Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vundo Virus Problem


  • Please log in to reply
17 replies to this topic

#1 Verde49

Verde49

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 29 May 2009 - 09:27 PM

I've just joined this forum, so bear with me. My mother's computer has picked up a Vundo virus that seems to be replicating itself every time the machine is shut off and rebooted. I've used Malwarebytes and VundoFix to try to remove it. She was getting pop ups that warned her the computer was infected and tried to get her to go to a website to download an antivirus program that would, purportedly, clean her computer. I didn't let her do it and used the two programs mentioned to try to clean the virus. Some of the infected files were, apparently removed. But 4, one .dll file in the System32 section and three keys in the registry resist all efforts of removal. I've also tried removing them with SpyBot Search and Destroy but that doesn't work either. She has also now lost her internet connection as well, so I'm using my own computer to post this.

I've read on this and other sites that sometimes this particular virus has a rootkit function that makes it very difficult to remove. I'm wondering if that is what it is. Can anyone help me in removing it?

Thanks in advance for your help.

Verde49

BC AdBot (Login to Remove)

 


m

#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,114 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:00 PM

Posted 29 May 2009 - 09:46 PM

Hello and welcome. Please post the last infected MBAM ( Malwarebytes ) log.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy

Next Run ATF and SAS:
From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Verde49

Verde49
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 30 May 2009 - 11:45 AM

As requested here is the latest Malwarebytes scan log:

Malwarebytes' Anti-Malware 1.36
Database version: 2084
Windows 5.1.2600 Service Pack 2

5/30/2009 9:48:51 AM
mbam-log-2009-05-30 (09-47-47).txt

Scan type: Quick Scan
Objects scanned: 81329
Time elapsed: 8 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7352eeef-0b33-4f84-8ea8-f2b271586909} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wtvwsvgk (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{7352eeef-0b33-4f84-8ea8-f2b271586909} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\SYSTEM32\yivszcp.dll (Trojan.Vundo.H) -> No action taken.

I followed your instructions disabling the tea timer and SD helper. then I rebooted into Safe Mode and ran the ATF cleaner from the CD drive. I then tried to run SAS from the CD drive as well, but it wouldn't load. A screen popped up saying the administrator had set a policy that would not allow the program to install.

I thought perhaps I should check the User Account to see if something could be done to change that policy, but it didn't appear there were any policies to change in the User Account. I did find that both the Admnistrator Account that came with the computer and the User Account are listed as administrator accounts. Shouldn't there be just one administrator account?

Anyway, I rebooted to normal mode and tried to install SAS again and it did install. I then ran a full scan and it came up with some adware cookies and one Vundo file. I checked those boxes and quanrantined and removed them. I was asked by SAS to reboot and I did. I then ran Malwarebytes again and it showed the same 4 Vundo files still. But I hadn't tried to eliminate them the last time I did a scan, so could it just be showing results from the previous scan?

Let me know if I can do anything more or, of course, if I have done something wrong here and should redo it.

Thanks Again,
Verde49

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,114 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:00 PM

Posted 30 May 2009 - 11:50 AM

Good.. Ok 2 things did you reboot the PC normally after that Mbam scan as it was needed to complete removal. Now MBAM has updraded the engine soo rescan..

Rerun MBAM like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 Verde49

Verde49
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 30 May 2009 - 11:52 AM

I forgot to post the SAS log. I will do that as soon as I can get back to the other computer.
Back in awhile.

#6 Verde49

Verde49
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 30 May 2009 - 11:59 AM

I can't update Malwarebytes on my mother's computer because it has no internet connection. Should I make a copy of MB on a CD, update it, then use the CD version?

#7 Verde49

Verde49
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 30 May 2009 - 12:00 PM

No I hadn't rebooted after running MB. So I will try that.
Thanks.

#8 Verde49

Verde49
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 30 May 2009 - 07:08 PM

The good news is that the internet connection is back, I'm sending this from the infected computer.

The bad news is that it's still infected, according to MB.

Malwarebytes' Anti-Malware 1.37
Database version: 2198
Windows 5.1.2600 Service Pack 2

5/30/2009 7:55:40 PM
mbam-log-2009-05-30 (19-55-40).txt

Scan type: Quick Scan
Objects scanned: 85950
Time elapsed: 8 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7352eeef-0b33-4f84-8ea8-f2b271586909} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wtvwsvgk (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{7352eeef-0b33-4f84-8ea8-f2b271586909} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\SYSTEM32\yivszcp.dll (Trojan.Vundo.H) -> Delete on reboot.

I haven't rebooted yet, but I wanted to tell you what I've done since the last time I posted.

Once I got the internet connection back (a faulty filter on the phone line) I was able to update SAS as you had previously asked and Malwarebytes as well. So, that done, I rebooted into safe mode and this time chose the User account instead of the administrator account as I had last time. I ran ATF again and then ran the updated version of SAS from safe mode. It found one file in the system32 folder that was infected: OVLABBXI.DLL. I checked it off for removal and rebooted into normal mode.

Then I ran the updated version of MB and it once again found the same 4 infections as before, 1 in the system32 folder and three in the registry. The odd thing is that SAS didn't see the same infected file as MB and vice versa. The infected file found by MB is: yivszcp.dll.

Anyway I'll reboot again and run MB again to see if the 4 files are gone. I'm beginning to think this has become a permanent part of the computer. I've heard there are such things as false positives found by antispyware programs. Could this be an example?

Thanks again for your help.

#9 Verde49

Verde49
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 30 May 2009 - 07:13 PM

Sorry forgot the SAS logs again. Here they are.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/30/2009 at 07:30 PM

Application Version : 4.26.1004

Core Rules Database Version : 3917
Trace Rules Database Version: 1861

Scan type : Complete Scan
Total Scan Time : 01:33:58

Memory items scanned : 227
Memory threats detected : 0
Registry items scanned : 5204
Registry threats detected : 0
File items scanned : 25267
File threats detected : 1

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\OVLABBXI.DLL

And:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/30/2009 at 11:36 AM

Application Version : 4.26.1004

Core Rules Database Version : 3910
Trace Rules Database Version: 1854

Scan type : Complete Scan
Total Scan Time : 01:00:48

Memory items scanned : 429
Memory threats detected : 0
Registry items scanned : 5186
Registry threats detected : 0
File items scanned : 25264
File threats detected : 83

Adware.Tracking Cookie
.2o7.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.ads.addynamix.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.anm.112.2o7.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.atwola.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.cbs.112.2o7.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.clickability.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.edge.ru4.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.edge.ru4.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.offeroptimizer.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.offeroptimizer.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.offeroptimizer.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.offeroptimizer.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.overture.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.overture.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.pix01.revsci.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.pro-market.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.pro-market.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.pro-market.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.questionmarket.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.revenue.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]
www.burstbeacon.com [ C:\Documents and Settings\Able\Application Data\Mozilla\Profiles\default\vcxubmkb.slt\cookies.txt ]

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\OVLABBXI.DLL

Verde49

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,114 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:00 PM

Posted 30 May 2009 - 07:20 PM

Thats why we run several antispyware tools,one gates what the other doesn't. Vundo is a stubborn malware and may take several scans and reboots.. We will also run Drweb-cureit next.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 Verde49

Verde49
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 30 May 2009 - 07:40 PM

Ok. I've just downloaded the Cureit file and will reboot to safe mode and follow your instructions.
Thanks.

#12 Verde49

Verde49
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 31 May 2009 - 08:24 AM

Here is the log file from the DrWeb Cureit scan:

hjcbiazs.sys;c:\windows\system32\drivers;Trojan.NtRootKit.1652;Deleted.;
VirtumundoBeGone.exe\data005;C:\VirtumundoBeGone.exe;Tool.Prockill;;
VirtumundoBeGone.exe;C:\;Archive contains infected objects;Moved.;
wmplayer.exe.tmp;C:\Documents and Settings\Able\Start Menu\Windows Media Player;Trojan.DownLoader.1297;Deleted.;
RegUBP2b-Able.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
CFD.exe;C:\Program Files\BroadJump\Client Foundation;Adware.Cfd;Invalid path to file ;
wmplayer.exe.tmp;C:\Program Files\Windows Media Player;Trojan.DownLoader.1297;Deleted.;
cfd.exe;c:\program files\broadjump\client foundation;Adware.Cfd;Incurable.Moved.; cfd.exe;c:\program files\broadjump\client foundation;Adware.Cfd;Incurable.Moved.;

This was saved by default as an xcel file. I resaved as a text file, but aside from being full of semi colons it seems to have the same information as the xcel file had.

Should I rescan with MB to see if the virus is removed or are there further steps I should take first?

Thanks.

#13 Verde49

Verde49
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 31 May 2009 - 09:40 AM

I took the liberty of scanning with MB again after running the Cureit program that had eliminated several virus files. Once again MB found the same 4 virus files as before:

Malwarebytes' Anti-Malware 1.37
Database version: 2198
Windows 5.1.2600 Service Pack 2

5/31/2009 10:03:45 AM
mbam-log-2009-05-31 (10-03-37).txt

Scan type: Quick Scan
Objects scanned: 86142
Time elapsed: 7 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7352eeef-0b33-4f84-8ea8-f2b271586909} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wtvwsvgk (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{7352eeef-0b33-4f84-8ea8-f2b271586909} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\SYSTEM32\yivszcp.dll (Trojan.Vundo.H) -> No action taken.

Then I quarantined and tried deleting the files as I had done unsuccesfully 5 or 6 times before. Previously MB had popped up a notice that the files could not be deleted but may be deleted on reboot. This time a screen popped up saying the files had been succesfully deleted! Boy, I was beginning to think maybe the virus was gone. So I rebooted and ran MB again and........NO VIRUS!

Malwarebytes' Anti-Malware 1.37
Database version: 2198
Windows 5.1.2600 Service Pack 2

5/31/2009 10:03:45 AM
mbam-log-2009-05-31 (10-03-37).txt

Scan type: Quick Scan
Objects scanned: 86142
Time elapsed: 7 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7352eeef-0b33-4f84-8ea8-f2b271586909} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wtvwsvgk (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{7352eeef-0b33-4f84-8ea8-f2b271586909} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\SYSTEM32\yivszcp.dll (Trojan.Vundo.H) -> No action taken.

Thank you very much for your help. This was a particularly nasty and tenacious virus and I'm sure I wouldn't have gotten rid of it without your help.

Thanks again so much.

Verde49

#14 Verde49

Verde49
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 31 May 2009 - 09:44 AM

I guess I got so excited I posted the first logfile twice. Here is the second MBam logfile:

Malwarebytes' Anti-Malware 1.37
Database version: 2198
Windows 5.1.2600 Service Pack 2

5/31/2009 10:30:32 AM
mbam-log-2009-05-31 (10-30-32).txt

Scan type: Quick Scan
Objects scanned: 86099
Time elapsed: 6 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Verde49

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,114 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:00 PM

Posted 31 May 2009 - 05:22 PM

good work.. by rerunning.. Only now updtae and do one more . Tell me if there's any redirecting or popups left..

Rerun MBAM like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users