Vundo refuses to leave

Discussion in 'Malware Help (A Specialist Will Reply)' started by ZaPHoN, May 19, 2007.

  1. ZaPHoN

    ZaPHoN Private E-2

    Adware.virtumonde, xxyvsqo.dll & vtsts.dll

    Well, I tried everything I could, even after reading some threads here, but this thing is persistent.

    Adware.virtumonde, xxyvsqo.dll & vtsts.dll

    The last two dlls can't be removed by the methods I've tried so far.

    Could someone please be so kind as to help.


    Here is my log for HijackThis. Browser, antivirus, AVG spyware, Adwatch all disabled before running.

    PS: System will not let me go into safe mode fully anymore. Desktop disappears and the only control I have is Task Manager via CTRL+ALT+DEL.


    Great place guys. You all deserve a lot of credit. My hat is off to you.


    ZaP
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Adware.virtumonde, xxyvsqo.dll & vtsts.dll

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, renaming, running, and posting HijackThis logs as attachments. If you cannot run steps in safe mode, run them in normal boot mode!
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - only for Windows XP, 2K, & NT users
      • AVG Antispyware log - ONLY IF NEEDED because you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. ZaPHoN

    ZaPHoN Private E-2

    I'm sorry but I'm at my wits' end. I've tried everything as instructed before I post.

    1. I can't boot into safe mode.
    2. Could not get Panda online scan to work
    3. Got some errors starting GetRunKey but it did produce a log
    4. Got some errors starting ShowNew but it did produce a log
    5. Programs I've used are avgas-setup-7.5.0.50, CCleaner, GetRunKey, hijackthis (renamed to analyse.exe), ProcessExplorer, ShowNew, avgarkt-setup-1.1.0.42, avg75free_467a1008, CounterSpy, FixVundo, KillBox-Beta, VundoFix, RootkitRevealer, Spybot - Search & Destroy, ewido-setup_4.0.0.172c, Spy Sweeper, Spyware Doctor, Avast Antivirus (removed)

    Programs currently installed:

    Spy Sweeper (running now)
    AVG Anti-Spyware 7.5 (running now)
    AVG Antivirus Free (running now)
    Adaware Ad watch (running now)
    Spybot Search and Destroy
    Spyware Doctor


    I really hate to bother you all about this, but I've really tried my best here and I could use some help, but most of all some understanding in case something like this happens again, and to do what I can to help others if I can. The internet is becoming such a dangerous place. If it keeps getting worse nobody will be able to use it.

    Thanks so much,


    ZaP
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then where are the requested logs for AVG Antispyware and BitDefender? Please attach them! The only item that you said you could not run was Panda.

    You need to install both GetRunKey and ShowNew properly as per the directions on the download pages. You appear to be running them directly from the ZIP files and the logs are incomplete. Please install them properly now.


    Is Spy Sweeper a paid or free trial version? If free, uninstall it now!
    Is Spyware Doctor a paid or free trial version? If free, uninstall it now!


    Also uninstall the below old Sun Java version as requested in step 6 of the READ ME.
    J2SE Runtime Environment 5.0 Update 11



    Your logs showed Avast and AVG7 installed? I need logs that show that only one antivirus is installed as requested in the READ ME step 3. I will request new logs later in this message.


    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Download The Avenger ( http://swandog46.geekstogo.com/avenger.zip ) by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy the quoted bold print below and paste it in the box that opens from Avenger:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now attach the below logs:
    • AVG Antispyware log never attached
    • BitDefender log never attached
    • C:\Avenger.txt
    • GetRunKey
    • ShowNew
    • HJT
    Is the below something you installed?
    "catsrv"="C:\\Documents and Settings\\Administrator\\Policies\\catsrv.exe -AutoStart"


    Did you set up the below policies (possibly using the above)?
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer]
    "NoResolveTrack"=dword:00000001
    "LinkResolveIgnoreLinkInfo"=dword:00000001
    "NoResolveSearch"=dword:00000001
    "ClearRecentDocsOnExit"=dword:00000001
    "NoRecentDocsMenu"=dword:00000001
    "NoRecentDocsHistory"=dword:00000001
    "NoStartBanner"=dword:00000001
    "NoSMConfigurePrograms"=dword:00000001
    "NoInstrumentation"=dword:00000001
    "NoSMBalloonTip"=dword:00000001
     
    Last edited: May 21, 2007
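
The two questions at the end of the post above (is the "catsrv" autostart something you installed, and did you set those Explorer policies) can be answered by listing exactly those items from a registry export. The following is an added example, not part of the original thread or of any tool named in it; it assumes .reg-style text as input, and the Run key shown as the location of "catsrv", the ctfmon entry and ExamplePolicyOff are constructed for illustration.

```python
import re

# Constructed sample in .reg export format. "catsrv" and the two policy values
# are quoted from the thread; the Run key header (assumed location of "catsrv"),
# the ctfmon entry and ExamplePolicyOff are constructed for illustration.
SAMPLE = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"catsrv"="C:\\Documents and Settings\\Administrator\\Policies\\catsrv.exe -AutoStart"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoRecentDocsHistory"=dword:00000001
"ClearRecentDocsOnExit"=dword:00000001
"ExamplePolicyOff"=dword:00000000
'''

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
USER_WRITABLE = ('\\documents and settings\\', '\\users\\', '\\temp\\')

def parse_reg(text):
    """Return {key_path: {value_name: str or int}} from .reg-style text."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if (m := SECTION.match(line)):
            current = keys.setdefault(m.group(1), {})
        elif current is not None and (m := VALUE.match(line)):
            name, raw = m.groups()
            if raw.startswith('dword:'):
                current[name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                # .reg strings escape backslash and quote with a backslash
                current[name] = re.sub(r'\\(.)', r'\1', raw[1:-1])
    return keys

def review(keys):
    """Return (Run entries launched from user-writable paths, policies set nonzero)."""
    autostarts, policies = [], []
    for path, values in keys.items():
        leaf = path.lower()
        for name, data in values.items():
            if leaf.endswith('\\currentversion\\run') and isinstance(data, str):
                if any(p in data.lower() for p in USER_WRITABLE):
                    autostarts.append((name, data))
            elif leaf.endswith('\\policies\\explorer') and isinstance(data, int) and data:
                policies.append(name)
    return autostarts, policies

AUTOSTARTS, POLICIES = review(parse_reg(SAMPLE))
```

An entry appearing in either list is only a prompt for the question asked in the thread: whether the owner of the machine put it there.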
