Help, possible vundo?

Discussion in 'Malware Help (A Specialist Will Reply)' started by ycassandra, Dec 22, 2008.

  1. ycassandra

    ycassandra Private E-2

    Hi everybody,
    my antivirus detected a Vundo.JD.dll and my PC is starting to pop up ads in IE windows. I ran the procedure as described in "READ AND RUN.." and in the WinXP cleaning procedure. I am attaching the related files. Hope you can help me out with this. Thanks.
     

    Attached Files:

  2. ycassandra

    ycassandra Private E-2

    and the MGlog.

    I ran just CCleaner and SAS twice before completing the entire procedure. I do not know whether it is useful or not, but I also added them to the thread.

    Thanks again guys
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Important Notice: A new version of SUPERAntiSpyware is out that should help with this problem from Vundo.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this first log later.
    • Since this infection has been reappearing after a reboot, you will have to reboot again and then run an additional scan to make sure it comes back clean. Attach this second log too.
    Now please use Windows Explorer to find and delete:
    C:\WINDOWS\system32\spkibkot.exe
    C:\WINDOWS\system32\sete39.tmp
    C:\WINDOWS\system32\sete41.tmp
    C:\WINDOWS\system32\setefa.tmp
    C:\WINDOWS\system32\setf40.tmp
    C:\WINDOWS\system32\setf41.tmp
    C:\WINDOWS\system32\setf42.tmp
    C:\WINDOWS\system32\setf43.tmp

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from SAS.
     
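    The manual delete step above works, but a practitioner would normally want a record of what was removed and a copy of the sample before it is gone. The following is an added example, not part of TimW's instructions or MajorGeeks' tooling: it hashes each of the listed files, copies it into a quarantine folder under a non-executable name, then deletes the original, and reports any file that refused deletion (a DLL or EXE still loaded by a running process will do that, which is why a reboot and a second check are needed). It assumes Windows PowerShell 4.0 or later (for Get-FileHash) running from an elevated console; the quarantine folder path is an assumption, and the target paths are exactly the ones from the post.

```powershell
# Added example (not from the original thread). Assumes Windows PowerShell 4.0+
# in an elevated console. The target list is copied from TimW's post above;
# the quarantine location C:\MGtools\quarantine is an assumed path.
$Targets = @(
    'C:\WINDOWS\system32\spkibkot.exe',
    'C:\WINDOWS\system32\sete39.tmp',
    'C:\WINDOWS\system32\sete41.tmp',
    'C:\WINDOWS\system32\setefa.tmp',
    'C:\WINDOWS\system32\setf40.tmp',
    'C:\WINDOWS\system32\setf41.tmp',
    'C:\WINDOWS\system32\setf42.tmp',
    'C:\WINDOWS\system32\setf43.tmp'
)
$Quarantine = 'C:\MGtools\quarantine'   # assumed location, change as needed

function Invoke-Quarantine {
    # Hash, copy aside, then delete each path; return one record per path.
    param([string[]]$Paths, [string]$Dest)

    if (-not (Test-Path -LiteralPath $Dest)) {
        New-Item -ItemType Directory -Path $Dest | Out-Null
    }

    $log = @()
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            $log += [pscustomobject]@{ Path = $p; Status = 'absent'; SHA256 = $null }
            continue
        }

        # Record the hash first so the sample can be identified or submitted later.
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash

        # Keep a copy with a .quar extension so it cannot be run by double-click.
        $copy = Join-Path $Dest ((Split-Path -Path $p -Leaf) + '.quar')
        Copy-Item -LiteralPath $p -Destination $copy -Force

        try {
            Remove-Item -LiteralPath $p -Force -ErrorAction Stop
            $status = 'deleted'
        } catch {
            # Typical for a component still loaded into a process; retry after reboot.
            $status = 'locked: ' + $_.Exception.Message
        }
        $log += [pscustomobject]@{ Path = $p; Status = $status; SHA256 = $hash }
    }
    return $log
}

function Test-Reappeared {
    # Run this again after the reboot: anything present here came back and needs
    # another scan, as TimW's second-scan step anticipates.
    param([string[]]$Paths)
    return @($Paths | Where-Object { Test-Path -LiteralPath $_ })
}

$result = Invoke-Quarantine -Paths $Targets -Dest $Quarantine
$result | Format-Table -AutoSize

$back = Test-Reappeared -Paths $Targets
if ($back.Count -gt 0) {
    Write-Output ('Still present: ' + ($back -join ', '))
} else {
    Write-Output 'None of the listed files are present.'
}
```

    Run the whole script once before the reboot TimW asks for, then call Test-Reappeared again afterwards; a path that shows up the second time is the signal that the infection is re-creating itself and that the additional scan and log are needed rather than another manual delete.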
  4. ycassandra

    ycassandra Private E-2

    Hi TimW,
    I've done all the steps you asked for. I am still missing the command for msconfig.

    Happy New 2009 man
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I will get to your logs in a while....in the meantime:

    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
     
  6. ycassandra

    ycassandra Private E-2

    Thanks TimW for your help.
    Windows Defender just found a Trojan:Win32/Vundo.gen!AH in System Restore


    Resources:
    file:
    C:\System Volume Information\_restore{6B3B2631-9354-4189-8E72-FAB98CF40958}\RP665\A0043087.dll

    file:
    C:\System Volume Information\_restore{6B3B2631-9354-4189-8E72-FAB98CF40958}\RP665\A0043086.dll

    Later man, thanks
     
  7. ycassandra

    ycassandra Private E-2

    I am planning to install the Spyware Doctor 6.0 trial version just to have real-time spyware protection running. Do you think it is OK? From what I understood, the SAS free version doesn't work as a real-time blocker unless you buy it.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Spyware Doctor as a trial is not advised. It is basically worthless unless you purchase it.

    Nothing will remove your system restore files ....we will handle that in the last cleanup.

    You need to run CCleaner and empty your temp folders.

    I am not seeing any malware, so if you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note: the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work through the below link:

     
  9. ycassandra

    ycassandra Private E-2

    Hi TimW,
    thank you very much for your wonderful support in fixing my malware problem. It worked out perfectly. I just want to ask you something more:

    1) I still have ComboFix.exe on my Desktop, can I trash it?
    2) In my C:\ I have a Boot.bak file, a cmldr file (no clue what that is), a Qoobox folder and another folder "32788R22FWJFW". All of them were created on the day I started the "Read" procedure and downloaded the software. I am wondering if I can trash all of them.
    3) I ran a full scan with Windows Defender and it came out this way:

    TROJAN:Win32/AgentBypass.gen!K
    c:\documents and settings\username\Desktop\ComboFix.exe->(UPX)->(RarSfx)->32788R22FWJFW\catchme.cfexe->(UPX)
    file:
    C:\32788R22FWJFW\catchme.cfexe->(UPX)
    containerfile:
    c:\documents and settings\username\Desktop\ComboFix.exe
    containerfile:
    C:\32788R22FWJFW\catchme.cfexe

    So if I am reading it right, the folder 32788R22FWJFW is linked to ComboFix and is not a real threat, and I can simply delete everything?

    4) I read your useful pages about Windows Firewall and OnlineArmor; thanks for the great link to matousec.com.
    5) I also want to get rid of Windows Defender and keep your suggested software, but I am wondering how to control the startup processes, considering you guys suggested not to use MSConfig. I have doubts about CCleaner; should I work in services.msc?
    6) I still get lots of errors when I run Registry Mechanic, and my PC, although malware-free now, is very slow. Can you suggest a nice tool (hopefully free) to repair the registry?

    Thanks to all of you guys for the amazing job and the interesting & useful posts
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, you can, but it all should have been removed when you ran the combofix" /u.

    All false positives from Windows Defender, and yes, I would suggest you uninstall that program.

    You may wish to use a Startup Manager.

    I would also dump Registry Mechanic and only use CCleaner to take care of old / broken registry items. (Run the Issues section and make sure you do the backup when prompted.)

    You are very welcome .....safe surfing. :)
     
