Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spyware.Possible_Website_Hijack and Vundo infection


  • Please log in to reply
9 replies to this topic

#1 sammyj

sammyj

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:10:09 AM

Posted 16 February 2009 - 11:48 AM

Hi there,

I'm totally new so please bear with me.

I am trying to remove several (okay hundreds of...) viruses from my cousin's PC, the last of which is a Spyware.Possible_Website_Hijack infection coupled with a Virtumond/Vundo trojan.

I have Spyware Doctor and have run that nearly daily for the last two weeks or so, then today ran MBAM and Vundo-Fix. MBAM found lots of Vundo.H, Trojan.LOP and Trojan.Agent infections, which I asked it to clean. Then ran Vundo-Fix and it didn't find anything.

However, Spyware Doctor has now found this Website Hijack thing, and it's cleaning it but it's propagating itself out again. I have written down all the hosts that it's found (whatever they are) because I've seen other people on this forum do the same thing, so that info is available if you need it.

I have downloaded Hijack This but not run it yet.

I would be most grateful for any help you can offer.

Many thanks in advance.

Oh, by the way - he's running XP home on a bog standard old Dell, we did have Nod32 but now use the AV provided by Spyware Doctor, Firewall is on, and Automatic Updates enabled.

SammyJ

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:09 AM

Posted 16 February 2009 - 12:11 PM

Welcome...
Rerun MBAM

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Rebootinto normal mode.

Now SAS
From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions,post log and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 sammyj

sammyj
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:10:09 AM

Posted 17 February 2009 - 05:19 AM

Hi Boopme

Thank you so much for the prompt reply - I'll let you know how I get on.

Whilst writing, I also started to get buffer overruns on Spoolsv.exe at startup - Not sure if that's related, but it started to happen half way through the cleaning process. Checked MS Support website and there does seem to be a known issue with the same symptoms, so I tried to re-install spoolsv.exe from the Dell disk provided but it didn't work so my guess is it's all pre-loaded and you can't use the CD ROM.

Bummer!

Any ideas or shall we deal with one thing at a time!!!!


SammyJ

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:09 AM

Posted 17 February 2009 - 11:25 AM

Hi ,let's remove the malware first as that can be the caise of too many issues.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 sammyj

sammyj
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:10:09 AM

Posted 18 February 2009 - 09:01 AM

Hi Boopme,

This is the scan log from MBAM- My cousin re-ran Spyware Doctor and cleaned the Spyware.Possible.... infection and it looks like it's gone for good, because MBAM found nothing!

Malwarebytes' Anti-Malware 1.34
Database version: 1773
Windows 5.1.2600 Service Pack 2

18/02/2009 13:57:16
mbam-log-2009-02-18 (13-57-16).txt

Scan type: Quick Scan
Objects scanned: 74880
Time elapsed: 5 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I'll go on to do ATF and SAS and post the results back.

Many thanks

SammyJ



Hi again

Here's the SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/18/2009 at 04:22 PM

Application Version : 4.25.1012

Core Rules Database Version : 3764
Trace Rules Database Version: 1725

Scan type : Complete Scan
Total Scan Time : 02:07:02

Memory items scanned : 279
Memory threats detected : 0
Registry items scanned : 6119
Registry threats detected : 5
File items scanned : 95983
File threats detected : 48

Registry Cleaner Trial
HKU\S-1-5-21-1051864466-1935448190-3879766799-1006\Software\Registry Cleaner
C:\Program Files\Registry Cleaner Trial\AffCreatorDLL.dll
C:\Program Files\Registry Cleaner Trial\unins000.dat
C:\Program Files\Registry Cleaner Trial\unins000.exe
C:\Program Files\Registry Cleaner Trial
C:\Documents and Settings\Ben\Application Data\Registry Cleaner\Backups\2005-06-26,18-52 27 171.zip
C:\Documents and Settings\Ben\Application Data\Registry Cleaner\Backups
C:\Documents and Settings\Ben\Application Data\Registry Cleaner\RegClean.ini
C:\Documents and Settings\Ben\Application Data\Registry Cleaner

Adware.MyWebSearch/FunWebProducts
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs

Trojan.Fake-Alert/Trace
HKU\S-1-5-21-1051864466-1935448190-3879766799-1006\SOFTWARE\Microsoft\fias4013

Rogue.Component/Trace
HKU\S-1-5-21-1051864466-1935448190-3879766799-1006\Software\Microsoft\FIAS4018

Adware.Vundo/Variant-Stats
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\PAVOJEHA\PAVOJEHA.DLL
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WEJUWAVA\WEJUWAVA.DLL

Trojan.Dropper/Gen-SoftDev
C:\WINDOWS\SYSTEM32\BEKEHUTU.DLL
C:\WINDOWS\SYSTEM32\DOGUMIVU.DLL
C:\WINDOWS\SYSTEM32\EWDAXT.DLL
C:\WINDOWS\SYSTEM32\FAKUGUPU.DLL.TMP
C:\WINDOWS\SYSTEM32\GEDEKUYE.DLL
C:\WINDOWS\SYSTEM32\GIDOGUDI.DLL.TMP
C:\WINDOWS\SYSTEM32\GODISIDA.DLL
C:\WINDOWS\SYSTEM32\HIJIRIKE.DLL
C:\WINDOWS\SYSTEM32\HINILEZO.DLL
C:\WINDOWS\SYSTEM32\HUMBZK.DLL
C:\WINDOWS\SYSTEM32\JEGUGORE.DLL
C:\WINDOWS\SYSTEM32\JERIBEJO.DLL
C:\WINDOWS\SYSTEM32\JETEBEMI.DLL
C:\WINDOWS\SYSTEM32\JOJIMOFO.DLL.TMP
C:\WINDOWS\SYSTEM32\JURIYUYI.DLL
C:\WINDOWS\SYSTEM32\KOYITAWE.DLL.TMP
C:\WINDOWS\SYSTEM32\LEGAWEME.DLL
C:\WINDOWS\SYSTEM32\LIGIJOWE.DLL
C:\WINDOWS\SYSTEM32\LOLANAYO.DLL.TMP
C:\WINDOWS\SYSTEM32\LOYUVEJO.DLL
C:\WINDOWS\SYSTEM32\NAHATONA.DLL
C:\WINDOWS\SYSTEM32\PULAMIWA.DLL
C:\WINDOWS\SYSTEM32\RANUTOKA.DLL
C:\WINDOWS\SYSTEM32\SAPINISA.DLL
C:\WINDOWS\SYSTEM32\VOGUJESI.DLL
C:\WINDOWS\SYSTEM32\VUMEHIJO.DLL.TMP
C:\WINDOWS\SYSTEM32\WEJUWAVA.DLL.TMP
C:\WINDOWS\SYSTEM32\WESOKARU.DLL.TMP
C:\WINDOWS\SYSTEM32\WIFUKOLU.DLL
C:\WINDOWS\SYSTEM32\YOWOKIFO.DLL
C:\WINDOWS\SYSTEM32\YUMUNEYE.DLL
C:\WINDOWS\SYSTEM32\ZEPULABE.DLL.TMP

Adware.Vundo Variant/LVL
C:\WINDOWS\SYSTEM32\BIZOYUZA.DLL
C:\WINDOWS\SYSTEM32\RUNASATE.DLL
C:\WINDOWS\SYSTEM32\YABOHOYU.DLL

Adware.Vundo Variant/ESET
C:\WINDOWS\SYSTEM32\FINELENU.DLL

Adware.Vundo/Variant-ABBYY
C:\WINDOWS\SYSTEM32\FOMEKINU.DLL

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\LOMOKAFU.DLL

Still getting buffer overruns - no pop ups or anything else, Automatic Updates is still on, which was one of the symptoms before -it kept turning it off.

So far, so good!

SammyJ

Edited by sammyj, 18 February 2009 - 11:33 AM.


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:09 AM

Posted 18 February 2009 - 12:52 PM

Hi looks like we got the dropper. Ask about the Overruns in the XP forum. Let's clean up a little here first.
Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 sammyj

sammyj
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:10:09 AM

Posted 19 February 2009 - 11:51 AM

Thanks Boopme,

I'll do that - I'm so impressed! thanks so much!!

Is there anything else I need to do? Particularly ongoing - what should I use to scan regularly?

Sam

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:09 AM

Posted 19 February 2009 - 12:52 PM

Tips to protect yourself against malware and reduce the potential for re-infection:Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:If using Windows Vista, please refer to:
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 sammyj

sammyj
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:10:09 AM

Posted 20 February 2009 - 05:41 AM

Cheers Quietman, I'll read him the riot act on what sites to avoid - we are dealing with an 18 year old red blooded male, sadly...!

Boopme, no one's replied to my other topic yet, but I'll keep an eye out.

Thank you from the bottom of my heart for your help, it really is much appreciated. My best to New Jersey ...

Best regards

SammyJ

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:09 AM

Posted 20 February 2009 - 09:33 AM

boopme did all the work but you're welcome on behalf of the Bleeping Computer community.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users