Persistent Malware Infection--assistance Very Much Appreciated.



#1 venovel

Posted 13 November 2007 - 07:19 AM

For the past few days, my husband's computer has been showing incontrovertible evidence of persistent malware infection. I've googled several of the symptoms and it would appear to be a variant of Vundo/Virtumonde, apparently one of the most aggravatingly persistent malware monsters of all the malware monsters in the world . . . however, read on for more details.

- Upon almost every reboot, Norton Antivirus has come up with a warning box indicating that Adware.Ezula has been blocked as a potential threat. Tonight, Downloader.MisleadApp has also appeared as a blocked threat.

- Two desktop shortcuts, "Live Safety Center" and "Online Security Guide", both of which appear to direct to a "htepo.com" website, have been repeatedly deleted and return almost immediately.

- There have been pop-ups in the systray that mimic Windows alerts, warning of various virus infections and directing the user to click the "baloon" (yes, there are usually multiple typos) to obtain "protection" against these supposed infections.

- There have been pop-ups in the middle of the screen that mimic Windows system warning messages, also claiming to report bogus infections and instructing the user to click a Yes button to install supposed malware protection software.

- Internet Explorer pop-ups, also warning of supposed infections and directing the user to install some variety of protection software, have also been appearing tonight. Additionally, "Security Toolbar 7.1" has begun appearing in these pop-ups, and opening Internet Explorer shows that the browser has been hijacked to htepo.com. (My husband's usual browser is Mozilla Firefox; it does not appear to have been similarly hijacked or infiltrated.)

Scans with Spybot Search & Destroy have shown infections of Virtumonde and Virtumonde.rtk. Spybot reports success in cleaning these, but another scan always returns the same infections along with MicrosoftWindowsSecurityCenterDisabled. I have repeatedly run FixEzula.exe and FixVundo.exe from Symantec, and have only received messages that no infection was found.

Tonight, I finally remembered to turn off the Windows System Restore, then rebooted. I first ran FixVundo, which once again reported no infection. Ironically, the entire time the scan was running, the fake Windows errors and the pop-ups in systray and IE appeared repeatedly.

I ran a scan with Ad-Aware and removed tracking cookies, followed by a Spybot S&D scan which again returned Virtumonde, Virtumonde.rtk, and for the first time, Virtumonde.generic. Once again, Spybot was seemingly able to remove the infections, but the above-noted pop-ups continued to appear. I then ran a full system scan with Norton Antivirus. Just like the FixVundo result, NAV showed no problems found--while the three types of pop-up/fake errors noted continued to appear at intervals.

The computer was restarted again. While NAV has not reported Adware.Ezula, Downloader.MisleadApp, or any other previously noted "blocked threat", the aforementioned pop-ups/fake errors have continued to appear, and the two desktop shortcuts are back again.

Please help me to remove whatever garbage has invaded my husband's computer before I either take the system for professional repair, or heave the hard drive into a cement mixer so it can be permanently entombed. I am a technical support agent with roughly seven years' experience working with Windows; this infection's maddening persistence stings me on a professional level as well as digging right into my personal irritation button. :thumbsup:
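The symptoms above are all things that can be checked directly rather than inferred from pop-ups. The following is an added example, not part of the original thread and not from any of the tools mentioned in it: a read-only PowerShell triage that looks for the indicators venovel names (desktop shortcuts pointing at htepo.com, an Internet Explorer start/search page hijack, Security Center warnings switched off) and lists the Browser Helper Objects a HijackThis log would show as O2 entries, since Vundo loads into IE as a BHO DLL. It assumes Windows PowerShell 2.0 or later and that it is run as the affected user; the indicator strings are the ones quoted in the post and are only assumptions about what to look for.

```powershell
# Added example, not from the thread. Read-only: it reports, it does not remove.
function Invoke-HijackTriage {
    param(
        # Strings quoted in the post; extend with anything else you see on the box.
        [string[]]$Indicators = @('htepo.com', 'Live Safety Center',
                                  'Online Security Guide', 'Security Toolbar')
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $shell    = New-Object -ComObject WScript.Shell

    # 1. Desktop shortcuts (user's and All Users desktop): resolve where each
    #    .lnk/.url really points instead of trusting the friendly name.
    $desktops = @($shell.SpecialFolders.Item('Desktop'),
                  $shell.SpecialFolders.Item('AllUsersDesktop'))
    foreach ($dir in $desktops) {
        Get-ChildItem -Path (Join-Path $dir '*') -Include *.lnk, *.url -ErrorAction SilentlyContinue |
          ForEach-Object {
            $link = $_
            if ($link.Extension -eq '.lnk') {
                $target = $shell.CreateShortcut($link.FullName).TargetPath
            } else {
                # .url files are INI text; the destination is the URL= line.
                $target = (Get-Content $link.FullName | Where-Object { $_ -like 'URL=*' }) -replace '^URL=', ''
            }
            foreach ($ioc in $Indicators) {
                if ($link.BaseName -like "*$ioc*" -or "$target" -like "*$ioc*") {
                    $findings.Add("Desktop shortcut: $($link.FullName) -> $target")
                }
            }
        }
    }

    # 2. Internet Explorer start/search pages (HijackThis R0/R1 entries).
    $ieKeys = @('HKCU:\Software\Microsoft\Internet Explorer\Main',
                'HKLM:\Software\Microsoft\Internet Explorer\Main',
                'HKCU:\Software\Microsoft\Internet Explorer\SearchURL')
    foreach ($key in $ieKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -eq $null) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider noise
            foreach ($ioc in $Indicators) {
                if ("$($p.Value)" -like "*$ioc*") {
                    $findings.Add("IE setting: $key\$($p.Name) = $($p.Value)")
                }
            }
        }
    }

    # 3. Browser Helper Objects (HijackThis O2 entries): every BHO, its DLL, and
    #    whether that DLL carries a valid Authenticode signature.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $dll    = if ($server) { [Environment]::ExpandEnvironmentVariables([string]$server.'(default)') } else { '' }
        $status = 'dll missing'
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $status = (Get-AuthenticodeSignature -FilePath $dll).Status   # NotSigned deserves a close look
        }
        $findings.Add("BHO $clsid -> $dll [$status]")
    }

    # 4. Windows Security Center flags (what Spybot reports as
    #    MicrosoftWindowsSecurityCenterDisabled). A value of 1 silences the warning.
    $sc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
    foreach ($flag in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify',
                      'AntiVirusOverride', 'FirewallOverride') {
        if ($sc -ne $null -and $sc.$flag -eq 1) { $findings.Add("Security Center: $flag = 1") }
    }
    return $findings
}

Invoke-HijackTriage
```

Every BHO is listed, not just suspicious ones, because a one-off triage cannot know which third-party BHOs are legitimate on this machine; an unsigned DLL with a random name in System32 is the pattern to take to the HijackThis log reviewers, and nothing here should be deleted on the strength of this output alone.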


#2 Budapest, Bleepin' Cynic (Moderator)

Posted 13 November 2007 - 07:25 AM

See the following instructions for removing Vundo.

How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo

Then try running all your anti-virus and anti-spyware scans in Safe Mode.

How to start Windows in Safe Mode

#3 quietman7, Bleepin' Janitor (Global Moderator)

Posted 13 November 2007 - 11:33 AM

Additionally, "Security Toolbar 7.1" has begun appearing in these pop-ups


If that is the case also, print out and follow the generic instructions for using SmitfraudFix in BC's self-help tutorial "How to remove the Smitfraud/Generic Zlob".
(scroll down to where it says Removal Instructions; ignore the part that shows symptoms in a HijackThis log as they will not apply to your case.)
If you have downloaded SmitfraudFix previously, please delete that version and download it again as the tool is frequently updated!

Next, download RogueRemover and save it to your Desktop. (compatible with Windows 2000, NT, XP, Vista)
  • Double-click on rr-free-setup.exe to install in C:\Program Files\RogueRemover and follow the prompts.
  • During installation an icon will automatically be created on your Desktop.
  • If the program does not open after installation, double-click on the RogueRemover icon to launch.
  • Select "Check for Updates" and click Download if any are found.
  • Wait for the updates to finish downloading, then Close the update window.
  • Select "Scan" and follow the onscreen directions to remove anything found.
  • If nothing is found, exit RogueRemover.
  • If RogueRemover finds something, it will present a list of detected items.
  • Click "Remove selected", then Yes at the prompt.
  • Wait for the removal to complete and then close RogueRemover.
If using Windows Vista be sure to Run As Administrator.

Then download and scan with SUPERAntiSpyware Free in "Safe Mode".
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 venovel (Topic Starter)

Posted 13 November 2007 - 06:07 PM

I spoke too soon when I posted before . . .


I first ran VundoFix. It detected a DLL file, removed it, and prompted for restart. Upon restart, NAV again blocked Adware.Ezula.

Downloaded SmitFraudFix.exe, rebooted into Safe Mode, and ran the SmitFraudFix. However, the instructions indicated there should have been a red window showing "Computer will reboot now"; this window did not appear. Nor did the Windows desktop--it only showed a black screen with the Safe Mode note at each corner. I was able to reboot back into safe mode. (Irritatingly enough, Windows kept tossing up a box "You are running in Safe Mode" that I had to hit Yes on to proceed. Very, very annoying.)

Ran Spybot S&D; it found and removed Virtumonde and Virtumonde.rtk. Upon reboot into normal mode, NAV again found Ezula, and the fake warnings and IE popups started again.

Downloaded VirtumundoBegone and booted into safe mode. Attempted to run it, but it gave a notice "Your computer is set to reboot on a STOP error". Hitting OK on this message caused the system to reboot again, apparently with no fixes having been performed. I brought the system back up in Safe Mode and ran VirtumundoBegone, with what appeared to be success--it brought up a log file indicating that it had found and cleared several DLLs.

I then ran VundoFix again, and removed another DLL. Rebooted, and ran FixEzula.exe. Nothing was found. (However, when Windows restarted in normal mode, I again saw that Norton had blocked Adware.Ezula as a potential threat. I guess FixEzula's a soddin' liar.) I turned System Restore back on and rebooted again.

The system is now running in normal mode. I have just gotten another pair of fake malware messages (systray and Windows warning), and bringing up IE shows the Security Toolbar is back again.


#5 quietman7, Bleepin' Janitor (Global Moderator)

Posted 13 November 2007 - 06:34 PM

Please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. If you can't perform a step, then skip and continue with the next. In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install HJT in the proper location.)

If HijackThis will not run, try renaming it. Open the HijackThis Folder, right-click on the HijackThis.exe file and rename it Scanner.exe. Double-click on Scanner.exe (which is still HijackThis) and then run your scan. If needed, change the .exe to something else such as .bat, .com, .pif, or .scr. Example: Scanner.bat or Scanner.com

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
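The renaming advice in the post above works because this family of malware blocks or kills processes by their well-known image name, not by what the file actually is. The following is an added example, not from the thread and not part of HijackThis: a PowerShell helper that copies a removal tool to a random name before launching it and reports whether the copy was killed within a few seconds. It assumes Windows PowerShell 2.0 or later; the HijackThis path at the bottom is a placeholder for wherever the tool was actually installed.

```powershell
# Added example, not from the thread: launch a tool under a throwaway name so
# name-based process blocking does not recognise it.
function Start-RenamedTool {
    param(
        [Parameter(Mandatory = $true)][string]$ToolPath,
        # A PE file renamed .com still runs as a normal executable (Windows goes
        # by the file header), and .com is rarely on a malware blocklist.
        [ValidateSet('.exe', '.com')][string]$Extension = '.com'
    )
    if (-not (Test-Path -LiteralPath $ToolPath)) { throw "Tool not found: $ToolPath" }

    # A random name rather than a fixed alias: once an alias such as Scanner.exe
    # is widely used it can be blocklisted just like the original.
    $name = -join ((65..90) + (97..122) | Get-Random -Count 8 | ForEach-Object { [char]$_ })
    $copy = Join-Path (Split-Path -Parent $ToolPath) ($name + $Extension)
    Copy-Item -LiteralPath $ToolPath -Destination $copy

    $proc = Start-Process -FilePath $copy -PassThru
    Start-Sleep -Seconds 3
    if ($proc.HasExited) {
        # Terminated within seconds: something is still killing new processes.
        # Retry from Safe Mode, where the malware's auto-start entries do not load.
        Write-Warning "$copy exited immediately (exit code $($proc.ExitCode)); try again in Safe Mode."
    } else {
        Write-Output "Running as $copy (PID $($proc.Id)); delete the copy when you are done."
    }
    return $proc
}

# Placeholder path: point this at the HijackThis.exe you downloaded.
Start-RenamedTool -ToolPath 'C:\Program Files\HijackThis\HijackThis.exe'
```

On Vista, run this from an elevated prompt, as the post says for the other tools; the copy is left in place deliberately so that the log it produces can be traced back to the binary that generated it.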

#6 venovel (Topic Starter)

Posted 13 November 2007 - 06:44 PM

I am now running the HouseCall check on the system in preparation for the HJT log posting. Thanks for your help :thumbsup:

#7 quietman7, Bleepin' Janitor (Global Moderator)

Posted 13 November 2007 - 06:46 PM

You're welcome and good luck.



