TechSpot

Am I clean? 8 steps performed for vundo and crypt.fkm.gen

By dmcrx7
Dec 6, 2008
  1. avira said I had vundo and crypt.fkm.gen trojans.

    I have performed the 8 steps.

    Am I clean?
     
  2. dmcrx7

    dmcrx7 TS Rookie Topic Starter Posts: 42

    Vundo hard to get rid of

    avira still showed vundo files.
    Re-ran mbam.
    Here's the log file for mbam and hijack this.
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The Vundo malware is in the System Restore points. These are protected files, so the cleaning programs don't remove it from there. We will drop the old restore points when the cleaning is complete. In the meantime, do NOT use System Restore, as you will reinfect the system.

    Have SAS remove the Tracking Cookies. Click on lower left image here to enlarge- shows where to check:
    http://superantispyware.en.softonic.com/images

    When done:
    Reset Cookies:
    Update Java:
    Update Adobe:
    You need to disable Real Time monitoring while cleaning:
    Spybot S&D (Teatimer)
    Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:

    1. Control Panel> Add/Remove Programs> UNINSTALL the following:
    2. Start> Run> msconfig> enter> Selective Startup> Startup menu> UNCHECK everything EXCEPT the processes for Avira/AntiVir
    Apply> OK> Reboot.

    NOTE: you will get a nag message that you can ignore after checking 'don't show this message again.' Stay in Selective Startup.

    Run HijackThis again and attach a new log. I may have you run another program after I see the log.
     
  4. dmcrx7

    dmcrx7 TS Rookie Topic Starter Posts: 42

    update

    The cookies had already been removed - apparently the log printed before removal.

    I use firefox most of the time, do I need to change cookie settings there?

    Java has been updated, I switched to foxit.

    I removed Spybot early in the process, leaving only the resident running. (couldn't figure out how to turn it off)
    Should I reinstall and let it scan?

    Windows uninstaller would not run in Safe Mode, so I had to switch to regular startup to delete the old Java and all Adobe.


    A bit off topic, but for some reason, I do not have a Run option from the start menu on this computer. I just use the msdos shortcut
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Protection in Firefox:
    To disable the Spybot Resident (Teatimer)
    (if you should need to do this in the future).

    I should have warned you about this. Some of the FoxIt downloads have the ask.com toolbar checked- I see you got it, but we need to remove it. It is a known high deliverer of ads and various adware:

    Have HijackThis remove these 2 entries:
    I know the second one says Foxit Toolbar, but the CLSID is for Ask. Please see the information here why you don't want it:
    http://www.benedelman.org/spyware/ask-toolbars/

    Boot back into Safe Mode after closing HijackThis and clicking on FixChecked:

    Look on Startup and UNCHECK anything for either FoxIt OR Ask.
    Then use Add/Remove Programs to uninstall the Ask entry.

    I really hate it when the software makers do this. While users should always look carefully at the download screens, it is easy to miss this.

    Otherwise the log appears to be clean. Looks like the 020 entries are gone. How is your system performing? Do you have any indication at all of remaining malware?
     
  6. dmcrx7

    dmcrx7 TS Rookie Topic Starter Posts: 42

    almost there

    OK, firefox is ready

    I saw the ask toolbars, but when I unchecked them, it said that some features of foxit would be disabled unless I downloaded it.

    Nothing showed up in Safe Mode for Ask or Foxit.

    there was one entry that was blank in the first two columns.

    Should I reinstall Spybot and turn off TeaTimer in advanced settings? I had read where the resident for IE was a good thing to have running.

    System is slower than it used to be, but prob about right with avira running. I had been running without any virus protection previously.

    MBAM seems to have cleaned the Vundo from the restore files (A0000155.exe). These were showing up in Avira. Now MBAM and Avira are clean.
    Thanks for all your help.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    FoxIt does not require the ask.com toolbar. That's just a marketing gimmick. Remove ALL entries and references to ask.com.

    Go ahead and reinstall Spybot S&D. You can run TeaTimer if you want; it just needs to be turned off when we're doing scans. It offers Real Time protection; some have an occasional conflict from that. I left the information for you in case you needed to disable TeaTimer in the future. Whether you run it usually is up to you.

    Mbam does NOT remove the restore points. It will show 'System Volume' but they are not removed until we drop them. If you would like to do that now you can:
    Clear system restore points
    I should have caught these last night. I'm sorry- I was tired. These autoruns need to be stopped and removed:
    Please open Autoruns and remove entries for the following processes. Once the entries have been removed, reopen HijackThis and check the following:
    Also, I suggest you take these off of startup:
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\msconfig.exe /auto>>Not Required at Startup - Microsoft Office Application Launcher- do not need to start on boot.
    O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe">> does not need to start on boot
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.onlinegis.net/download/MgViewer6.0CAB/mgaxctrl.cab >>>> Autodesk MapGuide

    O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://mail.cmicompany.com/dwa7W.cab >>>
    Lotus Domino Web Access for Web access to email and collaboration
    Please see this information regarding the vulnerability of this CLSID: http://securitytracker.com/alerts/2007/Dec/1019138.html

    This should not be enabled unless you are actively using or giving remote support. It can be a security issue:
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    Related to LogMeIn LogMeIn Rescue is used by IT helpdesks to provide instant remote support to customers and employees.

    When done, close all Windows except HijackThis, click on Fix Checked and reboot into Safe Mode:
    Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK entries for any of the following:
    Right click on Start> Explore> Windows> System 32> right click> delete of any of the following if found:
    Reboot into Normal Mode. You will get a nag message you can ignore after checking 'don't show this message again.' Stay in Selective Startup.

    I would like you to run one more HijackThis scan and make sure we have handled the autoruns. If clean, we'll remove the cleaning tools.
     
  8. dmcrx7

    dmcrx7 TS Rookie Topic Starter Posts: 42

    Update

    restore points set and removed.

    Removed all O4's requested except RocketDock. I kinda like it; is it a vulnerability?

    domino is used for my work email, removed it, guess I have to click no on the dialog box that pops up?

    LogMeIn is used to access a work computer. Can this be set up intermittently and shut off? Is this a vulnerability?

    the dll's were already gone from system32.
    No references to the removed O4's showed up in msconfig.
     
  9. dmcrx7

    dmcrx7 TS Rookie Topic Starter Posts: 42

    one more thing

    Also noticed java/jre6/bin/jusched in msconfig startup.

    Is this necessary?
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    This is the Java updater and should be turned off. Every time we do anything with Java, it puts itself back on Startup:

    Control Panel> Java> Update tab> UNCHECK 'Check for updates automatically'> OK> Answer Yes when asked if you're sure.

    You still show TeaTimer running. You said you uninstalled Spybot S&D and I then, again, told you how to disable it, but it's still running:
    You still have one process that needs to be stopped in Autoruns:
    O4 - HKUS\S-1-5-20\..\Run: [vawaluzolu] Rundll32.exe "C:\WINDOWS\system32\hujinuya.dll",s (User 'NETWORK SERVICE')

    The names "vawaluzolu" and "hujinuya" smack of malware and cannot be identified.

    Please re-read my comment about Logmein and Domino.

    If you go back and read my suggestions in Post #7, you will see that I recommended you take some programs off of Startup. RocketDock was one of them. It does not mean you can't use it- it means you launch it manually when you do want to use it instead of having it start on boot and run in the background.

    I also recommend you take ALL of the HP processes off of Startup. Printers, cameras and Open Office do NOT need to start on boot. When they do, they continue to run in the background. This uses resources that are better applied elsewhere. They can be started manually when needed.

    The ONLY processes that need to start on boot are the antivirus, firewall and touchpad if on a laptop. Everything else can be called up and started manually when needed.
     
  11. dmcrx7

    dmcrx7 TS Rookie Topic Starter Posts: 42

    You still show TeaTimer running. You said you uninstalled Spybot S&D and I then, again, told you how to disable it, but it's still running:

    Quote:
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    Please refer to either of my previous two posts giving directions to disable teatimer.

    You still have one process that needs to be stopped in Autoruns:
    O4 - HKUS\S-1-5-20\..\Run: [vawaluzolu] Rundll32.exe "C:\WINDOWS\system32\hujinuya.dll",s (User 'NETWORK SERVICE')

    The names "vawaluzolu" and "hujinuya" smack of malware and cannot be identified.

    I'll remove these, and the HP related startups. I guess Spybot only partially uninstalled, so I couldn't start it to follow your instructions. I'll reinstall and disable TeaTimer. Can I remove SuperAntiSpyware to see if it speeds things up a bit?


    I'm still confused about Domino and LogMeIn. I can't get to the Domino link unless I subscribe to SecurityTracker, and I couldn't find much with a Google search. It'll take a couple days to activate a free trial with them.
    I think you're saying to only activate when needed, but I don't know how to keep them from popping up in startup again.
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    My apology about referring you to the SecurityTracker. I thought the site had the patch for Domino. I missed that you had to register and ultimately purchase.
    Leave Domino running, but check their homesite and see if there is any patch or update for Domino Web Access 7 Control.

    Do you really need the program "LogMeIn". It uses up a lot of resources and requires total accessibility to the net. If not I recommend you uninstall it through Add/Remove programs, then DELETE the folder using Windows Explorer and Reboot

    When finished, run one more HijackThis scan and attach the log.
     
  13. dmcrx7

    dmcrx7 TS Rookie Topic Starter Posts: 42

    update

    I think I got it. This is the second time I have removed
    O4 - HKUS\S-1-5-20\..\Run: [vawaluzolu] Rundll32.exe "C:\WINDOWS\system32\hujinuya.dll",s (User 'NETWORK SERVICE')

    hujinuya .dll was removed the first time and has not returned to the C:\WINDOWS\system32 directory.

    I did a search of the c drive and found it here:
    C:/documents and settings/all users/application data/Spybot - Search and Destroy/Recovery/Virtumondeprx.zip

    I don't see logmein in hijackthis, add/remove programs, or a c: search anymore.

    Can I keep windows messenger from running at startup, or do I need it for something?
     
  14. dmcrx7

    dmcrx7 TS Rookie Topic Starter Posts: 42

    log

    forgot the log, here it is
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, looking good! You should set up a homepage though so I can make sure it's not getting redirected.

    Messenger:
    You can UNCHECK all of these on Startup: They ARE legitimate programs, but they don't need to start on boot.
    You don't need to remove these entries> just UNCHECK on the Startup menu. I've given you a description and none need to start on boot:
    Java:
    Adobe:
    When you have finished the above, reboot the computer. You will get a nag message that you can ignore and close after checking 'don't show this message again'. Stay in Selective Startup.

    We can remove the cleaning programs:
    Download OTCleanIt
    The Restore Points should be removed again since you had a few malware entries when you did the removal: Clear your existing System Restore points and establish a new clean restore point:
    It's been a pleasure working with you. If you need more help, please let us know.
     
  16. dmcrx7

    dmcrx7 TS Rookie Topic Starter Posts: 42

    I think that got it. Thanks for all your help.

    On last question: Do you know what this is? looked suspicious to me

    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You had one or two entries which I had you remove. But these are legitimate entries which I thought you had put in place. Read the description and check the URL I leave. If you no longer want this to run, we should be able to stop it. I'll check it out, so let me know.

    Here is the description of nLite:
    See nLite - Windows Installation Customizer http://www.nliteos.com/nlite.html
    And check out the FAQ page: http://www.nliteos.com/faq.html

    advpack.dll assists with hardware and software installs by reading and verifying .INF files.
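Pulling the autorun discussion together (the O4 and O16 entries in Post #7, the Rundll32 entry under the NETWORK SERVICE hive in Post #10, and the RunOnce/advpack.dll entries in Posts #16 and #17): the script below is an added example, not part of this thread and not code from HijackThis or TechSpot. It parses HijackThis O4 and O16 lines and flags the pattern Bobbye called out, rundll32 loading a DLL that is not a recognised Windows DLL, plus two lower-priority "review" cases: autoruns under the built-in service-account hives (S-1-5-18/19/20) and ActiveX controls installed from a remote CAB. The allow-list of Windows DLLs is an assumption for illustration (a real triage would verify the file's signature); the sample lines are copied from the posts above, with the O16 line laid out in HijackThis's format.

```python
"""Triage HijackThis O4 (autorun) and O16 (ActiveX DPF) lines for the patterns
discussed in the thread. Added example; not part of the original thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

# SIDs HijackThis prints for autoruns in the built-in service accounts' hives.
SERVICE_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}

# ASSUMPTION: small allow-list of Windows DLLs that legitimately get launched via
# rundll32 (advpack.dll is the one the nLite RunOnce entries use). Illustrative only.
KNOWN_RUNDLL32_DLLS = {"advpack.dll", "shell32.dll", "setupapi.dll", "ieframe.dll", "mshtml.dll"}

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<desc>[^)]*)\) - (?P<url>\S+)")
# rundll32 takes the DLL as its first argument, either quoted or up to the first comma.
RUNDLL32_RE = re.compile(r'^rundll32(?:\.exe)?\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>[^,\s]+))', re.IGNORECASE)


@dataclass
class O4Entry:
    hive: str
    key: str
    name: str
    command: str
    user: Optional[str]

    @property
    def service_sid(self) -> Optional[str]:
        sid = self.hive.split("\\", 1)[1] if "\\" in self.hive else ""
        return sid if sid in SERVICE_SIDS else None

    @property
    def rundll32_target(self) -> Optional[str]:
        m = RUNDLL32_RE.match(self.command)
        return (m.group("quoted") or m.group("bare")) if m else None


@dataclass
class Finding:
    line_no: int
    severity: str  # "suspicious" or "review"
    reason: str
    line: str


def parse_o4(line: str) -> Optional[O4Entry]:
    m = O4_RE.match(line.strip())
    return O4Entry(m["hive"], m["key"], m["name"], m["cmd"], m["user"]) if m else None


def triage(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        entry = parse_o4(line)
        if entry:
            dll = entry.rundll32_target
            if dll is not None:
                base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
                if base not in KNOWN_RUNDLL32_DLLS:
                    who = entry.user or entry.hive
                    findings.append(Finding(no, "suspicious",
                                            f"rundll32 loads unrecognised DLL {base} ({entry.key} for {who})", line))
                    continue
            if entry.service_sid:
                findings.append(Finding(no, "review",
                                        f"{entry.key} autorun under service account hive "
                                        f"{SERVICE_SIDS[entry.service_sid]}", line))
            continue
        m = O16_RE.match(line)
        if m:
            host = m["url"].split("/")[2] if "//" in m["url"] else m["url"]
            findings.append(Finding(no, "review",
                                    f"ActiveX control {m['clsid']} ({m['desc']}) downloaded from {host}", line))
    return findings


# Sample log: lines copied from the thread (the O16 line laid out in HijackThis format).
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\msconfig.exe /auto",
    r'O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"',
    r'''O4 - HKUS\S-1-5-20\..\Run: [vawaluzolu] Rundll32.exe "C:\WINDOWS\system32\hujinuya.dll",s (User 'NETWORK SERVICE')''',
    r"O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')",
    r"O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')",
    "O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.severity}] {f.reason}")
```

On the sample, only the `vawaluzolu`/`hujinuya.dll` line comes out as "suspicious"; the nLite RunOnce entries pass the DLL check because advpack.dll is on the allow-list (the LOCAL SERVICE one is still listed for review because it runs from a service-account hive), and the LogMeIn O16 line is listed for review with its download host.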
     
  18. dmcrx7

    dmcrx7 TS Rookie Topic Starter Posts: 42

    That makes sense.
    Thanks for all your help.

    :D:wave:
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. Please let us know if you need more help.
     