Virtumonde

Discussion in 'Malware Help (A Specialist Will Reply)' started by roberts663, Nov 23, 2005.

  1. roberts663

    roberts663 Private E-2

    Hi
    This computer has been running fine, but Panda keeps detecting it since I fixed it. Here is my Panda log.
    Thanks
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. roberts663

    roberts663 Private E-2

    My HijackThis logs are all clean, but stuff keeps popping up in scans.
    - FixVundo says that IExplore is infected with a viral strain and that it cleans it, but it comes back, and I have a few remnants of other stuff like trojan droppers.
    - Symantec Trojan.Vundo Removal Tool 1.5.0:
    The process "IEXPLORE.EXE" might be affected by the threat. It has been suspended.
    The process "IEXPLORE.EXE" might be affected by the threat. It has been terminated.

    Trojan.Vundo has been successfully removed from your computer!
    - From F-Secure:
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP285\A0021268.dll Trojan-Downloader.Win32.Agent.yf
    - SpySweeper found Instant Access:
    10:16 AM: Quarantining All Traces: instant access
    10:16 AM: instant access is in use. It will be removed on reboot.
    10:16 AM: prohome[1].htm is in use. It will be removed on reboot.
    - Computer Associates online found 2 processes from Vundo in my System Volume Information.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    Please follow the steps below. (If you have already run ALL of the steps in the READ & RUN ME while running the Virtumonde aka Trojan Vundo Fix w/ Tool steps, then continue to the link on downloading, installing and running HijackThis.)

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the link below to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis

     
  5. roberts663

    roberts663 Private E-2

    I have run ALL the steps extensively with all the updated software, and managed to get all the Virtumonde off through the CA scanner. The tool process KillVundo doesn't remove everything; SpySweeper got rid of some, Ewido got rid of some and CA got the rest. The only thing that is left, I believe, is that trojan dropper that F-Secure detected. I have all these darn programs on my computer; I type in a wrong URL and all this stuff gets on. The computer is working fine, but I don't like stuff on my computer that doesn't have my permission to be on it. You never know what these programs are doing and what else can be put on with them.
    Here are my logs; one is from Kaspersky.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If Kaspersky is finding the below, then you probably did not disable System Restore.
    If you did disable System Restore (double check), then boot into safe mode and delete the file yourself.


    You can have HJT fix the below left over from uninstalling SpySweeper:
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    Here are a few other comments on your log. You can decide what you want to do yourself.

    BigFix is a resource hog that really is not required to run at startup.
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe

    For more info, see: http://www.bleepingcomputer.com/startups/BIGFIX.EXE-568.html

    I always recommend removing stuff like below, but if you are going to keep accessing those sites, they will just be installed again.
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
     
    Last edited: Nov 29, 2005
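The three HijackThis entry types quoted in the post above (O4 startup items, O9 browser buttons/menu items with a CLSID, and O20 Winlogon Notify DLLs, including the "(file missing)" marker) follow a regular text format. The Python below is an added example, not code from the thread or from HijackThis itself: it parses those lines into structured records, groups entries that share a CLSID (the two PartyPoker lines point at one component), and attaches a short reviewer note per entry. The sample log is constructed from the lines quoted in the thread, and the triage wording and section weighting are this example's own assumptions, not HijackThis output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the entry lines quoted in chaslang's post, verbatim.
SAMPLE_LOG = r"""
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# "<section> - <kind>: <rest>"; kind stops at the first colon, so drive
# letters inside <rest> (C:\...) do not confuse the split.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = "(file missing)"


@dataclass
class Entry:
    section: str            # "O4", "O9", "O20", ...
    kind: str               # "Global Startup", "Winlogon Notify", ...
    name: str               # display name or registry value name
    target: str             # file or path the entry points at
    clsid: Optional[str]    # COM class id (O9-style entries), if present
    file_missing: bool      # HijackThis could not find the referenced file
    raw: str


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HijackThis log line; return None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    file_missing = MISSING in rest
    rest = rest.replace(MISSING, "").strip()
    clsid_m = CLSID_RE.search(rest)
    clsid = clsid_m.group(0) if clsid_m else None
    if clsid:
        rest = rest.replace(clsid, "")
    # O4 items use "name = path"; the other sections here use "name - target".
    sep = " = " if " = " in rest else " - "
    parts = [p.strip() for p in rest.split(sep) if p.strip()]
    name = parts[0] if parts else ""
    target = parts[-1] if len(parts) > 1 else ""
    return Entry(m.group("section"), m.group("kind"), name, target,
                 clsid, file_missing, line.strip())


def parse_log(text: str) -> List[Entry]:
    entries = [parse_entry(ln) for ln in text.splitlines() if ln.strip()]
    return [e for e in entries if e is not None]


def group_by_clsid(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Entries sharing a CLSID are one installed component shown under several hooks."""
    groups: Dict[str, List[Entry]] = {}
    for e in entries:
        if e.clsid:
            groups.setdefault(e.clsid, []).append(e)
    return groups


def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Attach a reviewer note to each entry (wording is this example's assumption)."""
    notes = []
    for e in entries:
        if e.file_missing:
            note = "stale: referenced file is absent, leftover entry that can be fixed"
        elif e.section == "O20":
            note = "Winlogon Notify DLL loads at logon: confirm the DLL is expected"
        elif e.section == "O4":
            note = "startup item: confirm the program is wanted at boot"
        elif e.section == "O9":
            note = "browser button/menu item: removable, reinstalls if the site is used again"
        else:
            note = "not classified by this example"
        notes.append((e, note))
    return notes


if __name__ == "__main__":
    for entry, note in triage(parse_log(SAMPLE_LOG)):
        print(f"{entry.section:<4} {entry.name:<20} {entry.target:<45} {note}")
```

Running it prints one line per entry with the note; the O20 line is reported as stale because of the "(file missing)" marker, which is the same conclusion the post reaches about the SpySweeper leftover.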
  7. roberts663

    roberts663 Private E-2

    Okay, looks like that worked. Amazing how this stuff gets on PCs so easily. I have a lot of protection stuff on my computer; when I misspell a URL, I must have gotten a few new strains.
    Thank you
     
  8. roberts663

    roberts663 Private E-2

    Which poker software is malware free and which ones cause problems? I didn't know that poker software comes packed with malware.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not really convinced that any of them are that good. And I just don't trust them or the stuff on sites like that to be free of malware. I would not recommend any of them. They are all use at your own risk just like P2P programs people use for downloading.
     
