Recovering from vundo trojan

[cardtrick7802]

I think I had a case of the vundo trojan, if that's what this guy had here

I was getting a ton of pop-ups from WinAntiVirusPro 2006 and thankfully they are gone now. I'm crossing my fingers that it's fixed for good...

I read through all the info here and my logfile seems to be in pretty good shape, except for one or two entries. Can someone please verify what needs to be taken care of before I go ahead and fix them?? Thanks, -s

 

[howard_hopkinso]

Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O2 - BHO: (no name) - {5ce6d187-adc0-4718-add1-5d5f90ef6b0e} - C:\WINDOWS\system32\mpl__Y.dll (file missing)

Fix all 016-DPF entries, except for any Microsoft/Windows entries.

Click on the fix checked button.

Close HJT.

Other than the above, your HJT log is clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of cardtrick7802 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[cardtrick7802]

ddayx.exe

Norton detected a virus on my computer called ddayx.exe but said that it could not do anything about it. What a waste of a program! I put my computer in safe mode and scanned with Windows Defender, Spybot, Ad-Aware and AVG. Attached is my HJT logfile. Do I have anything to worry about?

Also, mysterious folder named "2e26648837a1480b5e4ff6280cbb23" has appeared in my Program Files, containing a file named similarly. Is that safe to delete?

Thanks in advance.

 

[howard_hopkinso]

I have merged your new thread into this one.

It looks like your system has another vundo infection. Are you sure the file in question is ddayx.exe and not ddayx.dll?

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

Regards Howard

This thread is for the use of cardtrick7802 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[cardtrick7802]

It is ddayx.EXE not .DLL. Does that make a difference? I ran another Norton Scan today and it came out clean. I am currently attempting the House Call online virus scanner...

 

[howard_hopkinso]

Yes, ddayx.EXE is totally different to ddayx.dll.

Once I have your log files, I`ll be in a better position to help you.

Regards Howard

This thread is for the use of cardtrick7802 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[cardtrick7802]

here are my logfiles.

 

[howard_hopkinso]

Your HJT log looks clean.

However, you should have HJT fix these entries, only if they don`t belong to your ISP, or you don`t recognise the domain.

O17 - HKLM\System\CCS\Services\Tcpip\..\{01476032-18F6-4777-ADCB-4E03F9033800}: NameServer = 207.217.77.82
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9E6E9F3-1BF4-4F4B-B88F-D679DACB376F}: NameServer = 63.162.197.69,208.33.159.39<Note: This IP is different from the rest of the 017 entries.
O17 - HKLM\System\CS1\Services\Tcpip\..\{01476032-18F6-4777-ADCB-4E03F9033800}: NameServer = 207.217.77.82
O17 - HKLM\System\CS2\Services\Tcpip\..\{01476032-18F6-4777-ADCB-4E03F9033800}: NameServer = 207.217.77.82

Can you give me the full filepath to the ddayx.EXE file?

Regards Howard

This thread is for the use of cardtrick7802 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[cardtrick7802]

thanks for your help! i simply deleted ddayx.exe which i realize may not have been the best choice, however it was located in c:\windows\system32 i believe. once again thank you.