
Cleaning the trojan - Vundo/Virtumonde

May 2015






Introduction


Vundo, also known as Virtumonde or Virtumondo, is a Trojan that downloads and displays pop-ups and advertising for rogue antispyware programs such as WinFixer. It is difficult to remove, causes a steady degradation of the computer's performance, and may block access to some parts of the system.

Getting Started


Download and install HijackThis.

http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

Run a complete scan of the system with HijackThis and look for the Trojan's entries in the report. HijackThis only lists startup and browser hook points; it does not decide what is malicious, so the report has to be read by hand.

Below is a HijackThis report showing the infection. The entries that belong to the Trojan are the O2 BHO lines listed as "(no name)" that point at randomly named DLLs in system32 (gebcaxw.dll, mljgh.dll, reejepwh.dll) and the O20 Winlogon Notify entries for gebcaxw and mljgh. The O4 Run entry named "WindowsUpdate", which uses rundll32.exe to load kfoefyyx.dll from system32, follows the same pattern and should be treated the same way. The O20 WgaLogon entry is the Windows Genuine Advantage notification DLL and is not part of the infection.

Logfile of HijackThis v1.99.1
Scan saved at 13:13:20, on 17/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\FTRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\fichiers communs\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://google.dospop.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fr.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2EDB63B7-7432-42B8-B484-B7DE2779F848} - C:\WINDOWS\system32\gebcaxw.dll
O2 - BHO: (no name) - {4C8DB378-7DAD-46A6-AA86-7BD344296187} - C:\WINDOWS\system32\mljgh.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\reejepwh.dll
O2 - BHO: EoRezoBHO - {64F56FC1-1272-44CD-BA6E-39723696E350} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies Ltd\RecoverPro_XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\GestMaj.exe TaskBarIcon.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Fichiers communs\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\kfoefyyx.dll",realset
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WOOKIT] C:\PROGRA~1\Wanadoo\GestMaj.exe GestionnaireInternet.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/...
O17 - HKLM\System\CCS\Services\Tcpip\..\{F79A0EAF-8E03-4AF2-AA8C-548940B99FDD}: NameServer = 80.10.246.1 80.10.246.132
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: gebcaxw - C:\WINDOWS\SYSTEM32\gebcaxw.dll
O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Fichiers communs\McAfee\HackerWatch\HWAPI.exe
O23 - Service: Service Framework McAfee (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\fichiers communs\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe


In the report above, the O2 and O20 lines are the infection (letter O, not zero: HijackThis labels its sections O1 to O24). The Trojan may hide these entries from HijackThis when it runs under its usual file name; if they do not show up, rename the executable, for example to yourname.exe, then run HijackThis again and save a new report.

First Method: VundoFix


Procedure for removing traces of the Trojan:
  • Download VundoFix.exe from the link below:

http://www.softpedia.com/get/Antivirus/VundoFix.shtml
  • Double-click VundoFix.exe and click Scan for Vundo.
  • When the scan is complete, click the Fix Vundo button.
  • A dialog asks whether you want to delete the files; click Yes to confirm.
  • The desktop disappears for a moment while the files are deleted.
  • Another dialog tells you that the PC will shut down; click OK to restart.
  • The scan report is saved as C:\vundofix.txt. Open it and check that every .dll listed carries the notice "Has been deleted".
  • Then run a complete HijackThis scan again and check whether the O2 and O20 lines are gone. If they are still listed but now end with "(file missing)", the DLLs themselves have been deleted and only the orphaned registry entries remain, as shown below:


O2 - BHO: (no name) - {2EDB63B7-7432-42B8-B484-B7DE2779F848} - C:\WINDOWS\system32\gebcaxw.dll (file missing)
O2 - BHO: (no name) - {4C8DB378-7DAD-46A6-AA86-7BD344296187} - C:\WINDOWS\system32\mljgh.dll (file missing)
  • Launch HijackThis, choose "Do a scan only", tick those lines and click "Fix checked" to remove the orphaned registry entries.

Second Method: VirtumundoBeGone

  • Download VirtumundoBeGone.
  • Once the download is complete, double-click VirtumundoBeGone.exe and follow the instructions.
  • Once it has finished, restart the computer; the report VBG.TXT is created on the desktop.
  • Notice: if a blue screen with a "Fatal Error" message appears, do not panic; this is expected with this tool.
  • Produce another HijackThis report and fix the corresponding lines as described above.
  • Notice: this tool only looks at the registry keys behind the O2 and O20 lines of the HijackThis report: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects for the O2 lines and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify for the O20 lines. It targets the entries that appear with "(no name)" in the report; if such entries are found, the tool removes the Trojan.
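As an added example (not code from the article nor from any of the tools it names), here is a small Python pass that applies the criteria above to HijackThis log lines. It flags the O2, O20 and O4 entries that match the Vundo pattern, maps each to the registry key it lives in, and tells apart an entry whose DLL is still on disk from an orphan that HijackThis reports with "(file missing)" and that only needs "Fix checked". The sample lines are copied from the report earlier on this page; the list of Winlogon Notify handlers treated as known-good is an assumption of the example.

```python
import re

# Added example, not code from the article or from HijackThis/VundoFix.
# Triage rules, taken from the article:
#   O2  - a BHO listed as "(no name)" that loads a DLL from system32
#   O20 - a Winlogon Notify handler whose name is not a known Windows one
#   O4  - a Run entry that uses rundll32.exe to load a DLL from system32
# A hit is an "orphan" when HijackThis marks it "(file missing)" / "(no file)":
# the DLL is gone and only the registry entry is left to fix.

# Registry keys behind each HijackThis section (the two named in the article,
# plus the Run key that O4 entries come from).
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
RUN_KEY_FMT = r"{hive}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Assumption: Winlogon Notify handlers that ship with Windows XP (lower-cased).
# Kept short on purpose; extend it for the build you are looking at.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

LINE_RE = re.compile(r"^(?P<kind>O\d+|R\d)\s+-\s+(?P<rest>.*)$")
BHO_RE = re.compile(r"^BHO:\s+(?P<name>.*?)\s+-\s+\{(?P<clsid>[0-9A-Fa-f-]{36})\}\s+-\s+(?P<target>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify:\s+(?P<name>\S+)\s+-\s+(?P<target>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run:\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)$")
SYS32_DLL_RE = re.compile(r'[A-Za-z]:\\WINDOWS\\SYSTEM32\\(?P<file>[^\\"\s]+\.dll)', re.I)

# Constructed sample in HijackThis format: a handful of lines from the report in
# the article, with the O2 mljgh line as it reads after VundoFix has run.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2EDB63B7-7432-42B8-B484-B7DE2779F848} - C:\WINDOWS\system32\gebcaxw.dll
O2 - BHO: (no name) - {4C8DB378-7DAD-46A6-AA86-7BD344296187} - C:\WINDOWS\system32\mljgh.dll (file missing)
O2 - BHO: EoRezoBHO - {64F56FC1-1272-44CD-BA6E-39723696E350} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\kfoefyyx.dll",realset
O20 - Winlogon Notify: gebcaxw - C:\WINDOWS\SYSTEM32\gebcaxw.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
"""


def is_orphan(target: str) -> bool:
    """HijackThis appends these markers when the file no longer exists on disk."""
    return "(file missing)" in target or "(no file)" in target


def triage(log_text: str) -> list:
    """Return one finding per suspicious O2/O20/O4 line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if kind == "O2" and (b := BHO_RE.match(rest)):
            dll = SYS32_DLL_RE.search(b.group("target"))
            if b.group("name") == "(no name)" and dll:
                findings.append({
                    "kind": "O2", "name": dll.group("file"),
                    "orphan": is_orphan(b.group("target")),
                    "key": BHO_KEY + "\\{" + b.group("clsid") + "}",
                    "reason": "unnamed BHO loading a DLL from system32",
                })
        elif kind == "O20" and (n := NOTIFY_RE.match(rest)):
            if n.group("name").lower() not in KNOWN_NOTIFY:
                findings.append({
                    "kind": "O20", "name": n.group("name"),
                    "orphan": is_orphan(n.group("target")),
                    "key": NOTIFY_KEY + "\\" + n.group("name"),
                    "reason": "Winlogon Notify handler not in the known-good list",
                })
        elif kind == "O4" and (r := RUN_RE.match(rest)):
            cmd = r.group("cmd")
            dll = SYS32_DLL_RE.search(cmd)
            if "rundll32" in cmd.lower() and dll:
                findings.append({
                    "kind": "O4", "name": dll.group("file"), "orphan": False,
                    "key": RUN_KEY_FMT.format(hive=r.group("hive")) + " [" + r.group("name") + "]",
                    "reason": "rundll32 loading a DLL from system32 under the name " + repr(r.group("name")),
                })
    return findings


def report(findings: list) -> list:
    """One line per finding: what to tick in HijackThis and which key it lives in."""
    lines = []
    for f in findings:
        state = ("orphan entry, fix it in HijackThis" if f["orphan"]
                 else "DLL still present, run VundoFix or ComboFix first")
        lines.append(f"{f['kind']} {f['name']}: {f['reason']} -> {f['key']} ({state})")
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

Run it against a full report saved by HijackThis and read the "(file missing)" distinction the way the article does: an orphan only needs "Fix checked", while an entry whose DLL is still present needs one of the removal tools first, otherwise the DLL is reloaded at the next logon through the Winlogon Notify key.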

Third Method: ComboFix

  • Download ComboFix to your desktop:


http://www.plunder.com/ComboFix-rar-download-134496.htm
  • Prefer the download linked from the BleepingComputer guide at the end of this section to a file-sharing mirror; a cleanup tool runs with full privileges, so where it comes from matters.
  • Restart the computer in Safe Mode.
  • Double-click combofix.exe.
  • Press the Y key to start the scan.
  • The report is written to C:\ComboFix.txt.
  • Produce a HijackThis report and fix the corresponding O2 or O20 lines.

Under Vista and 7


Disable User Account Control (UAC) first; you can turn it back on once the Trojan has been cleaned up:
  • Go to Start > Control Panel.
  • Double-click User Accounts.
  • Choose the option that turns User Account Control off and confirm.
  • Restart in Safe Mode.
  • Right-click ComboFix on the desktop and select "Run as administrator".
  • Press the Y key to start the scan.
  • The report is written to C:\ComboFix.txt.

For more information on the ComboFix utility, see:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

If you have trouble reading the scan report, post it on the forum for assistance.
The tools above can be used in combination to eradicate the Trojan completely.

Quick Methods

Malwarebytes


  • Download Malwarebytes Anti-Malware and install it.
  • Update it (click Update, then Check for Updates).
  • Start in Safe Mode: restart the computer and, once the BIOS screen has passed, press F8 repeatedly until the Windows Advanced Options menu appears; select "Safe Mode" and press Enter.
  • Launch Malwarebytes Anti-Malware, choose "Perform full scan" and select all disks.
  • Once the scan is complete, click "Remove Selected" (if you are asked to reboot, accept).
  • A report is generated; save it for your own analysis or post it on the forum.




Note: the scan is much more effective against active infections if Internet Explorer is not running, and above all if you are in Safe Mode.

SUPERAntiSpyware


Method: SUPERAntiSpyware
  • Download SUPERAntiSpyware (SAS), install it and update it.
  • To scan the computer, click Scan your Computer.
  • In the new window, choose on the left what to scan (drives, folders, and so on).
  • On the right, choose the scan type; Perform Quick Scan is enough for a first pass.




Note that if you use only the quick methods, it is better to follow up with an online scan.

Published by aakai1056. - Latest update by Jeff
This document entitled « Cleaning the trojan - Vundo/Virtumonde » from Kioskea (en.kioskea.net) is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the license, as this note appears clearly.