Trojan:win32/vundo.gen!d (with Skype Complications)


8 replies to this topic

#1 Corey_R


Posted 21 April 2008 - 02:08 PM

Hello!
I'm running Windows Vista Ultimate (32 bit)
My issue began a couple of days ago when I ran the MS OneCare standalone scanner (I had Avast, Defender, AdAware and Spybot as my resident spyware protection, all up-to-date) and it found '1 Severe issue found - Trojan/Win32/Vundo.gen!D'
It couldn't delete it until I closed every running application I could (including Skype).
But as soon as I restarted or opened Skype it would return. I ran several Avast, Defender, AdAware and Spybot scans, they never found anything. But the OneCare scanner found it every time.
I tried running system restore to several points, and that didn't help. In fact, it would get an 'Unspecified Error' when I tried running it in Windows, and was only able to run system restore successfully when I booted from my Vista install CD and ran the 'Repair my computer' function.
I even did a complete PC restore to a point when I know I wasn't infected. But the Trojan was there when I ran OneCare's stand-alone scanner.
Eventually I uninstalled AdAware and Avast and installed MS OneCare with its 90-day trial (because at least it could detect the infection).
So then I would run a scan and it would find the Trojan and quarantine/delete it. The infection would stay gone until I restarted, and then it would come back (or so my scans told me). As this was all happening I noticed that Skype kept quitting without notice.
Noting this, I tried seeing what would happen if I uninstalled Skype and then did a scan. It found the Trojan like normal and deleted it right away. I then restarted and ran the scanner again...No infection!!! Yea!
And as far as I can tell it stays gone as long as I don't have Skype. But when I did a fresh install of Skype the infection came back (and Skype started crashing again). So I uninstalled Skype and deleted the Trojan again.
And that's where I sit now. So I guess what I'm looking for is some way to totally rid myself of this infection so I can have my Skype back!
The Trojan actually hasn't given me too many issues that I know about, just Skype crashing and system restore failing. But that's enough!
Any help would be Very appreciated. Thank you for your time and knowledge.


#2 ruby1


Posted 21 April 2008 - 02:24 PM

You have not yet tried the SUPERAntiSpyware program?

http://www.superantispyware.com/superantis...efreevspro.html

get the exe from http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Install it, fully update the definitions, then reboot, preferably into your computer's safe mode; launch the program from the desktop icon; run a full computer scan and post back the report/log it produces.

#3 Corey_R


Posted 21 April 2008 - 03:32 PM

Okay,
First of all, thank you Ruby1 for your fast reply. I did as you suggested and ran the scan in safe mode after updating the scanner. Then I rebooted into Safe Mode with Networking to place this post (and to finish deleting the cookies the scanner found, as it directed me to). Here's the log it produced:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/21/2008 at 12:13 PM

Application Version : 4.0.1154

Core Rules Database Version : 3443
Trace Rules Database Version: 1435

Scan type : Complete Scan
Total Scan Time : 00:29:04

Memory items scanned : 220
Memory threats detected : 0
Registry items scanned : 5725
Registry threats detected : 0
File items scanned : 21574
File threats detected : 30

Adware.Tracking Cookie

****End Log****

I'm not sure where I go from here though...and I feel a little vulnerable sitting here in Safe Mode with Networking since it seems that none of my usual anti-virus software wants to run in it.
Anyway, as I said before; any help would be greatly appreciated.
Thanks again.
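
The log layout posted above can be triaged mechanically. This Python sketch is an added example, not part of the original post or of SUPERAntiSpyware: it groups listed items by category heading, compares them with the summary counts, and separates tracking cookies from anything that needs review. The sample log is constructed with placeholder paths, the `triage` name is hypothetical, and only file-path items are handled.

```python
import re

# Constructed sample in the layout of the posted log; the user name and
# cookie names are placeholders, not values from the thread.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log

Memory items scanned : 220
Memory threats detected : 0
Registry items scanned : 5725
Registry threats detected : 0
File items scanned : 21574
File threats detected : 3

Adware.Tracking Cookie
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@example-ads[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@example-stats[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@example[1].txt

****End Log****
"""

FIELD = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<val>\d+)$")  # "Name : 123" lines
PATH = re.compile(r"^[A-Za-z]:\\")  # assumption: detected items are file paths

def triage(log_text):
    """Group listed items by category heading and compare with summary counts."""
    counts, detections, heading = {}, {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD.match(line)
        if m:
            if m.group("key").endswith("threats detected"):
                counts[m.group("key").split()[0].lower()] = int(m.group("val"))
        elif PATH.match(line):
            # An item belongs to the most recent non-path line (its category).
            detections.setdefault(heading, []).append(line)
        else:
            heading = line
    listed = sum(len(items) for items in detections.values())
    return {
        "counts": counts,
        "by_category": {cat: len(items) for cat, items in detections.items()},
        "listed_matches_summary": listed == sum(counts.values()),
        # Anything that is not a tracking cookie is surfaced for review.
        "needs_review": {c: i for c, i in detections.items()
                         if "cookie" not in (c or "").lower()},
    }
```

An empty `needs_review` with zero memory and registry threats, as in the posted log, means the scan reported cookies only and nothing that matches the Trojan detection.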

#4 DaChew


Posted 21 April 2008 - 04:14 PM

Oftentimes that resident protection interferes with malware removal, especially a program called TeaTimer.

I suspect something is hiding from super,

http://www.besttechie.net/tools/mbam-setup.exe

run malwarebytes from regular mode

see if it catches anything
Chewy

No. Try not. Do... or do not. There is no try.

#5 Corey_R


Posted 21 April 2008 - 04:41 PM

Thanks for the tip Chewy.
Yeah, I've had a love/hate relationship with TeaTimer for a while now. When this whole thing started I had TeaTimer turned off, but I turned it back on to see if it could help me get a handle on what was happening. But, like usual, I couldn't really tell if the things it was bringing to my attention were bad or not, so I turned it back off yesterday.
Anyway, I'm currently running a scan with Malwarebytes, but - as you point out - my other programs could interfere. Should I pause/close OneCare and uninstall Spybot and then run the scan?

#6 DaChew


Posted 21 April 2008 - 05:32 PM

As long as teatimer isn't loading at bootup you are ok with spybot, I use that as one of my essential programs.

Malwarebytes and Super are 2 others I rely on for scanning. Live OneCare might be a good program but since Defender is such a bust with the security community, I kind of doubt its effectiveness.
Chewy


#7 Corey_R


Posted 21 April 2008 - 06:06 PM

Thanks again Chewy,
I just finished the Malwarebytes scan, but it didn't find anything...
I'm almost wondering if I should reinstall Skype and see if I can get the infection again. Would having the Trojan to find make it easier for scanners to hunt down the root cause?
Also, as another random thought: should I do a power-cycle or reset of my Linksys? And I have a roommate on the network who has a computer without much protection on it; could he be reinfecting me via Skype? It's a Mac with OSX, but he has Boot Camp with a copy of XP installed on it. Skype is installed on both OSX and XP.
Uh, that's all I can think of at the moment...
Thanks!

#8 DaChew


Posted 21 April 2008 - 06:58 PM

I read up on skype a while back and really didn't like what I saw? Look at your exceptions in your firewall and see what's running there?
Chewy


#9 Corey_R


Posted 22 April 2008 - 02:06 PM

That was a good call on the Firewall Chewy! I reset all settings to default and told it to let me know everything that wanted to connect. Since then I've done a number of scans with every tool I have and they've all come up clean. As it sits now, I think I'm good...
Thank you all so much for your attention, time and help!



