Vundo virus - some assistance required

stewieandco · Aug 5, 2008

Well, i have finally found a formidable adversary to myself - the Vundo virus. I've been able to remove all other viruses without drama, but this one has me stumped. I believe it was last night, the virus entered my computer. I logged on at 3:30pm this afternoon, and i noticed that certain pages were loading and certain pages were hanging (for example, hotmail, Skyscrapercity.com and google worked, while Myspace, Giveaway of the Day and Bigpond hanged). I've had problems with the LAN and this could happen. Rebooting had always solved the problem. So i rebooted, and logged in, before getting a userinit.exe error. (code 0xc000005). I clicked ok to terminate application, and got it again. i eventually made it to where my desktop is, but got only my background. So i used task manager to load explorer.exe and got my desktop back. I knew i had a problem, so i ran a SuperAntiSpyware and a Bitdefender scan, and it identified a Vundo trojan. I checked the internet and saw that the symptoms matched what i have, with internet hanging, boot troubles, ...... So i spent several hours trying different programs (RogueRemover, Vundofix, one by Trend Micro, and those listed on MG. I've attached a few of the log files from those listed, but Combofix would not run due to a rundll error (same as userinit.exe error).

TimW · Aug 5, 2008

Why did you run MalwareBytes and not fix all that it found?

Please re-run it and fix the issues that it reports. Then attach the new log and also the log from running MGTools.exe (from the READ & RUN ME FIRST. Malware Removal Guide).

stewieandco · Aug 5, 2008

Hi
The Malawarebytes log file is before the items were fixed. How do you save a log file for it as when it finishes taking action it closes?

Cant run MGtools.exe. Comes up with error message similar to #4 (Rundll error) but have .Net Framework 3.5.

TimW · Aug 5, 2008

We want to see what was fixed....if you open MalwareBytes...there is a tab for the logs.

Give me the exact error message....

Go to Bitscan link: agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

Click-on the Detected Problems tab. Then select Click here to export the scan report

When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt) and then in the File name box enter change to bdscan then click save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are at so you can find it later). This bdcan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

stewieandco · Aug 6, 2008

Hi
Have managed to rid my computer of the virus. I found the infected file in the Windows folder but it would not let me delete it. It kept saying that the file was in use. I then installed Creative Elements Power Tools and set it to delete files in use. Deleted the file and rebooted. It was gone.
Thanks for all your help

TimW · Aug 6, 2008

Very well .....If you are not having any other malware problems, it is time to do our final steps:

You can uninstall SUPERAntiSpyware now.

We recommed you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combo-fix folder from combofix.

If we had you run Avenger, you can delete all files related to Avenger now.

If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Click to expand...

Log in or Sign up

Vundo virus - some assistance required

stewieandco Private E-2

Attached Files:

mbam-log-8-5-2008 (23-59-37).txt

SpybotSD.Results.txt

SUPERAntiSpyware Scan Log - 08-05-2008 - 23-26-20.log

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

stewieandco Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

stewieandco Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member