Jump to content


Archive of Older Fixes

  • This topic is locked This topic is locked
2 replies to this topic

#1 CalamityJane


    Global Board Mom

  • Charter Members
  • 5,268 posts

Posted 19 March 2006 - 12:11 AM

my own topic

How to remove Bube/Beavis using KAV 5.0

Adware T.V. Media Removal Tool (KB 886590)

Stubborn R3 entries In Your Hijackthis Log

READ THIS IF YOU HAD iSearch infection!!

Pinned: Windows Files
CWS trojan replacement files if needed

Pinned: Victims of AURORA/Nail.exe! Start here first!

#2 CalamityJane


    Global Board Mom

  • Charter Members
  • 5,268 posts

Posted 21 March 2006 - 07:32 PM

Vundo/VirtuMonde is an adware program that downloads and displays popup advertisements, often seen as Winfixer. Please see important note at the bottom regarding a vulnerabilty in Sun Java that may have been the source of this infection. It may also hijack the browser to unwanted advertising related sites. If you know that you have the Vundo/Virutumonde trojan and other programs have not been able to remove it, please take the following steps using the free tools below.

VundoFix v. 4 by Atribune

Please download VundoFix.exe from here:

and save it to your desktop
    Double-click VundoFix.exe to run it.
    Checkmark the box "Run Vundo as task"
    You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    When VundoFix re-opens, click the Scan for Vundo button
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files, click YES
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will shutdown your computer, click OK.
    Turn your computer back on.
    Please post the contents of C:\vundofix.txt into a New Topic.
We will also need to see a diagnostic log from the free tool HijackThis
Create a Diagnostic log using HijackThis
    Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. This is to ensure it makes the necessary backups for recovery if needed.
    See here for specific instructions and screen shots to help:
    <a href="http://russelltexas.com/malware/createhjtfolder.htm" target="_blank">http://russelltexas.com/malware/createhjtfolder.htm</a>

    Download HijackThis here
    <a href="http://www.merijn.org/files/hijackthis.zip" target="_blank">http://www.merijn.org/files/hijackthis.zip</a>

    or here
    <a href="http://castlecops.com/downloads-file-328.html" target="_blank">http://castlecops.com/downloads-file-328.html</a>

    Unzip the file to the new folder you made and doubleclick on HijackThis.exe to open the program. On the newusers quickstart page, Choose *Do a system scan and save a log*

    When the scan finishes, you will get a popup to Save the logfile. Please make note of the location you will be saving it to and click *save*. This should save the file and open the log in Notepad. Copy the contents and post the results into your New Topic when you are ready to post for help.

    Most of what it lists will be harmless or even essential, don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.

Note: For older variants prior to Nov. 30 2005, there is a free removal tool offered by Symantec here:

or here:

Follow the removal directions on the download page. Run the tool twice with a reboot inbetween to be sure it got everything.

It is recommended you may need to take additional steps to clean off any remnants by following this FAQ:

Important Note: Possible Vulnerability in Sun Java versions may be responsible for Vundo/Winfixer infections
Check your installed Sun Java versions
We have noticed a large number of Winfixer/ Vundo / Virutmonde Victims have an older version of Sun Java installed in Add/Remove Programs in the Control Panel. Other older or newer versions may also be installed
Please see this topic:

Important Note: Autoupdate of Sun Java does not uninstall previous (vulnerable) versions of the program.
Therefore all users are encouraged to please check in your Control Panel, under Add/Remove programs and uninstall any older versions of Sun Java.

To check your version to see if it is the latest version, Please go to this link to verify your version to get the updates needed:

You'll need to use IE and allow ActiveX for this update. Follow the instructions on that page to verify Your Java software

Or you can get the manual download here:

And in the future, remember to remove older versions of Java when you automatically update to a newer version to avoid exploitation of older versions left on your system.

Update: From the SANS Handler's Diary at the Internet Storm Center posted Handler's Diary January 13th 2006
CERTs warn about java bug being exploited
According to the bulletins you need at least:

* Version 1.3.1_16 or later
* Version 1.4.2_09 or later
* Version (1.)5 update 4 or later {insert My Note: We are now on update 6 in this version)

to be safe.
AND you still need to manually uninstall old verisons of Sun Java after updating!
Vince told it's also necessary to remove the old java environments, not just get the new ones as an attacker can target the old environments when they are still present.

#3 CalamityJane


    Global Board Mom

  • Charter Members
  • 5,268 posts

Posted 26 March 2006 - 12:43 AM

SpywareQuake and SpyFalcon belong to the Smitfraud family of desktop hijackers that pop up over the desktop or gives an alert from the taskbar near the clock and displays a warning message that your computer is infected with spyware and telling you to buy/download/install their program. These warnings are fake and are a goad to have you buy the commercial version of this software. This version is slightly different than the previous variants (SpywareStrike, SpyAxe,etc.) in that the alerts do not look like Windows Security alerts but are rather a square that appears from your taskbar. An example of this alert is below:

Other Smitfraud variants include:
Security IGuard
Virtual Maid
Search Maid

SpywareQuake/SpyFalcon/Smitfraud Removal

The following steps may not clean all of it, but should be a good start and will restore the desktop to default at least so you can proceed with complete removal using various tools.

1. Print out or save to notepad these instructions as we will need to do most steps offline and in SAFE MODE (so you won't have this window open to see the instruction from)

2. (WinXP & Win2k only) Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Note: SmitfraudFix will not run on Win98/ME. Please proceed to step 3 for those operating systems.

A folder named SmitfraudFix will be created on your Desktop.

Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

3a. Windows XP/2K (includes Ewido)
Download, install, and update Ewido AntiMalware (get the free trial version)

a. Install Ewido AntiMalware

b. Launch Ewido, there should be a big yellowE icon on your desktop, double-click it.

c. The program will prompt you to update click the OK button

d. The program will now go to the main screen

e. On the left hand side of the main screen click on Update

f. Click on Start. The update will start and a progress bar will show the updates being installed.

g. Do not scan yet. We'll do that later in SAFE MODE

3b. Alternatively, for Win98, WinME, download, install and update the latest version of Adaware SE
Download Adaware (get the free edition)

Install and update the program.

4. After the updates are installed, exit Ewido or Adaware, depending on which one you will be using for your system.

5. Reboot into Safe Mode

(Windows XP) To start the computer in safe mode

Description of Safe Boot Mode in Windows 2000

How to Start Windows Me in Safe Mode

How to Start a Windows 98-Based Computer in Safe Mode

6. Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

7. Stay in safe mode, start Ewido AntiMalware

a. Click on scanner

b. Click on *complete system scan*

c. Let the program scan the machine.

d. While the scan is in progress you will be prompted to clean the first infected file it finds. Choose Remove, then put a check next to Perform action on all infections in the left corner of the box so you don't have to sit and watch Ewido the whole time.
Checkmark the box: *Create encrypted backup in the quarantine* (recommended)

Click OK.

When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
For Win98/ME users, please scan with Adaware (full system scan) and let it remove any infected files found.

8. Exit the program and reboot back to normal mode.

9. Get a free online AV scan at Panda's ActiveScan
Let it remove any infected files found, and when it finishes save the log at the end to post back here. Y

Panda's Active Scan
(Don't forget to *save report* at the end. We need you to post a copy with your topic reply)

10. Now please scan with HijackThis to produce a log. Post that log in a new topic along with the Ewido log you saved earlier (or the Adaware log) and the Panda report. We will also need the log from Smitrem: The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your new topic. Logs needed in your post are:

rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed

Ewido Scan report

Panda ActiveScan report

Fresh HijackThis log