Vundo Trojan, Virtumudo, Zlob Trojan Help!


22 replies to this topic

#1 Ostranza


Posted 05 November 2007 - 12:06 AM

Ok I've stumbled upon this site repeatedly searching for numerous solutions to my situation(s) and it seems like quite a few people know what they're talking about. I've spent about 15 hrs or more on trying to fix my comp starting with search terms like "spyware.cyberlog-x" "smitfraud" "networm-i" "IE popups while using firefox" "vundo" and "zlob"... after the initial attempts I've managed to stop the IE popups and used FileAssassin to remove the core.cache.dsk (spelling?) and I'm grateful but I'm finally down to the "zlob" and "vundo" terms where they will come up on spyhunter and others every time I run these apps and delete them. HOW DO I RID THEM ONCE AND FOR ALL!?!? I consider myself a fairly good technical person but not to the point of knowing much how to interpret HijackThis logs unfortunately, so here it is...

Attached Files


Edited by Ostranza, 05 November 2007 - 12:08 AM.



#2 MoNsTeReNeRgY22


Posted 06 November 2007 - 01:07 AM

Hello and Welcome to Bleeping Computer.

I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.

Please give me some time to analyze your log, and I will post back with instructions ASAP.




#3 Ostranza


Posted 06 November 2007 - 09:04 PM

THANK YOU!!

fyi, I removed Norton IS2007 in the middle of all this since it kept failing liveupdate and etc. , I think I'll wait till I get a clean bill of health before I reinstall unless otherwise told.

Also, forget what I said about fixing the IE popups... they're back with a vengeance :/

Many thanks again!



(posting from my laptop which is not infected too I hope since they share a wireless connection, seems fine though..)

#4 MoNsTeReNeRgY22


Posted 06 November 2007 - 09:30 PM

Hey Ostranza,

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.




#5 Ostranza


Posted 06 November 2007 - 11:18 PM

Ok here it is, I ran combofix a second time since it seemed that Spybot's Resident (detects changes in files?) was interfering a lot....maybe like it should but thought it might be blocking good stuff.....the latest one should be titled "combofix" without the "2"



Thanks again for your help!

Attached Files


Edited by Ostranza, 06 November 2007 - 11:36 PM.


#6 MoNsTeReNeRgY22


Posted 07 November 2007 - 01:24 AM

Hello again,

Step 1
I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can re-enable TeaTimer once your system is clean.

Step 2
Please download the Norton Removal Tool from HERE and Save it to your Desktop
  • Close all programs and double click the Norton_Removal_Tool.exe
  • Follow the on-screen instructions
  • Restart the computer if asked
  • Then delete Norton_Removal_Tool.exe from your desktop
  • Now open the Program Files folder on your local disk (normally C:)
  • Find and delete the following folders (if present):
      • Norton AntiVirus
      • Norton Internet Security
      • Norton SystemWorks
      • Norton Personal Firewall
Step 3
Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {5853A9AB-434B-4EE4-B1FA-1868B2376DB8} - (no file)
O2 - BHO: (no name) - {6763B20D-9B59-4827-AE7F-7DB44BD73A3A} - (no file)
O2 - BHO: (no name) - {6BAE7479-A4CB-46B4-952A-BF54F6626D13} - C:\Program Files\Common Files\meroz4444.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\kwqxjmxv.dll
O2 - BHO: (no name) - {B9AB1B87-747E-4D62-AD88-1914AC0AE658} - (no file)
O2 - BHO: (no name) - {D28C0A38-8D37-45D3-BC2C-CDC9147FEB52} - (no file)
O2 - BHO: (no name) - {E82E2815-1E1F-4F69-B55B-C8BEC983F338} - (no file)
O2 - BHO: (no name) - {F8303497-8163-4CA7-9D81-A2BDACF1F9E5} - C:\Program Files\Common Files\meroz83122.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\kwqxjmxv.dll
O4 - HKLM\..\Run: [302F3834383A383D3] D5D4DDD9DDDFDDE.exe
O20 - Winlogon Notify: kwqxjmxv - C:\WINDOWS\SYSTEM32\kwqxjmxv.dll
O20 - Winlogon Notify: nnnllmm - C:\WINDOWS\


Now close all windows other than Hijackthis, then click Fix Checked. Close HijackThis.

Step 4
Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\ddblmkpx.exe
C:\WINDOWS\system32\qagabxqv.dll
C:\WINDOWS\system32\uxmmcjbb.dll
C:\WINDOWS\system32\kwqxjmxv.dll
C:\WINDOWS\system32\fwwfnwwt.dll
C:\WINDOWS\system32\gebxwtq.dll
C:\WINDOWS\system32\awtttuu.dll
C:\WINDOWS\system32\urqnolm.dll
C:\WINDOWS\system32\ktghtskg.dll
C:\WINDOWS\system32\D5D4DDD9DDDFDDE.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\system32\mljjige.dll
C:\WINDOWS\mrofinu77.exe
C:\WINDOWS\bwUnin-7.2.0.137-8876480SL.exe
C:\Program Files\Common Files\meroz83122.dll

DirLook::
C:\8b478a24e75fc3de8c7359f4
C:\WINDOWS\system32\Mz02r
C:\WINDOWS\system32\Mz08r
C:\WINDOWS\system32\E8E7F0ECF0F2F0F
C:\WINDOWS\system32\dirdvr8

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
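The fix list in Step 3 is a good illustration of how a helper reads a HijackThis log: orphaned BHO entries whose file is already gone, one DLL (kwqxjmxv.dll) named by a BHO, a toolbar and a Winlogon Notify entry at once, and Run values whose names are hex strings. The following is an added example, not HijackThis, ComboFix or the helper's own code, that parses the O2/O3/O4/O20 lines quoted above and applies those three heuristics; the heuristics, thresholds and output format are this example's own assumptions.

```python
"""Added example for this thread, not HijackThis/ComboFix code: triage of
HijackThis-style O2/O3/O4/O20 lines with three defender-side heuristics the fix
list above illustrates: a load point whose file is gone, one DLL in several
load points (BHO + toolbar + Winlogon Notify), and a hex-looking Run value."""
import re
from collections import defaultdict

# Sample input constructed from entries quoted in the thread above.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {5853A9AB-434B-4EE4-B1FA-1868B2376DB8} - (no file)
O2 - BHO: (no name) - {6BAE7479-A4CB-46B4-952A-BF54F6626D13} - C:\Program Files\Common Files\meroz4444.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\kwqxjmxv.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\kwqxjmxv.dll
O4 - HKLM\..\Run: [302F3834383A383D3] D5D4DDD9DDDFDDE.exe
O4 - HKLM\..\Run: [50954072] rundll32.exe "C:\WINDOWS\system32\tmgumdip.dll",b
O20 - Winlogon Notify: kwqxjmxv - C:\WINDOWS\SYSTEM32\kwqxjmxv.dll
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"^HKLM\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:dll|exe))', re.IGNORECASE)
HEXISH_RE = re.compile(r"^[0-9A-F]{8,}$", re.IGNORECASE)  # assumed threshold

def parse(log_text):
    """One record per O-line: section, raw text, lower-cased module path, orphan flag."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        section, rest = m.groups()
        pm = PATH_RE.search(rest)
        entries.append({"section": section, "raw": raw,
                        "path": pm.group(1).lower() if pm else None,
                        "orphan": rest.endswith(("(no file)", "(file missing)"))})
    return entries

def triage(entries):
    """Return (section, reason, evidence) tuples for entries that deserve a look."""
    findings = []
    by_path = defaultdict(set)  # module path -> load points that reference it
    for e in entries:
        if e["orphan"]:
            findings.append((e["section"], "load point refers to a file that is gone", e["raw"]))
        if e["path"]:
            by_path[e["path"]].add(e["section"])
        rm = RUN_RE.match(e["raw"][5:]) if e["section"] == "O4" else None  # strip "O4 - "
        if rm:
            exe = rm.group("cmd").split()[0]
            stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if HEXISH_RE.match(rm.group("name")) or HEXISH_RE.match(stem):
                findings.append(("O4", "Run value with hex-looking name or binary", e["raw"]))
    # Same module behind several load points: the kwqxjmxv.dll pattern above.
    for path, sections in by_path.items():
        if len(sections) >= 2:
            findings.append(("multi", f"module in {len(sections)} load points: "
                             + ", ".join(sorted(sections)), path))
    return findings

if __name__ == "__main__":
    for section, reason, evidence in triage(parse(SAMPLE_LOG)):
        print(f"[{section}] {reason}\n    {evidence}")
```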




#7 Ostranza


Posted 07 November 2007 - 11:48 PM

Attached are the files.

Kinda weird, I just downloaded that Norton Removal kit a few days ago...apparently it didn't get it all or maybe my system restore point nullified it?

Attached Files



#8 Ostranza


Posted 08 November 2007 - 01:09 AM

Also, I should mention this because I don't know what it means. Every time the computer starts I get: Error loading C:\WINDOWS\system32\tmgumdip.dll

#9 MoNsTeReNeRgY22


Posted 08 November 2007 - 08:50 AM

Hello again,

Step 1
Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\kwqxjmxv.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\kwqxjmxv.dll
O4 - HKLM\..\Run: [50954072] rundll32.exe "C:\WINDOWS\system32\tmgumdip.dll",b
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
O20 - Winlogon Notify: kwqxjmxv - C:\WINDOWS\SYSTEM32\kwqxjmxv.dll


Now close all windows other than Hijackthis, then click Fix Checked. Close HijackThis.

Step 2
Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\dirdvr8
    C:\WINDOWS\system32\E8E7F0ECF0F2F0F
    C:\WINDOWS\system32\Mz02r
    C:\WINDOWS\system32\Mz08r
    C:\WINDOWS\SYSTEM32\kwqxjmxv.dll
    C:\WINDOWS\winshow.exe
    C:\WINDOWS\system32\tmgumdip.dll


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Click "Exit" to close OTMoveIt.

Step 3
Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Step 4
Let's run an F-Secure online scan for Viruses, Spyware and RootKits:
  • Go to http://support.f-secure.com/enu/home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take several hours, so please be patient




#10 Ostranza


Posted 08 November 2007 - 02:30 PM

Ran HijackThis and removed items you listed but didn't find the first two lines and the line with "winshow" in it.

Here are the results from OT:
C:\WINDOWS\system32\dirdvr8 moved successfully.
Folder move failed. C:\WINDOWS\system32\E8E7F0ECF0F2F0F\CBCAD3CFD3D5D3D scheduled to be moved on reboot.
C:\WINDOWS\system32\E8E7F0ECF0F2F0F moved successfully.
C:\WINDOWS\system32\Mz02r moved successfully.
C:\WINDOWS\system32\Mz08r moved successfully.
File/Folder C:\WINDOWS\SYSTEM32\kwqxjmxv.dll not found.
File/Folder C:\WINDOWS\winshow.exe not found.
File/Folder C:\WINDOWS\system32\tmgumdip.dll not found.

Created on 11/08/2007 11:07:17

VundoFix came up clean, no finds!!

F-Secure Online Scan below:

Scanning Report
Thursday, November 08, 2007 11:29:39 - 12:22:47

Computer name: OSTRANZA
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
Result: 5 malware found
HTML/IFrame (virus)

* C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\RTEMEHDOWU.HTML (Renamed & Submitted)

Tracking Cookie (spyware)

* System (Disinfected)
* System
* System

Trojan-Downloader.Win32.VB.bqc (virus)

* C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\MZ02R\MZ02R1065.EXE (Renamed & Submitted)

Statistics
Scanned:

* Files: 29109
* System: 3954
* Not scanned: 4

Actions:

* Disinfected: 1
* Renamed: 2
* Deleted: 0
* None: 2
* Submitted: 2

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{66D0FA51-7176-4D5C-A619-095EAE530990}.BIN

Options
Scanning engines:

* F-Secure Libra: 2.4.2, 2007-11-06
* F-Secure AVP: 7.0.171, 2007-11-08
* F-Secure Orion: 1.2.37, 2007-11-08
* F-Secure Blacklight: 1.0.64
* F-Secure Draco: 1.0.35, 0597-150-72
* F-Secure Pegasus: 1.19.0, 2007-10-05

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
* Use Advanced heuristics


HijackThis Log attached!!

I've noticed sooooooo much improvement!!!! This is awesome! :thumbsup:

Attached Files



#11 MoNsTeReNeRgY22


Posted 10 November 2007 - 02:34 PM

Hello,

Nice job, your log looks clean!
How is it running?
Please use the following suggestion to help prevent reinfection.

You may now reinstall Norton. Please make sure to do this due to the fact that in today's world, not having an Anti-Virus is like suicide for your PC.

Please double-click OTMoveIt.exe to run it.
  • Click the CleanUp! button
  • Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
  • Click NO to the reboot, and just delete the OTMoveIt program from your desktop
You may remove all the tools that we had you download for the analysis and cleaning process. They are no longer needed.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 3...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.) Now we need to make a new System Restore Point for your PC, please do the following:
  • Click Start, Settings, Control Panel
  • Double-click the System icon
  • Click the Performance tab, File System, Troubleshooting tab
  • Check "Turn off System Restore" and click "Apply". Please give a moment as it will delete the old System Restore points
  • Then uncheck "Turn off System Restore" which will create a new System Restore point
  • Click OK
I highly recommend downloading the following programs, to keep malware off your computer to begin with.
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

SUPERAntiSpyware - A very powerful tool which searches and kills malware that infects your system.

SpywareBlaster - Great prevention tool to keep malware from installing on your system.
**Tutorial on installing & using this product can be found HERE**

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
**Tutorial on installing & using this product can be found HERE**

IE-SpyAd - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
**Tutorial on installing & using this product can be found HERE**

ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out malware that likes to reside in the temp folders.

Antivirus Program - An Antivirus program is a must in today's digital world! I recommend avast! 4 Home Edition, AVG, or Anti-Vir.
DO NOT install more than one Antivirus program. They will conflict, and provide less protection, not more.

Firewall - A firewall is definitely a must have to protect your computer from hackers. I recommend Comodo, Zone Alarm, or Outpost.
**Tutorial on Firewalls can be found HERE**

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

You must stay on top of your updates at all times, for the above mentioned applications.

It is vitally important to stay on top of your critical updates provided by Microsoft.

And finally, a little reading: How did I get infected in the first place? (by Tony Klein)

Good luck and safe surfing :thumbsup:




#12 Ostranza


Posted 22 November 2007 - 12:20 AM

Thank you sooooo much for all your help. I appear to be out of the woods and everything is gravy! :thumbsup:

Thanks again and hope you got my donation!

-Ostranza

#13 MoNsTeReNeRgY22


Posted 24 November 2007 - 09:40 PM

Hello and thanks,

Just to be sure I got your donation, what is the name that would show up on the PayPal so I can verify it went through?




#14 illukka


Posted 04 December 2007 - 08:43 AM

As the problem here seems to be resolved, this topic is now closed.
To get it reopened, PM a staff member with the address of this thread.
This applies to the topic starter only; everyone else with similar problems, start a new topic.

glad we could help :blink:

thank you MoNsTeReNeRgY22 :thumbsup:

#15 Ostranza


Posted 07 December 2007 - 12:44 PM

Here is latest HJT log, thanks for looking over it again!

Attached Files





