Vundo or Virtumonde in a PC running Windows 98

Hello everybody,

first of all, forgive me for intentionally cross-posting: the only reason I’m doing this is because I don’t know whether the issue I’m dealing with is an Avast! issue or strictly a Vundo/Virtumonde issue. Please don’t “quarantine” me on my first post… :cry:

My father runs WIN98/SE on his PC, and he got infected with Vundo/Virtumonde (he used to browse with IE… a bad thing, I know). Yesterday I downloaded, installed and launched the latest version of Avast! Home (in English). I set it to the “Thorough” level.

Actually, Avast did find “something” (and by looking at those filenames, for instance, I can bet it’s really Vundo) but it could not do anything, because, for every line, it generated an error that I could not find in the User Manual: Unable to scan: Archive is password protected.

As I said above, I don’t know whether this error is attributable to Vundo/Virtumonde trying to defend itself, or to some Avast! specific issue when dealing with this malware.

Because of the WIN98 environment, the choice of tools my father can use is dramatically reduced: for example, VundoFix and Malwarebytes can’t run under WIN98.

My father is an elderly person and I don’t want to flatten his HD and force him to start over from zero, reinstalling the O/S and all his applications etc… Can you help us get out of this?

Below is the image of the “Results of last scan” window that opened at the end of the scan (only the first lines are visible, but the rest is just the same).

Thank you in advance for any help you can give.


http://img31.imageshack.us/img31/2043/resultsoflastscan.jpg

Hi, Compaq, welcome to the forum.
Relax a little; most of those files flagged as “unable to be scanned” are from the quarantine of Spybot.
The report can be enlarged, following a scan, and the column headers dragged to give more information on file names and paths, which will usually help a user make a decision as to which might need further investigation.

Anything with “sbRecovery” in the title, I know from experience, refers to Spybot.
The others I can not say, because the file names/paths are not shown.
But just because something is “unable to be scanned” does not mean it is malicious. In Spybot’s case, it is password protected… a mechanism used by most security applications to make the quarantine inaccessible except via the program itself.

Now, what makes you think that the computer has Vundo on it? Were any detections made during the scan?

If any detections were made it is a very good idea to research the detection, and if it appears genuine, send it to the chest for further investigation. Do not delete it.

If in doubt about any particular detection, ask here.
I would like to know the date and time of the scan, and (if you have it) the VPS (database version) used. It’s possible that a lot of these detections (if there were any) were false detections.
It is not usually necessary to use thorough settings in a scan, nor to scan inside archives. This will increase scan time, and the chance of FPs.

SUPERAntiSpyware is compatible with Win 98.

http://www.superantispyware.com/superantispyware.html

AVZ too I think.

http://z-oleg.com/secur/avz/download.php

Greetz, Red.

Thank you so much Tarq57!
OK, I didn’t consider that all those files were from the quarantine of Spybot (that my father has installed)…

Just a word before going on. I don’t have any experience with antivirus programs because I don’t have (and never had) any on my machine, but I have never seen a virus/adware/malware, not even with binoculars, because of simple common-sense rules: NEVER run IE/Outlook but Firefox instead, ALWAYS inspect the contents of any incoming mail with Mailwasher before accepting it, NEVER have any application other than the aforementioned access the Internet, NEVER install any cracked/patched application (actually I don’t install anything, my configuration has not been changed in years), NEVER click on any popup or unsolicited invite-to-update-something, but rather close and restart the browser, NEVER open a file by double-clicking on it, but launch the related application and open the file from there (so that if the contents don’t match what they’re supposed to be, the application would reject it)… and at the end, the good old Windows 98/SE, stable just like a rock.

The report can be enlarged, following a scan, and the column headers dragged to give more information on file names and paths

Indeed, yesterday I enlarged the report (today it was gone, probably it’s no longer available after the system is shut down) but I could not find the folder where those files were located, despite the “Show hidden files” option being active: it was somewhere in the Spybot general folder, but probably it’s kept invisible to prevent the user from tampering with dangerous files.

Now, what makes you think that the computer has Vundo on it? Were any detections made during the scan?

Well… some weeks ago, Spybot began to be very slow on startup, say 10 times slower (my father reports) than it used to be, as if something were trying to interfere with it. And then, during the scan, if you look at the two numbers “scanned/total” (files), you will notice two interesting things:

  1. The number of files to be scanned is over 760,000 (obviously, there aren’t 760,000 files in C:…)
  2. Most of the total scan time is spent analyzing “VIRTUMONDE” files (read at the left of the aforementioned file counter)

And there is a third thing, not related with Spybot. Now, when my father tries to access ANY page or file under the Wikipedia domain, the browser is TERMINATED by Windows (the popup with “Access violation” etc etc). I read that Vundo/Virtumonde tries to prevent the browser from opening pages of sites where information about the malware itself might be found.

The VPS used was 091204-0 (updated today to 091205-0, with no difference in the outcome), the Avast! version is 4.8.1368

Thank you very much again…

Thank you Red! I am downloading the professional version of SUPERAntiSpyware right now, but I would like to wait to install it until the issue is better addressed on the forum… you know, too many chefs ruin the cake… :wink:

There is no need to wait, SAS works fine with avast as you will see from my signature and should effect any other issues whatever they might be that you mention.

But DavidR, from what I described, do you believe it could really be Vundo? Or am I chasing a ghost? ???

Sorry I don’t see anything in what you have described giving enough information to indicate any specific infection.

It really is immaterial anyway, as SAS can also detect Vundo, so it is just another tool to get the job done, clearing malware from the system.

So I see no point in waiting for as you have said “but would like to wait installing it until the issue will be better addressed on the forum…” as there really is insufficient information to address.

As far as password protected files are concerned, it is totally unrelated to Vundo: how can avast scan them when it doesn’t know the password, and even if it did, there is no function to enter it?

Another point from your earlier post about files scanned against files on the system. They won’t match as avast counts ‘all’ files it scans and in a single archive file there could be hundreds of other files and these aren’t counted by explorer or system properties, etc. that just counts 1 for the single archive file and not the total contents.

Agree. Try SAS.

Spybot has a bit of an unusual scan method, from what I can tell; scanning for each type of infection at once, rather than scanning the HD start to finish to look for all infections. Perhaps this is why you are seeing a particular family of malware apparently being looked at for a longer period of time.
It’s current, there are lots of variants, it makes sense it might spend more time on it than some of the others.

I don’t keep Spybot maintained regularly, but there have been program updates to it recently that might explain some of the slow start behaviour. Especially on an older machine that’s probably a bit short of resources to run more modern programs with.

I like 98, but I certainly would not use it for, say, online banking/purchases etc. It was an excellent OS. At the time.

Ok, just brake a second!.. :o

Do I have to expect some interference or false positive if I run SAS on a system where Avast and Spybot are already installed?..

And, DavidR, could you please explain to me in other words (I would have to repeat the lesson to my father!) the reason why Spybot indicates that over 760,000 files are present on C: when this is very far from reality?..

Thank you so much for your patience… :slight_smile:

Ok, just brake a second!.. :o

Do I have to expect some interference or false positive if I run SAS on a system where Avast and Spybot are already installed?..


No, you’ll be OK with it. No conflict likely.
The occasional false positive is always possible, with any blacklist-based scanner.

You’re welcome.

Spybot isn’t lying when it reports X number of files on the hard disk, as that is effectively correct: it is what is seen by the Windows file system, etc., because “VeryLargeArchiveFile.zip” is, from the outside, just one file.

If you create a new folder “FolderForVeryLargeArchiveFile” and extract the files from “VeryLargeArchiveFile.zip” into the “FolderForVeryLargeArchiveFile” folder and did the same count using Spybot, it would then count all the files in the new folder.

When avast scans an archive file, it extracts all files into a temporary folder avast4 and scans them; avast keeps a count of ‘all’ files it scans. So instead of reporting 1 file scanned, e.g. “VeryLargeArchiveFile.zip”, it reports all the files it scanned that were inside “VeryLargeArchiveFile.zip”.

So you can’t compare the two figures, as they are looking at/counting different things.
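To make the two counting methods concrete, here is an added example (my own illustration, not code from the thread or from avast/Spybot). It builds a small in-memory “disk” holding one plain file and one archive that itself contains a nested archive, then counts it once the way Explorer would (one entry per file on disk) and once the way an archive-descending scanner would (every member, recursing into archives inside archives). The sample tree and the assumption that the scanner counts both the container and its members are mine; the point is only that the second figure grows with the contents of every archive on the drive, which is why it bears no relation to the number of files Explorer reports.

```python
import io
import zipfile


def build_sample_tree():
    """Construct a tiny in-memory 'disk' (constructed sample data, not from any real machine).

    Returns {filename: bytes}. One archive holds five text files plus a
    nested archive that holds three more.
    """
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        for i in range(3):
            z.writestr(f"inner/doc{i}.txt", "x")

    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        for i in range(5):
            z.writestr(f"data/file{i}.txt", "y")
        z.writestr("nested.zip", inner.getvalue())

    return {
        "readme.txt": b"hello",
        "VeryLargeArchiveFile.zip": outer.getvalue(),
    }


def count_like_explorer(tree):
    """What Explorer / drive properties report: one per file on disk."""
    return len(tree)


def _count_inside_zip(data):
    """Count members of a zip, descending into any zip found inside it."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            total += 1
            if info.filename.lower().endswith(".zip"):
                total += _count_inside_zip(z.read(info))
    return total


def count_like_scanner(tree):
    """What an archive-aware scanner reports (assumption: container + every member).

    Each on-disk file counts once; a .zip additionally contributes every
    file inside it, recursively.
    """
    total = 0
    for name, data in tree.items():
        total += 1
        if name.lower().endswith(".zip"):
            total += _count_inside_zip(data)
    return total


if __name__ == "__main__":
    tree = build_sample_tree()
    print("files as Explorer sees them:", count_like_explorer(tree))
    print("files as the scanner counts them:", count_like_scanner(tree))
```

With this sample Explorer sees 2 files while the scanner counts 11 (2 on disk, 5 inside the archive, the nested archive itself, and 3 inside that). Real scanners also stop at password-protected members, which is where the “Archive is password protected” lines in the report come from.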

Crystal clear! :smiley: Will soon install and run SAS, stay tuned for news.

BUT… ehm… :-[ what about the browser being terminated (it worked perfectly before!) whenever it tries to access a page containing elements (even just a direct link to a photo) pertaining to Wikipedia?.. Is there any virus/worm out there which behaves this way?.. That Wikipedia thing really looks evil… :-\

Are you talking about the SAS scan here? I don’t terminate the browser when I run scans, or have SAS terminate them before a scan.

If not, and it is just some sites it is blocking, then it could be the hosts file being modified by malware (see below) to make it difficult to get information or help removing malware. So an SAS scan may be able to find the cause.

What wikipedia thing really looks evil ?
Or are you just referring to the blocking of wikipedia pages or elements.

-- HOSTS file redirect: a common malware tactic to block AV sites, making it difficult to remove malware, by pointing them at 127.0.0.1. Check your HOSTS file using Notepad or a text editor of your choice, C:\WINDOWS\system32\drivers\etc\hosts, or do a search for HOSTS to find it if it is not there.

Once open, you are looking for entries with wikipedia.org, etc. on the line; you may well see other AV sites. Post the contents of the hosts file. http://www.mvps.org/winhelp2002/hosts.htm and http://www.mvps.org/winhelp2002/hostsfaq.htm.

David, I haven’t installed SAS on my father’s PC yet. The evil “Wikipedia thing” is his browser being terminated (apparently by Windows due to an “unrecoverable error” or “access violation” (I can’t remember right now) whenever he tries to open ANY page (or just picture) under the Wikipedia domain. He’s NOT redirected to other sites: the browser is just terminated, period. Needless to say, until a few days ago Wikipedia opened normally from his computer, and right now, from MY computer, (running the same version of WIN98/SE) Wikipedia is perfectly accessible. Definitely not Wikipedia’s problem nor my PC’s problem… ??? :o

Whilst checking the hosts file is advisable, that would only block access to the site but shouldn’t cause the browser to be terminated.

What browser is your father using ?
I suggest a change of browser, whilst that might not turn up many browsers that support win98, there should still be the last firefox 2.xx available as 3.0 and 3.5 won’t work. Then you can check if it is browser related.

He’s running Netscape 7, and it worked perfectly until a few days ago, when all of a sudden it started to refuse anything related to Wikipedia. I have the latest release of Firefox 2 on my PC, and I wish to install it on my father’s PC too, but I wanted to be sure there isn’t any malware around first… I am quite concerned about installing a new browser on a PC that is already infected… :-\ :cry:

Well, unless it is a file infector, the potential for infecting browser files when installed is much reduced. Not to mention you have little choice but to test the theory that Netscape 7 has been hacked.

You could also try uninstalling Netscape, rebooting and re-installing it, but if exploited/hijacked once it is likely that it could happen again.

I was thinking that your father may have been using IE, which given the OS would be a very old version and more vulnerable to attack.

OK, I told him to empty Spybot’s quarantine, just to begin sweeping away some junk. Then I plan to install/run SAS. In case of a negative outcome, I would install Firefox and see what happens. I would not uninstall Netscape because he needs the e-mail client “section” of it anyway (Firefox is a pure browser). I can’t see anything more to do at the moment… :-\

Yes, I would say that you are now on a monitoring watch to see if this issue presents itself in firefox, fingers crossed.