
I Think I'm Infected With Vundo/virtumundo


  • This topic is locked
13 replies to this topic

#1 drumnminitruckr


Posted 18 March 2008 - 03:26 PM

For the past few days I've been experiencing problems with my pc. Every time I reboot a message pops up saying "Error in C:\users\Neil\Appdata\Local\Temp\yniblmxf.dll Missing entry:run"
The .dll file given is usually different each time. I've written most down if anyone would like to see them.

After downloading the latest version of Ad-aware and scanning it came back showing I have the Virtumundo malware on my system.

It's been causing all sorts of pop ups whenever I use IE, which I normally only use for school work, I mainly use firefox.

I'm running Vista home premium.

I've tried using Windows defender to try to find files associated with the problem but have had no luck.

Thank you for help in advance.



#2 rookie147


Posted 18 March 2008 - 05:59 PM

Please download VundoFix to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 drumnminitruckr


Posted 20 March 2008 - 10:57 AM

Sorry it took so long to reply, I thought I had it set to send me an email when someone replied.

The VundoFix scan didn't find any infected files. And I couldn't find a log file for it to post.


thanks

#4 rookie147


Posted 21 March 2008 - 04:18 AM

Have you tried emptying your temp files?



#5 drumnminitruckr


Posted 21 March 2008 - 09:12 AM

OK, I cleaned out all my temporary internet files and temporary files using the disk clean up manager. The scan still didn't pick anything up.

#6 rookie147


Posted 21 March 2008 - 12:25 PM

I mean, do you still get the error after you have cleaned your Temp files?



#7 drumnminitruckr


Posted 21 March 2008 - 01:31 PM

Oh, my mistake, I'll restart and let you know.

#8 drumnminitruckr


Posted 21 March 2008 - 01:40 PM

I still got the error message upon restarting.

#9 rookie147


Posted 21 March 2008 - 04:37 PM

We'll try one more tool, if not I'll guide you through how to post a HijackThis log. Please download VirtumundoBeGone.exe and save the file to your Desktop.
  • Close ALL running programs including your Internet Browser.
  • Double-click VirtumundoBeGone.exe to launch.
  • Read the introductory information, and then click "Continue".
  • Click "Start".
  • When asked if you want to continue, click "Yes" to run the fix.
  • Do not worry if you see a BLUE SCREEN "Fatal Error" Message, it is normal and expected.
  • When finished it will create a log named VBG.TXT on your desktop.
  • Reboot your PC and post the VBG.TXT in your next reply.



#10 drumnminitruckr


Posted 23 March 2008 - 03:52 PM

Here's the VBG log:

[03/23/2008, 16:55:01] - VirtumundoBeGone v1.5 ( "C:\Users\Neil\Desktop\VirtumundoBeGone.exe" )
[03/23/2008, 16:55:08] - Detected System Information:
[03/23/2008, 16:55:08] - Windows Version: 6.0.6000,
[03/23/2008, 16:55:08] - Current Username: Neil (Admin)
[03/23/2008, 16:55:08] - Windows is in NORMAL mode.
[03/23/2008, 16:55:08] - Searching for Browser Helper Objects:
[03/23/2008, 16:55:08] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/23/2008, 16:55:08] - BHO 2: {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} (McAfee Phishing Filter)
[03/23/2008, 16:55:08] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/23/2008, 16:55:08] - BHO 4: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
[03/23/2008, 16:55:08] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[03/23/2008, 16:55:08] - BHO 6: {CA6319C0-31B7-401E-A518-A07C3DB8F777} (CBrowserHelperObject Object)
[03/23/2008, 16:55:08] - Finished Searching Browser Helper Objects
[03/23/2008, 16:55:09] - Finishing up...
[03/23/2008, 16:55:09] - Nothing found! Exiting...

#11 rookie147


Posted 23 March 2008 - 04:13 PM

Since the scanners are not finding anything malicious, I think we should try a manual removal, so please follow the advice below to create and post a HijackThis log for analysis from one of our experts. Please follow our Preparation Guide For Use Before Posting a HijackThis Log; running all of the scans before posting your HijackThis log. Do not post your log here, but instead use our HijackThis Logs and Analysis Forum.
After posting a log you should NOT make further changes to your computer except those that are advised by a member of the HijackThis Team; doing so can cause system changes that may not be visible in your log. Please be patient whilst waiting for a response, our HJT Team is currently very busy, and as we try to deal with logs on a "first come first served" basis, you may have to wait a short while.



#12 peterjwfrench


Posted 25 March 2008 - 06:11 AM

Since the scanners are not finding anything malicious, I think we should try a manual removal, so please follow the advice below to create and post a HijackThis log for analysis from one of our experts. Please follow our Preparation Guide For Use Before Posting a HijackThis Log; running all of the scans before posting your HijackThis log. Do not post your log here, but instead use our HijackThis Logs and Analysis Forum.
After posting a log you should NOT make further changes to your computer except those that are advised by a member of the HijackThis Team; doing so can cause system changes that may not be visible in your log. Please be patient whilst waiting for a response, our HJT Team is currently very busy, and as we try to deal with logs on a "first come first served" basis, you may have to wait a short while.


I have the same problem as the other user; however, I have done all above. I also ran trendmicro.com the housecall, but I just can't remove it. All I get now is that annoying red cross in the bottom right hand corner in the systray. I have also done all above but can't seem to run hijackthis at all as it won't allow me to run; usually I can run it fine. Is there a way of getting hijackthis to execute in the cmd line?

thanks
pete

#13 quietman7


Posted 25 March 2008 - 08:10 AM

Hello peterjwfrench

If you have an issue or problem you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more people in the same thread with different problems. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

Thanks for your cooperation.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#14 TMacK


Posted 25 March 2008 - 05:08 PM

Hi drumnminitruckr,

Now that you have a HJT log posted in the HijackThis Logs and Malware Removal forum, you shouldn't make any changes to your system.
Doing so could change the results of the posted log, making it difficult to properly clean your system.

At this point, the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

This topic will now be closed, since you have an open log posted.
If you have any questions, feel free to send me a PM.
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

~Suzie Wagner



