Malware Removal: Virtumundo
From CastleCopsWiki
This procedure is to remove Adware-Virtumundo (Vundo). WinFixer / WinAntiSpyware / WinAntiVirus and Adware-Virtumundo are not one and the same.
Persistent popups from rogue (fake) antispyware programs such as WinFixer, WinAntiSpyware, WinAntiVirus, Amaena.com, ErrorSafe, SystemDoctor and DriveCleaner, which pester the user to purchase the phony program, are indicative of an Adware-Virtumundo (Vundo, for short) infection, but it is also possible to have WinFixer and its successors installed without Vundo accompanying them.
A fairly recent ploy used to draw users to the WinFixer website spoofed a phony Windows Online Safety Center webpage as bait. Users were directed to the WinFixer website if they clicked the Full System Scan button, as depicted in the third screenshot. The light blue background section in the imposter image distinguishes it from the real Windows Online Safety Center. Recently, the Amaena.com website has replaced this ploy with a "bacteria virus" alert, as depicted in the first screenshot. This is the latest lure used to redirect users to this WinAntiSpyware or WinAntiVirus affiliate website.
If WinAntiSpyware or WinAntiVirus was installed on your computer without your consent, it is removable via the Add / Remove Programs feature in the Control Panel. Vundo is not removable via Add / Remove Programs, but the following procedure should successfully eliminate it from your system.
Operational symptoms (1 & 2 are most common):
- Winfixer or WinAntiSpyware / WinAntiVirus Popups
- Advertising pop-ups for a variety of other phony security products, such as SysProtect.
- Alerts possibly originating from the domain www.Amaena.com
- Possible system instability
HJT Log Symptoms:
Matching pairs of O2 BHO and O20 Winlogon Notify entries containing the same random consonant filename (typically 5-8 characters in length).
The BHO entries can be of the MSEvents Object, ATLDistrib Object, CIEPl Object, or (no name) type.
Note: If you have WinFixer / WinAntiSpyware / WinAntiVirus popups with none of the HJT log symptoms described below, then:
- 1. You may have a new variant which suspends running when it detects that HijackThis is running. You can work around this by renaming HijackThis.exe to either HJT.exe or TJH.exe, and then rescanning. This should make the signature BHO and O20 Winlogon Notify DLL entries visible.
- 2. If option 1 doesn't solve the problem, then you should determine whether you have the rootkit variant installed by following the Vundo Rootkit Detection and Removal Procedure.
HJT Log Examples:
ATLDistrib Object
Example 1
- O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\WINDOWS\system32\mljjj.dll
- O20 - Winlogon Notify: mljjj - C:\WINDOWS\system32\mljjj.dll
Example 2
- O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\WINDOWS\system32\pmnlj.dll
- O20 - Winlogon Notify: pmnlj - C:\WINDOWS\system32\pmnlj.dll
MSEvents Object
Example 1
- O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\pmnkk.dll
- O20 - Winlogon Notify: pmnkk - C:\WINDOWS\system32\pmnkk.dll
Example 2
- O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddayv.dll
- O20 - Winlogon Notify: ddayv - C:\WINDOWS\system32\ddayv.dll
CIEPl Object - Newest Variant - adds an infected O20 AppInit_DLLs HJT entry
Example 1
- O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\service.dll
- O20 - AppInit_DLLs: C:\WINDOWS\System32\jfwofybc.dll
- O20 - Winlogon Notify: service - C:\WINDOWS\SYSTEM32\service.dll
Example 2
- O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\System32\msvmon.dll
- O20 - AppInit_DLLs: C:\WINDOWS\System32\gllrlgyd.dll
- O20 - Winlogon Notify: msvmon - C:\WINDOWS\SYSTEM32\msvmon.dll
- Note: This is the only variant with a randomly named file in the AppInit_DLLs value and a constant O2 BHO CLSID = F85E86D8-F796-4C97-AAA2-26664A98A42C
No name BHO:
- O2 - BHO: (no name) - {32879631-0c49-4df3-b9d1-becf87f640c0} - C:\WINDOWS\system32\uxfkqdhd.dll
- O20 - Winlogon Notify: uxfkqdhd - C:\WINDOWS\system32\uxfkqdhd.dll
Additional Registry and File System Changes
If you run other diagnostic programs such as Silent Runners or Autoruns, you may encounter other registry and file system changes, such as those listed by McAfee SiteAdvisor here.
Some file addition examples are:
- C:\WINDOWS\system32\SpOrder.dll
- C:\WINDOWS\system32\stera.exe
- C:\WINDOWS\system32\stera.job
The BootExecute Registry key is also changed:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\BootExecute
The data value BootStera="\\??\\C:\\WINDOWS\\system32\\stera.job" is added, so that stera.job is executed at system startup.
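BootExecute is a REG_MULTI_SZ value that Session Manager runs before the Win32 subsystem (and therefore before any antivirus service) is up, so anything beyond the stock autochk line deserves a look. The script below is an added example, not code from this article or from any of the tools it names: it flags non-default entries and converts the NT-style \??\ paths they reference into Win32 paths an analyst can inspect. The sample value is constructed to mirror the BootStera change described above; the live-read helper assumes CurrentControlSet is the active control set that the article's ControlSet001 path refers to.

```python
import re
import sys

# Stock content of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
# (REG_MULTI_SZ) on a clean Windows XP system: only the autochk invocation.
DEFAULT_BOOTEXECUTE = {"autocheck autochk *"}

# NT object-manager paths such as \??\C:\WINDOWS\system32\stera.job, captured
# without the \??\ prefix so they can be opened with ordinary Win32 file APIs.
NT_PATH_RE = re.compile(r"\\\?\?\\([A-Za-z]:\\[^\"\s]+)")

# Constructed sample mirroring the change this article describes (the BootStera
# entry). A real value is a list of strings, one per line in regedit.
SAMPLE_BOOTEXECUTE = [
    "autocheck autochk *",
    'BootStera="\\??\\C:\\WINDOWS\\system32\\stera.job"',
]


def unexpected_bootexecute(entries):
    """Return every BootExecute line that is not the stock autochk line, with any
    NT path it references converted to Win32 form."""
    findings = []
    for entry in entries:
        text = entry.strip()
        if not text or text in DEFAULT_BOOTEXECUTE:
            continue
        findings.append({"entry": text, "win32_paths": NT_PATH_RE.findall(text)})
    return findings


def read_live_bootexecute():
    """Read the live value on Windows; on other platforms return None.
    Assumption: CurrentControlSet is the control set the article's ControlSet001
    path refers to on the affected machine."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Control\Session Manager") as key:
        value, value_type = winreg.QueryValueEx(key, "BootExecute")
    if value_type != winreg.REG_MULTI_SZ:
        raise TypeError("BootExecute is expected to be REG_MULTI_SZ")
    return list(value)


if __name__ == "__main__":
    entries = read_live_bootexecute() or SAMPLE_BOOTEXECUTE
    for finding in unexpected_bootexecute(entries):
        print("unexpected BootExecute entry:", finding["entry"], "->", finding["win32_paths"])
```

On a Windows host the script reads the live value; elsewhere it falls back to the constructed sample, which reports the stera.job entry and nothing for the autochk line.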
Removal Directions:
Download VundoFix.exe by Atribune to your desktop.
- 1. Double-click VundoFix.exe to run the program.
- 2. Click the Scan for Vundo button.
- 3. When the scan is complete, click the Remove Vundo button.
- 4. If VundoFix responds with a "No infected files were found" message, right-click the list box (white box) in the main VundoFix window.
- Select Add More Files? from the menu that comes up. This will open a new VundoFix window.
- Examine your HJT log and copy and paste the complete file path present in your O2 BHO and O20 Winlogon Notify entries into the first field of the list box.
- Using our first HJT example above, this would be: C:\WINDOWS\system32\mljjj.dll
- In the second field, copy and paste the same path, but with the filename spelled in reverse and an asterisk (wildcard symbol) in place of the file extension:
- Using our first HJT example, this would be: C:\WINDOWS\system32\jjjlm.*
- Note: You must substitute the filename found in your own HJT log for the filename used in the example.
- Click the Add Files button.
- Click the Close Window button.
- Click the Remove Vundo button.
- 5. You will receive a prompt asking if you want to remove the files, click Yes
- 6. Once you click Yes, your desktop will go blank as it starts removing Vundo.
- 7. When completed, it will prompt that it will shutdown your computer, click OK.
- 8. Restart your computer
- 9. A log called vundofix.txt will be created in your C:\ directory
- 10. Inspect C:\vundofix.txt with Notepad to be sure the fix completed properly
Please retain the log created (C:\vundofix.txt) in case you need to post a HijackThis log.
For more information about VundoFix and Vundo threat symptoms, refer to Atribune's website. Atribune is the author of this tool.
VirtumundoBeGone - another Tool to try - if VundoFix failed to remove your infection
Some older variants of Vundo that are still in circulation may be removable with VirtumundoBeGone (even though they are resistant to removal with VundoFix).
Such VundoFix-resistant variants may create HJT entries like the following:
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS\system32\ljjjjjk.dll
O20 - Winlogon Notify: ljjjjjk - C:\WINDOWS\SYSTEM32\ljjjjjk.dll
Comprehensive list of Vundo related files, registry keys and values available at Malpedia (malware encyclopedia).
If VundoFix was unsuccessful in removing the infection, download and run VirtumundoBeGone by Secure2K.
Note: Do not run VirtumundoBeGone on Vista, as it has not been tested on Vista platforms and was written before Vista was released.
- Follow the self-explanatory prompts to run the tool.
- More information on VirtumundoBeGone can be found here.
Verify Vundo is eliminated
- 1. Perform a HJT scan using the Do a system scan only option.
- 2. Inspect the HJT log for the original Vundo entries which were present in your log.
- 3. If there are no Vundo HJT entries remaining, then continue with step 3 in the Malware Removal Overview.
- 4. If the Vundo HJT entries are present with the (file missing) attribute, then you are no longer infected. You can remove the HJT entries by checking them and clicking the Fix Checked button.
- Example
- O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\pmnkk.dll (file missing)
- O20 - Winlogon Notify: pmnkk - C:\WINDOWS\system32\pmnkk.dll (file missing)
- 5. You are still infected if:
- Your Vundo HJT entries are still present without the (file missing) attribute
- Your variant is of the new CIEPl Object type and the O20 - AppInit_DLLs entry remains and cannot be removed by fixing it with HJT
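The HJT log signature described under HJT Log Symptoms (matching O2 BHO / O20 Winlogon Notify pairs sharing a random file name, plus the AppInit_DLLs entry of the CIEPl variant), the reversed-filename wildcard typed into VundoFix's Add More Files? window, and the (file missing) check used in the verification steps above can all be automated over a saved HJT log. The Python script below is an added example and is not code from this article, from HijackThis or from VundoFix. The sample log lines are constructed from the article's own examples; the "Example Benign Helper" BHO and its all-zero CLSID are placeholders, and the consonant-only test is a loose reading of the article's "random consonant filename, 5-8 characters" description, reported as a hint rather than a verdict.

```python
import re
from collections import defaultdict

# Constructed sample log. The Vundo entries reuse CLSIDs and file names from this
# article; the "Example Benign Helper" line and its zero CLSID are placeholders.
SAMPLE_LOG = """\
O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\\WINDOWS\\system32\\mljjj.dll
O2 - BHO: Example Benign Helper - {00000000-0000-0000-0000-000000000000} - C:\\Program Files\\Example\\helper.dll
O20 - Winlogon Notify: mljjj - C:\\WINDOWS\\system32\\mljjj.dll
O20 - AppInit_DLLs: C:\\WINDOWS\\System32\\jfwofybc.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\\WINDOWS\\system32\\pmnkk.dll (file missing)
O20 - Winlogon Notify: pmnkk - C:\\WINDOWS\\system32\\pmnkk.dll (file missing)
"""

# CLSIDs this article lists for the known Vundo BHO variants.
VUNDO_CLSIDS = {
    "7A1A109F-58B3-414B-9829-5F4D9BE5FEDE",  # ATLDistrib Object
    "FC148228-87E1-4D00-AC06-58DCAA52A4D1",  # MSEvents Object
    "52B1DFC7-AAFC-4362-B103-868B0683C697",  # MSEvents Object
    "F85E86D8-F796-4C97-AAA2-26664A98A42C",  # CIEPl Object (constant across samples)
    "32879631-0C49-4DF3-B9D1-BECF87F640C0",  # (no name)
    "E9BD0828-1FD9-410C-A50F-43EBE65D310F",  # (no name), VundoFix-resistant
}

# The three HJT line types relevant here; "(file missing)" is an optional suffix.
LINE_RES = {
    "bho": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+?)(?P<missing> \(file missing\))?$"),
    "notify": re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$"),
    "appinit": re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+?)(?P<missing> \(file missing\))?$"),
}


def _stem(path):
    """Lower-case file name without extension, e.g. 'mljjj' for ...\\mljjj.dll."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def _looks_random(stem):
    """Heuristic from the article: 5-8 characters, consonants only."""
    return 5 <= len(stem) <= 8 and re.fullmatch(r"[b-df-hj-np-tv-z]+", stem) is not None


def parse_hjt(log_text):
    """Return the O2/O20 records that matter for Vundo triage as dicts."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        for kind, rx in LINE_RES.items():
            m = rx.match(line)
            if m:
                rec = m.groupdict()
                rec["kind"] = kind
                rec["missing"] = rec["missing"] is not None
                rec["stem"] = _stem(rec["path"])
                records.append(rec)
                break
    return records


def vundofix_patterns(path):
    """The two entries the article tells the user to type into VundoFix's Add More
    Files? window: the full path, then the same directory with the file name
    reversed and a '.*' wildcard in place of the extension."""
    directory, name = path.rsplit("\\", 1)
    stem = name.rsplit(".", 1)[0]
    return [path, f"{directory}\\{stem[::-1]}.*"]


def triage(log_text):
    """Pair O2 BHO entries with O20 Winlogon Notify entries that share a file name
    and report each as 'active' or as a dead 'remnant' (every line marked file
    missing). AppInit_DLLs entries are listed separately for manual review."""
    by_stem = defaultdict(list)
    appinit = []
    for rec in parse_hjt(log_text):
        (appinit if rec["kind"] == "appinit" else by_stem[rec["stem"]]).append(rec)

    findings = []
    for stem, recs in sorted(by_stem.items()):
        kinds = {r["kind"] for r in recs}
        bho = next((r for r in recs if r["kind"] == "bho"), None)
        known_clsid = bho is not None and bho["clsid"].upper() in VUNDO_CLSIDS
        if kinds != {"bho", "notify"} and not known_clsid:
            continue  # a lone entry with an unknown CLSID is not the signature
        findings.append({
            "kind": "pair", "stem": stem,
            "status": "remnant" if all(r["missing"] for r in recs) else "active",
            "paired": kinds == {"bho", "notify"},
            "known_clsid": known_clsid,
            "random_name": _looks_random(stem),
            "vundofix": vundofix_patterns((bho or recs[0])["path"]),
        })
    for rec in appinit:
        # AppInit_DLLs is loaded into every process that links user32.dll; the
        # CIEPl variant drops a randomly named DLL here, so any entry gets reported.
        findings.append({
            "kind": "appinit", "stem": rec["stem"],
            "status": "remnant" if rec["missing"] else "active",
            "paired": False, "known_clsid": False,
            "random_name": _looks_random(rec["stem"]),
            "vundofix": vundofix_patterns(rec["path"]),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the script reports the mljjj pair as active (with the C:\WINDOWS\system32\jjjlm.* wildcard ready for VundoFix), the pmnkk pair as a remnant that only needs its entries fixed in HJT, and the AppInit_DLLs line for manual review; the benign helper BHO is ignored because it has neither a Winlogon Notify partner nor a known Vundo CLSID.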
If you are still infected
- If no Virtumundo HJT entries are present but your popups persist, then you should check to see if you have the rootkit variant by following the Vundo Rootkit Detection and Removal Procedure
- You will need to post a HJT log if you still have WinFixer popups even though you have exhausted all remedies, but only do so after Malware Removal is complete.
Now it is important that you return to the Malware Removal Overview and continue with step 4 (or step 3 if you have SpyAxe / Smitfraud symptoms).
The series was developed as the key deliverable of the Cleaning Malware Project.