Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: lenny24 on December 31, 2007, 11:23:40 PM
-
*Again this program worked for me but I take no responsibility if you think it messes up your system. All I know is I downloaded it, it deleted all the Virtumonde / vundo files that vundofix could detect but not delete, as well as additional corrupted Avast, Adobe acrobat, and other files that no other program could detect, remove, or fix. After last Windows boot avast no longer asks for restart, all virus files are gone, and reboot speed is back to normal. Also remember to update your sun java after Virtumonde / vundo infected files are removed. Full info below.
Alright major and GOOD update, I may start a separate thread on this so it gets attention:
I found this thread: http://www.dslreports.com/forum/r19208560-Vundo-Vundo-Removal
The person seemed to have the same problem, could detect but not delete with vundofix. I downloaded combofix mentioned in the middle of the thread and it seems to have kicked Vundo / Virtumonde's @$$ into next Tuesday! Cool
There are no longer any Vundo files on my system, at least right now, even after reboot.
Combofix also deleted a bunch of other stuff, including some stuff in the avast and Adobe acrobat (another user mentioned) folder, as well as a n=bunch of quicktime stuff.
Avast is still working, I did get the start error during the combofix mid process reboot but not thereafter, and the thing that caused all of this appears to be gone and boot is completely back to normal. Here is a log of what combofix deleted:
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\WINDOWS\setup.exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\opnopqr.dll
C:\WINDOWS\system32\qtutv.ini
C:\WINDOWS\system32\qtutv.ini2
C:\WINDOWS\system32\vtutq.dll
C:\WINDOWS\system32\vtutq.exe
-
Or to be brief ;D
Go to the thread in the above post, download and run combofix, and after the whole combofix process is done (requires a reboot in mid-process ), reboot again and everything will be fine, vundo / virtumonde will be gone, and avast will be back to normal.
Then update your java past 1.5.
Then thank me & guy who made combofix. ;D
Edit: I jus noticed that the essex guy posted about combofix as a reply in another thread, so he can be thanked as well, ;D though this one is definitely easier to find. 8)
-
This is a tutorial for Combofix:
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall.
-
If you get this then you will need to run another tool to replace the infected files - not quite as straight forward as it seems
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask.exe
-
you will need to run another tool to replace the infected files
Which is it exactly?
-
Renv also by sUBs http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe this programme is less than a week old and being refined daily to try and wipeout this particularly nasty version of vundo. It is a manually operated file programme though so you need someone who knows what is what to give instructions
After the search you need to do this
- Copy the entire contents of the Code Box below to Notepad.
- Name the file as Log.txt (Overwrite the existing one)
- Change the Save as Type to All Files
- and Save it on the desktop
Insert List of files here(http://img.photobucket.com/albums/v666/sUBs/RenV.gif)
Refering to the picture above, drag Log.txt into RenV.exe and attach the resulting report to your reply.
-
Thanks, too late though as I no longer have the log file. :-[ If the rev program replaces those deleted files then I'll jus uninstall / reinstall quicktime if I have any issues with it, that would work right? The combofix definitely seems to have completely removed Vundo / Virtumonde as nothing is showing with a new search for it, and everything seems to be perfect right now, even with programs that had items removed with combofix. Haven't tried quicktime yet though.
-
No as long as there is just one infected file on your system it starts all over again. It must be done in one sweep
Download and run the latest combofix and see what it says - delete your current version
-
Alright this is interesting, I ran Combofix again and the system is clean, no bad files were found. It did however create a new folder called qoobox or something on it's second run that made another copy of the original log, so I can run the rev program if I want to, but do I want to since the computer is definitely clean and running perfect already? What does this rev program do again?
second run of combofix also created a quarantine folder. Actually they might have been there from the first run and I didn't notice heh.
-
Alright I ran the rev program with the newer log file and it opened like every frigan program on my computer lol. Anyway says system is clean as well. Didn't use the old log because I didn't want those bad qt files replaced anyway.
Also qoobox was created with first run of combofix to quarantine the infected files. Combofix definitely took care of everything, still don't know what rev program did lol but combofix definitely was the solution the Virtumonde / vundo / avast restart issue.
-
;D Alright I was going through the original log and thankfully for me the program files that were quarantined were not that important. I deleted one of the programs all together, and simply reinstalled quicktime so it wasn't a big issue for me. If however another Vundu infected user uses combofix, it may quarantine something important to them, so make sure afterwards you also have the rev program to disinfect and reinstall any important quarantined files. I was lucky as nothing that important or irreplaceable was deleted.... as I unfortunately deleted the qoobox before I used rev properly. Anyway listen to the other guy too, Combofix is the cure, but you also need to use the rev program to make sure you don't lose any important files after using combofix. ;D
-
You only need the rev programme if you have the newer version of Vundo combofix alone is sufficient for the older types