What does Virtumonde do?



bobblebob
2008-11-06, 19:19
Hi all

Cut a long story short, I recently had my debit card details stolen and used, and I thought I may have had a keylogger. I scanned with a few antispyware programs and they all came back clean, then tried Spybot. It picked up the Virtumonde trojan. Just 1 entry in my registry, I believe. I deleted it and it's gone now. HijackThis log is clean too.

I've read on here and other sites about how bad this trojan is, and how it's hard to remove and gives loads of popups and ads. Thing is, I never experienced any of this. It was easy to remove and I never had any ad popups at all. So was it the virus I got, or maybe just something left over from somewhere?

My main question though: a few sites mention it's a keylogger but don't say much about it. From what I've read, it logs what you type so it can give related popups. Does it steal banking information?

Spybotuserr
2008-11-06, 20:41
Hi Bob,

Apologies in advance for the length of this post.

A few days ago I had a false positive entry under Spybot with the Virtumonde trojan.

Here is my thread about it http://forums.spybot.info/showthread.php?t=35981.

I scanned my pc also with around 7-8 other anti-virus and anti-malware/spyware programs and they all came back clean.

My point in posting is that you may never have had the Virtumonde trojan as it may have been a false-positive from Spybot (refer to my thread).

I am not an expert in computers however here is some information I found on the trojan for you.

Please note the source is Wikipedia so I can't vouch for the accuracy. However Wikipedia is usually a good starting point for information.

Hope it helps!

Simon

----------------------------------------------------------------------------

Vundo, or the Vundo Trojan (also known as Virtumonde or Virtumondo and sometimes referred to as MS Juan) is a Trojan horse that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google.

Vundo infects victims' computers by exploiting a vulnerability in Sun Java 1.5.0_7 (aka Version 5.0 release 7),[1] and earlier versions. Many of the popups advertise programs including (but not limited to) Sysprotect, Storage Protector, AntiSpyware Master, and WinFixer. There are two main components to the Virtumonde.dll file. These are Browser Helper Objects and Class ID. Each of these is in the Windows Registry under Local Machine, and the file names are dynamic. It attaches to the system using bogus Browser Helper Objects and DLL files attached to Winlogon and Explorer.exe. According to Spybot - Search & Destroy scans, there are two Virtumonde.prx files and one Virtumode.dll file located in the Windows Registry as well as the system32 directory.[2]

As the virus is resident in memory and attached to Explorer.exe and Winlogon, they must be stopped before trying to remove the virus. Without Winlogon, there is no way to reboot the PC, so a forced reboot is needed, as when Winlogon restarts, the virus files are recreated. Internet Explorer, older versions of Mozilla Firefox, and Opera are susceptible web browsers affected by this trojan, but Apple Safari, Mozilla Firefox 3+, and Flock seem to be unaffected by the Trojan's .dll file. The trojan's DLL files are named with eight random upper- and lower-case characters and stored in the Windows system32 directory. Many virus removal programs will remove some of the trojan-created hidden files but not the actual running DLL. The DLL cannot be removed by conventional means because the file is in use as soon as Winlogon starts. However, utilities (such as Zap and Dr. Delete) exist that will delete files that are in use. If some but not all of the trojan's files are removed, it will make a new DLL with a different random name.

The most obvious sign of infection is the pop-ups. Vundo will cause the infected web browser to pop up advertisements, many of which claim a need for software to fix system "deterioration". The user's desktop background is changed to the image of an installation window saying there is adware on the computer. The screensaver is also changed to the Blue Screen. When the user tries to change the background and screensaver back to their original by going to the Display Properties, the background and screensaver tabs are missing because their "Hide" values in the Registry were changed to 1. Both the background and screensaver are in the System32 folder; however, the screensaver cannot be deleted.

Infected DLLs (with randomized names such as "__c00369AB.dat") will be present in the Windows/System32 folder and references to the DLLs will be found in the user's start up (viewable in MSConfig), registry, and as browser add ons in Internet Explorer.

Depending on the version of the virus the following symptoms may or may not be present:

Vundo may attempt to prevent the user from removing it or otherwise impede its operation, such as by disabling the task manager or Windows registry editor. Another symptom of Vundo may be the desktop icons will disappear and so will the taskbar and reappear after a short period. This becomes very frustrating if you are trying to run programs as they get automatically aborted.

Web access may also be negatively affected. Vundo may cause many websites to be inaccessible; these websites may just hang. The hard drive may start to be constantly accessed by the winlogon process.

Symptoms may also include the disabling of Windows Automatic Updates or other web-based services.

On infected systems, there is usually a listing for "MS Juan" inside of the registry. This is part of where your browsers are being hijacked from, disallowing you from navigating to certain sites. There will be a listing of your search page which also calls upon a random Windows DLL file, causing the search functions on that site to not work. Some known sites whose navigation is disabled include Google searches, Hotmail, Gmail, and MySpace. The web pages usually just hang there. Any web page that contains JavaScript in susceptible browsers will not properly load.
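A read-only triage script for the indicator classes the excerpt above describes (BHO registrations, DLLs hooked into Winlogon, eight-letter DLL names in system32, and the hidden Display Properties tabs), added here as an example; it is not from the thread, Wikipedia or Spybot. The registry paths are the standard Windows locations for those settings and are my assumption, since the excerpt names none of them.

```powershell
# Added example (not Spybot's code). Lists indicators for manual review; changes nothing.
# Assumption: these key paths are the standard Windows locations, not values from the thread.

# 1. Browser Helper Objects: resolve each registered CLSID to the DLL it loads.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid = $_.PSChildName
        $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { '<no InprocServer32>' }
        [pscustomobject]@{ Kind = 'BHO'; Id = $clsid; Path = $dll }
    }
}

# 2. Winlogon notification packages: each subkey names a DLL loaded at logon.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notifyKey) {
    Get-ChildItem $notifyKey | ForEach-Object {
        [pscustomobject]@{ Kind = 'WinlogonNotify'; Id = $_.PSChildName; Path = (Get-ItemProperty $_.PSPath).DLLName }
    }
}

# 3. DLLs in system32 whose base name is exactly eight letters (the naming pattern the
#    excerpt describes). Legitimate Microsoft files also match, so only those without a
#    valid Microsoft signature are listed; treat this as a hint for review, not a verdict.
Get-ChildItem "$env:SystemRoot\System32\*.dll" | Where-Object { $_.BaseName -cmatch '^[A-Za-z]{8}$' } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature $_.FullName
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            [pscustomobject]@{ Kind = 'RandomNameDll'; Id = $_.Name; Path = $_.FullName }
        }
    }

# 4. Display Properties tabs hidden by policy: the "Hide" values set to 1 in the excerpt.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($v in 'NoDispBackgroundPage', 'NoDispScrSavPage') {
    $val = (Get-ItemProperty $pol -Name $v -ErrorAction SilentlyContinue).$v
    if ($val -eq 1) { [pscustomobject]@{ Kind = 'HiddenTab'; Id = $v; Path = $pol } }
}
```

Run it from an elevated PowerShell prompt; an empty result for all four checks does not prove a clean system, since the excerpt notes variants change file names and may hide from tools.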

tashi
2008-11-06, 20:57
Hello,

There are many variants of Virtumonde/Vundo and they have evolved over time.

For instance, some cause popups that include advertisements for rogue anti-spyware programs, others may include rootkits making them more difficult to detect and remove as methods are used to hide the locations from removal tools.

We have skilled volunteer analysts who assist victims in our Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) using specialized tools that were created in order to target such infections.

The most common method of infection is through outdated versions of the Sun Java platform.

Sun Microsystems~Java. Security vulnerability in older versions left on system (http://forums.spybot.info/showpost.php?p=12880&postcount=2)

Hope that helps.

bobblebob
2008-11-06, 20:57
Hey Simon

Thanks for the info. I read the Wikipedia entry and from the sounds of it, the people who have this trojan would know about it. It can cause a lot of popups and ad messages. As I said, I got nothing; if it wasn't for the scan I wouldn't have thought anything was wrong, as my PC has been fine. So maybe it is a false positive. Is Spybot known to give a lot of false positives?

Although if it was, what did Spybot fix, as the 2nd scan came back clean? I notice nothing mentions the keylogger aspect of the trojan unless you type "Virtumonde keylogger" into Google, and then it's not very clear. So maybe it just makes ads pop up.

And no need to apologise for the length of the post, the more info the better.

Cheers

bobblebob
2008-11-06, 21:01
Hello,

There are many variants of Virtumonde/Vundo and they have evolved over time.

For instance, some cause popups that include advertisements for rogue anti-spyware programs, others may include rootkits making them more difficult to detect and remove as methods are used to hide the locations from removal tools.

We have skilled volunteer analysts who assist victims in our Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) using specialized tools that were created in order to target such infections.

The most common method of infection is through outdated versions of the Sun Java platform.

Sun Microsystems~Java. Security vulnerability in older versions left on system (http://forums.spybot.info/showpost.php?p=12880&postcount=2)

Hope that helps.

Thanks. Java is up to date, but I do have old versions on my PC. So it's OK to delete them then?

The fact I showed no symptoms of the trojan is still baffling me. I also ran the Virtumonde removal tool, which picked up nothing after Spybot deleted it. Out of interest, will a HijackThis log show up the trojan and any variants of it, if it was on my system?

golferman
2008-11-06, 22:12
I'm having trouble with this adware too. Spybot says it removes it but then I have the same problems again and it finds it again, removes it and it comes back again.

I thought Spybot could take care of it. Now I can't even open Spybot.

tashi
2008-11-06, 22:39
Hello golferman,

At this point if you cannot open Spybot please see the links md usa spybot fan provided here: http://forums.spybot.info/showthread.php?t=36064

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) where a helper will advise you as soon as available.

Best regards.

ky331
2008-11-06, 22:43
BobbleBob, upon inquiring about his infection, noted it "Was easy to remove and never had any ad popups at all... Just 1 entry in my registry i believe. ".

Then I think we can safely say it wasn't a full-fledged vundo/virtumonde infection, as this would indeed have resulted in numerous browser popups, and/or warnings about your system being infected (with a recommendation to download "their" scanner/remover to "fix" things); it would have included some infected files (i.e., not just a registry entry); and it would have offered resistance to removal unless the appropriate tool was used.

bobblebob
2008-11-06, 22:50
Thanks. Dunno what I had on my system then.

I did have a http://www.superantispyware.com/definition/mppds/ file appear that AVG picked up a few months back. I got rid of the virus but I never scanned with Spybot as I didn't have it then. Dunno if they're linked.

Has there been any case of the Virtumonde virus stealing banking details?

tashi
2008-11-06, 22:53
Hi there,

Thanks. Java is up to date, but I do have old versions on my PC. So it's OK to delete them then?
Older versions can usually be removed via ADD/Remove Programs.


The fact I showed no symptoms of the trojan is still baffling me. I also ran the Virtumonde removal tool, which picked up nothing after Spybot deleted it.

I have no way of knowing if you are experiencing a false positive, did you see the link bobblebob provided to his own topic?

FYI:
How to report False Positives (http://forums.spybot.info/showthread.php?t=19117)


Out of interest, will a HijackThis log show up the trojan and any variants of it, if it was on my system?
Not necessarily.



....others may include rootkits making them more difficult to detect and remove as methods are used to hide the locations from removal tools.


If after analysis helpers suspected there was an infection, they would provide further instruction.

If the computer appeared to be clean they would confirm.