
Leftover Virtumonde trash

Discussion in 'Virus & Other Malware Removal' started by texmedic49, Sep 20, 2010.

Thread Status:
Not open for further replies.
  1. texmedic49

    texmedic49 Thread Starter

    Joined:
    Sep 20, 2010
    Messages:
    55
    So much for that idea; it tells me it can't find the file.
     
  2. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    OK

    try the other locations:

    C:\windows\Servicepackfiles\i386\explorer.exe
    c:\windows\system32\dllcache\explorer.exe
     
  3. texmedic49

    texmedic49 Thread Starter

    Joined:
    Sep 20, 2010
    Messages:
    55
    While I was waiting on you, I popped in my Knoppix CD. Interestingly enough, explorer.exe was right where it should have been. I copied the version from the service pack location, renaming the old file first. I have rebooted, and still have the same issue. I am starting in safe mode now...we'll see what happens.
     
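One practitioner check that fits the two posts above (CatByte's list of cached explorer.exe locations, and the poster's own copy from the service pack folder made from a Knoppix boot) is to hash every explorer.exe on the mounted XP volume and see whether the live copy in the Windows directory matches either cached copy. This is an added example written for this page, not a script from the thread or from noahdfear's site; it assumes the XP volume is mounted read-only at the path given as the first argument (for instance /mnt/sda1 under Knoppix or xPUD) and that coreutils sha256sum is available on the live CD. A live copy whose hash matches neither cache is either a different patch level or a replaced binary and is the file to submit to a scanner.

```shell
#!/bin/sh
# Added example (not code from the thread). Compare the live explorer.exe on
# a mounted Windows XP volume against the cached copies in
# WINDOWS\ServicePackFiles\i386 and WINDOWS\system32\dllcache.
# Assumptions: $1 is the volume's mount point (e.g. /mnt/sda1) and
# sha256sum from coreutils is on the PATH.

# explorer_copies ROOT: print every explorer.exe beneath ROOT, one per line.
# NTFS mounted on Linux is case sensitive, so match the name case-insensitively.
explorer_copies() {
    find "$1" -maxdepth 5 -type f -iname explorer.exe 2>/dev/null
}

# explorer_hashes ROOT: print "<sha256>  <path>" for each copy found.
explorer_hashes() {
    explorer_copies "$1" | while IFS= read -r f; do
        sha256sum "$f"
    done
}

# distinct_hash_count ROOT: number of distinct hashes among all copies.
# 1 means live and cached copies are byte-identical; more means they differ.
distinct_hash_count() {
    explorer_hashes "$1" | cut -d' ' -f1 | sort -u | wc -l | tr -d ' '
}

# live_explorer ROOT: path of the live copy, i.e. the one directly inside the
# Windows directory (ROOT/<Windows>/explorer.exe), or nothing if absent.
live_explorer() {
    find "$1" -mindepth 2 -maxdepth 2 -type f -iname explorer.exe 2>/dev/null | head -n 1
}

# live_matches_cache ROOT: exit 0 if the live copy's hash equals the hash of
# at least one other (cached) copy, 1 if it matches none or there is no live copy.
live_matches_cache() {
    live="$(live_explorer "$1")"
    [ -n "$live" ] || return 1
    live_hash="$(sha256sum "$live" | cut -d' ' -f1)"
    explorer_copies "$1" | grep -v -x -F "$live" | while IFS= read -r f; do
        sha256sum "$f" | cut -d' ' -f1
    done | grep -q -x -F "$live_hash"
}

# Stand-alone usage: sh explorer_check.sh /mnt/sda1
if [ $# -gt 0 ]; then
    explorer_hashes "$1"
    if live_matches_cache "$1"; then
        echo "live explorer.exe matches a cached copy"
    else
        echo "live explorer.exe matches NO cached copy: submit it for scanning"
    fi
fi
```

Run it as `sh explorer_check.sh /mnt/sda1` from the live CD's terminal; the hash listing shows which copies agree, and the final line tells you whether the file in WINDOWS is the same bytes as one of the caches. A match does not prove the file is clean (all three could have been replaced), but a mismatch after you have just copied the service pack version in, as the poster did, is a sign the copy did not land where expected.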
  4. texmedic49

    texmedic49 Thread Starter

    Joined:
    Sep 20, 2010
    Messages:
    55
    Here is something interesting. I decided to see what WOULD run from the task manager prompt. I got clean manager to come up...it lists 0 bytes of free space on c: like it isn't even seeing the disk. BTW, I think explorer is TRYING to start, I can see it in the process list for a split second, and then it disappears. I also tried to bring up system restore again, and the process IS running, but with no interface.
     
  5. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Interesting:

    let's have a look as to what is going on

    Do you have access to be able to burn a CD and do you have a USB?

    Please do the following:

    Download GETxPUD.exe to the desktop of your clean computer
    • Run GETxPUD.exe
    • A new folder will appear on the desktop.
    • Open the GETxPUD folder and click on the get&burn.bat
    • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
    • Click on Start and follow the prompts to burn the image to a CD.

    • Next download driver.sh to your USB drive
    • next download the following files and save them to the USB as well:

      http://noahdfear.net/downloads/java.opt
      http://noahdfear.net/downloads/kavscan.sh

    Now there are a couple of things I would like you to do in xPUD

    • Remove the USB and insert it in the sick computer before you boot with the CD
    • Boot the Sick computer with the CD you just burned
    • The computer must be set to boot from the CD
    • Follow the prompts
    • A Welcome to xPUD screen will appear
    • Click on File
    • Expand mnt
    • sda1 or sda2...will usually correspond to your HDD
    • sdb1 is likely your USB
    • Expand your USB (sdb1)
    • Confirm that you see driver.sh that you downloaded there
    • Press Tool at the top
    • Choose Open Terminal
    • Type bash driver.sh
    • Press Enter
    • If successful, the script will check all your drivers
    • After it has finished a report will be located in the USB drive as report.txt


    Once that is done,

    please do the following:


    Navigate to the mnt>sdb1 folder, click Tool>Open Terminal and type bash kavscan.sh & exit then hit Enter

    The Terminal will close and the Firefox browser will open shortly in full screen mode

    When Firefox opens, it should be at the Kaspersky online scanner page
    *If you get a script error, click Continue on the error

    Accept the agreement to start downloading the database definitions

    When you get a security warning about the application's digital signature, check the 'Always trust content from this publisher' box then click Run

    *You may then get another message stating 'Launch of the Java Application is interrupted! Please establish an uninterrupted internet connection for work with this program' - click OK

    The program will then begin downloading and installing and will also update the database - please be patient as this can take a considerable amount of time

    Once the update is complete, click on Folder in the Scan section
    In the Browse for folder dialog that opens, navigate to eg; /mnt/sda1 (or /mnt/sda2 if sda2 is your HD) to scan the entire drive,

    Check the box 'Include subfolders' then click Scan

    Once the scan is complete, it will display if your system has been infected

    Click the View report link

    Click the Save Report ... button

    Navigate to the mnt/sdb1 (your usb device) folder in the Save dialog then save the report as:

    Filename: kavscan.txt
    Files of Type: Text file (.txt)

    To close the browser, click File>Close Window or press F11 to exit full screen mode, then use the close button in the title bar.

    Attach both the report.txt and the kavscan.txt for my review
     
  6. texmedic49

    texmedic49 Thread Starter

    Joined:
    Sep 20, 2010
    Messages:
    55
    Stand by, making some adjustments...I'm running linux on my laptop, so that isn't going to work...
     
  7. texmedic49

    texmedic49 Thread Starter

    Joined:
    Sep 20, 2010
    Messages:
    55
  8. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    I have to leave for work now - I'll be back later tonight
     
  9. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    the links I gave you have compilations to assist with burning the CD and getting the files we need for diagnosis
     
  10. texmedic49

    texmedic49 Thread Starter

    Joined:
    Sep 20, 2010
    Messages:
    55
    Gotcha. Thanks again!
     
  11. texmedic49

    texmedic49 Thread Starter

    Joined:
    Sep 20, 2010
    Messages:
    55
    I made it all the way to the on-line scan part, it won't run because Java isn't installed. I will try to figure out how to install Java this afternoon and see what happens.
     
  12. noahdfear

    noahdfear Malware Specialist

    Joined:
    Nov 20, 2003
    Messages:
    144
    Open a Terminal window while viewing the sdb1 folder and type opt-get java.opt then hit Enter.
    Java should now be installed.
    Type bash kavscan.sh & exit to restart the browser.
     
  13. texmedic49

    texmedic49 Thread Starter

    Joined:
    Sep 20, 2010
    Messages:
    55
    That did it, thanks. What was I telling it to do with the opt-get command?
     
  14. noahdfear

    noahdfear Malware Specialist

    Joined:
    Nov 20, 2003
    Messages:
    144
    That was telling it to unpack/install the package. Normally it is automatically recognized and unpacked/installed when xPUD mounts the usb filesystem, so one can go straight to running the kavscan script. I have not yet figured out why it sometimes fails to automatically mount the package. :confused:
     
  15. texmedic49

    texmedic49 Thread Starter

    Joined:
    Sep 20, 2010
    Messages:
    55
    Forgive my linux shell ignorance, long time windoze user, just recently started to get away from it. This just might push me over the edge to run linux exclusively. I guess it is just like anything else "new", you just have to get used to it and learn how to run it. Thanks for the explanation.

    As an aside to the problem at hand, do you guys know if I can install Ubuntu (or something similar) on a drive that has data, without erasing it? If I can get XP up and running, I might think about doing that with this machine. I guess a dual boot?

    I also wanted to add: The scanner is running, it will probably take a ridiculously long time to run judging by the progress in 15 minutes.
     

Short URL to this thread: https://techguy.org/951189
