Fletch XXX

Hey, anyone have experience with Virtumonde?

I got it on my work machine and have been fighting it for a few days.

Its weird, I thought I cleared the machine - ran Spy Bot and Malwarebytes in safe mode this morning, it quarantined and removed the files successfully, but something strange happens...

If I run the proggies and get rid of the infected files, after I remove them, I run Malwarebytes again., and the infected registry entries are still there??

Of course ive googled and followed directions on "vortmonde removal" pages etc, but nothing seems to actually get rid of it...

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

Fletch XXX

ps i am in safe mode right now so the board is hard to surf lol must be 480 width or someshit in safe mode lol

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

TeenCat

maybe instead of "vortmonde removal" you can try "virtumonde removal" ... nothing of the manuals works? but sorry dont know how to help you better

__________________

GrouchyAdmin

Try posting comments on YouTube for a couple of hours. Maybe the sheer stupidity of the posters there will kill it off.

__________________

Iron Fist

__________________
i like waffles

Fletch XXX

that was a typo... of course i googled the correct thing.

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

Fletch XXX

i have the 3 infected registry keys and am going in manually via start > run > regedit

and remove them manually, hopefully that kills it...

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

klinton

try combofix

Fletch XXX

the three files are:

run > mibutamiku
browser helper object
and root clsid regkey

removing them manually...

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

Barefootsies

Yep. Had this a few weeks ago. I posted on it then.
Yes. It's a bitch to get rid of. Wasted an afternoon dealing with that madness.

Here is my steps to clearing that shit up.
https://gfy.com/fucking-around-and-business-discussion/872735-virtumonde.html

__________________
Should You Email Your Members?

Link1 | Link2 | Link3

Enough Said.

"Would you rather live like a king for a year or like a prince forever?"

Fletch XXX

driving me insane, i deleted the reg keys manually and they seem to reappear... right back in the list after i close window

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

Iron Fist

This sounds like a fake thread, or you have me on ignore... haha. Good luck with it.

__________________
i like waffles

Fletch XXX

how in the hell can you delete a file and have it reaappear simply by clicking out of the folder????

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

Fletch XXX

ive ran malwarebytes more than 10 times, it claims to remove it, yet it does not.

As I said above, I have gone in through start > run > regedit and the files are not being deleted by malwarebytes,... the same 3 reg keys keep being detected even after deleting with Malwarebytes

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

Barefootsies

That is one of the beauties of that virus.

You have to nuke that shit in SAFE MODE. Turn off restore. Clean registry. Kill virus. Restore back on.

__________________
Should You Email Your Members?

Link1 | Link2 | Link3

Enough Said.

"Would you rather live like a king for a year or like a prince forever?"

Fletch XXX

im in safe mode, not doing any restore stuff... how you clean registry other than in safe mode >delete?

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

Fletch XXX

k turned OFF sys restore, maybe that was it...

now to deleting...

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

Barefootsies

Turn off system restore.
Go into SAFE MODE.

THEN you use the

1. Microsoft Malware tool first. It should already be on your machine. Find it. Then run it twice.
2. Registry Cleaner (run G search for the program). Run it twice.
3. Run Spybot Search and Destroy, twice.

Once clean, turn restore back on.

__________________
Should You Email Your Members?

Link1 | Link2 | Link3

Enough Said.

"Would you rather live like a king for a year or like a prince forever?"

Fletch XXX

man I keep deleting these files and they do not go away.

sys restore off

in safe mode

will run MBAM again and see, but the files come back..

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

Barefootsies

You can not manually delete them chief.

I tried that as well a half dozen times. Stop wasting your time. Find, and download if you do not have them, the programs I said. Run them like I said. You should be fine.

__________________
Should You Email Your Members?

Link1 | Link2 | Link3

Enough Said.

"Would you rather live like a king for a year or like a prince forever?"

Fletch XXX

why do i need a reg cleaner? I am deleting them manually...?

this is fucking silly... as I have said, everytime I run MBAM i get the same 3 reg keys shown to me as infected, i have the registry open to the file locations and manually delete, yet the reappear as soon as I delete them...

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

Fletch XXX

what reg cleaner?

i am downloading this

http://www.malwarebytes.org/regassassin.php

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

Barefootsies

Every time I would run S&D, it would find the virus as well. It would do the same thing you claim. It would also say it removed it, but did not. I tried manually deleting, then would run S&D again. It would find it again. The files would be back again.

Do the steps I said, with the programs I said. Otherwise, enjoy your morning of wasted time.

__________________
Should You Email Your Members?

Link1 | Link2 | Link3

Enough Said.

"Would you rather live like a king for a year or like a prince forever?"

Fletch XXX

well in trying to follow your directions:

1. http://www.microsoft.com/security/ma...e/default.mspx

doesnt seem to do anything after I download it, I click it open and it just goes away.

2. What registry cleaner? a google search for "registry cleaner" yields 4,920,000 results, I tried regassassin, didnt delete the keys.

3. I have spybot, and have trun it with same conclusion as you above, it isnt getting the files removed, and I keep trying other things.

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

Darkcrni

My god, why don't you reinstall the fucker , just to be sure!!!

Fletch XXX

well, ive tried to download and run this more than once, same thing, it just opens then closes without running

http://www.microsoft.com/security/ma...e/default.mspx

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

polish_aristocrat

so malwarebytes didn't help?

__________________
I don't use ICQ anymore.

Fletch XXX

no, MBAM finds and *claims* to remove the same 3 files over and over, no matter how many times the prog is ran.

it finds the files, then claims to delete... but doesnt.

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

Forest

sounds fuckign nasty

polish_aristocrat

are you on XP or Vista?

I know Combofix is a great program, someone mentioned it here, but a page says its only for XP

http://remove-malware.com/malware-ti...monde-removal/

Virtumonde removal can be successfully accomplished via the following steps below. Please note that this fix only works on Windows XP. NEVER RUN COMBOFIX ON WINDOWS VISTA!!!

Manual Steps for Windows XP

1. Download the latest version of combofix from here.

2. Save combofix in the root of your c: drive ( c:\combofix.exe)

3. Reboot the pc in safemode (edit* 4/22/08 - ComboFix may not work in safemode on some computers. If ComboFix does not work for you in safe mode I would suggest that you run malwarebytes' anti-malware in safemode...it removed Virtumonde without a problem).

4. Login and Run ComboFix.

5. Follow the on screen prompts to clean your pc.


here's a more detailed guide to Combofix
http://www.bleepingcomputer.com/comb...o-use-combofix

ive used combofix in the past to remove some other trojans.. but:

combofix may theoretically fuck up your system for good, it says 1/100 machines don't survive the scan
unlike the guide says, you should rather save combofix as some random characters like abs456.exe instead of combofix.exe

and after running combofix it not only removes some shit, but produces a log, and then after looking at the log, some additional steps may be nesessary but i never had to do that

anyway if you're on XP, you can try

edit: dont do anything, dont even move your mouse while Combofix is running

__________________
I don't use ICQ anymore.

DeanCapture

Fletch, I had that a while back and used two programs to rid myself of it. Since then, I've turned others on to this and they also got rid of it.

First, download & install Eset Smart Security.

Secondly, download & install SUPER Anti Spyware

Thank me later...

__________________
Twitter: @DeanCapture
Instagram: @TheDeanCapture
DeanCapture "at" Gmail.com

Fletch XXX

I shall do so right now. Thanks...

Man oh man,.. that is some nasty shit. I'm not the best with these things, but I can run the progs find, target, kill. But I downloaded and ran both of those and was able to remove most of the parts it seems... although, I have noticed a few "browser helper ojbects" that have returned, I at least for now it seems mostly neutralized.

The problem was killing the "in use memory module" stuff. I downloaded Dr Delete anf numerous free downloads, but took your advice on those. The frustrating thing is waiting for these things to scan a large HD, meanwhile you *know* where the reg keys are, but can't delete em, but in the end between a few programs I was able to put a stop on them and the main reg key that was calling upon other system32 .dlls.

Im still cleaning it up, but at least was able to finally get out of safe mode and plug it back online...

nasty stuff

vundo virtumonde, whatever it is i had(ve) em...

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

Fletch XXX

well, didnt work.

The shit is still on my machine and I am still trying to rid myself of it.

the same registry keys that are causing this simply will not be removed by any of the programs, ... and upon a reboot it seems to come right back...

arrhgg

SUPERANTispyware even updates their virii definition list YESTERDAY with 6 vundo updates and it still didnt fix it!!!

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

Fletch XXX

nothing will delete these two

O4 - HKUS\S-1-5-19\..\Run: [mibutamiku] Rundll32.exe "C:\WINDOWS\system32\tapusura.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [mibutamiku] Rundll32.exe "C:\WINDOWS\system32\tapusura.dll",s (User 'NETWORK SERVICE')

manual delete dont work, delete upon reboot from MBAM dont work, Hijack this dont work... SuperAntiSpyware dont even find it...

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

Fletch XXX

the frustrating thing is very simple, I dont need *another virii or malware scanner*, I dont need another reg cleaner, I dont need another blahblahblahfixit.exe

I know EXACTLY where the regkeys are, I know exactly what the names are, but simply CANNOT REMOVE THEM, nor effectively stop them from autorun on reboot unless removed.

If i could simply delete the regkeys I am thinking that would be about the last traces of it,... but until then, I think it keeps making copies of itself or some of the .dll files and the process just starts over, very frustrating.

I think I must have the latest most recent vesion of this vundo/virtumonde trojan, because Superantispyware updated on the 19th with new virus definitions for vundo, but so far, it has not stopped this thing...

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

Fletch XXX

found a task i hadnt killed... and disabled: C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\tuvWpMGv.dll",d (was set to run every 2 hours)

also found this file: WMSysPr9.prx (old trojan file) not sure if related, but cleaning this shit has me digging DEEEEEP into the abyss...

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

Fletch XXX

another .dll removed

system32/tudoniga.dll

trojan.fakealert

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

Fletch XXX

found a .dll that seems to be in-use and is not windows related, setting up Dr Delete to kill it upon reboot now...

system32/vuzinaku.dll

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

Fletch XXX

k vuzinaku.dll cannot be deleted, must be a main part of this... tried dr delete at start up but its not allowing this thing to be removed, acces denied. I unchecked "read only" etc...

cant even unregister the .dll at cmd prompt... as suggested here http://www.spywareremove.com/securit...ove-dll-files/

this is a headache

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

Fletch XXX

i quarantined the vuzinaku.dll with ESET, but it couldnt move it from sys32 folder

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

Fletch XXX

sys32/bovusuyo.dll located, deleted

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

Fletch XXX

i am wondering if as I delete them it is creating more, damn...

lemme comb the dir and see...

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

polish_aristocrat

did you try the combofix I posted? or are you on vista?






or maybe I am just on Stuart D's elite ignore feature

__________________
I don't use ICQ anymore.

Fletch XXX

I downloaded it, but didn't like the "can shut down your computer" warning lol

Am I describing something similar to what you had?

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

Fletch XXX

also found:

nayirima.dll
nelumoje.dll

but as I detected it was making more as I deleted them... and it was

the file names are all dynamic and yes they are being created as I deletd this file called "mabalawa"

upon deleting that it created a copy of mabalawa, two .dlls (raramugee.dll zofarimo.dll) and egumarar (config file)

lol

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

polish_aristocrat

I dont rememebr what i had, its been some trojan, perhaps a more simply one than yours.

I got the "1 in 100 computers won't survive the scan" message or so but I proceed and it went Ok.

You can make the windows recovery console like they suggest but I didn't do that.

anwway, Combofix is a powerful tool, recommended on many forums.
I was also scared to use it first but it went Ok.

If you take their warning literally, then you've got 99% chance that it will run fine... and hopefully it can get rid of your trojan, though no 100% promisses obviously..

anwyay good luck, cant really say much more

__________________
I don't use ICQ anymore.

Yngwie

did you try scanning with your network connection disconnected? Some of these virii use your internet connection in order to get shit from a database or whatever so if you're still connected that is more than likely why it keeps coming back. Try all these scan with NO NETWORK CONNECTION and see if that helps.

__________________
ICQ: 16544251 - Skype: gator37 @ eastlink.ca - email: yngwie @ isys.ca

Mutt

i've had Virtumonde - go here - complete step by step guide - you have most of the software already - read carefully, follow the instructions

http://forums.majorgeeks.com/showthread.php?t=35407

and you MUST run ComboFix after using SuperAntiSpyware, Spybot S&D, MBAM

there's nothing to fear running ComboFix

__________________

zEn84

Fletch man, just download windows new live one care program.

http://onecare.live.com/standard/en-us/3/default.htm

Its the only one that worked for me, the trial will still remove everything, you get like 3 months free. I have this puppy running all the time, rock solid program. Good luck with it..

Mutt

this shit is getting out of hand - there have been half a dozen posts just on GFY in the past week about Virtumonde. Why the fuck doesn't anybody in law enforcement go after these people - they're easy to trace, most of them are incredibly trying to get you to buy anti-spyware software after they put it on your machine or redirecting you to pay per click ad networks, follow the money. I know what site I picked it up on.

and the Mac owners who smugly tell you 'get a Mac' because Macs don't get this shit - sorry your time is coming, the more people switching to Mac makes it inevitable that these guys right now are writing malicious code for the Mac. Apple for the first time is now recommending their users start using anti-virus software - they know what's coming.

__________________