Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

worm-koobface

Posted on 2009-05-08
9
Medium Priority
?
537 Views
Last Modified: 2013-12-06
I have read through the other posts about koobface and have not been able to remove this threat. i have been working on this machine for 3 days now everytime i think its gone a restart brings it right back. i have searched for the files listed in the other posts and have not found them on the system. any help removing this would be great!

thanks also here is the hijackthis log.
hijackthis.txt
0
Comment
Question by:smartsystemsinc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 

Author Comment

by:smartsystemsinc
ID: 24338026
here is the combo fix log aswell.
ComboFix.txt
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 24338132
I recommend downloading and updating Malwarebytes.
You can get it free from www.Malwarebytes.org
Once downloaded and updated boot into Safe Mode (F8 at startup) and run your scans.
You should save malwarebytes.exe as a different name. ie mw.123
Once downloaded, rename to it's original mbam.exe
Some malware will prevent malwarebytes or other suites from running if downloaded with their original name.
Your log file is clean.
If you run malwarebytes and combofix as well as your antivirus suite in Safe Mode you should be able to rid yourself of this threat.
Combofix:
The free download and directions can be located here.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
As noted in the directions, prior to running Combofix or any other anti-malware/anti-virus application please stop your anti-virus and anti-malware programs.
0
 

Author Comment

by:smartsystemsinc
ID: 24338168
i will run mal-warebytes again and post the log i have run it several times i have even slaved this drive and scanned it. all done in safe mode even :)
0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 
LVL 27

Expert Comment

by:David-Howard
ID: 24338331
Okay, there is an automated removal tool listed here as well as manual removal instructions.
http://www.symantec.com/security_response/writeup.jsp?docid=2008-080315-0217-99&tabid=3
I cannot speak for the removal tool as I have not used it.
If the manual instructions fail you may want to consider turning off System Restore and then running your scans.
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
Click OK.
When you receive the following message, click Yes to confirm that you want to turn off System Restore:
"You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?"
After a few moments, the System Properties dialog box closes.
0
 

Author Comment

by:smartsystemsinc
ID: 24338334
ok i just finnished a malwarebytes scan and it came back clean however the webroot spysweeper with antivirus scan came back showing koobface and virtumonde. anyideas? i will try to get a log file out of webroot when the scan is done.
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 24338368
Please try the Symantec removal tool I listed above. You will need to disable System Restore.
0
 

Author Comment

by:smartsystemsinc
ID: 24338616
Here is the last bit that remains on the computer i do not have a symantec scanner but i did use webroot this is what it found:

HKU\S-1-5-21-3948417850-3809322032-3656077518-1007\software\microsoft\windows\currentversion\internet settings\ || Proxyoverride

this key was successfully removed then i restarted and scanned again this is the only key that remained the virtumonde is gone.

0
 
LVL 27

Accepted Solution

by:
David-Howard earned 2000 total points
ID: 24338852
You might try exporting your Registry to external media and then deleting that key. At least the Proxyoverride portion.
http://www.ehow.com/how_11828_export-windows-registry.html
0
 

Author Closing Comment

by:smartsystemsinc
ID: 31579538
thank you so much loading the hive in a good computer worked brilliantly.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

These are on the increase and getting more common these days. Users who use the Google search engine may complain of having their search redirected to unwanted sites, regardless of what browser is used. This happens when the system is infected with…
PREFACE The purpose of this guide is to explain how to manually move a SEP client to a different client group by performing steps on the client-side. These steps may prove particularly useful because they allow the client to move after it has alrea…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question