Virtumundo...


downhill
09-05-08, 12:09 AM
Brand spankin' new install of XP on a brand spankin' new puter.

The daughter-in-law was over today and wanted to look at her email and do some surfin'.

I have not a clue what she was looking at but after 40 minutes or so, she called me over and mentioned that she must have goofed up because the computer was getting a popup from the taskbar that I had an infection.

After looking at it, I was thinking that didn't look right from the icon it was displaying when I got a popup that looked like a Nod32 popup. Kinda....

Crap...So Nod32 didn't catch it. After looking around the puter, I had what looked to be a blue screen with a link to buy software to get rid of this virus and my task manager wouldn't boot. Virtumundo......was my first thought so I went out looking for the tools to remove it.

Arg...I couldn't download them and my printer was disabled so I couldn't do a print out of what I need to do to manually get rid of it. These bastards are getting smart.

Nobody at home at the neighbors and I'm not sure I want to visit her in the evening anyway...*wiggles eyebrows* so I did the next best thing and downloaded some software that came recommended on a few sites like C/Net for removing it.

Spyware Doctor seemed to do the trick but it still cost me 30 bucks.

I think I'll get the other stuff downloaded as well as a file printed before it happens again. Who knows, if it does happen again, whether this software will still do the job? Virtumondo is getting complicated.
Bastards.....

*washes mouth out with soap for all the expletives*

Now to just figure out how she got it and to wonder why Nod32 didn't catch it.

Joint Chiefs of Staff
09-05-08, 01:44 AM
Was your daughter-in-law visiting porn sites or the Gov. Palin supporter web page on facebook? :rotfl:

I kid ;)

Glad you got it fixed. BTW, next time you reformat, load up all your software programs and tweak settings. Do a defrag and back up your OS. Get something nasty, use Acronis to be up and running within minutes.

YARDofSTUF
09-05-08, 02:08 AM
http://www.bleepingcomputer.com/malware-removal/remove-vundo-virtumonde


And google or search majorgeeks for Malware Bytes.

downhill
09-05-08, 02:47 AM
Yard..I did but with this one, to do it manually, I needed to print out all the stuff I needed to look at in a Hijack This log. Guess what? It disabled my printer and my short term memory isn't bad but it's not anywhere near good enough to remember a few lines, let alone a ton of them. lol

Since this proggie works, I'll not worry about it for a while but at some point, I'll download and print everything I need to disable it.


JOCS....who knows what she was looking at. I doubt it was porn knowing her. She seems to think it was a link she found off of a friend on facebook.

YARDofSTUF
09-05-08, 04:37 AM
Yard..I did but with this one, to do it manually, I needed to print out all the stuff I needed to look at in a Hijack This log. Guess what? It disabled my printer and my short term memory isn't bad but it's not anywhere near good enough to remember a few lines, let alone a ton of them. lol

Why not just save it in notepad?

YeOldeStonecat
09-05-08, 05:38 AM
Pretty easy to clean, people everywhere getting slammed by it, very widespread over the past 6 months.

Install CCleaner
Install and update Spybot 1.6, SuperAntispyware, and Malwarebytes
Reboot into safe mode and run them in that order (the thorough scan options)

Really bad infections, there's a program called SDFix.exe you can find from Bleeping, but since finding MalwareBytes, and the latest Spybot 1.6, we've not had problems cleaning computers and keeping them clean.

NOD is catching most of the variants, usually stopping most of it from being installed on your PC. Were you fully updated yet? Program component-wise too?

A couple of weeks ago, I was messaging back 'n forth with a developer for a large antivirus company.....he said the Vundu/ZLob variant developers are incredibly aggressive, they've really ramped up their efforts to stay ahead of the antivirus companies, usually releasing several .dll variants a day. So it's getting past all the antivirus brands at some point or another. Take a peek at Kaspersky's forums too...on the front page of the infection forum there are at least several threads from Kaspersky users asking how to clean it.

downhill
09-05-08, 08:55 AM
Yeah the problem is, believe it or not, there were sites I couldn't get to and even if I could, I couldn't download anything. Nada...

Zlob was the variant for sure. The bastards...

I couldn't get to CCleaner but I had it on my back up disk but that wasn't enough. I couldn't get to Spybot and the one I had downloaded and saved a while back wasn't updated. I couldn't download Malwarebytes either. In fact in reading what to do, there wasn't much of anything I could download.

Let's see..yes, Nod32 was up to date also.

I'll check the Kaspersky forums out and get stuff downloaded in case it happens again.

Thanks for the replies. :)

YeOldeStonecat
09-05-08, 10:05 AM
Zlob was the variant for sure. The bastards...

Yeah, they're all related.....kajillions of variants, all falling under the Vundu/Virtumundo/Smitfraud names.

Out of Russia. Commonly come in from video codecs, and increasingly...media files via P2P avenues. It has turned into the biggest, and most aggressive, threat on the internet.

downhill
09-05-08, 02:13 PM
Well I downloaded and did what you suggested. I'm sure I'm all clean now and have asked for a refund on the other software that didn't come close to catching it all. I've also uninstalled it.

Hopefully I'm done. :D

I've put all those files into a folder and burned them to a disk as well as added them to a USB drive. Just in case....

24giovanni
09-05-08, 08:59 PM
Pretty easy to clean, people everywhere getting slammed by it, very widespread over the past 6 months.

Install CCleaner
Install and update Spybot 1.6, SuperAntispyware, and Malwarebytes
Reboot into safe mode and run them in that order (the thorough scan options)

Really bad infections, there's a program called SDFix.exe you can find from Bleeping, but since finding MalwareBytes, and the latest Spybot 1.6, we've not had problems cleaning computers and keeping them clean.

NOD is catching most of the variants, usually stopping most of it from being installed on your PC. Were you fully updated yet? Program component-wise too?

A couple of weeks ago, I was messaging back 'n forth with a developer for a large antivirus company.....he said the Vundu/ZLob variant developers are incredibly aggressive, they've really ramped up their efforts to stay ahead of the antivirus companies, usually releasing several .dll variants a day. So it's getting past all the antivirus brands at some point or another. Take a peek at Kaspersky's forums too...on the front page of the infection forum there are at least several threads from Kaspersky users asking how to clean it.

YOSC, Does one have to use the paid version of these programs or do the free versions work just as well?

thx

YeOldeStonecat
09-06-08, 07:20 AM
Free version for cleaning existing infections, that's all I use for rigs we have to fix.
Paid version allows real time protection for those who desire to keep them running on their systems for an added layer of protection.

The "shotgun effect" (using several different tools) works well. Don't forget, this ZLob trojan is being released at the rate of several variants a day. So whatever tool worked for you yesterday...or even this morning, may not work on a new infection/variant found tomorrow..or even later this afternoon. The best success I found is in using several tools.

For REALLY stubborn ones, additional tools I may lean on to use...
AVG AS (not their antivirus, but their antispyware)
Esets SysInspector. This is like a super combination of autoruns and hijack this...on steroids
Esets "undll" utility
AntiVir

CableDude
09-06-08, 08:20 AM
Esets SysInspector. This is like a super combination of autoruns and hijack this...on steroids

Nice find Cat!

mnosteele52
09-06-08, 10:12 AM
Nice find Cat!

I second that, how long have you known about this great tool and not told us???:irate:;)

The only thing I don't see with it is an option to delete a process or .dll file etc., is the option there YOSC?

Downhill, I would also do a scan with SUPERAntiSpyware, it is very good at removing the Vundo variants and it's free as well.

:cool:

24giovanni
09-06-08, 10:17 AM
Free version for cleaning existing infections, that's all I use for rigs we have to fix.
Paid version allows real time protection for those who desire to keep them running on their systems for an added layer of protection.

The "shotgun effect" (using several different tools) works well. Don't forget, this ZLob trojan is being released at the rate of several variants a day. So whatever tool worked for you yesterday...or even this morning, may not work on a new infection/variant found tomorrow..or even later this afternoon. The best success I found is in using several tools.

For REALLY stubborn ones, additional tools I may lean on to use...
AVG AS (not their antivirus, but their antispyware)
Esets SysInspector. This is like a super combination of autoruns and hijack this...on steroids
Esets "undll" utility
AntiVir

Thx cat for your response. Appreciate it.

YeOldeStonecat
09-06-08, 10:57 AM
I second that, how long have you known about this great tool and not told us???:irate:;)

The only thing I don't see with it is an option to delete a process or .dll file etc., is the option there YOSC?

Downhill, I would also do a scan with SUPERAntiSpyware, it is very good at removing the Vundo variants and it's free as well.

:cool:

I mentioned it a few times over the year or so it's been out.
Superantispyware gets run on my first pass..my first post up above. Those "additional tools" I use for really infested systems, although usually my suite of initial tools cleans them up fine.

For pulling dll files, Esets tool, "Undll", does the trick, although it would be good if they included that utility in Sysinspector.

Sava700
09-07-08, 10:24 AM
Yeah, they're all related.....kajillions of variants, all falling under the Vundu/Virtumundo/Smitfraud names.



I see these daily... these kids in college now just find a new movie site and pass it on.... they come in I ask them "Ok, which movie site are you going to?"

Nasty variants and at times hard to remove even if superantispyware, malwarebytes or spybot don't pick them up..I often have to look through msautoruns and even slave the drives and remove the crap with superantispyware to get the computers to boot up they are so hosed.

Ohh and you can avoid installing CCleaner since it's updated so much by just downloading the portable (http://www.majorgeeks.com/CCleaner_Portable_d5735.html) and keeping it up on a flashkey...I keep this on a protected network login to run to speed up my cleaning times on systems that come in.
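Several posts in this thread describe the same host-tampering symptoms (Task Manager that won't launch, tools that won't download) and the same first manual step (looking through autoruns for the dropped .dll). The following read-only triage script is an added example and is not code from the thread or from any of the tools it names; it assumes PowerShell is available on the machine being examined (the hypothetical helper names `Test-ToolLockout` and `Get-RunKeyEntries` are the example's own). It reports whether the standard `DisableTaskMgr` / `DisableRegistryTools` policy values are set, then lists every Run/RunOnce autostart entry and marks the ones launched through `rundll32`, since a DLL started that way is the shape the thread says these variants take. Marking is a review hint, not a verdict; legitimate software uses rundll32 too.

```powershell
# Added example, not from the thread. Read-only triage of a suspected
# Vundo/Virtumundo-style infection: nothing here modifies the registry.
# Assumption: run from an elevated PowerShell prompt with the built-in
# registry provider (HKLM:/HKCU: drives) available.

function Test-ToolLockout {
    # Hypothetical helper (this example's own name).
    # Returns the list of policy values that are currently blocking
    # Task Manager or the registry editor, or an empty list if none are set.
    $policyPaths = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    )
    # Real policy values; admins set them on purpose, malware sets them to
    # keep the user from killing its process or undoing its Run entries.
    $policyValues = @('DisableTaskMgr', 'DisableRegistryTools')
    $hits = @()
    foreach ($path in $policyPaths) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-ItemProperty -Path $path
        foreach ($name in $policyValues) {
            $value = $key.$name          # $null when the value is absent
            if ($value -eq 1) {
                $hits += "$path\$name = 1 (tool blocked by policy)"
            }
        }
    }
    return $hits
}

function Get-RunKeyEntries {
    # Hypothetical helper (this example's own name).
    # Enumerates the four standard autostart keys and returns one object
    # per entry with a Flag set when the command runs a DLL via rundll32.
    $runPaths = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($path in $runPaths) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        # Skip the PS* bookkeeping properties the provider attaches.
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object {
                $cmd = [string]$_.Value
                [PSCustomObject]@{
                    Key     = $path
                    Name    = $_.Name
                    Command = $cmd
                    # Heuristic only: rundll32-launched DLLs are what the thread
                    # says needs a dedicated "undll" tool to pull; review, don't auto-delete.
                    Flag    = if ($cmd -match '(?i)rundll32') { 'review: DLL via rundll32' } else { '' }
                }
            }
    }
}

# Stand-alone run: print lockout findings first, then the autostart table.
$lockouts = Test-ToolLockout
if ($lockouts.Count -eq 0) {
    Write-Output 'No Task Manager / registry editor lockout policy set.'
} else {
    $lockouts | ForEach-Object { Write-Output "TAMPERED: $_" }
}
Get-RunKeyEntries | Format-Table -AutoSize Key, Name, Command, Flag
```

Save the output to a text file (the thread's own suggestion for a HijackThis log) before running the cleaners, so there is a record of what the scanners were asked to remove and something to compare against after the reboot into safe mode.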

YARDofSTUF
09-07-08, 01:29 PM
It's not limited to movie sites, I've been cleaning this off people's PCs that are light browsers and hardly do anything online and ebay addicts as well.

It gets around.

CableDude
09-07-08, 01:54 PM
I see these daily... These kids in college now just find a new movie site and pass it on.... They come in I ask them "Ok, which movie site are you going to?"



Sava700
09-07-08, 06:37 PM
It's not limited to movie sites,

No, I agree...it's not limited to movie sites but that's perhaps 98% of the sources I've seen in the last 2 years and that's maybe around 1200+ systems and counting.

But you're right, it does get around sure enough.

YeOldeStonecat
09-07-08, 06:39 PM
It's not limited to movie sites, I've been cleaning this off people's PCs that are light browsers and hardly do anything online and ebay addicts as well.

It gets around.

Couple of weeks ago a client got her laptop hosed from downloading a song via limewire. The song was embedded with a WMF exploit.

YARDofSTUF
09-07-08, 09:32 PM
Couple of weeks ago a client got her laptop hosed from downloading a song via limewire. The song was embedded with a WMF exploit.

Limewire, ya no surprise there, lol

CableDude
09-08-08, 05:13 PM
I remember when I would make Limewire BSOD on Win 98. :D

YARDofSTUF
09-08-08, 05:33 PM
I remember when I would make Limewire BSOD on Win 98. :D

Now you can download a copy of win98 off limewire that will BSOD on its own!

Sava700
09-08-08, 06:59 PM
I remember when I would make Limewire BSOD on Win 98. :D

Well since you're still using Win95 I'll go winnuke on ya!! :D

CableDude
09-08-08, 07:26 PM
Well since you're still using Win95 I'll go winnuke on ya!! :D

:rotfl:

ghettoside
09-10-08, 07:52 PM
Yeah I've seen virtumonde too. A couple months ago my buds were installing some kind of skin to make XP look like Vista... at one point they had every rig they'd sold or worked on come back w/ this problem. Quickly, lol.

I never came up w/ a fix, the tools I dwnld'd didn't clean the infection, so every time I came in the next night... my buds had just reinstalled the OS while I was gone. Which still resulted in returns until they dropped that stupid skin.

Can't recall the name of the skin, was not anything from MS tho.


btw, just dwnld'd Eset SysInspector. Thanks Stonecat. :thumb: