Vundo symptoms -- not Vundo trojan

Ancient Wisdom · 11-17-2008, 06:41 PM

Compaq laptop
Windows XP home
MS Auto updates -- disabled on Win startup
Auto updates cannot be enabled
Auto updates process cannot be started
Browser hijacked
pop ups
blank "404" when navigating to search engines or virus detection sites
System is bogged down with 100% cpu activity -- if connected to internet
System available if internet connection is disabled, NIC / wireless unplugged

Symantec vundo scanner in safe mode turns up no hits
Eset may have quaranteed and deleted some of the malware -- msg regarding 'Virtumondo', though it did not prevent escalation of system takeover by attack.

When I found this site (techsupportforum.com), I followed instructions to provide attached files.

Thanks for any help identifying and eliminating this problem. I like the apparent 'upgrades' to the HJT file/logs (attached from your scanners -- nice job). Impressive. I would like to learn more from you. Thank you very much for being available.
Keith

**Glaswegian** · 11-20-2008, 03:00 PM

Hi and welcome to TSF.

My name is Iain and I will be helping you clean your system. It looks like Vundo is indeed still present on your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.

Combofix
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Ancient Wisdom · 11-22-2008, 04:22 PM

combo fix run, log attached. Cool tool indeed

I am able to use the internet on this machine again; windows update has been restored and is working. It appears that combofix found and resolved quite a number of malware issues. Impressive.

Very Good! Please advise.

**Glaswegian** · 11-23-2008, 05:30 AM

Hi again

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Combofix

Close any open browsers.
Open notepad and copy/paste the text in the box below into it:

Code:

File::
c:\documents and settings\All Users\Application Data\0D091DCC25.sys

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"EnCfgApp"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

DirLook::
c:\documents and settings\All Users\Application Data\wnsnsxov
c:\Program Files\mjvoykf

Looking at the image below as an example

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript onto ComboFix.exe.

When finished, it will produce a log for you at "C:\ComboFix.txt"

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!

Please post the log C:\ComboFix.txt for further review.

Ancient Wisdom · 11-23-2008, 01:28 PM

hello Gwegian and thank you for your time,

script run, log attaced.
Kw

**Glaswegian** · 11-24-2008, 03:22 PM

Hi again

How is your system running now?

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Combofix

Close any open browsers.
Open notepad and copy/paste the text in the box below into it:

Code:

Folder::
c:\documents and settings\All Users\Application Data\wnsnsxov
c:\Program Files\mjvoykf

Looking at the image below as an example

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript onto ComboFix.exe.

When finished, it will produce a log for you at "C:\ComboFix.txt"

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!

Please post the log C:\ComboFix.txt for further review.

Online Scan
Perform an online scan with Panda ActiveScan

Click on Scan Your PC Now
A "pop up" window will appear, or a new tab will open.
Click on Register
Choose the option you like most, but we recommend the Free Registration.
Click on Register
Enter your e-mail address, and create a password.
Select "I do not want to receive any type of information". (unless you want to receive such information)
Click on Send
Confirm registration, and continue by entering your user name and password, then click on Enter
Select Full Scan, then Click on Scan Now
Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
Please ignore the offer to buy the program. Click on Export To
Export the log and save it to your desktop.
Please attach the contents of that log to your reply.

* Turn off the real time scanner of any existing antivirus program while performing the online scan.

Ancient Wisdom · 11-25-2008, 06:25 PM

Gwegian-
this system is back on its hind legs, movin' about like it was kid again. You have charmed my cpu with your stuff. The cookies tell the story don't it >>

here are some logs fer ya. You are great indeed, my Scot friend. Thank you for your generous efforts. What do you think?
Kw

**Glaswegian** · 11-26-2008, 04:16 PM

Hi again

Looks good. This file ppal3ppc.exe is an installer for the PeoplePC PeoplePal Toolbar – see here for more info.

Apart from that all your logs are clean. If there are no more problems we’ll just tidy up and I’ll let you go, along with my recommendations for staying safe and secure.

The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Referring to the image below

Click Start > Run and copy/paste, or type the following bold text into the Run box and click OK:

ComboFix /u

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

General Protection
Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here.

Ad-aware 2007
Download and install Ad-Aware 2007. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here.

SnoopFree
SnoopFree is a real time monitor that notifies you when a programme wants to record your keystrokes or read your screen. Note that SnoopFree is only for XP systems.

MVPS Hosts File
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Firefox
Opera
Maxthon

Firewalls
A good firewall will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall for XP does not monitor outgoing traffic. If you do not have a firewall, here are 3 free ones available for personal use:
Comodo Personal Firewall
Sygate Personal Firewall
ZoneAlarm

Other Protection
Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.

ERUNT & NTREGOPT
ERUNT is a programme that will create automatic backups of your Registry. These backups can be used to help restore your system in the event of a serious crash.
NTREGOPT will compact and optimise your Registry, to assist the smooth running of your system

Additional Reading
In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

PC Safety & Security - What Do I Need?.
Making Internet Explorer Safer.
Think Prevention!.

Have a look here if your PC is still running a bit slow
Is your PC running slow...?

Keep clean and safe and enjoy your computing!

Please respond to this thread one more time so we can mark this thread as resolved.

Ancient Wisdom · 11-26-2008, 05:58 PM

Glaswegian,

A nice list of reads and fixes in your final post. I will indeed pursue your advice. I appreciate your effort. Thank you.
Kw

11-20-2008, 03:00 PM	#2 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 25,559 OS: Win XP Pro SP3 / Win 7 Pro My System Blog Entries: 10	Re: Vundo symptoms -- not Vundo trojan Hi and welcome to TSF. My name is Iain and I will be helping you clean your system. It looks like Vundo is indeed still present on your system. You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply. Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below. Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please ensure that you follow the instructions in the order I have them listed. Combofix Download ComboFix from one of these locations: Link 1 Link 2 Link 3 * IMPORTANT !!! Save ComboFix.exe to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, ComboFix will produce a log for you. Please include the C:\ComboFix.txt in your next reply. __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums.** PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner

11-23-2008, 05:30 AM	#4 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 25,559 OS: Win XP Pro SP3 / Win 7 Pro My System Blog Entries: 10	Re: Vundo symptoms -- not Vundo trojan Hi again Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below. Combofix Close any open browsers. Open notepad and copy/paste the text in the box below into it: Code: File:: c:\documents and settings\All Users\Application Data\0D091DCC25.sys Registry:: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] "EnCfgApp"=- [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=- DirLook:: c:\documents and settings\All Users\Application Data\wnsnsxov c:\Program Files\mjvoykf Looking at the image below as an example Save this as CFScript.txt, in the same location as ComboFix.exe Refering to the picture above, drag CFScript onto ComboFix.exe. When finished, it will produce a log for you at "C:\ComboFix.txt" Do not mouseclick combofix's window whilst it's running. This may cause it to stall. CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows! Please post the log C:\ComboFix.txt for further review. __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner

11-24-2008, 03:22 PM	#6 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 25,559 OS: Win XP Pro SP3 / Win 7 Pro My System Blog Entries: 10	Re: Vundo symptoms -- not Vundo trojan Hi again How is your system running now? Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below. Combofix Close any open browsers. Open notepad and copy/paste the text in the box below into it: Code: Folder:: c:\documents and settings\All Users\Application Data\wnsnsxov c:\Program Files\mjvoykf Looking at the image below as an example Save this as CFScript.txt, in the same location as ComboFix.exe Refering to the picture above, drag CFScript onto ComboFix.exe. When finished, it will produce a log for you at "C:\ComboFix.txt" Do not mouseclick combofix's window whilst it's running. This may cause it to stall. CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows! Please post the log C:\ComboFix.txt for further review. Online Scan Perform an online scan with Panda ActiveScan Click on Scan Your PC Now A "pop up" window will appear, or a new tab will open. Click on Register Choose the option you like most, but we recommend the Free Registration. Click on Register Enter your e-mail address, and create a password. Select "I do not want to receive any type of information". (unless you want to receive such information) Click on Send Confirm registration, and continue by entering your user name and password, then click on Enter Select Full Scan, then Click on Scan Now Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser. If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect Please ignore the offer to buy the program. Click on Export To Export the log and save it to your desktop. Please attach the contents of that log to your reply. * Turn off the real time scanner of any existing antivirus program while performing the online scan. __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner

11-26-2008, 04:16 PM	#8 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 25,559 OS: Win XP Pro SP3 / Win 7 Pro My System Blog Entries: 10	Re: Vundo symptoms -- not Vundo trojan Hi again Looks good. This file ppal3ppc.exe is an installer for the PeoplePC PeoplePal Toolbar – see here for more info. Apart from that all your logs are clean. If there are no more problems we’ll just tidy up and I’ll let you go, along with my recommendations for staying safe and secure. The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point. Referring to the image below Click Start > Run and copy/paste, or type the following bold text into the Run box and click OK: ComboFix /u Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs: General Protection Spyware Blaster to help prevent spyware from installing in the first place. Spyware Guard to catch and block spyware before it can execute. Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here. Ad-aware 2007 Download and install Ad-Aware 2007. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here. SnoopFree SnoopFree is a real time monitor that notifies you when a programme wants to record your keystrokes or read your screen. Note that SnoopFree is only for XP systems. MVPS Hosts File The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file. Alternate Browsers Try the following free alternate browsers rather than Internet Explorer Firefox Opera Maxthon Firewalls A good firewall will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall for XP does not monitor outgoing traffic. If you do not have a firewall, here are 3 free ones available for personal use: Comodo Personal Firewall Sygate Personal Firewall ZoneAlarm Other Protection Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer. ERUNT & NTREGOPT ERUNT is a programme that will create automatic backups of your Registry. These backups can be used to help restore your system in the event of a serious crash. NTREGOPT will compact and optimise your Registry, to assist the smooth running of your system Additional Reading In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles PC Safety & Security - What Do I Need?. Making Internet Explorer Safer. Think Prevention!. Have a look here if your PC is still running a bit slow Is your PC running slow...? Keep clean and safe and enjoy your computing! Please respond to this thread one more time so we can mark this thread as resolved. __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner

11-26-2008, 05:58 PM	#9 (permalink)
Ancient Wisdom Registered User Join Date: Nov 2008 Location: Gold Coast of Southern California Posts: 36 OS: WinXP Pro sp3	Back in service Glaswegian, A nice list of reads and fixes in your final post. I will indeed pursue your advice. I appreciate your effort. Thank you. Kw