TechSpot

Help Sagipsul Vundo + other infections?

By zyglur
Jan 13, 2009
  1. Hello,

    First, excuse me for my poor English, I'm French.
    I hope I'll be clear enough and that my translation of the on-screen messages will be correct.

    I experienced multiple popup windows in Firefox (my default internet browser) directing to these sites:
    sagipsul.com
    url.adtrgt.com

    Adblock avoided displaying these pages, but it is quite annoying and seems to be related to a malware (trojan virus?) infection.

    I also notice that images do not display under Internet Explorer. (I never touched the box in the advanced settings of Internet Explorer.)

    I have ESET NOD32 Smart Security installed and I only had firewall alerts concerning different processes, including csrssc, trying to connect to the internet. It recognized different threats:
    Virtumonde
    Small.NEK Trojan
    a variant of Trojan.Proxy.Wopla
    a variant of KryptiK.DQ Trojan
    Rustock.NGL Trojan

    I turned to "Safe Mode" and followed the 8 Step tutorial:
    I performed a virus scan. I can't find the log file; it's not with the regular log files in the application. And the application automatically shut down, so I couldn't see anything when I came back.
    I ran CCleaner.
    I had no real-time monitoring programs under Safe Mode.
    You will find attached the log files of:
    Malwarebytes ... found and removed different infections including Vundo
    SuperAntiSpyware ... found and removed different infections including Vundo
    and HijackThis (I ran it after renaming the program HJT.exe according to what I saw on another forum).
    My Java is up to date.

    For now it seems there are no more popups.
    I checked the "Display images" box in Internet Explorer advanced settings, but I don't know if anything else was messed up.
    (I saw these in the HijackThis log: AppInit_DLLs: nzwwih.dll bcxcyz.dll
    But I'm not an advanced user, I don't know if there is anything else of interest, and I need help now.)

    Please inform me of the next steps to follow.

    I thank you for all the time you take to help us. I hope I wasn't too long.

    Zyglur
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Unfortunately, when you ran Malwarebytes, you did not check this line:
    Because all the malware entries found in Malwarebytes show "No Action Taken"

    It's possible you may not have checked the similar line in SuperAntispyware:
    Please update and rerun each of these programs again, being sure to check for the removal of malware.

    You will need to run HijackThis again after the other two programs, but there are some entries we can remove now:
    Please re-open HijackThis and scan. *Check* the boxes next to all the entries listed below.
    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
    Click on Start> Search> All Files & Folders> then go up to Tools> Folder Options> View tab> CHECK 'show hidden files and folders'> Apply> type each of the following into the Search box and if found, do a right click> Delete:
    Go back and re-hide the files and folders after the search.

    Reboot into Normal Mode. Please run the programs in Normal Mode, including the next run of HijackThis.
    Attach the new logs for review.

    IMPORTANT: Do NOT use System Restore while we are cleaning. Malware can get into the restore points and the cleaning programs don't remove it from there. When the system is clean, we will have you remove the old restore points.
     
  3. zyglur

    zyglur TS Rookie Topic Starter Posts: 22

    Thank you for your quick and detailed answer.

    I thought I had checked and deleted any threat found by Malwarebytes and by SuperAntispyware, maybe I didn't do it right.

    I'm at work for now but I began the cleaning and will get back to you afterwards.

    Here are the steps I am following:
    1 - I deactivated System Restore
    2 - under Safe Mode (with hidden files shown): searched for nzwwih.dll and bcxcyz.dll but didn't find them.
    3 - back in Normal Mode: ran HijackThis and deleted the lines you told me
    4 - still in Normal Mode, launched Malwarebytes...
    5 - left for work and will see the results and delete anything found when I come back
    6 - will run SuperAntiSpyware and HijackThis again
    7 - will post the logs this evening (French time) or tomorrow morning.

    Thank you Very much
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    This is why we like to "see" the logs! Sometimes that one check mark can make all the difference! I did not think you would find those files on a search, but we had to try. We will probably use one additional program to be sure they are gone- I'll know after I see the new set of logs.

    'See' you in the morning!
     
  5. zyglur

    zyglur TS Rookie Topic Starter Posts: 22

    OK, I performed the scans and deletes: you will find the logs attached to this post.

    I believe last time I gave you a Malwarebytes log saved before the delete.

    This time everything seems done according to your notifications (I hope).

    Malwarebytes found infections again, but not as many.
    SuperAntiSpyware found only cookies.

    HijackThis found these two keys again:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    I had fixed these in my step no. 3 for today (see preceding post); I fixed them again with HijackThis.

    Thank you again for your help.

    I will now shut down the computer for the night and hope that you'll tell me tomorrow that everything is all right.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Bonjour mon ami!

    You must have done something in your sleep! You should not be downloading anything while we are cleaning and using a file sharing site like BitComet exposes the system to more malware!
    And this also is new:
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

    And another:
    O4 - HKCU\..\Run: [lrijh8s73jhbfgfd] T:\WINDOWS\Olivier\LOCALS~1\Temp\winloggn.exe>> Winloggn.exe is Trojan/Backdoor.

    This may be a long day for you because with new material on the system, especially from file sharing, all the scans need to be updated and redone.
     
  7. zyglur

    zyglur TS Rookie Topic Starter Posts: 22

    Good evening Bobbye

    I do have BitComet installed, but it hasn't been launched since I discovered the infection.
    I didn't download anything.
    I'm not using the infected computer for anything but the cleaning.

    Can that be explained by the first scan being done in Safe Mode under the admin account
    and the latest done in Normal Mode under my personal account (with admin rights)?

    The latest logs were generated by scans all done in a row, with no reboot and no other program launched except Firefox for checking the TechSpot forum.

    Should I disable "DAEMON Tools Lite" before running the scans?
    Should I suppress the winloggn entry with HijackThis before running the three scans again?

    I will redo the scan this evening as you say it is necessary
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    As long as it's on the system, you are at risk. It is auto-loading from the Registry or the Startup group.

    Yes.
    Yes.

    Reopen HijackThis and scan> Place a CHECK by the following:
    Close all Windows except HijackThis. Click on Fix Checked and reboot

    Then do the rescans.
     
  9. zyglur

    zyglur TS Rookie Topic Starter Posts: 22

    OK, here is what I did this evening in Normal Mode under my personal account:

    1- Uninstalled DAEMON Tools
    2- ran CCleaner with advanced options checked
    3- disabled programs in the system tray (Gmail Notifier and TaskSwitchXP)
    4- ran HijackThis and deleted the entries you told me (the one concerning DAEMON Tools was gone after the uninstall)
    5- ran Malwarebytes and deleted threats found (a Vundo file again)
    6- ran SuperAntiSpyware and deleted threats found, and then rebooted
    7- renamed HijackThis: HJT.exe
    8- ran HJT.exe
    9- opened Firefox, then sent the logs to the forum
    10- just after, I'll shut down the computer; I'll wait for your answer on the forum on another computer.

    Thank you again for your help

    PS: I updated Malwarebytes and SuperAntiSpyware just before each scan.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You have worked hard and done a good job. I am concerned that the Vundo is still being picked up. The HijackThis log is clean but I would like you to disable the Kaspersky Online Scanner for a bit:
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://webscanner.kaspersky.fr/kavwebscan_unicode.cab

    You should find the process here:
    Open Internet Explorer> Tools> Manage Add-ons> find CKAVWebScan Object> click to highlight> Disable. (Reboot after you Disable and you won't have to do anything in the HijackThis log.)

    Then run the Vundo Fix:
    Please download VundoFix.exe from HERE and Save to your desktop.
    Please update and scan with Malwarebytes and SuperAntispyware "after" running the Vundo Fix. If they are clean, we will be through.

    Attach Vundo report and the two other logs. Bonne nuit.
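    As an added illustration, not code from the thread or from HijackThis itself, here is a small Python triage pass over log lines in the format quoted in posts 6 and 10. It flags the kinds of entries singled out above: a Run entry launching from a Temp directory or with a random-looking name, a non-empty AppInit_DLLs value, and marks blanked R0 search keys and O16 ActiveX downloads for review. The sample log is constructed from the thread's entries; the "O20" prefix on the AppInit_DLLs line is an assumption about HijackThis's format.

```python
import re

# Constructed sample in HijackThis's line format, built from the entries quoted in
# the thread. The "O20 - " prefix on the AppInit_DLLs line is assumed.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [lrijh8s73jhbfgfd] T:\WINDOWS\Olivier\LOCALS~1\Temp\winloggn.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://webscanner.kaspersky.fr/kavwebscan_unicode.cab
O20 - AppInit_DLLs: nzwwih.dll bcxcyz.dll
"""

TEMP_DIR = re.compile(r"\\(temp|tmp|locals~1)\\", re.IGNORECASE)  # per-user temp locations
RANDOM_NAME = re.compile(r"^(?=.*\d)[a-z0-9]{12,}$")               # long lowercase letters+digits
O4_LINE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def triage_line(line):
    """Return (severity, reason) for one log line, or None if nothing stands out."""
    line = line.strip()
    if line.startswith(("R0 - ", "R1 - ")) and line.endswith("="):
        return ("review", "browser search key with an empty value; fix it and recheck that it stays gone")
    m = O4_LINE.match(line)
    if m:
        if TEMP_DIR.search(m.group("cmd")):
            return ("high", "startup entry runs a program from a temporary directory")
        if RANDOM_NAME.match(m.group("name")):
            return ("high", "startup entry with a random-looking value name")
        return None
    if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
        return ("high", "AppInit_DLLs loads these DLLs into every process that uses user32.dll")
    if line.startswith("O16 - DPF:"):
        return ("review", "downloaded ActiveX control; confirm the publisher and URL are expected")
    return None


def triage(log_text):
    """Map each log line to (entry, severity, reason), skipping lines with no finding."""
    findings = []
    for line in log_text.splitlines():
        verdict = triage_line(line)
        if verdict:
            findings.append((line.strip(), *verdict))
    return findings


if __name__ == "__main__":
    for entry, severity, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {entry}")
```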
     
  11. zyglur

    zyglur TS Rookie Topic Starter Posts: 22

    I think We are close to the end.

    All scans (vundofix, malwarebytes and superantispyware) are clean.
    You will find the logs attached.
    I was surprised my antivirus (ESET NOD32 Smart Security) didn't prevent the infection; do you think I should change? Should I install an antispyware?
    If yes: which antivirus and which antispyware?

    Thanks again for all your efforts

    I'll now shut down this PC until I see on the forum that you confirm it is clean.

    Zyglur
     
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Looking good- three clean logs! But I need to see one more HijackThis scan to make sure no malware entries remain. Attach the log and if clean we'll remove the cleaning tools and old restore points.
     
  13. zyglur

    zyglur TS Rookie Topic Starter Posts: 22

    The HijackThis log
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, I don't see any malware. You have a few extras loading at boot, but they are legitimate processes.

    If you are not having a problem with the system and the original problem has been resolved, we can remove the cleaning programs:

    Download OTCleanIt HERE & save it to your desktop.
    Clear your existing System Restore points and establish a new clean restore point:

    It's been a pleasure working with you. Let us know if we can be of more help.
     
  15. zyglur

    zyglur TS Rookie Topic Starter Posts: 22

    OTCleanIt removed VundoFix.
    Reboot.
    I removed Malwarebytes, SuperAntiSpyware and HijackThis.
    I created a new restore point.

    BUT... I can't find "cleanmgr". When I use Start->Run cleanmgr I get the answer: Windows can't find cleanmgr....
    I checked under Windows/system32; the application is not there.
    I used the search tool and there isn't any cleanmgr on my computer.

    Sorry to bother you again

    Here is what I just did:
    I copied cleanmgr.exe from another PC I have at home.
    I ran it on the desktop and removed the old restore points (except the last one).

    I found this (sorry, it's in French) link: french computer help forum

    I copied cleanmgr into c:/windows/system32
    ran regsvr32 dataclen.dll

    I'm now able to launch cleanmgr from start-> run

    Thanks again for all your help

    Tell me if I did something wrong.

    Zyglur
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    No, that's okay. You can also drop old restore points this way:

    Control Panel> System> System Restore tab> CHECK 'turn off System Restore'> Apply> OK> Reboot
    That will drop the old restore points.
    Go back and UNCHECK 'turn off System Restore'> Apply> OK> Reboot.

    Every once in a while I run into someone who can use the cleanmgr feature. You used your head and found the answer! Very good for you!

    Another way to find the file is:
    Right click on Start> Explore> Windows> System 32> look for cleanmgr.exe on the right screen.
     
  17. zyglur

    zyglur TS Rookie Topic Starter Posts: 22

    I am now using my computer normally again with no remaining sign of infection.

    I was surprised my antivirus (ESET NOD32 Smart Security) didn't prevent the infection; do you think I should change? Should I install an antispyware?
    If yes: which antivirus and which antispyware?

    Thank you very much for all your help
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    So many people ask this and I always give the same answer:

    The first line of defense is the ISP. The more they keep out of their network, the less there is available to infect their customers.

    The second line of defense is the user themselves. You were using BitComet. This file sharing program is almost guaranteed to expose the system to malware. And some of it almost always gets in.

    My point is that no matter how much security is on the system-assuming it is the recommended layered protection of antivirus, firewall and at least 2 spyware/adware programs-if a user does not practice 'safe surfing,' the system is going to get malware. One example that few users think of is the way they handle email and attachments. Many think that the email from Aunt Sally is okay and the attachment is secure because Aunt Sally sent it. Not necessarily. Aunt Sally may not have good security and she has malware and it's included in what she sends you.

    Keep the Eset Suite- it has Antivirus, Antispyware, Antispam and Personal Firewall. I use Nod32 also, but consider adding at least one more spyware/adware program. A very good deterrent is SpywareBlaster- it's free and it's good:
    http://www.javacoolsoftware.com/spywareblaster.html
     
  19. zyglur

    zyglur TS Rookie Topic Starter Posts: 22

    Thank you, that was actually the answer I expected; I will try to be more careful in what I get from the internet.

    I downloaded SpywareBlaster and will install it ASAP. I had personally heard of Ad-Aware and of Spybot Search-Destroy; are these programs out of date?

    I've also heard of using a virtual machine to test files you are not sure of; I'm afraid that way of doing things isn't easy and is only for VERY advanced users.
    What I should do is "not sure" = TRASH.

    Thanks again for all the time you spent on my problem.

    I'll try to inform my friends as well as I can and in case of trouble I will recommend Techspot.com
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Thank you for your confidence. When a cleaning goes well, without having to keep running additional programs, it is always best.

    As for your question:
    Technically, my Rule of Thumb when you're not sure is to do nothing initially. Instead, identify the file using a search engine and/or do a right click on the file> Properties and look for additional information. Only then will you be able to decide if it is 'trash.'
     
  21. zyglur

    zyglur TS Rookie Topic Starter Posts: 22

    Bad surprise ? I'm not sure.

    I had Spybot S&D installed on my computer, so I was curious and ran a scan:

    What surprised me is that it found 2 Virtumonde files and another malware.

    As recommended, I disconnected from internet before cleaning and corrected this problem.

    Then I rebooted still without internet and performed another scan : nothing left.
    I then reconnected internet

    Is it a problem, or are these files harmless leftovers from the previous infection?

    I attached the Spybot scan log.

    Thanks again
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Curious! You shouldn't have had any 'left over' malware files. But it says Spybot "fixed" them. Run a scan again with Spybot S&D and follow with a scan with an updated AV. Be sure to delete any files that have been moved to the virus chest or quarantined.
     
  23. zyglur

    zyglur TS Rookie Topic Starter Posts: 22

    The Spybot and antivirus (ESET NOD32) scans yesterday were clean.

    I think this whole story is over.

    Thank you again
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're welcome. Please let us know if you need any additional help in the future.
     