Newbie here, need help with Vundo trojan

[gobruins]

Hi everyone,

I am very thankful that I found a community with such helpful people! A few weeks ago, I noticed lots of popups, misdirections, and just overall slowness on my computer. I had Avira antivirus, Ad-aware and Malwarebytes at the time. I ran scans and each time a Vundo trojan was detected, I deleted it. But it kept coming back. Finally I installed AVG, uninstalled Ad-aware and Malwarebytes, and I thought my system was clean, but I kept getting bad image errors.

I found this site, and decided to follow the 8 steps. Attached are my logs for Malwarebytes, Super Anti-spyware and Hijack this. To my surprise, even though my computer stopped getting the bad image errors and seemed to run fine, the 8 step process yielded over 70 additional Vundo infections.

I hope the 8 step process has cleaned me completely, but I need someone's help. I am not sure how to read these logs to make sure my system is clean. Can someone help me? Thank you all for your help, I really appreciate it!

 

[Bobbye]

Welcome to TechSpot and thank you for your patience. I'll help with the malware.

There is a line to check in Malwarebytes (and SAS) to remove the malware that is found. When that line isn't checked, each entry says No action taken.

So I have to send you back to update Malwarebytes and run a scan gain, being sure to check this:
Make sure that everything is checked, and click Remove Selected.

The Vundo that is showing in SAS is all in the System Restore points. They will not infect your system unless you do a system restore- so don't! I'll have you remove all the old restore points when the system is clean and set a new clean one.

Please download ComboFix HERE:

• With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  
• Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  
• Run Combo-Fix.exe and follow the prompts.
  (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
• Wait for the scan to be completed.
• If it requires a reboot, please do it.

• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:

• 
  1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Attach Combofix report and Mbam log.

Rescan with HJT when through- attach new log..

 

[gobruins]

Thank you so much for getting back to me! I will follow the steps you've outlined and get back to you as soon as I can.

 

[gobruins]

Ok, it took a little longer than I anticipated, but here's what I did. I ran a complete scan with Malwarebytes and it came up empty, so hopefully that means I'm clean. Log is attached. I also ran a scan with Super-Antispyware, also came up clean. Log is attached. I disabled my internet and ran Combofix, but wasn't able to download the recovery console since the internet connection was disabled. It continued to run, and the log from this run is attached as combofixlog1. My computer restarted, and combofix continued to run. I got a prompt that said there was an updated version of combofix and started downloading it, but my computer froze. I restarted my computer, fixed the internet connection and did another combofix scan. This time the recovery console downloaded, and the log from this scan is attached as combofixlog2. I then ran Hijackthis. Log is attached.

I really appreciate all the help. I hope I'm clean. Please let me know what I should do next. Thank you!

 

[Bobbye]

Awesome! You should be running better. Just a couple of removals suggested:

Please reopen Hijackthis to 'do system scan only.' Check the following if present: Note: these are Optional Removals> See Options 1 and 2.

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll> See Optional 1
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll> See Optional 1
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun> See Optional 2

Close all Windows except HijackThis and chick on "Fix Checked."

Optional 1: You have the Ask Toolbar installed, I would recommend you uninstall it - decide after taking a look at this article:
http://www.benedelman.org/spyware/ask-toolbars/

If you choose to remove it, uninstall it and delete this folder C:\Program Files\AskPBar using Windows explorer.

Optional 2: fwupdate is an Auto firmware update program for LG Electronics CD-ROM/DVD writer. But it doesn't need to start on boot and run in the background. Check entry in HJT, then remove from Start menu as follows:
Click on Start> Run> type in msconfig> enter> Selective Startupo> Start tab> Uncheck fwupdate> Apply> OK.

Reboot: Note. Ignore and close the nag message after checking 'don't show this mssage again.' Stay in Selective Startup.


I'd like you to run an online scan to be sure we found everything:
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

If anything is found in the Eset scan, please include the log. If it's clean and if the problems have been resolved, I'll have you remove the cleaning tools and old restore points.

 

[gobruins]

Thank you so much for your help! I followed your suggestions, ran the online scan for Eset and everything came up clean! What are my next steps?

 

[Bobbye]

Please run one more HijackThis scan. IF there are no removals, I'll have you remove the cleaning tools and set a new, clean restore point. Leave the log in next reply.

Are the original problems resolved? Are there any other malware related problems>

 

[gobruins]

The original problems are resolved, and I do not notice any other malware problems.
Attached is the latest Hijackthis log. I am crossing my fingers!

 

[Bobbye]

Looks good to me! Since original problems have been resolved, let' s>>>

Remove all of the tools we used and the files and folders they created
First:
Uninstall ComboFix.exe And all Backups of the files it deleted

• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  

Second:

• DownloadOTCleanIt by OldTimer and save it to your desktop.
• Double click OTCleanIt.exe.
• Click the CleanUp! button.
• If you are prompted to Reboot during the cleanup, select Yes.

The tool will delete itself once it finishes.

If you are prompted to Reboot during the cleanup, select Yes. [/list]

Third:
Follow with setting a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:

• Go to Start > All Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
• Click "OK" to select the partition or drive you desire.
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

And some tip to help you stay clean:
Please follow these simple steps to keep your computer clean and secure:
1.Disable and Enable System Restore: This will help you to drop the old restore points and set a new, clean one:

System Restore Guide

2.Stay current on updates:

• Visit the Microsoft Download Sitefrequently.
  You should get All updates marked Critical and the current SP updates:Windows 2000> SP4, Windows XP> SP2, SP3, Vista> SP2
• Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
• Check this site often.Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

3.Make Internet Explorer safer. Follow the suggestions HERE
This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

4.Remove Temporary Internet Files regularly: Use

• ATF Cleaner by Atribune or
• TFC

5. Use an AntiVirus Software(only one)

• This can save you a lot of trouble with malware in the future.It should be kept updated and used to scan regularly.
• See This link for a listing of some online & their stand-alone antivirus programs:
  Virus, Spyware, and Malware Protection and Removal Resources

6.Use a good, bi-directional firewall(one software firewall)
[*]See Understanding and Using Firewalls including links to download a firewall.

7.Consider these programs for Extra Security

• Spywareblaster:
• SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
• IE/Spyad
• This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
• MVPS Hosts files This replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
• Google Toolbar Get the free google toolbar to help stop pop up windows.

If I can be of further assistance, please let me know.

 

[gobruins]

Thank you so much for all of your help! I think my machine is finally back to normal. I'll be sure to use the programs you suggested to try and keep my computer clean in the future. Thanks again!

 

[Bobbye]

You're welcome.