
Help With Persistent Vundo Trojan Please! Hjt Log Attached.


4 replies to this topic

#1 Tredders


Posted 08 January 2008 - 02:13 PM

Hi all

I'm a newbie to this site and found it through Google, and from reading through previous responses, thought you seemed like a friendly and knowledgeable bunch!

I'm trying to sort out a friend's laptop for them - it's running XP Home, and Norton Security 2005. When I first booted it up, I found a number of trojans, which I removed fairly easily. However, one has got me stumped....

When booting up, Norton pops up a window: -

Object Name C:\windows\system32\gebbcd.dll
Virus Name Trojan.Vundo

Norton is unable to quarantine the file (as it's in use).

Now, I've booted in safe mode and run the Symantec Vundo removal tool, but it reports that the virus isn't present. Same with VundoFix. I also ran a number of recommended spyware tools (TrojanHunter, Spybot, AVG anti-Spyware & ComboFix) and they all come up clean. I'm unable to run a Norton scan in safe mode, as I'm getting a Windows error message ("Symantec Integrator has encountered a problem and needs to end").

I should also add that all of the Windows updates have been applied, and Norton's definitions are up to date.

Any help would be massively appreciated - it's driving me mad!

Thanks in advance.

Mark

HJT Log attached

Edited by Tredders, 08 January 2008 - 02:18 PM.



#2 MoNsTeReNeRgY22


Posted 09 January 2008 - 11:45 PM

Hello and Welcome to Bleeping Computer.

I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.

Please give me some time to analyze your log, and I will post back with instructions ASAP.



#3 MoNsTeReNeRgY22


Posted 11 January 2008 - 09:55 PM

Hello Tredders,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**



#4 Tredders


Posted 12 January 2008 - 10:16 AM

Hi there

I think I've finally just managed to remove the Vundo infection. I re-read some of the posts on this forum, and used ComboFix to delete the file in question on reboot.

I'll monitor the PC for a day to make sure it's all clear, but at the moment it looks good!

Thanks for your time so far.

Mark.

#5 MoNsTeReNeRgY22


Posted 12 January 2008 - 01:24 PM

Hi,

Can you please post the logs though.

