Saturday, December 15, 2007

Getting Rid of Vundo and Pop-Ups

I've been meaning to write this for a while, I hope it helps some people out there.

My sister's computer (running Windows XP SP2) was popping up windows periodically when she clicked links while browsing the web. The first thought I had was that those sites were doing it, but that wasn't the case. My second thought was a piece of spyware and that was the case, but it was really difficult to find. If you're having trouble with pop-ups too, even when you're visiting Google and regardless of whether you use FireFox, Opera, or Internet Explorer, then it's possible your computer is infected with Vundo too. And, like in her case, it may not be your fault. It can come in through an old version of Sun Java regardless of what anti-virus software you're running. It's also very good at hiding itself from even the most expensive anti-virus/spyware software so it may not catch it (Sandra bought and installed Trend Micro to no avail).

Before I had figured out what the source of the problem was, Sandra and I began documenting the URL of every pop-up window. This resulted in the following list:
These sites aren't necessarily purveyors of pop-ups, i.e. run by the same people who made the spyware; there's probably only a small chance that they have any relation. Basically the makers or distributors of the Vundo spyware/virus/trojan sign up for reseller accounts with these businesses and then get a piece of every sale made.

Another problem, which I should've taken a screenshot of (and didn't), is a message box that would pop up in the lower-right part of the screen saying that the computer was infected and some software should be purchased and installed to remove it. Thankfully my sister didn't buy into it and always clicked cancel. I'm assuming it would've just taken her to another web page, but buying that software will not make the problem go away. Seriously, it won't.

Never believe anything a pop-up tells you!

Here's the text of that bogus message from Wikipedia:
"NOTICE: If your computer has errors in the registry database or file system, it could cause unpredictable or erratic behavior, freezes and crashes. Fixing these errors can increase your computer's performance and prevent data loss.

Would you like to install SysProtect for free? (Recommended)"
After accumulating the above data and searching on it, I was able to find a relevant forum post on TechGuy.org. This led me through several hoops as a person in my predicament was being helped by an expert to resolve the same issue. His computer had slightly different specific things to be solved, but it amounted to the same thing: finding and killing Vundo to stop getting these gnarly pop-ups.

And here's how I did it:
  1. Download and install HijackThis. It isn't exactly a user-friendly program, so make sure you can comfortably call yourself a power user or go find a friend or family member who is.
  2. Boot Windows into Safe Mode. Vundo runs as a service and running in safe mode loads only the most basic system services. Access safe mode by pressing F8 before Windows starts its loading. You will get a list of various boot options and one is Safe Mode.
  3. Run HijackThis and have it perform a scan.
  4. Delete any service executable that is 8 letters of obvious gibberish and is located in c:\windows\system32. On my sister's computer these were maegayz.exe, vknohco.exe, yaqeyjkx.exe. There were three because I didn't remove them cleanly enough the first time (wasn't in Safe Mode and didn't use HijackThis).
  5. Restart and Pray.
Hopefully that's all you'll need to do. There is a program called VundoFix, but it doesn't work if you're not in Safe Mode (Vundo hides itself quite well) and I think HijackThis is more useful.

6 comments:

Anonymous said...

Hi, this virus is running rampant this month and it is a new strain of vundo that is very potent and corrupts many files. The only program that is currently able to completely remove it is called combofix You can download it through a site called bleepingcomputer.

After running combofix, if any important system files are quarantined you can reinstall them by taking the log file after combofix is done, renaming it log.txt, and dropping it into the rev icon on your desktop. This whole issue and these fixes are discussed on the avast antivirus forums.

austral alien said...

Yes I too have the same problem as your sister. It started happening after I had downloaded some MP3 files from Limewire.
The pop-up that appears at the bottom right hand corner is Malware. Just Google Advanced Cleaner and you'll see what I mean. Also known as Drive Cleaner as well.

Neil C. Obremski said...

Wouldn't you know it, but nearly a year later and I got Vundo on my desktop. I launched Internet Explorer simply to test a website and I believe some malicious AD code installed it on my system. Using my own blog entry (this one) I removed it with HijackThis and in doing so I found that the URL to that in my post is no longer valid (fixing now).

The culprit this time?

O4 - HKLM\..\Run: [acfa1503] rundll32.exe "C:\WINDOWS\system32\wroovkbn.dll",b

In case it helps, it was launching THIS website:

http://www.premiercardoffers.com/?Mkt=674&SubMkt=1341&PID=1&BID=0&SourceID=YOUR_SOURCEID&jump=ap1

Neil C. Obremski said...

Dang I just spent nearly an hour actually getting rid of frickin' Vundo. It's insanely simple once you know what to do, but the problem is a lot of sources give you bad information. Here's the low-down:

1.) View C:\WINDOWS\System32 in Explorer sorted by "Created Date" to find the Vundo DLLs, which should be very recent assuming you caught this early enough. Its DLL names are always an 8 character assortment of upper and lower-case letters.

2.) Write down the names of said files.

3.) Boot off your Windows XP CD. To do this put it in your drive, restart, and pay attention ... your computer should say something like "Press any key to boot from CD-ROM".

4.) After waiting 4-EVA for the CD to "start Windows", select the "Recovery Console" option. You'll need to type in your Administrator password so I hope you have it handy.

5.) Type "CD \WINDOWS\System32" (without the quotes) and then for each file you wrote down type "DEL blahblah.dll" (where blahblah is the file name).

6.) Type "EXIT" to restart your computer and this time don't boot from the CD.

7.) Once back in Windows, you should be able to clean out the registry entries left behind without them constantly re-appearing. Basically just run "REGEDIT" and do a search for those file names in the registry, deleting any place they show up. If you have some sort of utility to check for "Windows Errors" then it will do this for you.

--

The problem I was having is that since Vundo hooks into WinLogon, NONE of the solutions I found worked 100%. Sure they'd stop the BHO or pop-ups, but that main "kernel" of Vundo was still running. The delete-on-reboot utilities ran AFTER WinLogon and therefore would not delete it and I couldn't rename the files even in Safe Mode. Then I realized I was looking at it the wrong way, fighting the criminal from WITHIN their little cave rather than bombing it from outside. Good thing I kept those boot CDs around!
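A small triage helper for the identification steps in this thread: step 4 of the post (random-looking service executables in system32), step 1 of Neil's procedure above (recently created DLLs in System32) and the HijackThis O4 line he quotes in his first comment. This is an added example, not code from the post or its commenters; the allowlist, the 7-8 letter range and the sample directory listing are constructed assumptions.

```python
import re
import ntpath
from datetime import datetime, timedelta

# Naming pattern the post describes: a short run of letters plus .exe/.dll.
# The post says 8 letters, but two of its own examples (maegayz.exe,
# vknohco.exe) are 7, so 7-8 is accepted here.
RANDOM_NAME = re.compile(r"^[A-Za-z]{7,8}\.(?:exe|dll)$")
# Constructed allowlist of real System32 names that fit the pattern; a name
# list is an assumption for the example, real triage checks signatures/hashes.
KNOWN_GOOD = {"winlogon.exe", "svchost.exe", "ntoskrnl.exe", "wininet.dll"}
# HijackThis O4 line as quoted in the comments:
#   O4 - HKLM\..\Run: [acfa1503] rundll32.exe "C:\WINDOWS\system32\wroovkbn.dll",b
O4_LINE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<entry>[^\]]+)\] (?P<cmd>.+)$")
DLL_ARG = re.compile(r'"?([A-Za-z]:\\[^",]+?\.dll)"?', re.IGNORECASE)

def looks_random(filename: str) -> bool:
    """True if the basename fits the Vundo-style pattern and is not allowlisted."""
    name = ntpath.basename(filename)
    return bool(RANDOM_NAME.match(name)) and name.lower() not in KNOWN_GOOD

def triage(entries, now: datetime, max_age_days: int = 7):
    """Neil's step 1: from (name, created) pairs for System32, return the
    random-looking files created within max_age_days, newest first."""
    cutoff = now - timedelta(days=max_age_days)
    hits = [(n, c) for n, c in entries if looks_random(n) and c >= cutoff]
    return [n for n, _ in sorted(hits, key=lambda e: e[1], reverse=True)]

def parse_hjt_o4(line: str):
    """Parse an O4 autorun line; flag the DLL handed to rundll32 if it looks random."""
    m = O4_LINE.match(line.strip())
    if not m:
        return None
    info = m.groupdict()
    d = DLL_ARG.search(info["cmd"])
    info["dll"] = d.group(1) if d else None
    info["dll_suspicious"] = info["dll"] is not None and looks_random(info["dll"])
    return info

# Constructed sample listing: the page's file names beside legitimate ones.
NOW = datetime(2007, 12, 15)
SAMPLE_DIR = [("winlogon.exe", datetime(2004, 8, 4)),
              ("wininet.dll", datetime(2007, 11, 2)),
              ("yaqeyjkx.exe", datetime(2007, 12, 13)),
              ("maegayz.exe", datetime(2007, 12, 14))]
SAMPLE_O4 = r'O4 - HKLM\..\Run: [acfa1503] rundll32.exe "C:\WINDOWS\system32\wroovkbn.dll",b'
```

The name heuristic only narrows the candidate list; it is the creation date and, for the O4 entry, the fact that rundll32 loads the file at logon that make a name worth checking before anything is deleted.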

Anonymous said...

Neil, your suggestion worked Great!!! Thank you so much!

Anonymous said...

One of my co-workers had this on her computer and none of the programs listed on bleepingcomputer could fix it. The computer blue screened when trying to get into SafeMode, I couldn't get into regedit and I couldn't delete any of the entries in HijackThis. I followed your suggestions and loaded Windows Recovery Console and deleted the bad dll files that way - all fixed now :) I think I owe you a beer!