Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vundo/Virtumonde Trojan Malware, plus ?


  • This topic is locked This topic is locked
9 replies to this topic

#1 texasbulldog

texasbulldog

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:07:10 PM

Posted 22 December 2008 - 03:18 PM

My computer has been acting up for the last few weeks, it has gone from an occasional occurance to a major pain in the you know what!

I seem to be having problems with pop ups, and pop ups inside of pop ups. When navigationg from one web site to another by a link the page tries to open as a pop up, and is blocked. I have had problems with my browser being shanghied, and taken to websites I did not direct it to. I think the Active X settings have also been tampered with.
And everytime I try to acess Windows Update, I am taken to msn.com.

I have been trying to rid myself of this problem for the last few days, but seem to be thwarted with every new direction I go to. When trying to down load recommended virus and malware programs, I have been met with page not found, the download window does not come up, or if the program is able to download it will not update. I am so frustrated. Please help!!!!

I have already downloaded and updated Malwarebytes Anti Malware, and was able to update it :thumbsup:

I ran a quick scan, in normal mode and here is a copy of the log

Malwarebytes' Anti-Malware 1.31
Database version: 1526
Windows 5.1.2600 Service Pack 3

12/22/2008 1:23:59 PM
mbam-log-2008-12-22 (13-23-59).txt

Scan type: Quick Scan
Objects scanned: 51171
Time elapsed: 2 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.167 85.255.112.187 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{89f7a904-3daf-4f4c-8ba6-e7d18766c3a1}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.167 85.255.112.187 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.167 85.255.112.187 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{89f7a904-3daf-4f4c-8ba6-e7d18766c3a1}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.167 85.255.112.187 1.2.3.4 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Then I rebooted, and ran the full scan in normal mode, here is a copy of that log

Malwarebytes' Anti-Malware 1.31
Database version: 1526
Windows 5.1.2600 Service Pack 3

12/22/2008 2:14:39 PM
mbam-log-2008-12-22 (14-14-39).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 133644
Time elapsed: 42 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.167 85.255.112.187 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{89f7a904-3daf-4f4c-8ba6-e7d18766c3a1}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.167 85.255.112.187 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.167 85.255.112.187 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{89f7a904-3daf-4f4c-8ba6-e7d18766c3a1}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.167 85.255.112.187 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.167 85.255.112.187 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{89f7a904-3daf-4f4c-8ba6-e7d18766c3a1}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.167 85.255.112.187 1.2.3.4 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:10 PM

Posted 22 December 2008 - 04:49 PM

Hi and welcome. lets run this and post back the report.
SmitFraudFix by S!Ri
The report can be found at the root of the system drive, usually at C:\rapport.txt.

Now Open MBAm again . Update it,then perform a Quick scan. Post that log also,thank you.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 texasbulldog

texasbulldog
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:07:10 PM

Posted 22 December 2008 - 06:01 PM

SmitFraudFix v2.387

Scan done at 16:15:03.64, Mon 12/22/2008
Run from C:\Documents and Settings\Maria\My Documents\MARIA\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys\WUSB300N\WLService.exe
C:\Program Files\Linksys\WUSB300N\WUSB300N.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe

hosts

hosts file corrupted !

207.46.226.17 windowsupdate.microsoft.com

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Maria


C:\DOCUME~1\Maria\LOCALS~1\Temp


C:\Documents and Settings\Maria\Application Data


Start Menu


C:\DOCUME~1\Maria\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK



DNS

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Wireless-N USB Network Adapter #5 - Packet Scheduler Miniport
DNS Server Search Order: 85.255.112.167
DNS Server Search Order: 85.255.112.187
DNS Server Search Order: 1.2.3.4

HKLM\SYSTEM\CCS\Services\Tcpip\..\{89F7A904-3DAF-4F4C-8BA6-E7D18766C3A1}: DhcpNameServer=85.255.112.167 85.255.112.187 1.2.3.4


Scanning for wininet.dll infection


End




Malwarebytes' Anti-Malware 1.31
Database version: 1526
Windows 5.1.2600 Service Pack 3

12/22/2008 4:59:31 PM
mbam-log-2008-12-22 (16-59-31).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 134006
Time elapsed: 40 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.167 85.255.112.187 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{89f7a904-3daf-4f4c-8ba6-e7d18766c3a1}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.167 85.255.112.187 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.167 85.255.112.187 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{89f7a904-3daf-4f4c-8ba6-e7d18766c3a1}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.167 85.255.112.187 1.2.3.4 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:10 PM

Posted 22 December 2008 - 09:04 PM

Hello again..
Disconnect from the Internet and reset your router with a strong logon/password so the malware cannot gain control before connect again. Many users seldom change the default username/password on the router and are prone to this type of infection.
Change the Default Password on a Network Router

Double-click smitfraudfix.exe to start the tool again.
Select option #5 - Search and clean DNS Hijack by typing 5 and press "Enter".
After running SmitFraudFix, a text file named rapport.txt will have automatically been saved to the root of the system drive at C:\rapport.txt.


Once Again open MBAm. Update it,then perform a Quick scan. Post that log also and Reboot,thank you
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 texasbulldog

texasbulldog
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:07:10 PM

Posted 22 December 2008 - 09:28 PM

SmitFraudFix v2.387

Scan done at 20:26:34.04, Mon 12/22/2008
Run from C:\Documents and Settings\Maria\My Documents\MARIA\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

DNS Before Fix

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Wireless-N USB Network Adapter #5 - Packet Scheduler Miniport
DNS Server Search Order: 85.255.112.167
DNS Server Search Order: 85.255.112.187
DNS Server Search Order: 1.2.3.4

HKLM\SYSTEM\CCS\Services\Tcpip\..\{89F7A904-3DAF-4F4C-8BA6-E7D18766C3A1}: DhcpNameServer=85.255.112.167 85.255.112.187 1.2.3.4
HKLM\SYSTEM\CS1\Services\Tcpip\..\{89F7A904-3DAF-4F4C-8BA6-E7D18766C3A1}: DhcpNameServer=85.255.112.167 85.255.112.187 1.2.3.4
HKLM\SYSTEM\CS3\Services\Tcpip\..\{89F7A904-3DAF-4F4C-8BA6-E7D18766C3A1}: DhcpNameServer=85.255.112.167 85.255.112.187 1.2.3.4
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=85.255.112.167 85.255.112.187 1.2.3.4
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=85.255.112.167 85.255.112.187 1.2.3.4
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=85.255.112.167 85.255.112.187 1.2.3.4

DNS After Fix

#6 texasbulldog

texasbulldog
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:07:10 PM

Posted 22 December 2008 - 09:40 PM

12/22/2008 8:35:54 PM
mbam-log-2008-12-22 (20-35-54).txt

Scan type: Quick Scan
Objects scanned: 50963
Time elapsed: 2 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.167 85.255.112.187 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{89f7a904-3daf-4f4c-8ba6-e7d18766c3a1}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.167 85.255.112.187 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.167 85.255.112.187 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.167 85.255.112.187 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{89f7a904-3daf-4f4c-8ba6-e7d18766c3a1}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.167 85.255.112.187 1.2.3.4 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:10 PM

Posted 22 December 2008 - 10:43 PM

Ok, I asked the Security boss here (quietman70 to look and we agree that you will need to post a HiJackThis log. Something is allowing this to regenerate and they will dig it out. Please go here and follow steps 6 & 7.
Preparation Guide For Use Before Posting A Hijackthis Log
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 texasbulldog

texasbulldog
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:07:10 PM

Posted 23 December 2008 - 10:08 AM

Thank you for your help, and wish me luck!

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:10 PM

Posted 23 December 2008 - 10:23 AM

You are welcome and Good luck.tho you're in the best hands with the BC HJT team :thumbsup:
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#10 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,801 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:09:10 PM

Posted 23 December 2008 - 06:42 PM

Hello texasbulldog,

Now that your log is posted here: http://www.bleepingcomputer.com/forums/t/188741/suspect-vundovirtamunde/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users