Help remove Vundo/AppInit_DLLs

Status
Not open for further replies.

rwnewson

Posts: 44   +0
Hello everyone,

I can usually remove spyware/adware myself without difficulty but this one particular trojan I have is a doozie. Can someone please help me??

I believe it is a Vundo stored in stubborn DLL files in the C:\WINDOWS\SYSTEM32 directory. Specifically, they appear in my hijackthis log (full log attached) as this line:

O20 - AppInit_DLLs: C:\WINDOWS\system32\wunufaku.dll C:\WINDOWS\system32\nizukipu.dll c:\windows\system32\hejivego.dll

For the life of me I cannot remove these three files! Here are the things I've attempted so far, and I've tried them in both regular and safe mode:

Initially I did the following scans:
- AVG Free Antivirus 8.0 full system scan
- Lavasoft Ad-aware
- Spyware Doctor
- CCleaner
- VundoFix.exe
- HijackThis (removing clearly bad entries)

Each found some infections and claimed to remove them.
Then I noticed that about 10 bad DLLs were in my System32 folder still not removed... So I used HijackThis's "delete file on reboot" utility to remove most of them... But the three listed above will not delete. Then I tried:

- FileAssassin - the program crashes (error message "needs to be shutdown") whenever I try either "FileAssassin's method" or "delete on reboot"
- KillBox - tried to delete on reboot but keeps giving me the "PendingFileRenameOperations Registry Data has been Removed by External Process" error; and when reboot is done manually, nothing happens. Here is log:

Pocket Killbox version 2.0.0.881
Running on Windows XP as Administrator
was started @ Sunday, January 04, 2009, 8:28 AM
# 1 [Delete on Reboot]
Path = c:\windows\system32\nizukipu.dll
PendingFileRenameOperations Registry Data has been Removed by External Process! @ 8:29:16 AM
Killbox Closed(Exit) @ 8:29:23 AM


I feel like I tried everything and nothing works... the files are still there causing popups and slowing down my computer! PLEASE HELP ME! thanks!!!
 
Please follow the steps here to run Malwarebytes and SuperAntispyware:
https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

When through, run ComboFix:
Please download ComboFix.: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.

• Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
ComboFix should remove all these System32 files:
O2 - BHO: (no name) - {99e7dbd9-90da-4a89-984e-08ba0d4c3a84} - C:\WINDOWS\system32\vuvuwofi.dll (file missing)
O4 - HKLM\..\Run: [diniwifimu] Rundll32.exe "C:\WINDOWS\system32\bawaruno.dll",s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CPM1b9b287f] Rundll32.exe "c:\windows\system32\hejivego.dll",a
O4 - HKUS\S-1-5-19\..\Run: [diniwifimu] Rundll32.exe "C:\WINDOWS\system32\bawaruno.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [diniwifimu] Rundll32.exe "C:\WINDOWS\system32\bawaruno.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\wunufaku.dll C:\WINDOWS\system32\nizukipu.dll c:\windows\system32\hejivego.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hejivego.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hejivego.dll
Rescan with HijackThis when through running Malwarebytes, SuperAntispyware and ComboFix. Attach the logs from all programs when through.

I also need to know if you have set your home page to come up with a blank page:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
If not, we will remove this entry in the next log.
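The O20 line is the AppInit_DLLs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows; every process that loads user32.dll also loads the DLLs listed there, which is why the files stay locked and cannot be deleted while Windows is running, and the O4 lines are Run-key values that start the same DLLs through rundll32. The script below is an added example for auditing those two load points from PowerShell; it is not from this thread and not part of HijackThis, ComboFix or any other tool named here. It assumes PowerShell 3.0 or later (for [pscustomobject]) and the documented registry paths; the LoadAppInit_DLLs gate value only exists on Vista and later, so on XP, like the poster's machine, the list loads unconditionally.

```powershell
# Added example (not from the thread): audit the AppInit_DLLs load point (HijackThis O20)
# and the per-machine / per-user Run keys (HijackThis O4) for rundll32-launched DLLs.
# Assumption: PowerShell 3.0+ on Windows; registry paths are the documented locations.

$windowsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-AppInitDlls {
    $props = Get-ItemProperty -Path $windowsKey -ErrorAction SilentlyContinue
    if (-not $props) { return }
    # On Vista+ LoadAppInit_DLLs (DWORD) must be 1 for the list to load; XP has no such gate.
    $gate = if ($props.PSObject.Properties['LoadAppInit_DLLs']) { $props.LoadAppInit_DLLs } else { 'n/a (XP)' }
    $raw  = [string]$props.AppInit_DLLs
    # The value is a space- or comma-separated list of DLL paths (the O20 line shows three).
    $paths = $raw -split '[ ,]+' | Where-Object { $_ -ne '' }
    foreach ($p in $paths) {
        $full = [Environment]::ExpandEnvironmentVariables($p)
        # A bare file name is resolved from system32, matching how the loader searches for it.
        if (-not [IO.Path]::IsPathRooted($full)) { $full = Join-Path $env:SystemRoot ('system32\' + $p) }
        $exists = Test-Path -LiteralPath $full
        # Signature status is a quick triage hint: a random-named, unsigned DLL here is suspicious;
        # "NotFound" corresponds to the "(file missing)" tag HijackThis prints.
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $full).Status } else { 'NotFound' }
        [pscustomobject]@{
            LoadPoint = 'AppInit_DLLs'; Gate = $gate; Path = $full; Exists = $exists; Signature = $sig
        }
    }
}

function Get-RundllRunEntries {
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSChildName ...
            $cmd = [string]$prop.Value
            # Matches values shaped like: Rundll32.exe "C:\WINDOWS\system32\name.dll",entrypoint
            if ($cmd -match '(?i)rundll32(\.exe)?\s+"?([^",]+\.dll)"?') {
                $dll = [Environment]::ExpandEnvironmentVariables($Matches[2])
                [pscustomobject]@{
                    LoadPoint = $key; ValueName = $prop.Name; Dll = $dll
                    Exists    = (Test-Path -LiteralPath $dll); Command = $cmd
                }
            }
        }
    }
}

# Usage: run from an elevated PowerShell prompt and compare against the HijackThis log.
Get-AppInitDlls      | Format-Table -AutoSize
Get-RundllRunEntries | Format-Table -AutoSize
```

The HKUS\S-1-5-19 and S-1-5-20 entries in the log live under the LOCAL SERVICE and NETWORK SERVICE hives in HKEY_USERS rather than HKCU; the same Get-ItemProperty call works against `Registry::HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Run` if you want to cover those as well.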
 
Yay! It seems to have worked! My computer is running a lot faster now and the pop-ups are gone so far. I looked for those old DLL files and I can't find them so hopefully they are gone for good. Thanks a lot for your help!!

I posted the log files. I ran Malwarebytes twice (once on full scan but it was taking so long that I stopped it and ran the quick scan) and the SUPERAntispyware once (but I can't seem to find the log) followed by the ComboFix.

And to answer your side question, yes I have a blank page assigned as my homepage. I like it that way.

Thanks again!
 
Okay, we're getting there. But Vundo is still around: none of the logs are clean.

You are still loading old entries for Java and Adobe, meaning the versions are still installed: Get these first:
Update Java:
Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of java ( Java Runtime Environment (JRE) 6.0 Update 11 ): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.
Update Adobe:
Your Adobe Reader is out of date. Vulnerabilities can be exploited. Click here to download the latest version v9: https://www.techspot.com/downloads/2083-adobe-reader-dc.html
OR
Install the FoxIt Reader: this does the same thing as Adobe, but doesn’t have the bloat: http://www.foxitsoftware.com/pdf/rd_intro.php
Control Panel> Add/Remove Programs> UNINSTALL the following:
All Adobe Reader except v9
All Java except v6u11

Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
(If the ActiveX plugin for IE7 named 'Java (tm) Plug-In 2 SSV Helper' (jp2ssv.dll) is enabled, IE7 takes 3-4 seconds to open every new tab. A bug report has been made on this issue)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll >> plug in or Adobe Acrobat
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:

Right click on Start> Explore> Windows system32. Right click> Delete on any of the following if present:
wunufaku.dll
a.exe
geBssrRI.dll
iifCsSJd.dll
When done, reboot into Normal Mode:

Run SDFix: Download and Install SDFix
* Download SDFix and save it to your Desktop.
* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Boot into Safe Mode
* Restart your computer and start pressing the F8 key on your keyboard.
* Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
Run SDFix
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
* Attach Report.txt back here
Credits to Blind Dragon: http://www.tech-101.com/viewtopic.php?f=18&t=38

Run new scan with HijackThis after SDFix and attach both logs.

FYI: you have all of these loading at boot; none need to load on start and run in the background:
QuickTime, Real Player, TomTom, Creative\Sound Blaster Live!, CyberLink PowerDVD DVDLauncher, P17Helper (for recording and home project studios),
 
Hello,

Thanks again on all the detailed instructions.

I actually had to do something recently which reinstalled the virus (I know I know) but then ran all the anti-spyware programs above again a few times to get rid of it again. I think it is now gone but can you take a look at my logs? Here's what I did...

After my Spyware Doctor scan removed most things I ran full scans of the MalwareBytes and SUPERAntispyware; then restarted and ran quick scans with each, both coming up with nothing found.

Next I followed your directions about the Java, updating to the new version and uninstalling the old versions.

Regarding the Adobe Acrobat Reader, I actually don't use the Reader at all. I use the full version of Adobe Acrobat 5.0, which I know is old, but I like it and don't own the new versions so I'd like to stick with it.

I rebooted in safe mode to remove those files you specified but they were already removed.

I rebooted as normal and ran hijackthis (log attached).

I did NOT re-run ComboFix and did NOT yet run SDFix. Do you think I need to? I think everything is gone but if you think I should then I will.

Thanks again!
Ryan
 
I actually had to do something recently which reinstalled the virus (I know I know)
Doing a system restore while cleaning is never advised. Now you know why!

Adobe v5 is way out of date. Many of the Adobe and Java updates were done because of security vulnerabilities. Keeping an old version such as this is a security risk.

You should have a PDF Reader as many files on search are in PDF format. If you don't want Adobe, get FoxIt which was also in my update recommendation. Then uninstall the Adobe v5.

Please run either SDFix or ComboFix, then update and run Malwarebytes again, followed by new HijackThis log. Since you restored to a previous date, we don't know what's back on the system. Why do a half-you know what job!

Attach the new logs. If clean, we'll remove the cleaning programs and the old restore points.

And once again:
the files are still there causing popups and slowing down my computer! PLEASE HELP ME! thanks!!!
FYI: you have all of these loading at boot; none need to load on start and run in the background:
QuickTime, Real Player, TomTom, Creative\Sound Blaster Live!, CyberLink PowerDVD DVDLauncher, P17Helper (for recording and home project studios),
 
Just to clarify, I did not do a System Restore. I have this exe file which performs an intended function while simultaneously installing the virus to my computer. So the other day I needed to run the exe file again despite knowing the repercussions. But I don't intend on running it again in the future.

Regarding Adobe, I not only need a PDF reader, but also the Acrobat Distiller to write PDF files as well as a PDF editor and PDF form creator.... So if you know of another free program that does all that please let me know. I may try to get my work to pay for the new version...

I had hoped my current logs were clean so that I didn't have to run the other fix programs but I will anyway. I'll reply back when I do.

Thanks a bunch,
Ryan
 
Okay, so I called it wrong! It was a reasonable assumption! Either way, to do it while understanding what you were doing means we now have a system that is basically right back where we began. We cannot assume everything has been removed, again.

This program:
C:\Program Files\Adobe\Acrobat 5.0\Distillr
Is up Adobe Distiller Server 8:
http://www.adobe.com/products/acrdis/

There is another company that makes PDF products: FoxIt. They have a free reader but the combination products do have a price. You might want to look around for a comparable product and compare the prices:
http://www.foxitsoftware.com/products/

Either way, I don't advise keeping a program that is so outdated- security issues could be involved.

I'll be glad to check the new logs whenever they're ready.
 