Baudouin de Spa (Guest), posted July 27, 2008

Hi all,

I got the Virtumonde malware, and have succeeded in getting rid of it. There's only one point left: when using Autoruns from Sysinternals (now Microsoft), I can see there is something left in

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages

That's a way to run C:\Windows\system32\byXQJYpP (which is a random file name given by Virtumonde, but I have deleted this file a long time ago), which gives in Autoruns the message "File not found: C:\Windows\system32\byXQJYpP".

I've disabled this entry in Autoruns, but if I delete it, it comes back again at next reboot (still disabled though). So there must be something left from Virtumonde somewhere trying to reinitiate the process, without succeeding in it. I tried searching the registry for anything special, without success. I also tried some Virtumonde removers, but they don't find anything: so I'm left here with the "root" of Virtumonde still trying, but not able to activate because it has been removed at 99%. I would like to try to delete the remaining 1%, to have a perfectly clean MS-Vista.

Can anyone help? Thank you.
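One way to check the LSA package lists the post above is looking at, as an added example that was not posted by anyone in this thread: a read-only PowerShell audit that resolves every entry the way Autoruns does and flags the ones whose file is missing. It assumes an elevated PowerShell 2.0 or later session on Vista or newer, and that msv1_0 is the only stock entry in Authentication Packages; the other two value names are the ones Windows keeps under the same Lsa key.

```powershell
# Added example (not from anyone in the thread): read-only audit of the LSA
# package lists that Autoruns shows under "LSA Providers". Assumes an elevated
# PowerShell 2.0+ session; 'msv1_0' as the only stock Authentication Packages
# entry is an assumption stated in the lead-in.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$values = @('Authentication Packages', 'Security Packages', 'Notification Packages')
$stock  = @{ 'Authentication Packages' = @('msv1_0') }

function Resolve-LsaPackage {
    param([string]$Entry)
    # LSA loads these with LoadLibrary from System32, which appends .dll when
    # the name carries no extension, so an entry like byXQJYpP may exist under
    # either spelling. Returns the first path that exists, or $null.
    $name = $Entry.Trim()
    if (-not [System.IO.Path]::IsPathRooted($name)) {
        $name = Join-Path "$env:SystemRoot\System32" $name
    }
    foreach ($p in @($name, "$name.dll")) {
        if (Test-Path -LiteralPath $p -PathType Leaf) { return $p }
    }
    return $null
}

foreach ($v in $values) {
    # REG_MULTI_SZ comes back as a string array; a missing value yields $null.
    $entries = (Get-ItemProperty -Path $lsaKey -Name $v -ErrorAction SilentlyContinue).$v
    foreach ($e in @($entries)) {
        if ("$e".Trim() -eq '') { continue }
        $path = Resolve-LsaPackage $e
        if ($path) {
            # A file that is present still deserves a look: check who signed it.
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = "present, signature $($sig.Status)"
            if ($sig.Status -eq 'Valid') { $status += " ($($sig.SignerCertificate.Subject))" }
        } else {
            # This is the case from the original post: Autoruns' "File not found".
            $status = 'FILE NOT FOUND (dangling entry)'
        }
        if ($stock.ContainsKey($v) -and $stock[$v] -notcontains $e) { $status += ' [not a stock entry]' }
        '{0,-24} {1,-36} {2}' -f $v, $e, $status
    }
}
```

The script only reports. If a dangling entry keeps returning after you delete it, the useful next step is to find what writes it back, for example Process Monitor with boot logging enabled and a filter on the Lsa key, watching for the RegSetValue that recreates it, rather than deleting it again.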
David H. Lipman (Guest), posted July 27, 2008

From: "Baudouin de Spa" <nomail@please.com>

4 phase answer...

Perform Part 1, Part 2 and Part 3 and alternately part 4

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 6.0, then you are strongly urged to remove any/all versions. There are numerous vulnerabilities in them and they are actively being exploited.

It is highly suggested that you update to the latest version which is Sun Java JRE/JSE Version 6.0 update 7 (jre 6u7)

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version.

Such as...
C:\Program Files\Java\jre1.6.0_07

http://java.sun.com/javase/downloads/index.jsp
http://www.java.com/en/download/manual.jsp

FYI:
http://sunsolve.sun.com/search/document.do...y=1-26-102557-1
http://sunsolve.sun.com/search/document.do...y=1-26-102622-1
http://sunsolve.sun.com/search/document.do...y=1-26-102648-1
http://sunsolve.sun.com/search/document.do...y=1-26-102729-1
http://sunsolve.sun.com/search/document.do...y=1-26-102732-1
http://sunsolve.sun.com/search/document.do...y=1-26-102760-1

Part 1
------------
Download Adware-Virtumundo Removal Tool --
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

Part 2
------------
Download Atribune's VUNDOFIX.EXE
http://www.atribune.org/ccount/click.php?id=4

Save VUNDOFIX.EXE to "C:\" ( C:\VUNDOFIX.EXE ) and execute it from there.

Part 3
------------
Malwarebytes Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

Part 4
------------
Norman Vundo removal tool.
http://download.norman.no/public/Norman_Vundo_Cleaner.exe
http://www.norman.com/Virus/Virus_removal_tools/52658/en

Please report back your results

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
The Real Truth MVP (Guest), posted July 27, 2008

Turn off System Restore, reboot, turn it back on.

--
Ignore posts made by the person called Leythos, he is a stalker who's been obsessed with me for years ever since I spurned his advances towards me.
Baud (Guest), posted July 27, 2008

Thanks for your suggestions, David.

I tried them all in normal and safe mode, but nothing was found. I also did a system file check, which gave no error. HijackThis doesn't give anything abnormal, and it's also the case with a lot of security suites I tried (Adaware, Eset Smart Security, AVG, Spybot S&D, CounterSpy, Spyware Doctor, ...)

So there's still somewhere something that tries to initiate Virtumonde. It's not really a problem, 'cause it's completely transparent, and I can see with Autoruns that the process is aborted (file not found). I believe I can live with it till the next Vista reinstallation (which won't occur very soon, as I regularly image my system drive with True Image Home).

Baudouin.
David H. Lipman (Guest), posted July 27, 2008

From: "Baud" <nomail@please.com>

1. Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/th.../HJTInstall.exe

2. Disable Notepad's word wrap: In Notepad.exe; Format --> uncheck; "Word wrap"

3. Download/run Deckard's System Scanner:
http://www.techsupportforum.com/sectools/Deckard/dss.exe

4. Save the scan results (Main.txt and Extra.txt)

5. And then post the contents of Main.txt and Extra.txt in your post in one of the below expert forums...

{ Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }

Forums where you can get expert advice for HiJack This! (HJT) and Deckard's System Scanner Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Rem...o_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Pam (Guest), posted September 5, 2008

Thanks! I think your solution may have worked for me!

Pam
David H. Lipman (Guest), posted September 5, 2008

From: "Pam" <Pam@discussions.microsoft.com>

Cool ! :-)

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp