Vundo and others

[sjpritch25]

Go here and download and run the Fix it Tool

http://support.microsoft.com/kb/971058

Let me know if windows update still isn't working properly.

Go ahead and remove ComboFix

Go to Start ---> Run ---> Type ComboFix /uninstall and press Enter.

That is to say, did anything steal my passwords or other info?

Is there anything still on my PC that would do so in the future?

This infection doesn't usually steal personal information, but its best to change all banking/credit card passwords. Just to be safe.

[Onikirimaru]

The Fix it Tool didn't work in default mode. Should I try it again in 'aggressive' mode?

Successfully uninstalled ComboFix.

This infection doesn't usually steal personal information, but its best to change all banking/credit card passwords. Just to be safe.

That's good to know.

Thank you.

[Onikirimaru]

I just noticed two new entries in the Spybot System Startup page (after running the Fix it Tool): crypt32.dll & cryptnet.dll

I'm wondering if some of the entries I turned off before were required for Automatic Updates to run.

The ones I turned off are:

Value / Command Line

crypt32chain / crypt32.dll

cryptnet / cryptnet.dll

cscdll / cscdll.dll

igfxcui / igfxdev.dll

ScCertProp / wlnotify.dll

Schedule / wlnotify.dll

sclgntfy / sclgntfy.dll

SensLogn / WlNotify.dll

termsrv / wlnotify.dll

WgaLogon / WgaLogon.dll

wlballoon / wlnotify.dll

[Onikirimaru]

Here's the SpybotSD.System startup report.

SpybotSD.System_startup_report.txt

[sjpritch25]

Your best bet it to either uncheck those items one at a time or disable that function in Spybot. Then see if you can update after completing the fix it tool.

[Onikirimaru]

Well, I restored all those entries on the Spybot System Startup page. Sure enough, Windows Automatic Updates came back...

I guess I got a bit... overzealous the day Vundo hit. Though, the winlogon entry in the firewall exception list vanished after running ComboFix.

So, maybe I wasn't completely off track.

Thank you for all your assistance and patience.

If I could ask for your advice one more time...

My current set up is: Avira's guard, Windows XP firewall, SpywareBlaster, KeyScrambler, and daily scans with Malwarebytes', Spybot, Avira, & BitDefender. And my browser is Firefox.

Is there anything I should have to prevent this from happening again, but don't?

I'm thinking of changing my firewall, but am not sure whether to change it to Online Armor, Outpost, Comodo, or something else.

Do you have any recommendations?

Thanks again!

[sjpritch25]

Well, your setup is a little overkill. However, nothing is 100% secure. Basically a good Anti-Virus program with a good anti-spyware program (protection enabled). Should suffice. Spywareblaster is good because it blocks malicious Activex and sites that are in its database. As for a firewall, i personally just stick with a hardware firewall and leave the default windows firewall. Since your running XP, i would use Firefox and NoScript when web browsing. NoScript blocks all scripting on sites, i tend to only fully enable on my banking sites and sites i trust. Running with all scripts disabled is a pretty safe way to browse. Finally, make sure you have the latest Adobe Reader 9.2 and Adobe Flash 10.2* and Java Jre 6 update 17. Lately, old version of adobe and flash have contributed to a number of infections in the past year.

I've tested and use Microsoft Security Essentials and really like it. I have it paired with Mbam with protection. Another good AV is Vipre by sunbelt software. Just my opinions.

Hope this helps.