Restart problem may be related to virtumonde

Hi, I too am having the restart issue. :-[ This happened shortly after avast successfully intercepted two trojans that came from a website. I deleted them on the spot when I got the warning message but then I decided to run a full virus and spybot scan to be safe. Avast detected nothing but spybot detected the virtumonde thing. I believe I deleted it, but the system seems to boot up slowly now and I get the restart system error every time from avast.

I saw another person mention virtumonde and I think that is the problem and not what the other person was saying about adobe acrobat. I don’t even have adobe update on my system and I am having this problem.

Here is a bit more info, the website thinks the attack came from a third party ad source and not from their site, but regardless I was bombarded by:

Two trojans that avast successfully intercepted.

Virtumonde which made it through and installed, but was soon thereafter successfully removed by spybot.

Internet Speed Monitor which caused a bunch of pop-ups & IE to start on its own.

I removed the Internet Speed Monitor through Add/Remove Programs, which has happened before, and the two trojans never installed.

The only thing that made it through was Virtumonde, which although apparently now removed from my system, has left avast seemingly messed up with the restart error. Also I have tried full avast uninstall and reinstall and it does not solve this issue. :-\

Check for the new hidden files of Vundo using the tool essexboy mentioned here:

http://forum.avast.com/index.php?topic=32297.msg269971#msg269971

What browser were you using? Is everything on your computer up to date? These drive-by downloads usually require out of date, un-patched and vulnerable software to be present.

Scan with Secunia Software Inspector to reveal any security weaknesses.

I tried everything you mentioned and nothing helped. I even tried System Restore but for whatever reason, even though System Restore had been on and the System Volume Information folder had a bunch of restore points, after the Virtumonde infection it was empty. I use Firefox and all software was up to date. I am a pretty knowledgeable user and this has me completely lost. It would seem the Virtumonde was successfully removed by Spybot, but it left a lot of damage in its wake. My hunch is the registry hotkeys and some other things were altered during the infection that cause the current issue with avast restart needed and the now seemingly slow Windows boots. Haven’t had an issue like this in years, usually Spybot and avast do the trick immediately. :-[

Virtumonde? This link could give a little help.
http://www.symantec.com/security_response/writeup.jsp?docid=2003-120914-4108-99&tabid=3

The tool described in essexboy’s post will produce a list of altered files. You will be able to see which programs are corrupted.

This link will take you to his post and the tool link.

http://forum.avast.com/index.php?topic=32297.msg269932#msg269932

Thanks, though I tried that one before and it didn’t work. I did find something else that seems to work, here is more of an update:

It seems the infection can be caused in a number of ways including having Sun java 1.5 or earlier.

I tried a program by a company named Atribune called VundoFix. VundoFix detected and removed a ton of Virtumonde files on my system that neither Spybot nor avast could detect at all. It seemed to remove all but one .dll file, but I am still getting the avast start error and the boot is still slow but definitely better than before.

Whatever this problem is it is definitely related to a new more potent virtumonde infection. Looks like avast has some work to do to fix whatever virtumonde messed up. I still think the issue is probably related to damage in the windows / avast registry. I am rescanning now to see if Vundofix redetects the files, if I don’t post in a few minutes it means the second scan was clean and the best first step to solving this issue is to get Vundofix to at least get rid of the virus and then go from there with resolving the other issues.

Nope, the VundoFix scan seems to redetect the files. I am going to try another method, where VundoFix detects and shows the exact location of infected Virtumonde files, then I will try to find this DOS boot deletion program I used to have that can delete files before Windows boots. That may get rid of this.

Just take care. Some files, even infected, are needed to boot.
I recommend you backup your data and documents…

Hang on, here is a list of all the files in question, let me know if any are critical before I boot delete them. lol 8)

c:\windows\system32\opnopur.dll
c:\windows\system32\qtutv.ini
c:\windows\system32\qtutv2.ini
c:\windows\system32\vtutq.dll
c:\windows\system32\vtutq.exe

I think they are all crap files, it seems the list of bad files is about 40% less than the original scan so the first time fixed some of them and improved it a little. If these files look good to delete I will try the boot delete next.

All crap…

Great deleting now, will let you know what happens, hopefully this may be the start of a fix to this whole Virtumonde avast restart issue.

Alright here is the update, this is a MAJOR problem

VundoFix deletes the files, then on restart it says it cannot start the virus as specified in the Windows registry (Anyone know how I can turn it off in the registry? Where it is?)

then on next reboot all the Vundo / Virtumonde files are back. In addition to the ones listed hkcmd.exe and igfxpers.exe are also back.

What’s most incredible is that even my boot-delete tool, which until now has deleted everything, cannot seem to remove these Vundo files?

Any ideas? Anyone? This is definitely the cause of the slow boot and avast problems.

I am going to try the symantec vundo removal tool next…

Edit: Update. As expected Symantec didn’t even detect anything. The only thing that can even detect it is VundoFix by Atribune, but that tool isn’t able to delete it. Any ideas on how to deactivate it from the registry? Where the system32 startup keys are?

Rootkit technology… I suggest you visit this page http://www.antirootkit.com/software/index.htm for antirootkit detection, removal & protection.
Comparison test here: http://www.informationweek.com/software/showArticle.jhtml?articleID=196901062&pgno=1&queryText=

Full computer on-line scanning:
Kaspersky
Trendmicro housecall
Ewido
F-Secure
Spysweeper

Great info thanks, I am trying something called trojanhunter 5.0 by mischele or something software which according to wiki, is the only program that can handle the latest version of this vundo thing. If that doesn’t work I will try one of these rootkit detectors next. Will any of this stuff be incorporated into avast eventually? I will try to find out how to deactivate the virus in the registry too if it’s possible and nothing above works.

Edit: TrojanHunter did not work, this must be a very new and very bad version of Vundo / Virtumonde. I tried that other file by the forum user and nothing seemed to happen.

avast already has some antirootkit detection. More on version 5.

TrojanHunter did not work, this must be a very new and very bad version of Vundo / Virtumonde. I tried that other file by the forum user and nothing seemed to happen. Will try the rootkit stuff next but I think this may be something entirely new that the avast and other experts need to get working on. :-\

They have been for the last few weeks. One of the problems being encountered is Vundo’s ability to update and infect program executables. Some programs may seem fine in one use and infected the next. Programs such as AVs and antispyware as well as Windows components like msconfig have been infected. Each use of these programs results in more infected files.

Alright major and GOOD update, I may start a separate thread on this so it gets attention:

I found this thread: http://www.dslreports.com/forum/r19208560-Vundo-Vundo-Removal

The person seemed to have the same problem, could detect but not delete with VundoFix. I downloaded ComboFix mentioned in the middle of the thread and it seems to have kicked Vundo / Virtumonde’s @$$ into next Tuesday! 8)

There are no longer any Vundo files on my system, at least right now, even after reboot.

ComboFix also deleted a bunch of other stuff, including some stuff in the avast and Adobe Acrobat (another user mentioned) folders, as well as a bunch of QuickTime stuff.

Avast is still working, I did get the start error but the thing that caused all of this appears to be gone and boot is completely back to normal. Here is a log of what ComboFix deleted:

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\WINDOWS\setup.exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\opnopqr.dll
C:\WINDOWS\system32\qtutv.ini
C:\WINDOWS\system32\qtutv.ini2
C:\WINDOWS\system32\vtutq.dll
C:\WINDOWS\system32\vtutq.exe
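Three things in the file lists posted in this thread are worth triaging mechanically before deleting anything: the same path listed many times, a file name with a space before its extension sitting beside the genuine one (`qttask .exe` next to `qttask.exe`), and an `.ini` whose stem is the exact reverse of a `.dll`/`.exe` stem in the same directory (`qtutv.ini` beside `vtutq.dll`). The script below is an added example, not code from this thread or from VundoFix or ComboFix; it runs the three heuristics over a constructed sample built from the paths quoted above. The reversed-name check is only an observation about the names on this page, not a general signature, and the thresholds are assumptions.

```python
"""Triage heuristics for a removal-tool file list.

Added example, constructed from the paths quoted in this thread; it is not
ComboFix's or VundoFix's own code. Flags repeated entries, names with a space
before the extension, and .ini files whose stem is a reversed .dll/.exe stem.
"""
import ntpath
import re
from collections import Counter

# Constructed sample: a subset of the ComboFix list posted above, with the
# "qttask .exe" line repeated as it is in the post.
SAMPLE_LOG = r"""
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\opnopqr.dll
C:\WINDOWS\system32\qtutv.ini
C:\WINDOWS\system32\qtutv.ini2
C:\WINDOWS\system32\vtutq.dll
C:\WINDOWS\system32\vtutq.exe
"""

# Whitespace immediately before the final extension, e.g. "qttask .exe".
SPACED_EXT = re.compile(r"\s\.[A-Za-z0-9]+$")


def parse_paths(text):
    """One path per non-blank line; surrounding whitespace is trimmed."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def split_name(path):
    """Return (directory, stem, extension), lower-cased. ntpath is used so
    Windows paths parse correctly on any host, including Linux."""
    directory, name = ntpath.split(path)
    stem, dot, ext = name.lower().rpartition(".")
    if not dot:
        return directory.lower(), name.lower(), ""
    return directory.lower(), stem, ext


def spaced_extensions(paths):
    """Paths whose file name has whitespace right before the extension,
    deduplicated and in first-seen order."""
    seen = []
    for p in paths:
        if SPACED_EXT.search(ntpath.basename(p)) and p not in seen:
            seen.append(p)
    return seen


def repeated_entries(paths):
    """Paths listed more than once, mapped to their counts."""
    return {p: n for p, n in Counter(paths).items() if n > 1}


def reversed_name_pairs(paths):
    """(.ini path, companion path) pairs where the .ini stem, with trailing
    digits stripped and reversed, names a .dll/.exe in the same directory.
    In the sample above qtutv.ini pairs with vtutq.dll and vtutq.exe."""
    binaries = {}
    for p in paths:
        d, stem, ext = split_name(p)
        if ext in ("dll", "exe"):
            binaries.setdefault((d, stem), []).append(p)
    pairs = []
    for p in paths:
        d, stem, ext = split_name(p)
        if not ext.startswith("ini"):
            continue
        core = stem.rstrip("0123456789")[::-1]  # "qtutv2" -> "qtutv" -> "vtutq"
        for companion in binaries.get((d, core), []):
            pairs.append((p, companion))
    return pairs


def triage(text):
    """Run all three heuristics over a log and return the findings."""
    paths = parse_paths(text)
    return {
        "spaced_extension": spaced_extensions(paths),
        "repeated": repeated_entries(paths),
        "reversed_pairs": reversed_name_pairs(paths),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Nothing here decides that a file is malicious; it only orders the list so that the oddities (a lookalike name next to a legitimate one, a config file tied by name to a library in the same directory) are looked at first, and legitimate entries such as `ashDisp.exe` fall through unflagged.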