GoFuckYourself.com - Adult Webmaster Forum

Virtumonde Virus, anyone have experience? (https://gfy.com/showthread.php?t=876771)

Fletch XXX 12-20-2008 07:12 AM

Virtumonde Virus, anyone have experience?
 
Hey, anyone have experience with Virtumonde?

I got it on my work machine and have been fighting it for a few days.

It's weird, I thought I cleared the machine - ran Spybot and Malwarebytes in safe mode this morning, it quarantined and removed the files successfully, but something strange happens...

If I run the proggies and get rid of the infected files, after I remove them, I run Malwarebytes again, and the infected registry entries are still there??

Of course I've googled and followed directions on "vortmonde removal" pages etc, but nothing seems to actually get rid of it...

Fletch XXX 12-20-2008 07:13 AM

PS I am in safe mode right now so the board is hard to surf lol must be 480 width or some shit in safe mode lol

TeenCat 12-20-2008 07:17 AM

maybe instead of "vortmonde removal" you can try "virtumonde removal" ... nothing of the manuals works? but sorry don't know how to help you better :)

GrouchyAdmin 12-20-2008 07:19 AM

Try posting comments on YouTube for a couple of hours. Maybe the sheer stupidity of the posters there will kill it off.

Iron Fist 12-20-2008 07:19 AM

http://www.bleepingcomputer.com/malw...ndo-virtumonde

Fletch XXX 12-20-2008 07:20 AM

Quote:

Originally Posted by TeenCat (Post 15222597)
maybe instead of "vortmonde removal" you can try "virtumonde removal" ... nothing of the manuals works? but sorry don't know how to help you better :)

that was a typo... of course I googled the correct thing.

Fletch XXX 12-20-2008 07:20 AM

I have the 3 infected registry keys and am going in manually via start > run > regedit

and remove them manually, hopefully that kills it...

klinton 12-20-2008 07:22 AM

try combofix

Fletch XXX 12-20-2008 07:23 AM

the three files are:

run > mibutamiku
browser helper object
and root clsid regkey

removing them manually...

Barefootsies 12-20-2008 07:30 AM

Yep. Had this a few weeks ago. I posted on it then.
Yes. It's a bitch to get rid of. Wasted an afternoon dealing with that madness.

Here are my steps to clearing that shit up.
fucking-around-and-business-discussion/872735-virtumonde.html

Fletch XXX 12-20-2008 07:31 AM

driving me insane, I deleted the reg keys manually and they seem to reappear... right back in the list after I close the window

Iron Fist 12-20-2008 07:33 AM

Quote:

Originally Posted by Fletch XXX (Post 15222635)
driving me insane, I deleted the reg keys manually and they seem to reappear... right back in the list after I close the window

This sounds like a fake thread, or you have me on ignore... haha. Good luck with it. :2 cents:

Fletch XXX 12-20-2008 07:33 AM

how in the hell can you delete a file and have it reappear simply by clicking out of the folder????

Fletch XXX 12-20-2008 07:35 AM

Quote:

Originally Posted by sharphead (Post 15222603)

I've run Malwarebytes more than 10 times, it claims to remove it, yet it does not.

As I said above, I have gone in through start > run > regedit and the files are not being deleted by Malwarebytes... the same 3 reg keys keep being detected even after deleting with Malwarebytes

Barefootsies 12-20-2008 07:36 AM

Quote:

Originally Posted by Fletch XXX (Post 15222645)
how in the hell can you delete a file and have it reappear simply by clicking out of the folder????

That is one of the beauties of that virus.

You have to nuke that shit in SAFE MODE. Turn off restore. Clean registry. Kill virus. Restore back on.

Fletch XXX 12-20-2008 07:40 AM

Quote:

Originally Posted by Barefootsies (Post 15222658)
That is one of the beauties of that virus.

You have to nuke that shit in SAFE MODE. Turn off restore. Clean registry. Kill virus. Restore back on.

I'm in safe mode, not doing any restore stuff... how do you clean the registry other than in safe mode > delete?

Fletch XXX 12-20-2008 07:42 AM

k turned OFF sys restore, maybe that was it...

now to deleting...

Barefootsies 12-20-2008 07:44 AM

Quote:

Originally Posted by Fletch XXX (Post 15222675)
I'm in safe mode, not doing any restore stuff... how do you clean the registry other than in safe mode > delete?

Turn off system restore.
Go into SAFE MODE.

THEN you use the

1. Microsoft Malware tool first. It should already be on your machine. Find it. Then run it twice.
2. Registry Cleaner (run G search for the program). Run it twice.
3. Run Spybot Search and Destroy, twice.

Once clean, turn restore back on.

Fletch XXX 12-20-2008 07:46 AM

man I keep deleting these files and they do not go away.

sys restore off

in safe mode

will run MBAM again and see, but the files come back..

Barefootsies 12-20-2008 07:49 AM

Quote:

Originally Posted by Fletch XXX (Post 15222695)
man I keep deleting these files and they do not go away.

sys restore off

in safe mode

will run MBAM again and see, but the files come back..


You can not manually delete them chief.


I tried that as well a half dozen times. Stop wasting your time. Find, and download if you do not have them, the programs I said. Run them like I said. You should be fine.

Fletch XXX 12-20-2008 07:50 AM

why do I need a reg cleaner? I am deleting them manually...?

this is fucking silly... as I have said, every time I run MBAM I get the same 3 reg keys shown to me as infected, I have the registry open to the file locations and manually delete, yet they reappear as soon as I delete them...

Fletch XXX 12-20-2008 07:51 AM

what reg cleaner?

I am downloading this

http://www.malwarebytes.org/regassassin.php

Barefootsies 12-20-2008 07:53 AM

Quote:

Originally Posted by Fletch XXX (Post 15222707)
why do I need a reg cleaner? I am deleting them manually...?

this is fucking silly... as I have said, every time I run MBAM I get the same 3 reg keys shown to me as infected, I have the registry open to the file locations and manually delete, yet they reappear as soon as I delete them...

Every time I would run S&D, it would find the virus as well. It would do the same thing you claim. It would also say it removed it, but did not. I tried manually deleting, then would run S&D again. It would find it again. The files would be back again.

Do the steps I said, with the programs I said. Otherwise, enjoy your morning of wasted time.

Fletch XXX 12-20-2008 08:07 AM

Quote:

Originally Posted by Barefootsies (Post 15222687)
Turn off system restore.
Go into SAFE MODE.

THEN you use the

1. Microsoft Malware tool first. It should already be on your machine. Find it. Then run it twice.
2. Registry Cleaner (run G search for the program). Run it twice.
3. Run Spybot Search and Destroy, twice.

Once clean, turn restore back on.

well in trying to follow your directions:

1. http://www.microsoft.com/security/ma...e/default.mspx

doesn't seem to do anything after I download it, I click it open and it just goes away.

2. What registry cleaner? a google search for "registry cleaner" yields 4,920,000 results, I tried regassassin, didn't delete the keys.

3. I have spybot, and have run it with the same conclusion as you above, it isn't getting the files removed, and I keep trying other things.

Darkcrni 12-20-2008 08:13 AM

My god, why don't you reinstall the fucker , just to be sure!!!

Fletch XXX 12-20-2008 08:36 AM

well, I've tried to download and run this more than once, same thing, it just opens then closes without running

http://www.microsoft.com/security/ma...e/default.mspx

polish_aristocrat 12-20-2008 09:00 AM

so malwarebytes didn't help?

Fletch XXX 12-20-2008 09:09 AM

Quote:

Originally Posted by polish_aristocrat (Post 15222866)
so malwarebytes didn't help?

no, MBAM finds and *claims* to remove the same 3 files over and over, no matter how many times the prog is run.

it finds the files, then claims to delete... but doesn't.

Forest 12-20-2008 09:13 AM

sounds fucking nasty

polish_aristocrat 12-20-2008 09:16 AM

are you on XP or Vista?

I know Combofix is a great program, someone mentioned it here, but a page says it's only for XP

http://remove-malware.com/malware-ti...monde-removal/

Virtumonde removal can be successfully accomplished via the following steps below. Please note that this fix only works on Windows XP. NEVER RUN COMBOFIX ON WINDOWS VISTA!!!

Manual Steps for Windows XP

1. Download the latest version of combofix from here.

2. Save combofix in the root of your c: drive ( c:\combofix.exe)

3. Reboot the pc in safemode (edit* 4/22/08 - ComboFix may not work in safemode on some computers. If ComboFix does not work for you in safe mode I would suggest that you run malwarebytes' anti-malware in safemode...it removed Virtumonde without a problem).

4. Login and Run ComboFix.

5. Follow the on screen prompts to clean your pc.


here's a more detailed guide to Combofix
http://www.bleepingcomputer.com/comb...o-use-combofix

I've used combofix in the past to remove some other trojans.. but:

combofix may theoretically fuck up your system for good, it says 1/100 machines don't survive the scan
unlike the guide says, you should rather save combofix as some random characters like abs456.exe instead of combofix.exe

and after running combofix it not only removes some shit, but produces a log, and then after looking at the log, some additional steps may be necessary but I never had to do that

anyway if you're on XP, you can try

edit: don't do anything, don't even move your mouse while Combofix is running

DeanCapture 12-20-2008 09:56 AM

Fletch, I had that a while back and used two programs to rid myself of it. Since then, I've turned others on to this and they also got rid of it.

First, download & install Eset Smart Security.

Secondly, download & install SUPER Anti Spyware

Thank me later...:thumbsup

Fletch XXX 12-20-2008 01:37 PM

Quote:

Originally Posted by DeanCapture (Post 15223041)
Thank me later...:thumbsup

I shall do so right now. Thanks...

Man oh man,.. that is some nasty shit. I'm not the best with these things, but I can run the progs: find, target, kill. But I downloaded and ran both of those and was able to remove most of the parts it seems... although I have noticed a few "browser helper objects" that have returned, at least for now it seems mostly neutralized.

The problem was killing the "in use memory module" stuff. I downloaded Dr Delete and numerous free downloads, but took your advice on those. The frustrating thing is waiting for these things to scan a large HD, meanwhile you *know* where the reg keys are, but can't delete em, but in the end between a few programs I was able to put a stop on them and the main reg key that was calling upon other system32 .dlls.

I'm still cleaning it up, but at least was able to finally get out of safe mode and plug it back online...

nasty stuff

vundo, virtumonde, whatever it is I had(ve) em...

Fletch XXX 12-21-2008 07:20 AM

well, didn't work.

The shit is still on my machine and I am still trying to rid myself of it.

the same registry keys that are causing this simply will not be removed by any of the programs, ... and upon a reboot it seems to come right back...

arrhgg

SUPERAntiSpyware even updated their virii definition list YESTERDAY with 6 vundo updates and it still didn't fix it!!!

Fletch XXX 12-21-2008 07:29 AM

nothing will delete these two

O4 - HKUS\S-1-5-19\..\Run: [mibutamiku] Rundll32.exe "C:\WINDOWS\system32\tapusura.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [mibutamiku] Rundll32.exe "C:\WINDOWS\system32\tapusura.dll",s (User 'NETWORK SERVICE')

manual delete doesn't work, delete upon reboot from MBAM doesn't work, HijackThis doesn't work... SuperAntiSpyware doesn't even find it...
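As an added example (not code from the thread or from any of the tools mentioned in it), here is a small Python parser for HijackThis O4 lines like the two above, with defender-side heuristics that flag what makes these entries stand out: rundll32 loading a DLL from system32 with a one-letter export, a pronounceable random file name, and a Run value under the LOCAL SERVICE / NETWORK SERVICE hives. The sample lines are constructed copies and the consonant-vowel name check is an assumption, not a published rule.

```python
import re

# Constructed sample lines in HijackThis "O4" (autostart) format: the two
# service-hive entries from the thread plus one ordinary vendor entry.
SAMPLE_O4_LINES = [
    "O4 - HKUS\\S-1-5-19\\..\\Run: [mibutamiku] Rundll32.exe \"C:\\WINDOWS\\system32\\tapusura.dll\",s (User 'LOCAL SERVICE')",
    "O4 - HKUS\\S-1-5-20\\..\\Run: [mibutamiku] Rundll32.exe \"C:\\WINDOWS\\system32\\tapusura.dll\",s (User 'NETWORK SERVICE')",
    "O4 - HKLM\\..\\Run: [SoundMAX] \"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4.exe\" /tray",
]
# hive (optionally with a user SID), Run key, [value name], command, optional (User '...')
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\S-[\d-]+)?)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.I)
SERVICE_SIDS = {"S-1-5-19", "S-1-5-20"}  # LOCAL SERVICE and NETWORK SERVICE hives

def parse_o4(line):
    """Fields of one O4 line as a dict (plus the user SID, if any), or None if not an O4 entry."""
    m = O4_RE.match(line)
    return dict(m.groupdict(), sid=m["hive"].partition("\\")[2] or None) if m else None

def looks_random(basename):
    """Heuristic (an assumption modelled on names in the thread such as tapusura and mibutamiku):
    lowercase letters only, 6-12 chars, strictly alternating consonant/vowel. One signal, not a verdict."""
    if not (6 <= len(basename) <= 12 and basename.isalpha() and basename.islower()):
        return False
    is_vowel = [c in "aeiou" for c in basename]
    return all(is_vowel[i] != is_vowel[i + 1] for i in range(len(is_vowel) - 1))

def assess(entry):
    """Return the reasons an O4 entry deserves a closer look (empty list = nothing odd)."""
    reasons = []
    m = RUNDLL_RE.match(entry["cmd"])
    if m:
        dll = m.group("dll")
        base = dll.rsplit("\\", 1)[-1][:-4].lower()
        if "\\system32\\" in dll.lower():
            reasons.append("rundll32 loads a DLL from system32 instead of a vendor directory")
        if looks_random(base):
            reasons.append(f"DLL name '{base}' fits the random consonant-vowel pattern")
        if len(m.group("export")) == 1:
            reasons.append(f"single-letter export '{m.group('export')}' is unusual")
    if entry["sid"] in SERVICE_SIDS:
        reasons.append(f"Run value lives under service-account hive {entry['sid']}")
    return reasons

def suspicious_entries(lines):
    """(value name, hive, reasons) for every O4 line that raised at least one reason."""
    found = []
    for line in lines:
        entry = parse_o4(line)
        if entry and (reasons := assess(entry)):
            found.append((entry["name"], entry["hive"], reasons))
    return found
```

Running `suspicious_entries(SAMPLE_O4_LINES)` reports both service-hive entries with all four reasons and stays silent on the SoundMAX line.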

Fletch XXX 12-21-2008 07:57 AM

the frustrating thing is very simple, I don't need *another virii or malware scanner*, I don't need another reg cleaner, I don't need another blahblahblahfixit.exe

I know EXACTLY where the regkeys are, I know exactly what the names are, but simply CANNOT REMOVE THEM, nor effectively stop them from autorun on reboot unless removed.

If I could simply delete the regkeys I am thinking that would be about the last traces of it,... but until then, I think it keeps making copies of itself or some of the .dll files and the process just starts over, very frustrating.

I think I must have the latest most recent version of this vundo/virtumonde trojan, because Superantispyware updated on the 19th with new virus definitions for vundo, but so far, it has not stopped this thing...

Fletch XXX 12-21-2008 08:23 AM

found a task I hadn't killed... and disabled: C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\tuvWpMGv.dll",d (was set to run every 2 hours)

also found this file: WMSysPr9.prx (old trojan file) not sure if related, but cleaning this shit has me digging DEEEEEP into the abyss...

Fletch XXX 12-21-2008 08:28 AM

another .dll removed

system32/tudoniga.dll

trojan.fakealert

Fletch XXX 12-21-2008 08:32 AM

found a .dll that seems to be in-use and is not windows related, setting up Dr Delete to kill it upon reboot now...

system32/vuzinaku.dll

Fletch XXX 12-21-2008 09:01 AM

k vuzinaku.dll cannot be deleted, must be a main part of this... tried dr delete at start up but it's not allowing this thing to be removed, access denied. I unchecked "read only" etc...

can't even unregister the .dll at cmd prompt... as suggested here http://www.spywareremove.com/securit...ove-dll-files/

this is a headache

Fletch XXX 12-21-2008 09:05 AM

I quarantined the vuzinaku.dll with ESET, but it couldn't move it from the sys32 folder

Fletch XXX 12-21-2008 09:31 AM

sys32/bovusuyo.dll located, deleted

Fletch XXX 12-21-2008 09:33 AM

I am wondering if as I delete them it is creating more, damn...

lemme comb the dir and see...

polish_aristocrat 12-21-2008 09:59 AM

did you try the combofix I posted? or are you on vista?

or maybe I am just on Stuart D's elite ignore feature :1orglaugh

Fletch XXX 12-21-2008 10:03 AM

Quote:

Originally Posted by polish_aristocrat (Post 15227569)
did you try the combofix I posted? or are you on vista?

I downloaded it, but didn't like the "can shut down your computer" warning lol

Am I describing something similar to what you had?

Fletch XXX 12-21-2008 10:03 AM

also found:

nayirima.dll
nelumoje.dll

but as I detected it was making more as I deleted them... and it was

the file names are all dynamic and yes they are being created as I deleted this file called "mabalawa"

upon deleting that it created a copy of mabalawa, two .dlls (raramugee.dll zofarimo.dll) and egumarar (config file)

lol

polish_aristocrat 12-21-2008 10:08 AM

Quote:

Originally Posted by Fletch XXX (Post 15227581)
I downloaded it, but didn't like the "can shut down your computer" warning lol

Am I describing something similar to what you had?

I don't remember what I had, it's been some trojan, perhaps a more simple one than yours.

I got the "1 in 100 computers won't survive the scan" message or so but I proceeded and it went Ok.

You can make the windows recovery console like they suggest but I didn't do that.

anyway, Combofix is a powerful tool, recommended on many forums.
I was also scared to use it first but it went Ok.

If you take their warning literally, then you've got 99% chance that it will run fine... and hopefully it can get rid of your trojan, though no 100% promises obviously..

anyway good luck, can't really say much more

Yngwie 12-21-2008 10:12 AM

did you try scanning with your network connection disconnected? Some of these virii use your internet connection in order to get shit from a database or whatever so if you're still connected that is more than likely why it keeps coming back. Try all these scan with NO NETWORK CONNECTION and see if that helps.

Mutt 12-21-2008 10:18 AM

i've had Virtumonde - go here - complete step by step guide - you have most of the software already - read carefully, follow the instructions

http://forums.majorgeeks.com/showthread.php?t=35407

and you MUST run ComboFix after using SuperAntiSpyware, Spybot S&D, MBAM

there's nothing to fear running ComboFix

zEn84 12-21-2008 10:23 AM

Quote:

Originally Posted by Fletch XXX (Post 15227588)
also found:

nayirima.dll
nelumoje.dll

but as I detected it was making more as I deleted them... and it was

the file names are all dynamic and yes they are being created as I deleted this file called "mabalawa"

upon deleting that it created a copy of mabalawa, two .dlls (raramugee.dll zofarimo.dll) and egumarar (config file)

lol

Fletch man, just download Windows' new Live OneCare program.

http://onecare.live.com/standard/en-us/3/default.htm

It's the only one that worked for me, the trial will still remove everything, you get like 3 months free. I have this puppy running all the time, rock solid program. Good luck with it..

Mutt 12-21-2008 10:36 AM

this shit is getting out of hand - there have been half a dozen posts just on GFY in the past week about Virtumonde. Why the fuck doesn't anybody in law enforcement go after these people - they're easy to trace, most of them are incredibly trying to get you to buy anti-spyware software after they put it on your machine or redirecting you to pay per click ad networks, follow the money. I know what site I picked it up on.

and the Mac owners who smugly tell you 'get a Mac' because Macs don't get this shit - sorry your time is coming, the more people switching to Mac makes it inevitable that these guys right now are writing malicious code for the Mac. Apple for the first time is now recommending their users start using anti-virus software - they know what's coming.


All times are GMT -7. The time now is 02:33 AM.
