virtumonde

voigtstr · Jun 5, 2008

Hi all,
Can spybot successfully remove virtumonde?

Spybot's own description for it says that its hard to remove. It also mentioned taking the machine off the network.

The machine I'm attempting to fix is my father's, my only way to administer it is via XP's remote assistance.

The machine was continously closing off windows explorer, and was also disabling various context menu entries the longer it was left running. It would get to the point where right click wouldnt work on anything.

After a reboot, (and remote assistance request from my father) I was able to again get control of the machine, right click the taskbar to get the task manager up, and then killed the explorer process (which was trying to take close to 100% cpu) This kills the taskbar and removes the desktop (ie no desktop icons were displayed), but at least now I had some cpu slices to play with. (another issue is the age and speed of the machine,its 8 years old, 425mHz machine with approx 390Mb of memory) and I could still launch apps with the "New Task..." button.

I was able to push spybot 1.5.2 to him and get all the updates. I was able to run avast which deleted a bunch of virus/trojan entries. I ran spybot and it found a lot of entries. The main cuplrits were smitfraud and virtumonde. After fixing all entries, and closing spybot, I instructed my father to disconnect the network cable from between his pc and DSL modem. We then restarted the pc, and spybot started automaticly, I think as windows entered the gui stage, but before starting winlogon etc. That scan is running now.
Is thats all thats required to remove smitfraud and virtumonde? Trying to get my father to do anything in safemode or work offline, is going to be a real struggle, he is not very computer literate at all (which is how he probably mananged to pick up so much malware).

I'd like to get him using an iMac instead of his old pc, since they seem to be currently immune to virii and spyware/malware, but that will have to wait till later in the year when he has a spare $1600 AUD.

Is there anything else I need to run to make sure that these nasties are out of his system? Would a hijackthis log help you guys at all?

Cheers
voigtstr

voigtstr · Jun 5, 2008

Spybot eventually finished again declaring "no immediate threats", however whilst it was running something wanted to connect to the internet, there was no identifier to the pop up except for "work offline" in the title bar, and button for retry and a button for work offline.

I got dad to hit the red x on that, and talked him through bringing up the task manager, iexplore.exe was taking 100% cpu.

When he closed the spybot window, within the minute, windows explorer terminated "explorer has encountered a problem and needs to close" or something similar, and then windows explorer (in this case the desktop) reloaded.

At this stage I've told him to keep the machine off the internet untill the issue is researched further.

Is it worth taking online, so I can remote control it and get a hijackthis log out of it now?

voigtstr · Jun 5, 2008

Should I post in the malware removal forum, and link to this thread?

drragostea · Jun 5, 2008

The Virtuemonde and SmitFraud trojan can be persistent to remove. If I recall correct one of these or both of them "boot up" when you computer boots, basically it's like simultaneously. Which is not good.

The latest detection updates would be June 4, 2008.

You said an iMac... do you mean the MAC OSX?

To save you all the trouble of getting Remote Assistance and perhaps some more time consummation and effort... Post a log in the Malware Forums and request help.
---
Consider posting in the Malware Removal forum and having someone take a look at your system.

If you decide to have an experienced malware removal specialist assist you, please follow the procedure in this link to run scans and produce a HijackThis log:

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance).

---

Read the BEFORE YOU POST thread and download Hijack This. Run a scan and SAVE a log and post it in the Malware Forums. The links should be included in the BEFORE YOU POST.

voigtstr · Jun 5, 2008

drragostea said:
The Virtuemonde and SmitFraud trojan can be persistent to remove. If I recall correct one of these or both of them "boot up" when you computer boots, basically it's like simultaneously. Which is not good.

The latest detection updates would be June 4, 2008.

You said an iMac... do you mean the MAC OSX?

I've suggested to my father that, he wouldn't have these issues if he was running a modern Apple. An Imac would be ideal for him. I currently use a 17' MacBook Pro. I use an XP virtual machine to remote control his machine using remote assistance in Microsoft Messenger. His machine is 8 year old Dell desktop pc.

drragostea said:
To save you all the trouble of getting Remote Assistance and perhaps some more time consummation and effort... Post a log in the Malware Forums and request help.

Just to clarify, I'd be the person providing the remote assistance to my father. He lives a plane flight away which means I cant easily get physical access to his pc, unless I spend a fair bit of cash and time.

The first time I tried to remote control his pc, it was basically uncontrollable, so I suggested he get someone out of the phone book to help him. Whoever did the work, obviously didn't get rid of malware, and they also reset his system restore points. If I had physical access to his machine I would simply back up his email, bookmarks and photos to an ipod, and format the drive during a reinstall of XP. I have no hope in hell of walking him through how to do this himself. He is not computer literate at all.

drragostea said:
---
Consider posting in the Malware Removal forum and having someone take a look at your system.

If you decide to have an experienced malware removal specialist assist you, please follow the procedure in this link to run scans and produce a HijackThis log:

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance).

---

Read the BEFORE YOU POST thread and download Hijack This. Run a scan and SAVE a log and post it in the Malware Forums. The links should be included in the BEFORE YOU POST.

He is going away for a few days, and will be back Monday night. I'll get him to connect the machine back onto the internet and I'll see if I can get a hijackthis log out of the machine. The only way I can use his machine is via remote assistance. Trying to talk him through running any application in safe mode will be extremely painful. If I can get the log off his machine ok, I'll post it as a new thread in the malware removal forums if that is the correct way to proceed.

Thanks for the reply drragostea.

drragostea · Jun 5, 2008

voigtstr said:
...I'll get him to connect the machine back onto the internet and I'll see if I can get a hijackthis log out of the machine... If I can get the log off his machine ok, I'll post it as a new thread in the malware removal forums if that is the correct way to proceed.

That would be great. Post it in the Malware Forums. Can your father's machine access the Internet?

voigtstr · Jun 6, 2008

drragostea said:
That would be great. Post it in the Malware Forums. Can your father's machine access the Internet?

I'm sure its connecting to internet sites in the background because after a while an iexplore.exe process is spawned, which takes upto 100% cpu in the process list.

If I remote controll his machine, I can kill iexplore.exe and explorer.exe both of which try to hog cpu, then I can push applications such as the install file for hijackthis via XP's remote assistance app.

I tried opening internet explorer on his machine when I first started investigating it, and it wouldnt open, but I haven't tried opening it since killing off cpu hogging processes via the process list. I havent tried using outlook express on his machine either. Somehow I'll have to get the hijackthis log back to my pc. Hopefully windows messenger will continue to work, and I can transfer the log that way.

drragostea · Jun 6, 2008

Fine.

Can you run Spybot?

voigtstr · Jun 6, 2008

drragostea said:
Fine.

Can you run Spybot?

Yes the first post in this thread, indicates that I have run spybot, and that it reckons it found and cleaned everything (after a reboot and it running again automaticly) however iexplore is still using 100% cpu in the background, and windows explorer (including the desktop) still crashes every minute or so.

drragostea · Jun 7, 2008

It has removed Virtuemonde?

Try getting a Hijack log from his computer [if possible]. Post a thread in the Malware Forums.

voigtstr · Jun 7, 2008

Spybot said "no immediate threats found" after it had run before and after a rebot, yet the following facts contradict this assertion

1) internet explorer still tries to run in the background and takes close to 100% cpu

2) windows explorer still crashes every minute or so if its process isnt manually killed from task manager. "Windows explorer has encountered a problem and needs to close"

drragostea · Jun 7, 2008

You have mentioned 1 and 2 in the previous post.

drragostea said:
Try getting a Hijack log from his computer [if possible]. Post a thread in the Malware Forums.

How is IE running in the background? Can you see the physical browser window? It can be a rogue process that takes the legitimate name, "iexplore.exe".

The best recommendation I can offer is to get the Hijack log from your father's machine. I cannot help you any further, your next step is a visit to the Malware Forums. Hopefully you can remove any further infection on your father's machine.

You said a removed a whole bunch of nasties on your father's PC in post#1, bt I doubt it's enough. Good luck.

voigtstr · Jun 7, 2008

drragostea said:
You have mentioned 1 and 2 in the previous post.

How is IE running in the background? Can you see the physical browser window? It can be a rogue process that takes the legitimate name, "iexplore.exe".

The best recommendation I can offer is to get the Hijack log from your father's machine. I cannot help you any further, your next step is a visit to the Malware Forums. Hopefully you can remove any further infection on your father's machine.

You said a removed a whole bunch of nasties on your father's PC in post#1, bt I doubt it's enough. Good luck.

1 and 2 were the two points I was making. There is only one infected computer.

IE is running as a background process, that is there is no physical window for it, it is an entry in the process list of the task manager.

I'll contact my father Monday night, get him to reconnect the network cable, I'll remote control it via XP's remote assistance program, and I'll run hijackthis, then post the log.

Thanks

tashi · Jun 7, 2008

Hi voigtstr,

Let me know when you post the log in the malware forum, I will ask one of our helper's to take a look at it.

Best regards.

drragostea · Jun 8, 2008

Then its got to be a rouge process created taking the name of the legitimate "iexplore".

I get your points. This is farthest I can get.

drragostea said:
You have mentioned 1 and 2 in the previous post.

The best recommendation I can offer is to get the Hijack log from your father's machine. I cannot help you any further, your next step is a visit to the Malware Forums. Hopefully you can remove any further infection on your father's machine.

voigtstr · Jun 8, 2008

drragostea said:
Then its got to be a rouge process created taking the name of the legitimate "iexplore".

I get your points. This is farthest I can get.

I don't think that's entirely accurate. Research I've done indicates that the malware does use a backgrounded task of Internet Explorer, to try and grab more trojans and spyware from specific websites.

The concept of opening an application but having it run in the background (ie without its own window)(or without output to stdout if its command line app) would be a concept familiar to most people who have studied computer science.

From my memory of studies from the early 90's when I was at uni you would background a task in unix by simply adding an ampersand (&) to the end of the command.

Terminator · Jun 8, 2008

3 questions:

1: Which version of Spybot are running? (the latest is 1.5.2.20)

2: Do you have the Google Toolbar installed?

3: Do you have Internet Explorer 6 installed?

If your answer to 2+3 is yes then you MAY have an Incompatiblity with Spybot's SDhelper which is a known problem, see HERE and HERE for more Infomation.

voigtstr · Jun 9, 2008

Terminator said:
3 questions:

1: Which version of Spybot are running? (the latest is 1.5.2.20)

2: Do you have the Google Toolbar installed?

3: Do you have Internet Explorer 6 installed?

If your answer to 2+3 is yes then you MAY have an Incompatiblity with Spybot's SDhelper which is a known problem, see HERE and HERE for more Infomation.

I'll remote control his pc tonight and find out the answer to those 3 questions

voigtstr · Jun 13, 2008

tashi said:
Hi voigtstr,

Let me know when you post the log in the malware forum, I will ask one of our helper's to take a look at it.

Best regards.

Thanks for that! I've post in the malware forum here -> http://forums.spybot.info/showthread.php?t=29391

virtumonde

voigtstr

New member

voigtstr

New member

voigtstr

New member

drragostea

New member

voigtstr

New member

drragostea

New member

voigtstr

New member

drragostea

New member

voigtstr

New member

drragostea

New member

voigtstr

New member

drragostea

New member

voigtstr

New member

tashi

Member of Team Spybot

drragostea

New member

voigtstr

New member

Terminator

New member

voigtstr

New member

voigtstr

New member