Cannot remove Vundo/Virtumonde

Discussion in 'Malware Help (A Specialist Will Reply)' started by jimmy5000, Jan 9, 2008.

  1. jimmy5000

    jimmy5000 Private E-2

    Hi, I wonder if you might be able to help me? Despite having used three or four tools to remove Virtumonde, I'm still getting windows popping up in my browser offering me free malware scans etc.
    Virtumonde.exe actually said it had removed byxuspn.dll and hasn't been able to find anything else when I've used it to re-scan.
    I would be very grateful if you could help with this. Many thanks
    James
     
  2. abri

    abri MajorGeek

    Hi jimmy5000!

    Welcome to the Malware Forum!

    Please start by following the instructions in the READ & RUN ME FIRST

    This will help get rid of some of the infection. Attach the requested logs to us so we can complete this process.

    abri
     
  3. jimmy5000

    jimmy5000 Private E-2

    Thanks very much for your help. I've done everything in the 'Read and Run Me First' and have attached the logs to this note. Things seem to be working ok, but I'm not entirely sure yet so would appreciate a look at the logs to see if there's anything suspicious in them. Thanks again.
    James
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi Jim,
    I was wondering about a key you have in your registry for making InternetShortcuts. Is this a tool you know about and use?

    InternetShortcut
    [HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\ShellExecuteHooks]
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"=""


    Now, please do the following:


    1) Go to add/remove programs and uninstall the below:

    - Viewpoint Media Player
    - Java 2 Runtime Environment, SE v1.4.2_01



    2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {1322C3BF-9315-48DA-BD2E-F0D8FB146D54} - C:\WINDOWS\System32\byvtq.dll
    O2 - BHO: (no name) - {490928DD-87B9-4724-BF93-92F7C6D92B2A} - C:\WINDOWS\System32\fcccd.dll (file missing)
    O2 - BHO: (no name) - {E4A3A819-5EA7-4612-94DF-46F3D5398067} - C:\WINDOWS\System32\fcyax.dll (file missing)
    O20 - Winlogon Notify: fccdbxu - fccdbxu.dll (file missing)


    Do the following two entries belong to programs you know or want to keep? (This is just one of the entries for Visteon. There are a lot of them and I would not want you to delete it if this is a program you need.)

    O16 - DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} (Nsload Control) - https://vconnect.visteon.com/vpns/scripts/nsload.ocx

    O23 - Service: MarimbaNode - BMC Software, Inc. - C:\program files\marimba\tuner\Tuner.exe

    After you click fix, just close hijackthis.


    3) Download and install Erunt. Use it to create a backup of your registry.

    4) Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    5) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    6) Install the current version of Sun Java from: Sun Java Runtime Environment

    7) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.

    Also, let me know if the registry patch was successful.


    Let me know how things are running now.

    abri
     
  5. jimmy5000

    jimmy5000 Private E-2

    Hey Abri, thanks for the rapid response!!

    Just a couple of things before I go through the procedure:

    Firstly, I don't use any tool for creating internet shortcuts.

    Secondly, I need to keep anything to do with Visteon. This is a laptop that I use to access a company called Visteon's VPN through either a weblink or a remote access dial up application using one of those number generating fob things. I guess the application you mention is to do with this.

    Thirdly, what is Marimba? I noticed it a little while back and I don't think it's anything that I need or want, but I'm just a bit sceptical about deleting it - do you know what it is or does??

    So, with all that in mind, which of your procedures would I need to skip or include?

    Thanks again for your help, I'm very grateful.
    Jim
     
  6. jimmy5000

    jimmy5000 Private E-2

    I think I know what Marimba is - it's a piece of software that the systems people at Visteon use to deploy upgrades etc. to my laptop when I'm connected to the network, so I guess I probably shouldn't delete it.

    Cheers
    Jim
     
  7. abri

    abri MajorGeek

    Hi jimmy!

    Thanks about Visteon and Marimba. Everything can be done in the instructions except for deleting the two entries under Step 2 that I asked you about. You can leave those two. They're the O16 and O23 entries. I'll come back to the internet shortcuts key question later. I'm not sure what it is and want to ask about it. The idea of it is great, but not if it's malware.

    abri
     
  8. jimmy5000

    jimmy5000 Private E-2

    Hi Abri,
    Well, things seem to be much faster... I guess that means that something's worked!! I haven't seen any issues which would suggest I have registry problems at the moment.
    Please see attached logs as requested.

    Many thanks again for your help. Do I need to do anything else at this stage?

    Jim
     

    Attached Files:

  9. abri

    abri MajorGeek

    Hi Jimmy!

    I'm not sure what the internet shortcut registry key is, but I don't think it has anything to do with the infections in your computer and I would just leave it alone and see if anything new develops.

    I noticed that you don't have much in the way of Windows updates and you don't have SP2. SP2 incorporates a lot of previous updates and is therefore useful. I recommend that after you complete our final cleaning instructions, which include setting a clean restore point, you try and get that on your computer as it will close up a lot of vulnerabilities. If you have problems with it, you can simply return to the clean restore point we'll have you set. There's a special article from Microsoft about this:

    Get Your PC Ready for Windows XP SP2


    Also, I don't know if your McAfee has a two-way firewall, but I don't see a firewall listed in your logs. If you don't have one, it is important to get one, even if you're sitting behind a router. A hardware firewall helps but is not enough. It's important for you to be able to see which of your programs are trying to connect to the internet.

    1) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {8BD70A1C-D692-4B32-A3E1-CE4EC0F80B0E} - C:\WINDOWS\System32\byvtq.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

    When you finish fixing the above items, run the analyse.exe again and allow it to produce a log. Check if the above three items have been removed. The O2 entry above is a Vundo file, but you can see it's damaged already, so you should be able to get it out this time. The other two are startup items you don't need. If the entries (mainly the O2 entry) are gone, you can continue with the final instructions which I will post below:
    abri
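    The HijackThis entries abri picked out in posts 4 and 9 follow a small set of rules: "(no name)" BHOs, entries marked "(file missing)", and Winlogon Notify DLLs that are not part of Windows get fixed, while O16 ActiveX controls and O23 services are only ever queried with the owner (the Visteon and Marimba entries here). The script below is an added example written for this thread; it is not part of HijackThis, MGtools or MajorGeeks' own tooling. It parses HijackThis-style lines and applies those rules. The sample log is built from lines quoted in the thread plus one made-up benign BHO with a placeholder CLSID, and the Winlogon Notify allowlist is a short, assumed set of Windows XP DLLs that a real triage would replace with a known-good baseline for the same build.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log: the HijackThis lines quoted in this thread, plus one benign
# named BHO made up for contrast (placeholder CLSID, not a real add-on).
SAMPLE_LOG = r'''
O2 - BHO: (no name) - {1322C3BF-9315-48DA-BD2E-F0D8FB146D54} - C:\WINDOWS\System32\byvtq.dll
O2 - BHO: (no name) - {490928DD-87B9-4724-BF93-92F7C6D92B2A} - C:\WINDOWS\System32\fcccd.dll (file missing)
O2 - BHO: Example Toolbar - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\toolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} (Nsload Control) - https://vconnect.visteon.com/vpns/scripts/nsload.ocx
O20 - Winlogon Notify: fccdbxu - fccdbxu.dll (file missing)
O23 - Service: MarimbaNode - BMC Software, Inc. - C:\program files\marimba\tuner\Tuner.exe
'''

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")          # "O2 - BHO: ..." -> section code, body
DLL_RE = re.compile(r"([\w.-]+\.dll)\b", re.IGNORECASE)

# Assumed, partial allowlist of Winlogon Notify DLLs that ship with Windows XP.
# A real triage compares against a known-good baseline taken from the same build.
KNOWN_WINLOGON_NOTIFY = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                         "sclgntfy.dll", "wlnotify.dll", "termsrv.dll"}

# Sections a script must not decide alone: ActiveX controls (O16) and services (O23)
# are exactly the entries abri asked the owner to confirm before fixing.
CONFIRM_WITH_OWNER = {"O16", "O23"}


@dataclass
class Finding:
    code: str
    line: str
    verdict: str                       # "remove", "confirm" or "ok"
    reasons: list = field(default_factory=list)


def triage_line(line: str):
    """Classify one HijackThis entry; returns None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    reasons = []

    # A registry entry whose target file is gone is a leftover of a partial removal:
    # it does nothing useful any more and clearing it is safe.
    if "(file missing)" in body:
        reasons.append("dangling reference: registry still points at a file that no longer exists")

    # Browser Helper Objects load into every Internet Explorer process; legitimate
    # add-ons register a display name, the Vundo DLLs in this thread show "(no name)".
    if code == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("unnamed BHO: legitimate add-ons register a display name")

    # Winlogon Notify DLLs run inside winlogon.exe at every logon; anything outside
    # the known-good set is suspect.
    if code == "O20":
        d = DLL_RE.search(body)
        dll = d.group(1).lower() if d else ""
        if dll not in KNOWN_WINLOGON_NOTIFY:
            reasons.append(f"Winlogon Notify DLL '{dll}' is not in the known-good set")

    if reasons:
        verdict = "remove"
    elif code in CONFIRM_WITH_OWNER:
        verdict = "confirm"
        reasons.append("ActiveX control or service: keep only if the owner recognises it")
    else:
        verdict = "ok"
    return Finding(code, line.strip(), verdict, reasons)


def triage(log_text: str):
    """Triage every entry in a HijackThis-style log, skipping non-entry lines."""
    findings = [triage_line(raw) for raw in log_text.splitlines()]
    return [f for f in findings if f is not None]


def summary(findings):
    """Count verdicts; for SAMPLE_LOG this is {"remove": 3, "confirm": 2, "ok": 2}."""
    counts = {"remove": 0, "confirm": 0, "ok": 0}
    for f in findings:
        counts[f.verdict] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.verdict:8} {f.code:4} {f.line}")
        for r in f.reasons:
            print(f"              - {r}")
    print(summary(results))
```

    Run as-is it prints a verdict per line; point `triage()` at the text of a real log to reuse it. The "confirm" verdict is deliberate: the script never marks an O16 or O23 entry for removal, because, as this thread shows, the same entry can be a company VPN control on one machine and unwanted on another, and only the owner can tell.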
     
  10. jimmy5000

    jimmy5000 Private E-2

    Hi Abri,

    I followed all the instructions and everything seems to have been removed, just as you said. I gave it a few days to see if any issues cropped up, but all seems fine! Thanks very much once more for your help, it was greatly appreciated. I'll look at the updates as you suggest to help avoid future problems, however, I can't perform Windows updates myself as it appears to be locked somehow, presumably by the system administrators at Visteon who control where and when to roll out updates and software installations.

    Cheers
    Jim
     
  11. abri

    abri MajorGeek

    It might be worth asking, because it leaves every known vulnerability open to the world at large.

    I'm glad things are working better.
    Many happy endeavors (and work) to you and your computer!
    abri
     
