Ie7 And Firefox Recurring Web Page Popups



#1 WalterK


Posted 12 July 2008 - 08:55 PM

I saw the post leading to the current fix via an internet search. I realize it was in the HJT forum, but since the steps described below did not utilize the Trend Micro HijackThis product, I am posting in the more general forum.

I, too, had found redirects and recurring popup webpages to perhaps half a dozen sites using IE7 and Firefox over the past 2 days, similar to many others' experiences.

It began with frequent "not responding" behavior at legitimate websites, the disabling and disappearance of the volume icon in the notification area, repeated Adobe Flash Installer download .exe files, and failure to download files from the MSFT Update and Download sites with 0x80070422 and 0x8DDD0018 errors, which didn't respond to the usual MSFT Knowledge Base article measures.

I was running McAfee antivirus and firewall products (free via a Comcast.net subscription) on a home wireless Linksys router system with XP Home and Windows Defender in place.

It also started (?) when I was "cleaning out" various toolbars and shopping search programs on another user's account on the same laptop.

McAfee virus scan was negative!!

I tried the new MSFT OneCare Live online scanner, which showed Trojan Win32 Vundo.gen!R and !T and TrojanDropper Win32 Nuwar.gen. The program was unable to remove all of them and quarantined some. I noted the various Registry keys listed and tried to remove as many as I could, with no change. Unfortunately, at some point I jumped the gun and tried System Restore with a recent restore point, which probably only perpetuated the problem.

I then searched for Vundo.gen!T and saw the post by S.BRWN213 listed, followed "Steam"'s advice, saw that the Kaspersky scan used the term Monderb.gen (the same as Vundo.gen?), had no problem with ComboFix, and so far have had no popups in IE or in safe-mode Firefox.

I'm afraid to see if I can start Automatic Updates in Services and/or download via Microsoft Update or Windows Update. I don't want to be disappointed right now, but I will have to try.

I reinstalled McAfee and Defender FOR NOW, but will probably soon pay up and switch to more dedicated offerings from Kaspersky and Malwarebytes.

Can't believe the number of posts with similar problems--I thought I and S.BRWN213 were the only ones!

Posting the KAV.txt and Malwarebytes log files:

--------------------------------------------------------------------------------


KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, July 12, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, July 12, 2008 19:40:49
Records in database: 945956
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 32807
Threat name: 3
Infected objects: 27
Suspicious objects: 0
Duration of the scan: 00:48:46


File name / Threat name / Threats count
C:\WINDOWS\system32\fccaXPff.dll/C:\WINDOWS\system32\fccaXPff.dll Infected: Trojan.Win32.Monderb.gen 3
C:\WINDOWS\system32\nondfyrd.dll/C:\WINDOWS\system32\nondfyrd.dll Infected: Trojan.Win32.Monderb.gen 7
C:\WINDOWS\system32\mcuyel.dll/C:\WINDOWS\system32\mcuyel.dll Infected: Trojan.Win32.Monderb.gen 1
C:\Documents and Settings\Walter\Local Settings\Temporary Internet Files\Content.IE5\DBTAU58L\kb767887[1] Infected: Trojan.Win32.Monderb.gen 1
C:\Documents and Settings\Walter\Local Settings\Temporary Internet Files\Content.IE5\WPVOO1UO\kb456456[1] Infected: Trojan.Win32.Monderb.gen 1
C:\Program Files\Uninstall Fun Web Products.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cu 1
C:\WINDOWS\system32\akvtlwwh.dll Infected: Trojan.Win32.Monder.alx 1
C:\WINDOWS\system32\bncuth.dll Infected: Trojan.Win32.Monderb.gen 1
C:\WINDOWS\system32\dgvnlfwo.dll Infected: Trojan.Win32.Monderb.gen 1
C:\WINDOWS\system32\fccaXPff.dll Infected: Trojan.Win32.Monderb.gen 1
C:\WINDOWS\system32\fcgjnjea.dll Infected: Trojan.Win32.Monderb.gen 1
C:\WINDOWS\system32\kvttbmmq.dll Infected: Trojan.Win32.Monderb.gen 1
C:\WINDOWS\system32\kxosjj.dll Infected: Trojan.Win32.Monderb.gen 1
C:\WINDOWS\system32\mcuyel.dll Infected: Trojan.Win32.Monderb.gen 1
C:\WINDOWS\system32\mnjjxl.dll Infected: Trojan.Win32.Monderb.gen 1
C:\WINDOWS\system32\nondfyrd.dll Infected: Trojan.Win32.Monderb.gen 1
C:\WINDOWS\system32\pnxepcwx.dll Infected: Trojan.Win32.Monderb.gen 1
C:\WINDOWS\system32\xwthieix.dll Infected: Trojan.Win32.Monderb.gen 1
C:\WINDOWS\system32\zhmauz.dll Infected: Trojan.Win32.Monderb.gen 1

The selected area was scanned.





Malwarebytes' Anti-Malware 1.20
Database version: 942
Windows 5.1.2600 Service Pack 2

5:56:30 PM 7/12/2008
mbam-log-7-12-2008 (17-56-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 73880
Time elapsed: 21 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 23
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 37

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\fccaXPff.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\nondfyrd.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{881f0caa-bde3-4638-a15b-44717d81b79d} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{881f0caa-bde3-4638-a15b-44717d81b79d} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\diginkbho.diginkbho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\diginkbho.diginkbho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{73fc67a7-bdd3-48d0-b358-3a11bab21720} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0822cf76 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccaxpff -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccaxpff -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\fccaXPff.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ffPXaccf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ffPXaccf.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\akvtlwwh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hwwltvka.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nondfyrd.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dryfdnon.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vsyydywo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\owydyysv.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Walter\Local Settings\Temporary Internet Files\Content.IE5\WPVOO1UO\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FE8FA61C-38DA-4813-B4E8-24773281C3B2}\RP391\A0043414.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FE8FA61C-38DA-4813-B4E8-24773281C3B2}\RP391\A0043415.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FE8FA61C-38DA-4813-B4E8-24773281C3B2}\RP391\A0043416.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FE8FA61C-38DA-4813-B4E8-24773281C3B2}\RP391\A0043418.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FE8FA61C-38DA-4813-B4E8-24773281C3B2}\RP391\A0043419.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FE8FA61C-38DA-4813-B4E8-24773281C3B2}\RP391\A0043423.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FE8FA61C-38DA-4813-B4E8-24773281C3B2}\RP399\A0044803.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FE8FA61C-38DA-4813-B4E8-24773281C3B2}\RP399\A0044812.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FE8FA61C-38DA-4813-B4E8-24773281C3B2}\RP399\A0044814.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FE8FA61C-38DA-4813-B4E8-24773281C3B2}\RP399\A0044815.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FE8FA61C-38DA-4813-B4E8-24773281C3B2}\RP399\A0044818.SCR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FE8FA61C-38DA-4813-B4E8-24773281C3B2}\RP399\A0044820.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FE8FA61C-38DA-4813-B4E8-24773281C3B2}\RP399\A0044821.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FE8FA61C-38DA-4813-B4E8-24773281C3B2}\RP399\A0044823.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FE8FA61C-38DA-4813-B4E8-24773281C3B2}\RP399\A0044826.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FE8FA61C-38DA-4813-B4E8-24773281C3B2}\RP399\A0044827.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FE8FA61C-38DA-4813-B4E8-24773281C3B2}\RP399\A0044828.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FE8FA61C-38DA-4813-B4E8-24773281C3B2}\RP399\A0044833.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FE8FA61C-38DA-4813-B4E8-24773281C3B2}\RP399\A0044834.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FE8FA61C-38DA-4813-B4E8-24773281C3B2}\RP400\A0044846.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FE8FA61C-38DA-4813-B4E8-24773281C3B2}\RP400\A0044847.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bncuth.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dgvnlfwo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\clbdriver.sys (Rootkit.Agent) -> Quarantined and deleted successfully.



(ComboFix log report available.)

I will monitor the situation and reward Steam for his help and efforts if all this succeeds, and will switch to Kaspersky and Malwarebytes very soon, probably getting rid of Defender and OneCare.

Hope this will help others.

P.S. I found the OneCare Live bundle annoying, with repeated messages to start Automatic Updates in Security Center when there was no fix for the problem, among other aggravations such as "forced" daily tuneups with disk defragmentation, ...


WalterK

Edited by WalterK, 12 July 2008 - 09:04 PM.
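The two "Registry Data Items" in the Malwarebytes log above are the most interesting persistence in this thread: by placing its DLL under the LSA Authentication Packages and Notification Packages values, Vundo gets loaded into lsass.exe at boot, which is why that DLL could only be scheduled for "Delete on reboot". The script below is an added example, not code from the thread or from any of the tools named in it. On a Windows host it reads both values with winreg; anywhere else it audits a hand-supplied dictionary, and SAMPLE_VALUES is constructed from the two log lines above. BASELINE is this example's assumption of the Windows XP defaults (msv1_0 and scecli); a domain controller or a third-party credential package legitimately adds entries, so a hit is a lead to check, not a verdict. All function names are the example's own.

```python
"""Audit the LSA "Authentication Packages" / "Notification Packages" values
that the Malwarebytes log in this thread shows Trojan.Vundo abusing.

Added example for this thread; not part of Malwarebytes, Kaspersky or Windows.
BASELINE is an assumption of the XP defaults, SAMPLE_VALUES is constructed from
the log lines above, and every function name here is the example's own.
"""
from __future__ import annotations

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
SYSTEM32 = r"C:\WINDOWS\system32"
# Assumed XP defaults; a domain controller or third-party credential package adds more.
BASELINE = {
    "Authentication Packages": {"msv1_0"},
    "Notification Packages": {"scecli"},
}
# Constructed from the two "Registry Data Items" lines in the Malwarebytes log above.
SAMPLE_VALUES = {
    "Authentication Packages": ["msv1_0", r"c:\windows\system32\fccaxpff"],
    "Notification Packages": ["scecli", r"c:\windows\system32\fccaxpff"],
}


def read_lsa_packages() -> dict[str, list[str]]:
    """Read both REG_MULTI_SZ values from HKLM on a live Windows host (winreg only)."""
    import winreg
    out: dict[str, list[str]] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        for name in BASELINE:
            value, kind = winreg.QueryValueEx(key, name)
            if kind != winreg.REG_MULTI_SZ:
                raise TypeError(f"{name}: unexpected registry type {kind}")
            out[name] = [entry for entry in value if entry]
    return out


def package_name(entry: str) -> str:
    """Bare package name for baseline comparison: directory and .dll are optional
    in these values, and the Malwarebytes log shows the entry without extension."""
    name = entry.rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".dll") else name


def resolved_dll(entry: str, system32: str = SYSTEM32) -> str:
    """The DLL a bare name resolves to: <system32>\\<name>.dll, or the given path + .dll."""
    path = entry if "\\" in entry else f"{system32}\\{entry}"
    return path if path.lower().endswith(".dll") else path + ".dll"


def audit_lsa_packages(values: dict[str, list[str]],
                       system32: str = SYSTEM32) -> list[dict[str, str]]:
    """One record per entry that is not in the baseline for its value."""
    hits: list[dict[str, str]] = []
    for value_name, entries in values.items():
        allowed = {p.lower() for p in BASELINE.get(value_name, set())}
        for entry in entries:
            if package_name(entry) not in allowed:
                hits.append({"value": value_name, "entry": entry,
                             "dll": resolved_dll(entry, system32)})
    return hits


if __name__ == "__main__":
    import sys
    values = read_lsa_packages() if sys.platform == "win32" else SAMPLE_VALUES
    for hit in audit_lsa_packages(values):
        print(f"{hit['value']}: {hit['entry']} -> {hit['dll']} (loaded into lsass.exe at boot)")
```

Run on the sample data it reports the fccaxpff entry under both values; on the cleaned machine it should report nothing, and any leftover entry points at a DLL that will be back in lsass.exe after the next reboot.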


#2 fireman4it

Malware Response Team

Posted 12 July 2008 - 10:46 PM

Hello, here are some other tools you can use. Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) and save it to the desktop; don't open it yet. Then download SUPERAntiSpyware (http://www.superantispyware.com/) and save it to the desktop; don't run it yet.



Open SUPERAntiSpyware from its icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now scan with SUPERAntiSpyware
Open it from the desktop icon or the Program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions,post logs and Let us know how the PC is running now.

Edited by fireman4it, 12 July 2008 - 10:46 PM.



#3 WalterK


Posted 13 July 2008 - 09:25 PM

Thank you. I will review your suggestions and consider for future use.

I will post a new topic stating that the initial steps did not completely remove the infected .dlls, registry keys, etc. Popups recurred, but at a reduced rate.

I had to use Malwarebytes a second time, then printed out all the log files from the Kaspersky online virus scan and Malwarebytes and reviewed LINE BY LINE that each infected item had been removed, in System32 and the Registry, and if not, deleted them as well, using custom shredding of the deleted .dlls with (for the short term) McAfee's recycle bin shredder.

All OK now, access to MSFT Update and Automatic Updating in Services restored, no popups, etc.

The only remaining problem is the loss of the sound volume .exe entry in System32, so there is no volume icon in the system or notification tray (the error message when trying to check "place sound volume icon in tray" relates to the missing sndvol32 entry, and I cannot restore it, as my son must have the original XP Home disc with him at school in Chicago). Before I finally discovered the Vundo, etc. infection, the first unusual sign of a major problem was that when I right-clicked the volume icon a message box stated "cannot adjust due to hardware problem", probably related to the infection. I have sound and can adjust the volume via Control Panel, but that is cumbersome, so I downloaded a clean file which reproduces the speaker effects and volume by clicking a desktop icon.

WalterK
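Post #3 describes going through the Kaspersky and Malwarebytes logs line by line to confirm that each listed item was really gone. The script below is an added example, not part of the thread or of any tool mentioned in it; it automates that review for the Malwarebytes log format shown in post #1. It parses each finding, labels the persistence mechanism it represents (the labels are the example's own), lists what the scanner could only schedule for "Delete on reboot", and re-checks every distinct target through a caller-supplied still_present callback. SAMPLE_LOG is a subset of lines copied from the log in post #1; on_disk is a real file check, while registry entries would need winreg on the cleaned machine and are reported absent by it. Function and class names are the example's own.

```python
"""Triage a Malwarebytes removal log: label the persistence mechanism behind each
finding, list what was only scheduled for "Delete on reboot", and re-check targets.
Added example for this thread, not part of Malwarebytes or any other tool named here."""
from __future__ import annotations

import os
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Subset of lines copied from the Malwarebytes log in post #1.
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\fccaXPff.dll (Trojan.Vundo) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{881f0caa-bde3-4638-a15b-44717d81b79d} (Trojan.Vundo) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0822cf76 (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccaxpff -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccaxpff -> Delete on reboot.
Files Infected:
C:\WINDOWS\system32\fccaXPff.dll (Trojan.Vundo) -> Delete on reboot.
C:\System Volume Information\_restore{FE8FA61C-38DA-4813-B4E8-24773281C3B2}\RP391\A0043414.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\clbdriver.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

SECTION = re.compile(r"^(?P<name>.+) Infected:$")
# Finding line: "<item> (<family>) -> [Data: <value> -> ]<action>."
FINDING = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> "
                     r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$")

@dataclass(frozen=True)
class Finding:
    section: str
    item: str
    family: str
    action: str
    data: Optional[str] = None

    @property
    def target(self) -> str:
        """For Registry Data Items re-check the DLL in the value data, not the LSA key."""
        return self.data or self.item

def parse_log(text: str) -> list[Finding]:
    findings, section = [], "?"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):  # blank / "(No malicious items detected)"
            continue
        if m := SECTION.match(line):
            section = m["name"]
        elif m := FINDING.match(line):
            findings.append(Finding(section, m["item"], m["family"], m["action"], m["data"]))
    return findings

def mechanism(f: Finding) -> str:
    """Label the persistence or loading mechanism a finding represents (example's own labels)."""
    p = f.item.lower()
    if "\\control\\lsa\\" in p and p.endswith(" packages"):
        return "lsa-package"          # DLL pulled into lsass.exe at boot
    if "\\browser helper objects\\" in p:
        return "bho"                  # loaded into every IE process
    if "\\currentversion\\run\\" in p:
        return "run-key"
    if "\\system volume information\\_restore" in p:
        return "restore-point-copy"   # comes back if System Restore is used
    if p.endswith(".sys"):
        return "driver"
    return "registry-other" if p.startswith("hkey_") else "file"

def summarize(findings: Iterable[Finding]) -> Counter:
    return Counter(mechanism(f) for f in findings)

def pending_reboot(findings: Iterable[Finding]) -> list[Finding]:
    """Entries the scanner could not remove live; re-check them after the restart."""
    return [f for f in findings if f.action.lower() == "delete on reboot"]

def verify_removed(findings: Iterable[Finding], still_present: Callable[[str], bool]) -> list[Finding]:
    """One finding per distinct target that still_present() reports as still there."""
    seen, left = set(), []
    for f in findings:
        if f.target.lower() not in seen:
            seen.add(f.target.lower())
            if still_present(f.target):
                left.append(f)
    return left

def on_disk(target: str) -> bool:
    """Real file check; registry targets (winreg needed) are reported absent. LSA data is
    logged without .dll, so that variant is tried too."""
    if target.lower().startswith("hkey_"):
        return False
    return os.path.exists(target) or os.path.exists(target + ".dll")

if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print(summarize(found).most_common(), [f.target for f in pending_reboot(found)])
    print("still present:", [f.target for f in verify_removed(found, on_disk)])
```

Run against the full log from post #1 after the reboot, the "still present" list is the checklist for a second pass; the three "Delete on reboot" entries in the sample (the BHO key, the LSA Authentication Packages value and the fccaXPff.dll file) are exactly the ones worth checking first, and the restore-point copies explain why a System Restore brought the adware back.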

#4 WalterK


Posted 13 July 2008 - 11:18 PM

ADDENDUM TO MY LAST POST:


The file I downloaded IS the sndvol32.exe file from Microsoft. I do NOT need the XP Home CD to reinstall or "expand" the missing file.

I copied and placed it into System32, went back to Control Panel, checked "place volume icon in system tray", and there it is with no error message!

Seems the only place I found a sndvol32.exe file to download (without need for CD installation, cmd prompts, other laborious workarounds listed elsewhere) was at this link at computing.net
in the 3rd reply to a post by Orin in 2006:

www.relaxingsoftware.com/sndvol32.exe

My mistake. I thought it was just a desktop shortcut solution. It's now fixed permanently--in seconds-- with no need for multistep Registry binary value deletions in TrayNotify, and so forth.

No excuse for a trip to Chicago, unfortunately.


WalterK

#5 DaChew

BC Advisor

Posted 14 July 2008 - 03:51 AM

That rootkit uses beep.sys to reload at boot-up; SDFix is now replacing the file to fix your computer when the rootkit is removed.
Chewy
