Need help w/ Virtumonde removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by RubyDist, Feb 9, 2008.

  1. RubyDist

    RubyDist Private E-2

    One of my W2k machines has acquired the virtumonde trojan. After trying the usual stuff (ccleaner, spybot, adaware, etc.) and failing, I jumped on this forum and found the link to VundoFix by Atribune.

    I downloaded and ran VundoFix according to the instructions, and it couldn't delete all of the files, so it said it would run again after reboot. However, the machine won't reboot. It gets to the 'Starting Windows 2000' page (the Windows page, past the DOS page) and it stops. I tried to reboot in safe mode, and then it hangs at the DOS page that says 'Starting Windows 2000'. Apparently, the little SOB has corrupted some system files...

    Where do I go from here? Is there any hope to avoid rebuilding the machine?
     
  2. RubyDist

    RubyDist Private E-2

    Success!! I was able to get it to reboot by booting to the OS install disk, telling it to repair an existing installation of Windows, going into Console mode, and then rebooting. At that point it booted fine.

    After doing this, VundoFix got into an endless loop: it would find a number of infected files, delete most of them, and find a few that couldn't be deleted. It would ask to run at reboot, and the same list of files couldn't be deleted. Apparently, at shutdown the pesky little SOB runs a process that puts one or more of its files at the top of the stack of DLLs to load...

    These files were: (all in c:\winnt\system32\)
    mljkjhf.dll
    xxyvv.dll
    vvyxx.ini
    vvyxx.ini2

    I booted to the OS install disk again, selected repair, went into Console mode and then deleted those files. The only one that was actually there was the first one - apparently it regenerates the others at bootup.

    Then, I rebooted and ran VundoFix again, and it came up clean. :)

    I am still running virus scans on that machine, but it looks like it was saved. (I'll post logs after they are all generated.)



    Now, at boot, it complains about a missing file crprolgf.dll - any guidance as to what this is for and how I can restore it?
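    The naming pattern in the file list above (a .dll whose companion .ini/.ini2 files carry the same stem spelled backwards, e.g. xxyvv.dll and vvyxx.ini) is a usable triage signal when you are staring at a system32 listing from the Recovery Console. The script below is an added example written for this thread, not VundoFix's logic or anything the poster ran: it takes a directory listing and a listing from a known-clean install (both constructed here; the clean baseline is a hypothetical stand-in for a real listing taken from an uninfected machine of the same service pack), flags unknown DLLs and their reversed-name companions, and prints the Recovery Console `del` commands to type, DLLs first, since the post shows the companion files are regenerated by the DLL at boot.

```python
"""Triage helper for Vundo-style reversed-name dll/ini pairs in system32.

Added example for this thread; not part of VundoFix. Offline-only: it works
from a file listing, so it can be fed the output of `dir` from the Windows
2000 Recovery Console or a listing taken over a rescue disc.
"""

# Constructed sample listing (NOT captured from the poster's machine). The four
# malicious names are the ones given in the post; the rest are ordinary files.
SAMPLE_LISTING = [
    "mljkjhf.dll", "xxyvv.dll", "vvyxx.ini", "vvyxx.ini2",
    "kernel32.dll", "ntdll.dll", "user32.dll", "win.ini", "system.ini",
]

# Assumed baseline: names present on a clean install of the same Windows 2000
# service pack. Hypothetical here; in practice dump it from a known-clean box.
CLEAN_BASELINE = {"kernel32.dll", "ntdll.dll", "user32.dll", "win.ini", "system.ini"}


def split_name(name):
    """Return (stem, extension) in lower case; 'VVYXX.INI2' -> ('vvyxx', 'ini2')."""
    stem, _, ext = name.lower().rpartition(".")
    return stem, ext


def find_reversed_pairs(listing):
    """Map each .dll to companion files whose stem is the dll stem reversed.

    This is the xxyvv.dll -> vvyxx.ini / vvyxx.ini2 pattern from the post.
    """
    by_stem = {}
    for name in listing:
        stem, _ = split_name(name)
        by_stem.setdefault(stem, []).append(name.lower())
    pairs = {}
    for name in listing:
        stem, ext = split_name(name)
        if ext != "dll":
            continue
        reversed_stem = stem[::-1]
        if reversed_stem != stem and reversed_stem in by_stem:
            pairs[name.lower()] = sorted(by_stem[reversed_stem])
    return pairs


def unknown_files(listing, baseline):
    """Names in the listing that do not appear in the clean baseline."""
    return sorted(n.lower() for n in listing if n.lower() not in baseline)


def triage(listing, baseline):
    """Return (dlls_to_delete_first, companion_files).

    DLLs come first because the post shows the .ini/.ini2 companions are
    regenerated at boot as long as the DLL survives.
    """
    pairs = find_reversed_pairs(listing)
    unknown = set(unknown_files(listing, baseline))
    dlls = sorted(n for n in unknown if n.endswith(".dll"))
    companions = sorted({c for dll in dlls for c in pairs.get(dll, [])})
    return dlls, companions


def recovery_console_commands(dlls, companions, sysdir=r"C:\WINNT\system32"):
    """Commands to type at the Recovery Console prompt, one file per `del`
    (the Recovery Console `del` does not take wildcards)."""
    return [rf"del {sysdir}\{name}" for name in list(dlls) + list(companions)]


if __name__ == "__main__":
    dlls, companions = triage(SAMPLE_LISTING, CLEAN_BASELINE)
    print("Reversed-name pairs:", find_reversed_pairs(SAMPLE_LISTING))
    print("Delete from the Recovery Console, in this order:")
    for cmd in recovery_console_commands(dlls, companions):
        print("  " + cmd)
```

A file that `del` refuses to remove from the Recovery Console is a different problem from the in-Windows case the post describes (nothing else is running there), so if that happens, check that the path was typed exactly as listed before assuming the file is protected.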
     
  3. RubyDist

    RubyDist Private E-2

    Okay, AVG found and killed some stuff, and I cleaned up a few more things with HijackThis. Here are the logs:
    Anything there that still needs to be killed?
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please uninstall HJT as it will be properly installed when you do the following:

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide
     
