Hi, I have got two viruses I can not get rid of: WIN32:Virtumonde-CI and WIN32:Small-IAK
I have googled it but not come up with much, run most of the virus scans with no luck…
Anybody shine some light on these viruses… getting very close to format…lol…
Here's the log:
Logfile of HijackThis v1.99.1
Scan saved at 22:44:10, on 30/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. Possibly the ones I’ve mentioned below.
Why can’t you get rid of them ?
What error messages, file in use, etc. ?
Try this, Vundo Fix Tool - Aliases - WinFixer / Virtumonde / Msevents / Trojan.vundo.
Here are the cleansing instructions for Virtumonde (download link in the instructions): http://www.bleepingcomputer.com/forums/topic18610.html
You don’t appear to have an active firewall, what is your firewall ?
It should be capable of blocking unauthorised outbound Internet Connections.
Upload the files in bold to VirusTotal (VT) - Multi engine on-line virus scanner and report the findings of these files here. If any are detected by multiple scanners send example to avast if avast isn’t detecting them, see below.
Fix:
O2 - BHO: (no name) - {C8B5CE99-4C3A-4006-8D12-D9A3CE973918} - C:\Program Files\Online Services\tedolusC:\WINDOWS\system32\m2[b]caws83122.exe.dll[/b] (file missing)
First check if this file really has gone, if not upload and check at VT also.
Send the sample to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
Besides doing what DavidR has posted and answering his questions, you can try this with superantispyware, it’s had some luck lately with vundo.
First update SAS. Then:
Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
Close browsers before scanning
Scan for tracking cookies
Terminate memory threats before quarantine.
Leave the others unchecked.
Return to the main page by clicking close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive.(and other fixed drives)
Under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan.
When the scan is done, quarantine everything found. Reboot if asked. You can post the log in your next reply if you wish.
Hi gents, thanks for your quick reply.
Yes, I have the Windows firewall, but at the time of the log the virus switches it off.
Chain of events:
Switch on, on boot avast finds it - avast stops the connection - goes to blue screen of death.
Re-boot: avast finds win32:smalHAK - avast aborts the connection - then win32:virtumonde-ci - then win32:Maha-i - firewall is switched off by the virus.
avast finds it and asks to delete, does the job, but on boot up… round it goes again.
Even if the XP firewall was enabled it would provide little protection against what is happening as it provides zero outbound protection and something on your system is trying to download more malware and avast’s Web Shield is blocking that.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential and in your case very urgently required.
There are many freeware firewalls such as, Comodo, PCTools Firewall Plus, Jetico, etc.
If you haven’t already got SAS, or run VundoFix, act soon: SUPERantispyware.
You have to get motivated and check out those files at virustotal (VT) quickly and if confirmed as malware run HJT again and fix the entries as one or more could be responsible for the attempted downloads.
OK. I think I have stopped the virus processes by using oldman's changes to the preferences in SUPERAntiSpyware and a file I found at
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe which is named (DrWeb CureIt).
When I start up all seems to be OK… but for one thing: if I look in My Computer, then on hard drive C:, these files keep loading:
C:/ eLibo2291
C:/ load
C:/ wr-1-312
C:/ setup_aim6
C:/ is68197
If I delete them they keep installing!..
I now have a firewall installed, commode, but it keeps telling me to stop svchost.exe; if I do, I can't get on the web? Sounds like this has embedded itself in that file?
Sorry, I forgot: I used VundoFix and VirtumundoBeGone and they did not find anything…
Scan saved at 10:42:41, on 01/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
If a virus is persistent (coming back again and again), you could follow the general cleaning procedure:
Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3.
Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).
It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
If you're still detecting any strange behavior, or even if you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster (for XP/Vista). For XP: Panda (for XP).
Also, if you're still detecting strange behaviors or you want to be sure you're clean, maybe making a HijackThis log to post here and, especially, scanning and submitting the RunScanner log to on-line analysis would help to identify the problem and the solution.
After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.
Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.
I get a downloader hit on one of the file names. The files are being replaced from either system restore or something on your computer.
I suggest you do the first 3 steps in Tech’s reply, use cleanup in step 2. Then rerun SAS with the same settings as before.
When doing the boot-time scan with avast, please move anything found to the chest.
Download ComboFix from Here or Here to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Rename hijackthis.exe to something like hijackme.exe or whatever you like.
Attach the SAS log, (the log will be under Preferences, Statistics/Logs tab in the scanner logs), to your next reply along with the combofix and a new hijackthis(whatever you renamed it to) log.
And you must find a firewall or this could be an uphill battle. (Adjusting glasses)
Nice to hear you have a small chamber pot (commode) for a firewall, personally I would have used Comodo ;D ;D
The only time I have ever needed to allow svchost.exe to connect was for windows update, under normal circumstances you don’t need it to be able to connect to the internet. So there may be something else going on as you suspect.
What is the full text of the challenge by comodo about svchost.exe (or post a screenshot) ?
Do a search of your system and see what occurrences of svchost.exe you find and report the locations it is found ?
It may be a different file and not the actual system file.
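One way to do the svchost.exe search DavidR asks for, as an added Python example that is not from this thread: it walks a drive, lists every svchost.exe it finds, flags copies that sit outside the places XP SP2 keeps the genuine file (an assumption: system32, its dllcache and ServicePackFiles\i386), and prints a SHA-256 for each so the flagged ones can be checked at VirusTotal. `demo()` runs the same scan over a constructed folder tree.

```python
import hashlib
import os
import tempfile
TARGET = "svchost.exe"

def _norm(path):
    # Windows paths are case-insensitive: compare normalised, lower-cased forms.
    return os.path.normcase(os.path.normpath(path)).lower()

def expected_locations(system_root):
    # Assumption: on XP SP2 the genuine file lives in system32, in the Windows
    # File Protection cache (dllcache) and in the service-pack file store.
    return {_norm(os.path.join(system_root, *parts, TARGET)) for parts in
            (("system32",), ("system32", "dllcache"), ("ServicePackFiles", "i386"))}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def find_svchost_copies(drive_root, system_root):
    """Return (path, status, sha256) for every svchost.exe found under drive_root."""
    expected = expected_locations(system_root)
    hits = []
    for dirpath, _dirs, files in os.walk(drive_root):
        for name in files:
            if name.lower() == TARGET:
                full = os.path.join(dirpath, name)
                status = "expected" if _norm(full) in expected else "SUSPICIOUS"
                hits.append((full, status, sha256_of(full)))
    return hits

def demo():
    """Constructed tree: one copy where XP keeps it, one in a stray folder."""
    with tempfile.TemporaryDirectory() as root:
        system_root = os.path.join(root, "WINDOWS")
        for p in (os.path.join(system_root, "system32", TARGET),
                  os.path.join(root, "Program Files", "Online Services", TARGET)):
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(b"constructed stand-in, not a real binary: " + p.encode())
        return {status: (os.path.relpath(path, root).replace(os.sep, "/"), digest)
                for path, status, digest in find_svchost_copies(root, system_root)}

if __name__ == "__main__":
    sysroot = os.environ.get("SystemRoot", "C:\\WINDOWS")
    for hit in find_svchost_copies(os.path.splitdrive(sysroot)[0] + os.sep, sysroot):
        print(*hit)
```

A SUSPICIOUS hit only means the copy is somewhere the system does not normally put it; confirm it at VT before fixing anything.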
I think I am clear, thanks for all your help gents.
All the best, Roger.
…
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:29, on 05/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Looks good. But without the combofix log, can’t tell if anything is left.
You should update your java.
Open an Internet Explorer (only) window and go to http://www.java.com/en/download/manual.jsp > In the middle of the page, click on the Download button to the right of Java Runtime Environment (JRE) 6u3 > If Information Bar pop-ups up, right-click on it and say it’s OK to display the blocked content.
You do not have to install the Java Web Start ActiveX Control
Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and Save the file jre-6u3-windows-i586-p.exe to your desktop; do not Run it.
When the download is complete, close all browser windows and double-click on the saved file to install the update.
Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.
Open Control Panel > Add/Remove Programs:
Uninstall anything that says Sun Java, Java JRE, or similar except Java TM 6 Update 3 which you just installed.
Close Add/Remove Programs.
In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders except the subfolder jre1.6.0_03 which was just created by the installation above.
Do NOT delete C:\Program Files\JavaVM <=this folder, if found!
A few new Virtumonde detections should come out on Thursday… I don't know if they will fully cover your variant of the infection, but we're adding new Vundos now and yours should be detected soon…