i had a bad case of vundo and..

Discussion in 'Malware Help (A Specialist Will Reply)' started by dotc277, Jun 30, 2008.

  1. dotc277

    dotc277 Private E-2

    hi!

I'm new to the boards and...
I had a case of Vundo and I followed some of the tips from this board, and it seems that it is removed, but I would like to make sure. I would appreciate it if anyone could take a look at my logs and tell me.

And I'm sorry I made a new thread for this, but I'm new and the format of the board sorta confuses me.
     

    Attached Files:

  2. dotc277

    dotc277 Private E-2

    and the last requested log...
     

    Attached Files:

  3. abri

    abri MajorGeek

    Hi dotc277,
    Welcome to Major Geeks!


    Your computer is infected. Please use it as little as possible and avoid any unnecessary reboots until we can post a set of instructions to you. It takes time to go through the logs, so thank you for being patient.

    abri
     
  4. abri

    abri MajorGeek

    Hi dotc277,

    I'm missing your MGlogs.zip. If you installed the MGTools and followed the instructions, the MGlogs.zip will be directly under C:\ You can find it by using the Manage Attachments button down below the reply window here. Before you continue below, please attach the MGlogs.zip.

    Then please do the following:

    1) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select Do a system scan only. In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: {d39919dc-8b9a-5c49-4a24-3b5d05b0da11} - {11ad0b50-d5b3-42a4-94c5-a9b8cd91993d} - C:\WINDOWS\system32\iyadkfkg.dll (file missing)


    After you click fix, just close hijackthis.

    3) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

    Code:
    KILLALL::
    
    DRIVER::
    iyadkfkg
    wowjgib
    hvpkxnwe
    ljvphacp
    
    FILE::
    C:\WINDOWS\system32\iyadkfkg.dll
    C:\WINDOWS\system32\ljvphacp.dll
    C:\WINDOWS\system32\hvpkxnwe.dll
    C:\WINDOWS\system32\jwowjgib.dll
    
    REGISTRY::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11ad0b50-d5b3-42a4-94c5-a9b8cd91993d}]
    
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    4) Now run CCleaner at the default setting with the Windows tab as the top one.

    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger or Combofix log.


    Let me know how things are running now?

    abri
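A dry-run reader for the CFScript above, added here as an example; it is not code from the thread or from ComboFix. It parses the four section markers abri used (KILLALL::, DRIVER::, FILE::, REGISTRY::) and lists what the script would remove, so the plan can be reviewed before anything is dragged onto ComboFix. The registry lines follow .reg-file conventions: `[-Key]` deletes the whole key and `"Name"=-` deletes one value under the key named on the line above it. The sample script is constructed from a trimmed copy of the one in this post; the file-existence check is only a hint and assumes the reader runs it on the affected machine.

```python
"""Dry-run reader for a ComboFix CFScript (added example, not ComboFix code)."""
import os
import re

# Constructed sample: the script from this post, trimmed to one entry per kind.
SAMPLE_SCRIPT = """\
KILLALL::

DRIVER::
iyadkfkg

FILE::
C:\\WINDOWS\\system32\\iyadkfkg.dll

REGISTRY::
[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{11ad0b50-d5b3-42a4-94c5-a9b8cd91993d}]

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"HideLegacyLogonScripts"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")      # e.g. "FILE::"
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")           # "[-Key]" deletes, "[Key]" selects
VALUE_RE = re.compile(r'^"([^"]+)"=-$')          # '"Name"=-' deletes a value


def parse_cfscript(text):
    """Return a list of (action, target) tuples describing the script.

    The "~" shorthand in the thread's registry path is left as written; this
    parser does not expand it (assumption: ComboFix handles that itself).
    """
    actions = []
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).upper()
            current_key = None
            if section == "KILLALL":
                # KILLALL:: stops running programs before the rest of the script.
                actions.append(("kill_all_processes", ""))
            continue
        if section == "DRIVER":
            actions.append(("delete_driver_service", line))
        elif section == "FILE":
            actions.append(("delete_file", line))
        elif section == "REGISTRY":
            km = KEY_RE.match(line)
            vm = VALUE_RE.match(line)
            if km:
                minus, key = km.groups()
                if minus:
                    actions.append(("delete_key", key))
                    current_key = None
                else:
                    current_key = key          # following "Name"=- lines apply here
            elif vm and current_key:
                actions.append(("delete_value", current_key + "\\" + vm.group(1)))
            else:
                actions.append(("unrecognised", line))
        else:
            actions.append(("unrecognised", line))
    return actions


def missing_files(actions):
    """File targets that do not exist on this machine (hint only)."""
    return [t for a, t in actions if a == "delete_file" and not os.path.exists(t)]


if __name__ == "__main__":
    for action, target in parse_cfscript(SAMPLE_SCRIPT):
        print(f"{action:24} {target}")
```

Running it prints one line per planned action; any `unrecognised` entry means a line the script author did not intend, which is worth checking before the script is used.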
     
  5. dotc277

    dotc277 Private E-2

Sorry, I forgot this one. Thanks for the hasty reply!
     

    Attached Files:

  6. dotc277

    dotc277 Private E-2

Here are my new logs. Things seem to be running fine now, but I'm not sure if it is completely gone.
     

    Attached Files:

  7. abri

    abri MajorGeek

    Hi dotc277,

    There are a few things left to do. Your computer's startup is being regulated by msconfig, which is not a good idea. Please go to Start / Run and type in msconfig and click on ok. Then select Normal System Start and click on accept and okay. I will give you some other means of controlling your startup items.

    You are running AVG 7.0. Grisoft no longer supports this, which means you can't get your virus updates. AVG 8.0 is a security suite. If you don't want to run a security suite, I suggest trying Avast or Antivir along with Zone Alarm or one of the other firewalls we recommend. You'll find the information about this in How to Protect Yourself from Malware. Be sure to completely uninstall AVG before you switch or upgrade. If you are an avid gamer, I recommend going with the stand-alone programs because they don't use much in the way of resources and are effective. Also free.

    Delusional Pickle. :) funny!

    If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    Then please delete this file: C:\WINDOWS\BMf7b57c36.txt

    Run CCleaner

    Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip

    Let me know how things are running now?

    abri
     
  8. dotc277

    dotc277 Private E-2

Which virus protection do you recommend? I am an avid gamer so performance is an issue. AVG has always been reliable, so if there's any way I can continue with it (for free) I would like to do that.
Heh, thanks, delusionalpickle is a screen name I use for some things.

Here is my new log also.
     

    Attached Files:

  9. abri

    abri MajorGeek

    Hi dotc277,

    First to your question. I liked AVG very much, but I didn't want a security suite, so I switched to Avast, which is also excellent and free. The same is true for Antivir. You'll find both of these listed in the How to protect your computer thread in the link in my last post. I know Avast and Zone Alarm work together. As a firewall, Comodo has a very good reputation, but is somewhat more complicated than Zone Alarm. I advise reading through the How to protect yourself page, as it's not a long read and it has a lot of useful information in it.

    As for controlling your startup items, please do the following:


1) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select Do a system scan only. In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime


Do you need the following programs to load at startup? If not, please fix them as well.

    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    After you click fix, just close hijackthis.

    2) Now run CCleaner at the default setting with the Windows tab as the top one.

    Here are some suggestions from chaslang for controlling your startup processes without using msconfig:
    Your logs are clean. If the malware problems you were having seem to be resolved, I would like for you to do the final cleanup instructions. The final cleanup will remove the logs and tools we had you put on your computer. You'll also be asked to wipe all your previous restore points and set a clean one. If you want to keep any of the programs, you can, but it's important to remember that they're constantly being updated, so if you wouldn't be using them on a regular basis, it's better to remove them now and reinstall them later if you need them again.

    If you want to keep HijackThis (analyse.exe), then please skip the step which asks you to remove HijackThis via add/remove programs and see the extra instructions in gray at the bottom of the box. The reason for keeping HijackThis (analyse.exe) is because I asked you above to remove items from your startup menu. With the backups from HijackThis, you can put these back in if you need them later without having to reinstall the program.
    abri
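The O2 BHO line abri flagged in post 4 and the O4 startup lines above are the two HijackThis line types this thread turns on. The script below is an added example, not code from the thread or from HijackThis: it parses both line types into records and flags the traits that made the O2 entry suspicious (a CLSID where a readable name should be, a DLL reported as "(file missing)", and a random-looking lowercase DLL name). The flag thresholds are my own constructed heuristics, and the sample lines are copied from posts 4 and 9.

```python
"""Triage helper for HijackThis-style O2/O4 log lines (added example)."""
import re

# Constructed sample: the entries quoted in posts 4 and 9 of this thread.
SAMPLE_LOG = [
    "O2 - BHO: {d39919dc-8b9a-5c49-4a24-3b5d05b0da11} - {11ad0b50-d5b3-42a4-94c5-a9b8cd91993d} - C:\\WINDOWS\\system32\\iyadkfkg.dll (file missing)",
    'O4 - HKLM\\..\\Run: [TkBellExe] "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe" -osboot',
    'O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\QTTask.exe" -atboottime',
    "O4 - HKLM\\..\\Run: [NeroFilterCheck] C:\\WINDOWS\\system32\\NeroCheck.exe",
    'O4 - HKLM\\..\\Run: [iTunesHelper] "C:\\Program Files\\iTunes\\iTunesHelper.exe"',
]

GUID_RE = re.compile(r"^\{[0-9a-fA-F-]{36}\}$")
# O2 - BHO: <name> - <clsid> - <dll path> [(file missing)]
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[^}]+\}) - (.+?)(?: \((file missing)\))?$")
# O4 - <hive\..\Run>: [<value name>] "<quoted path>"|<bare path> [args]
O4_RE = re.compile(r'^O4 - (\S+): \[([^\]]+)\] (?:"([^"]+)"|(\S+))(?: (.*))?$')
VOWELS = set("aeiou")


def random_looking(stem):
    """Constructed heuristic: all-lowercase stem of 7+ letters with few vowels."""
    if not (stem.isalpha() and stem.islower() and len(stem) >= 7):
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.3


def file_stem(path):
    """'C:\\dir\\name.dll' -> 'name'."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def parse_line(line):
    """Turn one O2 or O4 line into a record dict, or None if unrecognised."""
    m = O2_RE.match(line)
    if m:
        name, clsid, path, missing = m.groups()
        rec = {"section": "O2", "name": name, "where": clsid,
               "path": path, "args": "", "flags": []}
        if missing:
            rec["flags"].append("file_missing")
        if GUID_RE.match(name):          # a CLSID instead of a product name
            rec["flags"].append("clsid_as_name")
        if random_looking(file_stem(path)):
            rec["flags"].append("random_name")
        return rec
    m = O4_RE.match(line)
    if m:
        key, name, quoted, bare, args = m.groups()
        path = quoted or bare
        rec = {"section": "O4", "name": name, "where": key,
               "path": path, "args": args or "", "flags": []}
        if random_looking(file_stem(path)):
            rec["flags"].append("random_name")
        return rec
    return None


def triage(lines):
    """Split parsed lines into (flagged, unflagged) record lists."""
    flagged, unflagged = [], []
    for line in lines:
        rec = parse_line(line.strip())
        if rec is None:
            continue
        (flagged if rec["flags"] else unflagged).append(rec)
    return flagged, unflagged


if __name__ == "__main__":
    flagged, unflagged = triage(SAMPLE_LOG)
    for rec in flagged:
        print("FLAGGED ", rec["section"], rec["path"], rec["flags"])
    for rec in unflagged:
        print("review  ", rec["section"], rec["name"], rec["path"], rec["args"])
```

Only the O2 entry comes out flagged; the four O4 entries are left for the reader's own judgment, which is exactly the call abri made (fix the two updaters, ask whether the other two are wanted). Unflagged does not mean safe: the heuristic is a triage aid, not a verdict.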
     
  10. dotc277

    dotc277 Private E-2

Thank you for your help, but now some other things have popped up on my virus scan, and are turning off my firewall. I'm not sure if it's Vundo acting up again or something else.
I'm going to download Avast right now and see if that will help anything.
     
  11. abri

    abri MajorGeek

    Hi dotc277,

    After you update Avast and run a full system scan (have it check your archives too - the user interface of avast takes some getting used to), if it finds anything, please attach a copy of the log here.

    abri
     
  12. dotc277

    dotc277 Private E-2

It says I need an automatic update; it stays in my system tray and won't go away. I was just wanting to check and make sure it wasn't a virus trying to get me to install something bad.

The update says "Windows Malicious Software Removal Tool - July 2008 (KB890830)".
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

This is an automatic update notice from Microsoft Update. This is not malware.
     
