Stargate Information Archive

Virtumonde/Smitfraud and Confuscate, The art of dealing with them.

richfolkes
Posted Jun 7th 2009, 4:53 PM
Post #1
Before I begin, I need to make one thing clear. None of the procedures outlined in this post are for beginners. If you're not comfortable with carrying out any of these operations, please print out this post and then take your computer with the printout to a qualified technician.

Virtumonde is a computer virus which creates one or more randomly generated *.dll files which run under EXPLORER.EXE and LSASS.EXE. Using these two processes is a failsafe which prevents the randomly generated *.dll files from being removed, even in safe mode.

This virus causes unwanted browser windows to pop up and disables the Registry Editor, Task Manager and Command Prompt, which is another failsafe designed to prevent the virus from being removed. In addition to this, it also installs software in the background, including misleading applications such as Antivirus Xp, Spyware Sheriff and others which demand an upfront payment to 'activate' the software.

One of the companion viruses associated with Virtumonde is Smitfraud-C. This one disables the changing of wallpapers and installs an HTML page in place of your regular wallpaper containing a button saying something like "fix now" or "register".

And once such viruses are successfully removed, your computer is still not the same until you set about undoing the settings that were altered by the two viruses.

The way to deal with Virtumonde and Smitfraud-C is to first disconnect from the Internet, disable System Restore and clear out the Internet cache and temporary files. Then run a genuine antispyware program such as SuperAntiSpyware Pro or Spybot Search & Destroy; preferably both.

Once you have identified the random *.dll file(s), use Process Explorer to kill EXPLORER.EXE and then LSASS.EXE (remember, killing LSASS.EXE will shut down the computer in one minute) and then use the Command Prompt to remove the offending *.dll files.

Alternatively, you can use the Windows Recovery Console to remove the offending files.

This method is for Windows Xp only. I haven't done this on a Vista machine yet. When I do, I'll provide a follow up post.

Firstly, run your antispyware program, but take no action against the files identified. Only deal with the registry items.

Secondly, write down the offending *.dll files on a piece of paper, insert your Windows Xp CD and shut down the computer.

Thirdly, boot from the CD and when it comes up with install Windows Xp or repair using the recovery console, press 'R' instead of 'ENTER'.

Fourthly, in the recovery console, you will get a DOS prompt. This is not just any DOS prompt. The commands are different and have different parameters.

Fifthly, here are the instructions for removing the offending files:

1. Navigate to SYSTEM32 (CD WINDOWS\SYSTEM32 [N.B. You need to put a space after CD, otherwise the command won't work.])

2. Remove the offending files you have written down. The command is DELETE <random letters>.dll

Finally, after you have tackled the virus, download and use these tools to right your system:

http://members.optusnet.com.au/richamcl/sv...tivedesktop.zip
http://members.optusnet.com.au/richamcl/svchost/EnableTM.zip
http://members.optusnet.com.au/richamcl/svchost/logoff.zip
http://members.optusnet.com.au/richamcl/svchost/regtools.zip

Credit for these files to Doug Knox www.dougknox.com

Now, let's talk about the Confuscate Trojan.

Outline:

You are running your computer and you plug in your USB flash drive or USB external hard drive but you cannot access it. It either does nothing or spits out an error message saying: "(d) drive is not accessible. the maximum number of secrets that may be stored in a single system has been exceeded" The computer picks up the drive and all the "New hardware found" balloons go their merry way.

When you click "Safely Remove Hardware", the device doesn't have any drive letter attached. Furthermore, when you open "Disk Management", it shows only the CD/DVD drive(s).

And any antispyware program which launches on startup (such as SuperAntiSpyware Pro) crashes each time. When you try to run it, it fails to launch. Also, you cannot install any new anti-spyware programs either.

Also, when you run a virus scan, your computer locks up during the scan.

It is most likely your computer is infected with the Confuscate Trojan. The misbehaviors I have just described are failsafes the virus uses to prevent removal via antispyware and antivirus programs.

Dealing with this virus is pretty tricky since this is a rootkit (a virus which loads *.dll files under key system files such as explorer.exe, lsass.exe, svchost.exe and so on).

It also installs a service within Windows making it especially difficult.

The offending files are found under "C:\Windows\System32\" and "C:\Windows\System32\drivers\", and are named:

UAC<random letters>.*

Removal Method:

If you need to run any antispyware programs in the meantime, such as Super Anti Spyware and/or Malwarebytes' Anti Malware, first go to "[d]:\Program Files\SUPERAntiSpyware" and "[d]:\Program Files\Malwarebytes' Anti-Malware", rename the files "SUPERAntiSpyware.exe" and "MBAM.EXE" to "STARGATE.EXE" and "GENERALHAMMOND.EXE" respectively, and then run the programs. When you're done, you can then rename the files back to their original names.

PLEASE NOTE: The instructions below are for Windows Xp systems ONLY. Do not attempt this on a Windows Vista system. I have not encountered this virus on a Vista machine yet, but when I do, I'll provide a thread to give instructions on removal from a Vista machine.

To remove these files, first turn off System Restore (and for good measure, clear out your temp files as well. This should remove any payloads tucked away that it uses to reinstall the virus and reinfect the system). Now, insert your Windows Xp CD, reboot the computer and boot from the CD. When the setup screen comes up, press "R" to repair using Recovery Console, choose the Windows installation (usually by pressing "1" and then ENTER) and when you get the logon for Administrator and the password prompt, type in your password and press Enter (if you haven't set a password for Administrator, just press Enter).

You will get a special DOS prompt. Now type "CD \WINDOWS\SYSTEM32" (IMPORTANT for those familiar with DOS: the Recovery Console prompt has special commands which work differently to normal DOS. You must put a space after the CD command or it won't work.), then type dir UAC*. When you see the listing, type DELETE UAC<random letters>.dll, .dat, etc. for each file listed (IMPORTANT: you can only delete the files individually).

Now type "CD DRIVERS" and then type dir UAC* and then DELETE UAC<random letters>.sys, etc.

After all this is done, start Windows normally (you might see some error messages referring to the files you just deleted coming up. Just dismiss them all) and you should then be able to run your antispyware and/or your antivirus programs again and use your USB drives.

After you have run your scans, and cleaned your system, it should be back to normal again.

Here is also a link which may be helpful: http://forum.avast.com/index.php?act...;topic=44103.0
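The triage step from the removal method above (list System32 and its drivers folder, pick out the UAC<random letters>.* names, then delete each file individually because the Recovery Console takes no wildcards) can be done offline on a captured listing. This is an added example, not part of the original post; the sample listing and the file names in it are constructed, not indicators from a real machine.

```python
"""Triage a System32 listing for UAC<random letters>.* files and emit
one Recovery Console DELETE per file, as the post describes.

Added example, not from the original post. SAMPLE_LISTING is constructed.
"""
import re
from typing import Dict, List

# Indicator pattern the post gives: "UAC" + run of letters + some extension.
# Case-insensitive because the Recovery Console and FAT/NTFS names are too.
UAC_FILE = re.compile(r"^UAC[A-Za-z]{4,}\.[A-Za-z0-9]{1,3}$", re.IGNORECASE)

# Constructed sample of what `dir` might show in the two directories named
# in the post. Legitimate names are mixed in to show they are not flagged.
SAMPLE_LISTING: Dict[str, List[str]] = {
    r"C:\WINDOWS\SYSTEM32": [
        "kernel32.dll", "lsass.exe", "UACqwtvxk.dll", "ntdll.dll", "UACqwtvxk.dat",
    ],
    r"C:\WINDOWS\SYSTEM32\DRIVERS": ["ntfs.sys", "UACqwtvxk.sys", "disk.sys"],
}


def find_uac_artifacts(listing: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {directory: sorted suspect names} for names matching UAC_FILE.

    Directories with no hits are omitted so the caller can tell
    "nothing found" from "found but empty".
    """
    hits: Dict[str, List[str]] = {}
    for directory, names in listing.items():
        suspects = sorted(n for n in names if UAC_FILE.match(n))
        if suspects:
            hits[directory] = suspects
    return hits


def recovery_console_commands(hits: Dict[str, List[str]]) -> List[str]:
    """Build the command sequence to type at the Recovery Console prompt.

    The drive letter is dropped (the console is already on the Windows
    volume) and every file gets its own DELETE, since the post notes the
    console will only delete files individually.
    """
    cmds: List[str] = []
    for directory, names in hits.items():
        cmds.append("CD " + directory.split(":", 1)[1])  # "CD \WINDOWS\SYSTEM32"
        cmds.extend(f"DELETE {name}" for name in names)
    return cmds


if __name__ == "__main__":
    for line in recovery_console_commands(find_uac_artifacts(SAMPLE_LISTING)):
        print(line)
```

Write the printed lines on paper before rebooting, as the post suggests; the script only prepares the list, it deletes nothing itself.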