Vundo Fixed?


This topic is locked. 10 replies to this topic.

#1 goom

Posted 28 August 2008 - 07:03 PM

Well, I recently got Vundo/Virtumonde and a few other trojans on my computer.
I ran Malwarebytes and SuperAntiSpyware and thought I had mostly cleaned it up, but it recently popped up again.

here is my log:

thanks very much :thumbsup:

Attached Files




#2 Thunder

Posted 01 September 2008 - 07:59 AM

Hello Goom and welcome to BleepingComputer,

1. Clean your cache, cookies and temporary files.

* In Internet Explorer:
  • Close all instances of Outlook Express and Internet Explorer.
  • Go to Control Panel > Internet Options > General tab.
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history.
  • Click Close below.
* In Firefox (in case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window.
* Other temporary files and the Recycle Bin:
  • Go to Start > Run, type cleanmgr and click OK.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users!).
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, and you're notified a more current version is available, please download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 goom

Posted 02 September 2008 - 08:51 PM

Thanks, will do.
And yeah, I'm using Vista, so I shouldn't download the Recovery Console first?

I'll post my log, one sec.

#4 goom

Posted 02 September 2008 - 09:35 PM

Okay, here is my log.

I noticed when the ComboFix thing started that it deleted a few items (maybe 9?) from C:\Windows\system32\ (a few .dlls).
Were those viruses, or do I need to get those back? :)

Thanks :thumbsup:

Attached Files



#5 Thunder

Posted 03 September 2008 - 03:42 AM

Hello Goom,

The files removed by ComboFix are indeed malware files. :)

Just some minor cleaning up to do:
Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the text below into an empty Notepad window:

    File::
    C:\Windows\pdoskegl.dll
    Folder::
    C:\VundoFix Backups

Save this as a text file named CFScript.

Then drag the CFScript onto ComboFix.exe as you see in the screenshot below.

[Screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

Are you still having problems?

Greetings,
Thunder

Side note: please don't use 2 AV scanners side-by-side (Nod32 & AVG).
They'll probably interfere with each other. :thumbsup:

#6 goom

Posted 03 September 2008 - 08:43 AM

Oh, I thought I'd disabled AVG. Sorry about that ;)

I'll get to posting my new log, thanks for the help.

#7 Thunder


Posted 03 September 2008 - 10:45 AM

No problem, Goom

I'll see your logs later then. :thumbsup:

Greetings,
Thunder

#8 goom

Posted 03 September 2008 - 06:39 PM

Okay, here are my 2 new scans. :thumbsup:

Attached Files



#9 Thunder

Posted 04 September 2008 - 03:25 AM

Looking good, Goom :thumbsup:

Please make sure you keep UAC enabled; it may be a drag sometimes, but it's also an important safety measure.

You can remove all used tools and folders created in the process.
To remove ComboFix:
Go to Start > Run, and copy and paste the next command in the field:

    ComboFix /u

Make sure there's a space between ComboFix and /u.
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

No more problems?

Greetings,
Thunder
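Post #9 lists what ComboFix /u is supposed to put back (UAC stays on, hidden files and file extensions hidden again, its own folders removed), and post #10 confirms it by eye. The PowerShell script below is an added example, not code from the thread or from ComboFix, that checks the same things read-only: the UAC EnableLUA value, the Explorer view settings, and whether the leftover paths named earlier in the thread (C:\ComboFix.txt, C:\VundoFix Backups, C:\Windows\pdoskegl.dll, and ComboFix.exe on the desktop) are gone. The registry locations and value meanings are the standard Windows ones; which values count as "expected" follows what the thread says ComboFix /u restores, not a hardening recommendation.

```powershell
# Added example (not from the thread or from ComboFix): read-only post-cleanup check
# for the items post #9 says 'ComboFix /u' restores or removes. Nothing is changed.

function Get-UacState {
    # Standard location of the UAC policy value; EnableLUA = 1 means UAC is on,
    # 0 means it was switched off (the change takes effect after a reboot).
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $enableLua = (Get-ItemProperty -Path $path -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    [pscustomobject]@{
        Check = 'UAC enabled (EnableLUA = 1)'
        Value = $enableLua
        Ok    = ($enableLua -eq 1)
    }
}

function Get-ExplorerViewState {
    # Explorer view settings for the current user.
    #   Hidden:          1 = show hidden files,        2 = hide them (Windows default)
    #   ShowSuperHidden: 1 = show protected OS files,  0 = hide them (Windows default)
    #   HideFileExt:     1 = hide known extensions,    0 = show them
    # 'Ok' means "matches what the thread says ComboFix /u puts back", i.e. the defaults.
    $path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $adv  = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    @(
        [pscustomobject]@{ Check = 'Hidden files hidden (Hidden = 2)';         Value = $adv.Hidden;          Ok = ($adv.Hidden -eq 2) }
        [pscustomobject]@{ Check = 'OS files hidden (ShowSuperHidden = 0)';    Value = $adv.ShowSuperHidden; Ok = ($adv.ShowSuperHidden -eq 0) }
        [pscustomobject]@{ Check = 'Extensions hidden (HideFileExt = 1)';      Value = $adv.HideFileExt;     Ok = ($adv.HideFileExt -eq 1) }
    )
}

function Get-CleanupLeftovers {
    # Paths named in the thread: the ComboFix log, the VundoFix backup folder,
    # the DLL the CFScript removed, and the ComboFix binary saved to the desktop.
    # 'Ok' means the path no longer exists.
    $paths = @(
        'C:\ComboFix.txt',
        'C:\VundoFix Backups',
        'C:\Windows\pdoskegl.dll',
        (Join-Path $env:USERPROFILE 'Desktop\ComboFix.exe')
    )
    foreach ($p in $paths) {
        $present = Test-Path -LiteralPath $p
        [pscustomobject]@{ Check = "Removed: $p"; Value = $present; Ok = (-not $present) }
    }
}

$results = @(Get-UacState) + @(Get-ExplorerViewState) + @(Get-CleanupLeftovers)
$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'Some items differ from the state described in the thread; review the rows where Ok is False.'
}
```

Run it from an elevated PowerShell prompt so the HKLM read succeeds. Keeping EnableLUA at 1 is the one row worth treating as a hard requirement; for the Explorer rows many practitioners deliberately keep HideFileExt at 0 after a cleanup, since visible extensions make a disguised executable easier to spot, so adjust that comparison if that is your preference.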

#10 goom

Posted 05 September 2008 - 04:56 PM

Thank you very much.
I'd already deleted ComboFix from my desktop, so I didn't do that last step, but my clock is back to normal and file extensions and hidden files are hidden anyway.

And I'll be sure to re-enable User Account Control :thumbsup:

Edited by goom, 05 September 2008 - 05:00 PM.


#11 Thunder

Posted 05 September 2008 - 05:38 PM

Glad we could help, Goom :thumbsup:

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: make sure your programs are up to date, because older versions may contain security leaks.
To find out which programs need to be updated, please run the Secunia Software Inspector scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.