Solved

Trojan.Vundo, Downloader.MisLeadApp, and Adware.Ezula Infection

Posted on 2007-12-05
3,842 Views
Last Modified: 2013-12-04
My computer is infected with Trojan.Vundo, Downloader.MisLeadApp, and Adware.Ezula. I've an up-to-date version of Norton Antivirus running and on a daily basis it quarantines Vundo and Ezula. I get popups now and again. I have SpyBot running and every morning when I wake up I have a list of registry entry keys that the system is attempting to change. I have run scans of SpyBot and Ad-Aware and Netcom3 but haven't been able to remove the spawning application.

This happened last Friday (it is now Wednesday). I posted a HijackThis log here: http://www.techsupportforum.com/search.php?searchid=2367013. Perhaps you need a more up-to-date log? Please let me know what needs to be done. I freelance from home and this bug is eating away at my time. I have only myself to blame for snooping the internet - I have learned my lesson. But how much longer do I need to be whacked!!!!!

I appreciate your help. Regards...
Question by: joibrooks

12 Comments

Assisted Solution by: IndiGenus (ID: 20410408)
Vundo is stubborn and nasty. Can't see your log because you need to sign up at the site.

Download and Run ComboFix (by sUBs)

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log. Please upload the log at EE-Stuff.com
Use the link below and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware.

NOTE: If you have issues connecting to your network or internet after running combofix you can either simply reboot, or do the following:
* Go to Control Panel > Network Connections.
* Right-click on your Network icon & select "Repair"
or
Alternately, if the Network icon appears in the notification area in the lower right corner of the Desktop, right-click it, and then click Repair from the shortcut menu.

Please also rename HijackThis to something else before running it and uploading your log.
Author Comment by: joibrooks (ID: 20410705)
i have sent the log files you requested. since i rebooted, i have another issue now. at a cold startup i get a rundll message:

Error Loading
c:/windows/system32/gebrpfgp.dll

when i click okay, the system boots.

thank you...
Assisted Solution by: IndiGenus (ID: 20411439)
> Error Loading
> c:/windows/system32/gebrpfgp.dll

That is one of the Vundo files. It is in one of your run keys. More work to do with combofix. I will give you a CFScript to run that will fix that. Just give me a bit to comb through the log and I will post a script for you with instructions.
Assisted Solution by: IndiGenus (ID: 20411695)
I would recommend you remove the Pando Toolbar and program. It is supported by Adware.
Also...Spyclean and/or Netcom3 Cleaner is also a rogue Anti-Spyware application and should be removed.
You can try using Add or Remove Programs to get these first but we may need to make manual deletions.
I am going to include Spyclean removal in the combofix script.

1. Open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:


---------------------------------------------------------------------------------------------------------------

File::
C:\WINDOWS\system32\hggda.dll
C:\WINDOWS\system32\drvvih.dll
C:\WINDOWS\system32\gebbcdc.dll
C:\WINDOWS\system32\gebrpfgp.dll

Folder::
C:\Program Files\yzudexmv
C:\Program Files\Unezyuxj
C:\Program Files\Netcom3 Cleaner

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{299E86A2-BF77-41BC-84C2-FA57787C2BCE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{376F3CEB-BB08-4FA1-B7FC-168A61DFA458}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62780D18-D103-03D3-323A-01F43008B839}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79B3844B-6DAC-4B78-B0B8-C99D8BBDCD50}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86F7CF81-69B0-4270-BC06-9D3D0CC42B87}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyClean"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"9cac5db8"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{79B3844B-6DAC-4B78-B0B8-C99D8BBDCD50}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebbcdc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


---------------------------------------------------------------------------------------------------------------


3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log

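The CFScript above uses ComboFix's .reg-style directive format. As an added example (not ComboFix's own code, and not written by anyone in this thread), here is a small Python parser that reads such a script and turns it into a list of the actions it would perform, including decoding the hex(7) REG_MULTI_SZ value on the Lsa line. The sample script embedded in it is constructed from lines in the post above, and the section semantics (File:: deletes files, Folder:: deletes folders, [-KEY] deletes a key, "name"=- deletes a value) are assumed from common CFScript usage rather than taken from any ComboFix documentation.

```python
"""Parse a ComboFix CFScript and explain what each directive would do.

Added example: not ComboFix's code and not from the thread's participants.
Assumed CFScript conventions (common usage):
  File::      each line is a file to delete
  Folder::    each line is a folder to delete
  Registry::  .reg-style lines; [-KEY] deletes a key, [KEY] selects a key,
              "name"=- deletes a value, "name"=hex(7):.. sets a REG_MULTI_SZ
"""
import re

# Constructed sample, assembled from lines in the post above. The '~' in the
# BHO key is ComboFix's own path abbreviation and is kept as written.
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\system32\gebrpfgp.dll

Folder::
C:\Program Files\Netcom3 Cleaner

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79B3844B-6DAC-4B78-B0B8-C99D8BBDCD50}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"9cac5db8"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""

SECTION_RE = re.compile(r"^(\w+)::$")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def decode_hex7(payload):
    """Decode a .reg hex(7) (REG_MULTI_SZ) byte list into its strings.

    The thread's value is single-byte encoded (REGEDIT4 style); a
    'Windows Registry Editor Version 5.00' file would hold UTF-16LE bytes.
    """
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    # Strings are NUL-separated and the list is closed by an extra NUL.
    return [s.decode("latin-1") for s in raw.split(b"\x00") if s]


def _registry_line(line, current_key):
    """Interpret one Registry:: line; returns (action or None, current_key)."""
    m = KEY_RE.match(line)
    if m:
        minus, key = m.groups()
        if minus:
            return {"action": "delete_key", "key": key}, None
        return None, key  # plain [KEY] only selects the key for later values
    m = VALUE_RE.match(line)
    if not m or current_key is None:
        raise ValueError(f"unrecognised registry line: {line!r}")
    name, data = m.groups()
    if data == "-":
        return {"action": "delete_value", "key": current_key, "name": name}, current_key
    if data.startswith("hex(7):"):
        return {"action": "set_multi_sz", "key": current_key, "name": name,
                "value": decode_hex7(data[len("hex(7):"):])}, current_key
    return {"action": "set_value", "key": current_key, "name": name, "data": data}, current_key


def parse_cfscript(text):
    """Return {'files': [...], 'folders': [...], 'registry': [actions]}."""
    script = {"files": [], "folders": [], "registry": []}
    section = None
    current_key = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            continue
        if section == "file":
            script["files"].append(line)
        elif section == "folder":
            script["folders"].append(line)
        elif section == "registry":
            action, current_key = _registry_line(line, current_key)
            if action:
                script["registry"].append(action)
        else:
            raise ValueError(f"line outside a known section: {line!r}")
    return script


def describe(script):
    """Render the parsed script as one plain-English line per action."""
    lines = [f"delete file   {p}" for p in script["files"]]
    lines += [f"delete folder {p}" for p in script["folders"]]
    for a in script["registry"]:
        if a["action"] == "delete_key":
            lines.append(f"delete key    {a['key']}")
        elif a["action"] == "delete_value":
            lines.append(f"delete value  {a['key']}\\{a['name']}")
        elif a["action"] == "set_multi_sz":
            lines.append(f"set multi_sz  {a['key']}\\{a['name']} = {a['value']}")
        else:
            lines.append(f"set value     {a['key']}\\{a['name']} = {a['data']}")
    return lines


if __name__ == "__main__":
    for line in describe(parse_cfscript(SAMPLE_CFSCRIPT)):
        print(line)
```

Reading the script this way before running it shows what the Lsa line does: the hex(7) bytes decode to the single string msv1_0, the Windows default authentication package, so the directive resets "Authentication Packages" to that default and drops any extra DLL an infection had registered there, which is one of the boot-time load points Vundo used alongside the Winlogon Notify key and the Run keys targeted by the other lines.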
 

Author Comment by: joibrooks (ID: 20412097)
okay. i've uploaded a new combo and hijackthis log file. doctor, what is the prognosis?
Accepted Solution by: IndiGenus (ID: 20412343)
Looks better, how's it running?

A couple of Vundo files popped up or were missed. You can run another CFScript with them under files:, or just delete them manually.

C:\WINDOWS\system32\adggh.ini2
C:\WINDOWS\system32\adggh.ini
C:\WINDOWS\system32\pgfprbeg.ini

Also, still a service present for that Spyclean garbage program.

To remove...

Click Start -> Run...
Enter the following commands one at a time into the window and click [b]OK[/b] each time.

sc stop Netcom3
sc delete Netcom3

Run HijackThis and fix this item:

O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)
Assisted Solution by: IndiGenus (ID: 20412356)
Sorry, left bbcode around "OK" above. There shouldn't be any [b]'s
Author Comment by: joibrooks (ID: 20412679)
okay. status:

after i ran sc stop and delete Netcom3, the comment doesn't show up in the HiJack log.

i created and ran the cfscript to delete the .dll files in the win system32 directory.

i'm very hopeful here!

should i get rid of  the SpyBot app?
Assisted Solution by: IndiGenus (ID: 20412968)
> should i get rid of the SpyBot app?

No, well, up to you....Spybot S&D is good for one time scans. And TeaTimer works well if it's not too annoying. But the program has been around since the dawn of spyware and is good.
Author Comment by: joibrooks (ID: 20413127)
that's a roger on spybot.

i'm going to leave this ticket open for a day. i'm VERY hopeful. by tomorrow you oughtta be 500 points richer. and tonight, if your ears are ringing it is because i'll be praising you at dinner time prayers. thank you for hanging in there with me.

-jb
Assisted Solution by: IndiGenus (ID: 20416074)
No problem jb, glad we could help and thank you (lord knows I need all the prayers I can get ;))
Dave
Author Closing Comment by: joibrooks (ID: 31412812)
Prompt response, exceptional ability, professional and knowledgeable. Well deserved rating of A++