Vundo

Discussion in 'Malware Help (A Specialist Will Reply)' started by tvazana, Jun 14, 2007.

  1. tvazana

    tvazana Private E-2

    I think I have Vundo or something like it on my computer. I get a lot of popups (such as Winantivirus, etc.). I followed the procedure listed on the Malware Removal Guide EXACTLY as listed. I had to run the online scans from normal mode and I got an awful lot of popups during the Pandascan, but it did manage to finish. I will attach 3 of the 5 logs on this message and the remaining 2 on the next. What do you think I should do? Thanks!
     

    Attached Files:

  2. tvazana

    tvazana Private E-2

    2 more log files

    ....continued from the previous message....here are the other 2 log files
    Thanks
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You forgot to follow the directions in step 7 of the READ ME and attach your log from HijackThis; however before doing that, let's run a couple other tools to start reducing the severity of your infection. You are very badly infected and we need to reduce the amount of manual cleaning that will be required.


    Run this Virtumonde aka Trojan Vundo Removal and do not attach the requested log right away. Run it multiple times until it comes up clean and then attach the final log.

    Now continue on with the below to help remove more malware.
    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now attach the below new logs and tell me how the above steps went.

    1. VundoFix
    2. ComboFix
    3. GetRunKey
    4. ShowNew
    5. HJT
    Make sure you tell me how things are working now!
     
  4. tvazana

    tvazana Private E-2

    I followed the instructions you laid out. I ran VundoFix a few times until eventually "\windows\system32\ssqrrrp.dll" was the only file that remained. I tried to remove that file about 4 more times (via VundoFix) and it would not budge. I ran the rest of the scans and toggled System Restore as indicated. It's been running smoothly for about the past 24 hours and Ad-Aware, Spybot and AVG scans all come up clean. I think everything is about back to normal. I attached the log files in this and the next post.
    Thanks!
     

    Attached Files:

  5. tvazana

    tvazana Private E-2

    Re: Vundo, more log files

    here are the other 2 log files
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should not have touched System Restore yet! That should only be done once you are clean, not before.

    Please attach the ComboFix.txt log. We do not need the quarantine log from ComboFix.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log from GetRunKey indicates you did not follow the directions in the READ ME in step 0 about not using MSconfig. You must get into normal startup mode and remain there. Do this now before continuing.

    Also, you did not install and run GetRunKey properly this time. You ran it properly the first time. Make sure you have extracted it from the ZIP file as instructed. I will ask for another new log after you do the below.

    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Also please uninstall Viewpoint Media Player as requested in step 0 of the READ ME.

    What are the below new folders for?
    Code:
    C:\
    ZGETRUNK      Jun 12 2007              "zgetrunk"
    ZSHOWNEW      Jun 12 2007              "zshownew"

    You have a load of Vundo related files hanging around in your C:\windows folder. Below is a list of them. Run Windows Explorer and locate each of these files and delete them. Only delete the files specified. Other files with .ini extensions are valid.
    Code:
    "C:\WINDOWS\"
    aycddd.ini    Jun 11 2007      943759  "aycddd.ini"
    bbcdeg.ini    Jun 14 2007      945599  "bbcdeg.ini"
    bcbcfe.ini    Jun  9 2007      971634  "bcbcfe.ini"
    cbdffe.ini    Jun 12 2007      944801  "cbdffe.ini"
    ccfffe.ini    Jun 14 2007      929437  "ccfffe.ini"
    dcegjl.ini    Jun 12 2007      948497  "dcegjl.ini"
    dcehii.ini    Jun 14 2007      945530  "dcehii.ini"
    dcfhkj.ini    Jun 13 2007      945371  "dcfhkj.ini"
    ddccfe.ini    Jun 14 2007      924386  "ddccfe.ini"
    ddggjl.ini    Jun  9 2007      971009  "ddggjl.ini"
    dedcfe.ini    Jun 12 2007      945008  "dedcfe.ini"
    dfikkj.ini    Jun 11 2007      944210  "dfikkj.ini"
    dgfeeg.ini    Jun 12 2007      944504  "dgfeeg.ini"
    dgihkj.ini    Jun 11 2007      944246  "dgihkj.ini"
    ehikjl.ini    Jun  9 2007      971352  "ehikjl.ini"
    feeghk.ini    Jun 13 2007      929386  "feeghk.ini"
    feeghk.tmp    Jun 14 2007      929386  "feeghk.tmp"
    ggikkj.ini    Jun 10 2007      970859  "ggikkj.ini"
    ghhgjl.ini    Jun 13 2007      929317  "ghhgjl.ini"
    hijiii.ini    Jun  9 2007      971496  "hijiii.ini"
    hjjklm.ini    Jun 12 2007      944459  "hjjklm.ini"
    ihhklm.ini    Jun 10 2007      970850  "ihhklm.ini"
    ikmpqr.ini    Jun 12 2007      948539  "ikmpqr.ini"
    jiknmp.ini    Jun 14 2007      943159  "jiknmp.ini"
    klmoqr.ini    Jun 13 2007      945866  "klmoqr.ini"
    lnoqpo.ini    Jun 13 2007      945428  "lnoqpo.ini"
    mlmnmp.ini    Jun 12 2007      948470  "mlmnmp.ini"
    mnmoqr.ini    Jun 12 2007      948530  "mnmoqr.ini"
    mnqpru.ini    Jun 11 2007      944030  "mnqpru.ini"
    mpqtut.ini    Jun 13 2007      929197  "mpqtut.ini"
    nmmlmp.ini    Jun 13 2007      945668  "nmmlmp.ini"
    nmmnmp.ini    Jun 14 2007      945737  "nmmnmp.ini"
    nmmoqr.ini    Jun 12 2007      944528  "nmmoqr.ini"
    noprss.ini    Jun 11 2007      965173  "noprss.ini"
    norrss.ini    Jun 12 2007      945188  "norrss.ini"
    norrtv.ini    Jun 10 2007      970970  "norrtv.ini"
    onoopo.ini    Jun 12 2007      945068  "onoopo.ini"
    oprtut.ini    Jun 14 2007      929557  "oprtut.ini"
    oprtut.tmp    Jun 14 2007      929557  "oprtut.tmp"
    oqppoq.ini    Jun  9 2007      971061  "oqppoq.ini"
    oruvxx.ini    Jun 14 2007      945659  "oruvxx.ini"
    oruvxx.tmp    Jun 14 2007      945659  "oruvxx.tmp"
    prsrru.ini    Jun  9 2007      971163  "prsrru.ini"
    qpqtwa.ini    Jun 12 2007      944348  "qpqtwa.ini"
    qprtss.ini    Jun 11 2007      964992  "qprtss.ini"
    qqpqpo.ini    Jun 14 2007      929668  "qqpqpo.ini"
    qrtwwa.ini    Jun 12 2007      948584  "qrtwwa.ini"
    qsutwa.ini    Jun 14 2007      943219  "qsutwa.ini"
    rqtttv.ini    Jun 12 2007      944939  "rqtttv.ini"
    ruxyxx.ini    Jun  9 2007      971721  "ruxyxx.ini"
    srsutv.ini    Jun 13 2007      929050  "srsutv.ini"
    stuwwa.ini    Jun 11 2007      944297  "stuwwa.ini"
    sututv.ini    Jun 12 2007      944261  "sututv.ini"
    suuutv.ini    Jun  9 2007      971823  "suuutv.ini"
    suwvxx.ini    Jun 13 2007      929248  "suwvxx.ini"
    svwyyb.ini    Jun  9 2007      971454  "svwyyb.ini"
    ttuutv.ini    Jun  9 2007      971087  "ttuutv.ini"
    ttuxbc.ini    Jun 12 2007      944870  "ttuxbc.ini"
    ttwxbc.ini    Jun 14 2007      945806  "ttwxbc.ini"
    tutsut.ini    Jun  9 2007      971754  "tutsut.ini"
    tutvvw.ini    Jun 11 2007      944207  "tutvvw.ini"
    tuvxxx.ini    Jun 12 2007      945257  "tuvxxx.ini"
    tvwadd.ini    Jun 14 2007      945866  "tvwadd.ini"
    tvxxay.ini    Jun  9 2007      970886  "tvxxay.ini"
    utttvw.ini    Jun 13 2007      928981  "utttvw.ini"
    utvvvw.ini    Jun 10 2007      970850  "utvvvw.ini"
    utvyxx.ini    Jun 12 2007      945137  "utvyxx.ini"
    vvwxxx.ini    Jun 14 2007      921781  "vvwxxx.ini"
    wvxwwa.ini    Jun 14 2007      943099  "wvxwwa.ini"
    xadddd.ini    Jun 14 2007      929590  "xadddd.ini"
    xaddgh.ini    Jun 10 2007      970910  "xaddgh.ini"
    xbadfe.ini    Jun 11 2007      944162  "xbadfe.ini"
    xwyccf.ini    Jun 13 2007      945557  "xwyccf.ini"
    xxwaay.ini    Jun  9 2007      971214  "xxwaay.ini"
    xyayyb.ini    Jun 12 2007      945317  "xyayyb.ini"
    yacfii.ini    Jun 14 2007      945926  "yacfii.ini"
    ycedeg.ini    Jun 10 2007      970859  "ycedeg.ini"


    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/w/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {6497e1fa-61d3-4c16-8a4e-2552974041ab} - C:\WINDOWS\system32\dx3SEQ.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O20 - AppInit_DLLs: c:\windows\system32\ssqrrrp.dll

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 8 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  8. tvazana

    tvazana Private E-2

    Here is the ComboFix log. When I hit F8 to enter safe mode I could not use the up/down arrows on my keyboard to select an option for startup...so the only way I could get there (in order to run the 2 online scans) was from msconfig. Those 2 folders you listed are the folders for "getrunk" and "shownew"; I just added a "z" before them so I could locate them easier.

    I deleted the first list of files, but the second list...

    C:\WINDOWS\SYSTEM32\
    tmp692~1.dll Jun 14 2007 39124 "tmp692.tmp.dll"
    tmp695~1.dll Jun 14 2007 39124 "tmp695.tmp.dll"
    tmp698~1.dll Jun 14 2007 39124 "tmp698.tmp.dll"
    tmp69b~1.dll Jun 14 2007 39124 "tmp69B.tmp.dll"
    tmp69e~1.dll Jun 14 2007 39124 "tmp69E.tmp.dll"

    were not there (I unchecked the 2 boxes under Explorer, Tools, Folder Options, View). I uninstalled CounterSpy (but couldn't locate those 2 folders), re-extracted and ran GetRunKey. Attached the 2 logs. Everything seems to be running smooth.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please re-read message number 7! Did you run the procedure with HJT and Avenger?
     
  10. tvazana

    tvazana Private E-2

    I don't know which message is #7.
    I ran HijackThis and attached the log file but I didn't check off anything to be fixed at the end of that procedure...should I have? What is Avenger? Where do I find out how to run that?
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Message number 7 in this thread! Each message is numbered at the top right of the message box. This is the message you were reading when you started deleting files. You need to re-read the message since it was updated shortly after first posting to add more instructions. You can never go by what you receive in an email message if you subscribe to threads. Always refer to current information in the actual thread.

    You need to complete the other steps with HJT and Avenger.
     
