Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

vundo and google redirect problems


  • This topic is locked This topic is locked
16 replies to this topic

#1 iaff284

iaff284

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 24 February 2009 - 04:25 PM

I picked up the vundo trojan and the malwarebytes was able to isolate and remove the trojan and I thought everything was fixed. My computer is running faster but I am still getting the redirects with google on both firefox and IE. I use the free AVG software and it shows everything is clean. I also ran the vundo fix software and no infections were found. The only issue other than the redirect is that I cannot run regedit from the start\run menu but I have a copy of rehence to access the registry. Any help would be appreciated.

Thanks

Mike Bayless

BC AdBot (Login to Remove)

 


#2 hopelessgirl

hopelessgirl

  • Members
  • 85 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:united kingdom
  • Local time:11:47 PM

Posted 24 February 2009 - 04:57 PM

wat about this topic did it help http://www.bleepingcomputer.com/forums/ind...p;#entry1073761
Posted Image

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:47 PM

Posted 24 February 2009 - 05:44 PM

Hello.

@HopelessGirl

Important Note: For other users who are reading topics in the HJT-Malware Removal Forum,the instructions provided in this topic are for the original topic starter ONLY. Even if you have similar problems or even log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic and feel free to link to any relevant topics as needed.Please Do NOT follow the instructions provided for this topic.

Therefore, I suggest you DO NOT follow the instructions in that topic (iaff284).

@iaff284

Please perform the following actions.

Backup Registry with ERUNT

This tool will create a complete backup of your registry. A backup is created to ensure we have backup so encase anything goes wrong we can deal with it. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt


How to Restore from the ERUNT Backup
Only restore from the backups if instructed to, or you need to do so. You need it if after doing something, your computer will only boot in Safe Mode and you are unable to contact us (or anyone else) for help by other means, or if your computer will not boot into Windows at all.

To restore if you can boot, navigate to C:\WINDOWS\erdnt, choose the folder with the most recent date, and double click ERDNT.EXE. Check all boxes in the restoration options.

To restore from the Recovery Console using the Windows CD:
  • Turn on your machine with the disk in the drive.
  • Type in the number of the Windows installation you want to repair (usually 1), then press Enter.
  • Type in the Administrator password (leave blank if you are unsure what it is or if you do not have one) and press Enter.
  • Type without quotes "cd erdnt" followed by Enter.
  • Type without quotes "dir" followed by Enter. This will list out the available folders, whose names are the date on which the backup was taken in (M)M-DD-YYYY format. Try the most recent dates first.
  • Type without quotes "cd **name of the folder**" followed by Enter.
  • Type without quotes "batch erdnt.con" followed by Enter.
  • Type without quotes "exit" followed by Enter.
  • Remove your CD from the drive and reboot your computer into the restored registry. If you still cannot boot, try again with an earlier restore date.

Create and Run batch script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".

    @Echo off

    If exist "C:\looking.txt" Del /q /s "C:\looking.txt"
    reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32" >> C:\looking.txt
    Notepad C:\looking.txt

    Exit

    Del %0

  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input peek.bat.
  • Hit OK.
When done properly, the icon should look like Posted Image for the .bat file.

Double click on peek.bat, and Black DOS window shall appear and then notepad will soon open. This is normal please do not panic. Once it's complete copy and paste the contents of notepad in your next reply.

Note: If you closed notepad accidentally, it can also be found at C:\looking.txt

I cannot run regedit from the start\run menu but I have a copy of rehence to access the registry.

What do you mean you have a copy of rehence? Refrence you mean, if so what refrence?

Run MBAM scan again. Update it first and then do a quick scan.

Post back with:
-Looking log
-MBAM Scan log


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#4 iaff284

iaff284
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 24 February 2009 - 06:48 PM

I typed everything like you said and everything was backed up. The .bat file looked good. I double clicked on it and the icons disappeared on the desktop for a second and then everything came back up. There was no black box or notepad file that opened up and I did a search for the looking file and it is no where to be found. The registry program I have is reghance 2.1 sorry for the typo. Is there any other way to get the looking text??

Thanks

Mike

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:47 PM

Posted 24 February 2009 - 09:15 PM

Hello.

Create the batch file again like last time but this time the contents of notepad should look like this instead:

@Echo off

reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32" >> C:\looking.txt
Notepad C:\looking.txt
pause

Exit



Let me know how it goes and post hte Looking log

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#6 iaff284

iaff284
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 24 February 2009 - 09:27 PM

Just tried the new .bat file and it still doesn't work....any other ideas??

#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:47 PM

Posted 24 February 2009 - 09:30 PM

Hello.

You said you "type it" do not type it.. Just copy and paste everything in the quotebox.. Also what OS are you using? Work perfectly fine here. Let me know what OS you are using as it may be different on different OS.

It's getting fairly late for me, so I need to go to bed. I'll take a look tomorrow. Let me know how it goes.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 iaff284

iaff284
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 24 February 2009 - 10:13 PM

Sorry, I did copy and paste it. Still no luck. I am using windows xp sp3

#9 iaff284

iaff284
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 25 February 2009 - 09:03 AM

That is exactly the issue. I cannot run cmd, regedit, regedt32, or command, cmd or anything from the start\run menu. Every time I do I get the same issue as you that the task bar and icons disappear and then reappear a short time later. I have run malwarebytes, trend micro house call, avg antivirus, vundofix, and windows malicious malware removal tool. Any ideas from anyone would be greatly appreciated.

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:47 PM

Posted 25 February 2009 - 04:23 PM

Hello.

This seems like a depper infection. Not being able to use some of the windows command is a sign of infection going on. From what I see, it's not a pleasent infection at all.

I suggest you start another topic in the HJT-Malware removal forum as even if we can clear our the surface of the infection. There may be more things going on then just not being able to access those commands.

Preparation Guide before Posting: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
HJT-Malware Removal forum: http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
What to do when you do not have a reply for 5 days: http://www.bleepingcomputer.com/forums/t/176012/post-in-this-thread-when-you-havent-received-an-answer-in-five-days/

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 iaff284

iaff284
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 25 February 2009 - 08:41 PM

I had posted in the xp forums and got some help from extremeboy. And he decided I should post in this forum as there appears things are worse than I thought. I ran malwarebytes and it found the vundo trojan and deleted it. I was having an issue with redirecting google search results in firefox and IE. I use AVG, have ran the vundofix software, trend micro house call and nothing else had shown up but I was still getting the redirect. Extremeboy told me to access regedit and run a peek.bat and it would no work. I copy and pasted exactly what he put in there and it would remove the desktop icons and the sytem tray and then they would come back but the black box would not show up and no looking file would be created. I ran spybot and it found some issue last night when I had spybot fix them and reboot the desktop picture will show up but none of the desktop icons or the system tray will show up. I was finally able to get it to boot to safe mode. A friend told me to download the microsoft diagnostic and repair tool and load the iso file to a disk and try to repair the registry. I downloaded it and image burn but when I try and access the microsoft tool a warning is displayed that the administrator has not given permission for this even though I am logged in as the administrator and I cannot get image burn to open even though it is installed. I am in big trouble and hope some one is willing to tackle this one

#12 iaff284

iaff284
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 25 February 2009 - 08:47 PM

I just tried to run a dds check and the black box comes up for a second and then disappears immediatley with no txt files created. Any ideas would be helpful

#13 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,807 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:06:47 PM

Posted 25 February 2009 - 11:33 PM

Hello iaff284,

As you were unable to produce the DDS logs to post in the HiJack This forum, I have merged your topic from there to your currently existing topic here.

Since you are unable to produce those logs, please try this:

Download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding Rist attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop down box set to default: "List/folders created or modified in the last 1 month (30 days).
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Please start a new topic and post your log in the HijackThis Logs and Malware Removal forum, NOT here.
  • Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.
If RSIT did not work, then reply back here.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:47 PM

Posted 26 February 2009 - 04:32 PM

Hello.

See if RSIT works as mentioned by Orange Blossom. Let us know once you post the log so we can close this topic. Also, for your description I think you should add this part in as it's more important. Change the wording to fit your style etc...

When trying to access cmd, regedit, regedt32, command, cmd or anything from the the start>>Run menu will NOT work because nothing opens up.

Change anything you like. Let us know how it goes :thumbsup:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#15 iaff284

iaff284
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 26 February 2009 - 04:55 PM

extremeboy, I was able to get the hijack this log to work as orange blossom suggested and it has been posted on the hjt forum. I haven't gotten any responses yet.

Thanks for your and orange blossoms help.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users