TechSpot - PC Technology News and Analysis

razerforlove · #1 04-24-2009

Hello,
My laptop was recently attacked by the Vundo Trojan. I followed the 8 steps removal procedure. I am attaching the 3 logs with this thread. Please help me resolve the issue. Thanks.

Regards
Raj Nambiar

Bobbye · #2 04-24-2009

Did you follow the instructions in Mbam to reboot to delete the malware?

Do NOT use System Restore while the system is being cleaned> this entry> C:\SYSTEM VOLUME INFORMATION\_RESTORE indicates that the malware is in the restore points. We will drop the old restore point and create a new, clean on when the malware has been removed.

You have Symantec/Norton entries as well as McAfee. Decide which you want to keep and remove the other:

Quote:

Norton Removal Tool is HERE

McAfee Removal Tool is HERE

I suspect you are not starting up, shutting down or surfing very fast. That is because you have to many processes starting on boot. (running processes, 04 entries, 023 services set to Automatic) That means they have to load, will run in the background, then each needs to shutdown. This is a waste of your resources as most can be started manually as needed. You are also using IE8 which is fat with bloat, using a lot of the system memory:

Examples: Media players (QuickTime Task, iTunes helper, ipod, Real Player updater, , Camera utilities, printer, PDF reader, Sonic, and on and on. you might want to look into that and the many Vaio processes Sony pre-loads. The ZoneAlarm Spyblocker is pre-checked on some update sites. I discourage using it because it is a BIG resource user.

Remove Bad Entries in HijackThis:
• Run HijackThis
• Click on the System Scan Only button
• Put a check beside all of the items listed below (if present):

Quote:

C:\Program Files\Viewpoint\Common\ViewpointService.exe
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKUS\S-1-5-19\..\Run: [hagufenoko] Rundll32.exe "C:\WINDOWS\system32\jilumuyo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [hagufenoko] Rundll32.exe "C:\WINDOWS\system32\jilumuyo.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O15 - Trusted Zone: http://*.techsatish.tv
O15 - Trusted Zone: http://*.trymedia.com (HKLM)

• Close all open windows and browsers/email, etc...
• Click on the "Fix Checked" button
• When completed, close the application.

Boot into Safe Mode:
Start> Run> msconfig> enter> Selective Startup> Startup menu> UNCHECK the following:

Quote:

Viewpoint entries
ZoneAlarm Spyblocker

Internet options> Security tab> Trusted Sites> Sites> remove the following from the Trusted Zone:

Quote:

*.techsatish.tv
*.trymedia.com (HKLM)

Reset Cookies:

Quote:

For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

Control Panel> Add/Remove Programs> UNINSTALL the following:

Quote:

Viewpoint Manager
ZoneAlarm Spyblocker
Consider removing the Weather Channel

Boot into Normal Mode> Ignore the nag message and close it after checking 'don't show message again.' Stay in Selective Startup.

Run Vundo Fix:
Please download VundoFix.exe HERE and save to your desktop.

Quote:

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the ‘Fix Vundo’ button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please attach the C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Rescan with HijackThis after vundoFix. Attach new log and Vundfo report.

This thread is for the use of razerforlove only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Virus and Malware Removal Forum.

razerforlove · #3 04-25-2009

I now understand what I missed. Thanks a lot for your reply. I will immediately follow the instructions and will post the new logs. Thanks once again.

Hello,
I have followed all the instructions given in your post. I did not uninstall IE8 or other BOG resource user, but I will slowly look into what to keep and what to remove. I also uninstalled the weather channel programs and zone alarm spyblocker. I could not find viewpoint manager to uninstall. I could only find Viewpoint player which I have not yet uninstalled. I am attaching all the 4 logs along with this comment. Please verify and let me know if my PC is safe. Thanks a lot for your precious time.

Regards
Raj Nambiar

Bobbye · #4 04-25-2009

Okay, very good! Almost there!

Open HijackThis again> System Scan Only> Check the following:
[quote]

Quote:

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL C:\WINDOWS\system32\pudomehi.dll (oneVundo process left)
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

Close all Windows and email> click on Fix Checked
Close when through

Boot into Safe Mode:
Start> Run> msconfig> enter> Selective Startup> Startup menu> UNCHECK the following:
PIFSvc.exe

Control Panel> Add/Remove Programs> UNINSTALL the following:
Viewpoint player

Right click on Start> Explore> Windows> System 32> right click> delete on the following if found:
pudomehi.dll

Boot into Normal Mode> Ignore the nag message and close it after checking 'don't show message again.' Stay in Selective Startup.

Run Combofix:
Please download ComboFix. HERE:

With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.

• Run Combo-Fix.exe and follow the prompts.

Quote:

**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComoboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Rescan with HijackThis when through. Attach Combofix report and new HJ log.
If they're clean, we will finish up.

razerforlove · #5 04-25-2009

Hello,
Sure. I am on it. Thanks once again for your quick reply. Will be back soon with the new set of logs.

Regards
Raj Nambiar

razerforlove · #6 04-25-2009

Hello
When I started my PC in safe mode, I could not find PIFSvc.exe under Start> Run> msconfig> enter> Selective Startup> Startup menu to UNCHECK it.

I did not find pudomehi.dll under Right click on Start> Explore> Windows> System 32

Can I enable my system restore?

Please find the latest HijackThis.log and ComboFix.txt with this file. Thanks once again for all your help.

Regards
Raj Nambiar

touch · #7 04-26-2009

P2P software/programs are a major contributor to your infections.

We reserve the right to withdraw our support:
If such programs are found in your logs
Should you not agree to their removal.
As they are normally set to bypass your Firewall and Anti-Virus software
Filesharing/P2P Programs serves as a constant threat to your computer

Uninstall:
c:\program files\Azureus << you decide

If you remove it, reboot and post new combofix log

razerforlove · #8 04-26-2009

Hello,
I had uninstalled Azureus even before I posted my last set of logs, but some how the windows uninstaller did not remove the Azureus folder and some files within it in the "C:\Program FIles" directory. That is what was listed in the ComboFix log that I attachet last time. It is all gone now. I am attaching the new ComboFix log with this post. Thanks once again for your wonderful help.

Regards
Raj Nambiar

touch · #9 04-27-2009

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

Killall:
Snapshot::
File::
c:\windows\system32\tebejuyi.dll.tmp
c:\windows\system32\valafuwe.dll.tmp
Folder::
c:\program files\Viewpoint
c:\documents and settings\All Users\Application Data\Viewpoint

Save this as:
CFScript

http://www.fromsej.saknet.dk/billeder/cfscript.gif

Refering to the picture above, drag CFScript into ComboFix.exe

Then attach fresh combofix log.

Similar Topics
Topic	Category	Replies	Last Post
Had Vundo problems, logs attached	Virus & Malware removal	1	04-20-2009 01:02 AM
Vundo need help logs attached	Virus & Malware removal	9	01-16-2009 01:36 PM
Ran 8 steps: Vundo, sagipsul, etc logs attached	Virus & Malware removal	2	01-13-2009 10:02 PM
Requesting help with Vundo. Logs attached.	Virus & Malware removal	4	12-07-2008 08:40 AM
Please see logs for virus attack	Virus & Malware removal	1	08-31-2008 12:46 PM

TechSpot - PC Technology News and Analysis

Vundo attack, logs attached