8 Posts

October 21st, 2005 16:00

ADW_VIRTUMUNDO.B

Anyone heard of this or better yet, know how to remove it?  My Trend Micro PC-cillin Internet Security screen keeps popping up and saying I have this but numerous scans don't show it.
 
I've also tried the latest "VUNDO" virus removal tool from Symantec but that said VUNDO wasn't on my system....so there must be a diff between VUNDO and "...Virtumundo."
 
ANY help would be appreciated.  Thanks

5 Journeyman · 15.6K Posts · 45K Points

October 21st, 2005 16:00

two points:
 
Symantec has released at least 2 new/updated versions of the vundo removal tool in the past week... to the best of my knowledge, the latest is version 1.4.0; so if you tried an earlier version, it's worth the time to get/try the latest.
 
 
Symantec also offers a separate Adware.VirtuMonde removal tool (not sure about the .B-part)
 
per their directions, you should run the Vundo first, then follow it by the VirtuMonde.
 
 
if these don't succeed, you should post a HiJackThis log in the HJT forum

Message Edited by ky331 on 10-21-2005 02:27 PM

8 Posts

October 21st, 2005 16:00

Thanks KY... I'll try the Virtumonde tool... Guess I missed that one.  I DID use the 1.4.0 version of Symantec's other tool and like I said, it didn't identify anything.  What's really curious (to me at least) is that Trend Micro HAS directions on removing this virus....the only problem is everything they tell you to do is predicated on the Virus scan identifying infected files... which it doesn't... says there are no viruses and no spyware on my system... Yet there's the alert.  I searched for the file the alert says is infected too but didn't find it... so not sure what's happening.
 
I'll try that other Symantec tool...thanks again... Winelvr

5 Journeyman · 15.6K Posts · 45K Points

October 22nd, 2005 01:00

when your Trend Micro PC-cillin Internet Security screen pops up reporting Virtumundo.B, does it indicate the particular files that it believes are infected??
 
in the absence of more specific details, I suggest you try HiJackThis:
 
Download the latest version of HJT(hijackthis) (version 1.99.1) from

http://majorgeeks.com/download3155.html

you must create a separate folder and place it there.... people commonly use C:\HJT.   Note:  Please do *NOT* use a TEMP (temporary) folder, *NOR* your DESKTOP, as HJT will be generating log files and backup files in the folder from which it is run... you risk accidentally losing these if you use a TEMP folder, and you will generate extreme clutter if you use your DESKTOP.

The file above comes as a compressed .ZIP file... you have to UNzip it (hopefully, you have an UNzip utility built into your Windows Explorer.   If for any reason, you're unable to UNzip it, you can download the already-unzipped .EXE file from http://downloads.malwareremoval.com/HijackThis.exe )

After Unzipping, double click on HiJackThis.EXE

Click on  Do a System Scan and Save a LogFile

This will automatically open NotePad

Copy the entire file from NotePad:  EDIT/SelectAll, EDIT/Copy

Then go to the new forum dedicated for HiJack This logs (**NOT** back here), and  PASTE the results there:

http://forums.us.dell.com/supportforums/board?board.id=si_hijack

Be sure to include a detailed description of any problems/errors/warnings you are encountering.

Hopefully, one of the HJT experts will get to it as quickly as possible.

 

WARNING:  HiJack This is a VERY POWERFUL tool.  Do *NOT* do anything else (in particular, do NOT use it to delete any entries) until you are advised to do so!!   Improper use of this tool can severely damage your system.
 
 
Supplemental note:  The procedure as worded above has been carefully edited over time, so as to expedite the process of helping people.   Nevertheless, it seems that many individuals try to be "creative", and make some variations.  It really would be to your benefit if you follow these directions EXACTLY as stated... because certain changes on your part can result in slowing-down the help process. 
Specifically, the following are 3 very common BAD deviations which will cause delays:
a)  BAD:  using an older/outdated version of HiJackThis...
The experts only work with the current version.   So if you make a post with an older version, you'll simply be advised to get the latest version, re-run it, and re-post your log.
b) BAD:  using a TEMP directory or your DESKTOP for HJT....
Some experts may insist you move HJT before they'll begin working with you.   Others will start the repair process, advising you to move HJT as one of the very first steps.   Failure to do so can result in losing potentially critical information.   So please,  just use the suggested  C:\HJT  directory, rather than try to be creative.
c) BAD:  posting your log in the wrong forum...
if you post your log back here, in the Virus/SpyWare forum, it will "sit idly", either until the forum moderator gets around to move it for you... or until you decide to repost your log...  in the HiJackThis forum.

8 Posts

October 22nd, 2005 01:00

Well NO LUCK with the "Virtumonde" tool either.... Ran it and it says nothing on my system... Guess I'll keep looking or maybe someone will have a better idea. 

 

8 Posts

October 22nd, 2005 12:00

Morning KY331.... Yes, the pop-up alert DOES identify a single infected file... but I've searched for it and can not locate it.  Additionally, when I run a FULL virus scan as Trend Micro suggests, it says the system is clean and doesn't identify any files.
 
I'll take your suggestion and try posting the resulting Logfile.
 
Thanks for your continued advice.  Winelvr

2 Intern · 247 Posts

October 22nd, 2005 14:00

KY331: A few people have posted and reported success using my tool. Do you think it can be used as another removal option here? I've tried to make it as automated as possible and it will do the same things as the manual removal steps (plus a little more).
 
Why Norton's tool doesn't work: The removal tool is based on file and memory signature scanning. The program is smart enough to kill threads of possible trojan variants, but the scan reports show no files detected or removed. The tool does not remove the registry entries pointing to the infected file so on reboot, it comes right back.

Message Edited by secured2k on 10-22-2005 10:26 AM

2 Intern · 247 Posts

October 22nd, 2005 16:00

To answer your questions...
 
The Atribune/VundoFix will also cause a blue screen crash. My tool does everything that fix does automatically. It's basically just scripted system commands.
 
The tool uses "kernel32::GetVersionExA" to get the Windows Version. If the system is not Windows NT based (NT,2000,XP,2003,Vista), the tool will not work.
 
So far, no one has reported a false positive. I will explain what the tool does automatically and if you or anyone else has an idea to improve its operation, let me know and I will see if I can fix it.
 
A problem with the tool not detecting an unnamed BHO was reported. The tool was fixed/enhanced in version 1.2 to check for unnamed BHO.
Another problem that was reported was the tool actually killed itself during the repair process. I have known about this since version 1.0 and added a note on the intro screen if the tool ends prematurely, just run it again. It happens because it's given instructions to kill some processes like RUNDLL32 which might be hosting the program (not sure why). Every step is added to the log file as it happens.
 
So far, no one has complained that the tool does not work with their security product (minus the extreme security products in which the users are advanced enough to know why). In v1.2, I removed the part about stopping McShield. While having an antivirus running that detects the virus and denies access to the file may prevent the rename operation, it will not stop the tool from removing the registry entries that cause the program to start up at boot. Also, a command is set to have the file renamed on reboot (before most AVs load).
 
ChrisRLG has pointed me toward another forum, but I just wanted to get the word out that there is a tool for removing some specific or hard to remove malware. I currently am making a simple one for Alemod/OleAdm. I have already completed the WinKRootKit (WinIK.sys) and Virtumundo tools.
 
Directly from the source, in simple terms, here is what the tool does:
 
Creates a mutex to prevent the tool from running more than once.
Checks if the OS is NT based
Checks if the user is Admin
Creates some temp files used for the program.
Creates the log file if it doesn't exist.
Asks if the user wants to continue.
Looks at the browser helper objects list and searches for "MSEvents Object" (MSEO)
If it's not MSEO, then check the next BHO.
If the BHO name is blank, check the file name.
If the base file name is also in Winlogon Notify (where it shouldn't be), name the BHO MSEO.
If the BHO has changed, it will restart from the beginning to check BHOs.
If none of the BHOs are MSEO and none of the Blank BHO's are located in Winlogon notify, the program will exit showing the log file.
If the BHO is MSEO, it will kill rundll32, iexplorer, disable automatic shell restart, and kill explorer
It suspends the NT Session manager and removes winlogon.exe from memory (this is where vundo is)
The automatic shell restart setting is restored (since winlogon can't restart it)
The bad file is renamed with a .VIR extension. If it can't be renamed (AntiVirus/Security product) it will be renamed on reboot (PendingFileRenameOperations).
The tool will then remove 2 MSEventObjects registry entries, the BHO entry, the Winlogon notify entry, and add an entry to Internet Explorer to KILL (not run) the BHO with that GUID (vundo).
The tool then sets an entry in the registry to have the system automatically reboot on STOP error (blue screen) and then reenables the session manager. The session manager sees WinLogon is missing and STOPs the system (reboot/blue screen).
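The BHO / Winlogon Notify cross-check in the steps above, as an added example that is not part of the thread or of secured2k's tool: a read-only Python triage script over a constructed .reg export (CLSIDs and paths are placeholders) that flags a BHO named "MSEvents Object" or an unnamed BHO whose DLL is also registered under Winlogon\Notify. It only reports; it renames nothing and removes no keys.

```python
import re
from pathlib import PureWindowsPath

# Constructed .reg export fragment (not from the thread; CLSIDs/paths are placeholders): a named BHO and an unnamed one whose DLL is also a Winlogon Notify package.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAA0000-0000-0000-0000-000000000001}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBBB0000-0000-0000-0000-000000000002}]
[HKEY_CLASSES_ROOT\CLSID\{AAAA0000-0000-0000-0000-000000000001}]
@="Example Toolbar"
[HKEY_CLASSES_ROOT\CLSID\{AAAA0000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Example\\toolbar.dll"
[HKEY_CLASSES_ROOT\CLSID\{BBBB0000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\WINDOWS\\system32\\placeholder.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\placeholder]
"DLLName"="placeholder.dll"
"""
BHO_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"
NOTIFY_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify"
CLSID_KEY = r"hkey_classes_root\clsid"

def parse_reg(text):
    # Minimal .reg reader: lower-cased key path -> {value name: string}; non-string values are ignored.
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "" if name == "@" else name.strip('"')  # "@" is the key's default value
            if value.startswith('"') and value.endswith('"'):
                keys[current][name] = re.sub(r"\\(.)", r"\1", value[1:-1])  # undo .reg escaping
    return keys

def suspicious_bhos(keys):
    # Post's heuristic: a BHO named "MSEvents Object", or an unnamed BHO whose DLL is also a Winlogon Notify DLLName.
    notify_dlls = {PureWindowsPath(v["DLLName"]).name.lower() for k, v in keys.items()
                   if k.startswith(NOTIFY_KEY + "\\") and "DLLName" in v}
    findings = []
    for key in (k for k in keys if k.startswith(BHO_KEY + "\\")):
        clsid = key.rsplit("\\", 1)[1]
        name = keys.get(CLSID_KEY + "\\" + clsid, {}).get("", "")
        dll = keys.get(CLSID_KEY + "\\" + clsid + "\\inprocserver32", {}).get("", "")
        base = PureWindowsPath(dll).name.lower()
        if name == "MSEvents Object":
            findings.append((clsid, dll, "BHO named 'MSEvents Object'"))
        elif not name and base and base in notify_dlls:
            findings.append((clsid, dll, "unnamed BHO whose DLL is also a Winlogon Notify package"))
    return findings
```

On a real machine the same functions can be pointed at the output of `reg export` for the HKLM and HKCR hives; the named, legitimate BHO in the sample is deliberately left unflagged.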
 

5 Journeyman · 15.6K Posts · 45K Points

October 22nd, 2005 16:00

Secured2k:

were you ever able to get in touch with ChrisRLG ?    If he could "test" things out, I'd certainly feel more comfortable.

I like recommending Symantec tools, because I'm confident they "inflict no damage" ---- that is, if you run the tool, and the "offending" file isn't file, it simply tells you so.

I've been using the Atribune/VundoFix, because we've had just amazing results with it.... though I still am leery about doing anything that will force a "blue screen of death".

i've also noticed that some people have had success with your tool.   Can you tell me anything more about it?   for example, I downloaded it the other day, and see it will only work on newer (2000, XP) systems, but not older (95/98/ME) --- is that correct?

has your program ever generated a "false positive" ??? [accidentally removed a file that wasn't really infected]

have there been ANY problems/"defects" reported back to you?

are there any other contingencies?  for example, to the best of your knowledge, will it "cooperate" with Norton/Symantec, Grisoft/AVG, and Avast! ?    do these need to be disabled in order for your fix to work?  and what about Anti-spyware monitoring programs, like Microsoft Anti-Spyware Beta, SpyBot's TeaTimer, WebRoot's SpySweeper, WinPatrol &etc ? --- any known conflicts there?

get back to me [and also, ideally, to ChrisRLG], and I'll see what can be done.

P.S.  when you first showed up in this forum, as an "unknown quantity", we had to be skeptical.   A lot of people who don't "qualify" will offer advice here.   I've seen a few of your posts, and it definitely seems you know what you're doing :smileyhappy:

 

Message Edited by ky331 on 10-22-2005 02:25 PM

5 Journeyman · 15.6K Posts · 45K Points

October 22nd, 2005 17:00

secured2k:

it sure sounds good.

the only way we'll know for sure is to run more tests.   and that's exactly what i suggest you do.   i'm gonna take the rest of this weekend off from replying to NEWLY posted WinFixer/Vundo-related problems (but I will continue to follow-up on those logs where I've already posted a reply/advice).  So go ahead, start replying to the new requests, offer your tool, and let's see how it goes.

I'm rooting for you, because I want us to conquer the WinFixer thing, once and for all.

by the way, are you in a position to analyze the remainder of each person's log?   if so, by all means do so.   if not, when you clear the WinFixer problem, make a note of each person's name/log#, and I'll instruct you who to pass-on the information to.

Good luck.

Message Edited by ky331 on 10-22-2005 03:19 PM

2 Intern · 247 Posts

October 22nd, 2005 17:00

OK.

5 Journeyman · 15.6K Posts · 45K Points

October 22nd, 2005 17:00

secured2k:

i've sent information about your tool to RKinner... wanted you to be aware, in case he gets in touch with you.

8 Posts

October 22nd, 2005 20:00

Hi KY331...been reading your mssgs with Secured2K.  Is this tool he has something I can try for my Virtumundo problem?...or is it strictly for NT systems?

Haven't had a chance to run my Hijack this log yet but once I do will post it.  Thanks.  Winelvr

5 Journeyman · 15.6K Posts · 45K Points

October 22nd, 2005 20:00

Winelvr:
 
according to his notes, it will run on  windows "NT,2000,XP,2003,Vista" --- implying it would not run under win 95/98/ME.
 
the other day, when i tried to download it on a 98SE system, it nicely acknowledged that my system did not meet the necessary specifications, and did not try to proceed beyond that.
 
since i have essentially no more info about secured2k's tool than what we've communicated in this thread, i suggest all questions about it be directed to him.
 
as i've already stated, he's used it successfully with a few people, so it seems to be working okay.   we need more data (test cases) to be certain.   i was especially cautious when he first started posting the other day, but from what i've seen, he seems to know what he's talking about.

5 Journeyman · 15.6K Posts · 45K Points

October 22nd, 2005 21:00

secured2k:

well, looks like you're "officially in business" here... I see that forum moderator ChrisM (not to be confused with ChrisRLG) has posted a "sticky" at the top of the HJT forum page, advertising/acknowledging your WinkRootKit and Virtumundo Removal tools:

http://forums.us.dell.com/supportforums/board/message?board.id=si_hijack&message.id=18052

8 Posts

October 23rd, 2005 00:00

Hi Secured2K.... Just wondering if the "tool" you've been discussing with KY might work for my "Virtumundo.B" problem??  If you think so and are willing please get back to me with info on what I need to do to get the tool, run it etc.  Thanks.  Winelvr
