Overclock.net › Forums › Software, Programming and Coding › Networking & Security › Virtumonde Help Needed BADLY!!!
Virtumonde Help Needed BADLY!!!

post #1 of 22
Thread Starter 
As the title implies, my computer is now infected with the Virtumonde virus. I have removed plenty of viruses from friends' and families' computers, but this one is proving to be a little bit more persistent in its attempts to ruin my computer.

For starters, I have scanned with Spybot and I know where all of the files and registry installments were made. I booted into safe mode and deleted the majority of the files and all but two registry entries that were causing problems. A few were left over and I knew that once I shut down my computer and turned it back on, the virus would just replicate itself and sure enough, it did.

I'm having problems deleting some .dll files that have been installed onto my computer. If I try to delete them, it tells me that they are being used by another program and it won't let me touch them. I have tried deleting them by using the command prompt but that failed as well.

The symptoms I'm getting from this are as follows: when I try to access any of my folders, Explorer restarts itself. I get lots of pop-ups, obviously, and the virus has slowed my internet to a crawl (which has pissed me off more than anything).

Please, if anyone knows how to get this **** off of my computer I will be forever in your debt. If you need additional information please let me know and I will gladly provide it for you.
post #2 of 22
Thread Starter 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:37:53 PM, on 4/4/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\RivaTuner v2.06\RivaTuner.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {2A81196C-D492-40A2-A1CF-6CC9119CA7D9} - C:\Windows\system32\awtsQGXr.dll
O2 - BHO: {b1266623-05af-77da-ce44-6f555402c6b8} - {8b6c2045-55f6-44ec-ad77-fa503266621b} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.06\RivaTuner.exe" /T
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\yayyVnLb.dll,#1
O4 - HKLM\..\Run: [b624a855] rundll32.exe "C:\Windows\system32\rbinofpu.dll",b
O4 - HKLM\..\Run: [BMb5179bc9] Rundll32.exe "C:\Windows\system32\mjwoypwt.dll",s
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [{F6E52582-3DE9-3AF4-0282-4B41CC538014}] C:\Users\Anthony\AppData\Roaming:kb11.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{39244AE6-A690-49ED-9C61-DF76FA612998}: NameServer = 24.25.5.1,24.25.5.150
O17 - HKLM\System\CCS\Services\Tcpip\..\{75813100-7247-4390-8C9C-4313E11813BD}: NameServer = 192.168.1.1,24.25.5.150
O17 - HKLM\System\CCS\Services\Tcpip\..\{918DF226-5E74-4B12-BD1C-8F0BD05C8F79}: NameServer = 24.25.5.150,24.25.5.149
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe


There is my HijackThis log. I can't get rid of "awtsQGXr.dll" no matter what I try to do. I've tried using the kill-on-reboot function in HJT but that didn't work, and manually deleting it won't work either. I've run out of ideas, so if somebody knows how to get this off please let me know.
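The log above is the kind of thing a responder reads by hand, looking for the same three patterns the poster is fighting: a BHO with no name, autostart entries that load an eight-letter DLL from system32 through rundll32.exe with an ordinal or one-letter entry point, and an autostart whose target lives in an NTFS alternate data stream (the `Roaming:kb11.exe` entry). The following Python triage script is an added example, not code from the thread or from HijackThis; the sample lines are copied from the log posted above, and the heuristics (eight-letter DLL stem, system32 location, `#n` or single-letter entry point) are assumptions chosen to match that log. It only flags lines for a human to review; it deletes nothing.

```python
import re
from dataclasses import dataclass

# Sample input, constructed for this example: the first five lines are copied
# from the HijackThis log posted in this thread; the last two are standard
# Windows entries from the same log, included so the rules have something to ignore.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {2A81196C-D492-40A2-A1CF-6CC9119CA7D9} - C:\\Windows\\system32\\awtsQGXr.dll
O2 - BHO: {b1266623-05af-77da-ce44-6f555402c6b8} - {8b6c2045-55f6-44ec-ad77-fa503266621b} - (no file)
O4 - HKLM\\..\\Run: [MSServer] rundll32.exe C:\\Windows\\system32\\yayyVnLb.dll,#1
O4 - HKLM\\..\\Run: [BMb5179bc9] Rundll32.exe "C:\\Windows\\system32\\mjwoypwt.dll",s
O4 - HKCU\\..\\Run: [{F6E52582-3DE9-3AF4-0282-4B41CC538014}] C:\\Users\\Anthony\\AppData\\Roaming:kb11.exe
O4 - HKLM\\..\\Run: [Windows Defender] %ProgramFiles%\\Windows Defender\\MSASCui.exe -hide
O4 - HKUS\\S-1-5-19\\..\\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""


@dataclass
class Finding:
    rule: str     # which heuristic fired
    detail: str   # the path or object the rule keyed on
    line: str     # the original log line, kept for the reviewer


# Thresholds below are assumptions for this example, chosen to match the
# pattern in the thread's log: an 8-letter DLL in system32 loaded by
# rundll32 with an ordinal (#1) or one-letter (b, s) entry point.
RUNDLL_RE = re.compile(
    r'rundll32\.exe\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<entry>\S+)', re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r'^[A-Za-z]{8}$')
ENTRY_RE = re.compile(r'^(#\d+|[A-Za-z])$')
DRIVE_PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\[^"\s]+)')


def check_bho(line):
    """O2 entries: a BHO with no display name or no backing file is worth a look."""
    if not line.startswith('O2 - BHO:'):
        return None
    if '(no name)' in line or '(no file)' in line:
        return Finding('bho-anonymous', line.rsplit(' - ', 1)[-1], line)
    return None


def check_rundll(line):
    """O4 entries that run a random-looking system32 DLL via rundll32."""
    m = RUNDLL_RE.search(line)
    if not m:
        return None
    dll, entry = m.group('dll'), m.group('entry')
    stem = dll.rsplit('\\', 1)[-1][:-4]          # basename without ".dll"
    in_system32 = '\\system32\\' in dll.lower()
    if in_system32 and RANDOM_STEM_RE.match(stem) and ENTRY_RE.match(entry):
        return Finding('rundll32-random-dll', dll, line)
    return None


def check_ads(line):
    """O4 entries whose target path contains a colon after the drive letter,
    i.e. an NTFS alternate data stream (Explorer does not list these)."""
    if not line.startswith('O4 ') or '] ' not in line:
        return None
    cmd = line.split('] ', 1)[1]
    m = DRIVE_PATH_RE.match(cmd)
    if not m:
        return None
    path = m.group('path')
    if ':' in path[2:]:                           # skip the "C:" drive colon
        return Finding('ads-autostart', path, line)
    return None


def triage(log_text):
    """Run every heuristic over each line; return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in (check_bho, check_rundll, check_ads):
            hit = check(line)
            if hit:
                findings.append(hit)
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.rule}] {f.detail}')
```

Run it against a full HijackThis log by reading the file into `triage()`. The rundll32 rule is deliberately narrow (location, name shape and entry point all have to match) so that legitimate rundll32 entries such as `oobefldr.dll,ShowWelcomeCenter` pass through untouched; the point is to shortlist what to check next, not to decide anything automatically.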
post #3 of 22
Have you tried this?


Ad-Aware 2007 also has a removal tool built in.
post #4 of 22
It is almost impossible to remove Virtumonde.

I've tried VundoFix, the Symantec Vundo Removal tool and almost every piece of trial/freeware software.

There is obviously the manual way to remove it, but it takes quite a long time. Every customer that brings their PC in with Vundo usually ends up getting a reformat.

To remove that file, try using File Assassin.
http://www.majorgeeks.com/FileASSASSIN_d5416.html
post #5 of 22
Here's what I did to remove it from my friend's PC. Download the free home edition of Avast and install it. Then use Avast's boot-time virus scan feature. It will probably ask you if you'd like to do a boot-time scan after you install Avast. Using the boot scan in Avast successfully removed the Virtumonde virus from my friend's PC.

Hope that helps!
post #6 of 22
I've done it with VundoFix; it was the only program that completely took off the virus. If it doesn't take it off, try in safe mode.
post #7 of 22
Honestly, I've tried so many things (everything listed here so far and more). My final solution: reinstalled my OS. Back some **** up and just do it, honestly.
post #8 of 22
Thread Starter 
Quote:
Originally Posted by onlycodered
Here's what I did to remove it from my friend's PC. Download the free home edition of Avast and install it. Then use Avast's boot-time virus scan feature. It will probably ask you if you'd like to do a boot-time scan after you install Avast. Using the boot scan in Avast successfully removed the Virtumonde virus from my friend's PC.

Hope that helps!
Thank you very much for your suggestion; Avast was the only thing that got rid of the most problematic files. I only have one file left to delete now. Spybot lists it as a virtumonde.dll file, but Avast didn't pick it up (even though it picked up everything else), so I'm not too worried about it.

Avast is my new personal favorite.
post #9 of 22
Then again, if all that fails you will have no choice but to format, and don't bother backing up any application files as it can be hiding in there as well.


EDIT: I say off with WinXP's head and reinstall.
post #10 of 22
I've got this virus myself right now. I just finished doing the VundoFix, and I'm going to try and use Spyware Doctor on my safe mode reboot. Whoever created this virus, a pox on your whole family! Most likely in the end I'll be formatting, but I've got 80 GB worth of keeper stuff to burn or move to the external HD, which I'll have to empty lol. I've been trying to get rid of this thing for about 3 days to no avail; I've tried everything else, so I'm down to this and a format.

Good luck to all of us sufferers!

Any further help would be definitely appreciated!!