TechSpot

Win32/Heur + TR/Vundo.Gen, possibly some others

By sithhar
Nov 4, 2008
  1. The Short version:
    I was having problems that, through research, I figured were Vundo. I ran VundoFix; it found 8 infected files and I cleaned them, but the problems didn't stop, so I decided to install AV software.

    AVG said I have Win32/Heur. I ran it, it quarantined some crap but it was giving me some troubles so I uninstalled it. - Quarantined files deleted.

    I then installed AntiVir PE Classic and it says I have TR/Vundo.Gen. It found 27 infected files and moved them all to quarantine.

    I then ran CCleaner.

    I then ran Malwarebytes' Anti-Malware. It found 24 infected files and quarantined and deleted all of them.

    I then ran SUPERAntiSpyware Scanner, it found 4 files, but all 4 were tracking cookies. - Deleted.

    So while everything got deleted, from what I can tell this Virus is just spewing out new DLL files and I don't trust that any of this has gotten rid of it. :(

    I ran everything in order per the 8 steps post and attached are all of the requested logs, plus my AV scan and VundoFix.

    The Extended version:
    My first sign of a problem was a while back, I rebooted and got this error:

    Windows - Drive Not Ready
    Exception Processing Message c0000093 Parameters 75b6bf7c 4 75b6bf7c

    Or something like that.

    My first thought was - my HD is about to go, so I immediately backed up essentials. Then while investigating the error I started getting random pop ups in Firefox, sometimes it would even just start IE7 on its own and pop up "scan antispyware scanner" fake webpages. I searched for info on the fake page that kept trying to auto load and didn't have much luck, but wrote it off as some spyware/malware crap.

    Since I had backed up everything, and windows was getting kind of messy anyway - I decided to format.

    After a fresh install and a fully updated windows (xp pro sp3) I started reinstalling apps, I opened Firefox to download some drivers and bang, scan antispyware scanner pops up again.

    I did some more research, didn't have much luck and I wrote it off as "some russian webpage I visited for some software had a browser jacker in it" so anyway, since I had all the drivers, nothing was really on my PC, I formatted again, and this time didn't go to that webpage.

    Things seemed fine for a while so I figured it was ok, until I got another pop up over the weekend, then after a reboot, I got the Drive Not Ready error. I ran VundoFix and it found 8 infected files and it actually stopped the Drive Not Ready errors, but I wasn't confident that the problems had stopped, so I installed AV software.

    Please help!!!
    Jess
     
  2. almcneil

    almcneil TS Guru Posts: 1,277

    There are 2 anti-spyware utilities I use that you didn't mention. Both can be found in the Download section at this site:

    1) Ad-Aware 2008
    2) Spybot Search & Destroy

    It's Spybot that I think can help you. I find it detects/removes the really OFFENDING type of spyware. Usually, it's the spyware that is trying to change something on your computer. See if it helps solve your problem.

    -- Andy
     
  3. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  4. sithhar

    sithhar TS Rookie Topic Starter

    I would just like to add that since I posted these logs Avira's Guard thing has popped up this notice 3 times:

    I have been clicking Deny Access, as it seems to be the default action.

    @almcneil, before I formatted I had S&D+Tea Timer and Adaware installed, they found nothing, that led me to VundoFix which also at the time found nothing - but I have not reinstalled them as I just formatted and was following the UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions here which says nothing about S&D and Adaware.
     
  5. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Wow, lots of found and quarantined\Deleted issues so far.
    You must be very thankful to find this 8-step removal process

    ---------------

    Bonjour service found. Please read here: http://www.raymond.cc/blog/archives/2008/02/10/how-to-uninstall-or-remove-bonjour-mdnsresponderexe/
    ---------------

    ToolTipFixer running, info here: http://neosmart.net/dl.php?id=10
    I would recommend removing this startup service (actually un-installing in Add\Remove programs would be better)
    ---------------

    Still running HJT, tick and fix the following "file missing" entries
    ---------------

    Still running HJT, tick and fix the following entries
    ---------------

    Still running HJT, tick and fix the following entry
    Pretty sure a Trojan
    ---------------

    Java

    Please follow these steps to remove older version Java components and update.

    Download the latest version of Java Runtime Environment (JRE) 6 Update 10
    Scroll to Java Runtime Environment (JRE) 6 Update 7 and click on the download button
    http://java.sun.com/javase/downloads/index.jsp

    (if you don't want the google toolbar -- uncheck this option before installing Java.)

    Click on the Accept License Agreement button
    Next Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 7 License Agreement.".
    Download Now! Windows Offline Installation, Multi-language

    Now close all windows, including your browser.
    Double click on the Java installation that you downloaded and follow the prompts.

    NEXT-remove all older versions of Java
    Go to Start > Control Panel double-click on the Software icon > add/remove programs.
    Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
    Select it and click Remove.
    Close any programs you may have running - especially your web browser.
    Repeat as many times as necessary to remove each older Java version.
    Reboot your computer once all Java components are removed.
    ---------------

    If you are using Netware services then disregard this part
    You may need to contact your ISP if they believe it is required too
    But if you are on a Home computer without Network to other computers then it is safe to remove, here's how:

    Download LSPFix
    http://www.cexx.org/LSPFix.exe

    Run it

    Tick the box "I know what I'm doing"

    Select (single click) on nwprovau.dll

    Select the arrows

    Select Finish
    ---------------

    CLEAR & RESET SYSTEM RESTORE'S CACHE

    Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 & press Enter

    * Tick on the checkbox - Turn off System Restore on all drives
    * Click Apply

    Turn it back 'On' by unticking the same checkbox & click Apply, and then OK
    ---------------




    Please reply once all this is done (and probably after a few restarts!) with a fresh HJT log :)
     
  6. sithhar

    sithhar TS Rookie Topic Starter

    Thanks for the response - All done - Oh except the Netware services, I am networked with a couple PC's.
     
  7. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Well, I cannot see any more Virus\Malware issues

    You can now un-install SUPERAntiSpyware, if you haven't already
    And re-confirm System Restore was reset (I'm sure it was)

    How do you feel it is all going?
    Are you having any more issues?

    By the way, I hope member almcneil, learns from all this (but we shall see!)
     
  8. sithhar

    sithhar TS Rookie Topic Starter

    I appreciate all your help :) I feel better now at least, but I'm still worried there's some residue leftover I don't know about. I really have the urge to format again, but as I said before, nothing went away with my previous format, and if that's the case what's to stop it from coming back?

    I'm pretty smart about going to bad webpages/downloading things, I have not had a virus or malware/spyware issues in years.

    So far I have not had any issues, but they were rather sporadic before. I'll run my virus scan again and see if it finds anything.
     
  9. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Well that Trojan you had was a nasty one
    With all those Windows folder entries (there were lots of them!)

    You must have got the Trojan from somewhere??

    Anyway, if you install Windows clean one day, at least presently it's clean for backing up purposes (Although hold this thought, until your reply on your present scan)
     
  10. sithhar

    sithhar TS Rookie Topic Starter

    Sorry for the delay, I had to fix lunch while it was running, but it came back clean.

    I'm sure I got it somewhere :) It just doesn't make sense to me how it can come back after a format - I reinstalled windows (didn't use backed up mirrors or anything) and I didn't even reinstall any software, just Fallout 3.
     
  11. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Well presently clean anyway :grinthumb

    We shall see

    By the way, you could download this Hosts file, it will block lots of ads (But sometimes in certain websites, the ads are required to continue to the next step)
    More info on it here
    There's a "readme.txt" file in the Zip too
    Important! Windows Vista requires special instructions [click here]


    By the way it is reversible

    You know what? Just do it :)
     
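The post above suggests a downloaded Hosts file as an ad blocker. The following is an added example, not code from the thread or from the Hosts file project it links to: a small parser that reads a Windows-style hosts file and separates ad-blocking entries (hostnames pointed at 0.0.0.0 or 127.0.0.1, so they never resolve) from entries that redirect a hostname to some other address, which is the pattern a hijacked hosts file shows up as in a HijackThis log. The sample hosts file and every hostname and address in it are constructed for the demo.

```python
"""Parse a Windows-style hosts file and audit what it does.

Added example (not from the TechSpot thread). A hosts file is consulted
before any DNS lookup, so an ad-blocking hosts file sinkholes ad and
tracker hostnames, while a hijacked one silently redirects real sites.
"""
import ipaddress

# Constructed sample hosts file; all names and addresses are made up.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0  ads.example-tracker.test   # blocklist entry
127.0.0.1  banners.example-adnet.test
198.51.100.23   update.example-av.test   # suspicious: real site redirected
"""

# Addresses that make a hostname unreachable rather than redirecting it.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Return (hostname, ip) pairs in file order, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line: Windows ignores it, so do we
        for host in parts[1:]:
            entries.append((host.lower(), str(ip)))
    return entries


def classify(entries):
    """Split entries into sinkholed (blocked) and redirected (hijack risk)."""
    blocked, redirected = [], []
    for host, ip in entries:
        if host == "localhost":
            continue  # the stock entry every hosts file carries
        (blocked if ip in SINKHOLE_ADDRESSES else redirected).append((host, ip))
    return blocked, redirected


def lookup(entries, hostname):
    """Address the hosts file would answer with (first match wins), or None
    when the name is not listed and normal DNS resolution would be used."""
    for host, ip in entries:
        if host == hostname.lower():
            return ip
    return None


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    blocked, redirected = classify(entries)
    print("blocked (ad/tracker sinkholes):", blocked)
    print("redirected (review these):", redirected)
    print("ads.example-tracker.test ->", lookup(entries, "ads.example-tracker.test"))
```

Running `classify` over a freshly downloaded blocklist should put everything in `blocked`; anything that lands in `redirected` is worth reading line by line before the file goes into `%SystemRoot%\system32\drivers\etc`.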
  12. sithhar

    sithhar TS Rookie Topic Starter

    Lol, alright, thanks. I will see how it goes for a few days - If I do decide to format I suppose the best thing to do once I'm in windows is update + install new java + hosts file + av stuff.
     
  13. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    That's a whole new subject really

    I usually recommend backing up
    then removing the Partition, (during Windows setup process)
    then install Windows,
    then activate
    then Service Packs
    then install all drivers
    then install all other Windows updates
    then install Adobe and whatnot
    then install Antivirus

    Yes that's right AntiVirus is last
    For that reason, you do not Google or anything when installing all this stuff

    But, don't format just yet :(
     
  14. sithhar

    sithhar TS Rookie Topic Starter

    I won't :) The only reason I don't mind doing it at this point is I haven't put any of my backed up stuff back so it's not too big of a deal. But for now, I'll just watch my AV software and maybe scan once a day while I'm cooking or something.

    I really appreciate your help :)
     
  15. sithhar

    sithhar TS Rookie Topic Starter

    Hello again kimsland! I just ran my virus scan today and it found this:
    I deleted system restore points (that's what that is I believe?) for both drives when you asked me to and I have not been surfing any nefarious pages.

    I attached a new HJT log and the full log from the AV scan, but other than that 1 detection, I have not had any other problems.
     
  16. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I cannot see any infection in your HJT log

    I did see these entries though:
    The "RunOnce" means that this startup should only happen after next startup but not after that again

    These entries were not in your old logs, and they look as though you have been updating your Video card software, but unsure :confused:

    Did you end up doing the "Hosts file" update?

    There is the possibility that your AntiVirus software has done an automatic update, and then found another Trojan, through updated definitions

    The fact that it was in System Restore suggests that there may be a duplicate copy somewhere on your system. But your AV scan has not picked up any more. So it is strange I agree.

    Oh the above entries in the HJT log can be removed, unless you were doing a video driver update
     
  17. sithhar

    sithhar TS Rookie Topic Starter

    Yes, I installed the Hosts file. No I did not update my Video card software and Yes I did update my AV definitions. Oh, and I did uninstall SuperAntiSpyware.

    The only thing I have installed since my last post is a program called UltraUXThemePatcher. It's nothing illegal or anything, it just patches Windows so you can use custom VisualStyles/Themes.
     
  18. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  19. sithhar

    sithhar TS Rookie Topic Starter

    Lol, interesting! And, that web page is very cool.

    Anyway, I uploaded my file to that page and it was negative on all scans. Unfortunately the copy/paste feature on the page isn't working so I can't copy my results, other than this:

     
  20. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Yes but maybe your Antivirus has already disinfected it
    But before it did, the Trojan also copied itself into your System Restore folder

    Obviously if you can copy it or upload it presently, it is not being picked up by your Antivirus as an issue.

    Anyway, I still believe that's where the System Restore trojan came from
    Either the program, or the site you went to.

    Your log is clean!
     
  21. sithhar

    sithhar TS Rookie Topic Starter

    I'm not saying you're wrong but, wouldn't my virus scan have picked it up before? I checked my AV logs and it never detected anything in the file.
     
  22. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Well let's look at the logic

    You fully scanned yesterday and found nothing
    I said you were clean, all done

    Somehow a Virus came on your system, and your Antivirus did not pick it up entering your system
    Today you re-scanned and found a virus in your system (detected by your Antivirus)

    There is no other option, than your Antivirus has done an automatic update, and now found a virus.

    Please note: No antivirus in the world can pick up a brand new virus that your detections have not been updated to

    That is all :)
     
  23. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Not really true with today's technology, heuristics have come a long way - what I mean by that is the ability of the program to look at a program's behavior rather than strictly definitions - Comodo was the first that I know of to do this with their Defense+ HIPS on the firewall scanner

    With the heuristics you also get false positives because legit programs can often behave similar to malicious programs

    -------------------------

    Now, I had a feeling that you were not clean after following the thread because you never really looked that deep into the registry - this could be done with a few different programs, but the easiest for you and us would be a basic online scan.

    --------------------------

    First run a temp file cleaner such as CCleaner or ATF cleaner (instructions provided upon request)

    Then

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
     
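The exchange above (kimsland: no scanner can catch a sample its definitions do not know; Blind Dragon: behaviour-based heuristics can, at the cost of false positives) is illustrated by the following added example. It is not code from the thread, from Comodo Defense+ or from any real product: a toy that scores constructed samples first against a signature set (hashes of known-bad contents) and then against a weighted behaviour rule set, so that the two outcomes can be compared side by side. The sample contents, the event names and the weights are all made up for the demo.

```python
"""Signature matching versus behaviour-based heuristics, side by side.

Added example, not from the thread or any real product. Signatures only
catch what the definition set already knows; a behaviour score can flag a
sample the signatures have never seen, but legitimate software that does
similar things can trip it too (a false positive).
"""
import hashlib

# Constructed "definitions": SHA-256 of known-bad contents (made-up bytes).
KNOWN_BAD = {hashlib.sha256(b"vundo-sample-A").hexdigest()}

# Constructed behaviour weights, in the spirit of a HIPS rule set. The event
# names are labels for the demo, not any product's real rule identifiers.
BEHAVIOUR_WEIGHTS = {
    "writes_run_key": 3,           # persistence under HKLM\...\Run
    "drops_dll_in_system32": 3,    # random-named DLLs in %SystemRoot%\system32
    "injects_into_browser": 4,     # code injection into iexplore/firefox
    "disables_av": 5,
    "writes_program_files": 0,     # ordinary installer behaviour
    "creates_desktop_shortcut": 0,
}
HEURISTIC_THRESHOLD = 6  # constructed cut-off


def signature_match(content):
    """True only if the exact bytes are already in the definition set."""
    return hashlib.sha256(content).hexdigest() in KNOWN_BAD


def behaviour_score(events):
    """Sum the weights of observed behaviours; unknown events count 1."""
    return sum(BEHAVIOUR_WEIGHTS.get(event, 1) for event in events)


def classify(content, events):
    """Return (signature_hit, heuristic_hit) for one sample."""
    return signature_match(content), behaviour_score(events) >= HEURISTIC_THRESHOLD


# Constructed samples: (file contents, behaviours observed when run).
SAMPLES = {
    "known_vundo.dll": (
        b"vundo-sample-A",
        ["drops_dll_in_system32", "writes_run_key", "injects_into_browser"]),
    "new_variant.dll": (                      # repacked: same behaviour, new hash
        b"vundo-sample-B-repacked",
        ["drops_dll_in_system32", "writes_run_key", "injects_into_browser"]),
    "legit_installer.exe": (                  # false positive candidate
        b"legit-installer",
        ["writes_run_key", "drops_dll_in_system32"]),
    "clean_editor.exe": (
        b"legit-editor",
        ["writes_program_files", "creates_desktop_shortcut"]),
}


def run_all():
    """Classify every constructed sample; returns name -> (sig, heuristic)."""
    return {name: classify(content, events)
            for name, (content, events) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (sig, heur) in run_all().items():
        print(f"{name:22} signature={sig!s:5} heuristic={heur}")
```

The repacked variant is missed by the signature check and caught by the behaviour score, which is Blind Dragon's point; the installer that writes a Run key and drops a DLL crosses the same threshold, which is the false-positive cost he mentions. A definitions update would move `new_variant.dll` into `KNOWN_BAD`, which is exactly the scenario kimsland describes for the System Restore detection.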
  24. sithhar

    sithhar TS Rookie Topic Starter

    @kimsland, I know, you're right ;)

    @Blind Dragon, ran ccleaner, kaspersky is downloading, it will be a few though as my Internet is the suck.
     
  25. sithhar

    sithhar TS Rookie Topic Starter

    Took friggin forever, but here it is
     
Topic Status:
Not open for further replies.
