Topic: nigavimi?

smokester
nigavimi?
« on: April 20, 2009, 04:58:20 AM »
Anyone had problems with the Vundo virus/trojan?  I have just dug out hundreds of offending files from someone's computer and had to use killbox for some stubborn ones (regsvr32 couldn't get rid).  There is nothing left but I cannot get rid of one registry key for the nigavimi.dll and I cannot remove it from the startup using Msconfig (it keeps coming back).  Anyone know how to edit this out manually from the startup, as the error linking it to the now non-existent module is the last thing I have to clear before this comp is good to go.

Thanks
Don't put off until tomorrow, what you can put off until the day after.

There is an exception to every rule, apart from this one.

smokester
Re: nigavimi?
« Reply #1 on: April 20, 2009, 07:58:47 AM »
Safe Mode, Hijack This; fix, modify registry. Maybe.

I have always found, without exception, that the only fully effective cure for Vundo is format.

Yep, I have tried all three options.  I have got rid of the file, but something is forcing the link to it to remain established.  There are a couple of files that I cannot be sure are malicious or safe - one is called mudubuye.dll and the other is yapi... something or other.  I cannot delete these two and if they are connected, they are probably the cause of the remaining errors.  This is really bugging me though, as I will accept that there are virii and whatnot that I cannot overcome, but not knowing what bits are defeating me is a bummer.

BTW, I noticed in my search for a solution that mac users also seemed to get hit by something like this?

dweez
Re: nigavimi?
« Reply #2 on: April 20, 2009, 08:32:06 AM »
Yeah, my experience with Vundo is that a format is required.
--dweez

smokester
Re: nigavimi?
« Reply #3 on: April 20, 2009, 02:12:14 PM »
Not as far as I know.

There was a root-kit crisis a couple of years ago, where someone's (Sony's?) DRMed disks were unreadable on a mac, and corrupted irrecoverably the mac in the attempt - but they got class-actioned to poo and back because what they were doing made the disk not technically a "Compact Disk" any more. Other than that, I am unaware of any such thing. Certainly there is none extant in the wild at the moment.

I actually only noticed in some of the search returns that the urls were from mac forums.  As I didn't check those links, it probably means that the member used macs and pcs and had asked about this on the off chance.

I have installed a second drive and have put a system on it. I will copy their files across and then kill the other drive, but I was inches away from getting it all out (there were around 400 associated files) and it pains me to surrender to it!

smokester
Re: nigavimi?
« Reply #4 on: April 21, 2009, 05:45:31 AM »
I have got all the offending files out but the registry still contains poo that I cannot trace.  I found this page that is chock-a-block with info on the files, and guess what, it is one page out of 110 on this one virus!!!


smokester
Re: nigavimi?
« Reply #5 on: April 21, 2009, 04:18:43 PM »
Bit of an update on this that might help others in the future.

There were 4 or 5 registry entries in various different places that could not be got rid of; every time you deleted a key it came back almost immediately, even when in safe mode or using HJT.  The three buggers in the system32 folder were: nigavimi.dll, yapiniti.dll and one that I wasn't sure about called "mudubuye.dll" that I mentioned earlier.

regsvr32 did help, but using killbox I managed to get nigavimi out, and yapiniti after a couple of tries (incidentally, if you google those 2 files you get the reports of what they are and what they are part of), but the suspect mudubuye couldn't be shifted, and even when you did, it crashed the GUI, making me believe that it was a system file and would be replaced on restart naturally (these files had no attributes like date and whatnot, and were hidden).

By chance, after I had installed a new OS on a new drive to back up all the guy's data before format, and was logged into that system, I went to the inactive Windows folder on the other drive and deleted mudubuye.dll, which didn't object to its deletion.  Then, not being able to give it up, I went back to the infected OS and deleted the keys, and guess what, they didn't respawn.

The interesting thing is that mudubuye does not give any returns when googled, and as this virus hit the guy in early march, I find that a bit odd.  As you can see by the link above there are thousands of reported files connected to the Vundo virus, and this machine had about 400 of them which were easy to delete, as were their registry keys.

I am not boasting that it has gone forever and I have evicted all of it, as although I have restarted it a few times and have run a FF and IE to see if the rogue links appear, and the system does stay intact, I have read that Vundo had looked out for some people in the past, only to return unannounced. 

I wonder when or if someone googles "mudubuye" in the future, will this thread come up in the returns?

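As an added example (not from the thread, and not one of the tools it mentions), a PowerShell audit that does by script what the posts above do by hand: list the autostart registry entries that still point at a module which no longer exists on disk, then the hidden DLLs in System32. The key paths are the standard Windows ones, and the command-line sample in the comment is constructed.

```powershell
# Added example, not from the thread. Audits the common Run/RunOnce and AppInit_DLLs
# autostart locations and reports each referenced module that is no longer on disk,
# i.e. the "startup entry linking to a now non-existent module" symptom described above.
# Assumes an elevated Windows PowerShell 5.1 session; key paths are the standard ones.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'   # holds AppInit_DLLs
)
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
function Get-ReferencedModules {
    param([string]$CommandLine)
    # Extract every rooted path or bare file name ending in .dll/.exe from a value
    # such as (constructed):  rundll32.exe "C:\WINDOWS\system32\example.dll",a
    $pattern = '[A-Za-z]:\\[^",;]+?\.(?:dll|exe)|(?<![\\\w.-])[\w.-]+\.(?:dll|exe)'
    [regex]::Matches($CommandLine, $pattern, 'IgnoreCase') | ForEach-Object { $_.Value }
}
function Resolve-ModulePath {
    param([string]$Name)
    if ([System.IO.Path]::IsPathRooted($Name)) { return $Name }
    # Bare names are looked up where the loader would look first: System32, then PATH
    $dirs = @("$env:SystemRoot\System32") + ($env:PATH -split ';' | Where-Object { $_ })
    foreach ($dir in $dirs) {
        $candidate = Join-Path $dir $Name
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return Join-Path "$env:SystemRoot\System32" $Name   # report where it was expected
}
function Get-OrphanedAutostarts {
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -in $ProviderProps) { continue }      # skip provider metadata
            foreach ($ref in Get-ReferencedModules ([string]$props.$name)) {
                $full = Resolve-ModulePath $ref
                [pscustomobject]@{ Key = $key; Entry = $name; Module = $full
                                   Present = [bool](Test-Path -LiteralPath $full) }
            }
        }
    }
}
# Dangling entries first, then hidden DLLs in System32 (-Force lists hidden files).
Get-OrphanedAutostarts | Where-Object { -not $_.Present } | Format-Table -AutoSize
Get-ChildItem "$env:SystemRoot\System32\*.dll" -Force |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } | Select-Object Name, LastWriteTime
```

Running it from a clean OS against the infected drive, as the post describes, needs the HKLM hives of that installation loaded with reg.exe first; the script as written reads the live registry.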
smokester
Re: nigavimi?
« Reply #6 on: April 28, 2009, 04:01:59 AM »
A couple of days ago I clicked an addon link for something on the other place and immediately got something similar to this.  It only took me 20 minutes to get it out, but it had spread throughout the registry and looked a bit of a madam to begin with.  These virii are no fun any more and I am striking them from the Christmas card list.

Get a mac?

dweez
Re: nigavimi?
« Reply #7 on: April 28, 2009, 08:27:55 AM »
Or better yet, save you some money by using your current hardware and just run linux?
« Last Edit: April 28, 2009, 08:32:19 AM by dweez »

smokester
Re: nigavimi?
« Reply #8 on: April 28, 2009, 09:38:54 AM »
Or better yet, save you some money by using your current hardware and just run linux?

That thing I caught the other day is the first virus I have had in 4 years, and I do not run any anti-whatnot software at all and only rely on windows firewall for some basic security.  I regularly inspect my registry and system folders to make sure I am not living with an unknown parasite, but have never had to delete or fix anything.  I will probably run linux on one of my comps eventually, but this laptop is purely for the net and has no important software installed, and I am happy with its record to date.

dweez
Re: nigavimi?
« Reply #9 on: April 28, 2009, 09:42:45 AM »
I was more pushing christ's buttons than yours.  :D

ztx651
Re: nigavimi?
« Reply #10 on: April 28, 2009, 10:09:24 AM »

smokester
Re: nigavimi?
« Reply #11 on: April 28, 2009, 05:04:02 PM »
Nothing to do with me, guv.

Are you sure? ^