Vundo Virus - please help

Status
Not open for further replies.

kikib

HI,

My McAfee is telling me that I have a Vundo virus. I boot up (normal mode) and can't open Windows Explorer, run any programs etc., and my virus software pops up constantly. I click "remove", at which point I'm told I need to reboot, and it all starts again.

There was a point at which I couldn't Ctl Alt Del, but I fiddled around in the Registry and removed some dodgy looking programs.

I can boot up in Safe Mode, though I have similar problems there; I was able to download and run SpyDoctor - which removed a number of problems, just not the main one. I have also done a RegClean.

Can someone please help, I don't know what else to try.

The error I'm getting from my virus software points to:
C:\Windows\System32\qoMdDvSk.dll - which I found in the Registry and deleted but it seems to return.

Any assistance would be GREATLY appreciated.

KikiB
 
^^

kimsland said:
Download VundoFix:
And do a full scan

Yup, I had the exact same virus on my comp actually, this helps a lot :p Then once you've got rid of it, do another computer sweep to get rid of any other things that might have been attached to that.
 
No, no - the virus is still a problem but Vundo fix didn't "fix" my problem, it didn't return any results.
 
Ohhhhhhhh my bad, umm then download 'Adaware'. It's a good antivirus program, try and see if that detects anything.
 
Go HERE and follow all the steps and post the logs back

AVG Antispyware - set to quarantine
ComboFix
HijackThis
 
Ohhhhhhhh my bad, umm then download 'Adaware'. It's a good antivirus program

Ad-Aware is NOT a good Antivirus program, please do not write this (2 threads so far)

Ad-Aware was originally made for advertisement removal, i.e. ads.
It has now expanded to many different threats, including some virus detection (but very minimal).

To remove a virus, you will need AntiVirus protection like AVG (and hundreds of others)
 
All seems to be OK

kritius, you are a genius. Followed instructions and don't seem to have any further symptoms.

Panda Antirootkit didn't return any results
VundoFix didn't return any results

The only thing out of the ordinary is that McAfee now alerts me to two programs:
- PRC Viewer
- Generic Pup g
I select "Remove" these and they seem to go away. Though, I think I've done this about three times now (over the past 12 hrs).

I have attached the HijackThis and ComboFix log. Someone removed all my AVG quarantined items so I don't have a log for this one. Do you recommend re-running and posting?

thanks again for your help, I was about to have a breakdown.
 
COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\WINDOWS\system32\qoMdDvSK.dll.vir
    C:\Documents and Settings\All Users\Application Data\ezsid.dat
    
    Folder::
    C:\VundoFix Backups
    C:\Documents and Settings\All Users\Application Data\rofejklc
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot: CFScript.gif - CFScript.txt being dragged onto ComboFix.exe]

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Attach the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
 
I would like you to do an online scan so that we can see what else may be in your system.
Run Kaspersky online scanner
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
Do not go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    o Extended (If available, otherwise use standard)
    o Scan Options:
    o Scan Archives
    o Scan Mail Bases
  • Click OK
  • Under select a target to scan, select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)

    [screenshot: Kas-SaveReport-1.gif - the Save Report As... button]

  • In the Save as... prompt, select Desktop
  • In the File name box, name the file
  • In the Save as type prompt, select Text file (see below)

    [screenshot: Kas-Savetxt.gif - Save as type set to Text file]

  • Include the report in your next post.
 
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Delete the three tools that were used in step 10 of the prelim instructions, SmitFraudFix, VundoFix and VirtumundoBeGone, then empty the recycle bin.

C:\Documents and Settings\Bowe Family\Local Settings\Temp<====Delete the contents of this folder if not already empty.

How is the computer running now?
 
Fix entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below
O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://s3scwslb01wfa.in.telstra.com.au/callcenter_enu/19224/applets/SiebelAx_Desktop_Integration.cab
O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - http://ssdbsiiam003.in.telstra.com.au/qcbin/Spider90.ocx
O21 - SSODL: pmsoarbf - {1BC7AAE6-2682-4539-BE56-70D82823001C} - (no file)

  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot HijackThis if necessary

Delete the three tools from step 10 of the prelim instructions by dragging them to the recycle bin and then emptying it.

Please download the OTMoveIt2 by OldTimer.

  • Double-click OTMoveIt2.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt2 attempting to contact the internet, please allow it to do so.

  • Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Windows XP System Restore Guide

    or

    Windows Vista System Restore Guide

Re-enable system restore with instructions from tutorial above
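Added example (editor's code, not from the thread and not part of HijackThis, ComboFix or any other tool used above): the triage a helper applies when deciding which HijackThis lines to tick, written out in Python and run over a constructed log. The log is built from the three entries the helper told the poster to fix, an O2 line built around the qoMdDvSk.dll name from the first post (with a made-up CLSID), and some benign filler with invented names; the trust list, the "(no file)" test and the random-name heuristic are the editor's assumptions about what the helper was looking for, not documented rules.

```python
import re
from urllib.parse import urlparse

# Constructed sample log (not a real HijackThis log from the poster's machine).
# O16/O21: the entries the helper ticked. O2: qoMdDvSk.dll from the first post,
# invented CLSID. O4, O16 example.com, O23: benign filler with invented names.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5D3C2B1A-0000-4000-8000-000000000001} - C:\WINDOWS\system32\qoMdDvSk.dll
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\tray.exe
O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://s3scwslb01wfa.in.telstra.com.au/callcenter_enu/19224/applets/SiebelAx_Desktop_Integration.cab
O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - http://ssdbsiiam003.in.telstra.com.au/qcbin/Spider90.ocx
O16 - DPF: {0A1B2C3D-0000-4000-8000-000000000002} (Example Vendor Control) - http://download.example.com/control.cab
O21 - SSODL: pmsoarbf - {1BC7AAE6-2682-4539-BE56-70D82823001C} - (no file)
O23 - Service: ExampleAV Service - Example Vendor - C:\Program Files\ExampleAV\service.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")          # "O16 - DPF: ..." -> ("O16", "DPF: ...")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|ocx)", re.IGNORECASE)


def looks_random(dll_name):
    """Heuristic (assumption) for throwaway dropper names such as qoMdDvSk.dll:
    eight letters, no digits, and case that flips at least three times."""
    stem, _, ext = dll_name.rpartition(".")
    if ext.lower() != "dll" or not (len(stem) == 8 and stem.isalpha()):
        return False
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return flips >= 3


def host_trusted(url, trusted_hosts):
    """True if the URL's host is, or is a subdomain of, a host on the trust list."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in trusted_hosts)


def triage(log_text, trusted_hosts=()):
    """Return (code, reason, line) for each entry a helper would tick in HijackThis."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        code, rest = m.groups()
        if rest.endswith("(no file)"):
            # The registry still names a component whose file is gone (the O21 SSODL case).
            findings.append((code, "orphaned entry: registry references a file that is gone", line))
        elif code == "O16":
            # Downloaded Program Files: an ActiveX control pulled from the last URL field.
            url = rest.rsplit(" - ", 1)[-1]
            if not host_trusted(url, trusted_hosts):
                findings.append((code, "ActiveX control fetched from a host not on the trust list", line))
        else:
            pm = PATH_RE.search(rest)
            if pm:
                path = pm.group(0)
                name = path.rsplit("\\", 1)[-1]
                if "\\system32\\" in path.lower() and looks_random(name):
                    findings.append((code, "random-looking DLL name in system32 (Vundo-style dropper)", line))
    return findings


def fix_candidates(log_text, trusted_hosts=()):
    """Just the raw lines, in log order, ready to be ticked under 'Do a system scan only'."""
    return [line for _, _, line in triage(log_text, trusted_hosts)]


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG, trusted_hosts=("example.com",)):
        print(f"{code}: {reason}\n    {line}")
```

With `example.com` on the trust list the script flags exactly the four entries a helper would: the qoMdDvSk.dll BHO, the two O16 controls from the intranet hosts, and the orphaned O21 SSODL entry; the filler lines pass. The point of the "(no file)" rule is that such an entry cannot be "cleaned" by any scanner, since there is nothing on disk to detect, which is why it ends up being fixed by hand in HijackThis.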
 