
A couple of weeks ago, my friend came to me about a computer issue. I asked him to run Malwarebytes (and several other things, but he only ran MBAM and Spybot). I confronted him for updates on this situation today and it turns out that MBAM found that he had Vundomonde.sci, but he suspects that it's still there after running MBAM and Spybot. Being very into computer security, I had heard of this, but had no experience in actually dealing with it. I knew that this virus liked to piggyback and replicate around the system, ComboFix will give it a blue screen, and that MBAM and Spybot will only partially get rid of it. Also... that many Vundo-eliminating software won't even put a dent in it... the ones that aren't malware in and of themselves anyway. I have a screenshot of his netstat -a -n -o and am awaiting his screenshot of Task Manager processes and PID list for comparison, and also his msconfig startup processes screenshot. Here are the instructions that I have sent him:

"After finding out that it was this virus, I sent him the following instructions:

Pre-1 - If you want an extra step, you can do all of this in safe mode by restarting the computer and, as soon as you click that button, just keep pressing F8 until you get a screen that allows you to boot into safe mode with networking. This will further help with the following by making it harder for the viruses to function and replicate themselves while you run these. Some of these may not run in safe mode; just run what you can. Another help may be to run all of this in a different user account first. You can take extra steps as needed, though I recommend safe mode with networking on a different user account than your own.

Pre-2 - Now that we have a screenshot of netstat, we'll need to compare the PIDs to what your Task Manager says the PIDs are. So press Ctrl + Shift + Escape. They're all 3 on the far left side of the keyboard. Ctrl and Shift are on the bottom left and Escape is on the top left. If your Task Manager/Process Explorer doesn't display PIDs, you'll have to add the column by right-clicking and adding it. It may be a long list, but if you order them by PID by double-clicking on PID, it may be much smaller, as all of the PIDs for the ESTABLISHED state from netstat may be grouped in a smaller area of the list. If that's confusing, you may be able to skip it or just wait for both of us to be online at the same time and I'll walk you through it. The point with this is to try and suspend the process, if we can find it, so that it doesn't give the cleaners too much trouble. Some versions of this may even freeze the cleaners/killers.

1. Go to Computer under the Start menu, click on System Properties and then Remote Settings... turn off Remote Assistance. That should help with the following.

2. http://www.bleepingcomputer.com/download/tdsskiller/dl/4/ - TDSSKiller will auto download.

3. http://www.bleepingcomputer.com/download/rkill/dl/10/ - RKill will auto download.

4. http://www.bleepingcomputer.com/download/adwcleaner/dl/125/ - AdwCleaner will auto download.

5. http://www.bleepingcomputer.com/download/roguekiller/dl/121/ - RogueKiller will auto download.

6. http://www.piriform.com/ccleaner/download/standard - CCleaner will auto download. Run this last, as it fixes your registry. When files get removed by the above, it creates registry holes that CCleaner fixes, and that makes your computer move faster. You can also edit startup programs from here (like in msconfig). You run the scanner/fix first and then the registry cleaner.

7. As a double check, go to Local Disk, Users, your name, Local... and look through it. Then look through system files to make sure it didn't piggyback. We can also check temp files if they weren't all removed with CCleaner. Get with me when you get to this step and we'll see if we can find anything else. Hopefully this is all way more than needed, but I also spoke with a friend that has directly dealt with this virus. He OK'd the instructions as well."

Why I'm posting this here: I'm not certain that this will all work and I'm hoping that I can get any additional information that you all might have, and possibly even bring this virus to the attention of Malwarebytes. I have done probably as much research on this virus as I can, but I'm hoping to get as much info on it as possible, and from as many sources as I can, so that I can help others with this virus and its variants.

This is the first post I've ever made on these forums, but I'll keep checking back. Another reason that I'm so interested in this virus is that I am currently working towards as many certs as I can get in computer security, which to me involves knowing how to get rid of modern viruses and malware and which software to use in which situations. It's a learning process. Thanks in advance for anything you can help me with :)

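The "Pre-2" step above does the netstat-to-Task Manager PID comparison by hand. As an added example (not from the post, and not a Malwarebytes tool), the script below does the same join on saved output: it parses `netstat -a -n -o` and `tasklist /FO CSV /NH` text, keeps the ESTABLISHED rows, and lists each remote endpoint next to the image name that owns the PID. Both captures embedded here are constructed samples, and the process name `unknownproc.exe` is made up so the join has an unfamiliar name to surface; PID 0 and PIDs missing from the task list are reported as `<none>` instead of being dropped, because a connection with no visible owner is exactly the case you want to notice during triage.

```python
"""Correlate saved `netstat -a -n -o` output with `tasklist /FO CSV /NH`
output by PID, so each established connection is shown with its owning
process. Added example; both samples below are constructed, not real captures.
"""
import csv
import io
import re

# Constructed sample of `netstat -a -n -o` (Windows). Addresses/PIDs are made up.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.10:49731     203.0.113.5:80         ESTABLISHED     2412
  TCP    192.168.1.10:49740     198.51.100.7:443       ESTABLISHED     3976
  TCP    192.168.1.10:49755     198.51.100.7:443       TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    1108
"""

# Constructed sample of `tasklist /FO CSV /NH`; unknownproc.exe is a made-up name.
TASKLIST_SAMPLE = '''"svchost.exe","812","Services","0","8,204 K"
"firefox.exe","2412","Console","1","210,112 K"
"unknownproc.exe","3976","Console","1","4,088 K"
"svchost.exe","1108","Services","0","6,544 K"
'''

# proto, local, foreign, optional state (UDP rows have none), PID
NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        rows.append({
            "proto": proto,
            "local": local,
            "foreign": foreign,
            "state": state or "",  # UDP rows carry no state column
            "pid": int(pid),
        })
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV /NH` output."""
    procs = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[1].isdigit():
            continue
        procs[int(row[1])] = row[0]
    return procs


def correlate(netstat_text, tasklist_text, states=("ESTABLISHED",)):
    """Join connections in the given states to their owning process.

    PID 0 (no owning process, e.g. TIME_WAIT) and PIDs absent from the
    task list are reported with image '<none>' rather than silently dropped.
    """
    procs = parse_tasklist(tasklist_text)
    out = []
    for conn in parse_netstat(netstat_text):
        if conn["state"] not in states:
            continue
        out.append({**conn, "image": procs.get(conn["pid"], "<none>")})
    out.sort(key=lambda c: (c["pid"], c["foreign"]))
    return out


def by_process(records):
    """Group correlated rows by (pid, image) so one process's peers are listed together."""
    groups = {}
    for r in records:
        groups.setdefault((r["pid"], r["image"]), []).append(r["foreign"])
    return groups


if __name__ == "__main__":
    summary = by_process(correlate(NETSTAT_SAMPLE, TASKLIST_SAMPLE))
    for (pid, image), peers in summary.items():
        print(f"{pid:>6}  {image:<20} {', '.join(peers)}")
```

On a real machine you would save the two command outputs to text files first and feed those in place of the constructed strings; sorting by PID mirrors the "order them by PID" tip in the post, so the established rows cluster together.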

  • Root Admin

I'm sorry, but this is not a training facility. We will help you clean the computer if you like, but if you're only here for education then you'd need to look at joining a school that does train users in order to safely help others.

The following are websites that host training facilities: United Network of Instructors and Trained Eliminators

Thanks


What I mainly wanted to know from posting this is if I'm taking the right steps or if I need to take more steps. All I know of this virus is from research and from a friend that has dealt with it, but doesn't have a method to get rid of it for sure every time. Though I was just perusing the Bleeping Computer training, and the info you posted does help me even still. :)


  • Root Admin

Many users do try to "self-medicate" and fix it, and sooner or later you might remove the infection fully, but having someone assist you for free doing a one-on-one is much easier.

Generally speaking, there are many helpers that won't want to help you after you've done a lot of self-medicating, as it can potentially make it hard to clean up depending on what's been done.

I would suggest following the advice from the topic here Available Assistance for Possibly Infected Computers and having one of the Experts assist you with looking into your issue.

Thanks
