Page 3 of 3 FirstFirst 123
Results 21 to 25 of 25

Thread: Virtumonde - can't shake it

  1. #21
    Emeritus
    Join Date
    Aug 2007
    Posts
    1,875

    Default

    Your RSIT Log looks good.

    Kaspersky found some infected System Restore points. They are harmless where they are. I'll show you how to remove them and set a new clean one in an upcoming post.
    Kaspersky also found files in the Qoobox folder which is where ComboFix keeps its quarantined files. I'll show you how to remove those and ComboFix in an upcoming post as well.

    I was feeling over-confident and ran Spybot again (the way I initially found this infection). It found 1 registry infection (virtumonde again and I had it "fix" it.
    Sorry for going off on my own like that. I won't do that again. But I want you to know what I did just in case it matters.
    Do you still have the Spybot Log from that run? If you do, just post the section of the log that shows what Spybot removed (the virtumonde registry infection).


    The machine seems snappier, but I have still not dared to click on links in a web browser (this is when it was taking me to spurious advertising sites). I'm afraid it could re-infect me. Should I try using the browser like normal again?
    You should be good to go ahead and try clicking on links in your web browser. I don't see any signs of virtumonde (or any other infections) in the latest logs that you've posted.


    Besides checking to see if you get redirected, I'd like for you to do the following:


    First, go to your Yahoo mail (the pacbell mail/account) and delete any e-mails in your Inbox that you no longer need. Also, delete all e-mails in the Junk/Spam/Bulk/Trash folder.


    Finally, Clear Java's Cache

    Click Start > Control Panel

    • Double-click the Java icon in the control panel. (coffeecup icon)
    • Click Settings under Temporary Internet Files.

      -The Temporary Files Settings dialog box appears.
    • Click Delete Files.

      -The Delete Temporary Files dialog box appears.
      -There are three options on this window to clear the cache.
    • Delete Files
    • View Applications
    • View Applets


    Click OK on Delete Temporary Files window.

    -Note: This deletes all the Downloaded Applications and Applets from the cache.

    Click OK on Temporary Files Settings window.
    Close the Java Control Panel

    You can view those instructions along with graphics here


    Let me know how things went.
    Malware Removal University Master
    Member of ASAP & UNITE

  2. #22
    Junior Member
    Join Date
    Feb 2010
    Posts
    15

    Default Looking good :)

    Well it's a big moment. I'm actually posting this from the "previously" infected computer. YEAH!!! Everything seems fine again. No weird pauses and re-directs of any kind.

    I will post the log from Spybot below.
    I cleared all my old email on SBC Yahoo and from this machine.
    I cleared my java cache.

    This is the section of the Spybot Log file that FOUND it...


    --- Report generated: 2010-02-21 18:07 ---

    Virtumonde.sdn: [SBI $70056CE6] Data (File, nothing done)
    C:\WINDOWS\system32\takasafu
    Properties.size=6456
    Properties.md5=0339F6D44BEE3F6159D67534D051EFA7
    Properties.filedate=1266638339
    Properties.filedatetext=2010-02-19 19:58:59


    This is the section of the Spybot Log that FIXED it...

    --- Report generated: 2010-02-21 18:09 ---

    Virtumonde.sdn: [SBI $70056CE6] Data (File, fixed)
    C:\WINDOWS\system32\takasafu
    Properties.size=0
    Properties.md5=D41D8CD98F00B204E9800998ECF8427E

  3. #23
    Emeritus
    Join Date
    Aug 2007
    Posts
    1,875

    Default

    Great to hear that the redirects have stopped.

    If there are no more problems, then you are good to go.

    You can delete the following off of your computer:

    DDS.scr
    RSIT.exe
    The two RSIT Logs
    GMER.zip
    GMER.exe
    The GMER Log



    To remove ComboFix, do the following:

    Go to Start > Run - type in ComboFix /Uninstall & click OK

    Empty your Recycle Bin.


    Please take the time to read my All Clean Post.

    Please follow these simple steps in order to keep your computer clean and secure:

    This is a good time to clear your existing system restore points and establish a new clean restore point

    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and Ok it.
    • Next, go to Start > Run and type in cleanmgr
    • Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.
    • This will remove all restore points except the new one you just created.
    .

    Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


    Make your Internet Explorer more secure This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub frames across different domains to Prompt
    5. When all these settings have been made, click on the OK button.
    6. If it asks you if you want to save the settings, press the Yes button.
    7. Next press the Apply button and then the OK to exit the Internet Properties page.

    Set correct settings for files that should be hidden in Windows XP
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked please checkHide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK

    • Use An Antivirus Software and Keep It Updated - It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
    • Visit Microsoft's Update Site Frequently It is important that you visit Microsoft Updates regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
    • Install SpywareBlaster SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
      Computer Safety on line Anti Malware
    • Use the hosts file: Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
      1. Click the start button on the task bar at the bottom of your screen
      2. Click run
      3. In the dialog box, type services.msc
      4. hit enter, then locate dns client
      5. Highlight it, then doubleclick it.
      6. On the dropdown box, change the setting from automatic to manual.
      7. Click ok..
    • Use an alternative instant messenger program.Trillian and Miranda IM These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
    • Please read Tony Klein's excellent article: How I got Infected in the First Place
    • Please read Understanding Spyware, Browser Hijackers, and Dialers
    • Please read Simple and easy ways to keep your computer safe and secure on the Internet
    • If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox or
      Opera.
      If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
    • Update all these programs regularly Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    • If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.
    Follow these steps and your potential for being infected again will reduce dramatically.

    Here's a good website to read about Malware prevention:

    http://users.telenet.be/bluepatchy/m...revention.html

    If your computer is running slow, click here for instructions on how to help speed up your computer.

    Good luck!

    Please reply one last time so that I know you have read my post and this thread can be closed.
    Malware Removal University Master
    Member of ASAP & UNITE

  4. #24
    Junior Member
    Join Date
    Feb 2010
    Posts
    15

    Talking Looks good

    Everything looks good now.

    I've gone through all your instructions (getting rid of my un-necessary anti-virus logging utilities, ComboFix, etc).

    By the way, DDS.scr now runs

    I've checked my settings in IE, put in a hosts file, and run SpywareBlaster.

    I'm still working my way through all your assigned reading.

    Thank you very much for all the help.

  5. #25
    Emeritus
    Join Date
    Aug 2007
    Posts
    1,875

    Default

    You're welcome. I'm glad I was able to help you out.

    Good luck and safe surfing!
    Malware Removal University Master
    Member of ASAP & UNITE

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •