Likely Vundo infection

By Javamonkey · 18 replies
May 3, 2009
  1. Hello. I'm currently trying to sort out a PC which has been infected with plenty of malicious code.

    It started with persistent ad pop-ups from Internet Explorer, which progressed to Windows Security Alerts saying there were harmful viruses. First thing I did was fire up AD-Aware and let it scan, and deleted the few items it could find, some cookies and a backdoor. After a restart, Windows started up very slowly and the normal wallpaper changed into a black wallpaper disclaiming "Warning. Your computer has been infected with dangerous spyware". I also got a taskbar popup claiming my system had been infected, which would direct me into an ad for what I understand to be a rogue antispyware program, and my task manager at this point had been "disabled by Administrator".

    After this I scanned the computer with the Trial Version of Norton Antivirus, which found and apparently deleted some stuff as well.

    After this I started following the 8 step guide found on this site. The wallpaper has changed from the flashing warning to plain grey, and the start up is still extremely slow. I've attached the logs you request.

    Any help would be greatly appreciated.
  2. touch

    touch TS Rookie Posts: 978


    P2P software/programs are a major contributor to your infections.

    We reserve the right to withdraw our support:
    If such programs are found in your logs
    Should you not agree to their removal.
    As they are normally set to bypass your Firewall and Anti-Virus software,
    filesharing/P2P programs serve as a constant threat to your computer.

    [BitTorrent DNA] "C:\Program Files\DNA

    If you decide to remove it, reboot, attach new hijackthis log.
  3. Javamonkey

    Javamonkey TS Rookie Topic Starter

    It should be gone now, here's the new log file.
  4. touch

    touch TS Rookie Posts: 978

    Looks like it :)

    You have two antivirus programs running, ESET(Nod32) and Norton.

    Remove one of them from Add/Remove Programs in Control Panel.

    Download HostsExpert:

    Choose one of the servers at the file on your desktop

    Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
    Run HostsXpert 4.2 - Hosts File Manager from its new home
    Click on "File Handling".
    Click on "Restore MS Hosts File".
    Click OK on the Confirmation box.
    Click on "Make Read Only?"
    Click the X to exit the program.

    Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

    Please download Combofix:

    And save to the desktop.

    Close all other browser windows.

    Please connect all your external hard drives/flash drives before running Combofix, if you have any.

    Double-click on the combofix icon found on your desktop.

    Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

    Combofix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please attach it to your next post.
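The "Restore MS Hosts File" and "Make Read Only?" steps above exist because a hijacked hosts file can silently point security-vendor or search domains at an address of the attacker's choosing. The following audit script is an added example, not part of the thread and not code from HostsXpert; the sample hosts file, the `.test` domain names and the TEST-NET address in it are constructed for the demonstration. It reports any name mapped to something other than a loopback or unspecified address (the stock Microsoft hosts file only ever maps `localhost`), and checks whether the file carries the read-only bit.

```python
"""Audit a hosts file for redirect entries and the read-only attribute.

Added example (not from the thread): block entries (127.0.0.1 / 0.0.0.0 / ::1)
are harmless, but any name pointed at a real address is a redirect that the
stock Microsoft hosts file never contains.
"""
import ipaddress
import os
import stat
import sys

# Constructed sample: a stock-looking hosts file with two injected redirects.
# The .test names and 198.51.100.0/24 (TEST-NET-2) are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example-tracker.test      # harmless block entry
198.51.100.23   www.example-av-vendor.test    # redirect: suspicious
198.51.100.23   update.example-av-vendor.test
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a valid address; ignore the line
        for name in names:
            yield ip, name.lower()


def find_redirects(text):
    """Return [(hostname, ip)] for entries that point a name at a real host.

    Loopback and unspecified targets are block entries and are skipped; any
    other target is a redirect and is reported.
    """
    hits = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        hits.append((name, ip))
    return hits


def is_read_only(path):
    """True if the owner write bit is clear (what 'Make Read Only?' sets)."""
    mode = os.stat(path).st_mode
    return not (mode & stat.S_IWUSR)


def default_hosts_path():
    """Hosts file location for the current platform."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else default_hosts_path()
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    for name, ip in find_redirects(text):
        print(f"REDIRECT  {name:45s} -> {ip}")
    print("read-only:", is_read_only(path))
```

Run it without arguments to audit the live hosts file, or pass a path to audit a copy taken from the infected machine. Entries that redirect a vendor's update or download domain are the ones that keep a cleanup from finishing, because the tools can no longer fetch definitions.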
  5. Javamonkey

    Javamonkey TS Rookie Topic Starter

    Thanks for your help so far, here's the log. It does say that Norton scanning is turned on but I quickly disabled it before the program ran.
  6. touch

    touch TS Rookie Posts: 978

  7. Javamonkey

    Javamonkey TS Rookie Topic Starter

    That's good to hear, unfortunately performance hasn't improved. Rebooting is becoming increasingly slower and more difficult, and google search links are being redirected into ad pages.

    Both of the scans found nothing on the files, I've attached a copy + paste of the Additional Information from, hope it's what you need.
  8. touch

    touch TS Rookie Posts: 978

    Ok. Update Malwarebytes, run a complete scan, and have it fix what it finds.
    Please attach a new HijackThis log, along with the Malwarebytes log.
  9. Javamonkey

    Javamonkey TS Rookie Topic Starter

    Here are the two logs. It seems Malwarebytes didn't find anything.
  10. touch

    touch TS Rookie Posts: 978

    Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Policies\Explorer\Run: [Altap] tskstsh
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [Set] fuset.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [Set] fuset.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msnmsgr.exe (file missing)
    O9 - Extra 'Tools' menuitem: MSN Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msnmsgr.exe (file missing)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8640B1D0-7942-4431-8C86-B652997E1F0A}: NameServer = if you don't know this ISP ->> -
    Internet Assigned Numbers Authority
    4676 Admiralty Way, Suite 330
    Marina del Rey, CA

    Reboot, and tell me if there are any improvements. If not, I suspect the Trial Version of Norton Antivirus is the cause, as Norton hogs resources and slows systems down.

    What about replacing Norton with a free antivirus program?
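The entries in the HijackThis list above share a few recognisable traits: autostart (O4) commands given as a bare filename with no path, BHO (O2) and toolbar (O9) entries whose target file no longer exists, and a per-interface NameServer (O17) that does not belong to the user's ISP. The script below is an added example, not part of the thread and not code from HijackThis; it applies those three checks to a constructed sample log modelled on the lines quoted above. The allow-list of expected resolvers and the TEST-NET addresses in the O17 lines are placeholders; the real check would use the resolvers the ISP actually hands out.

```python
"""Triage HijackThis O2/O4/O9/O17 lines with three defensive heuristics.

Added example (not HijackThis's own logic): flags autostart commands with no
path, orphaned BHO/toolbar entries, and NameServer values outside an allow-list.
"""
import re

# Constructed allow-list: the resolvers the owner's ISP actually hands out.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed sample modelled on the entries quoted in the thread; the O17
# addresses are TEST-NET placeholders, not real nameservers.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Policies\Explorer\Run: [Altap] tskstsh
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Set] fuset.exe (User 'SYSTEM')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msnmsgr.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{8640B1D0-7942-4431-8C86-B652997E1F0A}: NameServer = 203.0.113.5,203.0.113.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.0.2.53
"""

_USER_SUFFIX = re.compile(r" \(User '[^']*'\)$")
_O4 = re.compile(r"^O4 - (?P<key>[^:]+): (?P<rest>.*)$")
_O17 = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")


def _o4_command(rest):
    """Extract the command from an O4 entry ('[name] cmd' or 'x.lnk = cmd')."""
    rest = _USER_SUFFIX.sub("", rest)
    if rest.startswith("[") and "] " in rest:
        return rest.split("] ", 1)[1]
    if " = " in rest:
        return rest.split(" = ", 1)[1]
    return rest


def is_bare_command(cmd):
    """True if the executable is named without any directory component."""
    exe = cmd.strip().strip('"').split(" ")[0]
    return exe != "" and "\\" not in exe and "/" not in exe


def triage(log_text):
    """Return [(section, reason, line)] for entries matching a heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section in ("O2", "O9") and (
            line.endswith("(no file)") or line.endswith("(file missing)")
        ):
            findings.append((section, "orphaned entry: target file does not exist", line))
        elif section == "O4":
            m = _O4.match(line)
            if m and is_bare_command(_o4_command(m.group("rest"))):
                findings.append((section, "autostart command has no path (resolved via PATH at logon)", line))
        elif section == "O17":
            m = _O17.match(line)
            if m:
                unknown = [s for s in re.split(r"[,\s]+", m.group("servers"))
                           if s and s not in EXPECTED_RESOLVERS]
                if unknown:
                    findings.append((section, "NameServer not in expected resolvers: " + ", ".join(unknown), line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n      {line}")
```

The heuristics are deliberately narrow: a legitimate autostart almost always carries a full path, an orphaned BHO or toolbar entry is dead weight at best, and an unexpected NameServer on the adapter is the classic cause of the search redirects reported later in this thread. A hit is a reason to look at the entry, not proof on its own; the CTFMON lines, for instance, pass all three checks even though the helper above also listed them for removal.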
  11. Javamonkey

    Javamonkey TS Rookie Topic Starter

    Sadly the boot speed still hasn't improved. There's a minute or two of black screen after windows has finished loading, then finally the "welcome" screen pops up. After this the normal background pops up without shortcuts, and after a minute or two the shortcuts appear and the background becomes gray. The PC seems to be running fine otherwise though.

    I'd like to replace Norton very much, it doesn't seem to be great and is due to expire anyway. I hear there's a tool for this?

    I'm running out of ideas, maybe running a registry cleaner and defragmenting drives could speed things up?
  12. touch

    touch TS Rookie Posts: 978

    Let's remove Norton, and see if that can do the trick.

    Download the Norton Removal Tool (SymNRT) to your Desktop.
    Once downloaded please close ALL open browsers, also save any work because this may require a restart.

    Go to your desktop and double click on the removal tool and then click Setup.
    Once open Click Next
    Accept the license agreement and click Next
    Type in the letters/numbers that you see into the text box then click Next.
    Then click Next and the tool will start running.
    Once finished restart the PC and run the tool again to ensure everything has been removed.
    Delete the Norton Removal Tool from your Desktop.

    Install Avira Free AntiVirus, from here ->
    Or: Avast

    Download and run Pagedefrag:

    (Put a dot in "Defrag on next boot".)

    See if it has improved boot speed.
  13. Javamonkey

    Javamonkey TS Rookie Topic Starter

    I ran the defrag tool and changed the background to normal. Either of those seemed to restore the boot speed to normal, so thank you. :)

    However, after running a full scan with Avira it revealed a whole bunch of stuff. I've deleted them all from quarantine, but at least the Vundo.Gen trojan seems to be reappearing. I've attached a log of the scan.

    EDIT: I did remove Norton as per your advice before installing Avira.
  14. touch

    touch TS Rookie Posts: 978

    Ok. Please attach new combofix log, along with new hijackthis log
  15. Javamonkey

    Javamonkey TS Rookie Topic Starter

    Here are the logs.

    Every google search link is being redirected, and I can't seem to get rid of ESET NOD32. I can't even locate it on the computer, and I've removed it with the windows uninstall tool, yet its scanner seems to be active.
  16. Javamonkey

    Javamonkey TS Rookie Topic Starter

    Sorry for the shameless bump! I'm just wondering whether my logs are clean or not, and if you could maybe tell me how to clear up the last remnants of NOD32...?

    Everything seems to be working okay, deleted stuff from Malwarebytes' quarantine folder and it seemed to fix the redirect problem, at least for now.
  17. touch

    touch TS Rookie Posts: 978

  18. Javamonkey

    Javamonkey TS Rookie Topic Starter

    Hello again! I think I've gotten rid of NOD, but it seems the PC isn't clean still. :( Some websites won't load at all, and bookmarks + google search links get redirected to ad sites. I've attached a hijackthis log.
  19. touch

    touch TS Rookie Posts: 978
