TechSpot

Possible WinFixer Infection

By M0ntG0M3rY
Jul 23, 2007
Topic Status:
Not open for further replies.
  1. Possible VirtuMonde/WinFixer Infection

    Hi everyone, I'm new here!

    I'm experiencing a problem with the VirtuMonde/WinFixer, presumably.
    I've tried fixing the problem using VundoFix as outlined here: http://wiki.castlecops.com/Malware_Removal:_Virtumundo, but the infected files would be re-downloaded and appear in the system again under other names.

    Here are my HiJackThis and ComboFix logs. AVG Anti-Rootkit Free in-depth scan didn't find anything suspicious.

    Any help and suggestions will be highly appreciated! :)

    EDIT: Sorry, just realized I hadn't followed 15 steps thoroughly. Will re-post logs again as soon as I'm finished with those steps.
  2. M0ntG0M3rY

    M0ntG0M3rY Newcomer, in training Topic Starter Posts: 50

    OK, this time the only thing I didn't do was that I skipped the online scan, and also I did an AVG Internet Security scan instead of the AVG Anti-Spyware scan.

    Everything else is done following the instructions precisely. And it seems the problem is solved, at least there are no pop-ups now.

    Here are my logs, anyway. Any suggestions will be appreciated! :)

    In addition to these logs, I should say that the AVG Anti-Rootkit scan revealed nothing, the AVG Internet Security scan said the only malware was the "hacker tool" SmitfraudFix :), and the Ad-Aware scan only showed tracking cookies.
  3. tomrca

    tomrca Newcomer, in training Posts: 1,051

    HJT log looks very good. Check the IP addresses in the O17 entries to see if you know them.
  4. M0ntG0M3rY

    M0ntG0M3rY Newcomer, in training Topic Starter Posts: 50

    thank you!

    IP addresses 207.172.3.8 and 207.172.3.9 belong to my ISP; they are the primary and secondary DNS servers.

    160.92.121.6 belongs to Atos Worldline Primary IPv4 Subnet, and I have never heard of it...
  5. tomrca

    tomrca Newcomer, in training Posts: 1,051

  6. kitty500cat

    kitty500cat Newcomer, in training Posts: 2,407   +6

    It looks to me as if ComboFix took care of the Vundo infection.

    Please run HijackThis and do a system scan. Place a check in the box next to the following entry (if there):

    O17 - HKLM\System\CCS\Services\Tcpip\..\{C0D45C7C-9169-4B1B-B141-0B8B6BEC1B8B}: NameServer = 160.92.121.6

    Close all open programs except HijackThis and then click the Fix Checked button. Once it's done fixing, close HijackThis.

    Do you normally access the Web through a proxy server?

    Please rerun HijackThis and ComboFix and post their fresh logs.

    Regards :)
  7. M0ntG0M3rY

    M0ntG0M3rY Newcomer, in training Topic Starter Posts: 50

    Thanks for the answer! :)

    Will do as soon as I get home.

    No, I don't use a proxy server, but I believe it's still in Internet Options, unchecked - I used it before for some needs. If you uncheck it without deleting it, the browser will keep the IP address there. I will delete it and see if it's still in the log or not.
  8. M0ntG0M3rY

    M0ntG0M3rY Newcomer, in training Topic Starter Posts: 50

    Here are my logs.

    I deleted the proxy server IP.

    Thanks again!
  9. tomrca

    tomrca Newcomer, in training Posts: 1,051

    Once you have completed the clean up, empty quarantine folders and, in addition, I find it best to clear old restore points, defrag and create new ones.
    This is a new one in your log and should be fixed unless kitty500cat disagrees: O1 - Hosts: 63.223.70.253 tc-boxing.com
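    An added example, not from this thread or from HijackThis itself, that applies the two checks the helpers ask for above: read the O17 lines and flag any NameServer that is not one the user recognises, and read the O1 lines and flag hosts-file entries the user did not add. The sample log lines are constructed for the example (modelled on the entries quoted in this thread; the second O17 key is a placeholder), and the two allowlists are assumptions standing in for what the user knows about their own machine.

```python
import re
from ipaddress import ip_address

# Constructed sample HijackThis lines, modelled on the entries quoted in this thread.
# The second O17 key ({ISP-ADAPTER}) is a placeholder, not a real interface GUID.
SAMPLE_LOG = r"""
O1 - Hosts: 63.223.70.253 tc-boxing.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0D45C7C-9169-4B1B-B141-0B8B6BEC1B8B}: NameServer = 160.92.121.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{ISP-ADAPTER}: NameServer = 207.172.3.8,207.172.3.9
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip()

# Assumptions for the example: the resolvers the user recognises as the ISP's,
# and the hosts-file entries the user added on purpose.
KNOWN_DNS = {"207.172.3.8", "207.172.3.9"}
KNOWN_HOSTS = {"tc-boxing.com"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")


def review_hjt(log, known_dns, known_hosts):
    """Return (section, reason, value) findings for O17/O1 lines that need a second look."""
    findings = []
    for line in log.splitlines():
        m = O17_RE.match(line)
        if m:
            # One O17 entry may list several resolvers separated by commas.
            for server in (s.strip() for s in m["servers"].split(",")):
                try:
                    ip_address(server)
                except ValueError:
                    findings.append(("O17", "unparsable-nameserver", server))
                    continue
                if server not in known_dns:
                    findings.append(("O17", "unknown-nameserver", server))
            continue
        m = O1_RE.match(line)
        if m and m["host"] not in known_hosts:
            findings.append(("O1", "unexpected-hosts-entry", f"{m['ip']} {m['host']}"))
    return findings


if __name__ == "__main__":
    for section, reason, value in review_hjt(SAMPLE_LOG, KNOWN_DNS, KNOWN_HOSTS):
        print(f"{section}: {reason}: {value}")
```

    On the sample log only the 160.92.121.6 resolver is reported; the ISP resolvers and the deliberately added tc-boxing.com line pass because they are on the allowlists.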
  10. kitty500cat

    kitty500cat Newcomer, in training Posts: 2,407   +6

    Please download the file CFScript.txt attached to my post and save it to the same folder as ComboFix.

    Referring to the image below, drag the CFScript.txt that you just downloaded over onto ComboFix.exe and release.


    This will ask ComboFix to execute the instructions within my file. Let ComboFix run normally and do its job. Attach the resultant log in your next reply, as well as a fresh HijackThis log.

    Regards :)

  11. M0ntG0M3rY

    M0ntG0M3rY Newcomer, in training Topic Starter Posts: 50

    Thank you very much to you both!

    tc-boxing is a manually entered line in the hosts file - I put it there myself when there were some DNS problems and I couldn't connect to this bittorrent tracker. I renewed the hosts file a day ago, that's why this entry didn't appear in the first HJT scan.

    I have a question about Messenger Plus! Its installation comes with the option "refuse sponsor support" - if this option is chosen, I believe, though I'm not 100% sure, Messenger Plus! doesn't install any malicious software. I really like the additional functionality given by this add-on and would prefer to keep it. I've used it for quite a long time, two years probably, and had no problem with it. What do you think about this?

    Edited by Moderator: No need for a double post if there are no replies between your current post and the last post, unless bumping the thread. In that case, please wait at least 24 hours before doing so. Otherwise, simply use the "Edit post" button instead.

    No, I have no idea.
  12. tomrca

    tomrca Newcomer, in training Posts: 1,051

    New one to me! Looked and can't find anything on it.
  13. kitty500cat

    kitty500cat Newcomer, in training Posts: 2,407   +6

    If you've never had any problems with Messenger Plus!, I suppose you can keep it. If you did refuse the sponsor support, you should be good to go. And since you haven't experienced any problems with it, it sounds okay.

    Please navigate to www.virustotal.com.

    Click the Choose... button.

    Navigate to the following file:

    C:\WundF1x.exe

    Click Open. Then click Send File.

    Wait until it's done scanning, then copy and paste the results into a Notepad file and save it on your computer. Attach the file in your next reply, as well as fresh HijackThis and CFScript logfiles per the instructions in my last post.

    Regards :)

    P.S. You don't need to remove the Hosts file entry since you know that it's safe.
  14. M0ntG0M3rY

    M0ntG0M3rY Newcomer, in training Topic Starter Posts: 50

    Thank you! Will do.

    I still have a question though.
    The CFScript file has the following:
    Since I opted to keep Messenger Plus!, should I delete these entries before feeding the CFScript to ComboFix?
  15. kitty500cat

    kitty500cat Newcomer, in training Posts: 2,407   +6

    I have altered the instructions and the CFScript in my post above (from 7:44 AM today). Please follow those instructions.

    Regards :)
  16. M0ntG0M3rY

    M0ntG0M3rY Newcomer, in training Topic Starter Posts: 50

    Thank you!

    Here are my logs.

    WundF1x.exe appears to be exactly the same file as VundoFix.exe with a changed name. All attributes are the same: size, icon, everything. I don't remember renaming it, though, but maybe it's a mental block :) Well, I deleted this file.
  17. momok

    momok Newcomer, in training Posts: 2,272

    Hi,

    Download the attached "CFScript.txt" (from my attachment) and save it to the same folder as Combofix.

    Referring to the image below, drag the CFScript.txt that you downloaded earlier over on to Combofix.exe and release.


    This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.

    Thereafter, please post fresh HJT and AVG Antispyware logs from normal mode and the ComboFix log from the safe mode instructions as attachments into this thread.

    PS. It appears you use WildTangent Games. Several of their users have had a history of being infected by trojans from the games downloaded from Wildtangent. I would suggest you uninstall and remove anything related to it.


    Regards,
    Your friendly momok =)

    This thread is for the use of M0ntG0M3ry only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  18. M0ntG0M3rY

    M0ntG0M3rY Newcomer, in training Topic Starter Posts: 50

    Thanks, momok, for your attention!

    A question. I use AVG 7.5 Internet Security and never installed AVG Antispyware. Can I substitute AVG 7.5 Internet Security scan for AVG Antispyware?
  19. momok

    momok Newcomer, in training Posts: 2,272

    Hi,

    I would still recommend you get AVG Anti-Spyware as it has its role to play in our cleaning instructions. Several times it picks out hidden files and processes and appropriately quarantines them; it's a real gem I would recommend you get even if you were not infected.

    Regards,
    Your friendly momok =)

    This thread is for the use of M0ntG0M3rY only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  20. M0ntG0M3rY

    M0ntG0M3rY Newcomer, in training Topic Starter Posts: 50

    Here are my logs. Thanks a lot momok!
  21. momok

    momok Newcomer, in training Posts: 2,272

    Hi,

    Please download and run CCleaner via step 9 of the instructions HERE.

    Apart from that, your logs appear to be clean already.

    1. Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)
      You may also delete the C:\avenger and C:\VundoFix Backups folder and its contents.

    2. Turn off system restore (XP/ME only). Learn how to do that HERE.
      This will remove all the remaining nasties from your old restore points.

    3. After that turn system restore back on.
      This would have created a new safe and clean restore point for your system.

    4. Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
      May I recommend that you read this article.
      This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly momok =)

    This thread is for the use of M0ntG0m3rY only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  22. M0ntG0M3rY

    M0ntG0M3rY Newcomer, in training Topic Starter Posts: 50

    Thank you very much, momok, and others who contributed to my thread. I really appreciate this! :)
  23. M0ntG0M3rY

    M0ntG0M3rY Newcomer, in training Topic Starter Posts: 50

    I need a little consultation :)

    After I've finished cleaning my computer everything is fine with it, but there's just a little issue.

    I usually use Firefox, but sometimes websites have some services that only work with IE. So yesterday I had to use IE to access something that only worked with IE, and I couldn't use it: whenever I put a URL into the IE address bar, Firefox would start and open the URL in its own window.

    I would like to know what causes this and how I can change this.

    Thank you!
  24. tomrca

    tomrca Newcomer, in training Posts: 1,051

    Make sure that FF is closed down and try selecting IE as the default browser. See if that does it.
  25. kitty500cat

    kitty500cat Newcomer, in training Posts: 2,407   +6

    I'm not really sure why that's happening.

    I recommend starting a new thread for your question.

    Regards :)