Removing Trojan Vundo and many others

Status
Not open for further replies.

Raquel_99

I have followed all of your preliminary removal instructions for spyware/malware and have attached the appropriate logs. The antirootkit scan showed no problems.

Symptoms are as follows: The computer is excruciatingly slow, numerous pop-ups will not allow use of the internet, the desktop photo is gone though it appears after the splash screen, there is a big red X showing as the icon for the c: drive, Norton Antivirus keeps being disabled though I've reinstalled it several times, and installation and running of programs is ridiculously slow.

I've updated to XP SP2 and the new IE7 with pop-up blocker. I've supposedly removed Vundo and about 123 other trojans several times, but they keep coming back. I'm desperate. I've disconnected the computer from the internet completely and hope you can help me.

I'm familiar with computers but am a novice at removing spyware. Please be detailed with any instructions.

Thank you in advance for your assistance.
 
My first, best advice to you is to read the stickies at the top of this forum by Julio. There is some great, sound advice, plus I know there will be knowledgeable people that will help as well.

And when your machine is clean again there are much better options than Norton for protection that you can explore. Are you running behind a router?
 
This has been going around a lot lately. I am not sure where everyone is picking it up. You are infected with a set of programs that pose as anti-malware; if you scan with them, they will even find viruses that aren't real. They will say you have to buy their software to remove the fake threats. Needless to say, DO NOT PURCHASE THEIR SOFTWARE.

Now, with that out of the way. These are not fun to remove, as this is the 3rd one today I have seen.

Go to Start -> control panel -> add/remove programs-> Remove the following:
SpyGuardPro
WebRebates
TopSearch
My Web Search
BullsEye Network


Run Smitfraudfix
  • Download Smitfraudfix by S!ri from HERE
  • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
  • Double-click SmitfraudFix.exe
  • Select 2 and hit Enter to delete infected files.
  • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
  • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Afterwards, please run ComboFix again and attach a log as well as rapport.txt.
 
Follow-up

Thank you both for responding so quickly.

In answer to Route44:
There is no router. What are these better options for protection that you mention?

In response to Blind Dragon:
I could not find any of the five programs you mentioned listed in add/remove programs or in CCleaner.

Rapport.txt and the new ComboFix log are attached as instructed.

I keep getting Norton AV messages saying "unexpected error occurred." Should I re-install it again now or wait until the computer is clean?

It still takes about 4.5 minutes for Windows to load fully.
 
Wait until the computer is clean. When you are clean run out and get yourself a good router. Netgear and Linksys are both good, but others may tell you some other options as well.

Routers are your first, best defense for protection.

Second, there are some very nice free anti-virus programs for home users that are very good: Antivir, Avast and AVG, to name a few. They also have paid versions as well.

For pay: Kaspersky and NOD32, though NOD32 takes some configuration. Both have excellent detection rates.

Anti-spyware: AVG and SUPERAntiSpyware, to name just two. There are others.

Firewalls that are free and excellent: Comodo 3 and Online Armor.

* Some work with Vista, others haven't quite got there yet so make sure they'll work with your operating system.

* Read here on this forum and notice the advice given.

* Keep following Blind Dragon's instructions. The man knows what he is talking about.
 
Download FindAWF and save it to your desktop.
· Double-click on the FindAWF.exe file to run it.
· It will open a command prompt and ask you to "Press any key to continue".
· Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
· It may take a few minutes to complete so be patient.
· When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
· Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.
 
This was the result of the scan:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Wed 02/27/2008
The current time is: 23:09:32.95

bak folders found
~~~~~~~~~~~

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

end of report
 
That's a good thing; I was concerned about some of the backup folders.
-----------------------------------------------------------------------------------------------------------
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\mrofinu572.exe
c:\windows\totaj.exe
c:\temp\salm.exe
C:\Program Files\Common Files\AOL\1164130721\ee\AOLSoftware.exe

Folder::
C:\Program Files\WebRebates4
C:\Program Files\TopSearch
C:\PROGRA~1\MYWEBS~1
C:\Program Files\Media Gateway
C:\Program Files\Rytcyf
C:\Program Files\BullsEye Network

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50A0223D-3944-440D-953D-A00527628BBB}]
C:\WINDOWS\System32\awvtq.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network]
C:\Program Files\BullsEye Network\bin\bargains.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gugqjsvp]
C:\Program Files\Rytcyf\Guvjhqy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-05-09 19:24 50760 C:\Program Files\Common Files\AOL\1164130721\ee\AOLSoftware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Gateway]
C:\Program Files\Media Gateway\MediaGateway.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\salm]
c:\temp\salm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TopSearch]
C:\Program Files\TopSearch\TopSearch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\totaj]
c:\windows\totaj.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webrebates]
C:\Program Files\WebRebates4\webrebates.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"runner1"=C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

And just as a reminder for myself, we are going to fix that red X soon.
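The CFScript format used above is plain text with `File::`, `Folder::` and `Registry::` headers, and the helper stresses that the first header must be on line 1 with no blank line above it and no space in front of it. As an added example (not ComboFix's own code and not part of the thread), the Python below parses such a script into its sections and flags exactly those formatting mistakes before the script is dragged onto ComboFix; the sample script inside it is constructed from paths quoted in the thread.

```python
"""Parse and sanity-check a ComboFix CFScript.txt before it is used.

Added example for this thread, not ComboFix's own code. It models the three
section headers the helper uses (File::, Folder::, Registry::) and enforces
the formatting rule stressed above: the first header must sit on line 1,
with no blank line above it and no space in front of it. The sample script
below is constructed from paths that appear in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^(File|Folder|Registry)::$")
# ComboFix lists a registry key in square brackets, followed by the
# value lines that belong to it.
REG_KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+\\.*)\]$")


@dataclass
class CFScript:
    files: list[str] = field(default_factory=list)
    folders: list[str] = field(default_factory=list)
    registry: dict[str, list[str]] = field(default_factory=dict)
    problems: list[str] = field(default_factory=list)


def parse_cfscript(text: str) -> CFScript:
    """Split the script into its sections and record formatting problems."""
    script = CFScript()
    lines = text.splitlines()
    # The first line must be a section header itself: a leading blank line
    # or a leading space is the mistake the thread warns about.
    if not lines or not SECTION_RE.match(lines[0]):
        script.problems.append("line 1 must be a section header such as File::")
    section = None
    current_key = None
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            if raw.lstrip() != raw:
                script.problems.append(f"line {lineno}: header {line} is indented")
            section = header.group(1)
            current_key = None
            continue
        if section == "File":
            script.files.append(line)
        elif section == "Folder":
            script.folders.append(line)
        elif section == "Registry":
            key = REG_KEY_RE.match(line)
            if key:
                current_key = key.group(1)
                script.registry.setdefault(current_key, [])
            elif current_key is None:
                script.problems.append(f"line {lineno}: value listed before any [key]")
            else:
                script.registry[current_key].append(line)
        else:
            script.problems.append(f"line {lineno}: content before the first header")
    return script


# Constructed sample built from entries quoted in the thread.
SAMPLE = r"""File::
C:\WINDOWS\mrofinu572.exe
c:\windows\totaj.exe
c:\temp\salm.exe

Folder::
C:\Program Files\WebRebates4
C:\Program Files\TopSearch

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50A0223D-3944-440D-953D-A00527628BBB}]
C:\WINDOWS\System32\awvtq.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\totaj]
c:\windows\totaj.exe
"""


if __name__ == "__main__":
    result = parse_cfscript(SAMPLE)
    print(f"{len(result.files)} files, {len(result.folders)} folders, "
          f"{len(result.registry)} registry keys, problems: {result.problems or 'none'}")
```

Running the check on a script that starts with a blank line, or whose `File::` is indented, reports the problem instead of silently producing a script that ComboFix would partly ignore.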
 
Thank you for your continued help, Blind Dragon. I don't know how you manage to help so many of us, but we appreciate it. :cool:

I've attached the requested files. I hope the CF file is okay. Comodo caused it to hang, and I had to re-run it.
 
Crap Cleaner
  • Download from HERE
  • Close all browsers.
  • Run the program and make sure all the boxes are ticked under the Windows and Applications tabs. Also check all Advanced tabs (except for the Old Prefetch Data option, which should be unticked).
  • Click the run cleaner button. Do this several times


-----------------------------------------------------------------------------------------------------------
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Folder::
C:\Program Files\Dot1XCfg

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

--------------------------------------------------------------------------------------------------------
Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run Hijackthis and Select Do A System Scan Only
Put a check mark next to the following entries:

R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
O2 - BHO: (no name) - {50A0223D-3944-440D-953D-A00527628BBB} - C:\WINDOWS\System32\awvtq.dll (file missing)
O8 - Extra context menu item: &Search - ?p=ZJxdm088MGUS
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)


Select Fix checked

Reboot the computer into Normal Mode

Run a new Hijackthis scan after reboot

After you are back in normal mode please post Combofix.txt and a new Hijackthis log
 
Although I checked twice, when I ran HJT in Safe Mode, the following two items did not appear on the list of things to check (though they do appear in the log):
R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
O8 - Extra context menu item: &Search - ?p=ZJxdm088MGUS

I did see these two items in the list of things to check when I ran HJT in normal mode. However, I will do nothing with them until so instructed.

Attached are the requested logs. Thank you!
 
Go ahead and fix these 2 from Normal Mode
R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
O8 - Extra context menu item: &Search - ?p=ZJxdm088MGUS



This one is optional (remove from Safe Mode):
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
"Slyware" file used to surreptitiously monitor one's actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers.

If you want you can fix this one from Safe Mode, then navigate and delete
C:\windows\system32\ALCXMNTR.EXE while still in safe mode.


* Your logs are looking a lot better; I am going to have somebody double-check them.
 
The three items have been removed, and the HJT log is attached in case you need it.

The computer is still running slowly, and it still takes 4.5 minutes to load Windows. Once the spyware and trojans are completely removed, is there something else that needs to be done to restore the speed it had before the infection?

Also, I read that java needs to be updated, as an old version can lead to re-infection. Is this true?

Thank you for your help!
 
Can you post the log from Normal Mode?

and if you want to remove Norton Anti-virus that should speed up the system, let me know if you want to do this and I will give instructions to get it off of there. It eats a lot of resources.
 
The HJT from normal mode is attached as requested.

I can remove Norton, but I'll need to replace it with another AV program. Do you have any suggestions for one that uses less resources?

Also, Comodo seems to take a very long time to load. Is there any way to speed that up?
 
You could use Avast! or AVG Free; both are very good.

How long does Comodo take to load up? You may find that once the system is clean and Norton is gone (good riddance) it may speed up a bit.

EDIT: Also, HERE is a link with tips to speed up XP once the system is clean; hope it's useful for you.
 
I have removed Norton AV with the removal tool. Windows and Comodo now load in about 2.5 minutes (better but still slow). Other programs are still sluggish. Is the computer now completely clean? Also, what do I do about the red X for the c: drive and the desktop photo that will not appear?
 
The desktop photo you will have to set up again, just like before, it should be in the same folder you had it in.

--------------------------------------------------------------------------------------------------------------
As for the red X
Start -> Run -> Paste what is in the code box below
cmd /c Reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons" /s >find.txt && find.txt

Show me what opens in notepad
--------------------------------------------------------------------------------------------------------------

I'm going to have 1 more look at your previous logs
 
Blind Dragon:

When I pasted your code into the Run box, a command prompt box flicked quickly on and off, but nothing else happened. I repeated this to make sure I had copied your code correctly, and the same thing happened. The red X is still showing as the icon for the c: drive.

The file for the desktop picture used to be in the Windows folder and would appear in the display properties list. However, when I clicked on it, it would not appear on the desktop (though it would show briefly while Windows was loading). Today it no longer appears in that folder. It seems to have disappeared. Is there a reason for that? I'm hoping my aunt will not be too upset at the loss of that picture of her kids.

Does the above indicate that there is still a problem with this computer? It remains disconnected from the internet.

Kritius:

Comodo takes a little under two minutes to load. It also interrupts me a lot every time I open a program. I'm hoping the frequency of these interruptions will diminish with time and use. Thank you for the link to the XP tweaks. I've started implementing some on my own computer and have seen an increase in boot and shut-down speeds. How memory intensive/resource hungry is Avast? Is AVG still free? I had heard otherwise.
 
Both Avast and AVG are fine on resources and their free versions are reliable. Just make sure you have a router.

Some people have issues with Comodo and it does take some tweaking. it needs to "learn" what you want and not want. There is a Comodo forum. You might want to search or ask concerning Comodo and slow load times.

Another excellent firewall option for XP (they are very close to a Vista release) is Online Armor free edition. It has tremendous protection.
 
You must be logged in with Administrator privileges to execute the Run command. Are you on a different user account from the main administrator account? Also, try going to Start, All Programs, Accessories, Command Prompt, then pasting the code in the box below.

Code:
/c Reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons" /s >find.txt && find.txt

Copy it from here, then at the command prompt click the command icon at the top left of the box, go down to Edit, and select Paste.

then press enter.

Just navigate to the picture in the Windows folder and right click it, then select 'Set as desktop background'
 
This was what opened in Notepad after running your command:


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Explorer\Driveicons

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Explorer\Driveicons\c

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Explorer\Driveicons\c\DefaultIcon
<NO NAME> REG_SZ %SystemRoot%\system32\shell32.dll,131
 
Start -> All Programs -> Accessories -> Command Prompt -> paste the code box. Make sure you copy the entire code box.

Code:
/c Reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Explorer\Driveicons\c
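The red X came from a per-drive icon override under the DriveIcons key, found with `reg query ... /s` and removed with `reg delete`. As an added example (not from the thread and not a ComboFix or REG.EXE component), the Python below works offline on the find.txt text the user posted (reproduced as a constructed sample), picks out every `DriveIcons\<letter>\DefaultIcon` override, and builds the matching `reg delete` command; it uses REG.EXE's `/f` switch so the deletion does not prompt, which the helper's own command omitted.

```python
"""Check `reg query ...\\DriveIcons /s` output for per-drive icon overrides.

Added example, not from the thread. It works offline on the text the user
posted from find.txt (reproduced below as a constructed sample) instead of
reading a live registry. Explorer only honours DriveIcons\\<letter>\\DefaultIcon
when something has created that key, so any drive listed there is an
override worth reviewing; for each one the matching reg delete command is
built.
"""
import re

DRIVEICONS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons"

# Constructed sample: the REG.EXE 3.0 output quoted in the thread, with
# the value line indented the way REG.EXE prints it.
SAMPLE_OUTPUT = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Explorer\Driveicons

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Explorer\Driveicons\c

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Explorer\Driveicons\c\DefaultIcon
    <NO NAME>   REG_SZ  %SystemRoot%\system32\shell32.dll,131
"""

# A key line starts at column 0 with the hive name; a value line is indented
# and reads <name> <type> <data>.
KEY_RE = re.compile(r"^(HKEY_[A-Z_]+\\\S.*)$")
VALUE_RE = re.compile(r"^\s*(<NO NAME>|\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def parse_drive_icons(text):
    """Return {drive_letter: icon_data} for every DriveIcons\\<x>\\DefaultIcon value."""
    overrides = {}
    current = None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        value = VALUE_RE.match(line)
        if value and current:
            parts = current.lower().split("\\")
            # Expect ...\driveicons\<letter>\defaulticon
            if len(parts) >= 3 and parts[-1] == "defaulticon" and parts[-3] == "driveicons":
                overrides[parts[-2]] = value.group(3)
    return overrides


def removal_commands(overrides):
    """Build the non-interactive reg delete command for each overridden drive."""
    return [f'reg delete "{DRIVEICONS}\\{letter}" /f' for letter in sorted(overrides)]


if __name__ == "__main__":
    found = parse_drive_icons(SAMPLE_OUTPUT)
    for letter, icon in found.items():
        print(f"drive {letter}: icon overridden with {icon}")
    for cmd in removal_commands(found):
        print(cmd)
```

On a machine, the same parser can be fed the real find.txt produced by the helper's query; an empty result means no drive has an icon override and the red X has another cause.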
 