vundo and vundo h virus/worms


19 replies to this topic

#1 mattsbach (Members, 85 posts)

Posted 30 September 2009 - 10:44 PM

I have the vondo and vondo h virus according to anti-malware bytes.

I have windows xp and have installed and run anti-malware bytes a number of times in safe mode. I still have the virus when I run a quick scan with AMBytes. I have also run boot-time scans with avast free home edition. (my AMB is also the free version).

I tried uninstalling ie 7, then downloading ie 8 and installing it, that did not help. I can't get windows update to load since I assume that resource is being blocked by the virus/worm.

I have service pack 3. I am looking for help please - what else can I provide for information?

thanks in advance, matthew

#2 quietman7 (Bleepin' Janitor, Global Moderator, 50,939 posts, Virginia, USA)

Posted 01 October 2009 - 12:21 PM

Scanning with Malwarebytes Anti-Malware in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, MBAM loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. Additionally, there are various types of malware infections which target the safeboot keyset so booting into safe mode is not always possible. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Doing a safe mode scan should only be done when a regular mode scan fails or you cannot boot up normally. If that is the case, after completing a safe mode scan, reboot normally and try rescanning again.

Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Please download and scan with Dr.Web CureIt - alternate download link.
Follow these instructions for performing a scan in "safe mode".
If you cannot boot into safe mode or complete a scan, then try doing it in normal mode. Be aware, this scan could take a long time to complete.
-- Post the log in your next reply. If you can't find the log, try to write down what was detected/removed before exiting Dr.WebCureIt so you can provide that information.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [donation link].

#3 mattsbach (Topic Starter, Members, 85 posts)

Posted 02 October 2009 - 02:24 AM

thank you - I have since run AMB quick scan in normal mode, and that has helped some. I am now running a full scan in normal run. I also downloaded the TFC program and ran that successfully, but I had problems with drweb. I downloaded it and tried running it in safe mode and continually got an error of the type - 'this program has encountered an error and has to stop'. This happens before I can even get to the screen where I can run an express scan. I also tried running it in normal mode and got the same error. Is this a common problem with drweb and/or is there an alternative?

#4 quietman7 (Bleepin' Janitor, Global Moderator, 50,939 posts, Virginia, USA)

Posted 02 October 2009 - 06:34 AM

I had problems with drweb. I downloaded it and tried running it in safe mode and continually got an error

Then run the scan in normal mode.

#5 mattsbach (Topic Starter, Members, 85 posts)

Posted 02 October 2009 - 08:37 AM

thanks quietman - I have since run the scan multiple times in normal mode -- things are looking good but I am still getting the hijack.windowsupdate virus when I run MBAM. Actually I get three viruses:

disabled.securitycenter
hijack.windowsupdate (...\BITS\imagepath)
hijack.windowsupdate (...\wuauserv\imagepath)

how can I get those removed?

#6 quietman7 (Bleepin' Janitor, Global Moderator, 50,939 posts, Virginia, USA)

Posted 02 October 2009 - 08:42 AM

The Disabled.SecurityCenter entries do not necessarily mean malware. They are registry keys that can be:
  • Disabled by malware to prevent notification that your protection has been disabled
  • Disabled intentionally by the user.
  • Disabled by other security programs to prevent conflicts, duplicate warnings and allow them to have control.

This key controls the warning you get about your antivirus software (out of date, not installed .....). If the value is set to 1 you won't get any of these warnings, and multiple malicious applications do this to prevent you from knowing that they have disabled your antivirus software. MBAM is re-enabling this function in your log.

explanation by nosirrah

For example, if you have McAfee Security Center or Norton Internet Security installed, they will disable the Windows Security Center in order to take care of (manage) things themselves. Other security programs like Spybot S&D will provide similar detections for these type of registry changes and ask you to allow or deny them. Please refer to this discussion thread and click the link in Post #2 for a more detailed explanation.

If a scan is showing these entries and there are no other signs of infection, then it's likely another security program has disabled them. If that's the case, then having MBAM add them to the Ignore list will prevent the detections from showing in future scans. If you are experiencing symptoms of malware, do not use other security programs and did not disable them yourself, then further investigation is warranted, as there is no way to specifically tell how or by what something became disabled. MBAM only shows that it is disabled.

Please post a complete MBAM log to include the top portion which shows the program/database version, operating system, date of scan and scan type.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs


#7 mattsbach (Topic Starter, Members, 85 posts)

Posted 02 October 2009 - 11:12 AM

Malwarebytes' Anti-Malware 1.41
Database version: 2879
Windows 5.1.2600 Service Pack 3

10/2/2009 5:56:42 AM
mbam-log-2009-10-02 (05-56-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 176788
Time elapsed: 44 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 quietman7 (Bleepin' Janitor, Global Moderator, 50,939 posts, Virginia, USA)

Posted 02 October 2009 - 03:47 PM

Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Please download and scan with Dr.Web CureIt - alternate download link.
Follow these instructions for performing a scan in "safe mode".
If you cannot boot into safe mode or complete a scan, then try doing it in normal mode. Be aware, this scan could take a long time to complete.
-- Post the log in your next reply. If you can't find the log, try to write down what was detected/removed before exiting Dr.WebCureIt so you can provide that information.

Then rescan again with Malwarebytes Anti-Malware (Quick Scan) in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

The database in your previous log shows 2879. Last I checked it was 2893.

#9 mattsbach (Topic Starter, Members, 85 posts)

Posted 02 October 2009 - 11:00 PM

thank you - I have followed the steps again except that my Dr.Web always crashes doing a memory test, both in safe and in normal mode. Not sure what that's about. I also am unable to run windows update, and when I try to start the service using services.msc, I get an error 2, file not found error, so I am hoping you can help me with that if we can get this first step solved. Here is my latest MBAM log -- looks pretty clean except like I said I can't get windows update to work. THANKS again for your help :thumbsup:


Malwarebytes' Anti-Malware 1.41
Database version: 2897
Windows 5.1.2600 Service Pack 3

10/2/2009 11:38:46 PM
mbam-log-2009-10-02 (23-38-41).txt

Scan type: Quick Scan
Objects scanned: 108675
Time elapsed: 8 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
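The registry detections explained in post #6 and listed in the two MBAM logs above are worth looking at mechanically: the Security Center value is ambiguous on its own, while the ImagePath entries are not. `%fystemRoot%` is not an environment variable Windows defines, so the Service Control Manager leaves it unexpanded, the path `%fystemRoot%\system32\svchost.exe` does not exist, and the BITS and Windows Update services fail to start with "error 2, the system cannot find the file specified" (the symptom reported in post #9). The Python below is an added example, not code from the thread or from Malwarebytes: it parses the "Registry Data Items Infected" lines of an MBAM 1.x log, flags service paths that reference undefined variables, and notes which findings were left as "No action taken". The sample log text is constructed from the values quoted in this thread, and the list of stock environment variable names is an assumption of the example.

```python
"""Parse MBAM 1.x "Registry Data Items Infected" lines and explain each finding.
Added example for this thread; the sample input is constructed from the posted logs."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: one Security Center detection and the two ImagePath
# hijacks, in the exact line shape MBAM 1.41 writes them.
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
"""

# key (detection) -> Bad: (value) Good: (value) -> action.
LINE_RE = re.compile(
    r"^(?P<key>HKEY_.+?) \((?P<name>[^)]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+?)\.?$"
)

# Assumed list of variables a stock Windows environment defines (compared
# case-insensitively). A %token% outside this set is left literal when the
# Service Control Manager expands ImagePath, so the binary path cannot exist.
STOCK_ENV_VARS = {"systemroot", "windir", "systemdrive", "programfiles",
                  "commonprogramfiles", "allusersprofile"}
ENV_TOKEN_RE = re.compile(r"%([^%\\]+)%")


@dataclass
class Finding:
    key: str
    detection: str
    bad: str
    good: str
    action: str
    verdict: str
    remediated: bool


def unresolved_env_vars(path: str) -> List[str]:
    """%VAR% tokens in a service binary path that a stock Windows does not define."""
    return [t for t in ENV_TOKEN_RE.findall(path) if t.lower() not in STOCK_ENV_VARS]


def explain(key: str, bad: str, good: str) -> str:
    """One-line interpretation of a registry data finding for a helper's reply."""
    value_name = key.rsplit("\\", 1)[-1]
    if value_name.lower() == "imagepath":
        missing = unresolved_env_vars(bad)
        if missing:
            tokens = ", ".join(f"%{m}%" for m in missing)
            return (f"service binary path uses undefined variable(s) {tokens}; "
                    "the path does not resolve, so the service cannot start")
        if bad.lower() != good.lower():
            return "service binary path changed from the expected value"
        return "no change to the service binary path"
    if "security center" in key.lower():
        # Ambiguous on its own: malware, a third-party suite, or the user may set it.
        return (f"Security Center notification suppressed (value {bad}); set by "
                "malware, by another security product, or by the user")
    return "registry data changed from the expected value"


def parse_registry_data(log_text: str) -> List[Finding]:
    """Extract every 'Registry Data Items Infected' line from an MBAM 1.x log."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:          # section headers, blank lines, other sections
            continue
        f = m.groupdict()
        findings.append(Finding(
            key=f["key"], detection=f["name"], bad=f["bad"], good=f["good"],
            action=f["action"], verdict=explain(f["key"], f["bad"], f["good"]),
            # MBAM writes "No action taken" when the log was saved before removal.
            remediated=not f["action"].lower().startswith("no action taken"),
        ))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Counts worth stating before asking for a rescan: what is still present."""
    return {
        "total": len(findings),
        "unremediated": sum(not f.remediated for f in findings),
        "unstartable_services": sum("cannot start" in f.verdict for f in findings),
    }


if __name__ == "__main__":
    results = parse_registry_data(SAMPLE_LOG)
    for f in results:
        state = "fixed" if f.remediated else "STILL PRESENT"
        print(f"[{state}] {f.detection}: {f.key}\n    {f.verdict}")
    print(summarize(results))
```

Run against the constructed sample, the two ImagePath lines are reported as unstartable services because of `%fystemRoot%`, and two of the three findings are flagged as still present, which is exactly the situation a helper wants to spot before asking for another scan rather than another log.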

#10 quietman7 (Bleepin' Janitor, Global Moderator, 50,939 posts, Virginia, USA)

Posted 03 October 2009 - 09:07 AM

Your Malwarebytes Anti-Malware log shows "No action taken". This usually occurs if you forget to click "Remove Selected" and instead just click "Save Logfile" or save the report before having MBAM remove the threats. To confirm if everything was removed, rescan again in normal mode and check all items found for removal.

Please perform an online scan with Kaspersky Online Virus Scanner.
(Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.)
  • Click on the ... button.
  • The program will launch and fill in the Information section ... on the left.
  • Read the "Requirements and Limitations" then press... the ... button.
  • The program will begin downloading the latest program and definition files.
    It takes a while... please be patient and let it finish.
  • Once the files have been downloaded, click on the ... button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the ... button, if you made any changes.
  • Now under the Scan section on the left: Select My Computer
  • The program will start and scan your system. This will run for a while, be patient... let it run.
    Once the scan is complete, it will display if your system has been infected.
  • Save the scan results as a Text file ... save it to your desktop.
  • Copy and paste the saved scan results file in your next reply.
From what you describe, you may be dealing with two different issues. If you can get to Microsoft and Anti-virus vendor websites, then the issue with Windows update may not be related to an infection.

I suggest you try some of the troubleshooting suggestions for issues with Windows Update provided by Microsoft:

#11 mattsbach (Topic Starter, Members, 85 posts)

Posted 03 October 2009 - 03:09 PM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, October 3, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, October 03, 2009 17:42:14
Records in database: 2901315
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 73237
Threats found: 3
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 02:22:25


File name / Threat / Threats count
C:\Documents and Settings\Maria Carolina\Local Settings\Temp\~.exe Infected: Packed.Win32.Krap.ad 1
C:\Program Files\Common\_helper.dll Infected: Trojan.Win32.BHO.tts 1
C:\WINDOWS\system32\mijepubi.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1

Selected area has been scanned.

#12 quietman7 (Bleepin' Janitor, Global Moderator, 50,939 posts, Virginia, USA)

Posted 03 October 2009 - 03:23 PM

Please download OTM by OldTimer and save to your Desktop.
  • Double-click on OTM.exe to launch the program. (If using Windows Vista, be sure to Run As Administrator)
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the code box and press CTRL+C or right-click and choose Copy.
:Processes
explorer.exe

:Services

:Reg

:Files
C:\Documents and Settings\Maria Carolina\Local Settings\Temp\~.exe
C:\Program Files\Common\_helper.dll
C:\WINDOWS\system32\mijepubi.dll

:Commands
[emptytemp]
[start explorer]
[Reboot]
  • Return to OTM, right-click in the open text box labeled "Paste Instructions for Items to be Moved" (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTM\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. After the reboot, open Notepad, click File > Open, in the File Name box type *.log and press the Enter key. Navigate to the C:\_OTM\MovedFiles folder, open the newest .log file and copy/paste the contents in your next reply. If not asked, reboot anyway.

Caution: Be careful of what you copy and paste with this tool. OTM is a powerful program, designed to move highly persistent files and folders and is intended by the developer to be used under the guidance and supervision of a trained malware removal expert.



#13 mattsbach (Topic Starter, Members, 85 posts)

Posted 04 October 2009 - 01:06 AM

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Documents and Settings\Maria Carolina\Local Settings\Temp\~.exe moved successfully.
C:\Program Files\Common\_helper.dll NOT unregistered.
C:\Program Files\Common\_helper.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\mijepubi.dll
C:\WINDOWS\system32\mijepubi.dll NOT unregistered.
C:\WINDOWS\system32\mijepubi.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 65984 bytes

User: Maria Carolina
->Temp folder emptied: 1601701101 bytes
->Temporary Internet Files folder emptied: 5159055 bytes
->Java cache emptied: 128013 bytes
->FireFox cache emptied: 45736584 bytes

User: NetworkService
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 18315464 bytes

Total Files Cleaned = 1593.69 mb


OTM by OldTimer - Version 3.0.0.6 log created on 10042009_020107

Files moved on Reboot...

Registry entries deleted on Reboot...

#14 quietman7 (Bleepin' Janitor, Global Moderator, 50,939 posts, Virginia, USA)

Posted 04 October 2009 - 06:15 AM

How is your computer running now?

#15 mattsbach (Topic Starter, Members, 85 posts)

Posted 04 October 2009 - 10:14 AM

it is running well :thumbsup:

thank you so much! I ran another MBAM scan and there were no threats found. I have also tested IE and am not seeing misc pop ups. I have also been able to run a successful windows update.

Are we at the end then?

One last question:
At this point I want to reinstall my anti-virus program - I have been using avast free home edition, and AVG, though never at the same time. I am not interested in using any of the big ones like Norton or McAfee, and I am also looking for a free solution. Do you recommend anything other than Avast or AVG?
