
Hi everyone,

I have Vundo.H on my system and I tried several programs for 3 days: online virus scanners, I got Avira, Malwarebytes finds them and quarantines them, at least it seems it quarantines them. But when it reboots the computer they are there again on the scan. What can I do? I update nearly every day but the results are the same. What should I do? I don't know what to do first. Thank you..


  • Root Admin

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run as Administrator).
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware:
    • Select the Update tab.
    • Click Update.
  • When the update is complete, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new HijackThis log.


I didn't do HijackThis, but the Malwarebytes log is here. Why can't Malwarebytes remove this malware??

I don't get it :D

anti-malware 1.38

2353

windows xp sp2

30.06.2009

scantype quickscan

registry keys infected:3

files infected :1

registry keys infected:

hkey-local-machine\software\microsoft\windows\currentversion\explorer\browserhelperobjects\{SOMENUMBERS} trojan.vundo.H delete on reboot

hkey-local-machine\software\microsoft\windows nt\currentversion\winlogon\notify\cwrvvqco (trojan.vundo.h) -delete on reboot

hkey_classes-root\clsid\{SOMENUMBERS} trojan.vundo.H -delete on reboot

files infected:

c:\windows\system32\ecwcgum.dll (trojan.vundo.H) - quarantined and deleted succesfully


Please do not edit logs. Please post back the FULL LOG.

I don't want to connect to the internet with the infected computer, so I use a computer from an internet cafe to solve this problem. And believe me, the rest of the Malwarebytes log is unnecessary; they were all zero. I had to edit the log because I wrote it by looking at the infected computer's screen.

I just realized I can't access my System Volume Information folder; by the way, my System Restore is off. When I try to enable it, it gives an error message and says something like: an error has occurred when System Restore one or more enabling/disabling. Please restart and try again. I restarted the computer and tried again, but it's the same.

I think that Vundo.H causes that. Right??


  • Root Admin

Well, you're going to need access to a computer that can download software and burn a CD.

Please download and run the following on the computer. If it won't run then try renaming it. If that does not work then start in Safe Mode and try again, and try renaming again.

If it still will not run then download and burn the Avira Rescue CD and boot the computer with it.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

If ComboFix won't run then run this.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the Avira AntiVir Rescue System from here.
  • Place a blank CD in your burner and double-click on the downloaded file named rescue_system-common-en.exe.
  • If the above link does not work please try this one: here.
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse, click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files.
    • Select Try to repair infected files and Rename files, if they cannot be removed.
    • Select Scan for dialers.
    • Select Scan for joke programs (Jokes).
    • Select Scan for games.
    • Select Scan for spyware (SPR).
  • Click on Virus scanner.
  • Click on Start scanner at the bottom of the screen.
  • Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings.

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues

  1. Please see the post here if you're unable to view the entire screen of Avira.
  2. You can also review this one: Fixed Rescue CD Resolution Probs with Dell Video
  3. Currently only the German keyboard is supported. Command Line not working: English keyboards require work-arounds.
  4. Some computers attempt to mount the floppy even though they don't have one. You may need to go in to the BIOS and disable the floppy drive in order to mount your hard drive for scanning.


Well if you don't have a USB stick to transfer stuff either then we may have a very difficult time fixing this.

Is this XP Home or XP Pro?

How are you at using the DOS command line console?

Home Edition. I'm OK with DOS, I mean I don't know every command, but I know something, I think :D

This Vundo.H, can you tell me where it actually is? Because there is no file named cw...dll or something like that in system32. It knows how to hide itself successfully :D

It can't be in the System Restore information folder?? Right?


  • Root Admin

Okay, this is not too good. XP Home is missing some tools that XP pro has. So does this have a USB port you can use to copy files to and do you have access to a friend or work computer to copy data?

The current malware is much more sophisticated than even stuff from last year and is not easy to remove without tools and methods to see what's going on. If you can't post back logs then I'm in the dark trying to help you, because there is no magic command to remove X when we don't know what X is.

We can take some guesses and that's about it.

Please review the posts here for examples of things you can try to get it working again, but you will need some way to transfer files to that computer.

Procedures to help resolve issues preventing MBAM from running

  1. MBAM won't run(Fix), SystemSecurity
  2. MB won't run(Fix) - Total-Security (FakeAlert)
  3. MBAM wont run (Fix) - av360 (Fakealert)
  4. MBAM wont install or will not run. - CLB Rootkit driver=TDSS/Seneka/GAOPDX/UAC

If you can run REGEDIT then take a look at the Services Keys and look for stuff with strange odd names - DO NOT remove any - just write them down and tell me what ones they are.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

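As an added example, not from this thread, from Malwarebytes or from the admin above: a read-only PowerShell triage script that walks the three registry locations this thread names (Services, Winlogon\Notify, and Browser Helper Objects), resolves each entry to the file it loads, and flags entries whose file is missing, unsigned, or carries no publisher information. It writes things down rather than deleting anything, in line with the admin's "DO NOT remove any" instruction. Assumed: Windows PowerShell 3 or later run as Administrator (the XP Home machine in the thread would not have it; this is what the same check looks like on a current system), and the flag heuristics are mine, not Malwarebytes' detection logic.

```powershell
# Added example (not from the thread): read-only triage of the persistence
# locations named in this thread. Reports only; deletes nothing.
# Assumptions: Windows PowerShell 3+, run as Administrator.

function Resolve-ImagePath([string]$ImagePath) {
    # Normalise the many ImagePath spellings into one absolute file path.
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    $p = $p -replace '^\\\?\?\\', ''                    # \??\C:\... NT object prefix
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }     # quoted path followed by arguments
    elseif ($p -match '^(.*?\.(exe|sys|dll))') { $p = $Matches[1] }
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # bare system32\... paths
    return $p
}

function Get-Flags([string]$Path) {
    # Heuristics (mine): the file is gone or hidden, or it lacks a valid signature
    # and any publisher name. A human still decides what each flag means.
    $flags = @()
    if (-not (Test-Path -LiteralPath $Path)) {
        $flags += 'file not found (removed, or hidden from the file system)'
        return ($flags -join '; ')
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
    if ($sig -and $sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
    $vi = (Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue).VersionInfo
    if ($vi -and -not $vi.CompanyName) { $flags += 'no CompanyName in version info' }
    return ($flags -join '; ')
}

$rows = @()

# 1. Services and drivers: the key the admin asked the poster to look through.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($key in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
    $img = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).ImagePath
    if (-not $img) { continue }
    $path = Resolve-ImagePath $img
    $rows += [pscustomobject]@{ Where = 'Services'; Name = $key.PSChildName; File = $path; Flags = (Get-Flags $path) }
}

# 2. Winlogon notification packages: DLLs loaded into winlogon.exe at logon.
$notifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
foreach ($key in Get-ChildItem -Path $notifyRoot -ErrorAction SilentlyContinue) {
    $dll = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).DLLName
    if (-not $dll) { continue }
    $path = Resolve-ImagePath $dll
    $rows += [pscustomobject]@{ Where = 'Winlogon\Notify'; Name = $key.PSChildName; File = $path; Flags = (Get-Flags $path) }
}

# 3. Browser Helper Objects: each CLSID is resolved through its InprocServer32 default value.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($key in Get-ChildItem -Path $bhoRoot -ErrorAction SilentlyContinue) {
    $clsid  = $key.PSChildName
    $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
    $dll = (Get-ItemProperty -Path $server -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    if (-not $dll) {
        $rows += [pscustomobject]@{ Where = 'BHO'; Name = $clsid; File = '<no InprocServer32>'; Flags = 'dangling CLSID' }
        continue
    }
    $path = Resolve-ImagePath $dll
    $rows += [pscustomobject]@{ Where = 'BHO'; Name = $clsid; File = $path; Flags = (Get-Flags $path) }
}

# Show only the entries that carry a flag; remove the Where-Object filter to list everything.
$rows | Where-Object { $_.Flags } | Sort-Object Where, Name | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt and copy the table into a reply rather than acting on it: a "file not found" flag against a service that is still registered is exactly the pattern the thread is chasing (an entry MBAM keeps reporting while nothing is visible in system32), and the admin's next step depends on seeing the names, not on the poster removing them.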

Well, I looked for services, and found these:

qwcqfcuv.sys

utm5oti3.sys

seclogon.sys

cwrvvqco.dll, ecwcgum.dll (these are in the qwcqfcuv.sys folder in regedit), which Malwarebytes finds every scan and can't delete. And these 2 DLLs are in other places in the registry, and I can't delete them manually. I think Vundo denies the access to delete them.

What can we do??


  • Root Admin

Well if MBAM can not remove them then I'm sure there is something going on here that is hiding and as I said we're going to need some way to transfer logs so I can see what's up.

I doubt this will work, but please give it a try.

STEP 01

Reconfigure Windows XP to show hidden files:

To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.

* Double-click on the My Computer icon.

* Select the Tools menu and click Folder Options.

* After the new window appears select the View tab.

* Put a checkmark in the checkbox labeled Display the contents of system folders.

* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.

* Remove the checkmark from the checkbox labeled Hide protected operating system files.

* Press the Apply button and then the OK button and exit My Computer.

* Now your computer is configured to show all hidden files.

STEP 02

Please click on START - RUN and type in the following and click OK

cmd /c sc delete qwcqfcuv.sys

Please click on START - RUN and type in the following and click OK

cmd /c sc delete qwcqfcuv

Please click on START - RUN and type in the following and click OK

cmd /c sc delete utm5oti3.sys

Please click on START - RUN and type in the following and click OK

cmd /c sc delete utm5oti3

STEP 03

Now restart the computer

STEP 04

See if you can now delete these files:

c:\windows\system32\cwrvvqco.dll

c:\windows\system32\ecwcgum.dll

STEP 05

See if you can now run MBAM again and do another Quick Scan, also run your Anti-Virus and have it scan as well.


I did the first 3, but on the 4th step I couldn't find any DLLs to delete.

By the way, I tried to delete the reg entries of these files and cmd says: there is no such entry like this, or something like that; or: you don't have the right to reach?? Something like that... I'm not sure.

Well, I will try to transfer the logs here; it's really annoying by now.
