It Started with Vundo Trojan. Now Cannot Access Website 1

Variscite (MIS) | Nov 3, 2003 | 42 | US
User got the Vundo trojan. He had previously upgraded from IE6 to IE7 and when that didn't work he loaded Firefox. McAfee didn't detect it (McAfee program and definitions were up-to-date). Noticed the problem when the website apollo.conbraco.com wouldn't load at all or would load with the title bar "Cannot Find Server - Microsoft Internet Explorer". This website forwards to an aspx log-in page.

I used AdAware and Windows Defender. Couldn't use McAfee because it displays just a blank page with McAfee Security Center as the title bar. AdAware found 555 infected files which I deleted. I also used a Vundo cleaning tool. I still get some ads and I still cannot access the website with Firefox or IE6 (I removed IE7).

Most of the time when I try to launch the site I get, "This page cannot be displayed" and a red box which reads "To attempt to fix network connectivity problems ...".

The website did work for a day when I had him running in selective startup mode with only Microsoft services running, but it stopped working again.

Any ideas of how to get this site working? Thanks.
 
Download HijackThis from the link below. Please do this. Click here to download HijackThis. Click Scan and save a logfile, then post it here so we can take a look at it for you. Don't click Fix on anything in HijackThis, as most of the files are legitimate.

Please download VundoFix to your desktop.
· Double-click VundoFix.exe to run it.
· Click the Scan for Vundo button.
· Once it's done scanning, click the Remove Vundo button.
· You will receive a prompt asking if you want to remove the files; click YES.
· Once you click Yes, your desktop will go blank as it starts removing Vundo.
· When completed, it will prompt that it will shut down your computer; click OK.
· Turn your computer back on.


Go here and download the latest version of Java. Once downloaded, go to Add/Remove and uninstall all previous versions of Java from Add/Remove, and then install the latest version you just downloaded!

Download SDFix and save it to your Desktop.

Double-click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following:

* Restart your computer.
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
* Instead of Windows loading as normal, the Advanced Options Menu should appear.
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.

* Open the extracted SDFix folder and double-click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
* Press any key and it will restart the PC.
* When the PC restarts, the fix tool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
* Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
* Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

_____________________________________________________________________

NOTE: If you have downloaded ComboFix previously, please delete that version and download it again!

Download ComboFix from http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe (or from the alternate link) to your Desktop.

Reboot to Safe Mode:

Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load. If done right, a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Perform the following actions in Safe Mode.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.




Post a HijackThis log, plus the VundoFix, ComboFix and SDFix logs!



Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Thanks for the response. Internet Explorer and Mozilla Firefox both are not working properly. This began with Vundo. The server cannot reach certain sites still and cannot download. Have deleted the browsers, reinstalled them, reset settings to default and still no success in using them. I'll perform your steps and post back here.
 
OK, try this. If you still can't get into some sites, then download all the tools on another PC and transfer them to yours, but download and run this tool first!

Or go to C:\windows\system32\drivers\etc and in this folder right-click and delete the hosts file, which has probably become infected and is blocking websites!


Download the HostsXpert 3.7 - Hosts File Manager.

* Unzip HostsXpert 3.7 - Hosts File Manager to a convenient folder such as C:\HostsXpert 3.7 - Hosts File Manager
* Run HostsXpert 3.7 - Hosts File Manager from its new home.
* Click "Make Hosts Writable?" in the upper right corner (if available).
* Click Restore Original Hosts and then click OK.
* Click the X to exit the program.
* Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
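The hosts-file hijack described in the post above, as an added example that is not part of the original thread: a small audit script that parses a Windows hosts file the way Windows reads it (comments, tabs, several names per line), separates blocklist-style sink entries (an ad-blocking hosts file such as the MVPS one mentioned later in the thread deliberately maps ad domains to 0.0.0.0 or 127.0.0.1, so a loopback mapping on its own is not proof of infection) from entries that redirect a site to a foreign address or sink a site the user must reach, and rebuilds a clean file. The sample hosts text, the `.example` domain names and the `MUST_REACH` list are constructed for illustration; the paths in `HOSTS_PATHS` are the ones listed in the thread.

```python
"""Audit a Windows hosts file for malware edits.

Added example for this thread, not code from the original posts.
The hosts text, the domain names and the must-reach list below are
constructed for illustration; read the real file (see HOSTS_PATHS)
and pass its text to audit_text() to use it on a machine.
"""
import ipaddress

# Where the file lives on the Windows versions the thread mentions.
HOSTS_PATHS = {
    "Windows XP": r"C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts",
    "Windows 2K": r"C:\WINNT\SYSTEM32\DRIVERS\ETC\hosts",
    "Win 98/ME": r"C:\WINDOWS\hosts",
}

# Sites the user must be able to reach (constructed; on a real machine this
# would be the AV vendor's update domains and the site that stopped loading).
MUST_REACH = {"av-vendor.example", "portal.example"}

# Constructed sample mixing one legitimate blocklist entry with hijacks.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net            # blocklist-style sink
127.0.0.1       www.av-vendor.example      # vendor site sunk to loopback
127.0.0.1       update.av-vendor.example
203.0.113.9     login.portal.example       # redirect to a foreign address
198.51.100.7    www.portal.example portal.example
"""


def parse_hosts(text):
    """Return [(line_no, address, hostname)] for every mapping in the file.

    Handles '#' comments, tabs/spaces and several names on one line, which
    is how Windows itself reads the file."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; Windows skips it too
        for name in fields[1:]:
            entries.append((line_no, addr, name.lower()))
    return entries


def classify(addr, name, must_reach=MUST_REACH):
    """Verdict for one mapping (None for the localhost line itself).

    redirect : name sent to a routable address -> attacker-chosen server
    blocked  : a must-reach name sunk to loopback/0.0.0.0 -> site blocked
    sink     : any other loopback/0.0.0.0 mapping -> blocklist style, review
    """
    if name == "localhost":
        return None
    if not (addr.is_loopback or addr.is_unspecified):
        return "redirect"
    if name in must_reach or any(name.endswith("." + d) for d in must_reach):
        return "blocked"
    return "sink"


def audit_text(text, must_reach=MUST_REACH):
    """Return [(line_no, verdict, address, name)] for every non-localhost entry."""
    findings = []
    for line_no, addr, name in parse_hosts(text):
        verdict = classify(addr, name, must_reach)
        if verdict:
            findings.append((line_no, verdict, str(addr), name))
    return findings


def rebuild_hosts(text, must_reach=MUST_REACH, keep_sinks=True):
    """Build a replacement hosts file: localhost only, plus (optionally) the
    blocklist-style sinks so a custom ad-blocking list survives the cleanup.
    Redirects and blocked must-reach names are always dropped."""
    lines = ["127.0.0.1\tlocalhost"]
    for _, verdict, addr, name in audit_text(text, must_reach):
        if verdict == "sink" and keep_sinks:
            lines.append(f"{addr}\t{name}")
    return "\r\n".join(lines) + "\r\n"  # Windows line endings


if __name__ == "__main__":
    for line_no, verdict, addr, name in audit_text(SAMPLE_HOSTS):
        print(f"line {line_no:2d}  {verdict:8s}  {addr:15s}  {name}")
    print(rebuild_hosts(SAMPLE_HOSTS, keep_sinks=False))
```

Two practical points when applying this to a real machine: the file frequently carries the read-only attribute or is held open by a running malware component, which is why the tool in the post has a "Make Hosts Writable" step and why Safe Mode helps; and Windows only honours a file named exactly `hosts` with no extension, so a `hosts.txt` saved by Notepad is silently ignored.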
 
A belated thanks for your help. Everything has been working great on that PC for a couple of weeks.
 
OK, you're welcome!

You should now turn off System Restore to flush out the bad restore points and then re-enable it and make a new clean restore point.

How to turn off System Restore

Here are some free tools to keep you from getting infected in the future.

To stop reinfection, get SpywareBlaster from the link below.

Get the hosts file from here. Unzip it to a folder!

Put it into the folder for your version of Windows, or click the MVPS .bat and it should do it for you!

Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME = C:\WINDOWS



IE-SPYAD puts over 5000 sites in your Restricted Zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.






Use either Arovax or Spyware Terminator; you could try both and see which one you like!

Arovax Shield

Spyware Terminator

In Spyware Terminator, click Real Time Protection and tick the box to use real-time protection, and tick all the boxes except File Exceptions Shield. If you're confident in using its advanced feature, click Advanced and tick the HIPS box.

If you want to install and uninstall programs, it is best to temporarily disable Spyware Terminator and then re-enable it after you have installed or uninstalled a program, as it will create a lot of pop-ups asking you whether you wish this to happen!

Right-click Spyware Terminator on the bottom right of your status bar and choose Exit. Then tick the box and that is Spyware Terminator disabled!




I would also suggest switching to Mozilla's Firefox browser; it's safer, has a built-in pop-up blocker, and blocks cookies and ads. Mozilla Thunderbird is also a good e-mail client.



Another good and free browser is Opera!



Read here to see how to tighten your security:



A good overall guide for firewalls, anti-virus, and anti-trojans as well as
regular spyware cleaners.



Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Thanks. I'll do all of that. Now there is a new problem. Let me know if this should be a new thread or in another forum.

We're using a Netgear Firewall/Router which notifies me if someone tries to access a restricted site. I just got this message: "2008-04-11 06:43:12 - Ip Spoofing - Source:169.254.2.17,0,LAN - Destination:255.255.255.255,0,WAN" and yesterday all the PCs rebooted after some non-automatic and non-requested update, then asked each user for their Network Identification. This request was from 64.71.41.34 which was Alliance Internet.

I've been monitoring this since yesterday. Any idea what is going on?
 
Nope. Who is Alliance Internet, your ISP?

It looks like someone on your LAN is pinging your WAN. If it is, and it is internal and not an external ping coming from the internet, then you should be OK!

You could post that question at the firewall forum at Wilders; someone there will be better able to explain that!

Start a thread at Wilders at the link below!



Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
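The Netgear "Ip Spoofing" line quoted earlier in the thread, as an added example that is not part of the original posts: a small triage script that parses lines in that format and says why the router called each one spoofing. Background the reader needs: 169.254.0.0/16 is the link-local range a Windows host assigns itself (APIPA) when it cannot get a DHCP lease, and 255.255.255.255 is the limited-broadcast address, so a LAN-side packet with that source and destination is a local machine without an address shouting for one, which a router flags because the source is not in its LAN subnet; that is the internal, non-external case the reply above describes. The log format is inferred from the single line in the thread; the LAN subnet (192.168.1.0/24) and the second and third log lines are constructed assumptions.

```python
"""Triage 'Ip Spoofing' entries from a Netgear router log.

Added example for this thread, not code from the original posts. The log
format is inferred from the one line quoted in the thread; the LAN subnet
and the two extra sample lines are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("192.168.1.0/24")     # assumption: router LAN
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # APIPA self-assigned range
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# "<timestamp> - <event> - Source:<ip>,<port>,<if> - Destination:<ip>,<port>,<if>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<event>.+?) - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+),(?P<sif>\w+) - "
    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+),(?P<dif>\w+)$"
)

# First line is the one quoted in the thread; the other two are constructed.
SAMPLE_LOG = """\
2008-04-11 06:43:12 - Ip Spoofing - Source:169.254.2.17,0,LAN - Destination:255.255.255.255,0,WAN
2008-04-11 06:50:01 - Ip Spoofing - Source:192.168.1.50,0,WAN - Destination:192.168.1.1,80,LAN
2008-04-11 07:02:44 - Ip Spoofing - Source:10.9.8.7,0,LAN - Destination:198.51.100.20,0,WAN
"""


@dataclass
class Event:
    ts: str
    name: str
    src: ipaddress.IPv4Address
    src_if: str
    dst: ipaddress.IPv4Address
    dst_if: str


def parse_line(line):
    """Parse one log line; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["event"], ipaddress.ip_address(m["src"]), m["sif"],
                 ipaddress.ip_address(m["dst"]), m["dif"])


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def classify(ev):
    """Why the router called it spoofing, and whether it matters.

    apipa-broadcast  : LAN host with no DHCP lease broadcasting to
                       255.255.255.255; internal, fix DHCP on that host
    lan-source-spoof : LAN host sending from an address outside the LAN
                       subnet; inspect that machine, malware can do this
    wan-source-spoof : packet from the internet claiming an internal
                       address; a genuine spoof the router rightly dropped
    """
    if ev.name.lower() != "ip spoofing":
        return "not-spoof"
    if ev.src_if == "LAN":
        if ev.src in LINK_LOCAL and ev.dst == LIMITED_BROADCAST:
            return "apipa-broadcast"
        if ev.src not in LAN_NET:
            return "lan-source-spoof"
        return "lan-other"
    if ev.src_if == "WAN" and (ev.src in LAN_NET or ev.src.is_private):
        return "wan-source-spoof"
    return "other"


def triage(text):
    """Return [(timestamp, source address, verdict)] for every parsed line."""
    return [(ev.ts, str(ev.src), classify(ev)) for ev in parse_log(text)]


if __name__ == "__main__":
    for ts, src, verdict in triage(SAMPLE_LOG):
        print(ts, src, verdict)
```

For the APIPA case the useful follow-up is on the LAN, not the router: find which machine holds 169.254.2.17 (`ipconfig /all` on each PC, or the router's attached-devices table) and work out why it is not getting a DHCP lease. The reboot and "Network Identification" prompt mentioned in the same post is a separate question that this log line does not explain.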
 
No, Alliance is not our ISP. I'll post the question at the place you suggest. Thanks.
 