Vundo Smitfraud Removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by baron4664, Apr 20, 2008.

  1. baron4664

    baron4664 Private E-2

    First time post,

    My PC recently became infected with Vundo and Smitfraud.C. I followed the instructions for cleaning Vista and have attached the requested logs. I actually ran the cleaning twice. It seems to have removed the infections but I can't be sure as rundll still wants to run some random *.dlls on startup under one of my accounts. Attached please find the logs per instructions. These are the latest logs from this morning. I appreciate you taking time and fighting the good guys. Thanks so much.
     


  2. baron4664

    baron4664 Private E-2

    Here are the remaining logs

    combofix and old combofix and old SAS
     


  3. abri

    abri MajorGeek

    Hi baron4664,
    Welcome to Major Geeks!


    1) Run C:\MGtools\analyse.exe by double-clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {0271B089-9A2C-47DE-A121-C7A45ED71096} - C:\Windows\system32\hgGAPjJA.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKCU\..\Run: [llubnqwn] C:\Windows\system32\ytefqvml.exe
    O4 - HKCU\..\Run: [weakmlov] C:\Windows\system32\bmfetwdq.exe
    O4 - HKCU\..\Run: [zeaztjnt] C:\Windows\system32\mbqzupmb.exe
    O4 - HKCU\..\Run: [zoopjsuz] C:\Windows\system32\glebkriz.exe

    After you click fix, just close hijackthis.


    2) Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Files::
    C:\Windows\System32\bhlviotc.ini
    C:\Windows\System32\pueuvpmu.ini
    C:\Windows\System32\qhojhddj.ini
    C:\Windows\System32\tuyholyi.ini
    C:\Windows\System32\yfjfpvch.ini
    C:\Windows\system32\ytefqvml.exe
    C:\Windows\system32\bmfetwdq.exe
    C:\Windows\system32\mbqzupmb.exe
    C:\Windows\system32\glebkriz.exe
    
    Folders::
    C:\Users\All Users\ayvqtpiy
    C:\ProgramData\ayvqtpiy
    C:\Users\All Users\wfytkhar
    C:\ProgramData\wfytkhar
    
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "llubnqwn"=-
    "weakmlov"=-
    "zeaztjnt"=-
    "zoopjsuz"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0271B089-9A2C-47DE-A121-C7A45ED71096}]
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    3) Delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).

    C:\WINDOWS\Temp
    C:\Documents and Settings\Administrator\Local Settings\Temp

    4) Now run Ccleaner!

    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Combofix log with the report of the above procedure. (Do not rerun Combofix for this log - it's already there!)

    Let me know how things are running now.

    abri
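    The HijackThis lines in step 1 and the CFScript in step 2 describe the same cleanup in two notations: an O4 Run entry becomes a `"name"=-` deletion under the matching Run key, the O2 BHO CLSID becomes a `[-HKLM\...\Browser Helper Objects\{CLSID}]` key removal, and the executables behind the rogue entries go under Files::. The script below is an added example (not part of this thread, and not ComboFix's or HijackThis's own code) that turns a selection of HijackThis lines into that script. It assumes the line formats shown in this thread and the CFScript sections shown above (KILLALL::, Files::, Registry::). Two details from the thread are built in as separate decisions: the QuickTime and Java Run entries are removed from startup but their executables are not deleted, so file deletion is controlled by an explicit name list, and an entry reported as "(file missing)" gets registry cleanup only.

```python
"""Build a ComboFix CFScript from selected HijackThis O2/O4 lines.

Added example for this thread; the HijackThis line formats and the CFScript
section names are taken from the posts above, everything else is constructed.
"""
import re
from collections import OrderedDict

# Constructed sample input: the HijackThis lines abri asked to have fixed.
HJT_LINES = r"""
O2 - BHO: (no name) - {0271B089-9A2C-47DE-A121-C7A45ED71096} - C:\Windows\system32\hgGAPjJA.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [llubnqwn] C:\Windows\system32\ytefqvml.exe
O4 - HKCU\..\Run: [weakmlov] C:\Windows\system32\bmfetwdq.exe
O4 - HKCU\..\Run: [zeaztjnt] C:\Windows\system32\mbqzupmb.exe
O4 - HKCU\..\Run: [zoopjsuz] C:\Windows\system32\glebkriz.exe
"""

# Only these Run entries should also have their executables deleted; the
# QuickTime and Java entries are merely removed from startup, as in the thread.
MALWARE_RUN_NAMES = {"llubnqwn", "weakmlov", "zeaztjnt", "zoopjsuz"}

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

O2_RE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.*?)( \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")


def command_path(command):
    """Return the executable path of a Run command, dropping any arguments.
    A quoted command keeps only the quoted part; an unquoted command is
    assumed to be a bare path, which is how the rogue entries appear above."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command


def parse_hjt(text):
    """Parse O2 (BHO) and O4 (Run) HijackThis lines into entry dicts."""
    entries = []
    for line in text.strip().splitlines():
        m = O2_RE.match(line)
        if m:
            clsid, path, missing = m.groups()
            entries.append({"kind": "O2", "hive": "HKLM", "name": clsid,
                            "path": path, "missing": bool(missing)})
            continue
        m = O4_RE.match(line)
        if m:
            hive, name, command = m.groups()
            entries.append({"kind": "O4", "hive": hive, "name": name,
                            "path": command_path(command), "missing": False})
            continue
        raise ValueError("unrecognised HijackThis line: " + line)
    return entries


def build_cfscript(entries, delete_files):
    """Render the CFScript. Every entry gets its registry value or key removed;
    a file is listed under Files:: only if the entry name is in delete_files
    and HijackThis did not already report the file as missing."""
    files = [e["path"] for e in entries
             if e["name"] in delete_files and not e["missing"]]
    run_keys = OrderedDict()   # hive -> list of value names to delete
    bhos = []                  # CLSIDs whose BHO key is removed outright
    for e in entries:
        if e["kind"] == "O4":
            run_keys.setdefault(e["hive"], []).append(e["name"])
        else:
            bhos.append(e["name"])
    out = ["KILLALL::", ""]
    if files:
        out += ["Files::"] + files + [""]
    out.append("Registry::")
    for hive, names in run_keys.items():
        out.append("[%s\\%s]" % (HIVES[hive], RUN_KEY))
        out += ['"%s"=-' % n for n in names]
    for clsid in bhos:
        out.append("[-%s\\%s\\%s]" % (HIVES["HKLM"], BHO_KEY, clsid))
    return "\n".join(out) + "\n"


def sample_script():
    """The CFScript for the constructed sample lines above."""
    return build_cfscript(parse_hjt(HJT_LINES), MALWARE_RUN_NAMES)


if __name__ == "__main__":
    print(sample_script())
```

    The .ini files and the two folders in abri's script came from other logs, so they are not generated here; they would be appended by hand under Files:: and Folders::. Keeping the file-deletion list separate from the registry cleanup is the point: a startup entry can be unwanted without its program being malware.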
     
  4. baron4664

    baron4664 Private E-2

    Abri,

    Thanks for the prompt reply.

    Your combofix script fails to run. It gets to the malware removal and says fails to execute command and reboots the PC and does not create a log file. It does create a bug.txt file.

    Baron4664
     
  5. abri

    abri MajorGeek

    Hi baron4664,

    Could you attach the bug.txt file?

    Were you able to run HijackThis?

    abri
     
  6. baron4664

    baron4664 Private E-2

    abri,

    Yes I was able to run HijackThis.
    Attached is the bug.txt
     

    Attached Files: Bug.txt (5.2 KB)
  7. abri

    abri MajorGeek

    Hi baron4664,

    Let's try the other tools and see if that works better:

    1) Download and install Erunt. Use it to create a backup of your registry.

    2) Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    3) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    4) Now run CCleaner at the default setting with the Windows tab as the top one.

    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
  8. baron4664

    baron4664 Private E-2

    Hi Abri,

    Once again thanks to you, and all the other volunteers. I am at work so will have to wait till this evening to try out your next fix. I manually deleted the files listed in the combofix script that you sent and referenced in the avenger script. None of the *.exe files exist on the PC (probably why combofix "failed to execute the command" and exits prematurely when running that script). However the *.ini files were there, hidden. I deleted all of them. Also I deleted the users\ folders referenced in the script. Both were empty. The two programdata folders referenced in the scripts do not exist.

    I reinstalled and updated Avast and ran a thorough scan last night. It found and quarantined 2 files for Virtumonde. However the PC shows no symptoms of Vundo infections at this time.

    Thanks

    Baron4664
     
  9. abri

    abri MajorGeek

    Hi baron4664,

    Where'd you end up with all this? Did you ever complete the instructions? Please give me an update.

    Thanks.
    abri
     
  10. baron4664

    baron4664 Private E-2

    Sorry Abri,

    I've been away for a while. I completed the cleanup and everything is good. Thanks for all your help.

    Baron4664
     
  11. abri

    abri MajorGeek

    Hi baron4664,

    If you want me to look at the logs to make sure there are no bad files remaining, I will. If you don't, I want to post our final cleanup instructions to you anyway. If you decide not to have your logs checked, I would wait with resetting the restore points for a couple of weeks until you're sure the malware isn't coming back.
    abri
     
