
Vundu.H, Hiloti, Zbot, Sodast.A mash


  • This topic is locked
4 replies to this topic

#1 aninkling

aninkling

  • Members
  • 105 posts
  • OFFLINE
  • Local time:04:05 AM

Posted 01 March 2010 - 12:09 PM

I found a number of Symantec programs on the computer. Those programs appeared to be causing the initial errors I saw when the computer booted. I thought the process would be to remove Symantec and, if it was still needed, to reinstall it. I ran the latest Symantec uninstall tool and it would not run because it said Symantec Antivirus 2009 had to be removed first.

The computer seemed to be virtually crippled by Symantec error messages, making it difficult to interact at all. I didn't record the messages, but I did remove the various startup entries and some significant registry entries in order to cripple Symantec and remove the error messages.

I could not remove Symantec AV 2009 because it required a password. I did not know the password. In fact, the owner said he had never installed it, nor had anyone in his company.

I contacted the company and was given permission to remove all Symantec - they were no longer using it. About that time, I opened WORD to begin recording my events and ran into the AntiVirus XP 2010 scareware. So I began the bleepingcomputer script to remove this process.

Eventually I found the following Trojans and other badware on the computer and removed them:
  • Vundu.H
  • Hiloti
  • Zbot
  • Sodast.A

I removed all the Symantec services to remove Symantec from the picture.

I ran combinations of Malwarebytes, GMER, HijackThis, and Windows Security Essentials. Eventually, all came back "clean."

Though these were, technically, removed by the antispyware programs, I continued to get an error loading C:\Windows\etuyawebewahazuy.dll. This means there is a piece of bad code I am missing.

I looked through the running processes and found a possible lemon: csrss.exe

The properties of this process are:
ObjectDirectory =\Windows SharedSection=1024,3072,512,Windows=0...
Folder \\??\C:\WINDOWS\system32
Threads 12
Memory usage 2,228,224 Byte.

I will continue this discussion with another append containing the Hijackthis log.
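Two checks a responder would run on the symptoms described in this post, written as an added example for this thread rather than anything the poster ran: first, an "Error loading <name>.dll" at logon after a scanner has deleted the file almost always means an autostart entry (Run/RunOnce) still references the now-missing DLL, so the script lists entries whose target file no longer exists; second, it verifies that the csrss.exe the poster flagged is the one in %SystemRoot%\System32 and carries a valid Microsoft signature. The registry keys and cmdlets are standard Windows ones; the regex for pulling a path out of a command line is an assumption of this example and only handles .dll/.exe targets.

```powershell
# Added example (not from the original thread). Run from an elevated PowerShell prompt.

# --- Check 1: autostart entries that point at files which no longer exist ---------------
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the first .dll/.exe path out of a command line such as
#   rundll32.exe "C:\Windows\etuyawebewahazuy.dll",Startup   (quoted or unquoted form)
function Get-TargetPath([string]$command) {
    foreach ($pattern in '"([^"]+\.(?:dll|exe))"', '([A-Za-z]:\\[^\s,"]+\.(?:dll|exe))') {
        if ($command -match $pattern) { return $matches[1] }   # -match is case-insensitive
    }
    return $null
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip PowerShell's own PSPath etc.
        $target = Get-TargetPath ([string]$prop.Value)
        if ($target -and -not (Test-Path -LiteralPath $target)) {
            # An orphaned entry: the value still loads a file that is gone from disk.
            [PSCustomObject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value; MissingFile = $target }
        }
    }
}

# --- Check 2: is the running csrss.exe the genuine one? ----------------------------------
# The real csrss.exe lives in %SystemRoot%\System32 and is Authenticode-signed by Microsoft.
$expected = Join-Path $env:SystemRoot 'System32\csrss.exe'
Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'" | ForEach-Object {
    $exe = $_.ExecutablePath                  # empty when not running elevated
    if (-not $exe) { return }
    $sig = Get-AuthenticodeSignature -FilePath $exe
    [PSCustomObject]@{
        ProcessId = $_.ProcessId
        Path      = $exe
        PathOk    = ($exe -ieq $expected)     # anything else is worth a closer look
        Signature = $sig.Status               # expect 'Valid'
        Signer    = $sig.SignerCertificate.Subject
    }
}
```

Any row from the first check is the leftover to remove (after confirming the referenced file is really absent); a csrss.exe reported with PathOk = False or a non-Valid signature should be submitted to a scanner before being trusted.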


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:05 AM

Posted 01 March 2010 - 03:55 PM

Good evening.

A "zbot" infection is also known as a backdoor infection and is regarded as the final straw for an operating system installation. This kind of malware gives somebody the same sort of access to a PC as if they were sat in front of the keyboard and raises too many possibilities of corrupted, infected or replaced files to consider the installation repairable with any great guarantee of cleanliness. You also have to consider the possibility that security settings have been compromised making reinfection more likely in future, which is another good reason to call it a day.

You should be aware of the potential for identity theft if the machine has been used for internet banking or shopping and you should monitor any cards or accounts that have been used or accessed via this machine.

If this was my computer I would back up any important data and then reformat and reinstall Windows as it offers the best way to clean the machine.

So long, and thanks for all the fish.

#3 aninkling

aninkling
  • Topic Starter

  • Members
  • 105 posts
  • OFFLINE
  • Local time:04:05 AM

Posted 03 March 2010 - 10:27 AM

OK. Well, before I do that, I tried to circumvent the problem by creating an entirely new account. If the problem was in the user's account information, then that would circumvent the problem. I'd just delete the current user account after moving the user's documents, etc. over. (Sidebar: the primary user on the computer was using the Administrator account. Not good.)

After removing some roadblocks thrown up by Netware, I created that account. When I logged on to that account the first time, I got an error: Windows can not open this file: rundll.32. So... Is this consistent with the trojans' impact on the system? If so, I will close this and recommend reloading the operating system.

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:05 AM

Posted 03 March 2010 - 03:11 PM

Good evening.

The problem is that any and all possible changes to a system can be considered "consistent" with the infection - there isn't anything that can't be done if somebody feels the urge. I'd go with a reformat and cut your losses.

So long, and thanks for all the fish.

#5 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:05 AM

Posted 08 March 2010 - 03:51 PM

As this problem appears to have been resolved, this thread has been locked.

So long, and thanks for all the fish.
