Need Help With Vundo


This topic is locked. 2 replies to this topic.

#1 Shadow_Dancers (Members, 12 posts)

Posted 04 March 2008 - 01:59 PM

A week ago I was infected with the nasty Vundo Trojan. For a week I've tried to destroy it, using programs such as VundoFix (from Atribune) and VirtuMundoBegone, but to no avail. As of yesterday, I had thought I had destroyed the infection, but it popped up today. Lovely.

Also, I have been infected with other trojans, Metajuan and Awax. I suspect that Vundo is downloading these trojans secretly (that's what Vundo does: download malicious files secretly).

I have run VundoFix and VirtuMundoBegone (in safe mode) twice right now, and the infection isn't gone? I'm kinda starting to lose hope here.

Antivirus: Symantec
Other relevant programs:

- Ad-Aware 2007
- My default browser is Firefox. I thought of scrapping IE altogether.


Other interesting things to know:

Yesterday, when I thought I was finally safe, I know for a fact that RUNDLL encountered an error with a particular file which certainly looked suspicious (truly random file name!). Said file could not be executed because it did not exist. What I assume is that there is still something in my startup that is related to the malware. How do I correct this? With "msconfig", and how?

Here are my VundoFix and VirtuMundoBegone log files. These aren't HJT logs!

VundoFix:

VundoFix V6.7.10

Checking Java version...

Sun Java not detected
Scan started at 12:59:55 PM 3/4/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.7.10

Checking Java version...

Sun Java not detected
Scan started at 1:18:05 PM 3/4/2008

Listing files found while scanning....

awvtr.dll
dcowqhog.dll
iuxoptkl.dll

Beginning removal...

Performing Repairs to the registry.
Done!

I heard that Vundo works through a flaw in Java so I uninstalled everything concerning Java.


VirtuMundoBegone:

[03/04/2008, 13:41:06] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\SCHUTID\Bureau\VirtumundoBeGone.exe" )
[03/04/2008, 13:41:09] - Detected System Information:
[03/04/2008, 13:41:09] - Windows Version: 5.1.2600, Service Pack 2
[03/04/2008, 13:41:09] - Current Username: SCHUTID (Admin)
[03/04/2008, 13:41:09] - Windows is in SAFE mode.
[03/04/2008, 13:41:09] - Searching for Browser Helper Objects:
[03/04/2008, 13:41:09] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/04/2008, 13:41:09] - BHO 2: {0C15E1DF-9F71-4BA9-8E31-EBDC6BE60297} ()
[03/04/2008, 13:41:09] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/04/2008, 13:41:09] - Checking for HKLM\...\Winlogon\Notify\pmnnk
[03/04/2008, 13:41:09] - Key not found: HKLM\...\Winlogon\Notify\pmnnk, continuing.
[03/04/2008, 13:41:09] - BHO 3: {3A2FF3C5-EDFF-46CE-BBA0-7A68B2499DBA} ()
[03/04/2008, 13:41:09] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/04/2008, 13:41:09] - Checking for HKLM\...\Winlogon\Notify\rqroomm
[03/04/2008, 13:41:09] - Found: HKLM\...\Winlogon\Notify\rqroomm - This is probably Virtumundo.
[03/04/2008, 13:41:09] - Assigning {3A2FF3C5-EDFF-46CE-BBA0-7A68B2499DBA} MSEvents Object
[03/04/2008, 13:41:09] - BHO list has been changed! Starting over...
[03/04/2008, 13:41:09] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/04/2008, 13:41:09] - BHO 2: {0C15E1DF-9F71-4BA9-8E31-EBDC6BE60297} ()
[03/04/2008, 13:41:09] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/04/2008, 13:41:09] - Checking for HKLM\...\Winlogon\Notify\pmnnk
[03/04/2008, 13:41:09] - Key not found: HKLM\...\Winlogon\Notify\pmnnk, continuing.
[03/04/2008, 13:41:09] - BHO 3: {3A2FF3C5-EDFF-46CE-BBA0-7A68B2499DBA} (MSEvents Object)
[03/04/2008, 13:41:09] - ALERT: Found MSEvents Object!
[03/04/2008, 13:41:09] - BHO 4: {3ABDB789-EBA5-4C35-AC3C-C1C8E5D5BE92} ()
[03/04/2008, 13:41:09] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/04/2008, 13:41:09] - Checking for HKLM\...\Winlogon\Notify\poryb89104
[03/04/2008, 13:41:09] - Key not found: HKLM\...\Winlogon\Notify\poryb89104, continuing.
[03/04/2008, 13:41:09] - BHO 5: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[03/04/2008, 13:41:09] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/04/2008, 13:41:09] - No filename found. Continuing.
[03/04/2008, 13:41:09] - BHO 6: {F6DDD677-149C-42FE-AB2F-4699B7DB1949} ()
[03/04/2008, 13:41:09] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/04/2008, 13:41:09] - Checking for HKLM\...\Winlogon\Notify\poryb89104
[03/04/2008, 13:41:09] - Key not found: HKLM\...\Winlogon\Notify\poryb89104, continuing.
[03/04/2008, 13:41:09] - BHO 7: {fedd7678-b3d7-4d64-97b4-dda16b7a1ed1} ()
[03/04/2008, 13:41:09] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/04/2008, 13:41:09] - Checking for HKLM\...\Winlogon\Notify\cqieuaqg
[03/04/2008, 13:41:09] - Key not found: HKLM\...\Winlogon\Notify\cqieuaqg, continuing.
[03/04/2008, 13:41:09] - Finished Searching Browser Helper Objects
[03/04/2008, 13:41:09] - *** Detected MSEvents Object
[03/04/2008, 13:41:09] - Trying to remove MSEvents Object...
[03/04/2008, 13:41:10] - Terminating Process: IEXPLORE.EXE
[03/04/2008, 13:41:11] - Terminating Process: RUNDLL32.EXE
[03/04/2008, 13:41:11] - Disabling Automatic Shell Restart
[03/04/2008, 13:41:11] - Terminating Process: EXPLORER.EXE
[03/04/2008, 13:41:11] - Suspending the NT Session Manager System Service
[03/04/2008, 13:41:11] - Terminating Windows NT Logon/Logoff Manager
[03/04/2008, 13:41:12] - Re-enabling Automatic Shell Restart
[03/04/2008, 13:41:12] - File to disable: C:\WINDOWS\system32\rqroomm.dll
[03/04/2008, 13:41:12] - Renaming C:\WINDOWS\system32\rqroomm.dll -> C:\WINDOWS\system32\rqroomm.dll.vir
[03/04/2008, 13:41:12] - ! File rename was unsucessful.
[03/04/2008, 13:41:12] - Attempting to Deny Access to C:\WINDOWS\system32\rqroomm.dll
[03/04/2008, 13:41:12] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[03/04/2008, 13:41:12] - ERROR: No mapping between account names and security IDs was done.

[03/04/2008, 13:41:12] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[03/04/2008, 13:41:12] - Removing HKLM\...\Browser Helper Objects\{3A2FF3C5-EDFF-46CE-BBA0-7A68B2499DBA}
[03/04/2008, 13:41:12] - Removing HKCR\CLSID\{3A2FF3C5-EDFF-46CE-BBA0-7A68B2499DBA}
[03/04/2008, 13:41:12] - Adding Kill Bit for ActiveX for GUID: {3A2FF3C5-EDFF-46CE-BBA0-7A68B2499DBA}
[03/04/2008, 13:41:12] - Deleting ATLEvents/MSEvents Registry entries
[03/04/2008, 13:41:12] - Removing HKLM\...\Winlogon\Notify\rqroomm
[03/04/2008, 13:41:12] - Searching for Browser Helper Objects:
[03/04/2008, 13:41:12] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/04/2008, 13:41:12] - BHO 2: {0C15E1DF-9F71-4BA9-8E31-EBDC6BE60297} ()
[03/04/2008, 13:41:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/04/2008, 13:41:12] - Checking for HKLM\...\Winlogon\Notify\pmnnk
[03/04/2008, 13:41:12] - Key not found: HKLM\...\Winlogon\Notify\pmnnk, continuing.
[03/04/2008, 13:41:12] - BHO 3: {3A2FF3C5-EDFF-46CE-BBA0-7A68B2499DBA} ()
[03/04/2008, 13:41:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/04/2008, 13:41:12] - No filename found. Continuing.
[03/04/2008, 13:41:12] - BHO 4: {3ABDB789-EBA5-4C35-AC3C-C1C8E5D5BE92} ()
[03/04/2008, 13:41:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/04/2008, 13:41:12] - Checking for HKLM\...\Winlogon\Notify\poryb89104
[03/04/2008, 13:41:12] - Key not found: HKLM\...\Winlogon\Notify\poryb89104, continuing.
[03/04/2008, 13:41:12] - BHO 5: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[03/04/2008, 13:41:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/04/2008, 13:41:12] - No filename found. Continuing.
[03/04/2008, 13:41:12] - BHO 6: {F6DDD677-149C-42FE-AB2F-4699B7DB1949} ()
[03/04/2008, 13:41:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/04/2008, 13:41:12] - Checking for HKLM\...\Winlogon\Notify\poryb89104
[03/04/2008, 13:41:12] - Key not found: HKLM\...\Winlogon\Notify\poryb89104, continuing.
[03/04/2008, 13:41:12] - BHO 7: {fedd7678-b3d7-4d64-97b4-dda16b7a1ed1} ()
[03/04/2008, 13:41:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/04/2008, 13:41:12] - Checking for HKLM\...\Winlogon\Notify\cqieuaqg
[03/04/2008, 13:41:12] - Key not found: HKLM\...\Winlogon\Notify\cqieuaqg, continuing.
[03/04/2008, 13:41:12] - Finished Searching Browser Helper Objects
[03/04/2008, 13:41:12] - Finishing up...
[03/04/2008, 13:41:12] - A restart is needed.
[03/04/2008, 13:41:14] - Attempting to Restart via STOP error (Blue Screen!)
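An added example, not part of the original post and not code from the VirtumundoBeGone tool: a small Python parser that applies the same test the tool's log shows above (a BHO with no default name whose DLL base name also exists as a HKLM\...\Winlogon\Notify subkey is "probably Virtumundo") to log lines in the posted format, and separately lists any file the tool disabled but could not rename, since the log says those must be deleted by hand. The sample log is a constructed excerpt modelled on the one above; the class and function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt in the layout of the VirtumundoBeGone log posted above;
# only the lines this parser acts on are kept.
SAMPLE_LOG = r"""
[03/04/2008, 13:41:09] - Searching for Browser Helper Objects:
[03/04/2008, 13:41:09] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/04/2008, 13:41:09] - BHO 2: {0C15E1DF-9F71-4BA9-8E31-EBDC6BE60297} ()
[03/04/2008, 13:41:09] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/04/2008, 13:41:09] - Checking for HKLM\...\Winlogon\Notify\pmnnk
[03/04/2008, 13:41:09] - Key not found: HKLM\...\Winlogon\Notify\pmnnk, continuing.
[03/04/2008, 13:41:09] - BHO 3: {3A2FF3C5-EDFF-46CE-BBA0-7A68B2499DBA} ()
[03/04/2008, 13:41:09] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/04/2008, 13:41:09] - Checking for HKLM\...\Winlogon\Notify\rqroomm
[03/04/2008, 13:41:09] - Found: HKLM\...\Winlogon\Notify\rqroomm - This is probably Virtumundo.
[03/04/2008, 13:41:09] - BHO list has been changed! Starting over...
[03/04/2008, 13:41:09] - BHO 3: {3A2FF3C5-EDFF-46CE-BBA0-7A68B2499DBA} (MSEvents Object)
[03/04/2008, 13:41:12] - File to disable: C:\WINDOWS\system32\rqroomm.dll
[03/04/2008, 13:41:12] - Renaming C:\WINDOWS\system32\rqroomm.dll -> C:\WINDOWS\system32\rqroomm.dll.vir
[03/04/2008, 13:41:12] - ! File rename was unsucessful.
[03/04/2008, 13:41:12] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[03/04/2008, 13:41:12] - Removing HKLM\...\Winlogon\Notify\rqroomm
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<msg>.*)$")
BHO_RE = re.compile(r"^BHO \d+: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\)$")
NOTIFY_CHECK_RE = re.compile(r"^Checking for HKLM\\\.\.\.\\Winlogon\\Notify\\(?P<key>\S+)$")
NOTIFY_FOUND_RE = re.compile(r"^Found: HKLM\\\.\.\.\\Winlogon\\Notify\\(?P<key>\S+) - ")
DISABLE_RE = re.compile(r"^File to disable: (?P<path>.+)$")


@dataclass
class Bho:
    clsid: str
    name: str = ""                     # last non-empty default name seen
    unnamed: bool = False              # had no default name in at least one pass
    notify_key: Optional[str] = None   # Winlogon\Notify subkey the tool looked for
    notify_found: bool = False


@dataclass
class LeftoverFile:
    path: str
    rename_failed: bool = False
    manual_delete: bool = False


@dataclass
class Report:
    bhos: Dict[str, Bho] = field(default_factory=dict)      # keyed by CLSID
    files: List[LeftoverFile] = field(default_factory=list)


def parse_log(text: str) -> Report:
    """Walk the log once; BHOs are merged by CLSID across the tool's re-scans."""
    report = Report()
    current: Optional[Bho] = None
    last_file: Optional[LeftoverFile] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        b = BHO_RE.match(msg)
        if b:
            clsid = b.group("clsid").upper()
            current = report.bhos.setdefault(clsid, Bho(clsid))
            if b.group("name"):
                current.name = b.group("name")
            else:
                current.unnamed = True
            continue
        c = NOTIFY_CHECK_RE.match(msg)
        if c and current:
            current.notify_key = c.group("key")
            continue
        f = NOTIFY_FOUND_RE.match(msg)
        if f and current:
            current.notify_key = f.group("key")
            current.notify_found = True
            continue
        d = DISABLE_RE.match(msg)
        if d:
            last_file = LeftoverFile(d.group("path"))
            report.files.append(last_file)
        elif "File rename was unsu" in msg and last_file:   # tool's own spelling
            last_file.rename_failed = True
        elif "will need to be deleted by the user" in msg and last_file:
            last_file.manual_delete = True
    return report


def suspicious_bhos(report: Report) -> List[Bho]:
    """Unnamed BHO whose DLL name is also a Winlogon\\Notify subkey: the tool's Virtumundo test."""
    return [b for b in report.bhos.values() if b.unnamed and b.notify_found]


def files_needing_manual_delete(report: Report) -> List[str]:
    return [f.path for f in report.files if f.manual_delete]


def summarize(report: Report) -> List[str]:
    lines = []
    for b in suspicious_bhos(report):
        lines.append(f"suspicious BHO {b.clsid}: no default name, Winlogon\\Notify\\{b.notify_key} present")
    for p in files_needing_manual_delete(report):
        lines.append(f"disabled but still on disk, delete manually: {p}")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_log(SAMPLE_LOG)):
        print(line)
```

On the posted log this flags {3A2FF3C5-EDFF-46CE-BBA0-7A68B2499DBA} and C:\WINDOWS\system32\rqroomm.dll. The rename failed because a Winlogon Notify DLL is loaded into winlogon.exe, which is why the tool had to terminate the logon manager and then force a restart; the file itself is what still has to be removed. The other unnamed BHOs (pmnnk, poryb89104, cqieuaqg) had no matching Notify key, so this test cannot classify them, which is the gap a HijackThis log is meant to close.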

#2 quietman7 (Bleepin' Janitor, Global Moderator, 50,606 posts, Virginia, USA)

Posted 04 March 2008 - 02:39 PM

Some variants of vundo may not be detected by Vundofix, so the "Add more files" or "Drag & Drop" options are other ways of ridding your system of this malware. These files need to be identified, and posting a hijackthis log will enable an expert to advise you which files to add if you continue to have problems. If the infection remains after using VundoFix, then you should post a hijackthis log.

Please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install HJT in the proper location.)

Important: Some variants of vundo malware will hide certain entries in a hijackthis log to prevent detection so you need to rename HijackThis before using it.
  • After installing HijackThis, open My Computer or Windows Explorer and navigate to the HijackThis Folder.
  • Inside the folder, right-click on the HijackThis.exe file and rename it Scanner.exe.
  • Double-click on Scanner.exe (which is still HijackThis), run a scan, save the logfile and copy/paste it into a new topic in the HijackThis Logs and Analysis Forum, NOT here, for assistance by the HJT Team Experts.
Give your topic a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 TMacK (Members, 4,672 posts, B.C. Canada)

Posted 05 March 2008 - 11:54 AM

Now that you have an HJT log posted in the HijackThis Logs and Malware Removal forum, you shouldn't make any changes to your system.
Doing so could change the results of the posted log, making it difficult to properly clean your system.

At this point, the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

This topic will now be closed, since you have an open log posted.
If you have any questions, feel free to send me a PM.