Vundo/Monderb Fighting Removal Vigorously


  • This topic is locked

#1 Sarah82 (New Member, 5 posts)
I was getting webpage redirects and other strange behavior and a Virus Total scan of a suspicious file indicated my laptop running Windows XP is infected with Vundo/Monderb. But as soon as I attempted to start removing it by downloading various programs (such as Spybot S&D and Microsoft IE7 to replace the IE6 it's currently running) the malware apparently realized I was onto it and the next time I booted, Windows XP demanded a password even though it was never set up to use a password.

I have since tried booting into Safe Mode and even tried various things after booting from the XP SP2 disk into the Recovery Console such as Bootcfg, Fixmbr and Fixboot. This was all done before I realized there are programs that get rid of the Vundo/Monderb problem, such as VundoFix and Virtumundobegone.

But I can't run those or HiJackThis, etc., until I can get Windows to work by getting past this password problem. In other words, I think I can solve the problem if I can just get past the password problem.

Even when I boot into Safe Mode, I am shown two accounts, one for Admin and one for the primary user. Both accounts want a password to proceed. Neither account ever required a password before. I have tried just leaving the password space blank and hitting enter and I have also tried using 0, 00, 000, and 0000 as passwords. But nothing seems to be working. This computer was fully up-to-date with XP SP3 and McAfee and was taken over by the malware.

Any assistance is greatly appreciated.
#2 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

CLICK HERE to download the HijackThis Installer:
  • Save HJTInstall.exe to your desktop.
  • Double-click on HJTInstall.exe to run the program.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Accept the license agreement by clicking the "I Accept" button.
  • Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  • Click "Save log" to save the log file and then the log will open in Notepad.
  • Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again
  • After the update, from the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Investigation
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach virusinfo_syscheck.htm to your next reply, along with a fresh HijackThis log


#3 Sarah82 (Topic Starter)
Maybe I posted in the wrong forum because apparently you didn't read my post before replying with what appears to be a boilerplate HJT post.

I can't download HJT or put it on my desktop or anything else because I can't get past the password entry step of the boot process. This virus appears to have taken over my user accounts and is blocking me from even booting without a password.

I need help dealing with getting past the password/login process before I can go through the HJT process. Can anyone here advise me on this or advise me where else I should post this issue. Thank you.

#4 Rorschach112 (Ralphie, Retired Staff)
Boot up the PC, keep pressing F8, select Last Known Good Configuration. Does that get your PC to boot up normally?

#5 Sarah82 (Topic Starter)
Safe Mode, Last Known Good Configuration, etc.: None of these work. I have now set up a parallel XP installation in order to access the files on the computer. So I am now able to boot and access files using the parallel install. Can I try and neutralize Vundo from there, using the standard recommendations here at GTG?

#6 Rorschach112 (Ralphie, Retired Staff)
Yes, that may work.

But it sounds like some serious damage has been done. Even if you remove the malware, you probably won't be able to boot up.

Go over to the Windows XP Forum and explain your problem to them; they should get you booting up again.

#7 Sarah82 (Topic Starter)
I think it may be premature for me to head over to the XP forum. Here's why: Using the parallel install, I was able to download and install the AVG anti-virus software suite. I ran a full AVG scan and a variety of trojans were found. I suspect these are the kinds of nasties that will keep coming back if I don't take some additional steps to deep root them out. Can you take a look at the report generated by AVG and then advise me on what I should do in terms of running some additional utilities to permanently root out this variety of malware? I'm going on the assumption that while AVG was helpful in this initial step, it is not enough to keep this stuff away. Here's the AVG report:

"Scan ""Scan whole computer"" was finished."
"Infections found:";"20"
"Infected objects removed or healed:";"20"
"Not removed or healed:";"0"
"Spyware found:";"0"
"Spyware removed:";"0"
"Not removed:";"0"
"Warnings count:";"14"
"Information count:";"0"
"Scan started:";"Wednesday, July 16, 2008, 8:34:30 PM"
"Scan finished:";"Wednesday, July 16, 2008, 9:08:50 PM (34 minute(s) 19 second(s))"
"Total object scanned:";"467721"
"User who launched the scan:";"js"

"Infections"
"File";"Infection";"Result"
"D:\Documents and Settings\Owner\Local Settings\Temp\software.php";"Trojan horse Generic10.BCZJ";"Moved to Virus Vault"
"D:\Documents and Settings\Owner\Local Settings\Temp\software.php:\$IG$IH$IF\gpefaowr.exe";"Trojan horse Generic10.BCPU";"Moved to Virus Vault"
"D:\Documents and Settings\Owner\Local Settings\Temp\software.php:\$IG$IH$IF\wbxdpgfeqod.dll";"Trojan horse Generic10.BCZJ";"Moved to Virus Vault"
"D:\WINDOWS\system32\awtuuUMD.dll";"Trojan horse Generic10.BCAY";"Moved to Virus Vault"
"D:\WINDOWS\system32\cbyocbyt.dll";"Virus found Vundo";"Moved to Virus Vault"
"D:\WINDOWS\system32\clbdll.dll";"Trojan horse BackDoor.Generic9.AZWO";"Moved to Virus Vault"
"D:\WINDOWS\system32\dapabpbu.dll";"Trojan horse BHO.ERV";"Moved to Virus Vault"
"D:\WINDOWS\system32\drivers\clbdriver.sys";"Trojan horse Downloader.Tibs.9.AG";"Moved to Virus Vault"
"D:\WINDOWS\system32\efcYSkii.dll";"Trojan horse BHO.ERS";"Moved to Virus Vault"
"D:\WINDOWS\system32\fccyxwwT.dll";"Trojan horse Generic10.BCAY";"Moved to Virus Vault"
"D:\WINDOWS\system32\jtevps.dll";"Trojan horse BHO.ERM";"Moved to Virus Vault"
"D:\WINDOWS\system32\kkrdpmih.dll";"Trojan horse BHO.ERM";"Moved to Virus Vault"
"D:\WINDOWS\system32\lermwpfh.dll";"Trojan horse Generic10.BCRA";"Moved to Virus Vault"
"D:\WINDOWS\system32\mavzhh.dll";"Trojan horse Generic10.BCRA";"Moved to Virus Vault"
"D:\WINDOWS\system32\opnnLFwu.dll";"Trojan horse Generic10.BCAY";"Moved to Virus Vault"
"D:\WINDOWS\system32\opnnLFwu.zip";"Trojan horse Generic10.BCAY";"Moved to Virus Vault"
"D:\WINDOWS\system32\opnnLFwu.zip:\opnnLFwu.dll";"Trojan horse Generic10.BCAY";"Moved to Virus Vault"
"D:\WINDOWS\system32\ssqOfdBt.dll";"Trojan horse Generic10.BCAY";"Moved to Virus Vault"
"D:\WINDOWS\system32\tcbtew.dll";"Trojan horse BHO.ERV";"Moved to Virus Vault"
"D:\WINDOWS\system32\xneibugw.dll";"Trojan horse BHO.ERU";"Moved to Virus Vault"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\js\Cookies\[email protected][2].txt";"Found Tracking cookie.Webtrends";"Potentially dangerous object"
"C:\Documents and Settings\js\Cookies\[email protected][2].txt:\m.webtrends.com.b4ca7df0";"Found Tracking cookie.Webtrends";"Potentially dangerous object"
"D:\Documents and Settings\Owner\Cookies\[email protected][1].txt";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"D:\Documents and Settings\Owner\Cookies\[email protected][1].txt:\advertising.com.525a5fb9";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"D:\Documents and Settings\Owner\Cookies\[email protected][2].txt";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"D:\Documents and Settings\Owner\Cookies\[email protected][2].txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"D:\Documents and Settings\Owner\Cookies\[email protected][1].txt";"Found Tracking cookie.Findwhat";"Potentially dangerous object"
"D:\Documents and Settings\Owner\Cookies\[email protected][1].txt:\findwhat.com.539b0606";"Found Tracking cookie.Findwhat";"Potentially dangerous object"
"D:\Documents and Settings\Owner\Cookies\[email protected][2].txt";"Found Tracking cookie.Webtrends";"Potentially dangerous object"
"D:\Documents and Settings\Owner\Cookies\[email protected][2].txt:\m.webtrends.com.b4ca7df0";"Found Tracking cookie.Webtrends";"Potentially dangerous object"
"D:\Documents and Settings\Owner\Cookies\[email protected][1].txt";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"D:\Documents and Settings\Owner\Cookies\[email protected][1].txt:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"D:\Documents and Settings\Owner\Cookies\[email protected][1].txt:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"D:\Documents and Settings\Owner\Cookies\[email protected][1].txt:\revsci.net.e9dbeb91";"Found Tracking cookie.Revsci";"Potentially dangerous object"
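The AVG report above is a semicolon-delimited export with double-quoted fields, split into "Infections" and "Warnings" sections. As an added example (not from this thread or from AVG), the Python below parses that format and triages the detections the way a responder reading the report would: it counts detection families, and pulls out the system32 components (including the kernel driver) and the entries AVG wrote as parent:\member (alternate data streams and archive members), since those are the ones that indicate how deeply the system was altered. The sample rows are excerpted from the report above, plus one constructed placeholder cookie row.

```python
import csv
import io
from collections import Counter

# Constructed sample: rows excerpted from the AVG report above plus one placeholder
# cookie row, in AVG's ';'-delimited, double-quoted export format.
SAMPLE_REPORT = r'''"Scan ""Scan whole computer"" was finished."
"Infections found:";"20"

"Infections"
"File";"Infection";"Result"
"D:\Documents and Settings\Owner\Local Settings\Temp\software.php";"Trojan horse Generic10.BCZJ";"Moved to Virus Vault"
"D:\Documents and Settings\Owner\Local Settings\Temp\software.php:\$IG$IH$IF\gpefaowr.exe";"Trojan horse Generic10.BCPU";"Moved to Virus Vault"
"D:\WINDOWS\system32\cbyocbyt.dll";"Virus found Vundo";"Moved to Virus Vault"
"D:\WINDOWS\system32\clbdll.dll";"Trojan horse BackDoor.Generic9.AZWO";"Moved to Virus Vault"
"D:\WINDOWS\system32\drivers\clbdriver.sys";"Trojan horse Downloader.Tibs.9.AG";"Moved to Virus Vault"
"Warnings"
"File";"Infection";"Result"
"D:\Documents and Settings\Owner\Cookies\PLACEHOLDER-cookie[1].txt";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
'''

def parse_avg_report(text):
    """Return {section: [(file, detection, result), ...]}, skipping summary rows and headers."""
    sections, current = {}, None
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if not row:                       # blank separator line
            continue
        if len(row) == 1:                 # section title, or the scan banner
            if row[0].isalpha():
                current = row[0]
                sections.setdefault(current, [])
            continue
        if current is None or row[0] == "File":   # summary key/value or header row
            continue
        sections[current].append(tuple(row[:3]))
    return sections

def triage(rows):
    """Count detections per family; list system32 files (drivers included) and
    members of another object, which AVG writes as parent:\member (ADS, archives)."""
    families = Counter()
    system_components, embedded = [], []
    for path, detection, _result in rows:
        # "Trojan horse Generic10.BCZJ" -> "Generic10"; "Virus found Vundo" -> "Vundo"
        families[detection.split()[-1].split(".")[0]] += 1
        if "\\windows\\system32\\" in path.lower():
            system_components.append(path)
        if ":\\" in path[2:]:             # a second ':\' after the drive letter
            embedded.append(path)
    return {"families": dict(families), "system_components": system_components, "embedded": embedded}
```

Run over the full report, the driver under system32\drivers and the stream inside software.php are the entries that explain why a file-level clean-up alone does not restore a bootable system.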

#8 Rorschach112 (Ralphie, Retired Staff)
There is no point in me helping if you can't get into Normal mode properly.

Head over to the XP forum; it is the best course of action.