Solved

worm-koobface

Posted on 2009-05-08
534 Views
Last Modified: 2013-12-06
I have read through the other posts about Koobface and have not been able to remove this threat. I have been working on this machine for 3 days now; every time I think it's gone, a restart brings it right back. I have searched for the files listed in the other posts and have not found them on the system. Any help removing this would be great!

Thanks. Also, here is the HijackThis log.
hijackthis.txt
Question by:smartsystemsinc
9 Comments
 

Author Comment

by:smartsystemsinc
ID: 24338026
Here is the ComboFix log as well.
ComboFix.txt
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 24338132
I recommend downloading and updating Malwarebytes.
You can get it free from www.Malwarebytes.org
Once downloaded and updated, boot into Safe Mode (F8 at startup) and run your scans.
You should save malwarebytes.exe under a different name, i.e. mw.123.
Once downloaded, rename it to its original name, mbam.exe.
Some malware will prevent malwarebytes or other suites from running if downloaded with their original name.
Your log file is clean.
If you run malwarebytes and combofix as well as your antivirus suite in Safe Mode you should be able to rid yourself of this threat.
Combofix:
The free download and directions can be located here.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
As noted in the directions, prior to running Combofix or any other anti-malware/anti-virus application please stop your anti-virus and anti-malware programs.
0
 

Author Comment

by:smartsystemsinc
ID: 24338168
I will run Malwarebytes again and post the log. I have run it several times; I have even slaved this drive and scanned it. All done in Safe Mode, even :)
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 24338331
Okay, there is an automated removal tool listed here as well as manual removal instructions.
http://www.symantec.com/security_response/writeup.jsp?docid=2008-080315-0217-99&tabid=3
I cannot speak for the removal tool as I have not used it.
If the manual instructions fail you may want to consider turning off System Restore and then running your scans.
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
Click OK.
When you receive the following message, click Yes to confirm that you want to turn off System Restore:
"You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?"
After a few moments, the System Properties dialog box closes.
0
 

Author Comment

by:smartsystemsinc
ID: 24338334
OK, I just finished a Malwarebytes scan and it came back clean; however, the Webroot Spy Sweeper with AntiVirus scan came back showing Koobface and Virtumonde. Any ideas? I will try to get a log file out of Webroot when the scan is done.
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 24338368
Please try the Symantec removal tool I listed above. You will need to disable System Restore.
0
 

Author Comment

by:smartsystemsinc
ID: 24338616
Here is the last bit that remains on the computer. I do not have a Symantec scanner, but I did use Webroot; this is what it found:

HKU\S-1-5-21-3948417850-3809322032-3656077518-1007\software\microsoft\windows\currentversion\internet settings\ || Proxyoverride

This key was successfully removed. Then I restarted and scanned again; this is the only key that remained. The Virtumonde is gone.

0
 
LVL 27

Accepted Solution

by: David-Howard (earned 500 total points)
ID: 24338852
You might try exporting your Registry to external media and then deleting that key, or at least the Proxyoverride portion.
http://www.ehow.com/how_11828_export-windows-registry.html
0
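The two posts above boil down to one check: look at the per-user Internet Settings key in HKEY_USERS for proxy values that the user never configured, export the hive before touching anything, and remove only the offending value. The script below is an added example, not code from this thread or from any of the tools named in it. It parses the text format that regedit's Export writes (the same file you get after loading the hive on a clean machine), lists every proxy-related value per user SID, and builds a .reg fragment that deletes just those values on import. The SIDs, proxy server string and paths in the sample are constructed for the example; a real export is UTF-16 and should be read with encoding="utf-16".

```python
"""Audit a .reg export for per-user Internet Settings proxy values.

Added example (not from the thread). Finds Internet Settings keys under
HKEY_USERS\<SID>, reports ProxyEnable/ProxyServer/ProxyOverride/AutoConfigURL,
and produces a .reg fragment that removes only those values ("Name"=-).
"""
import re
from collections import OrderedDict

# Real registry value names; the thread's "Proxyoverride" is the same value
# (registry names are case-insensitive).
PROXY_VALUES = {"proxyenable", "proxyserver", "proxyoverride", "autoconfigurl"}
INET_KEY_RE = re.compile(
    r"^HKEY_USERS\\(S-1-5-21-[\d-]+)\\Software\\Microsoft\\Windows\\"
    r"CurrentVersion\\Internet Settings$",
    re.IGNORECASE,
)
KEY_LINE_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Constructed sample export: one user with an active local proxy, one clean user,
# plus an unrelated key to show that only Internet Settings is examined.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy"=dword:00000001
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:8080"
"ProxyOverride"="<local>"

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1007\Software\Microsoft\Windows\CurrentVersion\Run]
"Example"="C:\\Program Files\\Example\\example.exe"
'''


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from regedit export text."""
    keys = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = KEY_LINE_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, OrderedDict())
            continue
        m = VALUE_LINE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data")
    return keys


def decode_data(raw):
    """Turn raw .reg data (quoted string or dword:hex) into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex:, @ and other forms are passed through unchanged


def find_proxy_settings(reg_text):
    """List (sid, value_name, decoded_data) for every proxy value per user hive.

    ProxyEnable=0 with no server is the Windows default and is only informational;
    an enabled proxy pointing at a local port the user never set up is the finding.
    """
    findings = []
    for key, values in parse_reg(reg_text).items():
        m = INET_KEY_RE.match(key)
        if not m:
            continue
        for name, raw in values.items():
            if name.lower() in PROXY_VALUES:
                findings.append((m.group(1), name, decode_data(raw)))
    return findings


def removal_fragment(findings):
    """Build a .reg file that deletes only the listed values when imported.

    A line of the form "Name"=- removes that value; the key and its other values
    stay. Export the hive first, as the accepted answer advises, so this is reversible.
    Assumes the user has no legitimate proxy; otherwise filter the findings first.
    """
    by_sid = OrderedDict()
    for sid, name, _ in findings:
        by_sid.setdefault(sid, []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for sid, names in by_sid.items():
        lines.append("[HKEY_USERS\\%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings]" % sid)
        lines.extend('"%s"=-' % n for n in names)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_proxy_settings(SAMPLE_REG)
    for sid, name, data in found:
        print("%s  %s = %r" % (sid, name, data))
    print(removal_fragment(found))
```

Run it against a real export with `find_proxy_settings(open(path, encoding="utf-16").read())`; review the printed findings before importing the generated fragment, since a corporate proxy or a PAC URL set by policy will show up the same way.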
 

Author Closing Comment

by:smartsystemsinc
ID: 31579538
Thank you so much. Loading the hive in a good computer worked brilliantly.
0
