Vundo H removal?

McAfee does not detect Vundo H. Spydoctor and SropZilla do. I need to spend money to use the removal features. I have been searching all night for the best way to remove this Trojan.

I keep reading on the internet that others have tried to remove it with programs, only to have it not be removed.

I don't know what to do. I don't know what to buy, and if I need to, or if it will even work.

Could someone please offer some advice?

 

Welcome to MajorGeeks.com!

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

Read & RUN ME FIRST Before Asking for Support

Also check out this sticky http://forums.majorgeeks.com/showthread.php?t=74267

 

Hi oceans4me,

How are you getting on? Just a note, we don't recommend using VundoFix anymore because it's not adequate to remove the infection. At this time, the only way we've found of removing it is to run the instructions Lev posted you for the READ & RUN ME and then to have one of us check your logs and find the remaining files to remove manually. Let me know if you have any questions.

Thanks.
abri

 

I have been running whatever scans that seem to work on my computer. There were some that I could not get to operate. Nothing I have used so far has found the Vundo H. The Vundo Fix could not find it. I did find a lot of other Mal ware junk, that I did remove. Is it possible that Spyware Doctor was in error in finding it? I am not understanding why nothing else I run does. I tried to upload the only logs I was able to get so far.

Should I keep trying to search? I am not certain why nothing else I run can't find it.

 

Hi oceans4me,

You have some things that were taken care of, so I don't think everything was just a false positive. Can you get Combofix and the MGTools to run? These will be in the cleaning procedures that are specific to your operating system on the same page where you found the instructions to MalwareBytes and SuperAntiSpyware. To get there again, go back to the READ & RUN ME FIRST and scroll down to the bottom of the page and select the instructions for your operating system.

Thanks.
abri

 

The Combofix would not run. It started running, and then I got an error message and it shut down. The MGtools instructions confused me. I will need to ask my son or husband to help with that one....

 

File for MGtools

I was finally able to run MG tools and attaching the file. My computer still is not right. I followed all the instructions, and previously attached my files for SAS and MAM, but they did not find the Vundo H that spyware dr had detected.

I am still getting popups, and I think something is still not right.

This all started when spyware dr found Vundo H, but I did not have the paid version. I know something is wrong with my computer because I keep getting popups, and I was finding that parts of my mcAfee were turned off. That had never happened before.

I will try to run the combofix again. I got an error last time. Does the MG tool logs show anything?

 

Hi oceans4me,

The following will seem like a lot of instructions, but it's only because I'm explaining things so they will hopefully be easier.

1) Your temporary files didn't get deleted by CCleaner. I'm not sure if you ran it and this is very important, so I would like for you to do that now. Go to the CCleaner icon on your desktop (it's a red C with a blue-handled broom in it) and double click on it. This will open the program. Then I would like for you to click on the settings button on the left side, then in the next window, there are a group of buttons starting with settings, cookies, custom. Please click on custom. In the window that opens up, you'll see the possibility to add a folder or add a file. Please add a folder - first the one called C:\WINDOWS\Temp\ and then add the folder C:\Documents and Settings\Ava\Local Settings\Temp\ You will get a warning, just say okay.

After you've added both of these, click on the broom on the left side and you should be back at the default window with the Windows tab as the one on top. Leave everything checked. (If you use your history, you can uncheck it now, but you should change to bookmarks or favorites so you can always delete your history in the future.)

Now click on Start Cleaner in the lower right-hand side of CCleaner. Allow it to run until it's finished. When it's finished, the button "Start Cleaner" will become active again.

Now please go to settings and then custom as you did before. Highlight each of the temp folders you added and remove each one.


2) Next I want you to go to add/remove programs and uninstall Viewpoint Media Player.



3) Once you've finished both of the above, I want you to have you delete a program in your Program Files. Please go to C:\Program Files and look for the folder called Common Files. Open the Common Files folder and look for a folder called iS3. Open the iS3 folder and delete everything that's in it. Then delete the iS3 folder as well.

Now please do the following:

4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select Do a system scan only). In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:


R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

After you click fix, just close hijackthis.

5) Now I want you to rename the following files by adding .zzz to the end. To rename the files, find them in Windows Explorer and then right-click on each file. Select rename and at the end of the name, add .zzz to each one.

C:\WINDOWS\system32\BB09298911.sys ----> BB09298911.sys.zzz
C:\WINDOWS\JYW08.INI ----> JYW08.INI.zzz

After you rename the file, you can just click out in the window somewhere to complete the renaming process. This will make the little box go away. Then check each one to make sure it has the .zzz at the end and not in the middle.

6) Finally, I need to see if the above worked. Please find the file called GetLogs.bat in the MGTools folder under C:\
Double-click on GetLogs.bat and allow it to run to completion. When it's finished, come back here and use the Manage Attachments to attach the new logs which will be called MGlogs.zip. You can find them among the files directly under C:\ (click on the drive, not the + sign).

Let me know how this went?

abri

 

I had my son help me with the instructions. How does this look now?

 

Hi oceans4me,

Your temp files are not getting deleted as they should. Let's see if you can delete some of the manually to begin with, and then I will give you a different cleaner to see if we can get the rest of them.

If your computer is not showing any new problems, I would like for you to delete the two files I had you rename. They are these: (If they won't allow you to delete them, tell me.)

C:\WINDOWS\system32\BB09298911.sys.zzz
C:\WINDOWS\JYW08.INI.zzz


Then go to the following folders and open them and click on the files a few at a time and delete any that you can. If you hit a small group where it won't let you delete them, try those one at a time. Keep going until you've deleted all the files you can.

C:\WINDOWS\Temp\
C:\Documents and Settings\Ava\Local Settings\Temp\


When you finish the above, please do the following:


Download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.


Finally, I need to see if the above worked. Please find the file called GetLogs.bat in the MGTools folder under C:\
Double-click on GetLogs.bat and allow it to run to completion. When it's finished, come back here and use the Manage Attachments to attach the new logs which will be called MGlogs.zip. You can find them among the files directly under C:\ (click on the drive, not the + sign).

Let me know how this went?

abri

 

Ok- my son did this for me today while I was at work. I am attaching the result.

 

Hi oceans4me,

How is your computer working now? There is one last removal tool I will give you along with the final cleanup instructions which will remove all of our tools and logs from your computer.

If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

abri

 

Thank you for all your help. My son just did the last of the instructions, and I will see how things go. The computer seems better than it was. I am hoping that disabling windows messenger helps what I noticed earlier. I went to the internet, and a window came up separately from the browser page that said that the page could not be found...even though I was on the page. Then when I clicked start outlook came up as my default email, although I never use it.

I will check things out now over the next few days and see how it goes.

This has been a great help!!

 

Hi oceans4me,

Does Outlook / Outlook Express always open everytime you click on the Windows Start button?

There is one service which I missed which you can remove. To do this, please Download HijackThis. It will be installed in a folder called HijackThis, usually under Program Files. Double-click on HijackThis.exe to run the program. Select "Run a system scan" Check the below O23 entry for a-squared and after closing all browser windows click fix. Then rerun the scan and see if it's still there.

If it's still there, run HijackThis again, only this time choose "None of the above, just start the program". Then select config, misc tools and look for the box that says Delete an NT service. Copy/paste in a2free and then click on okay. After that just close HijackThis.

O23 - Service: a-squared Free Service (a2free) - Unknown owner - C:\Program Files\a-squared Free\a2service.exe (file missing)

Let me know about the Outlook question and if you're able to fix this a-squared service.

abri

 

No, it does not open when I click start. It just comes up and the left, and then I can click it to open. The problem was that I use outlook express, and sometimes outlook appears although I never use it. When I click on Outlook express it tells me that it is no longer the default. I just did not know why outlook would suddenly appear, and become my default when I never use it.

Should I still do the last directions?

 

Hi oceans4me,

You had a grammar error, but I think what you wanted to say was that when you click on the Start button, one of the programs appearing in the start menu on the left is Outlook which you don't want to use. If you click on Outlook Express that you do want to use, it tells you it's not the default email program. Is that right?

In that case, there should be a setting in Outlook Express' options to make it the default email. This setting is probably under tools and options. See if that keeps Outlook from loading.

If it doesn't, then go to add/remove programs and look for the button to add/remove Windows Components. Click on that and see if both Outlook and Outlook Express are in the list. If so, uncheck Outlook and allow it to be "removed". If you need it again, you can go back the same way and add it back in.

You should run HijackThis to remove that one a-squared service. If you still have the MGTools installed, you don't have to install HijackThis, just go to the MGTools folder and run analyse.exe.

abri

 

Yes, that is what I meant. I will run the program to delete the one a-squared. Thank you very much for all your help!

 

You're welcome!

Let me know if the Outlook problem gets resolved.
Thanks.
abri