
IE Hijacked After Vundo Removal


3 replies to this topic

#1 lynthral

  • Members
  • 2 posts

Posted 25 January 2007 - 03:54 PM

Greetings! I was recently infected with vundo, and after two days of work and reading these forums, I pretty much have everything back to where I was before the infection (last time anyone else gets to use my machine!). For the most part, everything is fine; no slow-downs or virus detections (from McAfee). The only problem that I have remaining is that IE occasionally pops up and goes to some random web site. My default browser is Firefox.

AdAware and Spybot don't detect anything before the popup but will detect an assortment of tracking cookies afterward. Stinger or other tools don't detect anything either. The size of the popup window is usually that of one of my open (file) explorer windows. Before the popup, IE tries to connect to localhost on a random port and after that another connection to a random (?) website with the ads, which then installs the tracking cookies. I am now blocking those localhost connections, which prevents the popup, but I'm looking to remove these illicit requests. Occasionally, after blocking the initial localhost connection, I will get an error popup in Firefox referring to an unspecified file error, but I'm not sure if that's from the websites that I am visiting (like this one) or the IE popup.

Ok, something new *just* happened.... Firefox opened an unsolicited tab to a webpage for "WinAntiVirus Pro 2006" (link: http://www.winantiviruspro.com/pages/newco...mp;lid=soft%3E)
So it looks like things have migrated to Firefox, as well. Javascript and cookies are disabled in Firefox unless I explicitly allow them.


Any and all help is greatly appreciated.


--------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 3:48:46 PM, on 1/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\ZoneLabs\vsmon.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Network Associates\Common Framework\FrameworkService.exe
G:\Program Files\Network Associates\VirusScan\mcshield.exe
G:\Program Files\Network Associates\VirusScan\vstskmgr.exe
G:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
G:\ABAQUS\Documentation\monitor.exe
G:\WINDOWS\system32\MsPMSPSv.exe
G:\ABAQUS\Documentation\monitor.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
G:\WINDOWS\SOUNDMAN.EXE
G:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
G:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
G:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Common Files\svchost.exe
G:\WINDOWS\system32\wuauclt.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\Program Files\Trillian\trillian.exe
G:\Documents and Settings\Michael Pantiuk\Desktop\Spyware Utilities\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [ATIPTA] G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "G:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "G:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "G:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128452899984
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - G:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - G:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - G:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - G:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - G:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - G:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Texis Monitor - Expansion Programs International, Inc. - G:\ABAQUS\Documentation\monitor.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - G:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 Mr_JAk3

    HJT Team Member

  • Members
  • 527 posts
  • Location:Finland

Posted 29 January 2007 - 05:56 AM

Hi lynthral and welcome to the Forums :flowers:

Let's see if vundo is hiding from HjT...

Rename HijackThis.exe to Scanner.exe

Run a new scan with Scanner.exe and post the log here :thumbsup:
UNITE & ASAP member since 2006

#3 lynthral

  • Topic Starter
  • Members
  • 2 posts

Posted 29 January 2007 - 08:44 AM

Mr_Jak3,

It did seem that Vundo and some other trojan were hiding from hjt, as I discovered over the weekend. After much scanning and rebooting, I'm pretty sure I've gotten everything now, but I'd appreciate it if you could take a look at the "scanner" log, just to be sure. Oddly enough, the only way I was able to detect anything at all was in safe mode, with networking (safe mode w/o networking looked clean). All in all, it took about three iterations of scanning and removing with hjt, spybot, adaware, and avg to get everything back to normal, with various detections and removals (beyond tracking cookies) in each scan. The fourth scan (and each one thereafter) was clean! I have not experienced any problems/unusual behavior at all since late Saturday afternoon.

Thank you, and everyone else in these forums, for helping out. I know your time is valuable, but without these forums I doubt I would have been able to clean my computer on my own. I now know more about hijacking a computer than I ever expected to use.


-lyn


(log from "scanner.exe")
-----------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 8:22:15 AM, on 1/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
G:\Program Files\Comodo\Firewall\cmdagent.exe
G:\Program Files\Network Associates\Common Framework\FrameworkService.exe
G:\Program Files\Network Associates\VirusScan\mcshield.exe
G:\Program Files\Network Associates\VirusScan\vstskmgr.exe
G:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
G:\ABAQUS\Documentation\monitor.exe
G:\WINDOWS\system32\MsPMSPSv.exe
G:\ABAQUS\Documentation\monitor.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
G:\WINDOWS\SOUNDMAN.EXE
G:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
G:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
G:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
G:\Program Files\Comodo\Firewall\CPF.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Mozilla Thunderbird\thunderbird.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\Documents and Settings\Michael Pantiuk\My Documents\Spyware Utilities\HijackThis\Scanner.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "G:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "G:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "G:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "G:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] G:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128452899984
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - G:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - G:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - G:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - G:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - G:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - G:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - G:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - G:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: StyleXPService - Unknown owner - G:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Texis Monitor - Expansion Programs International, Inc. - G:\ABAQUS\Documentation\monitor.exe
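A worked example added for this thread (it is not part of any post, and not HijackThis's own code): a short Python script that parses two HijackThis 1.99.1 logs in the format shown above, diffs them, and lists the entries a helper would look at first. It is fed excerpts of the two logs in this thread. The first scan, run as HijackThis.exe, shows no O2 (BHO) lines at all, while the Scanner.exe run lists three; that kind of gap is what the rename is meant to expose. The first log also shows an svchost.exe running from G:\Program Files\Common Files, absent in the second, and the script flags it because that binary normally lives in System32. The flags are review prompts, not verdicts: the unnamed BHO it flags here is Spybot's SDHelper.dll. The drive letter G: and the trusted-directory list are assumptions taken from the posted logs.

```python
"""Parse two HijackThis 1.99.1 logs, diff them, and list the entries worth a second look.
Added example for this thread, not HijackThis code; the flags are review prompts, not verdicts."""
import pprint
import re
from dataclasses import dataclass

# Excerpts of the two logs posted in this thread (first run as HijackThis.exe, second
# run after renaming to Scanner.exe), cut down to the lines that differ or stand out.
LOG_BEFORE = r"""
Running processes:
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
G:\Program Files\Common Files\svchost.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
"""
LOG_AFTER = r"""
Running processes:
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Comodo\Firewall\cmdagent.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "G:\Program Files\Comodo\Firewall\CPF.exe" /background
O20 - Winlogon Notify: WgaLogon - G:\WINDOWS\
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")        # matches "O4 - HKLM\..\Run: ..."
TRUSTED_DIRS = ("g:\\windows", "g:\\program files")  # assumption: G: is the system drive, as in the logs
SYSTEM32 = "g:\\windows\\system32\\"
CORE_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}

@dataclass(frozen=True, order=True)
class Entry:
    section: str   # "O2", "O4", "O20", "O23", ...
    text: str      # everything after "Oxx - "

def parse_hjt(log):
    """Split a log into the running-process list (lower-cased paths) and the set of Oxx entries."""
    processes, entries, in_procs = set(), set(), False
    for line in (raw.strip() for raw in log.splitlines()):
        if not line:
            in_procs = False              # a blank line ends the process list
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            processes.add(line.lower())
        elif (m := ENTRY_RE.match(line)):
            entries.add(Entry(m.group(1), m.group(2)))
    return {"processes": processes, "entries": entries}

def diff_logs(before, after):
    """Entries and processes that appeared or disappeared between two scans."""
    b, a = parse_hjt(before), parse_hjt(after)
    return {"added": sorted(a["entries"] - b["entries"]),
            "removed": sorted(b["entries"] - a["entries"]),
            "procs_added": sorted(a["processes"] - b["processes"]),
            "procs_removed": sorted(b["processes"] - a["processes"])}

def o4_target(text):
    """'HKLM\\..\\Run: [Name] "G:\\x\\y.exe" /flag' -> 'g:\\x\\y.exe' (lower-cased)."""
    rest = text.split("] ", 1)[1] if "] " in text else text
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0].lower()
    return rest.split(" ", 1)[0].lower()

def review_reasons(entry):
    """Why a helper would look at this entry first; an empty list means nothing stands out."""
    low, reasons = entry.text.lower(), []
    if entry.section == "O2" and "(no name)" in low:
        reasons.append("BHO without a name: resolve the CLSID/DLL before trusting it")
    if entry.section == "O20":
        reasons.append("Winlogon Notify DLL runs at every logon: check its path and signer")
    if entry.section == "O23" and "unknown owner" in low:
        reasons.append("service binary carries no publisher string")
    if "(file missing)" in low:
        reasons.append("referenced file not found: stale entry, or a file hidden from the scanner")
    if entry.section == "O4" and not o4_target(entry.text).startswith(TRUSTED_DIRS):
        reasons.append("autostart target has no full path or lives outside Windows/Program Files")
    return reasons

def misplaced_core_processes(processes):
    """Core Windows binaries running from anywhere but System32, e.g. a second svchost.exe."""
    return sorted(p for p in processes
                  if p.rsplit("\\", 1)[-1] in CORE_BINARIES and not p.startswith(SYSTEM32))

def report(before, after):
    """The diff, the flagged entries of the newer scan, and misplaced core binaries in both."""
    b, a = parse_hjt(before), parse_hjt(after)
    return {"diff": diff_logs(before, after),
            "flagged_after": {e.text: review_reasons(e) for e in sorted(a["entries"]) if review_reasons(e)},
            "misplaced_before": misplaced_core_processes(b["processes"]),
            "misplaced_after": misplaced_core_processes(a["processes"])}

if __name__ == "__main__":
    pprint.pprint(report(LOG_BEFORE, LOG_AFTER), width=120)
```

Run as-is, `report(LOG_BEFORE, LOG_AFTER)` shows the four entries that appeared between the scans, the one that disappeared, and the Common Files svchost.exe from the first log; it flags four entries in the second log, two of them (the Spybot BHO and the SoundMan autostart with no full path) being benign here, which is why the output is a reading list, not a removal list.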

#4 Mr_JAk3

    HJT Team Member

  • Members
  • 527 posts
  • Location:Finland

Posted 30 January 2007 - 04:17 AM

Hi, the HijackThis log looks good now :thumbsup:

I would recommend that you run one more scanner just in case.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

