Vundo.h and package.200


13 replies to this topic

#1 racerboy76


Posted 12 March 2009 - 10:12 PM

Hello All,

I am at my wits' end fighting this Vundo.h virus. I have tried everything short of putting a bullet in my hard drive to get rid of this virus. I have it down now to Malwarebytes showing only 4 infections (3 Vundo.h and 1 Trojan.Agent) in the registry. What should be my next steps?

I own Norton 2009 and PC Tools Registry Mech

and in addition to that I have already downloaded and tried:

Avast,
Malwarebytes,
SuperAntispyware,
Spybot S & D,
HijackThis,
SDFix,
VirtumundoBeGone,
VundoFix,
IceSword,
ATF-Cleaner,
CC-Cleaner

I have downloaded ComboFix, but after reading that it is like giving a 2-year-old a sledgehammer and sending him into a china shop, I chose not to try it.

Oh, and also Norton keeps complaining about some package.200 it can't get rid of, so any ideas on that would be grateful as well.

Other info / things to note:

1. I am running Windows XP Pro SP2.
2. On boot I get three popups saying certain DLLs cannot be loaded because they are not found. (I killed those by changing the file extension and blew them away.) :thumbsup:

3. I can clean it all up and have all scanners and software say it's clean in safe mode, but once I boot in normal mode things come back.

So where should I go from here? Any help / advice would be greatly appreciated.

Thanks in advance for anyone's time. :flowers:


#2 racerboy76


Posted 13 March 2009 - 12:05 AM

I am going to sign off for the evening; I'll check back in the morning for any responses. Thanks all and good night :thumbsup:

#3 iearldtg


Posted 13 March 2009 - 12:28 AM

System Restore from the time before you got it.

#4 racerboy76


Posted 13 March 2009 - 08:41 AM

I would love to do that, but System Restore was off when this happened. :thumbsup: You can bet once this is clean it will be back on! Anywho, I'm off to work.

Edited by racerboy76, 13 March 2009 - 08:43 AM.


#5 garmanma

  • Staff Emeritus

Posted 13 March 2009 - 08:26 PM

Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click File and choose Save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#6 racerboy76


Posted 13 March 2009 - 10:35 PM

Hello garmanma,

Thanks a million for your reply. I just downloaded the software and I am going to start my scans. I'll post the logs after I'm done with your instructions.

I think I might have made some headway today. I was telling one of my co-workers about my strife with the registry entries. He told me to check my Spybot to see if TeaTimer was running. Indeed it was, and when I turned it off and cleared the entries they went away. I'm still a little gun-shy though, and I would like to go over this to make sure all of this garbage is gone. I did notice one more symptom today, and that is Windows Update will not start, and when I try to start the service it says access denied.

I'll go one step at a time with your direction for now and keep you posted.

Thanks

Racerboy76

Edited by racerboy76, 13 March 2009 - 10:40 PM.


#7 racerboy76


Posted 14 March 2009 - 02:22 AM

Hello Again,

Here is the log from the full scan with Dr. Web Cureit

gtdownls_125.ocx;c:\windows\system32;Adware.Gdown;Incurable.Moved.;
RegUBP2b-Chad.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
ComboFix.exe.part/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Chad\Desktop\ComboFix.exe.part/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\Chad\Desktop;Archive contains infected objects;;
ComboFix.exe.part;C:\Documents and Settings\Chad\Desktop;Container contains infected objects;Moved.;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Chad\Desktop\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\Chad\Desktop;Archive contains infected objects;Moved.;
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\Chad\Desktop\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\Documents and Settings\Chad\Desktop\SmitfraudFix.exe;Tool.ShutDown.14;;
SmitfraudFix.exe;C:\Documents and Settings\Chad\Desktop;Archive contains infected objects;Moved.;
VirtumundoBeGone.exe\data005;C:\Documents and Settings\Chad\Desktop\VirtumundoBeGone.exe;Tool.Prockill;;
VirtumundoBeGone.exe;C:\Documents and Settings\Chad\Desktop;Archive contains infected objects;Moved.;
Process.exe;C:\Documents and Settings\Chad\Desktop\SmitfraudFix;Tool.Prockill;;
restart.exe;C:\Documents and Settings\Chad\Desktop\SmitfraudFix;Tool.ShutDown.14;;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Install Files\ComboFix.exe/data002;Program.PsExec.171;;
data002;C:\Install Files;Archive contains infected objects;;
ComboFix.exe;C:\Install Files;Container contains infected objects;Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
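The report above is in the semicolon-separated layout that garmanma's instructions asked for (the DrWeb.csv saved from "Save report list"). The following script is an added example, not code from this thread or from Dr.Web, that parses that layout and does the triage garmanma does by eye in the next reply: it separates what was quarantined or deleted from what was left alone, and separates riskware verdicts ("Tool." and "Program." names, the process killers and PsExec bundled inside removal kits such as SDFix, SmitfraudFix and ComboFix) from adware and trojan verdicts. The column order (object;path;threat;action;) and the meaning of an empty action (object nested in an archive, or not touched) are assumptions read from the posted lines.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv) such as the one posted above.

Added example, not code from this thread or from Dr.Web. It assumes the
semicolon-separated layout visible in the posted report:
    object;path;threat;action;
where 'action' is empty for objects nested inside an archive (the archive
entry itself carries the action) or for objects Dr.Web did not touch.
"""
from collections import Counter

# Sample input: a subset of the report posted in this thread.
SAMPLE_REPORT = "\n".join([
    r"gtdownls_125.ocx;c:\windows\system32;Adware.Gdown;Incurable.Moved.;",
    r"RegUBP2b-Chad.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;",
    r"SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Chad\Desktop\SDFix.exe;Tool.Prockill;;",
    r"SDFix.exe;C:\Documents and Settings\Chad\Desktop;Archive contains infected objects;Moved.;",
    r"Process.exe;C:\SDFix\apps;Tool.Prockill;;",
])


def parse_drweb_report(text):
    """Return one dict per report line: object, path, threat, action, nested.

    The trailing '.' Dr.Web puts on actions ("Moved.", "Deleted.") is
    stripped so callers can compare plain words.
    """
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(";")]
        if len(fields) < 4 or not fields[0]:
            continue  # blank or malformed line
        obj, path, threat, action = fields[:4]
        records.append({
            "object": obj,
            "path": path,
            "threat": threat,
            "action": action.rstrip("."),
            # An object name containing a path separator means Dr.Web found
            # it inside an archive/installer; the container carries the action.
            "nested": "\\" in obj or "/" in obj,
        })
    return records


def classify(threat):
    """Coarse class from Dr.Web's naming prefix (assumed convention).

    'Tool.' / 'Program.' are riskware verdicts: legitimate utilities that
    removal kits bundle (process killers, PsExec) and that scanners flag.
    """
    if threat.startswith(("Tool.", "Program.")):
        return "riskware"
    if threat.endswith("contains infected objects"):
        return "container"
    return "malware"


def summarize(records):
    """Counts by action and by class, plus objects left without any action
    that are not merely nested inside a quarantined container."""
    by_action = Counter(r["action"] or "(none)" for r in records)
    by_class = Counter(classify(r["threat"]) for r in records)
    unhandled = [r["object"] for r in records
                 if r["action"] == "" and not r["nested"]]
    return {"by_action": by_action, "by_class": by_class,
            "unhandled": unhandled}


if __name__ == "__main__":
    summary = summarize(parse_drweb_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Run against the full posted report, the only "unhandled" objects are the loose Process.exe and restart.exe copies that SDFix and SmitfraudFix extracted onto the desktop, which is exactly what garmanma concludes from the log by reading it.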

#8 garmanma

  • Staff Emeritus

Posted 14 March 2009 - 07:41 PM

What I see pretty much are the quarantined items from all of the scans that you have done.
Since you now have TeaTimer disabled, update MBAM and run a full scan and post the results.
Mark

#9 racerboy76


Posted 16 March 2009 - 11:13 PM

Hello Again,

Sorry for the long delay. Here is the MBAM scan log.

Malwarebytes' Anti-Malware 1.34
Database version: 1856
Windows 5.1.2600 Service Pack 2

3/16/2009 9:12:08 PM
mbam-log-2009-03-16 (21-12-00).txt

Scan type: Full Scan (C:\|)
Objects scanned: 187009
Time elapsed: 1 hour(s), 5 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
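Every finding in the log above ends in "No action taken": the log was saved before the removal step, which is why the next post shows a second run after MBAM cleaned the items. The script below is an added example, not code from this thread or from Malwarebytes, that parses this 1.x text log layout (summary counts, then one block per section with lines of the form ITEM (Detection) -> ACTION.), lists what is still pending, cross-checks the summary counts against the listed items, and highlights detections whose name starts with "Rootkit." (the UAC trace in this log) since the original poster reported that scans looked clean in safe mode and things came back after a normal boot. The regular expressions encode the layout as it appears in the post and are assumptions about the format, not Malwarebytes' specification.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log like the one posted above
and report what was still pending.

Added example, not code from this thread or from Malwarebytes. It assumes the
layout visible in the post: summary lines 'Section: N', then one block per
section whose items read 'ITEM (Detection) -> ACTION.' (data items carry an
extra 'Bad: .. Good: ..' segment before the action).
"""
import re

# Sample input: the relevant lines of the log posted in this thread.
SAMPLE_LOG = "\n".join([
    "Malwarebytes' Anti-Malware 1.34",
    "Database version: 1856",
    "Windows 5.1.2600 Service Pack 2",
    "",
    "Registry Keys Infected: 2",
    "Registry Values Infected: 0",
    "Registry Data Items Infected: 1",
    "Files Infected: 0",
    "",
    "Registry Keys Infected:",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> No action taken.",
    "",
    "Registry Values Infected:",
    "(No malicious items detected)",
    "",
    "Registry Data Items Infected:",
    r"HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> No action taken.",
    "",
    "Files Infected:",
    "(No malicious items detected)",
])

SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
# ITEM (Detection) [-> extra detail] -> Action.
ITEM_RE = re.compile(
    r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?:.+? -> )?(?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return version info, the summary counts and every listed finding."""
    result = {"version": None, "database": None, "counts": {}, "findings": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Malwarebytes' Anti-Malware "):
            result["version"] = line.rsplit(" ", 1)[1]
        elif line.startswith("Database version: "):
            result["database"] = line.split(": ", 1)[1]
        elif (m := SUMMARY_RE.match(line)):
            result["counts"][m["section"]] = int(m["count"])
        elif (m := SECTION_RE.match(line)):
            section = m["section"]
        elif section and (m := ITEM_RE.match(line)):
            result["findings"].append({
                "section": section,
                "item": m["item"],
                "detection": m["detection"],
                "action": m["action"],
            })
        # '(No malicious items detected)' and blank lines are skipped.
    return result


def pending(findings):
    """Findings MBAM listed but did not remove ('No action taken')."""
    return [f for f in findings if f["action"] == "No action taken"]


def rootkit_indicators(findings):
    """Findings whose detection name carries a 'Rootkit.' prefix."""
    return [f for f in findings if f["detection"].startswith("Rootkit.")]


def summary_matches_findings(parsed):
    """Cross-check: each summary count equals the number of items listed
    under that section (a mismatch means a truncated or edited log)."""
    listed = {}
    for f in parsed["findings"]:
        listed[f["section"]] = listed.get(f["section"], 0) + 1
    return all(listed.get(sec, 0) == n for sec, n in parsed["counts"].items())


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("MBAM", parsed["version"], "database", parsed["database"])
    for f in pending(parsed["findings"]):
        print("PENDING:", f["section"], "|", f["item"], "|", f["detection"])
    print("rootkit indicators:", len(rootkit_indicators(parsed["findings"])))
    print("summary consistent:", summary_matches_findings(parsed))
```

On the second log in this thread (the one posted after the cleanup), every summary count is 0 and `pending()` returns an empty list, which is the state garmanma calls "clean" further down.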

#10 racerboy76


Posted 17 March 2009 - 08:50 AM

Good Morning,

I had MBAM clean up those issues and ran the scan again. Here is the new log.

Malwarebytes' Anti-Malware 1.34
Database version: 1856
Windows 5.1.2600 Service Pack 2

3/17/2009 6:43:58 AM
mbam-log-2009-03-17 (06-43-58).txt

Scan type: Full Scan (C:\|)
Objects scanned: 187029
Time elapsed: 57 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


However, Norton is still saying I have Packed.Generic.200. These are the files it says are infected:

globalroot\systemroot\system32\uacxdknbxrm.dll -- Listed twice


Thanks again

#11 garmanma

  • Staff Emeritus

Posted 17 March 2009 - 02:43 PM

Packed.Generic.200.
globalroot\systemroot\system32\uacxdknbxrm.dll

Wouldn't Norton delete those? It should have.
Humor me and update SUPERAntiSpyware and run another scan.
Mark

#12 racerboy76


Posted 17 March 2009 - 11:07 PM

I figured it would too, but it keeps saying it is failing when it tries to fix it. I'll go ahead and kick off the scan and post the results. I'm kinda leaning toward a false positive from Norton. Log on the way.

#13 racerboy76


Posted 18 March 2009 - 12:02 AM

OK, it's done. Here be the log.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/17/2009 at 09:52 PM

Application Version : 4.25.1014

Core Rules Database Version : 3802
Trace Rules Database Version: 1757

Scan type : Complete Scan
Total Scan Time : 00:42:28

Memory items scanned : 526
Memory threats detected : 0
Registry items scanned : 6354
Registry threats detected : 0
File items scanned : 24829
File threats detected : 0

#14 garmanma

  • Staff Emeritus

Posted 18 March 2009 - 04:12 PM

MBAM and SAS logs are clean. Try looking in Norton's quarantine section and see if that's where they are at.
Mark



