Vundo virus

Status
Not open for further replies.

ascot54

Hi guys...new here. would appreciate some help if possible.

last wednesday i got the dreaded Vundo virus/trojan...can't understand how, unless i clicked a link incorrectly.

I have avast installed on 2 desktops and 3 laptops....
only my desktop has been infected..

Symptoms include:
losing desktop icons
windows explorer shut down randomly
unable to use system restore or HP recovery centre
logonui.exe error, also get fatal exception at area oe30 etc (numbers change)
windows no disk error
random response in safe mode

i have done the following after reading other posts:

updated and ran avast
ran vundo fix
malware

system gives mildly faster response, connects to web but not able to get all images on pages.

could someone point me in right direction to get my pc back to normal...

system is

HP pavilion 309
windows xp home edition service pack 3
1gb ram
2.4ghz intel celeron
geforce 5500 agp card

Thank you..
 
Hello ascot54

Sorry to tell you my friend you don't have just vundo but are eat up!! But you did get quite a few with that scan.

When running the below, UPDATE every time you run them again, as sometimes updates can come hourly!

Do the TechSpot 8 steps: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

Note: Ascot, in your case you have already run MBAM, so all you need to do is modify the settings as below under MalwareBytes.

Skip no steps (do not install another virus scanner as you already have one).

Most importantly, update MalwareBytes and SuperAntiSpyware!

Before you scan with SuperAntiSpyWare do the below:

SuperAntispyware config

After installing, double-click the icon on your desktop to run it.

Update the program definitions.

Click the Preferences button.

Then Scanning Control.

In Scanner Options make sure all boxes are checked except #3, Ignore System Restore.

MalwareBytes

After update but before running
Click settings and confirm all are Checked.

I repeat Update these 2 programs.

Run them and attach their logs.

Do this correctly and we will make a short job of this!

Ascot, again in your case, as you have already run MBAM, run SAS first, then attach the log for me, then run MBAM again and get me a second log.

Mike
 
Mike,

therein lies another prob...
i download via laptop and save to flash drive as desktop seems to "lock up" when trying to update..

will give it another go

Paul
 
Mike,

Avast found this..

virus in memory... allow reboot to delete at start up..

file name c:\Windows\system32\rkskt.sys
type rootkit : hidden file

i have read through to Section 3 and don't have any of those progs ! do i need to "disable" Avast ?

desktop currently doing reboot scan with avast so i may be a while..

managed to get ccleaner and SAS onto flashdrive and install to desktop !

thanks again for help so far..

Paul
 
That can be a legit program. Let Avast do its thing and clean what it finds. Then reboot.

Now since MBAM ran and cleaned much as you see in the log it may have exposed additional issues not even seen on the first run.

Reboot, UPDATE MBAM if you can, and run it again until it comes up clean.

Once Avast and 2 runs of MBAM complete, SAS will likely run and sweep up the rest.

Attach all logs for me on all runs as you do them!

Mike
 
Mike,

ccleaner ran clean on 2nd run... 1st was 661mb crap...

ran Malwarebytes got 40 odd infections..
log attached

Paul
 
You ran it, it did its job, but you did not click next and tell MBAM to remove them!

No Action taken!

Run it again, it will find them again, click to remove them, then run it again to be sure they are gone. If it is not clean, send log and run it again.

Mike
 
Mike,
ran it again...
i did select remove at reboot, however i couldn't get the log file to copy to my flash drive..
now going to try step 5 ..SAS mode...
btw on reboot i didn't get the logonui.exe problem like i had earlier !
 
Mike,
latest from my problem

still couldn't copy log file to flash drive due to slow response/lock out

system seems to have picked up..
not had logonui.exe error again...

now running SAS...
i got 9 items detected in Adware.MyWebSearch/FunWebProducts
and
Rogue.Component/Trace

IIRC correctly MyWeb has caused probs in past !
i never open links for MyWeb..think my other half has added stuff ! can't be sure, but the history in IE tells me different story to my usual web sites !

i'm gonna let SAS do its bit for tonight then carry on in morning.. 0030GMT here..

Really appreciate help on this...

hopefully 1 day i can return favour by helping others too..!
 
Mike ,
SAS done,

see attached logs...

my IE opens ok but i get text only
no images..!

any ideas.?
ps..

MAM log was done prior to SAS
 
Once we are clean and have handled all the malware, we will get to correcting other issues.

MBAM found and deleted much; we need it to come up clean, so UPDATE and run again. Then the same for SAS: UPDATE and run again.

Mike
 
Morning Mike,

I owe you a big Beer !

Just done MAM and SAS updates..

ran both
guess what ?

I'm Clean...big sigh of relief...

i found out the cause of lack of images on IE !

i went to internet options..
scrolled down and found the insert images bullet was unchecked.!
placed check mark in there and hey presto i have images..

only glitch so far to report here is that, when i did SAS update i got a small window pop up on right hand side of my screen, no text or anything, just a little Java-like icon on top left corner..!
tried screen refresh, no response, wouldn't close itself.
did a restart, and it cleared...

have you encountered this. ? or similar ?

Thanks again Mike you are a top chap in my book !

Best wishes from one happy cookie in UK..!

Paul
 
hi!
I've tried all the steps and still get a Done blank page on some sites! I'll post my log so hopefully someone can shed light on this.
many thanx km
 
Mike,

here is my latest HJT file..

ran CC before it too..

anything need fine tuning here buddy ?

Rgds

Paul
 
Hold on, let's finish cleanup and that will come.

HJT Scan only. Select and remove the below:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Next go to Control Panel Add/Remove programs and uninstall all Java except the last one.

Then

Clean and update Java
Clean up old Java and update to the newest version; this program will do it all for you.

Download JavaRa http://prm753.bchea.org/JavaRa.html

Unzip it and run it. To update, choose Jucheck (Sun's updater) first, and if you do not have Jucheck then choose Update using Sun.

After update, choose Cleanup old versions. Give it a minute and after it pops up the log file you will see what it removed.

Then click "Additional tasks" and check "remove Useless JRE files" and "Remove JavaRa log files".

After that run Search for Updates again to confirm you are up to date.
After that run remove older versions again. This time the Log file should be empty.
----------------------------------------------------------------------------------------------------------------------------------------------------
Next

Download Dial-A-Fix (DAF)
http://wiki.djlizard.net/Dial-a-fix#...C_and_articles
http://djlizard.net.nyud.net:8080/software/Dial-a-fix-v0.60.0.24.zip

Have XP CD available in case DAF needs a file.

Check all boxes on the screen (clear any restrictions if it shows any)
Then click GO!

When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

Here 1 at a time do the below

Flush DNS
Reset networking

Watch for any File not found or other errors and make note as this may lead to the fix!

Reboot retest!

EDIT:

Put it through its paces so you can give me a status report and remaining issues.

Mike
 
Neither can I!

I must have had someone else's log open :eek: I try to multitask but only women can do that! :D

Here are yours
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - Winlogon Notify: hegultwk - hegultwk32.dll (file missing)

I will take you up on the beer when next I am there, large pitcher right? :grinthumb

New HJT log after.

Mike
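
As an added illustration (not part of the original posts and not code from HijackThis), this Python example parses HijackThis entry lines like the ones quoted above and flags those the tool marked `(no file)` or `(file missing)`, i.e. registry references whose target file is gone. The function names and the section-label table are assumptions made for the example.

```python
import re

# Section codes seen in the thread's HijackThis lines.
SECTIONS = {
    "O2": "Browser Helper Object",
    "O4": "registry/Startup autorun",
    "O20": "AppInit_DLLs / Winlogon Notify",
}
# Suffixes HijackThis appends when the referenced file is not on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_entry(line):
    """Return a dict for one HijackThis entry line, or None for other lines."""
    match = ENTRY_RE.match(line.strip())
    if match is None:
        return None
    code, body = match.group("code"), match.group("body").rstrip()
    clsid = CLSID_RE.search(body)
    return {
        "code": code,
        "section": SECTIONS.get(code, "other"),
        "clsid": clsid.group(0) if clsid else None,
        "orphaned": body.endswith(ORPHAN_MARKERS),
        "raw": line.strip(),
    }


def orphaned_entries(log_text):
    """List entries whose target file HijackThis reported as absent."""
    parsed = (parse_entry(line) for line in log_text.splitlines())
    return [entry for entry in parsed if entry and entry["orphaned"]]


# The three entry lines are quoted from the thread; the first line is a
# constructed stand-in for the non-entry text a full log also contains.
SAMPLE_LOG = r"""Running processes:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - Winlogon Notify: hegultwk - hegultwk32.dll (file missing)
"""

if __name__ == "__main__":
    for entry in orphaned_entries(SAMPLE_LOG):
        print(entry["code"], entry["section"], "->", entry["raw"])
```

The O4 line is not flagged because it carries no missing-file marker; the flag is a triage aid for leftover references, not a verdict on every entry worth removing.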
 
Go to Add/Remove programs uninstall old HJT.

Reboot

Run CCleaner again, both Temp and Registry, until they come up clean.

Now install new HJT.

What were the results of the DAF and JavaRa operations?

Mike
 
BTW,

DAF, gave me this error....

2147319780 encountered trying to register c:\windows\system32\shdocvw.dll
error accesing OLE registry
 
OK, due to items in your new HJT log we need to run another cleaner.

ComboFix

NOTE: If you have a ComboFix more than a few days old, delete it and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double-click combofix.exe and follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.

Mike

EDIT: We will handle the DAF errors after the ComboFix.
Do you have, or have you had, a Norton product on this computer?
 