Vundo wont die, IT JUST WONT DIE!!!!

[philly12]

I thought i had gotten rid of it.  A few months ago i had a vundo infection and thought i had gotten rid of it.  I even asked from help here to get rid of it and thought i had.  I had done A LOT to insure i had gotten rid of it and will list those below.  My problem now is that i did a full scan with SAS yesterday and it found the following: C:\windows\SYSTEM32\ACBEG.INI2   .  Unfortunately, i had SAS set up to terminate the infection automatically (I now have it set up just to quarantine) so i dont have the file but i wrote down what it was.    I just don't know what to do.  I have checked my HJT report and it looks perfectly clean but i have included it just incase u want to check it over (securemaker is not a known program using the HJT log scanner, but i know it is safe).  Is there any program that could show a better analysis than HJT to determine if there is something else i can do?

To combat this beast i have done the following: scans with avast!, scans with SAS, scans with A-squared and A-sqaured antidialer, ran latest vundofix, ran latest combofix, ran latest virtumundobegone, scans with spywareterminator, scans with avg antispyware, scans with adaware, scans with bazooka, scans with spy sweeper, checked for rootkits with icesword and gmer avg antirootkit, scans with spyware doctor starter edition, scans with norton security scan, scans with spybot, and i have spyware blaster fully updated.

So you can see that i have used my ENTIRE arsenal (yes i have used every program that i listed) on this beast and ITS STILL COMING.  WHAT ELSE CAN I DO TO KILL THIS THING???

[polonus]

Hi philly12,

Haven't you seen these thrillers where even if there is one microbe left of it, the monster is capable of rebuilding itself, well our vundo has the same abilities. Wait until oldman or essexboy return to the scene, and perform the appropriate cleansing routines again. Did you remove all the old Sun Java versions from your computer, you have to do that manually with Start Configuration Screen etc.

But I will give it a try now and maybe you get the all clean now:

 Open Notepad, copy and paste the following bold txt into an empty window:

      File:: C:\WINDOWS\system32\acbeg.bak1
      C:\WINDOWS\system32\acbeg.bak2
      C:\WINDOWS\system32\acbeg.ini2


Save this onto your Desktop as CFScript.txt.

Drag CFScript.txt into ComboFix.exe as shown below in picture:

This will start up ComboFix again.

After restarting your comp, (when it asks you for a restart), copy and paste & attach the contents of Combofix.txt into your next reply,

pol

[philly12]

okay the combofix log is attached.  Let me know if i didn't do something correct. 

I think java may be the problem because i have multiple versions.  Let me know which ones i should get rid of or keep:

1. Java (TM) 6 Update 3

2. Java 2 Runtime Environment, SE v1.4.2_03

3. J2SE Runtime Environment 5.0 update 3

(hmm..the 1.4.2_03 version sounds really old but maybe i'm wrong)

[rdmaloyjr]

Java Runtime Environment 1.6.0.4 is the newest version.  Download Java Runtime Environment 1.6.0.4 & save to your desktop.  Then uninstall all other versions before installing Java Runtime Environment 1.6.0.4.

[oldman]

Hi philly12 , just to add to rdmaloyjr's suggestion for the java, follow these steps.

Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to "Java Runtime Environment (JRE) 6 Update 4...allows end-users to run Java applications".

Click the download button on the right.

 > If Information Bar pop-ups up, right-click on it and say it's OK to display the blocked content.

 You do not have to install the Java Web Start ActiveX Control


Accept the license agreement > Click on Windows (XP,Vista, .etc) Offline Installation, Multi-language and Save the file jre-6u4-windows-i586-p.exe to your desktop; do not Run it.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure  and reboot if not prompted to do so.



I'll have a peek at your log.

 

[oldman]

Don't really see anything in there. You still having problems?

[philly12]

okay i got rid of the old versions and updated java.  No, i'm not having problems and i havent for a long time.  I'm just trying to totally kill the vundo beast and get rid of any sign of infection.  It made me want to cry when i saw that file get detected by SAS after thinking i had gotten rid of it for good.

[rdmaloyjr]

Have you run a scan with SAS since you followed Polonus' suggestion?

But I will give it a try now and maybe you get the all clean now:

 Open Notepad, copy and paste the following bold txt into an empty window:

      File:: C:\WINDOWS\system32\acbeg.bak1
      C:\WINDOWS\system32\acbeg.bak2
      C:\WINDOWS\system32\acbeg.ini2


Save this onto your Desktop as CFScript.txt.

Drag CFScript.txt into ComboFix.exe as shown below in picture:

This will start up ComboFix again.

After restarting your comp, (when it asks you for a restart), copy and paste & attach the contents of Combofix.txt into your next reply,

pol

[essexboy]

A .ini file without the main run file is generally neutered, it may just be a remnant from your last infection.  I could see nothing worthy of note in your logs   

[philly12]

Have you run a scan with SAS since you followed Polonus' suggestion?

I just ran a full scan and it came up clean.  I'll still scan with all the others in the next few days.  Hopefully the vundo beast is finally dead (may it burn in hell).  Thanks for the help guys.