rsurfer
2008-04-28, 18:14
Hi All!
Got a very persistent version of Virtumonde on my computer and spent the last 2 days removing it. It started with my hard drive being accessed suspiciously and getting pop-ups when surfing right after I had installed a program called Trojan Remover from http://www.simplysup.com/ and I strongly suspect that it installed Virtumonde because the problems started right after that. Probably so there would be something to discover and remove when I ran it the first time... well, its fast scan was so slow that I aborted it after 5 minutes but before that it had discovered Virtumonde....
Well, I launched SD instead and it discovered a lot of Virtumonde entries and I had to reboot into safe mode for it to remove those, but I still got the pop-up and strange hard drive access, so I downloaded and installed Vundofix from http://www.atribune.org/ and it discovered one more file called x... something and removed it, but the pop-ups for security software were still there.
Then I surfed to this forum and read the latest threads about Virtumonde and downloaded and installed ComboFix and HijackThis. ComboFix deleted a lot of entries but not all, and I manually inspected the ComboFix log and found all the remaining files and made a CFScript file and dropped it on ComboFix.
Strangely ComboFix did not delete the remaining files so I had to do it manually, and then I ran HijackThis and removed all suspicious-looking entries from it. After that I rebooted and the pop-ups are gone and neither SD nor ComboFix shows anything strange, so I guess I got rid of it completely.
Below is a summary of what I did so you SD guys can improve the Virtumonde removal in SD. Unfortunately I did not write down all the buttons or Tools entries I removed in HijackThis, but I removed all that looked strange.
------------------------------------------
ComboFix 08-04-26.5 - "censored" 2008-04-28 8:51:37.1 - NTFSx86
Running from: C:\Documents and Settings\"censored" \Skrivbord\ComboFix.exe
Command switches used :: C:\Documents and Settings\"censored" \Skrivbord\WindowsXP-KB310994-SP2-Home-BootDisk-SVE.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program\alexa toolbar
C:\WINDOWS\icon.ico
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\DdghQqss.ini
C:\WINDOWS\system32\DdghQqss.ini2
C:\WINDOWS\system32\fxnwnqiv.ini
C:\WINDOWS\system32\guemuebt.ini
C:\WINDOWS\system32\MabryObj.dll
C:\WINDOWS\system32\oledb32.dll
C:\WINDOWS\system32\QBbddfii.ini
C:\WINDOWS\system32\QBbddfii.ini2
C:\WINDOWS\system32\ssqQhgdD.dll
-------------------------------
Files I found to be suspicious from the hijackthis and combofix logs:
HiJackThis log (started by runddl32.exe)
C:\WINDOWS\system32\xhvsygnn.dll
combofix (suspected recent files):
C:\WINDOWS\system32\xxyabbcY.dll.vir
C:\WINDOWS\wininit.ini
wininit.ini content:
[rename]
c:\tempjunk1008.tmp=C:\WINDOWS\system32\iifddbBQ.dll_old
nul=c:\tempjunk3137.tmp
c:\tempjunk6400.tmp=C:\WINDOWS\system32\djudiqxh.dll_old
c:\tempjunk9144.tmp=C:\WINDOWS\system32\iifddbBQ.dll_old
c:\tempjunk9816.tmp=C:\WINDOWS\system32\lwbeqgwe.dll_old
c:\tempjunk4013.tmp=C:\WINDOWS\system32\hdekpjvd.dll_old
c:\tempjunk3137.tmp=C:\WINDOWS\system32\ssqQhgdD.dll
--------------------------------------------
CFScript.txt:
c:\tempjunk1008.tmp
c:\tempjunk3137.tmp
c:\tempjunk6400.tmp
c:\tempjunk9144.tmp
c:\tempjunk9816.tmp
c:\tempjunk4013.tmp
c:\tempjunk3137.tmp
C:\WINDOWS\system32\iifddbBQ.dll_old
C:\WINDOWS\system32\djudiqxh.dll_old
C:\WINDOWS\system32\iifddbBQ.dll_old
C:\WINDOWS\system32\lwbeqgwe.dll_old
C:\WINDOWS\system32\hdekpjvd.dll_old
C:\WINDOWS\system32\ssqQhgdD.dll
C:\WINDOWS\system32\xxyabbcY.dll.vir
C:\WINDOWS\wininit.ini
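As an added example (not from the original post), a small Python parser for the wininit.ini [rename] section quoted above. It interprets entries with the usual wininit.ini semantics (DESTINATION=SOURCE, carried out at next boot; a NUL destination deletes the source) and flags what a responder would want to see at a glance: system32 DLLs being moved, and two-step move-then-delete chains such as the ssqQhgdD.dll one. The sample data is the section from the post, embedded inline so the script runs offline.

```python
# Constructed sample: the wininit.ini [rename] section quoted in the post above,
# embedded as a raw string so the script runs offline.
SAMPLE_WININIT = r"""[rename]
c:\tempjunk1008.tmp=C:\WINDOWS\system32\iifddbBQ.dll_old
nul=c:\tempjunk3137.tmp
c:\tempjunk6400.tmp=C:\WINDOWS\system32\djudiqxh.dll_old
c:\tempjunk9144.tmp=C:\WINDOWS\system32\iifddbBQ.dll_old
c:\tempjunk9816.tmp=C:\WINDOWS\system32\lwbeqgwe.dll_old
c:\tempjunk4013.tmp=C:\WINDOWS\system32\hdekpjvd.dll_old
c:\tempjunk3137.tmp=C:\WINDOWS\system32\ssqQhgdD.dll
"""

SYSTEM_DIRS = ("\\windows\\system32\\", "\\winnt\\system32\\")


def parse_rename_section(text):
    """Return (op, source, destination) tuples from the [rename] section.

    wininit.ini semantics: each entry is DESTINATION=SOURCE and is carried out
    at the next boot; a destination of NUL means the source file is deleted.
    """
    ops, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line.lower() == "[rename]"
            continue
        if not in_rename or "=" not in line:
            continue
        dest, src = (p.strip() for p in line.split("=", 1))
        ops.append(("delete", src, None) if dest.lower() == "nul" else ("move", src, dest))
    return ops


def flag_suspicious(ops):
    """Report moves of DLLs out of a system directory, and deletes whose target is
    a file another entry renamed a system DLL into (a two-step removal).
    The move map is built first, so entry order in the file does not matter."""
    moved, system_dll_moves = {}, []  # moved: lowercase destination -> source
    for op, src, dest in ops:
        low = src.lower()
        if op == "move" and any(d in low for d in SYSTEM_DIRS) and low.endswith((".dll", ".dll_old")):
            system_dll_moves.append((src, dest))
            moved[dest.lower()] = src
    chained = [(src, moved[src.lower()]) for op, src, _ in ops
               if op == "delete" and src.lower() in moved]
    return {"system_dll_moves": system_dll_moves, "chained_deletes": chained}


if __name__ == "__main__":
    for key, items in flag_suspicious(parse_rename_section(SAMPLE_WININIT)).items():
        print(key)
        for item in items:
            print("   ", " -> ".join(str(p) for p in item))
```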