Help with Pop Ads and Vundo

Thread Tools Search this Thread
  #1  
Old 11-18-2008
Newcomer, in training
 
Member since: Nov 2008, 4 posts

Please help remove pop up ads and Vundo.
Attached Files
File Type: txt hijackthis1.txt (5.7 KB, 1 views)
  #2  
Old 11-21-2008
Helper on the Fringe
 
Location: Florida
Member since: Mar 2007, 15,050 posts
Penny, please run all of the programs here: http://www.techspot.com/vb/topic58138.html

When through, attach all three logs, including new HijackThis log from the run AFTER Malwarebytes and SuperAntispyware.

Checking the HijackThis log without the benefit of the other programs is useless.
  #3  
Old 11-23-2008
Newcomer, in training
 
Member since: Nov 2008, 4 posts
Completed steps, see attached logs.
Attached Files
File Type: txt mbam-log-2008-11-23 (11-14-52).txt (6.4 KB, 1 views)
File Type: log SUPERAntiSpyware Scan Log - 11-23-2008 - 12-33-34.log (1.5 KB, 1 views)
File Type: log hijackthis.log (6.8 KB, 1 views)
  #4  
Old 11-23-2008
Helper on the Fringe
 
Location: Florida
Member since: Mar 2007, 15,050 posts
Okay. Hopefully you viewed the Mbam log to get some idea of the infections. Most were quarantined and deleted, but some required a reboot to complete. Did you do that?

The malware is in your System Restore points. DO NOT do a System Restore while we are cleaning. We will remove the old restore point at the end.

Please reopen SuperAntispyware and do a Quick Scan. Have SAS remove everything found. See the lower image on the left (click to enlarge) to see what to check:
http://screenshots.en.softonic.com/e...3_antispy4.jpg

It appears you may have used the Symantec/Norton AV program. But the uninstall wasn't complete and processes for it are still running. If you want to finish the uninstall, please download this removal tool and Save to the desktop> don't run it yet:
http://service1.symantec.com/SUPPORT...05033108162039

Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
Quote:
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {823481ea-e5a4-46e2-9eaf-e09fe18b47c8} - (no file)
O2 - BHO: Trixie.Bho - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - mscoree.dll (file missing)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKCU\..\Run: [qmir] C:\PROGRA~1\COMMON~1\qmir\qmirm.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O20 - AppInit_DLLs: lxihqx.dll
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:

Start> Run> msconfig> enter> Selective Startup> Start up tab> UNCHECK ALL processes for Symantec/Norton> Apply> OK>

Double-click on the Norton Uninstaller and run. If it won't run in Safe Mode, go ahead and reboot into Normal Mode. You will get a nag message that you can ignore after checking 'don't show this message again'. Stay in Selective Startup.

You were so badly infected, that I'd like you to run the Vundo Fix:
Quote:
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
AFTER, VundoFix, update and run Mbam again. Then follow with HijackThis. Attach all three logs when done.
  #5  
Old 11-23-2008
Newcomer, in training
 
Member since: Nov 2008, 4 posts
Thanks, I completed your instructions. See attached logs. Please note the following:
- I went into safe mode to uncheck all processes for Symantec/Norton but there were none listed.
- Ran VundoFix but no Vundo was found.
- The clock on my taskbar is in military time which is unusual. It wasn't like this until I got attacked by Vundo.
Attached Files
File Type: txt mbam-log-2008-11-23 (21-43-18).txt (967 Bytes, 2 views)
File Type: log SUPERAntiSpyware Scan Log - 11-23-2008 - 19-45-00.log (460 Bytes, 2 views)
File Type: log hijackthis.log (5.9 KB, 2 views)
  #6  
Old 11-24-2008
Helper on the Fringe
 
Location: Florida
Member since: Mar 2007, 15,050 posts
That is looking much better! Running the Vundo Fix was overkill, but better that than not enough.

The logs are fine with two exceptions:
Quote:
O2 - BHO: (no name) - {F5B8433B-512A-481B-9811-F0C6439BBFDB} - (no file)
I can't ID the CLSID above- it did appear in the HijackThis log on Post#3, but I missed it. Reopen HijackThis, check the entry> check Fixed Checked and reboot.
The other is removing the old restore points which are infected. We'll do that if the next log is okay.

We'll run one more HijackThis and check log. And I'd also like you to run a full scan with the AV program- let me know results. Are you noticing any difference in your system's performance?

To change the way your computer displays the time:
Quote:
1. Open Regional and Language Options in Control Panel.
To open Regional and Language Options, click Start, click Control Panel, click Date, Time, Language, and Regional Options, and then click Regional and Language Options.
2. On the Regional Options tab, under Standards and formats, click Customize.
3. On the Time tab, specify any changes you want to make.
4. If you do not see the format you want in Time format, follow these guidelines:
- Display time in a 12-hour format: type lowercase h or hh for the hour.
- Display leading zeros in single-digit hours: type two characters, HH or hh.
- Suppress the display of leading zeros in single-digit hours, minutes, or seconds: type a single uppercase H, or a single lowercase letter, such as h, m, or s.
- Display a single letter to indicate AM or PM: type lowercase t.
- Display two letters to indicate AM or PM: type lowercase tt.
- Display text: type single quotation marks (') around the text.
Source: Geekstogo.com
  #7  
Old 11-24-2008
Newcomer, in training
 
Member since: Nov 2008, 4 posts
System is running much better. ;o). See attached log. I ran the AV program, it said it could not remove a file on my desktop PrcViewer - SmitfraudFix.exe.
Attached Files
File Type: log hijackthis.log (6.0 KB, 1 views)
  #8  
Old 11-27-2008
Helper on the Fringe
 
Location: Florida
Member since: Mar 2007, 15,050 posts
Sorry Penny. I didn't get notice of your reply.

PrcViewer Potentially Unwanted Program *Cannot be completely removed
Filename -=> C:\RECYCLER\S-1-5-21-181055147-4036027980-950489811-500\Dc4.exe, C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.zip

Prcviewer is part of the smitfraudfix tool (which you used to remove malwarewipe); have you deleted the tools from your desktop?

Also click start>search>all files and folders>type prcviewer>delete if found.

PRCViewer can be a genuine application or not depending on where it originated.

There's an interesting read here: http://www.bleepingcomputer.com/forums/topic44790.html

If 1911's instructions do not work, click on the link HERE on the page> http://www.kellys-korner-xp.com/xp_tweaks.htm to open a Kelly's Korner vbs script.
The file will be xp_system32opens.vbs
Download a small .vbs file to your desktop.
Once it's downloaded, run it according to the directions at the top of the Kelly's Korner page.

Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
Quote:
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
PTHOSTTR.EXE - This is a legitimate process that is installed on HP computers but it has some security issues: http://h20331.www2.hp.com/Hpsub/cach...0-225-121.html
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
Default settings software in Hewlett Packard notebook
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL (mscoree.dll is a net framework file)
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot.

Advise system status. If running okay and original problems are resolved, we can remove the cleaning programs:
Download OTCleanIt (http://download.bleepingcomputer.com.../OTCleanIt.exe)
Quote:
Click the CleanUp! button.
It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
Clear your existing system restore points and establish a new clean restore point
Quote:
1. Go to Start > All Programs > Accessories > System Tools > System Restore
2. Select Create a restore point, and Ok it.
3. Next, go to Start > Run and type in cleanmgr
4. Select the More options tab
5. Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.
Let us know if you need more help.
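As an added example (not from the thread, and not part of HijackThis itself), a small Python triage helper that applies the same checks the helper above made by hand to the quoted log lines: orphaned CLSID/hook entries whose file is gone, a populated O20 AppInit_DLLs value, and O4 Run entries launched from 8.3 short paths. The sample lines are copied from posts #4 and #8; the heuristics and the `Finding` type are this example's own.

```python
import re
from dataclasses import dataclass

# Sample HijackThis entries copied from posts #4 and #8 of this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Trixie.Bho - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - mscoree.dll (file missing)
O4 - HKCU\..\Run: [qmir] C:\PROGRA~1\COMMON~1\qmir\qmirm.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O20 - AppInit_DLLs: lxihqx.dll
"""

# A HijackThis line is "<section> - <body>", e.g. "O4 - HKCU\..\Run: [name] path".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    body: str
    reasons: list


def triage(log_text):
    """Return one Finding per HijackThis line a reviewer should look at.

    Heuristics (mirroring what the helper in the thread acted on):
    - orphan entries: a CLSID or hook whose backing file no longer exists
    - O20 AppInit_DLLs: any DLL listed here is loaded into every process
      that loads user32.dll, so a populated value always merits review
    - O4 Run entries using 8.3 short paths such as PROGRA~1\COMMON~1
    """
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # blank line or non-entry text
        section, body = m.group("section"), m.group("body")
        reasons = []
        if "(no file)" in body or "(file missing)" in body:
            reasons.append("orphaned entry: referenced file is missing")
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            reasons.append("AppInit_DLLs injection point is populated")
        if section == "O4" and re.search(r"~\d\\", body):
            reasons.append("Run entry uses an 8.3 short path")
        if reasons:
            findings.append(Finding(section, body, reasons))
    return findings
```

The HP `cpqset.exe` Run entry from post #8 is deliberately included as a line the heuristics leave alone, matching the helper's own note that it is the notebook's default-settings software.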
  #9  
Old 12-06-2008
Techspot old timer.....
 
Location: Petersburg, VA
Member since: Feb 2005, 10,005 posts
Vundo is a very vicious and extremely difficult to remove virus. Also, this is not the correct forum.
I suggest reformatting and reinstalling the OS, and posting in the correct forum next time as well.
  #10  
Old 12-06-2008
Helper on the Fringe
 
Location: Florida
Member since: Mar 2007, 15,050 posts
Tedster, where have you been for the past two weeks? Why are you not telling the user to reformat and reinstall? You are assuming Vundo has not been removed. I do not think that is the case.

And while security issues are better handled in that forum, telling a user they should post somewhere else when the cleaning is over seems a bit on the rude side.
  #11  
Old 03-21-2009
Newcomer, in training
 
Member since: Mar 2009, 5 posts
need help with vundo

Bobbye, my PC is infected with Vundo!grb and I would appreciate your assistance. My McAfee software kills it when it detects it, but does not remove it. Can you please help me out?

Thanks
  #12  
Old 03-21-2009
Helper on the Fringe
 
Location: Florida
Member since: Mar 2007, 15,050 posts
My name is Bobbye. If you have a problem again, please begin a new thread in the Virus and Malware Forum. This thread is 6 months old.

Follow the Steps set here: http://www.techspot.com/vb/topic58138.html

Attach all three new logs. IF you still have the original cleaning programs on the PC, you must UPDATE each of them for new definitions.

Please remember> move to the malware forum.
Closed Thread