Yet another recent worm

Ok sir, I ran the Vundofix.exe

It performed a scan of my computer and it found 8 objects. I’m not sure, but I think all of them were .dll extensions. After the scan, I deleted the objects and rebooted the computer. There is just one thing: I didn’t get any logs. If I did, I don’t know where it is.

The computer seems to be working fine. It’s not as slow as it was before and I’m not getting those malware warnings from AVG every 5 seconds… then again, I’d like to make completely sure.

Also, another question:

I just ran the Avast again and there’s a file it was unable to scan. I asked it to move the file to the chest and surprisingly it gave me the ol’ “An error occurred during the process of the result” but then, like 5 seconds afterwards, it gave me the “All results were processed successfully” message… what the hell is up with that?

The file reads: C:/Program Files/Alwil Software/Avast4/DATA/moved/RDB-TuAmor[1].flv.vir

“Tuamor”???
That means “Your love”

What the hell?

The moved directory used to be where avast! put malware found during a boot time scan (although I think it’s now put in the chest).

Probably a malware file detected in a previous boot time scan - inactive in the moved directory but still detectable during a normal scan, when it would be moved to the chest.

If you choose ‘move’, it will go to that folder.
If you choose ‘move to Chest’, it will go to Chest.

What reason was given by avast for not being able to be scanned?

There are many legitimate reasons why a file can’t be scanned, password, in use, there are others (and avast doesn’t know the password or have any way of using it even if it did know it). So the reason is important in deciding any action.

Files that can’t be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned and you should investigate further.

If the file was very large it might have exceeded the maximum file size for the chest (Program Settings, Chest).

“What reason was given by avast for not being able to be scanned?”

I wish I knew but Avast never really gave me a reason for that. It only says it was unable to scan the file.

So how do I view the log from Vundofix?

The file is named vundofix.txt and it is in c:\

It most certainly does, though the window listing files that can’t be scanned is small and the columns too are small, so the text may not be shown fully; you can drag column widths in the same way Windows columns can be expanded. Unfortunately, now that it is gone and you can’t scan the same area again, we will never know for sure what the reason was.

Gentlemen:

The log:

VundoFix V6.4.1

Checking Java version…

Scan started at 01:35:39 p.m. 26/05/2007

Listing files found while scanning…

C:\WINDOWS\system32\iksvakgp.ini
C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\oqtss.bak2
C:\WINDOWS\system32\oqtss.ini
C:\WINDOWS\system32\pgkavski.dll
C:\WINDOWS\system32\qomjheb.dll
C:\WINDOWS\system32\sstqo.dll
C:\WINDOWS\system32\ulcfjmtf.dll

Beginning removal…

Attempting to delete C:\WINDOWS\system32\iksvakgp.ini
C:\WINDOWS\system32\iksvakgp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\oqtss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqtss.bak2
C:\WINDOWS\system32\oqtss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqtss.ini
C:\WINDOWS\system32\oqtss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pgkavski.dll
C:\WINDOWS\system32\pgkavski.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qomjheb.dll
C:\WINDOWS\system32\qomjheb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sstqo.dll
C:\WINDOWS\system32\sstqo.dll Has been deleted!

Performing Repairs to the registry.
Done!

cough, so whaddaya think?
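A cross-check of the VundoFix log posted above, as an added example that is not part of the original thread: it compares the files listed by the scan against the removal attempts and deletion confirmations. The log text is copied from the post (blank lines, header and registry-repair lines omitted); the function name `audit` is hypothetical.

```python
import re
# VundoFix output as posted above (blank, header and footer lines omitted).
LOG = r"""Listing files found while scanning…
C:\WINDOWS\system32\iksvakgp.ini
C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\oqtss.bak2
C:\WINDOWS\system32\oqtss.ini
C:\WINDOWS\system32\pgkavski.dll
C:\WINDOWS\system32\qomjheb.dll
C:\WINDOWS\system32\sstqo.dll
C:\WINDOWS\system32\ulcfjmtf.dll
Beginning removal…
Attempting to delete C:\WINDOWS\system32\iksvakgp.ini
C:\WINDOWS\system32\iksvakgp.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\oqtss.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\oqtss.bak2
C:\WINDOWS\system32\oqtss.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\oqtss.ini
C:\WINDOWS\system32\oqtss.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\pgkavski.dll
C:\WINDOWS\system32\pgkavski.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\qomjheb.dll
C:\WINDOWS\system32\qomjheb.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\sstqo.dll
C:\WINDOWS\system32\sstqo.dll Has been deleted!"""

ATTEMPT = re.compile(r"^Attempting to delete (.+)$")
DELETED = re.compile(r"^(.+) Has been deleted!$")
PATH = re.compile(r"^[A-Za-z]:\\\S")  # a Windows path such as C:\...

def audit(log_text):
    """Return (found, never_attempted, not_confirmed) lists of paths."""
    found, attempted, deleted, listing = [], set(), set(), False
    for line in map(str.strip, log_text.splitlines()):
        if line.startswith(("Listing files found", "Beginning removal")):
            listing = line.startswith("Listing")  # paths count only in the listing
        elif m := ATTEMPT.match(line):
            attempted.add(m[1].lower())
        elif m := DELETED.match(line):
            deleted.add(m[1].lower())
        elif listing and PATH.match(line):
            found.append(line)
    skipped = [p for p in found if p.lower() not in attempted]
    failed = [p for p in found if p.lower() in attempted and p.lower() not in deleted]
    return found, skipped, failed

if __name__ == "__main__":
    print(audit(LOG)[1:])  # listed files lacking an attempt / a confirmation
```

On the log as posted, eight files are listed and seven have a confirmed deletion; `C:\WINDOWS\system32\ulcfjmtf.dll` has no removal attempt recorded.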

A step in the right direction, for sure.

If you haven’t already updated Java please take care of that and remember to uninstall all old versions.

Then scan with the free version of SuperAntiSpyware

http://www.superantispyware.com/

Do a complete scan and quarantine at the end. The log can be found in Preferences>Statistics/Logs. This is necessary to confirm that you are clean - Vundo can download quite a bit of malware so I would like to double check after Vundo’s removal.

How is the computer running?

I assume the Java update is at http://www.java.com/en/download/manual.jsp, right?

Question: What is the exact procedure to delete all previous versions of Java? I thought just by updating it, any other previous version is automatically replaced, or am I wrong?

Yes, that’s the correct site.

After installing the newest version you will need to remove the old versions in Control Panel > Add or Remove Programs. Installing a Java update does not remove the older versions. You will see them listed with version number. Just highlight one at a time and click the Remove button.

I just ran a virus scan with Avast and once again there was this file it was unable to scan (I think it’s the same file from before). Only this time, I stretched the tab to read the reason. Here’s what it reads:

Name of file:
C:/Program Files/Alwil Software/Avast4-DATA-moved-RDB-TuAmor[1].flv.vir

Result:
Unable to scan: The system cannot read from the specified device

This is what the path should be: C:/Program Files/Alwil Software/Avast4/DATA/moved/RDB-TuAmor[1].flv.vir so I’m assuming you just typed it the way you did. The same as the one you mentioned before in a previous post.

You could add the file to the User Files (File, Add) section of the avast chest where it can do no harm and won’t be subject to future scans. Then delete the original from the moved folder.

If it has been in the moved folder for some time, a couple of weeks or more, you could just delete it and be done with it, but the above user files option would be safer.

Have you scanned with SuperAntiSpyware yet? It would be useful to confirm that you are clean.

No, I haven’t. Currently I only have Ad-Aware and AVG Anti-Spyware. I thought that would be more than enough.

In fact, SuperAntiSpyware could detect what others miss. No program is perfect and Ad-Aware is far behind in detection rates nowadays… If I were you, I’d test SuperAntiSpyware.