
Need help with Trojan.Vundo.H Please! [Solved]


This topic is locked.

#1 pp111 (Member, 50 posts)

Basically, I have all the classic symptoms of Vundo (popups, redirecting ads, can't access facebook, slow/faulty internet connection, random shutdowns) and I have been able to detect but not remove it with Malwarebytes, Spybot S&D, and SuperAntiSpyware. I have not been able to detect it at all with Vundofix, Virtumondebegone, or Fixvundo.

Any and all help greatly appreciated I am trying to get my college applications in and need to be able to use this without it crashing ASAP!

Thanks again!

Attached Files





#2 JSntgRvr (Global Moderator, 11,579 posts)

Hi, pp111 :)

Welcome.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
  • Install the Recovery Console upon request.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#3 pp111 (Topic Starter, Member, 50 posts)

Thank you, first of all.

I don't think it detected rootkit activity, but it did reboot my computer.

Combofix and HJT logs included.

edit: I'm going to sleep now, thanks for your help, I'll be on tomorrow to continue.
-pp111

Attached Files


Edited by pp111, 15 January 2009 - 10:45 PM.


#4 JSntgRvr (Global Moderator, 11,579 posts)

Hi, pp111 :)

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
    Collect::
    c:\windows\system32\system201326.exe
    c:\documents and settings\Guest\hpothb07.dat
    c:\windows\system32\C1EE7468D5.sys
    c:\windows\system32\dowikabu.dll
    c:\windows\system32\jeyiniyo.dll
    c:\windows\system32\lahuyofu.dll
    c:\windows\system32\lesufuya.dll
    c:\windows\system32\lohulatu.dll
    c:\windows\system32\vejepoka.dll
    c:\windows\system32\vewalimu.dll
    c:\windows\system32\vigalefe.dll
    c:\windows\system32\wisepale.dll
    c:\windows\system32\dofakase.dll
    c:\windows\system32\reguligu.dll
    c:\windows\system32\wijahupu.dll
    c:\windows\Tasks\AE02538D9185C471.job
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CPMbfe15e46"=-
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
    "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "SSODL"=-
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "CPMbfe15e46"=-
    "yubivehopu"=-
    Driver::
    systemdown
    msav
    NetSvcs::
    systemdown

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log.

Additionally, ComboFix will generate a zipped file in C:\Qoobox\Quarantine\ called Submit [Date Time].zip

Please submit this file to:

http://www.bleepingc...e.php?channel=4

Please include a link to this topic in the message.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users: right-click on jre-6u11-windows-i586-p.exe and select "Run as an Administrator".)

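As an added illustration (my own code, not ComboFix's and not from this thread), a small Python reviewer for the CFScript format used in the posts above: it splits a script into its Collect::/File::/Suspect::/Registry::/Driver::/NetSvcs:: sections and decodes each registry action, so the operator can see beforehand what a script will quarantine, delete or reset; the hex(7) data for "Notification Packages" decodes to the REG_MULTI_SZ list ['scecli'], which is the Windows default. The SAMPLE below is a constructed excerpt of the script in post #4, not the full script.

```python
DIRECTIVES = {"Collect", "File", "Suspect", "Registry", "Driver", "NetSvcs"}
# Constructed sample: a few entries from the script in post #4.
SAMPLE = r"""Collect::
c:\windows\system32\system201326.exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPMbfe15e46"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
Driver::
systemdown
"""

def parse_cfscript(text):
    """Split a CFScript into {directive: [entry, ...]} in file order."""
    sections, current = {}, None
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line.endswith("::") and line[:-2] in DIRECTIVES:   # section header
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None or line.endswith("::"):
            raise ValueError(f"unknown directive or stray entry: {line}")
        else:
            sections[current].append(line)
    return sections

def decode_reg_data(data):
    """'-' deletes the value; hex(7) is REG_MULTI_SZ given as a byte list."""
    if data == "-":
        return ("delete", None)
    if data.startswith("hex(7):"):
        raw = bytes(int(h, 16) for h in data[7:].split(","))
        # The value on the page is ANSI bytes; treat as UTF-16LE if every odd byte is 0.
        enc = "utf-16-le" if raw and not any(raw[1::2]) else "latin-1"
        return ("multi_sz", [s for s in raw.decode(enc).split("\0") if s])
    return ("literal", data)

def registry_actions(sections):
    """Group Registry:: value lines under their [key]: {key: {name: action}}."""
    actions, key = {}, None
    for line in sections.get("Registry", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            actions[key] = {}
        elif key is None or not line.startswith('"') or '"=' not in line:
            raise ValueError(f"malformed registry line: {line}")
        else:
            name, _, data = line[1:].partition('"=')
            actions[key][name] = decode_reg_data(data)
    return actions
```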

#5 pp111 (Topic Starter, Member, 50 posts)

Thanks, I am about to submit the quarantined file and do the online scan, here are the combofix and hjt logs.

Edit: File submitted successfully, running online scan now.

-pp111

Attached Files


Edited by pp111, 16 January 2009 - 05:57 PM.


#6 pp111 (Topic Starter, Member, 50 posts)

I'm having a little trouble with the Kaspersky scanner. My computer got to 79%+, but when I came back to check on it after that my computer had shut down unexpectedly, as that has been one of the more recent symptoms with this virus. I tried it again and it crashed; I'm going to try it again now, and I'll update on its progress.

#7 JSntgRvr (Global Moderator, 11,579 posts)

    I'm having a little trouble with the Kaspersky scanner. My computer got to 79%+, but when I came back to check on it after that my computer had shut down unexpectedly, as that has been one of the more recent symptoms with this virus. I tried it again and it crashed; I'm going to try it again now, and I'll update on its progress.


I believe it is due to your Firewall, which is still active.

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "CPMbfe15e46"=-
    "yubivehopu"=-
    File::
    c:\windows\system32\wijahupu.dll
    c:\windows\system32\dowekenu.dll

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log.

As an alternative to Kaspersky, please run the F-Secure Online Scanner.

Note: You must use Internet Explorer for this scan!
  • Accept the License Agreement.
  • Once the ActiveX installs click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.


#8 pp111 (Topic Starter, Member, 50 posts)

Ok, I ran that most recent script and got a HJT log as well. When I was running Kaspersky it was in Mozilla, and my Windows firewall was off, but the Trend Micro one was on. I'll try running it in IE without the Trend Micro firewall (it starts up every chance it gets and so I have to be hypervigilant).

New Combofix and HJT logs, THANK YOU VERY MUCH FOR YOUR HELP SO FAR!

Attached Files



#9 pp111 (Topic Starter, Member, 50 posts)

I got Kaspersky to work, here's the log.

-pp111

Attached Files



#10 JSntgRvr (Global Moderator, 11,579 posts)

Hi, pp111 :)

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
    Collect::
    C:\WINDOWS\system32\felazako.dll.tmp
    C:\WINDOWS\system32\jevaziji.dll.tmp
    C:\WINDOWS\system32\kerneldrv336_600.dll
    C:\WINDOWS\system32\nukavuso.dll
    C:\WINDOWS\system32\rahobofo.dll.tmp
    C:\WINDOWS\system32\system169723.exe
    C:\WINDOWS\system32\system982354.exe
    C:\WINDOWS\system32\SystemHper.dll.120890
    C:\WINDOWS\system32\SystemHper.dll.125250
    c:\windows\system32\system340447.exe
    c:\windows\system32\system376783.exe
    c:\windows\system32\system864282.exe
    c:\windows\system32\system619977.exe
    c:\windows\system32\system98876.exe

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log.

Additionally, ComboFix will generate a zipped file in (Main Drive):\Qoobox\Quarantine\ called Submit [Date Time].zip

Please submit this file to:

http://www.bleepingc...e.php?channel=4

Please include a link to this topic in the message.



#11 pp111 (Topic Starter, Member, 50 posts)

Ok, that's done and I am noticing considerable improvement in my computer's performance aside from the random crashes which occur now and then. I ran the new script and submitted the quarantine file. Thank you for your continued help so far.

-pp111

Attached Files


Edited by pp111, 17 January 2009 - 08:30 PM.


#12 JSntgRvr (Global Moderator, 11,579 posts)

Hi, pp111 :)

The files submitted were all bad files. I still see some suspicious files.

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
    Collect::
    c:\windows\system32\system690824.exe
    c:\windows\system32\system717722.exe
    c:\windows\system32\system819345.exe
    Suspect::
    c:\windows\system32\SIntfNT.dl
    c:\windows\system32\SIntf32.dll
    c:\windows\system32\SIntf16.dll
    c:\windows\ScUnin.exe
    c:\windows\scunin.dat
    c:\windows\ScUnin.pif
    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "HTM DART"=-

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log.

Additionally, ComboFix will generate a zipped file in (Main Drive):\Qoobox\Quarantine\ called Submit [Date Time].zip

Please submit this file to:

http://www.bleepingc...e.php?channel=4

Please include a link to this topic in the message.

#13 pp111 (Topic Starter, Member, 50 posts)

Alright, file submitted and here are logs. I finally feel like I'm making progress :)

Attached Files



#14 JSntgRvr (Global Moderator, 11,579 posts)

At this point all looks clear. There was no detection on the suspected files. I see you ran CHKDSK? How is it doing now?

#15 pp111 (Topic Starter, Member, 50 posts)

I ran chkdsk after it crashed because when I started it up it said there were some corrupt files. It got to a point where it said it can't continue in read only though?

Everything seems to be fine unless it crashes again, but so far, so good.





