125 replies to this topic

[Essexboy]

Please follow all of the steps in this section of the Malware Forum. These self-help tools will help you clean up 70% of problems on your own. If you are still having problems after doing the steps, then please post a HiJackThis Log in the Malware Forum. If you are unable to run and/or post a HJT log, then post that in your initial post in the topic you create in that forum. Should you post in that forum please do not respond to your own topic. Our Malware Staff look for topics to help out in that have no responses. The Malware Forum is very busy with many more requests for help than we have volunteer helpers, so please be patient. If you have not had a response to a topic after 3 days then please go to the Waiting Room and read the pinned topic for instructions.

[jtc982]

the link is dead. is there another to d/l the file?

[Essexboy]

Which link so that I can investigate ?

[dr.pep]

This is not an advertisement... [removed remaining content and links]

While there are no affiliate links, and the poster will not profit from this post, it's been our experience that the paid version of that product will not remove this infection in every case, and we're not going to imply recommending it's purchase by allowing the links to remain.

We recommend free tools here whenever possible, and there are free tools that do a great job.

Edited by admin, 20 March 2008 - 11:13 AM.
removed link and paid product references

[Anonymous1337]

I used VundoFix to help my computer out on this Vundo virus caused by an lsass.exe application.
I also get that Microsoft C++ Visual Buffer Overload Window, so I though VundoFix would help get rid of that as well.
But I have over 8400 seemingly infected files...

Is that normal?

Edit-Ok I realize this is not normal; my whole computer suddenly died.

Edited by Anonymous1337, 18 April 2008 - 06:46 PM.

[Rorschach112]

Sounds like you have a file infecter and a lot of legitimate and needed files were removed

We have seen the problem before and it is fixable. Somebody will get to your post in the Malware Removal forum don't worry.

[Anonymous1337]

Alright, thanks for the reassurance.
Just been psyched for the past couple days about this >_<;

[fatin_fab]

hey.. my laptop effected by win32/adware virtumonde.. im planning to use the guides that u showed in 1st page.. but im using Windows Vista.. is it ok?

[hellenic]

Hi there
I just got infected by virtumode trojan and run the vundofix.exe but found nothing, so i tryed the second solution available the virtumundobegone.exe which was very helpfull finally. I am not sure though if everything is ok now so i post the contents of VBG.TXT here. Please if there is still something wrong help me to get rid of this nasty thing.

Tanks a lot guys for the very good job you doing here which was very helpful during the past also.


[05/02/2008, 20:18:03] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\User\Desktop\VirtumundoBeGone.exe" )
[05/02/2008, 20:18:10] - Detected System Information:
[05/02/2008, 20:18:10] - Windows Version: 5.1.2600, Service Pack 2
[05/02/2008, 20:18:10] - Current Username: User (Admin)
[05/02/2008, 20:18:10] - Windows is in NORMAL mode.
[05/02/2008, 20:18:10] - Searching for Browser Helper Objects:
[05/02/2008, 20:18:10] - BHO 1: -{AE7CD045-E861-484f-8273-0445EE161910} ()
[05/02/2008, 20:18:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:10] - No filename found. Continuing.
[05/02/2008, 20:18:10] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/02/2008, 20:18:10] - BHO 3: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[05/02/2008, 20:18:10] - BHO 4: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} (Winamp Toolbar BHO)
[05/02/2008, 20:18:10] - BHO 5: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[05/02/2008, 20:18:10] - BHO 6: {49E0E0F0-5C30-11D4-945D-000000000003} (IE PopUp-Killer)
[05/02/2008, 20:18:10] - BHO 7: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} (Megaupload Toolbar)
[05/02/2008, 20:18:10] - BHO 8: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/02/2008, 20:18:11] - BHO 9: {66F6A8E6-4D9A-4C67-8D83-E32D7F103AD9} ()
[05/02/2008, 20:18:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:11] - Checking for HKLM\...\Winlogon\Notify\xxyabxXp
[05/02/2008, 20:18:11] - Key not found: HKLM\...\Winlogon\Notify\xxyabxXp, continuing.
[05/02/2008, 20:18:11] - BHO 10: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[05/02/2008, 20:18:11] - BHO 11: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/02/2008, 20:18:11] - BHO 12: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/02/2008, 20:18:11] - BHO 13: {AA569288-7339-4B75-A849-E89505685A35} ()
[05/02/2008, 20:18:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:11] - Checking for HKLM\...\Winlogon\Notify\opnomLBU
[05/02/2008, 20:18:11] - Key not found: HKLM\...\Winlogon\Notify\opnomLBU, continuing.
[05/02/2008, 20:18:11] - BHO 14: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/02/2008, 20:18:11] - BHO 15: {C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA} ()
[05/02/2008, 20:18:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:11] - Checking for HKLM\...\Winlogon\Notify\efcCsqQH
[05/02/2008, 20:18:11] - Found: HKLM\...\Winlogon\Notify\efcCsqQH - This is probably Virtumundo.
[05/02/2008, 20:18:11] - Assigning {C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA} MSEvents Object
[05/02/2008, 20:18:11] - BHO list has been changed! Starting over...
[05/02/2008, 20:18:11] - BHO 1: -{AE7CD045-E861-484f-8273-0445EE161910} ()
[05/02/2008, 20:18:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:11] - No filename found. Continuing.
[05/02/2008, 20:18:11] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/02/2008, 20:18:11] - BHO 3: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[05/02/2008, 20:18:11] - BHO 4: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} (Winamp Toolbar BHO)
[05/02/2008, 20:18:12] - BHO 5: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[05/02/2008, 20:18:12] - BHO 6: {49E0E0F0-5C30-11D4-945D-000000000003} (IE PopUp-Killer)
[05/02/2008, 20:18:12] - BHO 7: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} (Megaupload Toolbar)
[05/02/2008, 20:18:12] - BHO 8: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/02/2008, 20:18:12] - BHO 9: {66F6A8E6-4D9A-4C67-8D83-E32D7F103AD9} ()
[05/02/2008, 20:18:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:12] - Checking for HKLM\...\Winlogon\Notify\xxyabxXp
[05/02/2008, 20:18:12] - Key not found: HKLM\...\Winlogon\Notify\xxyabxXp, continuing.
[05/02/2008, 20:18:12] - BHO 10: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[05/02/2008, 20:18:12] - BHO 11: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/02/2008, 20:18:12] - BHO 12: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/02/2008, 20:18:12] - BHO 13: {AA569288-7339-4B75-A849-E89505685A35} ()
[05/02/2008, 20:18:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:12] - Checking for HKLM\...\Winlogon\Notify\opnomLBU
[05/02/2008, 20:18:12] - Key not found: HKLM\...\Winlogon\Notify\opnomLBU, continuing.
[05/02/2008, 20:18:12] - BHO 14: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/02/2008, 20:18:12] - BHO 15: {C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA} (MSEvents Object)
[05/02/2008, 20:18:12] - ALERT: Found MSEvents Object!
[05/02/2008, 20:18:12] - Finished Searching Browser Helper Objects
[05/02/2008, 20:18:12] - *** Detected MSEvents Object
[05/02/2008, 20:18:12] - Trying to remove MSEvents Object...
[05/02/2008, 20:18:13] - Terminating Process: IEXPLORE.EXE
[05/02/2008, 20:18:29] - Terminating Process: RUNDLL32.EXE
[05/02/2008, 20:18:31] - Disabling Automatic Shell Restart
[05/02/2008, 20:18:31] - Terminating Process: EXPLORER.EXE
[05/02/2008, 20:18:33] - Suspending the NT Session Manager System Service
[05/02/2008, 20:18:34] - Terminating Windows NT Logon/Logoff Manager
[05/02/2008, 20:18:35] - Re-enabling Automatic Shell Restart
[05/02/2008, 20:18:35] - File to disable: C:\WINDOWS\system32\efcCsqQH.dll
[05/02/2008, 20:18:35] - Renaming C:\WINDOWS\system32\efcCsqQH.dll -> C:\WINDOWS\system32\efcCsqQH.dll.vir
[05/02/2008, 20:18:36] - File successfully renamed!
[05/02/2008, 20:18:36] - Removing HKLM\...\Browser Helper Objects\{C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA}
[05/02/2008, 20:18:36] - Removing HKCR\CLSID\{C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA}
[05/02/2008, 20:18:37] - Adding Kill Bit for ActiveX for GUID: {C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA}
[05/02/2008, 20:18:38] - Deleting ATLEvents/MSEvents Registry entries
[05/02/2008, 20:18:38] - Removing HKLM\...\Winlogon\Notify\efcCsqQH
[05/02/2008, 20:18:38] - Searching for Browser Helper Objects:
[05/02/2008, 20:18:38] - BHO 1: -{AE7CD045-E861-484f-8273-0445EE161910} ()
[05/02/2008, 20:18:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:38] - No filename found. Continuing.
[05/02/2008, 20:18:39] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/02/2008, 20:18:39] - BHO 3: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[05/02/2008, 20:18:39] - BHO 4: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} (Winamp Toolbar BHO)
[05/02/2008, 20:18:39] - BHO 5: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[05/02/2008, 20:18:39] - BHO 6: {49E0E0F0-5C30-11D4-945D-000000000003} (IE PopUp-Killer)
[05/02/2008, 20:18:39] - BHO 7: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} (Megaupload Toolbar)
[05/02/2008, 20:18:39] - BHO 8: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/02/2008, 20:18:40] - BHO 9: {66F6A8E6-4D9A-4C67-8D83-E32D7F103AD9} ()
[05/02/2008, 20:18:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:40] - Checking for HKLM\...\Winlogon\Notify\xxyabxXp
[05/02/2008, 20:18:40] - Key not found: HKLM\...\Winlogon\Notify\xxyabxXp, continuing.
[05/02/2008, 20:18:40] - BHO 10: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[05/02/2008, 20:18:41] - BHO 11: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/02/2008, 20:18:41] - BHO 12: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/02/2008, 20:18:41] - BHO 13: {AA569288-7339-4B75-A849-E89505685A35} ()
[05/02/2008, 20:18:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2008, 20:18:41] - Checking for HKLM\...\Winlogon\Notify\opnomLBU
[05/02/2008, 20:18:41] - Key not found: HKLM\...\Winlogon\Notify\opnomLBU, continuing.
[05/02/2008, 20:18:41] - BHO 14: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/02/2008, 20:18:41] - Finished Searching Browser Helper Objects
[05/02/2008, 20:18:41] - Finishing up...
[05/02/2008, 20:18:41] - A restart is needed.
[05/02/2008, 20:19:07] - Attempting to Restart via STOP error (Blue Screen!)

[Rorschach112]

The guides will work fine on Vista fatin_fab

hellenic, please don't post your logs here, you can only receive help in the malware removal forum

[bironran]

Ding Dong! The Witch is dead. Which old Witch? The Wicked Witch!
Ding Dong! The Wicked Witch is dead.

I thank you all for the VirtumundoBeGone.exe, it had done in 3 seconds what I've been trying to do for 7 hours.
I've run _every_ online AV / spyware scanner (some failed, some succeded, best was Microsoft protection center), Spybot S&D (partial sucess), Adaware 2008 (almost nothing) and my own AVG 8.0 (which to detect anything!) - nothing.
I've tried VundoFix.exe and FixVundo.exe (the original and symantec's) - nothing.
I've tried manually doing things by suspending the processes and deleteing files - it still eluded me.

Then I've tried "VirtumundoBeGone.exe". 3 seconds, one reboot. gone. GONE!!! Yey! Merriment and joy! And a log file to certify the dead.
Way to go, geeks to go.

[Rorschach112]

Glad it worked for you

Thanks for the feedback

[JoeC444]

I had the frustrating experience of having vundo.ere on my computer. One popular "free" program required registration and purchase. I have seen other suggestions, but I used Malwarebyte's Anti-Malware program, a true freebie. It found vundo.ere (in many places) and 5 other malware files/programs. All but one [System32/ddccrixo.dll] were removed. The latter can be removed by changing the name of the file, e.g., add a 2 to it, and deleting it. Without the change, it wouldn't go away.

[Rorschach112]

Glad you got it fixed. We are big fans of Malware Bytes here, so no surprise that it helped fix your problem

[ruggb]

Hello,
I am helping a friend clean his son's new Dell laptop of malware. Spybot S&D did a pretty good job of most. Now I am left with Virtumonde.dll and Wind 32.Banker.aipy.rtk. I was going to do your Malware Removal Guide on the Virtumonde, however, the creator has removed the VundoFix.exe from his site. Is it OK to use the VirtumundoBegone instead. I know it was recommended to do this only if the VundoFix.exe didn't work.
Thanks,
P.S. his son is in the guards and currently deployed in Iowa to help with the floods. He will be heading to Iraq in a few months. I really want to get this done for him quickly.