Drew Community (General Forums > Technology Discussion)

ayo smart tech people

#1, 01-09-2009, 10:07 PM
Andy A. Benavides

Hi,

I got a virus around Christmas time; it's a Virtumonde trojan. I've tried using Spybot to remove it and it does, but apparently it replicates itself every time Spybot removes it. Spybot says it replicates itself in the Winlogon registry and in a random DLL file. I used Spybot to search for which file, and then I tried manually deleting it in the system32 folder, but it never lets me. I've tried disconnecting my laptop completely from the internet and running Spybot, but it just keeps manifesting itself. I've gotten all the updates for Spybot, and when I tried to update F-Prot I found out that doesn't work anymore... so what should I do? I keep denying the registry changes the virus attempts, and I think that's the only reason my laptop is still kicking... occasionally I get a weird page trying to open up in Firefox, but nothing serious ever happens... sooooo, what can I do? Thanks in advance

andy

#2, 01-10-2009, 12:21 AM
Jonathan B. Reams

Virtumonde is very hard to get rid of. The DLL it creates registers a hook for Winlogon notifications, so it can never be deleted while the system is booted, because it will always be in use. Unless you want to mess with booting from something like the Trinity Rescue Kit or BartPE to remove the DLLs and the Winlogon notification registrations while the system is offline, your best bet might be to bring it down to the helpdesk; I haven't found a good tool for removing this virus, and removing it manually is a rather involved process.


#3, 01-11-2009, 12:36 AM
Gregory R. Everitt

Well, the real solution here, the one I used, was to change the bootup configuration with msconfig (you can get that by running the msconfig command from the Run feature in the Start menu in XP, or in the search bar in Vista). I can't give a great description of this, and I can't promise you'll get good results from this, but here goes. Go to the Startup tab. There should be some randomly titled entries which launch .dll files of the same name. You can tell if they are .dll files by checking the "Command" field next to the entry. If you're sure that those items are not legitimate programs (try googling their names), try unchecking them and clicking "OK". Reboot and clean with Spybot again.

#4, 01-11-2009, 01:23 AM
Jonathan B. Reams

That's actually only fixing part of the problem and will only result in a much larger infection down the road. Virtumonde registers itself with Winlogon and as a BHO and cannot be removed while the system is booted. Although removing entries from the Run key will prevent the virus from being loaded when the shell starts, it will continue to run every time you start Internet Explorer and every time there's a Winlogon notification (every time you press Ctrl-Alt-Delete).

#5, 01-11-2009, 02:51 AM
Gregory R. Everitt

In that case, wouldn't you delete the BHO while booted in Safe Mode?

EDIT: I couldn't tell you for sure if the msconfig trick I described was all I did. I can tell you that Spybot doesn't detect Virtumonde, however. My HijackThis log doesn't indicate any randomly named DLLs.


#6, 01-11-2009, 02:25 PM
Jonathan B. Reams

Well, the BHO, maybe. What about the Winlogon notifications? The reason viruses like Virtumonde are so nasty is that the people who wrote them used all that same logic you're using to disinfect. Spybot -> msconfig -> Safe Mode is a good procedure when trying to remove poorly written spyware, but I've seen plenty of Virtumonde infections that persist in Safe Mode. The only sure way I've found of really removing Virtumonde, short of reimaging the machine, is to do it through a live CD so you're disinfecting the machine while it's offline.

The latest version of Spybot does in fact detect Virtumonde; it just can't remove it effectively for all the reasons I've mentioned in this post.

#7, 01-11-2009, 05:33 PM
Gregory R. Everitt

Quote (originally posted by Jonathan B. Reams):
Well, the BHO, maybe. What about the Winlogon notifications? The reason viruses like Virtumonde are so nasty is that the people who wrote them used all that same logic you're using to disinfect. Spybot -> msconfig -> Safe Mode is a good procedure when trying to remove poorly written spyware, but I've seen plenty of Virtumonde infections that persist in Safe Mode. The only sure way I've found of really removing Virtumonde, short of reimaging the machine, is to do it through a live CD so you're disinfecting the machine while it's offline.

The latest version of Spybot does in fact detect Virtumonde; it just can't remove it effectively for all the reasons I've mentioned in this post.

So what are you recommending to Andy and me? Are you saying we should go down to CNS? Are you a member of CNS yourself? I would like to know what my options are here. I do know that my task bar locks up a lot and I was wondering what was causing that.

EDIT: I am using Windows Vista Enterprise on the freshman laptop. Also, the latest VundoFix hasn't found anything, for what it's worth.


#8, 01-11-2009, 08:53 PM
Jonathan B. Reams

If you deleted the DLLs the virus put into system32, and you're sure you got all of them, then you probably got rid of the virus. There are probably some references left to it in the registry, which isn't a huge problem but isn't the best thing either. The problem is that it's very difficult to remove all the DLLs while the system is running because of how they register with Winlogon. Winlogon is the parent process of everything that isn't a service on Windows (Explorer and all the programs you run); it's a process that cannot be ended while the system is booted, and it starts in Safe Mode and regular mode. But if you manage to delete the DLLs, and no new DLLs appear, then you should be fine.

So, should you bring it to the desk? Yes, if your computer is exhibiting strange behavior or is giving you popups of either the spyware or F-Prot variety and you don't feel you can fix the problem on your own, you should bring it down to the helpdesk to be repaired. The helpdesk has an environment for removing files, editing the registry, and running various virus/spyware removal tools without actually booting the system. And yes, I do work for CNS.
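An added example, not code from any post in this thread and not a CNS tool: the PowerShell below enumerates the three persistence points the replies argue about (the Winlogon Notify hook from #2 and #4, the Browser Helper Object registration from #4, and the Run key that msconfig's Startup tab exposes in #3), resolves each one to a DLL on disk, and reports whether the file exists, whether it carries a valid Authenticode signature, whether its name looks randomly generated, and, on a live system, which processes currently have it mapped (which is why deleting it from system32 fails). The same function runs against a SOFTWARE hive loaded from a rescue boot, which is the "disinfect while offline" approach in #6 and #8. Function names (Get-WinlogonPersistence, Test-RandomLookingName), parameter names, the D:\ mount point, and the random-name heuristic are my assumptions; it needs PowerShell 3 or later and an elevated prompt.

```powershell
# Added example: triage Virtumonde/Vundo-style persistence from the live registry
# or from an offline SOFTWARE hive. Not from the thread; names are assumptions.

function Test-RandomLookingName {
    # Assumption: dropper names are 6-10 random lowercase letters with few vowels.
    # Expect some false positives (e.g. legitimate sclgntfy.dll); use with Signed.
    param([string]$Path)
    $base = [IO.Path]::GetFileNameWithoutExtension($Path).ToLower()
    if ($base.Length -lt 6) { return $false }
    $vowels = [regex]::Matches($base, '[aeiouy]').Count
    return ($base -match '^[a-z]{6,10}$') -and (($vowels / $base.Length) -lt 0.25)
}

function Get-WinlogonPersistence {
    param(
        # 'HKLM:\SOFTWARE' on the live box, or e.g. 'HKLM:\OfflineSW' after
        # `reg.exe load` of another installation's hive from WinPE / a live CD.
        [string]$HiveRoot   = 'HKLM:\SOFTWARE',
        # Windows directory that %SystemRoot% and bare DLL names resolve against.
        [string]$SystemRoot = $env:SystemRoot
    )
    $live    = ($HiveRoot -ieq 'HKLM:\SOFTWARE')
    $entries = New-Object System.Collections.ArrayList

    # 1. Winlogon notification packages: winlogon.exe loads each DLLName at boot
    #    and calls into it on every logon/logoff/lock event (XP/2003-era hook).
    $notify = Join-Path $HiveRoot 'Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($k in Get-ChildItem $notify) {
            [void]$entries.Add([pscustomobject]@{ Source='WinlogonNotify'; Location=$k.Name;
                                                  Data=(Get-ItemProperty $k.PSPath).DLLName })
        }
    }
    # 2. BHOs: subkey name is a CLSID; the DLL path is the default value of
    #    Classes\CLSID\{clsid}\InprocServer32 in the same hive.
    $bho = Join-Path $HiveRoot 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bho) {
        foreach ($k in Get-ChildItem $bho) {
            $inproc = Join-Path $HiveRoot "Classes\CLSID\$($k.PSChildName)\InprocServer32"
            $dll = if (Test-Path $inproc) { (Get-ItemProperty $inproc).'(default)' } else { $null }
            [void]$entries.Add([pscustomobject]@{ Source='BHO'; Location=$k.Name; Data=$dll })
        }
    }
    # 3. Machine-wide Run key (part of what msconfig's Startup tab shows).
    $run = Join-Path $HiveRoot 'Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $run) {
        foreach ($p in (Get-ItemProperty $run).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
            [void]$entries.Add([pscustomobject]@{ Source='Run'; Location="$run\$($p.Name)"; Data=$p.Value })
        }
    }

    foreach ($e in $entries) {
        $raw = [string]$e.Data
        # Pull the module out of: foo.dll | C:\x\foo.dll | rundll32.exe "C:\x\foo.dll",Entry
        if     ($raw -match '(?i)([a-z]:\\[^",]+\.dll|[\w\-]+\.dll)') { $file = $Matches[1] }
        elseif ($raw -match '^"([^"]+)"')                            { $file = $Matches[1] }
        else                                                         { $file = ($raw -split ' ')[0] }
        $file = $file -replace '(?i)%SystemRoot%', $SystemRoot
        if ($file -and -not [IO.Path]::IsPathRooted($file)) { $file = Join-Path $SystemRoot "System32\$file" }

        $exists = [bool]$file -and (Test-Path -LiteralPath $file)
        $signed = $exists -and ((Get-AuthenticodeSignature -LiteralPath $file).Status -eq 'Valid')
        $random = [bool]$file -and (Test-RandomLookingName $file)
        # Live only: which processes have the DLL mapped (winlogon.exe, explorer.exe,
        # iexplore.exe); a mapped DLL cannot be deleted, which is the thread's point.
        $loadedBy = @()
        if ($live -and $exists) {
            $loadedBy = Get-Process | Where-Object {
                try { ($_.Modules | ForEach-Object FileName) -contains $file } catch { $false }
            } | ForEach-Object { "$($_.ProcessName):$($_.Id)" }
        }
        [pscustomobject]@{
            Source     = $e.Source
            Location   = $e.Location
            Module     = $file
            Exists     = $exists
            Signed     = $signed
            RandomName = $random
            LoadedBy   = ($loadedBy -join ',')
            Suspicious = (-not $signed) -or $random
        }
    }
}

# Live triage (elevated prompt on the infected machine):
Get-WinlogonPersistence | Where-Object Suspicious | Format-Table -AutoSize

# Offline triage from WinPE / a live CD with the infected volume mounted at D:\
# (assumed mount point): load its SOFTWARE hive, inspect, unload.
#   reg.exe load HKLM\OfflineSW D:\Windows\System32\config\SOFTWARE
#   Get-WinlogonPersistence -HiveRoot 'HKLM:\OfflineSW' -SystemRoot 'D:\Windows' |
#       Where-Object Suspicious | Format-Table -AutoSize
#   reg.exe unload HKLM\OfflineSW
```

Two caveats before acting on the output. First, Get-AuthenticodeSignature only reports Valid for catalog-signed Microsoft DLLs when it can consult the running system's catalog store, so on an offline volume (and on older Windows) many legitimate system DLLs show Signed=False; treat Signed=True as exoneration and Signed=False plus RandomName=True or LoadedBy listing winlogon.exe as the signal worth investigating, and compare names against a known-clean install of the same build. Second, the offline path is where removal actually works: with the hive loaded, Remove-Item on the Notify or BHO subkey, Remove-ItemProperty on the Run value, and deleting the DLL from D:\Windows\System32 all succeed because nothing has the file mapped, and the BHO's CLSID key under Classes\CLSID should go with it so the registration does not dangle.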

#9, 01-12-2009, 01:03 AM
Gregory R. Everitt

Ah, thanks for the info. That helpdesk stuff you just described sounds easier than what I did. For future reference, do you usually have to intake laptops for this sort of thing?

#10, 01-12-2009, 12:22 PM
Jonathan B. Reams

As with all computer problems, that depends on the circumstances of the problem and the circumstances when you come to the desk. In general, I'd say that Virtumonde will require an intake, because of the time required to run the virus scan offline and then go in and remove references from the registry.