[SERIOUS] Virtumonde, Trojandownload.Agent

[dev22]

this seems pretty serious.

i'm not a computer beginner, i am actually retired security expert and I usually don't have any problems with my computers...

probably a new version of virus, spreading like crazy all over the world. i downloaded a new version of winrar 3.71 from a torrent site yesterday and it was probably infected with this shit.

what happens:
- major computer slowdown
- popups, popunders, in firefox as well as in IE (urls: adnetserver.com, suspensorpc.com and others)
- browser ad hijacking
- searching in google is painfully slow

AD browser hijacking: every site i visit which shows some ads is hijacked with this malware. the ads they normally display are removed and replaced by some other ads after few seconds, originating mostly from CPXinteractive.com Yield Manager. This happens on all websites no matter the language or ad format. Ads also rotate and change like each 5 seconds.

what i did:
- complete scans with nod32, hijack this, ad-aware, spybot -> no help

what i found:
- there're infected files (libraries) causing this mess located in Windows/System32. their names are totally random with .dll extension (pmnnmljJ.dll, byXQHBrq.dll, supmqbat.dll). there are some some .ini files with random names as well (ypukrblc.ini, qrBHQXyb.ini2, etc). each file has about 300 kB in size
- it's impossible to delete these files. i tried safe mode, applications moveonboot and killerbox and many other utilities - but nothing can delete these files! they must be hooked up somewhere in the kernel or in system drivers.
- there's a classic registry entry in HKLM/ms/win/cur version/run launching these files: "Runddl32.exe C:/Windows/System32/clbrkupy.dll". If you remove this, it's added back within few seconds.

here's one more URL which tried to download something but was stopped by nod32. Edit: removed

trojan


i am trying kaspersky online scan now and utility called SuperAntiSpyware now but I doubt it will help. this is a really serious shit spreading fast and I guess I'm not the only only having these issues right now.

UPDATE: kaspersky found the virus and marked it as Trojan-Downloader.Win32.Agent.pvz. It was unable to delete it though.

any help is welcome

[tashi]

Hello,

Please follow the procedure in this link:
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)

Also: Do NOT run 'fixes' before helpers have analyzed HJT/KAV scans

Then start your own thread in the Malware Removal Forum where a helper will advise you when available.

Regards.

[dev22]

SuperAntiSpyware in the safe mode solved all the problems after the full system scan. recommended app.

[tashi]

Hello dev22,

For future reference.

If Spybot-S&D does not detect or remove an item and you can find the files, please zip or rar them and send to:

To report a possible false positive: http://forums.spybot.info/showthread.php?t=19117

Questions regarding Spybot-S&D support can be asked here: Spybot-S&D Forums

If needing assistance with an infection not removed by normal methods: Malware Removal Forum

Have a nice day.