Virtumonde infestation

[insectoidone]

after almost a week of trying, i give up, this thing is killing me and my system! it taxes the computer so i can't hardly do anything, and it won't let me log into myspace or search google...how odd. i've run spybot many times and it finds virtumonde, i've navigated to the registry using regedit before and deleted the registries, but it still comes up! i navigated to the system32 folder and tried to delete the files that it finds ('something'_odd.dll) but it won't let me...(edit: i tried that in safe mode, but it lets me delete them in regular mode...)

i've tried everything besides reinstalling my OS, can i get rid of this thing?

also, everytime i start windows vista, many windows pop up and close and i can catch what seems to be loading something in system32, and it seems like my hard drive is loosing space, this week it started out at 100gbs, now it's an 90.2 and i haven't installed anything.

 

[PiCoPi]

Disable system restore points and run a Spybot scan again in Safe Mode with no Internet connection.

Run also an antivirus scan. What are you currently using?

 

[drragostea]

You are infected with a Virtuemonde trojan... Very persistent to remove :sad:.

Consider posting in the Malware Removal forum and having someone take a look at your system.

If you decide to have an experienced malware removal specialist assist you, please follow the procedure in this link to run scans and produce a HijackThis log:

• "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance).

 

[PiCoPi]

Why not even give Dr.Web CureIt a try.
Let it run a fast scan first and then choose a custom scan on your hard disk.

 

[tashi]

Hello,

Disable system restore points

Please do NOT turn off System Restore trying to remove an infection. Doing so would only serve to destroy a known restore point (not good) and won't remove the malware. Let your helper advise you as to when a System Restore flush is called for.

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)

insectoidone, please follow the instructions in that link as drragostea suggested.

Regards

 

[PiCoPi]

I apologise! Although I never depend on System Restore, it is much better to keep a clean image of your pc

 

[Hokuszpok]

I've got also a new Virtumode infection few days ago. NOD32 did not alert me about the malware dll copied to System32 dir... But Kerio Personal Firewall stoped a code injection to Explorer.EXE. Spybot also did not detected the infection, but showed a suspicious autorun entry in registry. This entry still apeared again after I deleted, and the dll also was wtrite protected... So I booted from a CD (UBCD4WIN), deleted the dll, and the regitstry entry, (I mailed the dll to NOD32 support, and from this week NOD32 detects this infection).

So, I think it is good idea to keep an emergency bootCD for these cases.
If your Explorer.EXE is not infected, you can follow this method. If is, and there are no restore points, just reinstall SP2 (if your OS is XP). Installing SP2 overwrites 65% of the system files, including Explorer.EXE. After this, don't forgot to reinstall all updates released after SP2...