Help Sagipsul Vundo + other infections?

Status
Not open for further replies.

zyglur

Hello,

First, excuse me for my poor English; I'm French.
I hope I'll be clear enough and that my translation of on-screen messages will be correct.

I experienced multiple popup windows in Firefox (my default internet explorer) directing to these sites:
sagipsul.com
url.adtrgt.com

Adblock avoided displaying these pages, but it is quite annoying and seems to be related to a malware (trojan virus?) infection.

I also noticed that images do not display under Internet Explorer. (I never touched the box in the advanced settings of Internet Explorer.)

I have ESET NOD32 Smart Security installed and I only had firewall alerts concerning different processes, including csrssc, trying to connect to the internet. It recognized different threats:
Virtumonde
Small.NEK Trojan
a variant of Trojan.Proxy.Wopla
a variant of KryptiK.DQ Trojan
Rustock.NGL Trojan

I turned to "Safe Mode" and followed the 8-step tutorial:
I performed a virus scan. I can't find the log file; it's not with the regular log files in the application. And the application automatically shut down, so I couldn't see anything when I came back.
I ran CCleaner
I had no real-time monitoring programs under safe mode
You will find attached the log files of
Malwarebytes ... found and removed different infections including Vundo
SuperAntiSpyware ... found and removed different infections including Vundo
and HijackThis (I ran it after renaming the program HJT.exe according to what I saw on another forum)
My Java is up to date

For now it seems there are no more popups.
I checked the "Display images" box in Internet Explorer advanced settings, but I don't know if anything else was messed up.
(I saw these in the HijackThis log: AppInit_DLLs: nzwwih.dll bcxcyz.dll
But I'm not an advanced user, I don't know if there is anything else of interest, and I need help now.)

Please inform me of the next steps to follow.

I thank you for all the time you take to help us. I hope I wasn't too long.

Zyglur
 
Unfortunately, when you ran Malwarebytes, you did not check this line:
* Make sure that everything is checked, and click Remove Selected.
Because all the malware entries found in Malwarebytes show "No Action Taken"

It's possible you may not have checked the similar line in SuperAntispyware:
* Make sure everything found has a checkmark next to it,then press 'Next'.

Please update and rerun each of these programs again, being sure to check for the removal of malware.

You will need to run HijackThis again after the other two programs, but there are some entries we can remove now:
Please re-open HijackThis and scan. *Check* the boxes next to all the entries listed below.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Ultimate Edition
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O1 - Hosts: ;Tag&rename
O2 - BHO: (no name) - {D5BF4552-94F1-42BD-F434-3604812C807D} - (no file)
O20 - AppInit_DLLs: nzwwih.dll bcxcyz.dll
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
Click on Start> Search> All Files & Folders> then go up to Tools> Folder Options> View tab> CHECK 'show hidden files and folders'> Apply> type each of the following into the Search box and if found, do a right click> Delete:
nzwwih.dll
bcxcyz.dll
Go back and re-hide the files and folders after the search.

Reboot into Normal Mode. Please run the programs in Normal Mode, including the next run of HijackThis.
Attach the new logs for review.

IMPORTANT: Do NOT use System Restore while we are cleaning. Malware can get into the restore points and the cleaning programs don't remove it from there. When the system is clean, we will have you remove the old restore points.
 
Thank you for your quick and detailed answer.

I thought I had checked and deleted any threat found by Malwarebytes and by SuperAntispyware, maybe I didn't do it right.

I'm at work for now but I began the cleaning and will get back to you afterwards.

Here are the steps I am following :
1 - I deactivated System restore
2 - under safe mode (with hidden files shown): searched for nzwwih.dll and bcxcyz.dll but didn't find them.
3 - back in normal mode: ran HijackThis and deleted the lines you told me
4 - still in normal mode, launched Malwarebytes...
5 - left for work and will see the results and delete anything found when I come back
6 - will run SuperAntiSpyware and HijackThis again
7 - will post the logs this evening (French time) or tomorrow morning.

Thank you very much
 
I thought I had checked and deleted any threat found by Malwarebytes and by SuperAntispyware,
This is why we like to "see" the logs! Sometimes that one check mark can make all the difference! I did not think you would find those files on a search, but we had to try. We will probably use one additional program to be sure they are gone; I'll know after I see the new set of logs.

'See' you in the morning!
 
OK, I performed the scans and deletes: you will find the logs attached to this post.

I believe last time I gave you a log saved before the delete for Malwarebytes.

This time everything seems done according to your notifications (I hope).

Malwarebytes found infections again, but not as many.
SuperAntiSpyware found only cookies.

HijackThis found these two keys again:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

I had fixed these in my step no. 3 for today (see preceding post); I fixed them again with HijackThis.

Thank you again for your help.

I will now shut down the computer for the night and hope that you'll tell me tomorrow that everything is all right.
 
Bonjour mon ami!

You must have done something in your sleep! You should not be downloading anything while we are cleaning and using a file sharing site like BitComet exposes the system to more malware!
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

And this also is new:
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

And another:
O4 - HKCU\..\Run: [lrijh8s73jhbfgfd] T:\WINDOWS\Olivier\LOCALS~1\Temp\winloggn.exe>> Winloggn.exe is Trojan/Backdoor.

This may be a long day for you because with new material on the system, especially from file sharing, all the scans need to be updated and redone.
 
Good evening Bobbye

I do have BitComet installed, but it wasn't launched since I discovered the infection.
I didn't download anything.
I'm not using the infected computer for anything but the cleaning.

Can that be explained by the first scan being done in safe mode under the admin account
and the latest done in normal mode under my personal account (with admin rights)?

The latest logs were generated by scans all done in a row with no reboot and no other program launched except Firefox for checking the TechSpot forum.

Should I disable "DAEMON Tools Lite" before running the scans?
Should I suppress the winloggn entry with HijackThis before running the three scans again?

I will redo the scans this evening, as you say it is necessary.
 
Can that be explained by the first scan being done in safe mode under the admin account
and the latest done in normal mode under my personal account (with admin rights)?
I do have BitComet installed, but it wasn't launched since I discovered the infection.
As long as it's on the system, you are at risk. It is auto-loading from the Registry or the Startup group.

Should I disable "DAEMON Tools Lite" before running the scans?
Yes.
This program is marked as adware
· ADWARE INCLUDED - you can, however, UNCHECK that ADWARE at installation!
· Daemon tools Search Bar.
The software is trying to change your default search engine.
· The software is trying to change your default home page.
· Some security applications may detect this program as a threat because of the adware included. Therefore this is a false alarm; Daemon Tools does not contain any viruses, just bundled software that can be unchecked at installation. The software will also change your browser's start page.
Should I suppress the winloggn entry with HijackThis before running the three scans again?
Yes.

Reopen HijackThis and scan> Place a CHECK by the following:
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [lrijh8s73jhbfgfd] T:\WINDOWS\Olivier\LOCALS~1\Temp\winloggn.exe>> Winloggn.exe is Trojan/Backdoor.
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
Close all Windows except HijackThis. Click on Fix Checked and reboot

Then do the rescans.
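The two HijackThis fix lists in this thread (the AppInit_DLLs entry and orphaned BHO earlier, and the Run-key and context-menu entries just above) are the kind of entries a helper reads off a log by eye. As an added example that is not part of the thread and not HijackThis's own code, the Python script below applies that reading as explicit rules: O20 AppInit_DLLs with any DLL listed and O4 Run entries executing from a Temp folder are rated high, a Run value with a random-looking name or a BHO marked "(no file)" medium, and a blanked R0/R1 search setting low. The sample lines are copied from the logs quoted in this thread (the helper's ">> Winloggn.exe is Trojan/Backdoor" annotation stripped so the line parses as HijackThis wrote it); the severity rules and the looks_random heuristic are my own assumptions, not anything the page states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Finding:
    kind: str       # HijackThis section code, e.g. "O4" or "O20"
    severity: str   # "high", "medium", "low" or "info"
    reason: str
    line: str


# Constructed sample input: entries copied from the HijackThis logs quoted in
# this thread (the helper's annotation on the winloggn line has been removed).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Ultimate Edition
O2 - BHO: (no name) - {D5BF4552-94F1-42BD-F434-3604812C807D} - (no file)
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [lrijh8s73jhbfgfd] T:\WINDOWS\Olivier\LOCALS~1\Temp\winloggn.exe
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O20 - AppInit_DLLs: nzwwih.dll bcxcyz.dll
"""

# "O20 - AppInit_DLLs: ..." -> kind="O20", body="AppInit_DLLs: ..."
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.*)$")
# "HKCU\..\Run: [name] command" -> value name and command line
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Any path component named Temp (covers LOCALS~1\Temp as well as Local Settings\Temp)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}


def looks_random(name: str) -> bool:
    """Heuristic (an assumption of this example): a Run value name at least 10
    characters long, with no spaces, mixing letters and digits."""
    return (len(name) >= 10 and " " not in name
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis log line; returns None for non-entry lines."""
    text = line.strip()
    m = ENTRY_RE.match(text)
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")

    if kind == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body.split(":", 1)[1].split()
        if dlls:
            # AppInit_DLLs are loaded into every process that links user32.dll,
            # which is why this value is a favourite persistence point.
            return Finding(kind, "high",
                           "AppInit_DLLs loads " + ", ".join(dlls) + " into every GUI process", text)

    if kind == "O4":
        rm = RUN_RE.search(body)
        if rm:
            if TEMP_RE.search(rm.group("cmd")):
                return Finding(kind, "high", "autorun entry executes from a Temp directory", text)
            if looks_random(rm.group("name")):
                return Finding(kind, "medium", "autorun entry has a random-looking value name", text)
        return Finding(kind, "info", "autorun entry; confirm the program is wanted", text)

    if kind == "O2" and body.endswith("(no file)"):
        return Finding(kind, "medium", "BHO registration whose DLL no longer exists (orphaned)", text)

    if kind in ("R0", "R1") and body.endswith("="):
        return Finding(kind, "low", "Internet Explorer search/start setting has been blanked", text)

    return Finding(kind, "info", "no rule matched; review manually", text)


def triage_log(log_text: str) -> List[Finding]:
    """Triage every entry in a log, most severe first (stable within a severity)."""
    findings = [f for f in (triage_line(l) for l in log_text.splitlines()) if f is not None]
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity level."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage_log(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.kind:3} {f.reason}\n         {f.line}")
    print(summarize(results))
```

Run against the sample, the two high findings are exactly the entries the helper singled out (the AppInit_DLLs pair and winloggn.exe in Temp); the DAEMON Tools and BitComet lines come out as "info" because, on their own, they are ordinary program entries whose removal is a policy decision rather than a malware signature.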
 
OK, here is what I did this evening in normal mode under my personal account:

1 - Uninstalled DAEMON Tools
2 - ran CCleaner with advanced options checked
3 - disabled programs in the system tray (Gmail Notifier and TaskSwitchXP)
4 - ran HijackThis and deleted the entries you told me (the one concerning DAEMON Tools was gone after the uninstall)
5 - ran Malwarebytes and deleted threats found (a Vundo file again)
6 - ran SuperAntiSpyware and deleted threats found, and then rebooted
7 - renamed HijackThis: HJT.exe
8 - ran HJT.exe
9 - opened Firefox, then sent the logs to the forum
10 - just after, I'll shut down the computer; I'll wait for your answer on the forum on another computer.

Thank you again for your help

PS : I updated Malwarebytes and Superantispyware just before each scan.
 
You have worked hard and done a good job. I am concerned that the Vundo is still being picked up. The HijackThis log is clean but I would like you to disable the Kaspersky Online Scanner for a bit:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://webscanner.kaspersky.fr/kavwebscan_unicode.cab

You should find the process here:
Open Internet Explorer> Tools> Manage Add-ons> find CKAVWebScan Object> click to highlight> Disable. (Reboot after you Disable and you won't have to do anything in the HijackThis log.)

Then run the Vundo Fix:
Please download VundoFix.exe from HERE and Save to your desktop.
1. Double-click VundoFix.exe to run it.
2. Click the Scan for Vundo button.
3. Once it's done scanning, click the Remove Vundo button.
4. You will receive a prompt asking if you want to remove the files, click YES
5. Once you click yes, your desktop will go blank as it starts removing Vundo.
6. When completed, it will prompt that it will reboot your computer, click OK.
7. Please attach the C:\vundofix.txt

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Please update and scan with Malwarebytes and SuperAntispyware "after" running the Vundo Fix. If they are clean, we will be through.

Attach Vundo report and the two other logs. Bonne nuit.
 
I think we are close to the end.

All scans (vundofix, malwarebytes and superantispyware) are clean.
You will find the logs attached.
I was surprised my antivirus (ESET NOD32 Smart Security) didn't prevent the infection; do you think I should change? Should I install an antispyware?
If yes: which antivirus and which antispyware?

Thanks again for all your efforts

I'll now shut down this PC until I see on the forum that you confirm it is clean.

Zyglur
 
Looking good- three clean logs! But I need to see one more HijackThis scan to make sure no malware entries remain. Attach the log and if clean we'll remove the cleaning tools and old restore points.
 
Okay, I don't see any malware. You have a few extras loading at boot, but they are legitimate processes.

If you are not having a problem with the system and the original problem has been resolved, we can remove the cleaning programs:

Download OTCleanIt HERE & save it to your desktop.
Double click on OTCleanIt.exe.
Click on CleanUp!.
It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
You will receive a prompt that it needs to restart the computer to remove the files>
Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.
Clear your existing System Restore points and establish a new clean restore point:

Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
* Next, go to Start > Run and type in cleanmgr
"Ensure the selection is on C:\ and click on OK"-
* Select the *More options* tab
* Choose the option to clean up System Restore and OK it.
* This will remove all restore points except the new one you just created.

It's been a pleasure working with you. Let us know if we can be of more help.
 
OTcleanit removed VundoFix
Reboot
I removed Malwarebytes, SuperAntiSpyware and HijackThis
I created a new restore point

BUT... I can't find "cleanmgr". When I use Start->Run cleanmgr I get the answer: Windows can't find cleanmgr....
I checked under Windows/system32; the application is not there.
I used the search tool and there isn't any cleanmgr on my computer.

Sorry to bother you again

Here is what I just did :
I copied cleanmgr.exe from another PC I have at Home
I ran it on the desktop and removed the old restore points (except the last one).

I found this (sorry, it's in French) link: french computer help forum

I copied cleanmgr into c:/windows/system32
ran regsvr32 dataclen.dll

I'm now able to launch cleanmgr from start-> run

Thanks again for all your help

Tell me if I did something wrong.

Zyglur
 
No, that's okay. You can also drop old restore points this way:

Control Panel> System> System Restore tab> CHECK 'turn off System Restore'> Apply> OK> Reboot
That will drop the old restore points.
Go back and UNCHECK 'turn off System Restore'> Apply> OK> Reboot.

Every once in a while I run into someone who can use the cleanmgr feature. You used your head and found the answer! Very good for you!

Another way to find the file is:
Right click on Start> Explore> Windows> System 32> look for cleanmgr.exe on the right screen.
 
I am now using my computer normally again with no remaining sign of infection.

I was surprised my antivirus (ESET NOD32 Smart Security) didn't prevent the infection; do you think I should change? Should I install an antispyware?
If yes: which antivirus and which antispyware?

Thank you very much for all your help
 
I was surprised my antivirus (ESET NOD32 Smart Security) didn't prevent the infection; do you think I should change? Should I install an antispyware?
If yes: which antivirus and which antispyware?
So many people ask this and I always give the same answer:

The first line of defense is the ISP. The more they keep out of their network, the less there is available to infect their customers.

The second line of defense is the user themselves. You were using BitComet. This file sharing program is almost guaranteed to expose the system to malware. And some of it almost always gets in.

My point is that no matter how much security is on the system, assuming it is the recommended layered protection of antivirus, firewall and at least 2 spyware/adware programs, if a user does not practice 'safe surfing,' the system is going to get malware. One example that few users think of is the way they handle email and attachments. Many think that the email from Aunt Sally is okay and the attachment is secure because Aunt Sally sent it. Not necessarily. Aunt Sally may not have good security; she has malware and it's included in what she sends you.

Keep the Eset Suite; it has Antivirus, Antispyware, Antispam and Personal Firewall. I use Nod32 also, but consider adding at least one more spyware/adware program. A very good deterrent is SpywareBlaster; it's free and it's good:
http://www.javacoolsoftware.com/spywareblaster.html
 
Thank you, that was actually the answer I expected. I will try to be more careful in what I get from the internet.

I downloaded SpywareBlaster and will install it ASAP. I had personally heard of Ad-Aware and of Spybot Search & Destroy; are these programs out of date?

I've also heard of using a virtual machine to test files you are not sure of; I'm afraid that way of doing it isn't easy and is only for VERY advanced users.
What I should do is "not sure" = TRASH

Thanks again for all the time you spent on my problem.

I'll try to inform my friends as well as I can and in case of trouble I will recommend Techspot.com
 
Thank you for your confidence. When a cleaning goes well, without having to keep running additional programs, it is always best.

As for your question:
What I should do is "not sure" = TRASH
Technically, my Rule of Thumb when you're not sure is to do nothing initially. Instead, identify the file using a search engine and/or do a right click on the file> Properties and look for additional information. Only then will you be able to decide if it is 'trash.'
 
Bad surprise ? I'm not sure.

I had Spybot S&D installed on my computer, so I was curious and ran a scan:

What surprised me is that it found 2 Virtumonde files and another malware.

As recommended, I disconnected from the internet before cleaning and corrected this problem.

Then I rebooted, still without internet, and performed another scan: nothing left.
I then reconnected to the internet.

Is it a problem, or are these files harmless leftovers from the previous infection?

I attached the Spybot scan log.

Thanks again
 
Curious! You shouldn't have had any 'left over' malware files. But it says Spybot "fixed" them. Run a scan again with Spybot S&D and follow with a scan with an updated AV. Be sure to delete any files that have been moved to the virus chest or quarantined.
 
The Spybot and antivirus (ESET NOD32) scans yesterday were clean.

I think this whole story is over.

Thank you again
 