TechSpot

Help remove Vundo/AppInit_DLLs

By rwnewson
Jan 4, 2009
  1. Hello everyone,

    I can usually remove spyware/adware myself without difficulty but this one particular trojan I have is a doozie. Can someone please help me??

    I believe it is a Vundo stored in stubborn DLL files in the C:\WINDOWS\SYSTEM32 directory. Specifically, they appear in my hijackthis log (full log attached) as this line:

    O20 - AppInit_DLLs: C:\WINDOWS\system32\wunufaku.dll C:\WINDOWS\system32\nizukipu.dll c:\windows\system32\hejivego.dll

    For the life of me I cannot remove these three files! Here are the things I've attempted so far, and I've tried them in both regular and safe mode:

    Initially I did the following scans:
    - AVG Free Antivirus 8.0 full system scan
    - Lavasoft Ad-aware
    - Spyware Doctor
    - CCleaner
    - VundoFix.exe
    - HijackThis (removing clearly bad entries)

    Each found some infections and claimed to remove them.
    Then I noticed that about 10 bad DLLs were in my System32 folder still not removed... So I used HijackThis's "delete file on reboot" utility to remove most of them... But the three listed above will not delete. Then I tried:

    - FileAssassin - the program crashes (error message "needs to be shutdown") whenever I try either "FileAssassin's method" or "delete on reboot"
    - KillBox - tried to delete on reboot but keeps giving me the "PendingFileRenameOperations Registry Data has been Removed by External Process" error; and when the reboot is done manually, nothing happens. Here is the log:

    Pocket Killbox version 2.0.0.881
    Running on Windows XP as Administrator
    was started @ Sunday, January 04, 2009, 8:28 AM
    # 1 [Delete on Reboot]
    Path = c:\windows\system32\nizukipu.dll
    PendingFileRenameOperations Registry Data has been Removed by External Process! @ 8:29:16 AM
    Killbox Closed(Exit) @ 8:29:23 AM


    I feel like I tried everything and nothing works... the files are still there causing popups and slowing down my computer! PLEASE HELP ME! thanks!!!
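A defender-side way to inspect the two registry mechanisms this post touches, the AppInit_DLLs load point behind the O20 line and the PendingFileRenameOperations queue that KillBox's "delete on reboot" depends on; this is an added PowerShell example, not code from the thread, and it only reads the registry. The key paths are the standard Windows ones and the sample value is the O20 line quoted above.

```powershell
# Added example, not from the thread: read-only audit of AppInit_DLLs and of
# the PendingFileRenameOperations queue. AppInit_DLLs is loaded by user32.dll
# into every GUI process, so a hostile entry there is re-loaded at each logon;
# KillBox queues its deletion in PendingFileRenameOperations, which is the
# value the log above says was "Removed by External Process".

function Get-AppInitDllEntries {
    param([string]$Value)
    # The value is a space- or comma-separated list of DLL paths; bare file
    # names resolve relative to system32.
    $Value -split '[ ,]+' | Where-Object { $_ } | ForEach-Object {
        $path = [Environment]::ExpandEnvironmentVariables($_)
        if (-not [IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot "system32\$path"
        }
        $exists = Test-Path -LiteralPath $path
        $status = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'missing' }
        [pscustomobject]@{ Path = $path; Exists = $exists; Signature = $status }
    }
}

function Get-AppInitDllAudit {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $props = Get-ItemProperty -Path $key
    [pscustomobject]@{
        # LoadAppInit_DLLs exists on Vista and later; on XP loading is always on.
        LoadEnabled = if ($null -ne $props.LoadAppInit_DLLs) { [bool]$props.LoadAppInit_DLLs } else { 'n/a (XP)' }
        Entries     = @(Get-AppInitDllEntries -Value ([string]$props.AppInit_DLLs))
    }
}

function Get-PendingFileRenames {
    # REG_MULTI_SZ of (source, destination) pairs; an empty destination means delete.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = @((Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PendingFileRenameOperations)
    for ($i = 0; $i + 1 -lt $ops.Count; $i += 2) {
        [pscustomobject]@{
            Source = $ops[$i] -replace '^\\\?\?\\', ''
            Action = if ($ops[$i + 1]) { "rename to $($ops[$i + 1] -replace '^!?\\\?\?\\', '')" } else { 'delete' }
        }
    }
}

# Constructed input: the O20 line from the HijackThis log quoted in the post.
$sample = 'C:\WINDOWS\system32\wunufaku.dll C:\WINDOWS\system32\nizukipu.dll c:\windows\system32\hejivego.dll'
Get-AppInitDllEntries -Value $sample | Format-Table -AutoSize
```

Run `Get-AppInitDllAudit` and `Get-PendingFileRenames` from an elevated prompt to see the live values; an AppInit entry with a `NotSigned` status, or a pending delete that disappears between two reboots, is the behaviour the post describes.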
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please follow the steps here to run Malwarebytes and SuperAntispyware:
    http://www.techspot.com/vb/topic58138.html

    When through, run ComboFix:
    ComboFix should remove all these System32 files:
    Rescan with HijackThis when through running Malwarebytes, SuperAntispyware and ComboFix. Attach the logs from all programs when through.

    I also need to know if you have set your home page to come up with a blank page:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    If not, we will remove this entry in the next log.
     
  3. rwnewson

    rwnewson TS Rookie Topic Starter Posts: 44

    Yay! It seems to have worked! My computer is running a lot faster now and the pop-ups are gone so far. I looked for those old DLL files and I can't find them so hopefully they are gone for good. Thanks a lot for your help!!

    I posted the log files. I ran Malwarebytes twice (once on full scan but it was taking so long that I stopped it and ran the quick scan) and the SUPERAntispyware once (but I can't seem to find the log) followed by the ComboFix.

    And to answer your side question, yes I have a blank page assigned as my homepage. I like it that way.

    Thanks again!
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, we're getting there. But Vundo is still around: none of the logs are clean.

    You are still loading old entries for Java and Adobe, meaning the versions are still installed: Get these first:
    Update Java:
    Update Adobe:
    Control Panel> Add/Remove Programs> UNINSTALL the following:
    Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.

    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:

    Right click on Start> Explore> Windows system32. Right click> Delete on any of the following if present:
    When done, reboot into Normal Mode:

    Run SDFix: Download and Install SDFix
    Boot into Safe Mode
    Run SDFix
    Credits to Blind Dragon: http://www.tech-101.com/viewtopic.php?f=18&t=38

    Run new scan with HijackThis after SDFix and attach both logs.

    FYI: you have all of these loading at boot; none need to load at startup and run in the background:
    QuickTime, Real Player, TomTom, Creative\Sound Blaster Live!, CyberLink PowerDVD DVDLauncher, P17Helper (for recording and home project studios),
     
  5. rwnewson

    rwnewson TS Rookie Topic Starter Posts: 44

    Hello,

    Thanks again on all the detailed instructions.

    I actually had to do something recently which reinstalled the virus (I know I know) but then ran all the anti-spyware programs above again a few times to get rid of it again. I think it is now gone but can you take a look at my logs? Here's what I did...

    After my Spyware Doctor scan removed most things I ran full scans of the MalwareBytes and SUPERAntispyware; then restarted and ran quick scans with each, both coming up with nothing found.

    Next I followed your directions about the Java, updating to the new version and uninstalling the old versions.

    Regarding the Adobe Acrobat Reader, I actually don't use the Reader at all. I use the full version of Adobe Acrobat 5.0, which I know is old, but I like it and don't own the new versions so I'd like to stick with it.

    I rebooted in safe mode to remove those files you specified but they were already removed.

    I rebooted as normal and ran hijackthis (log attached).

    I did NOT re-run ComboFix and did NOT yet run SDFix. Do you think I need to? I think everything is gone but if you think I should then I will.

    Thanks again!
    Ryan
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Doing a system restore while cleaning is never advised. Now you know why!

    Adobe v5 is way out of date. Many of the Adobe and Java updates were done because of security vulnerabilities. Keeping an old version such as this is a security risk.

    You should have a PDF Reader as many files on search are in PDF format. If you don't want Adobe, get FoxIt which was also in my update recommendation. Then uninstall the Adobe v5.

    Please run either SDFix or ComboFix, then update and run Malwarebytes again, followed by a new HijackThis log. Since you restored to a previous date, we don't know what's back on the system. Why do a half-you know what job!

    Attach the new logs. If clean, we'll remove the cleaning programs and the old restore points.

    And once again:
     
  7. rwnewson

    rwnewson TS Rookie Topic Starter Posts: 44

    Just to clarify, I did not do a System Restore. I have this exe file which performs an intended function while simultaneously installing the virus to my computer. So the other day I needed to run the exe file again despite knowing the repercussions. But I don't intend on running it again in the future.

    Regarding Adobe, I not only need a PDF reader, but also the Acrobat Distiller to write PDF files as well as a PDF editor and PDF form creator.... So if you know of another free program that does all that please let me know. I may try to get my work to pay for the new version...

    I had hoped my current logs were clean so that I didn't have to run the other fix programs but I will anyway. I'll reply back when I do.

    Thanks a bunch,
    Ryan
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, so I called it wrong! It was a reasonable assumption! Either way, to do it while understanding what you were doing means we now have a system that is basically right back where we began. We cannot assume everything has been removed, again.

    This program:
    C:\Program Files\Adobe\Acrobat 5.0\Distillr
    Is up Adobe Distiller Server 8:
    http://www.adobe.com/products/acrdis/

    There is another company that makes PDF products: FoxIt. They have a free reader but the combination products do have a price. You might want to look around for a comparable product and compare the prices:
    http://www.foxitsoftware.com/products/

    Either way, I don't advise keeping a program that is so outdated; security issues could be involved.

    I'll be glad to check the new logs whenever they're ready.
     