Trojan.Virtumonde. Help please!

[QUOTH]

I'm running XP, IE7, Norton Antivirus, Windows Defender and Spyware Doctor

I seemed to have picked something up from somewhere. Virus, spyware, malware, who knows. Spyware Doctor tells me i've got a trojan. I've used add/remove programs to unistall the problem application.

When I connect to the internet norton antivirus goes crazy. The screen fills with popups telling me its scanning outgoing emails. Quickly the whole screen fills unless I disconnect the internet or go into task manager and close them all a couple of times [ I dont know if this fixes it or just stops norton from showing them]. I get no other warnings from Norton or Spyware Doctor.

I can open internet explorer 7, I can open web pages by selecting favorites or typing in the correct web adress. I can search with the search bar and get a page of google results. If I then click any of the results, even ones I know are good I get a page of more search results, or adverts from different providers [not google, nothing to do with the link].

No popups in IE but my popup blocker is always on full.

I also have Spyware doctor. I do a full search, it finds a trojan and a list of smaller new problems. I "fix" them and empty the quaranteen bin and restart my PC.

The problem starts again, I search with spyware Doctor again and it finds it. Again.

Norton antivirus dosen't seem to find anything after I have scanned with spyware doctor.

Ive also emptied the temporary internet files and cookies in internet explorer. Gmail [In IE7] tells me my cache is full even after deleting temp's and cookies.



I'm on the laptop at the moment as the PC is sick. Please help.

Q


EDIT: I'm hoping to install vista to get around this problem but guess what? Theres more problems! [l=My other thread]http://forums.anandtech.com/messageview.aspx?catid=32&threadid=2192154&enterthread=y[/]

 

[jamesminilogo]

What is the name of the trojan that Spydoctor finds.

This sounds similar to a problem that im working on for a friend. Could possibly be the Virtumonde trojan from the sounds of it.

 

[Old Hippie]

Update spyware programs.

Disable system restore.

Boot into safe mode.

Run your scans.

If that doesn't do it, I'd reinstall Windows.

Good Luck!

 

[robisbell]

run housecall on the machine in safe mode with network access, and if that does not fix it, then dban the drive, reload windows, and permanently disable system restore.

 

[QUOTH]

I have disabled system restore and restarted my pc. Same problems but spyDr can no longer find anything wrong.

If I have to reinstall Windows will I have to format my C drive? Its full atm and I can't back it up. It's been a while since I've had to reinstall windows. This PC has been fine so far.

Right now I'm scanning in safe mode with spyDr. When it's finished I'll try housecall [thanks robisbell].


Q

 

[mechBgon]

Report the exact names of whatever malware is discovered. Also boot into Safe Mode With Networking and run F-Secure's online scanner, which uses several antivirus engines and has rootkit detection as well. http://www.f-secure.com/security_center Another good free antispyware to use: http://www.superantispyware.com

Bigger picture: this stuff doesn't just fall from the sky. Here are some prevention strategies to consider for the future. Good luck!

 

[QUOTH]

I can't open either of those webpages on my troubled PC. I search for it with google [no problems]. I then copy the url [if i click I get a useless page of links/advert] and paste it into the adress bar. It won't connect, it always says "ie cannot display the webpage". I dont understand why this is, I can open anandtech or wikipedia by entering the correct url.

grrr

 

[jamesminilogo]

Originally posted by: mechBgon
Report the exact names of whatever malware is discovered.

As has been asked.

More help can be provided if we know the name of the malware.

 

[QUOTH]

z

Originally posted by: QUOTH
I have disabled system restore and restarted my pc. Same problems but spyDr can no longer find anything wrong...
Q

As I said SpyDR can nolonger find it so I don't know the name. I'll have alook in spyDr, I guess it should keep a history of what its found.

 

[jamesminilogo]

Sorry, i missed that.

Yeha see if Spyware Doctor keeps a history.

 

[mechBgon]

Originally posted by: QUOTH
I can't open either of those webpages on my troubled PC. I search for it with google [no problems]. I then copy the url [if i click I get a useless page of links/advert] and paste it into the adress bar. It won't connect, it always says "ie cannot display the webpage". I dont understand why this is, I can open anandtech or wikipedia by entering the correct url.

grrr

Malware often takes steps to prevent you from reaching security-related domains such as the ones I linked to. Try this for Superantispyware.com: http://208.62.68.168 and try this for F-secure: http://193.110.109.55/security_center For F-Secure's scanner, if you can run it, then run it while you're booted up in Safe Mode With Networking.


It may also help if you post a HijackThis log. Try to download and run HijackThis (download it from one of MajorGeeks' mirror links there). Run it, have it scan & save a logfile, then paste the logfile text here. If it won't run, try renaming HijackThis.exe to something else and then try to run it again... some malware will block it by name.

The next step will be to determine which items are bad, note them down, reboot into Safe Mode, and run HJT again while in Safe Mode, to actually kill them (if possible).

 

[QUOTH]

Threat Name-Trojan.Virtumonde

39 instances [entry, startup, file, registry key, registry value]

 

[mechBgon]

Originally posted by: QUOTH
Threat Name-Trojan.Virtumonde

39 instances [entry, startup, file, registry key, registry value]

Oh, ok. Start off by downloading and running the Microsoft Malicious Software Removal Tool, if possible: http://www.microsoft.com/secur...areremove/default.mspx It targets this stuff, among other things. Then carry on with the other steps afterwards.

 

[QUOTH]

When you say "kill them" do you mean find them with explorer and delete them?

Ive got the laptop so I can download anything, put it on a flash drive and then run on the PC. Just need to know what to find.

Thanks for the explanation. Out of curiosity what else is Virtumonde doing? The impression I got from norton is that its sending out emails by the hundred. Any idea why?

 

[cubby1223]

Grab this from another computer, and give it a run:
http://www.bleepingcomputer.co...ix/how-to-use-combofix

This is the best software program for getting the computer back under control. Norton sometimes complains about this software, do your best to get Norton to allow combofix to run.

And as linked above, use hijackthis and remove any BHO you don't recognize, should take care of the search engine problems.

 

[cubby1223]

Originally posted by: jamesminilogo

Originally posted by: mechBgon
Report the exact names of whatever malware is discovered.

As has been asked.

More help can be provided if we know the name of the malware.

My experience cleaning up computers - if there is one file that eludes all these security programs, then there are dozens more trojans and what-not on the drive. Hence, knowing one specific problem does very little towards cleaning up the machine on the whole. That's why you have to use the tools like hijackthis and combofix, and know how to search through the log reports and pick out the good and the bad by filename.

 

[RebateMonger]

Originally posted by: QUOTH
Out of curiosity what else is Virtumonde doing? The impression I got from norton is that its sending out emails by the hundred. Any idea why?

Most SPAM email is sent by computers that have been taken over by trojans. It's cheaper than paying for hosting and bandwidth, and it's impossible to blacklist tens of thousands of infected PCs.

Or, your PC could just be sending out malware-contaminated emails to try to infect MORE PCs.

Or, both.

 

[mechBgon]

Originally posted by: QUOTH
When you say "kill them" do you mean find them with explorer and delete them?

No, I mean that you first run HijackThis and get advised which items in the log should be deleted using HijackThis's checkboxes. Then, once you know what items to mark the checkboxes for, you reboot into Safe Mode, run HijackThis again, and checkmark the bad items and have them fixed / "killed."

 

[QUOTH]

Microsoft Malicious Software Removal Tool didn't find anything, I'll try some of the other apps suggested. Wish me luck.

Thinking about it I have a copy of vista that I haven't gotten around to installing yet. The plan would be to install vista on a new HDD, move some files over and then format what is now my C[and D partition] HDD. Just using Vista from the new drive, not reinstalling XP.

Is there any problem with this? Any chance Vista on my new drive will become "infected"? Do I need to fix my problem before I do this?


Also I'd like some suggestions for programs to keep running on my pc all the time. Norton and SpyDr are OK but clearly not good enough. Dosen't have to be free.

Q

 

[mechBgon]

Originally posted by: QUOTH
Thinking about it I have a copy of vista that I haven't gotten around to installing yet. The plan would be to install vista on a new HDD, move some files over and then format what is now my C[and D partition] HDD. Just using Vista from the new drive, not reinstalling XP.

Is there any problem with this? Any chance Vista on my new drive will become "infected"? Do I need to fix my problem before I do this?

It would take some deliberate actions to transfer the infection from the leftover XP stuff to Vista. The main danger would be running any executable files that aren't rock-solid trustworthy ones. Virtumonde/Vundo is something I primarily associate with warez, cracks and serial / keygens, so if you have any such stuff laying about, definitely don't execute it again.

Also I'd like some suggestions for programs to keep running on my pc all the time. Norton and SpyDr are OK but clearly not good enough. Dosen't have to be free.

Especially since you have Vista as an option, try a non-Administrator user account. Do not disable the User Account Control feature, no matter how many well-meaning folks tell you it's for noObs. If your version of Vista is Business or Ultimate, add a Software Restriction Policy. As a preventive measure, I feel that this foundation alone is more potent protection than the best-of-the-best antispyware and antivirus programs combined*, and you can still add them on top too. Not only that, the AV and AS software will be protected from tampering by anything that exploits your non-Admin user account.

Also, Vista in its own right has substantially better security than WinXP. However, WinXP with you using non-Admin + SRP is still quite good, too. On a practical note, when you install Vista on the new hard drive, be sure it's the ONLY DRIVE CONNECTED so that it gets the bootloader installed on it during Windows setup. External drives, memory card readers, flash drives and extra hard drives should all be unplugged while installing onto the new drive.

For antivirus protection: AntiVir in either the free or Premium variants. Definitely the best free AV. Of the paid antiviruses, it's a toss-up between AntiVir and Kaspersky, in my opinion, which is backed up by some rudimentary firsthand testing on real malware. At the rate that the bad guys crank out malware anymore, I don't recommend placing too much reliance on your antivirus software, no matter what kind it is.

For antispyware: you shouldn't need any if you're following these practices. Worst you'll see is tracking cookies, and if you use IE7 you can set your Privacy level to block them completely (Internet Options > Privacy tab > set the slider to Medium-High > click Advanced button > block 3rd-party cookies arbitrarily, allow 1st-party cookies).




*as long as YOU do not override it yourself, that is

 

[QUOTH]

Fantastic, thats just what I wanted to hear.

I know which app I installed which gave me virtumonde. Its uninstalled and deleted, definetly not running it again. Hmm, I just found some files on C which where created at after I got virtumonde. Some .exe's , a log and something else [I noted down there names incase you want to know]. I've deleted them and they haven't reappeared after restarting. Problems still persist.

Would you recommend antivir aswell as norton, spyDr and google defender? Do I only need 1 or two?

Yay, Lets try another scanner! :roll:

 

[QUOTH]

OK, I'm looking at a different solution, but theres a problem [of course]. I'm having trouble installing vista (my other help thread.

Please Help! Thanks all, I'm guessing this isn't related.....

 

[mechBgon]

Originally posted by: QUOTH

Would you recommend antivir aswell as norton, spyDr and google defender? Do I only need 1 or two?

No, don't use two antiviruses at the same time. Windows Defender has low detection rates, so I could take it or leave it, but you can use it in conjunction with another antispyware program if you want (personally, I would skip the antispyware and just use a non-Admin account plus SRP plus not downloading any more dodgy programs).

 

[QUOTH]

Lol, the last point goes with out saying. I don't use spyDr for antivirus, just spyware. OK. If you could have a look at my other thread I'd appreciate it.

 

[mechBgon]

Originally posted by: QUOTH
Lol, the last point goes with out saying. I don't use spyDr for antivirus, just spyware.

Right, but seriously, you shouldn't have any spyware to detect once you implement the other security steps. I'm basing that on my time as a systems administrator; we had no antispyware software, and we had no need of it either, because the systems were locked down in a fashion similar to what I keep suggesting (non-Administrator user accounts, etc). But if you want to pay for an antispyware, SuperAntispyware is one that at least gets good detection rates.