1. computernovice1

    computernovice1 Private E-2

    So I believe I have fallen victim to the Vundo virus...
    Basic description of what's going on...
    Desktop background is black with a warning sign that says dangerous spyware found and user should run special program.
    Warning security report shows up every five seconds saying my comp is infected and to start spyware cleaners,
    and iexplorer windows appear to random spyware removers; my documents opens randomly also.

    I tried to do the Read and Run Me First cleaning procedure, but I am completely restricted from just about everything. For instance, I couldn't open Run, so I couldn't get to msconfig; I can't get to the Control Panel, so I can't view hidden files (although I believe I already have them on).
    I couldn't install SAS because as soon as I hit the installer an error popped up. Spybot would not run, Malwarebytes would install but would not run, ComboFix would not install, so the MGtools exe ran and I've included all the logs in a zip file.

    I don't know if this is important or not, but every time I attempted to install a program above, an iexplorer window opened, but I don't know where it was taking me because I disconnected the computer from the router.

    Any help would be much appreciated.

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Why are you running this PC with NO PROTECTION? No wonder you are so badly infected!


    Please follow the instructions in the below link to see if you have the TDSSserv rootkit problem
    If you did find the TDSSserv driver and disabled it then try running SUPERAntiSpyware, Malwarebytes, and ComboFix scans again and attach the logs if this helps.

    Based on your MGlogs.zip file I can see that you have a lot of problems. Some of your Windows system files may even be infected, which could be difficult to fix. Do you have a copy of your Windows XP boot CD just in case it is needed?

    Now no matter what the results from the above with the TDSSserv driver were, I want you to continue on with the below.

    Now download LSP-Fix.

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the ntdll64.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move ntdll64.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    If it is already in the Remove section, just click Finish.


    Now download a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Please run C:\MGtools\analyse.exe by double-clicking on it (Note: if using Vista, don't double-click; use right-click and select Run As Administrator). This is really HijackThis. Click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then clicking Kill process. Then click Yes.

    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\frmwrk32.exe
    C:\WINDOWS\system32\sysmgr.exe
    C:\WINDOWS\system32\ntdll64.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - C:\WINDOWS\system32\khfcDVME.dll
    O2 - BHO: C:\WINDOWS\system32\hhs3ijndfd.dll - {c5bf49a2-94f3-42bd-f434-3604812c8955} - C:\WINDOWS\system32\hhs3ijndfd.dll
    O2 - BHO: (no name) - {efa1222b-4253-4327-b089-ccd6b24500ec} - C:\WINDOWS\system32\opnNeEVm.dll
    O4 - HKLM\..\Run: [Rnidesa] rundll32.exe "C:\WINDOWS\Bdinoguj.dll",e
    O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
    O4 - HKLM\..\Run: [Microsoft(R) System Manager] C:\WINDOWS\system32\sysmgr.exe
    O4 - HKLM\..\Run: [Spama] rundll32.exe "C:\WINDOWS\ewuxoqir.dll",e
    O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and Settings\Owner\Desktop\RRT.exe auto <-- not malware but you don't need it.
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O20 - AppInit_DLLs: miujlz.dll
    O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
    O20 - Winlogon Notify: khfcDVME - C:\WINDOWS\SYSTEM32\khfcDVME.dll
    O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hhs3ijndfd.dll

    NOTE: HJT will popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.


    Now run Pocket Killbox by double-clicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.


    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\1956815474
    C:\kked.exe
    C:\napxnnr.exe
    C:\tkpl.exe
    C:\ypxod.exe
    c:\docume~1\owner\locals~1\temp\ntdll64.dll
    C:\WINDOWS\Bdinoguj.dll
    C:\WINDOWS\ewuxoqir.dll
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\frmwrk32.exe
    C:\WINDOWS\system32\sysmgr.exe
    C:\WINDOWS\system32\ntdll64.exe
    C:\WINDOWS\system32\byXRjjJa.dll
    C:\WINDOWS\system32\miujlz.dll
    C:\WINDOWS\SYSTEM32\crypts.dll
    C:\WINDOWS\SYSTEM32\khfcDVME.dll
    C:\WINDOWS\system32\hhs3ijndfd.dll
    C:\WINDOWS\system32\opnNeEVm.dll
    C:\WINDOWS\system32\hehpkroj.ini
    C:\WINDOWS\system32\mVEeNnpo.ini
    C:\WINDOWS\system32\mVEeNnpo.ini2
    C:\WINDOWS\system32\wsbilaol.dll
    C:\WINDOWS\system32\drivers\c4c9f564.sys

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)
    If Killbox does not reboot just reboot your PC yourself.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Owner\Local Settings\Temp

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "All Files". Once you have saved it, double-click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now go to this link Using MGtools and download the new version of MGtools.exe from the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe (Note: If using Vista, make sure UAC is still disabled. Also don't double-click on it; use right-click and select Run As Administrator.)


    Now attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
    Last edited: Mar 2, 2009
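As an added illustration (not from the thread, MajorGeeks, or any of the tools named above), the Python below parses HijackThis-style log lines like those in chaslang's fix list, labels each by the persistence mechanism its section represents, and flags the indicators a responder would triage first. The sample lines are copied from the post above; the section meanings and flag heuristics are mine, not HijackThis output.

```python
import re
# Constructed sample: HijackThis-style lines taken from the fix list in the thread above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [Rnidesa] rundll32.exe "C:\WINDOWS\Bdinoguj.dll",e
O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and Settings\Owner\Desktop\RRT.exe auto
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - AppInit_DLLs: miujlz.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hhs3ijndfd.dll
"""
# What each HijackThis section means for persistence (defender's view; my summary).
MECHANISM = {"O2": "BHO: DLL loaded into every Internet Explorer process",
             "O4": "Run key: started at every logon",
             "O6": "IE policy: user locked out of IE settings / Control Panel",
             "O20": "AppInit_DLLs or Winlogon Notify: DLL loaded system-wide or by winlogon",
             "O22": "SharedTaskScheduler: CLSID loaded by explorer.exe at logon"}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:dll|exe|sys))\b", re.IGNORECASE)

def triage_flags(section, body):
    """Flag the persistence tricks visible in this thread's fix list (heuristics are mine)."""
    flags = []
    if section == "O2" and "(no file)" in body:
        flags.append("orphaned BHO: CLSID registered but the DLL is gone")
    if section == "O4" and "rundll32.exe" in body.lower() and '",' in body:
        flags.append("rundll32 used as a loader, calling an export of a DLL under C:\\WINDOWS")
    if section == "O6":
        flags.append("IE restriction policy present: typical of rogue-AV lockouts")
    if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        flags.append("AppInit_DLLs populated: DLL injected into every process that loads user32")
    if section == "O20" and body.startswith("Winlogon Notify:"):
        flags.append("Winlogon Notify DLL: loaded inside winlogon.exe, beyond reach of process killing")
    if section == "O22":
        flags.append("SharedTaskScheduler: explorer.exe loads this CLSID at every logon")
    return flags

def parse_hjt(text):
    """Return one dict per O-line: section, mechanism, file path (if any) and flags."""
    entries = []
    for line in text.splitlines():
        if m := ENTRY_RE.match(line.strip()):
            section, body = m.groups()
            path = PATH_RE.search(body)
            entries.append({"section": section, "mechanism": MECHANISM.get(section, "other"),
                            "path": path.group(1) if path else None,
                            "flags": triage_flags(section, body)})
    return entries
```

Entries with no flags (the RRT.exe autostart here) come out as benign autostarts, matching the "not malware" note in the fix list, while the flagged paths are the same files the Killbox step deletes on reboot.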
