Vundo attack, logs attached

By razerforlove
Apr 24, 2009
  1. Hello,
    My laptop was recently attacked by the Vundo Trojan. I followed the 8 steps removal procedure. I am attaching the 3 logs with this thread. Please help me resolve the issue. Thanks.

    Raj Nambiar
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Did you follow the instructions in Mbam to reboot to delete the malware?

    Do NOT use System Restore while the system is being cleaned> this entry> C:\SYSTEM VOLUME INFORMATION\_RESTORE indicates that the malware is in the restore points. We will drop the old restore point and create a new, clean on when the malware has been removed.

    You have Symantec/Norton entries as well as McAfee. Decide which you want to keep and remove the other:
    I suspect you are not starting up, shutting down or surfing very fast. That is because you have to many processes starting on boot. (running processes, 04 entries, 023 services set to Automatic) That means they have to load, will run in the background, then each needs to shutdown. This is a waste of your resources as most can be started manually as needed. You are also using IE8 which is fat with bloat, using a lot of the system memory:

    Examples: Media players (QuickTime Task, iTunes helper, ipod, Real Player updater, , Camera utilities, printer, PDF reader, Sonic, and on and on. you might want to look into that and the many Vaio processes Sony pre-loads. The ZoneAlarm Spyblocker is pre-checked on some update sites. I discourage using it because it is a BIG resource user.

    Remove Bad Entries in HijackThis:
    Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.

    Boot into Safe Mode:
    Start> Run> msconfig> enter> Selective Startup> Startup menu> UNCHECK the following:
    Internet options> Security tab> Trusted Sites> Sites> remove the following from the Trusted Zone:
    Reset Cookies:
    Control Panel> Add/Remove Programs> UNINSTALL the following:
    Boot into Normal Mode> Ignore the nag message and close it after checking 'don't show message again.' Stay in Selective Startup.

    Run Vundo Fix:
    Please download VundoFix.exe HERE and save to your desktop.
    Rescan with HijackThis after vundoFix. Attach new log and Vundfo report.

    This thread is for the use of razerforlove only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Virus and Malware Removal Forum.
  3. razerforlove

    razerforlove TS Rookie Topic Starter

    I now understand what I missed. Thanks a lot for your reply. I will immediately follow the instructions and will post the new logs. Thanks once again.

    I have followed all the instructions given in your post. I did not uninstall IE8 or other BOG resource user, but I will slowly look into what to keep and what to remove. I also uninstalled the weather channel programs and zone alarm spyblocker. I could not find viewpoint manager to uninstall. I could only find Viewpoint player which I have not yet uninstalled. I am attaching all the 4 logs along with this comment. Please verify and let me know if my PC is safe. Thanks a lot for your precious time.

    Raj Nambiar
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, very good! Almost there!

    Open HijackThis again> System Scan Only> Check the following:
  5. razerforlove

    razerforlove TS Rookie Topic Starter

    RE:: Vundo attack..... Logs attached... Pls help!

    Sure. I am on it. Thanks once again for your quick reply. Will be back soon with the new set of logs.

    Raj Nambiar
  6. razerforlove

    razerforlove TS Rookie Topic Starter

    RE:: Vundo attack..... Logs attached... Pls help!

    When I started my PC in safe mode, I could not find PIFSvc.exe under Start> Run> msconfig> enter> Selective Startup> Startup menu to UNCHECK it.

    I did not find pudomehi.dll under Right click on Start> Explore> Windows> System 32

    Can I enable my system restore?

    Please find the latest HijackThis.log and ComboFix.txt with this file. Thanks once again for all your help.

    Raj Nambiar
  7. touch

    touch TS Rookie Posts: 978

    P2P software/programs are a major contributor to your infections.

    We reserve the right to withdraw our support:
    If such programs are found in your logs
    Should you not agree to their removal.
    As they are normally set to bypass your Firewall and Anti-Virus software
    Filesharing/P2P Programs serves as a constant threat to your computer

    c:\program files\Azureus << you decide ;)

    If you remove it, reboot and post new combofix log
  8. razerforlove

    razerforlove TS Rookie Topic Starter

    RE:: Vundo attack..... Logs attached... Pls help!

    I had uninstalled Azureus even before I posted my last set of logs, but some how the windows uninstaller did not remove the Azureus folder and some files within it in the "C:\Program FIles" directory. That is what was listed in the ComboFix log that I attachet last time. It is all gone now. I am attaching the new ComboFix log with this post. Thanks once again for your wonderful help.

    Raj Nambiar
  9. touch

    touch TS Rookie Posts: 978

    Open notepad and copy/paste the text in the quotebox below into it:

    Save this as:

    Refering to the picture above, drag CFScript into ComboFix.exe

    Then attach fresh combofix log.
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...