Infection Checks on 2008-09-10

I ran further checks on September 10, 2008 on a system that I found infected with Virantix and other malware on September 9 (see Infection by Virantix - braviax.exe).

I scanned the system with Symantec AntiVirus Corporate Edition 8.1. It reported it found files associated with Trojan.Pandex and Backdoor.Trojan, which it quarantined (see SAV Detected - 091008).

I ran a full scan of the system with Microsoft's Windows Defender at 1:48 PM using definition version 1.43.128.0 created on 9/5/2008 at 12:53 PM. It reported "No unwanted or harmful software detected. Your computer is running normally."

Since Spybot reported, when I scanned the system on Wednesday, September 9, 2008, that the system was infected with Virtumonde, I decided to scan the system with VundoFix, a freeware removal tool for many of the known variants of Trojan.Vundo, Trojan.Conhook and other similar infections.

To locate the VundoFix website, I performed a Google search. Google returned a lot of hits. I clicked on the link at the top of the list, which appeared to be for the developer's website at http://vundofix.atribune.org/. Instead, I was taken to http://67.29.139.253/jump2/?affiliate=ss22&subid=8624_61&terms=vundofix. I backed up and tried again. The second time I was taken to the correct URL. I tried the second link in the list. Again I was taken to a webpage other than the one to which the Google link pointed. I then tried the third link, which was to http://www.majorgeeks.com/download4954.html. I saw http://www.google.com/search?hl=en&q=vundofix&aq=f&oq= in the address bar for the webpage to which I was taken, but when I checked the properties of the webpage, I saw it was http://www.toseeka.com/search.php?q=vundofix, so, obviously, something was causing a redirection of webpages. The redirection only seemed to occur the first time I tried accessing a link.

I downloaded and installed VundoFix V7.0.6 and scanned the system with it. It reported that no infected files were found.

Since something appeared to be redirecting connectivity to links I found with Google to other webpages, I opened Spybot Search & Destroy 1.6.0 on the system and switched to advanced mode. Then, under Tools, I checked the Browser Helper Objects (BHOs) installed on the system for Internet Explorer. The only one I saw was one for Spybot itself, Spybot-S&D IE Protection. I then checked for ActiveX applications and saw one noted with a white "x" in a red circle, indicating Spybot considered it problematical. That one was associated with cpbrkpie.ocx (see Spybot ActiveX - cpbrkpie.ocx).

But when I searched the system for cpbrkpie.ocx, the only result returned was for C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CouponBar.zip, which was created when Spybot removed CouponBar malware from the system yesterday, Wednesday, September 9. So it wasn't likely the source of the webpage redirection. I had Spybot remove the entry for that ActiveX control, even though it no longer appeared to be active on the system.
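The BHO and ActiveX lists that Spybot shows under Tools come from the registry, so the same check can be done without Spybot. The script below is an added example, not code from the original post or from Spybot: it enumerates Internet Explorer's Browser Helper Objects and the ActiveX packages recorded in the Code Store Database, resolves each CLSID to its COM server DLL, and flags entries whose file is no longer on disk, which is exactly the situation seen with cpbrkpie.ocx (a registry entry left behind after the file itself was removed). It assumes the standard registry locations for these lists (HKLM\...\Explorer\Browser Helper Objects, HKLM\SOFTWARE\Classes\CLSID\{clsid}\InProcServer32, and HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units with its DownloadInformation\CODEBASE value and Contains\Files value names); the function names and output columns are this script's own.

```powershell
# Added example (not from the original post): list IE BHOs and downloaded
# ActiveX packages from the registry and flag entries whose DLL/OCX is missing.

function Resolve-ClsidServer {
    # Returns the name and InProcServer32 path registered for a CLSID, or $null.
    param([string]$Clsid)
    $clsKey = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid"
    $name = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
    $dll  = (Get-ItemProperty -Path "$clsKey\InProcServer32" -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ Name = $name; Path = $dll }
}

function Test-FileOnDisk {
    # Registry paths may contain environment variables and surrounding quotes.
    param([string]$Path)
    if (-not $Path) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    return (Test-Path -LiteralPath $expanded)
}

function Get-IEBrowserHelperObjects {
    # The 64-bit path is only present on x64 Windows; on XP 32-bit it is skipped.
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid  = $sub.PSChildName
            $server = Resolve-ClsidServer -Clsid $clsid
            [pscustomobject]@{
                Type     = 'BHO'
                CLSID    = $clsid
                Name     = $server.Name
                Path     = $server.Path
                Source   = ''
                OnDisk   = Test-FileOnDisk -Path $server.Path
            }
        }
    }
}

function Get-IEDownloadedActiveX {
    # Each Distribution Unit records where the package came from (CODEBASE) and
    # the files it installed (value names under Contains\Files).
    $duKey = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
    if (-not (Test-Path $duKey)) { return }
    foreach ($sub in Get-ChildItem -Path $duKey) {
        $clsid    = $sub.PSChildName
        $server   = Resolve-ClsidServer -Clsid $clsid
        $codebase = (Get-ItemProperty -Path "$duKey\$clsid\DownloadInformation" -ErrorAction SilentlyContinue).CODEBASE
        $filesKey = "$duKey\$clsid\Contains\Files"
        $files = @()
        if (Test-Path $filesKey) { $files = (Get-Item -Path $filesKey).GetValueNames() }
        $path = if ($server.Path) { $server.Path } elseif ($files.Count -gt 0) { $files[0] } else { $null }
        [pscustomobject]@{
            Type     = 'ActiveX'
            CLSID    = $clsid
            Name     = $server.Name
            Path     = $path
            Source   = $codebase
            OnDisk   = Test-FileOnDisk -Path $path
        }
    }
}

# Print everything, then call out entries whose file is gone (orphaned registry
# entries) or that point at a file outside the Windows directory, which deserve a look.
$entries = @(Get-IEBrowserHelperObjects) + @(Get-IEDownloadedActiveX)
$entries | Format-Table -AutoSize Type, Name, OnDisk, Path, Source

$windir = [Environment]::GetFolderPath('Windows')
$suspect = $entries | Where-Object {
    -not $_.OnDisk -or ($_.Path -and -not $_.Path.Trim('"').StartsWith($windir, 'OrdinalIgnoreCase'))
}
if ($suspect) {
    "`nEntries to review (missing file or non-system location):"
    $suspect | Format-Table -AutoSize Type, CLSID, Name, OnDisk, Path
}
```

Run it from an elevated PowerShell prompt. An entry with OnDisk = False, like the leftover cpbrkpie.ocx registration, cannot be what is redirecting the browser, since there is no code to load; an entry that is on disk but outside the Windows directory, or whose Source is a URL you do not recognize, is the one to investigate next.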

I next downloaded BlackLight from F-Secure, which is a rootkit detector, and checked the system with it. It reported "no hidden items found." Note: other free rootkit detectors are listed at Rootkit Detection and Removal.