PCBUILD Archives

Personal Computer Hardware discussion List

PCBUILD@LISTSERV.ICORS.ORG

Subject:
From: John Sproule <[log in to unmask]>
Reply To: Personal Computer Hardware discussion List <[log in to unmask]>
Date: Tue, 7 Sep 2010 10:13:11 -0400
Content-Type: text/plain
Parts/Attachments: text/plain (80 lines)

Generally, I have good luck doing essentially what you describe to remove this type of malware. Boot into safe mode, and run an antimalware program to remove the problem. Then, manually clean up any leftover files and registry entries. See this page for one example of a suggested method to follow for cleaning this problem from your computer: http://www.bleepingcomputer.com/virus-removal/remove-vundo-virtumonde. The programs that I typically use, in this order, are Malwarebytes, F-Secure Online, and Hitman Pro (online).

One thing that I'm beginning to suspect is that some of these common malware problems are now being reinforced by use of a rootkit to keep reinstalling the malware after it is removed. If you are confident that you removed the malware using the usual methods, but the virus reinstalls itself, this may be the reason why. Hopefully, one of the three programs that I mentioned will pick up on the rootkit, if that is going on, but I get the impression that the antimalware programs may be lagging behind a bit in this department.

Sites like bleepingcomputer have volunteer antimalware experts who will walk you through a cleanup of an infected computer (or so it appears from browsing their site), though I've not actually made use of that. I'm afraid that I don't have the expertise to make much use of something like a HijackThis log, but it seems like some of the people on these help forums can recognize what should and shouldn't be showing up there.

A couple of other thoughts. It is important that you be able to update your antivirus signatures before running the scan. This type of malware is being constantly tweaked to try and stay ahead of the antimalware scans. You mentioned running an erasure program and then reinstalling Windows. Does this program erase the whole drive or just the areas that it is deleting files from? I don't really know, but I wonder if a rootkit might not slide by a process like this. I'm fairly certain something like Darik's Boot and Nuke will overwrite the entire drive, including areas that are not typically used for data storage. The hard drive manufacturer's diagnostic disc, if it offers to zero the drive, would be another option to make sure that you are starting with a clean drive for a fresh Windows installation. Finally, you mentioned installing additional programs on this new install of Windows. Any chance these are previously downloaded programs that might be infected, or do you need to visit a web site to download these programs to reinstall them? These infections typically hop onto the computer from the ads running on just about any web site. On the other hand, when this occurs, the first popup that you see is only an ad. It's clicking on it to try and close it that downloads the virus. I tell people to shut down their computers at the first sign of this popup. (Or use Ctrl-Alt-Del to kill the web browser running the ad.)

I hope some of this is useful.

John Sproule
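John's reply mentions reading a HijackThis log for entries that "shouldn't be showing up there". As an added illustration that is not part of this thread, the Python below triages constructed HijackThis-style lines (O2 browser helper objects and O4 autostart entries) with two heuristics of the kind forum helpers apply to Vundo-type cleanups: a BHO registered with no name, and an autostart that loads a DLL through rundll32, with a random-looking file name as a weaker supporting signal. The sample log, CLSIDs, paths and file names are all made up for the example.

```python
import re
# Constructed HijackThis-style sample lines (made up for this example, not from
# the thread); CLSIDs, file names and paths are placeholders.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Link Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Adobe\\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\\WINDOWS\\system32\\qwxrtbnk.dll
O4 - HKLM\\..\\Run: [SoundMAX] C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe
O4 - HKLM\\..\\Run: [lkmzpqr] rundll32.exe "C:\\WINDOWS\\system32\\lkmzpqr.dll",a
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.IGNORECASE)

def looks_random(filename: str) -> bool:
    """Letters-only stem with almost no vowels: the shape of a generated DLL name."""
    stem = filename.rsplit(".", 1)[0].lower()
    if not stem.isalpha() or len(stem) < 6:
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) < 0.15

def triage_line(line: str):
    """Return (entry name, score, reasons); a score of 2 or more deserves a closer look."""
    reasons = []                                   # (weight, explanation)
    if (m := BHO_RE.match(line)):
        name, path = m.group("name"), m.group("path")
        if name.strip() == "(no name)":
            reasons.append((2, "BHO registered without a name"))
    elif (m := RUN_RE.match(line)):
        name, cmd = m.group("name"), m.group("cmd")
        dll = RUNDLL_RE.search(cmd)
        path = dll.group(1) if dll else cmd.strip('"')
        if dll:
            reasons.append((2, "autostart loads a DLL through rundll32"))
    else:
        return None, 0, reasons                    # entry type not handled here
    basename = path.replace("/", "\\").rsplit("\\", 1)[-1]
    if looks_random(basename):
        reasons.append((1, f"random-looking file name {basename}"))
    return name, sum(w for w, _ in reasons), reasons

def triage_log(text: str) -> dict:
    """Map each flagged entry name to its reasons; lines scoring below 2 are omitted."""
    findings = {}
    for line in text.splitlines():
        name, score, reasons = triage_line(line)
        if score >= 2:
            findings[name] = reasons
    return findings
```

Run on the sample, only the nameless BHO and the rundll32 autostart are reported; the signed-vendor BHO, the sound driver and ctfmon.exe score zero.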

--------------- Original Message Below ------------

Date:    Sun, 5 Sep 2010 21:11:18 -0700
From:    alan smith <[log in to unmask]>
Subject: virtumonde??

This program is a problem (to put it politely?). So far it has 3 designations: .sdn .dll .sci
I have 2 main computers, a tower, an IBM desktop & 2 small Compaq desktops. All are running XP Pro SP2. I use Spybot S&D and when I checked their spies etc. the name Virtumonde appears! Yet when they do a scan, they go right past it! I was going to use the IBM to clean the drive from my tower, but when I ran a Spybot scan, Virtumonde was there too, so I used a Compaq to do the cleaning? I went into SAFE mode & ran KASPERSKY's boot disk. No luck. Then I tried RKILL.exe, & .com, & .scr AND .pif, all in safe mode, but no luck! I even tried to find it in the registry as listed by PC!Clean. Still no luck! Tonight I did a Spybot scan & watched the folders, all 1,282,000 of them, & Virtumonde took up half of my "C" drive, which has 31.25 GB, of which 4.25 GB is clear. When my tower didn't clean, I checked the IBM & it's in there too. I made 7 passes with Heidi's ERASER & installed XP Pro again plus the extra programs that I use. Well!! Guess who showed up?? Virtumonde!! I'm about ready to go to LINUX!! Has anyone had this much trouble with this program AND was it solved?????? Thank you for your support. Al Smith
