Vundo infection?

Discussion in 'Malware Help (A Specialist Will Reply)' started by barryusa, Oct 12, 2007.

  1. barryusa

    barryusa Private E-2

    Started last Friday, 10-5-07.

    All kinds of pop-ups, browser hijack, lost Control Panel, both Admin and Owner accounts were restricted.

    Had all kinds of problems with downloading and installing the recommended software in the READ & RUN ME FIRST because of restrictions.

    Have finally gotten the machine working OK but still have many problems. Finally got my Control Panel back and removed the restrictions.

    Based on the logs of BitDefender and HJT it appears that it is partly a problem with Virtumonde/Vundo (BitDefender's ID).

    Based on this I ran the VundoFix program from the special removal thread, and it did detect Vundo, but after trying and trying it still cannot remove the file geebb.dll. After that, reinfections start showing up again.

    I have tried doing the removal in safe mode both as Admin and Owner, letting it try to remove on reboot as both Admin and Owner, no luck.

    I have gone as far as I can, I am including all the usual requested logs except for AVG which I will explain in the following message.

    I am also including the log from VundoFix.

    Thank you
     


  2. barryusa

    barryusa Private E-2

    When I ran AVG it showed no reports available.

    It did, however, show 3 infections:
    WNLOADER.SMALL.FWW and WNLOADER.TINY.ID

    After I did the "Apply all actions" there was a screen that had the following:

    2 tags deleted in the following locations
    C:\System volume Information\_restore {FFBD187E-F34F4058-9643-156E1C120EAB\RP476\(all 3 the same to this point)
    A0037135.EXE Loader.Tiny.ID
    A0035992.EXE Loader.Small.fww
    A0035991.EXE Loader.Small.fww

    I did verify the setting in AVG to "Automatically generate a report after every scan", so I do not know why there was no report.

    The remainder of the logs are attached.

    Thank you!
     


  3. abri

    abri MajorGeek

    Hi barry!
    Welcome to Major Geeks!

    Please run the below scan. After you've finished the Combofix scan, please post the log for Combofix, and fresh logs for ShowNew, GetRunKeys and HijackThis.

    Run this utility:
    Logs:
    - Combofix
    - Newfiles.txt
    - Runkeys.txt
    - HijackThis.log

    abri
     
  4. barryusa

    barryusa Private E-2

    Ran ComboFix as directed.

    An error message showed up during part 8

    sed.cfexe has encountered a problem and needs to close. We are sorry for the inconvenience.

    If you were in the middle of something the information may be lost.

    Send report or Don't Send

    The same message occurred again after reboot.

    the Combofix screen showed:
    Preparing for log
    Do not run any programs...

    then the same message came up.

    Also, I ran the log reports in the order that you showed (newfiles and runkeys were reversed from the other procedures).

    HJT log in a separate reply.

    abri, Thank you for your quick response!
     


  5. barryusa

    barryusa Private E-2

    HJT log

    Thank you.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's begin by stopping and disabling a malware service.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Microsoft Internet Explorer,
    • then right-click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
    O20 - Winlogon Notify: hggefec - C:\WINDOWS\SYSTEM32\hggefec.dll

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.


    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 8 of the READ & RUN ME. This only applies if using WinXP or WinMe.
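The two O20 lines chaslang had fixed above are both load points that Windows honours for any DLL listed there: AppInit_DLLs (loaded into every process that maps user32.dll) and Winlogon Notify (loaded into winlogon.exe at logon on 2000/XP). The PowerShell below is an added example for this thread, not part of HijackThis, Avenger or any tool the helpers used; it enumerates both keys from an elevated prompt and reports, for each DLL named, whether the file exists and whether it carries a valid Authenticode signature. The registry paths and value names are the standard Windows ones; everything else (function names, output layout) is this example's own. An entry such as the thread's sulimo.dat or hggefec.dll would show up here as unsigned or, after removal, as a dangling value with no file behind it.

```powershell
# Added example: list AppInit_DLLs and Winlogon Notify DLLs with signer status.
# Illustrative code for this thread only; not from HijackThis or any tool named here.
# Run from an elevated PowerShell prompt on the machine being inspected.

function Resolve-DllPath {
    param([string]$Name)
    # Values in these keys may be bare file names (resolved from System32) or full paths.
    if (Test-Path -LiteralPath $Name) { return (Resolve-Path -LiteralPath $Name).Path }
    $candidate = Join-Path "$env:SystemRoot\System32" $Name
    if (Test-Path -LiteralPath $candidate) { return $candidate }
    return $null
}

function Report-Dll {
    param([string]$Source, [string]$Raw)
    $path = Resolve-DllPath $Raw
    if (-not $path) {
        # Value is still set but the file is gone: stale entry left behind by a removal.
        return ("{0,-36} {1,-45} MISSING (registry value set, file not found)" -f $Source, $Raw)
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "UNSIGNED ($($sig.Status))" }
    return ("{0,-36} {1,-45} {2}" -f $Source, $path, $signer)
}

# 1. AppInit_DLLs: space/comma-separated list injected into every user32-linked process.
$winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winKey -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) {
    foreach ($entry in ($appInit -split '[ ,;]+' | Where-Object { $_ })) {
        Report-Dll 'O20 AppInit_DLLs' $entry
    }
} else {
    'O20 AppInit_DLLs                     (empty)'
}

# 2. Winlogon Notify: each subkey names a DLL that winlogon.exe loads at logon (2000/XP).
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notifyKey) {
    Get-ChildItem -Path $notifyKey | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath -Name DLLName -ErrorAction SilentlyContinue).DLLName
        if ($dll) { Report-Dll "O20 Winlogon Notify: $($_.PSChildName)" $dll }
    }
} else {
    'O20 Winlogon Notify                  (key absent)'
}
```

Two caveats a practitioner would want: a valid signature only tells you who published the file, not that it belongs there, so any entry you did not install yourself still deserves a look; and on Vista and later the Winlogon Notify key is no longer consulted, so a populated key there is inert but still worth cleaning up.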
     
  7. abri

    abri MajorGeek

    Thanks Chas!

    I checked the two carefully. I'm still missing things ... which is annoying. What is the sulimo? I've been looking at that all week in different posts.
     
    Last edited by a moderator: Oct 14, 2007
  8. barryusa

    barryusa Private E-2

    Things are working much better,

    Thanks

    Here are the logs that you requested.
     


  9. barryusa

    barryusa Private E-2

    And the HJT log.

    In your first part in services.msc, the service was already stopped and was set to "Automatic"; it is now set to "Disabled".

    That was the only thing I noticed that was different.

    Thank you!
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean. Now you need to complete our final instructions, which include steps for getting your PC properly protected. You are not currently protected properly since you have no antivirus and you are only using the inadequate built-in Windows firewall.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
    3. If we used SDFix, you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work through the below link:
     
  11. barryusa

    barryusa Private E-2

    Everything seems to be working fine so far.

    I will take care of the rest today.

    Thank you.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely.
     
