Infected still


4 replies to this topic

#1 cfaber1974

Posted 04 February 2010 - 11:12 PM

Hello -

I have been experiencing the vundo virus on my machine with .dll files located in my startup. I had spent several hours running my Avast antivirus to clean up, however the computer has been really slow with no luck in cleaning it up. A friend of mine referred me to combofix and unfortunately I didn't realize I'd be ignored if I ran the program before posting this. So anyway, I did run the combofix and many of the dll files were cleaned up - I think I'm still infected.

When I restarted my computer it had a RUNDLL error? I don't know how to paste the screen shot on here

"Error loading mokejudu.dll the specified module could not be found" then a "ok" button.

and also found this in my startup - (program name - binugeyafo Rundll32.exe "mokejudu.dll",s)

I was wondering if someone would be willing to help me out with cleaning my machine thoroughly - thanks

My apologies for bleeping up the protocol.

Cory


#2 Sashacat

Posted 05 February 2010 - 09:48 AM

Hello, I have a problem with one remaining file from Vundo as well. (One entry left in the Registry for hazikubu.dll)
My post is:
hazikubu.dll (rundll32.exe), How to remove hazikubu.dll ?
http://www.bleepingcomputer.com/forums/t/293472/hazikubudll-rundll32exe/

From the research I've done on the internet, there are many variations of Vundo.

When you run Task Mngr (Ctrl, Alt, Delete), Processes tab, do you see an entry for rundll32.exe ?
If Yes, it's worth looking into further because while Task Mngr shows the "processes" that are running, it does NOT show the command lines.
Process Explorer is a free program that WILL show the command lines.
You can download Process Explorer from: http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx
When you run Process Explorer, click View, Select Columns, and put a checkmark next to "Command Line".
Then you will be able to see the command line for rundll32.exe (you'll see some strange .dll names).
Knowing what you're up against is a lot better than not knowing.

(Note: I made note of all the .dll files, and went to where mine were, C:\Windows\System32, and tried to delete them. A right click on each file, Properties, showed they had the "hidden" attribute, and after I removed the "hidden" attribute, they kept coming back and running again.)

Click Start, Run, type in "msconfig" and hit the Enter key.
Click the Startup tab and look at which items have checkmarks (those items are set to run on boot.)
You can click to remove checkmarks from the items with the strange .dll's to take them OUT of startup.
Hit Apply. When you click OK to close, it will give you a message that changes will take effect on next restart, and you can restart your computer at that time, or later.

SUPERAntiSpyware got rid of several of the Vundo files in my case.
You can download the free version of SUPERAntiSpyware from: http://www.superantispyware.com

a-squared Free 4.5 is another program you can use to get rid of Vundo.
a-squared Free 4.5 can be downloaded from: http://www.emsisoft.com/en/software/free/

Malwarebytes' Anti-Malware is another (free) program to get rid of Vundo. I was unable to install Malwarebytes' Anti-Malware on this laptop, but I have used it in the past and found it effective. It can be downloaded from:
http://www.malwarebytes.org/mbam.php

WinPatrol is another program (free) that will alert you to programs added to your startup, and will ask if it is ok with you for a program to be added to your startup. Get the free version of WinPatrol here: http://www.winpatrol.com/

Initially, my AVG antivirus did not detect anything. After I ran SUPERAntiSpyware (also free) and it removed several of the Vundo files (see my post: http://www.bleepingcomputer.com/forums/topic293472.html), several days later AVG did detect several infected files, all of which were "restore points".

You may want to delete your restore points (mine were useless and I deleted mine, because I was unable to do a System Restore). To delete all restore points, go to Control Panel, System, System Restore tab, put a checkmark in "Turn Off System Restore" and hit Apply.

(After you get all of this fixed, you will probably want to turn System Restore back on. To turn System Restore back on, go to Control Panel, System, System Restore tab, click to take the checkmark out of "Turn Off System Restore" and hit Apply. Then hit OK to close. )

If you don't already have/use CCleaner, it is a good program, and it's free. Take the tour, see what the program does, look at the screen shots. It not only cleans your computer, it also has a Registry tool that will check for/fix registry errors, and it also has an "uninstall programs" tool and a "startup" tool.
The website for CCleaner is: http://www.ccleaner.com/

This site has a list of freeware applications:
http://www.bleepingcomputer.com/forums/t/44690/slow-computer/

And there is good information in this topic:
http://www.bleepingcomputer.com/forums/t/44690/slow-computer/

Hope this helps you, and best of luck to you.
If we don't change the direction we are going,
We are likely to end up where we are headed.

#3 cfaber1974

Posted 06 February 2010 - 10:47 AM

Thanks Sashacat -

I'm going through your advice:

I ran the Process Explorer and found that the rundll32 file was running in my task manager then stopped thus didn't find dll files in the process explorer....but did find them in my start up unchecked.......

vulademu.dll
mokejudu.dll


I'm trying the Superantispyware........I hope it works....

Have you ever received assistance with the combofix tool?

I've never used such forums before, thus not sure if it's usual to wait for help for long periods with no response or if I'm still being ignored because I ran the combofix tool before asking for help. I thought I would save their time given the very well laid out guide and tutorial they have.

Thanks again for your help

Cory

#4 Sashacat

Posted 09 February 2010 - 12:17 PM

Hello. Don't feel like the lone stranger on not getting much help. I checked the post where I asked for help, and it had ZERO replies.
Glad you're giving SUPERAnti-Spyware a try.
It got rid of several infected files on my machine.

Initially I was unable to get Malwarebytes' Antimalware to install (I kept having a "Destination Component" error during the Malwarebytes' install attempt....). After several days of searching, I finally found a post (on the Malwarebytes' forum) that suggested the "Destination Component" error was the result of an HP printer (yes, I have an HP printer), and I tried what the post suggested, which was put the HP printer install cd in, go to the setup folder, and run a certain .msi file, and that resolved my "Destination Component" error issue, and I was FINALLY able to install Malwarebytes' Antimalware.

When I scanned with Malwarebytes', it found several infected files (that SUPERAnti-Spyware did NOT find), and it got rid of them.

I scanned again with SUPERAnti-Spyware and it finally came up "clean" (no infected files found).
Scanned again with Malwarebytes' and it finally came up "clean" also.

AVG found infected restore points on my computer, so I just deleted all my restore points. If you haven't done so already, you will want to do that.

If you don't have CCleaner, get it. It's free. And it does a lot more than just clean out the trash.
It does a good job of cleaning your computer of trash/junk/temp, all that.
CCleaner also has a Registry checking/fixing tool. I've used that, and it found entries leftover in the registry from programs I USED to have, and it got rid of those entries.
CCleaner also has a section called TOOLS, which has 3 different tools:
Uninstall (to uninstall programs)
Startup (you can make use of this one, because it shows you all entries listed in Startup, whether they have a checkmark or not). The two files that you found unchecked listed in your Startup:
vulademu.dll
mokejudu.dll
will be shown there, and you can remove those entries using the Startup tool in CCleaner.
The 3rd tool is a System Restore tool, that allows you to selectively choose restore points to delete. Not knowing WHICH restore points are infected, I think it is better to simply turn OFF System Restore (through Control Panel, System, System Restore tab) and delete ALL Restore Points. I just wanted to let you know that CCleaner WILL allow selective deletion of Restore Points, whereas the Control Panel, System, System Restore does NOT give that option.

So, end result, I do recommend that you run CCleaner (use the cleaner, use the Registry check/fix thing, and remove any entries in your Startup for those infection files, even if they are NOT checked), and do get Malwarebytes', and go turn off your System Restore.

I have not yet found the answer for the one remaining trace left on my computer (the hazikubu*.* entry in my registry that causes the rundll32.exe to run in Task Mngr), and until I do, I'm not going to risk doing something that I will regret. I don't know enough about editing the registry to know whether it is a simple matter of changing the value for that entry, or simply deleting that entry in the registry.

By the way, my personal email is hill5904@bellsouth.net if you want to email me further about this (or other computer issues). I've been helping people with computers since 1996. When I do not know the answer, or am only partially certain about an answer, I will tell the truth. I'm not ashamed to say "I'm not sure, let me go look it up" or "I have NO idea".
If you email me, put something in the subject line of the email that I'll recognize, like HELP in upper case (I read those first), or Cory-cfaber1974 from bleepingcomputer.

I have never run the combofix tool, because of the warnings I read about it.

Are you still getting the error on boot?
"Error loading mokejudu.dll the specified module could not be found" then a "ok" button.

You're very welcome, and I hope this gets better for you.
In view of the fact that I received ZERO replies, I will probably not be on this site very much.

Lisa


P.S. I'm using AVG Anti-Virus Free Edition.
You might want to try that as well.

http://download.cnet.com/AVG-Anti-Virus-Fr...4-10320142.html

http://free.avg.com/us-en/homepage

Edited by Sashacat, 09 February 2010 - 12:21 PM.


#5 boopme

Posted 09 February 2010 - 12:31 PM

Hello, about the wait.. sometimes it happens when your topic has several replies to it that it appears that you are already being helped.
It would help to post your scan logs to see what was here and removed..

Please DO NOT run ComboFix on your own, see the blue text at the top of this forum.

"Error loading mokejudu.dll the specified module could not be found" then a "ok" button

It's not unusual to receive such an error after using specialized fix tools.

A "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.

Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file(s) in the error message.
Right-click on the entry and choose delete.
Reboot your computer and see if the startup error returns.


Are you still having redirects or popups??
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
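
The orphaned startup entry described in the last post (a registry value that still launches a DLL through rundll32.exe after the file was removed) can be located with a read-only PowerShell script. This is an added example, not part of the original posts; it assumes the entry sits in one of the two standard Run keys and that a bare DLL name refers to System32 or the Windows directory.

```powershell
# Added example (not from the thread). Read-only: reports, never deletes.
# Lists Run-key values that start a DLL through rundll32.exe and marks the
# ones whose DLL is gone, i.e. the orphaned entries behind "Error loading ...".

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RundllTarget {
    param([string]$Command)
    # Handles: Rundll32.exe "name.dll",entry  and  rundll32 C:\dir\name.dll,entry
    if ($Command -match '(?i)rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?\s*,') {
        return $Matches[1].Trim()
    }
    return $null
}

function Test-DllPresent {
    param([string]$Dll)
    if ([System.IO.Path]::IsPathRooted($Dll)) {
        return (Test-Path -LiteralPath $Dll)
    }
    # Assumption: a bare file name is looked up in System32, then in the
    # Windows directory; other search-path locations are not checked here.
    $dirs = @((Join-Path $env:SystemRoot 'System32'), $env:SystemRoot)
    foreach ($dir in $dirs) {
        if (Test-Path -LiteralPath (Join-Path $dir $Dll)) { return $true }
    }
    return $false
}

foreach ($keyPath in $runKeys) {
    if (-not (Test-Path -Path $keyPath)) { continue }
    $key = Get-Item -Path $keyPath
    foreach ($name in $key.GetValueNames()) {
        $command = [string]$key.GetValue($name)
        $dll = Get-RundllTarget -Command $command
        if (-not $dll) { continue }            # not a rundll32 startup entry
        $status = 'present'
        if (-not (Test-DllPresent -Dll $dll)) { $status = 'ORPHANED (file missing)' }
        [pscustomobject]@{
            Key     = $keyPath
            Name    = $name
            Command = $command
            Status  = $status
        }
    }
}
```

An entry reported as present still points at a file on disk, so it needs a scan rather than just a registry cleanup; an entry reported as orphaned is the kind Autoruns would show with a missing file.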



