Incomplete Vundo Removal 1 of 2

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by IBCool, Nov 1, 2009.

  1. IBCool

    IBCool Private E-2

    Dear Forum Helpers,

    I read the Run and Read Me First sticky before posting this post. Unfortunately it was after I used MalwareBytes and Super AntiSpyware (SAS) twice. So the logs for those may not be useful. Well actually it looks as though Mbam and SAS saved the original logs. I hope everything else was done correctly.

    I am attempting to help a friend that got Vundo on her computer. The variant is I believe an older one. I am not really sure when or where she got it. I think it is fair to say she is a fairly inexperienced user. MalwareBytes IDed it as Trojan.Vundo. SAS also found what I believe were components of it (some dlls) but IDed them as Trojan.generic.

    The reason I believe that Vundo is still on her system is that msconfig is returning an access error and asking that we log on as admins. But we are on as admins. A wiki article on Vundo states that msconfig may be compromised. Also it (or something) kept launching the install for Trueinstall.exe at startup until I removed Trueinstall.exe. Now it keeps launching Adobe.com.exe at startup.

    I have included the logs but edited out her last name. If there is any other information required please let me know. Your advice would be much appreciated.

    John Rene
     


  2. IBCool

    IBCool Private E-2

    Re: Incomplete Vundo Removal 2 of 2

    Needed for 5th log, MGlog.zip

    Again thanks for any help.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The cleaning procedure removed remaining items from Vundo. If you are still having problems with MSconfig, it may not be related. Try actually using the real Administrator account or try Running As Administrator. Using an account with admin privies is not the same thing as running as administrator.


    I still see Trueinstall.exe in your ComboFix log. Did you remove it after running the procedure? It may not be malware. We will remove it again anyway using ComboFix. ISPs use Trueinstall.exe when you change from one company to another. Were ISPs changed at some point?


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
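The two HijackThis lines chaslang selects above share one pattern: a browser extension entry (O2 BHO, O9 Extra button) whose CLSID is still registered but whose DLL is gone, which HijackThis reports as "(no file)". Below is an added example, not part of the thread or of HijackThis itself, that parses HijackThis-style O2/O9 lines and flags exactly those orphaned entries so they can be reviewed before clicking Fix. The two lines with the "Example" names are constructed healthy entries for contrast; their CLSIDs and paths are made up.

```python
import re

# Constructed sample log: the two lines from the post plus two invented,
# healthy entries whose CLSIDs and paths are placeholders.
SAMPLE_HJT_LOG = """\
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Example Button - {66666666-7777-8888-9999-000000000000} - C:\\Program Files\\Example\\button.dll
"""

# Shape of an O2/O9 line: "<section> - <kind>: <name> - {CLSID} - <target>"
HJT_LINE = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})(?: - (?P<target>.*))?$"
)


def parse_hjt(text):
    """Return one dict per recognised O2/O9 line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def orphaned_entries(entries):
    """Entries whose registered CLSID no longer points at a file on disk.

    These are the ones HijackThis prints as '(no file)'. They are leftovers
    (typically from a removed BHO) and are safe to fix, but a reviewer should
    still eyeball them, because a legitimate add-on with a missing DLL looks
    the same.
    """
    return [e for e in entries if e["target"] == "(no file)"]


def format_fix_lines(entries):
    """Re-emit entries in HijackThis syntax so they can be matched in the UI."""
    return [
        f'{e["section"]} - {e["kind"]}: {e["name"]} - {e["clsid"]} - {e["target"]}'
        for e in entries
    ]


if __name__ == "__main__":
    for line in format_fix_lines(orphaned_entries(parse_hjt(SAMPLE_HJT_LOG))):
        print(line)
```

Running it prints only the two "(no file)" lines, matching the selection in the post; the entries that still resolve to a DLL are left alone.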
  4. IBCool

    IBCool Private E-2

    Thanks again for the help. I am not working on her computer but will tomorrow evening I suppose. I will follow your instructions and post the logs. I should clarify a couple points.

    Actually this was the first thing I thought about as I assume nothing with XP. I did in fact log into safe mode under Administrator. msconfig was still goofy (i.e. denying access). I am now thinking that it's perhaps one of her services or processes interfering with msconfig. I believe once upon a time there were HP services that would interfere with msconfig (I believe this is known as corporate malware) and she had an HP printer in the past. This might also explain the odd behavior at startup with adobe.com.exe launching. All it seems to do is open the explorer window for Adobe.com.

    As there are 82 (yes 82) processes running and god knows how many services I will be hard pressed to figure out which is the problem. I did warn her about installing every piece of junk out there. Oh well.

    I actually may have reinstalled TrueInstall.exe but it's not obvious in the Control Panel Add/Remove. I believe it's part of the 2Wire wireless software from AT&T. I needed to reinstall 2Wire as it seemed corrupted (when it wasn't working). As soon as I can I will post the logs.

    John Rene
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try running the below procedure and then trying MSconfig.

    Click Start, Run, and enter sfc /scannow and click OK. There is a space after the sfc. This runs System File Checker which looks for missing or corrupted system files and attempts to replace/repair them from files on your hard disk or from the CD if necessary. So it will ask for the Windows CD if it needs it.

    Now run this: Resetting Registry and File Permissions


    Actually according to the HijackThis log in MGlogs.zip you have 67 processes running if I discount MGtools.exe, analyse.exe, cmd.exe and ntvdm.exe (last two are from running MGtools).
     
