Help Pleeeez!: Virtumonde is killing me!!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by letsgojets, Nov 26, 2004.

  1. letsgojets

    letsgojets Private E-2

    Hello,

    I have spent the past few days reading as much as possible here about the Virtumonde/virtumondo/stopguard trojan. I have tried so much and still seem to have this trojan. Here is a recap of what I have tried:

    1st, I followed Major Attitude's "DO NOT POST UNTIL YOU READ THIS: How to: Spyware, Trojan and Virus Removal" thread. I am using Windows XP Home Edition and I disabled system restore, enabled viewing of hidden files, unchecked hide file extensions, unchecked hide protected operating system files.

    I did an online scan at Trend Micro's online Scan - found nothing.
    I did an online scan at Symantec Security Check, which found the Vundo items. I had Norton Internet Security ("NIS") 2004 that came with this new pc, but it expired in 10/2004. It appeared that NIS could fix this, so I decided to renew and upgrade my NIS and I purchased the download of NIS 2005. I have not been able to install this and won't go too much into this, because I will go on forever...... that seems to be another problem I need to figure out.

    I ran AVERT Stinger - found nothing.

    I rebooted in "Safe mode with networking" and cleaned the hard drive with CCleaner ("Delete Index.dat" was checked)

    I ran Ad-Aware SE (Ad-Aware VX2 plugin was installed) and Spybot (Immunize feature was turned on)

    Nothing completely removed the Virtumonde trojan.

    Before I came here to post this request for help, I browsed through the threads related to this and see that Symantec has a Removal Tool. I was very excited when I saw this. I tried that and it claimed to have removed it, but I reboot and ran Ad-Aware and it is still there!!! UGH!

    I have attached my HJT log (made after fresh reboot, with no applications or browser windows open and I exited the apps in the System Tray). I would be extremely grateful if someone would take a look and help me out.

    Thanks
     


  2. sosaman

    sosaman Sergeant Major

    if you still suspect that trojan, then i would try/run another anti-virus to see if it finds it and/or deletes it? i normally use my dos scan 1st, then follow the instructions posted in the "DO NOT POST UNTIL YOU READ THIS:", and it normally goes a lot smoother. i have found that different antivirus (like spyware programs), find different things, meaning that one might not find anything, but the other(s) pick up on something else. - sosaman

    http://majorgeeks.com/download1968.html <-- avast home edition. this normally does a dos scan in-between reboot (1st setup).

    Removed <-- this is a program that i got from mcafee, (it's a dos scan) and have it hosted on my site.


    instructions for dos scan (in case you're interested):

    Check for Viruses Using Scan

    1. Go to Removed
    2. A File Download box appears. Click OK.
    3. Save DOS-Scan.zip to your Desktop.
    4. Once downloaded, close all windows.
    5. Right-click dailyscan.zip on your desktop.
    6. Click Extract to or double-click the file and click Extract.
    7. In the 'Extract to' field, type C:\SCAN
    8. Click Extract.
    9. Restart the computer.

    Windows 2000/XP

    1. You can get to a command prompt in Windows 2000 by going into Safe Mode with Command Prompt.
    2. If the computer is on: select Start | Shutdown | Restart.
    3. If the computer is off, turn it on.
    4. When you see the opening splash screen, hold down F8 on the top row of the keyboard or hold down the CTRL key. NOTE: On some computers, if you press F8 too soon you'll get a keyboard error; if this happens, hit the F1 key to continue.
    5. The Windows 2000 (or XP) Advanced Options Menu will come up. Choose Safe Mode with Command Prompt.
    Login.

    Scan Instructions

    1. Type CD\
    2. Press the Enter key
    3. At the C:\ prompt, type CD SCAN
    4. Press the Enter key.
    5. At the C:\SCAN prompt, type SCAN /ADL /CLEAN /ALL /REPORT REPORT.TXT
    6. Press the Enter key.
    Note: The scanner will look at all files on all local drives and attempt to clean the files. An activity report called REPORT.TXT will also be created in the C:\SCAN directory. To view the report in DOS, type REPORT.TXT and press Enter.
    7. Once the scan finishes, exit DOS and restart the computer.



    what i change:

    i normally run it in "safe mode" without command prompt (and have had no problems).

    start --> run --> type "command" (and follow the scan instructions that i posted here)

    also, i normally rename the file if i think i'm going to run it more than once, so i don't accidentally erase the original .txt file.

    C:\SCAN prompt, type SCAN /ADL /CLEAN /ALL /REPORT REPORT.TXT
    ^
    this is the file name

    C:\SCAN prompt, type SCAN /ADL /CLEAN /ALL /REPORT Report1.txt <-- (then if you run it again, just name the 2nd one "Report2.txt", etc.)
     
    Last edited by a moderator: Feb 17, 2005
  3. PhilliePhan

    PhilliePhan Guest

    Hi Jets,

    If Sosaman's suggestions don't do the job, I'll whip up a generic fix for you when I get a chance tonight.
    I suggest trying Symantec's removal tool again, as well. They may have updated it - Did you visit their site for more info? Let us know where you stand & we'll get you fixed up!

    Best luck :)
    PP
     
  4. sosaman

    sosaman Sergeant Major

    oops, i didn't notice that my arrow to file name got messed up!

    REPORT REPORT.TXT <-- after REPORT "REPORT.TXT" is the file name that gets created (that's what i rename), like what i said earlier! the whole line (command) is not the file name. - sosaman
     
  5. letsgojets

    letsgojets Private E-2

    Sosaman and Phillie, thanks a ton for your response.

    Sosaman - I downloaded Avast and ran the DOS scan. After the DOS scan, the pc launched into Windows and I ran a scan again from there. It did not show any problems.

    I downloaded the second DOS scan (the one from Mcafee) per your instructions and the result is:

    Summary report on C:\*.*
    File(s)
    Total files: ........... 57900
    Clean: ................. 57880
    Possibly Infected: ..... 0
    Cleaned: ............... 0
    Non-critical Error(s): 1
    Master Boot Record(s): ......... 1
    Possibly Infected: ..... 0
    Boot Sector(s): ................ 1
    Possibly Infected: ..... 0

    Phillie: I went to the Symantec Vundo tool link and re-downloaded the tool to the desktop. I noticed that Symantec said to disconnect from the internet if you have an always-on connection like DSL or cable. I have cable and did not do this before, so I pulled the ethernet cable from the pc before running the tool. The tool reported that my pc did not have the vundo trojan.

    I then ran Ad-aware to see if it still reports the Virtumonde malware and it does. This is what Ad-aware reports:

    Virtumonde - Malware - Regkey - Location:atlevents.atlevents.1
    Virtumonde - Malware - RegValue - Location:atlevents.atlevents.1 ""
    Virtumonde - Malware - Regkey - Location:atlevents.atlevents
    Virtumonde - Malware - RegValue - Location:atlevents.atlevents ""


    I am still convinced I have this bugger, especially because of the Ad-aware report and the fact that almost everything is slow to react with my computer. Applications are taking a long time to launch and web browsing is slow.

    Phillie, if there is anything you can find from my HJT report and there is some fix you could whip up, I would be so thankful. I ran the HJT report upon a fresh reboot with no apps running.

    Thanks guys.......
     


  6. PhilliePhan

    PhilliePhan Guest

    Hi Letsgojets,

    I believe that it is against the rules for a Dolphins fan to help a Jets fan. I’ll make an exception - this time! ;)


    This is my generic fix for Stopguard/Virtumundo-related malware infections. I have had a lot of success with it, but there have been some failures as well.

    ALSO NOTE that the tough part is nailing that pesky running process that always springs back to life. To do this, I use the Delete a File on Reboot option in HijackThis. If you do this successfully, that process will be Deleted before it ever gets a chance to run! This should work every time. Please make sure to enter the correct path for the file to be deleted. If, for some reason, you are not able to delete the file in question, please try again before posting back.

    ANYHOO:
    Please print out these instructions so that you can operate with All Browser Windows CLOSED. Please follow the instructions very carefully - Do them in the exact order given.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    FIRST:
    Look in C: > WINDOWS > PREFETCH & Delete tcptask.exe ( or any tcptask or ksatpct entries) if found. If it is easier, you can go ahead and delete all of the files in the Prefetch Folder – It’s a good idea to do this every couple of months anyway. ( Do Not Delete The Prefetch Folder Itself )

    ALSO: take a look inside the C:\WINDOWS\Web Folder for any backups (tcptask.bak & ksatpct.bak etc. . . ) – Note that they will probably be Hidden Files – Delete the ones that allow you to do so.

    NOW:
    Run HijackThis and Check the Boxes for the Following:

    O2 - BHO: CATLEvents Object - {30279F2D-1A38-4785-97D4-5C3508BDB289} - C:\DOCUME~1\John\LOCALS~1\Temp\ksatpct.dat

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    O4 - HKLM\..\Run: [*nutvss] C:\WINDOWS\system\nutvss.exe

    O4 - HKLM\..\Run: [*librun] C:\WINDOWS\assembly\librun.exe

    O4 - HKLM\..\Run: [*svcbas] C:\WINDOWS\Microsoft.NET\svcbas.exe

    O4 - HKLM\..\Run: [*tcptask] C:\WINDOWS\Web\tcptask.exe

    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)


    Click FIX and then, while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, Enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\Web\tcptask.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click OKAY and DO NOT REBOOT AGAIN.

    THEN:
    Use Windows Explorer to run a search of your computer for:

    tcptask
    ksatpct
    nutvss
    librun
    svcbas


    and DELETE the related files. (We especially want to get rid of tcptask.ini & tcptask.dat & tcptask.bak AND ksatpct.ini & ksatpct.dat & ksatpct.bak + any other related crap.) It is important that you be thorough with this search. These files seem to like to hide all over your computer and have a nasty habit of resurrecting themselves if you do not get them ALL. So, when you find them, search the associated folders carefully for any hidden remnants!

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Attach a fresh HJT log. How are things running? Let me know of any problems that you may have encountered with the above instructions.

    You may want to try running the Symantec tool again, as well.

    ALSO, once your machine is clean, you should visit Windows Updates and get updated.

    Best luck :)
    PP
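    The HijackThis lines listed in the fix above share a few traits that can be checked mechanically: a BHO loading from a user's Temp folder, unnamed BHO/toolbar entries, Run entries pointing at .exe files dropped directly into odd C:\WINDOWS subfolders (Web, assembly, system, Microsoft.NET), and orphaned entries whose file is already gone. The Python script below is an added example, not a MajorGeeks or HijackThis tool: it parses O2/O3/O4/O9 lines in the shape HijackThis prints, gives each a verdict using those heuristics (assumptions drawn from this thread, not HijackThis's own rules), and derives the file stems to search the disk for afterwards, which come out matching the search list in the post. The sample log is the thread's own entries plus two constructed benign lines with a placeholder CLSID.

```python
"""Triage of HijackThis-style log lines for the Virtumonde/Vundo traits in this thread.

Added example (not a MajorGeeks or HijackThis tool). Line shapes are the ones
HijackThis prints (O2 BHO, O3 Toolbar, O4 Run, O9 Extra button); the heuristics
are assumptions drawn from what the thread treats as bad.
"""
import re
from pathlib import PureWindowsPath

HJT_LINE = re.compile(r"^(?P<section>O\d+) - (?P<rest>.*)$")
O4_RUN = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
ORPHAN = re.compile(r"\((?:no file|file missing)\)", re.IGNORECASE)

# Constructed sample log: the entries from the fix above, plus two benign
# entries (constructed, placeholder CLSID) so the triage has something to keep.
SAMPLE_LOG = r"""
O2 - BHO: CATLEvents Object - {30279F2D-1A38-4785-97D4-5C3508BDB289} - C:\DOCUME~1\John\LOCALS~1\Temp\ksatpct.dat
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [*nutvss] C:\WINDOWS\system\nutvss.exe
O4 - HKLM\..\Run: [*librun] C:\WINDOWS\assembly\librun.exe
O4 - HKLM\..\Run: [*svcbas] C:\WINDOWS\Microsoft.NET\svcbas.exe
O4 - HKLM\..\Run: [*tcptask] C:\WINDOWS\Web\tcptask.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\example.exe
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\ExampleApp\helper.dll
"""


def parse_line(line):
    """Return {'section', 'name', 'target'} for one HJT line, or None if not one."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, rest = m.group("section"), m.group("rest")
    if section == "O4":                      # "HKLM\..\Run: [name] path"
        r = O4_RUN.match(rest)
        if not r:
            return None
        name, target = r.group("name"), r.group("target")
    else:                                    # "Kind: name - {CLSID} - path"
        parts = rest.split(" - ")
        name = parts[0].split(": ", 1)[-1]
        target = parts[-1]
    return {"section": section, "name": name.strip(), "target": target.strip()}


def classify(entry):
    """Attach a verdict ('suspect', 'orphan' or 'clean') plus the reasons."""
    reasons = []
    target = entry["target"]
    path = PureWindowsPath(ORPHAN.sub("", target).strip())
    parts = [p.lower() for p in path.parts]
    if "temp" in parts:
        reasons.append("component loaded from a Temp folder")
    if entry["name"] == "(no name)":
        reasons.append("unnamed BHO/toolbar")
    # Assumed heuristic: an .exe sitting directly in a C:\WINDOWS\<sub> folder
    # other than system32 (tcptask, nutvss, librun, svcbas all fit this shape).
    if (entry["section"] == "O4" and len(parts) == 4 and parts[1] == "windows"
            and parts[2] != "system32" and path.suffix.lower() == ".exe"):
        reasons.append("executable planted in an unusual WINDOWS subfolder")
    if reasons:
        verdict = "suspect"
    elif ORPHAN.search(target):
        verdict = "orphan"
        reasons.append("registry entry points at a file that no longer exists")
    else:
        verdict = "clean"
    return dict(entry, verdict=verdict, reasons=reasons)


def triage(log_text):
    """Parse and classify every recognised line of an HJT log."""
    entries = [parse_line(line) for line in log_text.splitlines()]
    return [classify(e) for e in entries if e]


def search_terms(results):
    """File stems to hunt for on disk after fixing the suspect entries
    (mirrors the 'search your computer for' step in the thread)."""
    stems = set()
    for r in results:
        if r["verdict"] != "suspect":
            continue
        path = PureWindowsPath(ORPHAN.sub("", r["target"]).strip())
        if path.stem:
            stems.add(path.stem.lower())
    return stems


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for r in results:
        print(f"{r['verdict']:7} {r['section']} {r['name']!r:20} {r['target']}")
        for reason in r["reasons"]:
            print(f"         - {reason}")
    print("search the disk for:", ", ".join(sorted(search_terms(results))))
```

    Orphaned entries (the "(no file)" and "(file missing)" lines) are dead registry references rather than running code; they are removed for tidiness, while only the suspect entries feed the disk search list.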
     
  7. sosaman

    sosaman Sergeant Major

    you might want to check this out? i believe it's a full blown version for 30 days, meaning updates, and removal (something like that). anyway, i also use this in my arsenal, when i'm working on stuff, have fun and good luck! - sosaman

    http://www.intermute.com/spysubtract/

    http://toolbar.yahoo.com/ <-- yahoo toolbar for internet explorer (the popup blocker works good (too good sometimes, as it blocks legit stuff), and the antispy works decent, sometimes catches stuff others miss.)
     
  8. letsgojets

    letsgojets Private E-2

    I think I am finally clean!!!!!!!!!!!!!!!!!!!!!!!!

    Phillie - First off, I am sorry about the Fins. Although I hate them to death, I have compassion for their fans, because I've been there as a Jets fan.

    I followed your instructions precisely as written. I initially could not delete a couple of the problem files (tcptask) from C:\WINDOWS\WEB, because they were being used by another application.

    I ran HijackThis and fixed the items you listed and ran the "DELETE A FILE ON REBOOT" for tcptask.exe (fyi - I knew this was a problem file from checking the running processes and every time I ended the process, it would come back. I noticed from other threads that others had the same type of problem file, but named something else. This trojan must name the files randomly or something?)

    I rebooted in safe mode and searched for the files listed and deleted all that was found. The ones found were tcptask and ksatpct.

    I ran CCleaner and Spybot. Spybot found 2 ATLEvents problems and I had it fix them. Then I ran cleanmgr and checked off Temporary Files, Temporary Internet Files and Recycle Bin.

    I rebooted normally and ran the Symantec tool again (I even went to the site to launch it new in case they updated it from the last time I ran it). It said that Trojan.Vundo was not found on the pc.

    I ran AdAware again, because this always was saying I still had the Virtumonde malware, and it said I had no problems!!!!!!!

    I updated Windows and it installed a Service Pack and I now have it set for Automatic Updates.

    My pc is humming now and it is such a relief!!!!!!!

    I have the Avast! On-Access Scanner running now, but I think it is conflicting with Outlook, because when I try to Send/Receive messages it times out. I have to terminate the Avast to Send/Receive messages?

    Most importantly though, I think I have finally ridded my computer of this nasty Vundo crap. I want to thank you so much for your help!!!!

    Attached is the new HJT log, which I think is clean.

    Again, thanks........ Oh.. I am guessing there is a place here to send donations through Paypal and I am going to find it and send one. It won't be much, but I figure if everyone were to, it would help.

    Again, thanks for your time in helping a distressed virus victim.

    --JB
     


  9. PhilliePhan

    PhilliePhan Guest

    Your log looks good! Happy to be able to help :) I'm sure Major Attitude would be thrilled if you purchased a MGs T-shirt ;)

    I'm not sure about your Outlook/Avast issue - Try the Software Forum, maybe?

    Here is the canned "Recommendations" speech:

    How to protect yourself from malware!

    I definitely recommend that you use the following tools:
    Ad-Aware SE Personal

    SpyBot-Search & Destroy - Remember to use the "Immunize" feature

    SpywareBlaster

    These are all FREE! Just remember to Internet Update them regularly! They, along with a good Anti-Virus and Firewall & keeping your Windows up-to-date will do wonders in helping to keep Malware off your computer!

    Best Regards (even for a Jets fan:) )
    PP
     
  10. letsgojets

    letsgojets Private E-2

    Thanks again Phillie!

    I just ordered a MG T-Shirt and will wear it with pride.

    --JB
     
  11. PhilliePhan

    PhilliePhan Guest

    You're welcome! :D
     
