
Not just Virtumonde?


2 replies to this topic

#1 Roger_Williams

  • Members
  • 4 posts

Posted 07 January 2005 - 08:38 PM

I'd appreciate advice on whether the symptoms on my home computer are all Virtumonde related or whether something else is going on. It is running XP home edition.

I found the browser (IE) on the computer my family use had been hijacked. I got Adaware SE plus and its first scan found 4,800 critical objects! This and McAfee anti-virus enabled me to recover control of the browser except that I can't access sites with an https URL. This meant I was unable to use IE to access GoToMyPC, the remote control program/site I use to contact my office PC from home. It also shut me out of some of the "help" sites my Google search found. Not BleepingComputer, thank goodness!

Fortunately I use Opera browser/mail, and could access https://www.gotomypc.com with that.

Oh yeah. Couple of other things. My IE says (in "about" under "help") that it's SP1, with a whole string of later updates, but I keep getting notifications of MS SP1 updates and the updates always abort, as if something is blocking them. I get "update failed" notices. I also used the Symantec utility that targets Virtumonde in "safe" mode, and deleted "sabr.exe." I've set IE security to put up a dialog when a script is used, and if I don't like what happens when I click "yes" I try "no" the next time. But it would help if I knew what the scripts were executing. <sigh>

However, although I have AdWatch running in automatic mode, and although the previously ceaseless attempts to update my registry with Virtumonde entries have ended--I no longer see the tray icon flashing all the time as they are automatically blocked--I still find four Virtumonde-related critical objects every time I run an Adaware scan. So they're getting in somehow, maybe when the kids or my wife are using the computer.

If you're still with me, I'd like to know if the problem with accessing https sites and the impossibility of updating IE are related to the Virtumonde infection or are something different. And I'd appreciate suggestions. I'm prepared to dive in with HiJackThis and ask for help with the log, but want to be sure that's the right thing to do.

I've looked at the "run" registry, and can't see any obviously Virtumonde-related entries, but then what do I know? (answer, almost nothing!!)

Roger

#2 tg1911

    Lord Spam Magnet

  • Members
  • 19,274 posts
  • Gender:Male
  • Location:SW Louisiana

Posted 08 January 2005 - 01:09 AM

Here's a link to the self-help guide for the removal of Virtumonde:
How to remove Virtumonde Stopguard CATLEvents Trojan.Vundo, Self-Help Guide

After you try this:

Download the latest version of HijackThis (HJT) from here.

Put HijackThis in a permanent folder:
Click My Computer / C: / File / New / Folder / name the folder; HijackThis
Put HijackThis.exe in this folder.
This is a mandatory step for the backup and restore functions of HijackThis to be able to work.

Read the pinned post in the HJT forum, here.

Then run a log and post it in the HJT forum, at this link. Do not fix anything yet.
A member of the HJT Team will help you out.
Please be patient; these people are volunteers. They will help you out as soon as possible.

That way we can eliminate the possibility of other spyware/malware being the cause of your problem.

If this doesn't help with your problem, which I think it will, then post back in the appropriate forum. In your post, mention that you have already submitted a HJT log, and it was cleaned.
This way we can start looking for the problem on a clean machine.

Edited by tg1911, 08 January 2005 - 01:10 AM.

MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA

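As an added illustration (this is not code from the thread or from the HijackThis project), the script below does two things the posts above talk about: it creates the permanent folder tg1911 asks for, and it lists the autostart entries in the "run" registry keys that Roger says he looked through, showing for each one whether the referenced file actually exists and whether it carries a valid Authenticode signature. It is written for a current Windows PowerShell, not the 2005-era XP machine in the thread; the folder path C:\HijackThis is an assumption taken from the post, and HijackThis.exe itself still has to be downloaded and copied in by hand.

```powershell
# Added example, not part of the original thread.
# Assumption: the permanent folder is C:\HijackThis, as post #2 suggests.
$HjtFolder = 'C:\HijackThis'

# Step from post #2: a fixed folder so HijackThis backups all live in one place.
if (-not (Test-Path -LiteralPath $HjtFolder)) {
    New-Item -ItemType Directory -Path $HjtFolder | Out-Null
}

# The autostart keys Roger calls the "run" registry: per-machine (HKLM) and
# current-user (HKCU) Run and RunOnce.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* bookkeeping properties Get-ItemProperty adds.
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value

            # Pull the executable out of the command line. Quoted paths are taken
            # whole; bare paths are cut at the first space, so an unquoted path
            # containing spaces will be reported as not existing (worth a look anyway).
            if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }

            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $cmd
                Executable = $exe
                FileExists = $exists
                Signature  = $sig
            }
        }
    }
}

# Entries whose file is missing or unsigned are the ones to read first. That is a
# hint, not proof: plenty of legitimate older software is unsigned too.
Get-AutostartEntry | Sort-Object FileExists, Signature | Format-Table -AutoSize
```

The output is only a starting point for the same kind of review a HijackThis log gets; it does not replace posting the log in the HJT forum as tg1911 advises, and it does not touch the https or Windows Update symptoms Roger describes.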

#3 Roger_Williams
  • Topic Starter

  • Members
  • 4 posts

Posted 09 January 2005 - 05:15 AM

Thanks. I will do exactly as you say. I had found the page you give the reference for, and it looked a bit daunting, I must say. But I will definitely try to work through it. Hopefully I will end up with a HiJackThis log that someone will eventually be able to help me with. I can see the advantage of being sure that Virtumonde has been eliminated before looking for anything else... I was just afraid that Virtumonde might be protected by this other stuff that's going on--like inability to access https sites, and inability to apply security patches to IE.
