Unable To Remove Adware.virtumonde.gfh
My PC is infected with Adware.Virtumonde.GFH, tech info here: http://www.bitdefender.com/VIRUS-1000155-e...umonde.GFH.html
I got 2 files infected:
C:\WINDOWS\system32\sstqq.dll
c:\windows\system32\yayayxy.dll
I used BitDefender 10 to scan but It said:
disinfect failed
moved failed
So, that stubborn virus is still there (in fact BitDefender deleted it but it appeared again and again)
What can I do now?
PS
I booted in safe mode but still can't delete those dll files (those files are being used by another proccess...), same for the corresponding registry keys (they reappeared each time I deleted)
I'm thinking of a plan:
I'll create a boot diskette then boot from this disk, then I'll use dos
command:
del C:\windows\system32\yayayxy.dll
What does this sound like?
Comments
-
It sounds like a good plan, however it is hard to create boot disks from Windows XP and up (there is no built-in way to do so as far as I know) and there is also the issue that you need additional utilities to read a NTFS partition, however if you have the install CD for Windows, you can boot into the recovery console and delete the file from there. See this topic for instructions.
Best regards.0 -
A somewhat better approach would be to find out first which process loads those DLLs. To accomplish this, download Process Explorer and press Ctrl+E (Find DLL). Type the name of each DLL and press Search; a list of the executables loading the DLLs will appear. Locate those executables and upload them here.
After we have a look at the EXEs, the DLLs can be unlocked using Unlocker and then deleted (word of warning: when handles owned by a process are unlocked, that process may become unstable, so if the process is a system process, you may need to reboot your computer); this way you don't have to reboot the computer.0 -
When it's indeed Adware.Virtumonde.GFH, it will be loaded under winlogon.exe and explorer.exe/iexplore.exe (since it runs as a Browser Helper Object as well).A somewhat better approach would be to find out first which process loads those DLLs
if you're under Vista, then you can deal with this easily since Vista doesn't support Winlogon Notify packages..; So in that case, just kill explorer.exe and iexplore.exe and delete the files (or let Bitdefender deal with it)
However, when you're running under XP/Win2k, then it will be harder to remove. Unlocker will fail here as well unfortunately as it also watches the PendingFileRename operations.
You can use Process Explorer: http://www.microsoft.com/technet/sysintern...s###plorer.mspx to deal with it in combination with Unlocker.
In process explorer, suspend explorer.exe, iexplore.exe and winlogon.exe, then use unlocker to kill the file. It will tell you to delete the file on reboot - and this will work this time as the related processes are suspended.0 -
When it's indeed Adware.Virtumonde.GFH, it will be loaded under winlogon.exe and explorer.exe/iexplore.exe (since it runs as a Browser Helper Object as well).
if you're under Vista, then you can deal with this easily since Vista doesn't support Winlogon Notify packages..; So in that case, just kill explorer.exe and iexplore.exe and delete the files (or let Bitdefender deal with it)
However, when you're running under XP/Win2k, then it will be harder to remove. Unlocker will fail here as well unfortunately as it also watches the PendingFileRename operations.
You can use Process Explorer: http://www.microsoft.com/technet/sysintern...s###plorer.mspx to deal with it in combination with Unlocker.
In process explorer, suspend explorer.exe, iexplore.exe and winlogon.exe, then use unlocker to kill the file. It will tell you to delete the file on reboot - and this will work this time as the related processes are suspended.
I'm using WinXP SP2 and I couldn't suspend Winlogon.exe (access is denied). Moreover, When I used Unlocker with yayayxy.dll it said:
Error debug priveleges
check FAQ on http://ccollomb.free.fr/unlocker/
When I wen to that website it said:
- What is "Error Debug Privileges"? It means that your Local Security Settings do not allow a Debug Privilege for your profile. Read Microsoft's documentation and set "Debug Programs" rights
What to do now?
I think that it's simple to create a boot diskette (just insert a floppy disk -> format as MS-DOS startup disk) isn't it? (I've never tried)0 -
another method I can think up is using command prompt:
rd/q/s "C:\windows\system32\yayayxy.dll"
what's your opinion?0 -
You can also try Vundofix: http://www.atribune.org/ccount/click.php?id=4
This will be the fastest and easiest option. Run the tool and it will scan for virtumonde/Vundo/Conhook related files and delete them.
In case it doesn't recognise the ones you have, you can rightclick in Vundofix and select the option to add more files.
There you'll see some empty fields where you have to copy and paste the filepath to the files, so in this case:
C:\Windows\system32\yayayxy.dll
C:\WINDOWS\system32\sstqq.dll0 -
You can also try Vundofix: http://www.atribune.org/ccount/click.php?id=4
This will be the fastest and easiest option. Run the tool and it will scan for virtumonde/Vundo/Conhook related files and delete them.
In case it doesn't recognise the ones you have, you can rightclick in Vundofix and select the option to add more files.
There you'll see some empty fields where you have to copy and paste the filepath to the files, so in this case:
C:\Windows\system32\yayayxy.dll
C:\WINDOWS\system32\sstqq.dll
Thank you so much!!!! You are great!
I've searched the internet for several days and found many people have the same problem as me.
Thank you again!0 -
You're most welcome.
0