Virtumundo - why did NOD32 not pick it up? [Archive] - SpeedGuide.net Broadband Community



Ghosthunter
05-25-06, 09:08 PM
OK, this was one real pain. Adware? Virus? No idea what it was.


I had no idea I even had it, but I couldn't figure out why I kept getting all these pop-ups and Outpost kept alerting me with all sorts of strange messages. Even HijackThis would not show any signs of it.


Long story short, neither Ad-Aware nor Spybot could find it, nor could NOD32. I eventually had to use two programs, one called VundoFix.exe and another called VirtumundoBeGone.exe.


I am curious why NOD32 did not pick it up?

CableDude
05-25-06, 09:21 PM
Dunno. Everything up to date? Latest version of NOD32?

Ghosthunter
05-25-06, 09:37 PM
Dunno. Everything up to date? Latest version of NOD32?


Yep... did a full scan as well. I have everything maxed out in the settings, based on a guide I found at a forum whose name I forgot.

mnosteele52
05-25-06, 09:48 PM
You should submit the files or at least email Eset about it.

:)

YeOldeStonecat
05-25-06, 10:08 PM
It could be a new variant that current AVs don't know about yet... send it in. I've seen heuristics usually pick it up as W32/Adware.

What do you have your settings set to? Do you have "ThreatSense" cranked up to detect potentially dangerous applications? ==> http://www.wilderssecurity.com/showthread.php?t=37509

Ghosthunter
05-25-06, 10:19 PM
That's the guide I followed, the one you posted...

Unfortunately I could not find the DLLs myself, and the registry settings did not show up in HijackThis. I had to use those programs above, and when I did, here is what they did:


VundoFix V4.2.74

Checking Java version...

Scan started at 8:31:08 PM 5/25/2006

Listing files found while scanning....


C:\WINDOWS\system32\ybadd.bak1
C:\WINDOWS\system32\ybadd.bak2
C:\WINDOWS\system32\ybadd.tmp
C:\WINDOWS\system32\ybadd.ini
C:\WINDOWS\system32\ybadd.ini2
C:\WINDOWS\system32\ddaby.dll
C:\WINDOWS\system32\ybadd.ini2
C:\WINDOWS\system32\ybadd.bak2
C:\WINDOWS\system32\ybadd.tmp
C:\WINDOWS\system32\ybadd.ini
C:\WINDOWS\system32\ybadd.ini2
C:\WINDOWS\system32\ddaby.dll
Attempting to delete C:\WINDOWS\system32\ybadd.bak1
C:\WINDOWS\system32\ybadd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ybadd.bak2
C:\WINDOWS\system32\ybadd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ybadd.tmp
C:\WINDOWS\system32\ybadd.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\ybadd.ini
C:\WINDOWS\system32\ybadd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ybadd.ini2
C:\WINDOWS\system32\ybadd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddaby.dll
C:\WINDOWS\system32\ddaby.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V4.2.74

Checking Java version...


[05/25/2006, 20:46:43] - VirtumundoBeGone v1.5 ( "C:\Downloads\VirtumundoBeGone.exe" )
[05/25/2006, 20:46:50] - Windows is in NORMAL mode.
[05/25/2006, 20:46:50] - Searching for Browser Helper Objects:
[05/25/2006, 20:46:50] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/25/2006, 20:46:50] - BHO 2: {06C7CAB4-39AC-499F-BCD2-D487DAC7A73C} ()
[05/25/2006, 20:46:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2006, 20:46:50] - Checking for HKLM\...\Winlogon\Notify\pmkhe
[05/25/2006, 20:46:50] - Found: HKLM\...\Winlogon\Notify\pmkhe - This is probably Virtumundo.
[05/25/2006, 20:46:50] - Assigning {06C7CAB4-39AC-499F-BCD2-D487DAC7A73C} MSEvents Object
[05/25/2006, 20:46:50] - BHO list has been changed! Starting over...
[05/25/2006, 20:46:50] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/25/2006, 20:46:50] - BHO 2: {06C7CAB4-39AC-499F-BCD2-D487DAC7A73C} (MSEvents Object)
[05/25/2006, 20:46:50] - ALERT: Found MSEvents Object!
[05/25/2006, 20:46:50] - BHO 3: {CB4C970C-F6C1-47FD-8FC2-523D52FF5568} ()
[05/25/2006, 20:46:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2006, 20:46:50] - Checking for HKLM\...\Winlogon\Notify\ddaby
[05/25/2006, 20:46:50] - Key not found: HKLM\...\Winlogon\Notify\ddaby, continuing.
[05/25/2006, 20:46:50] - Finished Searching Browser Helper Objects
[05/25/2006, 20:46:50] - *** Detected MSEvents Object
[05/25/2006, 20:46:50] - Trying to remove MSEvents Object...
[05/25/2006, 20:46:51] - Terminating Process: IEXPLORE.EXE
[05/25/2006, 20:46:51] - Terminating Process: RUNDLL32.EXE
[05/25/2006, 20:46:51] - Disabling Automatic Shell Restart
[05/25/2006, 20:46:51] - Terminating Process: EXPLORER.EXE
[05/25/2006, 20:46:51] - Suspending the NT Session Manager System Service
[05/25/2006, 20:46:51] - Terminating Windows NT Logon/Logoff Manager
[05/25/2006, 20:46:52] - Re-enabling Automatic Shell Restart
[05/25/2006, 20:46:52] - File to disable: C:\WINDOWS\system32\pmkhe.dll
[05/25/2006, 20:46:52] - Renaming C:\WINDOWS\system32\pmkhe.dll -> C:\WINDOWS\system32\pmkhe.dll.vir
[05/25/2006, 20:46:52] - File successfully renamed!
[05/25/2006, 20:46:52] - Removing HKLM\...\Browser Helper Objects\{06C7CAB4-39AC-499F-BCD2-D487DAC7A73C}
[05/25/2006, 20:46:52] - Removing HKCR\CLSID\{06C7CAB4-39AC-499F-BCD2-D487DAC7A73C}
[05/25/2006, 20:46:52] - Adding Kill Bit for ActiveX for GUID: {06C7CAB4-39AC-499F-BCD2-D487DAC7A73C}
[05/25/2006, 20:46:52] - Deleting ATLEvents/MSEvents Registry entries
[05/25/2006, 20:46:52] - Removing HKLM\...\Winlogon\Notify\pmkhe
[05/25/2006, 20:46:52] - Searching for Browser Helper Objects:
[05/25/2006, 20:46:52] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/25/2006, 20:46:52] - BHO 2: {CB4C970C-F6C1-47FD-8FC2-523D52FF5568} ()
[05/25/2006, 20:46:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2006, 20:46:52] - Checking for HKLM\...\Winlogon\Notify\ddaby
[05/25/2006, 20:46:52] - Key not found: HKLM\...\Winlogon\Notify\ddaby, continuing.
[05/25/2006, 20:46:52] - Finished Searching Browser Helper Objects
[05/25/2006, 20:46:52] - Finishing up...
[05/25/2006, 20:46:52] - A restart is needed.
[05/25/2006, 20:46:52] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[05/25/2006, 20:46:59] - Attempting to Restart via STOP error (Blue Screen!)



It never gave me an option to save anything... so there's not much I can send to Eset. I wish it did. I don't blame Eset, I'm just worried.
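
To make sense of what the VirtumundoBeGone log above is actually telling you, here is an added Python example (written for this thread, not code from the tool itself) that replays its detection rule over lines copied from that log: a BHO whose CLSID has no default name, and whose name also exists as a Winlogon\Notify subkey, is the one it calls "probably Virtumundo"; the file the tool renamed is collected as well. The parsing and the Bho/parse_log/suspicious_bhos names are this example's own assumptions about the log format.

```python
import re
from dataclasses import dataclass
# Sample input: lines copied from the VirtumundoBeGone log posted above (first BHO pass only).
SAMPLE_LOG = r"""
[05/25/2006, 20:46:50] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/25/2006, 20:46:50] - BHO 2: {06C7CAB4-39AC-499F-BCD2-D487DAC7A73C} ()
[05/25/2006, 20:46:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2006, 20:46:50] - Checking for HKLM\...\Winlogon\Notify\pmkhe
[05/25/2006, 20:46:50] - Found: HKLM\...\Winlogon\Notify\pmkhe - This is probably Virtumundo.
[05/25/2006, 20:46:50] - BHO 3: {CB4C970C-F6C1-47FD-8FC2-523D52FF5568} ()
[05/25/2006, 20:46:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/25/2006, 20:46:50] - Checking for HKLM\...\Winlogon\Notify\ddaby
[05/25/2006, 20:46:50] - Key not found: HKLM\...\Winlogon\Notify\ddaby, continuing.
[05/25/2006, 20:46:52] - Renaming C:\WINDOWS\system32\pmkhe.dll -> C:\WINDOWS\system32\pmkhe.dll.vir
"""
LINE_RE = re.compile(r"^\[([^\]]+)\] - (.*)$")                # "[timestamp] - message"
BHO_RE = re.compile(r"^BHO \d+: (\{[0-9A-F-]+\}) \((.*)\)$")  # CLSID and its default name
NOTIFY_RE = re.compile(r"Winlogon\\Notify\\(\w+)")            # Winlogon\Notify subkey name
RENAME_RE = re.compile(r"^Renaming (\S+) -> (\S+)$")           # file the tool disabled

@dataclass
class Bho:
    clsid: str
    name: str               # "" when the CLSID has no default value: the tool's first warning sign
    notify_key: str = ""    # Winlogon\Notify subkey the tool looked for
    notify_found: bool = False

def parse_log(text):
    """Replay the tool's rule: an unnamed BHO plus a matching Winlogon\\Notify key is flagged."""
    bhos, renamed, current = {}, [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(2)
        if b := BHO_RE.match(msg):
            current = bhos.setdefault(b.group(1), Bho(b.group(1), b.group(2)))
        elif msg.startswith("Checking for ") and current is not None:
            if n := NOTIFY_RE.search(msg):
                current.notify_key = n.group(1)
        elif msg.startswith("Found: ") and current is not None:
            current.notify_found = True
        elif r := RENAME_RE.match(msg):
            renamed.append((r.group(1), r.group(2)))
    return bhos, renamed

def suspicious_bhos(bhos):
    # CLSIDs the tool's rule would call "probably Virtumundo"
    return sorted(c for c, b in bhos.items() if b.name == "" and b.notify_found)
```

Note that the third BHO is also unnamed but is not flagged, because no Winlogon\Notify\ddaby key existed; an unnamed BHO alone is only a warning, not a detection.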

Wiedmann_Devils
07-21-06, 12:18 PM
Anyone know what C:\WINDOWS\system32\pmkhe.dll is, and should it be deleted? Because it's saying that this is where the virus on my computer is.

YeOldeStonecat
07-21-06, 01:40 PM
Anyone know what C:\WINDOWS\system32\pmkhe.dll is, and should it be deleted? Because it's saying that this is where the virus on my computer is.

Yes, it's part of the Virtumundo/WinFixer family... adware.

Follow this thread here...
http://www.bleepingcomputer.com/forums/topic18610.html

Loonatic
08-01-06, 10:24 AM
Dealt with that particular bad boy on a client's PC yesterday. Those two programs got rid of it (VirtumundoBeGone, etc.).