Need Help With a Trojan

[lowZX14]

Ok, I've got a Trojan named Virtumonde.prx on my computer and I can't get rid of it.  I have ran Spybot 3 or 4 times and it got part of it, but there are still 3 registry entries that won't go away.  How can I get rid of it?

[Dragon]

Restart the comp in Safe Mode and run the scan again.

[lowZX14]

Ok, I restarted in safe mode and ran spybot.  Once again it says problem fixed but it wasn't.  I've ran it a few times now, and each time I go back into the registry editor, it shows the Trojan in 3 different places.  I've tried modifying and deleting in the registry editor, but it shows right back up.  Can anybody help me get rid of this?

[Wobbly]

Try Malwarebytes, I used it to sort out a problem on my daughter's pc

http://www.malwarebytes.org/

[gpwurzel]

Run an antivirus scan in Safe Mode, having turned off system restore first. Not sure spybot s+d will get rid of this particular trojan for you.

Once thats done, if required, turn on system restore and enjoy. (Reason for turning off system restore - it automatically removes any restore points you may have that have been infected etc).

If you use an online scan, you can do a search on Symantec.com to find manual removal instructions - if your not confident using them, check to see if there is a specific removal tool on there for this virus.

HTH,

Wurzel


*Checked on the symantec site, nothing with this name as a removal tool*

Good call Flotsom!!

[FLOTSOM]

have you tried running threat fire? or  rootkit analyzer? if you are deleting it but it comes back then the program is hidden inside another program somewhere, probably something that restarts on boot up. try these two programs (both are free or have free versions that are complete utilities)

if those don't work then contact skuzzy,Ghosth, or Chalenge or one of the many others who has some computer sense. if you read through the old post people have put up in technical support or in hardware and software then you can find those individuals who you feel maybe qualified to help you and send them a PM.

good luck

threatfire
http://www.threatfire.com/
rootkitrevealer
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

FLOTSOM

[Denholm]

Alright, it's time for the annual AV advertisement campaign...

Since you already know you're infected with a trojan, this is for the Anti-Virus and the Anti-Rootkit department. Here are the two online Anti-Virus scanners you should try out. (Use them in Safe Mode with Networking)

http://safety.live.com (Onecare Scanner, use Internet Explorer to run it.)

http://www.eset.com/onlinescan/ (NOD32 free online scan, use Internet Explorer to run it.)

Remember, don't run them both at the same time. Now here's the free rootkit scanner that I recommend:
http://www.softpedia.com/get/Antivirus/AVG-Anti-Rootkit.shtml (AVG Anti-Rootkit Free)

Unfortunately you can't run it in Safe-Mode. So just unplug your Internet cable while running that scanner in regular mode. If the pesky thing is still not found after all that scanning, time to start considering the system restore or a Reformat.

[NHawk]

Virtumonde is a varient of Vundo.

Try this, it's worked for me on other people's computers...

http://vundofix.atribune.org/

or this (untested by myself)...

http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

[lowZX14]

Thanks for the info guys, none of these have worked so far.  A few have found the Trojan and said that it was deleted but it didn't.  The rootkit scanner yielded nothing whatsoever.  I have something on another forum that is supposed to deal with this, so let's see how well that goes.  This is not good at all.

[FLOTSOM]

well once you get a fix make sure you post it here in case anyone ever gets this bug in the future.

the rootkitrevealer wont fix it but it should have found it if it was running in hidden mode. there is another program called "whatsrunning" that will help you dissect what drivers and processes are running and where they came from. this may help you track down the original file that this virus is hidding behind. i don't have the url but you can google it and find it.

did you erase all of your restore files? if you are having problems removing a Trojan it may be because it is hidding in a backed up file or automatically being reset because its hidden inside a restore point. i had a maleware program that did this to me awhile ago, once i got rid of the restore and back up files it was gone.

well again good luck and keep us informed

FLOTSOM

[lowZX14]

I will definitely let everyone know how it was fixed when it's done.  That's the funny thing, I did a restore after it was supposedly gone and went back 2 weeks.  Well then the restore wiped out some stuff that it wasn't supposed to so I reversed the restore back to today to copy all of the files.  When I went back to restore to 2 weeks ago, it wouldn't let me go back any further than today, all of those old restore points seem to be gone.

[Denholm]

That might not be Virtumonde you know? I've had a few bugs advertise themselves as Virtumonde when they were in fact other bugs such as Smitfraud.

Be careful, you're dealing with more than an ant, you're dealing with termites.

EDIT: You know, just thought of this. If you're a computer savvy guy you can try something else. However this only works if you have a Windows Installer disc (2000 or above) and if you have a secondary hard drive (Make sure to move all files on this HD elsewhere, because you're about to format the HD). If you have a secondary hard drive, take it out. Change it's jumper setting to make it primary. Now take out your primary, switch it's jumper setting to secondary. Now plug them back in appropriately (Primary on Primary Master, Secondary on Primary Slave)

Now during boot-up, install Windows on your new primary hard drive. After it's installed, forget about updates. Get yourself some AV software such as the free trial of NOD32. Then scan your now secondary hard drive for the bug. Do the same with other software such as Ad-Aware 2008, Spybot, Anti-Rootkit software.

The reason I'm suggesting this is simple. While you are booted on your primary hard drive (which is obviously infected) certain files are locked to the scanner, these are typically system log files and critical OS files. However, the bug could theoretically embed itself in some of these files. With your old primary hard drive as a secondary, these files will not be locked, enabling the scanner to scan EVERYTHING.

However, again, this is only if you have a windows installer disc of 2000 or later, and if you have a secondary hard drive.

[BaldEagl]

Try Bazooka.  It's a free D/L at downloads.com.  In my experience it finds a lot of stuff very quickly.  It won't remove or fix it for you but it will give you a link to a web page describing in detail how to eliminate it.

Once you're cleaned up SpywareBlaster has a very small profile and does a good job of active protection.

[stroker71]

I had a trojan on my computer and the way I got rid of it was let my anti-virus find it.  But I didn't let it remove it.  I used the root path the anti-virus provided and removed it manually.  What happened to me was if I let the anti-virus it would just rename itself and still be there. 

[mrroadkill69]

Try antisuperspyware. I have used justy about everything available and this program seems to work real well.