
Please Help. Problem With Adware.vundo Variant/rel



#1 helplalaman1


Posted 19 June 2008 - 10:45 PM

Ok, I have Windows XP Service Pack 2, Media Center Edition. My computer was infected with a virus called "Spyware Master" if I recall correctly, or something similar. My AVG didn't really pick up on it, well it did in the scans, but didn't seem to be deleting them. I downloaded SuperAntiSpyware, and it worked. Problem is now when I do scans with SuperAntiSpyware I still have 1 more adware (which I'm guessing brings in more adware, since after a while of waiting then scanning, there's new adware found). This adware/spyware/virus whatever it is, is called "Adware.Vundo Variant/Rel". How can I get rid of it? I used smitfraud, don't know if that worked, I used ComboFix, maybe incorrectly, and it still shows up. Does anyone have any information on a free program I can download to get rid of this? Or possibly give me instructions on how to manually remove it? I'm not too great with computers, so if you know ANYTHING about this, please help, thanks.
- Pat



Also, while I have this program, is it safe to go to websites I usually go to? Like should I refrain from going on facebook/myspace/msn/paypal? What exactly does this Adware.Vundo Variant/Rel thing do?

Edited by Orange Blossom, 19 June 2008 - 10:56 PM.
Move to more appropriate forum. ~ OB



#2 Guest_superbird_*


Posted 20 June 2008 - 12:55 AM

Hi,

First: Please don't experiment with tools like ComboFix, SmitfraudFix etc, unless you know what you're doing! These tools are very 'aggressive', and using these tools without knowing what you're doing can result in damage to your machine!

Delete ComboFix by going to Start > Run. Type this: combofix /u

Now, follow these steps:

1. Download ATF cleaner (by Atribune)

Double-click ATF cleaner to start the program.
At the tab "Main", place a mark at Select All.
Click the button Empty Selected.

If you use Firefox:
Click the tab "Firefox", place a mark at Select All.
If you want to keep the stored passwords in Firefox, please choose "No" at the window that opens.
(This deletes the mark at "Firefox saved passwords")
Click the button Empty Selected.

If you use Opera:
Click the tab "Opera", place a mark at Select All.
If you want to keep the stored passwords in Opera, please choose "No" at the window that opens.
Click the button Empty Selected.

Go to the tab "Main" and click the button Exit to close the program.

2. Download the next programs, but do nothing more than that:

3. Install the programs that are advised in step 2, and update them. :thumbsup:

4. Restart your computer in Safe Mode. See here for a tutorial how to do this.

5. Scan with the next programs:
  • Your anti-virusscanner.
  • Spybot S&D
  • Ad-Aware
  • Windows Defender
  • MalwareBytes' Anti-Malware (Use "Perform quick scan")
    Post the results in your next answer
6. Restart your computer again, but now in Normal Mode.

7. Go to Kaspersky Online Scanner.
Click the button Accept.
This scanner is only compatible with Internet Explorer 6 and higher !!
It could be you must click at a yellow beam to activate ActiveX files that Kaspersky needs to run and download. Accept this.
  • The program will now start downloading the latest definition files. After this you need to click Next.
  • Then click Scan Settings.
    Beneath the text Scan using the following antivirus database: you need to choose the second option: extended - protect your .....
    Beneath the text Scan options: you need to check the following boxes: Scan Archives .... and Scan Mail Bases ....
  • Then click OK.
  • Now start the scan by clicking the text My Computer.
    Note that this scan may take a while.
  • When the scan is finished, you'll get the option to save the scan report.
    Click the button Save Report As. Save the report at your Desktop with the name kavscan.txt
Post this report in your next reply.

8. Now, post the logs/results in your next answer. Tell which problems you still have. I need the following reports:
  • The results of your anti-virus program
  • Spybot S&D
  • Ad-Aware
  • Windows Defender
  • Kaspersky Online Scan
Good luck. :flowers:

Edited by superbird, 20 June 2008 - 01:06 AM.


#3 helplalaman1


Posted 20 June 2008 - 02:56 PM

Ok, sorry but I don't exactly know how to post the results from the scans, since only two of them could have saved the logs. I'll just try explaining it and post the log from Malware and Kaspersky. Also I just did a scan using SUPERAntiSpyware, but all it found was a tracking cookie, Adware.Vundo Variant/Rel wasn't found this time, so that's good news :thumbsup:.

Ok, so AVG did the scan, found absolutely nothing no errors/no threats , saying my system was clean.

Spybot Search & Destroy found problems, but I couldn't print them (my laptop's not connected to a printer), I didn't know whether I could try posting the results while on Safe mode, so all I did was let it remove them. Although in the backup section if I open it now there are these things: Clickspring.Outerinfo, Zlob.Downloader.vdt, FunWeb, FunWebProducts. MyWay.MyWebSearch, MyWebSearch, Smitfraud-C.gp, SpyHunter, Virtumonde, WildTangent. Sorry for not being able/too ignorant to get more information from Spybot S&D.

Windows Defender found Name: " Trojan:Win32/Vundo.gen!M Alert level: Severe Action Taken: Quarantine Status: Succeeded. Also when I press the name of it, this comes up
Category:
Trojan

Description:
This program displays advertisements and may be difficult to remove.

Advice:
Remove this software immediately.

Resources:
regkey:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\7410410f

runkey:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\7410410f

file:
C:\WINDOWS\system32\qvdqlolm.dll



And for Ad-Aware it found some sort of boot error I think, but no spyware.





And this is the Malware log:

Malwarebytes' Anti-Malware 1.18
Database version: 871

1:02:31 PM 20/06/2008
mbam-log-6-20-2008 (13-02-27).txt

Scan type: Quick Scan
Objects scanned: 37871
Time elapsed: 9 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 7
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\Software\MyWebSearch (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\Software\Fun Web Products (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7410410f (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{81705d67-3f73-4983-859b-97d0922e5abe} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\qvdqlolm.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\mlolqdvq.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> No action taken.

The Kaspersky Scan:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, June 20, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, June 20, 2008 17:32:24
Records in database: 879805
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 85972
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:33:08


File name / Threat name / Threats count
C:\Documents and Settings\Patrick\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Patrick\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

The selected area was scanned.






I am very very sorry for the lack of information I've provided for some parts like Adware, and I thank you greatly for taking your time of the day to help me out :flowers:.

#4 Guest_superbird_*


Posted 20 June 2008 - 03:02 PM

Did your virus scanner find anything? Can you post a logfile from your AV?

Scan again with Malwarebytes Anti-Malware, and post the logfile in your next reply.

EDIT: I'll answer to your logs tomorrow. Now I'm going to sleep. ;)

Edited by superbird, 20 June 2008 - 03:03 PM.


#5 helplalaman1


Posted 20 June 2008 - 04:33 PM

Thanks again.

Ok this was the test result for AVG

Report name: Complete test
Start time: 6/20/2008 11:58:12 AM
End time: 6/20/2008 12:57:25 PM (total: 59:12.3 Min)
Launch method: Scanning launched manually
Scanning result: No threats found
Report status : Scanning completed successfully

Object summary
Scanned: 94121
Threats found: 0
Cleaned: 0
Moved to vault: 0
Deleted: 0
Errors: 1

Sorry if that's not the logfile, don't know how to find it on AVG.




Malwarebytes' Anti-Malware 1.18
Database version: 871

5:32:27 PM 20/06/2008
mbam-log-6-20-2008 (17-32-27).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 119287
Time elapsed: 29 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

That's for Malware, I think there's nothing bad left on my computer! Yay, if this is all, then I'd like to thank you for telling me what programs to download. If there's more then I'll check back later. Have a good summer :thumbsup:
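
The first Malwarebytes log in this thread ends every entry with "No action taken", so it records what was found, not what was removed; only the later clean scan shows the result. As an added example (not part of any post here and not Malwarebytes' own code), this Python parser reads a log in that layout, lists entries that were detected but not acted on, and checks the summary counts against the entries listed. The layout is inferred from the logs on this page, and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: same layout as the Malwarebytes' Anti-Malware 1.18 log
# posted in this thread, cut down to three of its entries (counts adjusted).
SAMPLE_LOG = r"""Scan type: Quick Scan
Registry Keys Infected: 1
Registry Values Infected: 1
Files Infected: 1

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7410410f (Trojan.Vundo) -> No action taken.

Files Infected:
C:\WINDOWS\system32\qvdqlolm.dll (Trojan.Vundo) -> No action taken.
"""

SUMMARY = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # "Files Infected: 3"
HEADER = re.compile(r"^([A-Za-z ]+ Infected):$")          # "Files Infected:"
TARGET = re.compile(r"^(.+) \(([^()]+)\)$")               # "<path> (<family>)"

def parse_mbam_log(text):
    """Return (declared_counts, detections) for an MBAM 1.x style text log."""
    declared, detections, section = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SUMMARY.match(line):
            declared[m[1]] = int(m[2])
        elif m := HEADER.match(line):
            section = m[1]
        elif section and " -> " in line:
            # First field is "<path> (<family>)", last field is the action;
            # data-item lines carry an extra "Bad: ... Good: ..." field between.
            target, *_, action = line.split(" -> ")
            if m := TARGET.match(target):
                detections.append({"section": section, "path": m[1],
                                   "family": m[2], "action": action.rstrip(".")})
    return declared, detections

def unremediated(detections):
    """Entries the scanner reported but did not remove or quarantine."""
    return [d for d in detections if d["action"].lower() == "no action taken"]

def count_mismatches(declared, detections):
    """Sections whose summary count differs from the number of entries listed."""
    found = Counter(d["section"] for d in detections)
    return {s: (n, found[s]) for s, n in declared.items() if n != found[s]}
```

A non-empty result from `count_mismatches` usually means the pasted log was cut short, which is worth ruling out before reading a short list as a clean machine.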

#6 Guest_superbird_*


Posted 21 June 2008 - 03:37 AM

Please, don't apologize all the time, everybody makes mistakes, and you aren't even making any mistakes. So, don't apologize. :thumbsup:

How is your computer running now?
- Are there still strange things?
- Is your computer slow?
- etc etc

#7 helplalaman1


Posted 22 June 2008 - 04:32 PM

My computer's at normal speed now :thumbsup:. There's nothing strange either anymore, so sweet. Should I install all the other programs? Or just keep them off until I need to use them again. I have AVG and SUPERAntiSpyware on at all times, but are the other ones necessary as well?

#8 Guest_superbird_*


Posted 23 June 2008 - 01:48 AM

Hi,

I think the malware has been removed.

I advise you to keep these programs. Update them regularly.
Read this page for prevention tips: http://users.telenet.be/bluepatchy/miekiem...prevention.html

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.




