I ran further checks on September 10, 2008 on a system that I found infected with Virantix and other malware on September 9 (see Infection by Virantix - braviax.exe).
I scanned the system with Symantec AntiVirus Corporate Edition 8.1. It reported it found files associated with Trojan.Pandex and Backdoor.Trojan, which it quarantined (see SAV Detected - 091008).
I ran a full scan of the system with Microsoft's Windows Defender at 1:48 PM using definition version 1.43.128.0 created on 9/5/2008 at 12:53 PM. It reported "No unwanted or harmful software detected. Your computer is running normally."
Since Spybot reported, when I scanned the system on Wednesday, September 9, 2008, that the system was infected with Virtumonde, I decided to scan the system with VundoFix, a freeware removal tool for many of the known variants of Trojan.Vundo, Trojan.Conhook and other similar infections.
To locate the VundoFix website, I performed a Google search. Google returned a lot of hits. I clicked on the link at the top of the list, which appeared to be for the developer's website at http://vundofix.atribune.org/. Instead, I was taken to http://67.29.139.253/jump2/?affiliate=ss22&subid=8624_61&terms=vundofix. I backed up and tried again. The second time I was taken to the correct URL. I tried the second link in the list. Again I was taken to a webpage other than the one to which the Google link pointed. I then tried the third link, which was to http://www.majorgeeks.com/download4954.html. I saw http://www.google.com/search?hl=en&q=vundofix&aq=f&oq= in the address bar for the webpage to which I was taken, but when I checked the properties of the webpage, I saw it was http://www.toseeka.com/search.php?q=vundofix, so, obviously, something was causing a redirection of webpages. The redirection only seemed to occur the first time I tried accessing a link.
I downloaded and installed VundoFix V7.0.6 and scanned the system with it. It reported that no infected files were found.
Since something appeared to be redirecting connectivity to links I found with Google to other webpages, I opened Spybot Search & Destroy 1.6.0 on the system and switched to advanced mode. Then, under Tools, I checked the Browser Helper Objects (BHOs) installed on the system for Internet Explorer. The only one I saw was one for Spybot itself, Spybot-S&D IE Protection. I then checked for ActiveX applications. I saw one noted with a white "x" in a red circle, indicating Spybot considered it problematical. That one was associated with cpbrkpie.ocx (See Spybot ActiveX - cpbrkpie.ocx). But when I searched the system for cpbrkpie.ocx, the only result returned was for C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CouponBar.zip, which was created when Spybot removed CouponBar malware from the system yesterday, Wednesday, September 9. So it wasn't likely the source of the webpage redirection. I had Spybot remove the entry for that ActiveX control, even though it no longer appeared to be active on the system.
I next downloaded BlackLight from F-Secure, which is a rootkit detector, and checked the system with it. It reported "no hidden items found." Note: other free rootkit detectors are listed at Rootkit Detection and Removal.