evil Virtumonde - again



Larry Cunningham
2008-08-14, 21:26
First, I'm new here. I'd like to say thank you for Spybot and Teatimer, they are wonderful products. Here's my long and sad tale.

A short while back, I discovered Virtumonde, made aware of it by Teatimer. I'm running a fairly new Dell T5400 with 32-bit XP Pro, which had upgraded to SP3. After much grief and continuous loops, a very good friend suggested I back off SP3 as a first step, and then go to this site and get Spybot 1.6. This was interesting to me, since the Spybot 1.5-something I had been using was always giving a message that no updates were available. My friend said that Spybot itself might have been infected somehow. Anyway, he told me about BHOs (Browser Helper Objects), which he said were a feature of IE 7.0, part of SP3.

I followed his advice and found that SP3 uninstalled itself gracefully and that IE 6.0 appeared afterward. And as I ran Spybot 1.6, it saw and seemed to remove Virtumonde. I rebooted and reran it multiple times, and thought I was home free.

Unfortunately, the next day, Teatimer is telling me that a process named BMe7682efa is at it again, trying to alter the registry. Denying it and saying to remember that decision only caused the process to continue, pounding away, trying to alter the registry.

I also ran the TuneUp Utilities 2008 Startup Manager, and I could see this same process, checked to start. I unchecked it and deleted it and could see that Teatimer saw that deletion. Meanwhile, that process kept pounding away, trying to change the registry (all that was removed was the startup entry for the BME7682efa process, not the process itself).

I'll mention here again that the initial run of Spybot 1.6 reported that my Windows security updates were disabled, and tried to fix it. But when I ran services.msc and tried to change the Automatic Updates service to Automatic and then start it, I got an error 1058 message. This problem is still unresolved; I'm only mentioning it because after multiple tries, I continued to get this 1058 error message, so I had stopped messing with it.

Now, an interesting thing: on a second repeat performance of appearing out of nowhere, the BME7682efa process seemed to have at least one BHO involved. I had been under the impression that going back to IE 6.0 could eliminate the BHOs and that path for this trojan. Evidently not.

And when I ran Spybot 1.6 again, it found nothing. No complaints. Not even the fact that my Windows security updates were still turned off. Hmm... Perhaps a feature?

To be safe, I downloaded a second copy of Spybot 1.6 plus the includes. And I disconnected completely from the internet, went through an uninstall of Spybot, did another clean installation, this time disabling its auto-update-on-startup feature. And I ran the includes file manually. It all worked, of course, and found and eliminated Virtumonde. That was this morning, about 3 hours ago. It seems to have succeeded, but I'll see in the next few days.

My point here is that Virtumonde might well be corrupting Spybot somehow, involving its auto updates. Is that possible? Can anyone here throw any light on this?

I really hate the notion of going to a reformat and clean reinstall of Windows XP Pro + SP2 to get rid of the Virtumonde trojan.

Thanks in advance for all advice,

Best regards,

Larry Cunningham

Las Cruces, NM USA
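The post above touches three things a responder would want to see enumerated before anything is removed: the Browser Helper Objects loaded by Internet Explorer, the startup entry that the "Startup Manager" deleted, and the Automatic Updates service that refuses to start with error 1058 (Win32 ERROR_SERVICE_DISABLED: the service, or a service it depends on, is disabled). The script below is an added example written for this page; it is not code from the thread, from Spybot, or from any tool named in it. It only reads and reports; it removes nothing. It assumes PowerShell is installed on the XP box and is run from an administrator account, and the name `BMe7682efa` is taken from the post purely as a string to highlight. Note that the BHO registry key read here is the one IE consults regardless of IE version, which is why downgrading from IE 7 to IE 6 does not by itself get rid of a BHO.

```powershell
# Added example (not from the original thread). Read-only triage of the
# persistence points mentioned in the post. Run as an administrator.
# $suspect is the process name quoted in the post; matching is case-insensitive.
$suspect = 'BMe7682efa'

# 1. Browser Helper Objects: every CLSID listed under this key is loaded by
#    iexplore.exe, on IE 6 as well as IE 7. Resolve each CLSID to its DLL path.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" `
                       -ErrorAction SilentlyContinue).'(default)'
        "BHO $clsid -> $server"
    }
} else {
    'No BHO key present'
}

# 2. Run / RunOnce values in both hives: the places a "startup manager" edits.
#    Deleting a value here only stops the next autostart; the running process
#    and its DLLs are untouched, which matches what the post describes.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata
        $flag = ''
        if (($p.Name -match $suspect) -or ("$($p.Value)" -match $suspect)) { $flag = '  <== matches suspect' }
        "$key : $($p.Name) = $($p.Value)$flag"
    }
}

# 3. Live processes whose name or command line contains the suspect string,
#    with the on-disk image path (what a startup entry deletion leaves behind).
Get-WmiObject Win32_Process |
    Where-Object { ($_.Name -match $suspect) -or ("$($_.CommandLine)" -match $suspect) } |
    Select-Object ProcessId, Name, ExecutablePath

# 4. Automatic Updates service (wuauserv). Error 1058 at start means StartMode is
#    Disabled on this service or on one of its dependencies, so show both.
$wu = Get-WmiObject Win32_Service -Filter "Name='wuauserv'"
if ($wu) {
    "wuauserv: State=$($wu.State) StartMode=$($wu.StartMode)"
    Get-Service wuauserv | Select-Object -ExpandProperty ServicesDependedOn |
        Select-Object Name, Status
} else {
    'wuauserv service not found'
}
```

Collecting this output before touching the machine gives the responder in the Malware Removal Forum the same facts a HijackThis log carries (BHO CLSIDs and DLL paths, Run entries, running image paths), and the wuauserv section shows whether the 1058 error is the service itself or a disabled dependency such as the RPC or Event Log service.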

tashi
2008-08-14, 22:02
Hello.

Please follow the procedure in this link: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288) to produce an HJT log.

Then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) where a helper will advise you as soon as available.

Cheers.

Larry Cunningham
2008-08-14, 23:46
Thank you, Tashi, I appreciate your help and this forum. Will do as you say.

L.