com/showthread.php?t=46356
     
  3. Steve1234

    Steve1234 Private E-2

    Here's what I've done so far:

    Cleaned out Temp Internet Files, cleared cookies, deleted history

    Ad-aware SE Professional - Normal Mode - Found 4 critical objects, 2 reg keys and 2 reg values, 2 Virtumundo Regkeys, 2 Virtumundo RegValues.

    Ad-aware SE Professional - Safe Mode - same thing as above

    Spybot S&D - Normal Mode - 9 problems found - 4 ATLEvent.ATLEvents, 5 DSO Exploits

    SpyBot S&D - Safe Mode - same as above

    Symantec Antivirus Corporate Edition - Normal Mode - Finds nothing

    Symantec Antivirus Corporate Edition - Safe Mode - Finds nothing

    All programs were run at least twice in each mode with the most current updates.
     
  4. Kodo

    Kodo SNATCHSQUATCH

    Follow the tutorial and read some of the links.. seriously.. trust me.. it will help you. Either that or an infected machine..
     
  5. Steve1234

    Steve1234 Private E-2

    Well, I followed the tutorial, downloaded and ran all those progs. The Trend Micro scan found TROJ_DLoader.R, which was deleted. Other than that, Ad-aware keeps finding the same 2 Virtumundo RegKeys, 2 Virtumundo RegValues. I didn't run HijackThis yet because I don't know what to have it delete and you haven't instructed me to upload a log so..... Please help!!! My Internet Explorer is pretty much useless right now cuz it's so slow and it's pissin me off!!

    BTW, I dunno if this helps, but when I go into the Task Manager I noticed my CPU usage is going back and forth from 100% to 1% while I'm not doing anything.
     
  6. PhilliePhan

    PhilliePhan Guest

    Hi Steve,

    It looks like you've pretty much exhausted the Tutorial's options, so go ahead and send us a HijackThis Log. Please follow the instructions below.

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    Send us a log and we'll go from there ;) I'll try to check back when I get a chance. Please note that I am currently working on about 10 - 12 of these StopGuard/Virtumundo threads and I'm just a regular forum member without a lot of free time - so, please be patient :cool:

    Best,
    PP
     
  7. Steve1234

    Steve1234 Private E-2

    Here's my log. I think I did it right. I really appreciate your time and help. Please tell me there's a way to get rid of this without having to reimage. Just so you know, and I dunno if this makes any difference, but this laptop is used for school and I'm on their network, so I know they installed a special image on this thing before they gave it to us, so I dunno if it will damage any of the settings for school. Thanks.
     

    Attached Files:

  8. PhilliePhan

    PhilliePhan Guest

    Hi Steve,

    There are some things in your log that look iffy - But, I think that they were put there by your school. I will leave them alone and just deal with the StopGuard/Virtumundo crap. Hang on for a few minutes.

    PP
     
  9. PhilliePhan

    PhilliePhan Guest

    Hi Steve,

    This is my generic fix for Stopguard-related malware infections. Please note that this particular Malware mutates on reboot, so if you have rebooted subsequent to attaching your HJT Log, the file names may have changed.

    As I mentioned, this is just the StopGuard/Virtumundo stuff.

    ANYHOO:
    Please print out these instructions so that you can operate with All Browser Windows CLOSED. Please follow the instructions very carefully.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    NEXT:
    Look in C: > WINDOWS > PREFETCH & Delete kbcmd.exe ( or any kbcmd or dmcbk entries) if found. If it is easier, you can go ahead and delete all of the files in the Prefetch Folder – It’s a good idea to do this every couple of months anyway. ( Do Not Delete The Prefetch Folder Itself )

    NOW:
    Run HijackThis and Check the Boxes for the Following:

    O2 - BHO: CATLEvents Object - {02F96FB7-8AF6-439B-B7BA-2F952F9E4800} - C:\DOCUME~1\CREANZ~1\LOCALS~1\Temp\dmcbk.dat

    O4 - HKLM\..\Run: [*kbcmd] C:\WINDOWS\Cursors\kbcmd.exe

    O4 - HKLM\..\RunOnce: [*kbcmd] C:\WINDOWS\Cursors\kbcmd.exe rerun


    Click FIX and then while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\Cursors\kbcmd.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

    While in Safe Mode (making sure that you are able to view hidden files) Navigate to and DELETE the following if it remains:

    C:\WINDOWS\Cursors\kbcmd.exe

    THEN:
    Use Windows Explorer to run a search of your computer for:

    bkinst
    kbcmd
    dmcbk


    and DELETE the related files. (We especially want to get rid of dmcbk.ini & dmcbk.dat & dmcbk.bak AND kbcmd.ini & kbcmd.dat & kbcmd.bak + any other related crap.) It is important that you be thorough with this search. These files seem to like to hide all over your computer and have a nasty habit of resurrecting themselves if you do not get them ALL.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Attach a fresh HJT log. How are things running? Let me know of any problems that you may have encountered with the above instructions.

    Best luck :)
    PP
     
  10. Steve1234

    Steve1234 Private E-2

    OK, just finished..... Doesn't look like anything changed :(. The log still has those same entries in it that you said to delete the first time. I cleared out the entire Prefetch folder (didn't delete the folder itself). I rebooted into Safe Mode without networking. I didn't get an error when I rebooted. I went to delete C:\WINDOWS\Cursors\kbcmd.exe and the "cannot delete, access denied" window came up. When I searched in Windows Explorer it found 2 kbcmd files; I deleted one, but the other was the Cursors folder file and it wouldn't let me delete it. No bkinst or dmcbk came up when I searched. Spybot came up with 3 DSO Exploits and 4 ATLEvents.ATLEvents which were fixed. This sucks.....
     

    Attached Files:

  11. PhilliePhan

    PhilliePhan Guest

    Hi Steve,

    Try running through the procedure again. Be especially careful with this part:

    Click FIX and then while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\Cursors\kbcmd.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    This is the heart of the fix - Deleting this before it even gets a chance to run!

    Give it another shot and let me know how you do.

    Best luck :)
    PP
     
  12. Steve1234

    Steve1234 Private E-2

    Same thing, man, wouldn't let me delete. I followed the instructions exactly. When I rebooted into Safe Mode my computer was so slow I couldn't even finish the instructions. Just tried to delete the kbcmd.exe then restarted cuz it was too slow. I notice when I reboot into Safe Mode the kbcmd.exe is already running in the Task Manager. What kinda asshole creates this bullshit..... Here's a new log.....my comp is soooo slow right now
     

    Attached Files:

  13. PhilliePhan

    PhilliePhan Guest

    Hi Steve,

    I don't know what the problem is! Half the time these steps work like a charm. The other half of the time . . . Well, I guess you know.

    Is there more than one user account on this computer?

    Obviously, we need to kill that file. Try downloading this tool:

    http://www.downloads.subratam.org/KillBox.zip

    Either the normal kill or delete on reboot setting may work to nail this baddie. You may have to try them more than once. I've seen cases where this has worked well.

    Good luck :)
    PP
     
  14. Steve1234

    Steve1234 Private E-2

    Hey,

    I think I've got some good news!!! I think it's finally gone!!! I tried one more time. This time after I deleted the Prefetch folder contents, I got curious and went into the C:\WINDOWS\Cursors folder just to look around and see if there was anything else in there besides the kbcmd.exe. I noticed 2 hidden dmcbk.bak files, so all I did was delete those with right-click Delete, then I ran HijackThis and followed the rest of the instructions. I noticed right away when I rebooted into Safe Mode that the little hard drive indicator wasn't blinking constantly like before and it wasn't nearly as slow. I went back into the Cursors folder and there was no sign of any dmcbk or kbcmd files. I ran a search in Windows Explorer, nothing. Followed the rest of the instructions and when I rebooted into normal Windows everything was running like normal. Checked Task Manager, no sign of kbcmd.exe anymore. Just ran Ad-aware again and it didn't find anything!!! :) . So it looks like Virtumundo is gone....I hope forever. I really really appreciate your help, can't thank you enough for your help and time. BTW I did all of this before I saw your most recent post, so I never used that KillBox program, but again I appreciate all the ideas and help. I've attached another recent HJT log. Thanks again!!

    -Steve
     

    Attached Files:

  15. PhilliePhan

    PhilliePhan Guest

    EXCELLENT!!! Good Job! :)

    Your log looks good - Though, remember that I left a lot there that I thought was put there by your school.

    But, the Virtumundo is gone! That's why I put that bit in the instructions about using Windows Explorer to run a search of your machine to find those hidden files. I've just started asking people to look in the folders. Thanks for the feedback!

    Please take a look at Chaslang's recommendations: How to Protect yourself from malware!

    Happy I could help you nail this baddie! :)

    Best,
    PP
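As an added example that is not part of the thread (and not HijackThis or any tool named in it), the following PowerShell script does what posts 9 and 15 ask the user to do by hand: it inventories files matching the three names (including hidden ones, which is what finally turned up the dmcbk.bak copies), the HKLM Run/RunOnce values behind the O4 log lines, and any running kbcmd process. It reports only and deletes nothing; it assumes a modern Windows with PowerShell, and the Cursors, Prefetch and Temp locations are taken from the thread.

```powershell
# Added triage script, not from the thread or any tool named in it: it inventories the
# artifacts PhilliePhan's steps target, including hidden files, and deletes nothing.
# Assumes PowerShell 5.1 or later on Windows, run from an elevated prompt.
$Patterns = @('kbcmd', 'dmcbk', 'bkinst')             # names from the thread
$Roots    = @("$env:SystemRoot\Cursors",               # drop folder in the HJT log
              "$env:SystemRoot\Prefetch",
              $env:TEMP,
              "$env:SystemDrive\")                     # whole-drive sweep last (slow)

function Find-SuspectFiles {
    param([string[]]$Roots, [string[]]$Patterns)
    $seen = @{}
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # -Force includes hidden/system files such as the dmcbk.bak copies that
        # only turned up when the Cursors folder was opened directly.
        Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $n = $_.Name; $Patterns | Where-Object { $n -like "*$_*" } } |
            ForEach-Object {
                if (-not $seen.ContainsKey($_.FullName)) {
                    $seen[$_.FullName] = $true
                    [pscustomobject]@{
                        Path   = $_.FullName
                        Hidden = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    }
                }
            }
    }
}
function Find-SuspectAutoruns {
    param([string[]]$Patterns)
    # The O4 lines in the log live under HKLM Run and RunOnce.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # provider metadata, not a value
            $val = "$($p.Value)"
            if ($Patterns | Where-Object { $p.Name -like "*$_*" -or $val -like "*$_*" }) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $val }
            }
        }
    }
}

Find-SuspectFiles -Roots $Roots -Patterns $Patterns | Format-Table -AutoSize
Find-SuspectAutoruns -Patterns $Patterns | Format-Table -AutoSize
Get-Process | Where-Object { $_.ProcessName -like '*kbcmd*' } | Select-Object Id, ProcessName, Path
```

A file that is listed as Hidden but was missed by an Explorer search is exactly the case post 15 describes; the Temp entry from the O2 BHO line is covered by the `$env:TEMP` root.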
     
