- Help - virtumonde.dll - virus?
- Posted by Bill9966 on May 19th, 2008
Help!!
Yesterday while I was on the internet Nod32 gave me a message that it
had quarantined a trojan. I did a successful virus scan and then ran
Spybot Search & Destroy. S&D detected some spyware I hadn't seen
before - Virtumonde and Virtumonde.dll . It then required me to
restart my computer to eliminate Virtumonde. dll.
Now whenever I start my computer, Search&Destroy starts immediately
and eventually detects the same 2 programs which I then remove.
S&D also gives me the following message:
"System startup global entry value deleted"
If I cancel the scan, the message says a global entry value was
"changed" .
The change is:
old data: c:\windows\system32\pkmbqwqt.dll
new data: c:\windows\system32\crdulkka.dll
Windows XP also gives me a message that there is an error
loading c:\windows\system32\pkmbqwqt.dll
In addition the following is happening:
1- AntiSpywareMaster.com popup ads appear saying I have 12 viruses.
2- My browsers (IE and Firefox) cannot do any Google searches. The
Yahoo site can not even be accessed.
3- Windows "automatic update" has to be turned back on every time I
start the computer.
4- While browsing to other sites I have always gone to before without
trouble (even secure sites) I get directed to other sites- namely
internet dating sites.
Any help would be appreciated.
Bill
- Posted by David H. Lipman on May 19th, 2008
From: "Bill9966" <bill9966@rcn.com>
| Help!!
|
| Yesterday while I was on the internet Nod32 gave me a message that it
| had quarantined a trojan. I did a successful virus scan and then ran
| Spybot Search & Destroy. S&D detected some spyware I hadn't seen
| before - Virtumonde and Virtumonde.dll . It then required me to
| restart my computer to eliminate Virtumonde. dll.
|
| Now whenever I start my computer, Search&Destroy starts immediately
| and eventually detects the same 2 programs which I then remove.
|
| S&D also gives me the following message:
| "System startup global entry value deleted"
|
| If I cancel the scan, the message says a global entry value was
| "changed" .
|
| The change is:
|
| old data: c:\windows\system32\pkmbqwqt.dll
| new data: c:\windows\system32\crdulkka.dll
|
| Windows XP also gives me a message that there is an error
| loading c:\windows\system32\pkmbqwqt.dll
|
| In addition the following is happening:
|
| 1- AntiSpywareMaster.com popup ads appear saying I have 12 viruses.
|
| 2- My browsers (IE and Firefox) cannot do any Google searches. The
| Yahoo site can not even be accessed.
|
| 3- Windows "automatic update" has to be turned back on every time I
| start the computer.
|
| 4- While browsing to other sites I have always gone to before without
| trouble (even secure sites) I get directed to other sites- namely
| internet dating sites.
|
| Any help would be appreciated.
|
| Bill
You are still infected, thus the pop-ups for a rogue anti-malware utility.
You can look into the Registry at the Winlogon/Notify key and find the name of the DLL then
remove power from the PC. Reboot in the Recovery Console and logon as the administrator.
Then delete the DLL from c:\windows\system32
Reboot the PC in Normal Mode and run SpyBot and other anti spyware/trojan removers.
If you don't understand what I just related...
1. Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en...HJTInstall.exe
2. Disable Notepad's word wrap:
In Notepad.exe; Format --> uncheck; "Word wrap"
3. Download/run Deckard's System Scanner:
http://www.techsupportforum.com/sect...eckard/dss.exe
4. Save the scan results (Main.txt and Extra.txt)
5. And then post the contents of Main.txt and Extra.txt in your post in one of the below
expert forums...
{ Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }
Forums where you can get expert advice for HiJack This! (HJT) and Deckard's System Scanner
Logs.
NOTE: Registration is REQUIRED in any of the below before posting a log
Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0
Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/i...hp?showforum=7
Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/...splay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malwa..._Here-f37.html
http://gladiator-antivirus.com/forum...?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/...p?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
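The Winlogon\Notify check David describes (find the DLL named under that key, then delete it from system32 from the Recovery Console) is something a practitioner would want to script against a registry export before touching the machine. The following is an added example, not code from any poster in this thread: it parses a `reg export` dump of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, compares each package's DLLName against an allowlist of stock Windows XP notification DLLs, and applies a heuristic for the random, consonant-heavy eight-letter names Vundo uses (pkmbqwqt and crdulkka in this thread). The allowlist is an assumption drawn from a default XP install and is not exhaustive (OEM packages such as the igfxcui entry below are legitimate but will show as "unknown"); the .reg text is constructed for the example.

```python
import re
from collections import namedtuple

# Added example: audit Winlogon notification packages from a `reg export` dump.
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumption: DLLs registered under Winlogon\Notify on a stock Windows XP SP2/SP3
# install. Anything else is worth a second look, not automatically malicious.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll"}

Finding = namedtuple("Finding", "subkey dll verdict")


def parse_reg_export(text):
    """Yield (subkey_name, {value_name: data}) for each subkey of NOTIFY_KEY.
    Only REG_SZ lines of the form "name"="data" are kept; dword lines are ignored.
    reg export escapes backslashes in string data as \\\\, so they are unescaped."""
    prefix = (NOTIFY_KEY + "\\").lower()
    current, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            if current is not None:
                yield current, values
            path = header.group(1)
            current = path[len(prefix):] if path.lower().startswith(prefix) else None
            values = {}
            continue
        value = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if value and current is not None:
            values[value.group(1)] = value.group(2).replace("\\\\", "\\")
    if current is not None:
        yield current, values


def looks_random(basename):
    """Heuristic for Vundo-style generated names: a 6-10 lowercase-letter stem
    with almost no vowels (pkmbqwqt, crdulkka). Real DLL stems are pronounceable."""
    stem = basename.lower().rsplit(".", 1)[0]
    if not re.fullmatch(r"[a-z]{6,10}", stem):
        return False
    vowels = sum(stem.count(v) for v in "aeiouy")
    return vowels <= len(stem) // 4


def audit(reg_text):
    """Classify every notification package as known, unknown or suspicious."""
    findings = []
    for subkey, values in parse_reg_export(reg_text):
        dll = values.get("DLLName", "")
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in KNOWN_NOTIFY_DLLS:
            verdict = "known"
        elif looks_random(base):
            verdict = "suspicious"
        else:
            verdict = "unknown"
        findings.append(Finding(subkey, dll, verdict))
    return findings


# Constructed sample: three stock XP entries, one OEM graphics entry, and a
# Vundo-style entry pointing at a random-named DLL in system32 (assumption:
# Vundo names the subkey after the DLL stem, as the thread's entries suggest).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DLLName"="crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"DLLName"="sclgntfy.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
"DLLName"="igfxdev.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crdulkka]
"DLLName"="c:\\windows\\system32\\crdulkka.dll"
"Startup"="Startup"
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        print(f"{f.verdict:10} {f.subkey:14} {f.dll}")
```

On the infected machine the dump is produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg`; reg.exe writes it as UTF-16, so read it with `open("notify.reg", encoding="utf-16")` before passing it to `audit()`. A "suspicious" entry gives the DLL path to delete from the Recovery Console; "unknown" entries need a manual look (publisher, signature, install date) before anything is removed.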
- Posted by Dave Budd on May 20th, 2008
In article <4831fcc5.3414984@news.rcn.com>, bill9966@rcn.com says...
AntiSpywareMaster is a rogue application.
If you follow David Lipman's advice, at some point one of the scans will
remove part of AntiSpywareMaster, effectively disabling it. You might
want to take its entry out of the Startup section in Start->Run->
MSConfig and delete its shortcut from your desktop as well.
--
Snob? Were I a snob, I wouldn't be talking to you.
- Posted by Lolo on May 20th, 2008
any idea where you got infected?
thanks
"Dave Budd" <dave.budd@manchester.ac.ku> wrote in message
news:MPG.229c94358c843c2d989a1d@news.individual.net...
- Posted by Bill9966 on May 20th, 2008
On Mon, 19 May 2008 23:47:59 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:
Thanks David
I use Windows XP and am a novice at this stuff. To make matters worse
I'm disabled (quadriplegic) so am slow at the keyboard.
I have 2 questions
1- Couldn't I just reset the registry to an earlier date and avoid
having to do all this?
2- If not could you explain the following more
Thanks so much,
Bill
- Posted by David H. Lipman on May 20th, 2008
From: "Bill9966" <bill9966@rcn.com>
| On Mon, 19 May 2008 23:47:59 GMT, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote:
| Thanks David
| I use Windows XP and am a novice at this stuff. To make matters worse
| I'm disabled (quadriplegic) so am slow at the keyboard.
| I have 2 questions
| 1- Couldn't I just reset the registry to an earlier date and avoid
| having to do all this?
| 2- If not could you explain the following more
| Thanks so much,
| Bill
Bill:
Then I suggest posting in an Expert forum where you will get assisted, personal, help.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
- Posted by Russg on May 20th, 2008
http://www.virtumonde-removal.com.re...irtuMonde.html
Above is a quick Google search, which may be
helpful. You can try it (Spyhunter).
Virtumonde has many versions and can be very
difficult to remove.
I don't know any more expert about malware
removal than Mr. Lipman.
Your question, can you restore your registry
to an earlier, uninfected, state. That probably
wouldn't work, as Virtumonde has changed
a lot more than your registry. Of course,
and I recommend it, if you made a complete
image backup of your computer, you could
format the drive and restore that. Such image
backup software is Nero Backitup and Symantec
Ghost. I believe XP Pro has backup software.
Good Luck
- Posted by Russg on May 20th, 2008
"Russg" sticks his 2 cents in.
Spyhunter is a try and buy anti-spyware.
It will do a free scan, certainly find stuff, then
require buying to get rid of the problems it finds.
I don't know if it is any good or not, but I'm sorry
I pointed to it.
Good and free anti-spy are Spybot Search and Destroy and Ad-Aware SE
personal.
I don't know if those two are still free and any
good.
I was hoping to find a free scan and removal
tool that would work on Virtumonde.
It could well be that you need to do the
Highjack This and the other tool that
David recommends and go to one of the
expert sites he recommends.
- Posted by David H. Lipman on May 20th, 2008
From: "Russg" <russgilb@MUNGEsbcyahoo.net>
| Above is a quick Google search, which may be
| helpful. You can try it (Spyhunter).
NO !
SpyHunter and affiliates have a BAD reputation for spamming Expert Forums.
http://temerc.blogspot.com/2007/04/s...t-2.html#links
http://temerc.blogspot.com/2007/04/e...e-critics.html
http://www.securitycadets.com/2007/0...orum-spammers/
Finally an important read...
http://spywarewarrior.com/viewtopic.php?t=24810
Enigma is not a good company!
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
- Posted by Bill9966 on May 23rd, 2008
On Mon, 19 May 2008 23:03:07 GMT, bill9966@rcn.com (Bill9966) wrote:
I now understand that I have the Vundo trojan. There is a web site
which offers freeware to fight just that trojan - www.atribune.org.
Does anyone know if it is legit & effective? Also does anyone know why
95% of the time I can't access Google search or even get into the
Yahoo site. (a few times I did.)
BTW, Nod32 let this thing in and didn't even pick it up in a
subsequent scan. I then installed Norton which at least found it but
could only "partially resolve" it (Norton's phrase.) I wonder if
Norton would have kept it out.
Thanks to everyone who has been responding.
- Posted by David H. Lipman on May 23rd, 2008
From: "Bill9966" <bill9966@rcn.com>
| which offers freeware to fight just that trojan - www.atribune.org.
|
| Does anyone know if it is legit & effective? Also does anyone know why
| 95% of the time I can't access Google search or even get into the
| Yahoo site. (a few times I did.)
|
| BTW, Nod32 let this thing in and didn't even pick it up in a
| subsequent scan. I then installed Norton which at least found it but
| could only "partially resolve" it (Norton's phrase.) I wonder if
| Norton would have kept it out.
|
| Thanks to everyone who has been responding.
I will vouch for the author and the VundoFix utility.
It is completely legitimate and is very effective but... not 100% as there are always new
variants using new techniques. Atri is doing his utmost to keep up with the Vundo/Virtumonde
family of malware.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
- Posted by Bill9966 on May 24th, 2008
On Tue, 20 May 2008 11:16:58 +0200, "Lolo" <kowts@freesurf.fr> wrote:
Yes. I was at a website that shows movies (not torrent downloads) You
just click and a movie comes on. I was at
http://www.free-tv-video-online.info/internet/movies/
It seemed like a harmless site. I watched one movie with no problems.
I then started watching "Tripping the Rift - the Movie" - the 4 part
version there. When I hit Part 4 that's when the trouble hit me.
- Posted by David H. Lipman on May 24th, 2008
From: "Bill9966" <bill9966@rcn.com>
| On Tue, 20 May 2008 11:16:58 +0200, "Lolo" <kowts@freesurf.fr> wrote:
|
| just click and a movie comes on. I was at
| hxxp://www.free-tv-video-online.info/internet/movies/
|
| It seemed like a harmless site. I watched one movie with no problems.
| I then started watching "Tripping the Rift - the Movie" - the 4 part
| version there. When I hit Part 4 that's when the trouble hit me.
In the future, if you think a URL is malicious, obfuscate it such that it is NOT clickable
such as...
hxxp://www.free-tv-video-online.info/internet/movies/
or
h**p://www.free-tv-video-online.info/internet/movies/
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
- Posted by Bill9966 on June 12th, 2008
On Tue, 20 May 2008 16:29:09 -0400, "Russg"
<russgilb@MUNGEsbcyahoo.net> wrote:
I now understand that I have the Vundo trojan. There is a web site
which offers freeware to fight just that trojan - www.atribune.org.
Does anyone know if it is legit & effective? Also does anyone know why
95% of the time I can't access Google search or even get into the
Yahoo site. (a few times I did.)
BTW, Nod32 let this thing in and didn't even pick it up in a
subsequent scan. I then installed Norton which at least found it but
could only "partially resolve" it (Norton's phrase.) I wonder if
Norton would have kept it out.
Thanks to everyone who has been responding.
- Posted by David H. Lipman on June 12th, 2008
From: "Bill9966" <bill9966@rcn.com>
| I now understand that I have the Vundo trojan. There is a web site
| which offers freeware to fight just that trojan - www.atribune.org.
|
| Does anyone know if it is legit & effective? Also does anyone know why
| 95% of the time I can't access Google search or even get into the
| Yahoo site. (a few times I did.)
|
| BTW, Nod32 let this thing in and didn't even pick it up in a
| subsequent scan. I then installed Norton which at least found it but
| could only "partially resolve" it (Norton's phrase.) I wonder if
| Norton would have kept it out.
|
| Thanks to everyone who has been responding.
Yes, Atri's VundoFix is legitimate and effective.
Other utilities...
Malwarebytes Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
Norman Vundo removal tool.
http://download.norman.no/public/Nor...do_Cleaner.exe
http://www.norman.com/Virus/Virus_re...tools/52658/en
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
- Posted by Dustin Cook on June 14th, 2008
Manatee Memories <royalfeline!REMOVE!@hotmail.com> wrote in
news:m0t0545nuvr44q5sieiiv68aem6950h804@4ax.com:
Hi Guys,
it's not NOD32's fault per se. The Trojan.Vundo family is large with new
samples coming on a daily basis. The fact Norton caught one early
shouldn't be taken as anything more than luck.
--
Regards,
Dustin Cook - http://bughunter.it-mate.co.uk
BugHunter v2.2e AntiMalware Removal Utility