TechSpot

Virtumonde, Google Redirect, False Windows Security Alerts, Blue Screens, Help

By leftwngr
May 11, 2009
  1. Got infected last week with Virtumonde, Vundo, and that Antivirus 2009 thing. My Google is redirecting, as is my Yahoo. I tried pretty much everything I could get my hands on, including:
    MBAM, PC Tools Spyware Doctor, Dr. Web, Norman, et al.

    I came across your site and followed your 8 steps diligently. No other efforts have been made on this machine.

    Computer seems to work okay, but I've still got a redirect issue and I'm still getting the false windows security alert.

    During the 8 steps, I came across the names Virtumonde, Vundo, and all sorts of crazily named files. I also had to run SuperAntiSpyware in Safe Mode because the computer kept crashing and giving me the blue screen.

    This is a Windows XP Pro machine with SP3.

    I can't seem to shake this and your help would be greatly appreciated.

    Thank you in advance.
     

  2. touch

    touch TS Rookie Posts: 978

    Hello leftwngr

    It looks like you have two antivirus programs running: McAfee and Avira.

    You should uninstall one of them from Add/Remove Programs in Control Panel.

    Also remove Viewpoint.

    Reboot.

    Please download Combofix:
    http://subs.geekstogo.com/ComboFix.exe
    And save to the desktop.


    Open Notepad and copy/paste the text in the quotebox below into it.
    Name the file CFScript
    and save it on the desktop.

    http://www.fromsej.saknet.dk/billeder/cfscript.gif

    Once saved, referring to the picture above, drag CFScript.txt onto ComboFix.exe.

    ComboFix will create a log file and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please attach it to your next post.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  3. leftwngr

    leftwngr TS Rookie Topic Starter Posts: 16

    Thank you for your help.

    I'll get to it first thing in the a.m. when I get into the office.

    Look forward to getting this resolved.
     
  4. leftwngr

    leftwngr TS Rookie Topic Starter Posts: 16

    Followed your instructions and the log is attached.

    I think that may have done the trick. Computer is running much better and no more redirects. Little false warning is gone too. On the surface, it looks good. Hope the log reports a clean computer.

    By the way, I removed McAfee, but it still seems to appear on the log.

    *EDIT* Ran the McAfee Removal Tool afterwards. Seems to have taken it all off. Do I need to run ComboFix again?

    Thank you again.
     
  5. touch

    touch TS Rookie Posts: 978

    That's good news :)

    No need to run ComboFix again. I'd prefer you attach a fresh HijackThis log, as there are (probably) remnants from McAfee in the log.
     
  6. leftwngr

    leftwngr TS Rookie Topic Starter Posts: 16

    Crossing Fingers

    Here's the requested log.

    I'm hoping it's clean.

    Hey, thanks again for your help with this.
     

  7. touch

    touch TS Rookie Posts: 978

    It is clean.

    How are things running now?
     
  8. leftwngr

    leftwngr TS Rookie Topic Starter Posts: 16

    Computer is running great.

    Thanks a bundle.

    You guys rock.
     
  9. touch

    touch TS Rookie Posts: 978

    Sounds good :grinthumb

    Now that your computer problems are solved, it is time for the clean-up procedure.

    You should create a new Restore Point to prevent possible reinfection from an old one.
    The easiest and safest way to do this is:
    Go to Start > All Programs > Accessories > System Tools > System Restore.
    Select Create a restore point, and OK it.
    Next, go to Start > Run and type in cleanmgr.
    Select the More Options tab.
    Choose the option to clean up System Restore and OK it.

    This will remove all restore points except the new one you just created.

    Please download OTCleanIt.
    Save it to the desktop.
    This will remove all the tools we used to clean your computer.
    Double-click OTCleanIt.exe. Click CleanUp. Say Yes to the "Begin cleanup Process?"
    When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
    Please note: it will NOT remove MBAM, CCleaner and SuperAntiSpyware.

    To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
    How did I get infected in the first place
     
  10. leftwngr

    leftwngr TS Rookie Topic Starter Posts: 16

    Thanks again. I'll take care of the clean-up on Monday. Won't be on the machine until then.
     
  11. leftwngr

    leftwngr TS Rookie Topic Starter Posts: 16

    uh oh...

    touch:

    Got one more lingering issue here.

    Yahoo search is still redirecting. For some reason I get a new window that opens up, and it's linking to some ad server.

    Attached is a new HT Log.

    Sorry.
     
  12. touch

    touch TS Rookie Posts: 978

    No problem :)

    Let's see a new ComboFix log.

    But first, uninstall ComboFix.exe and all backups of files that it deleted:
    Click START, then RUN.
    Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.


    Then please download the newest ComboFix:
    http://subs.geekstogo.com/ComboFix.exe

    And save to the desktop.

    Close all other browser windows.

    Double-click on the ComboFix icon found on your desktop.

    Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break, as it may take a while for it to complete.

    ComboFix will create a log file and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please attach it to your next post.
     
  13. leftwngr

    leftwngr TS Rookie Topic Starter Posts: 16

    CF Log

    Touch:

    Sorry for the delay. Was out of town for a bit.

    I can see v1.adwarefeed.com come up every time I use Yahoo and it does a search. It is in the status bar in the lower left of Firefox. Is that the problem?

    Here is the requested log and thanks again.
     
Topic Status:
Not open for further replies.
