Vundo, Rundll32 and other Malware Problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Danimal33, May 25, 2008.

  1. Danimal33

    Danimal33 Private E-2

    Hello,

    I was recommended to your site by a friend when I started experiencing computer issues. Last week I was having a hard time going on the internet and doing any processes on the computer. My friend has helped me do all the steps in the Run & Read Me file, and now I would like to make sure everything looks good because I have had issues for a while now.

    The "windows update" symbol (it was malware) is finally gone and is not stopping my processes; however, my Norton bar is checked in IE but there is nothing on it anymore, and I am not sure about a couple of things.

    I have attached all the logs for your review. (this and the next post)
    Thank you for any help you can give and for already helping me thus far.
     

    Attached Files:

  2. Danimal33

    Danimal33 Private E-2

    Next Logs
     

    Attached Files:

  3. abri

    abri MajorGeek

    Hi Danimal33,
    Welcome to Major Geeks!


    You still have quite a bit of malware on your computer. Please use your computer as little as possible and avoid unnecessary reboots until one of us can look through your logs and post a set of instructions to you. This takes some time, so thanks for being patient.

    abri
     
  4. abri

    abri MajorGeek

    Hi Danimal33,

    Please do the following:



    1) Please go to Start / Run and type in msconfig. In the window that opens up, put a checkmark next to normal system start, click on accept and okay.

    2) Install the current version of Sun Java from: Sun Java Runtime Environment

    3) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    4) Run C:\MGtools\analyse.exe by double-clicking on it. This is really HijackThis (Note: if using Vista, don't double-click; use right-click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: (no name) - {13CE19F2-39A3-45D2-B362-69044CC4FE6B} - C:\WINDOWS\system32\urqOGxwW.dll (file missing)
    O2 - BHO: {f4bf6a7a-ec73-921a-b214-2e8bcee9a1ef} - {fe1a9eec-b8e2-412b-a129-37cea7a6fb4f} - C:\WINDOWS\system32\kxvbglei.dll (file missing)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


    Do you need for the following programs to load at startup? If not, please fix them as well.

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    After you click Fix, just close HijackThis.



    5) Download and install Erunt. Use it to create a backup of your registry.

    6) Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "All Files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    7) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt



    8) Now run CCleaner at the default setting with the Windows tab as the top one.

    9) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger or Combofix log, whichever we used.


    Let me know how things are running now.

    abri
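
    The HijackThis entries abri asks to checkmark above are the classic Vundo signature: O2/O3 registrations whose CLSIDs point at DLLs in System32 that no longer exist, with pseudo-random 8-letter names. The following is an added example (my code, not from the original post or from the HijackThis project) that triages a pasted HijackThis log the same way: it parses O2/O3/O4 lines, marks orphaned entries and unnamed random-named System32 DLLs as "fix", keeps legitimately named toolbars, and leaves startup items for the user to review. The sample log is constructed from the lines quoted in this thread (including the Norton toolbar line posted later); the 8-letter-name heuristic is an assumption, not a HijackThis rule.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the HijackThis lines quoted in the thread (the three
# orphaned Vundo entries, the QuickTime/Adobe/Google startup items and the
# legitimate Norton toolbar), so the triage has entries to flag and to keep.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {13CE19F2-39A3-45D2-B362-69044CC4FE6B} - C:\WINDOWS\system32\urqOGxwW.dll (file missing)
O2 - BHO: {f4bf6a7a-ec73-921a-b214-2e8bcee9a1ef} - {fe1a9eec-b8e2-412b-a129-37cea7a6fb4f} - C:\WINDOWS\system32\kxvbglei.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
BHO_OR_TOOLBAR = re.compile(
    rf"^(?P<section>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>{GUID}) - (?P<path>.*)$"
)
RUN_KEY = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ORPHAN_SUFFIX = re.compile(r"\s*\((?:file missing|no file)\)$")


@dataclass
class Finding:
    section: str          # O2 (BHO), O3 (toolbar) or O4 (Run key)
    name: str             # display name; "(no name)" or a GUID for the Vundo entries
    where: str            # CLSID for O2/O3, registry hive for O4
    target: str           # DLL path or startup command line
    reasons: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.reasons:
            return "fix"
        return "review" if self.section == "O4" else "keep"


def _random_stem(path: str) -> bool:
    # Assumption (heuristic): Vundo drops its DLLs into System32 under 8-letter
    # pseudo-random names, as in urqOGxwW.dll and kxvbglei.dll above.
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return re.fullmatch(r"[A-Za-z]{8}", stem) is not None


def classify(line: str):
    """Turn one HijackThis line into a Finding, or None for sections not handled."""
    m = BHO_OR_TOOLBAR.match(line)
    if m:
        name, raw_path = m["name"], m["path"].strip()
        finding = Finding(m["section"], name, m["clsid"], raw_path)
        file_path = ORPHAN_SUFFIX.sub("", raw_path)
        if file_path != raw_path:
            finding.reasons.append("registry entry points at a file that is not on disk")
        unnamed = name == "(no name)" or re.fullmatch(GUID, name) is not None
        if unnamed and "\\system32\\" in file_path.lower() and _random_stem(file_path):
            finding.reasons.append("unnamed System32 DLL with a random 8-letter name (Vundo pattern)")
        return finding
    m = RUN_KEY.match(line)
    if m:
        # Startup items are left for the user to decide, as abri does above.
        return Finding("O4", m["name"], m["hive"], m["cmd"])
    return None


def triage(log_text: str) -> list:
    return [f for f in (classify(ln.strip()) for ln in log_text.splitlines()) if f is not None]


def fix_list(log_text: str) -> list:
    """Entries to checkmark in HijackThis before pressing Fix."""
    return [f for f in triage(log_text) if f.verdict == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:6} {f.section} {f.name:45} {f.target}")
        for reason in f.reasons:
            print(f"          - {reason}")
```

    Run on the sample, the three entries abri lists come back as "fix" (the two Vundo BHOs for both reasons, the orphan toolbar for the missing file), the Norton toolbar as "keep", and the three O4 startup items as "review", which matches the post: the user decides whether QuickTime, Adobe and the Google notifier need to load at boot.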
     
  5. Danimal33

    Danimal33 Private E-2

    Hi Abri, after using Avenger, when the reboot started I got a window on startup that said:

    Windows - No Disk

    Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean. Are you still having any malware problems?
     
  7. Danimal33

    Danimal33 Private E-2

    Hi, things seem to be OK but I still have a few glitches.
    1. When I go on the internet in IE, in the menu and links bar I am supposed to have a Norton bar that is for phishing and has my identity login and my identity passwords to get on my websites. I right-click in the toolbar area and click on Show Norton Toolbar, but when I click on it, the area it is supposed to be in is just blank. Phishing does not work even though it is clicked to the On position in Norton. I can't sign in to my password-protected sites.

    How can I get this back on? Norton is keeping all my passwords stored but will not respond when on any password-type websites.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry, but issues with Norton's toolbars are not topics for this forum. This is a software issue. You could try reinstalling it or checking for options within the program to make sure it is not disabled. Also make sure you do not have it disabled in IE or in Manage Add-ons. I did see the below in your HijackThis log:

    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll

    I assume this is the feature you are referring to.
     
  9. Danimal33

    Danimal33 Private E-2

    Hi, I had trouble getting on this site last night but it's all good now. For the question about the Norton toolbar, that is the one I am talking about. In Manage Add-ons it is set to Enabled, so I don't know why it is not working.

    2. I also have been having problems with my computer rebooting itself for no reason. It has happened about 4 times in the last couple of days, and it woke me up this morning at 4:30 am when my computer came out of standby mode, turned on and rebooted itself.

    3. Also, the shutdown mode for my computer, which is set to shut down automatically, doesn't seem to work at all. My shutdown settings: when I am on the desktop I right-click the desktop, then Properties, and under the Screensaver tab I have None selected for the screensaver; then, under the Power button in that same Screensaver tab, I click on the Power Settings button.
    (a.) On that screen the power scheme is set to Always On.
    Power scheme settings are:
    (b.) Turn off monitor is set to turn off in 10 minutes.
    (c.) Turn off hard disks is set to Never.
    (d.) System standby is set to turn off at 25 minutes.
    (e.) System hibernate is set to hibernate at 2 hours.

    When I let my computer just sit to let it shut down on its own, the monitor will turn off in the 10-minute time period, which it does, but it will never go into standby mode and will not hibernate. Neither of those functions seems to work; they have only worked a couple of times, and that was last week. I just started using the power mode a couple of months ago for the first time, and only the monitor would turn off; everything else stayed on. Like I said, it worked a couple of times, but now it will not shut down properly.
    The only way that it goes into standby mode is if I click the Start menu and manually click standby mode, which then shuts it down, and then it will go into hibernation.

    How can I get those settings to work for me so I can just leave my computer alone and it will take care of itself on shutdown, and not reboot by itself for no reason?

    Thank you so far for everything and all your help. Everything else has been working pretty well so far except those couple of glitches I have here.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm sorry, but none of these issues are malware related. I suggest that you uninstall Norton and then run the below at least two times with a reboot in between.

    Norton Removal Tool (SymNRT)

    Then afterwards and before reinstalling Norton, see if there is any impact to your other issues. If not, then reinstall Norton and see if your toolbar issues are resolved. Then post your other issues in the Software or Hardware Forum.
     
  11. Danimal33

    Danimal33 Private E-2

    So far everything seems to be running great; the help you gave me was just the best. I would like to thank chaslang and abri for all their help. Keep up the good work, and thanks again.


    Danimal33
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Notes: The space between the cf" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    9. Go to add/remove programs and uninstall HijackThis.
    10. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    11. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    12. After doing the above, you should work thru the below link:
     
  13. Danimal33

    Danimal33 Private E-2

    Hi, sorry I haven't gotten back to you sooner; I was on vacation.
    Do I have to uninstall these programs? I would like to keep them on my computer in case I need them for anything in the future.

    Thank you again Danimal33
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you should follow the instructions as given since the tools change all the time. ComboFix, Avenger, and MGtools will become outdated quickly. You always need to redownload and use the current versions that are given in the links in the READ ME. As far as SUPERAntispyware is concerned, you can keep it if you wish. Just keep it up to date.
     
  15. Danimal33

    Danimal33 Private E-2

    Hi there, I have uninstalled the items suggested, such as Avenger and HijackThis. I cannot get ComboFix to delete through the Start > Run way that you explained. When I put "%userprofile%\Desktop\cf" /u in the Run box, it says Windows cannot find C:/Documents and settings/HP_Administrator/Desktop/cf. I did create ComboFix on my desktop, so where do I go from here to get rid of ComboFix? Also, do I need to get rid of Erunt? I did see an Erunt Registry entry in my Add or Remove Programs; do I remove that also?

    Thank you Danimal33
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on your previous logs, the reason you cannot run the uninstall is because you never renamed combofix.exe as requested in the initial instructions. You still had it named combofix.exe. As stated in my final instructions:
    So instead of using this: "%userprofile%\Desktop\cf" /u
    You need to use this: "%userprofile%\Desktop\combofix" /u


    You can decide for yourself if you wish to keep Erunt as a registry backup tool.
     
  17. Danimal33

    Danimal33 Private E-2

    Hi chaslang, that worked just great and uninstalled ComboFix, and it also answered my next question about Erunt. That seems to answer everything; unless there is something else I need to do, just let me know.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As long as you have finished all of those final instructions then you are good to go. ;)
     
  19. Danimal33

    Danimal33 Private E-2

    Yes, I did everything and it seems great. I did run Malwarebytes yesterday and it did find a Vundo, which I removed. Did you need a log for that? If not, and you think everything seems right after completing the steps you gave me, I am good with everything and it seems to work pretty well. I can't express enough how great you guys were in helping me, and I have told a few friends about your site, who are now hooked.

    Thanks Major Geeks and Chaslang
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Yes I would like to see what it found.
     
  21. Danimal33

    Danimal33 Private E-2

    Here is the log. Also, since I have uninstalled all the programs successfully, my computer is rebooting itself any time it wants, whether I am in a program or on the internet. Do you know why that is happening?

    Thank You Danimal33
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What Malwarebytes found was implied to be Vundo, but I'm not sure if that was correct. Either way it was nothing major.

    I'm not sure why this would happen now. It should not be related to uninstalling anything. I assume you mean the uninstall of SUPERAntispyware, ComboFix, HijackThis and MGtools??

    Have you looked at your Event log to see if there is anything being mentioned as the cause of the reboots? Are you seeing any error messages?

    Do the following:
    Click Start -> Run
    type eventvwr.msc
    Click 'OK'

    Click System, scroll down the page, and look for an error around the time the PC rebooted.

    Right-click on the error and select 'Properties'. I need to know exactly what is in the Description Field. Word for Word.

    Also on the top menu select Action, Save Log As and save the log file. Attach the log here.
     
  23. Danimal33

    Danimal33 Private E-2

    I uninstalled all the ones listed except SUPERAntiSpyware, because I am going to purchase that program; the other programs are gone.

    As for the Start > Run procedure, it says under the properties:
    Date: 06-20-08
    Source: Service control manager
    Time: 12:53pm
    Type: Error
    Event ID:7206

    The following boot-start or system-start driver(s) failed to load:
    ftsata2
    for more info go to http://go.microsoft.com/fwlink/events.asp.
    I am not sure if that letter is a G or a Q in the web address.
    When I clicked on the link this is what it gave me below.


    Details
    Product: Windows Operating System
    ID: 7026
    Source: Service Control Manager
    Version: 5.0
    Component: System Event Log
    Symbolic Name: EVENT_BOOT_SYSTEM_DRIVERS_FAILED
    Message: The following boot-start or system-start driver(s) failed to load: %1

    Explanation
    The specified drivers did not load correctly. The driver might not be in the expected location.


    User Action
    Do all of the following:

    Verify that the drivers are configured correctly.
    Verify that the computer is running the most current version of the drivers.



    Version: 5.2
    Symbolic Name: EVENT_BOOT_SYSTEM_DRIVERS_FAILED
    Message: The following boot-start or system-start driver(s) failed to load: %1

    Explanation
    The specified drivers did not load correctly. The driver might not be in the expected location.


    User Action
    Do all of the following:

    Verify that the drivers are configured correctly.
    Verify that the computer is running the most current version of the drivers.


    Currently there are no Microsoft Knowledge Base articles available for this specific error or event message. For information about other support options you can use to find answers online, see http://support.microsoft.com/default.aspx.

    There were also 3 other errors at that same time of 12:53pm.
    Event ID: 7203
    The IPSEC Services service terminated with the following error:
    The authentication service is unknown. That also had the same Microsoft web link.

    Event ID: 7000
    The MCSTRM service failed to start due to the following error:
    the system cannot find the file specified.

    Event ID: 7000
    The Nsynas32 service failed to start due to the following error:
    the system cannot find the file specified.
     
  24. Danimal33

    Danimal33 Private E-2

    Hi, I tried to send the log but it tells me it exceeds 250 KB, and the log is 400-something KB.

    Also, it is saving the log as an *.evt file, but I also made it as text too.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can compress the log into a ZIP file so it can be attached, but it looks like I will be sending you to the Hardware Forum. These are issues with drivers for your hardware. You should start by checking to see if the files mentioned in the error messages are actually on your PC. For one example, the ftsata2.sys file should be in your C:\windows\system32\drivers folder. But you can also search your PC to see if it exists anywhere.

    I also suggest that you try this. Click Start, Run, and enter sfc /scannow and click OK. There is a space after the sfc. If this finds any problems that it can not easily fix from files on your hard disk, it will ask for your Windows CD so have it ready.
     
    Last edited: Jun 20, 2008
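
    chaslang's advice above comes down to two checks: read the Service Control Manager errors out of the System log, and verify on disk that every driver named in a 7026 event actually exists under System32\drivers. The following is an added example (my code, not from the thread) that performs those checks over event text in the form it was pasted into the post rather than over a live event log: it extracts the driver names from Event ID 7026 and the service names from Event ID 7000, then tests for <name>.sys in a drivers directory. The sample events are constructed from the IDs and messages in the post (an informational 7036 entry is added so the filter has something to skip), and the temporary directory is a stand-in for C:\WINDOWS\system32\drivers; on the real XP box you would point it at that folder.

```python
import os
import re
import tempfile

# Constructed sample of System-log entries in the form they were posted above
# (IDs and names from the post; an informational 7036 is added to show that
# unrelated events are ignored).
SAMPLE_EVENTS = """\
Event ID: 7026 Source: Service Control Manager Type: Error
The following boot-start or system-start driver(s) failed to load:
ftsata2
Event ID: 7036 Source: Service Control Manager Type: Information
The Print Spooler service entered the running state.
Event ID: 7000 Source: Service Control Manager Type: Error
The MCSTRM service failed to start due to the following error:
The system cannot find the file specified.
Event ID: 7000 Source: Service Control Manager Type: Error
The Nsynas32 service failed to start due to the following error:
The system cannot find the file specified.
"""

EVENT_HEADER = re.compile(r"^Event ID:\s*(?P<id>\d+)")
DRIVERS_FAILED = re.compile(r"driver\(s\) failed to load:\s*$")
SERVICE_FAILED = re.compile(r"^The (?P<svc>.+?) service failed to start due to the following error:\s*$")


def parse_events(text: str) -> list:
    """Split pasted event text into {'id': int, 'body': [lines]} records."""
    events, current = [], None
    for line in text.splitlines():
        m = EVENT_HEADER.match(line)
        if m:
            current = {"id": int(m["id"]), "body": []}
            events.append(current)
        elif current is not None and line.strip():
            current["body"].append(line.strip())
    return events


def failed_drivers(events: list) -> list:
    """Driver names listed in EVENT_BOOT_SYSTEM_DRIVERS_FAILED (7026) events."""
    names = []
    for ev in events:
        if ev["id"] != 7026:
            continue
        for i, line in enumerate(ev["body"]):
            if DRIVERS_FAILED.search(line):
                names.extend(ev["body"][i + 1:])   # one driver name per following line
                break
    return names


def failed_services(events: list) -> list:
    """(service, error) pairs from 'service failed to start' (7000) events."""
    found = []
    for ev in events:
        if ev["id"] != 7000 or not ev["body"]:
            continue
        m = SERVICE_FAILED.match(ev["body"][0])
        if m:
            error = ev["body"][1] if len(ev["body"]) > 1 else ""
            found.append((m["svc"], error))
    return found


def check_drivers(names: list, drivers_dir: str) -> dict:
    """Map each driver name to whether <name>.sys exists in drivers_dir."""
    return {n: os.path.isfile(os.path.join(drivers_dir, n + ".sys")) for n in names}


def fake_drivers_dir(present: list) -> str:
    """Constructed stand-in for %SystemRoot%\\System32\\drivers holding empty .sys stubs."""
    d = tempfile.mkdtemp(prefix="drivers_")
    for n in present:
        open(os.path.join(d, n + ".sys"), "w").close()
    return d


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    drivers_dir = (os.path.join(os.environ["SystemRoot"], "System32", "drivers")
                   if os.name == "nt" else fake_drivers_dir([]))
    for name, ok in check_drivers(failed_drivers(events), drivers_dir).items():
        print(f"driver  {name:12} {'present' if ok else 'MISSING'} in {drivers_dir}")
    for svc, err in failed_services(events):
        # A service's binary path is the ImagePath value under
        # HKLM\SYSTEM\CurrentControlSet\Services\<svc>; a 7000 "cannot find the
        # file" normally means that path no longer exists on disk.
        print(f"service {svc:12} failed to start: {err}")
```

    For the services (MCSTRM, Nsynas32) there is no file name in the event itself, so the script only reports them; the next step is the ImagePath value for each service in the registry, which is where the "file not found" comes from. A missing driver or service binary with its registration still present is exactly what removal tools and manual deletions leave behind, which is why chaslang sends this to the hardware forum rather than treating it as malware.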
  26. Danimal33

    Danimal33 Private E-2

    Hi there, well here is the log.
    I don't have a Windows CD; I have Windows XP Media Center and it came with no CD of that sort.

    I checked the ftsata2.sys and it is not in the C:\windows\system32\drivers folder.

    I guess my next stop is the hardware section in the forum.
     

    Attached Files:

  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to get one! Did you try running sfc? You don't need it just to run sfc. The disk will only be requested if it cannot find a way to repair any problems (if any are found) using existing files on your hard disk.

    Did you try a Windows search to see if the file was anywhere else on your hard disk?

    Yes, that is where you should be going. Based on your event log, which only goes back to 05-20-2008, you have had problems loading these drivers and others well before you came here to the Malware Forum. The log shows many problems with acquiring an IP address from your DHCP server too, which would account for your statement about getting on the internet in your 1st message.
     
  28. Danimal33

    Danimal33 Private E-2

    Hi chaslang,
    Hey, thank you very much for all your help with the malware issues. Everything is running well on the antivirus stuff. Great job.
    Well, it looks like I need to go to the hardware forum. You said that you would send me over to the hardware section with the problems that I am having now. Do you have someone in mind who will help me?
    I did post a thread in the forum earlier today but got no replies as of yet.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    No one in particular. Just anyone who may have information about this.


    We need to do our final steps in this forum.
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Notes: The space between the cf" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    9. Go to add/remove programs and uninstall HijackThis.
    10. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    11. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    12. After doing the above, you should work thru the below link:
     
  30. Danimal33

    Danimal33 Private E-2

    Hi there, I uninstalled everything except SUPERAntiSpyware because I purchased that one. I also kept Malwarebytes and Search & Destroy and added AVG Antivirus. I did some more scans today and Malwarebytes found 1 item and S&D found 2; I removed the one file but kept the other, which was a Microsoft Windows Security Center antivirus override. Plus, S&D found quite a few other things when I went into the recovery part of S&D. I attached some logs of those scans I did today.
     

    Attached Files:

  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All SAS found was cookies, which are not problems. That is why our procedure asks you to uncheck the option in SAS to report on cookies. Malwarebytes is incorrect about Autoexec.bat being a problem. It just is not a file normally seen on Windows XP, but there is nothing wrong with having one. I even have one on this PC that I am working on right now. When the PC boots up, autoexec.bat is run and configures some settings for me. It would be more important to know what was in the file.
     
  32. Danimal33

    Danimal33 Private E-2

    Thanks for the info on the autoexec.bat. I no longer have that file; I did a search and it found it on the D drive and says it's an MS-DOS batch file. When I click on the file it gives a warning that D:\autoexec.bat is not a valid Win32 application. That's about all I can give you on that one.
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Load the Autoexec.bat file into notepad so you can see what is in the file. Then post that into here. Or alternatively you can put the file into a ZIP file and attach the ZIP file.
     
  34. Danimal33

    Danimal33 Private E-2

    I got the file and put it in Notepad, and there is nothing in the file; it shows 0 KB. It is blank.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is just a typical default seen in the root folder of a hard disk drive where Windows XP is installed. It is not a problem.
     
