
Thread: Virtumonde

  1. #11
    Junior Member
    Join Date
    Oct 2008
    Posts
    26

    There is one small, additional problem that seems to have appeared around the time the malware did. The fonts in my Firefox browser are all bold in some areas that weren't like that before. Like the Google search results. In IE they are all italicized, also something that wasn't like that before. Any idea what happened? I tried messing with the text size, zoom and settings and it doesn't change anything.

  2. #12
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    That is most likely a settings issue.

    Anyway, before we come to that, let's remove some malware:

    We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:

    1. Run Spybot-S&D in Advanced Mode.
    2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
    3. On the left-hand side, click on Tools.
    4. Then click on the Resident icon in the list.
    5. Uncheck "Resident TeaTimer" and OK any prompts.
    6. Restart your computer.

    Open notepad and copy/paste the text in the codebox below into it:

    Code:
    File::
    F:\WINDOWS\system32\osavyfsh.ini
    F:\WINDOWS\system32\ajxfnfbb.ini
    F:\WINDOWS\system32\pughinfp.ini
    
    Folder::
    F:\Program Files\uTorrent
    F:\Documents and Settings\Administrator\Application Data\uTorrent
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

    Save this as "CFScript".

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    ComboFix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.
    If that happened we want to know, and also what process you had to end.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
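A small checker for the CFScript format used in the post above, added here as an example; it is not part of the original thread or of ComboFix itself. It knows only the three directives the post uses (File::, Folder::, Registry::), treats the Registry:: lines as regedit-style key/value deletions, and lists the entries a helper would want to double-check before the script is dragged onto ComboFix; the script text is a constructed copy of the one posted.

```python
import re

# Constructed copy of the script posted above (raw string, so the backslashes are literal).
CFSCRIPT = r"""File::
F:\WINDOWS\system32\osavyfsh.ini
F:\WINDOWS\system32\ajxfnfbb.ini
F:\WINDOWS\system32\pughinfp.ini

Folder::
F:\Program Files\uTorrent
F:\Documents and Settings\Administrator\Application Data\uTorrent

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
"""

KNOWN_SECTIONS = {"File", "Folder", "Registry"}     # only the directives this post uses
ABS_PATH = re.compile(r"^[A-Za-z]:\\.+")             # drive-letter absolute path
REG_KEY = re.compile(r"^\[-?HKEY_[A-Z_]+\\.+\]$")    # [HIVE\key] opens a key, [-HIVE\key] deletes it
REG_VALUE = re.compile(r'^"[^"]+"=-$')               # "name"=- deletes a value under the open key

def parse_cfscript(text):
    """Group the script's lines under their 'Name::' section headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections

def review_cfscript(text):
    """Return the findings a helper would want to see before the script is run."""
    findings = []
    for name, entries in parse_cfscript(text).items():
        if name not in KNOWN_SECTIONS:
            findings.append(f"unknown section {name}::")
            continue
        for entry in entries:
            if name in ("File", "Folder") and not ABS_PATH.match(entry):
                findings.append(f"{name}:: entry is not an absolute path: {entry}")
            if name == "Folder" and "\\program files\\" in entry.lower():
                findings.append(f"Folder:: removes an application directory: {entry}")
            if name == "Registry" and not (REG_KEY.match(entry) or REG_VALUE.match(entry)):
                findings.append(f"Registry:: entry is not in regedit key/value syntax: {entry}")
    return findings
```

For the posted script the only finding is the uTorrent folder under Program Files, which removes a whole application rather than a single malware file.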

  3. #13
    Junior Member
    Join Date
    Oct 2008
    Posts
    26

    Computer hung in the middle of ComboFix. Computer no longer starts. After Windows loading screen, screen goes black and nothing happens afterward. Safe mode too.

  4. #14
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Please choose Last Known Good Configuration from the boot menu (restart the computer and tap F8 before the Windows logo).

    Let me know if it helped.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  5. #15
    Junior Member
    Join Date
    Oct 2008
    Posts
    26

    Computer is shutting down with a STOP BSOD error:

    STOP: c000021a {Fatal System Error}
    The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000135 (0x00000000 0x00000000).
    The system has been shut down.

  6. #16
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    This should help if you have a Windows CD.

    Let me know how it went.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  7. #17
    Junior Member
    Join Date
    Oct 2008
    Posts
    26

    It would seem that Vundo is extremely contagious, or there is an epidemic going around. My laptop is now infected :[. Still working on getting Windows running. I did a recovery using an SP1 CD but I'm not sure that was the best idea.. my boot drive is SATA and was configured for AHCI.. now I'm getting a STOP error about jahci.sys:

    *** STOP: 0x0000007E (0xC0000005,0xF788F3C9,0xF7C43218,0xF7C42F18)
    *** jahci.sys - Address F788F3C9 base at F788C000, DateStamp 435da804

  8. #18
    Junior Member
    Join Date
    Oct 2008
    Posts
    26

    Oh yeah, if it helps, I have an installation of Kubuntu on another drive. It's got NTFS drivers so I can mess with the XP filesystem if necessary.

  9. #19
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Vundo has been going on for years, but the infection has unfortunately become a lot worse.

    Are you able to install the Recovery Console from the CD? This should give guidance for installing it. If so, we might be able to restore the situation prior to the ComboFix run.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  10. #20
    Junior Member
    Join Date
    Oct 2008
    Posts
    26

    Well, after messing with some BIOS settings, I got past the stop message but the XP loading screen is taking FOREVER. The bar is moving but it's been doing that for like 20 minutes now... I guess I'll let it run till morning and we'll see where it's at then..
