Hillridge
Aug 3, 2004

WWheeeeeee!
I've been dealing with Vundo, aka Virtumonde for a couple weeks. I think I actually removed it once, then got reinfected. Now my java is up to date and it will hopefully stay off my system.

The first time I used combofix and malwarebytes to get rid of it. This time I just renamed all the suspected dlls in my system32 folder then rebooted into safe mode and deleted them. I then ran Spybot to take care of the leftover registry entries. I ran it twice, and it caught a single entry the second time, so I hope it isn't still alive somewhere.

Finally, I ran the symantec removal tool (which took for loving ever) and it didn't find anything. I'll do another Spybot scan tonight and see if any signs of it are back.


Hillridge
Aug 3, 2004

WWheeeeeee!
Has Vundo been known to do anything beyond just being annoying? I'm wondering about things like keylogging, password stealing, etc. All it seems to do on my system is slow things down and occasionally try to open tabs to defunct websites in firefox.

Hillridge
Aug 3, 2004

WWheeeeeee!
I'd flatten and reinstall if it didn't take so long to get everything back to the way it was. First you have to install the OS and apply all the updates, which includes what seems like 50 reboots. You can save a little time by slipstreaming the latest service pack into the install disc, but it still sucks. Then you have to reinstall drivers. Then you have to reinstall all the applications and possibly update them. Then you have to reconfigure all the applications and little tweaks you've set up since the last reformat. I'd estimate that it takes me the better part of a week to rebuild my system and get it back to how it was just before infection.

Hillridge
Aug 3, 2004

WWheeeeeee!

MeramJert posted:

Why not make an image next time? Then any subsequent times you could just wipe the drive and put the image back on.

I've done this in the past, and unless you make images on a regular basis, it only gets you so far. If you don't store a backlog of images then you run the risk of reverting to an infected one. There's probably a solution for this, but I don't know it.


GREAT BOOK OF DICK posted:

RootkitRevealer is okay, but I think GMER is a more robust version of RootkitRevealer. Not to mention RootkitRevealer hasn't been updated since 2001 I think.

I think SDFix runs GMER as part of its process.

Hillridge
Aug 3, 2004

WWheeeeeee!
It's like people forget every bit of common sense when on the internet. If a guy came up to these people on the street (or rang their doorbell) and told them that their house had problems, and they needed his product to fix it, 99% of these people would tell him to gently caress off.

On the internet? *click*

Hillridge
Aug 3, 2004

WWheeeeeee!
Something weird is still going on here.

I just did a google search for Scene It: Box Office Smash

I clicked the first link, which should be this:
http://www.xbox.com/en-US/games/s/sceneitbos

Instead it took me to here:

http://www.shopica.com/search.php?q=office


I hit back and clicked it again and it went to the right site. I did a scan in safe mode using malwarebytes a day ago and it found nothing. Should I just throw some more programs at it and see what turns up?

Hillridge
Aug 3, 2004

WWheeeeeee!
Just so I don't inadvertently infect myself with something, this is the correct download link for SUPERAntiSpyware right?

http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

Hillridge
Aug 3, 2004

WWheeeeeee!

webcomics thread posted:

I just got it from zdnet's download.com, seems the safest way to find most things.

I ran it and found a bunch of cookies, but not much else. It's mildly annoying in that it sets itself to run at startup though.


Oh, my hosts file was normal btw.

I haven't had the problem yet today, so I'm going to keep my fingers crossed and hope I'm clean.
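Checking the hosts file by eye is the kind of step that is easy to get wrong, so here is an added example (not code from anyone in this thread) that parses a hosts file and flags every name that is mapped somewhere other than the local machine. The hosts content below is constructed for the example and the 203.0.113.x addresses are documentation addresses, not real infrastructure; on a real machine you would read C:\Windows\System32\drivers\etc\hosts instead.

```python
import ipaddress

# Constructed sample hosts file for this example; the two non-local lines are the
# kind of tampering a redirect-style hijack would leave behind. Not from any real PC.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# the two lines below send search traffic to a third-party address
203.0.113.10    www.google.com
203.0.113.10    www.bing.com   # added by something other than the user
0.0.0.0         ads.example    # blocklist-style entry, benign
"""

# Targets that mean "this name is blocked or stays on this machine".
LOCAL_TARGETS = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding space
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed line; ignore it here
        for name in fields[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def suspicious_hosts_entries(text):
    """Entries that point a hostname at a non-local address: these deserve a look."""
    return [
        entry for entry in parse_hosts(text)
        if entry[1] not in LOCAL_TARGETS and not entry[1].is_loopback
    ]


def suspicious_hostnames(text):
    """Just the hostnames from suspicious_hosts_entries, for a quick report."""
    return [name for _, _, name in suspicious_hosts_entries(text)]


if __name__ == "__main__":
    for lineno, ip, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```

A hosts file that only contains loopback and 0.0.0.0 mappings comes back empty here, which is what "normal" should look like; anything else is worth comparing against what the machine's DNS resolver actually returns.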

Hillridge
Aug 3, 2004

WWheeeeeee!
Goddammit I am still getting redirected now and then when clicking links on a google search results page. I've run a few scans and found nothing. I guess I'll just live with it for now.

Hillridge
Aug 3, 2004

WWheeeeeee!

fishmech posted:

I'd advise alerting the owners of the sites that they may have been exploited, and posting what sites and search results are giving you redirects.

I don't think this is it, since it's happening way too often, and with sites like walmart.com.


I did a google search for "christmas" and clicked the first link and it happened.

It looks like it is redirecting through http://goougly.com

Here's where the christmas link took me before it redirected to some other crap page:

http://goougly.com/c.php?url=http%3A%2F%2Fwww.google.com%2Furl%3Fsa%3Dt%26source%3Dweb%26ct%3Dres%26cd%3D4%26url%3Dhttp%253A%252F%252Fen.wikipedia.org%252Fwiki%252FChristmas%26ei%3DQ49SSZWLKce_tgeGn-nmBg%26usg%3DAFQjCNHBERwlZenm8jlqrLxALb-57ddTfw%26sig2%3D1UfxyEfkLC_AekJrHrKR4A&p=3&rf=http%3A%2F%2Fchristmas.asdos.com%2Findex.php


Edit: This is with Firefox 3.0.5

Hillridge fucked around with this message at 20:27 on Dec 25, 2008
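The goougly URL above is a redirector wrapping Google's own redirector, so the real destination is percent-encoded twice. As an added example (not code from the thread), here is a small decoder that unwraps such chains offline, without fetching anything, so you can see which hosts a click passed through and where it was supposed to end up. The list of parameter names it tries is an assumption about common redirector conventions; the sample input is the URL quoted in the post.

```python
from urllib.parse import urlsplit, parse_qs

# Query parameters that redirectors commonly use to carry the real destination.
# This list is an assumption for the example, not a complete or authoritative one.
REDIRECT_PARAMS = ("url", "u", "target", "dest", "redirect", "q")

# The redirect URL quoted in the post above, used here as sample input.
SAMPLE_URL = (
    "http://goougly.com/c.php?url=http%3A%2F%2Fwww.google.com%2Furl%3Fsa%3Dt"
    "%26source%3Dweb%26ct%3Dres%26cd%3D4%26url%3Dhttp%253A%252F%252Fen.wikipedia.org"
    "%252Fwiki%252FChristmas%26ei%3DQ49SSZWLKce_tgeGn-nmBg%26usg%3DAFQjCNHBERwlZenm8jlqrLxALb-57ddTfw"
    "%26sig2%3D1UfxyEfkLC_AekJrHrKR4A&p=3&rf=http%3A%2F%2Fchristmas.asdos.com%2Findex.php"
)


def next_hop(url):
    """Return the first URL-valued redirect parameter in the query string, or None."""
    params = parse_qs(urlsplit(url).query)     # parse_qs percent-decodes values once
    for name in REDIRECT_PARAMS:
        for value in params.get(name, []):
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def unwrap_redirect_chain(url, max_depth=10):
    """Follow nested redirect parameters purely by parsing; nothing is requested."""
    chain = [url]
    current = url
    for _ in range(max_depth):
        hop = next_hop(current)
        if hop is None:
            break
        chain.append(hop)
        current = hop
    return chain


def hosts_in_chain(url):
    """Hostnames the click passes through, outermost first."""
    return [urlsplit(u).hostname for u in unwrap_redirect_chain(url)]


def referrer_of(url):
    """goougly's c.php also carries an 'rf' parameter naming the page that sent the click."""
    rf = parse_qs(urlsplit(url).query).get("rf", [])
    return rf[0] if rf else None


def unexpected_hosts(url, expected):
    """Hosts in the chain that are neither the final destination nor in the expected set."""
    hosts = hosts_in_chain(url)
    return [h for h in hosts[:-1] if h not in expected]


if __name__ == "__main__":
    for hop in unwrap_redirect_chain(SAMPLE_URL):
        print(hop)
    print("referrer:", referrer_of(SAMPLE_URL))
    print("unexpected:", unexpected_hosts(SAMPLE_URL, {"www.google.com"}))
```

For the quoted URL the chain is goougly.com, then www.google.com, then en.wikipedia.org, and the rf parameter names a third site the user never visited; a Google results click should only ever pass through the search engine's own host, so any extra host in the middle of the chain is the thing to investigate.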

Hillridge
Aug 3, 2004

WWheeeeeee!
I ran combofix again, and it quarantined a bunch of stuff. Judging from the file names of some of the .dlls it reported (8 letters, alternating vowel-consonant pattern), it looks like loving vundo was still kicking around.

I haven't seen any redirects yet, but I'm not going to declare this machine clean until it stays that way for a few days.

Also, I recently started having a problem where if I was running uTorrent any web browsing was incredibly slow, if not impossible. That seems to be fixed now.

My dad just asked about antivirus 2009 popups, so I may get to repeat all this, only over the phone.
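The naming pattern mentioned above (eight letters, alternating vowel and consonant) is easy to check mechanically across a directory listing. Here is an added example of that heuristic (not code from the thread or from any of the tools named in it); the directory listing is constructed, and the alternating names in it are invented for the example, not real sample names. It is only a heuristic for deciding what to look at more closely, so a match should be confirmed by other means before anything is deleted.

```python
import os

VOWELS = set("aeiou")   # 'y' is treated as a consonant here


def alternates_vowel_consonant(stem):
    """True when the letters strictly alternate vowel/consonant, starting with either class."""
    classes = [ch in VOWELS for ch in stem]
    return all(classes[i] != classes[i + 1] for i in range(len(classes) - 1))


def looks_like_generated_dll_name(filename):
    """The pattern described in the post: 8 letters, alternating vowel-consonant, .dll extension."""
    name = os.path.basename(filename).lower()
    if not name.endswith(".dll"):
        return False
    stem = name[:-4]
    return len(stem) == 8 and stem.isalpha() and alternates_vowel_consonant(stem)


def flag_suspect_dlls(filenames):
    """Return the names from a listing that match the heuristic, sorted for a stable report."""
    return sorted(f for f in filenames if looks_like_generated_dll_name(f))


def scan_directory(path):
    """Apply the heuristic to a real directory, e.g. the system32 folder."""
    return flag_suspect_dlls(os.listdir(path))


# Constructed listing for this example: a few real-looking names that must not match,
# plus two invented alternating names that should.
SAMPLE_LISTING = [
    "kernel32.dll",   # digits, not eight letters
    "user32.dll",
    "wininet.dll",    # seven letters
    "rasadhlp.dll",   # eight letters but 'dh' breaks the alternation
    "abcdefgh.dll",   # 'bc' breaks the alternation
    "notavowel.txt",  # wrong extension
    "tuvodali.dll",   # invented: matches
    "ERAKOZIN.dll",   # invented: matches (case is ignored)
]

if __name__ == "__main__":
    for name in flag_suspect_dlls(SAMPLE_LISTING):
        print("suspect:", name)
```

Running scan_directory against a system folder will produce a short list at most; the point is to narrow down what to inspect (file version information, timestamps, whether anything references the file at startup) rather than to prove a file is malicious by its name alone.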

Hillridge
Aug 3, 2004

WWheeeeeee!
Crap, still seeing goougly links in google.
I found some info on it, but nothing helpful.

I also turned off 3rd party cookies in Firefox.

I think I'm going to drop into safe mode and run:
spybot, superantispyware, ccleaner, malwarebytes, then combofix.

If that combo doesn't cure it, I don't know what will.

Hillridge
Aug 3, 2004

WWheeeeeee!

AceSnyp3r posted:

It probably goes without saying, but have you tried changing your DNS server to something like OpenDNS temporarily, to make sure the redirects are only on your end, and not just your ISP's DNS's fault?

I have not, but other PCs on my network do not have this problem.

I just found a post in another forum from someone with a similar problem, and he was told to use GooredFix.exe

I ran this, found a problem, removed it, and I think it is fixed.

I'd still like to find the guy who wrote this browser hijack and punch him in the sack though.

Hillridge fucked around with this message at 16:39 on Dec 27, 2008

Hillridge
Aug 3, 2004

WWheeeeeee!
I think this may be a side effect of all the cleaning I did to get rid of my infection. Some text comes up like this in firefox. How do I fix this?

Edit: It's not a font or encoding issue either.


Hillridge fucked around with this message at 20:00 on Jan 1, 2009

Hillridge
Aug 3, 2004

WWheeeeeee!

darkforce898 posted:

Your system language might have been changed... try and see what it is set to

It looks fine, though Asian languages are unchecked, and I'm almost positive I've installed them before. I don't think it's systemic because IE displays the text fine on that page.

Jo posted:

It would appear several of your vowels have become surprised. Give them time to calm down.

I put on some smooth jazz and lit some candles...no help.

Hillridge
Aug 3, 2004

WWheeeeeee!

BigKOfJustice posted:

I never had a virus since 1991 on an Amiga.

Until last week when, out of the blue, via no prompt or action on my own, avast flips out with 2-3 error messages, crashes, followed by the firewall crashing and IE launching and firing up all sorts of ads.

Common sense can only help so much, what happens if some joker uses a jpeg exploit and hotlinks it to a thread?

Same here, I got infected through a Java exploit before they patched it. The only way to be sure you never get anything is to unplug your network cable/kill wireless.

Hillridge
Aug 3, 2004

WWheeeeeee!
Ugh. I just spent 45 minutes on the phone with my dad trying to talk him through some fixes. combofix.exe won't even run in safe mode. I sent him an email with some other things to try like SDfix, so we'll see if he gets anywhere.


Hillridge
Aug 3, 2004

WWheeeeeee!
Ugh, my wife got her PC infected last night while looking for sheet music.

A security center warning pops up that looks like a legitimate windows protection warning, saying that she is infected with win32.zafi.b, along with a button to "activate protection", which links to http://defender-review.com/[some string of characters]. It's obviously a BS error that routes you to a product that will no doubt install more problems on your PC if you're dumb enough to buy it.

NOD32 didn't find anything, but it did throw a ton of "locked file" errors. I'm scanning with Malwarebytes now and doing some research on it while I wait for results.
