Help, got hit by vundo, followed 8 steps

Status
Not open for further replies.

guge

I got hit by Vundo!grb, detected by McAfee. Each time I click I get an error message saying "c:\windows\system32\dosakoha.dll is not a valid windows image, please check against your installation diskette".
Also my IE opens lots of sites automatically.

I followed the 8 steps except step 3, because I don't think I have any real time monitoring program.

Log files attached. Right now IE does not open sites, but I still get a message box when I click a program and when I start Windows.

I attached all the logs, please help to see if I'm OK.

Thanks in advance!
 
Uninstall your McAfee Antivirus
Then run the McAfee Removal Tool

Keep Avira installed, and never have two anti-virus programs installed together again


Here's your next 8 steps ;)

Download the following 4 tools, and print these instructions

1. Download VundoFix; Trojan.Vundo Removal Tool; VirtumundoBeGone and ComboFix.
2. Go offline - pull the network cable, turn off the wireless card, turn off your modem.
3. Restart the computer and press F8 to run Windows in Safe Mode
4. Run VundoFix. Click on Scan for Vundo. Scanning will begin, which takes a long time. The white box will display the names of infected files. After the scan is complete click Remove Vundo; removal will begin. Confirm by clicking Yes. The application should ask for permission to restart your computer - click Yes. Start Windows in Safe Mode again.
5. Run FixVundo. Click Start, and then follow the instructions. It should be noted that this application can deal only with older mutations of Vundo (Virtumonde).
6. Run VirtumundoBeGone. Click Continue and wait for the report.
7. Run ComboFix. Then, in the two windows that appear, click Yes, and start scanning and removal of any Vundo (Virtumonde) infection. During this operation you are not allowed to move the mouse or perform other actions. After the scan is complete, the program will show a text file - a report of the program's actions.
8. Restart computer and run Windows normally.
 
Thanks for the quick reply!
Now I don't see any of the warning pop up when I click an app or window.

Questions
1. How do I know I'm safe now, do I need to send out some log?
2. That McAfee Security Center is a paid product; it includes virus protection and a firewall. Which one should I keep? If I drop McAfee, do I need to install a free firewall as you recommended in "8 Steps"?
3. For the software I installed following the 8 steps, do I need to keep it all there and run it periodically?
 
"Now I don't see any of the warning pop up when I click an app or window"
That's great news :grinthumb

"Questions
1. How do I know I'm safe now, do I need to send out some log?
"
Actually do another scan with Malwarebytes (making sure to update it first) then save that log file to be submitted as an attachment

Also run ComboFix (in Normal Mode) again as well (I know it's a nuisance, but basically multiple scans remove hidden malware), then save that log file to be submitted as an attachment

Restart (although pretty sure Combofix would have done this already, if correctly run)

Then run a HijackThis scan only, then save that log file to be submitted as an attachment

Please then submit all 3 attachments :)


"Questions
2. That McAfee Security Center is a paid product; it includes virus protection and a firewall. Which one should I keep? If I drop McAfee, do I need to install a free firewall as you recommended in "8 Steps"?
"
Put it this way, McAfee did not help you this time ;) I generally find McAfee to be quite inferior :( And therefore would honestly say that Avira is much better
But regarding the firewall: firewalls do not stop malware (viruses and trojans etc.); they stop hackers trying to connect to your computer, and\or your private information being sent out. So unless you are doing some banking online, just use Windows Firewall (confirming all Security Updates are completed)

"Questions
3. For the software I installed following the 8 steps, do I need to keep it all there and run it periodically?
"
Definitely not. I'm trying to not only "clean" your system but also optimize it, so you don't need all this extra stuff.
Generally I say:
Windows security updates all completed
Windows Firewall (depending on surfing habits)
Avira AntiVirus
Malwarebytes scan updated and run periodically

That's it ;)
 
Thank you for all this help!

New files are attached, Please let me know what you find.

One more question about the firewall: how about I still keep the McAfee firewall in case I really do some online banking? Only two anti-virus programs interfere, right?
 
Please re-open HijackThis and place a tick next to the following entries
Close all\any Internet browsers, then select Fix
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher 2.lnk = ?

  • Click START then RUN
  • Now type Combofix /u in the run box and click OK
  • When shown the disclaimer, select "2"
(Note: 1 space after ComboFix in that uninstall command)

Clear & Reset System Restore's Cache

Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter
* Tick the checkbox - Turn off System Restore on all drives
* Click Apply
Turn it back 'On' by unticking the same checkbox, click Apply, and then OK

Restart
 
Thank you for all this help!

New files are attached, Please let me know what you find.

One more question about the firewall: how about I still keep the McAfee firewall in case I really do some online banking? Only two anti-virus programs interfere, right?

You're better off getting a separate firewall such as Comodo.
 
Hi, Kritius,
Thanks for the recommendation, I'll install Comodo.

Hi, Kimsland,
After I sent out the log, I uninstalled SUPERAntiSpyware and Advanced Registry Optimizer.
So running HijackThis didn't see these 2 items anymore. I did the fix as you told me, and ran a scan only again, and couldn't find the items listed above.

For uninstalling ComboFix: since I ran it from my removable disk (SD card drive), it does not work from Start > Run. I went to the DOS command screen, went to the ComboFix directory and typed
combofix /u. I didn't get the disclaimer, but it did ask me to disable Avira and told me the uninstall was successful.

I did the last step too.

So, do you think I'm OK now? Do I need to send some log?

Hmm, after I uninstalled SUPERAntiSpyware, when I start IE it automatically goes to my home page, but the small icon in front of the home page web address in the edit control of IE is SUPERAntiSpyware's icon. Do I still have something wrong?
 
I think it just required a restart ;)

But there is one thing in the log: (not Malware though)
O17 - HKLM\System\CCS\Services\Tcpip\..\{734BE8C3-FB20-43CC-94BE-94A0FD9EE4AC}: NameServer = 172.21.63.3 192.168.0.20
This seems to be some network configured entry, which is likely legit

But do this anyway

Run WinsockFix: http://files.snapfiles.com/localdl834/WinsockxpFix.exe

Restart

Report on how everything seems to be running.
You are finally confirmed malware free, by the way.
Although you seem to be running Regshave with every startup
Code:
Part of the USB driver for your Fuji digital cameras - used when uninstalling the USB drivers, erasing all entries from the registry. Only required BEFORE attempting to uninstall the Fuji software or the uninstall may not work correctly
I feel it's a shame that it defaults to run on every Windows startup (O4 entry in HijackThis). Certainly if you are not using a Fuji digital camera, then I'd say uninstall this from Add\Remove Programs. Otherwise you can disable this one entry using Startup Control Panel, and only re-enable it if you ever do uninstall your Fuji digital camera.
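The two HijackThis reviews in this thread (the R1/O2/O3/O4 list marked for fixing earlier, and the O17 NameServer line judged "likely legit" above) come down to a few mechanical checks: a BHO or toolbar CLSID with "(no file)" behind it is an orphan, an O4 entry is an autorun, and an O17 NameServer is suspicious only if it points outside the LAN. The script below is an added example, not from the thread or from HijackThis, that applies those checks to sample log lines. The sample input is constructed: it reuses the entries quoted in the thread plus two made-up lines (an "Example Helper" BHO with a placeholder CLSID, and a second O17 using the documentation address 203.0.113.5 to stand in for a public DNS server).

```python
"""Triage HijackThis-style log lines the way the helpers in the thread did by hand."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample log. The first, second, fourth, fifth, sixth and seventh
# lines are the entries quoted in the thread; the "Example Helper" BHO and the
# 203.0.113.5 nameserver line are placeholders added for contrast.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O4 - HKCU\\..\\Run: [AROReminder] C:\\Program Files\\Advanced Registry Optimizer\\aro.exe -rem
O4 - Global Startup: Digital Line Detect.lnk = ?
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{734BE8C3-FB20-43CC-94BE-94A0FD9EE4AC}: NameServer = 172.21.63.3 192.168.0.20
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{99999999-8888-7777-6666-555555555555}: NameServer = 203.0.113.5
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# RFC 1918 ranges plus loopback: a nameserver in here is a LAN/corporate
# resolver, which is what makes the thread's 172.21.x / 192.168.x entry benign.
LAN_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def is_lan_address(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in LAN_NETWORKS)


def classify_nameservers(body: str) -> str:
    """O17: flag DNS servers outside private/loopback space for follow-up."""
    rest = body.split("NameServer =", 1)[-1]
    addrs = [ipaddress.ip_address(a) for a in IPV4_RE.findall(rest)]
    if addrs and all(is_lan_address(a) for a in addrs):
        return "private-range DNS servers; likely a LAN/corporate setting, leave it"
    return "non-private DNS server; confirm it is your ISP's before trusting it"


def triage_line(line: str) -> Dict[str, str]:
    """Return a verdict for one log line, or {} if it is not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    sec, body = m.group("sec"), m.group("body")
    if sec == "R1" and "ProxyOverride" in body:
        verdict = "proxy bypass list; benign by itself, normally reset after a Vundo cleanup"
    elif sec in ("O2", "O3") and body.endswith("(no file)"):
        verdict = "orphaned BHO/toolbar CLSID with no DLL on disk; safe to fix"
    elif sec in ("O2", "O3"):
        verdict = "BHO/toolbar backed by a file; check the DLL before removing"
    elif sec == "O4" and body.endswith("= ?"):
        verdict = "startup shortcut whose target could not be resolved; review"
    elif sec == "O4":
        verdict = "autorun entry; remove if the program is unwanted"
    elif sec == "O17":
        verdict = classify_nameservers(body)
    else:
        verdict = "unclassified; review manually"
    return {"section": sec, "entry": body, "verdict": verdict}


def triage(log: str) -> List[Dict[str, str]]:
    return [r for r in (triage_line(l) for l in log.splitlines()) if r]


def fix_candidates(log: str) -> List[str]:
    """Entries a helper would tell the poster to tick and Fix in HijackThis."""
    return [
        r["entry"]
        for r in triage(log)
        if r["verdict"].startswith(("orphaned", "proxy bypass", "autorun"))
    ]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['section']:4} {r['verdict']}")
```

The "(no file)" test is the whole reason those O2/O3 lines were safe to fix: the CLSID registration survived after the DLL was deleted, so removing the registry entry cannot break anything. The O17 check only separates LAN resolvers from public ones; a public address is not proof of DNS hijacking, it is a prompt to compare against the ISP's servers.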
 
Restart does not work, still have the wrong icon. But as long as it's not malware related issue, I can live with it.

I'm glad I got a clean machine again. Thank you guys for all this help!

I ran winsockxpfix.exe; it just told me it was finished. I didn't see any report.

I removed McAfee Security Center and installed Comodo Firewall. As you mentioned above, I only installed the firewall, not the antivirus protection, because I already have Avira installed.

Could you tell me what the best settings are for the Comodo firewall security level (mine is Safe Mode) and the Defense+ security level (mine is Clean PC Mode)?
 