Problems removing Vmonde ---- htepo.com

Buck Rogers

Hello,

A client's computer is infected with Virtumonde.generic (identified by
Spybot S & D). This manifests itself with two icons on the desktop
that point to htepo.com.

Googling htepo.com generates 411 hits and through the dialogue, I
downloaded a couple of programs (Vundofix by Atribune and FXVMonde
from Symantec).

I ran Adaware, Spybot S &D, Vundofix and FXVMonde. Spybot and
Vundofix were the only ones to identify the problem. Adaware and
Symantec's FXVMonde didn't find it. This was done in Safe Mode and in
Normal Mode.

I also ran the current version of Stinger and did a complete scan with
an updated Norton AV. Again this was done in Safe and Normal Mode.

It appeared the Malware was deleted by Spybot and Vundofix (by reading
the logs and noting the icons were deleted). After cleaning, I went on
line with no problems and the popups stopped manifesting themselves.
However, after returning the computer, the client was re-infected the
moment he went on line.

The computer is up to date (XP Home), XP Firewall turned on, and
Norton is up to date and working correctly.

The only reason I have to explain the re-infection is either the
initial clean only deleted the .dll file and not the real culprit or
the client is not connected to the internet properly......he is
plugged directly into the DSL modem with no router in between.

Does anyone have any suggestions on how to clean this junk properly?
This is the first time in many moons I've been stumped on cleaning a
computer.

I'll provide any further info you might need to help me with this
problem.

Regards,

Buck

Malke

Buck Rogers wrote:
> Hello,
>
> A client's computer is infected with Virtumonde.generic (identified by
> Spybot S & D). This manifests itself with two icons on the desktop
> that point to htepo.com.
>
> Googling htepo.com generates 411 hits and through the dialogue, I
> downloaded a couple of programs (Vundofix by Atribune and FXVMonde
> from Symantec).
>
> I ran Adaware, Spybot S &D, Vundofix and FXVMonde. Spybot and
> Vundofix were the only ones to identify the problem. Adaware and
> Symantec's FXVMonde didn't find it. This was done in Safe Mode and in
> Normal Mode.
>
> I also ran the current version of Stinger and did a complete scan with
> an updated Norton AV. Again this was done in Safe and Normal Mode.
>
> It appeared the Malware was deleted by Spybot and Vundofix (by reading
> the logs and noting the icons were deleted). After cleaning, I went on
> line with no problems and the popups stopped manifesting themselves.
> However, after returning the computer, the client was re-infected the
> moment he went on line.
>
> The computer is up to date (XP Home), XP Firewall turned on, and
> Norton is up to date and working correctly.
>
> The only reason I have to explain the re-infection is either the
> initial clean only deleted the .dll file and not the real culprit or
> the client is not connected to the internet properly......he is
> plugged directly into the DSL modem with no router in between.
>
> Does anyone have any suggestions on how to clean this junk properly?
> This is the first time in many moons I've been stumped on cleaning a
> computer.
>
> I'll provide any further info you might need to help me with this
> problem.


See targeted removal steps here:
http://www.bleepingcomputer.com/forums/forum55.html

It's probably time for you to post a HijackThis log in one of the
specialty forums below (not here, please):

http://aumha.org/downloads/hijackthis.zip
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial
http://aumha.net/ - Click on the HijackThis forum. Read the announcement
and the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Buck Rogers

On Fri, 09 Nov 2007 08:52:25 -0800, Malke <notreally@invalid.invalid>
wrote:

>Buck Rogers wrote:
>> Hello,
>>
>> A client's computer is infected with Virtumonde.generic (identified by
>> Spybot S & D). This manifests itself with two icons on the desktop
>> that point to htepo.com.
>>
>> Googling htepo.com generates 411 hits and through the dialogue, I
>> downloaded a couple of programs (Vundofix by Atribune and FXVMonde
>> from Symantec).
>>
>> I ran Adaware, Spybot S &D, Vundofix and FXVMonde. Spybot and
>> Vundofix were the only ones to identify the problem. Adaware and
>> Symantec's FXVMonde didn't find it. This was done in Safe Mode and in
>> Normal Mode.
>>
>> I also ran the current version of Stinger and did a complete scan with
>> an updated Norton AV. Again this was done in Safe and Normal Mode.
>>
>> It appeared the Malware was deleted by Spybot and Vundofix (by reading
>> the logs and noting the icons were deleted). After cleaning, I went on
>> line with no problems and the popups stopped manifesting themselves.
>> However, after returning the computer, the client was re-infected the
>> moment he went on line.
>>
>> The computer is up to date (XP Home), XP Firewall turned on, and
>> Norton is up to date and working correctly.
>>
>> The only reason I have to explain the re-infection is either the
>> initial clean only deleted the .dll file and not the real culprit or
>> the client is not connected to the internet properly......he is
>> plugged directly into the DSL modem with no router in between.
>>
>> Does anyone have any suggestions on how to clean this junk properly?
>> This is the first time in many moons I've been stumped on cleaning a
>> computer.
>>
>> I'll provide any further info you might need to help me with this
>> problem.

>
>See targeted removal steps here:
>http://www.bleepingcomputer.com/forums/forum55.html
>
>It's probably time for you to post a HijackThis log in one of the
>specialty forums below (not here, please):
>
>http://aumha.org/downloads/hijackthis.zip
>http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
>http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
>another tutorial
>http://aumha.net/ - Click on the HijackThis forum. Read the announcement
>and the stickies *first*.
>http://www.atribune.org/forums/index.php?showforum=9
>http://aumha.net/viewforum.php?f=30
>http://www.bleepingcomputer.com/forums/forum22.html
>http://castlecops.com/forum67.html
>http://www.dslreports.com/forum/cleanup
>http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
>http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
>http://gladiator-antivirus.com/forum/index.php?showforum=170
>http://spywarewarrior.com/viewforum.php?f=5
>
>
>Malke



Malke,

Thanks for the quick response. I didn't mention it in my post but I
ran HijackThis and cleaned up some stuff. I downloaded Spyware Doctor
and stopzilla from links at bleepingcomputer and will try them out.
I'll post back my results.

Thanks again,

Buck

Malke

Buck Rogers wrote:

> Malke,
>
> Thanks for the quick response. I didn't mention it in my post but I
> ran HijackThis and cleaned up some stuff. I downloaded Spyware Doctor
> and stopzilla from links at bleepingcomputer and will try them out.
> I'll post back my results.


When you run HijackThis, make sure you rename it first. There is malware
- particularly some of the new variants of Vundo which install rootkits
- that will hide certain registry keys from HJT if you run hjt.exe.

If your client has one of the Vundo rootkits (often picked up when
installing dodgy codecs) then you may be able to eradicate it with
guided help from the experts at BleepingComputer. Or not, in which case
back up his stuff and do a clean install on your client's machine.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Buck Rogers

On Fri, 09 Nov 2007 09:34:12 -0800, Malke <notreally@invalid.invalid>
wrote:

>Buck Rogers wrote:
>
>> Malke,
>>
>> Thanks for the quick response. I didn't mention it in my post but I
>> ran HijackThis and cleaned up some stuff. I downloaded Spyware Doctor
>> and stopzilla from links at bleepingcomputer and will try them out.
>> I'll post back my results.

>
>When you run HijackThis, make sure you rename it first. There is malware
>- particularly some of the new variants of Vundo which install rootkits
>- that will hide certain registry keys from HJT if you run hjt.exe.
>
>If your client has one of the Vundo rootkits (often picked up when
>installing dodgy codecs) then you may be able to eradicate it with
>guided help from the experts at BleepingComputer. Or not, in which case
>back up his stuff and do a clean install on your client's machine.
>
>
>Malke



Malke,

I've put the hard drive on a test machine as the slave and have
deleted the dll file. Is there any way to determine what executable
is calling it?

Regards,

Buck

Malke

Buck Rogers wrote:
> Malke,
>
> I've put the hard drive on a test machine as the slave and have
> deleted the dll file. Is there any way to determine what executable
> is calling it?


It's very hard to do and certainly nothing I can tell you without being
able to see the machine. Please run HJT and post at BleepingComputer or
one of these other specialty forums (not here):

http://aumha.org/downloads/hijackthis.zip
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial
http://aumha.net/ - Click on the HijackThis forum. Read the announcement
and the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html

One of the experts there will be able to guide you on this.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Buck Rogers

On Fri, 09 Nov 2007 14:28:48 -0800, Malke <notreally@invalid.invalid>
wrote:

>Buck Rogers wrote:
>> Malke,
>>
>> I've put the hard drive on a test machine as the slave and have
>> deleted the dll file. Is there any way to determine what executable
>> is calling it?

>
>It's very hard to do and certainly nothing I can tell you without being
>able to see the machine. Please run HJT and post at BleepingComputer or
>one of these other specialty forums (not here):


>
>Malke



Malke,

Thanks for the input.

I did the following with the infected hard drive installed as a slave
in a test machine.......went to the system32 subdirectory of the
Windows directory, sorted the files by date and looked at the files
dated around the .dll file I deleted based on the HJT log. Found a
few .exe files with strange 8.3 file structures that were 70 kb in
size (dihnmink.exe for instance). Wrote down the file names and
googled them....no hits. Therefore I renamed them (in case I was
mistaken, I didn't delete). Rebooted and YEA!!!!! the infection is
gone.

I hope this helps anyone out there who has the same problem.

Regards,

Buck