Author Topic: [VUNDO] spyware that adds nasty JavaScript to webpages - how to fix it?


zoki123

  • Guest
I am not sure what it is... I got some spyware that adds nasty JavaScript code to HTML web pages in browsers.... Also, on one site it switched the picture and put in its own. I attached the pic.

Also, here's the logfile from HijackThis:

Quote
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:15 AM, on 6/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\totalcmd\TOTALCMD.EXE
H:\Install\HiJackThis.exe
C:\Program Files\Opera\opera.exe

O2 - BHO: (no name) - {BE7E4CE1-8CBA-44A6-956F-462A667D3286} - C:\WINDOWS\system32\geBqQKAq.dll
O2 - BHO: (no name) - {E6430F8C-9BB1-4C30-A80E-BB21ECD7061B} - C:\WINDOWS\system32\ssqPjjHa.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [318a33ee] rundll32.exe "C:\WINDOWS\system32\bfcoxlyb.dll",b
O4 - HKLM\..\Run: [BM32b90072] Rundll32.exe "C:\WINDOWS\system32\jdsgjxgh.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: geBqQKAq - C:\WINDOWS\SYSTEM32\geBqQKAq.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4662 bytes
« Last Edit: June 20, 2008, 12:54:03 PM by zoki123 »
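For anyone triaging a log like the one above, here is an added example of my own (not HijackThis code, and not from anyone in this thread) that scores HijackThis lines with a few simple heuristics: a BHO registered as "(no name)", a Run entry that calls rundll32 with a single-letter export, a hex-looking Run value name, a Winlogon Notify package, an eight-letter module name with hardly any vowels, and the same DLL referenced from more than one load point. The sample input is copied from the log quoted in this post; the weights and the threshold are my own assumptions, and the random-name test deliberately counts for only one point because legitimate names such as NvMcTray.dll trigger it too.

```python
"""Heuristic triage of HijackThis-style log lines (added example, not HijackThis code)."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Sample input copied verbatim from the HijackThis log quoted in this thread,
# with a few benign lines from the same log so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {BE7E4CE1-8CBA-44A6-956F-462A667D3286} - C:\WINDOWS\system32\geBqQKAq.dll
O2 - BHO: (no name) - {E6430F8C-9BB1-4C30-A80E-BB21ECD7061B} - C:\WINDOWS\system32\ssqPjjHa.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [318a33ee] rundll32.exe "C:\WINDOWS\system32\bfcoxlyb.dll",b
O4 - HKLM\..\Run: [BM32b90072] Rundll32.exe "C:\WINDOWS\system32\jdsgjxgh.dll",s
O20 - Winlogon Notify: geBqQKAq - C:\WINDOWS\SYSTEM32\geBqQKAq.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|,]*?\.(?:dll|exe)\b', re.IGNORECASE)
EXPORT_RE = re.compile(r'\.dll"?\s*,\s*(\S+)', re.IGNORECASE)   # rundll32 "<dll>",<export>
VALUE_NAME_RE = re.compile(r'\[([^\]]+)\]')                       # O4 - ...\Run: [<value name>]
HEXISH_RE = re.compile(r'^[A-Za-z]{0,2}[0-9a-f]{6,}$')            # e.g. 318a33ee, BM32b90072


@dataclass
class Entry:
    section: str            # "O2", "O4", "O20", ...
    name: str               # BHO name, Run value name, notify package name, ...
    module: Optional[str]   # the DLL/EXE the entry loads, if one could be extracted
    raw: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one 'Onn - ...' line; header and process-list lines return None."""
    m = re.match(r'(O\d+) - (.*)', line.strip())
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    paths = PATH_RE.findall(rest)
    dlls = [p for p in paths if p.lower().endswith('.dll')]
    module = dlls[0] if dlls else (paths[-1] if paths else None)
    if section == 'O4':
        vm = VALUE_NAME_RE.search(rest)
        name = vm.group(1) if vm else ''
    else:
        name = rest.split(' - ')[0].split(': ', 1)[-1]
    return Entry(section, name, module, m.group(0))


def looks_random(module: Optional[str]) -> bool:
    """Eight letters with few vowels: the naming pattern of the Vundo DLLs in this log."""
    if not module:
        return False
    stem = module.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    if len(stem) != 8 or not stem.isalpha():
        return False
    vowels = sum(c in 'aeiouAEIOU' for c in stem)
    return vowels / len(stem) <= 0.25


def score(entry: Entry, load_points: dict[str, set[str]]) -> tuple[int, list[str]]:
    """Return (score, reasons). The weights are this example's own assumptions."""
    hits = []
    if entry.section == 'O2' and entry.name == '(no name)':
        hits.append(('BHO registered without a name', 2))
    if entry.section == 'O4' and 'rundll32' in entry.raw.lower():
        em = EXPORT_RE.search(entry.raw)
        if em and len(em.group(1)) == 1:
            hits.append(('rundll32 calling a single-letter export', 2))
    if entry.section == 'O4' and HEXISH_RE.match(entry.name):
        hits.append(('Run value name is a hex-like token', 1))
    if entry.section == 'O20':
        hits.append(('Winlogon Notify package', 1))
    if looks_random(entry.module):
        hits.append(('module name looks machine-generated', 1))
    if entry.module and len(load_points.get(entry.module.lower(), ())) > 1:
        hits.append(('same module loaded from more than one place', 1))
    return sum(w for _, w in hits), [r for r, _ in hits]


def triage(log_text: str, threshold: int = 2) -> list[dict]:
    """Score every entry; return those at or above the threshold, highest first."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    load_points = defaultdict(set)          # module path (lowercased) -> sections that load it
    for e in entries:
        if e.module:
            load_points[e.module.lower()].add(e.section)
    findings = []
    for e in entries:
        total, reasons = score(e, load_points)
        if total >= threshold:
            findings.append({'section': e.section, 'name': e.name, 'module': e.module,
                             'score': total, 'reasons': reasons})
    return sorted(findings, key=lambda f: -f['score'])


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4} score={f['score']} {f['module']}")
        for r in f['reasons']:
            print(f"      - {r}")
```

Run as-is it flags five entries, all pointing at the four DLLs FreewheelinFrank lists further down the thread, and leaves the NVIDIA, SoundMAX and service lines alone; the point of the scoring is that no single heuristic is trusted on its own.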

zoki123

  • Guest
Re: spyware that adds nasty JavaScript to webpages
« Reply #1 on: June 20, 2008, 12:23:34 PM »
so I guess I have Trojan:Win32/Vundo.gen!M and Trojan.Win32.Monder.vaaa

Please, how do I get rid of these???

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67203
First, never follow those fake links. They won't clean anything; on the contrary, you'll get infected.

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

A log will be produced which you can post in your next response.
The best things in life are free.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
C:\WINDOWS\system32\geBqQKAq.dll
C:\WINDOWS\system32\ssqPjjHa.dll
C:\WINDOWS\system32\bfcoxlyb.dll
C:\WINDOWS\system32\jdsgjxgh.dll

Please disable 'Hide protected operating system files', enable 'View Hidden Files and Folders', and upload the above files to VirusTotal for analysis. This will allow avast! and other AVs to add the detections.

If VundoFix doesn't work, run HijackThis again and fix all the entries for the above files and reboot.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4140
  • Some days..... MOS...this bug's for you
Hi Tech and zoki123

Some info on VundoFix. I don't know if it applies here. They are attempting to correct this.

Vundofix has some issues with Asian versions of the Windows Operating system. Use of vundofix may delete critical system files and Windows may not be able to boot after use.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67203
Quote
Vundofix has some issues with Asian versions of the Windows Operating system. Use of vundofix may delete critical system files and Windows may not be able to boot after use.
Thanks for the info.
The best things in life are free.

zoki123

  • Guest
Thanks all... but since VundoFix is not available for download now, I had to reformat the C drive and install WinXP again.... It's a new computer anyway, so...

I am using Avast and ZoneAlarm.... Can somebody tell me, or point me in the right direction about, which other software I should be running in order to be protected from spyware/malware etc....?

Also, should I turn off "System restore" ?

Thanks in advance.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Vundo infections are usually the result of out-of-date and insecure software. The best thing I can recommend is:

https://psi.secunia.com/
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline Abraxas

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 730
  • Perseverance Furthers...
    • PCLinuxOS-Forums
zoki123:
Quote
"...I am using Avast and ZoneAlarm.... Can somebody tell me or point me in the right direction about which other software I should be running in order to be protected from SPyware/malware etc.... ? "
Avast! and ZoneAlarm are a good combo to protect yourself. Additional programs I would suggest and worth looking into would be Spyware Blaster, MVPS HOSTS file, SUPERANTIspyware, and, as you've just re-installed Win XP, go to Windows Update, and also update all your drivers and visit https://psi.secunia.com/ as FreewheelinFrank suggests.
Common sense when browsing is always a great defence against "SPyware/malware etc" ;)


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4140
  • Some days..... MOS...this bug's for you
Hi, too bad about the reformat. The above suggestions are good. I would like to add a little if I may.

You should have a resident antispyware program and an on demand one.
Either of these will fit the bill for the resident

Winpatrol
http://www.winpatrol.com/

Windows Defender
http://www.microsoft.com/athome/security/spyware/software/default.mspx

For on demand

Superantispyware
http://www.superantispyware.com/

Malwarebytes' Anti-Malware from
http://www.besttechie.net/tools/mbam-setup.exe


zoki123

  • Guest
thanks for replies...

I installed Winpatrol, SuperAntispyware and Secunia.

Should I run SuperAntispyware all the time?

Should I run Secunia all the time?
« Last Edit: June 21, 2008, 10:23:28 AM by zoki123 »

Offline Abraxas

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 730
  • Perseverance Furthers...
    • PCLinuxOS-Forums
Hi zoki123. From your previous post I gathered you had installed Avast! and Zone Alarm.
Quote
I am using Avast and ZoneAlarm....
Avast! is a resident anti-virus. ZoneAlarm is a firewall. I hope this is the case as of this moment: that you have Avast! Home or Pro installed and running all the time as resident (always active) protection, and the ZoneAlarm firewall.
Quote
I Installed Winpatrol, SuperAntispyware and Secunia.
Winpatrol will notify you if certain changes occur within your computer. These may include changes to startup programs, the Hosts file, file associations, etc. Winpatrol will alert you of system changes, not protect you from a virus. Read about what you have installed so you know how best to utilise the tools which are designed to help you.
SuperAntispyware can be used as a resident (always active) AV, but if you have Avast! installed and active, you do NOT run SuperAntispyware "all the time", as it will conflict with Avast!. You can use SuperAntispyware to scan your computer on a regular basis though, after updating to its latest virus database.
Quote
Should I run Secunia all the time?
No, just each week or so to make sure the programs it detects are up to date. Some programs you will need to check manually for updates.
I hope this clarifies things for you, zoki123.
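Abraxas describes WinPatrol as a change notifier for startup programs and the Hosts file. As an added example, here is a small baseline-and-compare script of my own (not WinPatrol's code, and not from anyone in this thread) that does the same kind of check: snapshot the Run keys and the hosts file, save the snapshot while the machine is known clean, and report anything added, removed or changed later. The diff logic runs offline on constructed snapshots (the Run values are copied from the HijackThis log in this thread; the hosts entries are made up). snapshot_windows() reads the live registry and hosts file and only works on Windows; the key paths and hosts location it uses are the standard XP ones and are my assumption, not something taken from the thread.

```python
"""Baseline-and-compare check for Run keys and the hosts file (added example, not WinPatrol code)."""
from __future__ import annotations
import json
import sys

# Standard XP locations; assumed for this example, not taken from the thread.
HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"
RUN_KEYS = [("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
            ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")]

# Constructed snapshots for an offline run. The Run values are copied from the
# HijackThis log in this thread; the hosts entries are made up.
BASELINE = {
    "run": {
        r"HKLM\avast!": r"C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
        r"HKLM\ZoneAlarm Client": r'"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
        r"HKCU\CTFMON.EXE": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    "hosts": {"localhost": "127.0.0.1", "ads.example.com": "0.0.0.0"},
}
CURRENT = {
    # one new Run value (from the log above) and one hosts entry pointed somewhere else
    "run": {**BASELINE["run"],
            r"HKLM\318a33ee": r'rundll32.exe "C:\WINDOWS\system32\bfcoxlyb.dll",b'},
    "hosts": {"localhost": "127.0.0.1", "ads.example.com": "203.0.113.5"},
}


def parse_hosts(text: str) -> dict[str, str]:
    """Map each hostname in hosts-file text to its address, ignoring comments and blanks."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:
            mapping[host.lower()] = parts[0]
    return mapping


def snapshot_windows() -> dict:
    """Collect the live Run values and hosts entries. Windows only (uses winreg)."""
    import winreg
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    run = {}
    for hive, path in RUN_KEYS:
        with winreg.OpenKey(roots[hive], path) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):      # [1] = number of values
                name, data, _type = winreg.EnumValue(key, i)
                run[f"{hive}\\{name}"] = str(data)
    with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
        hosts = parse_hosts(fh.read())
    return {"run": run, "hosts": hosts}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report added, removed and changed items for every watched category."""
    report = {}
    for category in sorted(set(baseline) | set(current)):
        old, new = baseline.get(category, {}), current.get(category, {})
        report[category] = {
            "added": sorted(k for k in new if k not in old),
            "removed": sorted(k for k in old if k not in new),
            "changed": sorted(k for k in old if k in new and old[k] != new[k]),
        }
    return report


def has_changes(report: dict) -> bool:
    return any(items for category in report.values() for items in category.values())


def main(argv: list[str]) -> int:
    """--save FILE writes a live baseline; --check FILE compares live state to it; no args: demo."""
    if len(argv) == 2 and argv[0] in ("--save", "--check") and sys.platform == "win32":
        if argv[0] == "--save":
            with open(argv[1], "w") as fh:
                json.dump(snapshot_windows(), fh, indent=2)
            return 0
        with open(argv[1]) as fh:
            report = diff_snapshots(json.load(fh), snapshot_windows())
    else:
        report = diff_snapshots(BASELINE, CURRENT)
    print(json.dumps(report, indent=2))
    return 1 if has_changes(report) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Without arguments it compares the two constructed snapshots and reports the new HKLM Run value and the altered hosts entry; on a freshly reinstalled XP box you would run it with --save once everything is set up, and later with --check to see what has changed since. It tells you that something changed, not whether the change is bad, which is the same limitation Abraxas points out for WinPatrol.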


zoki123

  • Guest
Hi,

I implemented changes that you have recommended.

btw should I keep System restore on or off?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87664
  • No support PMs thanks
Once you confirm your system is clean then yes you should enable system restore again.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 23.4.6062 (build 23.4.8118.762) UI 1.0.762/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security