TechSpot

Stupid Vundoo

By SchobA
Jun 3, 2010
  1. Hi All,
    I am a newbie to this removal of spyware, malware, viruses, etc., so please bear with me. I do have some computer background education, but this stuff just seems so scary in terms of registry/files/system restores.

    I downloaded Norton Internet Security 2010 trial (successfully, in Safe Mode); after running it and seeing that 2 high risks were removed (both related to Vundo), I thought I was possibly in the clear.
    I then decided to fork out the $ and purchase Norton 360 (today). I ran a complete scan and nothing seems to be out of order; however, when I open Facebook, Yahoo, or a couple of other sites I keep getting random pop-ups.
    Attached is my HJT log that I just ran.
    After going through many forums and looking up 85% of the different entries on the list to see what each .exe was, I determined that I may still be infected, specifically:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

    I don't know, I feel like all I've been doing is running around in circles and getting nowhere fast.
    If anyone could help me I would greatly appreciate it.
    Thanks,
    SchobA

  2. Broni

    Broni Malware Annihilator Posts: 52,897   +344

  3. SchobA

    SchobA TS Rookie Topic Starter

    Hi,

    I completed steps 1-4 and keep getting stuck on GMER. I downloaded and ran GMER, followed all the directions to a T, and the program either freezes on me or takes over 24 hours and then freezes. It won't let me stop and then save.
    If you could please help me, or possibly send me or refer me to someone who could help me, I would appreciate it. I am currently using the computer that I was running GMER on. I only have the issue while running the program.

    Thanks Bunches,
     
  4. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Proceed with next steps, please.
     
  5. SchobA

    SchobA TS Rookie Topic Starter

    MBAM and DDS Logs (NO GMER)

    MBAM:
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4169

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    6/4/2010 7:13:41 AM
    mbam-log-2010-06-04 (07-13-41).txt

    Scan type: Quick scan
    Objects scanned: 147495
    Time elapsed: 12 minute(s), 48 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 4
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 9

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jakogumap (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xpltinor (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xpltinor (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\robibizeka (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\jabunegi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nukanaji.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\puhayawu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\reziyike.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\romarete.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tubivabo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tunapiro.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wepejapu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\herjek.config (Malware.Trace) -> Quarantined and deleted successfully.
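An added example (not from this thread or from Malwarebytes) that parses findings in the log layout above and pulls out what a responder should look at first: Run-key persistence, tampering with Security Center notifications, and removals that did not complete. The sample log body is constructed from a subset of the entries above; the "Delete on reboot." action is an assumed value added to exercise the incomplete-removal check.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Malwarebytes log above (a subset of its entries).
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jakogumap (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xpltinor (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\jabunegi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\herjek.config (Malware.Trace) -> Delete on reboot.
"""

# "Registry Values Infected:" style section headers (the summary lines carry a count and do not match).
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
# "<path> (<family>) -> <action>"; the action may itself contain "->" (Bad/Good data items).
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)$")

def parse_mbam_log(text):
    """Return a list of findings {section, path, family, action} from an MBAM log body."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            findings.append({"section": section, **m.groupdict()})
    return findings

def triage(findings):
    """Summarise what a responder cares about: persistence, defence tampering, incomplete removals."""
    return {
        "families": Counter(f["family"] for f in findings),
        # Autorun entries under HKLM/HKCU ...\CurrentVersion\Run\ are the infection's persistence.
        "persistence": [f["path"] for f in findings
                        if "\\currentversion\\run\\" in f["path"].lower()],
        # "Disabled.*" families mark security controls the malware switched off.
        "defence_tampering": [f["path"] for f in findings if f["family"].startswith("Disabled.")],
        # Anything not reported as removed successfully needs a follow-up scan after reboot.
        "incomplete": [f["path"] for f in findings if "successfully" not in f["action"]],
    }
```

If a scan shows persistence entries or defence tampering, rescan after the reboot that completes any pending deletions, since a surviving Run entry will reinstall what was quarantined.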
     
  6. SchobA

    SchobA TS Rookie Topic Starter

    attach.txt log

    I had to do this as an attachment.
     


  7. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    I still don't see DDS.txt log.
     
  8. SchobA

    SchobA TS Rookie Topic Starter

    DDS.txt

    Sorry, I thought I had done all 3. Thanks
     

    Attached Files: DDS.txt (20.2 KB)
  9. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
Topic Status:
Not open for further replies.
