
My computer is infected by Vundo!grb and HTML/FakeAV


8 replies to this topic

#1 giz831 (Members, 6 posts)

Posted 15 February 2009 - 02:53 AM

Hello. My name is Branson and I have a serious problem.

My computer was recently infected by 2 Trojans named Vundo!grb and HTML/FakeAV.
My operating system is Microsoft Windows XP Home Edition Version 2002, Service Pack 3.
I get a lot of random pop-up ads, and my computer performance has been slowed down tremendously.
My Windows Security Alerts / Automatic Updates will no longer work or update, and McAfee pops up with multiple threats detected, yet none could be healed or removed, only quarantined. McAfee is still picking up threats as I type this post.

If it helps, here are some of the quarantined items/files that were detected and quarantined by McAfee Virus Scan:

The ones suspected by McAfee to be related to the Vundo!grb Trojan are:
hjowgncu.ini
ovexmyou.ini
A0030483.ini
A0030484.ini

The one suspected to be related to the HTML/FakeAV Trojan is:
freescan[1].htm

If there is more information that needs to be submitted for your review to help me solve this problem, I will be more than cooperative and provide you with anything needed to do so.

Thank you.

Edited by The weatherman, 15 February 2009 - 08:38 AM.
Moved to a more appropriate forum~TW



#2 patbox (Members, 456 posts)

Posted 15 February 2009 - 06:13 AM

Hi,

Did you run Spybot S&D? And be sure to run Malwarebytes (download both from www.download.com).

And before you restart, go to START/RUN and type msconfig. See the Services tab and disable all services which are not from Microsoft. Then in the Startup tab disable most of the programmes that you don't need. In fact you do not need much or anything from startup. Then restart, and run all your antivirus programmes again, in particular Spybot and Malwarebytes. Let Spybot install an application called TeaTimer to your startup. This will protect you.

Finally, go to START/RUN and type command, then type color 9f (just my preference), then type mrt and do the scan.

Cheers,
Patbox

#3 DaChew, Visiting Alien (Members, 10,317 posts, Location: millenium falcon and rockytop)

Posted 15 February 2009 - 10:06 AM

@patbox

I have used msconfig in the past as you have suggested here, but doing so interferes with malware removal.

I see that you are running msconfig in /auto mode which means that you may have selectively removed some items in the past from the startup procedure. This can be bad if they are malware, so we would like you to reenable those startup entries by doing the following:


Here's an excerpt from the standard canned response used in such cases.

Also, when replying to an obviously infected thread that was misposted in the wrong forum and will be moved to this forum, you need to follow the rules:

http://www.bleepingcomputer.com/forums/t/182397/am-i-infected-what-do-i-do-how-do-i-get-help-who-is-helping-me/

I don't make the rules, but they are in the best interest of posters looking for help.

Another note: if you search this forum and the HJT forum for TeaTimer, you will see it's one of the first items to be disabled so as to allow malware removal.

It's a very powerful but dangerous tool/protection.

thanks
Chewy

No. Try not. Do... or do not. There is no try.

#4 DaChew, Visiting Alien (Members, 10,317 posts, Location: millenium falcon and rockytop)

Posted 15 February 2009 - 10:33 AM

@ giz831

:thumbsup:

It does look like McAfee let something through; now the problem is, will it let us fix it?

I would like you to download ATF-Cleaner and MBAM, install MBAM and update it, then disconnect from the internet.

Next I would like you to disable McAfee's resident protection.

MCAFEE ANTIVIRUS

Please navigate to the system tray on the lower right corner of your desktop and look for the red McAfee "M" icon.

* Right-click the icon > "Exit."

* A popup will show that protection has been disabled. Click on "Yes" to confirm.

* Verify this by opening McAfee. Click on Configuration. Make sure that you have disabled anti-virus, system guard, and anti-spyware from inside the program.

Next, run ATF-Cleaner and MBAM.


Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download Malwarebytes Anti-Malware (v1.34) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

After MBAM finishes removing what it found, please turn McAfee back on before reconnecting to the internet.
Chewy


#5 -KiKi- (Members, 162 posts)

Posted 15 February 2009 - 02:10 PM

(Quoting giz831's opening post in full.)

I have a McAfee antivirus program also and it alerted me of the same Vundo Trojan and HTML/FakeAV trojan. My McAfee program showed that they were both deleted.

#6 giz831, Topic Starter (Members, 6 posts)

Posted 15 February 2009 - 03:33 PM

@DaChew

Hi, I have done what you have instructed, and here is my first log, from before the reboot to remove the remaining items to be cleaned:

Malwarebytes' Anti-Malware 1.34
Database version: 1764
Windows 5.1.2600 Service Pack 3

2/15/2009 3:12:40 PM
mbam-log-2009-02-15 (15-12-40).txt

Scan type: Quick Scan
Objects scanned: 60814
Time elapsed: 2 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 22
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\byXNfCUL.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\icgobgek.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vtUlKAtt.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wtpbyttb.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\pyddiq.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{004b3610-697b-48d4-b841-fadbc8f5a36c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{004b3610-697b-48d4-b841-fadbc8f5a36c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtulkatt (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7ea42beb-d28b-4c6f-8f24-e9ce58146b75} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7ea42beb-d28b-4c6f-8f24-e9ce58146b75} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{004b3610-697b-48d4-b841-fadbc8f5a36c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\imeshmediabar.stockbar (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{6c380604-92b2-4633-becb-bde03fa45980} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4481c34a-10df-4c96-92a6-0ef31b6b95d6} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f9c23cd1-6da9-4e0b-8367-c6f9f1f78baf} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\imeshmediabar.stockbar.1 (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\94d15a18 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.SoftMate) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\byxnfcul -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\byxnfcul -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\byXNfCUL.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\LUCfNXyb.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LUCfNXyb.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUlKAtt.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\pyddiq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\icgobgek.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wtpbyttb.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\iMesh Applications\iMesh MediaBar\iMeshMediaBar.dll (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\odpeyxqq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tqktwmfe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uoymxevo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\upksxz.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xmzspt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


And now, here is the log file for the scan that was completed after the reboot:

Malwarebytes' Anti-Malware 1.34
Database version: 1764
Windows 5.1.2600 Service Pack 3

2/15/2009 3:27:41 PM
mbam-log-2009-02-15 (15-27-41).txt

Scan type: Quick Scan
Objects scanned: 60383
Time elapsed: 4 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Does this mean that it all had worked?
Thanks.
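To read the log above as a persistence picture rather than a list of paths, here is an added example (not part of the thread and not Malwarebytes' code) in Python. It parses MBAM 1.x log lines and labels each registry hit with the autostart mechanism it abuses: Browser Helper Object, Winlogon Notify package, ShellExecuteHook, LSA authentication/notification package, Run key, COM registration, or a bare marker key directly under Software\Microsoft. It also lists what was still marked "Delete on reboot" (the DLLs loaded in running processes and the entries that load them, which is why the reboot could not be skipped), ties each DLL to the registry entry naming it, and pairs .ini files with the DLL whose name they spell backwards (LUCfNXyb.ini and byXNfCUL.dll in this log; the OP's quarantined ovexmyou.ini matches uoymxevo.dll the same way). The sample log is a constructed excerpt of the lines posted; the mechanism labels and the regexes that define them are this example's own assumptions.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x log and map each hit to the autostart
mechanism it abuses. Added example for this thread, not MBAM's code. SAMPLE_LOG is
constructed from lines giz831 posted; labels and regexes are this example's own."""
import re
from collections import Counter

# Constructed sample in the exact line format of the posted log.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{004b3610-697b-48d4-b841-fadbc8f5a36c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{004b3610-697b-48d4-b841-fadbc8f5a36c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtulkatt (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\94d15a18 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\byxnfcul -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\byXNfCUL.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\LUCfNXyb.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUlKAtt.dll (Trojan.Vundo.H) -> Delete on reboot.
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
LINE_RE = re.compile(
    r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?"
    r"(?P<action>Quarantined and deleted successfully|Delete on reboot)\.$")

# Autostart locations seen in this log, matched in order against the lower-cased
# registry path. Labels are this example's own; the comments say which process loads them.
PERSISTENCE = [
    ("BHO", r"\\explorer\\browser helper objects\\"),            # iexplore.exe / explorer.exe
    ("WinlogonNotify", r"\\winlogon\\notify\\"),                 # winlogon.exe, at logon
    ("ShellExecuteHook", r"\\explorer\\shellexecutehooks\\"),    # explorer.exe, every ShellExecute
    ("LSAPackage", r"\\control\\lsa\\(authentication|notification) packages"),  # lsass.exe
    ("RunKey", r"\\currentversion\\run\\"),                      # started at logon
    ("COMRegistration", r"^hkey_classes_root\\(clsid|typelib|interface)\\"),
    ("MicrosoftMarkerKey", r"^hkey_(local_machine|current_user)\\software\\microsoft\\[^\\]+$"),
]

def classify(path, section):
    """Name the mechanism a registry hit abuses; files and memory modules are payloads."""
    if not section.startswith("Registry"):
        return "LoadedModule" if section.startswith("Memory") else "FileOnDisk"
    low = path.lower()
    for label, pattern in PERSISTENCE:
        if re.search(pattern, low):
            return label
    return "OtherRegistry"

def parse_mbam_log(text):
    """One dict per detection line: section, path, detection, data, action, mechanism."""
    hits, section = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = LINE_RE.match(line)
        if m and section:  # blanks, summary counts and "(No malicious items detected)" fall through
            hit = m.groupdict()
            hit["section"], hit["mechanism"] = section, classify(hit["path"], section)
            hits.append(hit)
    return hits

def pending_reboot(hits):
    """What MBAM could not remove live: DLLs loaded in running processes and the
    registry entries that load them. This is why the reboot is not optional."""
    return [h for h in hits if h["action"] == "Delete on reboot"]

def summarize(hits):
    return Counter(h["mechanism"] for h in hits)

def _base(path):
    return path.rsplit("\\", 1)[-1][:-4].lower()  # 'C:\...\byXNfCUL.dll' -> 'byxnfcul'

def loaders_for(hits):
    """For each .dll hit, the registry hits that name its base name: how it gets loaded."""
    reg = [h for h in hits if h["section"].startswith("Registry")]
    out = {}
    for h in hits:
        if h["section"] == "Files" and h["path"].lower().endswith(".dll"):
            base = _base(h["path"])
            out[h["path"]] = [r["path"] for r in reg
                              if base in (r["path"] + " " + (r["data"] or "")).lower()]
    return out

def reversed_name_pairs(hits):
    """Pair each .ini hit with the .dll whose base name is its mirror image
    (LUCfNXyb.ini <-> byXNfCUL.dll), a naming habit visible in the posted log."""
    files = [h["path"] for h in hits if h["section"] == "Files"]
    dlls = {_base(p): p for p in files if p.lower().endswith(".dll")}
    return [(p, dlls[_base(p)[::-1]]) for p in files
            if p.lower().endswith(".ini") and _base(p)[::-1] in dlls]

if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(summarize(found))
    for h in pending_reboot(found):
        print("reboot needed:", h["mechanism"], h["path"])
    print(loaders_for(found))
    print(reversed_name_pairs(found))
```

Run against a full mbam-log-*.txt the picture is the useful part: if anything other than FileOnDisk comes back non-zero on a post-reboot rescan, a loader is still registered and the machine is not clean, whatever the summary counts say.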

#7 DaChew, Visiting Alien (Members, 10,317 posts, Location: millenium falcon and rockytop)

Posted 15 February 2009 - 03:47 PM

It looks like it worked. The second scan was slower; I assume McAfee kicked back in or you were doing something during the scan.

Would you try this program next? It's a little time-consuming, but a good cross-check.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Chewy


#8 giz831, Topic Starter (Members, 6 posts)

Posted 15 February 2009 - 07:52 PM

@DaChew

Hey, it's me again. I have downloaded the SUPERAntiSpyware Free Edition and followed your instructions, and here is the log that was given to me after all steps were completed and my computer was restarted:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/15/2009 at 05:57 PM

Application Version : 4.25.1012

Core Rules Database Version : 3755
Trace Rules Database Version: 1719

Scan type : Complete Scan
Total Scan Time : 01:37:55

Memory items scanned : 210
Memory threats detected : 0
Registry items scanned : 5096
Registry threats detected : 7
File items scanned : 58083
File threats detected : 2

Rogue.Component/Trace
HKLM\Software\Microsoft\94D14896
HKLM\Software\Microsoft\94D14896#94d14896
HKLM\Software\Microsoft\94D14896#Version
HKLM\Software\Microsoft\94D14896#94d1e516
HKLM\Software\Microsoft\94D14896#94d18cf3
HKU\S-1-5-21-3911399277-3259641198-3996788366-1003\Software\Microsoft\CS41275
HKU\S-1-5-21-3911399277-3259641198-3996788366-1003\Software\Microsoft\FIAS4018

Adware.Vundo/Variant-S129
C:\WINDOWS\SYSTEM32\INTGIUWN.DLL

Adware.Vundo/Variant
C:\WINDOWS\SYSTEM32\WUXELF.DLL

Hopefully this was the finishing blow to this nasty infection. I really appreciate all your help and your expertise on this problem. Thank you.

#9 DaChew, Visiting Alien (Members, 10,317 posts, Location: millenium falcon and rockytop)

Posted 15 February 2009 - 08:41 PM

Quoting giz831: "hopefully this was the finishing blow to this nasty infection"

Keep an eye on it. That is looking good; make sure there are no symptoms left.
Chewy
