Posted 25 February 2011 - 05:25 PM
Yesterday night my dad's computer with Vista got a redirect from a website to a Windows Security Rogue Antivirus. I'm sure you guys know how that works, so I closed out mozilla firefox as fast as I could and disconnected my internet. From their I panicked a bit and ran a windows defender scan and a McAfee security center scan and both came up empty. However, I could tell something was still wrong because his task manager showed three unauthenticated processes: winlogon.exe, csrss(or something like that).exe, and rundll32.exe.
None of these tree processes allowed my to right-click and check properties, instead only giving an option to "run administrative task" or something like that.
My dad's computer only had McAfee and Windows Defender when this happened. However, I kept the computer on all night (because the McAfee scan took that long) and this morning I sucessfully installed an older version of Malewarebytes, which found 7 adware.coupons and deleted them. I still felt like that wasn't it, and the task manager processes hadn't gone away so I read a bunch of stuff about getting rid of rogue anti-viruses online and most things said, including on this site, to run RKill and then Malewarebytes again in safe mode.
At some point while I was in my morning class my dad had restarted his computer in normal mode from safe mode,
and since then McAfee is disabled.
I ended up restarting into safe mode and using RKill and the first time it ran, it disabled some malware process called
So I ran malewarebytes and it still found nothing!
Then I downloaded SuperAntiSpyware from this computer I'm on and transferred it to my dad's computer with a jump drive.
SuperAntiSpyware found 79 adware cookies and 1 trojan, a
I let malewarebytes do its thing but McAfee was still disabled.
I installed and ran Spybot and the it found absolutely nothing! However, as it was scanning I noticed that it actaully
passed some virtumonde.sci and virtumonde.sdn files but did not flag them.
I went online and did my research to find that McAfee online says the winlogon.exe and rundll32.exe can be infected by virtumonde vundo trojans, so I am now at the only conclusion I can possibly have:
That my dad has some sort of Vundo virtumonde on his system.
So I again tried to run RKill, and ran it five times (some guy on another forum said he had to do so before he could anything) yet it found no malicious processes. Getting very ticked off, I went online on my computer and downloaded the most up to date version of
malewarebytes and put it on my dad's computer, as I mentioned the one I gave him that had already been on my computer was out-of-date.
I uninstalled it and tried to reinstall the new one, but now it "installs" really quick, says its finished, and doesn't actually install. I had renamed it to m.exe as some people online mentioned they tried, but it did not help.
So now what do I do? I can no longer install any malware programs I guess, or I just don't know what else to try installing.
And yes, my dad ran a HiJack this log this morning before we ever restarted the computer, and I compared it to an older log he had, and it was exactly the same, it didn't show anything unusual.
Should I go into normal mode and then try to install malewarebytes? Are there other techniques I can try to get rid of this or
even detect it? Also, I don't know if it is a Vundo but can I run a vundofix without first running malewarebytes?
Any help would be appreciated, Thanks