TechSpot

Unable to remove Vundo Virus

By Sidz
Jul 2, 2008
  1. Hello, I have recently picked up a few viruses. The first was one called Antivirus XP 2008, and the other Vundo something. I am not sure, but I think I removed the first one, because I scanned, saw it and Vundo, clicked "Fix" and then I scanned again; the first one was gone but Vundo was still there. However, I also see that the first one (Antivirus XP 2008) still looks to be installed on my start menu. I did try and uninstall it as well, but the icon stays.

    Symptoms
    ----------

    - Slower Computer
    - Can't open certain sites (IE: Bitdefender for one)
    - Links in Google send me to unknown directories (I have to copy and paste the URL in the address bar)
    - Firefox does not work (I click on it, see the hourglass, but it doesn't open), I now have to use IE
    - Spybot does not work (I click on it, see the hourglass, but it doesn't open), but the rest of my anti-spyware does

    FYI: Just thought I'd mention I have ComboFix already, as the guy in the old thread I saw had it as well... I just don't know how to use it again, as I had to use it for a different problem quite some time ago... I remember just clicking on it and it running, but it doesn't seem to want to do that anymore. I also have Killbox, SUPERAntiSpyware, Ad-Aware, SpywareBlaster, AVG, CCleaner, HJT, and LSPfix (which I got during my search for a fix). I've run most of these as well, but to no avail. I've gone through a different guide somewhere else that ended in me needing to get ComboFix. However, the virus stops me from being able to open any links to ComboFix so I can DL it.

    I guess I should add my OS as well... XP SP3.
     
  2. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,214

  3. computernerd17

    computernerd17 TS Rookie Posts: 32

    Hello, I am not really a computer genius, but I would suggest getting McAfee after you fix the problem. It could be malware or SmitFraud. Sorry I can't help more. If I were in your situation I would just reinstall a fresh copy of XP or wipe my hard drive.
     
  4. Sidz

    Sidz TS Rookie Topic Starter

    STEP 1 - Shut off all Monitoring programs

    Was unable to view the Instructions link until step 6.

    STEP 2 - Get AVG, Comodo

    mmhmm

    STEP 3 - Online Scan

    Again, unable to access until step 6.

    STEP 4 - get HJT

    Check

    STEP 5 - Rename HJT

    Check

    STEP 6 - Get and run Superantivirus or malwarebytes anti-malware

    This is the program that made the rest possible.

    I already had the first program; it was the factor that helped me with my last nasty virus. This time, however, it was Malwarebytes that I believe has been the factor for this virus. That is why I recommend downloading both.

    After I scanned and removed the threats with Malwarebytes, I was unable to access the net, but I played around repairing my Winsock connection with SUPERAntiSpyware (this is just one reason why it's handy) while in safe mode, and also repairing the connection via the IE diagnostic repair. It took me several tries until I then tried unplugging my modem, rebooting in safe mode, and doing it again (after many times), then rebooted and the net was back up again.

    Now FF, spybot, and notepad work.

    STEP 7 - Get SS&D

    Check

    STEP 8 - Get Adaware 2008

    Check

    STEP 9 - Get CCleaner

    Check

    STEP 10

    Check and nothing found on any.

    STEP 11 - Get Panda Antirootkit

    Nothing found

    STEP 12 - Combofix

    Check

    I thought I was in the clear after malwarebytes, but I'm pretty sure this thing picked up something extra.

    STEP 13 - Run Antivirus

    Check, I used AVG

    This also picked up something extra. It found the exact file that I downloaded that gave me all this. Deleted. :)

    STEP 14 - SS&D & Adaware

    Nothing found.

    STEP 15 - HJT

    DONE.

    --

    Thanks to everyone, I think my computer is finally clean again. But just in case, I will attach the three logs. Never mind, all my logs are too big to attach. So I'll copy and paste them.
     
  5. Sidz

    Sidz TS Rookie Topic Starter
     
  6. Sidz

    Sidz TS Rookie Topic Starter

    Sorry for double post.

    OK, so my ComboFix log is too big for both an attachment and a post, so I dunno what I will do about that... "The text that you have entered is too long (758307 characters)."... lol

    So here are the other two in their own posts.
     
  7. Sidz

    Sidz TS Rookie Topic Starter

    SAS LOG


    SUPERAntiSpyware Scan Log
    superantispyware.com

    Generated 07/03/2008 at 02:54 AM

    Application Version : 4.0.1154

    Core Rules Database Version : 3477
    Trace Rules Database Version: 1468

    Scan type : Quick Scan
    Total Scan Time : 00:38:14

    Memory items scanned : 188
    Memory threats detected : 0
    Registry items scanned : 428
    Registry threats detected : 0
    File items scanned : 29760
    File threats detected : 0
     
  8. Sidz

    Sidz TS Rookie Topic Starter

    HJT LOG


    Logfile of HijackThis v1.99.1
    Scan saved at 3:17:35 AM, on 7/3/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\HijackThis\Crusty.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk.disabled
    O4 - Global Startup: Kodak software updater.lnk.disabled
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
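The HJT log above is the kind of thing helpers on this thread would read line by line. As an added example (not code from the thread, from HijackThis, or from any of the tools mentioned), here is a small Python triage script for that log format: it splits a HijackThis v1.99.1 log into section entries and applies two defender-side heuristics of my own, which are assumptions rather than HJT's logic: orphan entries whose target is "(no file)" / "(file missing)" (leftovers to clean up), and entries worth a closer look (O2/O20 DLLs loaded straight out of system32, a common drop location for Vundo-era components, and O23 services with an unknown owner). The sample log is constructed from the shape of the posted one; the "wxyzabcd" DLL is an invented placeholder, not a real indicator.

```python
import re

# Constructed sample in the HijackThis v1.99.1 log format, modelled on the
# log posted above (paths shortened). The 'wxyzabcd' Winlogon Notify line is
# an invented placeholder standing in for a randomly named DLL, not a real IoC.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: wxyzabcd - C:\WINDOWS\system32\wxyzabcd.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# HJT entries start with a section code (R1, O2, O20, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# A DLL sitting directly in the system directory (no subfolder): a heuristic
# (assumption) for where Vundo-era BHO / Winlogon Notify DLLs were dropped.
SYS32_DLL_RE = re.compile(r"\\(?:WINDOWS|WINNT)\\system32\\[^\\]+\.dll$", re.I)

def parse_hjt(text):
    """Split a HijackThis log into (section, body) tuples, skipping the
    header and the 'Running processes' path list, which have no code."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(entries):
    """Return {'orphan': [...], 'review': [...]}: orphans point at files
    that no longer exist; review items are O2/O20 DLLs loaded straight
    from system32 and O23 services with no publisher."""
    out = {"orphan": [], "review": []}
    for section, body in entries:
        if "(no file)" in body or "(file missing)" in body:
            out["orphan"].append(f"{section} - {body}")
        elif section in ("O2", "O20") and SYS32_DLL_RE.search(body):
            out["review"].append(f"{section} - {body}")
        elif section == "O23" and "Unknown owner" in body:
            out["review"].append(f"{section} - {body}")
    return out

if __name__ == "__main__":
    for kind, items in triage(parse_hjt(SAMPLE_HJT_LOG)).items():
        print(kind, *items, sep="\n  ")
```

Run against a saved log instead of the sample by passing the file's contents to parse_hjt; a "review" hit is a prompt to check the file's publisher and hash, not a verdict.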
     