Help with Virtumonde clean up
- Thread starter al5579
- Start date
- Status
ken545
Emeritus-Security Expert
Good Morning,
C:\WINDOWS\ijibanovekegubix.dll <-- Delete this file
Open Firefox and go to Tools> Clear Private Data, put a checkmark in everything and click on Clear Private Data Now
Go to Tools> Options> Application Tab, do you see anything out of the ordinary in there.
If that didn't help what about this.
Did you completely uninstall Firefox ?
Mozilla Firefox <---Did you delete this folder ??
You need to to that so that there is no trace of Firefox on your system, then reboot and reinstall it
http://www.mozilla.com/en-US/firefox/
If your still having this issue than I am going to have someone else look at this as I am out of ideas
Ken
C:\WINDOWS\ijibanovekegubix.dll <-- Delete this file
Open Firefox and go to Tools> Clear Private Data, put a checkmark in everything and click on Clear Private Data Now
Go to Tools> Options> Application Tab, do you see anything out of the ordinary in there.
If that didn't help what about this.
Did you completely uninstall Firefox ?
Mozilla Firefox <---Did you delete this folder ??
You need to to that so that there is no trace of Firefox on your system, then reboot and reinstall it
http://www.mozilla.com/en-US/firefox/
If your still having this issue than I am going to have someone else look at this as I am out of ideas
Ken
Good morning.
Ok, I found and deleted the file you indicated in C:\Windows and now it's gone.
I uninstalled Firefox and deleted the Mozilla Firefox folder in C:\Program files. I did a Windows search and found additional folders with the title Mozilla. Those I deleted as well. Then I rebooted and reinstalled Firefox. I did a web search on Google and Yahoo. I still got redirected by goored in Google and Yahoo led me elsewhere. Internet Explorer is still unaffected by this, so I guess I'll do my web searches there for the time being.
Still, I appreciate the ideas you're giving to help me. Thanks.
Ok, I found and deleted the file you indicated in C:\Windows and now it's gone.
I uninstalled Firefox and deleted the Mozilla Firefox folder in C:\Program files. I did a Windows search and found additional folders with the title Mozilla. Those I deleted as well. Then I rebooted and reinstalled Firefox. I did a web search on Google and Yahoo. I still got redirected by goored in Google and Yahoo led me elsewhere. Internet Explorer is still unaffected by this, so I guess I'll do my web searches there for the time being.
Still, I appreciate the ideas you're giving to help me. Thanks.
ken545
Emeritus-Security Expert
Look for and delete this file, it may be in C:\windows or C:\windows\system32
f52c75cc.dll
Copy the entire contents inside the Quote box and Paste it into Notepad ( this will only work with Notepad ) name the file Regfix.reg and in the drop down box, save it as All Files. Save it to your desktop. Then Rightclick on the Regfix.reg file and click on Merge, when it asks you to merge with the Registry, say yes.
If you saved the file correctly it should look like this
f52c75cc.dll
Copy the entire contents inside the Quote box and Paste it into Notepad ( this will only work with Notepad ) name the file Regfix.reg and in the drop down box, save it as All Files. Save it to your desktop. Then Rightclick on the Regfix.reg file and click on Merge, when it asks you to merge with the Registry, say yes.
If you saved the file correctly it should look like this
ken545
Emeritus-Security Expert
Hello,
It appears this is a new infection and the great people in the Malware Removal Community are coming up with a fix.
Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.
It appears this is a new infection and the great people in the Malware Removal Community are coming up with a fix.
Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.
Hi. I pushed the reset button on my router and I tried to find the file you specified. Windows search found nothing. After the router reset I did the same search, got redirected by goored. Log as requested.
GooredFix v1.3 by jpshortstuff
Log created at 20:56 on 12/12/2008 running Option #1
=====Suspect Goored Entries=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{609E0751-889D-402A-B225-DBA0ACE20764}"="C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}"
tif0o28q.default: Extension0=C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
=====List of possible loading points=====
tif0o28q.default: Extension2=C:\Program Files\AVG\AVG8\ToolbarFF
tif0o28q.default: Extension1=C:\Program Files\AVG\AVG8\Firefox
tif0o28q.default: Extension0=C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
=====List of possible folders=====
C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
C:\Documents and Settings\Allen\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
=====List of possible registry values=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{609E0751-889D-402A-B225-DBA0ACE20764}"="C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}"
GooredFix v1.3 by jpshortstuff
Log created at 20:56 on 12/12/2008 running Option #1
=====Suspect Goored Entries=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{609E0751-889D-402A-B225-DBA0ACE20764}"="C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}"
tif0o28q.default: Extension0=C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
=====List of possible loading points=====
tif0o28q.default: Extension2=C:\Program Files\AVG\AVG8\ToolbarFF
tif0o28q.default: Extension1=C:\Program Files\AVG\AVG8\Firefox
tif0o28q.default: Extension0=C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
=====List of possible folders=====
C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
C:\Documents and Settings\Allen\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
=====List of possible registry values=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{609E0751-889D-402A-B225-DBA0ACE20764}"="C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}"
ken545
Emeritus-Security Expert
Lets go ahead and run Option 2
Please double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
Then use Firefox and see if the redirect is gone, do some searches and make sure all is well.
Please double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
Then use Firefox and see if the redirect is gone, do some searches and make sure all is well.
It worked. I've done multiple searches in Google and Yahoo and the redirects are gone. Give my thanks to jpshortstuff. There are some tools and files downloaded to my desktop which are RSIT, DNSCheck, RegQuery, DirLook, Regfix.reg. Could you tell me which ones I don't need? Thanks, Ken.
GooredFix v1.3 by jpshortstuff
Log created at 12:19 on 14/12/2008 running Option #2
=====Goored Deletions=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{609E0751-889D-402A-B225-DBA0ACE20764}"="C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}"
->Deleting value... Done.
tif0o28q.default: Extension0=C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
->Removing loadpoint... Done.
C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
->Emptying folder... Done.
->Deleting folder... Done.
=====List of possible loading points=====
tif0o28q.default: Extension2=C:\Program Files\AVG\AVG8\ToolbarFF
tif0o28q.default: Extension1=C:\Program Files\AVG\AVG8\Firefox
=====List of possible folders=====
C:\Documents and Settings\Allen\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
=====List of possible registry values=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"
GooredFix v1.3 by jpshortstuff
Log created at 12:19 on 14/12/2008 running Option #2
=====Goored Deletions=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{609E0751-889D-402A-B225-DBA0ACE20764}"="C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}"
->Deleting value... Done.
tif0o28q.default: Extension0=C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
->Removing loadpoint... Done.
C:\Documents and Settings\Allen\Local Settings\Application Data\{609E0751-889D-402A-B225-DBA0ACE20764}
->Emptying folder... Done.
->Deleting folder... Done.
=====List of possible loading points=====
tif0o28q.default: Extension2=C:\Program Files\AVG\AVG8\ToolbarFF
tif0o28q.default: Extension1=C:\Program Files\AVG\AVG8\Firefox
=====List of possible folders=====
C:\Documents and Settings\Allen\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
=====List of possible registry values=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"
ken545
Emeritus-Security Expert
Thats great, now I can go have that cold one I have been wanting :lip:
You can drag any of the tools we used to the trash, I previously posted about how to remove Combofix and a list of tools to install, read through that and install those tools to help keep you more secure.
I would like to ask you to do this for us please, its totally voluntary but with Goordfix being new, JPShortstuff is looking for any information he can get to improve this fix. Would you mind uploading your Firefox profile to him.
Go to My Computer> C
rive > Program Files > Mozilla Firefox > Defaults > Profile and open your Profile Folder, then click on Edit....Select All and then go to File > Send To > Compressed Zip Folder. (If you have WinZip installed if will be different )
Save the folder anywhere you can find it
Then go to
http://www.thespykiller.co.uk/
and towards the bottom of the page in the forums ( you need not registry if you do not want to ) look for the Uploads forum, start a new topic . Name the topic FOR JPSHORTSTUFF and put the link to this thread in the reply
http://forums.spybot.info/showthread.php?t=40901
Then use the Browse feature and browse to where you saved the Zipped file and upload it.
Thanks,
Take Care,
Ken
I will keep and eye out for you next time I am traveling across the Cross Bronx Expressway
You can drag any of the tools we used to the trash, I previously posted about how to remove Combofix and a list of tools to install, read through that and install those tools to help keep you more secure.
I would like to ask you to do this for us please, its totally voluntary but with Goordfix being new, JPShortstuff is looking for any information he can get to improve this fix. Would you mind uploading your Firefox profile to him.
Go to My Computer> C
rive > Program Files > Mozilla Firefox > Defaults > Profile and open your Profile Folder, then click on Edit....Select All and then go to File > Send To > Compressed Zip Folder. (If you have WinZip installed if will be different )Save the folder anywhere you can find it
Then go to
http://www.thespykiller.co.uk/
and towards the bottom of the page in the forums ( you need not registry if you do not want to ) look for the Uploads forum, start a new topic . Name the topic FOR JPSHORTSTUFF and put the link to this thread in the reply
http://forums.spybot.info/showthread.php?t=40901
Then use the Browse feature and browse to where you saved the Zipped file and upload it.
Thanks,
Take Care,
Ken
I will keep and eye out for you next time I am traveling across the Cross Bronx Expressway
- Status