
Vundo trojan, advanced infection


Armanno


Hey, so before I would keep getting these Vundo trojans over and over. I would use Malwarebytes Anti-Malware to scan and delete them, but they kept coming back no matter how many times I updated and scanned. They seemed harmless at first, but then on startup I would get messages saying Windows could not open files like "login uii" to protect my computer. Now Malwarebytes would not run, and every time I tried to reinstall it, it would not work. The virus even somehow blocked me from using this website (I'm on my dad's computer).

Eventually it started stopping explorer.exe and I couldn't even get into Safe Mode. At one point it wouldn't even let me open Task Manager, which was the only way I was getting onto the internet at all. Eventually I could get on the internet, and used a bleepingcomputer.com guide to use rkill.exe and download a version of MBAM under a different name so it could run. I couldn't update because I couldn't connect to the MBAM website, but I did a full scan and deleted around 34 objects, then restarted, but there were still problems and I kept getting the popups and error messages. I also have suspicious processes running, mostly scvhosts that would take up a lot of memory and computer usage, so my computer would run really slow because they took up so much memory.

Also, I doubt this is relevant, but before this I forwarded my router ports so I could play Xbox games with my friend when our networks were conflicting, and I just want to make sure this wasn't allowing the viruses to keep coming back.

Thanks for any help, and sorry to type so much, I just want to include as much info as possible.

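Two of the symptoms in this post (security-vendor sites that suddenly will not load, and svchost processes eating memory) can be turned into a quick read-only check. The script below is an added example, not code from the thread or from Malwarebytes: the hosts file and the WMIC output are constructed samples, and the list of protected domains and the expected System32 path are assumptions you would adjust for your own machine. A hosts-file entry that pins a vendor site to 127.0.0.1 is the classic way this family kept victims away from help; an svchost.exe loaded from a Temp folder, or a process whose name is merely a letter shuffle of svchost, is worth the same attention.

```python
"""Two defender-side checks for symptoms described in the first post:
vendor sites that will not load (hosts-file hijack) and svchost.exe
processes that should not exist.  Added example, not from the thread;
the hosts file and WMIC output below are constructed samples."""
import csv
import io
import ntpath

# Sites the poster was cut off from.  Constructed list: add the vendor
# sites your own cleanup depends on.
PROTECTED_DOMAINS = (
    "malwarebytes.org",
    "bleepingcomputer.com",
    "f-secure.com",
    "free-av.com",
)

# Where the genuine Service Host image lives on XP/Vista/7 (lower-cased).
# Assumption: system drive is C:.
EXPECTED_SVCHOST_DIR = r"c:\windows\system32"

# Constructed sample of %SystemRoot%\system32\drivers\etc\hosts
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       malwarebytes.org        # pinned to loopback: site never loads
0.0.0.0         www.bleepingcomputer.com
192.0.2.10      intranet.example
"""

# Constructed sample of:
#   wmic process get ExecutablePath,Name,ProcessId /format:csv
# WMIC lists columns alphabetically.  An empty ExecutablePath means WMI
# could not read the process (e.g. a SYSTEM process queried from a
# limited account), so it is reported rather than silently trusted.
SAMPLE_WMIC_CSV = r"""Node,ExecutablePath,Name,ProcessId
PC1,C:\WINDOWS\system32\svchost.exe,svchost.exe,836
PC1,C:\WINDOWS\system32\svchost.exe,svchost.exe,900
PC1,C:\DOCUME~1\user\LOCALS~1\Temp\svchost.exe,svchost.exe,1544
PC1,C:\WINDOWS\scvhost.exe,scvhost.exe,1632
PC1,,svchost.exe,1100
"""


def hosts_hijacks(hosts_text, protected=PROTECTED_DOMAINS):
    """Return (line_no, ip, hostname) for every hosts entry that pins a
    protected domain, or a subdomain of it, to any address.  A clean hosts
    file has no reason to mention these names at all, so every hit is
    worth a look regardless of the address used."""
    hits = []
    for no, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            lowered = name.lower()
            if any(lowered == d or lowered.endswith("." + d) for d in protected):
                hits.append((no, ip, name))
    return hits


def suspicious_svchost(wmic_csv, expected_dir=EXPECTED_SVCHOST_DIR):
    """Return (pid, name, path, reason) for process names that are letter
    shuffles of svchost (scvhost, svhcost, ...) and for svchost.exe images
    loaded from anywhere other than the expected System32 directory."""
    findings = []
    for row in csv.DictReader(io.StringIO(wmic_csv.strip())):
        name = row["Name"]
        path = row["ExecutablePath"] or ""
        pid = int(row["ProcessId"])
        stem = ntpath.splitext(name)[0].lower()
        if stem != "svchost" and sorted(stem) == sorted("svchost"):
            findings.append((pid, name, path, "lookalike of svchost.exe"))
        elif stem == "svchost":
            if not path:
                findings.append((pid, name, path, "no image path reported"))
            elif ntpath.dirname(path).lower() != expected_dir:
                findings.append((pid, name, path, "svchost.exe outside System32"))
    return findings


if __name__ == "__main__":
    for hit in hosts_hijacks(SAMPLE_HOSTS):
        print("hosts line %d: %s -> %s" % hit)
    for pid, name, path, reason in suspicious_svchost(SAMPLE_WMIC_CSV):
        print(f"pid {pid} {name} [{path or '?'}]: {reason}")
```

On a real machine you would feed `hosts_hijacks` the contents of `%SystemRoot%\system32\drivers\etc\hosts` and `suspicious_svchost` the saved output of the WMIC command in the comment; both are read-only, so they are safe to run on the infected box before any cleanup, and the findings give the helper something concrete to work from alongside the scan logs. The System32-only rule is right for the 32-bit XP/Vista/7 systems this thread is about; on 64-bit Windows a legitimate 32-bit svchost.exe can also live under SysWOW64.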

Hi and Welcome to the Malwarebytes' forum.

Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When this "quick" scan is finished (a few seconds), copy the quick scan report to the Windows clipboard, save it as ARKQ.txt and paste it in a reply back here.
  • Only if the ARK program alerts you to rootkit activity and invites you to complete a complete scan - click the Rootkit/Malware tab, and then select the Scan button.
  • Now, relaunch the ARK program, and click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V.
  • Exit the program.
  • Save the scan log as ARK.txt and post it in your next reply. If the log is very long, attach it please.

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as detox.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console - if you have not done that already:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe (detox.exe) & follow the prompts.

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply with a new HijackThis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang. Do not proceed with the rest of the fix if you fail to run combofix.

MBAM manual updating:

You can download the definition updates from MBAM here (on a clean PC if necessary and then transfer mbam-rules.exe to your infected PC):

http://www.malwarebytes.org/mbam/database/mbam-rules.exe

Then double-click on mbam-rules.exe to install.

Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware (for XP) or C:\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref (for Vista and Windows 7) from that system to a usb stick or CD and then copy it to the equivalent directory on the infected machine.

Please post (do NOT attach) your last MBAM log, ARKQ.txt and C:\ComboFix.txt in your next reply.


Hey, thanks for the help.

But I'm trying to run Combofix and I renamed it like you said, but when I open it and I say yes to the agreement, it says it's unsafe to continue, and that my Combofix has been compromised, even after I tried redownloading it about 3 times.

Also, every time I reboot, I have internet usage for about 5-10 minutes, and then it won't connect to any site again and I have to reboot, so once that gets fixed I can send the rootkit scan, which took a long time.


I think your last resort is to create a bootable Linux ResQ CD with an onboard Antivirus on the clean PC.

Then you can boot to that CD on the infected machine, update the virus definitions, and conduct a scan.

You will have to change the boot order in the BIOS to boot to the CD BEFORE the hard drive.

Then you insert the CD in the infected PC's CD-ROM drive and power down and power up.

Upon power up, you should then be booted to the operating system on the CD-ROM; follow the prompts.

Directions to create the CD in the clean PC:

  • Download the F-Secure Rescue CD ISO:
    http://www.f-secure.com/en_EMEA/security/s...ices/rescue-cd/
  • Insert a blank CD-R into your CD drive.
  • Using your CD Burner program, Click the "Burn ISO" button
  • Next browse to the location of the f-secure-rescue-cd-3.11.23804.iso file on your desktop or click Desktop and enter the file name.
  • Click f-secure-rescue-cd-3.11.23804.iso, and then click Open.
  • The f-secure-rescue-cd-3.11.23804.iso will be burnt to the CD-R you have inserted.
  • When the CD is finished, "burning completed" will be logged in the white display area.

You are now ready to boot to the Linux CD you have just created on the infected PC, and perform an F-Secure AV scan.

  • Restart your PC
  • Before the BIOS loads you will see a function key to press to "Change the Boot Order". Usually this key is F12.
  • Press the required key to change the boot order.
  • When the Linux CD boots, accept the End User License Agreement, and then follow the prompts to update and run the antivirus scan.
  • Be very careful, because you can only use the keyboard (the mouse is unavailable)
  • F-Secure antivirus renames all malware found on the computer.

--------------------

Here's another bootable ResQ CD option from Avira:

Download the Avira AntiVir Rescue System:

http://www.free-av.com/en/tools/12/avira_a...cue_system.html

Place a blank CD in your burner and double-click on the downloaded file named rescuecd.exe

The program will automatically burn the CD for you.

Place the burned CD into the affected computer and start the computer from this CD.

On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.

Click on the Configuration button.

Select Scan all files

Select Try to repair infected files and Rename files, if they cannot be removed

Select Scan for dialers

Select Scan for joke programs (Jokes)

Select Scan for games

Select Scan for spyware (SPR)

Click on Virus scanner

Click on Start scanner at the bottom of the screen

Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Sorry for the late reply, had a lot going on recently. Anyway, now it's not completely unbootable, but it seems unusable. If I wait a really long time on startup, it actually loads explorer.exe and I can get access to my files, but the internet is now completely unusable, there's no sound, etc.

And I tried using a flash drive to transfer some of my logs/programs you gave me, but the computer won't recognize it, and I can't figure out how to access it. Also, I had an experience in the past where I had a flash drive in my computer when I had a virus, and it ended up getting infected, and then infected my dad's old computer when he put it in, so I was wondering if that is something I should worry about, and if there's any other way to get those files you sent me onto my computer without having to use the Rescue CD. (Or to save some files from my infected computer in case something happens.)

Also, I might get a hand from a family friend who's good with fixing computers to help out, so that might make this easier.

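The worry in this last post about a flash drive carrying an infection from one PC to the next was well founded for the XP/Vista era: worms of that time dropped an autorun.inf on removable drives so that Windows would run their payload when the drive was opened. Before a stick from an infected machine touches a clean one, the file can be inspected from the clean machine without opening the drive in Explorer. The following is an added example, not from the thread or any of the tools it recommends; the autorun.inf contents are constructed to resemble what such drives carried, and the file path is something you would supply yourself.

```python
"""Inspect an autorun.inf taken from a removable drive before the drive is
used on a clean machine.  Added example, not from the thread; the file
contents below are constructed to resemble what worm-infected USB sticks
of that era carried."""
import re

# Directives that make Windows run a program when the drive is inserted or
# opened: open=, shellexecute=, and shell\<verb>\command=.
LAUNCH_KEYS = {"open", "shellexecute"}
COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed sample.  Real ones often mix in junk lines and odd casing so
# that strict INI parsers give up; the parser below tolerates both.
SAMPLE_AUTORUN = r"""
[AutoRun]
;1b7f9a0c3e  (junk line)
OPEN=RECYCLER\hidden\update.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\Command=RECYCLER\hidden\update.exe
shell\explore\command=RECYCLER\hidden\update.exe /e
useautoplay=1
"""


def parse_autorun(text):
    """Tolerant INI parse of the [autorun] section.  Keys are lower-cased
    (Windows treats them case-insensitively); comment lines (';' or '#')
    and lines without '=' are skipped rather than treated as errors."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Every command line the file would hand to Windows, de-duplicated."""
    return sorted({v for k, v in entries.items()
                   if k in LAUNCH_KEYS or COMMAND_RE.match(k)})


def assess(text):
    """Return a list of human-readable findings; an empty list means the
    file only sets a label or icon and launches nothing."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    findings = []
    if targets:
        findings.append("runs a program on insert/open: " + " | ".join(targets))
    if any("recycler" in t.lower() or "$recycle.bin" in t.lower() for t in targets):
        findings.append("target hides inside the drive's Recycle Bin folder")
    if "open folder" in entries.get("action", "").lower():
        findings.append("action text imitates the built-in "
                        "'Open folder to view files' AutoPlay entry")
    return findings


if __name__ == "__main__":
    # Assumed path: read the file from the clean machine's command line,
    # e.g. after 'type E:\autorun.inf' rather than double-clicking E:.
    for finding in assess(SAMPLE_AUTORUN) or ["nothing to flag"]:
        print("-", finding)
```

The parser deliberately does not use Python's `configparser`, because a strict INI reader raises on the junk lines these files carry and the check would abort exactly when it matters. Run it against the contents of `autorun.inf` in the root of the stick (it is usually marked hidden and system, so use `dir /a` to see it); if `assess` reports launch targets, the files it names are what an antivirus scan of the drive should be looking at, and the safest path for recovering the poster's logs is to copy only the text files off the drive and never to open the drive via AutoPlay.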
