Vundo trojans!! If I had a rocket launcher

Discussion in 'Malware Help (A Specialist Will Reply)' started by wayne campbell, Jul 13, 2009.

  1. wayne campbell

    wayne campbell Private E-2

    Problem appears to be an infection by a Vundo-related trojan. I have had F-Secure AV and FW installed since new.

    Before finding your website I managed to recover to the point of almost normal operation after running AntiMalware and latest Microsoft scanners and antimalware downloads, but am reinfected on reboot.

    I followed the steps/procedures on your website as closely as I could. I had to use another computer and transfer software. I had to play around a lot to get things to run. Never could get SuperAntiVirus to install. I ran Antimalware again; the quick scan saw nothing, but the full scan had found 7 items. The scan was very slow, so I aborted and was just going to use the quick scan log.

    The remaining steps generated logs as attached. After ComboFix, I have tried numerous reboots and safe mode, but not the system restore points that were created (assuming this will just mess up the registry again). No matter what, I have no user interface and must use Task Manager to get around. I cannot access Malwarebytes Anti-Malware to get the logs for some reason. Not sure where the avenger txt was generated, but it was part of the session last night so I have attached it.



    Hope this gives a clue

    Thanks
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!


    Below are two logs from Malwarebytes that I would like you to attach.
    Code:
    C:\Documents and Settings\David\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\
    Apr  5 2009        8564  "mbam-log-2009-04-05 (21-01-34).txt"
    Jul 13 2009        1643  "mbam-log-2009-07-13 (00-56-59).txt"

    When Desktop functionality is restored, your Desktop needs to be cleaned up immediately. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\David\Local Settings\TEMP
    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  3. wayne campbell

    wayne campbell Private E-2

    I set up the CF script file, but all I have for a desktop is my background picture

    There are no toolbar, status bar, or system tray file icons. So I can't do the drag and drop. Is there another way to do the ComboFix?

    I have tried safe mode and last known good configuration but the result is the same. Looking at system restore but haven't gotten serious about it yet and don't want to go back to an infected registry. I noticed others with a similar problem on the software forum had it fixed once their logs were clear.

    Attached are the mbam logs for a start. I cleaned up the desktop to some degree just using the Task Manager to browse the directories.
     

    Attached Files:

  4. wayne campbell

    wayne campbell Private E-2

    Logs posted and mbam logs in previous post


    Figured out I could drag and drop in the Task Manager browse window.
    The reason for the slight name change on the ComboFix file is that I ran it twice and thought the rename would keep the second from overwriting the first
    ...didn't work. The first run of CF I wasn't sure if I had actually exited Firefox and I also noticed in the CF log that F-Secure was running. I had no systray to see if AV is running. I tried uninstalling F-Secure from Task Manager and trying some of the exe files. Pretty sure F-Secure is still running according to the process window in Task Manager. Ran CF the second time on the chance results would be different with browsers definitely off and maybe F-Secure disabled.


    CF, CCleaner and MG GetLogs.bat ran fine


    Still no desktop, but probably software/registry issue
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The ComboFix log you last attached is not the correct log. It is a log that was obtained by just running ComboFix. You need to attach the one from dragging the CFScript.txt file on top of ComboFix.exe as requested. If you already did this drag and drop then locate the last C:\ComboFix.txt log and attach it. Do not run it again if you already followed those steps. I believe the C:\combofix.txt log that I can see in your MGlogs files is the correct one but you just did not attach this one, which is about 14 k in size. You incorrectly attached some test log you had on your Desktop, which you should delete since ComboFix logs should always be located at C:\

    Your MBAM logs show that you are way out of date. Please try to get the current version installed and updated and run a new scan and attach the new log.

    From Task Manager, if you click File, New Task (Run...) and enter explorer.exe and click OK, does your Desktop appear?
     
    Last edited: Jul 17, 2009
  6. wayne campbell

    wayne campbell Private E-2

    Attached is the ComboFix log from the C: directory. Lost a couple of days on that one; I should have been more careful.

    Once the trojan hit, I ran the mbam version I already had, then found your site and went through READ & RUN. But I was never able to get the newer mbam to download and effectively run then. So you got the only logs I had. I have tried to reinstall a few times while waiting for your last post.

    I tried again this morning to uninstall mbam, downloaded a new install and renamed it to mb.exe. The installation runs in normal and safe mode but I get three errors: vbAccelerator SGrid III Control Run Time (0), Malwarebytes Anti-Malware Automation (440), SETUP CreateInstance failed; code 0x80040154 Class not registered. The setup finishes and I can run the program, but I get the run time and automation errors immediately and Mbam stops.

    I tried uninstall/reinstall, with and without internet connection, running in safe mode, changing the exe name... mbam always installs but with more or less the same errors.

    In the process window I tried to get rid of all the fs... processes, which would be the F-Secure AV. There is no AV in safe mode as far as I can tell, but I get the same error message so I don't think AV is the problem. I am going to try again to uninstall F-Secure anyway. Will post mbam logs if I get them.

    In terms of getting toolbars and status bars back, I tried explore.exe in Task Manager and going into the Windows folder and double-clicking explorer.exe, but nothing. I searched MGeeks and Windows support for help. Some similar cases and ideas, but none of the ideas worked. Had a look at and compared MGeeks posts on a possible registry fix (Image File Execution Options) but mine is ok. I ran sfc /scannow and got about 10 "Insert Windows XP Pro Service Pack 3 CD" and "XP Pro CD" messages. I don't have the CDs but will get them. I have rebooted five or six times to try and get "last known good configuration" to work but no luck... have heard it may take more tries.

    I have not done system restore. Don't want to change things until you have a look at ComboFix.
     

    Attached Files:

    Last edited: Jul 17, 2009
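A read-only check of the places this post is poking at by hand (what Winlogon launches as the shell, an Image File Execution Options entry for explorer.exe, the SFC disable switch, and the Explorer/System policies that hide the Desktop or block Task Manager), added here as an example and not part of the thread or of MajorGeeks' tools. The expected defaults are assumptions for a stock XP/Vista install, and the output file name C:\shell-check.txt is made up for the example.

```powershell
# Added example, not from the thread: report-only inspection of registry values that
# commonly explain "explorer.exe runs but no Desktop/taskbar" and a disabled sfc.
# Expected values are assumptions for a default XP/Vista install; nothing is changed.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ifeo     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'

$checks = @(
    @{ Path = $winlogon; Name = 'Shell';      Expected = 'explorer.exe' },
    @{ Path = $winlogon; Name = 'Userinit';   Expected = "$env:SystemRoot\system32\userinit.exe," },
    @{ Path = $winlogon; Name = 'SFCDisable'; Expected = 0 },
    # A Debugger value under IFEO\explorer.exe redirects every launch of explorer.exe
    @{ Path = "$ifeo\explorer.exe"; Name = 'Debugger';             Expected = $null },
    @{ Path = "$policies\Explorer"; Name = 'NoDesktop';            Expected = $null },
    @{ Path = "$policies\System";   Name = 'DisableTaskMgr';       Expected = $null },
    @{ Path = "$policies\System";   Name = 'DisableRegistryTools'; Expected = $null }
)

$report = foreach ($c in $checks) {
    $actual = $null
    if (Test-Path -Path $c.Path) {
        $prop = (Get-ItemProperty -Path $c.Path).PSObject.Properties[$c.Name]
        if ($prop) { $actual = $prop.Value }
    }
    $status = if ($null -eq $c.Expected) {
        # Values that should not exist at all on a clean machine
        if ($null -eq $actual) { 'OK' } else { 'SUSPECT: value should not exist' }
    } elseif ($null -eq $actual) {
        'MISSING: review'
    } elseif ("$actual" -eq "$($c.Expected)") {   # -eq is case-insensitive for strings
        'OK'
    } else {
        'SUSPECT: differs from default'
    }
    New-Object PSObject -Property @{
        Key = "$($c.Path)\$($c.Name)"; Actual = $actual; Expected = $c.Expected; Status = $status
    }
}

# Print the table and save a copy that can be attached to the thread; nothing is modified.
$report | Format-Table -Property Status, Key, Actual, Expected -AutoSize
$report | Out-File -FilePath "$env:SystemDrive\shell-check.txt" -Width 300
```

With no Desktop it can be started from Task Manager's File, New Task box as `powershell -ExecutionPolicy Bypass -File C:\shell-check.ps1` (PowerShell 2.0 or later); a SUSPECT line is something to show the helper, not something to edit blind.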
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay we will ignore this for now since the problems with your Windows OS that the sfc command revealed could be causing this.

    Yes it would be a good idea to uninstall all of COGECO Security Services right now since it may be complicating matters.


    You need to get this CD as it is important to get these issues resolved. These may be the cause of your problems.

    We do have a little more cleanup to do.


    Now we need to use ComboFix again.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )




    Now attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jul 17, 2009
  8. wayne campbell

    wayne campbell Private E-2

    Attached are logs


    Everything ran ok... ComboFix in safe mode to avoid AV.

    No change to the computer, although it seems to reboot quicker.

    Working on getting CD's
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay the F-secure stuff did not uninstall properly. Let's clean this up and also remove a couple other unwanted files.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  10. wayne campbell

    wayne campbell Private E-2

    Seems like we are almost there on the trojan front, but have had no luck with the system CDs.

    I took it into the dealer/repair store where I bought the machine and they have not been able to find a disk that works, including the XP Media Centre Edition sp3 that shows up as being installed. They say they have tried 7 different XP disks.

    They are still working on it.


    I do know that the desktop disappeared after running ComboFix the first time, as outlined in the first post on this thread. I searched the threads here for a bit but didn't see a comparable situation.

    Will update, with scans, once I get the machine back, hopefully today.
     
  11. wayne campbell

    wayne campbell Private E-2

    OK, the word from the shop is that there is an sfc disable policy along with 13 other policies that have been changed by viruses. I'm not familiar with how policies work. Still no success being able to restore the desktop.

    Scanning turned up significant numbers/traces of viruses plus a couple of rootkits.

    Conclusion: A very bad case which might be repairable but windows may be slower than normal.

    Recommendation: Reformat/reload

    I hate to give up on this but am going to bite the bullet and take their recommendation.

    Chaslang, I really appreciate your time on this, a great site and a great learning experience for me, but as Neil Young wrote, Comes a Time.

    If you have any questions, I would be happy to answer them and will monitor the thread for a while. I should get the machine back tomorrow.

    If you have any comments, again thanks.


    Cheers
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not according to your logs, and there was nothing disabling sfc. You were clearly able to run it before. You just did not have a disk to put in.

    Unlikely. These were most likely just things in quarantines we already removed or remnants in System Restore since we had not toggled it yet.

    You're welcome.

    Make sure you follow through the below on your new install:

    How to Protect yourself from malware!
     
