PDA

View Full Version : Virtumonde also



mikebind
2009-03-31, 09:34
Hi, I don't have HJT, and I was looking for some guidance for my particular situation. My problem started when I clicked on a poorly chosen link and my computer slowed down considerably and I got a warning that my computer was trying to contact a malicious IP address. Also, TeaTimer warned me that a few startup registry entries were trying to be changed. I denied those changes and tried to close my browser (Chrome), but everything was running extremely slowly. Eventually I hard-rebooted the computer. On startup I was warned again about registry changes for startup programs with nonsense-looking names which I repeatedly denied, then blacklisted (the questions popped up every few seconds). At some point during this whole process it occurred to me to disconnect my internet connection, so I did that. I did a Windows Defender quick scan which found nothing, and then a Spybot scan which found some cookies and the Virtumonde trojan. I told Spybot to fix the problems and got no errors, but the description for Virtumonde suggested that I might need to more to make sure it didn't come back.

So, my question is, what do I need to do to finish the cleanup? The description said Virtumonde installs a browser helper object, so I have not opened a browser since the initial event, and I have not reconnected to the internet (I'm using a different computer at the moment, obviously). Also, I denied all requested registry changes that were brought to my attention by TeaTimer.

I have no problem downloading HJT and posting a log, but I didn't know if I could save some trouble by avoiding reconnecting my infected computer to the internet until the cleanup was complete.

mikebind
2009-03-31, 10:49
It seems I was being overly cautious. When I restarted my computer and rescanned with Spybot, it found nothing, so I think that my problem is resolved. If someone takes a look at this and there is something they think I should be concerned about, please let me know by email. My email address is my username (AT) gmail. Thanks anyway!

tashi
2009-03-31, 23:10
Hi mikebind,

If you need one of our volunteer analysts to advise you please follow the procedure in this sticky faq to produce a log and then start a new topic.

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)


Note:
If you have lost your Internet connection on the infected computer, or otherwise cannot post from that machine; you can download HJT to a clean PC if one is available. You can also try this if malware is blocking your access to security forums and tools.


Upload to infected machine
Place HJT into own folder
Run HJT on the infected PC and post the log you produce using the clean PC.



Regards. :)