TechSpot

Possible trojan, spyware etc on Vista

By tranquillo
Mar 8, 2008
  1. Hi.

    I've read and followed the 3-page-long instructions on removing spyware somewhere here in the forum... the tip was to download and run about 10 000 applications plus running an online scan twice. Some applications found and removed dirt and some didn't. Now I have a stack of applications asking me stupid questions like if Windows Update, or MSN, should be allowed to connect to the internet...
    And I still get annoying popups every time I open IE or Explorer... Google gets hijacked at random and sometimes I have to click a Google result 4-5 times (click, notice the link is hijacked, click back and click the link again) before getting where I want...

    Here's my latest HijackThis log... pleeeaaassee, tell me what to do...
     
  2. kritius

    kritius TS Guru Posts: 2,084

    First please go to Start -> Control Panel -> Add/Remove Programs and uninstall HijackThis.

    Next please follow these instructions. Your version of HijackThis is out of date.

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2); it can be downloaded from HERE.
    • Run the HijackThis installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • Go to its folder and rename the .exe file to crusty or something similar.
    • After installing, the program launches automatically; select Scan now and save a log.
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.

    Please do the following, then we will better know where the infection is.
     
  3. tranquillo

    tranquillo TS Rookie Topic Starter Posts: 23

    here it is...
     
  4. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    Just an FYI...

    I've already swapped privates with Julio noting the typo in the Spyware post. The latest HijackThis installed via the link in his post is v2.0.2, not v2.0.0.2.
     
  5. kritius

    kritius TS Guru Posts: 2,084

    Cheers for that, I kept meaning to say to someone about it.

    @ tranquillo

    Please download HostsXpert, extract it to your desktop and run it. When it opens, click on the Restore Original Hosts button and then exit HostsXpert.

    Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

    If you stopped your antivirus or firewall you can restart them again.

    Run HJT after these are completed and post a new log; I need to check and see what's different.
     
  6. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    I hope tranquillo doesn't mind me stealing some bandwidth from the thread, but if I could ask kritius a couple of questions:
    • Am just curious... I can go through a HJT log or most any tool's log and know how to verify/validate entries to identify the suspicious/malware/etc. entries. But wondering where you picked up (and is there a database?) all the various tools and removal instructions that go with those various entries once identified?
    • I've seen ComboFix often recommended by a number of different people for malware removal. I've never needed it but of course went to look at it out of geek curiosity. I see it warning about having a Recovery Console installed, but not sure I recall that ever being mentioned in posted instructions. Just wondered, is it pretty rare that ComboFix should do something that requires the need for Recovery Console?
     
  7. tranquillo

    tranquillo TS Rookie Topic Starter Posts: 23

    LookinAround -> steal away ;)

    Kritius -> here's the new log... thanks for your help...
     
  8. tranquillo

    tranquillo TS Rookie Topic Starter Posts: 23

    hehe... forgot to add the file...
     
  9. tranquillo

    tranquillo TS Rookie Topic Starter Posts: 23

    After running the vast amount of anti-spyware, scans and whatever... I suspect that this may be a problem that comes back when I restart the computer... so I restarted and made a new log... just in case...
     
  10. tomrca

    tomrca TS Rookie Posts: 1,000

    Disable this: O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
    then run ComboFix and post a fresh log.
    I would suggest that you get a more reliable AV programme and also install a firewall. It also seems that you may be running more than one AV programme; only one is advisable.
    Did you run SmitFraud? If not, please do it. Run it in safe mode after disabling the O23 entry, then run ComboFix.
     
  11. tranquillo

    tranquillo TS Rookie Topic Starter Posts: 23

    lol... right...

    Quick Google result:
    "SmitFraud attacks show fake antispyware programs popups on your screen"
    "Trojan.Smitfraud is a group of programs that are used to download rogue security products"

    this is something I should run?
     
  12. tomrca

    tomrca TS Rookie Posts: 1,000

    Yes. After running it you may lose your desktop background; don't worry, just reset it when all is finished. You may also need to run VirtumundoBeGone too.
     
  13. tomrca

    tomrca TS Rookie Posts: 1,000

  14. tranquillo

    tranquillo TS Rookie Topic Starter Posts: 23

    Did all those things (except disabling VundoFix Service... don't know how or where... VundoFix is one of the programs I downloaded from the instructions) and now it seems like the popups are gone, but Google links are still hijacked and mostly point to some (probably fake) anti-spyware/anti-virus software sites... my guess is that the popups will come back soon too, as they always do after cleaning up with various programs and scanners...
     
  15. tranquillo

    tranquillo TS Rookie Topic Starter Posts: 23

    I'm guessing the next step is to reinstall windows?
     
  16. tomrca

    tomrca TS Rookie Posts: 1,000

    don't give up yet!
    To stop this service: Start > Run > type "services.msc" (without the quotation marks) > OK > look for the service VundoFixSvc by Atribune > right click and stop/disable.
    Please post the logs from HJT, ComboFix and SmitFraud.

    Can you give a little more information on the pop-ups, e.g. what they are advertising etc. and if there is any name at the top of the ad, such as "outer info" for example. Are there any unknown icons in the service tray?
     
  17. tranquillo

    tranquillo TS Rookie Topic Starter Posts: 23

    Did all the above except stopping VundoFix, and ComboFix did not return a log... just a small progress bar saying it was running and then it went away... I'll give it another try... first SmitFraud, save the log, then ComboFix, try and find a log somewhere, then HJT...
     
  18. tomrca

    tomrca TS Rookie Posts: 1,000

    were you not able to stop the service?
     
  19. kritius

    kritius TS Guru Posts: 2,084

    Hey tomrca,
    long time no speak.
     
  20. tranquillo

    tranquillo TS Rookie Topic Starter Posts: 23

    looks like it was never running...

    here's a bunch of logs...
     
  21. kritius

    kritius TS Guru Posts: 2,084

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode and show all hidden files and folders,

    Go to start>run and type services.msc
    VundoFix Service (VundoFixSvc) <- Disable the service name and/or the name in brackets.

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the Processes tab and end the process for (if there):

    VundoFixSVC.exe

    Close task manager.

    Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following by placing a tick in the little box next to it (if there):

    O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there):

    C:\WINDOWS\SYSTEM32\VundoFixSVC.exe

    Reboot into normal mode and re-hide your protected OS files.

    Post a fresh HJT log.
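    An added example (not from any poster in this thread): a small Python parser for the HijackThis O23 service lines quoted above, pulling out the display name, the name in brackets, the vendor and the binary path so a pasted log can be searched for the service kritius asks to disable. The sample log is constructed; only the VundoFix line comes from this thread.

```python
import re
from dataclasses import dataclass

# An O23 line, as in the log excerpt quoted in this thread, has the shape
#   O23 - Service: <display name> (<service name>) - <company> - <image path>
# plus, in some logs, "Unknown owner" as company or a trailing "(file missing)".
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - "
                    r"(?P<company>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

@dataclass
class ServiceEntry:
    display_name: str
    service_name: str
    company: str
    image_path: str
    file_missing: bool

def parse_o23(line: str) -> "ServiceEntry | None":
    """Parse one HJT O23 line; any other kind of line gives None."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(m["display"], m["name"], m["company"],
                        m["path"], m["missing"] is not None)

def services_from_log(log_text: str) -> list:
    """Collect every O23 service entry from a pasted HJT log."""
    parsed = (parse_o23(ln) for ln in log_text.splitlines())
    return [e for e in parsed if e is not None]

def find_service(entries: list, wanted: str) -> "ServiceEntry | None":
    """Match the display name or the name in brackets, case-insensitively."""
    w = wanted.casefold()
    for e in entries:
        if w in (e.display_name.casefold(), e.service_name.casefold()):
            return e
    return None

# Constructed sample: the O23 line quoted in this thread plus two made-up
# neighbours (a non-O23 line that must be skipped, and a missing-file service).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Example] C:\\Program Files\\Example\\ex.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\\Windows\\SYSTEM32\\VundoFixSVC.exe
O23 - Service: Sample Svc (SampleSvc) - Unknown owner - C:\\Windows\\sample.exe (file missing)
"""

if __name__ == "__main__":
    for entry in services_from_log(SAMPLE_LOG):
        print(entry)
```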
     
  22. tomrca

    tomrca TS Rookie Posts: 1,000

    You seem to have acquired 2 new entries in your HJT log. Are you cleaning your PC between projects?

    Perhaps it may be best if you start again should kritius's instructions fail.

    If so go HERE and follow these instructions. I must add that all instructions must be followed to the letter.
     
  23. tranquillo

    tranquillo TS Rookie Topic Starter Posts: 23

    If you mean from previous HJT logs, I've actually removed two entries from the hosts file that I'm sure are OK since I put them there myself, but I didn't bother to remove them from the latest log...

    When it comes to the process of the latest scan/clean I did everything exactly as instructed, with the exception that I restarted the computer before running ComboFix and HJT...

    I'll look into the instructions above in a minute...
     
  24. kritius

    kritius TS Guru Posts: 2,084

    Quick question tranquillo,

    What antivirus program do you use? I noticed in your logs that it mentions AVG 8, where did you download this from? How long have you had it for?
     
  25. tranquillo

    tranquillo TS Rookie Topic Starter Posts: 23

    My guess is that it was one of the 1000 downloads in the basic instructions I followed a couple of days ago.
    Before all this, I had Windows Defender and the Symantec... now I'm not sure any more after all the downloads...

    Here's the HJT log...
     
Topic Status:
Not open for further replies.
