Vundo I Think.


8 replies to this topic

#1 arpithicus

arpithicus

  • Members
  • 7 posts
  • OFFLINE

Posted 04 April 2008 - 01:29 PM

Hello Sirs or Madams,

I have been infected with what I think is the Vundo Virus. I have some computer knowledge so before I bothered you guys I did some research. I checked all the sites and this one seemed to be very savvy about fixing the Vundo. I tried to use fixvundo, vundofix, killbox, adaware, and of course good old fashioned Avira. Avira finds Vturp.dll and seems to be having a hard time deleting it. It continues to want to quarantine the file but apparently can not do that either because it is still there. The Vundo fix proggy deleted 5 things the first time and then 3 things the next before failing to find any more. Avira is still detecting the Vundo Virus but alas I can not get rid of it. I have Hijack this if that is needed. Thank you in advance.


#2 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 04 April 2008 - 05:12 PM

Download and Install SuperAntiSpyware Free
  • Launch SuperAntiSpyware
  • Click Check for Updates and update to the latest definitions.
  • Click Scan your Computer
    • Check all boxes in the Scan Location box.
    • Check the Complete Scan radio button.
    • Click Scanning Preferences/Control Centre button.
      • Uncheck Ignore files larger than 4MB (recommended)
      • Check Scan Alternate Data Streams.
      • Click Close.
    • Click Next
  • SuperAntiSpyware will now scan your computer for infection. (This could take in excess of an hour depending on the number of files scanned)
  • When finished it will present you with a summary of its findings.
  • Click OK.
  • The Removal Screen will open.
    • Check the items in the list to mark them for Quarantine.
    • Click Next and SAS will Quarantine them.
Please send me the log.
  • Click the Preferences button.
    • Click the Statistics/Logs tab.
    • Logs are listed by date and time, click on the latest one to highlight it (at the top).
    • Click View log.
  • This will open a log page.
  • Copy/Paste the contents in your next post please.
CAUTION: SuperAntiSpyware comes with a programme called Bootsafe. Do not for any reason use this programme; if used on an infected computer it could render it UNBOOTABLE.

For this problem I would suggest running the scan from safe mode after installing and updating and setting scan preferences.

Use the F8 method only for safe mode

You can go in Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.


http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

Edited by DaChew, 04 April 2008 - 10:32 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,606 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA

Posted 04 April 2008 - 10:58 PM

When done with the above, continue as follows:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 arpithicus

arpithicus
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE

Posted 05 April 2008 - 10:16 AM

Thanks for the prompt help guys. I only ran the regular program; I did not like the sentence saying it may make my computer inoperable. If I need to run the other one let me know and I will. Thanks Again. I will not do the next step.



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/05/2008 at 00:59 AM

Application Version : 4.0.1154

Core Rules Database Version : 3432
Trace Rules Database Version: 1424

Scan type : Complete Scan
Total Scan Time : 01:55:00

Memory items scanned : 602
Memory threats detected : 1
Registry items scanned : 7014
Registry threats detected : 22
File items scanned : 187057
File threats detected : 46

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\VTURP.DLL
C:\WINDOWS\SYSTEM32\VTURP.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{3055295A-CCDD-44B2-9F73-D8E8E626E5C1}
HKCR\CLSID\{3055295A-CCDD-44B2-9F73-D8E8E626E5C1}
HKCR\CLSID\{3055295A-CCDD-44B2-9F73-D8E8E626E5C1}\InprocServer32
HKCR\CLSID\{3055295A-CCDD-44B2-9F73-D8E8E626E5C1}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AWTQPPP.DLL
HKLM\Software\Classes\CLSID\{419E769D-1404-4F8B-89AF-398680A17036}
HKCR\CLSID\{419E769D-1404-4F8B-89AF-398680A17036}
HKCR\CLSID\{419E769D-1404-4F8B-89AF-398680A17036}\InprocServer32
HKCR\CLSID\{419E769D-1404-4F8B-89AF-398680A17036}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{A5790A18-DE14-4018-8920-9A1C542E2913}
HKCR\CLSID\{A5790A18-DE14-4018-8920-9A1C542E2913}
HKCR\CLSID\{A5790A18-DE14-4018-8920-9A1C542E2913}\InprocServer32
HKCR\CLSID\{A5790A18-DE14-4018-8920-9A1C542E2913}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\GEBYY.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3055295A-CCDD-44B2-9F73-D8E8E626E5C1}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{419E769D-1404-4F8B-89AF-398680A17036}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5790A18-DE14-4018-8920-9A1C542E2913}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{3055295A-CCDD-44B2-9F73-D8E8E626E5C1}
HKCR\CLSID\{3055295A-CCDD-44B2-9F73-D8E8E626E5C1}

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{8E95B93E-A076-4AAA-B468-EB8B3E274D6F}
HKCR\CLSID\{8E95B93E-A076-4AAA-B468-EB8B3E274D6F}
HKCR\CLSID\{8E95B93E-A076-4AAA-B468-EB8B3E274D6F}\InprocServer32
HKCR\CLSID\{8E95B93E-A076-4AAA-B468-EB8B3E274D6F}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DDAYY.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8E95B93E-A076-4AAA-B468-EB8B3E274D6F}

Adware.Tracking Cookie
C:\Documents and Settings\Kat and Arp\Cookies\kat_and_arp@ar.atwola[2].txt
C:\Documents and Settings\Kat and Arp\Cookies\kat_and_arp@atwola[1].txt

Unclassified.Unknown Origin
C:\DOCUMENTS AND SETTINGS\KAT AND ARP\LOCAL SETTINGS\TEMP\KBDUMMY.0
C:\DOCUMENTS AND SETTINGS\KAT AND ARP\LOCAL SETTINGS\TEMP\KBDUMMY.1

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\PRUTV.INI
C:\WINDOWS\SYSTEM32\PRUTV.INI2

Trace.Known Threat Sources
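
Reading a log like this by hand is tedious. The following is an added Python example (not from the thread or from SUPERAntiSpyware) that parses this log format and, for each CLSID reported, lists the Internet Explorer load points it was registered under (COM class, Browser Helper Object, ShellExecuteHook), which is how the Vundo DLLs above get loaded. The embedded sample is a constructed, shortened copy of the entries in this post.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened copy of the SUPERAntiSpyware log posted in this thread.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Application Version : 4.0.1154

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\VTURP.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{3055295A-CCDD-44B2-9F73-D8E8E626E5C1}
HKCR\CLSID\{3055295A-CCDD-44B2-9F73-D8E8E626E5C1}\InprocServer32
C:\WINDOWS\SYSTEM32\AWTQPPP.DLL
HKLM\Software\Classes\CLSID\{419E769D-1404-4F8B-89AF-398680A17036}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3055295A-CCDD-44B2-9F73-D8E8E626E5C1}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{419E769D-1404-4F8B-89AF-398680A17036}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{3055295A-CCDD-44B2-9F73-D8E8E626E5C1}

Adware.Tracking Cookie
C:\Documents and Settings\Kat and Arp\Cookies\kat_and_arp@atwola[1].txt
"""

GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)

def parse_log(text):
    """Return {category: [entries]}. SAS writes blank-line separated blocks whose
    first line is the category; header blocks are skipped (no path/key lines)."""
    blocks = defaultdict(list)
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if len(lines) > 1 and all("\\" in ln for ln in lines[1:]):
            blocks[lines[0]].extend(lines[1:])
    return dict(blocks)

def persistence_by_clsid(blocks):
    """Map each CLSID to the IE load points it is registered under: the COM
    class itself (CLSID key), a Browser Helper Object and/or a ShellExecuteHook."""
    where = defaultdict(set)
    for entries in blocks.values():
        for entry in entries:
            m = GUID_RE.search(entry)
            if not m:
                continue
            guid, low = m.group(0).upper(), entry.lower()
            if "browser helper objects" in low:
                where[guid].add("BHO")
            elif "shellexecutehooks" in low:
                where[guid].add("ShellExecuteHook")
            elif "\\clsid\\" in low:
                where[guid].add("COM")
    return {g: sorted(s) for g, s in where.items()}

def flagged_dlls(blocks, family="vundo"):
    """DLL paths reported under any category naming the given malware family."""
    return sorted({e for cat, es in blocks.items() if family in cat.lower()
                   for e in es if e.lower().endswith(".dll")})
```

A CLSID that appears as both a BHO and a ShellExecuteHook, as the first one above does, is loaded into every Internet Explorer process and into Explorer's shell, which is why the file keeps coming back after a single deletion.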

#5 arpithicus

arpithicus
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE

Posted 05 April 2008 - 10:41 AM

And for the second part. Well the good news is that everything seems to be quarantining and deleting successfully. Thanks again CHEW and Quiet. My wife has been yelling at me for breaking the computer and it will be nice to tell her that it is fixed. Of course I will be taking all the credit, you guys understand every little bit helps in a marriage. THANKS AGAIN.

Malwarebytes' Anti-Malware 1.10
Database version: 593

Scan type: Quick Scan
Objects scanned: 44431
Time elapsed: 18 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Kat and Arp\Local Settings\Temp\grcvxurf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kat and Arp\Local Settings\Temp\jbnwprln.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnkihf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

#6 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 05 April 2008 - 11:18 AM

Being able to boot into safe mode safely is an essential tool if you expect to fight malware and win.

http://www.malwareremoval.com/tutorials/safemodeboot.php

#7 arpithicus

arpithicus
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE

Posted 05 April 2008 - 12:35 PM

I can boot in safe mode without a snag. I guess I should have read your last post better. I thought it could harm the computer even in safe mode. It sounds like that is not the case. Should I run the other proggy in safe mode now? I ran Avira and nothing was detected. What are your thoughts? Thanks Again.

#8 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 05 April 2008 - 01:47 PM

If I have even a hint of trouble and pick up something on a scan, I always reboot to safe mode and scan again; if it finds anything I kill it, reboot and scan again in normal mode.

It may seem like a lot of trouble and a waste of time, but rather safe than sorry.

I got hit by a drive-by malware after surfing where I shouldn't have last summer. I ran Spybot, TrojanHunter and Norton's and Vundo fixes; I missed one registry value and a hidden trojan downloader, and when I connected back to the internet it started all over again. Saw a post by Quietman showing how to use ATF Cleaner and SAS from safe mode; I set them up, disconnected from the internet and ran them.

#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,606 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA

Posted 05 April 2008 - 04:56 PM

MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact it loses some effectiveness for detection & removal when used in safe mode.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.




