Sunday, July 27, 2008

You might want to know...

Posted on 2008-Jul-27 at 12:44 in A day in the life..



I spent four days last week fixing my Dad's PC via remote access. He was bored, so he decided to fill out some online "surveys."
Next thing he knew he was getting virus warnings popping up left and right. Internet Explorer had been hijacked (he uses Firefox thanks to me), and the clock on his taskbar showed the time in military time with the words VIRUS ALERT! next to it. Everything I went into on his machine said it was owned by the same words.

I spent the first three days running scans with AVG 8 and Spybot Search and Destroy. They worked great and killed off 90% of the problems.
But one kept coming back, and in doing so it was launching a myriad of invaders. It is called the Vundo virus or Virtumonde.dll. It is a really nasty, tenacious trojan that is common in drive-by downloads. In other words, all you have to do is visit a page that is not nice and it will download to your PC. Also be careful of messenger messages from people you don't know.

Anyway, on day four I did some research on this particular virus and found these links and some programs to kill it.
The one I used was Malwarebytes Anti-Malware. This is the page that has the link on it:
http://www.dslreports.com/forum/r206...umondedll-
I ran it once and let it do its thing. In four minutes it had found 66 trojans on this PC!! FOUR MINUTES!! It ran for only 15 minutes and found over 100 of them total.
I had to reboot the machine, at which point I lost contact via my screen sharing.

The next day Poppa called me to tell me his machine was CLEAN!! The only thing was that his cookie for Bluemountain (he uses their calendar to remind him of things) was gone. I told him how to fix that and he was set. So he has learned his lesson... now... will you take heed?

Make sure your virusware, whatever it is, is updated regularly. I use AVG Pro, but I put ALL of my clients on AVG Free. I will still include Spybot when needed, as it found many things on his PC. Most of those are tracking cookies, which are not always a threat. It found the Vundo virus, but neither one could fix it. It has its grips all over your PC. There were well over 200 entries, files thrown here and there in the registry, in Windoze folders, all over the place, that Vundo had scattered. It was amazing!!

Here are the notes I compiled, with links to other programs that can help if Malwarebytes doesn't cut it. It cut it good with one pass on my Dad's PC. I hope yours and MINE never need it. Here is what I found:
(I believe I got Malwarebytes from the third link on this list:
http://www.besttechie.net/tools/mbam...-setup.exe
http://malwarebytes.gt500.org/mbam-s...-setup.exe
http://www.majorgeeks.com/Malwarebyt...d5756.html )

Download VundoFix to your desktop

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HijackThis log in a reply to this thread.

http://www.atribune.org/ccount/click...k.php?id=4

------------------------------

RootkitRevealer
http://technet.microsoft.com/en-us/s...97445.aspx

----hosts file-----------------------------
http://www.mvps.org/winhelp2002/host.../hosts.zip
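The MVPS hosts file linked above works by mapping known ad and malware hostnames to 0.0.0.0, so the browser never reaches them. The same file is also a target: a hijacker can add lines that point real sites (an anti-virus vendor's update server, say) at an address it controls, so the updates the post keeps stressing silently stop arriving. The script below is an added example, not part of the original post or of the MVPS project; it parses a hosts file, counts blocklist-style sink entries, and flags any hostname mapped to a non-local address. The hosts text, hostnames and addresses inside it are constructed for the example; the file path is the standard Windows location.

```python
"""Audit a Windows hosts file (added example, not from the original post).

A blocklist hosts file such as the MVPS one sinks unwanted hostnames to
0.0.0.0 or 127.0.0.1. A hijacked hosts file instead points real hostnames
at some other address. This script separates the two.
"""
import ipaddress
import sys
from typing import Dict, List, Tuple

# Standard location of the hosts file on Windows.
WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"

# Names that Windows and most operating systems legitimately map to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}

# Constructed sample, not a real hosts file; hostnames and addresses are illustrative.
SAMPLE_HOSTS = """\
# Header comment, ignored by the parser
127.0.0.1       localhost
::1             localhost
0.0.0.0  ads.example.net
0.0.0.0  tracker.example.org        # MVPS-style block entry
192.0.2.10   update.av-vendor.example   # a hijack: real site sent elsewhere
this line has no address and is skipped
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname, comments removed."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline and full-line comments
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue   # malformed line: ignore it rather than abort the audit
        for name in names:
            pairs.append((addr, name.lower()))
    return pairs


def is_sink(addr: str) -> bool:
    """True for addresses a blocklist uses to black-hole a name (0.0.0.0, 127.x, ::1)."""
    ip = ipaddress.ip_address(addr)
    return ip.is_unspecified or ip.is_loopback


def audit_hosts(text: str) -> Dict[str, list]:
    """Split entries into blocklist sinks and suspicious (non-local) redirections."""
    blocked: List[str] = []
    suspicious: List[Tuple[str, str]] = []
    for addr, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue                      # loopback names are normal, not blocks
        if is_sink(addr):
            blocked.append(name)
        else:
            suspicious.append((name, addr))
    return {"blocked": blocked, "suspicious": suspicious}


def audit_file(path: str) -> Dict[str, list]:
    """Audit a hosts file on disk, e.g. audit_file(WINDOWS_HOSTS)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    # With no argument, audit the constructed sample; pass a path to audit a real file.
    result = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_hosts(SAMPLE_HOSTS)
    print(f"{len(result['blocked'])} blocklist entries")
    for name, addr in result["suspicious"]:
        print(f"SUSPICIOUS: {name} -> {addr}")
```

Run with no arguments to see the sample classified (two sink entries, one suspicious redirection), or pass the path to a machine's real hosts file. Any line the script reports as SUSPICIOUS deserves a look before the next update run: a blocklist never needs to point a hostname at a routable address.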

------------------------------

VirtumundoBegone.

-------------------------------

http://download.bleepingcomputer.com...mboFix.exe

--------------------------------------

http://www.kaspersky.com/virusscanne...russcanner

----------------------------------------------

SmitfraudFix

------------------------
Malwarebytes Anti-Malware

--------------------------------------
http://www.dslreports.com/forum/r206...ll-Entries


* Make sure you are connected to the Internet.
* Double-click on Download_mbam-setup.exe to install the application. (If using Windows Vista, be sure to "Run As Administrator")
* When the installation begins, follow the prompts and do not make any changes to default settings.
* When installation has finished, make sure you leave both of these checked:
o Update Malwarebytes' Anti-Malware
o Launch Malwarebytes' Anti-Malware
* Then click Finish.
* MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
* If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
* On the Scanner tab:
o Make sure the "Perform Quick Scan" option is selected.
o Then click on the Scan button.
* The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
* The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
* When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
* Click OK to close the message box and continue with the removal process.
* Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
* Make sure that everything is checked, and click Remove Selected.
* When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
* The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Second:
Download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: www.bleepingcomputer.com/combofi•••combofix


1. http://download.bleepingcomputer.com...mboFix.exe
2. http://www.forospyware.com/sUBs/Comb...mboFix.exe
3. http://subs.geekstogo.com/ComboFix.e...mboFix.exe


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double-click on ComboFix.exe and follow the prompts.

When finished, it will produce a report for you. Please post C:\ComboFix.txt along with a new HijackThis log for further review.


Note:
Do not click in ComboFix's window while it's running. That may cause it to stall.

So that was my four days of PC repair via screen sharing with my Dad. Granted, most of you are pretty computer savvy, and he is too, for an 85-year-old man! But I found out the day after it was clean that my daughter (who knows better) was filling out surveys for money!! OMG!!! She has a laptop, which is just harder to deal with. Plus she has way too much music and images on her laptop, which elicits much loud screaming when I mention the word "format." She doesn't back up like I tell her to, and so that will happen one day. It already did. The laptop was her grad present in '07, and 6 months later the hard drive died. So she bought (on her own!) a bigger one and had a friend install it. Now she is good to go but... still has the music and stuff on it.
Well, I have tried... but she is stubborn... where did she get that?

I hope this has been an informative post for you and that my hours of research will make yours unnecessary. I hope you never NEED this information. If you do and EFX2 is down, just e-mail me. Most of you have it or know someone else who does.

Take care all and have a nice Sunday!
