If you have not bypassed your router yet, delete this file first and see if it makes a difference. Have a few people looking in on this one.
C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014
ERROR MESSAGE 386
No KeyBoard Detected
Press F1 To Continue
Just a reminder that threads will be closed if no reply in 3 days.
Hello,
It appears this is a new infection and the great people in the Malware Removal Community are coming up with a fix.
Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.
Hi. I pushed the reset button on my router and I tried to find the file you specified. Windows search found nothing. After the router reset I did the same search, got redirected by goored. Log as requested.
GooredFix v1.3 by jpshortstuff
Log created at 20:56 on 12/12/2008 running Option #1
=====Suspect Goored Entries=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{609E0751-889D-402A-B225-DBA0ACE20764}"="C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}"
tif0o28q.default: Extension0=C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
=====List of possible loading points=====
tif0o28q.default: Extension2=C:\Program Files\AVG\AVG8\ToolbarFF
tif0o28q.default: Extension1=C:\Program Files\AVG\AVG8\Firefox
tif0o28q.default: Extension0=C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
=====List of possible folders=====
C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
C:\Documents and Settings\Allen\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
=====List of possible registry values=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{609E0751-889D-402A-B225-DBA0ACE20764}"="C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}"
NCIS fan | House, M.D. watcher | Terminator: The Sarah Conner Chronicles watcher
Stargate SG-1 fan | Stargate Atlantis fan | Whose Line Is It Anyway? fan
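Added example, not code from the thread or from the GooredFix tool: a small Python check that parses a GooredFix-style log like the one above and flags Firefox extension loading points that resolve to a GUID-named folder under the user's Local Settings\Application Data instead of Program Files, which is the pattern both the profile's Extension0 entry and the HKLM registry value show here. The log text inside is constructed from the entries posted above; the list of user-writable locations is an assumption.

```python
import re
# Constructed sample, mirroring the GooredFix v1.3 Option #1 log posted in this thread.
SAMPLE_LOG = r"""GooredFix v1.3 by jpshortstuff
=====List of possible loading points=====
tif0o28q.default: Extension2=C:\Program Files\AVG\AVG8\ToolbarFF
tif0o28q.default: Extension1=C:\Program Files\AVG\AVG8\Firefox
tif0o28q.default: Extension0=C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
=====List of possible registry values=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{609E0751-889D-402A-B225-DBA0ACE20764}"="C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}"
"""
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
USER_WRITABLE = ("\\local settings\\application data\\", "\\application data\\", "\\temp\\")  # assumed list

def parse_log(text):
    """Split a GooredFix-style log into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^=====(.+?)=====$", line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections

def extension_paths(sections):
    """Yield (extension id or None, path) from profile loading points and registry values."""
    for line in sections.get("List of possible loading points", []):
        _, _, rest = line.partition(": ")          # drop the profile name
        _, _, path = rest.partition("=")           # ExtensionN=<path>
        yield None, path
    for line in sections.get("List of possible registry values", []):
        m = re.match(r'^"(.+?)"="(.+)"$', line)    # "id"="path"; [key] lines do not match
        if m:
            yield m.group(1), m.group(2)

def is_suspect(ext_id, path):
    """Flag a GUID-named (or id-named) extension folder living in a user-writable directory."""
    low = path.lower()
    folder = path.rstrip("\\").rsplit("\\", 1)[-1]
    in_user_dir = any(marker in low for marker in USER_WRITABLE)
    return in_user_dir and (bool(GUID_RE.match(folder)) or (ext_id or "").lower() == folder.lower())

def suspect_entries(text):
    """Return the sorted, de-duplicated suspect extension paths found in a log."""
    return sorted({p for i, p in extension_paths(parse_log(text)) if is_suspect(i, p)})
```

Legitimate extensions such as the AVG ones stay unflagged because they load from Program Files; the same path reported by both the profile and the registry is returned once.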
Hang in, we're almost there, now we know it's not your router. I notified JP Shortstuff about your reply, I want him to look this over so he can add it to his Gooredfix tool. Be back in the AM, been a loooooooong day.
Ah, good to know. Been a long day for me as well. Thanks.
Let's go ahead and run Option 2.
Please double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
Then use Firefox and see if the redirect is gone, do some searches and make sure all is well.
It worked. I've done multiple searches in Google and Yahoo and the redirects are gone. Give my thanks to jpshortstuff. There are some tools and files downloaded to my desktop which are RSIT, DNSCheck, RegQuery, DirLook, Regfix.reg. Could you tell me which ones I don't need? Thanks, Ken.
GooredFix v1.3 by jpshortstuff
Log created at 12:19 on 14/12/2008 running Option #2
=====Goored Deletions=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{609E0751-889D-402A-B225-DBA0ACE20764}"="C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}"
->Deleting value... Done.
tif0o28q.default: Extension0=C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
->Removing loadpoint... Done.
C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
->Emptying folder... Done.
->Deleting folder... Done.
=====List of possible loading points=====
tif0o28q.default: Extension2=C:\Program Files\AVG\AVG8\ToolbarFF
tif0o28q.default: Extension1=C:\Program Files\AVG\AVG8\Firefox
=====List of possible folders=====
C:\Documents and Settings\Allen\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
=====List of possible registry values=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"
That's great, now I can go have that cold one I have been wanting.
You can drag any of the tools we used to the trash, I previously posted about how to remove Combofix and a list of tools to install, read through that and install those tools to help keep you more secure.
I would like to ask you to do this for us please, it's totally voluntary but with GooredFix being new, JPShortstuff is looking for any information he can get to improve this fix. Would you mind uploading your Firefox profile to him?
Go to My Computer > C: Drive > Program Files > Mozilla Firefox > Defaults > Profile and open your Profile Folder, then click on Edit > Select All and then go to File > Send To > Compressed Zip Folder. (If you have WinZip installed it will be different.)
Save the folder anywhere you can find it
Then go to
http://www.thespykiller.co.uk/
and towards the bottom of the page in the forums (you need not register if you do not want to) look for the Uploads forum and start a new topic. Name the topic FOR JPSHORTSTUFF and put the link to this thread in the reply:
http://forums.spybot.info/showthread.php?t=40901
Then use the Browse feature and browse to where you saved the Zipped file and upload it.
Thanks,
Take Care,
Ken
I will keep an eye out for you next time I am traveling across the Cross Bronx Expressway.
Ah, ok. I'll keep the tools that you recommended I can keep.
Sure, no problem. I'd be happy to help jpshortstuff. I uploaded the zip file of my Firefox profile folder to thespykiller.
Thanks, Ken. Perhaps I'll see you on the Cross Bronx.
Great, thanks
Ken