Vundo variant, redirects maybe cured - I hope so


  • This topic is locked
4 replies to this topic

#1 doccbst

doccbst

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:19 AM

Posted 01 May 2009 - 02:49 PM

After 2 weeks of fighting this malware that almost destroyed my system, I may be rid of it.
Edit: No, I'm still getting redirects. The computer seems stable and relatively fast.
I can't be sure some issues have disappeared or may be back later.
I have read numerous posts and used all tools mentioned on Bleeping Computer and a few from elsewhere.
Here is my DDS log and attached file, if someone could scan through and check them out.
You will see some or all of the weapons used. I will be glad to post all after the final verdict comes in.
Note: still getting redirects on Firefox. Can this be killed, maybe with ComboFix with assistance?
Thanks, Doccbst


DDS (Ver_09-03-16.01) - NTFSx86
Run by Cecil Collins at 15:29:32.12 on Fri 05/01/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1023.622 [GMT -4:00]


============== Running Processes ===============

F:\WINDOWS\system32\svchost -k rpcss
F:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\System32\sstray.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Google\Update\GoogleUpdate.exe
F:\WINDOWS\System32\svchost.exe -k imgsvc
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\Documents and Settings\Cecil Collins\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=f:\windows\system32\userinit.exe,d:\windows\system32\userinit.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - f:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - f:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - f:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - f:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - f:\program files\google\google toolbar\GoogleToolbar.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [SpybotSD TeaTimer] f:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] f:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [nForce Tray Options] sstray.exe /r
mRun: [Google Desktop Search] "f:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Adobe Reader Speed Launcher] "f:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avast!] f:\progra~1\alwils~1\avast4\ashDisp.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - f:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://f:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://f:\windows\java\classes\xmldso.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - f:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: !SASWinLogon - f:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - f:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli f:\windows\system32\topapope.dll

================= FIREFOX ===================

FF - ProfilePath - f:\docume~1\cecilc~1\applic~1\mozilla\firefox\profiles\5giqc1bw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: f:\documents and settings\all users.windows\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - component: f:\documents and settings\all users.windows\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
FF - component: f:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: f:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: f:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: f:\program files\mozilla firefox\plugins\NPFxViewer.dll
FF - plugin: f:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: f:\program files\mozilla firefox\plugins\npJoostPlugin.dll
FF - plugin: f:\program files\mozilla firefox\plugins\NPTURNMED.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;f:\windows\system32\drivers\si3112r.sys [2003-1-1 89610]
R0 SiWinAcc;SiWinAcc;f:\windows\system32\drivers\SiWinAcc.sys [2003-1-1 10112]
R1 aswSP;avast! Self Protection;f:\windows\system32\drivers\aswSP.sys [2009-5-1 114768]
R1 SASDIFSV;SASDIFSV;f:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 9968]
R1 SASKUTIL;SASKUTIL;f:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R2 avast! Antivirus;avast! Antivirus;f:\program files\alwil software\avast4\ashServ.exe [2009-5-1 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;f:\program files\alwil software\avast4\ashMaiSv.exe [2009-5-1 254040]
R3 avast! Web Scanner;avast! Web Scanner;f:\program files\alwil software\avast4\ashWebSv.exe [2009-5-1 352920]
R3 SASENUM;SASENUM;f:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
S2 gupdate1c9c76ea7e2abf0;Google Update Service (gupdate1c9c76ea7e2abf0);f:\program files\google\update\GoogleUpdate.exe [2009-4-27 133104]
S3 GoogleDesktopManager-110408-113106;Google Desktop Manager 5.8.811.4345;f:\program files\google\google desktop search\GoogleDesktop.exe [2008-4-7 30192]

=============== Created Last 30 ================

2009-05-01 15:21 1,060,864 a------- f:\windows\system32\MFC71.dll
2009-05-01 15:21 499,712 a------- f:\windows\system32\MSVCP71.dll
2009-05-01 15:21 348,160 a------- f:\windows\system32\MSVCR71.dll
2009-05-01 11:59 <DIR> --d----- f:\documents and settings\cecil collins\DoctorWeb
2009-05-01 11:48 288,417 a------- f:\windows\system32\SrchSTS.exe
2009-05-01 11:48 82,944 a------- f:\windows\system32\IEDFix.C.exe
2009-05-01 11:48 80,384 a------- f:\windows\system32\o4Patch.exe
2009-05-01 11:48 78,336 a------- f:\windows\system32\Agent.OMZ.Fix.exe
2009-05-01 11:48 53,248 a------- f:\windows\system32\Process.exe
2009-05-01 11:48 <DIR> --d----- f:\documents and settings\cecil collins\SmitfraudFix
2009-05-01 11:44 <DIR> a-d----- F:\autorun.inf
2009-05-01 09:38 <DIR> --d----- f:\program files\CCleaner
2009-04-30 17:58 <DIR> --d----- f:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2009-04-30 17:58 <DIR> --d----- f:\docume~1\cecilc~1\applic~1\SUPERAntiSpyware.com
2009-04-30 17:42 <DIR> --d----- f:\windows\ERUNT
2009-04-30 17:28 5,632 a------- f:\windows\system32\ptpusb.dll
2009-04-30 17:28 150,528 a------- f:\windows\system32\ptpusd.dll
2009-04-30 17:28 14,208 ac------ f:\windows\system32\dllcache\usbscan.sys
2009-04-30 17:28 14,208 a------- f:\windows\system32\drivers\usbscan.sys
2009-04-27 18:56 20,480 ac------ f:\windows\system32\dllcache\hidserv.dll
2009-04-27 18:56 20,480 a------- f:\windows\system32\hidserv.dll
2009-04-27 18:56 9,600 ac------ f:\windows\system32\dllcache\hidusb.sys
2009-04-27 18:56 9,600 a------- f:\windows\system32\drivers\hidusb.sys
2009-04-27 18:49 21,760 ac------ f:\windows\system32\dllcache\usbstor.sys
2009-04-27 18:44 80 a------- f:\windows\system32\blka
2009-04-27 18:23 <DIR> --d----- f:\program files\common files\Online Solutions Shared
2009-04-27 18:21 <DIR> --d----- f:\program files\Online Solutions
2009-04-27 17:05 102,664 a------- f:\windows\system32\drivers\tmcomm.sys
2009-04-27 17:04 <DIR> --d----- f:\documents and settings\cecil collins\.housecall6.6
2009-04-27 16:28 410,984 a------- f:\windows\system32\deploytk.dll
2009-04-27 16:15 664 a------- f:\windows\system32\d3d9caps.dat
2009-04-27 16:04 1,294,336 ac------ f:\windows\system32\dllcache\dsound3d.dll
2009-04-27 14:06 326 a------- f:\windows\wininit.ini
2009-04-27 14:02 <DIR> --d----- f:\docume~1\cecilc~1\applic~1\Malwarebytes
2009-04-27 14:01 15,504 a------- f:\windows\system32\drivers\mbam.sys
2009-04-27 14:01 38,496 a------- f:\windows\system32\drivers\mbamswissarmy.sys
2009-04-27 14:01 <DIR> --d----- f:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-04-27 13:41 <DIR> --d----- f:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2009-04-27 11:41 <DIR> --d----- f:\docume~1\alluse~1.win\applic~1\Avira
2009-04-27 10:21 41,472 ac------ f:\windows\system32\dllcache\nsepm.dll
2009-04-27 10:20 74,752 ac------ f:\windows\system32\dllcache\dayi.ime
2009-04-27 10:19 488 a---hr-- f:\windows\system32\logonui.exe.manifest
2009-04-27 10:19 749 a---hr-- f:\windows\WindowsShell.Manifest
2009-04-27 10:19 749 a---hr-- f:\windows\system32\wuaucpl.cpl.manifest
2009-04-27 10:19 749 a---hr-- f:\windows\system32\sapi.cpl.manifest
2009-04-27 10:19 749 a---hr-- f:\windows\system32\nwc.cpl.manifest
2009-04-27 10:19 749 a---hr-- f:\windows\system32\ncpa.cpl.manifest
2009-04-27 10:19 155,648 ac------ f:\windows\system32\dllcache\icwhelp.dll
2009-04-27 10:19 73,728 ac------ f:\windows\system32\dllcache\icwtutor.exe
2009-04-27 10:19 61,440 ac------ f:\windows\system32\dllcache\icwres.dll
2009-04-27 10:19 57,344 ac------ f:\windows\system32\dllcache\icwconn.dll
2009-04-27 10:19 45,056 ac------ f:\windows\system32\dllcache\icwutil.dll
2009-04-27 10:19 40,960 ac------ f:\windows\system32\dllcache\trialoc.dll
2009-04-27 10:19 24,576 ac------ f:\windows\system32\dllcache\icwrmind.exe
2009-04-24 17:14 10,435,072 a------- f:\windows\system32\ALSNDMGR.CPL
2009-04-24 17:14 463,932 a------- f:\windows\system32\drivers\ALCXWDM.SYS
2009-04-24 17:14 141,016 a------- f:\windows\system32\ALSNDMGR.WAV
2009-04-24 17:14 57,344 a------- f:\windows\SOUNDMAN.EXE
2009-04-24 17:14 164 a------- f:\windows\avrack.ini
2009-04-24 17:14 765,952 a------- f:\windows\system\crlds3d.dll
2009-04-24 17:14 720,896 a------- f:\windows\system32\Audio3D.dll
2009-04-24 17:14 720,896 a------- f:\windows\system32\a3d.dll
2009-04-24 17:14 404,736 a------- f:\windows\system32\drivers\ALCXSENS.SYS
2009-04-24 17:14 208,896 a------- f:\windows\alcupd.exe
2009-04-24 17:14 139,264 a------- f:\windows\alcrmv.exe
2009-04-24 17:13 126,976 a------- f:\windows\system32\NVNFINST.DLL
2009-04-24 17:13 509,984 a----r-- f:\windows\50comupd.exe
2009-04-24 17:13 73,728 a----r-- f:\windows\system32\sstray.exe
2009-04-24 17:13 73,728 a----r-- f:\windows\system32\sscpl.cpl
2009-04-24 17:13 18,253 a----r-- f:\windows\system32\ssnvfx.ini
2009-04-24 17:13 3,471,428 a----r-- f:\windows\system32\sswav06.wav
2009-04-24 17:13 1,429,132 a----r-- f:\windows\system32\sswav04.wav
2009-04-24 17:13 301,636 a----r-- f:\windows\system32\sswav02.wav
2009-04-24 17:13 2,093,135 a----r-- f:\windows\system32\sndstorm.exe
2009-04-24 05:12 28,160 a----r-- f:\windows\system32\nvmdcoi.dll
2009-04-24 05:12 20,224 a----r-- f:\windows\system32\drivers\nvidesm.sys
2009-04-24 05:12 80,896 a----r-- f:\windows\system32\drivers\NVENET.sys
2009-04-24 05:12 1,024 a----r-- f:\windows\system32\drivers\jedih2rx.bin
2009-04-24 05:12 122 a----r-- f:\windows\system32\drivers\ramsed.bin
2009-04-24 05:12 42 a----r-- f:\windows\system32\drivers\jedireg.pat
2009-04-24 05:12 13,568 a----r-- f:\windows\system32\drivers\nv_agp.SYS
2009-04-24 05:12 3,000 a----r-- f:\windows\system32\SetupNT.sys
2009-04-24 05:11 5 a------- f:\windows\system32\BSETUP.TMP
2009-04-24 04:39 <DIR> --d----- f:\documents and settings\Cecil Collins
2009-04-24 04:39 8,192 a------- f:\windows\REGLOCS.OLD
2009-04-24 04:35 2,626 a------- f:\windows\system32\CONFIG.NT
2009-04-24 04:35 0 a------- f:\windows\control.ini
2009-04-24 04:35 25,065 a------- f:\windows\system32\wmpscheme.xml
2009-04-24 04:35 23,392 a------- f:\windows\system32\nscompat.tlb
2009-04-24 04:35 16,832 a------- f:\windows\system32\amcompat.tlb
2009-04-24 04:35 299,552 a------- f:\windows\WMSysPrx.prx
2009-04-24 04:34 <DIR> --dsh--- f:\documents and settings\all users.windows\DRM
2009-04-24 04:33 47,104 ac------ f:\windows\system32\dllcache\srdiag.exe
2009-04-24 04:32 605,696 ac------ f:\windows\system32\dllcache\getuname.dll
2009-04-24 00:30 5,888 a------- f:\windows\system32\drivers\splitter.sys
2009-04-24 00:30 50,048 a------- f:\windows\system32\drivers\DMusic.sys
2009-04-24 00:30 3,072 a------- f:\windows\system32\drivers\audstub.sys
2009-04-24 00:30 24,960 a------- f:\windows\system32\drivers\usbprint.sys
2009-04-24 00:30 56,576 a------- f:\windows\system32\drivers\redbook.sys
2009-04-24 00:30 2,944 a------- f:\windows\system32\drivers\msmpu401.sys
2009-04-24 00:30 6,400 a------- f:\windows\system32\drivers\enum1394.sys
2009-04-24 00:27 <DIR> --d----- f:\program files\common files\ODBC
2009-04-24 00:27 <DIR> --d--r-- f:\documents and settings\all users.windows\Documents
2009-04-23 09:51 <DIR> --d----- F:\AF
2009-04-21 13:11 98 a------- F:\index.ini
2009-04-21 13:10 <DIR> --d----- f:\program files\a-squared HiJackFree
2009-04-21 13:02 <DIR> --d----- f:\program files\Uniblue
2009-04-21 11:05 <DIR> --d----- f:\program files\ewido anti-spyware 4.0
2009-04-17 16:34 194 a------- F:\boot.ini.backup
2009-04-17 16:06 <DIR> a-dshr-- F:\cmdcons
2009-04-17 14:30 <DIR> --d----- f:\program files\Trend Micro
2009-04-14 17:40 <DIR> --d----- f:\program files\nLite
2009-04-14 17:19 <DIR> --d----- F:\swsetup
2009-04-14 15:23 <DIR> --d----- f:\program files\Malwarebytes' Anti-Malware
2009-04-13 14:03 <DIR> --d----- f:\program files\ATI
2009-04-13 11:59 <DIR> --d----- f:\program files\Comodo
2009-04-13 11:39 <DIR> --d----- f:\program files\SpywareBlaster
2009-04-13 11:32 <DIR> --d----- f:\program files\Advanced Spyware Remover
2009-04-13 10:53 <DIR> --d----- f:\program files\Lavasoft
2009-04-13 09:18 <DIR> --d----- f:\program files\Panda Security
2009-04-10 16:40 <DIR> --d----- F:\fsaua.data
2009-04-03 12:08 <DIR> --d----- f:\program files\Pcsx2

==================== Find3M ====================

2009-04-27 13:38 59,904 a--sh--- f:\windows\system32\volizita.exe
2009-04-27 10:20 558,142 a------- f:\windows\java\packages\VN1BN7BX.ZIP
2009-04-27 10:20 2,678 a------- f:\windows\java\packages\data\CC2X3XB9.DAT
2009-04-27 10:20 155,995 a------- f:\windows\java\packages\ODN5JNHF.ZIP
2009-04-27 10:20 2,678 a------- f:\windows\java\packages\data\J9F5RHV7.DAT
2009-04-27 10:20 2,678 a------- f:\windows\java\packages\data\W8EZJ173.DAT
2009-04-27 10:20 2,678 a------- f:\windows\java\packages\data\C0XZ31RV.DAT
2009-04-27 10:20 2,678 a------- f:\windows\java\packages\data\62K1ZT3R.DAT
2009-04-27 10:18 22,720 a------- f:\windows\system32\emptyregdb.dat
2009-04-24 04:35 558,142 a------- f:\windows\java\packages\PFVLZ1NR.ZIP
2009-04-24 04:35 2,678 a------- f:\windows\java\packages\data\WRZPBDBN.DAT
2009-04-24 04:35 155,995 a------- f:\windows\java\packages\D7DRTBV5.ZIP
2009-04-24 04:35 2,678 a------- f:\windows\java\packages\data\TB3DVVZP.DAT
2009-04-24 04:35 2,678 a------- f:\windows\java\packages\data\I6SY62T3.DAT
2009-04-24 04:35 2,678 a------- f:\windows\java\packages\data\B7JZNBTN.DAT
2009-04-24 04:35 2,678 a------- f:\windows\java\packages\data\6JDVB531.DAT
2009-04-24 04:35 80,007 a------- f:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-16 14:18 517,448 a------- f:\windows\system32\XAudio2_4.dll
2009-03-16 14:18 235,352 a------- f:\windows\system32\xactengine3_4.dll
2009-03-16 14:18 69,448 a------- f:\windows\system32\XAPOFX1_3.dll
2009-03-16 14:18 22,360 a------- f:\windows\system32\X3DAudio1_6.dll
2009-03-16 14:07 80,896 a------- f:\windows\system32\dxdllreg.exe
2009-03-09 15:27 4,178,264 a------- f:\windows\system32\D3DX9_41.dll
2009-03-09 15:27 1,846,632 a------- f:\windows\system32\D3DCompiler_41.dll
2009-03-09 15:27 453,456 a------- f:\windows\system32\d3dx10_41.dll
2008-09-11 14:03 14,290 a------- f:\program files\settings.dat
2008-03-09 08:25 236 a---h--- f:\program files\common files\dx.reg

============= FINISH: 15:29:42.17 ===============

Edited by doccbst, 01 May 2009 - 03:50 PM.
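As an added example (not code from the thread or from the DDS tool), a short Python triage script that mechanically flags the three entries in the log above that a malware responder would circle for review: the doubled Userinit value, the extra LSA notification package, and the hidden+system executable in system32. The sample lines are quoted from the log; the `f:` system drive is taken from its Running Processes section.

```python
"""Triage helper for a DDS 'Pseudo HJT Report' / file listing.

Added example, not code from the thread or from the DDS tool. It flags the
entries in the log above that a malware responder would circle for review:
a Userinit value with more than one entry or an entry on a drive other than
the system drive, an LSA Notification Packages list naming anything besides
scecli, and hidden+system files sitting directly in system32.
"""
import re

# The machine in the log boots from F: (see the Running Processes section).
SYSTEM_DRIVE = "f:"

USERINIT_RE = re.compile(r"^mWinlogon:\s*Userinit=(.*)$", re.I)
LSA_RE = re.compile(r"^LSA:\s*Notification Packages\s*=\s*(.*)$", re.I)
# date time size-or-<DIR> attribute-flags path
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:[\d,]+|<DIR>)\s+(\S{8})\s+(.+)$")


def check_userinit(value):
    """Userinit normally holds exactly one entry, on the system drive."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    findings = []
    if len(entries) > 1:
        findings.append(f"Userinit has {len(entries)} entries: {entries}")
    for entry in entries:
        if not entry.lower().startswith(SYSTEM_DRIVE):
            findings.append(f"Userinit entry outside system drive: {entry}")
    return findings


def check_lsa(value):
    """Only scecli is expected; any other package DLL gets loaded by LSASS."""
    # Paths in this DDS line carry no spaces, so splitting on whitespace works.
    return [f"LSA Notification Packages loads extra DLL: {pkg}"
            for pkg in value.split() if pkg.lower() != "scecli"]


def check_file(attrs, path):
    """DDS attribute column: a=archive c=compressed d=dir s=system h=hidden r=read-only."""
    if ("s" in attrs and "h" in attrs and "d" not in attrs
            and "\\system32\\" in path.lower()):
        return [f"Hidden+system file in system32: {path}"]
    return []


def triage(lines):
    """Run every check over the given DDS log lines; return the findings."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := USERINIT_RE.match(line):
            findings += check_userinit(m.group(1))
        elif m := LSA_RE.match(line):
            findings += check_lsa(m.group(1))
        elif m := FILE_RE.match(line):
            findings += check_file(m.group(1), m.group(2))
    return findings


# Sample input: lines quoted from the DDS log above, plus two benign ones.
SAMPLE = r"""
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=f:\windows\system32\userinit.exe,d:\windows\system32\userinit.exe,
LSA: Notification Packages = scecli f:\windows\system32\topapope.dll
2009-04-27 13:38 59,904 a--sh--- f:\windows\system32\volizita.exe
2009-04-27 10:19 488 a---hr-- f:\windows\system32\logonui.exe.manifest
2009-04-24 04:34 <DIR> --dsh--- f:\documents and settings\all users.windows\DRM
""".strip().splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("REVIEW:", finding)
```

Running it over the sample yields four findings; the manifest and the DRM directory are correctly left alone.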



#2 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:02:19 PM

Posted 14 May 2009 - 11:19 AM

Hello

Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

Before we can continue, please post a fresh DDS log back here :thumbup2:

#3 doccbst

doccbst
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:19 AM

Posted 15 May 2009 - 03:12 PM

Thanks for the reply, Baabiouz, but during the interim I was forced to reinstall on another partition. Luckily I have saved all my data and applications.
As a stubborn cuss myself, I kept the defective system as a test platform and continued to wage war against this Vundo mutant variant, but in the end I lost the war.
Among the various exploits I suffered were several interesting symptoms I will list here for amusement and education.
Please move to a different topic if that is more appropriate.

Infested the BIOS - required a BIOS flash to remove
Crashed Windows (BSOD) on attempted install of AVG, Spyware Doctor, OSAM Autorun Manager, and then Vundo survived an XP repair install, still redirecting browsers.

Avoided detection by Malwarebytes, SUPERAntiSpyware, Spybot S&D (saw it, couldn't remove), VundoFix, VirtumundoBeGone,
also many listed (not named, out of respect) on Bleeping Computer tutorials and posts.

System errors included: NTLDR not found, HAL not found, and the final showdown on XP repair reinstall: BSOD and BAD_POOL_CALLER at 43 min during device loading. This happened after a rootkit app search for hidden processes led to a BSOD crash and I tried the faithful repair install again; not so faithful this time. Vundo wins!!!

Hope I never have to go through this again. All because I ignored a virus warning from Avira; it was a file downloaded from a torrent, but nothing outlandish or outrageous. But in my defense, I have always been able to remove infections before any major damage was done. Never again!!!
I am now protected by TeaTimer, Avira, Malwarebytes, AVG (with exclusions for Avira), and SUPERAntiSpyware.
Hope it's enough for the next attempt by a virus or trojan.
Thanks again,
doccbst

#4 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:02:19 PM

Posted 15 May 2009 - 04:48 PM

Hello :)

Yep, those programs might be enough. Here is my all-clean speech, so you can find some interesting info there :thumbup2:



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Next we remove all used tools.

Hide system files
  • Open My Computer.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Do not show hidden files and folders.
  • Check (tick) Hide extensions of known file types.
  • Check (tick) Hide protected operating system files (Recommended).
  • Click OK.
  • Close My Computer.
Create a new, clean System Restore point
  • Click on Start > All Programs > Accessories > System Tools > System Restore.
  • On the Welcome Page, select Create a restore point. Click Next.
  • Give this restore point a descriptive name and click Create.
  • When done, click Close.
Warning: Do not clear infected System Restore points before creating a new System Restore point first!

Please read the above to create a new System Restore point first, then clear out the infected System Restore points.


Clear infected System Restore points
  • Click on Start > All Programs > Accessories > System Tools > Disk Cleanup.
  • Select C drive and click OK.
  • Select the More Options tab.
  • Under System Restore, click on Clean up....
  • You will be prompted. Click Yes.
  • When done, click OK.
  • You will be prompted again. Press Yes to confirm.
  • When done, Disk Cleanup will close automatically.
Keep your system updated

Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Please ensure that you visit the following websites regularly or do update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows

Go to Start > All Programs > Windows Update

To update Office

Open up any Office program.

Go to Help > Check for Updates

Alternatively, you can visit the links below to update Windows and Office products.

Windows Update
Office Update

If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:
  • Go to Start > Control Panel > Automatic Updates
  • Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
  • Select the Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
  • Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.
Besides Windows that needs regular updating, antivirus, anti-spyware and firewall programs update regularly too.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Be careful when opening attachments and downloading files.
  • Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
  • Never open emails from unknown senders.
  • Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
  • Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.
Surf safely

Many of the exploits are directed to users of Internet Explorer and Firefox.

Using Firefox with NoScript add-on helps to prevent most exploits from running as NoScript by default disables all scripts on all websites. If you trust the website, you can manually allow it.

If you prefer to use Internet Explorer, please refer to this website to learn how to secure Internet Explorer 6.

To secure Internet Explorer 7, please read this article.


Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to backup. Follow this article by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

Avoid P2P

P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

Prevent a re-infection
  • Spyware Blaster
    SpywareBlaster is a program that is used to secure Internet Explorer by making it harder for ActiveX programs to run on your computer. It does this by disabling known offending ActiveX programs from running at all.

    You can download SpywareBlaster from Javacool.

    If you need help in using SpywareBlaster, you can read SpywareBlaster's tutorial at Bleeping Computer.

  • Hosts File
    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

    Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

    Here are some Hosts files:

    MVPS Hosts File
    Bluetack's Hosts File
    Bluetack's Host Manager
    hpHosts

    A tutorial about Hosts File can be found at Malware Removal.

  • Malwarebytes RogueNET Bleeping Computer
    Before downloading any anti-spyware programs, always check it. This will save you from a lot of trouble. If in doubt, don't ever download it.
Here are some more things to read about:

Securing Skype
Greater email safety
Phishing - what is it?
80 Super Security Tips

Happy surfing and stay clean!

#5 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:02:19 PM

Posted 21 May 2009 - 05:26 AM

Since this issue appears resolved ... this Topic is closed. Glad I could help.

If you need this topic reopened, please request this by sending me
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Edited by Baabiouz, 21 May 2009 - 05:26 AM.
