Solved

worm-koobface

Posted on 2009-05-08
Last Modified: 2013-12-06
I have read through the other posts about Koobface and have not been able to remove this threat. I have been working on this machine for 3 days now; every time I think it's gone, a restart brings it right back. I have searched for the files listed in the other posts and have not found them on the system. Any help removing this would be great!

Thanks. Also, here is the HijackThis log.
hijackthis.txt
Question by:smartsystemsinc
9 Comments

Author Comment

by:smartsystemsinc
ID: 24338026
Here is the ComboFix log as well.
ComboFix.txt

Expert Comment

by:David-Howard
ID: 24338132
I recommend downloading and updating Malwarebytes.
You can get it free from www.Malwarebytes.org.
Once downloaded and updated, boot into Safe Mode (F8 at startup) and run your scans.
You should save malwarebytes.exe under a different name, i.e. mw.123.
Once downloaded, rename it to its original name, mbam.exe.
Some malware will prevent Malwarebytes or other suites from running if downloaded with their original name.
Your log file is clean.
If you run malwarebytes and combofix as well as your antivirus suite in Safe Mode you should be able to rid yourself of this threat.
Combofix:
The free download and directions can be located here.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
As noted in the directions, prior to running Combofix or any other anti-malware/anti-virus application please stop your anti-virus and anti-malware programs.

Author Comment

by:smartsystemsinc
ID: 24338168
I will run Malwarebytes again and post the log. I have run it several times; I have even slaved this drive and scanned it. All done in Safe Mode, even :)

Expert Comment

by:David-Howard
ID: 24338331
Okay, there is an automated removal tool listed here as well as manual removal instructions.
http://www.symantec.com/security_response/writeup.jsp?docid=2008-080315-0217-99&tabid=3
I cannot speak for the removal tool as I have not used it.
If the manual instructions fail, you may want to consider turning off System Restore and then running your scans.
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
Click OK.
When you receive the following message, click Yes to confirm that you want to turn off System Restore:
"You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?"
After a few moments, the System Properties dialog box closes.

Author Comment

by:smartsystemsinc
ID: 24338334
OK, I just finished a Malwarebytes scan and it came back clean; however, the Webroot Spy Sweeper with AntiVirus scan came back showing Koobface and Virtumonde. Any ideas? I will try to get a log file out of Webroot when the scan is done.

Expert Comment

by:David-Howard
ID: 24338368
Please try the Symantec removal tool I listed above. You will need to disable System Restore.

Author Comment

by:smartsystemsinc
ID: 24338616
Here is the last bit that remains on the computer. I do not have a Symantec scanner, but I did use Webroot; this is what it found:

HKU\S-1-5-21-3948417850-3809322032-3656077518-1007\software\microsoft\windows\currentversion\internet settings\ || Proxyoverride

This key was successfully removed; then I restarted and scanned again, and this is the only key that remained. The Virtumonde is gone.


Accepted Solution

by: David-Howard (earned 500 total points)
ID: 24338852
You might try exporting your Registry to external media and then deleting that key, at least the Proxyoverride portion.
http://www.ehow.com/how_11828_export-windows-registry.html
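As an added example (not part of the thread or any participant's post), the script below does the two steps suggested here in one go: it exports the Internet Settings key to a .reg backup, then lists the proxy-redirecting values (ProxyEnable, ProxyServer, ProxyOverride, AutoConfigURL) so you can see what was planted before deleting anything. It works on the live HKCU hive or, as the asker later did, on a slaved drive's NTUSER.DAT loaded on a clean machine; the hive path, mount name and backup folder are assumed values.

```powershell
# Added example, not from the thread: back up and inspect the per-user
# Internet Settings proxy values that Webroot flagged (ProxyOverride) before
# deciding what to delete. Works on the live HKCU hive, or on a slaved
# drive's NTUSER.DAT loaded under HKLM, as the asker did on a clean machine.
# $HivePath, $MountName and $BackupDir are assumed values; adjust to taste.
param(
    [string]$HivePath  = '',                # e.g. 'D:\Documents and Settings\user\NTUSER.DAT' (assumed)
    [string]$MountName = 'OfflineUser',     # arbitrary name for the loaded hive
    [string]$BackupDir = "$env:USERPROFILE\Desktop\reg-backup"
)

$subKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

if ($HivePath) {
    # Offline hive: reg.exe load mounts the slaved user's NTUSER.DAT under HKLM (needs an elevated prompt)
    reg.exe load "HKLM\$MountName" $HivePath | Out-Null
    $regPath = "HKLM\$MountName\$subKey"
    $psPath  = "HKLM:\$MountName\$subKey"
} else {
    $regPath = "HKCU\$subKey"
    $psPath  = "HKCU:\$subKey"
}

# Export the key first so a deletion can be undone by merging the .reg file back
New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
$backupFile = Join-Path $BackupDir ("InternetSettings-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
reg.exe export $regPath $backupFile /y | Out-Null
Write-Output "Backup written to $backupFile"

# Report the values that redirect browser traffic; anything the user never set is suspect
$props = Get-ItemProperty -Path $psPath -ErrorAction SilentlyContinue
foreach ($name in 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
    $value = $props.$name
    if ($null -ne $value -and "$value" -ne '') {
        Write-Output ("{0,-14} = {1}" -f $name, $value)
    }
}

if ($HivePath) {
    # Drop the PowerShell handles, then unload the hive so the slaved drive can be detached cleanly
    $props = $null
    [GC]::Collect()
    reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Compare the printed values with what the user actually configured; a ProxyOverride or ProxyServer entry nobody set, or an AutoConfigURL pointing at an unfamiliar host, is the part worth deleting after the backup is safe.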

Author Closing Comment

by:smartsystemsinc
ID: 31579538
Thank you so much. Loading the hive in a good computer worked brilliantly.