I have been going through the cleanup steps and reviewing the many excellent links provided in your last post from yesterday afternoon. I got a bit of a scare at one point, but I think it was a false alarm. Here is a summary of events.
As I was reading your links yesterday, McAfee started its regular scheduled scan in the background and gave me the following "Virus Alert" in a popup...
Excerpt from McAfee Scan log...
3/12/2009 4:17:39 PM Deleted NT AUTHORITY\SYSTEM C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP2\A0000225.dll Vundo.gen.aj
... end log excerpt.
I quickly disconnected and shut down. But on starting up, I saw that the bad file was apparently in one of the System Restore files - I had not yet flushed these files per your directions, so I did that and figured that was that.
Just to be sure, I then did another Spybot update & scan, followed by a MBAM update & scan. Both came out clean.
Finally, another McAfee update & full scan. The McAfee scan log then showed...
Scan log excerpt...
12/03/2009 8:20 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\bekozije.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:20 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\bekozije.dll.vir File was deleted as part of Cleaning it
12/03/2009 8:20 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\biwohojo.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:20 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\biwohojo.dll.vir File was deleted as part of Cleaning it
12/03/2009 8:20 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\bowewore.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:21 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\bowewore.dll.vir File was deleted as part of Cleaning it
12/03/2009 8:21 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\dezupiye.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:21 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\dezupiye.dll.vir File was deleted as part of Cleaning it
12/03/2009 8:21 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\eufowd.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:21 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\eufowd.dll.vir File was deleted as part of Cleaning it
12/03/2009 8:21 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\fejuvn.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:21 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\fejuvn.dll.vir File was deleted as part of Cleaning it
12/03/2009 8:21 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\fsrfkm.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:21 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\fsrfkm.dll.vir File was deleted as part of Cleaning it
12/03/2009 8:21 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\malesiba.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:21 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\malesiba.dll.vir File was deleted as part of Cleaning it
12/03/2009 8:21 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\monept.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:21 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\monept.dll.vir File was deleted as part of Cleaning it
12/03/2009 8:21 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\rozodobu.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:21 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\rozodobu.dll.vir File was deleted as part of Cleaning it
12/03/2009 8:21 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\tigahifa.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:21 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\tigahifa.dll.vir File was deleted as part of Cleaning it
12/03/2009 8:21 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\wisolike.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:22 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\wisolike.dll.vir File was deleted as part of Cleaning it
12/03/2009 8:22 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\yidopamo.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:22 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\yidopamo.dll.vir File was deleted as part of Cleaning it
... end of excerpt.
I've never seen the folder "Qoobox" before but my guess is it was created by one of the cleanup programs I ran (Combofix maybe?). Anyway, McAfee deleted the bad files, and even the Qoobox folder was gone when I booted up this morning, so all seems well. If you agree, then I guess our work is done, although I am continuing to implement several of your good tips while I'm still highly motivated.
And I have to finish by expressing my sincere thanks and appreciation for the work that you and your colleagues are doing in this forum. It is a rare and pleasant experience to find things like this going on; it reminds us of what the internet could and should be, but too often is not.
Somewhere else in the forum I saw a mention of ways to donate, which I will also be visiting.
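An added example, not part of the original post: a small Python triage of McAfee log lines in the layout quoted above. It checks whether each detection sat in a dormant store (a System Restore point or the Qoobox quarantine folder) or in a live location, and whether it has a matching Deleted entry. The sample log is constructed from lines in the post plus one invented entry (example.dll), and the regex assumes file names contain no spaces.

```python
import re

# Constructed sample in the layout of the log lines quoted in the post;
# the last entry (example.dll) is invented to show an unresolved live detection.
SAMPLE_LOG = r"""
3/12/2009 4:17:39 PM Deleted NT AUTHORITY\SYSTEM C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP2\A0000225.dll Vundo.gen.aj
12/03/2009 8:20 PM Infected GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\bekozije.dll.vir Vundo.gen.aj (Trojan) (Removable)
12/03/2009 8:20 PM Deleted GBW-LAPTOP\Gary C:\Qoobox\Quarantine\C\WINDOWS\system32\bekozije.dll.vir File was deleted as part of Cleaning it
12/03/2009 8:22 PM Infected GBW-LAPTOP\Gary C:\WINDOWS\system32\example.dll Vundo.gen.aj (Trojan) (Removable)
"""

# Fields: timestamp, action, account, path, detail.
# Assumption: the file name (last path component) contains no spaces.
LINE_RE = re.compile(
    r"^(\S+ \S+ [AP]M) (Infected|Deleted) (.+?) ([A-Za-z]:\\.*\\\S+) (.*)$")

def classify(path):
    """Say whether a detected file sat in a dormant store or a live location."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system-restore"   # copy kept inside a restore point
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"       # renamed .vir copy kept by the cleanup tool
    return "live"

def triage(log_text):
    """Map each detected path to (location, has_deleted_entry)."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        action, path = m.group(2), m.group(4)
        location, deleted = seen.get(path, (classify(path), False))
        seen[path] = (location, deleted or action == "Deleted")
    return seen

def needs_attention(log_text):
    """Paths found in a live location or lacking a Deleted entry."""
    return [p for p, (loc, deleted) in triage(log_text).items()
            if loc == "live" or not deleted]

if __name__ == "__main__":
    for path, (loc, deleted) in triage(SAMPLE_LOG).items():
        print(f"{loc:15} deleted={deleted}  {path}")
    print("follow up:", needs_attention(SAMPLE_LOG))
```

Run over the excerpts in the post, every entry classifies as system-restore or quarantine and each Infected line has its Deleted partner, so nothing is flagged for follow-up.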