PDA

View Full Version : Persistent Virtumonde



rsurfer
2008-04-28, 18:14
Hi All!

Got a very persistent version of Virtumonde on my computer and spent the last 2 days removing it. It started with my hard drive being accessed suspiciously and getting pop-ups when surfing right after I had installed a program called Trojan Remover from http://www.simplysup.com/ and I strongly suspect that it installed Virtumonde becuse the problems started right after that. Probably so there would be something to discover and remove when I ran it the first time... well it's fast scan was so slow that I aborted it after 5 Min's but before that it had discovered Virtumonde....

Well I launched SD instead and it discovered a lot of Virtumonde entries and I had to reboot into safe mode for it to remove those but I still got the pop-up and strange hard rive access so i downloaded and installed Vundofix from http://www.atribune.org/ and it discovered one more file called x... something and removed it but the pop-ups for security software was still there.

Then I surfed to this forum and read the latest treads about Virtumondo and downloaded and installed combofix and hijackthis. Combofix deleted a lot of entries but not all and I manually inspected the combofix log and found all the remaining files and made an CFScript file and drop it on combofix.

Strangely combofix did not delete the remaining files so I had to do it manually and then I ran hiJackThis and removed all suspicious looking entries from it. After that I rebooted and the pop-ups are gone and neither SD or combofix show anything strange so I guess I got rid of it completely.

Below is a summary of what I did so you SD guys can improve the Virtumondo removal in SD. Unfortunately I did not write down all the buttons or Tools entries I removed in HiJackThis but I removed all that looked strange.
------------------------------------------

ComboFix 08-04-26.5 - "censored" 2008-04-28 8:51:37.1 - NTFSx86
Running from: C:\Documents and Settings\"censored" \Skrivbord\ComboFix.exe
Command switches used :: C:\Documents and Settings\"censored" \Skrivbord\WindowsXP-KB310994-SP2-Home-BootDisk-SVE.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program\alexa toolbar
C:\WINDOWS\icon.ico
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\DdghQqss.ini
C:\WINDOWS\system32\DdghQqss.ini2
C:\WINDOWS\system32\fxnwnqiv.ini
C:\WINDOWS\system32\guemuebt.ini
C:\WINDOWS\system32\MabryObj.dll
C:\WINDOWS\system32\oledb32.dll
C:\WINDOWS\system32\QBbddfii.ini
C:\WINDOWS\system32\QBbddfii.ini2
C:\WINDOWS\system32\ssqQhgdD.dll

-------------------------------

Files I found to be suspicious from the hijackthis and combofix logs:

HiJackThis log (started by runddl32.exe)
C:\WINDOWS\system32\xhvsygnn.dll

combofix (suspected recent files):
C:\WINDOWS\system32\xxyabbcY.dll.vir
C:\WINDOWS\wininit.ini

wininit.ini content:
[rename]
c:\tempjunk1008.tmp=C:\WINDOWS\system32\iifddbBQ.dll_old
nul=c:\tempjunk3137.tmp
c:\tempjunk6400.tmp=C:\WINDOWS\system32\djudiqxh.dll_old
c:\tempjunk9144.tmp=C:\WINDOWS\system32\iifddbBQ.dll_old
c:\tempjunk9816.tmp=C:\WINDOWS\system32\lwbeqgwe.dll_old
c:\tempjunk4013.tmp=C:\WINDOWS\system32\hdekpjvd.dll_old
c:\tempjunk3137.tmp=C:\WINDOWS\system32\ssqQhgdD.dll

--------------------------------------------
CFScript.txt:

c:\tempjunk1008.tmp
c:\tempjunk3137.tmp
c:\tempjunk6400.tmp
c:\tempjunk9144.tmp
c:\tempjunk9816.tmp
c:\tempjunk4013.tmp
c:\tempjunk3137.tmp
C:\WINDOWS\system32\iifddbBQ.dll_old
C:\WINDOWS\system32\djudiqxh.dll_old
C:\WINDOWS\system32\iifddbBQ.dll_old
C:\WINDOWS\system32\lwbeqgwe.dll_old
C:\WINDOWS\system32\hdekpjvd.dll_old
C:\WINDOWS\system32\ssqQhgdD.dll
C:\WINDOWS\system32\xxyabbcY.dll.vir
C:\WINDOWS\wininit.ini

Blade81
2008-04-29, 13:17
Hi

First of all you should never use ComboFix without supervision! Wrong CFScript can also cause much more damage than benefit.

If you want me to help you with this please post:
-a fresh hjt log
-c:\ComboFix\ComboFix.txt contents.

rsurfer
2008-05-05, 13:49
Im farly good with computers and have worked professionaly as an system administrator so I know how to use tools like combofix, just tought it was strange it did not remove the files in the CFScript... And yes the wrong CFScript can do a lot of danger if you put in the wrong files there but I only added the files I could be sure was not legit files and would be safe to remove.

Blade81
2008-05-05, 14:34
Im farly good with computers and have worked professionaly as an system administrator so I know how to use tools like combofixWell, keep in mind that these forums are read also by not computer savvy ones ;)

Do NOT run 'fixes' before helpers have analyzed HJT/KAV scans (http://forums.spybot.info/showthread.php?t=16806 )

Anyway, if you need my assistance please post those logs I asked for. Otherwise let me know that case can be closed.

Blade81
2008-05-12, 18:55
Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.