
virtumonde 4


goldtooth

Technical User
Feb 18, 2009
thread760-1473364
The above thread was closed some time ago, so I need some help.
I run the 'Spybot' and 'Malwarebytes anti-malware' programmes regularly, and note that they spend a considerable amount of time looking at 'virtumonde' programmes. They both say there are no infections, but I understand that virtumonde is a Trojan. I tried one of the virtumonde removal programmes, only to find that, after it had run (for over an hour) and found over 800 infections! (where the above two had found none), that it would cost me 50 quid to get rid of them. What is the best free way (if indeed there is one) to get rid of this virtumonde? Thanks
 
from a google search:


and the comment:
VirtuMonde is known to search for and delete Spybot Search & Destroy and Malwarebytes Antimalware. Likely that it also encourages false reporting.

Running both of those programs on a clean machine against your drive in an external case would probably clear it. Windows Defender run from a CD could help.

Ed Fair
Give the wrong symptoms, get the wrong solutions.
 
Those instructions are SO OLD, try some more modern methods.
Reboot if asked by each application - don't proceed to next step if asked to reboot.
1. Run CCleaner and clean out all temp files that it finds. (for each user on the PC if more than one).
2. Download and run RKILL (iexplore.exe or rkill.scr or rkill.com)
3. Run TDSSKiller
4. Run MalwareByte's Anti-Malware. You need internet for it to update, so try regular mode then safe mode with networking. If it won't update, run it anyway and see what it can remove. Then reboot and try the update and run MBAM again if it updates.
5. Run Rogue Killer
6. Run Junk Removal Tool
7. If nothing above has worked, let us know.

Clean sources for files:

"Living tomorrow is everyone's sorrow.
Modern man's daydreams have turned into nightmares.
 
I tried one of the virtumonde removal programmes, only to find that, after it had run (for over an hour) and found over 800 infections! (where the above two had found none), that it would cost me 50 quid to get rid of them

That probably WASN'T a real 'removal' program, more likely it was a "pretend to find lots of crap so some idiot will pay for the 'Pro version'" program.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum
 
OK many thanks for all of your help, edfair, goombawaho & ChrisHirst.
I've tried the 'old' method (thanks edfair), no joy.
Then I tried the series of programmes suggested by goombawaho. All seemed to run OK, but although some stuff was deleted, there was no detection of virtumonde files.
Then, when I ran 'spybot search & destroy', most of its scan time was looking at virtumonde files, (.sdn .dll and .sci files), and the programme finally reported no infections! Something tells me my pc is infested with these files.
And why is it I can't see these files on my hard disc when doing a Windows Explorer search?
Any more help, please?
 
And why is it I can't see these files on my hard disc when doing a Windows Explorer search?
They are 'hidden' files, you need to set them 'visible'.

Tools -> Folder Options

Chris.

 
Sorry, ChrisHirst, the option was set on 'visible'.
 
There is also an option to hide operating system files, this is set to 'hide' by default.

Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
That's just perfectly normal Paranoia everyone in the universe has that: Slartibartfast
 
Don't trust Spybot - it isn't nearly as reliable/effective as the programs I mentioned. I wouldn't even have it on my PC. If you run the other programs I mentioned AGAIN and they report clean, have no worries. The only place I could think some files may be hiding is in System Restore. I would turn system restore OFF. Reboot. Run the programs I listed again and then turn System Restore on. Done.

 
Don't trust Spybot
Gets my vote as well. It just hasn't been the same since ver2 came out. I stayed with v1.n up until I ditched my last M$ Windows machine earlier this year.

Chris.

 
Thanks again, goombawaho, ChrisHirst and sggaunt.
Before I run all of those programs again, and with system restore off, I note that it is only Spybot that appears to pick up these virtumonde files (Malwarebytes doesn't, nor do any of the others). If I didn't run Spybot I wouldn't have known, and this could be said for any pc user who doesn't run it!
So do you think I'm infected?
 
You'll need to post what Spybot is detecting for us to better understand what it's sniffing out. No, I don't believe you're infected as MalwareByte's has been able to remove Virtumonde for years now.

If you're really paranoid and want a final scan, remove your anti-virus software (uninstall), reboot and run combofix.

 
Any possibility of attaching the drive to another, fully protected, computer and scanning it there?

"fully protected" is in the eyes of the beholder but generally is pretty safe.

It becomes a trust thing for me when two packages don't agree.



Ed Fair
 
Here's a good question: WHY are you getting Virtumonde in the first place? That's like five years ago in the malware timetable. It would be like getting measles.

 
Thanks, all. Before I do any more detecting, I'm waiting for a reply from the Spybot people, just to make sure I'm not missing a trick.
 
OK, here's my enquiry to Spybot and the reply:

"When I run the free version of Spybot on my pc, the program spends, during the scan, a considerable amount of time 'looking' at virtumonde files. Virtumonde is a Trojan virus, apparently. Yet, at the end of the scan, Spybot reports no infections. So what is going on? Is Spybot looking for these files although they might not be there? Or are they actually somewhere on my pc? All other virus detection software says my pc is clean and reveals no instances of virtumonde.
Thanks
Martin"


Reply:
"Hello Martin,

Spybot checks its rules to detect Virtumonde files. These files are not necessarily present on your system. The results of the scan are displayed, everything shown there is present on your system.

--
Regards,
Christian
Team Spybot"


Because Spybot says, after a scan, that my pc is clean, I presume then I'm OK. If you agree, I shall get rid of it (Spybot I mean!).

 
You can keep it on your PC if you like, but my preference is to run MalwareByte's once a week or every other week just to check on things. You can also run the other programs I mentioned periodically (especially Junk Removal Tool and Rogue Killer) to get second and third opinions on the cleanliness of your computer. No one product ever detects/removes everything.

 
during the scan, a considerable amount of time 'looking' at virtumonde files

Because "virtumonde" could infect a lot of different files and locations, so when it starts scanning for those particular signatures, there is a LOT more 'stuff' to look through.

Chris.

 
Thanks, all. So I still don't know for sure whether Spybot is 'looking for' Virtumonde files (and showing them during the scan) or actually detecting them. I suspect the former.
I have now asked my nephew (who is a pc wizard) to take over my pc remotely and have a look. I'll keep you posted. Thanks again.
 