Solved

worm-koobface

Posted on 2009-05-08
9
532 Views
Last Modified: 2013-12-06
I have read through the other posts about koobface and have not been able to remove this threat. i have been working on this machine for 3 days now everytime i think its gone a restart brings it right back. i have searched for the files listed in the other posts and have not found them on the system. any help removing this would be great!

thanks also here is the hijackthis log.
hijackthis.txt
0
Comment
Question by:smartsystemsinc
  • 5
  • 4
9 Comments
 

Author Comment

by:smartsystemsinc
ID: 24338026
here is the combo fix log aswell.
ComboFix.txt
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 24338132
I recommend downloading and updating Malwarebytes.
You can get it free from www.Malwarebytes.org
Once downloaded and updated boot into Safe Mode (F8 at startup) and run your scans.
You should save malwarebytes.exe as a different name. ie mw.123
Once downloaded, rename to it's original mbam.exe
Some malware will prevent malwarebytes or other suites from running if downloaded with their original name.
Your log file is clean.
If you run malwarebytes and combofix as well as your antivirus suite in Safe Mode you should be able to rid yourself of this threat.
Combofix:
The free download and directions can be located here.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
As noted in the directions, prior to running Combofix or any other anti-malware/anti-virus application please stop your anti-virus and anti-malware programs.
0
 

Author Comment

by:smartsystemsinc
ID: 24338168
i will run mal-warebytes again and post the log i have run it several times i have even slaved this drive and scanned it. all done in safe mode even :)
0
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
LVL 27

Expert Comment

by:David-Howard
ID: 24338331
Okay, there is an automated removal tool listed here as well as manual removal instructions.
http://www.symantec.com/security_response/writeup.jsp?docid=2008-080315-0217-99&tabid=3
I cannot speak for the removal tool as I have not used it.
If the manual instructions fail you may want to consider turning off System Restore and then running your scans.
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
Click OK.
When you receive the following message, click Yes to confirm that you want to turn off System Restore:
"You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?"
After a few moments, the System Properties dialog box closes.
0
 

Author Comment

by:smartsystemsinc
ID: 24338334
ok i just finnished a malwarebytes scan and it came back clean however the webroot spysweeper with antivirus scan came back showing koobface and virtumonde. anyideas? i will try to get a log file out of webroot when the scan is done.
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 24338368
Please try the Symantec removal tool I listed above. You will need to disable System Restore.
0
 

Author Comment

by:smartsystemsinc
ID: 24338616
Here is the last bit that remains on the computer i do not have a symantec scanner but i did use webroot this is what it found:

HKU\S-1-5-21-3948417850-3809322032-3656077518-1007\software\microsoft\windows\currentversion\internet settings\ || Proxyoverride

this key was successfully removed then i restarted and scanned again this is the only key that remained the virtumonde is gone.

0
 
LVL 27

Accepted Solution

by:
David-Howard earned 500 total points
ID: 24338852
You might try exporting your Registry to external media and then deleting that key. At least the Proxyoverride portion.
http://www.ehow.com/how_11828_export-windows-registry.html
0
 

Author Closing Comment

by:smartsystemsinc
ID: 31579538
thank you so much loading the hive in a good computer worked brilliantly.
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Info tools for social network surveillance 12 122
Local Drive Access Denied 5 102
turbotax on windows 10 88
ScanGuard 4 135
Some site administrators might be considering how to filter incoming traffic to a site by identifying the domains or networks of the traffic source, in the same way that a spam filter does on an email server, such as blocking all emails sent from th…
These are on the increase and getting more common these days. Users who use the Google search engine may complain of having their search redirected to unwanted sites, regardless of what browser is used. This happens when the system is infected with…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question