Virtumonde infected Win XP !!HELP!!

Hi:

I would like to thank you very, very much for your expert help. Fantastic!

I still cannot turn off the language bar. Any ideas? Perhaps it is some leftover damage?

Now that my PC is clean, I will follow your recommendation.

Can you advise what will prevent me from being re-infected with the Virtumonde virus again? My Norton Antivirus did not catch it and this concerns me because it is always active. I wonder why Norton did not quarantine the virus - especially since Virtumonde is so prevalent and has been around for so long. I would assume that someone would have reported it to Symantec a long time ago and they would at least have updated definitions and a fix for it if infected.

I have read the sticky at http://forums.spybot.info/showthread.php?t=279 and intend to follow all the advice - but will that still stop Virtumonde?

When opening BitTorrent downloads, which online scanner site(s) do you recommend to check the file before opening it?

When testing software, what do you recommend so that it can be uninstalled completely without fouling up the operating system? I was just about to look into several programs such as:

"Deep FreeZe" http://www.faronics.com/html/deepfreeze.asp

"Try and decide" by Acronis http://www.acronis.com/homecomputing/products/trueimage/

"SteadyState" by Microsoft http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx

"ShadowUser Pro" http://www.storagecraft.com/products/ShadowUser/

Thank you.

Stephen
 
Hi:

As I was uninstalling combofix Norton popped up the following virus warning:

"Norton Antivirus has detected and removed a virus from your computer."
Object name: C:\Qoobox\QUARAN~1\C\WINDOWS\system32\GPCK~1.VIR
Virus name: Trojan.Metajuan
Action taken: The file was automatically deleted.

Strangely there is no directory on my C: drive called Qoobox

Stephen
 
Hi:

As soon as I clicked OK to close the Norton Antivirus warning another Norton window popped up the following virus warning:

"Norton Antivirus has detected and removed a virus from your computer."
Object name: C:\Qoobox\QUARAN~1\C\WINDOWS\system32\KKIWQI~1.VIR
Virus name: Trojan.Vundo
Action taken: The file was automatically deleted.

Stephen
 
I still cannot turn off the language bar. Any ideas? Perhaps it is some leftover damage?
I assume you've tried this? In case it doesn't help I'd recommend asking at http://forums.pcpitstop.com.

Can you advise what will prevent me from being re-infected with the Virtumonde virus again? My Norton Antivirus did not catch it and this concerns me because it is always active. I wonder why Norton did not quarantine the virus - especially since Virtumonde is so prevalent and has been around for so long. I would assume that someone would have reported it to Symantec a long time ago and they would at least have updated definitions and a fix for it if infected.
Unfortunately there's no antivirus product that would detect all possible threats. Different Vundo variants exist and new ones are coming all the time.

I have read the sticky at http://forums.spybot.info/showthread.php?t=279 and intend to follow all the advice - but will that still stop Virtumonde?
It's the user's carefulness that counts the most. Of course that doesn't mean that you couldn't still get infected, but it lowers the odds.

When opening BitTorrent downloads, which online scanner site(s) do you recommend to check the file before opening it?
First of all, you shouldn't download suspicious-looking and illegal torrents at all. You should always have local antivirus protection installed too (as you now have Norton), not relying only on online ones. You can always check a suspicious file in places like VirusTotal or Jotti.

When testing software, what do you recommend so that it can be uninstalled completely without fouling up the operating system?
Unfortunately I don't have much self-experience of those. If I need to test something I usually set it up on my virtual machine.


Those Norton notifications are ok since that Qoobox folder was ComboFix's quarantine folder containing all bad items. That should get removed when ComboFix is uninstalled. :)
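The point above, that an alert on a file under C:\Qoobox is a hit on an already-quarantined copy rather than a live infection, is the kind of check worth automating when a second scanner starts firing on another tool's quarantine. The script below is an added example for this thread, not code from the forum, from Symantec or from the ComboFix author. It parses alert text in the same three-line shape Stephen posted (Object name / Virus name / Action taken), decides whether each object path sits under a known quarantine root, and labels the alert accordingly. The only quarantine root it knows is the ComboFix one named in this thread; the sample alert text is constructed from the paths posted here.

```python
"""Triage antivirus alerts whose object lives in a known quarantine folder.

Added example (not from the forum or any vendor). It parses Norton-style
alert text like the one posted in this thread and labels each alert as a
quarantine remnant (a path under ComboFix's C:\\Qoobox) or as a live hit
that deserves a real look. The sample alert text is constructed for the
example, using the object paths that appear in the thread.
"""
import re
from pathlib import PureWindowsPath

# Quarantine roots we treat as "expected" locations for detections.
# Only the ComboFix root is stated in the thread; add others as needed.
QUARANTINE_ROOTS = [
    PureWindowsPath(r"C:\Qoobox"),  # ComboFix quarantine (from the thread)
]

# One alert = three consecutive labelled lines, as in the posted warnings.
ALERT_RE = re.compile(
    r"^Object name:[ \t]*(?P<path>.+?)[ \t]*$\s*"
    r"^Virus name:[ \t]*(?P<name>.+?)[ \t]*$\s*"
    r"^Action taken:[ \t]*(?P<action>.+?)[ \t]*$",
    re.MULTILINE,
)

# Constructed sample: the two Qoobox alerts from the thread plus the
# Hacktool detection Stephen mentioned later, written in the same format.
SAMPLE_ALERTS = r"""
"Norton Antivirus has detected and removed a virus from your computer."
Object name: C:\Qoobox\QUARAN~1\C\WINDOWS\system32\GPCK~1.VIR
Virus name: Trojan.Metajuan
Action taken: The file was automatically deleted.

"Norton Antivirus has detected and removed a virus from your computer."
Object name: C:\Qoobox\QUARAN~1\C\WINDOWS\system32\KKIWQI~1.VIR
Virus name: Trojan.Vundo
Action taken: The file was automatically deleted.

"Norton Antivirus has detected a virus on your computer."
Object name: C:\Program Files\Snadboy's Revelation v2\RevelationHelper.dll
Virus name: Hacktool
Action taken: The file was quarantined.
"""


def is_under(path: str, root: PureWindowsPath) -> bool:
    """True if `path` lies inside `root`.

    Comparison is done component-wise and case-insensitively, matching
    Windows filesystem semantics, so C:\\QOOBOX\\x and c:\\qoobox\\x agree.
    """
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    root_parts = [p.lower() for p in root.parts]
    return parts[: len(root_parts)] == root_parts


def quarantine_root_for(path: str):
    """Return the matching quarantine root, or None if the path is live."""
    for root in QUARANTINE_ROOTS:
        if is_under(path, root):
            return root
    return None


def triage(alert_text: str) -> list:
    """Parse alert blocks and attach a verdict to each.

    verdict is 'quarantine-remnant' when the object path is under a known
    quarantine root (expected once the quarantine folder is removed), and
    'live-hit' otherwise (a detection that still needs attention).
    """
    results = []
    for m in ALERT_RE.finditer(alert_text):
        path = m.group("path")
        root = quarantine_root_for(path)
        results.append({
            "path": path,
            "name": m.group("name"),
            "action": m.group("action"),
            "verdict": "quarantine-remnant" if root else "live-hit",
            "quarantine_root": str(root) if root else None,
        })
    return results


if __name__ == "__main__":
    for alert in triage(SAMPLE_ALERTS):
        print(f"{alert['verdict']:19} {alert['name']:16} {alert['path']}")
```

Run it as-is and the two Qoobox alerts come back as quarantine remnants while the RevelationHelper.dll detection is reported as a live hit. The check is deliberately a path-prefix test only: a scanner naming a file under another tool's quarantine folder is an expected side effect of that quarantine existing, which is exactly the reasoning in the reply above.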
 
Hi:

I still cannot get rid of the language bar even after following all the instructions. I wonder if it is still virus related.

Norton has quarantined another virus.

You said:
"Unfortunately I don't have much self-experience of those. If I need to test something I usually set it up on my virtual machine."

Please explain how you do this on a virtual machine.

Stephen
 
Hi

What virus did Norton quarantine and where?

Please explain how you do this on a virtual machine.
A virtual machine makes it possible to have another, virtual operating system installed in your physical computer. For example, your main operating system is Windows XP, but using a virtual machine system you can run virtual instances of other operating systems as well in the same computer. To understand this better check here for a detailed description of virtual machines. :)
 
Hi:

The virus was called Hacktool, found in C:\Program Files\Snadboy's Revelation v2\RevelationHelper.dll and has since been quarantined.

There are numerous virtual machines, which one(s) have you had the most success with? I would like one that allows you to reboot and undo the changes if they are not wanted. I experimented with Deep Freeze, and it does not allow this - only one reboot to accept the changes or not.

Still no success with the language bar.

Stephen
 
I've so far tried only VMware, which does its job well. There's a good tutorial written by wng_z3r0 here.

For that language bar problem I suggest the already mentioned PC Pitstop forum, since we don't handle technical issues here and to me it looks more like that kind of issue than malware related. :)
 
Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
 