
vundo.gen.bw and windows will not load


22 replies to this topic

#1 haley6412


Posted 11 December 2009 - 05:11 PM

Hello,

I really appreciate any help anyone can give me. I received a popup "worm.win32.netsky" and then a fake scanner displayed. I ran McAfee, which found vundo.gen.bw but stated it could not quarantine it and that I needed to restart and scan again. I did this, but when I looked at the scan logs it was still not quarantined. I ran SUPERAntiSpyware, which found it and stated I needed to restart for the files to be removed. I typed my password at the welcome screen, which stated "loading preferences", but then it proceeded to log off. I tried starting in safe mode but it wouldn't do it either; from that screen, if I pick normal or last working it will go to the desktop without icons, just wallpaper, but then logs off again after about 5 min.

I had seen a previous post "cannot stay logged in" where "budapest"? suggested to someone else burning an ISO image. I have done so, but I haven't taken it to my computer (I'm using my mother's to get help). I am just wondering, before doing this, will it even work, as she has Vista and I have WinXP?

Thank you in advance.

#2 azfreetech


Posted 11 December 2009 - 05:50 PM

Well it sounds like this thing has got you on lock down. This is what you can try....

Use a known working computer to download Hiren's Boot CD 10.1. Burn the ISO file to a CD so that it is bootable. Take the CD and boot the infected computer from it. Run the antivirus scans (they include malware and spyware scanners), remove what the scans find, and try booting normally again.

Your other option would be to pull the hard drive, slave it to another known working computer. Run scans with Malwarebytes, SUPERAntispyware and your antivirus program and remove what they find. After that, take the hard drive, put it back in the computer it came out of, re-run the scans and remove what they find.
DJ Digital Gem

I gave up on computers and now I just DJ!

#3 haley6412


Posted 11 December 2009 - 06:17 PM

Okay, I know this is probably a stupid question, but how do I get the ISO image? I saved Hiren's Boot CD to the desktop, which is in a zip file. When opening it I see this file: hirens.bootCD.10.1, and the type says ISO image. I open MagicISO, open the hirens.boot...... which on the right panel has other files; do I copy and save these as well to the desktop, then burn that? I have no idea what to do. Any help would be appreciated.

#4 azfreetech


Posted 11 December 2009 - 06:58 PM

All you need to burn to the CD is the .iso image. That's the entire program. Boot from the CD and run its virus/spyware/malware scans. There's a link in my last post which gives you screenshots on how to burn the ISO to a disk.

#5 haley6412


Posted 11 December 2009 - 07:50 PM

Ok, so now it's on my computer but I have no idea which one to select. I don't see any of the antivirus programs on there. Any help with which one to pick? Thank you so much for the help; I really don't know about computers (as you can tell).

#6 azfreetech


Posted 11 December 2009 - 08:27 PM

I am at work now so I can't load it. When I get home I will fire it up and get you some more instructions. From the screenshots I am looking at, there should be an option off the main menu that says Virus Scans.....


#7 haley6412


Posted 11 December 2009 - 08:35 PM

I had checked every single option available but I didn't see it, so I downloaded it again, unzipped everything to the desktop, and burned another copy using the "burn to CD" option, so hopefully the antivirus stuff is on there, and now I'm going home to try again. Thanks for the fast replies and I will let ya know how it goes.

#8 haley6412


Posted 11 December 2009 - 09:45 PM

Ok, still nothing about antivirus programs. I had even seen the CCleaner file before burning; I don't get it. Anyway, I will be patiently awaiting further instructions.

#9 azfreetech


Posted 12 December 2009 - 01:06 PM

Sorry I couldn't get to this last night. I've been sick with the swine flu for some weeks and I was wiped out when I got home from work last night. I will be looking at this tonight ;)

#10 haley6412


Posted 12 December 2009 - 02:10 PM

That's ok. I finally was able to log in and have been running everything on my comp. (MBAM, SUPERAntiSpyware, ATF, CCleaner, etc.), but this Vundo thing is ridiculous; I can't seem to get rid of it.

#11 quietman7


Posted 12 December 2009 - 07:59 PM

Please note the message text in blue at the top of this forum.

No one should be using or recommending the use of ComboFix unless instructed to do so by a Malware Removal Expert.

Please read the pinned topics.

Further, ComboFix logs are not permitted to be posted outside the HijackThis Logs and Malware Removal forum, and then only when requested by a HJT Team member. Referrals are made to the HJT forum if we cannot assist you in this forum. As such, I have removed the log from this topic.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#12 Computer Pro


Posted 12 December 2009 - 08:02 PM

Can you please post your Malwarebytes and SAS logs for review?
Computer Pro

#13 haley6412


Posted 12 December 2009 - 11:25 PM

First let me say thanks to everyone who is trying to help, and please forgive me......dilemma #2. I have done the most idiotic thing! Desperately, I thought that if I tried to make the computer boot in safe mode (checked safe boot in msconfig) and run the antivirus programs, it would get rid of it. Well, now it's looping again and won't go into safe mode or normal. I tried doing what I did before, which did get Windows to load, but now that is not working. Is there a way to bypass this or to get to msconfig another way? Any help would be most appreciated.

#14 quietman7


Posted 13 December 2009 - 12:14 AM

Using MSConfig to access (force) safe mode with the /Safe boot option when there is malware on your system could have disastrous results and render your computer unbootable. The Safeboot option modifies the Boot.ini file by adding the /safeboot:minimal argument to your operating system's startup line. Some types of malware can delete or alter the safeboot key in the registry, resulting in the inability to reboot fully into safe mode or back to normal mode. When this occurs, you may be locked in a continuous reboot loop afterwards where you cannot get back to MSConfig and undo your selection until the /safeboot argument is removed from the boot.ini. See Booting into Safe Mode safely.

...If a situation like this has happened to you it is possible to fix this problem by renaming your boot.ini file. The first step would be to use a boot disk to start your computer. If your computer does not have a floppy disk, then you can typically boot off the Windows CD that came with your computer in order to access the Windows Recovery Console...Once booted to a command prompt, you would simply rename your C:\Boot.ini file to another name like C:\Boot.ini.bak. The command to rename the file at the command prompt is:

ren C:\Boot.ini Boot.ini.bak

Once the file is renamed, you can then remove the boot disk and reboot your computer to get back to normal mode. When booting up after the rename, do not be surprised if you see an error stating that you do not have a valid Boot.ini file. When you get back to normal Windows mode, you can then rename C:\Boot.ini.bak to C:\Boot.ini file and run Msconfig again to remove the /safeboot flag...

Problems that can occur by forcing Safe Mode

If you don't have your XP CD you can download a Recovery Console ISO file and burn it as an image to a disk to get a bootable CD which will startup the Recovery Console for troubleshooting and fixing purposes. This is especially useful for those with OEM systems with factory restore partitions or disks but no original installation CD. If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO and Creating A Windows XP Recovery Console CD Image.

Other options to consider:

Edited by quietman7, 13 December 2009 - 12:18 AM.

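The /safeboot switch quietman7 describes sits on the [operating systems] line of boot.ini. As an added example (not from the thread or from BleepingComputer), this Python snippet finds such a forced switch in a constructed XP boot.ini and strips it, which is the same repair as unticking the box in msconfig once Windows is reachable again.

```python
import re

# Constructed sample: an XP boot.ini after msconfig's /SAFEBOOT box was ticked.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /safeboot:minimal
"""

# Matches /safeboot, /safeboot:minimal, /safeboot:network, /safeboot:minimal(alternateshell)
# and the upper-case spelling msconfig writes; the leading \s* swallows the separating space.
SAFEBOOT_RE = re.compile(r"\s*/safeboot(?::\w+(?:\(\w+\))?)?", re.IGNORECASE)


def forced_safeboot_entries(boot_ini):
    """Return the [operating systems] entries that carry a /safeboot switch."""
    hits = []
    in_os = False
    for line in boot_ini.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_os = stripped.lower() == "[operating systems]"
            continue
        if in_os and SAFEBOOT_RE.search(stripped):
            hits.append(stripped)
    return hits


def strip_safeboot(boot_ini):
    """Return boot.ini with every /safeboot switch removed from the OS entries.

    Only the [operating systems] section is touched; [boot loader] and any other
    switches (/fastdetect, /noexecute) are left exactly as they were.
    """
    out = []
    in_os = False
    for line in boot_ini.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_os = stripped.lower() == "[operating systems]"
        elif in_os:
            line = SAFEBOOT_RE.sub("", line)
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    for entry in forced_safeboot_entries(SAMPLE_BOOT_INI):
        print("forced safe boot:", entry)
    print(strip_safeboot(SAMPLE_BOOT_INI))
```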

#15 haley6412


Posted 13 December 2009 - 05:25 PM

I used the recovery console disk, so now everything is okay as far as Windows loading in normal mode; it still cannot load in safe mode. Last night I ran all the antivirus, malware, etc. programs including Avast, which has some files in the chest, but I'm not sure what to do about them. "Internet 2010" is still in quick launch and on the desktop, so I don't think I am clear of this virus just yet. Any help getting rid of this thing would be greatly appreciated. Not going to do anything else without further instructions, as I seem to prolong the situation.


Computer Pro - these are the logs requested (both MBAM and SAS from last night and the day before). Thank you so much for the help.

Malwarebytes' Anti-Malware 1.42
Database version: 3351
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

12/13/2009 2:11:38 AM
mbam-log-2009-12-13 (02-11-38).txt

Scan type: Quick Scan
Objects scanned: 147698
Time elapsed: 8 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Malwarebytes' Anti-Malware 1.42
Database version: 3350
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

12/12/2009 2:35:16 PM
mbam-log-2009-12-12 (14-35-16).txt

Scan type: Quick Scan
Objects scanned: 147834
Time elapsed: 17 minute(s), 15 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
C:\Program Files\InternetSecurity2010\IS2010.exe (Rogue.InternetSecurity2010) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\winhelper86.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lenewahar (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet security 2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\winhelper86.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Program Files\InternetSecurity2010\IS2010.exe (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ketisozi.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\logon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/13/2009 at 02:47 AM

Application Version : 4.25.1012

Core Rules Database Version : 4364
Trace Rules Database Version: 2207

Scan type : Quick Scan
Total Scan Time : 00:23:14

Memory items scanned : 436
Memory threats detected : 0
Registry items scanned : 586
Registry threats detected : 0
File items scanned : 8633
File threats detected : 3

Rogue.Agent/Gen-Nullo[BIN]
C:\WINDOWS\JAWA32VS.BIN

Rogue.Agent/Gen-Nullo[DLL]
C:\WINDOWS\JNNRZ.DLL
C:\WINDOWS\UA000022.DLL


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/12/2009 at 08:46 AM

Application Version : 4.25.1012

Core Rules Database Version : 4359
Trace Rules Database Version: 2154

Scan type : Quick Scan
Total Scan Time : 03:23:50

Memory items scanned : 454
Memory threats detected : 4
Registry items scanned : 594
Registry threats detected : 5
File items scanned : 8648
File threats detected : 10

Adware.Vundo/Variant-EC
C:\WINDOWS\SYSTEM32\KEKUZEVI.DLL
C:\WINDOWS\SYSTEM32\KEKUZEVI.DLL
C:\WINDOWS\SYSTEM32\WEMIPIPO.DLL
C:\WINDOWS\SYSTEM32\WEMIPIPO.DLL
C:\WINDOWS\SYSTEM32\JUKAJEYI.DLL

Adware.Vundo/Variant-Dx
C:\WINDOWS\SYSTEM32\GEHUSEDA.DLL
C:\WINDOWS\SYSTEM32\GEHUSEDA.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{4cbf065e-60dc-49c6-a140-72c6ece3b871}
HKCR\CLSID\{4CBF065E-60DC-49C6-A140-72C6ECE3B871}
HKCR\CLSID\{4cbf065e-60dc-49c6-a140-72c6ece3b871}\InprocServer32
HKCR\CLSID\{4cbf065e-60dc-49c6-a140-72c6ece3b871}\InprocServer32#ThreadingModel
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#roterahan

Trojan.Dropper/Sys-NV
C:\WINDOWS\SYSTEM32\WINHELPER86.DLL
C:\WINDOWS\SYSTEM32\WINHELPER86.DLL

Adware.Vundo/Variant-[Fixed]
C:\WINDOWS\SYSTEM32\GAYUSOMI.DLL
C:\WINDOWS\SYSTEM32\MATIZAVA.DLL
C:\WINDOWS\SYSTEM32\MAZILEVE.DLL

Trojan.Vundo-Variant/Small-GEN
C:\WINDOWS\SYSTEM32\GEBUHOBO.DLL

Adware.Vundo/Variant-WinMM
C:\WINDOWS\SYSTEM32\MAJUBILU.DLL

Edited by haley6412, 13 December 2009 - 05:50 PM.
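The MBAM 1.42 logs above have a regular line format, so the entries worth a helper's attention can be pulled out mechanically. This added Python example (not part of the thread or of Malwarebytes) parses a constructed excerpt in that format and flags two things: items marked "Delete on reboot", which are not actually gone until the machine restarts cleanly, and entries under autostart or policy locations, which are what lets a Vundo/FakeAlert infection come back after a scan.

```python
import re
from collections import defaultdict

# Constructed excerpt in the MBAM 1.42 log format seen in the thread.
SAMPLE_LOG = """Malwarebytes' Anti-Malware 1.42
Database version: 3350

Memory Modules Infected:
C:\\WINDOWS\\SYSTEM32\\winhelper86.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\lenewahar (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\\WINDOWS\\SYSTEM32\\winhelper86.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\\WINDOWS\\SYSTEM32\\ketisozi.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# "<item> (<family>) -> <detail>"; detail may itself contain "Bad: (1) Good: (0) -> <action>".
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<detail>.+)$")


def parse_mbam(log):
    """Map each 'X Infected:' section to a list of (item, family, action) tuples."""
    sections = defaultdict(list)
    current = None
    for line in log.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):          # section header, not the summary counts
            current = line[:-1]
            continue
        m = ENTRY_RE.match(line) if current else None
        if m:
            action = m.group("detail").split(" -> ")[-1]   # keep only the final outcome
            sections[current].append((m.group("item"), m.group("family"), action))
    return dict(sections)


def pending_reboot_items(parsed):
    """Items MBAM could not remove while running; they persist until a clean reboot."""
    return {item for entries in parsed.values()
            for item, _, action in entries if action.startswith("Delete on reboot")}


def persistence_items(parsed):
    """Autostart and policy locations: the entries that make an infection survive a reboot."""
    markers = ("\\CurrentVersion\\Run\\", "\\Policies\\", "ShellServiceObjectDelayLoad")
    return [item for entries in parsed.values() for item, _, _ in entries
            if any(k.lower() in item.lower() for k in markers)]
```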




