Vundo/Virtumonde Infection


  • This topic is locked
11 replies to this topic

#1 ann6dash5


  • Members
  • 12 posts

Posted 24 December 2008 - 12:32 PM

Hi,

My system was infected with the Vundo/Virtumonde infection recently. My computer slowed down a lot, and I also received a pop-up ad in IE. My McAfee firewall kept notifying me of new applications trying to access the internet, and also my WinPatrol program started notifying me of new applications that would try to start up whenever my computer booted up. My firewall, Windows automatic update, and Symantec Antivirus auto-protect were also disabled by the virus (but I could turn them back on myself). I was able to detect parts of the virus through Ad-Aware and Symantec scans.

I found instructions to remove the infection on bleepingcomputer.com and followed those. I ran a Symantec Antivirus scan, Malwarebytes Anti-Malware, VundoFix, and Vundobegone. I removed about 40 vundo-related files through Malwarebytes, and also some vundo-related files through the Symantec scan. The Symantec auto-protect also detected and removed a few files for me. I ran both VundoFix and Vundobegone after these removals, and they both said that no infection was detected.

The applications that my McAfee firewall detected that were trying to access the internet were: PRUNNET.EXE (which was found in system32), and WINVSNET.TMP, WAVVSNET.TMP, CSMXONERAW.TMP, XPRE.TMP, XWSOECAMRN.TMP (these were all found in documents and settings\local settings\temp). All of these were removed by the Malwarebytes scan. After I ran this scan and removed them, my firewall said "Program no longer exists" under their application descriptions.

However, one application (wnorcxmsae.tmp) was not removed. I currently have it blocked with my firewall. I am not sure if this is significant, but it was one of the virus files and I can't seem to remove it.

The last activity of the virus I noticed was that my auto-protect for symantec was disabled. This happened a few hours ago and I have not noticed anything else. I re-allowed access to IE and I have not had any pop-up ads.

I was wondering if you could tell me if my system is clean, and what I can do to make sure that the virus is fully removed. Below I am posting my DDS scan, Malwarebytes log, Kaspersky scan, and I have attached the attached.txt file.

Thank you so much, I have spent hours and hours on this problem and appreciate any help. Please let me know if there is anything else I can do or provide. Also, if you notice any other malware or anything else that I could do to improve my computer, please let me know too. Thanks again!


---------------------------------------------------------


DDS (Version 1.1.0) - NTFSx86
Run at 2:22:35.17 on Wed 12/24/2008
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.376 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall Plus *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Winamp\winamp.exe
C:\PROGRA~1\mcafee.com\agent\McDash.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\McAfee.com\Personal Firewall\MpfConsole.exe
C:\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.espn.go.com/
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
uInternet Connection Wizard,ShellNext = hxxp://development.erols.com/ie5/welcome
uInternet Settings,ProxyOverride = <local>;*.local
mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SpywareBlock Class
BHO: N/A: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [DLBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBTtime.dll,_RunDLLEntry@16
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\\vptray.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\McAgent.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\post-i~1.lnk - c:\program files\3m\psnlite\PsnLite.exe
uPolicies-explorer: Btn_Back = 1 (0x1)
uPolicies-explorer: SpecifyDefaultButtons = 1 (0x1)
uPolicies-explorer: Btn_Forward = 1 (0x1)
uPolicies-explorer: Btn_Stop = 1 (0x1)
uPolicies-explorer: Btn_Refresh = 1 (0x1)
uPolicies-explorer: Btn_Home = 1 (0x1)
uPolicies-explorer: Btn_Search = 1 (0x1)
uPolicies-explorer: Btn_History = 2 (0x2)
uPolicies-explorer: Btn_Favorites = 1 (0x1)
uPolicies-explorer: Btn_Folders = 2 (0x2)
uPolicies-explorer: Btn_Fullscreen = 1 (0x1)
uPolicies-explorer: Btn_Tools = 2 (0x2)
uPolicies-explorer: Btn_MailNews = 1 (0x1)
uPolicies-explorer: Btn_Size = 1 (0x1)
uPolicies-explorer: Btn_Print = 1 (0x1)
uPolicies-explorer: Btn_Edit = 2 (0x2)
uPolicies-explorer: Btn_Discussions = 2 (0x2)
uPolicies-explorer: Btn_Cut = 2 (0x2)
uPolicies-explorer: Btn_Copy = 2 (0x2)
uPolicies-explorer: Btn_Paste = 2 (0x2)
uPolicies-explorer: Btn_Encoding = 2 (0x2)
IE:
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: amaena.com
Trusted Zone: antimalwareguard.com
Trusted Zone: antispyexpert.com
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
Trusted Zone: amaena.com
Trusted Zone: antimalwareguard.com
Trusted Zone: antispyexpert.com
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: CShellExecuteHookImpl Object: {54D9498B-CF93-414F-8984-8CE7FDE0D391} - c:\program files\ewido\security suite\shellhook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\brian\applic~1\mozilla\firefox\profiles\ldl4lk03.default\
FF - prefs.js: browser.startup.homepage - www.espn.go.com
FF - plugin: c:\documents and settings\brian\application data\mozilla\firefox\profiles\ldl4lk03.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 aawservice;Ad-Aware 2007 Service;"c:\program files\lavasoft\ad-aware 2007\aawservice.exe" [2007-7-20 574808]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2006-7-19 169632]
R2 ewido security suite control;ewido security suite control;c:\program files\ewido\security suite\ewidoctrl.exe [2004-11-11 16448]
R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\mcdetect.exe [2005-8-31 126976]
R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2005-8-31 122368]
R2 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\Rtvscan.exe" [2006-9-27 1813232]
R3 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2006-7-19 192160]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-5 99376]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081219.005\naveng.sys [2008-12-19 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081219.005\navex15.sys [2008-12-19 876112]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-5-31 245760]
S3 SavRoam;SAVRoam;"c:\program files\symantec antivirus\SavRoam.exe" [2006-9-27 116464]

=============== Created Last 30 ================

2008-12-24 01:17 <DIR> --d----- C:\VundoFix Backups
2008-12-24 00:10 <DIR> --d----- c:\docume~1\brian\applic~1\Malwarebytes
2008-12-24 00:10 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-24 00:10 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-24 00:10 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-24 00:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 08:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 08:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 08:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 11:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 02:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-10-03 05:15 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 05:15 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-02-17 15:11 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2005-09-27 02:37 32 a----r-- c:\documents and settings\all users\hash.dat
2005-09-29 08:55 422,726 ---sh--- c:\windows\system32\kmllm.bak1
2005-10-01 13:27 425,162 ---sh--- c:\windows\system32\kmllm.bak2

============= FINISH: 2:23:26.35 ===============



---------------------------------------------------------



Malwarebytes' Anti-Malware 1.31
Database version: 1538
Windows 5.1.2600 Service Pack 2

12/24/2008 1:02:50 AM
mbam-log-2008-12-24 (01-02-50).txt

Scan type: Quick Scan
Objects scanned: 69343
Time elapsed: 21 minute(s), 20 second(s)

Memory Processes Infected: 7
Memory Modules Infected: 2
Registry Keys Infected: 15
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
C:\Documents and Settings\Brian\Local Settings\Temp\xpre.tmp (Trojan.Downloader) -> Unloaded process successfully.
C:\Documents and Settings\Brian\Local Settings\Temp\wavvsnet.tmp (Trojan.Downloader) -> Unloaded process successfully.
C:\Documents and Settings\Brian\Local Settings\Temp\winvsnet.tmp (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\Brian\Local Settings\Temp\wavvsnet.tmp (Trojan.Downloader) -> Unloaded process successfully.
C:\Documents and Settings\Brian\Local Settings\Temp\winvsnet.tmp (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\Brian\Local Settings\Temp\acnwresxmo.tmp (Trojan.Downloader) -> Unloaded process successfully.
C:\Documents and Settings\Brian\Local Settings\Temp\oncwmaresx.tmp (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\cbXPiIxW.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ljJBTmkh.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c87f8ab8-4036-46db-872c-90a9336f673a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c87f8ab8-4036-46db-872c-90a9336f673a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljjbtmkh (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c87f8ab8-4036-46db-872c-90a9336f673a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\cbxpiixw -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\cbxpiixw -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cbXPiIxW.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\WxIiPXbc.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WxIiPXbc.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJBTmkh.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Brian\Local Settings\Temp\xpre.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brian\Local Settings\Temp\wavvsnet.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brian\Local Settings\Temp\winvsnet.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brian\Local Settings\Temp\acnwresxmo.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brian\Local Settings\Temp\oncwmaresx.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prunnet.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\kernel32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMgebBR.dll (Trojan.Vundo) -> Quarantined and deleted successfully.



---------------------------------------------------------



Wednesday, December 24, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, December 24, 2008 01:11:44
Records in database: 1507057
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area Critical Areas
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS
Scan statistics
Files scanned 48181
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 01:12:55

No malware has been detected. The scan area is clean.
The selected area was scanned.


#2 Bugbatter


    Forum Deity


  • Malware Response Team
  • 270 posts

Posted 05 January 2009 - 04:26 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

I am reviewing your log. In the meantime, please address the following:

* Have you have posted this issue on another forum? If so, please provide a link to the topic.

* If you are an employee and this system is owned by your employer, do you have permission to make changes to it?

* If you are using any cracked (illegal) software, please uninstall that.

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counterproductive to restoring your PC to a healthy state.
There is a list here: http://spywarehammer.com/simplemachinesfor...php?topic=110.0

* Please understand it is very important that you follow the instructions given to you during the cleaning of malware. This can sometimes be a tricky process and often requires things be done in a certain sequence to be effective. Please do not wait days between steps in this process. It is requested you respond at least within 48 hours. Any longer and it becomes necessary to update all information and start over. Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures.
Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using.

* If your replies do not fit in one post while we are handling your issue, please reply to yourself until all text is submitted. It may take several posts.

* I see McAfee Security Center and Symantec Anti-virus. Which are you using for your realtime anti-virus?

I look forward to your reply so we can begin removing the malware.

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-


#3 ann6dash5

  • Topic Starter

  • Members
  • 12 posts

Posted 05 January 2009 - 05:40 PM

Hi,

I have not tried to do anything else with my computer since my last post, so my last post is still current. I have also not posted on any other forums and meet the requirements that you asked for. Since my last post, I haven't received any pop-up ads and my antivirus/firewall/windows updates have not been turned off by the infection. I am still not sure if I have gotten rid of the infection though. I am only using McAfee for the personal firewall. Everything else, including the real time antivirus, is through Symantec Anti-virus. Let me know if you need any more information. Thanks for your help!

#4 Bugbatter


    Forum Deity


  • Malware Response Team
  • 270 posts

Posted 05 January 2009 - 06:55 PM

Thank you for the information. I see a few things I'd like to check.
Let's reset your Trusted Zones. There are some baddies in there. Please download WinHelp2002's DelDomains by right-clicking on the following link, and choosing "Save Target As":
http://www.mvps.org/winhelp2002/DelDomains.inf
Save the file to the desktop. Then go to the desktop, right click on DelDomains.inf, and choose Install. You may not see any noticeable changes or prompts; this is normal.

Once it is finished your Zones should be reset.
**Note: this will remove all entries in the Trusted Zone and Restricted Zone, and entries you had will need to be entered again. You will have to re-immunize with SpywareBlaster, and/or Spybot after doing this.
You’ll need to reinstall IESpyads (if you use any of these programs).

Following that, please update your MBAM, run a scan, and please post the log.

Edited by Bugbatter, 05 January 2009 - 06:56 PM.

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-
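As an added example (not code from this thread, from DDS, or from WinHelp2002), here is a Python triage of the "Pseudo HJT Report" block of a DDS log like the one in the first post. It pulls out the IE Trusted Zone domains that the reply above calls "baddies", together with the extension points Vundo-class infections use (BHOs, Run keys, Winlogon Notify, ShellExecuteHooks), and diffs a before/after pair of logs to confirm that the DelDomains.inf reset emptied the zone and changed nothing else. The "before" sample is an excerpt of this thread's DDS log; the "after" sample is constructed from it to look like a successful reset.

```python
"""Triage the "Pseudo HJT Report" block of a DDS log: collect IE Trusted
Zone domains and common malware extension points, then diff two snapshots
to verify a Trusted Zone reset. Added example; not DDS or WinHelp2002
code. The line format is inferred from the DDS log posted in this thread."""
import re

# DDS line prefix -> category. uRun/mRun are the per-user and machine Run keys.
CATEGORIES = {"Trusted Zone": "trusted_zone", "BHO": "bho", "uRun": "run",
              "mRun": "run", "Notify": "winlogon_notify",
              "SEH": "shell_execute_hook"}
_LINE_RE = re.compile(r"^(?P<prefix>[A-Za-z ]+?): (?P<body>.+)$")


def parse_pseudo_hjt(text):
    """Return {category: sorted unique entries} from the Pseudo HJT block.
    DDS prints some lists twice (the Trusted Zone in this thread), so the
    entries are de-duplicated."""
    found = {cat: set() for cat in CATEGORIES.values()}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("=") and "Pseudo HJT Report" in line:
            in_block = True
            continue
        if in_block and line.startswith("="):   # next section header
            break
        m = _LINE_RE.match(line) if in_block else None
        if m and m.group("prefix") in CATEGORIES:
            found[CATEGORIES[m.group("prefix")]].add(m.group("body"))
    return {cat: sorted(v) for cat, v in found.items()}


def diff_snapshots(before, after):
    """Per category: entries removed and added between two parsed logs."""
    return {cat: {"removed": sorted(set(before[cat]) - set(after.get(cat, []))),
                  "added": sorted(set(after.get(cat, [])) - set(before[cat]))}
            for cat in before}


def reset_verified(before, after):
    """True when the Trusted Zone is empty afterwards and no other category
    changed: a zone reset must not remove or add BHOs, Run keys, etc."""
    d = diff_snapshots(before, after)
    others_unchanged = all(not d[c]["removed"] and not d[c]["added"]
                           for c in d if c != "trusted_zone")
    return not after["trusted_zone"] and others_unchanged


# Sample input: an excerpt of the DDS log posted in this thread.
DDS_EXCERPT = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.espn.go.com/
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: N/A: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe
Trusted Zone: amaena.com
Trusted Zone: antimalwareguard.com
Trusted Zone: virusremover2008.com
Trusted Zone: amaena.com
Trusted Zone: antimalwareguard.com
Trusted Zone: virusremover2008.com
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: CShellExecuteHookImpl Object: {54D9498B-CF93-414F-8984-8CE7FDE0D391} - c:\program files\ewido\security suite\shellhook.dll

================= FIREFOX ===================

FF - prefs.js: browser.startup.homepage - www.espn.go.com
"""

# Constructed "after DelDomains.inf" snapshot: the same log with the Trusted
# Zone lines gone, which is what a successful reset should look like.
AFTER_RESET_EXCERPT = "\n".join(
    l for l in DDS_EXCERPT.splitlines() if not l.startswith("Trusted Zone:"))

if __name__ == "__main__":
    before = parse_pseudo_hjt(DDS_EXCERPT)
    for domain in before["trusted_zone"]:
        print("trusted zone:", domain)
    after = parse_pseudo_hjt(AFTER_RESET_EXCERPT)
    print("reset verified:", reset_verified(before, after))
```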


#5 ann6dash5

  • Topic Starter

  • Members
  • 12 posts

Posted 08 January 2009 - 01:13 AM

Hi,

I installed the DelDomains.inf and ran an updated MBAM scan. I don't think I said it before, but the browser that I use is Firefox. Also, I was not exactly sure about what you meant when you said:
"**Note: this will remove all entries in the Trusted Zone and Restricted Zone, and entries you had will need to be entered again. You will have to re-immunize with SpywareBlaster, and/or Spybot after doing this.
You’ll need to reinstall IESpyads (if you use any of these programs)."


Thanks for your quick reply and here is the log:

Malwarebytes' Anti-Malware 1.32
Database version: 1629
Windows 5.1.2600 Service Pack 2

1/8/2009 1:12:18 AM
mbam-log-2009-01-08 (01-12-18).txt

Scan type: Full Scan (C:\|)
Objects scanned: 153583
Time elapsed: 1 hour(s), 33 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 Bugbatter


    Forum Deity


  • Malware Response Team
  • 270 posts

Posted 08 January 2009 - 11:54 PM

So far, so good. It has been a while since you posted your first log. Please let me know exactly what symptoms of malware you are still experiencing. Thanks.

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-


#7 ann6dash5

  • Topic Starter

  • Members
  • 12 posts

Posted 09 January 2009 - 04:53 PM

Since all of the cleanup that I stated I did on my first post, I really haven't had any malware problems actually. My computer speed has been a little slow (but I am not sure if that can be attributed to the malware). The other symptoms that I initially got have stopped since my first post. Since your reply, I was trying to check with you to see if my computer had been cleared of the infection, as I wasn't sure how to check this myself. Thanks again for your help and let me know if you think there is anything else I can further do.

#8 Bugbatter


    Forum Deity


  • Malware Response Team
  • 270 posts

Posted 09 January 2009 - 08:18 PM

Thank you for the information. Your outdated Java made you vulnerable to this infection. Older versions have vulnerabilities that malware can use to infect your system. It is possible that you may be running Java code in your applications that absolutely requires a specific version of the JRE to run. Please follow these steps to remove older Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 1.6.0.
  • Scroll down to where it says " Java SE Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • NOTE: As always during installations, beware of any pre-checked option to install MSN/Windows Live Toolbar.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java along with their older updates.
  • Do NOT delete the folder C:\Program Files\JavaVM, if found!
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
  • NOTE: If you are offered to install a toolbar and you do not want it, Uncheck that option when installing Java.
After installing, you can test here to see if the update has installed:
http://www.java.com/en/download/installed.jsp

Finally, please update MBAM, run a new scan, and please post the MBAM log. If everything is still running well, we'll flush System Restore, and you'll be in good shape.

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-


#9 ann6dash5

  • Topic Starter

  • Members
  • 12 posts

Posted 10 January 2009 - 02:51 AM

I updated Java and ran another MBAM scan. My computer seems to be in good condition according to MBAM.

Here is the log:

1/10/2009 2:47:51 AM
mbam-log-2009-01-10 (02-47-51).txt

Scan type: Quick Scan
Objects scanned: 74075
Time elapsed: 15 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • Local time:02:23 AM

Posted 10 January 2009 - 09:46 AM

That's great news! :thumbsup:


After something like this it is a good idea to purge the Restore Points and start fresh.
If everything is running well, let's purge System Restore.
To flush the XP System Restore Points:
(Using XP, you must be logged in as Administrator to do this.)
Go to Start>Run and type msconfig.
Press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.
Check the box labeled Turn Off System Restore.

Reboot. Go back in and turn System Restore ON. A new Restore Point will be created.

Here is my standard list of simple steps that you can take to reduce the chance of infection in the future.

If you have installed Malwarebytes' Anti-Malware as part of your cleaning procedures, keep it updated and use it to scan every so often for malware, or upgrade to the paid version for realtime scanning and auto updating.

You may have already taken some of the following steps, and depending on your current security, you may not need to implement all of these:

1. Visit Windows Update
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.

2. You might consider installing SpywareBlaster
Tutorial HERE
Periodically check for updates.

3. Please use a firewall and realtime anti-virus. Keep your antivirus software and firewall software up to date.
Zone Labs has a free version of their firewall for home users: Zone Alarm Free Version or Alternate Link

4. You might consider installing Mozilla Firefox

5. Do not use file sharing. Even the safest P2P file sharing programs that do not contain bundled spyware still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple. File sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P file sharing networks because of their known vulnerabilities.

6. Before using or purchasing any Spyware/Malware protection/removal program, always check these links: Rogue/Suspect Spyware List
Rogue Applications List
It will save you a lot of grief, as well as money if you are thinking of purchasing.
* If you want to know just how effective your anti-spyware program is, or how well any of the "rogue" programs listed at the above links work, check HERE for an independent comparison of several anti-spyware programs.

7. If you have not already done so, you might want to install CCleaner and run it in each user's profile.
** Uncheck the option to install the Yahoo toolbar.

8. Here are some helpful articles:
“How did I get infected?”
HERE

“I'm not pulling your leg, honest”
by Sandi Hardmeier
HERE

Let us know if we have not resolved your problem. Otherwise, you are good to go.
Happy and Safe Surfing!



#11 ann6dash5

ann6dash5
  • Topic Starter

  • Members
  • 12 posts
  • Local time:01:23 AM

Posted 10 January 2009 - 06:43 PM

Thanks so much for your help, I really appreciate it.

#12 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • Local time:02:23 AM

Posted 10 January 2009 - 11:47 PM

You're most welcome. I'm glad we could help.
Since your problem appears to be resolved, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request. If you should have a new issue, please start a new topic.
This applies only to the original topic starter. Everyone else please begin a New Topic.
