Possible WinFixer Infection

Status
Not open for further replies.

M0ntG0M3rY

Posts: 48   +0
Possible VirtuMonde/WinFixer Infection

Hi everyone, I'm new here!

I'm experiencing a problem with VirtuMonde/WinFixer, presumably.
I've tried fixing the problem using VundoFix as outlined here: http://wiki.castlecops.com/Malware_Removal:_Virtumundo, but the infected files would be re-downloaded and appear in the system again under other names.

Here are my HiJackThis and ComboFix logs. AVG Anti-Rootkit Free in-depth scan didn't find anything suspicious.

Any help and suggestions will be highly appreciated! :)

EDIT: Sorry, just realized I hadn't followed the 15 steps thoroughly. Will re-post logs again as soon as I'm finished with those steps.
 
OK, this time the only thing I didn't do was that I skipped the online scan, and also I did AVG Internet Security scan instead of AVG Anti-Spyware scan.

Everything else is done following the instructions precisely. And it seems the problem is solved, at least there are no pop-ups now.

Here are my logs, anyway. Any suggestions will be appreciated! :)

In addition to these logs, I should say that AVG Anti-Rootkit scan revealed nothing, and AVG Internet Security Scan said the only malware was the "hacker tool" SmitfraudFix :) , and Ad-Aware scan only showed tracking cookies.
 
HJT log looks very good. Check the IP addresses in the O17 entries to see if you know them.
 
thank you!

IP addresses 207.172.3.8, 207.172.3.9 belong to my ISP; they are the primary & secondary DNS servers.

160.92.121.6 belongs to Atos Worldline Primary IPv4 Subnet, and I have never heard of it...
 
It looks to me as if ComboFix took care of the Vundo infection.

Please run HijackThis and do a system scan. Place a check in the box next to the following entry (if there):

O17 - HKLM\System\CCS\Services\Tcpip\..\{C0D45C7C-9169-4B1B-B141-0B8B6BEC1B8B}: NameServer = 160.92.121.6

Close all open programs except HijackThis and then click the Fix Checked button. Once it's done fixing, close HijackThis.

Do you normally access the Web through a proxy server?

Please rerun HijackThis and ComboFix and post their fresh logs.

Regards :)
 
Thanks for the answer! :)

Will do as soon as I get home.

No, I don't use a proxy server, but I believe it's in Internet Options, unchecked - I used it before for some needs. If you uncheck it without deleting it, the browser will keep the IP address there. I will delete it and see if it's still in the log or not.
 
Once you have completed the clean up, empty the quarantine folders and, in addition, I find it best to clear old restore points, defrag and create new ones.
This is a new one to your log and should be fixed unless kitty500cat disagrees: O1 - Hosts: 63.223.70.253 tc-boxing.com
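The two entry types discussed in the last few posts (the O17 NameServer line that kitty500cat asked to have fixed, and the O1 Hosts line flagged above) are exactly the ones worth checking mechanically against a known-good list rather than by eye. The following is an added example, not code from the thread or from HijackThis: it parses O1 and O17 lines out of a constructed HijackThis log excerpt and reports any NameServer not on the user's confirmed ISP list and any hosts mapping that does not point at loopback. The 207.172.3.x and 160.92.121.6 addresses, the first GUID and the tc-boxing.com entry come from this thread; the second GUID and the O4 line are made up for the sample.

```python
import re
from typing import Dict, List

# Constructed sample of a HijackThis log (added example; not the thread's real
# log). The first O17 GUID, the 160.92.121.6 / 207.172.3.x addresses and the
# O1 hosts entry are values discussed in the thread; the second GUID is made up.
SAMPLE_HJT_LOG = r"""
O1 - Hosts: 63.223.70.253 tc-boxing.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0D45C7C-9169-4B1B-B141-0B8B6BEC1B8B}: NameServer = 160.92.121.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 207.172.3.8,207.172.3.9
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"""

# DNS servers the user confirmed as belonging to their ISP (from the thread).
TRUSTED_DNS = {"207.172.3.8", "207.172.3.9"}
# Hosts-file targets that are normal: loopback and the null route.
BENIGN_HOSTS_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O17_RE = re.compile(r"^O17 - (.+?):\s*NameServer\s*=\s*(.+)$")


def parse_hjt(log_text: str) -> List[Dict[str, str]]:
    """Extract O1 (hosts) and O17 (NameServer) entries from HijackThis log text."""
    entries: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O1_RE.match(line)
        if m:
            entries.append({"type": "O1", "target": m.group(1), "host": m.group(2)})
            continue
        m = O17_RE.match(line)
        if m:
            # A single O17 line may list several comma-separated servers.
            for server in m.group(2).split(","):
                entries.append({"type": "O17", "key": m.group(1), "server": server.strip()})
    return entries


def review(entries: List[Dict[str, str]],
           trusted_dns=TRUSTED_DNS,
           benign_targets=BENIGN_HOSTS_TARGETS) -> List[str]:
    """Return one finding per entry that points somewhere not on the allowlist."""
    findings = []
    for e in entries:
        if e["type"] == "O17" and e["server"] not in trusted_dns:
            findings.append(
                f"O17: NameServer {e['server']} is not a known ISP DNS server ({e['key']})")
        elif e["type"] == "O1" and e["target"] not in benign_targets:
            findings.append(
                f"O1: hosts maps {e['host']} -> {e['target']}; confirm this was set on purpose")
    return findings


if __name__ == "__main__":
    for finding in review(parse_hjt(SAMPLE_HJT_LOG)):
        print(finding)
```

Run against the sample it reports the 160.92.121.6 NameServer (unknown to the user, so it stays a finding) and the tc-boxing.com mapping (which the user later explains was entered by hand, so it would be cleared by adding 63.223.70.253 to the allowlist for that host). The ISP servers 207.172.3.8 and 207.172.3.9 produce nothing.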
 
Please download the file CFScript.txt attached to my post and save it to the same folder as ComboFix.

Referring to the image below, drag the CFScript.txt that you just downloaded over onto ComboFix.exe and release.

[Image: CFScript.gif]

This will ask ComboFix to execute the instructions within my file. Let ComboFix run normally and do its job. Attach the resultant log in your next reply, as well as a fresh HijackThis log.

Regards :)
 

Attachments

  • CFScript.txt
    180 bytes · Views: 5
thank you very much to you both!

tc-boxing is a manually entered line in the hosts file - I put it there myself when there were some DNS problems and I couldn't connect to this bittorrent tracker. I was renewing the hosts file a day ago; that's why this entry didn't appear in the first HJT scan.

I have a question about Messenger Plus! Its installation comes with the option "refuse sponsor support" - if this option is chosen, I believe (though I'm not 100% sure) Messenger Plus! doesn't install any malicious software. I really like the additional functionality given by this add-on and would prefer to keep it. I've used it for quite a long time, two years probably, and had no problem with it. What do you think about this?

Edited by Moderator: No need for a double post if there are no replies between your current post and the last post, unless bumping the thread. In that case, please wait at least 24 hours before doing so. Otherwise, simply use the "Edit post" button instead.

kitty500cat said:
Do you know anything about this? > C:\WundF1x.exe
No, have no idea.
 
M0ntG0M3rY said:
I have a question about Messenger Plus! Its installation comes with the option "refuse sponsor support" - if this option is chosen, I believe (though I'm not 100% sure) Messenger Plus! doesn't install any malicious software. I really like the additional functionality given by this add-on and would prefer to keep it. I've used it for quite a long time, two years probably, and had no problem with it. What do you think about this?
If you've never had any problems with Messenger Plus!, I suppose you can keep it. If you did refuse the sponsor support, you should be good to go. And since you haven't experienced any problems with it, it sounds okay.

Please navigate to www.virustotal.com.

Click the Choose... button.

Navigate to the following file:

C:\WundF1x.exe

Click Open. Then click Send File.

Wait until it's done scanning, then copy and paste the results into a Notepad file and save it on your computer. Attach the file in your next reply, as well as fresh HijackThis and CFScript logfiles per the instructions in my last post.

Regards :)

P.S. You don't need to remove the Hosts file entry since you know that it's safe.
 
Thank you! Will do.

I still have a question though.
kitty500cat said:
Attach the file in your next reply, as well as fresh HijackThis and CFScript logfiles per the instructions in my last post.

The CFScript file has the following:
Folder::
C:\Program Files\MessengerPlus! 3
Since I opted to keep MessengerPlus!, should I delete these entries before feeding ComboFix with CFScript?
 
I have altered the instructions and the CFScript in my post above (from 7:44 AM today). Please follow those instructions.

Regards :)
 
Thank you!

Here are my logs.

WundF1x.exe appears to be exactly the same file as VundoFix.exe with a changed name. All attributes are the same: size, icon, everything. I don't remember renaming it though, but maybe it's a mental block :) Well, I deleted this file.
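Matching size and icon, as in the post above, is not enough to say two executables are the same file: a modified copy can keep both. The check a practitioner would do before deleting (and the value VirusTotal keys its reports on, so it can be looked up again later without re-uploading) is a content hash. The following is an added example, not code from the thread: it hashes files in chunks, compares two paths by size and by SHA-256, and runs a constructed demonstration with a renamed copy and a same-size lookalike. The file names and contents are made up stand-ins, not the real VundoFix.exe.

```python
import hashlib
import os
import tempfile
from typing import Dict


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large executables need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_files(path_a: str, path_b: str) -> Dict[str, object]:
    """Report whether two files match by size and by content hash."""
    digest_a, digest_b = sha256_file(path_a), sha256_file(path_b)
    return {
        "same_size": os.path.getsize(path_a) == os.path.getsize(path_b),
        "same_hash": digest_a == digest_b,
        "sha256_a": digest_a,
        "sha256_b": digest_b,
    }


def demo() -> Dict[str, bool]:
    """Constructed stand-in files: a renamed copy and a same-size lookalike.

    'VundoFix.exe' and 'WundF1x.exe' here are just labels for temp files with
    made-up content; they are not the real tool.
    """
    original = b"MZ" + b"\x90" * 60 + b"VundoFix sample body (constructed)"
    with tempfile.TemporaryDirectory() as tmp:
        a = os.path.join(tmp, "VundoFix.exe")
        b = os.path.join(tmp, "WundF1x.exe")
        c = os.path.join(tmp, "lookalike.exe")
        # Same bytes under a new name, and a copy with one byte changed.
        for path, content in ((a, original), (b, original), (c, original[:-1] + b"!")):
            with open(path, "wb") as fh:
                fh.write(content)
        renamed = compare_files(a, b)
        lookalike = compare_files(a, c)
    return {
        "renamed_copy_same_hash": bool(renamed["same_hash"]),
        "lookalike_same_size": bool(lookalike["same_size"]),
        "lookalike_same_hash": bool(lookalike["same_hash"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The renamed copy hashes identically; the lookalike has the same size but a different digest, which is the case the attribute comparison in the post would miss. Keeping the digest of a file you suspect lets you check it against VirusTotal later even after the file is gone.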
 
Hi,

Download the attached "CFScript.txt" (from my attachment) and save it to the same folder as Combofix.

Referring to the image below, drag the CFScript.txt that you downloaded earlier over on to Combofix.exe and release.

[Image: CFScript.gif]

This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.

Thereafter, please post fresh HJT and AVG Antispyware logs from normal mode and the ComboFix log from the safe mode instructions as attachments into this thread.

PS. It appears you use WildTangent Games. Several of their users have had a history of being infected by trojans from the games downloaded from WildTangent. I would suggest you uninstall and remove anything related to it.


Regards,
Your friendly momok =)

This thread is for the use of M0ntG0M3ry only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
thanks Momok for your attention!

A question. I use AVG 7.5 Internet Security and never installed AVG Antispyware. Can I substitute AVG 7.5 Internet Security scan for AVG Antispyware?
 
Hi,

I would still recommend you get AVG Antispyware as it has its role to play in our cleaning instructions. Several times it picks out hidden files and processes and appropriately quarantines them; it's a real gem I would recommend you get even if you were not infected.

Regards,
Your friendly momok =)

This thread is for the use of M0ntG0M3rY only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi,

Please download and run CCleaner via step 9 of the instructions HERE.

Apart from that, your logs appear to be clean already.

  1. Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)
    You may also delete the C:\avenger and C:\VundoFix Backups folder and its contents.

  2. Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

  3. After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

  4. Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend that you read this article.
    This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
Your friendly momok =)

This thread is for the use of M0ntG0m3rY only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I need a little consultation :)

After I've finished cleaning my computer everything is fine with it, but there's just a little issue.

I usually use Firefox, but sometimes websites have some services that only work with IE. So yesterday I had to use IE to access something that only worked with IE, and I couldn't use it: whenever I put a URL into the IE address bar, Firefox would start and proceed to open the URL in FF's window.

I would like to know what causes this and how I can change this.

Thank you!
 
Make sure that FF is closed down and try selecting IE as the default browser. See if that does it.
 