Vundo.gen!O, Log Files, Not clean...

[breaker012]

Hi I followed the steps in the Run & Read me first thread, and after performing the last one I restarted my computer and I am still having the same problem...
Description Of Problem:

I started having problems with Norton Online Security over a year ago. It had so many errors that it kept asking me to install and reinstall it over and over. I got tired of reinstalling it so I ignored any other messages until one day I was playing steam online and the game crashed and my web browser opened by itself and tried to open an MSN account all by itself. But Norton didn't detect any problem.

Right now I am using WIndows Live One Care, and it detected a recurrent trojan virus called "W32/Vundo.gen!O" and it keeps popping up with differnet file names (all numbers) in my windows 32 folder. Also, internet explorer keeps opening by itself mroe and more trying to create MSN and mail.ru accounts by itself. It even tries to write the image code, and sometimes it is difficult to go online because the web browser keeps changing from window to window even though there is only one visible...

I came by to your forums looking for an answer and I followed the Run & Read this first procedure downloading and executing all the steps required. I am trying to attach the log files created by the programs in this thread so hopefully you can help me get rid of this problem.

[breaker012]

Vundo.gen!O, Log Files, Not clean... Pt. 2
here is the last log file.
Thanks in advance

[chaslang]

Welcome to Major Geeks!

Actually based on your logs, your problems have been removed. Are you still having problems? If so, make sure that they are not just being reported in the System Volume Information folder which is System Restore. System Restore will be cleaned only after toggling System Restore.

[breaker012]

I am not sure how to check the system restore thing. But I am pretty sure I continue to have the same problem. My Windows Live One Care is still giving me alerts about having "W32/Vundo.gen!O", and then quarantines the infected file, and internet explorer still opens by itself and goes into MSN trying to open an account all by itself...it is so freaky.
I don't know if this helps but I'm attaching an image of where the browswer goes to when it does that, and the link that it opens to is:

"https://signup.live.com/signup.aspx?mkt=en-us&id=64855&ts=4520109&sh=7BSh&ru=http%3a%2f%2fmail.live.com%2f%3fnewuser%3dyes%26hm%3d1&rx=http%3a%2f%2fget.live.com%2fmail%2foptions&rollrs=12&lic=1"

without the quotation marks.

[chaslang]

Quote:

Originally Posted by breaker012

I am not sure how to check the system restore thing. But I am pretty sure I continue to have the same problem. My Windows Live One Care is still giving me alerts about having "W32/Vundo.gen!O", and then quarantines the infected file,

Unless you tell me where the infection is being found, I cannot help you. I don't need to know the name of the infection. You have already given that. I need to know what files or folder or registry keys exactly. Without that, all I can say is uninstall Windows Live One Care and use something that is more effective. Is your copy a legal copy. It looks like you may have just installed it and I'm not sure why the date of installation shows a date in the future:

Code:

2008-08-29 18:04 . 2007-11-27 22:56 116,416 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys
2008-08-29 18:04 . 2007-11-27 22:56 91,328 --a------ C:\WINDOWS\system32\drivers\msfwdrv.sys
2008-08-29 18:03 . 2008-05-15 16:15 53,168 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2008-08-29 18:00 . 2008-08-14 16:23 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-08-29 17:52 . 2008-08-29 17:54 <DIR> d-------- C:\WINSSLog

Quote:

Originally Posted by breaker012

I don't know if this helps but I'm attaching an image of where the browswer goes to when it does that, and the link that it opens to is:

Not useful and does not mean anything to me at all. If I enter that long link you gave, it takes me to: http://get.live.com/


Can you put a copy of the below file into a ZIP file and attach it here?
C:\windows\system32\es.dll

[breaker012]

Hi Chaslang,
I do have a legal copy of Windows Live One Care, I really have no clue where that date came from. I have been deleting the virus as soon as it is detected by One care and it puts it in quarantine (also because that's what it said to do in the Read & Run Me first thread). Right now there is one of them in quarantine taht it detected today.The folder where it finds the infection is always in

"C:\WINDOWS\system32"

The File I currently have in quarantine is called

"C:\WINDOWS\system32\843197.exe"

and it is always some file name with all numbers like that.



I really don't know for sure if there are any registry keys infected, when I ran one of the programs in the read & run me first it said there were 23 registry items infected but I didn't get to see which ones, maybe it's in one of the logs I attached before?

I'd like to add that I am using a wireless connection and that most of the time when I try to "disable" the conneciton from the network connections, my computer shuts down by itself, and I'm wondering if it is due to the virus I have. It also shuts down for no reason repeatedly when I'm online but I know that could be for a wide range of different reasons... But that's one more thing to add to the description of the problem.

I am attaching a copy of the file you requested too.
Thanks for your help.

[chaslang]

Please download the lastest version of MGtools.exe and use it to get a new MGlogs.zip file.

Also run the below and attach the requested log:

Running GMER to detect rootkits

[breaker012]

Hi again Chaslang,
I used the MGTools.exe file from the link you posted in here. And I ran the GMER file as well with no internet connection as instructed. Here are the logs.

Thanks

[chaslang]

Your logs are not showing any problems. I suggest that you empty your quarantine and then disable System Restore. Then reboot and reenable System Restore.

[breaker012]

OK I will do that and I'll keep you posted if I get any more problems.
Thanks.

[chaslang]

You're welcome.


Now we need to cleanup some items from running ComboFix.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Quote:

REGEDIT4

[-HKEY_CURRENT_USER\Software\Kazaa]
[-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

If you are not having any other malware problems, it is time to do our final steps:

1. You can uninstall SUPERAntiSpyware now.
2. We recommed you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combo-fix" /u
     • Notes: The space between the combo-fix" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
   • Delete the C:\combo-fix folder from combofix.
4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
6. Go to add/remove programs and uninstall HijackThis.
7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
8. If you are running Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!

[breaker012]

Hi Chaslang, I copied the text into notepad and saved it as you said, once I closed the notepad there was no message saying it succesfully wrote it to the registry, but then I opened the file from the desktop and it asked me if I wanted to add it to the register and I clicked yes, then the succes message popped out. (Do I have to leave the file in the desktop, or is that the file that has to be deleted as you wrote later on the message?)

When uninstalling combo fix I just had to change the part where it says "combo-fix" to "combofix" because that's what it was saved as when I downloaded, and it was uninstalled succesfully.

When uninstalling HijackThis from the add/remove programs list an error message said that it may have already been uninstalled and asked if I wanted to remove it from the list so I clicked yes.

Everything is done. So far I haven't received any more message alerts from One Care about Vundo.gen!O, or I haven't seen internet explorer open by itself to create MSN accounts.

I'd like to wait at least till the end of the week to be sure because sometimes the messages don't appear for a couple of days and then they appear again. Thank you for your help Chaslang and Major Geeks.com. I appreciate your hard work. Thanks

[breaker012]

The Virus is back with a friend. One care is detecting the Vundo trojan once again, and now it just started detecting a worm called W32/Slenping.L, for which it keeps popping up a detection alert right after the other over and over again. (I am attaching a screen shot of the One Care message.)

I am kinda worried about my system now that these things keep popping up. What's the best course of action to take other than reinstalling windows because that really is a pain...

And if it does come to reinstalling windows, is there a post or instructions somewhere that can explain what the best way to do it would be?

I don't understand what could be causing these viruses...if the logs seem clean, I really haven't downloaded anything weird from the web. Any ideas?

I did a quick Scan with One Care of the PC and it says it didn't find anything harmful, but it also keeps giving me warnings about Slenping.L

[chaslang]

None of these infections are showing up in your logs. Obvsiously this is partially dues to One Care removing them. However it would appear that the source of your problems may be other PCs sharing the network. Perhaps you should be checking all other PCs on the network. Something else you could try is to completely disconnect this current PC from the network and run it for awhile (however long you think it would normally take for an infection to show up) and see if it stays clean while disconnected. Also very important is that you should uninstall or totally disable all instant messaging programs since this trojan often is spread via instant messengers.

You need to give more info on the Vundo.gen!O problem in the middle picture by clicking the arrow to get more details. I need to know where it is finding the problem.

[breaker012]

Hi Chaslang,
I made some progress with the One Care technicians last night, they were able to clean the Slenping.L worm and it appeared that the vundo infection was also cleaned until tonight when it restarted to appear in the System32 folder in Windows and this time it was creating the files even faster than before.

The One Care people told me I had a compromised "hosts" file from the "C:\Windows\System32\drivers\etc" folder. It had a bunch of corrupt lines of suspicious websites, adult sites, among others, and the technician said they were "rederecting" me and that was the reason why the malware kept coming back. He also deleted a bunch of files from temp, and prefetch folders, and deleted the malware from the system32 manually. (I have a summary he gave me on my email, I am attaching it as a .txt file here)

He attemted to clear the compromised lines from the file but he saved the new hosts file as "hosts.txt" and the old hosts file was left unchanged. There is one more computer (the host computer) which might be infected with a lot of other things because we hardly ever work on it and its antivirus is out dated, so I will disconnect from the Network as you instructed for a couple of days and see what happens.

Finally I'm posting some of the new vundo.gen!O warnings I'm getting from One Care. There are two just to emphasize the different file names that it creates (I assume randomly) but it's the same issue pretty much.

Anyways I think that what the OneCare technician did is get rid of the W32/Slenping.L worm infection but vundo just came back.

Thanks again.

[breaker012]

One last question. Assuming that the source of the problem is the host computer in the network would it be wise to replace that computer with a different one to get rid of the problem?
It's an older computer and extremely slow and full of add-ons and other useless junk, I have a feeling it would take a whole day to do all of the scans I did for this one all over on that one.

[chaslang]

Quote:

Originally Posted by breaker012

I made some progress with the One Care technicians last night, they were able to clean the Slenping.L worm and it appeared that the vundo infection was also cleaned until tonight when it restarted to appear in the System32 folder in Windows and this time it was creating the files even faster than before.

He did not clean anything and what the program is calling Slenping.L and Vundo are the same thing and neither is Vundo so One Care has some work to do in leanining what infections are what. You still need to do what I said in my last message! And you may need to look into a better antivirus program too.

Quote:

Originally Posted by breaker012

The One Care people told me I had a compromised "hosts" file from the "C:\Windows\System32\drivers\etc" folder. It had a bunch of corrupt lines of suspicious websites, adult sites, among others, and the technician said they were "rederecting" me and that was the reason why the malware kept coming back.

Well I'm sorry that I have to say this but the technician is a complete novice and has no clue what he is taking about. Those lines were put into your hosts file to protect you from those bad sites. They were added to your hosts file when you Immunize with Spybot (or a similar program). Anyone who has any experience in computers and malware removal knows this.

Quote:

Originally Posted by breaker012

Anyways I think that what the OneCare technician did is get rid of the W32/Slenping.L worm infection but vundo just came back.

As I said above, he did not fix anything and both infections ( if they really exist) are the samething. Look at the file names. They are all the same.

[breaker012]

Hi again Chaslang,
I started a new thread with the log files for the host computer here http://forums.majorgeeks.com/showthread.php?t=167771

I am going to try your suggestion on the computer for which I originally started the thread for about 3-5 days and see if the infection keeps reappearing and I will keep you posted.

Thanks

[breaker012]

One Last thing...Assuming the infection IS in my computer and not in another one in the network, and if I change to a different anti-virus (McAfee or one listed in your forums) is there a good chance that it will pick up this infection and get rid of it for good instead of leaving it hiding somewhere in my system?

[breaker012]

Hi Chaslang,
You're absolutely right about One Care, I should have changed the AV program in the first place. I installed McAfee last night and eventhough it didn't detect any new significant threats (only cookies) when I ran the scan, it's buffer overflow protection detected something. I think this infection gets triggered when I use the internet only. I have to install McAfee in my other computers and see if it picks up the same thing.

I am attaching a screen shot of the item detected. Since McAfee detected it I have not had any new files created into my system32 folder like before (I checked manually) The item it is stopping is in:
C:\WINDOWS\Explorer.EXE:ADVAPI32.RegCreateKeyExA
and it appears to be some sort of exploit.

However one thing I"m concerned with is that to check if Mcafee would pick up the same Vundo files as One Care did I restored one of the infected files from the One Care quarantine folder back into the system32 folder, then used McAfee to scan such file but it did not pick up any threat on the file...any clues why that might be? (I deleted the file after renaming it with a *.bad extension)

Another concern is that McAfee doesn't seem to have a firewall program, so I turned off the One Care antivirus but left on the One Care firewall. My computer seems to run fine with this configuration, but would this be a good thing to do in your opinion?

Finally, if the item that McAfee is detecting IS the source of my infection, how can I prevent it from continuing to mess up my computer? McAfee is only blocking it, and everytime I start my computer it gets blocked. Can this be deleted or is it being created by something else?

Thanks again in advance.