Vundo; R n R Me done; am I still having problems?

Hi Dear Angels
I was looking for subtitles to an Italian comedy last night and got hit pretty hard with Vundo, Sheur2, Agent, Cryptor etc... first time in about 6 years i've had a major attagk like this. FYI I'm xp sp2, firefox, AVG8 and windows firewall.

I was very methodical in running "R n R Me" and it SEEMS I may be clean, but I don't know what to do now; run a new scan above and beyond R n R? Freshen up my security and hope for the best? How can I tell if I'm done?

There was some anomalous behaviour during the R n R procedure but that is hardly surprising ;-)

1) instead of SAS giving me notice of quarantine and removal complete, my machine rebooted. I ran again with recommended 5 boxes unchecked and when scan was done I was offered a reboot w/o clicking "finish", which I (perhaps unwisely) did. After reboot I ran again (5 boxes) and again my machine rebooted itself without showing quarantine and removal complete. I chose to move on to Spybot at this point, and have attached all 3 SAS logs to this post.

2) After the mbam restart suspicious dlls attempted to load (ihugiyelovawub?)

3) If combofix backed up my registry it did it VERY quickly; I didn't see it happen.

4) throughout, until I started mgtools, AVG kept finding new instances of Vundo, which I quarantined. I'll go empty the vault in a minute. I have reactivated Resident Shield.

I am now at Step 3 of R n R, and have not toggled System Restore.

How can I tell if I'm done?

...like many others, I offer my sincerest gratitude for your kindness and generosity; bless you

yrs
Kevin

 

Re: logs.Vundo; R n R Me done; am I still having problems?

Here are the MB, CF, and MG logs; thanks again!
-k

 

sorry, I meant I'm at step 3 of winXP cleaning procedure, not step 3 of R n R. Thanks again! -k

 

oh, I just noticed; I have now got an icon in the middle of my desktop for Internet Explorer, and IE has somehow replaced Firefox as the "Internet" item in the top level of my start menu. I normally run firefox from a desktop icon so it's not a big problem, but why it there?

 

I'm so glad to hear from you... I was flipping out! I'll do that right away!
-k

 

I'm getting an update prompt for combofix; do it?
Also, I installed the JRE11 as part of R n RMe...the file you just directed me to has the same name... do I really need to reinstall it?

 

OK, I ran combofix (version I DLd tuesday)... I clicked "no" or "cancel" or whatever when it offered me a "newer version". It then ran in textbook form, but I never noticed a reboot. I closed the log.txt file, checked for the other file, and went for a "start>turn off computer>restart", which caused my screen to flash and nothing else... after trying that 3 times, I went "start>turn off computer> turn off" (3 times) with the same result... turned to my laptop to send you this message, and 45 seconds later the requested restart took hold; it took about 4 minutes (I type very slowly)...all this anomalous behavior is making me nervous but I've run one more apparently normal "turn off", and turned my computer back on with the big green button for an apparently normal boot. I'm going to continue your instructions from "install the latest JRE"... the only thing to add is that I've been seeing splash screens on bootup from superantispyware... I'll carry on and send the logs you requested... wish me luck!

 

HERE ARE THE LOGS: OK, I've done as you instructed as best I can, and things behaved normally... things seem to be working normally but it's not like I've done anything but MG stuff for the last hour ;-)...

One thing still wierd: I wrote earlier that "I have now got an icon in the middle of my desktop for Internet Explorer, and IE has somehow replaced Firefox as the "Internet" item in the top level of my start menu."... this is still true. I keep IE around to check my html, but it's installed in the usual place ie C>program files> Internet Explorer, and I almost never open it... what's now on my desktop doesn't seem to be a shortcut, but a seperate install. I've looked at its properties and some of the settings seem a little sketchy to me, but I haven't started it or anything... it's set for homepage = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop

Thanks!!

 

mg tools log attached...
I don't know what that folder is but it appears empty (I have views set to see all hidden)...
Can you think of a reason why print jobs aren't getting to my printer? (HP psc 2600)

My display seems balky and struggley-- messy desktop icons flickering lots more than i remember...

gotta run... thanks a bunch!!!

 

PS do I appear more or less safe to use email (thunderbird) and browse freely (ffox) at this point?
thx

 

Chaslang you've been swell... alas, I think I'm not quite done: I accidentally clicked on that explorer install and heard a bunch of clicks, which made me suspicious... I closed explorer and ran AVG8, which found nothing. I completed your cleanup procedure except for deleting tools and toggling system restore. I uninstalled combofix and HJT, then downloaded CFix and ran the entire Read and Run Me procedure again (updating the tools as I went). Spybot found Smitfraud-C in the registry. The other tools didn't offer me any "fix" instructions. I'm attaching and appending a new set of logs (including the spybot log which R n R doesn't normally ask for). I hope I haven't done wrong to do this...

I fixed my printer problem by folk-remedy aka disconnect/reconnect ;-)

About my desktop: I DID take your advice to heart and tidied up some (and will do more), but, well, it's actually not a mess but intensely-ordered, icons arrayed in a way that visually organizes my workstream. My question is, will replacing all of these items with shortcuts give good benefit? I've heard many different ideas about this, and since you obviously have lots of experience and a strong opinion, I hope you can answer definitively... if the answer is "No, having 80 shortcuts on your desktop is just as bad as having 80 files and folders on your desktop" is there perhaps some way to emulate this organizational strategy without having it all on my desktop?

I loved AVG 7.5 and I loved the idea of antivirus and antispyware in a single scan, but if 8.0 is a problem, away with it... I'll continue to work through your "How to Protect yourself from malware".

Will you have a look at my logs again? Getting a positive on Smitfraud 4 hours after you said my logs were clean is a little spooky...

Thanks again, from the bottom of my geeky heart!
-kc

 

2 more reports
-k