Removal of Win32/Adware.Virtumonde and Win32/PrivacyRemover.M64 Malware
Wednesday, September 03, 2008
Captain's Log Stardate -315673.93
Lalaine's desktop got infected with some kind of trojan or virus last night. Her desktop wallpaper was replaced by a fake warning window (check picture above):
Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer
Warning! Win32/Adware.Virtumonde Detected on your computer
Warning! Win32/PrivacyRemover.M64 Detected on your computer
She tried to change it back, but the Desktop and Screensaver tabs had disappeared from her Display Properties, making it impossible to change the background wallpaper and screensaver.
We've tried different programs to scan her desktop with no luck. Avira, Ad-Aware, Spybot Search and Destroy, SUPERAntiSpyware, and Malwarebytes can't even finish scanning her computer. The system would either restart or display the ever famous Windows XP Blue Screen.
I've searched the internet and it seems that this virus or trojan is new (based on the timestamps of forum posts). Most (or all) of the tutorials currently available on the internet don't work. There are links to programs that supposedly remove this malware, but I just don't download and trust programs from unknown sources.
So it's either I reformat the computer (which is out of the question) or I look for a way to remove this virus from her computer. System Restore? Screwed. I've disabled her computer's system restore to save disk space. Stupid me.
 Anyway, I opened up Windows Task Manager and saw two unknown programs, a.exe and ohbmaodi.exe. I've terminated the processes and uploaded them to Virus Total. No detection on ohbmaodi.exe and a suspicious file detection on a.exe. I was getting frustrated since most of the forums and websites I've been through have no definite solution to remove the malware.
I've installed HijackThis and finally I saw a pattern within the log report after comparing it to three logs from three different people from two different message boards.
Here is Lalaine's HijackThis report:
O4 - HKLM\..\Run: [lphcnlgj0eg51] C:\WINDOWS\system32\lphcnlgj0eg51.exe
And here's the three other logs I've encountered.
O4 - HKLM\..\Run: [lphcjthj0ec09] C:\WINDOWS\system32\lphcjthj0ec09.exe
O4 - HKLM\..\Run: [lphcn7rj0era7] C:\WINDOWS\system32\lphcn7rj0era7.exe
O4 - HKLM\..\Run: [lphceedj0e70e] C:\WINDOWS\system32\lphceedj0e70e.exe
Notice the similarity of their filenames? During this time, Avira updated my virus definition files and detected a.exe as TR/FraudPack.26624 Trojan. Since Avira crashed the desktop earlier, I disabled its realtime protection and proceeded to remove the malware manually.
I uploaded the file (lphcnlgj0eg51.exe) to Virus Total and 15 out of 36 Anti-Virus programs detected it as a malware/trojan/virus.
So we've finally got our target, time to exterminate it. If you're infected with this malware, you may follow my instructions below. But be warned, this may damage your computer even more since we'll be tinkering with the Windows registry.
First install HijackThis from Trend Micro (download link). Once installed, launch the application and click "Do a system scan and save log file". After the scan, a log file will be opened in Notepad. This will be your guide in finding the malware.
Review the log and look for a filename that resembles the filenames we've encountered earlier. The filename may start with lphc, then 3 random characters, then j0e, then another 3 random characters. From the logs I've gathered, your filename might look like this (where X = random character):
lphcXXXj0eXXX.exe
Now that you've got your target, time to open up the Registry Editor. Click START then RUN then type in regedit and press Enter.
Let's restore your desktop wallpaper and screensaver first. Find your way through
HKEY_CURRENT_USER\Control Panel\Desktop
Notice in the right side panel that there are 4 elements the virus/malware altered: ConvertedWallpaper, OriginalWallpaper, SCRNSAVE.EXE, and Wallpaper. Right click on each of them, click Modify, then use the values below:
ConvertedWallpaper - C:\Documents and Settings\XXX\Local Settings\Application Data\Microsoft\Wallpaper1.bmp (where XXX is your current XP login)
OriginalWallpaper - C:\Documents and Settings\XXX\Local Settings\Application Data\Microsoft\Wallpaper1.bmp (where XXX is your current XP login)
SCRNSAVE.EXE - C:\WINDOWS\system32\logon.scr
Wallpaper - C:\Documents and Settings\XXX\Local Settings\Application Data\Microsoft\Wallpaper1.bmp (where XXX is your current XP login)
Now let's restore your Desktop and Screensaver tabs. Find your way to
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
Delete the System folder under Policies, then that's it. Your Desktop and Screensavers tab will be back like Bucky 'O Hare.
Now time to eradicate the malware from your system. Click Edit then Find.
 Enter the filename you got from Hijackthis (In my case it's lphcnlgj0eg51.exe) then press Find. I found mine on these folders:
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 Delete all the registry entries you'll find and restart your computer. After the restart, update your anti-virus and anti-spyware software then perform a complete scan of your computer.
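As an added triage script (not part of the original post), the Python below scans HijackThis O4 lines for the lphcXXXj0eXXX.exe filename shape and turns each hit into the registry work list from the steps above. The sample log lines are constructed, the login name is an assumption, and the pattern is widened so the "phc...j0e..." variant a commenter reports below also matches.

```python
import re

# Constructed sample HijackThis O4 lines (filenames taken from the post and a
# comment); this is not a real log from any machine.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKLM\\..\\Run: [lphcnlgj0eg51] C:\\WINDOWS\\system32\\lphcnlgj0eg51.exe
O4 - HKCU\\..\\Run: [phc1b9j0ens2] C:\\WINDOWS\\system32\\phc1b9j0ens2.exe
O4 - HKLM\\..\\Run: [avgnt] C:\\Program Files\\Avira\\avgnt.exe
"""

# Filename shape from the post: lphc + 3 chars + j0e + 3 chars + .exe. The leading
# "l" is optional so the "phc...j0e..." variant from the comments also matches.
VUNDO_NAME = re.compile(r"\bl?phc[0-9a-z]{3}j0e[0-9a-z]{3}\.exe$", re.IGNORECASE)
# HijackThis O4 line: "O4 - <hive>\..\Run: [<value name>] <path>"
O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
WALLPAPER = "C:\\Documents and Settings\\{login}\\Local Settings\\Application Data\\Microsoft\\Wallpaper1.bmp"

def find_suspects(log_text):
    """Return (hive, value name, exe path) for each O4 Run entry matching the pattern."""
    hits = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if m and VUNDO_NAME.search(m.group(3)):
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits

def cleanup_plan(hits, login):
    """Turn the hits into the registry work list the post walks through."""
    data = WALLPAPER.format(login=login)  # login is an assumed XP account name
    return {
        # Run values to delete, one per suspect (the post found its entry under HKLM)
        "delete_run_values": [
            f"{HIVES[h]}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\{name}"
            for h, name, _ in hits],
        # filenames to search for (Edit > Find) under MUICache and remove
        "search_muicache_for": [path.rsplit("\\", 1)[-1] for _, _, path in hits],
        # key whose removal brings the Desktop/Screensaver tabs back
        "delete_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
        # HKCU\Control Panel\Desktop values to put back
        "restore_desktop": {"ConvertedWallpaper": data, "OriginalWallpaper": data,
                            "Wallpaper": data, "SCRNSAVE.EXE": "C:\\WINDOWS\\system32\\logon.scr"},
    }

if __name__ == "__main__":
    hits = find_suspects(SAMPLE_LOG)
    for item in hits:
        print("suspect:", item)
    for k, v in cleanup_plan(hits, "Lalaine").items():
        print(k, "->", v)
```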
That's it! You've exterminated the Win32/Adware.Virtumonde / Win32/PrivacyRemover.M64 trojan.
Always keep your antivirus and anti-spyware up to date and avoid visiting dubious websites to prevent future infections. I think Lalaine got this from one of the local showbiz blogs :P
*Computer end log*
Labels: internet, security, software, tutorials

THERE ARE 9 COMMENT(S) ON THIS POST:
To save you the trouble of having gone through all that my dear chap, you could have simply used superantispyware. Just download it for free from superantispyware.com.
That's the first program that actually killed the vundo crap (and its numerous variants) from my pc. I got it while checking out asian porn sites.
Actually, I seem to get it all the time from different porn sites, that's why I don't go there anymore. Tell your friend that visiting "showbiz" sites (which post nude or x-rated stuff) might not be such a good idea anymore. She could just download those stuff via torrent.
Thank you very much for the thorough explanation of the fix, worked perfectly. I appreciate the time you have taken to help others.
@superantispyware - as you can read above, I've also used superantispyware and it won't finish scanning.
Thanks buddy... you saved a lot of my time... I was thinking of formatting my system.
Hi.... I have the same problem...I've tried your method, but by the end, my computer always shuts down and restarts before I can complete your method. After that, I kept trying again and again, and finally I was able to complete all the registry changes before the computer shut down. However, when it did restart, the registry was back to the previous state, with altered background, etc.!!! Please help me!!!
Hi Mike... the best solution is to install Malwarebytes (from malwarebytes.org) and run the scan and remove everything it detects... then run SDFix in safe mode... should clear off everything... then run the Kaspersky online scan at the end to make sure no virus remains... refer to geekstogo.com for further info...
@mike - what kind of shutdown do you have? The one where the PC shuts down instantly, or the one where you'll see a message with a countdown timer to shutdown?
If it's the latter then create a shortcut to "shutdown -a". This will abort the shutdown or try to open Run and type "shutdown -a" without the quotes then press enter.
Hey man, I had it all removed but I could not get the background desktop thing, thank you very much for having such a well explained step by step man you saved me.
You're a lifesaver. My version was "phc1b9j0ens2" but did the same as yours. The registry edits were the key.