Help needed please with vundo virus

[lindylou2]

I am having problems with my tower computer, when rebooting my anti virus brings up a scan message window that says Vundo is dectected, I am given the option to clean delete or move the file but each time I click an option it just says 'clean failed', 'delete failed' etc. I cannot download any vundo fix as I cannot open windows explorer, it either just will not open or just opens then shuts down again. If I boot up in safe mode I cannot connect to the internet. I have managed to run my AVG, adaware and spybot be it very slowly other applications will open but very very slowly.

Any help will be gratefully received :wave:

Could I download the vundo fix onto my laptop and put it on a memory stick to transfer it to my tower computer, if so how should I run the fix?
thanks in advance Linda

 

[CCT]

Have you tried booting in Safe Mode with Networking (assuming that your OS supports that)?


Send a private message to momok or Howard Hopkinson - they somehow missed you.

 

[lindylou2]

yes just worked that out AFTER I had posted on the thread, embarrassed or what, you replied before I reposted, have just managed to download it and got rid of it(I think). Am now working through HH's thread on 'Viruses/Spyware/Malware, preliminary removal instructions' and will post a HJT log to ensure it has gone. Thanks

 

[momok]

Hi

Important: Please read this thread HERE before you decide whether to clean or reformat your system.

Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. These are a comprehensive mix of steps to remove common malware, as well as provide us logs of your system to look at so we can further remove any tricky nasties.
Do follow all the instructions exactly.

Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste if not it will be ignored and/or removed.

Also, please let me know the results of the AVG Antirootkit scan


Regards,
Your friendly momok =)

This thread is for the use of lindylou2 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[lindylou2]

Hi here is my HJT file, combofix file and avg spyware scan. The AVG scan and Antirootkit scan was clean. Thanks in advance Linda

 

[momok]

Hi,

Please download and run CCleaner via step 9 of the instructions HERE.

You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Open your task manager by pressing holding ctrl, alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:

gog.exe
bbb.exe
uuu.exe

After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

Close HJT.


Navigate in Windows Explorer and delete the following files and folders in bold.

C:\WINDOWS\system32\mljgf.dll
C:\DOCUME~1\Megan\gog.exe
C:\DOCUME~1\Megan\bbb.exe
C:\DOCUME~1\Megan\uuu.exe
C:\WINDOWS\system32\F87783B3D3.sys
C:\Program Files\MSN Messenger\msrr.exe

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT and ComboFix logs from normal mode as attachments into this thread.


Regards,
Your friendly momok =)

This thread is for the use of lindylou2 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[lindylou2]

Hi thanks for your reply, am following your instructions, did not find any files with the gog.exe etc.

I am struggling to find "Navigate in Windows Explorer and delete the following files and folders in bold.

C:\WINDOWS\system32\mljgf.dll
C:\DOCUME~1\Megan\gog.exe
C:\DOCUME~1\Megan\bbb.exe
C:\DOCUME~1\Megan\uuu.exe
C:\WINDOWS\system32\F87783B3D3.sys
C:\Program Files\MSN Messenger\msrr.exe"

How do I locate these folders in windows explorer, please could you give me more detailed instructions.
Many thanks Linda

 

[howard_hopkinso]

Momok isn`t around at the moment, so in the meantime, please do the following.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop. The Avenger script is attached to the bottom of this post.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as fresh HJT and Combofix logs.

Regards Howard

This thread is for the use of lindylou2 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[lindylou2]

Sorry but I don't seem to be able to open the avenger file, is unzipped, but won't 'load script from file' just gives me error code. What am I doing wrong

My desktop now has that many icons to 'fix-it programmes' on it now I am loosing the background (and the will to live!!!) :giddy:

 

[howard_hopkinso]

Delete the Avenger you downloaded and try again.

Regards Howard

This thread is for the use of lindylou2 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[momok]

Hi,

Did you unzip the files (both avenger program and the script from howard) to desktop? You need to open the avenger program first, and then choose to "load script from file".


Regards,
Your friendly momok =)

This thread is for the use of lindylou2 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[lindylou2]

:giddy: Thats what I can't find the script from Howard.
Have now totally lost the will to live:giddy: :giddy:

Linda

 

[howard_hopkinso]

It`s attached to my post#8

Regards Howard

This thread is for the use of lindylou2 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[lindylou2]

:wave: just found it now, and realised why it wouldn't work, please be aware that I need simple step by step, details, you experts forget us lay people are thick its workin its magic now, onto the next bit! I remain ever hopeful that one day I will get a simple virus that I can just delete normally!!

 

[howard_hopkinso]

Don`t be so hard on yourself.

I did try and give you step by step instructions.

If you ever have any difficulty in following any of the instructions, just ask and tell us which bit you don`t understand.

Regards Howard

 

[lindylou2]

Thank for sparing my blushes, I followed your instructions but what you didn't say was "put in text that I have attached to bottom of this message into Avenger' pointed out with a big arrow! only saw it later thought the script was in the avenger file and was looking for it there.

Attached Avenger file, combo file and HJT file
Need a strong drink and a lie down now

 

[howard_hopkinso]

I have altered the instructions for the Avenger script and will always use them from now on. Thanks for pointing it out.

Your logfiles look clean. How`s your system running?

Regards Howard

This thread is for the use of lindylou2 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[momok]

Hi,

Your logs look clean now.

Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

Turn off system restore (XP/ME only). Learn how to do that HERE.
This will remove all the remaining nasties from your old restore points.

After that turn system restore back on.
This would have created a new safe and clean restore point for your system.

Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
May I recommend you to read this article.
This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
Your friendly momok =)

This thread is for the use of lindylou2 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[lindylou2]

Computer seems fine now, how long it remains so is debatable, I am sure its that msn/windows messenger used by daughter that lets all the creepy crawlies in. I have more spyware and virus checkers and cleaners etc than ever before, especially after what you said last time when I had problems with the laptop compter.

Thank you all for your help.

So computer is ok now, no nasties on it?

Will now spend the next hour removing some of the icons so I can find my desktop again!
Linda
ps will read suggested articles:wave:

 

[howard_hopkinso]

You can remove all the tools that have been used.

I suggest you keep the following.

Spybot Search & Destroy.

Ad-Aware se personal.

Spyware Blaster.

AVG Antispyware.

Ccleaner.

Regards Howard

This thread is for the use of lindylou2 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[lindylou2]

Have now cleared desktop and kept the ones you suggested, many thanks to both of you for your help. Computer running like a dream

 

[howard_hopkinso]

That`s great to hear and thanks for letting us know. I see you`re just down the road from me in sunny Burnley lol.

Regards Howard

This thread is for the use of lindylou2 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[lindylou2]

:wave: :wave: yes its a small world isn't it, tho I originate from Leyland and came to do my nurse training in Burnley in '89 and been here ever since :grinthumb

 

[howard_hopkinso]

Yeah, it is a small world. I have nothing but admiration for the work that nurses do. I was in hospital in Burnley(ward27) 18 months ago and the nursing staff were absolutely superb.

Regards Howard