TechSpot

8 Steps Removal Done--Possible Vundo?

By hyjinx
Dec 31, 2008
  1. Hi,

    I'm actually new to these sorts of message boards but I need help. For the last 3 days I've gotten alerts from Windows Defender that I've had Vundo, also alerts for it from AVG before I switched to Avira, I've removed it each time but it keeps returning. I've done the 8 steps and Vundo wasn't mentioned but I still think it's there. I saw somewhere that it could hide in the restore files. Could someone have a look at my logs please and tell me if it's gone? I've never read them before and don't know what to look for.
     
  2. rev_olie

    rev_olie TS Maniac Posts: 560

    Hi Hyjinx

    Just to let you know, I will take a look at your logs tomorrow, just so you are not left in the dark as to what is happening.

    However, before I look at them, can you:

    Right-click your Hijackthis icon and go to Properties.

    Then rename the Hijackthis icon to "analyse this" or something similar.

    Then re-scan and post the new log. This is because some programs can hide from Hijackthis and make things difficult.

    Thanks
     
  3. hyjinx

    hyjinx TS Rookie Topic Starter

    Just rename it in General Tab? Not the Path name or Startup file?

    If so, I did that. Here's the log...
     
  4. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 151

    HyJinx

    I can see by your log files this may be a company computer or one you use to connect to a company?
    Novell network, Lotus Notes, corporate domain?
    Please let me know your type of connection: is it VPN or SSL?
    Just want to keep you safe and not have things broken...

    This is the one I want to know about: O1 - Hosts: 172.17.226.89 HC1

    General cleanup is needed and will hurt anything.
    Right-click on the My Computer icon and go to Properties.
    Turn off System Restore.
    Open IE and go to Tools > Options; delete temporary internet files and cookies.
    Do a disk cleanup from your Start > Accessories > System Tools menu.


    Download Malwarebytes and install it.

    BEFORE YOU DO THIS, remember the connection O1 - Hosts: 172.17.226.89 HC1

    Run HijackThis and Malwarebytes at the same time.
    Select any files and/or keys in the attachment I posted in HijackThis, but on both Malwarebytes and HijackThis click Fix at the same time.
    Then reboot immediately.
    If you forget to turn off System Restore it will return no matter what.
    You have the Google redirecter also: O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
    MAKE sure you check all in HijackThis.
    Reboot once complete, run HijackThis and post your log here again.


    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    C:\WINDOWS\system32\dpmw32.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    O1 - Hosts: 172.17.226.89 HC1
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll

    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe

    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe

    O4 - Global Startup: APC UPS Status.lnk = ?

    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

    O20 - AppInit_DLLs: girruy.dll

    O20 - Winlogon Notify: geBuRIAT - geBuRIAT.dll (file missing)

    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
     
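An added example, not code from the thread or from HijackThis itself: a small Python triage pass over HijackThis-style log lines of the kinds quoted above (O1 Hosts, O2 BHO, O10 LSP, O20 AppInit_DLLs / Winlogon Notify). The sample lines are constructed from the quoted entries, and the flagging rules are my assumptions about what merits a closer look, not a verdict on any file.

```python
import re

# Constructed sample modelled on the entries quoted in the thread (not the original log).
SAMPLE_LOG = """\
O1 - Hosts: 172.17.226.89 HC1
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\\Program Files\\BAE\\BAE.dll
O4 - HKLM\\..\\Run: [NDPS] C:\\WINDOWS\\system32\\dpmw32.exe
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
O20 - AppInit_DLLs: girruy.dll
O20 - Winlogon Notify: geBuRIAT - geBuRIAT.dll (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe
"""

# HijackThis lines look like "<section> - <body>", e.g. "O20 - AppInit_DLLs: girruy.dll".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")


def flag_entry(section, body):
    """Return a reason string if the entry deserves a closer look, else None (assumed rules)."""
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        # AppInit_DLLs is loaded into every process that links user32.dll, a classic persistence spot.
        return "AppInit_DLLs entry is loaded into every GUI process"
    if section == "O20" and "(file missing)" in body:
        return "Winlogon Notify points at a file that no longer exists (leftover registration)"
    if section == "O2" and body.endswith("(no file)"):
        return "orphaned BHO registration"
    if section == "O1":
        # "Hosts: <ip> <name>": a non-loopback mapping overrides DNS for that name;
        # legitimate on a corporate LAN, so confirm it with the machine's owner.
        parts = body.split()
        if len(parts) >= 3 and not parts[1].startswith("127."):
            return f"hosts entry maps {parts[2]} to {parts[1]}; confirm it is expected"
    if section == "O10" and body.startswith("Unknown file in Winsock LSP:"):
        return "unknown Winsock LSP; HijackThis cannot fix these, use an LSP repair tool"
    return None


def triage(log_text):
    """Parse HijackThis-style lines and return (section, body, reason) for flagged entries."""
    flagged = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        reason = flag_entry(m["section"], m["body"])
        if reason:
            flagged.append((m["section"], m["body"], reason))
    return flagged


if __name__ == "__main__":
    for section, body, reason in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```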
  5. hyjinx

    hyjinx TS Rookie Topic Starter

    It's a computer that I got from a relative, sort of borrowing it for the present, so yes it does have network stuff on it but it isn't attached to any network now.

    I installed and ran Malwarebytes as part of the 8 steps and posted the log in my initial post. The result of that scan was clean, but I'm running it again and will post the log when it's finished.

    I did notice
    O20 - AppInit_DLLs: girruy.dll
    in your list of items to check. This was the name of the most recent Vundo alert from CA eTrust.

    Edit: Am I supposed to fix only the files you listed, BlkHeart, or all of the files HijackThis shows?
     
  6. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 151

    JUST the ones in my thread or post.
     
  7. hyjinx

    hyjinx TS Rookie Topic Starter

    The malwarebytes scan came up clean for the second time. I checked and fixed all the ones you listed except this one:

    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

    HJT said it couldn't fix it and said I needed something called LSPFix(?)
     
  8. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 151

    Let's see, checking file.
     
  9. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 151

    LOOKING GOOD

    Remember to turn on SYSTEM RESTORE.
     
  10. hyjinx

    hyjinx TS Rookie Topic Starter

    Does that mean we're done? It's gone?
     
  11. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 151

  12. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 151

    Add me as a friend and I will be sending some IE settings soon to help avoid this stuff.

    Good job.
     
  13. hyjinx

    hyjinx TS Rookie Topic Starter

    Thank you so very, very much. You have no idea how much I appreciate your help. This has been driving me insane for days.:D

    I'm primarily a Firefox user (I cleared files and cookies there as well) but any help would be great.
     
  14. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 151

    Add me as a friend and I will be sending some IE settings soon to help avoid this stuff.

    No browser is safe from it and the SYSTEM uses IE settings. Take care.
     