
Thread: Smitfraud, Virtumonde and god knows what else

  1. #11
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Here is the key to those items:
    C:\System Volume Information\_restore

    In the last instructions I posted:

    Clean infected System Restore files like this:
    VirusScan <<< cannot clean those as they are protected Windows files. Complete those instructions and the issues should be gone.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  2. #12
    Junior Member
    Join Date
    Sep 2008
    Posts
    13

    Not quite there yet. MBAM found another instance of Vundo and VirusScan is still not happy with a number of exe files, including Combofix. These occurred during the MBAM scan, although MBAM seemed OK about the files. I had uninstalled Combofix as per your instructions before running MBAM and the closing message was that Combofix had uninstalled successfully.

    MBAM and VirusScan logs attached:

    Malwarebytes' Anti-Malware 1.28
    Database version: 1225
    Windows 5.1.2600 Service Pack 2

    2008-10-01 14:18:59
    mbam-log-2008-10-01 (14-18-59).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 116114
    Time elapsed: 57 minute(s), 35 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6928c803-aa5d-4b3a-9943-3c3f784a02bd} (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    VirusScan log:

    10/1/2008 1:02:34 PM Moved (Clean failed) IE_OTTAWA\stojicic mbam.exe C:\quarantine\A0056702.exe.Vir\A0056702.EXE.VIR RemAdm-ProcLaunch!171 (Remote Admin Tool)
    10/1/2008 1:02:43 PM Moved (Clean failed) IE_OTTAWA\stojicic mbam.exe C:\quarantine\A0056930.exe.Vir\A0056930.EXE.VIR RemAdm-ProcLaunch!171 (Remote Admin Tool)
    10/1/2008 1:02:51 PM Moved (Clean failed) IE_OTTAWA\stojicic mbam.exe C:\quarantine\ComboFix.exe.Vir\COMBOFIX.EXE.VIR RemAdm-ProcLaunch!171 (Remote Admin Tool)

  3. #13
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    http://www.google.com/search?hl=en&q...es&btnG=Search
    those files have been renamed like that by the antivirus program.
    I don't know which one, but it might have been McAfee?

    C:\quarantine\ <<< delete the contents of that quarantine folder (or delete the folder)

    You should know this stuff if you own a computer; this is basic computing 101.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
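The two logs pasted in this thread make a useful triage exercise, so here is an added example (not code from the thread, from Malwarebytes or from McAfee) that parses them and sorts each VirusScan hit into one of three dispositions: a copy another scanner already renamed into a quarantine folder with a .Vir extension (the point made in post #13), a System Restore snapshot copy that on-access scanners cannot clean (the point made in post #11), or a live file on disk that still needs attention. The line layout for both logs is inferred from the pasted text and is an assumption; the two extra VirusScan lines (a restore-point path with a placeholder GUID and a live DLL) are constructed to show the other two outcomes, and the MBAM parser pulls the BHO CLSID out of the registry key line.

```python
"""Triage the VirusScan and MBAM log lines from the thread (added example).

Assumptions: VirusScan lines read
  <date> <time> <action> <DOMAIN\\user> <process> <path> <Name (Category)>
and MBAM lists registry hits under a 'Registry Keys Infected:' header as
  <key> (<threat>) -> <result>
Both layouts are inferred from the pasted logs, not from vendor documentation.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Three lines from the thread followed by two CONSTRUCTED lines (restore point
# copy with a placeholder GUID, and a live DLL) to exercise every disposition.
VIRUSSCAN_LOG = r"""
10/1/2008 1:02:34 PM Moved (Clean failed) IE_OTTAWA\stojicic mbam.exe C:\quarantine\A0056702.exe.Vir\A0056702.EXE.VIR RemAdm-ProcLaunch!171 (Remote Admin Tool)
10/1/2008 1:02:43 PM Moved (Clean failed) IE_OTTAWA\stojicic mbam.exe C:\quarantine\A0056930.exe.Vir\A0056930.EXE.VIR RemAdm-ProcLaunch!171 (Remote Admin Tool)
10/1/2008 1:02:51 PM Moved (Clean failed) IE_OTTAWA\stojicic mbam.exe C:\quarantine\ComboFix.exe.Vir\COMBOFIX.EXE.VIR RemAdm-ProcLaunch!171 (Remote Admin Tool)
10/1/2008 1:04:10 PM Moved (Clean failed) IE_OTTAWA\stojicic explorer.exe C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP12\A0056702.exe Example.Detection (Trojan)
10/1/2008 1:05:00 PM Moved (Clean failed) IE_OTTAWA\stojicic explorer.exe C:\WINDOWS\system32\example.dll Example.Detection (Trojan)
"""

# The MBAM registry section from the thread, plus the empty 'Files Infected' section.
MBAM_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6928c803-aa5d-4b3a-9943-3c3f784a02bd} (Trojan.Vundo) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

VS_LINE = re.compile(
    r"^(?P<timestamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>.+?) "                  # e.g. "Moved (Clean failed)"
    r"(?P<user>[^\s\\]+\\[^\s\\]+) "     # DOMAIN\user
    r"(?P<process>\S+) "                 # process that touched the file
    r"(?P<path>[A-Za-z]:\\.+?) "         # path may contain spaces, so...
    r"(?P<detection>\S+ \([^()]+\))$"    # ...anchor on the trailing "Name (Category)"
)
MBAM_KEY_LINE = re.compile(r"^(?P<key>HK[A-Z_]+\\.+?) \((?P<threat>[^()]+)\) -> (?P<result>.+)$")
CLSID_RE = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")


@dataclass
class ScanHit:
    timestamp: str
    action: str
    user: str
    process: str
    path: str
    detection: str
    disposition: str


def classify(path: str) -> str:
    """Decide what kind of object a VirusScan hit actually points at."""
    parts = path.lower().split("\\")
    name = parts[-1]
    # Renamed copies in a quarantine folder are already neutralised; delete the folder.
    if "quarantine" in parts or name.endswith(".vir"):
        return "quarantine-copy"
    # System Restore stores snapshot copies as A<7 digits>.<ext>; purge restore points instead.
    if "system volume information" in parts and re.fullmatch(r"a\d{7}\.[a-z0-9]+", name):
        return "restore-point-copy"
    return "live-file"


def triage_virusscan(log: str) -> List[ScanHit]:
    hits: List[ScanHit] = []
    for line in log.strip().splitlines():
        m = VS_LINE.match(line)
        if not m:
            continue  # skip anything that does not fit the assumed layout
        hits.append(ScanHit(disposition=classify(m["path"]), **m.groupdict()))
    return hits


def summarize(hits: List[ScanHit]) -> Dict[str, int]:
    return dict(Counter(h.disposition for h in hits))


def parse_mbam_registry_hits(log: str) -> List[Dict[str, Optional[str]]]:
    """Return the registry keys MBAM reported, with any embedded CLSID pulled out."""
    hits: List[Dict[str, Optional[str]]] = []
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):
            in_section = line == "Registry Keys Infected:"
            continue
        m = MBAM_KEY_LINE.match(line) if in_section else None
        if m:
            clsid = CLSID_RE.search(m["key"])
            hits.append({"key": m["key"], "clsid": clsid.group(0) if clsid else None,
                         "threat": m["threat"], "result": m["result"]})
    return hits


if __name__ == "__main__":
    for h in triage_virusscan(VIRUSSCAN_LOG):
        print(f"{h.disposition:20} {h.detection:42} {h.path}")
    print(summarize(triage_virusscan(VIRUSSCAN_LOG)))
    print(parse_mbam_registry_hits(MBAM_LOG))
```

Run as a script it prints one line per VirusScan hit with its disposition; for the three lines from the thread every hit lands in `quarantine-copy`, which is exactly why the helper's advice was to delete the C:\quarantine folder rather than treat them as a new infection. The MBAM parser reports the single Vundo BHO key together with its CLSID, which is the value you would carry over to an allow/deny list or a follow-up registry check.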
