Virtumonde [RESOLVED]



#16 ronbc (Topic Starter, Member, 21 posts)
This is the report from Kaspersky Online:


KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 01, 2008 5:21:43 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/04/2008
Kaspersky Anti-Virus database records: 675320
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 90334
Number of viruses found 5
Number of infected objects 25
Number of suspicious objects 0
Duration of the scan process 01:42:10

Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{473F09F9-4BBB-423C-8395-A911AD5AE677}.bin Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ryonn\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ryonn\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ryonn\Local Settings\History\History.IE5\MSHist012008040120080402\index.dat Object is locked skipped
C:\Documents and Settings\Ryonn\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ryonn\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ryonn\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ryonn\Local Settings\Application Data\Mozilla\Firefox\Profiles\h96m4867.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Ryonn\Local Settings\Application Data\Mozilla\Firefox\Profiles\h96m4867.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Ryonn\Local Settings\Application Data\Mozilla\Firefox\Profiles\h96m4867.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Ryonn\Local Settings\Application Data\Mozilla\Firefox\Profiles\h96m4867.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Ryonn\Local Settings\Application Data\Mozilla\Firefox\Profiles\h96m4867.default\XUL.mfl Object is locked skipped
C:\Documents and Settings\Ryonn\Desktop\Downloaded\lovescript616f.exe/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Documents and Settings\Ryonn\Desktop\Downloaded\lovescript616f.exe ClickTeamPro: infected - 1 skipped
C:\Documents and Settings\Ryonn\Desktop\Downloaded\wpepro09x.zip/WPE PRO.exe Infected: Sniffer.Win32.WpePro.a skipped
C:\Documents and Settings\Ryonn\Desktop\Downloaded\wpepro09x.zip/WpeSpy.dll Infected: Sniffer.Win32.WpePro.a skipped
C:\Documents and Settings\Ryonn\Desktop\Downloaded\wpepro09x.zip ZIP: infected - 2 skipped
C:\Documents and Settings\Ryonn\Desktop\Downloaded\netpass.zip/netpass.exe Infected: not-a-virus:PSWTool.Win32.NetPass.i skipped
C:\Documents and Settings\Ryonn\Desktop\Downloaded\netpass.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Ryonn\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ryonn\Application Data\Mozilla\Firefox\Profiles\h96m4867.default\history.dat Object is locked skipped
C:\Documents and Settings\Ryonn\Application Data\Mozilla\Firefox\Profiles\h96m4867.default\parent.lock Object is locked skipped
C:\Documents and Settings\Ryonn\Application Data\Mozilla\Firefox\Profiles\h96m4867.default\cert8.db Object is locked skipped
C:\Documents and Settings\Ryonn\Application Data\Mozilla\Firefox\Profiles\h96m4867.default\key3.db Object is locked skipped
C:\Documents and Settings\Ryonn\Application Data\Mozilla\Firefox\Profiles\h96m4867.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Ryonn\Application Data\Mozilla\Firefox\Profiles\h96m4867.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Ryonn\ntuser.dat Object is locked skipped
C:\Program Files\MyScript\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
C:\Program Files\LoveScript 6.16\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080328-013845-988.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080328-013857-442.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080328-014115-386.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080328-015223-681.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080328-015249-563.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Yahoo!\Messenger\logs\client_Ryonn.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_Ryonn.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_Ryonn.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\cache\Icon\2C37866 Object is locked skipped
C:\Program Files\Yahoo!\Messenger\cache\Icon\DEFA81DD Object is locked skipped
C:\Program Files\Yahoo!\Messenger\cache\Icon\16E761DA Object is locked skipped
C:\System Volume Information\_restore{BB8FCA29-C2A6-438E-8AAD-2508321A6D63}\RP555\A0122599.exe Infected: Sniffer.Win32.WpePro.a skipped
C:\System Volume Information\_restore{BB8FCA29-C2A6-438E-8AAD-2508321A6D63}\RP555\A0122600.dll Infected: Sniffer.Win32.WpePro.a skipped
C:\System Volume Information\_restore{BB8FCA29-C2A6-438E-8AAD-2508321A6D63}\RP577\A0125308.exe Infected: not-a-virus:PSWTool.Win32.NetPass.i skipped
C:\System Volume Information\_restore{BB8FCA29-C2A6-438E-8AAD-2508321A6D63}\RP626\A0139640.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BB8FCA29-C2A6-438E-8AAD-2508321A6D63}\RP626\A0140688.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{BB8FCA29-C2A6-438E-8AAD-2508321A6D63}\RP633\change.log Object is locked skipped
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\geBuUlJa.dll_old.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\Program Files\MyScript.rar.vir/MyScript/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
C:\QooBox\Quarantine\C\Program Files\MyScript.rar.vir RAR: infected - 1 skipped
C:\QooBox\Quarantine\catchme2008-03-31_120330.09.zip/ddcBTLbc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-31_120330.09.zip ZIP: infected - 1 skipped
Scan process completed.


#17 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Your logs are clean! We need to do a few things.

Now let's uninstall Combofix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
The above procedure will do the following:
  • Delete ComboFix and its associated files and folders.
  • Delete VundoFix backups, if present
  • Delete the C:\Deckard folder, if present
  • Delete the C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.



  • Make sure you have an Internet Connection.
  • Double-click OTScanIt.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine, choose Yes.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce the chance of re-infection by malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
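The HOSTS-file blocking described above, as an added example that is not part of the forum post or of the MVPS project: a small Python parser for the HOSTS format that reports which hostnames a given file sinkholes to the local machine (127.0.0.1, 0.0.0.0 or ::1). The file content and the example.test hostnames are constructed samples, not the real MVPS list.

```python
"""Added example (not the forum post's or the MVPS project's code): parse a
HOSTS file and report which hostnames it sinkholes to the local machine,
which is how the MVPS list keeps the browser from reaching ad/malware sites."""
import ipaddress

# Addresses that send a name back to the local machine, so no connection is made
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample in HOSTS format; the example.test names are not real sites
SAMPLE_HOSTS = """\
# comment lines and blank lines are ignored
127.0.0.1   localhost
127.0.0.1   ads.example.test        # trailing comment is stripped
0.0.0.0     Tracker.Example.Test
127.0.0.1   a.example.test  b.example.test
192.0.2.10  intranet.example.test
malformed line without an address
"""


def parse_hosts(text):
    """Return {hostname (lowercased): address} for every well-formed entry.
    A line may list several names for one address; lines whose first field
    is not a valid IP are skipped, and the first entry for a name is kept."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line: ignore rather than fail the whole file
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def is_sinkholed(mapping, hostname):
    """True when the HOSTS file redirects hostname to the local machine."""
    return mapping.get(hostname.lower().rstrip(".")) in SINKHOLE_ADDRESSES


def blocked_hosts(mapping):
    """Sorted list of every name the file sinkholes, excluding localhost."""
    return sorted(h for h, a in mapping.items()
                  if a in SINKHOLE_ADDRESSES and h != "localhost")
```

Pointing the parser at the real C:\WINDOWS\system32\drivers\etc\hosts after running the MVPS installer is a quick way to confirm the list actually took effect.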

#18 ronbc (Topic Starter, Member, 21 posts)
I'm interested in this MVPS Hosts file, but I don't know how to download/install this.

Could you please give me a short / brief explanation about how to do this?

Btw, I always use Firefox. Down to IE!! :[

#19 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Download mvps.bat, run it, accept any prompts, and that is it.

Let me know how that goes and if you have any more questions.

#20 ronbc (Topic Starter, Member, 21 posts)
Thank you.

Now about this Firefox. It takes like 5 seconds to open the window after the click.
Is something wrong here? :)

#21 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Nope, more than likely due to your PC being slow or something like that. Nothing I can do.

Any more questions?

#22 ronbc (Topic Starter, Member, 21 posts)
Nope.. not now.
Though I will return here in a few days to fix my friend's comp with the same problem :|

Thanks, Rors. You've been a great help.
And Happy Easter day.

#23 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.