BleepingComputer.com: Infected with Trojan Vundo


Infected with Trojan Vundo have tried numerous tools

#31 GSBJoe

Posted 30 November 2009 - 11:18 PM

Powered down everything (modem, router, computer). Started up everything again. Same result as last post.

#32 thcbytes (Malware Response Instructor)

Posted 30 November 2009 - 11:25 PM

The desktop icons changed with the 10.1 version. Figures!

So here is another means of restoring the registry. Give this a go...

Offline Registry Restore

:( Please note: This fix is specifically designed for this user only. If you are not this user do not follow these steps. :(

Print these instructions. Pay close attention to the steps. Do them exactly as I have outlined or the process will fail. This may not work. If you are uneasy about proceeding then please stop and tell me about it.

  • Reboot into HBCD
  • Double click HBCD Menu
  • Choose Menu
  • Then Registry
  • Choose Registry
  • Choose Registry Restore Wizard
  • Select the Windows directory C:\Windows
  • Choose Next
  • Check Fix the system registry to that of a previous state
  • Select Next
  • Choose a Restore Point that preceded your infection
  • Follow the prompts.
  • When completed re-boot into Normal Windows
  • Success?
    • Create an ethernet (wired) Internet Connection
    • Double click the Network Support icon on the HBCD desktop
    • A computer screen will appear in the lower right corner system tray
    • Double click HBCD Menu on your HBCD desktop
    • Choose Menu
    • Then Browsers
    • Then Opera
    • Success?

If this fails to restore your registry then you have a decision to make.

Option 1

Back up all your data. Format the drive. Reinstall Windows.

Option 2

Continue with cleanup of your sick computer. It might restore your original settings if we're lucky, but no promises.

Kind regards,
~ t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://organdonor.gov/index.html

#33 GSBJoe

Posted 01 December 2009 - 05:41 PM

I am posting this message from my infected machine. I got online using HBCD MiniWindows XP as you instructed! I looked at the Registry steps you outlined in your last post and I see that my only choices for restore points are the past 11 days, and my original registry settings (July 2004 I believe). I have a couple questions before I continue... if I restore to 2004, will I lose access to software files that were installed after that date? (I am mainly concerned with uTorrent & ProTools, as those are the programs I use often). Also, since I didn't lose my profile until well after I started trying to get rid of the virus, I was thinking about going back to a restore point prior to when I lost my profile, even if I have to start over in trying to get rid of the virus. I am worried that maybe I deleted the wrong registry key or something when I was following the instructions on the Symantec site for manual removal...

What do you think?

Also, now that I am back online, I was thinking about trying the other steps you listed in post #18.

I am willing to keep trying things before reformatting the drive, as long as you are willing to keep helping me!

#34 thcbytes (Malware Response Instructor)

Posted 01 December 2009 - 09:14 PM

Hurray!!! :(

===

Quote

I was thinking about going back to a restore point prior to when I lost my profile, even if I have to start over in trying to get rid of the virus.

This is exactly what I had in mind!!

===

Quote

if I restore to 2004, will I lose access to software files that were installed after that date?

Unpredictable. Let's avoid that.

===

Quote

I am worried that maybe I deleted the wrong registry key or something when I was following the instructions on the Symantec site for manual removal

Happens all the time. Lesson learned yes?? In the future avoid messing with the registry. If you feel you must mess with it then back it up 1st. Erunt is a great choice.

Quote

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
  • Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe


===

Quote

Also, now that I am back online, I was thinking about trying the other steps you listed in post #18.

Just try the registry restore for now.

===

Quote

as long as you are willing to keep helping me!

I do this because I enjoy sharing my expertise with others. It's my pleasure to help you out.

Kind regards,
~ t

#35 GSBJoe

Posted 01 December 2009 - 10:04 PM

Tried registry restore wizard in mini windows. I used 11/19 & 11/21 restore points. No luck...

So, next move?

#36 thcbytes (Malware Response Instructor)

Posted 01 December 2009 - 10:26 PM

Sorry. :(

Let's see if cleaning up the computer helps to restore the corrupted settings.

Boot into normal windows again....

RKill by Grinler
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.

==========

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

==========

Right click and delete your current copy of Combofix.

Download and Run ComboFix (by sUBs)

You must rename it before saving it.


Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.


  • Double click on thcbytes.exe & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

With your next post please provide:

* Exehelper log
* Combofix.txt
* How is your computer running?
* Copy and paste the logs please.

Kind regards,
~t

#37 GSBJoe

Posted 02 December 2009 - 10:29 AM

I can only get online in mini windows XP. Can I DL those files that way, then use them in regular windows? I already have rkill... should I get rid of it and DL it again?

#38 thcbytes (Malware Response Instructor)

Posted 02 December 2009 - 02:31 PM

Now you're getting the hang of the power of a boot CD. :( Indeed yes. Boot up HBCD and download by this route. Just make sure you save to the locations I have outlined. Remember you will have 2 different drives and 2 different Desktops. We want to save to C:\. Do not try to run the apps while booted in HBCD though. No need to re-download RKill.

#39 GSBJoe

Posted 02 December 2009 - 03:56 PM

OK, I will try it tonight and hopefully post results by 10 PM my time. Thanks!

#40 thcbytes (Malware Response Instructor)

Posted 02 December 2009 - 04:05 PM

:(

#41 GSBJoe

Posted 02 December 2009 - 08:46 PM

Finishing Combofix scan now (I am obviously posting from a different computer). The reason for this post is that I have a question: I disabled Norton Corporate as instructed, and I am getting the little red shield, with the Windows balloon telling me that Norton Corporate is turned off and my computer is at risk. However, when I first disabled it, I checked the task manager and noticed that "rtvscan" was still a running process no matter how many times I disabled Norton. I thought that seeing rtvscan meant that Norton was running?

I will switch computers and post logs in a minute, thc, so if you are reading right now, wait a sec...

#42 GSBJoe

Posted 02 December 2009 - 09:15 PM

exeHelper by Raktor
Build 20091122
Run at 20:20:25 on 12/02/09
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

I ran Combofix, however, when my computer rebooted, there was no log to save and I could not find one anywhere. When my computer started up, I got two error messages:

Error signature
BCCode: 1000000a BCP1: 09943DD7 BCP2: 0000001C BCP: 00000001
BCP4: 804E1630 OSVer: 5_1_2600 SP: 3_0 Product: 256_1

"The following files will be included in this error report:
c:\DOCUME~1\TEMP\LOCALS~1\Temp\WER35ec.dir00\mini120209.dmp
C:\DOCUME~1\TEMP\LOCALS~1\Temp\WER35ec.dir00\sysdata.xml"

Sigh... The only thing I could find that was close to a log was this:

ComboFix 09-12-02.05 - Joe 12/02/2009 20:34:18.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.2145 [GMT -5:00]
Running from: C:\Documents and Settings\Joe\Desktop\thcbytes.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.


Should I try combofix again? Or maybe delete reinstall & try again??

This post has been edited by GSBJoe: 02 December 2009 - 09:43 PM
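The "Error signature" block quoted in the post above is a Windows XP error report for a kernel bug check. As an added example that is not part of the thread and not code from any tool it names, this Python script parses such a block, decodes the bug check, and states what a responder would look at first. The hex values are the ones posted; the bug check names and parameter meanings follow Microsoft's bug check reference, and the 2 GB user/kernel address split is assumed (32-bit XP default).

```python
import re

# Constructed sample: the "Error signature" lines as posted in #42 above
# (the third parameter is labelled "BCP:" there, so the parser tolerates it).
SAMPLE = """Error signature
BCCode: 1000000a BCP1: 09943DD7 BCP2: 0000001C BCP: 00000001
BCP4: 804E1630 OSVer: 5_1_2600 SP: 3_0 Product: 256_1"""

# Bug check names and parameter meanings from Microsoft's bug check reference;
# only the code seen on this page plus one other common one are included.
BUGCHECKS = {
    0x0A: ("IRQL_NOT_LESS_OR_EQUAL", ["memory referenced",
           "IRQL at time of reference", "0 = read, 1 = write",
           "address of faulting instruction"]),
    0x7E: ("SYSTEM_THREAD_EXCEPTION_NOT_HANDLED", ["exception code",
           "address of exception", "exception record", "context record"]),
}

KERNEL_BASE = 0x80000000  # 32-bit XP, default 2 GB/2 GB split (assumed)

def classify_address(addr):
    """Return 'user' or 'kernel' for a 32-bit virtual address."""
    return "kernel" if addr >= KERNEL_BASE else "user"

def parse_error_signature(text):
    """Parse a WER 'Error signature' block into a decoded dict."""
    fields = dict(re.findall(r"\b(\w+):\s+([0-9A-Fa-f_]+)", text))
    if "BCP3" not in fields and "BCP" in fields:  # tolerate the mislabel
        fields["BCP3"] = fields["BCP"]
    code = int(fields["BCCode"], 16)
    # WER reports some bug checks with 0x10000000 added (as in 1000000a);
    # the low bits identify the bug check itself.
    name, meanings = BUGCHECKS.get(code & 0x0FFFFFFF, ("UNKNOWN", [""] * 4))
    params = [(meanings[i], int(fields.get("BCP%d" % (i + 1), "0"), 16))
              for i in range(4)]
    major, minor, build = fields["OSVer"].split("_")
    return {"bugcheck": code, "name": name, "params": params,
            "os": "%s.%s.%s SP%s" % (major, minor, build,
                                     fields["SP"].split("_")[0])}

def triage(report):
    """Responder hints for an IRQL_NOT_LESS_OR_EQUAL report; [] otherwise."""
    if (report["bugcheck"] & 0x0FFFFFFF) != 0x0A:
        return []
    target, irql, write, pc = (v for _, v in report["params"])
    hints = ["%s at IRQL %d by instruction at %08X"
             % ("write" if write else "read", irql, pc)]
    if classify_address(target) == "user" and classify_address(pc) == "kernel":
        hints.append("kernel code touched user-space address %08X: look at "
                     "loaded drivers and kernel hooks, not user programs" % target)
    return hints

if __name__ == "__main__":
    rep = parse_error_signature(SAMPLE)
    print(rep["name"], "on Windows", rep["os"])
    for hint in triage(rep):
        print(" -", hint)
```

For the posted values the decoded report is a write at IRQL 28 from a kernel-range instruction to a user-range address, which points at a driver or kernel component rather than at ComboFix's user-mode work itself.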


#43 thcbytes (Malware Response Instructor)

Posted 02 December 2009 - 10:20 PM

Try this...

Please remove all older versions of ComboFix you currently have.

Re-run RKill

Carefully follow these instructions.

Download a new version of ComboFix from any of the links below and save it to your Desktop. Now please run ComboFix using these instructions:
  • Close all applications and windows (including this one) so that you have nothing open and are at your Desktop.
  • Go to Start -> Run...
  • Copy the entire contents inside the CODE box below (do NOT copy the word "CODE" from the CODE box!), and paste them into the empty "Open:" box provided:
    "%userprofile%\Desktop\ComboFix.exe" /killall

  • Click OK and follow the on-screen prompts. When you click Yes at the prompt to allow ComboFix to download and install the Microsoft Windows Recovery Console, you will get the following prompt: "You do not appear to be connected to the internet. Kindly connect before clicking 'OK'". At that point, do NOT click OK yet, but instead, please do this:
    • Go to Start -> Control Panel -> Network and Internet Connections -> Network Connections
    • Right-click your default connection, usually Local Area Connection or Dial-up Connection (if you are using dial-up), and left-click Repair
    • Once done, click Close and exit the Network Connections window.

  • Now click OK in order to let ComboFix download the Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • When the RC is successfully installed, click Yes to continue scanning for malware.
  • When finished, ComboFix shall produce a log for you (located at C:\ComboFix.txt). Post the entire contents of that report in your next reply for further review, and so we may continue cleaning the system.


#44 GSBJoe

Posted 03 December 2009 - 03:29 PM

thcbytes, on Dec 2 2009, 10:20 PM, said:

Try this...

Download a new version of ComboFix from any of the links below and save it to your Desktop.



This may be a dumb question but, which desktop do you mean? I can only go online in mini Windows... That desktop? Or do I need to find my profile and save it to my old desktop folder? Or to the default Windows desktop that comes up every time I start up in Windows (is that even possible)?

Also, and keep in mind I have no idea what any of this means, is there supposed to be a space before /killall in the code? Sorry about all the questions... just want to make sure I follow everything exactly.

This post has been edited by GSBJoe: 03 December 2009 - 04:37 PM


#45 thcbytes (Malware Response Instructor)

Posted 03 December 2009 - 07:08 PM

It is a good question!

I would like you to save it to the current desktop that loads with Windows.

Do this......

Boot normal Windows and right click anything on that desktop. Choose properties. Kindly note the correct path to that Desktop. Now boot HBCD, download CF and save it to the path to your current Windows desktop.

Boot into normal Windows again. Right click Combofix and post the exact path to the application for my perusal. Do not run anything yet. I will make certain the script I have written guides you to that application.

Make sense?

Thanks,
~ t