  1. #1 Star Lounger, Rennes, France
    Fellow loungers,

    I've been infected! I got nasty behavior from a web site and then a StartUp Monitor notification of a change to the startup options and then what is clearly an infection. I cannot access ZoneAlarm, and any online antivirus scans tell me that I need a newer version of Internet Explorer, but I'm using Firefox! I've never been infected like this before and have no idea what to do. I've tried starting in Safe Mode (administrator and my account) and accessing ZoneAlarm for a scan, but I can't get ZoneAlarm to start. I'm afraid I don't know what to do or where to begin.

  2. #2 Plutonium Lounger
    Perhaps you have the Conficker / Downadup worm. To test for this, visit Conficker Eye Chart. If one or more pictures in the top row aren't displayed, you may be infected.

    See How to remove the Downadup and Conficker worm (Uninstall Instructions) for removal instructions.

    (And from now on, please use a good antivirus program, and keep it religiously up-to-date).

  3. #3 Star Lounger, Rennes, France
    Hello Hans,

    I managed to run SpyBot Search and Destroy in Safe Mode and it came back with the following finds:
    virtumonde.prx
    Microsoft Windows SecurityCenter FirewallBypass
    Virtumond.Dll

    I treated for all of these and then rebooted again in Safe Mode and am now running SpyBot again. I haven't yet tried to access ZoneAlarm. And I'm really religious about this: I have ZoneAlarm running updates every hour and the ironic thing is that the infection came just after coming out of a daily scan! I've never had such problems before!

  4. #4 Plutonium Lounger
    Good!

    "Microsoft Windows SecurityCenter FirewallBypass" is probably a false positive - any third-party firewall such as ZoneAlarm will disable Microsoft's built-in firewall.

    Virtumonde (aka Vundo) is a well-known Trojan. It's puzzling that you got infected, though; it's been out there for over 5 years. All serious security programs should protect against it...
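One way to check whether a "SecurityCenter FirewallBypass" finding is the expected side effect of a third-party firewall, as an added PowerShell example (not code from this thread, from SpyBot or from ZoneAlarm). It assumes the finding refers to the Security Center "DisableNotify" registry flags that a registered third-party firewall sets when it replaces Windows Firewall, and it must be run from an elevated prompt.

```powershell
# Added example: explain a "FirewallBypass" scanner finding instead of guessing.
# Assumption: the finding refers to the Security Center notification flags below.
$scKey = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$flags = @{}
foreach ($name in 'FirewallDisableNotify', 'AntiVirusDisableNotify', 'UpdatesDisableNotify') {
    $item = Get-ItemProperty -Path $scKey -Name $name -ErrorAction SilentlyContinue
    $flags[$name] = if ($item) { [int]$item.$name } else { 0 }
}

# Firewall products registered with Security Center:
# root\SecurityCenter on XP/Vista, root\SecurityCenter2 on Windows 7 and later.
$products = @()
foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
    $products += Get-WmiObject -Namespace $ns -Class FirewallProduct -ErrorAction SilentlyContinue
}
$thirdParty = $products | ForEach-Object { $_.displayName } | Where-Object { $_ } | Select-Object -Unique

# State of the built-in Windows Firewall (standard profile).
$wfKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$wf = Get-ItemProperty -Path $wfKey -Name EnableFirewall -ErrorAction SilentlyContinue
$windowsFirewallOn = ($wf -and [int]$wf.EnableFirewall -eq 1)

Write-Output 'Security Center flags:'
$flags.GetEnumerator() | Sort-Object Name | ForEach-Object { Write-Output ("  {0} = {1}" -f $_.Name, $_.Value) }
Write-Output "Windows Firewall (standard profile) enabled: $windowsFirewallOn"
Write-Output ("Registered third-party firewalls: " + $(if ($thirdParty) { $thirdParty -join ', ' } else { '(none)' }))

# Verdict: the flag plus a registered third-party firewall is the normal configuration;
# the flag with no registered firewall and Windows Firewall off is what should worry you.
if ($flags['FirewallDisableNotify'] -eq 1 -and $thirdParty) {
    Write-Output "Verdict: expected. $($thirdParty -join ', ') replaced Windows Firewall; the scanner finding is most likely a false positive."
} elseif ($flags['FirewallDisableNotify'] -eq 1 -and -not $windowsFirewallOn) {
    Write-Output 'Verdict: suspicious. Firewall alerts are suppressed, Windows Firewall is off and no third-party firewall is registered; rescan from Safe Mode.'
} else {
    Write-Output 'Verdict: no firewall-notification bypass is set.'
}
```

On a clean machine with a third-party suite the expected output is the first verdict; the second verdict means the notification flag was set by something other than a registered firewall.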

  5. #5 Uranium Lounger, New Jersey
    [quote name='alarson' post='773554' date='03-May-2009 17:28']I managed to run SpyBot Search and Destroy in Safe Mode and it came back with the following finds:
    virtumonde.prx
    Microsoft Windows SecurityCenter FirewallBypass
    Virtumond.Dll

    ...... I haven't yet tried to access ZoneAlarm.[/quote]

    I would run all my AV & anti-malware programs in Safe Mode and then try booting normally and checking to be certain that the infections are gone. This trojan can be difficult to excise if it gets its hooks in deep, but you seem to have caught it in the act and stopped most of the damage and depth of the infection.

    As Hans said, it has been around a while, but I have noticed several recent infections on clients' computers and it is one of the more common infections that I've seen on the BleepingComputer.com help forum, so there must be some new method of delivery or variant of the bug. Of course, it also could have a lot to do with people not keeping everything up to date.

  6. #6 Super Moderator jscher2000, Silicon Valley, USA
    [quote name='alarson' post='773544' date='03-May-2009 14:04']I cannot access ZoneAlarm and any online antivirus scans tell me that I need a newer version of Internet Explorer, but I'm using Firefox![/quote]
    Make sure that you keep IE, and all other components of Windows, up-to-date.

    Also, if your antivirus software let you down, consider another product. Do you use the full ZoneAlarm Internet Security Suite? If you use just the ZoneAlarm firewall, what AV software are you running?

  7. #7 Star Lounger, Rennes, France
    [quote]Do you use the full ZoneAlarm Internet Security Suite? If you use just the ZoneAlarm firewall, what AV software are you running?[/quote]

    I'm running the full ZoneAlarm security suite, which has always been rock solid for me. Again, very surprised that this happened. All of my problems seemed to start a couple of weeks ago when I had trouble installing a recent Windows XP security update. I have my updates scheduled to install manually so that I see what I'm getting myself into, and one update failed. It was the KB956572 update. Following the advice given by Hans in this thread, I installed the update after a clean boot. I suspect, like eromittal says at the end of the aforementioned thread, a virus was the reason for this problem. Then came this attack. And honestly, I have never had anything like this since the way old days of viruses floating around in e-mail when e-mail was new and exciting. I was looking at some admittedly trashy Italian press articles about S. Berlusconi and Firefox was clearly taken over and I watched the infection unfold before my eyes, shutting ZoneAlarm down. After two washes with SpyBot last night, the last bits of the virus were taken over and then StartUp Monitor caught the last wrinkle in the startup tray before ZoneAlarm caught what I hope was the last piece this morning. I did have to reboot after running Windows Update this afternoon and making sure I had all the latest patches, and I noticed that ZoneAlarm didn't load in the notification tray. I think to keep my sanity, I'll follow Doc's advice and do one last run through with all the virus and malware detection programs in Safe Mode. Should I do this in the administrator account or in my own account in XP?

  8. #8 Administrator, St Louis, Missouri, USA
    [quote name='alarson' post='773664' date='04-May-2009 13:57']Do you use the full ZoneAlarm Internet Security Suite? If you use just the ZoneAlarm firewall, what AV software are you running?

    I'm running the full ZoneAlarm security suite, which has always been rock solid for me. Again, very surprised that this happened. All of my problems seemed to start a couple of weeks ago when I had trouble installing a recent Windows XP security update. I have my updates scheduled to install manually so that I see what I'm getting myself into, and one update failed. It was the KB956572 update. Following the advice given by Hans in this thread, I installed the update after a clean boot. I suspect, like eromittal says at the end of the aforementioned thread, a virus was the reason for this problem. Then came this attack. And honestly, I have never had anything like this since the way old days of viruses floating around in e-mail when e-mail was new and exciting. I was looking at some admittedly trashy Italian press articles about S. Berlusconi and Firefox was clearly taken over and I watched the infection unfold before my eyes, shutting ZoneAlarm down. After two washes with SpyBot last night, the last bits of the virus were taken over and then StartUp Monitor caught the last wrinkle in the startup tray before ZoneAlarm caught what I hope was the last piece this morning. I did have to reboot after running Windows Update this afternoon and making sure I had all the latest patches, and I noticed that ZoneAlarm didn't load in the notification tray. I think to keep my sanity, I'll follow Doc's advice and do one last run through with all the virus and malware detection programs in Safe Mode. Should I do this in the administrator account or in my own account in XP?[/quote]

    You should use your own account as long as it is a member of the admin group. That way you won't chance infecting the administrator account.

    Joe

  9. #9 Super Moderator BATcher, a cultural area in SW England
    [quote name='alarson' post='773544' date='03-May-2009 22:04']I've been infected![/quote]
    Virtumonde is nasty - I had to clear it off a friend's PC a few months ago.

    I used Malwarebytes AntiMalware, probably in Safe Mode as well as ordinary mode. If you can download it on the infected machine, make sure that you do a (definitions) Update after you install it and before you start running it. Perhaps try Quick Scan first, and if you find anything, try Full Scan next. Beware that it could take over an hour, depending on how big and full your hard disk is.
    BATcher

    Time prevents everything happening all at once...

  10. #10 Super Moderator jscher2000, Silicon Valley, USA
    [quote name='alarson' post='773664' date='04-May-2009 11:57']...Firefox was clearly taken over and I watched the infection unfold before my eyes, shutting ZoneAlarm down.[/quote]
    Hmmm, maybe it was a Flash exploit. There are so many bits and pieces to keep updated these days.

  11. #11 Uranium Lounger, New Jersey
    [quote name='alarson' post='773664' date='04-May-2009 14:57']....... I was looking at some admittedly trashy Italian press articles about S. Berlusconi and Firefox was clearly taken over and I watched the infection unfold before my eyes, shutting ZoneAlarm down. After two washes with SpyBot last night, the last bits of the virus were taken over and then StartUp Monitor caught the last wrinkle in the startup tray before ZoneAlarm caught what I hope was the last piece this morning. I did have to reboot after running Windows Update this afternoon and making sure I had all the latest patches, and I noticed that ZoneAlarm didn't load in the notification tray. I think to keep my sanity, I'll follow Doc's advice and do one last run through with all the virus and malware detection programs in Safe Mode. Should I do this in the administrator account or in my own account in XP?[/quote]

    This sounds a lot like a variant of the old Backdoor Trojan or Sub Seven bug from the Windows 9X days. I had one many years ago and found the hook by accident in my address book while backing up my critical data. I've attached a couple of documents describing the things to look for. I would get a copy of Malwarebytes and see if you can install and update it now, while the computer is infected. If you can, then run it in Safe Mode and let it remove what it finds. If not, then you may have to remove the drive to scan it using another computer with Malwarebytes installed. But we can cross that bridge if we get to it.
    Attached Files

  12. #12 Star Lounger, Rennes, France
    [quote name='DocWatson' post='773759' date='05-May-2009 03:31']I would get a copy of Malwarebytes and see if you can install and update it now, while the computer is infected. If you can, then run it in Safe Mode and let it remove what it finds. If not, then you may have to remove the drive to scan it using another computer with Malwarebytes installed. But we can cross that bridge if we get to it. [/quote]

    Many thanks, Doc, and to all others for help. I did indeed download Malwarebytes last night and ran a quick scan with it, and it managed to turn up a couple of registry entries that SpyBot S&D had not. ZoneAlarm, on the other hand, caught nothing. I have not had time to run a Safe Mode scan and plan on doing a full scan in Safe Mode tonight, but I think I might have this licked. Having said that, there were some odd double e-mail downloads with Outlook today. Messages came through twice at odd intervals. Very odd.

    On that note, in spite of having e-mail notification ticked in my profile, I don't get e-mail notification on this topic; thus my slow responses to everyone's helpful comments. Did I miss something with the new lounge?

  13. #13 Plutonium Lounger Leif, U.K.
    [quote name='alarson' post='773832' date='05-May-2009 20:44']On that note, in spite of having e-mail notification ticked in my profile, I don't get e-mail notification on this topic; thus my slow responses to everyone's helpful comments. Did I miss something with the new lounge?[/quote]
    There is an ongoing issue involving notifications, which can take over 24 hours to appear. We're working on it and hope to get things back to normal shortly.

  14. #14 Star Lounger, Rennes, France
    Once again, many thanks to everyone for the fast and expert help. I did runs of all antivirus and malware programs last night in Safe Mode and nothing came back positive. I think I managed to nip this in the bud. Once again, the Lounge comes through in expert form.

    Thanks again.
