I have researched these files after my computer was infected with Win32.Adware.Virtumonde. I created a thread about my problem (Help! My computer is infected with Win32.Adware.Virtumonde). Here are the files:

I. These files are found in your system32:
1. sqxdxmyc.dll
2. qwuxdehs.dll
3. nskojqov.dll
4. ddcyqnoi.dll
5. cxmyhlqy.dll
6. yayxyawv.dll
7. yukudgvj.dll
8. Uukvwyxr.dll
9. yayvwPjj.dll
10. ukfgtyvq.dll
11. iiffGwnd.dll
12. ooaafgwd.dll
13. xdyxetyb.dll
14. kqrlampr.dll

There are more Virtumonde DLLs, but on one PC you will only find 6 of them; I found the other DLLs after I had renamed and deleted them.

If you have deleted these files and they come back again:
1. Go to system32.
2. Arrange the files by date.
3. Find the DLL files. They are very suspicious: they contain 8 letters. Also make sure that you didn't create these files (it's obvious, because you didn't create them).
4. Download Trojan Remover (use evaluation mode so that you can use it for free).
5. After downloading the software, right-click on these files.
6. Choose to disable them by renaming them.
7. You cannot rename them manually, because it prompts a warning like "it is in use by another person or program". You cannot DELETE them MANUALLY.
8. Do not delete them using CMD.exe. It erases all your files in your system32 along with them.
9. If you have deleted them but they come back with DLLs that you do not know, follow steps 2-3, or you can download Uniblue SpyEraser.
10. After downloading and activating it, go to Settings and enable block events and allowed events.
11. You will know these files because Uniblue SpyEraser prompts you whether you want to allow them or not.
12. Here are the events that you have to block:
a.) Events that are using a BHO. Scroll down the message; if you see these BHOs are run by a DLL with 8 letters, it is a Virtumonde.
b.) Events that want to run at startup from the INI files of Adware.Virtumonde. Here are the files:
1. vwayxyay.ini
2. rpmalrqk.ini
3. qvytgfuku.ini
4. dnwgfii.ini
5. dnwgfii.ini2
6. nikkjiij.ini
7. xionqycdd.ini
8. voajoksnx.ini

If you have found these files, it is no use deleting them. They come back with similar or different names. There is some chance you can delete them manually, but the chance is 25%. Use Trojan Remover to delete them. (Remember, you have to reboot your computer for it to take effect.)

!!! To see these INI files !!!
1. Go to Folder Options.
2. On the View tab, choose "Show hidden files and folders".
3. Uncheck "Hide extensions for known file types".
4. Uncheck "Hide protected operating system files", then click OK.
Or you can use RootkitRevealer, which you can download for free from http://technet.microsoft.com. If you cannot use Task Manager, you can use Process Explorer, which you can download for free from http://technet.microsoft.com, so that you can see the processes running on your computer. If the situation becomes worse, you have to use HijackThis.

Symptoms that you are infected by Win32.Adware.Virtumonde:
1. Automatic Updates are turned off and you cannot turn them on.
2. Task Manager is disabled.
3. regedit is disabled.
4. Antiviruses are turned off.
5. You see red and blue screens often.
6. Your computer shuts down or crashes unexpectedly.
7. Your internet browser runs slow and does not load or refresh.
8. Many pop-ups about antiviruses, or "Your computer is in danger", or pop-ups about porn, or pop-ups about their product.

If this doesn't work, you may reformat it like mine. I discovered these files when I tried to delete and rename them. It came back when I unknowingly inserted a diskette loaded with Win32.Adware.Virtumonde. So I had to reformat my computer to delete this virus permanently. (It's tiring to do these steps again and again.)

And also I forgot: make sure you delete the files found in your Temp and Temporary Internet Files. They hold cookies and files of the Virtumonde. They are found in C:\documents and settings\(Your account)\local settings, or you can delete them securely by running Disk Cleanup. These files are found in Temp and Temporary Internet Files:
1. css4[1]
2. kb516107[1]
3. kb713501[1]
4. kb456456[1]
There are some files that are hard to type; they are found in Cookies and contain many numbers, like http://456.etc........

You can also see the other files running in msconfig or in C:\windows\prefetch. In prefetch you can see the files. These files are run in your msconfig or Task Manager (I think), because some of these files are run by Adware.Virtumonde, like mine. For example: my computer runs 5 rundll32.exe. Suspicious, isn't it?! If you look in your prefetch, you can see them. But be careful about deleting some files.

Win32.Adware.Virtumonde files are also found in your regedit, under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. There you can see the files that will run at your startup. REMEMBER!!! Do not make any change in the registry; just look at them and know them or find them!!!

If it doesn't work, you might reconsider reformatting your computer, because this is the last option I have. I forgot also: to see more of them, run your Trojan Remover with a scan, or whatever type of scan you think of.
First off, Vundo files are randomly named. This means that they will be different for everyone. Secondly, there is a tool called VundoFix which will remove most variants of Vundo and Virtumonde, along with the associated registry values. There is no need for a format.
Hey edmund and Fredil. I commend you for your hard work researching what Vundo did to your system, edmund. However, your work is wasted, because Vundo does not do the same thing to every single computer. As Fredil said, Vundo makes randomly named files, so it cannot be detected by name alone. You have to know that "Win32.Adware.Virtumonde" is only one antimalware's way of classifying Virtumonde/Vundo. The real common name is Virtumonde (which is Vundo related). You don't have to type that long antimalware detection name every time you want to mention Virtumonde/Vundo.

And no, HijackThis should not be used at the worst possible moment. It should be used at the very first symptom, so as to outline the malware infection. Trojan Remover and Uniblue SpyEraser are not the only programs able to get rid of Vundo. Every single worthy antimalware should be able to detect Vundo, even though the deletion methods might differ slightly. And it isn't the inability of antimalwares to remove Vundo files that makes Vundo a severe infection. It is Vundo's ability to regenerate; you must understand that Vundo creates many hidden settings on your computer so that it will be able to regenerate easily, and even though all files are removed, the computer will never be the same again.

And Fredil, VundoFix isn't recommended as a primary removal tool for Virtumonde. VirtumundoBeGone is the tool for the job. And even though a format isn't necessary, it is recommended, as the hidden settings that Vundo makes might never be reversed, and you would still be in a compromised situation with Vundo off your system.

Best Regards
Then I have to research more about Virtumonde and its main file that makes it regenerate. Hmmmmm.... But the files I found had patterns. Virtumonde DLLs have 8 randomized letters. You can still find them even though they have different letters, because they still have 8 letters.
Hey, Hey, Hey, Fredil, how do you squeeze 8 letters out of Svchost???? Maybe a rootkit is hiding one? LOL, just kidding... One of the most frequent lines when someone has a Vundo is: it remains a bugger to get rid of, and like cdavfrew said, sometimes a re-format/re-install is in order... That being said, hang in there edmund085, the Newbie tag doesn't last FOREVER....

2OG
Hey! I have seen a process or file that is very suspicious; it is C++. Hmm.... I will have to observe this file; maybe this will be the clue. And also.... 8 letters that are randomly placed, not svchost.exe; frgy8Tjq.dll is an example. Letters that are scrambled like peanut butter and jellyfish.
I forgot something........... I have the contact details of virtumonde.com, its address, hehhehehehe. Virtumonde.com is a URL address where the virus will update or give information, etc... etc...

Address: Domain Administrator, admin@nameadminic.com (admin@nameadminic.com has no information found), Box 10518 A.P.O., Grand Cayman, Cayman Islands B.W.I. KY, +1.345.946.6879

hehhehehhe hahahhahahhhaha. And also I have been thinking about Winlogon.exe, Explorer.exe and Rundll32.exe; they act suspiciously, hmmmm.... I will observe these files. And I forgot..... DO NOT GO TO THAT WEBSITE, IT CONTAINS A VIRUS.
Dear cdavfrew, have you observed this in every log about computers that have Vundo? I have observed that rundll32.exe is associated with runonce.exe, advpack.exe and ssv.dll. Hmmmmm. Can you observe these files or logs? I will have to read these logs and analyze them.
Um... edmund... rundll32.exe is involved in most vundo infections because of the tendency of vundo to be a dll file. Dll files need rundll32.exe to run, or they can hook into a system process like winlogon.exe or explorer.exe to run. There is nothing suspicious about these three processes, so I would advise you to do a little reading about them on the internet. As for advpack.exe, I believe that it has something to do with a Yamaha driver and nothing to do with vundo. ssv.dll is a java component, and may or may not be used by vundo.
Hello, I have researched rundll32, winlogon.exe and explorer.exe. If you search on the internet, it says that there is a hook in these processes. These files have hooks on Vundo, even advpack.dll; I'm not sure about ssv.dll.
Nope, I won't delete it, but I have to find ways to disable the thread that is hooked by Vundo. Maybe I have to use .vbs or .bat to remove or change rundll32.exe. I'm not renaming it but editing it so that Vundo can't execute. That's why I'm collecting files and HijackThis logs, so that I can analyze and study them.
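Since the thread keeps coming back to reading HijackThis logs and looking for 8-letter DLL names behind BHOs, Run keys and the winlogon.exe hook, here is an added Python example (not from the thread or any of its posters) that does that triage over HijackThis-style O2/O4/O20 lines. The log excerpt is constructed: the 8-letter DLL names are ones edmund lists, while the CLSIDs, the Run-key value name and the legitimate-looking entries are made up; wlnotify.dll is included on purpose, because it is a real 8-letter Windows DLL and shows cdavfrew's point that the name heuristic alone only shortlists candidates for verification, it does not identify Vundo.

```python
import re

# Constructed HijackThis-style log excerpt (added example, not from the thread). The
# 8-letter DLL names are ones the thread lists; CLSIDs and the other entries are made up.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {A1B2C3D4-0000-1111-2222-333344445555} - C:\\WINDOWS\\system32\\kqrlampr.dll
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe
O4 - HKLM\\..\\Run: [b3c1a9e0] rundll32.exe "C:\\WINDOWS\\system32\\xdyxetyb.dll",b
O20 - Winlogon Notify: yayxyawv - C:\\WINDOWS\\SYSTEM32\\yayxyawv.dll
O20 - Winlogon Notify: ScCertProp - wlnotify.dll
"""

# The HijackThis sections that load a DLL: O2 = browser helper objects,
# O4 = Run keys (startup), O20 = Winlogon Notify (DLLs hooked into winlogon.exe).
LINE_RE = {
    "O2": re.compile(r"^O2 - BHO: (?P<label>.*?) - \{[0-9A-Fa-f-]+\} - (?P<target>.+)$"),
    "O4": re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[(?P<label>[^\]]*)\] (?P<target>.+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<label>\S+) - (?P<target>.+)$"),
}
# A quoted .dll path, a bare drive path, or a bare file name, tried in that order.
DLL_RE = re.compile(r'"([^"]+\.dll)"|([A-Za-z]:\\[^",]+?\.dll)|\b([\w-]+\.dll)', re.I)
EIGHT_CHARS_RE = re.compile(r"[A-Za-z0-9]{8}")  # the thread's "8 scrambled letters"


def dll_basename(target):
    # File name of the first .dll referenced in a command line or path, else None.
    m = DLL_RE.search(target)
    if not m:
        return None
    path = next(g for g in m.groups() if g)
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def triage(log_text):
    # Map every DLL loaded by an O2/O4/O20 entry to the reasons it deserves review.
    findings = {}
    for line in log_text.splitlines():
        for kind, pattern in LINE_RE.items():
            m = pattern.match(line)
            name = dll_basename(m.group("target")) if m else None
            if name is None:  # not one of our sections, or a Run key starting an .exe
                continue
            reasons = findings.setdefault(name, [])
            if EIGHT_CHARS_RE.fullmatch(name[:-4]):
                reasons.append("8-character name: verify signature/hash before acting")
            if kind == "O2" and m.group("label") == "(no name)":
                reasons.append("BHO registered without a display name")
            if kind == "O4" and "rundll32" in m.group("target").lower():
                reasons.append("startup entry loads the DLL through rundll32")
    return findings
```

Running `triage(SAMPLE_LOG)` ranks kqrlampr.dll and xdyxetyb.dll highest (two signals each), while yayxyawv.dll and the legitimate wlnotify.dll tie on the name heuristic alone, which is exactly why each shortlisted file still needs its signature or hash checked rather than being renamed or deleted on sight.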