Vundo & other Malware

XLNTA · Oct 26, 2008

Hello all,
This is a first for me, so lets see how it goes. I was given a used Dell, XP Pro, SP2. It had no virus protection that I could tell. I installed Macafee & it found numerous problems -- QHosts-95, AdClicker-FK, Vundo, Several: Adwares, Generic PUP.x, & Winfixers.

I have done all the Read & Run me first proceedures, & the XP Cleaning proceedures. Gives me a new respect for how much time you guys spend on this stuff!!!

Spybot was the only program that had previously been installed & run & had some stuff removed. Thus when I ran it, it tested clean. I am assuming that it ran with all default settings. I did update it to the newest version first.

I would like to have someone review the log files, & help me confirm that everything is cleaned up. I don't want to connect this computer to my home network if it is still smacked up. Also, I have yet to clear my restore point. Finally, when all is done, should I delete all the downloads or save them for later use?

I will attach your log files for your review.

I am not sure I understand this part of your instructions: "You will need to post 2 messages to attach all four logs since only 3 attachments are allowed in any single message. Post all of them in one thread."

Thanks in advance for your help.

XLNTA · Oct 26, 2008

Attachment of final log file from your MG tools.

Thanks again.

TimW · Oct 27, 2008

Your system is very low on ram......

Total Physical Memory 256.00 MB
Available Physical Memory 82.24 MB
Click to expand...

There are just a few things to do:

Run C:\MGtools\analyse.exe by double clicking on it. (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O23 - Service: OneStepSearch Service - Unknown owner - C:\Program Files\OneStep\onestep.exe (file missing)
Click to expand...

After clicking Fix, exit HJT.

Then use windows explorer to find and delete:
C:\WINDOWS\system32\sviriqvt.ini

Reboot and tell me how things are running.

XLNTA · Oct 27, 2008

Thanks for the help.

I have done the HJT proceedure, & deleted the referenced file.

Everything seems to be running fine.

Since submitting my first post, MacAfee had a warning to block or allow: "Tool-NirCmd". I have assumed it to be from ComboFix or the MG Tools, but have not taken any action on it. What do you suggest?

TimW · Oct 28, 2008

Good to know....now we just have to clean up from the scans:

We recommed you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combofix folder from combofix (if it exists)

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Click to expand...

XLNTA · Oct 28, 2008

Have cleaned up from the scans & will work through the "How to Protect...." page. It seems thorough, but if I have questions during that process, do you suggest I post to this forum or would there be a more appropriate one.

Thanks again for your help. I assume we will be finished now. I'll check back to see if you close the thread, or if you have anything further.

TimW · Oct 29, 2008

We do not close these threads..there is always the chance that you need to post with new questions regarding these issue. So do reply if you need something.

Log in or Sign up

Vundo & other Malware

XLNTA Private E-2

Attached Files:

SAS Log 10-25-2008.log

mbam-log-2008-10-25 (16-29-51).txt

combo fix 10-25-08 log.txt

XLNTA Private E-2

Attached Files:

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

XLNTA Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

XLNTA Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member