
Virtumonde/malware, Hijackthis, And Me


7 replies to this topic

#1 TikiGod


Posted 03 May 2008 - 08:38 PM

Well... I didn't exactly go about things in the most logical of fashions (since I had discovered HijackThis from a roommate of mine here at college), so some background explanations before anything else. Something was bogging down system resources like crazy, typing occurred in a s l o w fashion, and certain webpages wouldn't load (a la Vundo). I tried a program called VundoFix, and later VirtumundoBeGone. Both proved to be temporary success stories at best; whatever that "thing" was (that I assumed was Vundo due to my issues fitting the common symptoms) kept coming back! The recurrences were especially triggered when I opened IE, rather than my normal FireFox.

Spybot and Ad-Aware proved slightly useful at best; same situation for my Symantec AntiVirus (Corporate Edition I believe? Was provided by my university). So I ran HijackThis, deleted BHOs that looked "fishy" (yeah, I'm not that knowledgeable, so maybe not the best of ideas, but I'm pretty certain none were "essential" BHOs). Eventually was led to ComboFix, which I have just run on my computer. Things seem to be running much better now, but I would like to be certain that I did not skip over any steps here or potentially leave any "openings" for future problems. I've got a ComboFix log as well as a HijackThis log, but I figure it'd be best to follow forum rules and just post the HijackThis one to start :thumbsup:

Thanks for your time, whoever it is that comes to my case. This has been the bane of my computer existence for almost a week now, and I would love to see an end to it without having to resort to reformatting. And here's the logfile!



#2 Rahina


Posted 06 May 2008 - 08:21 AM

I hope you do understand that you should not run ComboFix on your own. We are talking about a powerful tool, and if something goes wrong you are screwed with your PC.

Also, if you have a report from combofix, please add it in your next reply to this thread.

Please do this:

Please download Malwarebytes' Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • If you have trouble with the update process, please download the latest updates here.
  • Double-click the mbam-rules.exe file on your desktop and let it update the application.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (see extra note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Please copy and paste the entire report in your next reply. :thumbsup:
Extra note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
[ Antivirus ] [ Firewall ] [ Spywareblaster ] [ Malwarebytes Anti-Malware ] [ Windows update ] [ Firefox ] [ WinPatrol ] [ ATF Cleaner ]

If I have helped you, donate to help me continue helping others.

#3 TikiGod


Posted 06 May 2008 - 03:06 PM

I was quite flustered when I ran combofix, and more than likely should not have resorted to that when I did (and obviously did not have adequate supervision). Suppose I got lucky? Perhaps? I'm not sure, I guess I'll post the logfile and you can tell me. :thumbsup: Thanks for letting me know of yet another useful anti-malware/adware program! Can always appreciate the effects of a cleaner PC! And of course, thanks for donating your time and expertise in helping me with my computer! Here are those logfiles:

note: I ran combofix the same day of the original post, and Malwarebytes' Anti-Malware the day of this post

Attached File  ComboFix.txt   15.06KB   28 downloads
Attached File  mbam_log_5_6_2008__16_00_14_.txt   1015bytes   27 downloads

#4 Rahina


Posted 06 May 2008 - 03:17 PM

Hello!

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Turn off the real time scanner of any existing antivirus program while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

#5 TikiGod


Posted 07 May 2008 - 07:11 PM

Here ya go. Wasn't at my computer for the whole (few hour) scan, and anti-virus may have turned itself back on? I'm not sure if that's even possible; I just de-activated auto-detect and it was on when I came back. Either way, here's the logfile.

Attached File  kaspersky_log.txt   34.38KB   10 downloads

#6 Rahina


Posted 08 May 2008 - 03:46 AM

Looks good.

Could you open Symantec and locate its Quarantine? Please empty/delete everything in there.

Next:

Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

Any problems still?

#7 TikiGod


Posted 09 May 2008 - 12:44 AM

Things are running great now! Thank you so much for the help and peace of mind you've provided (as well as basic tools I can use in the future). I was worried about reformatting, and now I can concern myself with simply defragging and the like. I know what site I'll recommend to friends with similar issues from here on out.

#8 Rahina


Posted 12 May 2008 - 12:24 PM

Thanks and again sorry for the delay.

Let us make sure your system is clean.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for me to analyze.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.
