Amaena, Virtumonde, winantiviruspro2000,...

Hello,

I didn't know about these issues of Xoftspy, but it seems that the version I used is not on the rogue list anymore (v.4.29).

I found it under the following line:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UniqData
Value: {C0BE1142-F574-48BC-BBAF-0AED0967B2A0}

There is no log file. The info is exactly as follows:

Vendor: Vundo Trojan
Type: Registry Key
Threat Level: Severe Risk
Characteristics: View Details (here is a link to paretologic website)
Object: software\microsoft\uniqdata
 
Ok let's see...


Go to Start >Run and type "Notepad" without the quotes
Copy the text from the quotebox to Notepad.
Go to the menu at the top of the Notepad file and Save as:
  • Name the file peek.bat
  • Save as Type: All files
  • Select the desktop icon on the left to save it on the desktop.
Double click on peek.bat and let it run.
When finished it will open a file in Notepad.
That file will be named info.txt
Please post the contents of info.txt into your next reply here.

rem Create a working folder on the desktop (not used further below)
if not exist Files MkDir Files

rem Export the suspect registry key to peek1.txt and append it to info.txt
regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UniqData\{C0BE1142-F574-48BC-BBAF-0AED0967B2A0}"
type peek1.txt >> info.txt

rem Show the collected output
Start Notepad info.txt
 
Hi and sorry for the delay...

So that means that the entry isn't in the registry anymore...

Does Xoftspy still find it ?
 
No, it is still there and xoftspy still finds it and reports as a threat.

But the file "info.txt" created by "peek.bat", just like you told me to do, is blank.
 
Ok we'll remove it manually...

Backup your registry:
  • Start
  • Run
  • Type the following to the box and hit Ok: regedit
  • A window opens, click on File
  • Choose Export from the menu
  • Change the save location to C:\
  • Give the filename, RegBackUp
  • Make sure that the filetype is set to Registryfiles (*.reg)
  • Click on Save

Now continue with regedit and navigate to the following:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UniqData

Right-click the following and choose delete:
{C0BE1142-F574-48BC-BBAF-0AED0967B2A0}

Restart the computer and run a new scan with Xoftspy

:bigthumb:
 
Ok, I did it and Xoftspy does not find it anymore.

But, guess what? Virtumonde is still hanging around! Now, it was spybot who found it. Check the log:

***********************************************************************************************************

--- Search result list ---
Win32.Virtumonde.ha: Configurations (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{C47A9554-195A-4769-9B13-04F15B450A39}

***********************************************************************************************************

And one more thing. My Kaspersky proactive defense keeps blocking this process: C:\Windows\system32\drwtsn32.exe.
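An added example, not the helper's peek.bat nor any tool output from this thread: the reason info.txt came back blank is that the GUID under UniqData is a registry *value* name, while peek.bat asked regedit to export it as a *subkey*. The script below parses a regedit /e style export (a constructed sample of the two keys named in this thread, UniqData and ShellExecuteHooks) and reports whether a GUID appears as a subkey name or as a value name, so the next step (export the parent key) is obvious. The load_reg_file helper is an assumption about how you would read a real peek1.txt, which regedit writes as UTF-16.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of what "regedit /e" writes for the two PARENT keys from the
# thread (not real output from the poster's machine). Both GUIDs are value names.
SAMPLE_REG = '''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\UniqData]
"{C0BE1142-F574-48BC-BBAF-0AED0967B2A0}"=hex:01,00,00,00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks]
"{C47A9554-195A-4769-9B13-04F15B450A39}"=""
'''

# Matches  "name"=data  or  @=data  (the default value); hex continuation lines
# that start with whitespace do not match and are ignored, which is fine here.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: raw_data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # key path, e.g. HKEY_LOCAL_MACHINE\SOFTWARE\...
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = m.group(2)
    return keys


def locate_guid(keys: Dict[str, Dict[str, str]], guid: str) -> List[Tuple[str, str]]:
    """Return [('subkey'|'value', key_path), ...] for every place the GUID occurs."""
    g = guid.lower()
    hits: List[Tuple[str, str]] = []
    for key, values in keys.items():
        if key.lower().endswith("\\" + g):   # GUID is the last path component
            hits.append(("subkey", key))
        hits.extend(("value", key) for name in values if name.lower() == g)
    return hits


def load_reg_file(path: str) -> Dict[str, Dict[str, str]]:
    """Assumed helper: regedit /e writes UTF-16 with a BOM, so decode it that way."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg_export(fh.read())
```

Running locate_guid over an export of the parent key shows the UniqData GUID as a value, which is why the value (not a subkey) had to be deleted in regedit.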
 
Hi :)

Did you fix the item with Spybot S&D?

The drwtsn32.exe should be a system file...Let's see if it is clean.

Go to virustotal.com
Copy the following to the box next to "Browse" button:
C:\Windows\system32\drwtsn32.exe
Click on Send
Wait for the scan to end.

Copy & Paste the scan results to here.
 
Hi, Mr_JAk3, and thank you for your patience. :)

No, I did not fix the item with spybot. I am afraid it is one of those nasty things that keeps playing hide and seek. I wait for your instructions.

As for drwtsn32.exe, here are the results. It seems to be ok:

Complete scanning result of "drwtsn32.exe", received in VirusTotal at 03.17.2007, 23:07:14 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.3.17.0 03.16.2007 no virus found
AntiVir 7.3.1.43 03.17.2007 no virus found
Authentium 4.93.8 03.17.2007 no virus found
Avast 4.7.936.0 03.16.2007 no virus found
AVG 7.5.0.447 03.17.2007 no virus found
BitDefender 7.2 03.17.2007 no virus found
CAT-QuickHeal 9.00 03.15.2007 no virus found
ClamAV 0.90.1 03.17.2007 no virus found
DrWeb 4.33 03.17.2007 no virus found
eSafe 7.0.14.0 03.16.2007 no virus found
eTrust-Vet 30.6.3486 03.16.2007 no virus found
Ewido 4.0 03.17.2007 no virus found
FileAdvisor 1 03.17.2007 No threat detected
Fortinet 2.85.0.0 03.17.2007 no virus found
F-Prot 4.3.1.45 03.17.2007 no virus found
F-Secure 6.70.13030.0 03.17.2007 no virus found
Ikarus T3.1.1.3 03.17.2007 no virus found
Kaspersky 4.0.2.24 03.17.2007 no virus found
McAfee 4986 03.16.2007 no virus found
Microsoft 1.2306 03.17.2007 no virus found
NOD32v2 2124 03.17.2007 no virus found
Norman 5.80.02 03.16.2007 no virus found
Panda 9.0.0.4 03.17.2007 no virus found
Prevx1 V2 03.17.2007 no virus found
Sophos 4.15.0 03.13.2007 no virus found
Sunbelt 2.2.907.0 03.16.2007 no virus found
Symantec 10 03.17.2007 no virus found
TheHacker 6.1.6.076 03.15.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.2 03.16.2007 no virus found
VirusBuster 4.3.7:9 03.17.2007 no virus found

Additional Information
File size: 45568 bytes
MD5: c9f5e1de6da983e89e714ed80c11f000
SHA1: 1717b633478fb107d3c26344f710328b93ae550c
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=c9f5e1de6da983e89e714ed80c11f000
 
Hi :)

Ok the drwtsn32.exe is clean. Does Kaspersky state that it is infected? If so then it is just a false positive.

You may fix the Spybot finding, it is a registry leftover...


Now you can clean AVG's Quarantine:
  • Open AVG Anti-Spyware
  • Click Infections
  • Click Quarantine tab
  • Click Select all
  • Click Remove finally
  • Close the program
You can remove the tools we used.

Now you can make your hidden files hidden again.
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Check "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:

Stay clean and be safe ;)
 
Thank you very much, Mr_JAk3! :bigthumb:

One last question to close: I already have Spybot installed. Should I also have Ad-Aware, AV Anti-Spyware, Spywareblaster?
 
You're very welcome :)

Well I would recommend that you install at least the SpywareBlaster. It doesn't slow your computer down as it uses a passive protection.

For Ad-Aware, AV Anti-Spyware...two scanners see better than one :)
 