Likely Vundo infection

Status
Not open for further replies.

Javamonkey
Hello. I'm currently trying to sort out a PC which has been infected with plenty of malicious code.

It started with persistent ad pop-ups from Internet Explorer, which progressed to Windows Security Alerts saying there were harmful viruses. First thing I did was fire up AD-Aware and let it scan, and deleted the few items it could find, some cookies and a backdoor. After a restart, Windows started up very slowly and the normal wallpaper changed into a black wallpaper disclaiming "Warning. Your computer has been infected with dangerous spyware". I also got a taskbar popup claiming my system had been infected, which would direct me into an ad for what I understand to be a rogue antispyware program, and my task manager at this point had been "disabled by Administrator".

After this I scanned the computer with the Trial Version of Norton Antivirus, which found and apparently deleted some stuff as well.

After this I started following the 8 step guide found on this site. The wallpaper has changed from the flashing warning to plain grey, and the start up is still extremely slow. I've attached the logs you request.

Any help would be greatly appreciated.
 
Hello

P2P software/programs are a major contributor to your infections.

We reserve the right to withdraw our support:
If such programs are found in your logs
Should you not agree to their removal.
As they are normally set to bypass your Firewall and Anti-Virus software, filesharing/P2P programs serve as a constant threat to your computer.

Uninstall:
[BitTorrent DNA] "C:\Program Files\DNA"

If you decide to remove it, reboot, attach new hijackthis log.
 
Looks like it :)

You have two antivirus programs running, ESET(Nod32) and Norton.

Remove one of them from add/remove programs in controlpanel.

Download HostsExpert: http://www.majorgeeks.com/Hoster_d4626.html

Choose one of the servers at Majorgeeks and save the file on your desktop.

Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
Run HostsXpert 4.2 - Hosts File Manager from its new home
Click on "File Handling".
Click on "Restore MS Hosts File".
Click OK on the Confirmation box.
Click on "Make Read Only?"
Click the X to exit the program.

Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Please download Combofix:
http://subs.geekstogo.com/ComboFix.exe

And save to the desktop.

Close all other browser windows.

Please connect all your external hard drives/flash drives before running Combofix, if you have any.

Double-click on the combofix icon found on your desktop.

Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

Combofix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post.
 
Thanks for your help so far, here's the log. It does say that Norton scanning is turned on but I quickly disabled it before the program ran.
 
That's good to hear, unfortunately performance hasn't improved. Rebooting is becoming increasingly slower and more difficult, and google search links are being redirected into ad pages.

Both of the scans found nothing on the files, I've attached a copy + paste of the Additional Information from virustotal.com, hope it's what you need.
 
OK. Update Malwarebytes, run a complete scan, and have it fix what it finds.
Please attach a new HijackThis log, along with the Malwarebytes log.
 
Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Policies\Explorer\Run: [Altap] tskstsh
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Set] fuset.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Set] fuset.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msnmsgr.exe (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msnmsgr.exe (file missing)
…………………………………………………………………………………………..
O17 - HKLM\System\CCS\Services\Tcpip\..\{8640B1D0-7942-4431-8C86-B652997E1F0A}: NameServer = 192.168.1.1 if you don't know this ISP ->>
192.168.0.0 - 192.168.255.255
Internet Assigned Numbers Authority
4676 Admiralty Way, Suite 330
Marina del Rey, CA

Reboot, and tell me if there are any improvements. If not, I suspect the Trial Version of Norton Antivirus is the cause, as Norton hogs resources and slows systems down.

What about replacing Norton with a free antivirus program?
 
Sadly the boot speed still hasn't improved. There's a minute or two of black screen after windows has finished loading, then finally the "welcome" screen pops up. After this the normal background pops up without shortcuts, and after a minute or two the shortcuts appear and the background becomes gray. The PC seems to be running fine otherwise though.

I'd like to replace Norton very much, it doesn't seem to be great and is due to expire anyway. I hear there's a tool for this?

I'm running out of ideas, maybe running a registry cleaner and defragmenting drives could speed things up?
 
Let's remove Norton, and see if that does the trick.

Download the Norton Removal Tool (SymNRT) to your Desktop:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

Once downloaded please close ALL open browsers, and also save any work because this may require a restart.

Go to your desktop and double click on the removal tool and then click Setup.
Once open Click Next
Accept the license agreement and click Next
Type in the letters/numbers that you see into the text box then click Next.
Then click Next and the tool will start running.
Once finished restart the PC and run the tool again to ensure everything has been removed.
Delete the Norton Removal Tool from your Desktop.
Restart

Install Avira Free AntiVirus, from here ->
Avira
Or: Avast

Download and run Pagedefrag:
http://technet.microsoft.com/en-us/sysinternals/bb897426.aspx

(A dot in - Defrag on next boot)

See if it has improved boot speed.
 
I ran the defrag tool and changed the background to normal. Either of those seemed to restore the boot speed to normal, so thank you. :)

However, after running a full scan with Avira it revealed a whole bunch of stuff. I've deleted them all from quarantine, but at least the Vundo.Gen trojan seems to be reappearing. I've attached a log of the scan.

EDIT: I did remove Norton as per your advice before installing Avira.
 
Here are the logs.

Every google search link is being redirected, and I can't seem to get rid of ESET NOD32. I can't even locate it on the computer, and I've removed it with the windows uninstall tool, yet its scanner seems to be active.
 
Sorry for the shameless bump! I'm just wondering whether my logs are clean or not, and if you could maybe tell me how to clear up the last remnants of NOD32...?

Everything seems to be working okay, deleted stuff from Malwarebytes' quarantine folder and it seemed to fix the redirect problem, at least for now.
 
Hello again! I think I've gotten rid of NOD, but it seems the PC isn't clean still. :( Some websites won't load at all, and bookmarks + google search links get redirected to ad sites. I've attached a hijackthis log.
 