Part 1 is here.
OK, so I did a little research, and found a few tools I thought my help me. I decided to tackle this one problem at a time. First, let’s get rid of that stupid desktop wallpaper. A quick trip to Display Properties then the Desktop tab, Customize Desktop and the Web tab to get rid of any extra entries there. Then I used this reg file from bleepingcomputer.com to fix the registry entries that were keeping me from changing the wallpaper. One restart later, and that was taken care of.
One problem down. One much more complicated problem left to tackle.
Ewido at least identified what I was dealing with. Something called Adware.Virtumonde. Since this sucker was running even in safe mode, I borrowed an NTFS boot disk from work, and had a couple of tools I found to help specifically and went to town. First I tried out Symantec’s removal tool. Unfortunately, this tool’s scan returned nothing. Couldn’t even find the infection. Not sure if the dll’s had been programmed to hide from Symantec’s tool, or if it was looking for a different version, but either way, this was useless.
The next tool to try was the VundoFix from atribune.org. This was the jackpot. It found the infected dll’s and even managed to kill running processes long enough to get rid of them. After letting it do it’s thing, and restarting, there were no alerts any longer.
At this point, I wanted to do a couple more things. I used the boot disk to make sure the dll’s that had been identified as infected were actually gone. They were. Then I started normally and ran a deep scan using AdAware. When it found nothing, and Process Explorer and Ewido showed no unusual processes, I had a good feeling that we were relatively safe, at least safe enough to run behind my Hawking firewall/router at home, so it was time to hookup to the Internet and start getting updates. Except I couldn’t connect to Windows Update. Seems the hosts file had a whole bunch of entries pointing to 127.0.0.1 including windows update, most A/V company sites, and links to anti-spyware downloads. Seems AVG updates weren’t on that list, and since I was loading programs from my thumb drive, I really hadn’t run into this until now. So I wiped out the hosts file and went back to getting my updates.
After I had all the updates, I grabbed a copy of Windows Defender as well, and ran a full scan with that. It found a couple of left-behind fragments, but nothing that was running currently. I did a quick install of a previous version of Zone Alarm to verify that nothing was trying to connect to the Internet, and then uninstalled it because I’ve been having so many problems with it on our work laptops.
The last thing I did was set-up this machine in a simple, yet relatively safe, configuration. I left AVG, Windows Defender and AdAware installed. I turned on the Windows firewall. I turned on Automatic Updates, and set AVG and Windows Defender to get updates automatically as well. I typed up a description of what I had done along with some recommendations for safe surfing, and I turned it back over to it’s owner Friday morning.
Monday, my wife was handed a nice thank you card and a batch of made-from-scratch, delicious, chocolate chip cookies to take home to me.
In Part 3, an epilogue if you will, I’ll go into detail on why I made some of the choices I did, and try to list some more useful links to help cleanup malware, so if you have any tools that you have been using, let me know so I can add them. Thanks!