Malwarebytes finds Vundo.H but can't delete
cantdelete
Hi everyone,

I have Vundo.H on my system and I have tried several programs for 3 days: online virus scanners, I got Avira, and Malwarebytes finds them and quarantines them, or at least it seems to quarantine them. But when the computer reboots they are there again on the scan. What can I do? I update nearly every day but the results are the same. What should I do? I don't know what to do first. Thank you.
AdvancedSetup
Update and Scan with Malwarebytes' Anti-Malware
  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.
cantdelete
I didn't do HijackThis, but the Malwarebytes log is here. Why can't Malwarebytes remove this malware?
I don't get it.

Malwarebytes' Anti-Malware 1.38
Database version: 2353
Windows XP SP2

30.06.2009

Scan type: Quick Scan

Registry Keys Infected: 3
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{SOMENUMBERS} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cwrvvqco (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{SOMENUMBERS} (Trojan.Vundo.H) -> Delete on reboot.

Files Infected:
c:\WINDOWS\system32\ecwcgum.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
AdvancedSetup
Please do not edit logs. Please post back the FULL LOG
cantdelete
QUOTE (AdvancedSetup @ Jun 30 2009, 08:09 AM) *
Please do not edit logs. Please post back the FULL LOG

I don't want to connect to the internet with the infected computer, so I am using a computer at an internet cafe to solve this problem. And believe me, the rest of the Malwarebytes log is unnecessary; they were all zero. I had to edit the log because I typed it by looking at the infected computer's screen.
cantdelete
QUOTE (cantdelete @ Jun 29 2009, 08:26 PM) *
Hi everyone,

I have Vundo.H on my system and I have tried several programs for 3 days: online virus scanners, I got Avira, and Malwarebytes finds them and quarantines them, or at least it seems to quarantine them. But when the computer reboots they are there again on the scan. What can I do? I update nearly every day but the results are the same. What should I do? I don't know what to do first. Thank you.

I just realized I can't access my System Volume Information folder. By the way, my System Restore is off; when I try to enable it, it gives an error message that says something like: "An error has occurred when System Restore was enabling/disabling one or more ... Please restart and try again." I restarted the computer and tried again, but it's the same.

I think Vundo.H causes that, right?
AdvancedSetup
Well you're going to need access to a computer that can download software and burn a CD.

Please download and run the following on the computer. If it won't run then try renaming it. If that does not work then start in Safe Mode and try again, and try renaming again.
If it still will not run then download and burn the Avira Rescue CD and boot the computer with it.


Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe


Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

If Combofix won't run then run this.

Avira AntiVir Rescue System
Requires access to a working computer with a CD/DVD burner to create a bootable CD.
  • Download the Avira AntiVir Rescue System from here
  • Place a blank CD in your burner and double-click on the downloaded file named rescue_system-common-en.exe
  • If the above link does not work please try this one: here
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues
  1. Please see the post here if you're unable to view the entire screen of Avira.
  2. You can also review this one Fixed Rescue CD Resolution Probs with Dell Video
  3. Currently only the German keyboard is supported. Command line not working: English keyboards require workarounds.
  4. Some computers attempt to mount the floppy even though they don't have one. You may need to go in to the BIOS and disable the floppy drive in order to mount your hard drive for scanning.
cantdelete
I'm sorry, but the infected computer does not have a CD or DVD drive. Do I have to solve this infection with other solutions?
AdvancedSetup
Well if you don't have a USB stick to transfer stuff either then we may have a very difficult time fixing this.
Is this XP Home or XP Pro?

How are you at using the DOS command line console?
cantdelete
QUOTE (AdvancedSetup @ Jul 1 2009, 06:55 PM) *
Well if you don't have a USB stick to transfer stuff either then we may have a very difficult time fixing this.
Is this XP Home or XP Pro?

How are you at using the DOS command line console?

Home Edition. I'm OK with DOS; I mean I don't know every command, but I know something, I think.

This Vundo.H, can you tell me where it actually is? Because there is no file named cw...dll or something like that in system32. It knows how to hide itself successfully :D

It can't be in the System Restore information folder, right?
AdvancedSetup
I'm sorry but I just had too many other things to do tonight and I'm out of time. I'll pick back up on this tomorrow.
cantdelete
QUOTE (AdvancedSetup @ Jul 2 2009, 08:50 AM) *
I'm sorry but I just had too many other things to do tonight and I'm out of time. I'll pick back up on this tomorrow.

No problem, dude.
AdvancedSetup
Okay, this is not too good. XP Home is missing some tools that XP pro has. So does this have a USB port you can use to copy files to and do you have access to a friend or work computer to copy data?

The current malware is much more sophisticated than even stuff from last year and is not easy to remove without tools and methods to see what's going on. If you can't post back logs then I'm in the dark trying to help you, because there is no magic command to remove X when we don't know what X is.

We can take some guesses and that's about it.

Please review the posts here for examples of things you can try to get it working again, but you will need some way to transfer files to that computer.


Procedures to help resolve issues preventing MBAM from running
  1. MBAM won't run(Fix), SystemSecurity
  2. MB won't run(Fix) - Total-Security (FakeAlert)
  3. MBAM wont run (Fix) - av360 (Fakealert)
  4. MBAM wont install or will not run. - CLB Rootkit driver=TDSS/Seneka/GAOPDX/UAC


If you can run REGEDIT then take a look at the Services Keys and look for stuff with strange odd names - DO NOT remove any - just write them down and tell me what ones they are.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
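An added example, not code from the thread, from Malwarebytes or from ComboFix: a Python triage script for the offline situation the poster is in (no CD drive, no internet on the infected box). It serves both the autostart points in the MBAM log above (a Browser Helper Object CLSID and a Winlogon\Notify package) and the Services key AdvancedSetup asks about here: on the XP machine you `reg export` those keys, carry the .reg files out on a USB stick, and score them on a clean computer. The parser handles the `hex(2)` UTF-16LE encoding with backslash line continuations that `reg export` uses for REG_EXPAND_SZ values such as ImagePath. The scoring heuristics are the editor's, not anything from the thread. The sample export is constructed: the service, DLL and Notify names are the ones reported in the thread, but their ImagePath and Type values and the BHO CLSID are assumed for illustration.

```python
"""Triage a `reg export` of the autostart points in this thread (Services, Winlogon\\Notify, BHOs)."""
import re

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
BHO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID = r"HKEY_CLASSES_ROOT\CLSID"
GUID = "{11111111-2222-3333-4444-555555555555}"  # made-up CLSID for the sample

def _hex2(s: str) -> str:
    """Write a string as `reg export` writes REG_EXPAND_SZ: hex(2), UTF-16LE, wrapped with '\\'."""
    pairs = [f"{b:02x}" for b in (s + "\0").encode("utf-16-le")]
    return "hex(2):" + ",\\\n  ".join(",".join(pairs[i:i + 25]) for i in range(0, len(pairs), 25))

# Constructed sample export. The odd names are the ones the poster saw in regedit; their
# ImagePath and Type values and the BHO CLSID are assumed here purely for illustration.
SAMPLE_REG = "\n".join([
    f"[{SERVICES}\\Spooler]", '"Type"=dword:00000110', '"DisplayName"="Print Spooler"',
    '"ImagePath"=' + _hex2(r"%SystemRoot%\system32\spoolsv.exe"), "",
    f"[{SERVICES}\\mrxsmb]", '"Type"=dword:00000002', '"DisplayName"="MRXSMB"',
    '"ImagePath"=' + _hex2(r"system32\DRIVERS\mrxsmb.sys"), "",
    f"[{SERVICES}\\qwcqfcuv]", '"Type"=dword:00000001',
    '"ImagePath"=' + _hex2(r"\??\C:\WINDOWS\system32\qwcqfcuv.sys"), "",
    f"[{SERVICES}\\utm5oti3]", '"Type"=dword:00000001',
    '"ImagePath"=' + _hex2(r"\??\C:\WINDOWS\system32\utm5oti3.sys"), "",
    f"[{NOTIFY}\\Schedule]", '"DLLName"="wlnotify.dll"', "",
    f"[{NOTIFY}\\cwrvvqco]", '"DLLName"="cwrvvqco.dll"', "",
    f"[{BHO}\\{GUID}]", "",
    f"[{CLSID}\\{GUID}\\InprocServer32]", r'@="C:\\WINDOWS\\system32\\ecwcgum.dll"',
])

def decode(value: str) -> str:
    """Decode one .reg value: quoted string, dword, or hex(N) blob (UTF-16LE for string types)."""
    if value.startswith('"'):
        return value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if value.startswith("dword:"):
        return str(int(value[6:], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", value)
    if not m:
        return value
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if (m.group(1) or "3") in ("1", "2", "7"):  # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ
        return data.decode("utf-16-le", "replace").rstrip("\0").replace("\0", ";")
    return data.hex()

def parse_reg(text: str) -> dict:
    """Parse `reg export` output into {key path: {value name: decoded value}}."""
    keys, current, buf = {}, None, ""
    for raw in text.splitlines():
        piece = raw.strip()
        if piece.endswith("\\"):  # value continued on the next physical line
            buf += piece[:-1]
            continue
        line, buf = buf + piece, ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            keys[current]["(Default)" if name == "@" else name.strip('"')] = decode(value)
    return keys

def basename(path: str) -> str: return path.rsplit("\\", 1)[-1]

def looks_random(name: str) -> bool:
    """Gibberish heuristic: 6-12 lowercase letters/digits, almost no vowels or a long consonant run."""
    stem = re.sub(r"\.[a-z0-9]{1,4}$", "", name.lower())
    if not 6 <= len(stem) <= 12 or not re.fullmatch(r"[a-z0-9]+", stem):
        return False
    letters = [c for c in stem if c.isalpha()]
    vowel_ratio = sum(c in "aeiouy" for c in letters) / max(len(letters), 1)
    longest_run = max((len(r) for r in re.findall(r"[^aeiouy0-9]+", stem)), default=0)
    return (len(letters) >= 6 and vowel_ratio < 0.25) or longest_run >= 5

def triage(keys: dict) -> list:
    """Score each autostart entry (higher = look harder). A score proves nothing: mrxsmb is legitimate."""
    findings = []
    for path, v in keys.items():
        checks = []
        if path.startswith(SERVICES + "\\") and path.count("\\") == SERVICES.count("\\") + 1:
            image = v.get("ImagePath", "")
            checks = [(2, "gibberish service or image name",
                       looks_random(basename(path)) or looks_random(basename(image))),
                      (1, "no DisplayName", "DisplayName" not in v),
                      (1, "kernel/FS driver not under system32\\drivers",
                       v.get("Type") in ("1", "2") and "\\drivers\\" not in image.lower())]
        elif path.startswith(NOTIFY + "\\"):
            checks = [(2, "gibberish Winlogon notify package",
                       looks_random(basename(path)) or looks_random(v.get("DLLName", "")))]
        elif path.startswith(BHO + "\\"):
            server = keys.get(f"{CLSID}\\{basename(path)}\\InprocServer32", {}).get("(Default)", "")
            checks = [(2, "BHO CLSID has no InprocServer32", not server),
                      (2, f"BHO DLL {server} is gibberish or lives under the Windows dir",
                       bool(server) and (looks_random(basename(server)) or "\\windows\\" in server.lower()))]
        score = sum(pts for pts, _, hit in checks if hit)
        if score >= 2:
            findings.append((score, path, [why for _, why, hit in checks if hit]))
    return sorted(findings, key=lambda f: (-f[0], f[1]))
```

On the infected machine, `reg export "HKLM\SYSTEM\CurrentControlSet\Services" services.reg` (and the same for the Winlogon\Notify, Browser Helper Objects and HKCR\CLSID keys) writes UTF-16 files, so read them with `open(path, encoding="utf-16")`, concatenate, and pass the text to `triage(parse_reg(...))`. On the constructed sample, the qwcqfcuv service scores 4 (gibberish name, no DisplayName, driver outside system32\drivers) and is the kind of result that would feed the `sc delete` step, while mrxsmb also appears with a score of 2 even though it is a legitimate driver, which is exactly why the post above says to write the names down rather than delete them.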
cantdelete
Well, I looked for services and found these:

qwcqfcuv.sys
utm5oti3.sys
seclogon.sys
cwrvvqco.dll, ecwcgum.dll (these are in the qwcqfcuv.sys folder in regedit), which Malwarebytes finds on every scan and can't delete. And these 2 DLLs are in other places in the registry too, and I can't delete them manually. I think Vundo denies the access to delete them.

What can we do?
AdvancedSetup
Okay good. It's the July 4 Holiday here so will be in and out but will try to provide further details on things to try as soon as I can.
AdvancedSetup
Well if MBAM cannot remove them then I'm sure there is something going on here that is hiding and, as I said, we're going to need some way to transfer logs so I can see what's up.
I doubt this will work, but please give it a try.

STEP 01
Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.
* Double-click on the My Computer icon.
* Select the Tools menu and click Folder Options.
* After the new window appears select the View tab.
* Put a checkmark in the checkbox labeled Display the contents of system folders.
* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
* Remove the checkmark from the checkbox labeled Hide protected operating system files.
* Press the Apply button and then the OK button and exit My Computer.
* Now your computer is configured to show all hidden files.

STEP 02
Please click on START - RUN and type in the following and click OK
CODE
cmd /c sc delete qwcqfcuv.sys

Please click on START - RUN and type in the following and click OK
CODE
cmd /c sc delete qwcqfcuv

Please click on START - RUN and type in the following and click OK
CODE
cmd /c sc delete utm5oti3.sys

Please click on START - RUN and type in the following and click OK
CODE
cmd /c sc delete utm5oti3


STEP 03
Now restart the computer

STEP 04
See if you can now delete these files:
c:\windows\system32\cwrvvqco.dll
c:\windows\system32\ecwcgum.dll

STEP 05
See if you can now run MBAM again and do another Quick Scan, also run your Anti-Virus and have it scan as well.
cantdelete
I did the first 3, but on the 4th step I couldn't find any DLLs to delete.

By the way, I tried to delete the registry entries of these files and cmd says "there is no such entry" or something like that, or "you don't have the right to access"? Something like that, I'm not sure.

Well, I will try to transfer the logs here; it's really annoying now.
AdvancedSetup
Please run another MBAM scan and see what it finds please.
AdvancedSetup
Please post a status update on this. Thank you.
cantdelete
I ran MBAM 3-4 times and it found the same cwrvvqco.dll and ecwcgum.dll files in the system32 folder. The same thing happens: it finds them, I click Remove, and after the reboot they appear in the MBAM scan again.
AdvancedSetup
Yeah, you're going to have to find a way to get Combofix on that box and run it in order to find and remove this.
cantdelete
Now I got ComboFix on one of my friends' USB sticks and used it on mine. It looks OK, I think. Vundo.H is gone, I think. I rescanned with Malwarebytes and it found nothing. Thank you... Malwarebytes is the best, and also ComboFix. It took so long, but we did it. Thanks.
AdvancedSetup
Well if you can it would be best if you posted the Combofix log so I can review for you. If not then at least run Combofix /U to uninstall it.
AdvancedSetup
Okay, up to you. Make sure you keep your Anti-Virus running and up to date every day and get all the Microsoft Critical Updates for your system and take care.