Laptop: Vundo.variant won't delete, logs attached

Discussion in 'Malware Help (A Specialist Will Reply)' started by AngelsWilliam, Jan 8, 2009.

  1. AngelsWilliam

    AngelsWilliam Private First Class

    Hello, again. Here's what's happening:

    SAS found 3 instances of a Vundo.variant in something called URLSearchHooks.

    Whenever any attempt is made, including by SAS, to get rid of these URLSearchHooks, a message comes up saying "Webshots has detected another program attempting to change your default search page. Would you like to continue with this change or leave your search page as is?" (Might not be exact quote, but exact idea.) It then gives yes or no buttons. Now, about a week ago when I was browsing to download my daily allotment of 5 free photos at webshots, I came across one that was just this ugly, blurry--maybe horizonish sorta thing that wasn't even wallpaper shape, and it definitely didn't fit its label. To me, that was a pretty obvious sign that someone had hijacked the site with nasties, so I immediately contacted webshots, then ran all the scans, etc., on my computer. They came up clean at the time. But, now, here we are. And...call me crazy, but I don't think uninstalling webshots is going to do the trick.

    Anyway, other symptoms are my wireless signal occasionally bouncing down to poor from excellent while in the same position, me getting messages that a new wireless network has been found and it giving me the laptop's regular IP address on our home network...without me rebooting my laptop or the hub--all things I saw in my last laptop when it lost its life to vundo. I'd really rather that didn't happen again--especially because this one isn't entirely paid for, yet....

    So attaching the 1st 3 logs to this one (it appears I managed to get rid of one of the occurrences of vundo) and the last to the next message. Thanks so much!
    :cry HAAALP!
     

    Attached Files:

  2. AngelsWilliam

    AngelsWilliam Private First Class

    Re: Vundo.variant that won't delete (last log)

    Here's the MGTools log. Thanks, again!
     

    Attached Files:

  3. AngelsWilliam

    AngelsWilliam Private First Class

    Re: Laptop w/Startup Issues (Logs Attached)

    Hi, there. I'm having issues, again, this time with a specific malware (Vundo). I already posted the info, but I mistakenly replied to the entire thread instead of to you. Here is the link to the first message:

    http://forums.majorgeeks.com/showpost.php?p=1266980&postcount=6
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, uninstall your current versions of SAS & MBAM. Once uninstalled, reboot and download the new updated programs below. Once downloaded, install, update and run full scans with both. Attach the new logs once complete.

    Also, download the newest version of ComboFix & MGTools below and once complete with the two scans above, run this once more as well.

    Your next post should contain new logs from MBAM, SAS, ComboFix and MGTools.

    MGTools.exe

    ComboFix

    Malwarebytes Anti-Malware 1.33

    SUPERAntiSpyware 4.25.0.1008
     
  5. AngelsWilliam

    AngelsWilliam Private First Class

    Okay, thank you. On my laptop right now, so getting it started on this. As soon as I've got it started here, I'll turn on my desktop and start on that, too.

    Sorry I was such a pest earlier. My dad's been pestering me, too. "Have you heard from the geeks, yet?" over...and over...and over. And, I had no idea that was what bumping meant.

    Thanks for your assistance. Be back soon with attachments. Probably from the desktop first, as that is the machine I need for work...but I will do the un- and re-installs and run the scans on this in the meantime. *hugs*
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Not a problem, just post the logs once completed.
     
  7. AngelsWilliam

    AngelsWilliam Private First Class

    Well, of course, the laptop's scans are done first. DOH! I had just gotten into bed when I replied to your message, so...I couldn't expect to be 100%. :-o

    ComboFix already had another update when it ran, but it downloaded the update successfully and restarted, unlike all the other times the old versions told me they'd detected an update, so...bonus!

    I included my flash drive in the scans because I believe both machines got infected because I moved a document from my laptop to my desktop on the flash drive...so, it's probably infected, too.

    Oh, and I followed all the "how to protect yourself from malware" steps both before and after each time I've come to you guys for help, but the one thing I've never been able to get my machines to do is create another user on the computer without being unable to access the Administrator account...so I end up having to bestow the user account with administrative access, and then the Administrator account doesn't have any. If you could help me with that step after we're done with all this, that would be great, too.

    Anyway, I'm attaching the SAS, MBAM, and CF logs to this post, and will reply with the MGT log after. Thankies!
    :wave
     

    Attached Files:

  8. AngelsWilliam

    AngelsWilliam Private First Class

    Oh, another thing: the Vundo.variant isn't showing up in the SAS scan anymore, but my Internet connection is doing the same thing it did when my last laptop was infected with a vundo infection...just a few days before it died completely: the wireless card is registering an "excellent" connection, but the Windows network connection is only registering "low."

    The next thing to happen--at least, it was last time--will be the death of my antivirus and firewall programs, depending on which it decides to attack first. Wait. I have WinPatrol on this, and it didn't start when the computer started. ETA: I had set WinPatrol not to start when Windows started just in case ComboFix restarted the computer. DOH!

    THERE we go. It's started. CRAP. :cry
     

    Attached Files:

    Last edited: Jan 16, 2009
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Pre-Instructions:
    1. First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.
    2. Print out these instructions or save them to a text file so that you can operate with All Browser Windows CLOSED.

    Step 1:
    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Step 2:
    Default Security Settings

    To Default Security Settings:
    For Internet Explorer 6 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up navigate to the Security Tab and click Default Level for the following:
    • Internet
    • Local Intranet
    • Trusted Sites
    • Restricted Sites.
    Click OK to exit.

    For Internet Explorer 7 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up, navigate to the Security Tab and simply click the "Reset all zones to default level" button. Click OK to exit.

    NOTE: If it's "grey" then it's already at the default level.
    Step 3:
    Please download ATF-Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF-Cleaner menu to close the program.

    Step 4:
    Finally, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  10. AngelsWilliam

    AngelsWilliam Private First Class

    Logs are attached. A couple of things I should probably mention:

    1. CF restarted the computer, so Avast and WinPatrol came on before it finished. As soon as I got back in the room (not long after it happened, as I only left for about 5 mins) and saw this, I disabled Avast's background protection and exited WinPatrol's monitor.

    2. WinPatrol continues to tell me there is something trying to change my host file. This has been a consistent issue with my laptop. Online Armor used to warn me, too--usually at the end of the Spybot S&D immunization process...and that's an entirely different story...where the hosts file always has 8000-10000 unprotected by the end of the immunization scan. When I click the immunization button, everything goes fine until it gets down to the hosts. It takes care of them, then I start getting Online Armor popups for a bunch of obviously bad sites asking if it's okay to let my host file be changed to have them be redirected to 127.0.0.1. Whether I block or allow, this happens every time. Now that I have WinPatrol, I am getting asked about changes to my host file quite often--sometimes when I have no idea what I did to cause it.

    Anyway, logs are attached.

    ....Computers are our friends...right? rolleyes
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You didn't attach anything?
     
  12. AngelsWilliam

    AngelsWilliam Private First Class

    Well, when I posted that reply this morning, I had, and they showed. I don't know what happened to them in the interim.

    Anyway, I am at my workstation right now and will not have access to my laptop until, at the earliest, 5:00 a.m. EST or, at the latest, 6:00 a.m. We are very backlogged at present. I usually stop at 5:00 because I don't take a break, but my shift officially ends at 6:00, so if we're backlogged I'll stay until then. After that, though, I start to drowse off, which endangers the patients' safety because of accuracy concerns, so I stop taking reports.

    Anyway, I can't attempt to reply with the logs again until then. I am told that I will get bumped if I don't, but I hope this info will prevent that from happening.:banghead
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just attach them when you can.:)
     
  14. AngelsWilliam

    AngelsWilliam Private First Class

    Wow. I really conked out. I'm glad you were willing to be patient. I was really kicking myself all the way here.

    Okay, let's try this again....

    Thank you, sweetie!:wave
     

    Attached Files:

  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Step 1:
    Now we need to run ComboFix once more to remove some leftovers.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Step 2:
    Finally, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  16. AngelsWilliam

    AngelsWilliam Private First Class

    Logs are attached. And, I should note:

    At the end of this fix, I got the note I used to get at the end of every "Immunize" in Spybot S&D regarding the attempt to take all the host files SSD had redirected from 127.0.0.1 and turn them right back around to 127.0.0.1

    So...something got aggravated instead of fixed.:cry I hate this.... I want to throttle this malware's creator.
     

    Attached Files:
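The hosts-file alerts described in posts 10 and 16 (WinPatrol asking about changes to the hosts file, and Spybot S&D's immunization adding 127.0.0.1 entries) are something a defender can check directly rather than only react to. The script below is an added example and is not part of the thread or of any tool named in it (WinPatrol, Spybot S&D, ComboFix, MGTools). It parses a constructed sample of a Windows hosts file, separates blocklist-style entries (names sent to 127.0.0.1 or 0.0.0.0, which is what an immunizer writes) from entries that send a name to some other address (the pattern that warrants review, since a hijacked search page or a blocked update server looks exactly like that), and computes a fingerprint so a later run can tell whether the file changed. All hostnames and addresses in the sample are constructed; on a real system the file is at %SystemRoot%\System32\drivers\etc\hosts and would be read from disk instead of from the string.

```python
"""Audit a Windows hosts file: blocklist entries versus suspicious redirects.

Added example; not from the MajorGeeks thread or from any tool it mentions.
Assumptions: the file uses the standard "IP hostname [hostname ...] # comment"
layout; names pointed at 127.0.0.1 / 0.0.0.0 / ::1 are treated as
blocklist-style entries, and names pointed anywhere else are reported as
redirects for review.
"""
import hashlib
import ipaddress
from collections import Counter

# Addresses that only ever send a name back to the local machine.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately resolve to the local host in a default hosts file.
SELF_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample hosts file (not a real capture): default header lines,
# a few immunizer-style blocks, and two entries that send names elsewhere.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# Start of entries inserted by an immunizer (constructed)
127.0.0.1  bad-ads.example
127.0.0.1  tracker.example  www.tracker.example
0.0.0.0    malware-host.example
# Entries a practitioner would want flagged (constructed)
198.51.100.7  update.antivirus-vendor.example
198.51.100.7  www.search-engine.example   # search page hijack
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for each non-comment, non-blank line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed: an address with no hostname
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an IP address; skip the line
        yield line_no, parts[0], parts[1:]


def audit_hosts(text):
    """Classify every hostname into 'self', 'blocked' or 'redirect'."""
    report = {"self": [], "blocked": [], "redirect": []}
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if name.lower() in SELF_NAMES:
                report["self"].append((line_no, name, ip))
            elif ip in LOCAL_SINKS:
                report["blocked"].append((line_no, name, ip))
            else:
                report["redirect"].append((line_no, name, ip))
    return report


def hosts_fingerprint(text):
    """SHA-256 of the content, normalized so CRLF/LF differences do not count."""
    normalized = "\n".join(line.rstrip() for line in text.splitlines())
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def redirect_targets(report):
    """Count how many names each non-local address collects; a single address
    absorbing many unrelated names is the first thing to look at."""
    return Counter(ip for _, _, ip in report["redirect"])


if __name__ == "__main__":
    rep = audit_hosts(SAMPLE_HOSTS)
    print(f"fingerprint: {hosts_fingerprint(SAMPLE_HOSTS)}")
    print(f"{len(rep['blocked'])} blocklist-style entries, "
          f"{len(rep['redirect'])} redirects to non-local addresses")
    for line_no, name, ip in rep["redirect"]:
        print(f"  line {line_no}: {name} -> {ip}")
    for ip, count in redirect_targets(rep).items():
        print(f"  {ip} collects {count} name(s)")
```

Storing the fingerprint after a known-good cleanup and comparing it on each later run gives the same signal WinPatrol raises, but on demand and with the exact lines that differ available for inspection; the redirect list is what to read first, since immunization entries only ever point at the local sinks.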

  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs are clean! Are you currently having any malware issues?
     
  18. AngelsWilliam

    AngelsWilliam Private First Class

    I don't seem to be, now. Thanks, hon!

    One more thing: Where do I go in these forums for assistance with creating other user accounts on my computers? Because when I tried to do that on my laptop, the next time I logged on, the option to sign on as the administrator wasn't there--only the user option was, so I had to give the user all the administrative powers.

    So, I figure I'm doing something wrong, which, y'know, isn't that much of a surprise because if I don't have someone to talk to every step of the way, I'm liable to misinterpret something and do it wrong because of the Asperger syndrome. *sigh*

    I pretty much need everything step-by-step in as detailed instructions as possible with absolutely nothing left to interpretation, no knowledge assumed. Sad, I know, but...that's the only way to assure I don't f*ck it up.
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware & Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. If we had you run Avenger, you can delete all files related to Avenger now.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Windows Vista, Windows XP or Windows ME, you need to follow the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:

    You can post this in the Software Forum and those guys will help you.:)
     
