Virtumonde.dll aka help my computer has a virulent pestilence
Alright, so I seem to have picked up a nasty little Trojan/keylogger known as Virtumonde. I'm running Spybot S&D constantly trying to eradicate the little bugger. For now I've stopped it from altering my registry, but it just won't go away. Looking for some advice here, thanks.
Note: Ran S&D on startup twice; one time it seemed to have eradicated it, but it has come back for more. Seems to have embedded itself in the registry and System32. Running XP Pro.
Thanks for the attempt but vundofix didn't even see virtumonde. Thinking I may have to go to a special forum and use combofix with some expert support.
Anyone notice how some things (mattresses and the copy machines in Highrise) are totally impenetrable? A steel wall, yeah that makes sense, but bullets should obliterate copy machines.
I don't know about you, but I always buy a bulletproof printer. It's a lot more expensive, but I think the advantages are apparent.
Then we'll tell you what to delete from where.
---
I've got a spare copy of Portal, if anyone wants it message me.
Removal:
http://technet.microsoft.com/en-us/sysinternals/bb896652.aspx
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Put them on a Flash Drive.
Record the name of the vundo infection (e.g. htthy.dll).
Now, while in Normal Windows mode (not safe mode), open both ProcExp and RegMon. The next part takes mostly a keen eye to get past. Record some Registry activity, and look for odd patterns of three entries. They should have a weird entry in the last column (like 0xfff9f). Check those, and look for the name of your virus in the other columns. If you find it, record the name of the process they are in (for me, this is almost always either lsass.exe or winlogon.exe).
Now, navigate to that process with ProcExp. Right click on it, and select "Properties", then the "Threads" tab. If your previous searching was correct, you should find a thread with the name of your virus in there. It should be fairly easy to find because it will have a very high CPU use. Kill the threads with the virus name in them, then close Process Explorer.
Now, open the Registry Editor. This part can be fairly dangerous if you don't know how to play with the registry, so be careful. Search for, and remove keys related to the virus. In some instances, you might need to edit only part of a key relative to the virus, leaving the other parts behind. It's tricky business, but if you're already comfortable mucking about in the registry, it shouldn't be hard.
Finally, reboot, and navigate to c:\windows\system32\, and delete [virusname.dll]. Boom, you're clean.
XBL: LiquidSnake2061
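The four steps in the removal post above, turned into a triage script that does the "keen eye" part for you: this is an added example, not code from the thread or from the Sysinternals tools it links. It assumes PowerShell 4 or newer run from an elevated prompt, a hypothetical script name Find-Vundo.ps1, and that the name you pass in is the DLL recorded in step 1 (`htthy.dll` is the post's own example). The registry locations it searches are a general list of autostart and injection points for this family, not something the post names. It only reports: which processes have the DLL mapped (what the post finds via RegMon patterns and ProcExp threads), which registry values point at it, and what the file in System32 looks like. Killing threads and deleting keys stays a manual decision, as the post advises.

```powershell
<#
  Triage script for the removal steps in the post above. Added example,
  not from the original thread. Assumes PowerShell 4 or newer run from an
  elevated (administrator) prompt; the registry locations searched are a
  general list of autostart/injection points, not ones the post names.
  It only reports findings; nothing is killed or deleted.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$DllName   # name recorded in step 1, e.g. 'htthy.dll' (the post's example name)
)

# Step 2 equivalent: which processes have the DLL mapped? Reading the module
# list of lsass.exe / winlogon.exe requires an elevated prompt.
function Find-LoadedModule {
    param([string]$Name)
    Get-Process | ForEach-Object {
        $proc = $_
        try { $mods = $proc.Modules } catch { return }   # skip processes we cannot open
        $hit = $mods | Where-Object { $_.ModuleName -ieq $Name }
        if ($hit) {
            [PSCustomObject]@{
                Pid     = $proc.Id
                Process = $proc.ProcessName
                Path    = $hit.FileName
            }
        }
    }
}

# Step 3 equivalent: registry values whose data mentions the DLL. Vundo-style
# DLLs usually persist as a Winlogon notification package, a Browser Helper
# Object (whose CLSID key points at the file) or via AppInit_DLLs.
function Find-RegistryReference {
    param([string]$Name)
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',   # AppInit_DLLs value lives here
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
        'HKLM:\SOFTWARE\Classes\CLSID'   # large and slow; InprocServer32 subkeys hold DLL paths
    )
    $pattern = [regex]::Escape($Name)
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        # Include the root key itself; Get-ChildItem only returns subkeys
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($valueName in $key.GetValueNames()) {
                $data = [string]$key.GetValue($valueName)
                if ($data -match $pattern) {
                    $shown = if ($valueName) { $valueName } else { '(Default)' }
                    [PSCustomObject]@{
                        Key   = $key.Name
                        Value = $shown
                        Data  = $data
                    }
                }
            }
        }
    }
}

# Step 4 equivalent: is the file in System32, and what does it look like?
function Get-SuspectFile {
    param([string]$Name)
    $path = Join-Path $env:SystemRoot "System32\$Name"
    if (-not (Test-Path $path)) { return $null }
    $file = Get-Item $path -Force   # -Force also returns hidden/system files
    [PSCustomObject]@{
        Path      = $file.FullName
        SizeKB    = [math]::Round($file.Length / 1KB, 1)
        Modified  = $file.LastWriteTime
        Hidden    = [bool]($file.Attributes -band [IO.FileAttributes]::Hidden)
        Signature = (Get-AuthenticodeSignature $path).Status   # NotSigned is worth noting for a System32 DLL
        SHA256    = (Get-FileHash $path -Algorithm SHA256).Hash
    }
}

Write-Host "== Processes with $DllName loaded =="
Find-LoadedModule $DllName | Format-Table -AutoSize

Write-Host "== Registry values referencing $DllName =="
Find-RegistryReference $DllName | Format-Table -AutoSize -Wrap

Write-Host "== $DllName in System32 =="
$suspect = Get-SuspectFile $DllName
if ($suspect) { $suspect | Format-List } else { Write-Host 'not present' }
```

Run it as `.\Find-Vundo.ps1 -DllName htthy.dll` from an elevated prompt. The process list tells you which host process to open in Process Explorer's Threads tab, and the registry list is what you would otherwise have to hunt for in Regedit (note the CLSID hits: a BHO entry by itself only holds a GUID, the DLL path is in its InprocServer32 subkey). Windows XP, as in the thread, only ever received PowerShell 2.0, which lacks `Get-FileHash` and the `[PSCustomObject]` accelerator; on such a machine the same checks are done by hand with ProcExp, RegMon and Regedit exactly as the post describes.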