
Win32/VirtuMonde.O


DanG

Jul 24, 2007, 8:18:36 AM
I had a message pop up today from Windows Defender, indicating that I
had a "Win32/Virtumonde.O" trojan on my PC. I had WD remove the
virus, and restarted as required. A few minutes later, the message
popped up again. I have tried everything I can think of, including
running WD in Safe Mode, but the virus keeps coming back. It seems
that WD says it's been successfully removed, but it really isn't.

I've downloaded SpywareBot and Ad-Aware, but neither found my bug.
When I run the Symantec program specifically intended to remove
Adware.Virtumonde, it doesn't find anything. Neither does Avast.
Perhaps Adware.VirtuMonde and Win32/VirtuMonde are not the same thing.

Any clues on what else I can try?


Ron H

Jul 24, 2007, 4:32:03 PM
Did you install Spybot or SpywareBot?

"Malke" wrote:

> Go through the preparatory steps here:
> http://www.elephantboycomputers.com/page2.html#Removing_Malware
>
> Include scanning with David Lipman's Multi_AV and follow instructions to
> do all scans in Safe Mode. Please see the special Notes regarding using
> Multi_AV in Vista.
>
> http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
> http://pcdid.com/Multi_AV.htm - download
>
> Then do the specific removal steps here:
> http://www.elephantboycomputers.com/page2.html#Winfixer
>
> You can also check to see if there are targeted removal steps for your
> malware here:
> Bleeping Computer removal how-to's -
> http://www.bleepingcomputer.com/forums/forum55.html
>
> When all else fails, run HijackThis and post your log in one of the
> specialty forums listed at the first link above (not here, please).
>
> Not all tools used will work in Vista and you will need to run them
> elevated. Since Vista is so new, it will be a while before removal
> techniques and tools are developed. If you are unable to remove the
> infection by following the general steps, register at one of the
> HijackThis forums as suggested.
>
> Standard caveat: If the procedures look too complex - and there is no
> shame in admitting this isn't your cup of tea - take the machine to a
> professional computer repair shop (not your local version of
> BigComputerStore/GeekSquad). Please be aware that not all local shops
> are skilled at removing malware and even if they are, your computer may
> be so infested that Windows will need to be clean-installed. Have all
> your data backed up before you take the machine into a shop.
>
>
> Malke
> --
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
> MS-MVP Windows - Shell/User
>

David H. Lipman

Jul 24, 2007, 4:33:20 PM
From: "DanG" <da...@rmci.net>

Two phase answer...

Perform Part 1 then perform Part 2

If the first two parts don't work, perform the alternate utility.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.


If you are using any version of Sun Java that is prior to JRE Version 6.0,
then you are strongly urged to remove any/all versions.
There are numerous vulnerabilities in them, and they are actively being exploited.

It is highly suggested that you update to the latest version, which is Sun Java JRE/JSE
Version 6.0 update 2 (jre 6u2).

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version.

Such as...
C:\Program Files\Java\jre1.6.0_02

http://java.sun.com/javase/downloads/index.jsp
http://www.java.com/en/download/manual.jsp

FYI:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102622-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102732-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102760-1


Part 1
------------
Download Adware-Virtumundo Removal Tool --
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

Information on the Adware-Virtumundo Removal Tool:
http://forums.mcafeehelp.com/viewtopic.php?t=57049

Part 2
------------
Download Atribune's VUNDOFIX.EXE
http://www.atribune.org/ccount/click.php?id=4

Save VUNDOFIX.EXE to "C:\" ( C:\VUNDOFIX.EXE ) and execute it from there.


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
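The folder check David describes, scripted as an added example (not David's tool or any code from the thread). It assumes Windows PowerShell on the machine being checked, uses the path and version named in the post, and also looks under Program Files (x86), where a 32-bit JRE lands on 64-bit Windows:

```powershell
# Added example: audit the Java folder the way the post describes, flagging any
# jre/jdk folder older than the version it calls current (jre1.6.0_02).
$javaRoots = @('C:\Program Files\Java', 'C:\Program Files (x86)\Java')  # second root: 32-bit Java on 64-bit Windows
$minimum   = New-Object System.Version(1, 6, 0, 2)                       # jre1.6.0_02 as major.minor.build.update

function ConvertTo-JavaVersion {
    # Folder names look like jre1.6.0_02, jdk1.5.0_11 or j2re1.4.2_13;
    # returns $null when the name is not in that form.
    param([string]$FolderName)
    if ($FolderName -match '^(?:jre|jdk|j2re|j2sdk)(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$') {
        $update = 0
        if ($matches[4]) { $update = [int]$matches[4] }
        return New-Object System.Version([int]$matches[1], [int]$matches[2], [int]$matches[3], $update)
    }
    return $null
}

function Get-JavaFolderReport {
    # One row per folder: current, older than the minimum, or not a version folder at all.
    param([string[]]$Roots, [System.Version]$Minimum)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($dir in (Get-ChildItem -Path $root | Where-Object { $_.PSIsContainer })) {
            $v = ConvertTo-JavaVersion $dir.Name
            if ($null -eq $v) {
                $status = 'unrecognised folder name, inspect manually'
            } elseif ($v -lt $Minimum) {
                $status = "OLDER than $Minimum, uninstall via Add/Remove Programs"
            } else {
                $status = 'current'
            }
            New-Object PSObject -Property @{ Folder = $dir.FullName; Version = $v; Status = $status }
        }
    }
}

Get-JavaFolderReport -Roots $javaRoots -Minimum $minimum | Format-Table Folder, Version, Status -AutoSize
```

An empty report means no Java folder exists at either root; the post's expected result is exactly one row, marked current.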


Milo (MSPSS)

Jul 24, 2007, 8:38:03 PM
Windows Defender has a different signature when it comes to detecting Vundo /
VirtuMonde; the possible detection may conclude that a part, the loader or the
dropper of Vundo, is just about to start. That is the reason why it's only Defender
that may report such, for it doesn't only rely on the end product (when and if
Vundo is already widespread in the system). Please follow the steps above as
posted by Malke and David, and please advise us of any development along the
way.

Also, are you receiving multiple ad marketing window prompts, or
experiencing slowdown on start-up or loading Windows?
--
Milo
MSPSS

DanG

Jul 24, 2007, 10:05:26 PM
Malke: Sorry, I was never able to read your message. I see your name
in the tree, but no text. Seems like Milo was able to see it, so it
must be something on my end. (shrug)

Ron: I tried both SpyBot and SpywareBot. Both found some adware, but
not the VirtuMonde.O I needed to kill.

Milo: Yes, I have been seeing lots of windows prompts, many from sites
I never heard of, telling me that I have a virus, and that I must
download their software immediately. I do not. Also, I have not seen
any general slowdown of the machine.

David: I did have JRE1.4, which I uninstalled and put on JRE1.6. The
VirtumundoBeGone, which I ran first, seems to have done the trick.
VundoFix was next, but it did not find it. I then reran both in Safe
Mode, and both came up empty. I then ran the WD scan again, and it
also came up empty. (whew!)

Another note... I use Avast as my virus blocker, and it was the first
to tell me that a virus was inbound. I told it to delete the virus,
and it said it was unable to do so because the file was locked. A few
minutes later, Windows Defender popped up its message. By then, the
virus was already embedded on the machine. I find it interesting that
both packages saw it, and could do nothing about it.

Much thanks to all of you.
Da

Milo (MSPSS)

Jul 25, 2007, 2:16:02 AM
By any chance, did Windows Defender indicate the location of the said file tagged
as vundo?

1. Go to Start > Run
type %temp% (a folder would appear; delete all entries that can be deleted)
type temp (same)
type prefetch (same)

2. Go to Control Panel > locate an icon named System, left-click.
The System Properties console would appear; go to the System Restore tab,
put a check on "Turn off System Restore", Apply and OK,
restart the computer, scan again.

Should the process be successful, uncheck the "Turn off System Restore"
box to avail of the restore point feature of Windows; this time it's no
longer tainted by the said strands of infection.

--
Milo
MSPSS
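Milo's three-folder cleanup and System Restore toggle, scripted as an added example (not Milo's or Microsoft's own code). It assumes an elevated Windows PowerShell prompt on the affected machine; the prefetch backup folder name is this example's choice:

```powershell
# Added example: Milo's steps scripted. Run from an elevated Windows PowerShell prompt
# (Disable-ComputerRestore / Enable-ComputerRestore need administrator rights).
param(
    [switch]$DryRun,            # list what would be removed without removing anything
    [switch]$ReEnableRestore    # after a clean rescan, run again with this to turn System Restore back on
)

$windir  = $env:SystemRoot
$folders = @(
    $env:TEMP,                        # what "type %temp%" opens from Start > Run
    (Join-Path $windir 'Temp'),       # "type temp"
    (Join-Path $windir 'Prefetch')    # "type prefetch"
)

function Clear-FolderContents {
    # Deletes what it can and counts what it cannot: files in use (Dan's "file was locked"
    # case) stay behind, which is why Milo has you rescan afterwards.
    param([string]$Path, [switch]$DryRun)
    if (-not (Test-Path $Path)) { return "$Path : not present" }
    $removed = 0; $skipped = 0
    foreach ($item in Get-ChildItem -Path $Path -Force -ErrorAction SilentlyContinue) {
        try {
            Remove-Item -LiteralPath $item.FullName -Recurse -Force -WhatIf:$DryRun -ErrorAction Stop
            $removed++
        } catch { $skipped++ }
    }
    return "$Path : removed $removed, skipped $skipped (in use or protected)"
}

if ($ReEnableRestore) {
    Enable-ComputerRestore -Drive "$env:SystemDrive\"
    Write-Output "System Restore re-enabled on $env:SystemDrive; new restore points start clean"
    return
}

# Prefetch files record what has executed; keep a copy for later analysis before wiping them
# (backup folder name is this example's choice, not from the thread).
$backup = Join-Path $env:USERPROFILE 'prefetch-backup'
New-Item -ItemType Directory -Path $backup -Force | Out-Null
Copy-Item -Path (Join-Path $windir 'Prefetch\*.pf') -Destination $backup -Force -ErrorAction SilentlyContinue

foreach ($f in $folders) { Write-Output (Clear-FolderContents -Path $f -DryRun:$DryRun) }

if (-not $DryRun) {
    # Milo's step 2: old restore points may hold infected copies, so drop them before rescanning
    Disable-ComputerRestore -Drive "$env:SystemDrive\"
    Write-Output "System Restore disabled on $env:SystemDrive; rescan now, then rerun with -ReEnableRestore"
}
```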

DanG

Jul 25, 2007, 8:15:09 AM
Done.

Thanks
Dan

Ron H

Jul 25, 2007, 9:48:02 AM
DanG, also now you have to get rid of SpywareBot; it's on the list of rogue
spyware products that goad you (tell you that you have something when you
really don't) to make you purchase. It is also spyware itself:
http://spywarewarrior.com/rogue_anti-spyware.htm
http://www.ntcompatible.com/have_you_seen_this_new_threat_yet_spywarebot_t34627.html
http://www.2-spyware.com/review-spywarebot.html

Ron H

Jul 25, 2007, 10:10:03 AM
DanG, one of those links doesn't work; here it is again:
http://www.ntcompatible.com/have_you_seen_this_new_threat_yet_spywarebot_t34627.html

DanG

Jul 25, 2007, 11:42:34 AM
Yes, I ran SpyBot-S&D last night, and saw that SpywareBot was listed.
There was another one, too, that I downloaded from either
BleepingComputer or HijackThis (I forget which) that also set off
Avast warnings.

Dan

~On a clear disk, you can seek forever ~
