Virtumonde problem i need help with please!

  gazmix 19:00 09 Sep 2007
Locked

Hi
I noticed my AVG threat detector detected something after I downloaded the 'Shareaza' file share programme.
I started to receive a file in stages & I got the threat detection!
I clicked on 'heal' & apparently it healed!
I got it again!
I cancelled all file shares & uninstalled Shareaza & ran Spybot!

It found the usual, plus 5 entries of Virtumonde!
I googled virtumonde & this guy said that he had this & couldn't remove it. He could only remove 4 of 6 entries. Also that it is in the memory ?? sorry but I ain't got a clue really!!
Apparently virtumonde hides itself & causes browser hijack & popups, this I'm getting!!

It said that the only way of getting rid of it was with a Windows OneCare scan, but I tried this & it said it can't be done on my PC as I have to upgrade!!
Could it be that I'm using Mozilla?

What can I do? Apparently a HijackThis log won't find anything & neither will the other anti virus scans it mentioned!

Thanks

Gaz

  gazmix 19:16 09 Sep 2007

I'll have a look, cheers.
I have both Firefox & IE. I thought the OneCare wouldn't work with FF, so I tried with IE; it said my security settings were stopping me from doing the online check! I have AVG & ZA, I was wondering if my ZA firewall may not be set up correctly!
How should it be set up?
Gaz

  gazmix 14:20 10 Sep 2007

I read Fingees' link before, this is why I wrote what I did in my 1st post.

I have run RogueRemover which seemed ok & posted a HijackThis log on malwareremover.com.

Spybot found 5 entries of virtumonde & according to Spybot, it also deleted them. But on the link in Fingees' post, it says that Spybot can't always delete them.

Now when I turn on my PC & everything on my desktop loads up & before I go online, I get a ZA programme alert saying ' tmp24.tmp.exe ' is trying to access the internet!!
What could this be? I've googled it & I don't understand.
Any help appreciated
Gaz

  wee eddie 14:25 10 Sep 2007

I had this problem a while back.

I contacted Spybot and I think that it was Karen there that solved it for me.

  gazmix 14:57 10 Sep 2007

I ran VundoFix, it found 4 files, I followed the instructions, PC rebooted.

It said that if VundoFix couldn't remove any files, it would run on reboot.
It hasn't automatically started on reboot, so does this mean that it's got rid of Virtumonde from my system?
Would it have automatically run again after reboot if it couldn't remove files the 1st time??

  gazmix 15:33 10 Sep 2007

Hi
I have run VundoFix & it showed 4 entries, it rebooted & didn't reappear after reboot, so I guess it removed all files!

I ran VirtumundoBeGone in Safe Mode as instructed & this is the logfile:-


[09/10/2007, 15:16:33] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\user\Desktop\VirtumundoBeGone.exe" )
[09/10/2007, 15:16:44] - Detected System Information:
[09/10/2007, 15:16:44] - Windows Version: 5.1.2600, Service Pack 2
[09/10/2007, 15:16:44] - Current Username: user (Admin)
[09/10/2007, 15:16:44] - Windows is in SAFE mode with Networking.
[09/10/2007, 15:16:44] - Searching for Browser Helper Objects:
[09/10/2007, 15:16:44] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[09/10/2007, 15:16:44] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[09/10/2007, 15:16:44] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/10/2007, 15:16:44] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[09/10/2007, 15:16:44] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[09/10/2007, 15:16:44] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[09/10/2007, 15:16:44] - BHO 4: {9394EDE7-C8B5-483E-8773-474BF36AF6E4} (ST)
[09/10/2007, 15:16:44] - BHO 5: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (MSNToolBandBHO)
[09/10/2007, 15:16:44] - Finished Searching Browser Helper Objects
[09/10/2007, 15:16:44] - Finishing up...
[09/10/2007, 15:16:44] - Nothing found! Exiting...


As you can see, it says all is ok!!
But how can I tell for definite!

When I boot my PC & before I log on to the internet, I get the ZA programme alert saying:-
tmp24.tmp.exe is trying to access the internet!
This has just started since I had issues with the Virtumonde!
Could this be part of Virtumonde or something else?
Thanks
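
The VirtumundoBeGone log above is line-oriented and easy to check mechanically. Below is an added example (not part of the thread, and not the tool's own code) that parses the "BHO n: {CLSID} (name)" lines, lists every registered Browser Helper Object, and pulls out the ones that carry no default name, since those are the entries the tool itself singles out for a second look. The sample text is the log posted above, embedded inline; the function names are my own. An unnamed BHO is not proof of infection on its own (the tool checks this one against an SDHelper Winlogon key, which is a Spybot component), so the output is a list of CLSIDs to look up, not a verdict.

```python
import re

# Sample input: the VirtumundoBeGone log lines quoted in the post above.
SAMPLE_LOG = """\
[09/10/2007, 15:16:44] - Searching for Browser Helper Objects:
[09/10/2007, 15:16:44] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[09/10/2007, 15:16:44] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[09/10/2007, 15:16:44] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/10/2007, 15:16:44] - Checking for HKLM\\...\\Winlogon\\Notify\\SDHelper
[09/10/2007, 15:16:44] - Key not found: HKLM\\...\\Winlogon\\Notify\\SDHelper, continuing.
[09/10/2007, 15:16:44] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[09/10/2007, 15:16:44] - BHO 4: {9394EDE7-C8B5-483E-8773-474BF36AF6E4} (ST)
[09/10/2007, 15:16:44] - BHO 5: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (MSNToolBandBHO)
[09/10/2007, 15:16:44] - Finished Searching Browser Helper Objects
[09/10/2007, 15:16:44] - Finishing up...
[09/10/2007, 15:16:44] - Nothing found! Exiting...
"""

# One BHO line: "[timestamp] - BHO <n>: {CLSID} (<name>)"; the name may be empty.
BHO_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - BHO (?P<idx>\d+): "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\)$"
)


def parse_bho_log(text):
    """Return one dict per BHO line, in log order; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            entries.append({
                "index": int(m.group("idx")),
                "clsid": m.group("clsid").upper(),
                "name": m.group("name"),
            })
    return entries


def unnamed_bhos(entries):
    """CLSIDs of BHOs whose default name is empty: the ones to look up by hand."""
    return [e["clsid"] for e in entries if not e["name"]]


def tool_verdict(text):
    """What the tool itself concluded, taken from its closing line."""
    return "nothing found" if "Nothing found!" in text else "review log"


if __name__ == "__main__":
    bhos = parse_bho_log(SAMPLE_LOG)
    for e in bhos:
        print(f"BHO {e['index']}: {e['clsid']} name={e['name'] or '<none>'}")
    print("unnamed:", unnamed_bhos(bhos))
    print("tool verdict:", tool_verdict(SAMPLE_LOG))
```

Run against the log above it lists five BHOs and flags exactly one unnamed CLSID, which matches what the tool printed. The point for a reader in this situation is that the scan's "Nothing found" covers only what the tool looks for (BHOs and their Winlogon hooks); a program that a firewall sees trying to reach the internet at boot is a separate question, which is why the next posts chase the executable itself.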

  gazmix 16:04 10 Sep 2007

Hi
I ran Vundo again, & it found nothing, so I assume Virtumundo is gone!!

I clicked Start/Search & typed in 'tmp24.tmp.exe'

It found this :-
Name : TMP24.TMP.EXE-35EACD24.pf
Type : PF File
In Folder : C:\WINDOWS\prefetch
Modified : 9/9/07 ( this is when I started getting the ZA prog alert on boot up!)

Does anyone know what this could be??

Thanks
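
The only trace the search turned up is a Windows prefetch entry. A .pf file name has the form EXECUTABLE-HASH.pf, where the eight hex digits are a hash Windows derives from the executable's full path, so the file tells you that something called tmp24.tmp.exe has run since the prefetch folder was last cleared, and it lets you tell two same-named binaries in different folders apart, but it is not the program itself. Deleting the .pf file (which the prefetch cleaner used later in the thread does) removes that record and nothing else, which is consistent with the firewall alert continuing afterwards. The following added example (my own code, not from the thread or any tool it mentions) parses a prefetch directory listing into executable name and path hash and flags names that follow a temp-file pattern like tmpNN.tmp.exe; the listing is constructed apart from the entry quoted above and the standard NTOSBOOT boot entry.

```python
import re

# Constructed prefetch directory listing: the TMP24 entry is the one from the post,
# NTOSBOOT-B00DFAAD.pf is the standard boot prefetch file, the rest are made up.
SAMPLE_LISTING = [
    "NTOSBOOT-B00DFAAD.pf",
    "TMP24.TMP.EXE-35EACD24.pf",
    "FIREFOX.EXE-1A2B3C4D.pf",
    "NOTEPAD.EXE-336351A9.pf",
    "Layout.ini",  # not a prefetch trace; ignored
]

# EXECUTABLE-HASH.pf, hash is eight hex digits derived from the full path.
PF_RE = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-Fa-f]{8})\.pf$")

# Executables named like a temp file: tmp<digits>.tmp.exe, case-insensitive.
TEMP_EXE_RE = re.compile(r"^tmp\d+\.tmp\.exe$", re.IGNORECASE)


def parse_prefetch_name(filename):
    """Split 'NAME-HASH.pf' into (NAME, HASH); return None for other files."""
    m = PF_RE.match(filename)
    if not m:
        return None
    return m.group("exe").upper(), m.group("hash").upper()


def is_temp_named_executable(exe_name):
    """True for names such as TMP24.TMP.EXE that look like a dropped temp file."""
    return TEMP_EXE_RE.match(exe_name) is not None


def triage_prefetch_listing(filenames):
    """Executable names from the listing that look like temp files and so
    deserve a closer look (for example a firewall alert naming the same file)."""
    flagged = []
    for fn in filenames:
        parsed = parse_prefetch_name(fn)
        if parsed and is_temp_named_executable(parsed[0]):
            flagged.append(parsed[0])
    return flagged


if __name__ == "__main__":
    for fn in SAMPLE_LISTING:
        print(fn, "->", parse_prefetch_name(fn))
    print("flagged:", triage_prefetch_listing(SAMPLE_LISTING))
```

On the constructed listing this parses four traces, ignores Layout.ini, and flags only TMP24.TMP.EXE. The same hash suffix will not match a copy of the executable in another folder, so when correlating a firewall alert with a prefetch record it is the executable name, not the hash, that you compare.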

  gazmix 18:51 10 Sep 2007

Hi
I googled it & it came up with a tool by Atribune called ATF Cleaner, I used this & nothing, what do you have in mind??

  gazmix 21:04 10 Sep 2007

VoG
I'll check that out thanks.
Since I ran the ATF Cleaner as I said, this site loads up very weird, I don't get the red & blue logo at the top & all is in bigger print :(
I reckon I've done something wrong & it won't let me system restore to a previous date!
Doh!!

  gazmix 23:03 10 Sep 2007

A removal forum?

I don't get why the look of this site has changed so dramatically since I ran the ATF cleaner that is available at click here. Can someone help me with this??
Thanks

  gazmix 00:35 11 Sep 2007

VoG
I downloaded the Windows XP Prefetch Clean & Control & it asked me what setting I should put it at. I used the recommended (or should I have used the Windows default?? setting) & I then rebooted.

I clicked on 'Clean Prefetch Folder now' after I re-booted & it said prefetch log flushed, I then rebooted again & still I get the ZoneAlarm Security alert for tmp24.tmp.exe
hmmm
Gaz
