Virtumonde removed, but not without pain

[mrmabs]

Just some helpful information, I hope this is the right place to post.

I had a very stubborn Virtumonde infection up until about an hour ago, all attempts to remove it failed, most of the time when Spybot or Sophos tried to remove the file, it would result in crashing explorer and reboot my computer. Safemode, Administrator login, manually removing all entries from registry and rebooting, manually deleting file all failed.

The file was rqRKCtUk.dll in the system32 directory, and according to Spybot and Sophos it hooked itself into explorer itself as a BHO and in key "{BB81FE02-F70B-46C2-82C3-DE5C6652E677}".

My only solution to this issue was to boot to the Windows XP cd and enter the recover console to delete the file.

If anyone is interested, I have what I believe is the original offending file and the above dll (although the dll was successfully detected by Spybot). The exe is 18Mb, which wasn't detected as being harmful by anything, as I like to scan all unknown files before I run them. I believe the exe also had a Zlob payload, and it was cleaned up easily. I also have an unknown dll "nwkmtafu.dll" that was not detected by any software, but may also be related to this infection.

 

[Ramalama]

Hello fellow Virtumondo survivor!
It is a great feeling to have slaughtered that beast, I agree. There are so many variants of this thing, so what you experienced and what I got were different. Mine attached itself to the windows login, with an excutable dll called from the users run key. The pattern was this - I would delete it, reboot, it would come back and do the exact same thing - load three new dlls, an xml and a txt file of sites to use to get the popup ads, a couple new ini files, etc. It also turned off Windows Update and enabled all cookies.

But the way I ended up killing it was due to the fact that another thing it did was to delete the file in the system32 folder that is the Windows activate key. So I had to activate windows each time I had to reboot. At one point I had to call and do it via phone, and the very helpful lady at microsoft told me to call the support number, and I handed over the use of my computer to a Microsoft angel, who downloaded smitfraud, highjack this (even though I already had it) and ice sword, and as I watched, fascinated, he systematically anhilalted it. All the while telling me every step he took in case it happened again. Spybot found it, but could not get rid of it due to the attachment to the logon process.

Between the time that I first discovered it at about quarter after nine in the morning on Saturday till mid afternoon on Monday, it had created about 200 dlls. They were not active, except for the trio that were made each time it booted. The actual dll that was running the show was not to be seen in any of the logs at all since it was in a key for the login and looked legit.

I had been using the CAisafe antivirus along with adaware, and neither caught it. I kept them up to date and still it got through. The people making these things are very clever. I have gotten a trial version of TrendMicro's combination spyware virus protection and it found traces of the thing after the Microsoft tech told me I was cured. I like this product but there is no support forum.

People say a lot of bad stuff about Microsoft but the people who help you on the phone are awesome, just like the ones in this forum.

My virtumondo arrived in a fake CNN email, by the way. It was a you tube video of some political thing or so it said!

The primary symptom I had was enormous popups mostly for antivirus stuff but then it got obscene. It was as you said painful!

Edited to add - all my dlls followed the six random letter combination of upper and lower case. The payload was vwFYOn.dll but I suspect it was random also.

Just some helpful information, I hope this is the right place to post.

I had a very stubborn Virtumonde infection up until about an hour ago, all attempts to remove it failed, most of the time when Spybot or Sophos tried to remove the file, it would result in crashing explorer and reboot my computer. Safemode, Administrator login, manually removing all entries from registry and rebooting, manually deleting file all failed.

The file was rqRKCtUk.dll in the system32 directory, and according to Spybot and Sophos it hooked itself into explorer itself as a BHO and in key "{BB81FE02-F70B-46C2-82C3-DE5C6652E677}".

My only solution to this issue was to boot to the Windows XP cd and enter the recover console to delete the file.

If anyone is interested, I have what I believe is the original offending file and the above dll (although the dll was successfully detected by Spybot). The exe is 18Mb, which wasn't detected as being harmful by anything, as I like to scan all unknown files before I run them. I believe the exe also had a Zlob payload, and it was cleaned up easily. I also have an unknown dll "nwkmtafu.dll" that was not detected by any software, but may also be related to this infection.

 

[tashi]

Hello,

If anyone is interested, I have what I believe is the original offending file and the above dll (although the dll was successfully detected by Spybot). The exe is 18Mb, which wasn't detected as being harmful by anything, as I like to scan all unknown files before I run them. I believe the exe also had a Zlob payload, and it was cleaned up easily. I also have an unknown dll "nwkmtafu.dll" that was not detected by any software, but may also be related to this infection.

Please zip or rar the file/s and send them to: detections@spybot.info


Thank you.