
Vundo (oh No!)


  • Please log in to reply
12 replies to this topic

#1 Nawtheasta

Posted 10 February 2008 - 09:41 PM

Good evening
I am not too computer technically oriented. I use it every day but with the stability that I have enjoyed with XP, problems have been few. When I bought this computer in 2006 I vowed to do updates automatically and to keep the (as recommended by Dell) McAfee Security Center up to date and subscribed to.
I am going to give a little history of the problem. This thing is tying my stomach in knots but I felt it best to try and calmly tell what has been occurring.
About a week and a half ago I started getting odd warning popups. As the syntax of the warnings wasn’t quite right I suspected a virus. I did receive some pop ups by McAfee warning of security problems. I always accepted the prompts to remove or quarantine.
I ran McAfee scans which detected adware and other things. These were quarantined. The sequence of events tends to blur but by last Wednesday McAfee was detecting Vundo Trojans. I tried the Ewido free online scan which detected about 275 tracking cookies and other things. These were removed as recommended. Popups then started to appear on the desktop and on the toolbar. I realized the problem was not fixed. I tried McAfee chat but they were not much help. Didn’t seem to really understand my problem. I tried Ewido again but it was blocked and terminated before it could finish. Searching different forums I saw some recommendations for SUPERAntiSpyware. I downloaded and ran this. It detected lots of tracking cookies and Vundo. These were quarantined as recommended.
Currently I have some new icons (Lucky me!) “Help and Support Center” and “Windows Update”. I have gotten a couple of hits with McAfee scans and SAS scans this weekend. Also I see lots of pos XXX (number and letter) tmp files in My Documents.
I know this thing has not been solved and needs to be taken care of before it really grabs hold.
Your help and advice will be GREATLY!!! appreciated.
My Thanks in Advance
Nawtheasta


#2 boopme

Posted 10 February 2008 - 09:58 PM

Welcome to Bleeping Computer Nawtheasta. You didn't mention your Operating system.

First you will need to follow the instructions in our Tutorial:
How To Remove Vundo/Winfixer Infection

A text file named vundofix.txt will have automatically been saved to the root of the system drive, usually at C:\vundofix.txt.
Please copy & paste the contents of that text file into your next reply.

Also post the Scan log of the SUPERAntispyware scan, from the date you scanned.
To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the log from the date you scanned and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 Nawtheasta

Posted 10 February 2008 - 11:21 PM

Thanks boopme for the quick reply.
System is Windows XP home edition, Service Pack 2.
In reading the instructions for How To Remove Vundo/Winfixer Infection, it does not mention running in safe mode unless I need to run VirtumundoBegone. I assume I can run VundoFix on my normal desktop?
You mention a text file named vundofix.txt that will be found at C:\vundofix.txt.
I apologize if this seems like a strange question but how will I find this? Do I have to go into DOS or can I access this file from my normal desktop? I have not needed to go to DOS with this computer and will need to determine how to do it if necessary.
I have scanned several times with SAS. I do a complete scan but I have not altered the default preferences that SAS came with. I last scanned with SUPERAntiSpyware today (Feb. 10). That one picked up some adware. Do you want that log or should I scan again after VundoFix and post that log?
Thanks in advance for your patience and help.
Best Regards
P.S. It will be tomorrow before I can proceed as instructed.

#4 Nawtheasta

Posted 11 February 2008 - 03:11 PM

Dear Community
I currently have a Vundo infection which I have posted on the appropriate forum and have requested help. Thankfully the infection does not seem as bad as some others are dealing with. The reason for this post is that I am anticipating being advised to end all programs before I run the fixes that will be listed. The Kodak software updater agent runs all the time. It has not given any problems. I have noticed that when I Google about this many people say it is difficult to end this task. Is this something that I need to end before I do VundoFix? Would anyone have any suggestions on an easy way to turn it off?
I ask this question in the spirit of it's better to ask than just start clicking away and hoping for the best! I don’t want to do anything that is going to interfere with killing Vundo.
Thanks in advance for any suggestions
Best regards
Nawtheasta
P.S. If it is not proper to post this here as a separate topic please let me know and I will send it as a question on the Vundo topic I started.

Mod Edit: Topics merged for continuity ~TMacK

Edited by TMacK, 11 February 2008 - 05:20 PM.


#5 Queen-Evie

Posted 11 February 2008 - 04:45 PM

We usually advise NOT to start separate threads in other forums while you are cleaning up an infection. This is something you need to ask in your Vundo topic.
The security folks are more likely to see it there.
And for what it's worth, you really don't need the Kodak Updater.
After you get your computer cleaned up, you can, if you want to do this, uninstall it.
It should be listed as BackWeb in Add/Remove Programs.

For info on backweb:

http://www.cexx.org/dlgli.htm

Edited by Queen-Evie, 11 February 2008 - 05:00 PM.


#6 Nawtheasta

Posted 12 February 2008 - 11:53 AM

Please find below the information requested. After posting this I am going to update Java and remove the old version. Am I clean now?????
P.S. I still have a lot of pos files in My Documents. Also the icon for drive C in My Computer is a big red X. If these are harmless remnants of the infection then they do not bother me and I could live with them. Do I need to clean these up also??
Thanks in advance for your help.
Best Regards
Nawtheasta
Text of vundofix.txt:

VundoFix V6.7.8

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 11:15:05 AM 2/12/2008

Listing files found while scanning....

C:\windows\system32\tixcphzd.dllbox

Beginning removal...

Attempting to delete C:\windows\system32\tixcphzd.dllbox
C:\windows\system32\tixcphzd.dllbox Has been deleted!

Performing Repairs to the registry.
Done!


Text of SUPERAntiSpyware log:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/12/2008 at 07:31 AM

Application Version : 3.9.1008

Core Rules Database Version : 3400
Trace Rules Database Version: 1392

Scan type : Complete Scan
Total Scan Time : 00:37:14

Memory items scanned : 758
Memory threats detected : 0
Registry items scanned : 5828
Registry threats detected : 0
File items scanned : 44618
File threats detected : 0

#7 quietman7

Posted 12 February 2008 - 12:28 PM

I still have a lot of pos files in My documents. Also the icon for drive C in My Computer is a big red X


This is a newer type of infection which will create thousands of pos*.tmp files in the root of the system volume (usually your C: drive) and may put a red X on your drive icon(s). Deleting the files will only lead to their replacement. The malware may also attack legit programs and create new filenames with space(s) in the name before the extension. Removal will require further investigation and the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a HijackThis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install the current version of HJT in the proper location.) If using Windows Vista, be sure to Run As Administrator.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here
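As an added illustration (not a tool from this thread or from BleepingComputer), the script below walks a folder and reports files matching the two indicators quietman7 describes, pos*.tmp names and program names with a space before the extension, without deleting anything. `triage_directory` and `build_sample_dir` are hypothetical helpers, the regular expressions are assumptions drawn from that description, and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

# Indicators quoted from the post: many pos*.tmp files (e.g. pos1F3A.tmp) and
# legitimate program names altered to carry a space before the extension
# (e.g. "notepad .exe"). Both patterns are assumptions based on that description.
POS_TMP = re.compile(r"^pos[0-9a-z]+\.tmp$", re.IGNORECASE)
SPACE_BEFORE_EXT = re.compile(r"\S \.[^.\s]+$")


def triage_directory(root, recurse=False):
    """Report matching files under root; nothing is deleted, since the post
    notes that deleted pos*.tmp files are simply recreated."""
    hits = {"pos_tmp": [], "space_ext": []}
    root = Path(root)
    entries = root.rglob("*") if recurse else root.iterdir()
    for path in entries:
        if not path.is_file():
            continue
        if POS_TMP.match(path.name):
            hits["pos_tmp"].append(str(path))
        elif SPACE_BEFORE_EXT.search(path.name):
            hits["space_ext"].append(str(path))
    for key in hits:
        hits[key].sort()
    return hits


def build_sample_dir():
    """Create a constructed sample tree (no real malware) for a dry run."""
    base = Path(tempfile.mkdtemp(prefix="vundo_triage_"))
    # "pos.tmp" and "notes .txt.bak" are deliberate near-misses that must not match.
    for name in ("pos1F3A.tmp", "posB2.tmp", "POS9c.TMP", "notepad .exe",
                 "report.txt", "pos.tmp", "notes .txt.bak"):
        (base / name).write_bytes(b"")
    (base / "sub").mkdir()
    (base / "sub" / "pos77.tmp").write_bytes(b"")
    return base


if __name__ == "__main__":
    result = triage_directory(build_sample_dir(), recurse=True)
    print(f"{len(result['pos_tmp'])} pos*.tmp file(s), "
          f"{len(result['space_ext'])} name(s) with a space before the extension")
    for kind, paths in result.items():
        for p in paths:
            print(f"  [{kind}] {p}")
```

On a real machine, point `triage_directory` at the volume root with `recurse=False`, since the post says the files sit in the root of the system drive.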

#8 Nawtheasta

Posted 15 February 2008 - 10:17 AM

Thanks very much to boopme, Queen-Evie & quietman7 for your advice and time. I am beginning the prep for the HJT log. Due to my work schedule it is difficult to find time to do this all at once.
I will post to the appropriate forum as soon as possible.

Currently, as of this morning I still have no obvious symptoms other than the remaining pos TMP files and the red X icon for the C drive. The pos files are all dated Feb. 6. I realize that this is a new variant and not all is known about it. Should I check back here to learn if other fix options become known?? Several SAS scans and McAfee scans since I did VundoFix have detected nothing.
Best Regards

#9 quietman7

Posted 15 February 2008 - 10:40 AM

Just go ahead and post your log first chance you get. There is a tool that should take care of the pos*.tmp files but we don't use it routinely in this forum.

#10 Nawtheasta

Posted 20 February 2008 - 03:30 PM

Dear community
I am in the process of doing the prep for a HJT log, as time and work allow.
I got to the part where I am requested to scan with Panda. I tried and after the scan was complete it found 13 spyware and 2 suspicious items. One of the suspicious items appeared to be my printer. (??) When I tried to get more info, it appeared Google was blocking popups. I clicked to allow but on refreshing the scan info was gone and I was back to the start.
Spybot and Ad-Aware did pick up and successfully deal with Trojans and cookies. BitDefender found nothing. I have had no seeming active symptoms of infection for a while now. However, when Panda was installing and asking for different permissions McAfee alerted to an iexplore file wanting to install. I have only read bad things about iexplorer. As I could see no reference to Panda in the McAfee box I blocked this. I am still not sure if this is related to Panda.
I am trying to be diligent on doing the HJT prep requested. Would it be ok to skip Panda??
Thanks in advance for the advice.
Best Regards

#11 quietman7

Posted 20 February 2008 - 03:39 PM

Yes you can skip Panda.

Just so you know, Panda ActiveScan uses non-encrypted virus definitions, so it's best to disable your resident anti-virus program before scanning in order to avoid "false positive" detections of its files.

#12 Nawtheasta

Posted 20 February 2008 - 08:12 PM

Dear community
When I ran Spybot S&D during my HJT log prep, it found some Virtumondo (3) in the registry. Text was in red so Spybot dealt with it appropriately, I guess. Since these were registry items would this affect my computer at start up? I haven’t restarted since I ran Spybot.
Thanks in advance for your input!
Best regards

#13 boopme

Posted 20 February 2008 - 09:44 PM

For the most part you'll have to reboot to finish the cleaning process and remove any corrupt registry entries.

Edited by boopme, 20 February 2008 - 09:46 PM.
