Memscan:Trojan.Virtumonde.IF

Posted by Nick Cumberbatch on June 18, 2007, 7:15 am
I am using BitDefender, Spyware Doctor and Ad-Aware, XP Pro

Recently I tried downloading a P2P file-sharing MP3 program called WinMX.
Unfortunately I was not aware of the threats that this program posed.

I have since uninstalled it and run the above programs to scan and delete
threats.

However, there is one persistent threat, MemScan:Trojan.Virtumonde.IF, that
seems to persist.

It appears to infect the following files:
windows\system32\asfpdf.dll
windows\system32\coma32.dll
windows\system32\isigerf.dll

Any assistance will be appreciated



Posted by Leythos on June 18, 2007, 7:25 am
says...
> I am using BitDefender, Spyware Doctor and Ad-Aware, XP Pro
>
> Recently I tried downloaded a P2P file sharing Mp3 program called WinMX.
> Unfortunately I was not aware of the threats that this program posed.
>
> I have since uninstalled it and ran the above programs to scan and delete
> threats.
>
> However there is one persistent threat: MemScan:Trojan.Virtumonde.IF that
> seems to persist.
>
> It appears to infect the following files:
> windows\system32\asfpdf.dll
> windows\system32\coma32.dll
> windows\system32\isigerf.dll
>
> Any assistance will be appreciated

Always remember - only download files from Trusted Sites.

The following links will take you to vendors' sites for Spyware / Adware
removal tools and also for Antivirus tools. After you install any
of these applications and update them, run them in SAFE MODE to allow
them to properly clean your system.

First, make sure that your Java is updated to the latest version:
http://www.java.com/en/download/index.jsp

These sites are for downloading Anti-Malware and Anti-Spyware tools, in
the order that I would use them myself:

Dave Lipman's tools:
Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp

AdAwareSE can be found here:
http://www.lavasoft.com/products/ad_aware_free.php

SpyBot Search and Destroy can be found here:
http://www.safer-networking.org/en/download/index.html

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Posted by David H. Lipman on June 18, 2007, 4:54 pm

| I am using BitDefender, Spyware Doctor and Ad-Aware, XP Pro
|
| Recently I tried downloaded a P2P file sharing Mp3 program called WinMX.
| Unfortunately I was not aware of the threats that this program posed.
|
| I have since uninstalled it and ran the above programs to scan and delete
| threats.
|
| However there is one persistent threat: MemScan:Trojan.Virtumonde.IF that
| seems to persist.
|
| It appears to infect the following files:
| windows\system32\asfpdf.dll
| windows\system32\coma32.dll
| windows\system32\isigerf.dll
|
| Any assistance will be appreciated
|



Two-phase answer...

Perform Part 1, then perform Part 2.

It is suggested that you execute each tool in Normal Mode, then in Safe Mode.


If you are using any version of Sun Java that is prior to JRE Version 6.0,
then you are strongly urged to remove any/all versions.
There are numerous vulnerabilities in them and they are actively being exploited.

It is highly suggested that you update to the latest version, which is Sun Java
JRE/JSE Version 6.0 update 1 (jre 6u1).

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version.

Such as...
C:\Program Files\Java\jre1.6.0_01

http://java.sun.com/javase/downloads/index.jsp
http://www.java.com/en/download/manual.jsp

FYI:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102622-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102732-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102760-1




Part 1
------------
Download Adware-Virtumundo Removal Tool --
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

Information on the Adware-Virtumundo Removal Tool:
http://forums.mcafeehelp.com/viewtopic.php?t=57049

Part 2
------------
Download Atribune's VUNDOFIX.EXE
http://www.atribune.org/ccount/click.php?id=4

Save VUNDOFIX.EXE to "C:\" ( C:\VUNDOFIX.EXE ) and execute it from there.



* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Nick Cumberbatch on June 18, 2007, 9:33 pm
Hi Dave:
I tried your solution

Part 1 results:

[06/18/2007, 21:44:29] - VirtumundoBeGone v1.5 (
"C:\Downloads\VirtumundoBeGone.exe" )
[06/18/2007, 21:44:46] - Detected System Information:
[06/18/2007, 21:44:46] - Windows Version: 5.1.2600, Service Pack 2
[06/18/2007, 21:44:46] - Current Username: Nick Cumberbatch (Admin)
[06/18/2007, 21:44:46] - Windows is in NORMAL mode.
[06/18/2007, 21:44:46] - Searching for Browser Helper Objects:
[06/18/2007, 21:44:46] - BHO 1:
(&Yahoo! Toolbar Helper)
[06/18/2007, 21:44:46] - BHO 2:
(Adobe PDF Reader Link Helper)
[06/18/2007, 21:44:46] - BHO 3:
(bho2gr Class)
[06/18/2007, 21:44:46] - BHO 4:
(Yahoo! IE Services Button)
[06/18/2007, 21:44:46] - BHO 5:
(SSVHelper Class)
[06/18/2007, 21:44:46] - BHO 6:
(Adobe PDF Conversion Toolbar Helper)
[06/18/2007, 21:44:46] - BHO 7:
(Windows Live Toolbar Helper)
[06/18/2007, 21:44:46] - Finished Searching Browser Helper Objects
[06/18/2007, 21:44:46] - Finishing up...
[06/18/2007, 21:44:46] - Nothing found! Exiting...

Then Part 2
VundoFix V6.5.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 9:54:47 PM 18-Jun-07

Listing files found while scanning....

C:\windows\system32\vtsqnkh.dll

Beginning removal...

Attempting to delete C:\windows\system32\vtsqnkh.dll
C:\windows\system32\vtsqnkh.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\vtsqnkh.dll
C:\windows\system32\vtsqnkh.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

At this point I began to get a Blue Screen whenever I tried booting into SAFE
MODE. I tried it 6 times with the same blue screen. However, I could boot
into Normal Mode. Now I am not sure what to do next. Something is
preventing me from booting in Safe Mode. Did I get rid of the threat?


>
> | I am using BitDefender, Spyware Doctor and Ad-Aware, XP Pro
> |
> | Recently I tried downloaded a P2P file sharing Mp3 program called WinMX.
> | Unfortunately I was not aware of the threats that this program posed.
> |
> | I have since uninstalled it and ran the above programs to scan and
> delete
> | threats.
> |
> | However there is one persistent threat: MemScan:Trojan.Virtumonde.IF
> that
> | seems to persist.
> |
> | It appears to infect the following files:
> | windows\system32\asfpdf.dll
> | windows\system32\coma32.dll
> | windows\system32\isigerf.dll
> |
> | Any assistance will be appreciated
> |
>
>
>
> Two phase answer...
>
> Perform Part 1 then perform Part 2
>
> It is suggested that you execute each tool in Normal Mode then in Safe
> Mode.
>
>
> If you are using any version of Sun Java that is prior to JRE Version 6.0,
> then you are strongly urged to remove any/all versions.
> There are numerous vulnerabilities in them and they are actively being
> exploited.
>
> It is highly suggested that you update to the latest version which is Sun
> Java JRE/JSE
> Version 6.0 update 1 (jre 6u1)
>
> Simple check, look under...
> C:\Program Files\Java
>
> The only folder under that folder should be the latest version.
>
> Such as...
> C:\Program Files\Java\jre1.6.0_01
>
> http://java.sun.com/javase/downloads/index.jsp
> http://www.java.com/en/download/manual.jsp
>
> FYI:
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102622-1
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102732-1
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102760-1
>
>
>
>
> Part 1
> ------------
> Download Adware-Virtumundo Removal Tool --
> http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
>
> Information on the Adware-Virtumundo Removal Tool:
> http://forums.mcafeehelp.com/viewtopic.php?t=57049
>
> Part 2
> ------------
> Download Atribune's VUNDOFIX.EXE
> http://www.atribune.org/ccount/click.php?id=4
>
> Save VUNDOFIX.EXE to "C:\" ( C:\VUNDOFIX.EXE ) and execute it from there.
>
>
>
> * * * Please report back your results * * *
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>



Posted by David H. Lipman on June 19, 2007, 5:39 pm

Hi Nick:

Nothing but legitimate items were found by VBG.

|
| Java version is 1.4.2.3
| Old versions of java are exploitable and should be removed.

However, VundoFix found you had a very vulnerable and often exploited version of Sun
Java, which MAY be the reason you got infected with the Virtumonde Adware/Vundo Trojan.

Please go back to my original reply and follow my directions to remove v1.4.x
and replace it with v6 update 1.


< snip >

|
| Attempting to delete C:\windows\system32\vtsqnkh.dll
| C:\windows\system32\vtsqnkh.dll Could not be deleted.
|
| Performing Repairs to the registry.
| Done!
|
| Beginning removal...
|
| At this point I began to get a Blue Screen whenever I try booting into SAFE
| MODE. Tried it 6 times with the same blue screen. However I could boot
| into Normal Mode. Now I am not sure what to do next. Something is
| preventing me from booting in Safe Mode. Did I get rid of threat??
|

We need to verify that %windir%\system32\vtsqnkh.dll has indeed been removed.
Another scan in Normal Mode is indicated, and we'll then see if it was removed
based upon the VundoFix log.

If not, there are "other" steps we can take to remove the DLL, vtsqnkh.dll.

We can deal with the BSoD in Safe Mode after removing the DLL.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
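As an added example (not code from the thread, nor from the VundoFix or VirtumundoBeGone tools), here is a small Python parser that applies the two checks Dave describes above: whether the Sun Java version reported (or the folder name under C:\Program Files\Java) is older than JRE 6, and whether every file VundoFix listed was actually deleted, which is what he wants read off the log before deciding on further removal steps. The log text is a constructed sample modelled on Nick's posted output; the helper names are my own.

```python
import re

# Minimum Sun Java major.minor that Dave asks for in the thread (JRE 6 = 1.6).
MIN_JAVA = (1, 6)

# Constructed sample, modelled on the VundoFix output Nick posted in the thread.
SAMPLE_LOG = """VundoFix V6.5.1
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Scan started at 9:54:47 PM 18-Jun-07
Listing files found while scanning....
C:\\windows\\system32\\vtsqnkh.dll
Beginning removal...
Attempting to delete C:\\windows\\system32\\vtsqnkh.dll
C:\\windows\\system32\\vtsqnkh.dll Could not be deleted.
Performing Repairs to the registry.
Done!
"""

def java_version_tuple(text):
    """Pull a dotted version out of '1.4.2.3' or a folder name like 'jre1.6.0_01'."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def java_is_outdated(text):
    """True when the version is below JRE 6 (Dave's 'remove any/all versions' case)."""
    v = java_version_tuple(text)
    return v is not None and v[:2] < MIN_JAVA

def parse_vundofix_log(log):
    """Return the Java version VundoFix reported, the files it listed, and per file
    whether the delete attempt succeeded (False once a 'Could not be deleted' line
    follows the attempt)."""
    result = {"java_version": None, "found": [], "deleted": {}}
    listing = False
    for line in (raw.strip() for raw in log.splitlines()):
        if line.startswith("Listing files found"):
            listing = True
        elif line.startswith("Beginning removal"):
            listing = False
        elif listing and re.match(r"^[A-Za-z]:\\", line):
            result["found"].append(line)
        elif line.startswith("Java version is "):
            result["java_version"] = line[len("Java version is "):]
        elif line.endswith("Could not be deleted."):
            result["deleted"][line[:-len("Could not be deleted.")].strip()] = False
        elif line.startswith("Attempting to delete "):
            # Assume success until a failure line for the same path appears.
            result["deleted"].setdefault(line[len("Attempting to delete "):], True)
    return result

def needs_followup(result):
    """Files VundoFix listed but did not remove: these need a rescan or other steps."""
    return [p for p in result["found"] if not result["deleted"].get(p, False)]
```

For Nick's log this reports Java 1.4.2.3 as outdated and vtsqnkh.dll as still needing follow-up, which matches Dave's reading of it.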


