Vundo; Infostealer; W32 Spybot

By jshock
Dec 22, 2008
  1. My Trend program picked up one virus and supposedly "handled" it. My browser started trying to load pages, but Trend prevented it. I obviously had some issues going on so I scanned with Trend and got no probs. Went to Symantec's online scanner and found trojan.vundo; infostealer.gampass; w32spybot.worm. Tried a few fixes, still had probs with the browser trying to access sites. Thank goodness for Trend stopping it, even though I am fairly annoyed it did not detect any malware on the scans. Why is that? I even tried going online to Trend and using Housecall - still no probs. Trend is supposed to be good stuff, right? Also, during my "fixes" Trend and Windows Security started giving me messages that they couldn't do updates or turn on the firewall, or protect against changes. Also, I couldn't get Super Anti-Spyware to update. Kept telling me that my firewall was preventing it, although I did not have either Windows or Trend firewall active at the time.

    In any event, I followed the protocol and have attached the logs from my scans. Any help is much appreciated - thanks!
  2. rev_olie

    rev_olie TS Maniac Posts: 560

    Hi jshock

    I've had a look through your log and everything appears clean.

    However, as to your problem, why SuperAntiSpyware won't update is a mystery.

    Please, for the record, download Spybot S&D from here.

    Install it and see if you can update. If you can update, run the program with a FULL SCAN and then attach the log file to your next post. If you cannot update, download and install the latest update from here.

    Also download the latest definitions for SuperAntiSpyware from here. Run it and install, and you will have the latest SAS. Run a FULL scan with that and again post the results of the log.

    In your next post I would like to see:

    Spybot S&D log
    Superanti Spyware (SAS) log
    FRESH Hijackthis Log
  3. jshock

    jshock TS Rookie Topic Starter Posts: 16

    Thanks for your help. I'm running the scans and will post them later after work. Or, I could call my wife and walk her through it over the phone (wow, I needed that laugh). In the meantime, Symantec scan still is finding w32 and infostealer - I've posted the log here. Vundo appears to be gone now. The help.exe file indeed loads by itself and if I don't kill the process, has to be killed by Windows on shutdown. I'll post the other logs later.
  4. rev_olie

    rev_olie TS Maniac Posts: 560


    Disable System Restore
    Find out how here

    Download FixIEDef.exe by ShadowPuterDude to the Desktop

    Double-click FixIEDef.exe

    That will open the About FixIEDef screen. Click OK to continue

    Next, press the Scan! button

    A message will then pop up to say that it has successfully gained Admin rights. Click OK

    Wait for the scan to finish

    After the !!! All Finished !!! message is displayed, click Exit

    Download and run combofix from here

    BEFORE running disable all of your Antivirus. You can find out how here

    Follow these instructions on how to create the recovery console

    Scan your system by following the instructions above.


    Rescan with Symantec and post a fresh:
    Symantec log
    HJT log
    log from Superantispyware
    Log from Spybot S&D
    Log from Combofix

    Also tell me the results of the FixIEdef scan
  5. jshock

    jshock TS Rookie Topic Starter Posts: 16

    Down to two viruses with four infected files, which is improvement, but we have a new file that is infected, though. Here are the logs. I couldn't figure out how to get a log from Spybot, but it found no immediate threats on the second scan (after it found one cookie and one trojan and I clicked fix the problems, then ran a second scan).

    oops - forgot to tell you about the FixIEdef scan - everything it was supposed to find and fix was apparently cleared up.
  6. rev_olie

    rev_olie TS Maniac Posts: 560

    Hi jShock

    Sorry it's taken so long to reply. Do you still have the problem?

    If so can you:

    Right click the Hijackthis icon
    In the name field, can you rename HijackThis to analysethis.exe

    This is because some forms of malware can hide from HijackThis


    Can you Download SDFix

    Now, double-click on the SDFix icon that should now be residing on your desktop. If an Open File - Security Warning box opens, click on the Run button

    A window will now open showing SDFix being extracted into the C:\SDFix folder. Once the installation program has finished extracting SDFix, it will open a Notepad with further instructions as shown below


    Now please Boot into safe mode.

    Now follow the instructions here from point 7, where I left off.

    Let the program run following through all of the steps. Then post the log from SDFix in your next post along with the freshly renamed HJT log.
  7. jshock

    jshock TS Rookie Topic Starter Posts: 16

    I still have the last remaining infected files. I really appreciate your help on this. I will follow your latest instructions and post them soon.

    Attached are the SDFix and Hijack (renamed) logs. I am restarting the 'puter and going to scan with Malwarebytes and Norton, which both have been picking up infections. I'll post those results separately.

    Mbam found two .exe files that were infected and Symantec found three .exe files that were infected. The only one that I really notice being active is the help.exe that's infected with infostealer. It loads up in processes with each start and if I forget to kill the process, Trend winds up blocking something it is trying to do. Here are the logs:

    Hi Rev Olie,

    Do we have another fix to try?
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    -> No action taken on MBAM scan, for found issues
    Please re-run Malwarebytes
    Confirm updated (third tab)
    Then do the above quoted message, but this time "Remove all found issues"

    By the way, you will need to then restart, and run (and attach) a new HJT log
  9. rev_olie

    rev_olie TS Maniac Posts: 560

    I'm really sorry your post seems to have slipped by.

    Please do as Kimsland has advised. Malwarebytes should be used to rescan the system as it seems it's picked up the Help.exe file as problematic. Another Malwarebytes scan should remove the majority of the infection.
  10. jshock

    jshock TS Rookie Topic Starter Posts: 16

    Here are the two logs - Malwarebytes then HiJack after restart. Malwarebytes has consistently only found two of the infected files - r.exe and stm.exe (both in the help directory). The help.exe file is only found by Norton scan. After the reboot and Hijack log, I rescanned with Malwarebytes and the r.exe and stm.exe files are still problems. What's the next step?

  11. rev_olie

    rev_olie TS Maniac Posts: 560

    hmmm ok then

    What's your system been like since the Malwarebytes scan?

    Can you do another Symantec scan as well, just so I can compare the results

    We're almost there :)
  12. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Seeing the member is using Symantec, this would be preferred:

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
  13. jshock

    jshock TS Rookie Topic Starter Posts: 16

    My anti virus is Trend. It is not picking up anything (along with Malwarebytes & Super Anti Spyware). Because of the hijacked browser stuff, I knew I had a problem so I used the Symantec online scan and found three infections. I also used Kaspersky this morning - log is attached. I don't care for the Norton stuff, which is why I used Trend, but the Symantec scan seems to be the only one that is picking up the help.exe infection. I seem to have three infected files with the help.exe file seeming to be the only one that is active as a process when I start Windows. I haven't noticed odd behaviors, but I do not have that computer connected to my network since I discovered I'm infected. When I have to do the online scans, I do a Chinese firedrill with my computers and router and no, it is not as fun as it sounds.

    I will hook my infected computer back up to my modem and rescan with Symantec and post results.

    Thanks again for your help.

    Here is the Symantec scan: two viruses/four files. Seems to have identified all of them except the r.exe file and maybe the one Kaspersky found on drive e. Not sure, though, of course as I'm not the expert. What's the next step?

    Thanks again
  14. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    OK so this is what you got:
    Symantec Scan:
    And Kaspersky Scan:
    All up, 4 malicious files were found in C:\Windows folders
    and 1 on the E drive

    Please search and remove (delete) those files, manually
  15. jshock

    jshock TS Rookie Topic Starter Posts: 16

    C:\WINDOWS\system32\syssupdate.exe - Deleted
    C:\WINDOWS\system32\taksman.exe - Deleted
    C:\WINDOWS\Help\Help.exe - Can't find file (see note below)
    C:\WINDOWS\Help\stm.exe - Deleted
    E:\i386\Apps\App00577\comps\toolbar\toolbr.exe - See Note below

    Help.exe is the process that I kill in task manager whenever I restart my computer. Maybe that has something to do with my not finding it??

    E: is my backup partition. I get a big scary warning that deleting any files in this partition might cause the world to end. Or at least prevent me from restoring any data on it. Should I go ahead, find and delete?

    I also came across r.exe, which Malwarebytes finds and tries to quarantine. I deleted this as well.

    Also, after deleting, I removed the files from my recycle bin. Next step?

    Thanks so much
  16. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Yes, it's here in HJT:
    Please run a scan with HJT and tick and fix that entry

    Hmm, that's a concern.
    Deleting this file may break your image backup
    But it is malware
    ...

    I've pondered about it.
    Please delete it
  17. rev_olie

    rev_olie TS Maniac Posts: 560

    Is help.exe not a needed file though? I was going to advise its removal earlier but I thought it had something to do with the OS?
  18. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    C:\WINDOWS\Help\Help.exe infected with Infostealer.Gampass
    Not part of any Windows OS
    Note: Should have been picked up by SuperAntiSpyware scan
  19. jshock

    jshock TS Rookie Topic Starter Posts: 16

    Okay, power outage at home while I was at work today so the computer was off when I got home. When I restarted, some of the files I deleted this morning were back (r.exe; stm.exe). Taksman.exe and syssupdate.exe are gone.

    I still could not find the Help.exe, although it showed up in processes. I Hijacked it and fixed it, and it is now gone after a restart.

    I cannot find a way into the recovery partition to access the toolbr.exe file and delete it. The partition is something called PC Angel that Gateway adopted from Emachines. Must be quality if Emachines was using it, right?

    It appears the active infections are gone - yeah! I'm left with three files - r.exe; stm.exe and the partition file toolbr.exe.
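    As an added, read-only check that is not part of the original thread (written by the editor, not by any of the posters): the PowerShell below audits the paths the scanners named above, reports whether each file is present and its hash, whether any is running (as Help.exe was at every boot), and whether any autostart Run/RunOnce value references it, which is the usual reason a deleted file is back after a reboot. It assumes r.exe sits in C:\WINDOWS\Help (the thread says "both in the help directory") and PowerShell 4 or later for Get-FileHash; it deletes nothing.

```powershell
# Added example, not from any poster in this thread: a read-only audit of the
# paths the scanners flagged above. It deletes nothing. r.exe's directory is
# assumed from "both in the help directory". Needs PowerShell 4+ (Get-FileHash).
$flagged = @(
    'C:\WINDOWS\system32\syssupdate.exe', 'C:\WINDOWS\system32\taksman.exe',
    'C:\WINDOWS\Help\Help.exe', 'C:\WINDOWS\Help\stm.exe', 'C:\WINDOWS\Help\r.exe',
    'E:\i386\Apps\App00577\comps\toolbar\toolbr.exe'
)
$names = $flagged | ForEach-Object { [IO.Path]::GetFileName($_) }

# 1. Does each file exist (hidden/system attributes included), and what is its hash?
foreach ($path in $flagged) {
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        "PRESENT  $path  $($item.Length) bytes  SHA256=$hash"
    } else { "absent   $path" }
}

# 2. Is any of them running right now? (Help.exe was seen at every boot.)
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($names -contains "$($_.ProcessName).exe") } |
    ForEach-Object { "RUNNING  PID $($_.Id)  $($_.Path)" }

# 3. Which autostart values reference them? A file that reappears after a
# reboot is usually re-created or re-launched from an entry like these.
$runKeys = 'HKLM:', 'HKCU:' | ForEach-Object {
    "$_\Software\Microsoft\Windows\CurrentVersion\Run"
    "$_\Software\Microsoft\Windows\CurrentVersion\RunOnce"
}
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PowerShell's own metadata
        foreach ($n in $names) {
            if ("$($p.Value)" -match [regex]::Escape($n)) {
                "AUTORUN  $key\$($p.Name) = $($p.Value)"
            }
        }
    }
}
```

    Run it from an elevated prompt so HKLM and the system32 files are readable; a PRESENT file with an AUTORUN hit is the one to hand to the scanner log, while a hash lets you confirm a "returned" file is the same binary as before.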
  20. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    KillBox is a tool to delete in-use files. If the file is running, KillBox will attempt to end the process (close the running file) and delete it.

    Other than that, I think it's time for => Combofix (run in Safe Mode ;) )
  21. jshock

    jshock TS Rookie Topic Starter Posts: 16

    Killbox is a cool little tool! Zapped that partition file right outta there (for good, I hope).

    Here is the Combofix log.

    Thanks for your help
  22. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Ok, so now how is it running?

    Actually before answering that, do this:
    Un-install SuperAntiSpyware (if still installed)

    Clear & Reset System Restore's Cache

    Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter
    * Tick on the checkbox - Turn off System Restore on all drives
    * Click Apply
    Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

    Run CCleaner

    Then tell me :)
  23. jshock

    jshock TS Rookie Topic Starter Posts: 16

    Uninstalled Super Anti Spyware

    Cleared and reset system restore cache

    Ran CCleaner

    Restarted computer, ran Norton scan and it found two infected files: Help.exe and stm.exe.

    Help.exe no longer loads as a process with restart, which is progress.

    I've attached the scan log.

  24. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    That's strange, didn't we already remove that?
    Please supply a new HJT log (after restart, just in case)
  25. jshock

    jshock TS Rookie Topic Starter Posts: 16

    Yes, we removed both those files (the stm.exe file was removed multiple times). Here is the latest Hijack file after a fresh restart.