Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

IE redirect to google---vundo infection?


  • This topic is locked This topic is locked
16 replies to this topic

#1 albert galick

albert galick

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:24 PM

Posted 10 June 2009 - 06:33 PM

This was the top install on a multiboot system and was just supposed to be for playing and learning, until TurboTax didn't support W98. After cleaning up stuff, including trying to rip out SQL Server, did a disk image/partition resize with Acronis True Image Home (so 500M TurboTax install would fit!) and all OSes booted. Windows Update gets redirected to google, and HJT reports

Potential Threat Detected

TROJ_VUNDO.ATI - E:\WIN2K\system32\tuvsqom.dll

Ran dds.scr as instructed and pasted the DDS.txt log below. Attach.txt is also attached. Please advise! Thanks!


DDS (Ver_09-05-14.01) - FAT32x86
Run by Administrator at 18:55:39.64 on Wed 06/10/2009
Internet Explorer: 6.0.2600.0000
Microsoft Windows 2000 Advanced Server 5.0.2195.4.1252.1.1033.18.768.569 [GMT -4:00]


============== Running Processes ===============

E:\WIN2K\system32\spoolsv.exe
F:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
F:\AVANQU~1\Fix-It\mxtask.exe
E:\WIN2K\System32\llssrv.exe
E:\WIN2K\System32\nvsvc32.exe
E:\WIN2K\system32\regsvc.exe
E:\WIN2K\system32\MSTask.exe
E:\WIN2K\System32\snmp.exe
E:\WIN2K\system32\stisvc.exe
E:\WIN2K\System32\WBEM\WinMgmt.exe
E:\WIN2K\system32\Dfssvc.exe
E:\WIN2K\Explorer.EXE
F:\Iomega\DriveIcons\ImgIcon.exe
F:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
E:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyServer = http=AdSubtract:4445
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
mRun: [Iomega Startup Options] f:\iomega\common\ImgStart.exe
mRun: [Iomega Drive Icons] f:\iomega\driveicons\ImgIcon.exe
mRun: [Deskup] f:\iomega\driveicons\deskup.exe
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [nwiz] nwiz.exe /install
mRun: [VirusScannerPro] f:\avanqu~1\fix-it\MemCheck.exe
mRun: [!AVG Anti-Spyware] "f:\grisoft\avg anti-spyware 7.5\avgas.exe" /minimized
mRunServices: [winmodem] WINMODEM.101\wmexe.exe
mPolicies-explorer: ShowSuperHidden = 1 (0x1)
Trusted Zone: aol.com\free
Trusted Zone: errorsafe.com
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
Trusted Zone: pandasecurity.com\www
Trusted Zone: turbotax.com
Trusted Zone: winantispyware.com
Trusted Zone: winantivirus.com
Trusted Zone: winfixer.com
DPF: DirectAnimation Java Classes - file://e:\win2k\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://e:\win2k\java\classes\xmldso.cab
DPF: {31564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmvax.cab
DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B}
DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.116.57 85.255.112.156
TCP: {10D203A0-660D-439E-A4B2-F8F3D28E8830} = 85.255.116.57,85.255.112.156
AppInit_DLLs: NVDESK32.DLL
SSODL: IEFilter - {74175B93-71C7-4687-BAD8-FD78C6FD8E4E} - No File
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - f:\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File
LSA: Notification Packages = FPNWCLNT RASSFM KDCSVC scecli

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 DfsDriver;DfsDriver;e:\win2k\system32\drivers\dfs.sys [1999-12-7 74448]
R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;f:\grisoft\avg anti-spyware 7.5\guard.sys [2007-5-30 11000]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;e:\win2k\system32\drivers\AvgAsCln.sys [2008-4-4 10872]
R2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;f:\grisoft\avg anti-spyware 7.5\guard.exe [2007-5-30 312880]
R2 nxsIO32;NextSensor Kernel I/O Driver;e:\win2k\system32\drivers\nxsIO32.sys [2008-1-12 2208]
R2 Tmfilter;Tmfilter;f:\avanqu~1\fix-it\Tmfilter.sys [2007-8-31 252352]
R3 als4k;Avance Wave Audio Miniport Driver (WDM);e:\win2k\system32\drivers\als4000.sys [2006-10-23 25658]
R3 ALS4KMF;ALS4KMF;e:\win2k\system32\drivers\mf.sys [1999-9-27 57264]
R3 alsgame;Gameport for ALS4000 (WDM);e:\win2k\system32\drivers\alsgame.sys [2006-10-23 10012]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;e:\win2k\system32\drivers\el90xbc5.sys [2002-8-28 61712]
R3 WRSWanDD;iVasion PoET Adapter;e:\win2k\system32\drivers\WrKPoETNic2000.sys [2002-8-28 73772]
S2 LDAPSVCX;Site Server ILS Service;e:\win2k\system32\inetsrv\inetinfo.exe --> e:\win2k\system32\inetsrv\inetinfo.exe [?]
S3 3cpciadi;3Com Windows Modem Driver PCI ADI;e:\win2k\system32\drivers\3cpciadi.sys [2008-11-25 801072]
S3 MailScan;MailScan;f:\avanqu~1\fix-it\MailScan.sys [2008-8-26 20496]
S3 NtFrs;File Replication;e:\win2k\system32\ntfrs.exe [2008-4-15 745232]
S3 spud;Special Purpose Utility Driver;e:\win2k\system32\drivers\spud.sys --> e:\win2k\system32\drivers\spud.sys [?]
S3 TDASYNC;TDASYNC;e:\win2k\system32\drivers\tdasync.sys [2002-8-28 12664]
S3 TDIPX;TDIPX;e:\win2k\system32\drivers\tdipx.sys [2002-8-28 20760]
S3 TDNETB;TDNETB;e:\win2k\system32\drivers\tdnetb.sys [2002-8-28 18392]
S3 TDSPX;TDSPX;e:\win2k\system32\drivers\tdspx.sys [2002-8-28 18264]
S3 TrkSvr;Distributed Link Tracking Server;e:\win2k\system32\SERVICES.EXE [1999-12-7 89360]
S3 WrKPoET2000;WrKPoET2000;\??\e:\program files\verizononlinedsl\winpoet\wrkpoet2000.sys --> e:\program files\verizononlinedsl\winpoet\WrKPoET2000.sys [?]
S4 IsmServ;Intersite Messaging;e:\win2k\system32\ismserv.exe [2008-4-15 25872]
S4 kdc;Kerberos Key Distribution Center;e:\win2k\system32\LSASS.EXE [1999-12-7 33552]

=============== Created Last 30 ================

2009-06-10 18:55 16,384 a------- e:\win2k\system32\Perflib_Perfdata_3b4.dat
2009-06-10 18:53 16,384 a------- e:\win2k\system32\Perflib_Perfdata_328.dat
2009-05-31 20:54 16,384 a------- e:\win2k\system32\Perflib_Perfdata_3d8.dat
2009-05-31 20:54 <DIR> --d----- e:\program files\trend micro
2009-05-31 20:50 16,384 a------- e:\win2k\system32\Perflib_Perfdata_31c.dat

==================== Find3M ====================

2009-05-01 21:05 16,384 a------- e:\win2k\system32\Perflib_Perfdata_2f0.dat
2009-04-19 11:50 16,384 a------- e:\win2k\system32\Perflib_Perfdata_390.dat
2002-08-28 12:21 21,952 ----h--- e:\program files\folder.htt
2002-08-28 12:21 271 ----h--- e:\program files\desktop.ini
1999-12-07 20:00 32,528 a------- e:\win2k\inf\wbfirdma.sys

============= FINISH: 18:55:59.36 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:24 PM

Posted 19 June 2009 - 08:33 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#3 albert galick

albert galick
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:24 PM

Posted 21 June 2009 - 03:26 PM

Hello!

My situation has not changed, in fact the computer has been turned off. As the title suggests, the main problem is that Windows Update redirects to google. The situation is complicated by the fact that it's running on a new hard drive imaged (with resized partitions) by Acronis True Image Home 10. Another complication is that it was and is a multiboot setup (NT, 98, 2K Advanced Server). I had started cleaning up and uninstalling things, including SQL Server, from the 2K partition before I imaged it. This is the third re-image. I messed up the first one, and the second one had the MBR or 2K partition blown away by OTListIT.exe. All OS'es have booted on one image or another, so I think the filesystems are OK. I ran RSIT.exe (HJT) on the original image---the most remarkable entry in info.txt is:

Potential Threat Detected

TROJ_VUNDO.ATI - E:\WIN2K\system32\tuvsqom.dll.

I've run DDS.scr again and attached Attach.zip and posted DDS.txt again below. I intend to add some (free) firewall, antispyware, and AV software, though I had serious problems with Online Armor 2. I'm thinking about using Jetico 1 or Comodo 2 (because they're free and hopefully simple). I disabled uPNP on my router so maybe that will suffice as a firewall. Any pointers would be appreciated. Thanks for your help!


DDS (Ver_09-05-14.01) - FAT32x86
Run by Administrator at 13:32:18.73 on Sun 06/21/2009
Internet Explorer: 6.0.2600.0000
Microsoft Windows 2000 Advanced Server 5.0.2195.4.1252.1.1033.18.768.604 [GMT -4:00]


============== Running Processes ===============

E:\WIN2K\system32\spoolsv.exe
F:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
F:\AVANQU~1\Fix-It\mxtask.exe
E:\WIN2K\System32\llssrv.exe
E:\WIN2K\System32\nvsvc32.exe
E:\WIN2K\system32\regsvc.exe
E:\WIN2K\system32\MSTask.exe
E:\WIN2K\System32\snmp.exe
E:\WIN2K\system32\stisvc.exe
E:\WIN2K\System32\WBEM\WinMgmt.exe
E:\WIN2K\system32\Dfssvc.exe
E:\WIN2K\Explorer.EXE
F:\Iomega\DriveIcons\ImgIcon.exe
F:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
E:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyServer = http=AdSubtract:4445
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
mRun: [Iomega Startup Options] f:\iomega\common\ImgStart.exe
mRun: [Iomega Drive Icons] f:\iomega\driveicons\ImgIcon.exe
mRun: [Deskup] f:\iomega\driveicons\deskup.exe
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [nwiz] nwiz.exe /install
mRun: [VirusScannerPro] f:\avanqu~1\fix-it\MemCheck.exe
mRun: [!AVG Anti-Spyware] "f:\grisoft\avg anti-spyware 7.5\avgas.exe" /minimized
mRunServices: [winmodem] WINMODEM.101\wmexe.exe
mPolicies-explorer: ShowSuperHidden = 1 (0x1)
Trusted Zone: aol.com\free
Trusted Zone: errorsafe.com
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
Trusted Zone: pandasecurity.com\www
Trusted Zone: turbotax.com
Trusted Zone: winantispyware.com
Trusted Zone: winantivirus.com
Trusted Zone: winfixer.com
DPF: DirectAnimation Java Classes - file://e:\win2k\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://e:\win2k\java\classes\xmldso.cab
DPF: {31564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmvax.cab
DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B}
DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.116.57 85.255.112.156
TCP: {10D203A0-660D-439E-A4B2-F8F3D28E8830} = 85.255.116.57,85.255.112.156
AppInit_DLLs: NVDESK32.DLL
SSODL: IEFilter - {74175B93-71C7-4687-BAD8-FD78C6FD8E4E} - No File
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - f:\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File
LSA: Notification Packages = FPNWCLNT RASSFM KDCSVC scecli

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 DfsDriver;DfsDriver;e:\win2k\system32\drivers\dfs.sys [1999-12-7 74448]
R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;f:\grisoft\avg anti-spyware 7.5\guard.sys [2007-5-30 11000]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;e:\win2k\system32\drivers\AvgAsCln.sys [2008-4-4 10872]
R2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;f:\grisoft\avg anti-spyware 7.5\guard.exe [2007-5-30 312880]
R2 nxsIO32;NextSensor Kernel I/O Driver;e:\win2k\system32\drivers\nxsIO32.sys [2008-1-12 2208]
R2 Tmfilter;Tmfilter;f:\avanqu~1\fix-it\Tmfilter.sys [2007-8-31 252352]
R3 als4k;Avance Wave Audio Miniport Driver (WDM);e:\win2k\system32\drivers\als4000.sys [2006-10-23 25658]
R3 ALS4KMF;ALS4KMF;e:\win2k\system32\drivers\mf.sys [1999-9-27 57264]
R3 alsgame;Gameport for ALS4000 (WDM);e:\win2k\system32\drivers\alsgame.sys [2006-10-23 10012]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;e:\win2k\system32\drivers\el90xbc5.sys [2002-8-28 61712]
R3 WRSWanDD;iVasion PoET Adapter;e:\win2k\system32\drivers\WrKPoETNic2000.sys [2002-8-28 73772]
S2 LDAPSVCX;Site Server ILS Service;e:\win2k\system32\inetsrv\inetinfo.exe --> e:\win2k\system32\inetsrv\inetinfo.exe [?]
S3 3cpciadi;3Com Windows Modem Driver PCI ADI;e:\win2k\system32\drivers\3cpciadi.sys [2008-11-25 801072]
S3 MailScan;MailScan;f:\avanqu~1\fix-it\MailScan.sys [2008-8-26 20496]
S3 NtFrs;File Replication;e:\win2k\system32\ntfrs.exe [2008-4-15 745232]
S3 spud;Special Purpose Utility Driver;e:\win2k\system32\drivers\spud.sys --> e:\win2k\system32\drivers\spud.sys [?]
S3 TDASYNC;TDASYNC;e:\win2k\system32\drivers\tdasync.sys [2002-8-28 12664]
S3 TDIPX;TDIPX;e:\win2k\system32\drivers\tdipx.sys [2002-8-28 20760]
S3 TDNETB;TDNETB;e:\win2k\system32\drivers\tdnetb.sys [2002-8-28 18392]
S3 TDSPX;TDSPX;e:\win2k\system32\drivers\tdspx.sys [2002-8-28 18264]
S3 TrkSvr;Distributed Link Tracking Server;e:\win2k\system32\SERVICES.EXE [1999-12-7 89360]
S3 WrKPoET2000;WrKPoET2000;\??\e:\program files\verizononlinedsl\winpoet\wrkpoet2000.sys --> e:\program files\verizononlinedsl\winpoet\WrKPoET2000.sys [?]
S4 IsmServ;Intersite Messaging;e:\win2k\system32\ismserv.exe [2008-4-15 25872]
S4 kdc;Kerberos Key Distribution Center;e:\win2k\system32\LSASS.EXE [1999-12-7 33552]

=============== Created Last 30 ================

2009-06-21 13:29 16,384 a------- e:\win2k\system32\Perflib_Perfdata_3b8.dat
2009-06-21 13:27 16,384 a------- e:\win2k\system32\Perflib_Perfdata_32c.dat
2009-06-10 18:53 16,384 a------- e:\win2k\system32\Perflib_Perfdata_328.dat
2009-05-31 20:54 16,384 a------- e:\win2k\system32\Perflib_Perfdata_3d8.dat
2009-05-31 20:54 <DIR> --d----- e:\program files\trend micro
2009-05-31 20:50 16,384 a------- e:\win2k\system32\Perflib_Perfdata_31c.dat

==================== Find3M ====================

2009-05-01 21:05 16,384 a------- e:\win2k\system32\Perflib_Perfdata_2f0.dat
2009-04-19 11:50 16,384 a------- e:\win2k\system32\Perflib_Perfdata_390.dat
2002-08-28 12:21 21,952 ----h--- e:\program files\folder.htt
2002-08-28 12:21 271 ----h--- e:\program files\desktop.ini
1999-12-07 20:00 32,528 a------- e:\win2k\inf\wbfirdma.sys

============= FINISH: 13:32:36.02 ===============

Attached Files



#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:24 PM

Posted 21 June 2009 - 05:20 PM

Hi albert galick,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day then I will close the topic.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:24 PM

Posted 21 June 2009 - 05:36 PM

Hi albert galick,

We need to do this.

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#6 albert galick

albert galick
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:24 PM

Posted 21 June 2009 - 07:04 PM

Hi mOle!

I'm going through the instructions carefully, and I just wonder if the Microsoft Windows Recovery Console installation by ComboFix is going to blow away my multiboot setup in the MBR. The recovery option isn't so vital to me anyway, since I could just re-image the new drive from the original if something went wrong. Should I skip that part?

Thanks!

Edited by albert galick, 21 June 2009 - 07:09 PM.


#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:24 PM

Posted 22 June 2009 - 11:32 AM

Hi albert galick,

Okay, it is against my recommendations but as you seem to know what you're doing you can skip the recovery console install.

We can always reverse any changes. :thumbup2:
Posted Image
m0le is a proud member of UNITE

#8 albert galick

albert galick
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:24 PM

Posted 22 June 2009 - 12:19 PM

Thanks for your vote of confidence, m0le. It turns out ComboFix doesn't run at all on my system. I get the message

"Incompatible OS. ComboFix only works for workstations with Windows 2000 and XP"

I guess it doesn't like my NT and 98 installations. How to proceed?

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:24 PM

Posted 22 June 2009 - 01:39 PM

Okay, well RSIT detected Vundo, a nasty duplicating trojan. Combofix deals with that really well.

However, not with NT and 98. :)

Let's try a different approach.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Following that please do the following online scan

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
If any Vundo is around MBAM will find it. Let's see what it throws up. :thumbup2:
Posted Image
m0le is a proud member of UNITE

#10 albert galick

albert galick
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:24 PM

Posted 22 June 2009 - 02:30 PM

I did the mbam scan and removed 14 items and rebooted. The BitDefender onine scan is running now. Here's the mbam log:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.0.2195 Service Pack 4

6/22/2009 3:22:03 PM
mbam-log-2009-06-22 (15-22-03).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 201064
Time elapsed: 19 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.57 85.255.112.156 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{10d203a0-660d-439e-a4b2-f8f3d28e8830}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.57,85.255.112.156 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.57 85.255.112.156 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{10d203a0-660d-439e-a4b2-f8f3d28e8830}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.57,85.255.112.156 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.57 85.255.112.156 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{10d203a0-660d-439e-a4b2-f8f3d28e8830}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.57,85.255.112.156 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
e:\WIN2K\system32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.
E:\WIN2K\system32\zxdnt3d.cfg. (Adware.ZenoSearch) -> Quarantined and deleted successfully.
E:\WIN2K\system32\zxdnt3d.cfg (Malware.Trace) -> Quarantined and deleted successfully.
E:\WIN2K\tcb.pmw (Malware.Trace) -> Quarantined and deleted successfully.

#11 albert galick

albert galick
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:24 PM

Posted 22 June 2009 - 07:15 PM

Here's the report BitDefender sends back to the mothership:

BitDefender Online Scanner - Real Time Virus ReportBitDefender Online
Scanner - Real Time Virus Report
Generated at: Mon, Jun 22, 2009 - 19:51:24




Scan Info
Scanned Files508240
Infected Files8


Virus Detected
Trojan.Generic.17737111
Trojan.Generic.17836011
Trojan.Zlob.213231
Trojan.Bat.Sdel.AC1
Exploit.HoneyMoo.A1
Adware.Timesink.J1
Adware.Generic.506941
Trojan.Generic.2677031





This summary of the scan process will be used by the BitDefender Antivirus
Lab to create agregate statistics about virus activity around the world.


And the full scan results export...well, I've attached the file 'cause it doesn't paste in well.

Wow, what a mess, huh m0le? I seem to have gotten sloppy with my housecall quarantine and my archive of freeware (AlGoodstuff, etc.).

Attached Files



#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:24 PM

Posted 23 June 2009 - 03:11 PM

Yes, it's a bit of a mess Albert. :)

BitDefender and MBAM have done their bit but has the redirecting problem gone away?

Okay, we need to run some more removal scanners.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
Then

We need to run MBAM again to see if it's still picking up the same malware. Post the log as before.

:thumbup2:
Posted Image
m0le is a proud member of UNITE

#13 albert galick

albert galick
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:24 PM

Posted 24 June 2009 - 09:42 AM

Windows Update isn't redirected! :thumbup2: It wants me to install the latest version of Windows Update (which I didn't do, yet).

Reboot complains about ending the "DDE Server Window", whatever that is, so I just hit "End Now."

DrWeb-CureIt Express scan found no viruses.

In the middle of the Complete scan, it complained about atclient.exe again (an old WebEx installer):

"Archive contains infected objects

Move?"

and I clicked "Yes to All". Hope that was correct. No "Select all" button, or any others, were highlighted afterwards. Here's the DrWeb report:

atclient.exe\\Disk1\ieatgpc.dll;F:\Stuff I use a lot\atclient.exe;Adware.WebEx;;
atclient.exe;F:\Stuff I use a lot;Archive contains infected objects;Moved.;
Mailserv.exe;F:\Captools;Trojan.PWS.Banker.origin;Incurable.Moved.;

MBAM reports "No malicious items were detected" :)

I guess I'm good to go (once I delete the housecall quanrantine and other stuff that BitDefender flagged)?

Do you have any recommendations, in particular about (free) firewall, AV, or antispyware software?

Many thanks, m0le! You guys are the greatest!

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:24 PM

Posted 24 June 2009 - 10:04 AM

Yes, it's looking good. There's quite a lot of remnants left from malware that has been part-removed.

Remember to delete them all, albert :thumbup2:

Thanks for the thanks, you are welcome. recommendations are two-fold. I use Avast, Spybot and have MBAM on hand too.

The final instructions will link to all recommended options and that's worth a look.


Let's firstly do some housekeeping

Delete ComboFix and Clean Up
Click Start > Run and type combofix /u click OK (Note the space between combofix and /u)
Posted Image
Please advise if this step is missed for any reason as it performs some important actions.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Here's a list of ways you can avoid problems in the future:

Use an AntiVirus Software

It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Use a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version. or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer


That's it albert, happy surfing!

Cheers,


m0le
Posted Image
m0le is a proud member of UNITE

#15 albert galick

albert galick
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:24 PM

Posted 24 June 2009 - 10:42 AM

"E:\Documents and Settings\Administrator\Desktop\Combo-Fix" /u complains about "Incompatible OS" again. I had just moved it to the Recycle bin. Is that not sufficient?

I don't know where DrWeb-CureIt moves stuff, and I'm reining in my initiative to clean up the BitDefender finds (what do I know, maybe OTC will scan logs and clean up for me...).




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users