TechSpot

Vundo Virus - please help

By kikib
Apr 16, 2008
  1. HI,

    My McAfee is telling me that I have a Vundo virus. I boot up (normal mode) and can't open Windows Explorer, run any programs, etc., and my virus software pops up constantly. I click "remove", at which point I'm told I need to reboot, and it all starts again.

    There was a point at which I couldn't Ctl Alt Del, but I fiddled around in the Registry and removed some dodgy looking programs.

    I can boot up in Safe Mode, though I have similar problems there; I was able to download and run Spyware Doctor, which removed a number of problems, just not the main one. I have also done a RegClean.

    Can someone pls help, I don't know what else to try.

    The error I'm getting from my virus software points to:
    C:\Windows\System32\qoMdDvSk.dll - which I found in the Registry and deleted but it seems to return.

    Any assistance would be GREATLY appreciated.

    KikiB
     
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  3. tim_tank

    tim_tank TS Rookie

    ^^

    Yup, I had the exact same virus on my comp actually, this helps a lot :p Then once you've got rid of it, do another computer sweep to get rid of any other things that might have been attached to that.
     
  4. kikib

    kikib TS Rookie Topic Starter

    Thanks, did this and it didn't return any errors, so nothing to fix.
     
  5. tim_tank

    tim_tank TS Rookie

    no probs :p congrats
     
  6. kikib

    kikib TS Rookie Topic Starter

    No, no - the virus is still a problem but Vundo fix didn't "fix" my problem, it didn't return any results.
     
  7. tim_tank

    tim_tank TS Rookie

    Ohhhhhhhh my bad, umm, then download 'Ad-Aware'. It's a good antivirus program, try and see if that detects anything.
     
  8. kritius

    kritius TS Guru Posts: 2,084

    Go HERE and follow all the steps and post the logs back

    AVG Antispyware - set to quarantine
    ComboFix
    HijackThis
     
  9. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Ad-Aware is NOT a good antivirus program, please do not write this (2 threads so far).

    Ad-Aware was originally made for advertisement removal, i.e. ads.
    It has now expanded to many different threats, including some virus detection (but very minimal).

    To remove a virus, you will need antivirus protection like AVG (and hundreds of others).
     
  10. kikib

    kikib TS Rookie Topic Starter

    All seems to be OK

    kritius, you are a genius. Followed instructions and don't seem to have any further symptoms.

    Panda Antirootkit didn't return any results
    VundoFix didn't return any results

    The only thing out of the ordinary is that McAfee now alerts me to two programs:
    - PRC Viewer
    - Generic Pup g
    I select "Remove" these and they seem to go away. Though, I think I've done this about three times now (over the past 12 hrs).

    I have attached the HijackThis and ComboFix log. Someone removed all my AVG quarantined items so I don't have a log for this one. Do you recommend re-running and posting?

    thanks again for your help, I was about to have a breakdown.
     
  11. kritius

    kritius TS Guru Posts: 2,084

    COMBOFIX-Script

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      File::
      C:\WINDOWS\system32\qoMdDvSK.dll.vir
      C:\Documents and Settings\All Users\Application Data\ezsid.dat
      
      Folder::
      C:\VundoFix Backups
      C:\Documents and Settings\All Users\Application Data\rofejklc
      
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      [screenshot omitted: dragging CFScript.txt onto ComboFix.exe]
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Attach the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
     
  12. kikib

    kikib TS Rookie Topic Starter

    ComboFix Log

    Hi, thanks, here is the log.
     
  13. kritius

    kritius TS Guru Posts: 2,084

    I would like you to do an online scan so that we can see what else may be in your system.
    Run Kaspersky online scanner
    With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
    Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
    Do not go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


    Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
      o Extended (If available, otherwise use standard)
      o Scan Options:
      o Scan Archives
      o Scan Mail Bases
    • Click OK
    • Under select a target to scan, select My Computer
    • The scan will take a while so be patient and let it run.
    • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As... button (see red arrow below)

      [screenshot omitted: Save Report As... button]
    • In the Save as... prompt, select Desktop
    • In the File name box, name the file
    • In the Save as type prompt, select Text file (see below)

      [screenshot omitted: Save as type prompt]
    • Include the report in your next post.
     
  14. kikib

    kikib TS Rookie Topic Starter

    Kaspersky Report

    thanks again, report attached.
     
  15. kritius

    kritius TS Guru Posts: 2,084

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    Delete the three tools that were used in step 10 of the prelim instructions, SmitFraudFix, VundoFix and VirtumundoBeGone, then empty the recycle bin.

    C:\Documents and Settings\Bowe Family\Local Settings\Temp<====Delete the contents of this folder if not already empty.

    How is the computer running now?
     
  16. kikib

    kikib TS Rookie Topic Starter

    thanks - all working now

    everything is great now - really appreciate your help. K.
     
  17. kritius

    kritius TS Guru Posts: 2,084

    If you post one more HJT log then we'll see if we can finish things off.
     
  18. kikib

    kikib TS Rookie Topic Starter

    HijackThis log

    here you go!
     
  19. kritius

    kritius TS Guru Posts: 2,084

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://s3scwslb01wfa.in.telstra.com.au/callcenter_enu/19224/applets/SiebelAx_Desktop_Integration.cab
    O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - http://ssdbsiiam003.in.telstra.com.au/qcbin/Spider90.ocx
    O21 - SSODL: pmsoarbf - {1BC7AAE6-2682-4539-BE56-70D82823001C} - (no file)

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    Delete the three tools from step 10 of the prelim instructions by dragging them to the recycle bin and then emptying it.

    Please download the OTMoveIt2 by OldTimer.

    • Double-click OTMoveIt2.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes, if not delete it by yourself.

    Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt2 attempting to contact the internet, please allow it to do so.

    • Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

      You can find instructions on how to enable and re-enable system restore here:

      Windows XP System Restore Guide

      or

      Windows Vista System Restore Guide

    Re-enable system restore with instructions from tutorial above
     
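As an added example (not from this thread, and not HijackThis's own code), here is a small Python reviewer for the O16 (DPF / downloaded ActiveX control) and O21 (SSODL) line shapes that appear in the post above. It flags SSODL entries whose file is missing, which is the "(no file)" residue left behind after a removal, and records which host each ActiveX control was pulled from so the analyst can check the list. The log lines, CLSIDs and hostnames are constructed, and the regular expressions are assumed from the format of the lines in the post.

```python
import re
from urllib.parse import urlsplit

# Line shapes assumed from the O16/O21 entries quoted in the thread.
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\}) \((.*?)\) - (\S+)$")
O21_RE = re.compile(r"^O21 - SSODL: (\S+) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")

# Constructed sample log: fictitious CLSIDs and hosts, plus one section
# header line ("Running processes:") that the parser should skip.
SAMPLE_LOG = """\
Running processes:
O16 - DPF: {11111111-2222-3333-4444-555555555555} (Example Desktop Control) - http://downloads.example.com/applets/Example_Desktop.cab
O16 - DPF: {66666666-7777-8888-9999-AAAAAAAAAAAA} (Loader Class v3) - http://ssd.example.net/qcbin/Loader.ocx
O21 - SSODL: pmsoarbf - {1BC7AAE6-2682-4539-BE56-70D82823001C} - (no file)
"""


def parse_hjt_line(line):
    """Parse one HijackThis line into a dict, or return None if unrecognised."""
    line = line.strip()
    m = O16_RE.match(line)
    if m:
        clsid, name, url = m.groups()
        return {"section": "O16", "clsid": clsid, "name": name,
                "url": url, "host": urlsplit(url).hostname}
    m = O21_RE.match(line)
    if m:
        name, clsid, path = m.groups()
        return {"section": "O21", "name": name, "clsid": clsid, "path": path}
    return None


def review_hjt_log(text):
    """Parse every recognised line and attach review notes to each entry."""
    findings = []
    for line in text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        notes = []
        if entry["section"] == "O21" and entry["path"] == "(no file)":
            notes.append("orphaned SSODL entry: registry key points to a missing file")
        if entry["section"] == "O16" and not entry["url"].lower().startswith("https://"):
            notes.append("ActiveX control downloaded over plain HTTP")
        entry["notes"] = notes
        findings.append(entry)
    return findings


def activex_hosts(findings):
    """Distinct hosts that O16 entries pulled controls from, for review."""
    return sorted({f["host"] for f in findings if f["section"] == "O16"})
```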