Vundo And Other Problems


  • Please log in to reply
21 replies to this topic

#1 A_21

Posted 03 January 2008 - 10:25 PM

I keep going on all these forums that talk about a Vundo virus that I might be having trouble with. It's the same problem throughout; my Symantec Norton gives me a message whenever I right click saying "Please wait while Windows configures Symantec Antivirus". Also, every time I use Google and click on a link, I get redirected to a site called webcry?

Are these two different problems or are they caused by the same thing?.... I tried Spybot Search and Destroy and Ad-Aware SE and all these other spyware/malware detecting programs but none can delete it.

Then the forums usually tell the user to post up a HijackThis log but is each one different? If it is can someone help me post one for my computer?

Also, every now and then my computer just freezes lol... you might say my PC is messed up bigtime. What's worse is I don't know how many problems there are to fix, whether it's just one (the Vundo file specifically mljii.dll) or if there's more than one problem.

I'm using Windows XP and I'm not sure which Symantec version I'm using... if it's important I can check but please someone help me!!!

I have a culminating due in four days and all my hard work is on my computer and useless until I clean it up.

Thanks, I've read a couple of posts and it seems this forum is one of the most knowledgeable so I'm in your hands

{MOD Edit: Moved out of HJ Log forum to more appropriate place~~boopme}

Edited by boopme, 03 January 2008 - 10:56 PM.


#2 quietman7

Posted 03 January 2008 - 11:15 PM

Please follow the instructions for using VundoFix in BC's self-help tutorial: "How To Remove Vundo/Winfixer Infection".

After running VundoFix, a text file named vundofix.txt will have automatically been saved to the root of the system drive, usually at C:\vundofix.txt. Please copy & paste the contents of that text file into your next reply.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 A_21


Posted 04 January 2008 - 01:37 PM

Hi quietman7, thanks for the help :thumbsup:

I followed the steps as you said and rebooted my computer when I was prompted, but when my computer opened I got this black screen that says there's a problem and you need a licence registration or renewal, something to that effect. Then the black screen turns to white and there's a smaller window that gives me two options, whether to download my update through a public channel which they say takes too long or to download it through a private channel which only takes 35 seconds, but to do that I needed a licence of some sort. These screens come up after SUPERAntiSpyware automatically opens. I see their sign and logo but the main screen never comes up; instead I get what I described.

When I saw this I didn't want to click anything in case I mess up something important. So I rebooted the computer and before the screen comes again I opened the internet. From there I sent myself the vundofix.txt file as an attachment and viewed it on my mail, copy pasted it from there. However I could not get the SUPERAntiSpyware log because I can't reach the desktop or navigate away from that update screen.

This is what was in the vundofix.txt file:

VundoFix V6.7.7

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 11:39:59 PM 1/3/2008

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\ijjlm.ini
C:\WINDOWS\SYSTEM32\ijjlm.ini2
C:\WINDOWS\SYSTEM32\mljji.dll
C:\WINDOWS\SYSTEM32\NCTAudioCDGrabber2.dll
C:\WINDOWS\SYSTEM32\NCTAudioFile2.dll
C:\WINDOWS\SYSTEM32\NCTAudioPlayer2.dll
C:\WINDOWS\SYSTEM32\NCTAudioRecord2.dll
C:\WINDOWS\SYSTEM32\NCTAVIFile.dll
C:\WINDOWS\SYSTEM32\NCTQuickTimeFile.dll
C:\WINDOWS\SYSTEM32\NCTVideoCoreM.dll
C:\WINDOWS\SYSTEM32\NCTWMAFile2.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\ijjlm.ini
C:\WINDOWS\SYSTEM32\ijjlm.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ijjlm.ini2
C:\WINDOWS\SYSTEM32\ijjlm.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\mljji.dll
C:\WINDOWS\SYSTEM32\mljji.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\NCTAudioCDGrabber2.dll
C:\WINDOWS\SYSTEM32\NCTAudioCDGrabber2.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\NCTAudioFile2.dll
C:\WINDOWS\SYSTEM32\NCTAudioFile2.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\NCTAudioPlayer2.dll
C:\WINDOWS\SYSTEM32\NCTAudioPlayer2.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\NCTAudioRecord2.dll
C:\WINDOWS\SYSTEM32\NCTAudioRecord2.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\NCTAVIFile.dll
C:\WINDOWS\SYSTEM32\NCTAVIFile.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\NCTQuickTimeFile.dll
C:\WINDOWS\SYSTEM32\NCTQuickTimeFile.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\NCTVideoCoreM.dll
C:\WINDOWS\SYSTEM32\NCTVideoCoreM.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\NCTWMAFile2.dll
C:\WINDOWS\SYSTEM32\NCTWMAFile2.dll Has been deleted!

Performing Repairs to the registry.
Done!
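As an added example (not from this thread, and not VundoFix's own code), a small Python parser for the vundofix.txt format posted above: it pulls out the Java versions the tool flagged, the files it found, and any attempted deletion the log never confirms, and pairs a random-named DLL with .ini/.ini2 files carrying the reversed name. The reversed-name pairing is assumed here as the commonly reported Vundo naming pattern (mljji.dll / ijjlm.ini above fits it), and the sample log is a constructed, trimmed copy of the one in the post.

```python
import re

# Constructed sample: trimmed from the vundofix.txt posted in this thread, with
# the last deletion left unconfirmed so the not_deleted check has something to report.
SAMPLE_LOG = r"""VundoFix V6.7.7
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.
Scan started at 11:39:59 PM 1/3/2008
Listing files found while scanning....

C:\WINDOWS\SYSTEM32\ijjlm.ini
C:\WINDOWS\SYSTEM32\ijjlm.ini2
C:\WINDOWS\SYSTEM32\mljji.dll
C:\WINDOWS\SYSTEM32\NCTAudioFile2.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\ijjlm.ini
C:\WINDOWS\SYSTEM32\ijjlm.ini Has been deleted!
Attempting to delete C:\WINDOWS\SYSTEM32\mljji.dll
C:\WINDOWS\SYSTEM32\mljji.dll Has been deleted!
Attempting to delete C:\WINDOWS\SYSTEM32\NCTAudioFile2.dll
Performing Repairs to the registry.
Done!
"""

_JAVA = re.compile(r"^Java version is (\S+)")
_ATTEMPT = re.compile(r"^Attempting to delete (.+)$")
_DELETED = re.compile(r"^(.+) Has been deleted!$")

def parse_vundofix_log(text):
    """Return the tool version, Java versions it flagged as old, files found,
    files attempted/deleted, and attempts with no 'Has been deleted!' line."""
    rep = {"version": "", "old_java": [], "found": [], "attempted": [], "deleted": []}
    in_listing, pending_java = False, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("VundoFix V"):
            rep["version"] = line[len("VundoFix V"):]
        elif m := _JAVA.match(line):
            pending_java = m.group(1)          # flagged only if the warning follows
        elif line.startswith("Old versions of java") and pending_java:
            rep["old_java"].append(pending_java)
            pending_java = None
        elif line.startswith("Listing files found"):
            in_listing = True
        elif line.startswith("Beginning removal"):
            in_listing = False
        elif m := _ATTEMPT.match(line):
            rep["attempted"].append(m.group(1))
        elif m := _DELETED.match(line):
            rep["deleted"].append(m.group(1))
        elif in_listing and re.match(r"^[A-Za-z]:\\", line):
            rep["found"].append(line)
    rep["not_deleted"] = [p for p in rep["attempted"] if p not in rep["deleted"]]
    return rep

def paired_vundo_files(paths):
    """Pair each .dll with .ini/.ini2 files whose base name is the DLL's base
    name reversed. Assumption: this reversed-name pairing is the pattern
    commonly reported for Vundo drops; mljji.dll / ijjlm.ini above fits it."""
    by_stem = {}
    for path in paths:
        stem, _, ext = path.rsplit("\\", 1)[-1].lower().partition(".")
        by_stem.setdefault(stem, set()).add(ext)
    pairs = []
    for stem, exts in by_stem.items():
        inis = sorted(e for e in by_stem.get(stem[::-1], ()) if e.startswith("ini"))
        if "dll" in exts and inis:
            pairs.append((stem + ".dll", [stem[::-1] + "." + e for e in inis]))
    return pairs
```

A file the tool attempted but never confirmed deleted is the first thing to re-check by hand after the reboot, since that is what a locked or re-dropped Vundo component looks like in this log.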

#4 A_21


Posted 04 January 2008 - 02:20 PM

Hello again,

I borrowed my friend's laptop so I can copy the message that I was talking about. This is what it says:

ERROR: Browser Security and Antiadware Software component license expirited!

then there is a smaller window that says: Live Update is downloading updates to the following products components:

Product Status
Virus Definitions Updates Success
Live Update Success
General Files and Privacy protection Waiting

NOTE: Downloading via Public Channel. You can activate VIP channel. Estimateed download tme via Private Channel : 35 seconds. Click here to activate it right now.


Failed (too many connections). Retrying
Public Channel
Prvate Channel: Waiting for license acivation
Click to activate new license Private Channel
Download time after ativation: 35 seconds.

#5 quietman7


Posted 04 January 2008 - 02:41 PM

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. That's probably how you came to be infected in the first place. Please follow these steps to remove older version Java components and update:
  • Download Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 3...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

When done, please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. If you can't perform a step, then skip and continue with the next. In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install the current version of HJT in the proper location.) If using Windows Vista, be sure to Run As Administrator.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#6 A_21


Posted 04 January 2008 - 02:46 PM

But what about that notice? The one about updating my software by activating a new license? That message doesn't allow me to go to the desktop... I only get a 5 second window to open anything before that message pops up, otherwise it takes over the whole screen

#7 quietman7


Posted 04 January 2008 - 02:51 PM

Ok, I thought it was just a message at startup. Didn't realize it affected more than that.

Try using System Restore or System Restore from a command prompt in "Safe Mode" to return to a previous state before this occurred. We may return some of the malware already removed and have to start over.

#8 A_21


Posted 04 January 2008 - 02:52 PM

I just noticed something that might be useful... that message I keep mentioning.... I think it's a pop up because at the bottom I have the internet tool bar that tells me the site I'm going on to and has the loading bar. I also spotted the site's name when I rebooted just now... it's called "backdoor". What is that?


Thanks again for your help qman... you're all over this forum, you have the answer to everything lol

A_21

#9 quietman7


Posted 04 January 2008 - 02:57 PM

From what you describe, it appears you were infected by something more while we were trying to clean up the current problems. A backdoor refers to a backdoor Trojan which is dangerous but this could be a bogus warning. Try returning to an earlier date with System Restore like I suggested.

#10 A_21


Posted 04 January 2008 - 03:06 PM

I tried going to My Computer, Properties, and so on in Safe Mode. When I get to the System Restore tab the "turn system restore off" button is checked but when I try to uncheck it and turn it on a message appears that says:

System Restore has been turned off and cannot be turned on in Safe Mode. To turn on System Restore, restart in Normal mode and then run System Restore again.

The same message appears when I follow the instructions for "System Restore from a command prompt"

#11 quietman7


Posted 04 January 2008 - 03:20 PM

That means System Restore is turned off so that is not an option. Since you can access safe mode, choose Safe Mode with Networking and start performing some Online Virus Scans like BitDefender.
(These require Internet Explorer to work. Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component. If given the option, choose "Quarantine" instead of delete.)

Since this occurred after the SAS scan, while in safe mode, launch it and restore whatever it placed in quarantine if you have not deleted anything yet. I'm not sure it's related but let's cover all bases.

There are no shortcuts or guarantees when it comes to malware removal. Sometimes it takes several efforts with different tools to do the job. Even then, with some types of malware infections, the task can be arduous. In some instances the infection may have caused so much damage to your system that it cannot be successfully cleaned and recovery is not possible. In those cases, the only option is to reformat/reinstall the OS.

#12 A_21


Posted 04 January 2008 - 04:52 PM

I performed an online scan using BitDefender... do you need the statistics of the scan? I wrote it down on a piece of paper just in case....

I also opened SAS and restored everything it quarantined.....


Where do I go from here?

#13 quietman7


Posted 04 January 2008 - 06:53 PM

I know you are waiting but I'm still investigating other options.

#14 quietman7


Posted 04 January 2008 - 07:16 PM

Download and scan with AVG Anti-Spyware 7.5 in "Safe Mode".
Be sure to print out and follow the AVG Anti-Spyware Install-Scan Instructions

Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

(Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this is the case, press the WINKEY + M key or Alt + Spacebar to "Minimize" the AVG display. Then right-click on AVG in the Task Bar and select "Maximize". If that does not help, then you may have to run your scan in normal mode and advise your helper afterwards.)

If you have a problem installing AVG AS in safe mode, then download and scan with Dr.Web CureIt instead. Follow the instructions here for performing a scan in "Safe Mode".

If doing that does not find/remove the responsible malware, then try another online virus scan:
ESET Nod32 Online Scanner <- Vista compatible but Internet Explorer must be Run as Administrator.
F-Secure Online Scanner. <- Follow the directions on the F-Secure page for proper Installation. (also checks for rootkits) (Vista compatible)
Kaspersky Webscan. <- check the option to use the Extended database; does not remove anything but will provide a log of anything it finds)

#15 quietman7


Posted 05 January 2008 - 12:16 AM

I found some info on a possible offending file and a registry key.

Search for and delete the following file(s)/folder(s) in bold if they are present. You can use Windows Explorer to navigate to or use Windows Search feature > More advanced options to locate them.

Files:
C:\WINDOWS\locker.exe <- this file

To do this, go to Start -> Search and click For Files or Folders....
  • Click All files and folders.
  • Type in the name of the file under "Search by...criteria."
  • Click More advanced options and check these options:
    • "Search system folders"
    • "Search hidden files and folders"
    • "Search subfolders"
  • Then click "Search" to look for the file(s).
When found right-click the file, choose delete and empty your recycle bin. If you get an error when deleting a file, right-click on it and check to see if the read only attribute is checked. If it is, uncheck it and try again. If that does not work, then open Task Manager, look for and kill the process if running, then delete the file.

Please download RegSearch.zip by Bobbi Flekman and save it to your desktop.
  • Extract (unzip) the file to your desktop. (click here if you're not sure how to do this)
  • Open the regsearch folder on your desktop.
  • Double-click regsearch.exe to start the program.
  • In the text boxes under Enter search strings, please enter the following strings (one per line):

backdoor check

  • Click OK and Registry Search will search the Registry and report what it finds.
  • Copy and paste the results into your next reply.

