AntiSpyware fails to removeVirtumonde (C:\WINDOWS\system32\mlljg.d

[Guest]

Greetings everyone,

MS Antispyware says that it found the Virtumonde malware on one of my WinXP
SP2 boxes.

To remove the malware, Antispyware says it needs to remove some Registry
Keys, and the file "C:\WINDOWS\system32\mlljg.dll".

I boot into Safe Mode and rescan with Antispyware. Once it finds Virtumonde,
I click the "Remove" button, and confirm that I want to remove this threat.
Antispyware then says it has *removed* the threat, and asks me to reboot, so
I reboot.

Now, when I go back and check on the "View Details..." button, the log says
that Virtumonde was *ignored* and it doesn't say why.

If I look for the file, C:\WINDOWS\system32\mlljg.dll still exists! The file
was never removed.

Why does Antispyware ignore this file?

The same thing happens if I run Windows in "Normal mode" or "Safe mode" and
"Safe Mode with Command Prompt".

I cannot remove C:\WINDOWS\system32\mlljg.dll by hand because Windows says
that something is using the file. Again, this happens in "Normal mode" or
"Safe mode" and "Safe Mode with Command Prompt".

 

[Guest]

It's likely a registered component. Using ANY antispyware app to try to deal
with these types of problems will FAIL.

I suggest using a forum such as http://www.castlecops.com to see what
recommendations they have to manually remove Virtumonde (aka Vundo).

Alan

 

[Guest]

Yep, Vundo locks down the Winlogon key in the registry and runs as a dll to
the process. Symantec has a manual removal program - as does the reference in
CastleCops.

 

[Guest]

I guess this leads to the obvious question-- why the heck does Windows allow
some strange program to attach itself to a core process like Winlogon?

I know where we got this file from-- this file slipped in when IE hit some
strange advertising website (Timestamps of the file are identical to the
timestamp of a site in the IE browing history).

Shouldn't those sorts of important, core files be protected from random
internet websites?

But I guess I'm getting off topic.

 

[Guest]

Ah yes, why do users have root access? If they didn't, they wouldn't be able
to install such programs as Norton Internet Security, etc. (which, by the
way, doesn't usually prevent Vundo from being installed, in most cases). If
MS didn't allow this, most people would have an OS they couldn't configure
very much. But, that's the drawback. Unfortunately, most home users don't
deserve root access, but they do need to be able to install programs
(although that doesn't have much to do with Winlogon). But, it does have
enough to do with other critical processes that could be hijacked just the
same. MS wouldn't dare ship an OS that users couldn't configure (although
it's a good argument that they should). As time moves on, MS will lock it
down a bit more, but it won't stop viri/spyrii from being written to take
advantage of what's available. The same code that's written for the security
companies can be written for the viri and spyrii companies. It's a
never-ending battle. Hey, it gives some of us a job. [grin]