8 step complete: Vundo, Darksma, Casclient infections

By timbob5 ยท 18 replies
Nov 26, 2008
  1. I have been running CA Security (Virus and Spyware) along with Windows Firewall for years with good success (past week on a daily basis).

    For about two weeks, been fighting Casclient, Darksma Spyware and Vundo virus. 2 to3 Spyware and up to 50 viruses detected at times. When on internet, Windows 2009 Security continues to attempt loading automatically, need to hit [esc] and exit every time to keep away (My spouse and kids are not very computer savvy and I worry this virus will get in). Also get random websites opening.

    We use internet for college, loan payments, occasional online banking, and occasional purchases. I have not done any of this after getting spywares (virus showed up shortly after).

    I cannot seem to rid myself of these and began researching online. Found your site and saw many successful correspondence on similar issues and was quite impressed.

    I have run the 8 step removal instructions, attached logs and am asking if someone has time and knowledge to let me know if I was successful in my first attempt and if further steps are needed. Thank you in advance.

  2. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi Tim

    Your mbam and sas logs show found and removed items. We must see them either clean or with something it can not clean.

    Rerun them both again.

    Post all log as you run again, except HJT log after clean or when requested.

  3. timbob5

    timbob5 TS Rookie Topic Starter Posts: 44


    Thank you for the quick response. It sure is nice to have people to help out on computer troubles. Years back I gave up on some virus issues and got a new computer to solve (the virus won). Your help is really appreciated.

    I have run Malewarebytes Anti-Mailware (with no items detected) and ran SuperAntiSpyware (first run with 8 items, rebooted as told and ran second time with no items) and I am attaching the log files.

    This is the first time on the web and I wonder if I should try running both again to see if all is clear.

    I will wait for your recommendation(s) prior to continuing.

  4. mflynn

    mflynn TS Rookie Posts: 2,655

  5. timbob5

    timbob5 TS Rookie Topic Starter Posts: 44


    I have downloaded the program requested and have attached the info and log files.

    Thank you for taking the time to help,
  6. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi Tim

    Some minor issues to be cleaned with HJT but not yet.

    There are indications of other issues so do the below.

    These don't take as long so do the first attach log as they are run.

    Download SD Fix to Desktop among other things Catchme to look for RootKits.


    On Desktop run SDdFix It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click thu all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click to RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process then say Finished.

    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt now.

    Then continue below.

    NOTE: If you have had ComboFix more than a few days old delete and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click combofix's window while its running. That may cause it to stall.

    After all the above are done post new HJT log.

  7. timbob5

    timbob5 TS Rookie Topic Starter Posts: 44


    Sorry for delay, son's car needed repair work, ughhh.

    I had nine viruses on CA Anti Virus scan today which were deleted automatically, listed as 'Actns/SwifT'.

    I followed your instructions and have attached the three (3) logs.

    Looking forward to next step.

  8. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi Tim

    There is evidence of a very bad new Malware. This one is hard to get rid of and CA is one of the only scanners catching it as far as I know. But it is not completely cleaning it.

    It is imperative that you do all the below ASAP!

    Run HJT Scan only Select and remove the below
    O20 - AppInit_DLLs: jlruoa.dll

    Run MBAM click More Tools- Run Tool. Then paste the line below in to the File name box and click OK to delete it.


    Next Run combofix again.

    Then UPDATE MBAM and run it again, then UPDATE SAS and run it again.

    Get me the logs as you run them not all at once.


  9. timbob5

    timbob5 TS Rookie Topic Starter Posts: 44


    The 12/3 CA spyware scan detected 'KaZaA' and 'Bifrost' which were deleted and quarentined.

    I ran HJT scan only and deleted file 'O20 - AppInit_DLLs: jlruoa.dll'

    I ran MBAM and attaching log. After pasting 'c:\windows\system32\mawwurqo.dll' it could not find file, however created it and then deleted it.

    Will perform other steps later this evening.

  10. mflynn

    mflynn TS Rookie Posts: 2,655

    OK run Combofix again to be sure it comes up clean. Post log.

    New HJT log last.

  11. timbob5

    timbob5 TS Rookie Topic Starter Posts: 44


    Ran Combofix and have posted the log.

    Ran Hijackthis and posted the log.

    My son needs to write paper on word and after I plan on updating MBAM and SAS and running both again. I will send these logs when completed.

    Thanks Mike,
  12. mflynn

    mflynn TS Rookie Posts: 2,655

    OK you did it!

    Won't hurt to rescan with UPDATED MBAM an SAS once more as you said, if done at convenient time as while you are working or sleeping.

    I will wait a few days till you have sent the logs and then we will close the thread and cleanup the tools we used.

  13. timbob5

    timbob5 TS Rookie Topic Starter Posts: 44


    Ran MBAB and SAS. MBAB was clean, however 13 adware cookies on SAS (normal?). Attaching both logs.

  14. mflynn

    mflynn TS Rookie Posts: 2,655

    Yes the moment you open a website you get cookies. Most are OK so don't worry.

    Thread closing-------------------------------------------------------------------
    Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

    Save to desktop.

    This will remove all the tools we used to clean your computer.
    These tools update so often they require downloading again later if needed.

    Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

    Approve all if prompted by Firewall, Widows Defender or other guards or security programs about OTCleanIt attempting access to the Internet, allow all.

    If prompted to Reboot click Yes.
    OTCleanit will delete itself when finished, if not delete it by yourself.

    Run CCleaner again twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

    D/L install and run ATF-Cleaner clear all except passwords in all browsers you have. Run repeatedly until no more found.

    The issues found is in System Restore so do the below

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and the OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.

    Every 2 weeks or so run mbam and sas until clean They take a while so leave scanning while you are sleeping working or watching TV. If not done under the gun they can be schedules not to interfere with computer time.

    If they find something they can not clean then get back to us.

    Additionally run CCleaner.

    I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

    It was designed to co-exist with other Virus scanners.

    Additionally it uses totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity. It's like looking at it with 2 sets of eyes and from a different angle.

    Look at http://www.javacoolsoftware.com/spywareblaster.html

    Run SpyBot ocassionally and use the Immunize function.

    Install Hostman and allow it to disable DNS Client and select all 4 Host files and the Update
    Hostman http://www.abelhadigital.com/2008/07...-released.html

    A Disk scan and Defrag are in order.

  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Mike, can you explain to me about the use of RSIT in place of HijackThis? What is the home site? What does it do? How is it different from HJ?

    timbob, here's some help with the Tracking Cookies. Have SAS remove them. Click on the lower left screen shot here to enlarge image, showing you what to check:

    After you have done that:
    Reset Cookies:
    Please re-open HiJackThis and scan.*Check* the boxes next to all the entries listed below.
    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:

    1. Start> Run> msconfig> Selective Startup> Startup menu> UNCHECK all Viewpoint entries> Apply> OK
    2. Start> Run> services.msc> right click on viewpoint Manager> Properties> change Startup type to Disabled.
    3. Control Panel> Add/Remove Programs> UNINSTALL any Viewpoint entries

    Reboot into Normal Mode. NOTE: you will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.
  16. mflynn

    mflynn TS Rookie Posts: 2,655

    Well post #18 in this thread tells you where you get it.

    I am surprised you have never heard of it I have used it for over a year.

    It is a System information tool that runs HJT as part of its report just gives a lot of other details. Similar to OTScanit.

  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    I have not heard of it to be used in place of HijackThis. Since HijackThis is recommended in the TechSpot malware cleaning, it seems you would encourage the use of that. The problem I think Mike is that you don't open and deal with the entries that need to be removed in the HijackThis log. Having the users run additional programs is not going to remove those entries.
  18. mflynn

    mflynn TS Rookie Posts: 2,655

    Bobbye it is HJT it just gives additional diagnostic and system info.:)

  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    But why burden the user with more to run? Plus I think the HijackThis entries themselves need to be dealt with. I think you run unnecessary programs.
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...