1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.
    TechSpot is dedicated to computer enthusiasts and power users.
    Ask a question and give support.
    Join the community here, it only takes a minute.
    Dismiss Notice

Help with probable Virtumonde infection

By shiba geezer ยท 25 replies
Jul 29, 2008
  1. I believe I have a problem similar to Techflame23 2/3/08 topic 98302 (sorry i can't post links yet)
    I am about to run through the 15 step procedure but want to make sure I have suffient antivirus/firewall running before getting started.
    I have norton antivirus but had not been online to run a live update for a month before I got the virus yeasterday. I also have uniblue speed up my pc which from what i understand removes spyware when you run the scan. Also from uniblue i have the registry booster.
    I knew I had the virus when norton windows poped up alerting me that intrusion attempts were blocked followed by what looks like windows security alerts warnings that the system was corrupted and to start scanning for malware (2 different pop up windows saying different but similarly dire things) coming up every couple minutes. A third more colorful/graphic "microsoft" window pops up every 5 minutes saying i have no virus protection. When i click the link it scans (too quickly i think) then tries to connect to via internet explorer to register the product. I'm fairly confident these are false protection programs especially since one is labled Vista and i'm still on XP os.
    Will I be okay going through the 15 steps with just norton (sans live update) and uniblue running? Should i try to do a live update of norton first?
    I forgot to mention the other symptoms of this virus. The one that has me scared to connect to the net is: it kept opening explorer browsers and tabs even after i disabled the connection. After disconnection from the internet yesterday I ran a norton full system scan, uniblue sumpc and registry scans. Norton found 0 risks, uniblue scans removed hundreds of privacy risks and registry defect files respectively. The last symptom of this virus is persitent creation of 2 obscene desktop shortcut icons. One is "Tits and ***" the other is "nude women" and dragging the mouse over them they list as .url's.
    Let me know what i should do (if anything) before starting the 15 steps. I'm just afraid of the multiple browser symptom (if it still persists) making it impossible to do the nesc. downloads.
    Thank you for your time.
  2. raybay

    raybay TS Evangelist Posts: 7,241   +10

    See if you can run these: MBAM MalwareBytes and SuperAntispyware
    The registry booster is junk. Download and run the free CCleaner.
    Once you have run them, download and run HiJack This and send the log to this forum.
    You may have to download these to another computer, and burn them to a disk. Then install from the disk. If you cannot do it in normal mode, run in SAFE MODE
  3. shiba geezer

    shiba geezer TS Rookie Topic Starter

    just to be clear, you are basically telling me to do steps 4,5, and 6. For now it is okay to skip step 3 with the online virus scanner?
    Just to be safe i think i'm going to go the separtate cpu to disk route. I should be able to install and run the programs without even connecting to the internet right?
    What about norton; should i just keep it running through the process? Right now uniblue starts up automatically. Should as disable it as per step 1?
    I'll start trying to download those 3 progr. and burn them from my work cpu.
    You're a lifesaver.
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    First thing you should do is update your Antivirus product -> after that is done you should run a full scan. After that you should disable the real time protection which I will post instructions for below - most of the programs can be run using 2 computers and transfering the installers - however you have to connect to update them. Let us know if you have problems. After you disable your real time protection proceed through the preliminary removal

    Disable the Norton AntiVirus Auto-Protect feature by:

    1. Right-mouse click the Norton AntiVirus icon in the system tray.

    2. Select Auto-Protect option.

    3. Set the Select the duration option to Until system restart.

    4. Click OK

    Disable Norton AntiVirus Script Blocking feature by:

    1. Right-mouse click the Norton AntiVirus icon in the system tray.

    2. Select Norton AntiVirus Options.

    3. Under System, click Script Blocking.

    4. Make sure Enable Script Blocking option is de-selected.

    5. Click OK.
  5. shiba geezer

    shiba geezer TS Rookie Topic Starter

    Sorry Raybay
    What you told me to do would be step 4, downloading Highjackthis. Step 5 is renaming the Highjackthis.exe file. Should I do this after I download it to my infected cpu?. Step 6 is Super AntiSpyware and Malwarebytes which in order to do completely I will need to connect to the internet for updates (i'm scared).

    Skip step 7 and 8.

    Ccleaner is step 9.

    And last I should run an HJT scan which would be step 15.

    I'm all about getting this infection cleaned in a timely fashion and i as a novice trust you know what you're doing. As long as you think this is the way to go opposed to the full 15 steps I'm in it to win it.
    Just reassure me once and I'll just shut up and follow orders from here on out.
  6. shiba geezer

    shiba geezer TS Rookie Topic Starter


    Thank for the help. I'll try to run the live update for norton right off the bat. Like i mentioned before the multiple explorer browser symptom has me a bit nervous. I'll just have to give it a shot.

    Excuse the elementary nature of these next questions. I am on a different cpu downloading the program files for HJT, SuperAntiSpyware, Malwarebytes, and Ccleaner. Should I save the initial .exe files to the disk I'm using to transfer them or should I run the initial exe file and send the program files to my disk during the installation process? I just want to make sure I get the proper files on my disk before I leave work since I have to go home to get online access for my personal cpu.
    Do I have to worry about disabling the uniblue program or is that not a real-timer?

  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You will be fine, just make sure to follow all instructions carefully and post back here the required logs.

    The preliminary removal is a good start and will usually clean up a lot of infections, but we need the logs to clean up leftovers - or infections that aren't identified by the various programs

    I don't think uniblue will interfere with any of the programs we use.

    you can download the installers to disk but they won't be updated - if you are concerned about the multiple explorer windows lets get you a different browser right off the bat - internet explorer is often the target of attacks so that is why many people have switched to firefox and opera browsers

    only use internet explorer if you absolutely have to: Here are 2 more secure browsers to choose from
    1)Firefox -> http://www.mozilla.com/en-US/firefox/
    2)Opera -> http://www.opera.com/
  8. shiba geezer

    shiba geezer TS Rookie Topic Starter

    Thanks for your reassurance. I'm headed home to install the new security programs. Once I make sure they're installed correctly I'll get online (via firefox) after work tomorrow and get updates then proceed through. Should have the report logs to you by tomorrow around 6-7pm EST.
    Thanks againg for all your help.
  9. shiba geezer

    shiba geezer TS Rookie Topic Starter

    I'm a bit behind schedule but i did manage to get my norton updates via foxfire and ran a full system scan which found and resolved 7 issues. I'm a bit puzzled on the realtime disabling instructions most likely due to my version of norton being a different. When I right click on the taskbar icon only 3 option come up: "open norton protection center", "change notification options", and "show norton status on task bar".
    By going through "open norton protection center" and clicking an "options" tab then the "norton antivirus" tab I see a link for "real-time protection". Clicking on that brings up an "auto-protect" tab. When i click on that it shows a checked box by "turn on auto-protect" and three other checked sub options: "load auto-protect during system startup", "turn on bloodhound heuristics", and "turn on caching". My question is whether I should leave this/these boxes checked? Additionally I don't see any place to select the duration.

    I'll wait for a reply before i proceed further.
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    uncheck turn on auto protect
    uncheck load auto-protect during system startup
    uncheck turn on bloodhound heuristics
    uncheck turn on caching

    Then proceed - after we are done remember to turn those back on.
  11. shiba geezer

    shiba geezer TS Rookie Topic Starter

    Log files

    Here are the log files from the 15-step preliminary removal. My cpu seems to be running a bit better yet still quite slow to start up (been that way for a couple years). Let me know what you think from looking at the logs and if there is anything I can do to maximize the preformance. Once again thank you folks for your support. I've spread the word to all my friends that techspot it the place to go for help. Right now I'm a starving grad. student but once I get my career in order I will donate what I can to you folks and the creators of the programs I used via your site.
    S. Geezer
  12. shiba geezer

    shiba geezer TS Rookie Topic Starter

    Sorry I forgot to add that Panda Antirootkit results were "No rootkits have been found."
  13. raybay

    raybay TS Evangelist Posts: 7,241   +10

    I our experience, Panda is among the worst at detecting anything. I was once a Panda dealer... but no more.
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    OTMoveit2 by OldTimer
    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt2
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


    [​IMG]Update your Java Runtime Environment

    • First try going to Start -> Control Panel -> double click Java
    • Select the Update Tab at the top of the Java console
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 7) Follow the on screen instructions (uncheck the yahoo toolbar option)
    • After it installs the newest version Go back to Control Panel -> Add/remove programs (programs and features in vista)
    • Uninstall any older versions of Java


    [​IMG]Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
  15. shiba geezer

    shiba geezer TS Rookie Topic Starter

    Kaspersky results

    Here's the results log of the Kaspersky online scan.
  16. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Uninstall Combofix
    * Click START then RUN
    * Now type Combofix /u in the runbox
    * Make sure there's a space between Combofix and /u
    * Then hit Enter.

    * The above procedure will:
    * Delete the following:
    * ComboFix and its associated files and folders.
    * Reset the clock settings.
    * Hide file extensions, if required.
    * Hide System/Hidden files, if required.
    * Set a new, clean Restore Point.


    OTCleanit! by Oldtimer
    • Download OTCleanIt
    • Click the CleanUp! button.
      • It will go thorugh the list and remove all of the tools it finds and then delete itself (requiring a reboot).


    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    1. Set correct settings for files
      • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
      • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
      • If unchecked please check Hide protected operating system files (Recommended)
      • If necessary check "Display content of system folders"
      • If necessary Uncheck Hide file extensions for known file types.
      • Click OK

      clear system restore points

      • This is a good time to clear your existing system restore points and establish a new clean restore point:
        • Go to Start > All Programs > Accessories > System Tools > System Restore
        • Select Create a restore point, and Ok it.
        • Next, go to Start > Run and type in cleanmgr
        • Select the More options tab
        • Choose the option to clean up system restore and OK it.
        This will remove all restore points except the new one you just created.

    2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialize and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online & their stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and Removal Resources

    4. Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls

    6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.This is done in Vista through control panel -> windows updates.

    7. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    8. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    here are some additional utilities that will enhance your safety

    • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to which is your local computer
    • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
    • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
      Using Winpatrol to protect your computer from malicious software
  17. shiba geezer

    shiba geezer TS Rookie Topic Starter

    Just had a couple final questions. I just got what looks like a Microsoft update alert ("!" inside a yellow shield. I clicked it to start the update and it didn't make much progress the first 5 minutes so I double clicked the toolbar icon. In the task window was the following:

    "Initializing installation... done!
    Installing Windows Malicious Software Removal Tool - July 2008 (KB890830) (update 1 of 1)..."

    I canceled the instillation since I was not sure if it was a residual virus/malware symptom. Should I be wary of such things or should I trust that those update are genuine?
    I just updated my Norton antivirus subscription. Does their service cover firewalls or should I get something else running for that?
    Lastly, I downloaded firefox and have been using that lately for my web browser and like it as my default. What is your opinion between the two? Can I keep using firefox and arrange the settings similarly to those you outlined in your last post?
    Thanks again for all your help.
  18. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    It's good that you are being careful - however that is a legit update that you are getting from Microsoft - there are similar looking updates that may say you are infected -click here to scan <- or something similar - those are not

    What you can do to be safe is cancel them - then check microsoft update yourself

    You can do this on XP by opening Internet explorer and going to www.update.microsoft.com

    or in Vista by going to Start -> Control Panel -> windows update

    Check for updates - install whatever it finds - then check it again if it ask you to restart you computer - keep doing this until it says no updates found - you could be behind on updates if the infection was blocking them
  19. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    almost forgot the 2nd part of your question

    Firefox is definitely more secure than IE -> I have installed an IE tab in mine for cases where you have to use IE -> I never actually launch IE -> you can do this through tools-> add ons -> then search for IE Tab

    I am not sure if you Norton product includes a Firewall or not -> assuming that it does NOT you should consider installing Zone Alarm Free -> assumiing that is DOES -> you should not install another firewall as you only want 1 active firewall
  20. shiba geezer

    shiba geezer TS Rookie Topic Starter

    I just checked on my "norton protection center" and it says I have an active inbound firewall. Will I be good with that?
    So I can keep using firefox for my default browser but I should install and Internet Ex. tab for certain things that will only run with IE browser. After I get the tab installed can/should I uninstall IE? Are the settings you described for a more secure IE the same to set my firefox browser?
  21. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Firefox by default is more secure - I recommend you use Spyware blaster to further secure it as posted in my all clean post

    I wouldn't worry about uninstalling IE, just leave it be

    I also wouldn't worry about changing those settings on firefox - just make sure to update spyware blaster and use the firefox protection
  22. raybay

    raybay TS Evangelist Posts: 7,241   +10

    Your active inbound firewall is likely Windows Firewall. If you have no outbound firewall, your risk is substantially increased as evil doers can take your computers to all corners of the world if they so wish.

    I see nothing special about Spyware Blaster, based on what I see in client computers. It doesn't come close to Spyware Doctor 6.0 or Spysweeper on the computers we examine in our shop.
  23. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    That's like comparing an apple to an orange

    they serve a different purpose - spyware blaster isn't a removal tool or real time monitoring program - it also doesn't eat up resources or conflict with other real time monitoring programs

    The main function of spyware blaster is to:
    # prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
    # Block spyware/tracking cookies in Internet Explorer and Mozilla Firefox.
    # Restrict the actions of potentially unwanted sites in Internet Explorer.

    it basically just manages your browsers security settings - and it is extremely simple to use - which is great for users that don't want to have to configure everything themselves


    I know spy sweeper manages IE but does it do anything for Firefox - from what I have seen it does not


    Oh yea and spyware blaster is free
  24. Mark2

    Mark2 TS Rookie

    Blind Dragon, you are not qualified to give malware advice anyway. I wouldn't be surprised if you're kicked out of training...
  25. raybay

    raybay TS Evangelist Posts: 7,241   +10

    In our experience, Spyware Blaster is just another one of the profit making software that does little good and opens additional risk. Haven't seen a review that gives it marks in the top 10 consistently.
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...