Old 06-30-2009, 01:09 PM   #1 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 14
OS: XP SP2


Vundo and possible other infections

Hello,

I will briefly summarise the history of my problem. I'm running Windows XP SP2 with ZoneAlarm and manually updated PC-cillin which I am planning to replace with AVG.

After noticing computer was slow I ran AdAware. During the process the computer crashed and I could not start Windows as pci.sys was missing. I downloaded a recovery console for Windows XP Home Edition with SP2 included (I have a legal copy of Windows XP Home Edition) and managed to repair the system by running chkdsk /r. I ran Malwarebytes which reported a Vundo infection and attempted to clean it but it kept coming back. I ran VundoFix (as I had this problem before) and it further cleaned 3 files. Connecting to the internet resulted in a reinfection which was again "cleaned". Malwarebytes at the moment reports no infection and neither does VundoFix. I also ran HJT a couple of times and repaired entries which I confirmed online were Vundo entries.

However, I am unable to see any drives in Disk Management. When I plug in a USB stick, it reports it as a hi-speed stick plugged into a slow port but the drive never shows up in My Computer. Computer gets suspiciously "worked up" and slow when it connects to the internet. On Windows startup I've had Acrobat Distiller being reported as encountering a problem and needing to close.

I tried running GMER as advised but I got the blue screen of death (fatal error) when I started the scan. Twice. I am therefore not in a position to post ark.txt, sorry. Is there an alternative? I have the DDS logs attached. Will that suffice? I can also produce a HJT log.

Please let me know and thanks for the advice.

Cadmus
Attached Files
File Type: zip attach.zip (5.1 KB, 5 views)

Old 06-30-2009, 01:29 PM   #2 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 2,185
OS: XP sp3


Re: Vundo and possible other infections

Hi,

Please do the following:


NOTE: It is extremely important to disable your security programs while Combo-Fix runs

Please download ComboFix from Here or Here to your Desktop.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:




  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------
  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" for further review.
Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall.


NOTE: If the renamed Combo-Fix will not run in normal mode, try it in safe mode.
__________________


ASAP & UNITE Member
Old 06-30-2009, 02:27 PM   #3 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 14
OS: XP SP2


Re: Vundo and possible other infections

Thanks for the response.

Would you mind telling me the reason why Combofix is prescribed as the solution please? I understand it is a powerful tool which should not be used without good reason and supervision.

I am in the process of backing up my personal data and once it is done I will report back with a log from Combofix.

Thanks.

Last edited by CadmusofThebes; 06-30-2009 at 02:29 PM.
Old 06-30-2009, 02:35 PM   #4 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 2,185
OS: XP sp3


Re: Vundo and possible other infections

Quote:
Would you mind telling me the reason why Combofix is prescribed as the solution please? I understand it is a powerful tool which should not be used without good reason and supervision.

I am the supervision.

If you follow my instructions precisely, I will assist you in cleaning your machine.


You have a Vundo infection. ComboFix is the best tool to use in cleaning a computer from this infection.


If you are unclear of anything, please stop and ask.
__________________


ASAP & UNITE Member

Last edited by CatByte; 06-30-2009 at 02:37 PM.
Old 06-30-2009, 03:46 PM   #5 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 14
OS: XP SP2


Re: Vundo and possible other infections

double post

Last edited by CadmusofThebes; 06-30-2009 at 03:49 PM.
Old 06-30-2009, 03:49 PM   #6 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 14
OS: XP SP2


Re: Vundo and possible other infections

I had a problem starting ComboFix.

The message I got was "ComboFix.exe - No Disk; There is no disk in the drive. Please insert a disk into drive /Device/Harddisk/DR3".

After pressing Cancel or Try Again the scanner eventually started. The scan is now in progress.
Old 06-30-2009, 04:38 PM   #7 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 14
OS: XP SP2


Re: Vundo and possible other infections

I am attaching the ComboFix log and awaiting further instructions.

Cheers!
Attached Files
File Type: txt ComboFix.txt (15.1 KB, 3 views)
Old 06-30-2009, 06:16 PM   #8 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 2,185
OS: XP sp3


Re: Vundo and possible other infections

Hi,

Please do the following:

Please delete the copy of ComboFix you have from your desktop, then download a fresh copy from one of the links provided previously. No need to rename it this time. Allow ComboFix to install the Recovery Console.

Install ComboFix but say NO to continuing a scan as we are going to use ComboFix with a script this time.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')


Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/390454-vundo-possible-other-infections.html#post2215987

Collect::
c:\windows\system32\giweruru.dll
c:\windows\system32\vevesojo.dll
c:\windows\system32\drivers\qftabvfworxuwqib.sys
c:\program files\udhwwbtg.txt

File::
c:\windows\Internet Logs\xDB4.tmp
c:\windows\Internet Logs\xDB5.tmp
c:\windows\Internet Logs\xDB2.tmp
c:\windows\Internet Logs\xDB3.tmp

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
__________________


ASAP & UNITE Member
Old 07-01-2009, 12:09 AM   #9 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 14
OS: XP SP2


Re: Vundo and possible other infections

I downloaded it again and started it in the hope it will install the recovery console but instead it just started scanning and going through the stages. How vital is the recovery console and what should I do in order to have it installed before running it with the script provided?

Thanks.
Old 07-01-2009, 04:32 AM   #10 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 2,185
OS: XP sp3


Re: Vundo and possible other infections

Manually installing the Windows Recovery Console

In the event that the automatic install of Recovery Console was not possible, you should follow the steps listed here in order to manually install it. The Windows recovery console is a tool that will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. If you use Windows XP and have a Windows CD, then you can follow the instructions found in the tutorial listed below.
How to install and use the Windows XP Recovery Console

Windows Vista users can use their Windows DVD to boot up into the Vista Recovery Environment.

If you use Windows XP and do not have the Windows CD, ComboFix includes a method of installing the Windows Recovery console by downloading a file from Microsoft. To install the Windows Recovery Console when you do not have the Windows XP CD, please follow these instructions:
1. Click on the following link to go to Microsoft's Web site:
http://support.microsoft.com/kb/310994
2. At that page, scroll down and click on the appropriate download for your version of Windows XP (Home or Professional) and the service pack level that you have installed. When you click on the link to download the file, make sure you save it directly to your desktop. If you are using Windows XP Service Pack 3 (SP3), then select the Service Pack 2 download. If you are using Windows XP Media Center, then you should select the Windows XP Pro Service Pack 2 download. If you are unsure what version of Windows you have and what Service Pack is installed, you can follow these instructions to gain that information.
   1. Click on the Start button.
   2. Click on the Run menu option.
   3. In the Open: field type the following: sysdm.cpl and then click on the OK button.
   4. A screen will appear showing information about your installation. Under the System: category you should see your Windows version and the installed Service Pack. When you are done determining this information continue with Step 2.
3. Once the Microsoft file has finished downloading, you should drag it on top of the ComboFix icon and let your mouse button go. This is shown in the following image.



4. ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.
Once the Windows Recovery Console has finished installing, ComboFix will open a prompt stating that it was installed and asking if you would like to proceed with scanning your computer. If you wish to continue, then press the Yes button and continue reading the tutorial from here.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.


  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


  • At the next prompt, click 'No' to run the full ComboFix scan.
__________________


ASAP & UNITE Member
Old 07-01-2009, 03:13 PM   #11 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 14
OS: XP SP2


Re: Vundo and possible other infections

Thanks for the guidance.

I managed to install the recovery console and I ran Combofix with the script. After the scan, some files were uploaded to a server (I don't like not knowing which files or where) and a log popped up which I saved on the desktop. However my desktop was missing and I was forced to restart the computer.

I am attaching the log of the last scan.

Thank you.
Attached Files
File Type: zip NewLog.zip (4.2 KB, 1 views)
Old 07-01-2009, 03:25 PM   #12 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 2,185
OS: XP sp3


Re: Vundo and possible other infections

Hi,

Thank-you.

I collected the files for the developer of Combofix.

These were the files in the script that were sent:

Collect::
c:\windows\system32\giweruru.dll
c:\windows\system32\vevesojo.dll
c:\windows\system32\drivers\qftabvfworxuwqib.sys
c:\program files\udhwwbtg.txt

These are bad malware files, that are now identified. This assists in our fight against malware.

Sorry to have alarmed you. Please be assured, I will not knowingly do anything improper or harmful to your computer. I am here only to help and assist you in getting clean.

Please do the following:

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean
It's normal after running TFC cleaner that the PC will be slower to boot the first time.

NEXT
  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.


NEXT

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.


  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


In your next reply please include
  • MBAM Log
  • Kaspersky report


Note: The TFC program will clean out all of your temporary files. This will enable the scanners to do a more efficient job.

The scanners are required to be run to check for any leftover malware files that ComboFix doesn't target.

Thank-you
__________________


ASAP & UNITE Member
Old 07-02-2009, 03:17 PM   #13 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 14
OS: XP SP2


Re: Vundo and possible other infections

Short update: I have run TFC and after restarting I again got the report on Acrobat Distiller not working. I ran Malwarebytes but Kaspersky is taking a long time which I don't have so I will probably be able to post a log within 24 hours.
Old 07-02-2009, 11:31 PM   #14 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 14
OS: XP SP2


Re: Vundo and possible other infections

I am sorry, I seem to be unable to finish the Kaspersky scan. I've done it twice now and it always gets to 26% and simply stops there (while scanning QuickTime Installer.exe). At that point it detects 5 infections. Is there an alternative? Thanks

Malwarebytes log attached
Attached Files
File Type: txt mbam-log-2009-07-02 (08-18-41).txt (832 Bytes, 1 views)
Old 07-03-2009, 01:23 AM   #15 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 2,185
OS: XP sp3


Re: Vundo and possible other infections

Hi Yes,

Kaspersky can be finicky at times.

Please try this alternate scanner:

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
__________________


ASAP & UNITE Member
Old 07-03-2009, 12:57 PM   #16 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 14
OS: XP SP2


Re: Vundo and possible other infections

Cheers, I'm running the scan now but it seems awfully slow at the most odd times (e.g. scanning a simple .ico or .txt file). Vile stuff is being reported, including backdoor trojans (Spy.Banker trojan), Virtumondo, Downloader.Wren. Fingers crossed it doesn't freeze.
Old 07-03-2009, 01:49 PM   #17 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 14
OS: XP SP2


ESET Log

Here is the ESET log.

Could these entries be quarantined old infections?
Attached Files
File Type: txt log.txt (3.5 KB, 2 views)
Old 07-03-2009, 06:17 PM   #18 (permalink)
Analyst, Security Team
 
CatByte's Avatar
 
Join Date: Jan 2009
Location: Canada
Posts: 2,185
OS: XP sp3


Re: Vundo and possible other infections

Hi,

Most of the infected files are in quarantine of old backups which cannot harm the computer unless restored.

There are a couple of files that should be deleted:

Please do the following:

Please download OTM by OldTimer.
  • Save it to your desktop.
  • Please click OTM and then click >> run.
  • Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Processes
explorer.exe

:Files
C:\WINDOWS\inf\tenpct.ini
C:\WINDOWS\s4Setp.exe
C:\Documents and Settings\Korisnik\My Documents\My Software\Antivirus\VundoFix (older).exe
C:\Documents and Settings\Korisnik\My Documents\My Software\swfmediabrowser.zip
C:\Documents and Settings\Korisnik\My Documents\My Software\BorgQueen Desktop Theme.exe
C:\Documents and Settings\Korisnik\My Documents\My Software\borgqnsyacht desktop theme.exe
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

  • Return to OTM, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Next


Your Java is out of date.
Java(TM) 6 Update 10 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; > follow the prompts.


Please post the OTM log as well as describe how your computer is running now and if there are any outstanding issues
__________________


ASAP & UNITE Member
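
Added example, not part of the original posts and not code from ComboFix or OTM: a Python reader for the two removal scripts posted in this thread (the CFScript in post #8 and the OTM script in post #18) that lists every path a script names, flags the ones under a user profile, and records a SHA-256 of each file that exists, so there is a record of what a script touches before the tool runs. The header patterns are inferred only from the two scripts shown here; all function names and the "user data" rule are assumptions of this example.

```python
import hashlib
import re

# Section headers as they appear in the two scripts posted in this thread:
#   CFScript "Collect::" / "File::", OTM ":Processes" / ":Files" / ":Commands"
CF_HEADER = re.compile(r"^([A-Za-z]+)::$")
OTM_HEADER = re.compile(r"^:([A-Za-z]+)$")
WINDOWS_PATH = re.compile(r"^[A-Za-z]:\\")

# Copied from the code boxes in posts #8 and #18 (blank lines dropped).
CFSCRIPT = r"""
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/390454-vundo-possible-other-infections.html#post2215987
Collect::
c:\windows\system32\giweruru.dll
c:\windows\system32\vevesojo.dll
c:\windows\system32\drivers\qftabvfworxuwqib.sys
c:\program files\udhwwbtg.txt
File::
c:\windows\Internet Logs\xDB4.tmp
c:\windows\Internet Logs\xDB5.tmp
c:\windows\Internet Logs\xDB2.tmp
c:\windows\Internet Logs\xDB3.tmp
"""

OTM_SCRIPT = r"""
:Processes
explorer.exe
:Files
C:\WINDOWS\inf\tenpct.ini
C:\WINDOWS\s4Setp.exe
C:\Documents and Settings\Korisnik\My Documents\My Software\Antivirus\VundoFix (older).exe
C:\Documents and Settings\Korisnik\My Documents\My Software\swfmediabrowser.zip
C:\Documents and Settings\Korisnik\My Documents\My Software\BorgQueen Desktop Theme.exe
C:\Documents and Settings\Korisnik\My Documents\My Software\borgqnsyacht desktop theme.exe
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
"""

def parse_removal_script(text):
    """Return {section name: [entries]}; lines before any header go to 'preamble'."""
    sections, current = {}, "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = CF_HEADER.match(line) or OTM_HEADER.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections

def listed_paths(sections):
    """(section, path) pairs for entries that are absolute Windows paths."""
    return [(name, entry) for name, entries in sections.items()
            for entry in entries if WINDOWS_PATH.match(entry)]

def is_user_data(path):
    """Assumed rule: anything under an XP user profile deserves a second look."""
    return "\\documents and settings\\" in path.lower()

def sha256_if_present(path):
    """Hash the file if it can be read, else None (missing or locked)."""
    try:
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        return digest.hexdigest()
    except OSError:
        return None

def review(text):
    """One record per listed path, to read and keep before the tool is run."""
    return [{"section": s, "path": p, "user_data": is_user_data(p),
             "sha256": sha256_if_present(p)}
            for s, p in listed_paths(parse_removal_script(text))]

if __name__ == "__main__":
    for record in review(CFSCRIPT) + review(OTM_SCRIPT):
        print(record)
```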
Old 07-04-2009, 02:42 AM   #19 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 14
OS: XP SP2


Re: Vundo and possible other infections

Java reported I have the latest version. My computer is behaving relatively ok ever since Combofix but for whatever reason I still keep getting the message that "Acrobat Distiller has encountered a problem and needs to close..." on startup (although not every time).

Here's the latest log.
Attached Files
File Type: zip 07042009_100851.zip (992 Bytes, 1 views)
Old 07-04-2009, 05:08 AM   #20 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 2,185
OS: XP sp3


Re: Vundo and possible other infections

Hi,

The problem is likely with the Distiller installation itself rather than malware related:

I suggest you repair the installation. Select Help > Repair Acrobat Installation to have the program test and repair any potential errors.

Now some final cleanup to do:

Please do the following:

Follow these steps to uninstall Combofix
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.




NEXT

Now to remove the rest of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.
  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.

  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • For Firefox, I highly recommend this add-on to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.


Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.
__________________


ASAP & UNITE Member
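
Added example, not part of the original post: the HOSTS-file recommendation above works because a name mapped to 127.0.0.1 resolves to the local machine. This Python sketch reads HOSTS content, lists the names that are blocked that way, and goes one step further by listing names mapped to any other address, which are worth a manual look on a machine that has just been cleaned. The sample content, its hostnames and the function names are constructed for this example.

```python
import ipaddress

# Constructed sample HOSTS content; hostnames and the 203.0.113.7
# documentation address are made up for this example.
SAMPLE_HOSTS = """\
# sample HOSTS file
127.0.0.1   localhost
127.0.0.1   ads.example.com
127.0.0.1   tracker.example.net   # blocked ad server
0.0.0.0     banners.example.com cdn.banners.example.com
203.0.113.7 update.example.org
not-an-ip   broken.example.com
"""

LOCAL_NAMES = {"localhost"}  # the machine's own entry, not a block

def parse_hosts(text):
    """Return (address, hostname) pairs; comments and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:  # one line may carry several names
            entries.append((str(address), name.lower()))
    return entries

def classify(entries):
    """Split entries into blocked names and (name, address) redirects.

    blocked: mapped to a loopback or unspecified address, so connections
             to that name never leave the machine.
    redirected: mapped to some other address; review each one by hand.
    """
    blocked, redirected = [], []
    for address, name in entries:
        if name in LOCAL_NAMES:
            continue
        ip = ipaddress.ip_address(address)
        if ip.is_loopback or ip.is_unspecified:
            blocked.append(name)
        else:
            redirected.append((name, address))
    return blocked, redirected

def is_blocked(name, entries):
    """True if the HOSTS content sinks this hostname locally."""
    blocked, _ = classify(entries)
    return name.lower() in blocked

if __name__ == "__main__":
    blocked, redirected = classify(parse_hosts(SAMPLE_HOSTS))
    print("blocked:", blocked)
    print("review:", redirected)
```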
 

