[Resolved] Another Virtumonde victim who needs help

**Geri** · 4th September 2008

Hi
OK If you still have problems with Kaspersky then we'll try Panda.

Please go HERE to run Panda's ActiveScan

Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Thanks
Geri

**Nokanda** · 4th September 2008

thanks Geri. Kaspersky's still working and it's into its first hour so I'll let it go and see what happens. If it crashes again then I'll try Panda.

**Nokanda** · 4th September 2008

ok, scan's done. Here's the log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, September 4, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, September 04, 2008 17:14:34
Records in database: 1191804
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
J:\

Scan statistics:
Files scanned: 78466
Threat name: 9
Infected objects: 24
Suspicious objects: 0
Duration of the scan: 04:30:10

File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05080000.VBN Infected: Trojan.Win32.Patched.af 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05080001.VBN Infected: Trojan.Win32.Patched.af 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05080002.VBN Infected: Trojan.Win32.Patched.af 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06D80000.VBN Infected: not-a-virus:AdWare.Win32.BHO.fd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07D40000.VBN Infected: not-a-virus:AdWare.Win32.BHO.fd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08080000.VBN Infected: not-a-virus:AdWare.Win32.BHO.fd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08080001.VBN Infected: not-a-virus:AdWare.Win32.BHO.fb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08140000.VBN Infected: not-virus:Hoax.Win32.Agent.s 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08880000.VBN Infected: Trojan-Downloader.Win32.Agent.bls 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08880002.VBN Infected: Trojan-Downloader.Win32.PurityScan.eg 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\088C0000.VBN Infected: Trojan-Downloader.Win32.IstBar.gen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\088C0001.VBN Infected: Trojan-Downloader.Win32.IstBar.gen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\088C0002.VBN Infected: Trojan-Downloader.Win32.IstBar.gen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F200000.VBN Infected: Trojan.Win32.Patched.af 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F200001.VBN Infected: Trojan.Win32.Patched.af 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F200002.VBN Infected: Trojan.Win32.Patched.af 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F200003.VBN Infected: Trojan.Win32.Patched.af 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F240000.VBN Infected: Trojan.Win32.Patched.af 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F240002.VBN Infected: Trojan.Win32.Patched.af 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F240003.VBN Infected: Trojan.Win32.Patched.af 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F240004.VBN Infected: Trojan.Win32.Patched.af 1
G:\System Volume Information\_restore{43F793CE-AC1B-48E8-B48E-6E188798D758}\RP226\A0039504.exe Infected: Trojan-Downloader.Win32.IstBar.gen 1
G:\System Volume Information\_restore{43F793CE-AC1B-48E8-B48E-6E188798D758}\RP226\A0039505.exe Infected: Backdoor.Win32.Bifrose.yjw 1
G:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.60 1

The selected area was scanned.

**Geri** · 5th September 2008

Hi
OK that looks good.

You need to empty your Nortons Quarantine folder

You should clean out the restore points on your G Drive.

You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed.
Turning off System Restore will clear out all previous restore points.

To turn off Windows XP System Restore:
NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
8. Restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows XP System Restore:
1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
5. Click Apply, and then click OK
6. Make a new restore point.
7. Click Start, All Programs, Accessories, System Tools, System Restore.
Choose Create a restore point and clicked Next, Under “Type a description for your restore point…”put a name in the box,. Click Create. In the next window click Close.

Let me know how that went and we should be able to mark this resolved.

Thanks
Geri

**Nokanda** · 5th September 2008

thanks Geri! the quarantine folder is empty and the restore point has been reset. I can finally wake up from this nightmare! do you think I should do one more scan before I defrag?

**Geri** · 5th September 2008

Hi
I don't think another scan is necessary.

Let me know when you are done and We'll close this off.

Geri

**Nokanda** · 5th September 2008

ok, I'm done then. Thanks so much for the help. You guys are the best!

**Geri** · 5th September 2008

You are welcome.

Please look at this link for some preventive recommendations, It could keep you from ending up back here to the Malware and Virus Removal Forums.
An ounce of prevention is worth a pound of cure

Surf Safely
Geri

**Nokanda** · 6th September 2008

That post was the first one I read when I found out you had helped, and were still helping, people with the same problem I was experiencing. Excellent advice and some good referrals. It's the reason why I put an end to Norton and got AVG. I'm working on a few of the others. I hope to never have to call on you for that kind of help again but I am going to tell my friends about this site - just in case.