I was the victim of a very annoying piece of malware. I have been avoiding the corporate install of Internet Explorer for months now, and I have been using Firefox 2 and 3 instead. I am sure I was doing something I should not have been, because for the last two weeks these strange popups have been plaguing my Firefox browsers, and my machine has been running like there was taffy on my hard drive.

I tried to remove the trojan with Spybot S&D, and that did not work. It did identify a Browser Helper Object (BHO) and some registry entries that I could not get rid of. That is when I knew it would be bad. Derek recommended that I try McAfee Avert Stinger. That was no help either. I tried HijackThis. That was informative, but not as helpful as I had hoped.

So I did some more digging online, and an article recommended Malwarebytes' Anti-Malware (MBAM). That was a big step forward. It clearly identified my problem as the Virtumonde Trojan. There were 59 DLLs, BHOs, data files, and registry entries all over my computer from this one trojan. I used MBAM to remove all of them, but the BHO registry entry was stubborn. This meant there was still more.

I did some research on Virtumonde, and found that a tool called ComboFix will wipe it out entirely. It took about 20 minutes to run, rebooted my machine, and took another 20 minutes to complete. But when it was all done, I was trojan free. No more popups when I use Firefox, and my machine is fast again. Now... if only I knew what I did that was so bad...
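The post mentions a BHO that Spybot S&D, HijackThis (its "O2" lines) and MBAM all flagged but could not remove. BHOs are plain registry registrations: a CLSID under the Explorer "Browser Helper Objects" key, which maps through HKCR\CLSID to the DLL Internet Explorer loads. The script below is an added example, not code from the original post or from any of the tools named in it. It enumerates those registrations, resolves each one to its DLL, and reports whether the file exists, whether it is Authenticode-signed, and its SHA-256, which is the information you want before deciding what to hash, submit, or delete. It assumes a 32- or 64-bit Windows box with PowerShell 4 or later (for Get-FileHash; drop that line on older versions) run from an elevated prompt so HKLM is readable in full.

```powershell
# Added example, not from the original post. Enumerate Internet Explorer
# Browser Helper Objects (the registry entries HijackThis shows as "O2"),
# resolve each CLSID to its DLL and report existence, signature and hash.
# Assumptions: PowerShell 4+ (Get-FileHash), elevated prompt for HKLM.

function Get-BrowserHelperObject {
    # Standard BHO registration points; the Wow6432Node key exists only on 64-bit.
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    # A CLSID can live in the native or the 32-bit view of HKCR.
    $clsidRoots = @(
        'Registry::HKEY_CLASSES_ROOT\CLSID',
        'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
    )

    foreach ($key in $bhoKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $key) {
            $clsid = $entry.PSChildName
            $name  = $null
            $dll   = $null
            foreach ($root in $clsidRoots) {
                $clsidKey = "$root\$clsid"
                if (-not (Test-Path -LiteralPath $clsidKey)) { continue }
                $name = (Get-ItemProperty -LiteralPath $clsidKey -ErrorAction SilentlyContinue).'(default)'
                $dll  = (Get-ItemProperty -LiteralPath "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
                if ($dll) { break }
            }
            # InprocServer32 often uses %SystemRoot% or %ProgramFiles%.
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
            $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            $sig  = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
            $hash = if ($exists) { (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash } else { $null }

            [PSCustomObject]@{
                CLSID     = $clsid
                Name      = $name
                DllPath   = $dll
                Exists    = $exists
                Signature = $sig      # Valid / NotSigned / HashMismatch / ...
                SHA256    = $hash
                RegKey    = $key
            }
        }
    }
}

# A BHO with no friendly name, an unsigned DLL in a user-writable or system
# directory, or a DLL that no longer exists on disk is what to look at first.
Get-BrowserHelperObject | Format-List
```

Removing the key with Remove-Item only sticks if nothing running re-creates it; a resident component that restores its own registration is exactly the "stubborn" entry the post describes, and why a boot-time or offline cleaner (or a rebuild) ends up being needed.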
4 comments:
You were a bad man, that's all. Shame on you.
... you were too stubborn to just repave the machine and avoid all the drama?
Seriously, for an infestation that badly, I don't know how you'll feel "safe" without blitzing the drive and reinstalling. You've got access to the image disk, after all.
In the future, I'd recommend you keep a VM around to be a sandbox for any "risky" activities. Fire up the VM, do your business, close it down without saving any state changes. VM is always clean and fresh.
Damn lack of edit button.
That should read "... for an infestation that bad ..."
Yep. Too stubborn to wipe the drive. I liked my machine just the way it was. And unfortunately the image has changed a whole bunch now, so the old image disk I had is no good any more.
Yes, VM is great stuff. We started using it for browser testing (since we can't have IE7 on the machine) and for SharePoint development. I will put up a post about that soon too.