TechSpot

Help, got hit by vundo, followed 8 steps

By guge
Mar 12, 2009
  1. I got hit by vundo!grb detected by McAfee; each time I click I get an error message saying "c:\windows\system32\dosakoha.dll is not a valid windows image, please check against your installation diskette".
    Also my IE will open lots of sites automatically.

    I followed the 8 steps except step 3, because I don't think I have any real time monitoring program.

    Log files attached. Right now IE does not open sites, but I still get a message box when I click a program and when I start Windows.

    I attached all the logs, please help to see if I'm OK.

    Thanks in advance!
     
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Uninstall your McAfee Antivirus
    Then run the McAfee Removal Tool

    Keep Avira installed, and never have two Anti-viruses installed together again


    Here's your next 8 steps ;)

    Download the following 4 tools, and print these instructions

    1. Download VundoFix; Trojan.Vundo Removal Tool; VirtumundoBeGone and ComboFix.
    2. Go Offline - pull the cable network, turn off wireless card, turn off your modem.
    3. Restart computer and press F8 to run Windows in Safe Mode
    4. Run VundoFix. Click on Scan for Vundo. Scanning will begin, which takes a long time. The white box will display the names of infected files. After the scan is complete click Remove Vundo, and removal will begin. Confirm by clicking Yes. The application should ask for permission to restart your computer - click Yes. Start Windows in Safe Mode again.
    5. Run FixVundo. Click Start, and then follow the instructions. It should be noted that this application can deal only with older mutations of Vundo (Virtumonde).
    6. Run VirtumundoBeGone. Click Continue and wait for the report.
    7. Run ComboFix. Then, in the two windows that appear click Yes, and start scanning and removal of any Vundo (Virtumonde) infection. During this operation, you are not allowed to move the mouse or perform other actions. After the scan is complete, the program will show a text file - a report of the program's actions.
    8. Restart computer and run Windows normally.
     
  3. guge

    guge TS Rookie Topic Starter

    Thanks for the quick reply!
    Now I don't see any of the warning pop up when I click an app or window.

    Questions
    1. How do I know I'm safe now, do I need to send out some log?
    2. That McAfee center is a paid product; it includes virus protection and a firewall. Which one should I keep? If I drop McAfee, do I need to install a free firewall as you recommended in "8 Steps"?
    3. For the software I installed following the 8 steps, do I need to keep it all there and run it periodically?
     
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    "Now I don't see any of the warning pop up when I click an app or window"
    That's great news

    "Questions
    1. How do I know I'm safe now, do I need to send out some log?"
    Actually do another scan with Malwarebytes (making sure to update it first) then save that log file to be submitted as an attachment

    Also run ComboFix (in Normal Mode) again as well (I know it's a nuisance but basically multiple scans remove hidden malwares) then save that log file to be submitted as an attachment

    Restart (although pretty sure Combofix would have done this already, if correctly run)

    Then run a HijackThis scan only, then save that log file to be submitted as an attachment

    Please then submit all 3 attachments :)


    "Questions
    2. That McAfee center is a paid product, it includes virus protection and firewall. Which one should I keep? If I drop McAfee, do I need to install a free firewall as you recommended in "8 Steps"?"
    Put it this way, McAfee did not help you this time ;) I generally find McAfee to be quite inferior :( And therefore would honestly say that Avira is much better
    But regarding the Firewall: firewalls do not stop malware (Viruses and Trojans etc.); they stop hackers trying to connect to your computer, and/or your private information being sent out. So unless you are doing some banking online, just use Windows Firewall (confirming all Security Updates are completed)

    "Questions
    3. For those software I installed following the 8 steps, do I need to keep the all there and run it periodically?"
    Definitely not. I'm trying to not only "clean" your system but also optimize it, so you don't need all this extra stuff.
    Generally I say:
    Windows security updates all completed
    Windows Firewall (depending on surfing habits)
    Avira AntiVirus
    Malwarebytes scan updated and run periodically

    That's it ;)
     
  5. guge

    guge TS Rookie Topic Starter

    Thank you for all these helps!

    New files are attached, Please let me know what you find.

    One more question for the firewall: how about I still keep the McAfee firewall in case I really do some online banking? Only two anti-virus programs interfere, right?
     
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Please re-open HijackThis and place a tick next to the following entries
    Close all\any Internet browsers, then select Fix
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK
    • When shown the disclaimer, Select "2"
    (Note: 1 space after ComboFix in that uninstall command)

    Clear & Reset System Restore's Cache

    Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter
    * Tick on the checkbox - Turn off System Restore on all drives
    * Click Apply
    Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

    Restart
     
  7. kritius

    kritius TS Guru Posts: 2,084

    You're better getting a separate firewall such as Comodo.
     
  8. guge

    guge TS Rookie Topic Starter

    Hi, Kritius,
    Thanks for the recommendation, I'll install Comodo.

    HI, Kimsland,
    After I sent out the log, I uninstalled SuperAntispyware and Advanced Registry Optimizer.
    So running HijackThis didn't see these 2 items anymore. I did the fix as you told me, ran a scan only again, and couldn't find the items listed above.

    For uninstalling ComboFix: since I ran it from my removable disk (SD card drive), it does not work from Start > Run. I went to the DOS command screen, went to the directory of ComboFix and typed
    combofix /u; I didn't get the disclaimer, but it did ask me to disable Avira and told me the uninstall was successful.

    I did a last step too.

    So, do you think I'm OK now, do I need to send some log?

    Hmm, after I uninstalled SuperAntispyware, when I start IE it automatically goes to my home page, but the small icon in front of the home page web address in the edit control of IE is SuperAntispyware's icon. Do I still have something wrong?
     
  9. kritius

    kritius TS Guru Posts: 2,084

    Post a fresh HJT log
     
  10. guge

    guge TS Rookie Topic Starter

  11. kritius

    kritius TS Guru Posts: 2,084

    There's nothing in the log.

    I'll let Kimsland have a look, he may know more than me.
     
  12. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I think it just required a restart ;)

    But there is one thing in the log: (not Malware though)
    This seems to be some network configured entry, which is likely legit

    But do this anyway

    Run WinsockFix: http://files.snapfiles.com/localdl834/WinsockxpFix.exe

    Restart

    Report on how everything seems to be running.
    You are finally confirmed malware free, by the way.
    Although you seem to be running Regshave with every startup:
    "Part of the USB driver for your Fuji digital cameras - used when uninstalling the USB drivers, erasing all entries from the registry. Only required BEFORE attempting to uninstall the Fuji software or the uninstall may not work correctly."
    I feel it's a shame that it defaults to run on every Windows startup (O4 entry in HijackThis). Certainly if you are not using a Fuji digital camera, then I'd say uninstall this from Add/Remove Programs. Otherwise you can disable this one entry using Startup Control Panel, and only re-enable it if you ever do uninstall your Fuji digital camera software.
     
  13. guge

    guge TS Rookie Topic Starter

    Restart does not work, I still have the wrong icon. But as long as it's not a malware related issue, I can live with it.

    I'm glad I got a clean machine again. Thank you guys for all these help!

    I ran winsockxpfix.exe; it just tells me it's finished. I didn't see any report.

    I removed McAfee Security Center and installed Comodo firewall. As you mentioned above, I only installed the firewall, not the antivirus protection, because I already have Avira installed.

    Could you tell me what's the best setting for the Comodo firewall security level (mine is Safe Mode) and the Defense+ security level (mine is Clean PC Mode)?
     
  14. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Please do this => IE RESET
     
  15. guge

    guge TS Rookie Topic Starter

    Thanks! Now it's fixed.

    Any recommendation for the Comodo firewall setting?
     
  16. kimsland

    kimsland Ex-TechSpotter Posts: 14,524
