Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vmalum.czui Infection


  • Please log in to reply
4 replies to this topic

#1 ann35

ann35

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:19 AM

Posted 20 May 2008 - 09:26 AM

Please help! I have Windows XP operating system and use CA Internet Security Suite.

My CA Antivirus said I had the following infection: Win32/VMalum.CZUI
Filename C:\WINDOWS\system32\C:\WINDOWS\system32\


The antivirus hasnt deleted it, only shown that there is an infection. A few days ago, another message popped up with a different file infection. That was
File infection: C:\WINDOWS\system32\DefLib.sys is Win32/Meldsimp trojan

The CA Realtime Scanner Log shows the following:

4/16/2008 9:22:59 AM File infection: C:\Documents and Settings\AT\Local Settings\Temporary Internet Files\Content.IE5\UGRYFEAG\performances[1].html is infected with HTML/Mafext virus. Clean failed

5/13/2008 8:07:46 AM File infection: C:\WINDOWS\herjek.config is Win32/Sintun trojan. Deleted

5/13/2008 8:07:46 AM File infection: C:\WINDOWS\herjek.config is Win32/Sintun trojan.

5/13/2008 8:07:55 AM File infection: C:\WINDOWS\herjek.config is Win32/Sintun trojan.

...... (this message is repeated probably 100 times)

5/13/2008 8:07:58 AM File infection: C:\WINDOWS\herjek.config is Win32/Sintun trojan.

5/16/2008 14:31:25 PM File infection: C:\WINDOWS\system32\DefLib.sys is Win32/Meldsimp trojan.

5/16/2008 14:31:25 PM File infection: C:\WINDOWS\system32\DefLib.sys is Win32/Meldsimp trojan.

5/20/2008 9:38:41 AM File infection: C:\WINDOWS\system32\win32osf.exe is Win32/VMalum.CZUI infection.

5/20/2008 9:38:42 AM File infection: C:\WINDOWS\system32\win32osf.exe is Win32/VMalum.CZUI infection.

5/20/2008 10:10:34 AM File infection: C:\WINDOWS\system32\win32osf.exe is Win32/VMalum.CZUI infection.

5/20/2008 10:12:01 AM File infection: C:\WINDOWS\system32\win32osf.exe is Win32/VMalum.CZUI infection.

5/20/2008 10:12:01 AM File infection: C:\WINDOWS\system32\win32osf.exe is Win32/VMalum.CZUI infection.



I have run the CA Antivirus scan many times and it shows no viruses. I am frustrated as to why this infection still exists and how it isnt getting cleaned out by the antivirus.

Any help would be greatly appreciated.

Thank you.

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,485 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:19 AM

Posted 20 May 2008 - 01:37 PM

One or more of the identified infections is related to a rootkit component. Rootkits are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read "When should I re-format? How should I reinstall?", "Help: I Got Hacked. Now What Do I Do?" and "Reformatting the computer or troubleshooting; which is best?".

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, please do the following.

If you're using Windows 2000/XP, please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
-- Disconnect from the Internet and temporarily disable your anti-virus and any anti-malware real time protection before performing a scan.

When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply. Be sure to renable you anti-virus and and other security programs before connecting to the Internet.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Acan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 ann35

ann35
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:19 AM

Posted 21 May 2008 - 04:42 PM

Hello quietman7,

Thanks for your reply. I ran SDFIX and after connecting to the internet to run mbam (I made sure my AV, Firewall, etc was on), I got another message that the Sintun.EY infection was back. Also a few other messages. So I disconnected from the internet and didn't do the next step. I think I will just go ahead clean the drive, reformat and reinstall. Also I noticed that my internet security license expiry date changes from day to day. it resets itself to a year from the current day everyday for the past few days. I don't know if this is from the infections that have taken over my computer.

Thanks again for your help.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,331 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:19 AM

Posted 21 May 2008 - 08:56 PM

I feel you've made the wise choice. :thumbsup:
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,485 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:19 AM

Posted 22 May 2008 - 06:03 AM

I agree with boopme.

Some types of malware can result in a system so badly damaged that a Repair Install will NOT help!. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over by wiping your drive, reformatting, and performing a clean install of the OS removes everything and is the safest action.

In case you need help with this, please review "How to partition and format a hard disk in Windows XP".

These links include step by step instructions:
"Clean Install Windows XP".
"Reformat & Clean Install Windows".
"XP Clean Install Interactive Setup".

Reformatting a hard disk deletes all data. If you decide to reformat, you should back up all your important documents, data files and photos. The safest practice is not to backup any .exe files because they may be infected. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive. Don't forget you will have to go to Microsoft Update and apply all Windows security patches.

Also see "How to keep your Windows XP activation after clean install".

If you need additional assistance with reformatting, you can start a new topic in the Windows XP Home and Professional forum.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users