Win32/Heur + TR/Vundo.Gen, possibly some others

Status
Not open for further replies.

sithhar

The Short version:
I was having problems that, through research, I figured were Vundo. I ran VundoFix; it found 8 infected files and I cleaned them, but the problems didn't stop, so I decided to install AV software.

AVG said I have Win32/Heur. I ran it, it quarantined some crap but it was giving me some troubles so I uninstalled it. - Quarantined files deleted.

I then installed AntiVir PE Classic and it says I have TR/Vundo.Gen. It found 27 infected files and moved them all to quarantine.

I then ran CCleaner.

I then ran Malwarebytes' Anti-Malware. It found 24 infected files and quarantined and deleted all of them.

I then ran SUPERAntiSpyware Scanner, it found 4 files, but all 4 were tracking cookies. - Deleted.

So while everything got deleted, from what I can tell this Virus is just spewing out new DLL files and I don't trust that any of this has gotten rid of it. :(

I ran everything in order per the 8 steps post and attached are all of the requested logs, plus my AV scan and VundoFix.

The Extended version:
My first sign of a problem was a while back, I rebooted and got this error:

Windows - Drive Not Ready
Exception Processing Message c0000093 Parameters 75b6bf7c 4 75b6bf7c

Or something like that.

My first thought was - my HD is about to go, so I immediately backed up essentials. Then while investigating the error I started getting random pop ups in Firefox, sometimes it would even just start IE7 on its own and pop up "scan antispyware scanner" fake webpages. I searched for info on the fake page that kept trying to auto load and didn't have much luck, but wrote it off as some spyware/malware crap.

Since I had backed up everything, and windows was getting kind of messy anyway - I decided to format.

After a fresh install and a fully updated windows (xp pro sp3) I started reinstalling apps, I opened Firefox to download some drivers and bang, scan antispyware scanner pops up again.

I did some more research, didn't have much luck and I wrote it off as "some russian webpage I visited for some software had a browser jacker in it" so anyway, since I had all the drivers, nothing was really on my PC, I formatted again, and this time didn't go to that webpage.

Things seemed fine for a while so I figured it was ok, until I got another pop up over the weekend, then after a reboot, I got the Drive Not Ready error. I ran VundoFix and it found 8 infected files and it actually stopped the Drive Not Ready errors, but I wasn't confident that the problems had stopped, so I installed AV software.

Please help!!!
Jess
 
There are 2 anti-spyware utilities I use that you didn't mention. Both can be found in the Download section at this site:

1) Ad-Aware 2008
2) Spybot Search & Destroy

It's Spybot that I think can help you. I find it detects/removes the really OFFENDING type of spyware. Usually, it's the spyware that is trying to change something on your computer. See if it helps solve your problem.

-- Andy
 
I would just like to add that since I posted these logs Avira's Guard thing has popped up this notice 3 times:

Virus or unwanted program 'TR/Trash.Gen [trojan]'
detected in file 'C:\System Volume Information\_restore{B356288B-C7A8-4814-A4C8-7DB4DDDF7141}\RP23\A0005447.dll.
Action performed: Deny access

I have been clicking Deny Access, as it seems to be the default action.

@almcneil, before I formatted I had S&D+Tea Timer and Adaware installed, they found nothing, that led me to VundoFix which also at the time found nothing - but I have not reinstalled them as I just formatted and was following the UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions here which says nothing about S&D and Adaware.
 
Wow!, lots of found and quarantined\Deleted issues so far.
You must be very thankful to find this 8-step removal process

---------------

Bonjour service found. Please read here: http://www.raymond.cc/blog/archives/2008/02/10/how-to-uninstall-or-remove-bonjour-mdnsresponderexe/
C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
---------------

ToolTipFixer running, info here: http://neosmart.net/dl.php?id=10
I would recommend removing this startup service (actually un-installing in Add\Remove programs would be better)
C:\Program Files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe
O23 - Service: ToolTipFixer - NeoSmart Technologies - C:\Program Files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe
---------------

Still running HJT, tick and fix the following "file missing" entries
O2 - BHO: (no name) - {0CEDA882-1427-4028-A2CB-4DF3DA6D942F} - C:\WINDOWS\system32\khfFXoPF.dll (file missing)
O2 - BHO: (no name) - {1C7978A4-250C-4D8D-B53B-F77B0D552D85} - C:\WINDOWS\system32\wurvcdyo.dll (file missing)
O2 - BHO: (no name) - {22329824-086E-401E-927B-F7BE79CD72B4} - C:\WINDOWS\system32\geBstrsR.dll (file missing)
O2 - BHO: (no name) - {38F2F148-250C-4D8D-B53B-F77B0D552D85} - C:\WINDOWS\system32\tvawrbpl.dll (file missing)
O2 - BHO: (no name) - {71E5E290-250C-4D8D-B53B-F77B0D552D85} - C:\WINDOWS\system32\tvawrbpl.dll (file missing)
---------------

Still running HJT, tick and fix the following entries
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
---------------

Still running HJT, tick and fix the following entry
O20 - AppInit_DLLs: ixsllw.dll
Pretty sure a Trojan
---------------

Java

Please follow these steps to remove older version Java components and update.

Download the latest version of Java Runtime Environment (JRE) 6 Update 10
Scroll to Java Runtime Environment (JRE) 6 Update 7 and click on the download button
http://java.sun.com/javase/downloads/index.jsp

(if you don't want the google toolbar -- uncheck this option before installing Java.)

Click on the Accept License Agreement button
Next Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 7 License Agreement.".
Download Now! Windows Offline Installation, Multi-language

Now close all windows, including your browser.
Double click on the Java installation that you downloaded and follow the prompts.

NEXT-remove all older versions of Java
Go to Start > Control Panel double-click on the Software icon > add/remove programs.
Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )
Select it and click Remove.
Close any programs you may have running - especially your web browser.
Repeat as many times as necessary to remove each older Java version.
Reboot your computer once all Java components are removed.
---------------

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
If you are using Netware services then disregard this part
You may need to contact your ISP if they believe it is required too
But if you are on a Home computer without Network to other computers then it is safe to remove, here's how:

Download LSPFix
http://www.cexx.org/LSPFix.exe

Run it

Tick the box "I know what I'm doing"

Select (single click) on nwprovau.dll

Select the right-pointing arrows

Select Finish
---------------

CLEAR & RESET SYSTEM RESTORE'S CACHE

Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click Apply, and then OK
---------------

Please reply once all this is done (and probably after a few restarts!) with a fresh HJT log :)
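As an added example (not from the thread or from HijackThis itself), here is a small Python triage helper that applies the rules kimsland uses above to HJT log lines: orphaned "(file missing)" BHOs and AppInit_DLLs entries are marked for fixing, unknown LSPs and RunOnce entries for review, everything else stays informational. The sample log is constructed from the entries quoted in the post plus one benign O2 line with a placeholder GUID.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: one HJT line of each kind the thread walks through
# (the O2/O4/O10/O20/O23 entries above, plus a benign O2 with a placeholder GUID).
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {0CEDA882-1427-4028-A2CB-4DF3DA6D942F} - C:\WINDOWS\system32\khfFXoPF.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: ixsllw.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")  # every HJT entry starts "Onn - "


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O20"
    severity: str  # "fix", "review" or "info"
    reason: str
    line: str


def classify(line: str):
    """Apply the triage rules used in the thread to one HJT log line (None if not an entry)."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None  # blank line or HJT header text, not an entry
    section, body = m.groups()
    if section == "O2" and body.endswith("(file missing)"):
        return Finding(section, "fix", "BHO registration points at a DLL that no longer exists; orphaned leftover of a removed infection", line)
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body.split(":", 1)[1].replace(",", " ").split()
        # AppInit_DLLs are loaded into every process that maps user32.dll, a classic injection point
        return Finding(section, "fix", "AppInit_DLLs injects " + ", ".join(dlls) + " into every GUI process", line)
    if section == "O10":
        return Finding(section, "review", "Unknown Winsock LSP; remove only if the machine does not need it (e.g. NetWare client)", line)
    if section == "O4" and "RunOnce" in body:
        return Finding(section, "review", "RunOnce runs at the next logon only; confirm it belongs to a known installer", line)
    return Finding(section, "info", "no rule matched; verify publisher and path by hand", line)


def triage_hjt(log_text: str) -> list:
    """Classify every entry in an HJT log, skipping non-entry lines."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f is not None]


def summarize(findings: list) -> dict:
    """Count findings per severity so the 'tick and fix' list is easy to pull out."""
    return dict(Counter(f.severity for f in findings))
```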
 
Thanks for the response - All done - Oh except the Netware services, I am networked with a couple PC's.
 
Well, I cannot see any more Virus\Malware issues

You can now un-install SUPERAntiSpyware, if you haven't already
And re-confirm System Restore was reset (I'm sure it was)

How do you feel it is all going?
Are you having anymore issues?

By the way, I hope member almcneil, learns from all this (but we shall see!)
 
I appreciate all your help :) I feel better now at least, but I'm still worried there's some residue leftover I don't know about. I really have the urge to format again, but as I said before, nothing went away with my previous format, and if thats the case whats to stop it from coming back?

I'm pretty smart about going to bad webpages/downloading things, I have not had a virus or malware/spyware issues in years.

So far I have not had any issues, but they were rather sporadic before. I'll run my virus scan again and see if it finds anything.
 
Well that Trojan you had was a nasty one
With all those Windows folder entries (there were lots of them!)

You must have got the Trojan from somewhere??

Anyway, if you install Windows clean one day, at least presently it's clean for backing up purposes (Although hold this thought, until your reply on your present scan)
 
Sorry for the delay, I had to fix lunch while it was running, but it came back clean.

I'm sure I got it some where :) It just doesn't make sense to me how it can come back after a format - I reinstalled windows (didn't use backed up mirrors or anything) and I didn't even reinstall any software, just Fallout 3.
 
Well presently clean anyway :grinthumb

We shall see

By the way, you could download this Hosts file, it will block lots of ads (But sometimes in certain websites, the ads are required to continue to the next step)
More info on it here
There's a "readme.txt" file in the Zip too
Important! Windows Vista requires special instructions [click here]


By the way it is reversible

You know what? Just do it :)
 
Lol, alright, thanks. I will see how it goes for a few days - If I do decide to format I suppose the best thing to do once I'm in windows is update + install new java + hosts file + av stuff.
 
That's a whole new subject really

I usually recommend backing up
then removing the Partition, (during Windows setup process)
then install Windows,
then activate
then Service Packs
then install all drivers
then install all other Windows updates
then install Adobe and whatnot
then install Antivirus

Yes that's right AntiVirus is last
For that reason, you do not Google or anything when installing all this stuff

But, don't format just yet :(
 
I won't :) The only reason I don't mind doing it at this point is I haven't put any of my backed up stuff back so it's not too big of a deal. But for now, I'll just watch my AV software and maybe scan once a day while I'm cooking or something.

I really appreciate your help :)
 
Hello again kimsland! I just ran my virus scan today and it found this:
Begin scan in 'D:\'
D:\System Volume Information\_restore{87F38DFC-F31C-4E17-B1CA-BC73BC5AA3B2}\RP453\A0190757.exe
[DETECTION] Is the TR/Crypt.NSPM.Gen Trojan
[NOTE] The file was moved to '49435e8f.qua'!

I deleted system restore points (that's what that is I believe?) for both drives when you asked me to and I have not been surfing any nefarious pages.

I attached a new HJT log and the full log from the AV scan, but other than that 1 detection, I have not had any other problems.
 
I cannot see any infection in your HJT log

I did see these entries though:
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
The "RunOnce" means that this startup should only happen after next startup but not after that again

These entries were not in your old logs, and they look as though you have been updating your Video card software, but unsure :confused:

Did you end up doing the "Hosts file" update?

There is the possibility that your AntiVirus software has done an automatic update, and then found another Trojan, through updated definitions

The fact that it was in System Restore suggests that there may be a duplicate copy somewhere on your system. But your AV scan has not picked up anymore. So it is strange I agree.

Oh the above entries in the HJT log can be removed, unless you were doing a video driver update
 
Yes, I installed the Hosts file. No I did not update my Video card software and Yes I did update my AV definitions. Oh, and I did uninstall SuperAntiSpyware.

The only thing I have installed since my last post is a program called UltraUXThemePatcher. It's nothing illegal or anything, it just patches Windows so you can use custom VisualStyles/Themes.
 
Lol, interesting! And, that web page is very cool.

Anyway, I uploaded my file to that page and it was negative on all scans. Unfortunately the copy/paste feature on the page isn't working so I can't copy my results, other than this:

File Name : UltraUXThemePatcher-1.3.0.0.exe.exe
File Size : 87906 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 0f3de4369abbe7ba4e708d641a05a420
SHA1 : 98f34c61ed94014398b49c08d0221177b4def6b5

Scanner results : All Scanners reported not find malware!
Time : 2008/08/16 08:30:07 (EDT)
 
Yes but maybe your Antivirus has already disinfected it
But before it did, the Trojan also copied itself into your System Restore folder

Obviously if you can copy it or upload it presently, it is not being picked up by your Antivirus as an issue.

Anyway, I still believe that's where the System Restore trojan came from
Either the program, or the site you went to.

Your log is clean!
 
I'm not saying you're wrong but, wouldn't my virus scan have picked it up before? I checked my AV logs and it never detected anything in the file.
 
Well let's look at the logic

You fully scanned yesterday and found nothing
I said you were clean, all done

Somehow a Virus came on your system, and your Antivirus did not pick it up entering your system
Today you re-scanned and found a virus in your system (detected by your Antivirus)

There is no other option, than your Antivirus has done an automatic update, and now found a virus.

Please note: No antivirus in the world can pick up a brand new virus that your detections have not been updated to

That is all :)
 
Not really true; with today's technology, heuristics have come a long way. What I mean by that is the ability of the program to look at a program's behavior rather than strictly definitions. Comodo was the first that I know of to do this with their Defense+ HIPS on the firewall scanner.

With the heuristics you also get false positives because legit programs can often behave similar to malicious programs

-------------------------

Now, I had a feeling that you were not clean after following the thread because you never really looked that deep into the registry - this could be done with a few different programs, but the easiest for you and us would be a basic online scan.

--------------------------

First run a temp file cleaner such as CCleaner or ATF cleaner (instructions provided upon request)

Then

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply
 
@kimsland, I know, you're right ;)

@Blind Dragon, ran ccleaner, kaspersky is downloading, it will be a few though as my Internet is the suck.
 