Vundo et al


H_D

Hello

Friend's son's laptop displayed message about being infected. Asked if I could have a look at it. I took one look at it and decided you guys were the best to deal with this.

A note about the laptop:

It was bought from eBay. It looks like it is an ex-company laptop as it is tightly locked down. You have to use winkey+r to start anything and certain controls such as display properties have been disabled. My Computer is not accessible via Start menu or desktop. The laptop will not shut down.

I think the laptop is in a pretty bad state, but if you people can help me clean it up first, I can see about improving it.

Thanks.


Hey, H_D.

Definitely Vundo, and looks to have been on the system for a while.

Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download it to your Desktop.

Link 1

Link 2

Link 3

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouseclick combofix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

-----------------------------------------------------------

Attach fresh logs for:

  • ComboFix (C:\combofix.txt)
  • a-squared Free/Anti-Malware
  • ISeeYouXP
  • HiJackFree

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Hi, ShadowPuterDude

Many thanks for taking the time to help me out with this.

I downloaded combofix as requested and ran it. It took a long time to get started, about 10 minutes, and then displayed the following error message on screen:

It then asked to download and install the MS recovery console.

After doing that and restarting the laptop it ran. It detected rootkit activity and requested that the following files be noted:

C:\Windows\system32\TDSSl.dll

C:\Windows\system32\drivers\tdssserv.sys

C:\Windows\system32\drivers\TDSSserv.sys

It then requested a reboot and ran before anything else loaded. It reported that various files and registry keys were being deleted. It requested a third restart and then compiled the log.

Total run time for combofix was about 50 mins.

Ran HiJackFree, ISeeYouXP and A2Free.

Log files are attached.

After the last reboot, the laptop is much more responsive. All the links seem to be back in place on the Start Menu and the scans are running much faster than they did first time round. The date in the System Tray is still succeeded by VIRUS ALERT. Is this a MS thing? I've never seen it before. Also, I can now shut down the laptop from the Shutdown command which was not possible before.


Microsoft Office 2007 is not legitimate. The a-squared log shows that it was activated by means of a Keygen.

-----------------------------------------------------------

Instructions for correcting the VIRUS ALERT! in the task tray can be found HERE

-----------------------------------------------------------

Now we need to use ComboFix to remove some stuff.

  • Make sure that the copy of combofix.exe that you downloaded earlier is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
  • Open Notepad and copy/paste the text in the below code box into it

(make sure you scroll all the way down in the code box to get all lines selected):

KILLALL::

Driver::
CDAVFS

File::
c:\documents and settings\owner\desktop\virusremover2008.lnk
c:\documents and settings\owner\application data\microsoft\internet explorer\quick launch\virusremover2008.lnk
c:\documents and settings\Owner\Local Settings\Application Data\CyberDefender\cdmyidd.dll
C:\Documents and Settings\Owner\Local Settings\Application Data\CyberDefender\Scam Alert\host.html
C:\Documents and Settings\Owner\Local Settings\Application Data\CyberDefender\Scam Alert\referrer.html
C:\Documents and Settings\Owner\Local Settings\Application Data\CyberDefender\Scam Alert\script.html
C:\Documents and Settings\Owner\My Documents\Microsoft OFFICE 2007\Microsoft OFFICE 2007 FULL Edition  + KEYGEN [VISTA comp]\Office [Keygen].exe
C:\Documents and Settings\Owner\My Documents\Microsoft OFFICE 2007\Microsoft OFFICE 2007 FULL Edition  + KEYGEN [VISTA comp]\setup.exe
C:\Program Files\Common Files\System Doctor\dcmon.exe
c:\windows\DUMP2f2d.tmp
C:\WINDOWS\system32\antlfqui.dll
C:\WINDOWS\system32\bgdeiygl.dll
C:\WINDOWS\system32\byXNddeC.dll
C:\WINDOWS\system32\fcccdCtR.dll
C:\WINDOWS\system32\hgGawUoM.dll
C:\WINDOWS\system32\htdtxi.dll
C:\WINDOWS\system32\jaxpcxbv.dll
C:\WINDOWS\system32\jjabec.dll
C:\WINDOWS\system32\jouvlyhy.dll
C:\WINDOWS\system32\kaxjve.dll
C:\WINDOWS\system32\kvthmy.dll
C:\WINDOWS\system32\mlJApPHa.dll
C:\WINDOWS\system32\mlJYpOFy.dll
C:\WINDOWS\system32\nrlqxvfa.dll
C:\WINDOWS\system32\ocrppwgb.dll
C:\WINDOWS\system32\ogdmngln.dll
C:\WINDOWS\system32\pjydppns.dll
C:\WINDOWS\system32\tdssadw.dll
C:\WINDOWS\system32\TDSSerrors.log
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdssserf.dll
C:\WINDOWS\system32\tdssserf1.dll
C:\WINDOWS\system32\tuvWmKeE.dll
C:\WINDOWS\system32\vxtackpg.dll
C:\WINDOWS\system32\wkfihlkn.dll
C:\WINDOWS\system32\wvUkLFyv.dll
C:\WINDOWS\system32\xlovou.dll
c:\windows\system32\drivers\CDAVFS.sys

Folder::
C:\Documents and Settings\Owner\Local Settings\Application Data\CyberDefender\Scam Alert
c:\documents and settings\Owner\Local Settings\Application Data\CyberDefender
C:\Documents and Settings\Owner\My Documents\Microsoft OFFICE 2007\Microsoft OFFICE 2007 FULL Edition  + KEYGEN [VISTA comp]
C:\Documents and Settings\Owner\My Documents\Microsoft OFFICE 2007
C:\Program Files\Common Files\System Doctor

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"=-
[-HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
[-HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[-HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[-HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"=-
[-HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
[-HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[-HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[-HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"=-
[-HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
[-HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[-HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[-HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below

Note: DO NOT mouseclick combofix's window while it is running. That may cause it to stall.

The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name.

-----------------------------------------------------------

Attach fresh logs for:

  • ComboFix (C:\combofix.txt)
  • a-squared Free/Anti-Malware
  • HiJackFree

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

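To make the structure of that CFScript explicit (what each section asks ComboFix to remove, and how the Registry:: block reuses .reg-file syntax, where "[-KEY]" deletes a key and "name"=- deletes a value), here is an added Python example; it is not code from the thread or from ComboFix. The section semantics are assumed from the script above, `leftover_targets` is a hypothetical post-cleanup check, and the sample input is a constructed subset of the posted script.

```python
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")          # "File::" style section header
REG_KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")        # [KEY] selects a key, [-KEY] deletes it
REG_VALUE_DELETE_RE = re.compile(r'^"([^"]+)"=-$')    # "name"=- deletes a value (.reg syntax)

@dataclass
class CFScript:
    flags: set = field(default_factory=set)                # body-less directives, e.g. KILLALL
    drivers: list = field(default_factory=list)
    files: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    reg_key_deletes: list = field(default_factory=list)    # keys removed outright
    reg_value_deletes: list = field(default_factory=list)  # (key, value_name) pairs

def parse_cfscript(text):
    """Split a CFScript into typed sections; raise on lines the format does not allow."""
    script, section, current_key = CFScript(), None, None
    lists = {"driver": script.drivers, "file": script.files, "folder": script.folders}
    for line in filter(None, map(str.strip, text.splitlines())):   # skip blank lines
        header = SECTION_RE.match(line)
        if header:
            section, current_key = header.group(1).lower(), None
            if section == "killall":                  # directive with no body (assumed semantics)
                script.flags.add("KILLALL")
                section = None
            continue
        if section in lists:
            lists[section].append(line)
        elif section == "registry":
            key, value = REG_KEY_RE.match(line), REG_VALUE_DELETE_RE.match(line)
            if key:
                current_key = None if key.group(1) else key.group(2)
                if key.group(1):
                    script.reg_key_deletes.append(key.group(2))
            elif value and current_key:
                script.reg_value_deletes.append((current_key, value.group(1)))
            else:
                raise ValueError(f"unrecognised Registry:: line: {line}")
        else:
            raise ValueError(f"line outside a known section: {line}")
    return script

def leftover_targets(script, present_paths):
    """Hypothetical post-cleanup check: script targets still present, compared case-insensitively as Windows does."""
    present = {p.lower() for p in present_paths}
    return [t for t in script.files + script.folders if t.lower() in present]

# Constructed sample: a subset of the CFScript posted above.
SAMPLE_SCRIPT = r"""KILLALL::
Driver::
CDAVFS
File::
C:\WINDOWS\system32\tdssadw.dll
c:\windows\system32\drivers\CDAVFS.sys
Folder::
C:\Program Files\Common Files\System Doctor
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"=-
[-HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
"""
```

Feeding `leftover_targets` a fresh directory listing taken after the ComboFix run shows which of the scripted files and folders survived and need a second look.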

Download Avenger from HERE and unzip to your desktop.

  • Run Avenger
  • Read the prompt that appears, and press OK
  • Copy & paste the following text in Input script Box:
    Files to delete:
    C:\WINDOWS\system32\avg_sr.dll
    C:\WINDOWS\system32\avirasafe.dll


    Then click "Execute".

  • You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  • Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

-----------------------------------------------------------

HiJackFree logs are incomplete.

Attach fresh logs for:

  • Avenger (C:\avenger.txt)
  • a-squared Free/Anti-Malware
  • ISeeYouXP

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Re-ran HiJackFree and attached the log. The program crashed after I saved the log.

The first time I ran Avenger I forgot to tick both boxes so I ran it a second time with them ticked using the same script. These are avenger1 and avenger2 respectively.

Regarding the illegal Office installation. I am unable to find an Add/Remove entry for the program, and it is not present on the start menu.

[Edit]

Laptop is still running fine.


Office 2007 is showing in the list of installed apps in the ISeeYouXP log. You will probably need to use the Microsoft Installer Cleanup tool to remove the MS Office items.

c:\documents and settings\owner\application data\funkitron 	detected: Trace.Directory.GameFiesta 5 Card Slingo Deluxe!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Dekovir\Path --> AlphaBall 	detected: Trace.Registry.GameFiesta Ballistik!A2
C:\Program Files\Shockwave.com\Atomaders\product\Atomaders.exe 	detected: Trojan-Dropper.Agent!IK
C:\Program Files\Shockwave.com\Clash N' Slash\Clash N' Slash.exe 	detected: Backdoor.Win32.Rbot.aahp!A2
C:\Program Files\Shockwave.com\Heavy Weapon Deluxe\product\Heavy Weapon Deluxe.exe 	detected: Backdoor.Rbot!IK
C:\Program Files\Shockwave.com\Ricochet Lost Worlds - Recharged\product\Ricochet.exe 	detected: Backdoor.Rbot!IK

I'm not overly concerned about these A2 entries. You can remove those if you want or leave them.

HiJackFree still isn't finishing properly. We'll change to OTListIT.

Download -->> OTL <<-- to your desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
    • Attach both logs with your next reply.


Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - Reg Error: Value error. File not found
    O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - Reg Error: Value error. File not found
    
    :Files
    C:\WINDOWS\*.tmp
    C:\WINDOWS\System32\*.tmp
    C:\WINDOWS\System32\tdssinit.dll
    C:\Documents and Settings\All Users\Application Data\System Doctor Free
    C:\Documents and Settings\Owner\Application Data\VirusRemover2008
    @C:\Documents and Settings\All Users\Application Data\TEMP:1F5BDFD0
    @C:\Documents and Settings\All Users\Application Data\TEMP:57A1A321
    @C:\Documents and Settings\All Users\Application Data\TEMP:6DEDE595
    @C:\Documents and Settings\All Users\Application Data\TEMP:B2374AE9
    @C:\Documents and Settings\All Users\Application Data\TEMP:48F85300
    @C:\Documents and Settings\All Users\Application Data\TEMP:173772E9
    @C:\Documents and Settings\All Users\Application Data\TEMP:E2EA479C
    @C:\Documents and Settings\All Users\Application Data\TEMP:6FE54CC2
    @C:\Documents and Settings\All Users\Application Data\TEMP:833F31B3
    @C:\Documents and Settings\All Users\Application Data\TEMP:EECACB54
    @C:\Documents and Settings\All Users\Application Data\TEMP:5BB67B56
    @C:\Documents and Settings\All Users\Application Data\TEMP:8004C9F0
    @C:\Documents and Settings\All Users\Application Data\TEMP:4267FFCC
    
    :Commands
    [purity]
    [emptytemp]
    [resethosts]
    [start explorer]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new OTL log ( don't check the boxes beside LOP Check or Purity this time )


Something is still not right with the system clock. VIRUS ALERT! still shows next to the system time in the ISeeYouXP log for Scheduled Tasks.

Download to your Desktop:

- Malwarebytes' Anti-Malware

Double-click mbam-setup.exe and follow the prompts to install the program. Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version.

  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save the log to a convenient location, attach the log with your next reply.


Thanks. I will post the log later after I return from work.

Cyber Defender was moved out from ..\Program files by one of the tools that have been run - Combo-fix, I think. The files now reside in ..\Qoobox\. From the very start there has not been any visible reference to Cyber Defender on the Desktop, Start Menu, System Tray or Add/Remove Programs.

After seeing the Spoofing reference in the A2 Free logs for Cyber Defender I thought it was not a legitimate security program. A little searching on the Internet revealed undesirable effects from the installation of the program.

Up until last night, I had not made any changes to the laptop. Last night I uninstalled Stopzilla because its trial period was at an end.


CyberDefender gets mixed reviews from my peers in the security community. Some will call it a rogue application; yes, they at one time produced an application that Eric Howes labeled as rogue, but they appear to have moved beyond that point in time. Personally, I would not call CyberDefender "Rogue". There are several applications I recommend for use, and CyberDefender isn't one of them.

sUBs apparently thinks the application is "Rogue" as ComboFix will remove CyberDefender if present on the system.

-----------------------------------------------------------

Your logs look fine.

Unless you are having problems from Malware it is time to do the final steps.

If you used ComboFix, uninstall ComboFix:

  • Click START then RUN and enter the below into the run box and then click OK. (Use only the command of the same name as your copy of combofix.)
  • AvoidTDSS /uninstall or combofix /uninstall or Combo-Fix /uninstall
    Note: The space before /uninstall must be there. Which command you use depends on whether I had you rename ComboFix during download.
    This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete everything in C:\!KillBox (If I didn't have you use KillBox, then this won't be present)

Delete the following from your Desktop (If they exist)

Avenger.exe

Avenger.txt

Avenger.zip

CFscript.txt

dds.scr

dds.pif

DisableAutoRuns.reg

fixes.bat

FixMe.reg

FixReg.reg

ISeeYouXP.exe

ISeeYouXP.lnk

ISeeYouXP.txt

Win32kDiag.exe

Win32kDiag.txt

Anything else I had you use

Delete the following files: (If they exist)

C:\Avenger.txt

C:\ComboFix.txt

Delete the following folders: (If they exist)

C:\Avenger

C:\AvoidTDSSS

C:\ComboFix

C:\SDFix

C:\Qoobox

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Empty the Recycle Bin

Run CCleaner

Turn off System restore to flush all your restore points then turn system restore back on.

To manually turn off System Restore, follow these steps:

1. Click Start, right-click My Computer, and then click Properties.

2. Click the System Restore tab.

3. Click to select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

4. Click Yes when you receive the prompt to turn off System Restore.

To turn on System Restore, follow these steps:

1. Click Start, right-click My Computer, and then click Properties.

2. Click the System Restore tab.

3. Click to clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

Delete C:\ISeeYouXP

Run Windows Update and update your Windows Operating System.

Run the Secunia Online Software Inspector; this will inspect your system for software that is out of date and in need of updating. Update any program/application detected as being out of date.

That should take care of everything.

Safe Surfing!


Thanks a lot for your help, ShadowPuterDude.

I've removed all the programs, plus some extra folders and files not listed.

I'm still unable to find any reference to Cyber Defender on the PC, and WSC still thinks it is installed despite deleting the Combo-Fix folder that contained the moved files.

However, this copy of Windows XP is woefully out of date. Once I've updated everything and installed and run some AV software I'll let you know how it's running.

Cheers!


That was it - thank you very much.

Your help is truly appreciated.

My friend and his son will be coming over next week to collect the laptop, and although his son is a little shame-faced, they are both very grateful for your work.

Thanks!


Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
