Vundo.gen!O, Log Files, Not clean...

Discussion in 'Malware Help (A Specialist Will Reply)' started by breaker012, Aug 14, 2008.

  1. breaker012

    breaker012 Private E-2

    Hi I followed the steps in the Run & Read me first thread, and after performing the last one I restarted my computer and I am still having the same problem...
    Description Of Problem:

    I started having problems with Norton Online Security over a year ago. It had so many errors that it kept asking me to install and reinstall it over and over. I got tired of reinstalling it so I ignored any other messages until one day I was playing steam online and the game crashed and my web browser opened by itself and tried to open an MSN account all by itself. But Norton didn't detect any problem.

    Right now I am using Windows Live One Care, and it detected a recurrent trojan virus called "W32/Vundo.gen!O" and it keeps popping up with different file names (all numbers) in my windows 32 folder. Also, internet explorer keeps opening by itself more and more trying to create MSN and mail.ru accounts by itself. It even tries to write the image code, and sometimes it is difficult to go online because the web browser keeps changing from window to window even though there is only one visible...

    I came by to your forums looking for an answer and I followed the Run & Read this first procedure downloading and executing all the steps required. I am trying to attach the log files created by the programs in this thread so hopefully you can help me get rid of this problem.
     

    Attached Files:

  2. breaker012

    breaker012 Private E-2

    Vundo.gen!O, Log Files, Not clean... Pt. 2
    here is the last log file.
    Thanks in advance
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Actually based on your logs, your problems have been removed. Are you still having problems? If so, make sure that they are not just being reported in the System Volume Information folder which is System Restore. System Restore will be cleaned only after toggling System Restore.
     
  4. breaker012

    breaker012 Private E-2

    I am not sure how to check the system restore thing. But I am pretty sure I continue to have the same problem. My Windows Live One Care is still giving me alerts about having "W32/Vundo.gen!O", and then quarantines the infected file, and internet explorer still opens by itself and goes into MSN trying to open an account all by itself...it is so freaky.
    I don't know if this helps but I'm attaching an image of where the browser goes to when it does that, and the link that it opens to is:

    "https://signup.live.com/signup.aspx?mkt=en-us&id=64855&ts=4520109&sh=7BSh&ru=http%3a%2f%2fmail.live.com%2f%3fnewuser%3dyes%26hm%3d1&rx=http%3a%2f%2fget.live.com%2fmail%2foptions&rollrs=12&lic=1"

    without the quotation marks.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Unless you tell me where the infection is being found, I cannot help you. I don't need to know the name of the infection. You have already given that. I need to know what files or folder or registry keys exactly. Without that, all I can say is uninstall Windows Live One Care and use something that is more effective. Is your copy a legal copy? It looks like you may have just installed it and I'm not sure why the date of installation shows a date in the future:
    Code:
    2008-08-29 18:04 . 2007-11-27 22:56 116,416 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys
    2008-08-29 18:04 . 2007-11-27 22:56 91,328 --a------ C:\WINDOWS\system32\drivers\msfwdrv.sys
    2008-08-29 18:03 . 2008-05-15 16:15 53,168 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
    2008-08-29 18:00 . 2008-08-14 16:23 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
    2008-08-29 17:52 . 2008-08-29 17:54 <DIR> d-------- C:\WINSSLog  
    Not useful and does not mean anything to me at all. If I enter that long link you gave, it takes me to: http://get.live.com/


    Can you put a copy of the below file into a ZIP file and attach it here?
    C:\windows\system32\es.dll
     
    Last edited: Aug 16, 2008
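The future-dated entries chaslang points out above can be caught mechanically. The following Python script is an added example, not part of this thread or of ComboFix: it parses ComboFix-style file-listing lines (created date/time, modified date/time, size or <DIR>, attributes, path) and flags any entry created after a reference time. The five sample lines are the ones quoted above; the sixth line and the reference time of 2008-08-16 are constructed assumptions for this example.

```python
"""Flag file-listing entries whose creation timestamp lies in the future."""
import re
from datetime import datetime
from typing import List, NamedTuple, Optional

# Format: <created> . <modified> <size|<DIR>> <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>\S+) (?P<path>.+?)\s*$"
)

class Entry(NamedTuple):
    created: datetime
    modified: datetime
    size: Optional[int]  # None for directories
    attrs: str
    path: str

def parse_line(line: str) -> Optional[Entry]:
    """Parse one listing line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
    return Entry(
        datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
        datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
        size, m["attrs"], m["path"],
    )

def future_entries(lines: List[str], reference: datetime) -> List[Entry]:
    """Return entries whose creation time is later than the log's reference time."""
    return [e for e in map(parse_line, lines) if e is not None and e.created > reference]

# The first five lines are quoted from the thread; the last one is constructed.
SAMPLE_LINES = [
    r"2008-08-29 18:04 . 2007-11-27 22:56 116,416 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys",
    r"2008-08-29 18:04 . 2007-11-27 22:56 91,328 --a------ C:\WINDOWS\system32\drivers\msfwdrv.sys",
    r"2008-08-29 18:03 . 2008-05-15 16:15 53,168 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys",
    r"2008-08-29 18:00 . 2008-08-14 16:23 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live",
    r"2008-08-29 17:52 . 2008-08-29 17:54 <DIR> d-------- C:\WINSSLog",
    r"2008-08-14 16:23 . 2008-08-14 16:23 <DIR> d-------- C:\MGtools",  # constructed, plausible date
]
# Assumed log date for this example (the post is dated Aug 16, 2008).
REFERENCE = datetime(2008, 8, 16)

if __name__ == "__main__":
    for e in future_entries(SAMPLE_LINES, REFERENCE):
        print(f"future-dated: {e.created:%Y-%m-%d %H:%M} {e.path}")
```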
  6. breaker012

    breaker012 Private E-2

    Hi Chaslang,
    I do have a legal copy of Windows Live One Care, I really have no clue where that date came from. I have been deleting the virus as soon as it is detected by One Care and it puts it in quarantine (also because that's what it said to do in the Read & Run Me first thread). Right now there is one of them in quarantine that it detected today. The folder where it finds the infection is always in

    "C:\WINDOWS\system32"

    The File I currently have in quarantine is called

    "C:\WINDOWS\system32\843197.exe"

    and it is always some file name with all numbers like that.



    I really don't know for sure if there are any registry keys infected, when I ran one of the programs in the read & run me first it said there were 23 registry items infected but I didn't get to see which ones, maybe it's in one of the logs I attached before?

    I'd like to add that I am using a wireless connection and that most of the time when I try to "disable" the connection from the network connections, my computer shuts down by itself, and I'm wondering if it is due to the virus I have. It also shuts down for no reason repeatedly when I'm online but I know that could be for a wide range of different reasons... But that's one more thing to add to the description of the problem.

    I am attaching a copy of the file you requested too.
    Thanks for your help.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  8. breaker012

    breaker012 Private E-2

    Hi again Chaslang,
    I used the MGTools.exe file from the link you posted in here. And I ran the GMER file as well with no internet connection as instructed. Here are the logs.

    Thanks
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are not showing any problems. I suggest that you empty your quarantine and then disable System Restore. Then reboot and reenable System Restore.
     
  10. breaker012

    breaker012 Private E-2

    OK I will do that and I'll keep you posted if I get any more problems.
    Thanks.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.


    Now we need to cleanup some items from running ComboFix.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combo-fix" /u
        • Note: the space between combo-fix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combo-fix folder from combofix.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
  12. breaker012

    breaker012 Private E-2

    Hi Chaslang, I copied the text into notepad and saved it as you said, once I closed the notepad there was no message saying it successfully wrote it to the registry, but then I opened the file from the desktop and it asked me if I wanted to add it to the registry and I clicked yes, then the success message popped out. (Do I have to leave the file in the desktop, or is that the file that has to be deleted as you wrote later on the message?)

    When uninstalling combo fix I just had to change the part where it says "combo-fix" to "combofix" because that's what it was saved as when I downloaded, and it was uninstalled successfully.

    When uninstalling HijackThis from the add/remove programs list an error message said that it may have already been uninstalled and asked if I wanted to remove it from the list so I clicked yes.

    Everything is done. So far I haven't received any more message alerts from One Care about Vundo.gen!O, or I haven't seen internet explorer open by itself to create MSN accounts.

    I'd like to wait at least till the end of the week to be sure because sometimes the messages don't appear for a couple of days and then they appear again. Thank you for your help Chaslang and Major Geeks.com. I appreciate your hard work. Thanks
     
  13. breaker012

    breaker012 Private E-2

    Re: Vundo.gen!O, Log Files, It's back...

    The Virus is back with a friend. One Care is detecting the Vundo trojan once again, and now it just started detecting a worm called W32/Slenping.L, for which it keeps popping up a detection alert right after the other over and over again. (I am attaching a screen shot of the One Care message.)

    I am kinda worried about my system now that these things keep popping up. What's the best course of action to take other than reinstalling windows because that really is a pain...

    And if it does come to reinstalling windows, is there a post or instructions somewhere that can explain what the best way to do it would be?

    I don't understand what could be causing these viruses...if the logs seem clean, I really haven't downloaded anything weird from the web. Any ideas?

    I did a quick Scan with One Care of the PC and it says it didn't find anything harmful, but it also keeps giving me warnings about Slenping.L.
     

    Attached Files:

    Last edited: Aug 20, 2008
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Vundo.gen!O, Log Files, It's back...

    None of these infections are showing up in your logs. Obviously this is partially due to One Care removing them. However it would appear that the source of your problems may be other PCs sharing the network. Perhaps you should be checking all other PCs on the network. Something else you could try is to completely disconnect this current PC from the network and run it for awhile (however long you think it would normally take for an infection to show up) and see if it stays clean while disconnected. Also very important is that you should uninstall or totally disable all instant messaging programs since this trojan often is spread via instant messengers.

    You need to give more info on the Vundo.gen!O problem in the middle picture by clicking the arrow to get more details. I need to know where it is finding the problem.
     
  15. breaker012

    breaker012 Private E-2

    Re: Vundo.gen!O, Log Files, It's back...

    Hi Chaslang,
    I made some progress with the One Care technicians last night, they were able to clean the Slenping.L worm and it appeared that the vundo infection was also cleaned until tonight when it started appearing again in the System32 folder in Windows and this time it was creating the files even faster than before.

    The One Care people told me I had a compromised "hosts" file from the "C:\Windows\System32\drivers\etc" folder. It had a bunch of corrupt lines of suspicious websites, adult sites, among others, and the technician said they were "redirecting" me and that was the reason why the malware kept coming back. He also deleted a bunch of files from temp, and prefetch folders, and deleted the malware from the system32 manually. (I have a summary he gave me on my email, I am attaching it as a .txt file here)

    He attempted to clear the compromised lines from the file but he saved the new hosts file as "hosts.txt" and the old hosts file was left unchanged. There is one more computer (the host computer) which might be infected with a lot of other things because we hardly ever work on it and its antivirus is out dated, so I will disconnect from the Network as you instructed for a couple of days and see what happens.

    Finally I'm posting some of the new vundo.gen!O warnings I'm getting from One Care. There are two just to emphasize the different file names that it creates (I assume randomly) but it's the same issue pretty much.

    Anyways I think that what the OneCare technician did is get rid of the W32/Slenping.L worm infection but vundo just came back.

    Thanks again.
     

    Attached Files:

  16. breaker012

    breaker012 Private E-2

    Re: Vundo.gen!O, Log Files, It's back...

    One last question. Assuming that the source of the problem is the host computer in the network would it be wise to replace that computer with a different one to get rid of the problem?
    It's an older computer and extremely slow and full of add-ons and other useless junk, I have a feeling it would take a whole day to do all of the scans I did for this one all over on that one.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Vundo.gen!O, Log Files, It's back...

    He did not clean anything and what the program is calling Slenping.L and Vundo are the same thing and neither is Vundo so One Care has some work to do in learning what infections are what. You still need to do what I said in my last message! And you may need to look into a better antivirus program too.

    Well I'm sorry that I have to say this but the technician is a complete novice and has no clue what he is talking about. Those lines were put into your hosts file to protect you from those bad sites. They were added to your hosts file when you Immunize with Spybot (or a similar program). Anyone who has any experience in computers and malware removal knows this.

    As I said above, he did not fix anything and both infections (if they really exist) are the same thing. Look at the file names. They are all the same.
     
    Last edited: Aug 22, 2008
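The distinction chaslang draws above, between hosts-file lines that merely block a bad site and lines that actually redirect traffic, can be checked rather than guessed at. The Python script below is an added example written for this thread, not code from MajorGeeks, Spybot or One Care: it parses a hosts file, treats any hostname mapped to a loopback or unspecified address (127.0.0.1, 0.0.0.0, ::1) as a harmless Immunize-style block entry, and flags the real hijack pattern, a hostname mapped to some other address. It also flags block entries for a small constructed set of "protected" update hostnames, since blocking those is the other way a hosts file is abused; the sample file and all hostnames in it are constructed and use the reserved .example domain.

```python
"""Classify Windows hosts-file entries: Immunize-style block entries vs redirects."""
import ipaddress
from typing import List, NamedTuple

# Mapping a hostname to one of these only blocks it (what Spybot Immunize writes).
BLOCK_TARGETS = {ipaddress.ip_address("127.0.0.1"),
                 ipaddress.ip_address("0.0.0.0"),
                 ipaddress.ip_address("::1")}

# Constructed for this example: hosts you rely on for updates; blocking them is hostile.
PROTECTED_HOSTS = {"update.example", "av-signatures.example"}

class Finding(NamedTuple):
    lineno: int
    hostname: str
    target: str
    verdict: str  # "localhost", "block", "redirect" or "blocks-protected-host"

def parse_hosts(text: str) -> List[Finding]:
    """Classify every hostname mapping in a hosts file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address field; not a usable mapping
        for host in parts[1:]:
            host_l = host.lower()
            if host_l == "localhost" and addr in BLOCK_TARGETS:
                verdict = "localhost"
            elif addr not in BLOCK_TARGETS:
                verdict = "redirect"  # traffic for this host goes somewhere else
            elif host_l in PROTECTED_HOSTS:
                verdict = "blocks-protected-host"
            else:
                verdict = "block"  # harmless Immunize-style entry
            findings.append(Finding(lineno, host_l, str(addr), verdict))
    return findings

def suspicious(findings: List[Finding]) -> List[Finding]:
    """Keep only the entries that warrant a closer look."""
    return [f for f in findings if f.verdict in ("redirect", "blocks-protected-host")]

# Constructed sample hosts file for this example.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
# Immunize-style block entries (constructed)
127.0.0.1 adult-ads.example
127.0.0.1 fake-codec.example
0.0.0.0 tracker.example
203.0.113.5 www.mybank.example   # redirect: the actual hijack pattern
127.0.0.1 update.example         # blocks a host we rely on for updates
"""

if __name__ == "__main__":
    for f in suspicious(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {f.lineno}: {f.hostname} -> {f.target} ({f.verdict})")
```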
  18. breaker012

    breaker012 Private E-2

    Hi again Chaslang,
    I started a new thread with the log files for the host computer here http://forums.majorgeeks.com/showthread.php?t=167771

    I am going to try your suggestion on the computer for which I originally started the thread for about 3-5 days and see if the infection keeps reappearing and I will keep you posted.

    Thanks
     
  19. breaker012

    breaker012 Private E-2

    One Last thing...Assuming the infection IS in my computer and not in another one in the network, and if I change to a different anti-virus (McAfee or one listed in your forums) is there a good chance that it will pick up this infection and get rid of it for good instead of leaving it hiding somewhere in my system?
     
  20. breaker012

    breaker012 Private E-2

    Hi Chaslang,
    You're absolutely right about One Care, I should have changed the AV program in the first place. I installed McAfee last night and even though it didn't detect any new significant threats (only cookies) when I ran the scan, its buffer overflow protection detected something. I think this infection gets triggered when I use the internet only. I have to install McAfee in my other computers and see if it picks up the same thing.

    I am attaching a screen shot of the item detected. Since McAfee detected it I have not had any new files created into my system32 folder like before (I checked manually). The item it is stopping is in:
    C:\WINDOWS\Explorer.EXE:ADVAPI32.RegCreateKeyExA
    and it appears to be some sort of exploit.

    However one thing I'm concerned with is that to check if McAfee would pick up the same Vundo files as One Care did I restored one of the infected files from the One Care quarantine folder back into the system32 folder, then used McAfee to scan such file but it did not pick up any threat on the file...any clues why that might be? (I deleted the file after renaming it with a *.bad extension)

    Another concern is that McAfee doesn't seem to have a firewall program, so I turned off the One Care antivirus but left on the One Care firewall. My computer seems to run fine with this configuration, but would this be a good thing to do in your opinion?

    Finally, if the item that McAfee is detecting IS the source of my infection, how can I prevent it from continuing to mess up my computer? McAfee is only blocking it, and every time I start my computer it gets blocked. Can this be deleted or is it being created by something else?

    Thanks again in advance.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Any info on this yet?


    Not necessarily but I have not been impressed at all by Windows One Care nor their support after reading what they said to you about the hosts file.

    Based on what I have seen in your logs, this is not a Vundo infection. At least it is not anything like what is normally considered part of Vundo. And since you clean it and it comes back, it still looks like you are getting reinfected either from
    • other PCs on your network
    • from an infected program you are running
    • or from the internet itself (due to where you are surfing or due to something hacking into your PC).
    Do you have a good software firewall installed? The Windows firewall is inadequate if that is what you are using.

    I would also like you to run the below and attach the requested log:

    Running GMER to detect rootkits
     
  22. breaker012

    breaker012 Private E-2

    Hi Chaslang,
    I haven't disconnected from the network yet because I have had to use my computer over the weekend, but I am going to do it either tomorrow or Monday. However I guess we both wrote posts around the same time and maybe you just missed the one I wrote, it's below yours.

    Could that be the source of the infection?

    Oh and is the One Care Firewall considered good?

    I will run the Gmer again tonight, but I had done that earlier on, I don't know if you want me to redo it or forgot we did that already, but I'll do it anyway and I'll post the logs.

    Thanks
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not related to what One Care was finding and only sounds like you may be missing some required Windows Updates. You should install all of your critical updates.


    Restore one of the files with the real file name and upload it to be scan at the below site and see what is reported:

    http://www.virustotal.com/


    You should not have installed McAfee while One Care is still installed. Disabling does not work like you think. Uninstalling OneCare completely is the correct step to take. Use a free firewall from the list given in the below:

    How to Protect yourself from malware!
     
  24. breaker012

    breaker012 Private E-2

    I checked my updates on windows and everything is up to date.

    I uninstalled McAfee, then turned on the Windows One Care AV again. New detections of malware popped up. I am attaching the One Care log which is more specific about the new infections (TrojanDropper:W32/Tofsee.A and Worm:W32/Slenping.gen!A )

    I currently don't have any of the old vundo files quarantined, I deleted all of them from the OneCare quarantine. The above infection of the Slenping worm was quarantined, I restored, then attempted to upload it into http://www.virustotal.com without success, it gives an error message about the file being empty in (0 bytes) size.

    I also ran again GMER and it successfully detected "rootkit activity". I am attaching the logs here. The first scan I ran while still being connected to the internet, and the second one without a connection. I forgot to disconnect the first time I ran the scan so I am adding both in case there is a major difference but both of the scans said they detected rootkit activity.

    That's all the new activity I'm getting and the progress I'm making. This thing is a pain ...
    Your help is greatly appreciated Chaslang.

    Thanks
     

    Attached Files:

    Last edited: Aug 25, 2008
  25. breaker012

    breaker012 Private E-2

    Ignore this message, see the one below, thanks!
     
    Last edited: Aug 25, 2008
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There are no problems in the GMER log nor are there any real problems in your logs from One Care. You just need to toggle System Restore to disabled and then back to enabled to empty things from System Restore. See this: Disable And Enable System Restore
     
  27. breaker012

    breaker012 Private E-2

    Hi Chaslang,
    I did the disable-enable System restore again, and just today I got a new malware alert from One Care but this time back in the system32 folder in Windows. It's the TrojanDropper:W32/Tofsee.A

    I never got to disconnect from the network for a couple of days so I'll do that and I'll get back to you.

    Also if I keep getting these alerts I'll uninstall One Care then install McAfee, that seemed to get rid of the problem somehow while it was on.

    Why does One Care keep giving me these alerts and I still get files being created in the system32 folder? I really don't know what the source of the malware could be. But thinking back I did get some kind of infection through Windows Live Messenger as a file called photos.zip or something like that over 6 months ago, but I don't know how it can still be in the computer after all these scans...

    Thanks
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you do what I already requested in message # 21, we can try to continue on this.
     
