TechSpot

Virtumonde

By blightfyre
Sep 4, 2008
  1. After I run Ad-Aware and Spybot (my 2 usuals) it usually finds and gets rid of Virtumonde. It keeps coming back though. And lately something else has been popping up. When I try to look at My Pictures, Dr. Watson (I believe) shuts it down and then my desktop blinks and a message window at top left comes up. It comes and goes so fast that all I can see is 'Personalized Settings' at the top and C:\recycler............and a bunch of other characters. I've tried deleting C:\recycler to get rid of its contents (from what I understand it'll come back after reboot) but still have the same problem. Just checked and it still does it after everything I did as you instructed.
    I wasn't able to do the online scan. Something about signing up for something. I hope you can help, and any help you give will be greatly appreciated.
     
  2. rf6647

    rf6647 TS Maniac Posts: 829

    I suggest that you repeat the Malware Removal procedures.

    Combofix.log appears to be incomplete.
    System Restore archive shows past infection with Purity.
    HJT analysis courtesy of Castlecops gives conflicting info for "MSCONFIG.EXE" from the program files/pchealth.

    MSCONFIG.EXE (pchealt) is on the startup list. I consider this usage suspect.

    Dr. Watson being invoked as you describe does not sound reasonable. Suspicious.

    One strain of Purity adds a /Windows/??system32 directory. Windows Explorer lists this directory before the legit copy of 'system32'. The '??system32' filename contains non-printing characters. Command prompt > dir c:\windows\*system32* > analyze results

    Purity malware could have impacted the wbem directory as well. I believe my AV protection made a bad decision while removing the infection and quarantined the legit copy of the directory. I'll never know, since this was over a year in the past.
     
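    The `dir c:\windows\*system32*` check above works because the impostor directory only looks like 'system32' once its non-printing characters are rendered as blanks. The following added example (not from any poster in this thread) does the same comparison programmatically: it strips characters that render invisibly, and flags any entry that collapses onto a well-known directory name while its raw name differs. The list of known names and the sample listing are constructed for the example; `scan_directory` runs the same check against a real path.

```python
"""Flag directory names that impersonate a known Windows directory by
padding it with non-printing characters (e.g. '??system32' listed next to
the real 'system32'). Added example; not code from the thread."""
import os

# Directories worth checking for look-alikes. Assumed list for this example,
# seeded from the names mentioned in the thread (system32, wbem, pchealth).
KNOWN_NAMES = {"system32", "wbem", "pchealth", "recycler"}

# Constructed sample listing of C:\Windows. Two entries are impostors:
# one with two ASCII control characters prepended, one with a trailing
# zero-width space. Neither is distinguishable from the real entry on screen.
SAMPLE_LISTING = [
    "System32",          # legitimate
    "\x01\x02system32",  # constructed impostor: control chars prepended
    "wbem",              # legitimate
    "wbem\u200b",        # constructed impostor: trailing zero-width space
    "PCHEALTH",          # legitimate
    "Fonts",             # unrelated directory
]


def visible_name(name: str) -> str:
    """Return what a user actually sees: drop characters Python classes as
    non-printable (ASCII controls, Unicode format chars such as zero-width
    space, line/paragraph separators) and trim surrounding blanks."""
    return "".join(ch for ch in name if ch.isprintable()).strip()


def find_lookalikes(names, known=KNOWN_NAMES):
    """Return (raw_name, impersonated_name) pairs for entries whose visible
    form matches a known directory but whose raw name does not.
    Case differences alone ('System32' vs 'system32') are not flagged."""
    hits = []
    for name in names:
        folded = visible_name(name).casefold()
        if folded in known and name.casefold() != folded:
            hits.append((name, folded))
    return hits


def escaped(name: str) -> str:
    """Render hidden characters as escape sequences so a report shows them."""
    return name.encode("unicode_escape").decode("ascii")


def scan_directory(path):
    """Apply the check to the sub-directories of a real path."""
    entries = [e for e in os.listdir(path) if os.path.isdir(os.path.join(path, e))]
    return find_lookalikes(entries)


if __name__ == "__main__":
    for raw, target in find_lookalikes(SAMPLE_LISTING):
        print(f"suspicious: {escaped(raw)!s} masquerades as {target}")
```

    Note that `visible_name` deliberately treats a trailing space the same way, because `"system32 "` is also indistinguishable in Explorer. Anything this flags still needs manual confirmation; the point is to surface the entry, not to delete it.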
  3. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Actually, the ComboFix log will always cut off if it is too long; that's by design.

    And the legit msconfig file has been moved to a bak folder and replaced with a malicious file.

    Did you run Smitfraudfix? If so attach rapport.txt

    If not,

    Run Smitfraudfix
    • Download Smitfraudfix by S!ri from HERE
    • Double-click SmitfraudFix.exe
    • Select 1 and hit Enter
    • The report can be found at the root of the system drive, usually at C:\rapport.txt

    ======================================

    FindAWF

    Click here to download FindAWF.exe and save it to your desktop.
    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to Press any key to continue.
    • Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
    • Attach AWF.txt file in your next reply.


    Attach here:
    1) C:\rapport.txt
    2) AWF.txt
     