vundo, virtumonde

Discussion in 'Malware Help (A Specialist Will Reply)' started by fabi, Jun 17, 2008.

  1. fabi

    fabi Private E-2

    Hi,

    My computer is infected with tr_vundo.pr
    I've tried a few spywares that identified problems and solved some but there are a few files that won't go.
    I attach them as identified by Spybot and SuperAntiSpyware. I'll also attach a HJT log.
    I run Windows XP and have turned off System Restore.

    Please, I need help

    Thanks

    Fabi
     


  2. abri

    abri MajorGeek

    Hi fabi,
    Welcome to Major Geeks!


    If you have not rebooted since turning off System Restore, please turn it back on. When you turn off system restore and reboot your computer, it wipes out all your previous restore points. This is not something we recommend, because sometimes it is better to have an infected restore point to return to, than none at all.

    Whether you are able to correct that or not, please go to the following link and follow the instructions and attach the requested logs when you're finished:
    READ & RUN ME FIRST

    abri
     
  3. fabi

    fabi Private E-2

    Hi abri,

    Thanks for reply.

    This problem has been going on for a week and it started with the download of Zango.

    Here are the logs. I have also run spybot which found the same files as SuperSpy.

    Thanks for your help

    fabi
     


  4. fabi

    fabi Private E-2

    and mglogs.zip
     


  5. abri

    abri MajorGeek

    Hi fabi,

    1) Do you have a specific problem which prevents you from getting or being able to use Windows Updates? Your computer is very vulnerable without them.


    2) Please disable your guest account if this hasn't already been done.


    3) Go to add/remove programs and uninstall the below:


    "DisplayName"="J2SE Runtime Environment 5.0 Update 10"
    "DisplayName"="J2SE Runtime Environment 5.0 Update 11"
    "DisplayName"="J2SE Runtime Environment 5.0 Update 4"
    "DisplayName"="J2SE Runtime Environment 5.0 Update 5"
    "DisplayName"="J2SE Runtime Environment 5.0 Update 6"
    "DisplayName"="J2SE Runtime Environment 5.0 Update 7"
    "DisplayName"="J2SE Runtime Environment 5.0 Update 9"
    "DisplayName"="Java 2 Runtime Environment, SE v1.4.0_01"
    "DisplayName"="Java(TM) 6 Update 3"
    "DisplayName"="Java(TM) 6 Update 5"
    "DisplayName"="Java(TM) SE Runtime Environment 6 Update 1"



    for info about J2SE Development Kit 5.0 Update 5 - see https://java.sun.com/javase/downloads/index_jdk5.jsp

    for info about Java 2 Platform, Enterprise Edition 1.4 SDK - see http://java.sun.com/j2se/1.4.2/download.html


    4) Reboot after uninstalling the above.

    5) Install the current version of Sun Java from: Sun Java Runtime Environment

    6) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    7) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: (no name) - {04DA2E3E-07DA-41DE-963C-A223B036DF34} - C:\WINDOWS\System32\khfFUKBQ.dll (file missing)
    O2 - BHO: {0ced8adc-dc88-976a-3d04-3329e79cbc92} - {29cbc97e-9233-40d3-a679-88cdcda8dec0} - C:\WINDOWS\System32\kcnxctyx.dll (file missing)
    O2 - BHO: (no name) - {2AA98D61-A32B-482E-BD73-C8C9415CA54D} - C:\WINDOWS\System32\wvUmkJaX.dll (file missing)
    O2 - BHO: (no name) - {413C7B82-ABBE-4B66-AEF3-1F9C6F5CB513} - C:\WINDOWS\System32\awtqQjjj.dll (file missing)
    O2 - BHO: (no name) - {6B6935F3-6493-468D-BFC2-3F013160C188} - C:\WINDOWS\System32\hgGvwvSJ.dll (file missing)
    O2 - BHO: (no name) - {89CDCE53-933B-4BE5-B7F8-D34D7EACD4D9} - C:\WINDOWS\System32\iiffGWMf.dll (file missing)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


    Do the following programs need to load at startup? If not, please fix them as well.

    O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    After you click fix, just close hijackthis.

    8) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):


    Code:
    KILLALL::
    
    FILE::
    C:\WINDOWS\SETBC.tmp
    C:\WINDOWS\SETD1.tmp
    C:\WINDOWS\SET47.tmp
    C:\WINDOWS\SET5C.tmp
    
    REGISTRY::
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{89CDCE53-933B-4BE5-B7F8-D34D7EACD4D9}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6B6935F3-6493-468D-BFC2-3F013160C188}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{413C7B82-ABBE-4B66-AEF3-1F9C6F5CB513}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2AA98D61-A32B-482E-BD73-C8C9415CA54D}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{29cbc97e-9233-40d3-a679-88cdcda8dec0}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04DA2E3E-07DA-41DE-963C-A223B036DF34}]
    
    
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    9) Now run CCleaner at the default setting with the Windows tab as the top one.

    10) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.


    Let me know how things are running now.

    abri
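As an added illustration (not code from this thread, nor from HijackThis or ComboFix), the Python below applies the same triage the helper does by hand to HijackThis O2/O4 lines quoted in this thread: a BHO registration whose DLL is "(file missing)" or "(no file)" is an orphaned CLSID key, and the matching CFScript REGISTRY:: deletions are generated from those. The sample log is constructed from lines on this page; the regexes, bucket names and function names are my own.

```python
"""Triage HijackThis O2/O4 lines and emit ComboFix deletions for orphaned BHOs.

Added illustration, not code from the thread or from HijackThis/ComboFix.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: six HijackThis lines copied from the results quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {04DA2E3E-07DA-41DE-963C-A223B036DF34} - C:\WINDOWS\System32\khfFUKBQ.dll (file missing)
O2 - BHO: {0ced8adc-dc88-976a-3d04-3329e79cbc92} - {29cbc97e-9233-40d3-a679-88cdcda8dec0} - C:\WINDOWS\System32\kcnxctyx.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ASM] "C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe" HIDEMAIN
"""

# Field layout of the two HijackThis line types used here (pattern names are my own).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
BHO_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

Bucket = List[Tuple[str, str]]


def triage(log_text: str) -> Dict[str, Bucket]:
    """Sort lines into orphaned BHOs (fix), live BHOs (review) and Run-key startups (review)."""
    out: Dict[str, Bucket] = {"orphaned_bho": [], "live_bho": [], "startup": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            target = m.group("target")
            # The CLSID is still registered but its DLL is gone: a dead registration
            # left behind after the DLL was removed, which is why the key must go too.
            if target.endswith("(file missing)") or target == "(no file)":
                out["orphaned_bho"].append((m.group("clsid"), target))
            else:
                out["live_bho"].append((m.group("clsid"), f"{m.group('name')} -> {target}"))
            continue
        m = O4_RE.match(line)
        if m:
            out["startup"].append((m.group("value"), f"{m.group('hive')} {m.group('cmd')}"))
    return out


def cfscript_registry_section(orphaned: Bucket) -> str:
    """Build the REGISTRY:: block in CFScript syntax: one [-key] line deletes one BHO CLSID key."""
    return "\n".join(["REGISTRY::"] + [f"[-{BHO_KEY}\\{clsid}]" for clsid, _ in orphaned])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for bucket, items in result.items():
        print(f"{bucket}:")
        for ident, detail in items:
            print(f"  {ident}  {detail}")
    print(cfscript_registry_section(result["orphaned_bho"]))
```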
     
  6. fabi

    fabi Private E-2

    Hi Abri,

    Thanks for coming back to me. My computer is indeed running much better since yesterday after all the processes recommended on Read and Run Me.

    Answer point:

    1. The reason I don't have many Windows updates, including SP2, is because they cause problems on my computer, like crashing, slowing down, etc. Maybe there is something wrong with my Windows?

    3. When I uninstalled "Java 2 Runtime Environment, SE v1.4.0_01" a warning came up saying: Error number 0x80040702, failed to load dll:Act Panel.
    Is that a problem, or can it be ignored?

    10. Logs attached.

    Thanks again for your time.

    Fabi
     


  7. abri

    abri MajorGeek

    Hi fabi,

    I would like for you to create a new restore point in System Restore. Later, after we finish everything, I'll have you remove any previously existing ones, but for the moment, your computer is at a good point and I would like for you to have this point to return to.

    The reason I want you to create a restore point is because I'm going to ask you to scan your Windows files to look for errors. I don't know what will happen in your case where some of your versions may be old or mixed old and new.

    If you've never created a new restore point, it is done as follows:
    Go to Start / All Programs / Accessories / System Tools / System Restore
    Check the box to create a new restore point and click Next. Put in the title "before scannow" and click on Create (or OK). It takes a moment to complete.

    Then, if you have your original Windows CD (you can also borrow a cd for this as long as it is the equivalent version - for instance, if you have XP Home SP1, then you would need to borrow a cd that is XP Home SP1), please go to Start / Run and copy/paste in sfc /scannow and click on ok. Allow the scan to run. If it finds faulty or corrupted files, it will ask you to insert your Windows cd and will look for a correct version.

    Let me know how this goes.
    abri
     
  8. fabi

    fabi Private E-2

    Hi Abri


    I've done it and it seems to have gone smoothly. Windows showed a message saying it was the wrong cd but I clicked retry and it started doing the blue scan bar.

    When I turned off the comp it flashed a few errors but too quickly to pick up and on re-start everything is fine, no error messages.

    Something I forgot to mention on my last post is that Spybot is still finding
    Microsoft.Windows.Security.InternetExplorer
    HKEY_USERS\S-1-5-21-1489147370-2031193195-3193700461-1005\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe (is not) W=1

    Thanks

    fabi
     
  9. fabi

    fabi Private E-2

    Hi abri

    Just a quick update. My computer seems less responsive after the scan. It has slowed down a bit.

    Cheers

    fabi
     
  10. abri

    abri MajorGeek

    Hi fabi,
    Does spybot fix this and does it come back again?
    abri
     
  11. fabi

    fabi Private E-2

    Hi Abri

    Yes, every time.

    Cheers

    Fabi
     
  12. abri

    abri MajorGeek

    Hi fabi,

    See if this helps:


    Go into Internet Explorer > Tools > Internet Options > Advanced tab > scroll down to Security (near the bottom). Uncheck these two (2) items unless you intentionally set them:
    • Allow active content from CDs to run on My Computer
    • Allow active content to run in files on My Computer
    Then run Spybot again and see if this entry is gone.

    abri
     
  13. fabi

    fabi Private E-2

    Hi abri

    I don't have those options on my explorer.
    The ones I have under security are:

    Check for publisher's certificate revocation
    Check for server certificate revocation (requires restart)
    Check for signatures on downloaded programs
    Do not save encrypted pages to disk
    Empty Temporary Internet Files folder when browser is closed
    Enable Integrated Windows Authentication (requires restart)
    Enable Profile Assistant
    Use SSL 2.0
    Use SSL 3.0
    Use TLS 1.0
    Warn about invalid site certificates
    Warn if changing between secure and not secure mode
    Warn if forms submittal is being redirected

    ...And that's all under InternetExplorer>Tools>Internet Options>Advanced - Security

    Am I looking in the right place?

    fabi
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may want to print the below if you cannot remember everything because I will be having you close your browser windows.

    Copy the bold text below to notepad. Save it as fixIFLL.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, close all browser windows including this one and then double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    After doing the above, reboot and then see if Spybot comes up clean.

    What we are doing is changing the default setting of the above registry key back to 1. This will create the following restrictions:
    • Disallow ActiveX.
    • Disallow binary behaviors.
    • Disallow Java.
    • Prompt for script running.
    • Prompt for cross-domain data.
     
    Last edited: Jun 21, 2008
  15. fabi

    fabi Private E-2

    Hi chaslang,

    I did it but it didn't work.

    I saved to the desktop and cut/paste the text to notepad and saved as all files but an error message comes up:

    Cannot import C:Docume~1\LESLIE~1\Desktop\fixIFLL.reg: Error accessing the registry

    Thanks

    Fabi
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that. I had an extra entry in the last fixIFLL.reg patch. Please use this one.

    Copy the bold text below to notepad. Save it as fixIFLL.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, close all browser windows including this one and then double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.
     
  17. fabi

    fabi Private E-2

    Hi chaslang,

    I've done it and the message came up saying it was added successfully. I rebooted and ran Spybot and it found the same entry.
    Microsoft.Windows.Security.InternetExplorer

    fabi
     
  18. abri

    abri MajorGeek

    Hi fabi,

    This seems to be a Spybot problem, as there are several entries about it in their forum. In your running processes you have AOL ASM. I don't know if you can see it, but it should be visible using msconfig. Please go to Start / Run and type in msconfig and click on okay. Put a check next to Diagnostic Mode. Go to the startup list and see if you can locate the ASM program. Put a check in every box except this program. Then click on Accept and okay and reboot your computer. Run Spybot again. Does it still come up?

    If it's gone, then go back into msconfig and put a checkmark next to it again. This will cause it to appear in HijackThis and you can remove it as follows:


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O4 - HKLM\..\Run: [ASM] "C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe" HIDEMAIN

    When you finish, just close HijackThis.

    Let me know if this works.

    abri
     
  19. fabi

    fabi Private E-2

    Hi abri,

    Welcome back.
    I've run the first part of your instructions but the entry still appears in Spybot, so I didn't do the HJT part because you said to do it only if the entry was gone. Am I right?

    Cheers

    fabi
     
  20. abri

    abri MajorGeek

    Hi fabi,

    You mentioned that after running scannow, your computer seemed to be slower. Please set your computer back to the restore point I had you make called "before scannow". To get to system restore, go to Start / All Programs / Accessories / System Tools / System Restore and select the option to return your computer to an earlier restore point. Click on the highlighted dates of the 19th or more recent and you should find it listed there with other restore points. Click on next and follow the prompts.

    Let me know if the speed of your computer returns to where it was prior to the scan.

    The reason you're getting the spybot error is because it's picking up a non-default security setting and it wants to fix it back to the default. Something is overriding this change so that Spybot picks it up again. This could be a setting you put this way yourself or could be caused by a piece of software or it could be caused by malware. I'll see if I can find any further ideas on it rather than just having Spybot ignore it. Do you have teatimer enabled or disabled?

    abri
     
  21. fabi

    fabi Private E-2

    Hi abri,

    Yes, it was behaving oddly. It was getting stuck in some processes until yesterday, when it got stuck altogether on the welcome page and wouldn't go any further, so I ran the Windows CD and asked it to repair my current installation. It seems to be behaving itself now; the only program that is still slow, but only in loading up, is Dreamweaver (taking longer to load the cache).

    Should I restore anyway?

    I don't think I changed any settings, but maybe some software is doing it. I have the usual office packages installed plus web page production packages from Macromedia and a drawing package called AutoCAD. That's all I can think of that is different from most computers. I also use Pegasus for email rather than Outlook.

    I have teatimer disabled.

    Thanks

    fabi
     
  22. abri

    abri MajorGeek

    Hi fabi,

    I think using the CD for the repair was a good idea. I had been wondering whether, if you have an older version of AutoCAD, this might have been getting in the way of your Windows Updates. Have you tried them since doing the repair with your CD? I think you should start a thread in the Software Forum to see if they might have a clue why your Windows Updates don't work. You can put the link to this thread in your thread over there so they have easy access to what you've done so far. In the instructions below, I'll be asking you to clear all your previous restore points and set a clean one.

    For the Spybot problem, I recommend asking over at the Spybot forum (Safer Networking), why you're unable to fix this. You can set Spybot to ignore this entry when it scans, but it would be nice to know why none of the suggestions I've given you from their forum has helped to eliminate this problem. Maybe they can tell you what's causing their scan to pick this up.

    I'm going to give you the final cleanup instructions.
    abri
     
  23. fabi

    fabi Private E-2

    Hi abri,

    I use AutoCAD 2002, but it wasn't installed when I tried to update to SP2. I'll try again and see if it works; if not, I'll do what you suggested. I'll also try to find out what's wrong with the entry in Spybot.

    I've done the cleanup and everything is ok. I also erased and created a brand new restore point. I'll read on about protecting my computer more effectively.

    Thank you so much for your help, chaslang's and everyone's from majorgeeks.com. You guys have created something awesome and it's a great help.

    Thanks again

    fabi
     
  24. abri

    abri MajorGeek

    You're welcome fabi,
    If you get an answer to the Spybot question, please post it back here. It will be useful to someone when they go looking for the same issue.
    And if you are able to figure out what's preventing your windows updates, I'd be happy to hear about it.
    abri
     
