Some relic of Virtumonde


Baudouin de Spa

Hi all,
I got the Virtumonde malware, and have succeeded in getting rid of it.
There's only one point left: when using Autoruns from Sysinternals (now
Microsoft), I can see there is something left in
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
That's a way to run C:\Windows\system32\byXQJYpP (which is a random file
name given by Virtumonde, but I have deleted this file a long time ago, which
gives in Autoruns the message "File not found:
C:\Windows\system32\byXQJYpP".
I've disabled this entry in Autoruns, but if I delete it, it comes back
again at next reboot (still disabled though).
So there must be something left from Virtumonde somewhere trying to
reinitiate the process, without succeeding in it.
I tried searching the registry for anything special, without success.
I also tried some Virtumonde removers, but they don't find anything: so I'm
left here with the "root" of Virtumonde still trying, but not able to
activate because it has been removed at 99%. I would like to try to delete
the remaining 1%, to have a perfectly clean MS-Vista.

Can anyone help? Thank you.
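An added, defender-side check that is not part of this thread: the PowerShell below reads the Authentication Packages value named in the post and reports each package whose file cannot be found (the "File not found" condition Autoruns shows) or that is not a stock Windows package. The expected-package list (msv1_0 only) is an assumption made for this example; confirm it against a known-clean machine of the same Windows version.

```powershell
# Added example, not code from the thread: enumerate the LSA
# "Authentication Packages" value and flag packages whose DLL is missing
# from System32 or that are not among the packages Windows installs.
function Get-LsaAuthPackageStatus {
    $key       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $valueName = 'Authentication Packages'   # REG_MULTI_SZ, one entry per package

    # Assumption for illustration: a stock system lists only msv1_0 here.
    # Compare against a clean machine of the same Windows version.
    $expected = @('msv1_0')

    $packages = (Get-ItemProperty -Path $key -Name $valueName).$valueName

    foreach ($pkg in $packages) {
        if ([string]::IsNullOrWhiteSpace($pkg)) { continue }

        # LSA loads each entry with LoadLibrary: a bare name is resolved against
        # System32 and ".dll" is appended when no extension is given, so both
        # spellings of the path are checked.
        $candidate = $pkg
        if (-not [System.IO.Path]::IsPathRooted($candidate)) {
            $candidate = Join-Path (Join-Path $env:SystemRoot 'System32') $candidate
        }
        $paths = @($candidate)
        if (-not [System.IO.Path]::HasExtension($candidate)) { $paths += "$candidate.dll" }
        $found = $paths | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } |
                 Select-Object -First 1

        if (-not $found)                     { $status = 'FILE NOT FOUND' }
        elseif ($expected -notcontains $pkg) { $status = 'UNEXPECTED' }
        else                                 { $status = 'OK' }

        # Authenticode status separates a Microsoft package from a dropped
        # binary that merely happens to exist at the path.
        $signature = $null
        if ($found) { $signature = (Get-AuthenticodeSignature -FilePath $found).Status }

        $resolved = $paths[-1]
        if ($found) { $resolved = $found }

        [pscustomobject]@{
            Package   = $pkg
            Resolved  = $resolved
            Status    = $status
            Signature = $signature
        }
    }
}

Get-LsaAuthPackageStatus | Format-Table -AutoSize
```

Run it from an elevated prompt; because CurrentControlSet is a link to one of the numbered ControlSet00N keys, the same value under the other control sets is worth comparing when an entry keeps reappearing after a reboot.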
 

David H. Lipman

From: "Baudouin de Spa" <nomail@please.com>

| Hi all,
| I got the Virtumonde malware, and have succeeded in getting rid of it.
| There's only one point left: when using Autoruns from Sysinternals (now
| Microsoft), I can see there is something left in
| HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
| That's a way to run C:\Windows\system32\byXQJYpP (which is a random file
| name given by Virtumonde, but I have deleted this file a long time ago, which
| gives in Autoruns the message "File not found:
| C:\Windows\system32\byXQJYpP".
| I've disabled this entry in Autoruns, but if I delete it, it comes back
| again at next reboot (still disabled though).
| So there must be something left from Virtumonde somewhere trying to
| reinitiate the process, without succeeding in it.
| I tried searching the registry for anything special, without success.
| I also tried some Virtumonde removers, but they don't find anything: so I'm
| left here with the "root" of Virtumonde still trying, but not able to
| activate because it has been removed at 99%. I would like to try to delete
| the remaining 1%, to have a perfectly clean MS-Vista.

| Can anyone help? Thank you.




4 phase answer...

Perform Part 1, Part 2 and Part 3 and alternately part 4

It is suggested that you execute each tool in Normal Mode then in Safe Mode.


If you are using any version of Sun Java that is prior to JRE Version 6.0,
then you are strongly urged to remove any/all versions.
There are numerous vulnerabilities in them and they are actively being exploited.

It is highly suggested that you update to the latest version which is Sun Java JRE/JSE
Version 6.0 update 7 (jre 6u7)

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version.

Such as...
C:\Program Files\Java\jre1.6.0_07

http://java.sun.com/javase/downloads/index.jsp
http://www.java.com/en/download/manual.jsp

FYI:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102622-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102732-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102760-1




Part 1
------------
Download Adware-Virtumundo Removal Tool --
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe


Part 2
------------
Download Atribune's VUNDOFIX.EXE
http://www.atribune.org/ccount/click.php?id=4

Save VUNDOFIX.EXE to "C:\" ( C:\VUNDOFIX.EXE ) and execute it from there.

Part 3
------------
Malwarebytes Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

Part 4
------------
Norman Vundo removal tool.
http://download.norman.no/public/Norman_Vundo_Cleaner.exe
http://www.norman.com/Virus/Virus_removal_tools/52658/en

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 

The Real Truth MVP

Turn off System Restore, reboot, turn it back on.

--
Ignore posts made by the person called Leythos, he is a stalker who's been
obsessed with me for years ever since I spurned his advances towards me.




"Baudouin de Spa" <nomail@please.com> wrote in message
news:e8sF1p97IHA.4532@TK2MSFTNGP05.phx.gbl...
> Hi all,
> I got the Virtumonde malware, and have succeeded in getting rid of it.
> There's only one point left: when using Autoruns from Sysinternals (now
> Microsoft), I can see there is something left in
> HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
> That's a way to run C:\Windows\system32\byXQJYpP (which is a random file
> name given by Virtumonde, but I have deleted this file a long time ago,
> which gives in Autoruns the message "File not found:
> C:\Windows\system32\byXQJYpP".
> I've disabled this entry in Autoruns, but if I delete it, it comes back
> again at next reboot (still disabled though).
> So there must be something left from Virtumonde somewhere trying to
> reinitiate the process, without succeeding in it.
> I tried searching the registry for anything special, without success.
> I also tried some Virtumonde removers, but they don't find anything: so
> I'm left here with the "root" of Virtumonde still trying, but not able to
> activate because it has been removed at 99%. I would like to try to
> delete the remaining 1%, to have a perfectly clean MS-Vista.
>
> Can anyone help? Thank you.
 

Baud

Thanks for your suggestions, David.
I tried them all in normal and safe mode, but nothing was found.
I also did a system file check, which gave no error. HijackThis doesn't
give anything abnormal, and it's also the case with a lot of security suites
I tried (Adaware, Eset Smart Security, AVG, Spybot S&D, CounterSpy, Spyware
Doctor, ...)
So there's still somewhere something that tries to initiate Virtumonde.
It's not really a problem, cause it's completely transparent, and I can see
with Autoruns that the process is aborted (file not found).
I believe I can live with it till the next Vista reinstallation (which won't
occur very soon, as I regularly image my system drive with True Image Home).

Baudouin.



"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:ezkuZO%237IHA.4928@TK2MSFTNGP05.phx.gbl...
> From: "Baudouin de Spa" <nomail@please.com>
>
> | Hi all,
> | I got the Virtumonde malware, and have succeeded in getting rid of it.
> | There's only one point left: when using Autoruns from Sysinternals (now
> | Microsoft), I can see there is something left in
> | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
> | That's a way to run C:\Windows\system32\byXQJYpP (which is a random file
> | name given by Virtumonde, but I have deleted this file a long time ago,
> which
> | gives in Autoruns the message "File not found:
> | C:\Windows\system32\byXQJYpP".
> | I've disabled this entry in Autoruns, but if I delete it, it comes back
> | again at next reboot (still disabled though).
> | So there must be something left from Virtumonde somewhere trying to
> | reinitiate the process, without succeeding in it.
> | I tried searching the registry for anything special, without success.
> | I also tried some Virtumonde removers, but they don't find anything: so
> I'm
> | left here with the "root" of Virtumonde still trying, but not able to
> | activate because it has been removed at 99%. I would like to try to
> delete
> | the remaining 1%, to have a perfectly clean MS-Vista.
>
> | Can anyone help? Thank you.
>
>
>
>
> 4 phase answer...
>
> Perform Part 1, Part 2 and Part 3 and alternately part 4
>
> It is suggested that you execute each tool in Normal Mode then in Safe
> Mode.
>
>
> If you are using any version of Sun Java that is prior to JRE Version 6.0,
> then you are strongly urged to remove any/all versions.
> There are numerous vulnerabilities in them and they are actively being
> exploited.
>
> It is highly suggested that you update to the latest version which is Sun
> Java JRE/JSE
> Version 6.0 update 7 (jre 6u7)
>
> Simple check, look under...
> C:\Program Files\Java
>
> The only folder under that folder should be the latest version.
>
> Such as...
> C:\Program Files\Java\jre1.6.0_07
>
> http://java.sun.com/javase/downloads/index.jsp
> http://www.java.com/en/download/manual.jsp
>
> FYI:
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102622-1
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102732-1
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102760-1
>
>
>
>
> Part 1
> ------------
> Download Adware-Virtumundo Removal Tool --
> http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
>
>
> Part 2
> ------------
> Download Atribune's VUNDOFIX.EXE
> http://www.atribune.org/ccount/click.php?id=4
>
> Save VUNDOFIX.EXE to "C:\" ( C:\VUNDOFIX.EXE ) and execute it from there.
>
> Part 3
> ------------
> Malwarebytes Anti-Malware
> http://www.malwarebytes.org/mbam/program/mbam-setup.exe
>
> Part 4
> ------------
> Norman Vundo removal tool.
> http://download.norman.no/public/Norman_Vundo_Cleaner.exe
> http://www.norman.com/Virus/Virus_removal_tools/52658/en
>
> * * * Please report back your results * * *
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
 

David H. Lipman

From: "Baud" <nomail@please.com>

| Thanks for your suggestions, David.
| I tried them all in normal and safe mode, but nothing was found.
| I also did a system file check, which gave no error. HijackThis doesn't
| give anything abnormal, and it's also the case with a lot of security suites
| I tried (Adaware, Eset Smart Security, AVG, Spybot S&D, CounterSpy, Spyware
| Doctor, ...)
| So there's still somewhere something that tries to initiate Virtumonde.
| It's not really a problem, cause it's completely transparent, and I can see
| with Autoruns that the process is aborted (file not found).
| I believe I can live with it till the next Vista reinstallation (which won't
| occur very soon, as I regularly image my system drive with True Image Home).

| Baudouin.



1. Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

2. Disable Notepad's word wrap:
In Notepad.exe Format --> uncheck "Word wrap"

3. Download/run Deckard's System Scanner:
http://www.techsupportforum.com/sectools/Deckard/dss.exe

4. Save the scan results (Main.txt and Extra.txt)

5. And then post the contents of Main.txt and Extra.txt in your post in one of the below
expert forums...


{ Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }

Forums where you can get expert advice for HiJack This! (HJT) and Deckard's System Scanner
Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13





--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 

Pam

Thanks! I think your solution may have worked for me!

Pam


"David H. Lipman" wrote:

> From: "Baudouin de Spa" <nomail@please.com>
>
> | Hi all,
> | I got the Virtumonde malware, and have succeeded in getting rid of it.
> | There's only one point left: when using Autoruns from Sysinternals (now
> | Microsoft), I can see there is something left in
> | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
> | That's a way to run C:\Windows\system32\byXQJYpP (which is a random file
> | name given by Virtumonde, but I have deleted this file a long time ago, which
> | gives in Autoruns the message "File not found:
> | C:\Windows\system32\byXQJYpP".
> | I've disabled this entry in Autoruns, but if I delete it, it comes back
> | again at next reboot (still disabled though).
> | So there must be something left from Virtumonde somewhere trying to
> | reinitiate the process, without succeeding in it.
> | I tried searching the registry for anything special, without success.
> | I also tried some Virtumonde removers, but they don't find anything: so I'm
> | left here with the "root" of Virtumonde still trying, but not able to
> | activate because it has been removed at 99%. I would like to try to delete
> | the remaining 1%, to have a perfectly clean MS-Vista.
>
> | Can anyone help? Thank you.
>
>
>
>
> 4 phase answer...
>
> Perform Part 1, Part 2 and Part 3 and alternately part 4
>
> It is suggested that you execute each tool in Normal Mode then in Safe Mode.
>
>
> If you are using any version of Sun Java that is prior to JRE Version 6.0,
> then you are strongly urged to remove any/all versions.
> There are numerous vulnerabilities in them and they are actively being exploited.
>
> It is highly suggested that you update to the latest version which is Sun Java JRE/JSE
> Version 6.0 update 7 (jre 6u7)
>
> Simple check, look under...
> C:\Program Files\Java
>
> The only folder under that folder should be the latest version.
>
> Such as...
> C:\Program Files\Java\jre1.6.0_07
>
> http://java.sun.com/javase/downloads/index.jsp
> http://www.java.com/en/download/manual.jsp
>
> FYI:
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102622-1
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102732-1
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102760-1
>
>
>
>
> Part 1
> ------------
> Download Adware-Virtumundo Removal Tool --
> http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
>
>
> Part 2
> ------------
> Download Atribune's VUNDOFIX.EXE
> http://www.atribune.org/ccount/click.php?id=4
>
> Save VUNDOFIX.EXE to "C:\" ( C:\VUNDOFIX.EXE ) and execute it from there.
>
> Part 3
> ------------
> Malwarebytes Anti-Malware
> http://www.malwarebytes.org/mbam/program/mbam-setup.exe
>
> Part 4
> ------------
> Norman Vundo removal tool.
> http://download.norman.no/public/Norman_Vundo_Cleaner.exe
> http://www.norman.com/Virus/Virus_removal_tools/52658/en
>
> * * * Please report back your results * * *
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
>
 