badbass Posted October 20, 2014
This is from a Dell Win8 recovery CD after the hard drive has been overwritten with random bit patterns. I have a customer that is convinced her PC locks her out of the administrator acct. Sets up restrictive group policies. She is trying to convince me her entire hard drive is shared. I said you have a Windows password; you can't see a Windows share on the other side of a router. She can't change her workgroup. Windows commands are not recognized as internal or external commands, like ipconfig or sfc. She did find Virtumonde. Null drivers for printers and network adapters. Group policy object for sharing her entire drive. The only thing we found is Virtumonde and maybe a keystroke logger. Is Virtumonde a keystroke logger?
liv3vil Posted October 21, 2014
According to Panda Security at http://www.pandasecurity.com/homeusers/security-info/53087/Virtumonde/ this is what they say (note: I copied and pasted it from their site):

Brief Description
Virtumonde is a spyware program that creates a DLL (Dynamic Link Library), which logs keystrokes and connects to a certain web page, in order to obtain miscellaneous information and display advertising messages periodically. Virtumonde connects the DLL it creates to the system process explorer.exe. By doing this, it goes memory resident, and checks if Virtumonde is currently running. If not, Virtumonde is launched again. Additionally, Virtumonde registers itself as an LSP (Layered Service Provider), in order to harvest users' information about their connection, such as Internet usage, pages viewed, phone connection details, inventory of the applications installed on the computer, etc. Spyware can be installed with the user's consent and awareness, but sometimes it is not. The same happens with the knowledge or lack of knowledge regarding data collected and the way it is used.

Note: LSP (Layered Service Provider) is a Windows feature that allows a number of programs to be specified in order to process all the TCP/IP traffic taking place between the Internet and the applications that are accessing the Internet (such as the web browser, the email client, etc.). For example, a computer security program could be specified which analyses the traffic in search of viruses or other threats before transferring it to the final application of the traffic. However, this structure can also be used by adware and spyware programs, in order to intercept communication across the Internet, and, what is worse, if they are deleted without taking precautions, the Internet connection will stop working indefinitely.

Visible Symptoms
Virtumonde is easy to recognize, as it displays advertising messages periodically.
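The Panda description above names two places a defender can look on a live Windows system: the Winsock LSP catalog, and the set of DLLs loaded into explorer.exe. The following PowerShell script is an added example written for this thread, not code from either poster or from Panda Security. It lists every provider path in the Winsock catalog (parsed from the output of netsh winsock show catalog, which is assumed to be in English) and every module loaded in explorer.exe, and marks for review any file that does not carry a valid Authenticode signature from Microsoft. A "REVIEW" mark only means the file is not Microsoft-signed; legitimate security products install LSPs too, so each flagged entry still has to be identified by hand.

```powershell
# Added example for this thread (not the posters' or Panda Security's code).
# Lists Winsock LSP provider DLLs and modules loaded in explorer.exe, flagging
# anything that is not validly Microsoft-signed for manual review.
# Assumes English 'netsh' output and an elevated PowerShell session.

function Get-WinsockProviderPaths {
    # 'netsh winsock show catalog' prints one "Provider Path:" line per catalog entry.
    $catalog = netsh winsock show catalog
    $paths = foreach ($line in $catalog) {
        if ($line -match '^\s*Provider Path:\s*(.+?)\s*$') {
            # Paths are usually stored as %SystemRoot%\system32\...; expand them.
            [System.Environment]::ExpandEnvironmentVariables($Matches[1])
        }
    }
    return ($paths | Sort-Object -Unique)
}

function Test-MicrosoftSigned {
    param([string]$Path)
    # Missing file: the catalog points at something that no longer exists,
    # which is itself worth a look (and a classic cause of broken connectivity).
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -like '*Microsoft*')
}

function Show-Flagged {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        $flag = if (Test-MicrosoftSigned -Path $p) { 'ok    ' } else { 'REVIEW' }
        Write-Host ("{0}  {1}" -f $flag, $p)
    }
}

Write-Host '== Winsock Layered Service Providers =='
Show-Flagged -Paths (Get-WinsockProviderPaths)

Write-Host ''
Write-Host '== Modules loaded in explorer.exe =='
$explorer = Get-Process -Name explorer -ErrorAction SilentlyContinue
if ($explorer) {
    $modulePaths = $explorer.Modules |
        ForEach-Object { $_.FileName } |
        Sort-Object -Unique
    Show-Flagged -Paths $modulePaths
} else {
    Write-Host 'explorer.exe is not running (nothing to inspect).'
}
```

Run it from an elevated prompt on the live system, not from the recovery environment, since both the Winsock catalog and the explorer.exe module list are read from the running OS. If removing a flagged LSP afterwards leaves the machine without network access (the failure mode the Panda note warns about), netsh winsock reset rebuilds the catalog to its default entries.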