
Thread: evil Virtumonde - again

  1. #1
    Larry Cunningham (Junior Member)
    Join Date: Aug 2008
    Location: Las Cruces, NM USA
    Posts: 21

    Question: evil Virtumonde - again

    First, I'm new here. I'd like to say thank you for Spybot and Teatimer, they are wonderful products. Here's my long and sad tale.

    A short while back, I discovered Virtumonde, made aware of it by Teatimer. I'm running a fairly new Dell T5400 with 32-bit XP Pro, which had upgraded to SP3. After much grief and continuous loops, a very good friend suggested I back off SP3 as a first step, and then go to this site and get Spybot 1.6. This was interesting to me, since the Spybot 1.5-something I had been using was always giving a message that no updates were available. My friend said that Spybot itself might have been infected somehow. Anyway, he told me about BHOs (Browser Helper Objects), which he said were a feature of IE 7.0, part of SP3.

    I followed his advice and found that SP3 uninstalled itself gracefully and that IE 6.0 appeared afterward. And as I ran Spybot 1.6, it saw and seemed to remove Virtumonde. I rebooted and reran it multiple times, and thought I was home free.

    Unfortunately, the next day, Teatimer is telling me that a process named BMe7682efa is at it again, trying to alter the registry. Denying it and saying to remember that decision only caused the process to continue, pounding away, trying to alter the registry.

    I also ran the Tuneup Utilities 2008 Startup Manager, and I could see this same process, checked to start. I unchecked it and deleted it, and could see that Teatimer saw that deletion. Meanwhile, that process kept pounding away, trying to change the registry (all that was removed was the startup entry for the BME7682efa process, not the process itself).

    I'll mention here again that the initial run of Spybot 1.6 reported that my Windows security updates were disabled, and tried to fix it. But when I ran services.msc and tried to change the Automatic Updates service to Automatic and then start it, I got an error 1058 message. This problem is still unresolved; I'm only mentioning it because after multiple tries I continued to get this 1058 error message, so I had stopped messing with it.

    Now, an interesting thing - on a second repeat performance of appearing out of nowhere, the BME7682efa process seemed to have at least one BHO involved. I had been under the impression that going back to IE 6.0 could eliminate the BHOs and that path for this trojan. Evidently not.

    And when I ran Spybot 1.6 again, it found nothing. No complaints. Not even the fact that my Windows security updates were still turned off. Hmm... Perhaps a feature?

    To be safe, I downloaded a second copy of Spybot 1.6 plus the includes. And I disconnected completely from the internet, went through an uninstall of Spybot, did another clean installation, this time disabling its auto-update-on-startup feature. And I ran the includes file manually. It all worked, of course, and found and eliminated Virtumonde. That was this morning, about 3 hours ago. It seems to have succeeded, but I'll see in the next few days.

    My point here is that Virtumonde might well be corrupting Spybot in some way involving its auto updates. Is that possible? Can anyone here throw any light on this?

    I really hate the notion of going to a reformat and clean reinstall of Windows XP Pro + SP2 to get rid of the Virtumonde trojan.

    Thanks in advance for all advice,

    Best regards,

    Larry Cunningham

    Las Cruces, NM USA
    Last edited by tashi; 2008-08-14 at 22:00. Reason: Mod: removed email address

  2. #2
    tashi (Member of Team Spybot)
    Join Date: Oct 2005
    Location: USA
    Posts: 30,956

    Hello.

    Please follow the procedure in this link: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) to produce a HJT log.

    Then start your own thread in the Malware Removal Forum, where a helper will advise you as soon as available.

    Cheers.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Larry Cunningham (Junior Member)
    Join Date: Aug 2008
    Location: Las Cruces, NM USA
    Posts: 21

    thanks

    Thank you, Tashi, I appreciate your help and this forum. Will do as you say.

    L.
