Virtumonde.atr - can't remove



chrisbmx
2010-04-05, 23:08
Hello,
I run a scan on Spybot S&D and it won't let me remove Virtumonde.atr and says I'm not an administrator and can't remove it because of this. We only have one account on this computer and we are the administrator. How can I remove this trojan??? Thanks, Chris

tashi
2010-04-06, 00:30
Hello chrisbmx,

Hello,
I run a scan on Spybot S&D and it won't let me remove Virtumonde.atr and says I'm not an administrator and can't remove it because of this. We only have one account on this computer and we are the administrator.

"On Windows Vista and Windows 7, Spybot-S&D might tell you that you are not authorized to perform some actions, since they require Administrator rights. You can solve this problem as follows:

1. Right-click the Spybot - Search & Destroy entry in your start menu, instead of just left-clicking to start it.
2. Choose Run as administrator from the context menu."

From our FAQ here: http://www.safer-networking.org/en/faq/42.html

There is also a screen shot which should help. :)

If you are still unable to remove the item please see the malware forum FAQ: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Best regards.

chrisbmx
2010-04-06, 03:08
I ran Spybot as an administrator and could remove Virtumonde.atr. By the way I am running Vista Home Basic. Spybot said it fixed the problem. I'll try running it again at bedtime to see if it finds the file again. THANK YOU FOR YOUR HELP, THIS FORUM IS GREAT!!!

I noticed something a little strange though. Usually on the bottom of the screen, where it says "running bot-check (463876/940842)", it stayed on the name Virtumonde from at or before 160000 until 890000. In the past, I would notice this name changing so much that I sometimes couldn't read what it was checking. Now it seems to be checking for the same file the whole time. It did switch extensions from dll to sci to sdn, but that's about it. I started looking there at 160000, so it may have done it earlier than that. Is this a problem?????

Thanks again. :thanks:

chrisbmx
2010-04-06, 03:47
Well, I spoke too soon. Now Spybot finds Virtumonde.prx. I stopped the scan, fixed the problem, and now am re-running it as administrator. Why is this thing hanging around?

tashi
2010-04-06, 08:22
Hi chrisbmx,

Did you try running Spybot-S&D in safe mode?


If you are still unable to remove the item please see the malware forum FAQ: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
Then start a new topic in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) and a volunteer analyst will advise you when available.

Best regards. :)

chrisbmx
2010-04-08, 02:17
I ran Spybot and AVG in safe mode. It found vondo.kz and moved it to the virus vault along with a bunch of other .dll files.

Today I found Windows Defender disabled. I started it back up and it told me at the bottom of the screen where the time is (I think that's programs running), that I had some sort of problem. It let me bring up a list of programs that start at startup. I found one called fonofusen, with the filename in it c:\progra~2\wonizaki\wonizaki.dll. I think this is a trojan from what I read on Google.

When I go to Windows Defender, then Tools, then Software Explorer, then Startup Programs, I find a weird program under Microsoft Windows host process (rundll32) - "c:\progra~2\wonizaki\wonizaki.dll ,a". I am afraid to disable it since I think it will make my computer not boot up.
I am using a separate computer now since I don't want to use the vista machine until I get this resolved. How do I remove this virus and keep it from coming back?
Thank you so much!!! Chris
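
Added example (not written by either poster, and not Spybot-S&D or Windows Defender code): a small Python triage of startup command lines like the rundll32 entry described in the post above. The sample entries are constructed, with only the `fonofusen` name and the `wonizaki.dll` argument taken from the post; the trusted-directory list and the three heuristics are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Assumption of this example: rundll32 targets normally live in these folders.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# [path\]rundll32[.exe] <dll>,<export>  (quotes and a space before the comma allowed)
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)

def triage(command):
    """Return (dll, export, reasons) for a rundll32 startup command, else None."""
    m = RUNDLL_RE.match(command)
    if not m:
        return None
    dll = m.group("dll").strip()
    export = m.group("export").strip('"')
    path = PureWindowsPath(dll.lower())
    reasons = []
    if str(path.parent) not in TRUSTED_DIRS:
        reasons.append("DLL outside system directory")
    if any(re.search(r"~\d", part) for part in path.parts):
        reasons.append("8.3 short path hides the real folder name")
    if len(export) <= 2:
        reasons.append("very short export name")
    return dll, export, reasons

# Constructed startup list; only the first entry's name and argument come from the post.
SAMPLE_ENTRIES = [
    ("fonofusen", r'rundll32.exe "c:\progra~2\wonizaki\wonizaki.dll ,a"'),
    ("Control Panel applet", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ("AVG tray", r'"C:\Program Files\AVG\avgtray.exe"'),
]

def flagged(entries):
    """Keep only rundll32 entries that tripped at least one heuristic."""
    out = []
    for name, command in entries:
        result = triage(command)
        if result and result[2]:
            out.append((name, result[0], result[2]))
    return out

if __name__ == "__main__":
    for name, dll, reasons in flagged(SAMPLE_ENTRIES):
        print(f"{name}: {dll} -> {'; '.join(reasons)}")
```

A flagged entry is a lead for the analyst's log review, not a verdict; legitimate software also registers rundll32 startup items outside the system folders.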

tashi
2010-04-08, 04:05
Hi chrisbmx,

Please start a topic in the malware removal forum as outlined in my posts above.

Best regards. :)

tashi
2010-04-08, 05:36
Hello chrisbmx,

I see you started a topic in the malware forum, however you did not produce a log for the volunteer analysts. http://forums.spybot.info/showthread.php?t=56701 ;)

Best regards,

Edit
Log now added. :)