Win32.rungbu.a

Discussion in 'Malware Help (A Specialist Will Reply)' started by Moses, Dec 11, 2008.

  1. Moses

    Moses Private E-2

    Greetings, helpful people.

    I ran the normal scan and cleanup procedure. I did it yesterday, finding a couple of funky entries. One that Spybot picked up on was win32.rungbu.a. After running the procedure I did a quick run with spybot again and something else, but they didn't find anything so I cleared my system restore points and restarted as usual as I figured I was all good by this point.

    However, I ran a check with spybot again today after restarting and win32.rungbu.a has appeared again.

    So I did the run me procedure again, and these are the results.

    I wasn't able to get a log from superantispyware. Every time I try to open up the log files in "preferences -- statistics/logs" notepad freezes up. Is there some place where all the log files are stored that I could retrieve them from? In any case it didn't find anything today, although it did yesterday.

    Here are all the other logs, though.

    I'm not seeing any outwardly visible signs that my computer's infected, but I never did in the first place, yet win32.rungbu.a persists.

    Any help at all would be much appreciated.

    It's an HP laptop with windows XP service pack 2 (I really should get to installing sp 3, I guess...)

    I'm not running any antivirus right now. I was thinking of trying out avira. Avast/AVG slows down my computer /a lot/.

    Thanks again.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are running a very old version of MGTools. Please remove it and download the latest version from the Read and Run First instructions.

    Your SAS logs are here:
    Code:
    "C:\Documents and Settings\Moses\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\"
    su2ae6~1.log  Dec 10 2008         568  "SUPERAntiSpyware Scan Log - 12-10-2008 - 15-20-48.log"
    
    You should never be running without an AV program... even if it is just to post here.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now use windows explorer to find and delete:
    C:\6fnlpetp.exe
    C:\WINDOWS\system32\vamsoft.exe
    C:\WINDOWS\system32\vbsdfe0.dll
    C:\WINDOWS\system32\vbsdfe1.dll

    Now attach a "New" mglogs.zip.

    **CAUTION: Using P2P programs and torrent downloads can be dangerous, as they by-pass your firewall and may contain malware.
     
  3. Moses

    Moses Private E-2

    Greetings, TimW.

    I did as you said with the updated MGTools, hijackthis and the registry fix, however I ran into problems with the second part: I couldn't find any of the files you said to delete manually.

    Something sort of funky goes on: every time I go into the folder options menu and uncheck "Hide protected operating system files", then hit apply and ok, nothing changes (I can't see hidden files) and when I go back into folder options, it's re-checked again. I've noticed this before. It only seemed to work correctly right after using Combofix, and then went back to its funkiness after re-starting. Is there another way to keep this setting the way I want it?

    Here's the MGtools logs.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Our tools set your policy for hidden files and folders. It will return when we are finished.

    Why could you not find the files? They are in your newfiles log right here:
    Code:
    Locating all files created in C:\ within the last 90 days.         
    
    "C:\"
    6fnlpetp.exe  Dec  3 2008      108963  "6fnlpetp.exe"  --> This one!
    boot.ini      Sep 28 2008         281  "boot.ini"
    CMDCONS       Sep 28 2008              "cmdcons"
    
    Locating .EXE files created in C:\WINDOWS\system32 within the last 90 days.     
    
    "C:\WINDOWS\system32\"
    java.exe      Oct  2 2008      139264  "java.exe"
    javaw.exe     Oct  2 2008      139264  "javaw.exe"
    javaws.exe    Oct  2 2008      143360  "javaws.exe"
    vamsoft.exe   Dec 11 2008      106321  "vamsoft.exe"  --> This one!
    

    And you should also consider getting more RAM for this system.
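    The newfiles listing above is a simple triage source: recently created executables in odd places (the drive root, system32) stand out once you read the listing programmatically instead of by eye. The script below is an added example, not part of this thread or of MGTools. It parses the layout shown in the quoted log (short name, creation date, size, quoted long name, grouped under a quoted directory header) and applies a few defender heuristics; SAMPLE_LOG, KNOWN_GOOD, the 14-day window and the reference date of Dec 11 2008 are constructed for the example.

```python
"""Triage a newfiles-style listing of recently created files.

Added example; not part of the thread or of MGTools.  Parses the listing
layout quoted in the thread and flags executables worth a closer look.
"""
import os
import re
from datetime import date, datetime

# Constructed sample in the same layout as the listing quoted in the thread.
SAMPLE_LOG = """
Locating all files created in C:\\ within the last 90 days.

"C:\\"
6fnlpetp.exe  Dec  3 2008      108963  "6fnlpetp.exe"
boot.ini      Sep 28 2008         281  "boot.ini"
CMDCONS       Sep 28 2008              "cmdcons"

Locating .EXE files created in C:\\WINDOWS\\system32 within the last 90 days.

"C:\\WINDOWS\\system32\\"
java.exe      Oct  2 2008      139264  "java.exe"
javaw.exe     Oct  2 2008      139264  "javaw.exe"
javaws.exe    Oct  2 2008      143360  "javaws.exe"
vamsoft.exe   Dec 11 2008      106321  "vamsoft.exe"
"""

# Constructed allow-list; in practice this comes from a known-good inventory.
KNOWN_GOOD = {"java.exe", "javaw.exe", "javaws.exe"}
EXECUTABLE_EXTS = {".exe", ".dll", ".com", ".scr", ".sys"}

DIR_RE = re.compile(r'^"(?P<dir>[A-Za-z]:\\.*)"$')
FILE_RE = re.compile(
    r'^(?P<short>\S+)\s+'
    r'(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<year>\d{4})\s+'
    r'(?P<size>\d*)\s*"(?P<name>[^"]+)"$'
)


def parse_newfiles(text):
    """Return a list of (directory, name, created_date, size_or_None)."""
    entries, current_dir = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Locating "):
            continue
        m = DIR_RE.match(line)
        if m:
            current_dir = m["dir"]
            continue
        m = FILE_RE.match(line)
        if m and current_dir is not None:
            created = datetime.strptime(
                f"{m['mon']} {m['day']} {m['year']}", "%b %d %Y").date()
            size = int(m["size"]) if m["size"] else None  # directories have no size
            entries.append((current_dir, m["name"], created, size))
    return entries


def looks_random(stem):
    """Crude check for machine-generated names: letters mixed with digits,
    or a longish run with no vowels at all."""
    s = stem.lower()
    has_digit = any(c.isdigit() for c in s)
    has_alpha = any(c.isalpha() for c in s)
    no_vowel = not any(c in "aeiouy" for c in s)
    return (has_digit and has_alpha) or (len(s) >= 6 and no_vowel)


def triage(entries, reference, known_good=KNOWN_GOOD, window_days=14):
    """Map full path -> list of reasons for every executable worth checking."""
    flagged = {}
    for directory, name, created, _size in entries:
        stem, ext = os.path.splitext(name)
        if ext.lower() not in EXECUTABLE_EXTS:
            continue
        reasons = []
        if re.fullmatch(r"[A-Za-z]:\\", directory):
            reasons.append("executable in drive root")
        age = (reference - created).days
        if 0 <= age <= window_days and name.lower() not in known_good:
            reasons.append("recently created and not in known-good list")
        if looks_random(stem):
            reasons.append("random-looking name")
        if reasons:
            flagged[directory + name] = reasons
    return flagged


def triage_sample():
    """Run the pipeline over the constructed sample (log dated Dec 11 2008)."""
    return triage(parse_newfiles(SAMPLE_LOG), date(2008, 12, 11))


if __name__ == "__main__":
    for path, reasons in triage_sample().items():
        print(path, "->", "; ".join(reasons))
```

    On the sample this flags exactly the two files TimW marked: C:\6fnlpetp.exe (root-level executable, recent, random-looking name) and C:\WINDOWS\system32\vamsoft.exe (recent and not in the allow-list), while the Java binaries and boot.ini pass. The heuristics are deliberately simple; the value is in reading the whole listing consistently rather than in any one rule.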
     
  5. Moses

    Moses Private E-2

    TimW,

    I can't find those files because I can't see them. Even when I try to change the viewing options it never switches over: I can't see any hidden files.

    Should I do the read & run me process again? I noticed it worked correctly immediately after using Combofix.
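    TimW attributes the reverting "Hide protected operating system files" checkbox to a policy the cleanup tools set, and it comes back once they are removed. Independently of that, Explorer persists each Folder Options choice through registry templates under HKLM, and when those templates or the per-user values are not what Explorer expects the checkbox reverts in exactly this way. The script below is an added example, not part of this thread or of MGTools; the registry paths and expected values it uses are assumptions taken from the well-known XP/Vista layout, and the HEALTHY and TAMPERED snapshots are constructed. evaluate() is pure so it can be exercised on any platform; read_windows_settings() needs Windows.

```python
"""Explain why a Folder Options choice may not be taking effect.

Added example; not from the thread or MGTools.  Registry locations below are
assumed from the documented Explorer layout (verify on your own build).
"""
ADVANCED = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"          # under HKCU
TEMPLATES = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder"  # under HKLM

# finding key -> (HKLM template subkey, value name, value Explorer expects)
TEMPLATE_EXPECTED = {
    "SHOWALL.CheckedValue": (r"Hidden\SHOWALL", "CheckedValue", 1),      # "Show hidden files" writes Hidden=1
    "SuperHidden.CheckedValue": ("SuperHidden", "CheckedValue", 0),      # ticking "Hide protected OS files" writes 0
    "SuperHidden.UncheckedValue": ("SuperHidden", "UncheckedValue", 1),  # unticking it writes ShowSuperHidden=1
}


def evaluate(settings):
    """Return human-readable findings for a dict of registry values."""
    findings = []
    for key, (_subkey, _value, want) in TEMPLATE_EXPECTED.items():
        got = settings.get(key)
        if got != want:
            findings.append(
                f"{key} is {got!r} (expected {want}); Explorer cannot persist "
                "that Folder Options choice, so it reverts when the dialog is reopened")
    if settings.get("Hidden") != 1:
        findings.append("HKCU Hidden != 1: hidden files and folders are not shown")
    if settings.get("ShowSuperHidden") != 1:
        findings.append("HKCU ShowSuperHidden != 1: protected operating system files are hidden")
    return findings


def read_windows_settings():
    """Collect the live values (Windows only; None for values that are absent)."""
    import winreg

    def query(root, path, value):
        try:
            with winreg.OpenKey(root, path) as key:
                return winreg.QueryValueEx(key, value)[0]
        except OSError:
            return None

    settings = {
        "Hidden": query(winreg.HKEY_CURRENT_USER, ADVANCED, "Hidden"),
        "ShowSuperHidden": query(winreg.HKEY_CURRENT_USER, ADVANCED, "ShowSuperHidden"),
    }
    for key, (subkey, value, _want) in TEMPLATE_EXPECTED.items():
        settings[key] = query(winreg.HKEY_LOCAL_MACHINE, TEMPLATES + "\\" + subkey, value)
    return settings


# Constructed snapshots: a normal machine, and one whose SHOWALL template was
# altered so the "Show hidden files" choice silently fails to stick.
HEALTHY = {"Hidden": 1, "ShowSuperHidden": 1, "SHOWALL.CheckedValue": 1,
           "SuperHidden.CheckedValue": 0, "SuperHidden.UncheckedValue": 1}
TAMPERED = dict(HEALTHY, **{"Hidden": 2, "SHOWALL.CheckedValue": 0})

if __name__ == "__main__":
    try:
        live = read_windows_settings()
    except ImportError:
        live = TAMPERED  # not on Windows: show the constructed case instead
    for line in evaluate(live) or ["Folder Options values look normal"]:
        print(line)
```

    Run on the affected machine it tells you which side is at fault: a wrong HKCU value means the choice simply is not set, while a wrong HKLM template means the dialog cannot set it no matter how many times you click Apply. Either way, compare the values against a known-clean machine of the same Windows version before changing anything.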
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download The Avenger by Swandog469 and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  7. Moses

    Moses Private E-2

    Greetings, TimW,

    Merci beaucoup: here are the logs. Oh and I can finally see hidden files again. ^^
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good deal......If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip file.
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work through the below link:

     
  9. Moses

    Moses Private E-2

    Greetings, TimW.

    Before going through the final steps I did a quick run with Malwarebytes and found an entry. I uploaded the log. Is it anything to worry about? (I haven't restarted my computer yet after finding it just in case something wonky occurs during startup).

    edit: Now that I can see hidden files I also deleted those two .dll's you mentioned earlier but which I couldn't find.
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This is why we suggest that you keep both SAS and MBAM... :) You need to use them as often as your surfing habits dictate.
     
  11. Moses

    Moses Private E-2

    So it's not related? I've been using a different computer: the infected laptop's pretty much only been here and the BBC website since we started work on my system.
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What is happening? Are you having other new problems? Do any of the scans pick up anything else? If so, attach the logs.
     
