Virtumondo.C

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I have found Virtumondo.C on my computer and like most of you am having
problems removing it. I think I have found a way to remove but need your help.

Virtumondo.C loads up when your computer loads up, and is beginning to get
very hard to remove. If you have Hijack this you can find the virus's name by
using this program.

http://www.merijn.org/files/hijackthis.zip

First line in HijackThis
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} -
C:\WINDOWS\system32\nnlmn.dll

Second line in HijackThis
O20 - Winlogon Notify: nnlmn - C:\WINDOWS\system32\nnlmn.dll

You can find it by looking for MSEvents Object and Win logon Notify, this is
were the virus is loading up. The filename will be different on your computer
but there it is.

When it loads it uses your computers login to attach itself to Microsoft
systems. This is way MSAS can't delete it. When it attaches to this system if
for some reason it did delete the infected file windows would crash. This
infected file is treaded as a file being used by Microsoft's systems.

Now that you know how this virus is working I have tried a few things. First
I have went into Safe Mode and tried to delete the file. But as stated above
it attaches itself to the login system. You will don't be able to delete it.
I have tried it in command prompt and tried to delete it but still it
attaches itself to the logon system.

I have a NERO CD-ROM Boot DISK with DR-DOS 7.1 but this file can't be delete
because it is a read only file. It would be easy to delete with command
attrib but the boot disk doesn't have this command. So I tried a Windows 98
Boot Disk but I have a NTFS System installed on my hard drive and the Windows
98 Boot Disk doesn't support NTFS. If you don't have a NTFS you can delete
the infected file.

Use command
ATTRIB -R -S -H c:\windows\system32\filename Then delete the file.

Make sure to use the remove tool in MSAS first before boot up your computer
with a Windows 98 boot disk to remove the reg keys to the virus.

If any one out there could help me out I need a boot disk that will get me
to the command prompt and you can use the dos command attrib and use for
NTFS. It would be of great help to all of use.

Just got a idea I will see if I can delete file with a autoexec.bat file
before system loads up will let you know if this works. Still if you have any
other ideas let me know.
 
Hi Justin - Four approaches to removing Winfixer (Vundo). It's suggested
that you try them in this order.

1 - Symantec has a new Vundo remover:
http://securityresponse.symantec.com/avcenter/FixVundo.exe
http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html
http://securityresponse.symantec.com/avcenter/venc/data/adware.virtumonde.html#removalinstructions

2 - It's been reported that the Removal Tool here is worthwhile:
http://forums.mcafeehelp.com/viewtopic.php?t=57049


3 - Then, courtesy of MVP Suzi Turner and Mosaic1:

"Atribune, a guy in the forums, has a Vundo fix tool as well:

Instructions for use by user as posted in the SpywareWarrior forum:

'Please download VundoFix.exe to your desktop. Here's a link:

http://www.atribune.org/downloads/VundoFix.exe

Double-click VundoFix.exe to extract the files
This will create a VundoFix folder on your desktop.
After the files are extracted, please restart your computer into Safe Mode.

Once in safe mode open the VundoFix folder and double-click on KillVundo.bat

A command window will open and it should look like this:

VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk

At this point press enter one time.

Next you will see:

Type in the filepath as instructed by the forum staff
Then Press Enter, to continue with the fix.


At this point please type the following file path (make sure to enter it
exactly as below!):
C:\WINDOWS\system32\geeby.dll

Press Enter.

Next you will see:

Please type in the second filepath as instructed by the forum staff

At this point please type the following file path (make sure to enter it
exactly as below!):
C:\WINDOWS\system32\ybeeg.*

Press Enter to continue.

The fix will run then HijackThis will open.
In HijackThis, please place a check next to the following items and click
FIX CHECKED:


O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} -
C:\WINDOWS\system32\geeby.dll
O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll

After you have fixed these items, close Hijackthis.

The fix will tell you to shutdown using the Power button. Hold in your power
button until the computer shuts down. Wait about 15 seconds and then restart
the computer into regular windows.

Chkdsk will run. This is normal. It will take a few minutes and is checking
your file system because of the Bad Shutdown we caused.

Go for free online Virus scans here:

http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/

Allow them to clean

Panda will have the option to create a log after the scan has finished.
Click
the See Report button. Then click the save Report button. It will be saved
under the name activescan.txt Do that and post that log into your next reply
here.

Run hijackthis and post the new log and the vundofix.txt file from the
vundofix folder into as well.'
----------------------------------------------------------------------------
--

The forum helpers have reported this fix from Atribune works. I don't know
about the Symantec tool.

If you'd like to join Spyware Warrior, you could see the thread where the
helpers are discussing this.

Suzi"


Note: Here's some added info relative to the above courtesy of MVP Steve
Wechsler (akaMowGreen):

"the .dll's file name :

C:\WINDOWS\system32\geeby.dll

will be different on different systems. What you can do to identify it
is to scan the system with HijackThis and look at the O2 BHO and/or O20
Winlogon entries to find out it's name. Close all other programs and
browsers prior to scanning with HJT.
REMEMBER that there is a hidden file that will have the name of the .dll
spelled backwards. Enter that name when the VundoFix requests the path
to the second file.

4 - Grinler, a Security MVP, has another removal method that can be used if
the recommended method fails :
http://www.bleepingcomputer.com/forums/topic18610.html"
_____________________________________________________

Here's the HijackThis info you may need:

Download HijackThis, free, here:
http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13

There's a good "How-to-Use" tutorial here:
http://computercops.biz/HijackThis.html

In Windows Explorer, click on Tools|Folder Options|View and check "Show
hidden files and folders" and uncheck "Hide protected operating system
files". (You may want to restore these when you're all finished with
HijackThis.)

Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder
at the root level such as C:\HijackThis (NOT in a Temp folder or on your
Desktop), reboot to Safe mode, start HT then press Scan. Click on SaveLog
when it's finished which will create hijackthis.log. Now click the Config
button, then Misc Tools and click on Generate StartupList.log which will
create Startuplist.txt


Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:
http://forums.spywareinfo.com/
or Jim Eshelman's site here: http://forum.aumha.org/
or Bleepingcomputer here: http://www.bleepingcomputer.com/
or Computer Cops here: http://www.computercops.biz/forums.html
or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
or Net-Integration here: http://net-integration.us/forums/index.php

Register if necessary, then sign in and READ THE DIRECTIONS at the beginning
of the particular site's HiJackThis forum, then copy and paste both files
into a message asking for assistance, Someone will answer with detailed
instructions for the removal of your parasite(s). Be sure you include at
the beginning of your post a description of "What specific
problem(s)/symptoms you're trying to solve" and "What steps you've already
taken."




*******
ONLY IF you've successfully eliminated the malware, you can now make a new,
clean Restore Point and delete any previously saved (possibly infected)
ones. The following suggested approach is courtesy of Gary Woodruff: For XP
you can run a Disk Cleanup cycle and then look in the More Options tab. The
System Restore option removes all but the latest Restore Point. If there
hasn't been one made since the system was cleaned you should manually create
one before dumping the old possibly infected ones.
*******


You probably should consider switching to Sun Java J2SE 5.0 JRE or later
here: http://java.sun.com/j2se/1.5.0/download.jsp (What I use, BTW),
especially since MS will apparently no longer be distributing Java or
providing any support for Java including security fixes after Dec 31, 2007.
BE SURE that you uninstall any prior versions of Sun Java as some,
specifically JRE v. 1.4.2_03, contain a security bug which certain malware,
notably Winfixer/Vundo, are suspected of exploiting. If you did have this
version of Sun Java, JRE v. 1.4.2-03, installed, please post back and tell
us.


When you get things cleaned up, take a look at my Blog, Defending Your
Machine, addy in my Signature below, for some additional curative and
preventive measures you might want to implement to help prevent this type of
thing in the future.
 
Back
Top