Please help with Vundo

[dixiejen79]

I have the Vundo virus & I don't know what to do....I have been looking online for awhile (from my laptop since my desktop is useless). I noticed that several posts are specific to user so I thought I might need to try that. I am not computer savy so I may need alot of help...you may not want to attempt this! But please help anyway...I am good with instructions (usually!). Thanks so much!

Jen

 

[xxdanielxx]

* Click here to download HJTsetup.exe

• Save HJTsetup.exe to your desktop.
• Doubleclick on the HJTsetup.exe icon on your desktop.
• By default it will install to C:\Program Files\Hijack This.
• Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
• Put a check by Create a desktop icon then click Next again.
• Continue to follow the rest of the prompts from there.
• At the final dialogue box click Finish and it will launch Hijack This.
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
• Come back here to this thread and Attach the log in txt format your next reply.
• DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

 

[dixiejen79]

Attached is the log. Thanks.

 

[xxdanielxx]

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Please re-open HiJackThis and scan.**Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O20 - Winlogon Notify: 44f0ed4d382 - C:\WINDOWS\system32\__c006A1C8.dat
O20 - Winlogon Notify: __c00C7966 - C:\WINDOWS\system32\__c00C7966.dat (file missing)
O20 - Winlogon Notify: __c00DE624 - C:\WINDOWS\system32\__c00DE624.dat (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.**Close HiJackThis and*Reboot.

========================================================

Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  [b]C:\WINDOWS\system32\__c006A1C8.dat[/b]

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

 

[dixiejen79]

Moved files log

 

[xxdanielxx]

Please download VundoFix.exe
to your desktop

• Double-click VundoFix.exe to run it.
• Click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click Yes
• Once you click yes, your desktop will go blank as it starts removing the Vundo.
• When completed, it will prompt that it will reboot your computer, click Ok
• Please attach the C:\vundofix.txt & a new HijackThis log.

Note: it is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." When VundoFix appears at reboot.

======================================

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version. Then reboot into safe mode by rebooting then start tapping the F8 key you will get the advance option select safe mode then load run the program
• Once the program has loaded, select "Perform Full Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

=======================================

Please run an on-line virus scan at http://www.kaspersky.com/virusscannerKaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

 

[dixiejen79]

VundoFix did not find any infected files.

Below is the Malwarebytes' Anti-Malware log.

Malwarebytes' Anti-Malware 1.25
Database version: 1078
Windows 5.1.2600 Service Pack 2

12:42:27 PM 8/24/2008
mbam-log-08-24-2008 (12-42-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 148598
Time elapsed: 2 hour(s), 37 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\__c006A1C8.dat (Trojan.Zlob) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00de624 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\44f0ed4d382 (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\__c006A1C8.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


BitDefender log below(one infected file unable to remove)


BitDefender Log File

Product : BitDefender Total Security 2009
Version : BitDefender UIScanner v.12
Scanning task : Full System Scan
Log date : 15:33:07 24/08/2008
Log path : C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Profiles\Logs\full_scan\1219609987_1_02.xml

Scan Pathsath 0000: C:\Program Files\BitDefender\BitDefender 2009\uiscan.exe
Path 0001: C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
Path 0002: C:\WINDOWS\system32\DfrgNtfs.exe
Path 0003: C:\WINDOWS\system32\Defrag.exe
Path 0004: C:\WINDOWS\System32\msiexec.exe
Path 0005: C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
Path 0006: C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
Path 0007: C:\Program Files\AT&T\Internet Security Wizard\ISWComHandler.exe
Path 0008: C:\Program Files\Digital Line Detect\DLG.exe
Path 0009: C:\Program Files\America Online 9.0\aoltray.exe
Path 0010: C:\Program Files\iPod\bin\iPodService.exe
Path 0011: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Path 0012: C:\Program Files\DellSupport\DSAgnt.exe
Path 0013: C:\WINDOWS\system32\ctfmon.exe
Path 0014: C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
Path 0015: C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
Path 0016: C:\Program Files\ATT Internet Tools\blsloader.exe
Path 0017: C:\Program Files\Dell Support Center\bin\sprtcmd.exe
Path 0018: C:\Program Files\iTunes\iTunesHelper.exe
Path 0019: C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe
Path 0020: C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
Path 0021: C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
Path 0022: C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
Path 0023: C:\Program Files\Real\RealPlayer\RealPlay.exe
Path 0024: C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
Path 0025: C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
Path 0026: C:\Program Files\Dell\Media Experience\PCMService.exe
Path 0027: C:\WINDOWS\system32\dla\tfswctrl.exe
Path 0028: C:\WINDOWS\System32\hkcmd.exe
Path 0029: C:\WINDOWS\System32\svchost.exe
Path 0030: C:\WINDOWS\System32\wbem\wmiprvse.exe
Path 0031: C:\Program Files\Microsoft Windows OneCare Live\winss.exe
Path 0032: C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
Path 0033: C:\WINDOWS\wanmpsvc.exe
Path 0034: C:\WINDOWS\System32\wdfmgr.exe
Path 0035: C:\WINDOWS\System32\svchost.exe
Path 0036: C:\Program Files\Dell Support Center\bin\sprtsvc.exe
Path 0037: C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
Path 0038: C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
Path 0039: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
Path 0040: C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
Path 0041: C:\Program Files\Bonjour\mDNSResponder.exe
Path 0042: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
Path 0043: C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
Path 0044: C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
Path 0045: C:\WINDOWS\system32\spoolsv.exe
Path 0046: C:\WINDOWS\system32\LEXPPS.EXE
Path 0047: C:\WINDOWS\system32\LEXBCES.EXE
Path 0048: C:\WINDOWS\System32\svchost.exe
Path 0049: C:\WINDOWS\System32\svchost.exe
Path 0050: C:\WINDOWS\Explorer.EXE
Path 0051: C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
Path 0052: C:\WINDOWS\System32\svchost.exe
Path 0053: C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
Path 0054: C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
Path 0055: C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
Path 0056: C:\WINDOWS\system32\svchost.exe
Path 0057: C:\WINDOWS\system32\svchost.exe
Path 0058: C:\WINDOWS\system32\lsass.exe
Path 0059: C:\WINDOWS\system32\services.exe
Path 0060: C:\WINDOWS\system32\winlogon.exe
Path 0061: C:\WINDOWS\system32\csrss.exe
Path 0062: \SystemRoot\System32\smss.exe
Path 0063: C:\

Scan Options:Scan for viruses : Yes
Scan for adware : Yes
Scan for spyware : Yes
Scan for applications : Yes
Scan for dialers : Yes
Scan for rootkits : Yes

Target Selection Options:Scan registry keys : Yes
Scan cookies : Yes
Scan boot sectors : Yes
Scan memory processes : Yes
Scan archives : No
Scan runtime packers : Yes
Scan emails : No
Scan all files : Yes
Heuristic Scan : Yes
Scanned extensions :
Excluded extensions :

Target Processing: Default action for infected objects : Disinfect
Default action for suspicious objects : None
Default action for hidden objects : None
Default action for encrypted infected objects : None
Default action for encrypted suspicious objects : None
Default action for password-protected objects : None

Scan engines summaryNumber of virus signatures : 1428775
Archive plugins : 43
Email plugins : 6
Scan plugins : 12
System plugins : 4
Unpack plugins : 7

Overall scan summaryScanned items : 158912
Infected items : 1
Suspicious items : 0
Resolved items : 0
Unresolved items : 1
Password-protected items : 0
Individual viruses found : 1
Scanned directories : 10826
Scanned boot sectors : 3
Scanned archives : 2
Input-output errors : 37
Scan time : 01:55:39
Files per second : 22

Scanned processes summaryScanned : 63
Infected : 0

Scanned registry keys summaryScanned : 395
Infected : 0

Scanned cookies summaryScanned : 395
Infected : 0

Remaining issues:Object Name Threat Name Final Status
[System] Cookie.2o7 Disinfect Failed


Hope this helps.....Thanks!!

 

[dixiejen79]

Anyone have anymore recommendations?? Any help is greatly appreciated! Thanks.

 

[dixiejen79]

My firefox has now shutdown. I do not know how to access the internet from my desktop computer. If I transfer files via a memory stick will this transfer the virus? Any other fix suggestions?