Vundo Variant. Logs attached.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Babyalien, Jan 3, 2009.

  1. Babyalien

    Babyalien Private E-2

    Hi guys. Hope you can help.

    I regularly run scans with SAS, MBAM and AVG and apart from the usual tracking cookies all seemed fine until 2 days ago. I ran a SAS scan and to my horror it found 1 Vundo Variant. Tried to remove it and then rebooted and rescanned only to find it was still there. So, I downloaded Spybot Search and Destroy and Combofix but they found nothing. Ran MBAM again and found nothing. AVG found nothing. Tried SAS scan again and would you believe it but it now found 3 Vundo Variants and 1 Accoona Toolbar instance. I'm a bit of a newbie when it comes to viruses/malware etc. so will need coaching.

    Since then I followed all instructions correctly in READ & RUN ME FIRST then installed all updates and ran up-to-date scans with all programs recommended in READ & RUN ME FIRST; all logs are attached at the end of this thread. I have not been able to remove them despite trying further scans with McAfee Stinger and A2 but these found nothing.

    I really don't know what to do next so your help is very much needed and will be greatly appreciated.
     

    Attached Files:

  2. Babyalien

    Babyalien Private E-2

    Here are the logs for the MGTools scan.
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any malware in your logs. You will have to tell me exactly what is reported and by what program.

    Do you know what this is:
    C:\Documents and Settings\All Users\Application Data\nmpmeswb.lkq --> If not, delete it.

    We can do a little cleaning in the meantime:

    Please disable all anti-virus and anti-spyware programs while we do the following ( be sure to re-enable when we are finished):


    Run C:\MGtools\analyse.exe by double clicking on it. (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now use windows explorer to find and delete:
    C:\WINDOWS\DXT59.tmp
    C:\WINDOWS\dxt5a.tmp
    C:\WINDOWS\dxt5b.tmp
    C:\WINDOWS\dxt5c.tmp
    C:\WINDOWS\NV1448372.TMP
    C:\WINDOWS\NV1948~1.TMP
    C:\WINDOWS\NV3428~1.TMP
    C:\WINDOWS\NV3816~1.TMP
     
  4. Babyalien

    Babyalien Private E-2

    Thanks for getting back to me.

    I have followed your instructions to the tee but it does not seem to have helped remove the Vundos. I could not remove one of the registry entries via HijackThis: R3 - URLSearchHook: (no name) - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - (no file) still remains, it would appear.

    Also, I deleted the following files as instructed but could not see the problem with them (although that may be my lack of knowledge) as half of these are just help files for the Nvidia graphics card I have.
    C:\WINDOWS\DXT59.tmp
    C:\WINDOWS\dxt5a.tmp
    C:\WINDOWS\dxt5b.tmp
    C:\WINDOWS\dxt5c.tmp
    C:\WINDOWS\NV1448372.TMP
    C:\WINDOWS\NV1948~1.TMP
    C:\WINDOWS\NV3428~1.TMP
    C:\WINDOWS\NV3816~1.TMP

    I have attached a log of the Hijack This scan and a log of a fresh Super Anti-spyware scan showing the Adware Vundo Variants are still there. Grrrrr!
     
  5. Babyalien

    Babyalien Private E-2

    Here's the logs. :)
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
     
  7. Babyalien

    Babyalien Private E-2

    MGtools\GetLogs.bat file scan results as requested. Thanks.
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try this:

    Please disable all anti-virus and anti-spyware programs while we do the following ( be sure to re-enable when we are finished):


    Run C:\MGtools\analyse.exe by double clicking on it. (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Let me know if you get a success message.

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
      o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
      o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file so I can tell if it worked. :)
     
    Last edited: Jan 9, 2009
  9. Babyalien

    Babyalien Private E-2

    I have followed all given instructions and successfully ran the fixME.reg.

    The results of the updated MGtools\GetLogs are attached as requested.

    Thanks.
     

    Attached Files:

  10. Babyalien

    Babyalien Private E-2

    Having now run a new SAS scan I am less than happy, to say the least, to report the count has somehow now increased from 3 Vundos to 24, consisting of 23 registry threats and 1 file threat.

    I cannot believe this.:mad

    SAS log attached.
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What I would like you to do is to uninstall:
    Kiwee Toolbar

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now make sure these are deleted:
    C:\Documents and Settings\MAT\Local Settings\Application Data\Kiwee Toolbar
    C:\Documents and Settings\All Users\Application Data\Kiwee Toolbar
    C:\Program Files\Kiwee Toolbar

    Run CCleaner and after a reboot, run SAS and MBAM and attach those logs and tell me how things are running.
     
  12. Babyalien

    Babyalien Private E-2

    Well, I managed to remove the Vundos myself yesterday, much to my relief. Many thanks for your help all the same, but the way I managed this was to firstly run SAS and, after it had found the 24 variants, use the SAS logs to identify a folder called AGI. I tried to delete the folder but it was locked, so I downloaded Unlocker and ran this, but it advised it could only try to remove the locked file after reboot. So I rebooted to find the file was gone, bingo. Re-ran SAS and found just the 3 original Vundos again. Ran HJT and deleted the R3 - URLSearchHook which remained and, much to my amazement, all Vundos were gone after a re-scan with SAS; ran a SAS deep scan, still nothing. Ran Regcure to tidy things up and ran an SAS quick scan and still no Vundo variants. Ran HJT and no search hooks remain :-D

    I hope some of the info I have posted can be put to good use.
     
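The orphaned R3 - URLSearchHook entry that lingered through this thread can be checked without HijackThis. The PowerShell script below is an added example, not code from the thread or from any of the tools named in it: it walks the same URLSearchHooks registry keys HJT reports as R3 lines and flags every CLSID whose InprocServer32 DLL is missing from disk, which is what HJT prints as "(no file)". The function names are my own, and the script assumes the 32-bit registry layout of the XP-era machine discussed here.

```powershell
# Added example (not from the thread): audit Internet Explorer URLSearchHooks and
# report hooks whose CLSID no longer resolves to a DLL on disk, i.e. HJT's "(no file)".
# Assumes a 32-bit registry layout (no Wow6432Node) and PowerShell 2.0 or later;
# run as Administrator so HKLM is readable.

function Resolve-ClsidFile {
    param([string]$Clsid)
    # The default value of InprocServer32 names the DLL that implements the hook.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path -Path $key)) { return $null }
    $raw = (Get-ItemProperty -Path $key).'(default)'
    if (-not $raw) { return $null }
    # Strip surrounding quotes and expand %SystemRoot%-style variables before checking disk.
    $expanded = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
    if (Test-Path -LiteralPath $expanded) { return $expanded }
    return $null
}

function Get-UrlSearchHookAudit {
    # HJT reads both the per-user and machine-wide hook lists.
    $roots = @(
        'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks',
        'HKLM:\Software\Microsoft\Internet Explorer\URLSearchHooks'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        # Each value name under URLSearchHooks is a CLSID; the value data is unused.
        foreach ($clsid in (Get-Item -Path $root).GetValueNames()) {
            if ($clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
            $file = Resolve-ClsidFile -Clsid $clsid
            New-Object PSObject -Property @{
                Hive     = $root
                CLSID    = $clsid
                File     = $(if ($file) { $file } else { '(no file)' })
                Orphaned = [bool](-not $file)
            }
        }
    }
}

# An Orphaned=True row matches the thread's
# "R3 - URLSearchHook: (no name) - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - (no file)".
Get-UrlSearchHookAudit | Format-Table Hive, CLSID, File, Orphaned -AutoSize
```

Removing an orphaned hook is then a matter of deleting that value name from the hive listed, which is the same fix HJT applies to an R3 line.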
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know... If you are not having any other malware issues, then:

     
