Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Trojan.Vundo


  • This topic is locked This topic is locked
2 replies to this topic

#1 anthony.mlist

anthony.mlist

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:30 AM

Posted 30 December 2008 - 07:11 AM

Hi .. need your help. My computer was recently infected with Virtumonde, Vundo Trojan, and several other malwares. Symantec AntiVirus (version 10) combined with Avast was able to remove a bunch of the trojans. I did install Spybot Search and Destroy, Malwarebytes, SuperAntiSpywares to remove those malwares. So far i think Malwarebytes did the best in removing most of the files. The only problem i have now is that a registry key detected as Trojan.Vundo can't be removed even after rebooting multiple times (both in normal and safe mode with networking). I even tried ComboFix as well. No luck. I'm now running out of ideas on how to fix this. Please help.

Log from Malwarebytes
[codebox]
Malwarebytes' Anti-Malware 1.31
Database version: 1567
Windows 5.1.2600 Service Pack 2

2008-12-30 03:36:33
mbam-log-2008-12-30 (03-36-33).txt

Scan type: Full Scan (C:\|)
Objects scanned: 139564
Time elapsed: 30 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
[/codebox]

DDS Report. I've removed the valid URL due to security reasons and replaced them with ##replaced## text.

DDS (Version 1.1.0) - NTFSx86
Run by awong1 at 4:39:32.71 on 2008-12-30
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.491 [GMT -7:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Cisco\Cisco Secure Services Client\Cisco_SSCservice.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Cisco\Cisco Secure Services Client\Cisco_SSCgui.exe
C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SafeBoot\SbClientManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\awong1\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = ##removed##
mStart Page = ##removed##
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = ##removed##
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [naldesk] naldesk
mRun: [CiscoCSSCgui] "c:\program files\cisco\cisco secure services client\Cisco_SSCgui.exe"
mRun: [SafeBootTrayManager] "c:\program files\safeboot tray manager\SbTrayManager.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-system: disablecad = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: { - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: ##removed##
Trusted Zone: ##removed##
Trusted Zone: ##removed##
Trusted Zone: ##removed##
Trusted Zone: ##removed##
Trusted Zone: ##removed##
Trusted Zone: ##removed##
Trusted Zone: ##removed##
Trusted Zone: ##removed##
Trusted Zone: ##removed##
Trusted Zone: ##removed##
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: csscsso - csscsso.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: yxhyjo.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = SbNp5 scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\awong1\applic~1\mozilla\firefox\profiles\zo5vm4rd.default\

============= SERVICES / DRIVERS ===============

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2008-2-22 102688]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\SBAlg.sys [2007-7-16 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2008-2-22 12928]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2008-2-22 5840]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-12-4 55024]
R1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [2008-2-22 34192]
R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [2008-2-22 14960]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2007-5-29 169576]
R2 Cisco Secure Services Client;Cisco Secure Services Client;"c:\program files\cisco\cisco secure services client\Cisco_SSCservice.exe" [2008-1-16 1904640]
R2 SafeBootClientManager;SafeBoot Client Manager;c:\program files\safeboot\SbClientManager.exe [2008-2-22 356352]
R2 SavRoam;SAVRoam;"c:\program files\symantec antivirus\SavRoam.exe" [2007-6-6 116928]
R3 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2007-5-29 192104]
R3 CiscoSSD;Cisco Secure Services Miniport Driver;c:\windows\system32\drivers\css_drv.sys [2008-9-3 39168]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2008-9-2 9817]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-3 99376]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081210.009\naveng.sys [2008-12-11 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081210.009\navex15.sys [2008-12-11 876112]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2007-10-17 92550]
R3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2008-9-2 137392]
S3 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\Rtvscan.exe" [2007-6-6 1821376]

=============== Created Last 30 ================

2008-12-30 00:41 <DIR> --d----- c:\program files\ToniArts
2008-12-30 00:37 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-29 02:29 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2008-12-28 18:18 <DIR> a-dshr-- C:\cmdcons
2008-12-28 18:16 161,792 a------- c:\windows\SWREG.exe
2008-12-28 18:16 98,816 a------- c:\windows\sed.exe
2008-12-28 18:10 <DIR> --d----- c:\program files\Trend Micro
2008-12-27 04:42 <DIR> --d----- c:\docume~1\awong1\applic~1\Malwarebytes
2008-12-27 04:42 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-27 04:42 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-27 04:42 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-27 04:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-27 02:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-27 02:55 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-27 02:55 <DIR> --d----- c:\docume~1\awong1\applic~1\SUPERAntiSpyware.com
2008-12-27 01:24 91 a------- c:\windows\wininit.ini
2008-12-26 23:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-26 22:12 <DIR> --d----- c:\documents and settings\awong1\.housecall6.6
2008-12-26 20:21 <DIR> --d----- c:\program files\Lavasoft
2008-12-26 20:19 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-22 03:34 <DIR> --d----- c:\docume~1\awong1\applic~1\ActiveState
2008-12-22 03:33 <DIR> --d----- c:\program files\ActiveState Komodo Edit 5
2008-12-22 03:31 <DIR> --d----- C:\Python26
2008-12-20 15:35 <DIR> --d----- c:\docume~1\awong1\applic~1\Songbird2
2008-12-20 15:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SongbirdVLC
2008-12-20 15:35 <DIR> --d----- c:\program files\Songbird
2008-12-11 20:33 <DIR> --d----- c:\windows\system32\appmgmt
2008-12-11 14:13 0 a------- c:\windows\vpc32.INI
2008-12-10 02:28 <DIR> --d----- C:\database
2008-12-10 01:22 131 a------- c:\windows\ScreenHunter.INI
2008-12-08 18:40 21,504 ac------ c:\windows\system32\dllcache\hidserv.dll
2008-12-08 18:40 21,504 a------- c:\windows\system32\hidserv.dll
2008-12-07 02:52 72,192 a------- c:\windows\unlite3.exe
2008-12-07 02:52 <DIR> --d----- c:\program files\Bradbury
2008-12-05 14:02 <DIR> --d----- c:\documents and settings\awong1\workspace
2008-12-04 16:52 2,131,968 a------- c:\windows\system32\python26.dll

==================== Find3M ====================


============= FINISH: 4:39:45.41 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 anthony.mlist

anthony.mlist
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:30 AM

Posted 31 December 2008 - 05:15 PM

I've managed to remove the pesky registry entry by using CounterSpy trial copy. Several tests with SuperAntiSpyware and Malwarebytes showed that it's now clean. CounterSpy managed to do what the rests couldn't. Two thumbs up to them. I'm going to monitor the situation for the next couple of weeks to see if anything else should crop up.

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:05:30 AM

Posted 08 January 2009 - 01:28 PM

Thanks for telling us what you have done.

Should you find other problems please start a new topic.

This thread is closed.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users