Spyware: VirtuMonde

bobblehead1706

Closed as requested
I have some spam on my CPU called VirtuMonde. I've downloaded a VirtuMonde fix, but it doesn't find any results. Spybot finds the problem, appears to fix it, but when I scan again... it finds VirtuMonde again. It also finds a Norton antivirus override. I can't seem to remove these files... any suggestions? In the meantime my net doesn't work and I get a bunch of XXX sites appearing.
 

My Computer

Hi,

One of the golden rules in dealing with malware is to prevent it from re-installing itself when you run your anti-malware applications. In order to do this, I recommend that you restart your PC in SAFE mode and that you DISCONNECT (unplug the network cable) from the Internet for the procedure. Next, perform FULL system scans with each of your anti-malware applications in turn, allowing them to automatically fix any issues that they find. If they need you to reboot, reboot into SAFE mode. Most of the anti-malware vendors give you the option of sending a suspect file to them for analysis by their experts if the software is currently unable to deal with the problem - use this option if required. Please note that the whole procedure may take several hours. Once your system has been certified as being 'clean', you can reconnect to the Internet and reboot into normal mode. I strongly advise against downloading so-called malware fixes from the Internet - some of these actually install malware which can be far trickier to remove than the malware that they claim to be able to remove.
Dwarf
 


System One

  • Manufacturer/Model
    Dwarf Dwf/11/2012 r09/2013
    CPU
    Intel Core-i5-3570K 4-core @ 3.4GHz (Ivy Bridge) (OC 4.2GHz)
    Motherboard
    ASRock Z77 Extreme4-M
    Memory
    4 x 4GB DDR3-1600 Corsair Vengeance CMZ8GX3M2A1600C9B (16GB)
    Graphics card(s)
    MSI GeForce GTX770 Gaming OC 2GB
    Sound Card
    Realtek High Definition on board solution (ALC 898)
    Monitor(s) Displays
    ViewSonic VA1912w Widescreen
    Screen Resolution
    1440x900
    Hard Drives
    OCZ Agility 3 120GB SATA III x2 (RAID 0) Samsung HD501LJ 500GB SATA II x2 Hitachi HDS721010CLA332 1TB SATA II Iomega 1.5TB Ext USB 2.0 WD 2.0TB Ext USB 3.0
    PSU
    XFX Pro Series 850W Semi-Modular
    Case
    Gigabyte IF233
    Cooling
    1 x 120mm Front Inlet 1 x 120mm Rear Exhaust
    Mouse
    Microsoft Comfort Mouse 3000 for Business (USB)
    Keyboard
    Microsoft Comfort Curve Keyboard 3000 (USB)
    Internet Speed
    NetGear DG834Gv3 ADSL Modem/Router (Ethernet) ~4.0 Mb/s (O2)
    Other Info
    Optical Drive: HL-DT-ST BD-RE BH10LS30 SATA Bluray Lexmark S305 Printer/Scanner/Copier (USB) WEI Score: 8.1/8.1/8.5/8.5/8.25 Asus Eee PC 1011PX Netbook (Windows 7 x86 Starter)
Thanks for the info. I didn't unplug the network cable... I will rescan in safe mode and hopefully it won't re-install itself. (I'll try it tomorrow) I usually don't have a problem removing spam/viruses... but this is the second time I got this VirtuMonde... first time I had the same problem and did a reformat bc it ended up deleting several Windows files.

BTW - what's a HijackThis log?... I use Spybot and Norton to scan.
 


Ahh yes, the VirtuMonde strain of spyware. I recently had this on my system and even Kaspersky didn't get rid of this one; I eventually got rid of it with the Malwarebytes Anti-Malware app, which detected and deleted all of the files from my system! I also used SpySweeper and another one which I can't remember now, just to be on the safe side. There are a lot of different files that are installed with the VirtuMonde attack, so it's better to be safe than sorry and use a couple of your best spyware removal apps??

TBH with you, this spyware app messed with my system something silly. It seems to be running OK and my scans are all coming back clean now, but I'm always worried that something may be left behind?? I'm in two minds to do a reformat and have done with it!!??:cry:
 


HI Bobblehead,

You must run Spybot S+D with administrative permissions by right-clicking the shortcut and selecting "Run As Admin", or it will not remove any spyware.

Steven
 


Scanned in safe mode with my network unplugged, and I think I got rid of the spam and found a few new viruses... although it affected my XP drive.

I attached that HijackThis file as sidney1st requested.
 


Here are two still in your startup list..

HKLM\..\Run: [d2c30521] rundll32.exe "J:\WINDOWS\system32\wcuxtxvr.dll"
HKLM\..\Run: [BM9bf1da28] Rundll32.exe "J:\WINDOWS\system32\hegkegda.dll"

These two files from your HijackThis log are not real system files (random names are a dead giveaway); obviously a virus, since they are random files using the official Windows rundll32 process :eek:

Steven
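The two Run-key entries quoted above share three tells a log reviewer looks for: rundll32 is handed a bare DLL path with no exported entry point, the value name is a hex-looking blob rather than a product name, and the DLL in system32 has a random-looking lowercase name. The script below is an added example (not code from the thread, HijackThis, or any product named here) that parses HijackThis-style O4 startup lines and scores each entry on those signals; the sample log, the tiny allowlist, the regular expressions and the score threshold are all constructed for illustration, and a real review would still need a clean reference image to confirm any hit.

```python
import re

# Constructed sample in HijackThis "O4" startup-item format. The first two lines are
# the two entries quoted in the thread; the last two are constructed benign entries
# (an NVIDIA control-panel loader and Windows Defender) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [d2c30521] rundll32.exe "J:\WINDOWS\system32\wcuxtxvr.dll"
O4 - HKLM\..\Run: [BM9bf1da28] Rundll32.exe "J:\WINDOWS\system32\hegkegda.dll"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
"""

# Hypothetical allowlist; a real one would be generated from a clean reference image.
KNOWN_GOOD_DLLS = {"nvcpl.dll"}

RUN_RE = re.compile(
    r'(?:O4 - )?(?P<hive>HK[A-Z]+)\\\.\.\\Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$')
DLL_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^",]*?\.dll)"?(?:,(?P<entry>\w+))?', re.I)
# Value names such as d2c30521 or BM9bf1da28: optional 1-2 letter prefix, then a hex
# run of 6+ characters that contains at least one digit.
HEX_NAME_RE = re.compile(r'^[A-Za-z]{0,2}(?=[0-9a-f]*\d)[0-9a-f]{6,}$')
VOWELS = set("aeiou")


def parse_run_entry(line):
    """Split one Run-key line into hive, value name, launcher and loaded DLL."""
    m = RUN_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    launcher = cmd.split()[0].strip('"').lower()
    uses_rundll32 = launcher.endswith("rundll32.exe") or launcher.endswith("rundll32")
    dll = entry_point = None
    if uses_rundll32:
        dm = DLL_RE.search(cmd)
        if dm:
            dll, entry_point = dm.group("path"), dm.group("entry")
    return {
        "hive": m.group("hive"),
        "name": m.group("name"),
        "rundll32": uses_rundll32,
        "dll": dll,
        "dll_base": dll.rsplit("\\", 1)[-1] if dll else None,
        "entry_point": entry_point,
    }


def suspicion(entry):
    """Score one parsed entry; each reason is a weak signal, so they are combined."""
    reasons = []
    if entry["rundll32"] and entry["dll"] and not entry["entry_point"]:
        reasons.append("rundll32 given a bare DLL path with no exported entry point")
    if HEX_NAME_RE.match(entry["name"]):
        reasons.append("value name is a hex-like blob rather than a product name")
    base = entry["dll_base"]
    if base and base.lower() not in KNOWN_GOOD_DLLS:
        stem = base[:-4] if base.lower().endswith(".dll") else base
        if 7 <= len(stem) <= 10 and stem.isalpha() and stem.islower():
            reasons.append("unfamiliar DLL with a plain lowercase 7-10 letter name")
            if sum(c in VOWELS for c in stem) / len(stem) < 0.25:
                reasons.append("consonant-heavy name, unlikely to be a real word")
    return len(reasons), reasons


def triage(lines, threshold=2):
    """Return (value name, dll path, score, reasons) for entries at or above threshold."""
    flagged = []
    for line in lines:
        entry = parse_run_entry(line)
        if entry is None:
            continue
        score, reasons = suspicion(entry)
        if score >= threshold:
            flagged.append((entry["name"], entry["dll"], score, reasons))
    return flagged


if __name__ == "__main__":
    for name, dll, score, reasons in triage(SAMPLE_LOG.splitlines()):
        print(f"[{name}] -> {dll}  (score {score})")
        for r in reasons:
            print("   -", r)
```

Run against the sample, the two entries from the thread are the only ones flagged (scores 4 and 3), while the NVIDIA loader passes because it names an exported entry point and a known DLL. Each signal on its own is weak (plenty of legitimate DLLs have short lowercase names), which is why the example combines them and keeps the allowlist separate from the heuristics.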
 


Hi,

From your last two screenshots, I see that it mentions 'SystemErrorFixer'. Whenever you get messages like this on your screen, DO NOT, under any circumstances, click anywhere on them as this will trigger the download of the malware package. Instead, use 'Task Manager' to close them down. Right click on your Taskbar and select 'Task Manager'. Select the 'Applications' tab. The name of this message will appear in the list of tasks. Right click on this name and select 'End Task'. Finally, close the 'Task Manager'. See the tutorial 'Task Manager - Open and Close Applications and Processes' for further details.
You might find the following link 'Remove SystemErrorFixer' helpful, but as it says, removal of this malware is difficult. In cases where you have stubborn malware on your system, a clean reinstallation of Vista (including a FULL disk format) may be required.
Dwarf

http://www.vistax64.com/tutorials/121580-task-manager-open-close-applications-processes.html

Remove SystemErrorFixer
 

Ya, thanks Dwarf... I think I'm going to have to reformat... I'm 0/2 with VirtuMonde, which caused me to reformat. Can't seem to beat this bad boy.

I'll try out the link... thanks to all for their help :)
 


bobblehead1706 said:
Ya, thanks Dwarf... I think I'm going to have to reformat... I'm 0/2 with VirtuMonde, which caused me to reformat. Can't seem to beat this bad boy.

I'll try out the link... thanks to all for their help :)

Damn man, yeah spyware is a **** to remove sometimes :mad::mad::mad:

That's where the UAC prompts are the most handy thing ever made on Windows, since it lets you deny system-wide rights to programs... Just remember, if you see one of the UAC prompts, ask yourself if it's something that you're doing right then that really needs system-wide access, and nothing from the Internet does :cool:

Good luck with the format removal, just remember to back up ;)
Steven
 


Hi,

In that case, carry out my recommendations in my previous post on that drive and reinstall XP. Do make a backup of important data before you do so. Next, I would still advise you to carry out the reinstallation of Vista. Malware has a nasty habit of hiding itself and then automatically reinstalling, so don't assume that your Vista installation has completely escaped the clutches. The slightest foothold is enough for malware to wreak havoc on your system. In fact, to be on the safe side, format BOTH disks when you reinstall XP. You can then put XP on the desired disk and when it comes to Vista you can then perform a QUICK format of the required disk before reinstalling it.
Dwarf
 

dmex said:
Here are two still in your startup list..

HKLM\..\Run: [d2c30521] rundll32.exe "J:\WINDOWS\system32\wcuxtxvr.dll"
HKLM\..\Run: [BM9bf1da28] Rundll32.exe "J:\WINDOWS\system32\hegkegda.dll"

Yep... and a random 8-letter name is a dead giveaway for a LOP.com variant of spyware. I'm pretty sure that this VirtuMonde comes from the same bastards that gave us fits with the 1000's of LOP.com variants too, and many of those were also system fatal in many cases.
At one time a few years ago, when I was teaching HJT log analysis and testing new & unknown variants, we could literally see over 20 new LOP variants a DAY!!! We couldn't keep up with them, and Merijn (HJT author) had to rewrite many of the HJT routines because the LOP authors were inserting DLL bombs that would completely HOSE a user's system if HJT used its normal routines to remove them.

What a nightmare those days were, and the battles are still continuing today.... damn spyware authors!
 


System One

  • Manufacturer/Model
    Personal Build
    CPU
    Intel E6750 Core 2 Duo
    Motherboard
    Asus Commando MoBo (P965/ICH8R)
    Memory
    4G's Crucial Ballistix Tracer DDR2 PC26400 RAM
    Graphics card(s)
    BFG 8800GTS OC2 320MB
    Sound Card
    Creative Sound Blaster X-FI Platinum FATAL1TY (next)
    Monitor(s) Displays
    2 x 22" w2207 LCD Monitors
    Screen Resolution
    1- 1680 x 1050, 1 - 1920 x 1080
    Hard Drives
    3 x 500G SATA II WD Caviar HDD's
    PSU
    EnerMax NoiseTaker II 600W
    Case
    NZXT Lexa Classic (modified, dual doored & windowed)
    Cooling
    Zalman 9700 CPU cooler, 4-120mm fans, 1-90mm
    Mouse
    Logitech Optical Trackman trackball
    Other Info
    NZXT Lexa Classic Case, Zalman 9700 CPU Cooler, 2 DVD Burners c/w LightScribe (Sony, TSST), Enermax NoiseTaker II 600W PSU with Custom Chrome cable sleeving, Hauppauge HDTV TV Tuner Card, 5.1 Logitech Z5500 speakers, 15 in 1 Multi-card reader
Seems to be a Vista problem. With what I am running antivirus/spyware-wise, I never had this problem in XP. Since Vista I am getting rid of something almost every other day. I am running CounterSpy, CA Antispam, ZoneAlarm Antivirus/Antispam, SpySweeper, Window Washer, and Microsoft OneCare. Currently VirtuMonde seems blocked from opening webpages or going online to download other spyware, but it does not want to be completely removed.
 


System001 said:
Seems to be a Vista problem. With what I am running antivirus/spyware-wise, I never had this problem in XP. Since Vista I am getting rid of something almost every other day. I am running CounterSpy, CA Antispam, ZoneAlarm Antivirus/Antispam, SpySweeper, Window Washer, and Microsoft OneCare. Currently VirtuMonde seems blocked from opening webpages or going online to download other spyware, but it does not want to be completely removed.

Hey System001,

Wow, talk about overkill... Have you tried Spybot S+D or Ad-Aware SE using the "Run as Admin" option and removing the infection?

VirtuMonde is definitely not a Vista problem.... You must have got infected from a piece of software you're using and allowed it permission to install; UAC prevents anything from automatically gaining the permission to run without your consent ;)

System Restore or checking for the latest versions of the software you're using can also help prevent infections or security issues... Limewire, Msgplus, Daemon Tools and many others all come with some form of spyware these days, and unticking its option can prevent its install. Also, don't install anything if it's not from the vendor's website, and check Google for information about its authenticity or for other hidden unknowns :eek:
 


All of the protection software is current, including their defs. I am running nothing that I did not run under XP, with the exception of replacing Registry Crawler with Reg Help Pro. As far as overkill, not. Before the first XP service pack you needed this level of protection. XP was as bad as Vista. In my case, with looking for work, some job site most likely sent me an attachment that I forgot to check. I will get rid of this just like I did the other attacks on Vista. I do not believe in rebuilding for spyware. There is always a way to get rid of it.
 


Hi System001,

I agree with what Steven (dmex) says. There is no need to have all these programs running. In fact, using more than one anti-virus simultaneously can actually make you more susceptible to some malware, as the programs can 'fall over each other'. You state that you have 'ZoneAlarm antivirus' and 'Microsoft OneCare'. As far as I know, the latter also includes an anti-virus.

For information, I currently use Kaspersky Internet Security 7.0.1.325 as my main protection. This is set to its default automatic configuration. I also carry out manual weekly scans using Windows Defender, Spybot S&D and Ad-Aware (see links below).

There have been variants of 'VirtuMonde' circulating since the days of Win98, so it is definitely not a Vista problem.
Dwarf

The home of Spybot-S&D!

Ad-Aware @ Lavasoft - The Original Anti-Spyware Company - Lavasoft
 
