Virtumonde virus is eating my wife's computer

You could be like 50% of computer owners, and just go buy a new PC.

Anyway, I can kill damn near anything by going to download.com and getting:

malwarebytes antimalware
spybot search&destroy
avira free personal edition

If that doesn’t kill it, call someone who knows what they’re doing because you’re not going to learn how to manually pick it out of the registry in a reasonable timeframe by reading a forum.

Vundofix is slow and doesn’t help with the other droppers and trojans that come along with the Vundo infection.

This stuff CAN get past Firefox, but the window of opportunity is shorter.

What’s her mail client, Jeff?

This man speaks the truth. I just had a client who gave me a 4-year-old computer they wanted to refurbish to give to one of their employees. I could immediately tell why they bought a new system: it was crawling with viruses, circa 2005.

Thanks for all the help guys. Got back home this evening and am taking first shots at this on her system. I’ll probably work on it more in the morning.

First shot, downloaded Malwarebytes Anti-malware as suggested, booted into safe mode, and ran it from there. It picked up a ton of bad stuff, including a lot of virtumonde items, and it said that it cleaned all of them but about 4, which it said it would clean up on reboot. Rebooted into safe mode, and ran it again, and so far it has said that it has picked up 6 infected objects. Ugh - guess it wasn’t able to clean everything. I’m waiting for it to finish the scan and let it try to clean again, but I suspect if it couldn’t clean them all out the first time it won’t the second time either. Already ran Spybot and ESET Nod32.

Someone asked about her email client - just Gmail, within Firefox.

Sounds like you don’t have the REALLY nasty variety which disables every program mentioned in this thread. Malwarebytes should take care of this one easily enough.

That one’s easy to beat, you just disable the TDSSServ.sys driver hidden in the Device Manager.

It’s doubtful she got that from email then, Gmail does a pretty good job sanitizing the bad stuff. It’s probably an infected link from a search engine on a website with a hacked page.

I recently had a run-in with Virtumonde, and it’s pretty brutal.
Best thing to do is go to Spybot Search and Destroy’s homepage and then post a HijackThis log of your wife’s computer and get help from one of their security experts on their forums.

They have several stickies listing things you need to do before asking for help.

I had a run-in with Virtumonde and instead of doing the above, I managed to glean enough information from several other people’s infections to “clean” my system. Unfortunately there is a weird side effect to my system being virus free.
Namely that I can only use IE or Firefox to surf/browse for about 5 minutes before I get messages saying that I’m not connected to the internet.
Which is really odd, because I am connected, and I can use MSN messenger to talk, connect to Rockstar Games Social Club, and play WoW without any trouble.

I have a new HD I’ve been meaning to install, this gives me an excuse to do so, just haven’t actually gotten around to doing it yet.

MBAM from safe mode has killed Virtumonde in every case I’ve tried. The slower the computer is, the more I make on that “job”. Thank you, scumbags of the planet!

Well, I ran MB from safe mode and it found about 30 something problems, most Virtumonde related (and that was after Spybot and NOD32 had supposedly cleaned it.) After cleaning, I rebooted into safe mode again and ran MB again, and it found 6 more problems (I let it complete by running overnight.) This morning, I let it clean those - 4 registry entries and 2 files - and I rebooted again in safe mode and rescanned, and so far on the in-depth scan (which takes over an hour on her system) it’s clean, which is encouraging since it normally picks up the problems in the first 10 minutes, so crossing my fingers.

I was impressed enough with MB that I ran it on my own laptop this morning, which stays clean as I am pretty anal about things, and it has found two infected objects - don’t know what they are yet as MB doesn’t let you see until it’s done. At least one good thing has come out of this - I know a lot more about tracking crap like this down than I did before. Thanks to all, and hopefully in about an hour my wife’s system will be clean. At that point I’ll go in and update Java and make sure her XP has all critical updates. I may purchase MB and have it run resident on her system, if for no other reason than to support MB for being so good.

Yeah, MBAM is bloody awesome. It’s currently how awesome Spybot was 4 years ago. Spybot, sadly, doesn’t deal with newer stuff like Smitfraud and Vundo nearly as well as MBAM, which kinda bums me out because they used to be so fantastic. Nonetheless, Spybot is still part of a healthy computer, because it picks up the little cookie crap that MBAM doesn’t bother with.

I like this thread. I try to carry recent versions of most anti-spyware apps on a flash drive to help my parents and less savvy friends clean up their machines when this happens.

So what should be in my toolkit these days?

HijackThis 2.0.2
Spybot S&D
Malwarebytes Anti-Malware
Avira Antivir OR AVG Antivirus
Dial-a-fix
Firefox along with Flash plugin installer
Speedfan for checking SMART status on hard drives

It’s also handy to have a copy of the UBCD4Win and a little program called Portable Apps which lets you run some of this software directly off your thumbdrive.

I’m going to bold something here on Ryan’s awesome post. This is about the fourth person I’ve either seen a post from or know personally that has gotten burned running nothing but NOD32 in the last 2 months. All of them gamers (or on a gaming forum.)

I think this highlights not so much that NOD32 is slipping (although that’s arguable) but that it’s important to have a solution that not only does AV, but anti-malware of ALL types. Whether that means choosing a two application approach or an all-in-one doesn’t matter, it’s that JUST AV isn’t cutting it anymore.

Also, for what it’s worth, the AVG IS suite (Internet Security) is a nice fit in this respect.

ESET has a security suite, but I don’t know how well it handles live threats like Vundo downloaders. It’s difficult to really test out solutions when you have to spend all day removing the threats.

What I don’t understand is why there isn’t some damned enthusiast site somewhere (Anand? Techarp? Tom’s?) who’s taking some time to test the various stuff against new threats and see how they all perform.

Norton inevitably ends up a PC Magazine Editor’s Choice, which I think just blows a hole right through their credibility on anything. Norton won’t stop jack, let alone all of jack’s buddies.

Hmm. Malwarebytes found about 32 the first scan in safe mode - clean, reboot into safe mode, then scan, and found 6. Clean, reboot into safe mode, found 1. Clean, reboot into safe mode, waiting for results.

I’m curious - while the number is going down, why is it finding new ones, albeit at significantly lower numbers, each scan?

Ever since the time I was reviewing a game, and was about to downgrade it for running so slowly and then discovered that removing Norton resulted in it running fine, I have been a Norton anti-fan. Norton just sucks in so many ways.

It is interesting that when I Googled this virus, I didn’t find any articles on it from any major outlets.

And yeah, I’m thinking maybe a combo of ESET and MB is the way to go. My problem is that I tend to disable (on my machine) things when gaming, for performance reasons.

I’ve been testing Threatfire, which works very well in conjunction with real-time software as a behavioral booster, but I can’t endorse it just yet. You may want to give it a shot yourself though and decide if you like it.

I’ve run into problems with it thinking stuff like Securom or software DRM is malware due to the fact it acts like malware does, so then you have to ‘unhook’ it from the system temporarily to run your game or app or whatever.

Make sure system restore is off. If it’s still finding one or two on boot, you’re going to have to track down the culprit. It could be a downloader that’s so new it’s evading detection, or it could be that the file can’t be erased on boot and needs to be deleted manually.

Didn’t think to turn off system restore.

Well, just using MB and scanning in safe mode, rebooting, repeat, it appears to have finally cleaned everything out. MB takes about an hour and a half to scan on my wifey’s laptop, so it was a laborious process, but appears to have worked. Thanks to all.

After it showed up clean in safe mode, I rebooted back into normal mode, updated to the latest Java and uninstalled the older version, updated all of her Windows components to the latest security updates, and hopefully we got everything. I’ll recheck it in the morning and hopefully it will remain clean. Gonna pay MB for the full version so it can run realtime in addition to NOD32 (right now I’m running NOD32 and Spybot - I think I’ll substitute MB for the Spybot.)

If you’re carrying all these tools on a USB stick, it’s also a good idea to have a write-protectable stick. I’ve had infected anti-spyware tools left on mine after visiting people with antique viruses :)
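A write-protect switch stops the stick being altered on a dirty machine, but it does not tell you whether a tool was already swapped or infected before you flipped it. The script below is an added example, not something from the thread: it builds a SHA-256 manifest of everything on the stick and later reports anything added, modified or missing. It assumes PowerShell 4 or newer (for Get-FileHash) and that the manifest is kept off the stick, on a machine you trust; the function names and the manifest format are my own.

```powershell
# Added example (not from the thread). Keep a SHA-256 manifest of the tools on
# the cleanup stick and verify it before each use. Assumes PowerShell 4+.
# Store the manifest somewhere the infected machine cannot reach (a clean PC),
# otherwise an attacker who can alter the stick can alter the manifest too.

function New-ToolkitManifest {
    param(
        [Parameter(Mandatory)] [string]$Root,      # e.g. 'E:\'
        [Parameter(Mandatory)] [string]$Manifest   # e.g. 'C:\clean\stick.sha256'
    )
    $prefix = $Root.TrimEnd('\').Length + 1
    Get-ChildItem -Path $Root -Recurse -File |
        ForEach-Object {
            $rel  = $_.FullName.Substring($prefix)          # path relative to the stick
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            "{0}  {1}" -f $hash, $rel                      # one "HASH  relative\path" line
        } | Set-Content -Path $Manifest -Encoding ASCII
}

function Test-ToolkitManifest {
    param(
        [Parameter(Mandatory)] [string]$Root,
        [Parameter(Mandatory)] [string]$Manifest
    )
    # Load the expected hashes keyed by relative path.
    $expected = @{}
    Get-Content -Path $Manifest | ForEach-Object {
        if ($_ -match '^([0-9A-Fa-f]{64})\s+(.+)$') {
            $expected[$Matches[2]] = $Matches[1].ToUpper()
        }
    }

    $prefix = $Root.TrimEnd('\').Length + 1
    $bad = @()
    # Walk the stick: anything not in the manifest was added, anything whose
    # hash differs was modified. Remove each seen entry so leftovers = missing.
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        $rel  = $_.FullName.Substring($prefix)
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        if (-not $expected.ContainsKey($rel)) { $bad += "ADDED    $rel" }
        elseif ($expected[$rel] -ne $hash)    { $bad += "MODIFIED $rel" }
        $expected.Remove($rel)
    }
    foreach ($rel in $expected.Keys) { $bad += "MISSING  $rel" }

    if ($bad.Count -eq 0) { Write-Host "toolkit matches manifest" }
    else { $bad | ForEach-Object { Write-Warning $_ } }
    return $bad   # empty array means clean
}

# Usage (paths are placeholders):
# New-ToolkitManifest  -Root 'E:\' -Manifest 'C:\clean\stick.sha256'   # after a fresh download
# Test-ToolkitManifest -Root 'E:\' -Manifest 'C:\clean\stick.sha256'   # before plugging into the next patient
```

Regenerate the manifest only right after you have refreshed the tools from their vendors on a clean machine; anything reported as MODIFIED or ADDED after a house call is a reason to wipe the stick and redownload rather than to "just delete that one file".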

I had two PCs last week where disabling the driver wasn’t enough. I had to boot to UBCD and manually delete all TDS*.* files as well as the Program Files folder and the entry in the registry. In fact, the registry entry actually has a subfolder called “disable” (or something similar) where it lists the names of many popular antimalware programs’ executables. Pretty funny.

I also discovered that it’s best to uninstall the TDSSServ.sys driver and immediately reboot when it prompts to do so. Disabling didn’t always work nor did uninstalling and choosing to reboot later…

As for AV software, my NOD32 just expired so I’m about to give Sunbelt’s VIPRE a try:

http://www.sunbeltsoftware.com/Home-Home-Office/VIPRE/
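Before booting to UBCD to delete things by hand, it helps to know exactly which driver, service key, files and Program Files folder you are looking for. The script below is an added example and not something from the thread; it is a read-only triage pass from an elevated PowerShell prompt on the infected machine (or, with a different root, against an offline copy of the disk). It assumes the driver is registered as a kernel-mode service under HKLM\SYSTEM\CurrentControlSet\Services, that its name and files match TDS*, and that the subkey listing anti-malware executable names lives under that service key, as the post describes; the pattern and the subkey handling are assumptions you can adjust. Nothing in it deletes anything. (In Device Manager the driver only appears after View > Show hidden devices, which is why it is easy to miss.)

```powershell
# Added example (not from the thread): read-only triage for a TDSS-style
# kernel driver. Assumes the driver is a kernel-mode service whose name and
# files match $Pattern; requires PowerShell 3+ and an elevated prompt.
param([string]$Pattern = 'TDS*')

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($kind, $item, $detail) {
    $findings.Add([pscustomobject]@{ Kind = $kind; Item = $item; Detail = $detail })
}

# 1. Drivers the OS knows about (loaded or not) whose service name or image
#    path matches the pattern. State/StartMode tell you whether "disable"
#    actually took: a Running driver with StartMode System/Boot came back.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -like $Pattern -or $_.PathName -like "*\$Pattern" } |
    ForEach-Object { Add-Finding 'driver' $_.Name "$($_.State)/$($_.StartMode) $($_.PathName)" }

# 2. Matching service keys in the registry, plus every subkey and value under
#    them. The post saw a subkey that listed AV executable names to block;
#    dumping the values shows you what the driver is configured to interfere with.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like $Pattern } |
    ForEach-Object {
        Add-Finding 'regkey' $_.Name ("ImagePath=" + $_.GetValue('ImagePath'))
        Get-ChildItem -Path $_.PSPath -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $sub  = $_
            $vals = ($sub.GetValueNames() | ForEach-Object { "$_=$($sub.GetValue($_))" }) -join '; '
            Add-Finding 'regsub' $sub.Name $vals
        }
    }

# 3. Files and folders on disk: TDS*.* anywhere under System32 (the drivers
#    folder is where the .sys normally sits) and a matching Program Files folder.
Get-ChildItem -Path "$env:SystemRoot\System32" -Recurse -File -Filter $Pattern -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'file' $_.FullName ("{0} bytes, modified {1}" -f $_.Length, $_.LastWriteTime) }
Get-ChildItem -Path $env:ProgramFiles -Directory -Filter $Pattern -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'folder' $_.FullName ("modified {0}" -f $_.LastWriteTime) }

if ($findings.Count -eq 0) {
    Write-Host "nothing matching '$Pattern' found (a newer variant may use another name)"
} else {
    $findings | Format-Table -AutoSize -Wrap
    Write-Warning "Remove these from offline boot media (UBCD), then reboot and re-run this script."
}
```

Run it once before the offline deletion to get the exact names, and again after the reboot: an empty result from all three checks is the confirmation that the driver, its service key and its files are really gone, rather than just disabled until the next boot.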