Monster Virus - Vundo-conhook-etc...


12 replies to this topic

#1 sifusylvain

sifusylvain

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Mississippi
  • Local time:05:54 PM

Posted 15 September 2008 - 09:21 AM

Hi.
I am new here and desperate.
I found this site looking for combofix recommended by an IT friend.
I have been out of IT for ten years and things have changed a bunch.
I will try to be brief in recap of the events of the last week as pertain to this monster virus.

I am using a laptop to communicate as my desktop Dell box is constantly updated and attacked via the internet connection and this virus (plague!)

The desktop (infected unit) is running Win XP SP3 and IE7

After clicking what looked like a youtube link, a moment of peace was followed by a barrage of warnings and download screens for everything from MSAntivirus to Deffender and even dating services.

I have SpyNoMore installed on the box (or that is I did...)
SNM (SpyNoMore) detected several Trojans (Vundo etc...), Hijackers, Adware, Ransomware, and Registry modifiers like drive letters disappearing, Task Manager disappearing, no Microsoft updates allowed and a clever cookies setting enforcing "Accept all cookies" no matter how many times you reset it... and the ConHook.aa program constantly replacing and updating itself in the HKEY_LOCAL_MACHINE\Microsoft\Software\ms juan registry entry.

I noticed several behaviours that scared me beyond the infection itself.

1 - any action in IE (Internet Explorer) requiring a window refresh re-instantiated the ms juan directory in the registry.
2 - when i did a google search for combofix, the registry entry for ms juan created a string of new subkeys just for combofix with google addresses etc...!!!!! This thing is watching!
3 - finally, a file named GenericPUP.x was created twice (that I saw). First in the root\windows directory, and after I removed it using McAfee detection, it reappeared in Program Files\SpyNoMore\SNM.exe rendering SNM disabled!!!

The tech help at SNM was working on this, but communications are now severed.

I am trying to install combofix but cannot get it to run either.
I downloaded combofix from your site on the infected box.
Then I downloaded the console as directed on your site on my laptop, transferred it to CD and copied it onto the infected box.
When I drag the new recovery console icon onto combofix, per your instruction SNM (?) alerts to a registry addition in RunOnce and McAfee alerts to the combofix program entry. I selected the "trust" program option from McAfee and "Allow" for the registry change in SNM alert.

Then .... nothing.

So I then tried to run the existing winnt32.exe file resident on the box, both in the "Run" command as per your instruction and by dragging it onto combofix. I then get a message that the file cannot run because the file "on the computer" is newer than the one I am trying to run????

I am soooo stuck. Please send help....

Thank You

Sylvain
Sifu Sylvain Chamberland-Nyudo
NAMUMYOHORENGEKYO
Founder Threefold Lotus Kwoon
http://threefoldlotus.com
Fine Artist
http://artsylvain.com


#2 dhants20

dhants20

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:06:54 AM

Posted 15 September 2008 - 09:44 AM

The most effective way to kill a virus is if it is sleeping... use Task Manager or tasklist to kill them first, then run whatever anti-virus programs you want. If a file or folder just keeps on re-appearing, then it is most likely that you are deleting the wrong virus file.

#3 sifusylvain

sifusylvain
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Mississippi
  • Local time:05:54 PM

Posted 15 September 2008 - 10:17 AM

Using the task manager is only possible if you know the name of the viruses...

This virus even disabled the task manager and reinvents itself so quickly that I cannot track its possible monikers.

can you help me get combofix to run???

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,749 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:54 PM

Posted 15 September 2008 - 10:34 AM

I found this site looking for combofix recommended by an IT friend.

Please note the message text in blue at the top of this forum.

You should not be using Combofix unless instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 sifusylvain

sifusylvain
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Mississippi
  • Local time:05:54 PM

Posted 15 September 2008 - 10:48 AM

thanks quietman...

As I stated, I have worked in IT and was the architect of the e-commerce development for Canon computers for 6 years, so I am not the "average" user. But I will take your advice and go at it with yet another spyware tool.

I hope the one you suggest is more up to date than SpyNoMore... which cost me 35 bucks.

The internet is very difficult to use as this virus continues to corrupt IE and cause it to "automatically" shutdown...

I'll post results after I give it a go...

Thanks.

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,749 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:54 PM

Posted 15 September 2008 - 11:04 AM

SpyNoMore

SpyNoMore is a program that was previously listed as a rogue on the Rogue/Suspect Anti-Spyware Products List because of concerns with false positives. It has been de-listed as a rogue because the vendor has taken some actions to correct these concerns. I am still skeptical and would only recommend a proven track record like those mentioned in BC's Freeware Replacements For Common Commercial Apps or Trustworthy Anti-Spyware Products.

When compared to other security tools like Spybot S&D and Ad-Aware, the advantage of MBAM is that it is able to detect a wide spectrum of threats including active rootkits.

#7 dhants20

dhants20

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:06:54 AM

Posted 15 September 2008 - 11:09 AM

Since you are not an average user, you most likely know what programs should be running on your system, so just end the processes of all the programs that you don't know. It's not gonna damage your files anyway. If your Task Manager is disabled, here are the commands so that you can enable it again.

in command prompt type this

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskmgr /t REG_DWORD /d 0 /f
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskmgr /t REG_DWORD /d 0 /f

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,749 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:54 PM

Posted 15 September 2008 - 11:15 AM

There is no need to be making changes to the registry yet, as MBAM should be able to deal with this automatically.

Further, whenever giving instructions to use the registry, you should include a warning about backing up.

Always back up your registry before making any changes. If you are not familiar with working in the registry, then you should NOT attempt to make any changes on your own. Improper changes to the registry could adversely affect your computer and render it inoperable.
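The two posts above give the fix (reg add ... DisableTaskmgr ... 0) and the caveat (back the key up first, and stop whatever keeps re-applying the change). The PowerShell script below is an added example, not code from this thread or from any of the tools mentioned in it. It exports both Policies\System keys with reg.exe before touching them, reports the current DisableTaskmgr value in each hive, resets any non-zero value to 0, and reads it back a few seconds later so that a process re-applying the policy (the behaviour sifusylvain describes for the ms juan key) shows up as a warning instead of being silently missed. It assumes an elevated prompt and that PowerShell is installed (on XP it was a separate download); the backup folder under the user's Desktop is an arbitrary choice.

```powershell
# Added example, not from the thread: audit, back up and repair the
# DisableTaskmgr policy in both hives, then confirm the change sticks.
function Repair-TaskMgrPolicy {
    param(
        # Assumed backup location; any writable folder will do.
        [string]$BackupDir = (Join-Path $env:USERPROFILE 'Desktop\reg-backup')
    )

    # The two keys the reg add commands in the thread write to.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    foreach ($key in $keys) {
        $regPath = $key -replace ':', ''          # HKLM:\... -> HKLM\... for reg.exe
        $hive    = $regPath.Split('\')[0]
        $backup  = Join-Path $BackupDir "$hive-Policies-System.reg"

        if (-not (Test-Path $key)) {
            Write-Host "$regPath : key absent, no policy applied"
            continue
        }

        # 1. Back the key up before changing anything. The .reg file can be
        #    restored later with: reg import <file>
        if (Test-Path $backup) { Remove-Item $backup -Force }
        & reg.exe export $regPath $backup | Out-Null
        Write-Host "$regPath : backed up to $backup"

        # 2. Read the policy. A missing value or 0 means Task Manager is allowed.
        $val = (Get-ItemProperty -Path $key -Name DisableTaskmgr -ErrorAction SilentlyContinue).DisableTaskmgr
        if ($null -eq $val -or $val -eq 0) {
            Write-Host "$regPath : DisableTaskmgr not set or 0, Task Manager allowed"
            continue
        }

        # 3. Reset it (same effect as the reg add lines above), then read it
        #    back so a running process that re-applies the policy is noticed.
        Write-Host "$regPath : DisableTaskmgr = $val, Task Manager disabled; resetting to 0"
        Set-ItemProperty -Path $key -Name DisableTaskmgr -Value 0 -Type DWord
        Start-Sleep -Seconds 5
        $again = (Get-ItemProperty -Path $key -Name DisableTaskmgr -ErrorAction SilentlyContinue).DisableTaskmgr
        if ($null -ne $again -and $again -ne 0) {
            Write-Warning "$regPath : DisableTaskmgr is back to $again; a running process is re-applying it. Stop that process first, then re-run."
        } else {
            Write-Host "$regPath : DisableTaskmgr now 0 and holding"
        }
    }
}

Repair-TaskMgrPolicy
```

If the warning fires, the registry edit is not the problem: as dhants20 says, the process writing the value has to be stopped before any registry fix will hold. The exported .reg files are the rollback path if a change turns out to be wrong.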

#9 sifusylvain

sifusylvain
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Mississippi
  • Local time:05:54 PM

Posted 15 September 2008 - 03:33 PM

Well....

Malwarebytes' Anti-Malware is robust and up to date, evidently! It seems to have conquered the remainder of the infection... YEAY!

I am running the extended scan now for the past 1 1/2 hours to verify more deeply.

I am deeply appreciative of your assistance and have already posted several bulletins and emails directing folks to your website. Thank you so very much...

Assuming all is now stable and well, my only 2 remaining issues were
1- deleting SpyNoMore. It was listed in add/remove programs although it would not "delete". So I "manually" deleted it as well as all references in the registry, after which the control panel simply allowed me to "delist" it from the programs list.
2- How do I get a refund from Ilysoft for my 7-day-old purchase?! I have emailed them for a refund, but I have heard nothing back from them on either the refund or the "custom fix"...

Any thoughts?

#10 sifusylvain

sifusylvain
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Mississippi
  • Local time:05:54 PM

Posted 15 September 2008 - 04:30 PM

oooops... may have spoken too soon...

Anti-Malware found 12 new infections under C:\System Volume Information\_restore {202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP776\ named as "A0117727.dll" etc...

The weird thing is that McAfee started alerting to the Generic PUP.x program in the same location but with a different name, one that Anti-Malware did not list in its log. And McAfee continued to alert and claim removal of the other files AFTER Anti-Malware had run "remove" or "delete"...

I am rebooting and going to run scan again...

#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,749 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:54 PM

Posted 15 September 2008 - 04:38 PM

The infected RP***\A00*****.exe/.dll file(s) identified by your scan are in the System Volume Information Folder (SVI) which is a part of System Restore. This is the feature that allows you to set points in time to roll back your computer to a clean working state. The SVI folder is protected by permissions that only allow the system to have access and is hidden by default unless you have reconfigured Windows to show it.

System Restore will back up the good as well as the bad files so when malware is present on the system it gets included in any restore points as an A00***** file. When you scan your system with anti-virus or anti-malware tools, they may detect and place these files in quarantine. When a security program quarantines a file, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat. Thereafter, you can then delete it at any time.

If the anti-virus cannot move the files to quarantine, then following the instructions to Create a New Restore Point and purge all but the most recent restore point with Disk Cleanup should also remove the infected files.

#12 sifusylvain

sifusylvain
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Mississippi
  • Local time:05:54 PM

Posted 18 September 2008 - 01:19 PM

Thanks all!!!

I think we are about ready to close this thread or Bug report...

The only remaining issues were making sure to go to all my security and internet options settings and set them properly (to settings prior to the viral attack)... The settings are now holding, which is an indication that no permanent damage was made.

The "shrink image to fit" option in IE print preview seems to have been affected though, and I haven't figured out how to get that to work again.

So far, everything looks OK

Well, except for the annoying McAfee pleas to buy buy buy and its drain on startup resources...

#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,749 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:54 PM

Posted 18 September 2008 - 01:27 PM

You're welcome.

Tips to protect yourself against malware and reduce the potential for re-infection:
• "Simple and easy ways to keep your computer safe".
• "How did I get infected?, With steps so it does not happen again!".
• "Hardening Windows Security - Part 1 & Part 2".
• "IE Recommended Minimal Security Settings" - "How to Secure Your Web Browser".

• Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.



