Nod32 Can't do it (virtumonde.hc)

Discussion in 'NOD32 version 2 Forum' started by faenil, Mar 11, 2007.

Thread Status:
Not open for further replies.
  1. faenil

    faenil Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    88
    I thought nod32 was invincible, but yesterday it let virtumonde.hc pass through the protection and infect the system...
    now nod32 detects it every minute, and says it'll delete the file after the reboot, but it doesn't...

    what can I do? I'm disappointed with nod...
     
  2. ASpace

    ASpace Guest

    Hello !

    Make sure your definition is up-to-date by pressing Control Center -> Update -> Update now.


    Make sure your settings are the same as this tutorial.

    Open Control Center -> NOD32 -> Run NOD32 and perform a full Scan&Clean over your hard drives. NOD32 will take care of these threats :)

    If you have problems deleting them in Normal mode, boot in Safe Mode and then perform a full scan there.
    You can also use Ewido Micro for second opinion

    :thumb:
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I reckon Virtumonde dlls get injected into winlogon process before any program gets started. Try booting from a clean media and remove the dll manually or using NOD32.
     
  4. faenil

    faenil Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    88
    ok thank you very much...what if I haven't got any clean media?...is it the only possibility to get rid of this adware? Why did nod fail to detect it and let it infect winlogon.exe?
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    You should keep in mind that NO AV detects all threats in the world, especially as Virtumonde authors keep fighting with AV vendors on a daily basis. Please drop an email to support [at] eset.com along with a link to this thread.
     
  6. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
    Hi
    I know that Marcos knows more about this than I, so I am not going to question his advice.
    Can the OP use the instructions below to remove "virtumonde" as it is considered "spyware"?
    http://www.spywareremove.com/removeVirtuMonde.html
    Just a suggestion.
    Cheers :)
     
  7. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    That post is not very helpful, as Virtumonde/Vundo uses tens of thousands of different CLSIDs and filenames (including random ones).

    There's an excellent dedicated tool called VundoFix, but its use needs to be monitored by a skilled helper, as there usually needs to be some user interaction as well.

    By far the best thing to do is post a HijackThis log at one of the boards specializing in malware removal so that the experts can have a look at what's running and help you deal with your problem.

    Here are two outstanding forums that aren't quite as busy as the more familiar ones:

    http://www.bleepingcomputer.com/forums/index.php?
    http://www.techsupportforum.com/

    Best regards,
     
  8. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
    Thanks Tony
    I will stand corrected :eek:
    Cheers :)
     
  9. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    No prob. :)

    Incidentally, the article is even worse than I thought at first glance:

    I had another look, and in addition to (a few) Vundo files it also lists a couple of ancient CoolWebSearch files and a SideStep dll (SbCIe02b.dll) as belonging to Vundo... :D
     
  10. faenil

    faenil Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    88
    Hi, guys...
    I used UnDll from Eset and I deleted the dll that infected logon.exe...
    then I ran a full scan with Nod32...

    It seems to be ok now...
    do you think the spyware has been removed?
     
  11. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    It's still a very good idea to go to one of the forums I mentioned and post a HijackThis log for analysis. There will invariably be additional files and registry keys that need to be removed.
     