Spyware.Virtumonde -- Can't Remove -- Please Help

Discussion in 'Malware Help (A Specialist Will Reply)' started by elie_isha, Sep 2, 2005.

  1. elie_isha

    elie_isha Private E-2

    I have a Toshiba M30 laptop with the following:
    • 1.5MHz Centrino
    • 512 MB RAM
    • 60GB HardDrive
    • Windows XP Service Pack 2

    I received a message a couple of weeks ago that something was attempting to either access or add a BHO, and I was prompted to block it or not. I could've sworn that I answered to block it, but since then I have had pop-ups and slowdowns. I ran everything I had, Ad-Aware, Spybot, MS Anti-Spyware, Yahoo Anti-Spy, CWShredder, CCleaner and Ewido. I've run other things that were mentioned in similar posts to no avail. But it was Ewido that detected the VirtuMonde spyware, yet it was not successful in cleaning it. I had also downloaded Symantec's tool to remove the VirtuMonde bug, but it didn't even find it.

    Ewido did find the infected file being c:\windows\web\printers\acctapi.dll. But as I said, this file isn't actually "cleaned," as it always remains on my computer. Of course, when I tried deleting the file manually, the system says that something is using it and it cannot be deleted.

    I have read the numerous threads on this subject, but could not see a similarity in the files that needed to be deleted using HJT. I have turned off System Restore and run HJT in Safe Mode.

    Can someone please diagnose the log that was generated and help me clean my computer?? Thank you for any help.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read the announcement and sticky threads. HJT logs should only be posted when requested and then they must be attachments to your message. Also note that HJT must be installed properly and must be run from normal boot mode.


    Please run the steps below.

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem, boot into normal mode and make sure you follow these directions:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

    Then download the below tools and extract them to their own folders (someplace you will be able to find them later).

    - Process Explorer 9.2

    - Pocket KillBox

    Do not run them now! Just download and extract them for later use. We will need them to make the final fixes for the Virtumundo problem.
     
  3. elie_isha

    elie_isha Private E-2

    O.K. I've done everything that was suggested as far as running the various virus scans and have downloaded the applications that I need going forward. The Virtumonde virus still exists on my laptop, though. Again, the infected file is C:\WINDOWS\Web\printers\acctapi.dll.

    Attached is the latest Hijack This file.

    I do appreciate your assistance with this.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of acctapi.dll once and then click the kill button. After you have killed all of the acctapi.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of acctapi.dll then click the kill button. Once you have done that click ok again. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Web\printers\acctapi.dll
    O15 - Trusted Zone: www.excite.com
    O15 - Trusted Zone: *.xdrive.com
    O20 - Winlogon Notify: acctapi - C:\WINDOWS\Web\printers\acctapi.dll

    Copy the bold text below to notepad. Save it as fixVundo.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

    C:\WINDOWS\Web\printers\acctapi.ini
    C:\WINDOWS\Web\printers\acctapi.ini2
    C:\WINDOWS\Web\printers\acctapi.bak
    C:\WINDOWS\Web\printers\acctapi.bak2
    C:\WINDOWS\Web\printers\acctapi.tmp
    C:\WINDOWS\Web\printers\acctapi.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log.
     
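Editor's note: the fix above works because Vundo/Virtumonde persists twice with the same DLL: once as a Browser Helper Object (the O2 line, which gets it loaded into Internet Explorer and explains the pop-ups) and once as a Winlogon Notify package (the O20 line, which gets it mapped into winlogon.exe at logon, so the file is always in use and cannot be deleted normally). That is why the thread first kills the DLL's threads under winlogon.exe and explorer.exe, then removes the registrations with HJT, then queues the file for delete-on-reboot with Killbox. The script below is an added example, not code from the thread or from HijackThis; it parses HJT-style O2/O15/O20 lines and applies exactly that reasoning to flag the Vundo pattern, then builds the same .ini/.ini2/.bak/.bak2/.tmp/.dll deletion list the reply hands to Killbox. The log text is a constructed sample (the four lines quoted in the reply plus typical benign entries); the system root is assumed to be C:\WINDOWS as on the poster's laptop.

```python
import ntpath
import re

# Constructed sample HijackThis-style log: the four entries quoted in the
# thread plus benign lines that would normally appear on a Windows XP SP2 box.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Web\printers\acctapi.dll
O15 - Trusted Zone: www.excite.com
O15 - Trusted Zone: *.xdrive.com
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: acctapi - C:\WINDOWS\Web\printers\acctapi.dll
O23 - Service: Ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")

# Assumption: SystemRoot is C:\WINDOWS, as on the poster's machine.
SYSTEM32 = "c:\\windows\\system32\\"
WINDIR = "c:\\windows\\"

# Side files Vundo keeps next to its DLL, in the order the thread feeds Killbox
# (side files first, the DLL itself last).
VUNDO_SIDE_FILES = (".ini", ".ini2", ".bak", ".bak2", ".tmp", ".dll")


def normalize(path: str) -> str:
    return path.strip().lower()


def outside_system32(path: str) -> bool:
    """True if a DLL is loaded from anywhere other than %SystemRoot%\\system32.

    HJT prints a bare file name (e.g. 'crypt32.dll') when the Winlogon Notify
    DllName is unqualified; Windows resolves that from system32, so a bare
    name counts as in-place.
    """
    p = normalize(path)
    if "\\" not in p:
        return False
    return not p.startswith(SYSTEM32)


def parse_log(text: str):
    """Split an HJT log into (BHOs, Winlogon Notify entries, Trusted Zone hosts)."""
    bhos, notifies, zones = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            bhos.append((m["name"], m["clsid"], m["path"]))
        elif m := O20_RE.match(line):
            notifies.append((m["key"], m["path"]))
        elif m := O15_RE.match(line):
            zones.append(m["host"])
    return bhos, notifies, zones


def analyze(text: str):
    """Return (severity, hjt_type, target, reason) tuples for suspicious lines."""
    bhos, notifies, zones = parse_log(text)
    notify_paths = {normalize(p) for _, p in notifies}
    findings = []
    for key, path in notifies:
        if outside_system32(path):
            findings.append(("HIGH", "O20", path,
                             f"Winlogon Notify '{key}' loads a DLL from outside system32; "
                             "it is mapped into winlogon.exe, so the file stays locked"))
    for name, clsid, path in bhos:
        if normalize(path) in notify_paths:
            findings.append(("HIGH", "O2", path,
                             f"BHO {{{clsid}}} ('{name}') is the same DLL as a Winlogon Notify "
                             "entry: dual persistence, the Vundo/Virtumonde pattern"))
        elif normalize(path).startswith(WINDIR) and outside_system32(path):
            findings.append(("MEDIUM", "O2", path,
                             f"BHO {{{clsid}}} lives under the Windows directory but not in system32"))
    for host in zones:
        findings.append(("LOW", "O15", host,
                         "Trusted Zone entry relaxes IE security for this host; remove unless you added it"))
    return findings


def dlls_to_remove(findings):
    """Distinct DLL paths behind HIGH findings, i.e. what goes to Killbox."""
    return sorted({target for sev, _, target, _ in findings if sev == "HIGH"}, key=str.lower)


def vundo_file_set(dll_path: str):
    """The delete-on-reboot list for one Vundo DLL, mirroring the thread's order."""
    stem, _ = ntpath.splitext(dll_path)
    return [stem + ext for ext in VUNDO_SIDE_FILES]


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for sev, typ, target, why in found:
        print(f"[{sev}] {typ} {target}\n        {why}")
    for dll in dlls_to_remove(found):
        print("Killbox delete-on-reboot queue for", dll)
        for f in vundo_file_set(dll):
            print("   ", f)
```

Run as-is it flags the acctapi.dll O20 line, the matching O2 BHO, and the two Trusted Zone hosts, and emits the six-file Killbox queue from the reply above; point it at a real log by reading the file into `analyze()` instead of `SAMPLE_LOG`. The dual-registration check is the useful part: a BHO path that also appears as a Winlogon Notify DLL is not something legitimate software does, and a Notify DLL that is locked inside winlogon.exe is exactly the case where a delete-on-reboot tool is needed rather than a plain delete.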
  5. elie_isha

    elie_isha Private E-2

    It appears that the acctapi.dll is gone from my laptop. It may be too early to tell if the Virtumonde spyware is completely gone, too, but it looks good so far.

    Attached is the updated HJT log. Thanks again for your help.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  7. elie_isha

    elie_isha Private E-2

    Hey, man. You really saved my ass. I really really really appreciate your help with this. I would have had no clue how to get rid of this ridiculous piece of spyware without someone guiding me through the process.

    I hope you continue to provide your assistance to others like myself. You were a true godsend.

    Thanks again.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Surf safely!
     
