<body>

Captain's Log
Removal of Win32/Adware.Virtumonde and Win32/PrivacyRemover.M64 Malware
Wednesday, September 03, 2008

Captain's Log Stardate -315673.93


Lalaine's desktop got infected with some kind of trojan or virus last night. Her desktop wallpaper was replaced by a fake warning window (see the picture above):

Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer

Warning! Win32/Adware.Virtumonde
Detected on your computer

Warning! Win32/PrivacyRemover.M64
Detected on your computer

She tried to change it back, but the Desktop and Screen Saver tabs had disappeared from Display Properties, making it impossible to change the wallpaper or the screensaver.

We tried different programs to scan her desktop, with no luck. Avira, Ad-Aware, Spybot Search & Destroy, SUPERAntiSpyware, and Malwarebytes couldn't even finish scanning her computer: the system would either restart or show the ever-famous Windows XP blue screen.

I searched the internet, and it seems this virus or trojan is new (based on the timestamps of the forum posts). Most (or all) of the tutorials currently available don't work. There are links to programs that supposedly remove this malware, but I don't download and trust programs from unknown sources.

So either I reformat the computer (which is out of the question) or I find a way to remove this virus myself. System Restore? Screwed. I had disabled System Restore on her computer to save disk space. Stupid me.


Anyway, I opened Windows Task Manager and saw two unknown programs, a.exe and ohbmaodi.exe. I terminated the processes and uploaded the files to VirusTotal: no detection on ohbmaodi.exe and a "suspicious file" detection on a.exe. I was getting frustrated, since most of the forums and websites I went through had no definite solution for removing the malware.

I installed HijackThis and finally saw a pattern in the log report after comparing it with three logs from three different people on two different message boards.

Here is Lalaine's HijackThis report:

O4 - HKLM\..\Run: [lphcnlgj0eg51] C:\WINDOWS\system32\lphcnlgj0eg51.exe

And here's the three other logs I've encountered.

O4 - HKLM\..\Run: [lphcjthj0ec09] C:\WINDOWS\system32\lphcjthj0ec09.exe

O4 - HKLM\..\Run: [lphcn7rj0era7] C:\WINDOWS\system32\lphcn7rj0era7.exe

O4 - HKLM\..\Run: [lphceedj0e70e] C:\WINDOWS\system32\lphceedj0e70e.exe


Notice the similarity of the filenames? Around this time Avira updated its virus definitions and detected a.exe as TR/FraudPack.26624. Since Avira had crashed the desktop earlier, I disabled its real-time protection and proceeded to remove the malware manually.

I uploaded the file (lphcnlgj0eg51.exe) to VirusTotal, and 15 out of 36 antivirus engines detected it as malware.



So we finally have our target; time to exterminate it. If you're infected with this malware, you may follow the instructions below. But be warned: this may damage your computer even more, since we'll be tinkering with the Windows registry. Before you change anything, export each key you are about to edit (File, then Export in Registry Editor) so you can import it back if something goes wrong. If the machine keeps shutting down or your changes are undone after a restart, the malware is still running and fighting you: boot into Safe Mode (press F8 while Windows starts) and do the steps from there, where the Run entry is not processed.

First, install HijackThis from Trend Micro. Once installed, launch it and click Do a system scan and save a logfile. After the scan, the log opens in Notepad; this will be your guide in finding the malware.

Review the log and look for a filename resembling the ones we encountered above: an O4 Run entry pointing at an executable in C:\WINDOWS\system32 with a random-looking name. The filename starts with lphc, then three random characters, then j0e, then another three random characters. From the logs I've gathered, your filename might look like this (where X is a random character; a reader later reported a variant named phc1b9j0ens2.exe without the leading l, so don't rely on the prefix alone):

lphcXXXj0eXXX.exe
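The check above can be done mechanically. The script below is an added example, not part of the original post or of HijackThis: it parses the O4 Run-key lines of a HijackThis log, pulls the executable name out of each command line, and flags names matching the lphcXXXj0eXXX.exe scheme (with the leading l optional, to cover the phc1b9j0ens2 variant reported in the comments). The sample log is constructed from the four entries quoted in this post plus two entries I made up for contrast; the Avira path in it is an assumption, not something taken from a real log.

```python
import re

# Constructed sample log: the four O4 lines quoted in the post, the variant a
# reader reported in the comments, and two benign entries invented for contrast
# (the Avira path is an assumption, not copied from a real HijackThis log).
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\\..\\Run: [lphcnlgj0eg51] C:\\WINDOWS\\system32\\lphcnlgj0eg51.exe
O4 - HKLM\\..\\Run: [lphcjthj0ec09] C:\\WINDOWS\\system32\\lphcjthj0ec09.exe
O4 - HKLM\\..\\Run: [lphcn7rj0era7] C:\\WINDOWS\\system32\\lphcn7rj0era7.exe
O4 - HKLM\\..\\Run: [lphceedj0e70e] C:\\WINDOWS\\system32\\lphceedj0e70e.exe
O4 - HKLM\\..\\Run: [phc1b9j0ens2] C:\\WINDOWS\\system32\\phc1b9j0ens2.exe
O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe" /min
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# One HijackThis O4 Run-key line: "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Naming scheme seen on this page: optional leading "l", "phc", three random
# [a-z0-9] characters, the fixed "j0e" token, three more random characters.
ROGUE_NAME_RE = re.compile(r"^l?phc[a-z0-9]{3}j0e[a-z0-9]{3}\.exe$", re.IGNORECASE)


def parse_o4_entries(log_text):
    """Return a dict (hive, key, name, cmd) for every O4 Run-key line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def image_basename(cmd):
    """Extract the executable file name from an O4 command line.

    Handles a bare path as well as a quoted path followed by arguments.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        path = cmd.split(" ")[0]
    return path.rsplit("\\", 1)[-1]


def find_rogue_entries(log_text):
    """Return (value_name, exe_basename, hive, key) for entries matching the rogue's naming scheme."""
    hits = []
    for e in parse_o4_entries(log_text):
        exe = image_basename(e["cmd"])
        if ROGUE_NAME_RE.match(exe):
            hits.append((e["name"], exe, e["hive"], e["key"]))
    return hits


if __name__ == "__main__":
    # Paste your own log into SAMPLE_LOG (or read it from the file HijackThis saved).
    for name, exe, hive, key in find_rogue_entries(SAMPLE_LOG):
        print("%s\\..\\%s: [%s] -> %s" % (hive, key, name, exe))
```

The value name in brackets is what you will later delete from the Run key, and the basename is what you search for with Edit, then Find in Registry Editor. Anything the pattern does not catch still deserves a look: a Run entry for a random-looking name in system32 is suspicious whatever its prefix.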

Now that you've got your target, open the Registry Editor: click Start, then Run, type regedit, and press Enter.

Let's restore your desktop wallpaper and screensaver first. Navigate to

HKEY_CURRENT_USER\Control Panel\Desktop


In the right-hand pane there are four values the malware altered: ConvertedWallpaper, OriginalWallpaper, SCRNSAVE.EXE, and Wallpaper. Right-click each of them, click Modify, and enter the values below:

ConvertedWallpaper - C:\Documents and Settings\XXX\Local Settings\Application Data\Microsoft\Wallpaper1.bmp (where XXX is your Windows user name)

OriginalWallpaper - C:\Documents and Settings\XXX\Local Settings\Application Data\Microsoft\Wallpaper1.bmp (where XXX is your Windows user name)

SCRNSAVE.EXE - C:\WINDOWS\system32\logon.scr

Wallpaper - C:\Documents and Settings\XXX\Local Settings\Application Data\Microsoft\Wallpaper1.bmp (where XXX is your Windows user name)

Wallpaper1.bmp is the copy Windows XP keeps of your last chosen wallpaper; if you would rather use a specific picture, point all three wallpaper values at that .bmp file instead.

Now let's restore the Desktop and Screen Saver tabs. Navigate to

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

Delete the System key under Policies, and that's it: your Desktop and Screen Saver tabs will be back like Bucky O'Hare. The two values doing the hiding are NoDispBackgroundPage and NoDispScrSavPage; if the System key holds other values as well (for example on a work PC where policies are set on purpose), delete just those two values instead of the whole key.

Now it's time to eradicate the malware from your system. Click Edit, then Find.

Enter the filename you got from HijackThis (in my case lphcnlgj0eg51.exe) and press Find Next, repeating with F3 until the search wraps around. I found mine under these keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The Run entry is what launches the malware every time you log in; the MUICache entry is only a record that the program has run under your account, and deleting it just cleans up the trace.


Delete all the registry entries you find, then delete the executable itself from C:\WINDOWS\system32 (Windows won't let you delete a running file, so do this in Safe Mode or right after the restart, before it gets a chance to run). Restart your computer. After the restart, update your antivirus and anti-spyware software and perform a complete scan; with the rogue no longer running, the scanners should now finish and pick up leftovers such as the a.exe dropper.
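The registry part of the procedure above (the four Desktop values, the two tab-hiding policy values, the Run entry and the MUICache trace) can be captured in one .reg file that Registry Editor imports in a single step, which is handy when the machine keeps shutting down before you finish clicking. The generator below is an added example, not code from the original post: it takes the Windows user name and the rogue's filename found with HijackThis, validates them so a hostile name cannot break out of the key, and writes the repair file. It deletes only the NoDispBackgroundPage and NoDispScrSavPage values rather than the whole System key (those value names are from my own knowledge of Windows, not from the post), and it assumes the Run value is named like the file minus .exe, as in the logs quoted above.

```python
import re

REG_HEADER = "Windows Registry Editor Version 5.00"

# Registry keys named in the post.
DESKTOP_KEY = r"HKEY_CURRENT_USER\Control Panel\Desktop"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MUICACHE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache"

# Policy values that hide the Desktop and Screen Saver tabs of Display Properties
# (value names from Windows documentation, not from the post).
TAB_POLICY_VALUES = ("NoDispBackgroundPage", "NoDispScrSavPage")

# Reject anything that is not a bare file name / user name: a backslash or quote
# here would otherwise let a crafted name alter which key the .reg file touches.
SAFE_EXE_RE = re.compile(r"^[A-Za-z0-9_.-]+\.exe$", re.IGNORECASE)
SAFE_USER_RE = re.compile(r"^[^\\/:*?\"<>|]+$")


def reg_quote(s):
    """Quote a name or string value for a .reg file (backslashes and quotes escaped)."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_repair_reg(username, rogue_exe, wallpaper=None, run_value=None):
    """Return the text of a .reg file undoing the rogue's changes for one user."""
    if not SAFE_USER_RE.match(username):
        raise ValueError("unexpected characters in user name")
    if not SAFE_EXE_RE.match(rogue_exe):
        raise ValueError("rogue_exe must be a bare .exe file name")
    if wallpaper is None:
        # The path the post restores: XP's converted copy of the user's wallpaper.
        wallpaper = (r"C:\Documents and Settings\%s\Local Settings"
                     r"\Application Data\Microsoft\Wallpaper1.bmp") % username
    if run_value is None:
        run_value = rogue_exe[:-4]  # assumption: Run value named like the file minus .exe
    rogue_path = r"C:\WINDOWS\system32\%s" % rogue_exe

    lines = [REG_HEADER, "", "[%s]" % DESKTOP_KEY]
    for name in ("ConvertedWallpaper", "OriginalWallpaper", "Wallpaper"):
        lines.append("%s=%s" % (reg_quote(name), reg_quote(wallpaper)))
    lines.append("%s=%s" % (reg_quote("SCRNSAVE.EXE"), reg_quote(r"C:\WINDOWS\system32\logon.scr")))
    lines.append("")
    # "name"=- deletes a single value without touching the rest of the key.
    lines.append("[%s]" % POLICY_KEY)
    lines.extend("%s=-" % reg_quote(v) for v in TAB_POLICY_VALUES)
    lines.append("")
    lines.extend(["[%s]" % RUN_KEY, "%s=-" % reg_quote(run_value), ""])
    # MUICache values are named by the executable's full path.
    lines.extend(["[%s]" % MUICACHE_KEY, "%s=-" % reg_quote(rogue_path), ""])
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(build_repair_reg("Lalaine", "lphcnlgj0eg51.exe"))
```

Save the output as fix.reg, boot into Safe Mode, and run regedit /s fix.reg (or double-click the file and confirm), then delete the executable from C:\WINDOWS\system32 and restart. Importing from a normal session while the rogue is still running risks having the values rewritten again, which is the symptom described in the comments below.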

That's it! You've exterminated the rogue behind the "Win32/Adware.Virtumonde" / "Win32/PrivacyRemover.M64" warnings. Note that those two names are simply what the fake alert displays to scare you; the program you removed is the rogue itself, which Avira identifies as TR/FraudPack.

Always keep your antivirus and anti-spyware up to date, and avoid dubious websites to prevent future infections. I think Lalaine got this from one of the local showbiz blogs :P


*Computer end log*



Posted by Jepoy @ 9/03/2008 03:51:00 PM
THERE ARE 9 COMMENT(S) ON THIS POST:

Posted by superantispyware (anonymous) on Saturday, September 6, 2008 at 2:23:00 AM GMT+8:
To save you the trouble of having gone through all that my dear chap, you could have simply used superantispyware. Just download it for free from superantispyware.com.

That's the first program that actually killed the vundo crap (and its numerous variants) from my pc. I got it while checking out asian porn sites.

Actually, I seem to get it all the time from different porn sites, that's why I don't go there anymore. Tell your friend that visiting "showbiz" sites (which post nude or x-rated stuff) might not be such a good idea anymore. She could just download those stuff via torrent.

Posted by Anonymous on Sunday, September 7, 2008 at 2:01:00 AM GMT+8:
Thank you very much for the thorough explanation of the fix, worked perfectly. I appreciate the time you have taken to help others.

Posted by Jepoy on Sunday, September 7, 2008 at 2:35:00 PM GMT+8:
@superantispyware - as you can read above, I also used SUPERAntiSpyware and it wouldn't finish scanning.

Posted by nitz on Tuesday, September 16, 2008 at 2:44:00 AM GMT+8:
Thanks buddy, you saved a lot of my time. I was thinking of formatting my system.

Posted by mike (anonymous) on Friday, September 19, 2008 at 6:11:00 AM GMT+8:
Hi. I have the same problem. I've tried your method, but by the end my computer always shuts down and restarts before I can complete it. After that, I kept trying again and again, and finally I was able to complete all the registry changes before the computer shut down. However, when it restarted, the registry was back to the previous state, with altered background, etc.! Please help me!

Posted by nitz on Monday, September 22, 2008 at 4:30:00 AM GMT+8:
Hi mike, the best solution is to install Malwarebytes (from malwarebytes.org), run the scan and remove everything it detects, then run SDFix in Safe Mode. That should clear off everything. Then run the Kaspersky online scan at the end to make sure no virus remains. Refer to geekstogo.com for further info.

Posted by Jepoy on Monday, September 22, 2008 at 12:58:00 PM GMT+8:
@mike - what kind of shutdown do you get? The one where the PC shuts down instantly, or the one where you see a message with a countdown timer to shutdown?

If it's the latter, create a shortcut to "shutdown -a". This will abort the shutdown. Or open Run, type "shutdown -a" without the quotes, and press Enter.

Posted by Nicolas (anonymous) on Monday, September 29, 2008 at 12:25:00 PM GMT+8:
Hey man, I had it all removed but I could not get the background desktop thing, thank you very much for having such a well explained step by step man you saved me.

Posted by Kevin (anonymous) on Wednesday, October 1, 2008 at 12:46:00 PM GMT+8:
You're a lifesaver. My version was "phc1b9j0ens2" but did the same as yours. The registry edits were the key.
