Windows 7 - Memscan:Trojan.Virtumonde.IF

Asked By Nick Cumberbatch on 18-Jun-07 07:15 AM
I am using BitDefender, Spyware Doctor and Ad-Aware, XP Pro

Recently I tried downloading a P2P file-sharing MP3 program called WinMX.
Unfortunately I was not aware of the threats that this program posed.

I have since uninstalled it and run the above programs to scan and delete
threats.

However there is one persistent threat, MemScan:Trojan.Virtumonde.IF, that
seems to persist.

It appears to infect the following files:
windows\system32\asfpdf.dll
windows\system32\coma32.dll
windows\system32\isigerf.dll

Any assistance will be appreciated




Leythos replied on 18-Jun-07 07:25 AM

Always remember - only download files from Trusted Sites.

The following links will take you to vendors sites for Spy Ware / Ad
ware removal tools and also for Antivirus tools. After you install any
of these applications and update them, run them in SAFE MODE to allow
them to properly clean your system.

First, make sure that your Java is updated to the latest version:
http://www.java.com/en/download/index.jsp

These sites are for downloading Anti-Malware and Anti-Spyware tools, in
the order that I would use them myself:

Dave Lipman's tools:
Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp

AdAwareSE can be found here:
http://www.lavasoft.com/products/ad_aware_free.php

SpyBot Search and Destroy can be found here:
http://www.safer-networking.org/en/download/index.html

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
David H. Lipman replied on 18-Jun-07 04:54 PM
Two phase answer...

Perform Part 1 then perform Part 2

It is suggested that you execute each tool in Normal Mode then in Safe Mode.


If you are using any version of Sun Java that is prior to JRE Version 6.0,
then you are strongly urged to remove any/all versions.
There are numerous vulnerabilities in them and they are actively being exploited.

It is highly suggested that you update to the latest version which is Sun Java JRE/JSE
Version 6.0 update 1 (jre 6u1)

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version.

Such as...
C:\Program Files\Java\jre1.6.0_01

http://java.sun.com/javase/downloads/index.jsp
http://www.java.com/en/download/manual.jsp

FYI:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102622-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102732-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102760-1




Part 1
------------
Download Adware-Virtumundo Removal Tool --
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

Information on the Adware-Virtumundo Removal Tool:
http://forums.mcafeehelp.com/viewtopic.php?t=57049

Part 2
------------
Download Atribune's VUNDOFIX.EXE
http://www.atribune.org/ccount/click.php?id=4

Save VUNDOFIX.EXE to "C:\" ( C:\VUNDOFIX.EXE ) and execute it from there.



* * *  Please report back your results  * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Lord Maximus replied on 26-Jun-07 10:22 PM
Nick Cumberbatch aka nickcwpg@hotmail.com, after much thought, came up
with this jewel:


File sharing must be done with care.
After you get your mess cleaned up, try LimeWire.
max
--
My Pages:
Virus Removal Instructions:
http://www.freespaces.com/maxwachtel/removal.html
Keeping Windows Clean:
http://www.freespaces.com/maxwachtel/keepingclean.html
Tools: http://www.freespaces.com/maxwachtel/tools.html
Change nomail.afraid.org to gmail.com to reply. nomail.afraid.org is
specifically set up for USENET. Feel free to use it yourself.
Nick Cumberbatch replied on 18-Jun-07 09:33 PM
Hi Dave:
I tried your solution

Part 1 results:

[06/18/2007, 21:44:29] - VirtumundoBeGone v1.5 (
[06/18/2007, 21:44:46] - Detected System Information:
[06/18/2007, 21:44:46] -  Windows Version: 5.1.2600, Service Pack 2
[06/18/2007, 21:44:46] -  Current Username: Nick Cumberbatch (Admin)
[06/18/2007, 21:44:46] -  Windows is in NORMAL mode.
[06/18/2007, 21:44:46] - Searching for Browser Helper Objects:
[06/18/2007, 21:44:46] -  BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670}
(&Yahoo! Toolbar Helper)
[06/18/2007, 21:44:46] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(Adobe PDF Reader Link Helper)
[06/18/2007, 21:44:46] -  BHO 3: {31FF080D-12A3-439A-A2EF-4BA95A3148E8}
(bho2gr Class)
[06/18/2007, 21:44:46] -  BHO 4: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
(Yahoo! IE Services Button)
[06/18/2007, 21:44:46] -  BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(SSVHelper Class)
[06/18/2007, 21:44:46] -  BHO 6: {AE7CD045-E861-484f-8273-0445EE161910}
(Adobe PDF Conversion Toolbar Helper)
[06/18/2007, 21:44:46] -  BHO 7: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
(Windows Live Toolbar Helper)
[06/18/2007, 21:44:46] - Finished Searching Browser Helper Objects
[06/18/2007, 21:44:46] - Finishing up...
[06/18/2007, 21:44:46] - Nothing found! Exiting...

Then Part 2
VundoFix V6.5.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 9:54:47 PM 18-Jun-07

Listing files found while scanning....

C:\windows\system32\vtsqnkh.dll

Beginning removal...

Attempting to delete C:\windows\system32\vtsqnkh.dll
C:\windows\system32\vtsqnkh.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\vtsqnkh.dll
C:\windows\system32\vtsqnkh.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

At this point I began to get a Blue Screen whenever I try booting into SAFE
MODE.  Tried it 6 times with the same blue screen.  However I could boot
into Normal Mode.  Now I am not sure what to do next.  Something is
preventing me from booting in Safe Mode.  Did I get rid of the threat??
David H. Lipman replied on 19-Jun-07 05:39 PM
Hi Nick:

Nothing but legitimate items were found by VBG.


However VundoFix found you had a very vulnerable and often exploited version of Sun Java, which
MAY be the reason you got infected with the Virtumonde Adware/Vundo Trojan.

Please go back to my original reply and follow my directions to remove v1.4.x and replace it
with v6 update 1.




We need to verify that %windir%\system32\vtsqnkh.dll  has indeed been removed.
Another scan in Normal Mode is indicated and we'll then see if it was removed based upon the
VundoFix log.

If not, there are "other" steps we can take to remove the DLL, vtsqnkh.dll.

We can deal with the BSoD in Safe Mode after removing the DLL.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
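The two checks Dave asks for in this thread (the "only one folder under C:\Program Files\Java" test in his first reply, and confirming that %windir%\system32\vtsqnkh.dll is really gone in this one), plus a listing of the Browser Helper Objects that VirtumundoBeGone enumerated, can be done in one read-only PowerShell script. This is an added example, not code from the thread or from any of the tools named in it. It assumes PowerShell 2.0 (the last version that runs on XP), a 32-bit system (no Wow6432Node registry view), and the four DLL names taken from the posts above; any other names you add to `$suspectDlls` are your own.

```powershell
# Added triage script (not from the thread). Read-only: it deletes nothing.
# Run from an elevated PowerShell prompt so every folder and key is readable.

# DLL names reported in the thread. Anything added here is an assumption.
$suspectDlls = @('asfpdf.dll', 'coma32.dll', 'isigerf.dll', 'vtsqnkh.dll')

$system32 = Join-Path $env:windir 'system32'

# 1. Java: every folder under Program Files\Java other than the current one is a
#    leftover runtime that should be uninstalled (the "simple check" above).
$javaRoot = Join-Path $env:ProgramFiles 'Java'
"== Java installs under $javaRoot =="
if (Test-Path $javaRoot) {
    Get-ChildItem -Path $javaRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
        # jre1.6.0_01 -> 1.6.0_01 ; jre1.4.2_03 -> 1.4.2_03
        $ver  = $_.Name -replace '^(jre|jdk)', ''
        $flag = if ($ver -match '^1\.[0-5]\.') { 'OLD - remove' } else { 'ok' }
        '{0,-40} {1}' -f $_.FullName, $flag
    }
} else {
    "No Java folder at $javaRoot"
}

# 2. DLLs: report which of the named files still exist, with size and timestamp,
#    so a second run after a removal tool shows whether anything changed.
#    -Force is needed because Vundo-family files are often marked hidden/system.
"`n== Suspect DLLs in $system32 =="
foreach ($name in $suspectDlls) {
    $path = Join-Path $system32 $name
    if (Test-Path $path) {
        $f = Get-Item -Path $path -Force
        '{0,-45} PRESENT {1,8} bytes  {2}' -f $path, $f.Length, $f.LastWriteTime
    } else {
        '{0,-45} absent' -f $path
    }
}

# 3. BHOs: the registry key that lists them, and each CLSID's InprocServer32
#    value, which is the DLL Internet Explorer will load. A CLSID with no
#    friendly name that points at a random-looking system32 DLL is the one to
#    compare against the VirtumundoBeGone output.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
"`n== Browser Helper Objects =="
if (Test-Path $bhoKey) {
    Get-ChildItem -Path $bhoKey | ForEach-Object {
        $clsid    = $_.PSChildName
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $friendly = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
        $dll      = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if (-not $friendly) { $friendly = '<no name>' }
        if (-not $dll)      { $dll      = '<no InprocServer32>' }
        '{0}  {1}  ->  {2}' -f $clsid, $friendly, $dll
    }
} else {
    "No BHO key at $bhoKey"
}
```

Run it once before and once after each removal tool and compare the two outputs. A DLL that a tool reports as "Could not be deleted" and that still shows PRESENT here is locked by a running process (typically explorer.exe or Internet Explorer, since BHOs load into both), which is why the replies above recommend repeating the scan in Safe Mode; a BHO entry whose InprocServer32 points at a file that is now absent is a dead registration that can be cleaned up once the file is confirmed gone.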
Nick Cumberbatch replied on 21-Jun-07 06:42 AM
After trying to solve this problem, I was still left with the Blue Screens
in both Normal and Safe Mode.  So unfortunately I have no choice but to
re-install windows.
David H. Lipman replied on 21-Jun-07 07:31 AM
Did the BSoD happen ONLY when using VundoFix or every boot ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm