
Thread: Virtumonde needed

  1. #51 - Developer-Visiting Fellow (Join Date: Aug 2006, Posts: 62)

    Did you delete the folder - C:\QooBox ?

    There were a ton of infected files there. It's puzzling why Kaspersky didn't detect any from there.


    --------



    Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

    Code:
    @echo off
    rem Remove the log from any earlier run so only this run's failures are reported
    if exist "%temp%\log.txt" del "%temp%\log.txt"
    
    rem Quarantined and leftover files: force-delete each one and log any that survive
    for %%g in (
    "C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-13F4B4C78199D4682"
    "C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-13FAA3AE144846B5B"
    "C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-13FB24381D0E1290"
    "C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-13FFB53AB335F631C"
    "C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-140803F5C6026752E"
    "C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-140A47CF32DB118"
    "C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-143DA40363D666E10"
    "C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-144765B502DC71FE1"
    "C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-144CF652E3A636358"
    "C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\3FyIifGQQQKq\VirusBin\Infected-ACCB240D1EE312B0"
    "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MalwareAlarm.zip"
    "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NNCMGRS.zip"
    "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NNCMGRS1.zip"
    "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NNCMGRS2.zip"
    "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NNCMGRS3.zip"
    "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NNCMGRS4.zip"
    "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NNCMGRS5.zip"
    "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NousTechUCleaner.zip"
    "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NousTechUCleaner1.zip"
    "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NousTechUDefender.zip"
    "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip"
    "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack.zip"
    "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack1.zip"
    "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack3.zip"
    "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack4.zip"
    "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack6.zip"
    "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack7.zip"
    "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack8.zip"
    "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric2.zip"
    "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBHOje.zip"
    "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinInjectbw.zip"
    "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinInjectbw1.zip"
    "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostabh.zip"
    "C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll"
    "C:\WINDOWS\system32\in5bCs.dll"
    "C:\WINDOWS\system32\drivers\etc\HOSTS.bak"
    "C:\WINDOWS\ywgqpzd.exe"
    ) do (
    del /a/f/q %%g >nul 2>&1
    if exist %%g echo.%%~g>>"%temp%\log.txt"
    )
    rem Backup folders left by the earlier removal tools: remove each whole tree and log survivors
    for %%g in (
    "%systemdrive%\VundoFix Backups"
    %systemdrive%\Deckard
    %systemdrive%\Qoobox
    ) do (
    rd /s/q %%g >nul 2>&1
    if exist %%g echo.%%~g>>"%temp%\log.txt"
    )
    rem Show the log of anything that could not be deleted, otherwise report success
    if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
    ) else echo.Deleted Successfully !!
    rem Wait 7 seconds, then delete this batch file itself. Requires nircmd.exe to be available
    nircmd wait 7000
    del %0
    Save this as fix.bat. Choose "Save type as - All Files".
    It should look like this:
    Double click on fix.bat & allow it to run

    Post back to tell me what it says



    ----------


    I noted certain things when reviewing your log. I have a question that bears asking. Do you visit crack sites?
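The delete-then-verify pattern the posted fix.bat follows (force-delete, re-check existence, log whatever survived), as an added example in Python that is not the helper's code and not from this forum. It runs on any OS inside a temporary directory; every path and file name in it is constructed for the demo.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

def _clear_readonly(root):
    """Strip the read-only bit below root so rmtree can remove everything."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            os.chmod(p, os.stat(p).st_mode | stat.S_IWRITE)

def remove_and_verify(files, dirs):
    """Delete each listed file and directory tree, then re-check existence.
    Returns the paths that survived (the batch script's %temp%\\log.txt)."""
    survivors = []
    for f in map(Path, files):
        try:
            f.chmod(f.stat().st_mode | stat.S_IWRITE)  # like del /a/f on read-only files
            f.unlink()
        except OSError:  # already gone, locked, or not a plain file
            pass
        if f.exists():
            survivors.append(str(f))
    for d in map(Path, dirs):
        if d.exists():
            _clear_readonly(d)
            shutil.rmtree(d, ignore_errors=True)  # like rd /s/q
        if d.exists():
            survivors.append(str(d))
    return survivors

def demo():
    """Constructed sample (not real malware): a read-only quarantine file, a backup
    folder with contents, an already-missing path, and a folder wrongly listed as a file."""
    base = Path(tempfile.mkdtemp())
    infected = base / "Infected-CONSTRUCTED"
    infected.write_bytes(b"constructed sample, not malware")
    infected.chmod(stat.S_IREAD)
    (base / "Qoobox" / "Quarantine").mkdir(parents=True)
    (base / "Qoobox" / "Quarantine" / "x.vir").write_text("quarantined")
    (base / "still_a_folder").mkdir()
    survivors = remove_and_verify(
        [infected, base / "already_gone.zip", base / "still_a_folder"],
        [base / "Qoobox"])
    shutil.rmtree(base, ignore_errors=True)
    return [Path(s).name for s in survivors]  # only the mis-listed folder survives
```

The returned list plays the role of log.txt: an empty result is the script's "Deleted Successfully" case, anything else is what the user should post back.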

  2. #52 - Member (Join Date: Jan 2008, Posts: 39)

    I did not delete the folder - C:\QooBox


    Message said "Deleted files successfully!!"

    What do you mean by crack sites? I visit torrent sites if that's what you mean.

  3. #53 - Developer-Visiting Fellow (Join Date: Aug 2006, Posts: 62)

    Not that I have anything against torrents, but some of these sites (or the files you download) are terrible sources of infection. Any idea how you got infected this time round? When was the previous time you got infected?

  4. #54 - Member (Join Date: Jan 2008, Posts: 39)

    It happened around the end of December to the beginning of January. I went to click on the download button (I don't remember the website) and I saw a MS-DOS looking black box open, and then I started getting pop-up web pages. I ran Spybot and it said I had a Virtumonde infection.

  5. #55 - Developer-Visiting Fellow (Join Date: Aug 2006, Posts: 62)

    It's nearing the end of January. You have been infected for close to a month. The damage toll has been heavy. Some programs may need to be reinstalled. If you do online transactions, I will suggest that passwords be changed now. If this computer contains important personal data, I'd suggest a regime of frequent backups. You never know when the next infection will come along & cause you to lose everything.

    Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:


    1. Uninstall ComboFix ... do not skip this step
      This process will perform some post cleanup measures.
      Do this by going to Start > Run & typing in ComboFix /u

    2. ANTIVIRUS SOFTWARE
      It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


    3. FIREWALL
      Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here - http://www.bleepingcomputer.com/forums/tutorial60.html


    4. Microsoft Windows Update - http://www.windowsupdate.com
      Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    5. SPYWAREBLASTER
      SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

      Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here - http://www.bleepingcomputer.com/forums/tutorial49.html


    Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

    Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
    • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

    • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

    • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

    • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

      ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

      NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


    To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

    After doing all these, your system will be optimised against future threats.

    It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
    Have a safe & happy computing day.

    Kindly respond to this thread once more so we can mark this thread as resolved.

  6. #56 - Member (Join Date: Jan 2008, Posts: 39)

    Thank you so much for all of your help. It looks like I'll be changing all my passwords.

    I appreciate the time that all of you spend helping others.
