Solved

worm-koobface

Posted on 2009-05-08
9
528 Views
Last Modified: 2013-12-06
I have read through the other posts about koobface and have not been able to remove this threat. i have been working on this machine for 3 days now everytime i think its gone a restart brings it right back. i have searched for the files listed in the other posts and have not found them on the system. any help removing this would be great!

thanks also here is the hijackthis log.
hijackthis.txt
0
Comment
Question by:smartsystemsinc
  • 5
  • 4
9 Comments
 

Author Comment

by:smartsystemsinc
Comment Utility
here is the combo fix log aswell.
ComboFix.txt
0
 
LVL 27

Expert Comment

by:David-Howard
Comment Utility
I recommend downloading and updating Malwarebytes.
You can get it free from www.Malwarebytes.org
Once downloaded and updated boot into Safe Mode (F8 at startup) and run your scans.
You should save malwarebytes.exe as a different name. ie mw.123
Once downloaded, rename to it's original mbam.exe
Some malware will prevent malwarebytes or other suites from running if downloaded with their original name.
Your log file is clean.
If you run malwarebytes and combofix as well as your antivirus suite in Safe Mode you should be able to rid yourself of this threat.
Combofix:
The free download and directions can be located here.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
As noted in the directions, prior to running Combofix or any other anti-malware/anti-virus application please stop your anti-virus and anti-malware programs.
0
 

Author Comment

by:smartsystemsinc
Comment Utility
i will run mal-warebytes again and post the log i have run it several times i have even slaved this drive and scanned it. all done in safe mode even :)
0
 
LVL 27

Expert Comment

by:David-Howard
Comment Utility
Okay, there is an automated removal tool listed here as well as manual removal instructions.
http://www.symantec.com/security_response/writeup.jsp?docid=2008-080315-0217-99&tabid=3
I cannot speak for the removal tool as I have not used it.
If the manual instructions fail you may want to consider turning off System Restore and then running your scans.
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
Click OK.
When you receive the following message, click Yes to confirm that you want to turn off System Restore:
"You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?"
After a few moments, the System Properties dialog box closes.
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 

Author Comment

by:smartsystemsinc
Comment Utility
ok i just finnished a malwarebytes scan and it came back clean however the webroot spysweeper with antivirus scan came back showing koobface and virtumonde. anyideas? i will try to get a log file out of webroot when the scan is done.
0
 
LVL 27

Expert Comment

by:David-Howard
Comment Utility
Please try the Symantec removal tool I listed above. You will need to disable System Restore.
0
 

Author Comment

by:smartsystemsinc
Comment Utility
Here is the last bit that remains on the computer i do not have a symantec scanner but i did use webroot this is what it found:

HKU\S-1-5-21-3948417850-3809322032-3656077518-1007\software\microsoft\windows\currentversion\internet settings\ || Proxyoverride

this key was successfully removed then i restarted and scanned again this is the only key that remained the virtumonde is gone.

0
 
LVL 27

Accepted Solution

by:
David-Howard earned 500 total points
Comment Utility
You might try exporting your Registry to external media and then deleting that key. At least the Proxyoverride portion.
http://www.ehow.com/how_11828_export-windows-registry.html
0
 

Author Closing Comment

by:smartsystemsinc
Comment Utility
thank you so much loading the hive in a good computer worked brilliantly.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

12 Steps to a more secure Internet experience (http://tekblog.teksquisite.com/) Everyone who is a licensed driver initially had to pass a driving test that consisted of taking:    1. a written test    2. a road test    3. a vision test Le…
OVERVIEW This guide provides information on the process performed when the Symantec Endpoint Protection (SEP) client checks in with the Symantec Endpoint Protection Manager (SEPM). AUDIENCE Information Technology personnel responsible for suppo…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now