yet another desperate vundo victim...

Re: yet another desperate vundo victim...

Post by Cypher » August 2nd, 2010, 6:00 am

Hi vundoburned.
OK, let's run a few more scans. Please continue with the instructions below.
We will be doing some updates also.

Java SE Runtime Environment (JRE).

Please download from HERE
  • Find Java SE Runtime Environment (JRE) 6 Update 21.
  • Click the Download JRE button to the right.
  • Choose the correct Platform and Multi-language. Next, check the box that says I agree to the Java SE Runtime Environment 6 License Agreement.
  • Click the Continue button.
  • Click on the filename under Windows Offline Installation and save it to your desktop.
  • Close all active windows.
  • Install the program.

Next.

Update Adobe Reader

  • You should Download and Install the newest version of Adobe Reader for reading pdf files, due to the vulnerabilities in earlier versions.
  • Download Adobe Reader 930 from Here

Next.

Please download MBRCheck.exe to your desktop.
  • Right-click on MBRCheck.exe and select " Run as administrator " to run it.
  • It will show a Black screen with some information.
  • If an unknown bootcode is found, you will have further options available to you; at this time press N, then press Enter twice.
  • If nothing unusual is found, just press Enter.
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • Please post the contents of that file in your next reply.

Next.

Please run ATF Cleaner again; it should still be on your desktop.

Next.

Please disable McAfee VirusScan Enterprise as it will interfere with the scan below.
Note: Don't forget to re-enable it after the scan.

Next.

Kaspersky Online Scan

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Hold down Control then click on the following link to open a new window to Kaspersky Online Scan
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan. * This will take a while. Please be patient *.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

This online tutorial will help explain how to use the aforementioned online scan.


Logs/Information to Post in your Next Reply

  • MBRCheck log.
  • Kaspersky log.
  • Please give me an update on your computers performance.
Cypher
Admin/Teacher
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: yet another desperate vundo victim...

Post by vundoburned » August 3rd, 2010, 6:15 pm

Hi,
The Kaspersky report seems impressive, even to me, a total novice. Impressively infected!!!
I suppose this is very good news, as you've found the offenders. A BIG thank you again for what's turned out to be an enormous effort. Do you think there is light at the end of the tunnel now?

Here are the two logs as you requested: MBRCheck and Kaspersky:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 151):

Processes (total 50):

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

PhysicalDrive0 Model Number: Maxtor6L080M0, Rev: BANC1G10

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!


KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, August 3, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, August 03, 2010 00:18:13
Records in database: 4157054
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 97431
Threats found: 13
Infected objects found: 22
Suspicious objects found: 0
Scan duration: 05:09:11


File name / Threat / Threats count
C:\Documents and Settings\Ellyn\My Documents\FrostWire\Incomplete\T-3545427-build me up buttercup.mp3 Infected: Trojan-Downloader.WMA.GetCodec.r 1
C:\Documents and Settings\Ellyn\My Documents\FrostWire\Saved\emasculate masculine unicorns.mp3 Infected: Trojan-Downloader.WMA.GetCodec.w 1
C:\Documents and Settings\Ellyn\My Documents\FrostWire\Saved\embryonic journey jefferson new single.mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\Ellyn\My Documents\FrostWire\Saved\golden slumbers beatles extended live version.snd Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\Ellyn\My Documents\FrostWire\Saved\Love Rhymes With Hideous Car.wma Infected: Trojan.Win32.StartPage.ehg 1
C:\Documents and Settings\Ellyn\My Documents\FrostWire\Saved\Pink Floyd - Wish You Were here.wma Infected: Trojan-Downloader.WMA.Wimad.y 1
C:\Documents and Settings\Ellyn\My Documents\FrostWire\Saved\tickle me pink johnny flynn two guys shoot their cream inside hot girl's tight ass [cumshot].mp3 Infected: Trojan-Downloader.WMA.GetCodec.e 1
C:\Documents and Settings\Ellyn\My Documents\LimeWire\Saved\aphex twin flim.mp3 Infected: Trojan-Downloader.WMA.GetCodec.v 1
C:\Documents and Settings\Ellyn\My Documents\LimeWire\Saved\desert rose sting.wma Infected: Trojan-Downloader.WMA.GetCodec.ah 1
C:\Documents and Settings\Ellyn\My Documents\LimeWire\Saved\Foreigner - At War With The World.wma Infected: Trojan-Downloader.WMA.Wimad.v 1
C:\Documents and Settings\Ellyn\My Documents\LimeWire\Saved\jogging gorgeous summer - greatest hits.mp3 Infected: Trojan-Downloader.WMA.GetCodec.w 1
C:\Documents and Settings\Ellyn\My Documents\LimeWire\Saved\lmfao shooting start party mix(1).wma Infected: Trojan-Clicker.WMA.Agent.d 1
C:\Documents and Settings\Ellyn\My Documents\LimeWire\Saved\lmfao shooting start party mix.wma Infected: Trojan-Clicker.WMA.Agent.d 1
C:\Documents and Settings\Ellyn\My Documents\LimeWire\Saved\menomena wet and rusting.mp3 Infected: Trojan-Downloader.WMA.GetCodec.v 1
C:\Documents and Settings\Ellyn\My Documents\LimeWire\Saved\Nirvana - In Bloom.wma Infected: Trojan-Clicker.WMA.Agent.d 1
C:\Documents and Settings\Ellyn\My Documents\LimeWire\Saved\Pitbull ft lil John - Toma.wma Infected: Trojan-Clicker.WMA.Agent.d 1
C:\Documents and Settings\Ellyn\My Documents\LimeWire\Saved\rusted roots sends me on my.au Infected: Trojan-Downloader.WMA.GetCodec.af 1
C:\Documents and Settings\Ellyn\My Documents\LimeWire\Saved\somebody to love jefferson.wma Infected: Trojan-Downloader.WMA.GetCodec.x 1
C:\Documents and Settings\Ellyn\My Documents\LimeWire\Saved\too Fast for Love Razed in.wma Infected: Trojan.Win32.StartPage.ehg 1
C:\Documents and Settings\Ellyn\My Documents\LimeWire\Saved\we a de rasta israel vibration.wma Infected: Trojan-Downloader.WMA.GetCodec.x 1
C:\Documents and Settings\Ellyn\My Documents\LimeWire\Saved\wombats lets dance to joy.wma Infected: Trojan-Downloader.WMA.Wimad.y 1
C:\WINDOWS\system32\pyfqbjf.dll.bak Infected: Packed.Win32.Krap.hc 1

Selected area has been scanned.
vundoburned
Regular Member
 
Posts: 15
Joined: July 23rd, 2010, 5:46 pm
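
An added parser for the scan-report layout posted above (example code written for this page, not a tool from the thread or from Kaspersky): it reads the "File name Infected: Threat Count" lines of a constructed sample report, cross-checks the header counts (in the report above, "Infected objects found: 22" matches the 22 listed files and "Threats found: 13" the 13 distinct threat names), and tallies detections per folder and per threat family, which is the view a helper needs before deciding whether whole download folders can be moved. The sample paths and file names are invented; only the line layout follows the post.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in the layout of a Kaspersky Online Scanner 7.0 report.
# Fictional file names chosen to mirror the post (P2P download folders plus a
# stray .dll.bak under system32); this is NOT the thread's real report.
SAMPLE_REPORT = r"""KASPERSKY ONLINE SCANNER 7.0: scan report
Scan statistics:
Objects scanned: 100
Threats found: 3
Infected objects found: 4
Suspicious objects found: 0

File name / Threat / Threats count
C:\Documents and Settings\User\My Documents\FrostWire\Saved\song one.mp3 Infected: Trojan-Downloader.WMA.GetCodec.r 1
C:\Documents and Settings\User\My Documents\LimeWire\Saved\song two.wma Infected: Trojan-Clicker.WMA.Agent.d 1
C:\Documents and Settings\User\My Documents\LimeWire\Saved\song three.wma Infected: Trojan-Clicker.WMA.Agent.d 1
C:\WINDOWS\system32\example.dll.bak Infected: Packed.Win32.Krap.hc 1

Selected area has been scanned.
"""

# One detection line: "<path> Infected: <threat name> <count>"
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
# The statistics lines in the header we care about
STAT_RE = re.compile(
    r"^(?P<key>Objects scanned|Threats found|Infected objects found|Suspicious objects found): (?P<value>\d+)$"
)


def parse_report(text):
    """Split a report into its statistics header and its detection lines.
    Returns (stats, detections): stats maps 'Threats found' etc. to ints,
    detections is a list of (path, threat, count) tuples in report order."""
    stats, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = STAT_RE.match(line)
        if m:
            stats[m.group("key")] = int(m.group("value"))
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append((m.group("path"), m.group("threat"), int(m.group("count"))))
    return stats, detections


def reconcile(stats, detections):
    """Cross-check the header against the listed objects. In the post's report
    'Infected objects found' equals the number of listed files and 'Threats found'
    the number of distinct threat names, so a mismatch here means the pasted log
    is truncated or was edited. Returns a list of problem descriptions (empty = OK)."""
    problems = []
    listed = len(detections)
    distinct = len({threat for _, threat, _ in detections})
    if stats.get("Infected objects found") != listed:
        problems.append(
            f"header reports {stats.get('Infected objects found')} infected objects but {listed} are listed"
        )
    if stats.get("Threats found") != distinct:
        problems.append(
            f"header reports {stats.get('Threats found')} threats but {distinct} distinct names are listed"
        )
    return problems


def by_folder(detections):
    """Count detections per parent directory: the view a helper reads off the
    list before deciding whether a whole folder (e.g. a P2P 'Saved' folder) can go."""
    return Counter(str(PureWindowsPath(path).parent) for path, _, _ in detections)


def by_family(detections):
    """Count detections per threat family, dropping the variant suffix
    (Trojan-Clicker.WMA.Agent.d -> Trojan-Clicker.WMA.Agent)."""
    return Counter(threat.rsplit(".", 1)[0] for _, threat, _ in detections)


if __name__ == "__main__":
    stats, detections = parse_report(SAMPLE_REPORT)
    for problem in reconcile(stats, detections):
        print("WARNING:", problem)
    for folder, n in by_folder(detections).most_common():
        print(f"{n:3d}  {folder}")
    for family, n in by_family(detections).most_common():
        print(f"{n:3d}  {family}")
```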

Re: yet another desperate vundo victim...

Post by Cypher » August 4th, 2010, 6:39 am

Hi vundoburned.
Do you think there is light at the end of the tunnel now?

You will appreciate that we want to be sure your PC is clean, but your logs are looking better now.
Complete the following, then give me an update on your PC's performance.

Re-run OTM
  • Double-click OTM.exe to run it.
  • Right-click then copy the following code, Do not include the word Code.
    Code:
    :Files
    C:\Documents and Settings\Ellyn\My Documents\FrostWire
    C:\Documents and Settings\Ellyn\My Documents\LimeWire
    C:\WINDOWS\system32\pyfqbjf.dll.bak
    
    :Commands
    [emptytemp]
    [start explorer]
    [Reboot]
    

    • Return to OTM, right-click then paste the code into the blank box below.
    • Next click on the large button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Logs/Information to Post in your Next Reply
  • OTM log.
  • Please give me an update on your computers performance.

Re: yet another desperate vundo victim...

Post by vundoburned » August 4th, 2010, 8:21 am

Hi,
I ran OTM and the log file is pasted below. After rebooting the computer seems to be behaving the same: as previously described with choppy mouse pointing, chopped up tunes and taking a really long time to boot up or launch applications.
Here goes, and thanks yet again...

All processes killed
========== FILES ==========
C:\Documents and Settings\Ellyn\My Documents\FrostWire\Store Purchased folder moved successfully.
C:\Documents and Settings\Ellyn\My Documents\FrostWire\Shared folder moved successfully.
C:\Documents and Settings\Ellyn\My Documents\FrostWire\Saved\Sean-Fournier-Oh-My-Free-Album-FrostClick.com.2008.11.26.frostwire.MP3_160k folder moved successfully.
C:\Documents and Settings\Ellyn\My Documents\FrostWire\Saved\SagaBoy_Evolution_frostclick.com_frostwire.com_MP3_2009_01_10\songs folder moved successfully.
C:\Documents and Settings\Ellyn\My Documents\FrostWire\Saved\SagaBoy_Evolution_frostclick.com_frostwire.com_MP3_2009_01_10 folder moved successfully.
C:\Documents and Settings\Ellyn\My Documents\FrostWire\Saved\Georgia_Wonder__Hello_Stranger__frostclick.com_frostwire.com_TPB_MP3_320k__2009_01_14\songs folder moved successfully.
C:\Documents and Settings\Ellyn\My Documents\FrostWire\Saved\Georgia_Wonder__Hello_Stranger__frostclick.com_frostwire.com_TPB_MP3_320k__2009_01_14 folder moved successfully.
C:\Documents and Settings\Ellyn\My Documents\FrostWire\Saved folder moved successfully.
C:\Documents and Settings\Ellyn\My Documents\FrostWire\Incomplete folder moved successfully.
C:\Documents and Settings\Ellyn\My Documents\FrostWire folder moved successfully.
C:\Documents and Settings\Ellyn\My Documents\LimeWire\Store Purchased folder moved successfully.
C:\Documents and Settings\Ellyn\My Documents\LimeWire\Shared folder moved successfully.
C:\Documents and Settings\Ellyn\My Documents\LimeWire\Saved\Steven_Dunston__Hymns_About_Her__frostclick.com_frostwire.com__MP3_VBR_320k_2009_08_08 folder moved successfully.
C:\Documents and Settings\Ellyn\My Documents\LimeWire\Saved\Alexx_Calise__Morning_Pill__FrostClick.com_FrostWire.com__MP3_VBR_160k_2009_11_11 folder moved successfully.
C:\Documents and Settings\Ellyn\My Documents\LimeWire\Saved folder moved successfully.
C:\Documents and Settings\Ellyn\My Documents\LimeWire\Incomplete folder moved successfully.
C:\Documents and Settings\Ellyn\My Documents\LimeWire folder moved successfully.
C:\WINDOWS\system32\pyfqbjf.dll.bak moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Ed
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Ellyn
->Temp folder emptied: 106734736 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 128094 bytes
->FireFox cache emptied: 32250897 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 556 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 3322 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: Your Father
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 66674295 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 196.00 mb


OTM by OldTimer - Version 3.1.15.0 log created on 08042010_080619

Re: yet another desperate vundo victim...

Post by Cypher » August 4th, 2010, 11:18 am

Hi vundoburned.

Check Hard Disk For Errors:

Press Start->Run, then copy/paste the following command into the box and press OK:
cmd /c chkdsk c: |find /v "percent" >> "%userprofile%\desktop\checkhd.txt"
A blank command window will open on your desktop, then close in a few minutes. This is normal.
A file icon named checkhd.txt should appear on your Desktop. Please post the contents of this file.

Re: yet another desperate vundo victim...

Post by vundoburned » August 4th, 2010, 7:21 pm

Here you go...

The type of the file system is NTFS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
CHKDSK is verifying indexes (stage 2 of 3)...
CHKDSK is recovering lost files.
CHKDSK is verifying security descriptors (stage 3 of 3)...
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
Correcting errors in the Volume Bitmap.
Windows found problems with the file system.
Run CHKDSK with the /F (fix) option to correct these.

74758477 KB total disk space.
63093368 KB in 94920 files.
38904 KB in 13466 indexes.
0 KB in bad sectors.
335481 KB in use by the system.
65536 KB occupied by the log file.
11290724 KB available on disk.

4096 bytes in each allocation unit.
18689619 total allocation units on disk.
2822681 allocation units available on disk.

Re: yet another desperate vundo victim...

Post by Cypher » August 5th, 2010, 5:03 am

Hi vundoburned.
Complete the following, then give me an update on your PC's performance.

Hard-Drive Maintenance/Repair:

Note: for the CHKDSK portion you may refer to this tutorial Here and follow the instructions for Graphical Mode if you so wish.

  • Click Start >> Run... then type in CMD and click on OK.
  • At the Command Prompt C:\ > type the following:
  • CD C:\ and hit the Enter/Return key.
  • Now type in DEFRAG C: -F
  • An analysis report will be displayed and then Windows will start the defragmentation run automatically.
  • This may take some time; when completed the Command Prompt C:\ > will appear.
  • Now type in CHKDSK C: /R and hit the Enter/Return key.
  • When prompted with:
CHKDSK cannot run because the volume is in use by another process
Would you like to schedule this volume to be checked next time the system
restarts (Y/N)
  • Hit the Y key then at the Command Prompt C:\ >
  • Type in EXIT and hit the Enter/Return key.
  • Now Reboot (Restart) your computer.

Note: Upon Reboot (Restart) the CHKDSK (check-disk) will start and carry out the repairs required.

You should see a screen like this just after the POST (power on self test) screen:

[screenshot of the check-disk screen]

Note: Do not touch either the keyboard or mouse, otherwise the Check-Disk will be canceled and your computer will continue to boot up as normal.

Re: yet another desperate vundo victim...

Post by vundoburned » August 5th, 2010, 7:12 am

Hi, I see that you may still be online as I type this. I'll follow your newest instructions shortly and get back to you.
Just for fun I went ahead and reran Kaspersky and did confirm that all of those "infections" have been moved to the OTM_moved location, rather than being permanently deleted. I presume that's okay now? thanks!

Re: yet another desperate vundo victim...

Post by Cypher » August 5th, 2010, 7:18 am

Hi.
When I give you final instructions the OTM moved items will be removed from your PC :)

Re: yet another desperate vundo victim...

Post by vundoburned » August 6th, 2010, 12:59 am

Hi,
We did all the chkdsk steps and the computer is unchanged. Still get the feeling during the incredibly long bootups that it is busy in the background, with what sounds vaguely like lots of hard drive activity (I could be wrong about that). One also always gets the sensation that it is running something else all on its own, thereby interfering with whatever I want to do: choppy/delayed mouse movements (the arrow has to catch up with your hand movements); broken up sound (i.e. tiny pauses); broken up tunes (even the Windows jingle on startup as it is loading one's personal preferences). Not sure if that helps you at all... Thank you again for what has sure turned out to be a tedious problem to fix.

Re: yet another desperate vundo victim...

Post by Cypher » August 6th, 2010, 4:56 am

Hi vundoburned.

The problems you are still experiencing are not coming from malware, as all of your latest logs have come back clean.
As this is a dedicated malware removal site, I think those issues are best left to experts elsewhere.
Here are some excellent tech sites (in no particular order) that may be able to help with these problems:


So as I said above your logs are clean, I hope you can resolve your other problems with the links that I provided.

This is my general post for when your logs show no more signs of malware.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Time for some housekeeping
  • Click on Start >> Run...
  • Now type in ComboFix /Uninstall into the box and click OK.
  • Note the space between the X and the /Uninstall; it needs to be there.
The above procedure will reset your System Restore and clear out the backups and quarantines created during the course of this fix.

Next

Clean up with OTM

  • Double-click OTM.exe to start the program. This tool will remove all the tools we used to clean your PC.
  • Close all other programs apart from OTMoveIt3, as this step will require a reboot.
  • On the OTM main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.


You can now delete any tools we used if they remain on your Desktop.


Protection Programs
Don't forget to re-enable any protection programs we disabled during your fix.

Now we need to deal with security vulnerabilities
Internet Explorer v6.00

This is extremely outdated and a security risk. Install Internet Explorer 8 now.

You can find information and install IE 8 from Here

Here are some free programs I recommend that could help you improve your computer's security.


Install SpywareBlaster
Download and install Javacools SpywareBlaster from Here
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.


Install SiteAdvisor
SiteAdvisor is a toolbar for Microsoft Internet Explorer and Mozilla Firefox which alerts you if you're about to enter a potentially dangerous website.
You can find more information and download it from Here

Install WinPatrol
As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
For more information, please visit HERE

MVPS Hosts

Install MVPS Hosts File From Here
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
You can Find the Tutorial HERE

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer
You can do that HERE

Read some information HERE On how to prevent Malware

Is your pc running slow?
Read What to do if your Computer is running slowly

I would be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Safe surfing!

Re: yet another desperate vundo victim...

Post by jmw3 » August 7th, 2010, 8:54 am

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
jmw3
MRU Emeritus
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
