Trojan.vundo With Rootkit


  • This topic is locked
3 replies to this topic

#1 PurpleFLSTF

Posted 05 May 2008 - 05:13 PM

Good Day. I have been using posts from BleepingComputer for some time to troubleshoot and repair computers for friends and relatives, but this one has me stumped. Two fellow teachers, two different computers, same infection symptoms. From reading other posts, they both appear to have the rootkit variant of Trojan.Vundo. I have run the VundoFix and Malwarebytes' Anti-Malware, as well as the Sophos Anti-Rootkit, CCleaner and SuperAntiSpyware, which are all part of the solution in other posts, but to no avail. The system appears clean, and then NAV2008 picks up Trojan.Vundo again. (Yes, I did shut down System Restore before running the programs both in normal and safe mode.) The common factor seems to be IE7, so I have removed it and installed Firefox. I will start with the laptop. Here is the HJT log:

Attached Files




#2 PurpleFLSTF

Posted 06 May 2008 - 06:21 AM

An additional interesting development... I completely uninstalled IE7, followed by removing Internet Explorer from Windows Components; however, when I tried to use Windows Update, an IE7 window opened rather than Firefox, which I set as default. IE7 does not show up in the "Add or Remove Programs" nor does CCleaner show up under the Tools section. More reason for me to think that IE7 is tied to the problem.

#3 Rahina

    Security Helper


Posted 19 May 2008 - 04:03 PM

Hello


Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following so I can have a look at the current condition of your machine.

Thanks, and again, sorry for the delay.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.



Next
Please do an online scan with Kaspersky WebScanner

Click on Accept Button

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#4 PurpleFLSTF

Posted 24 May 2008 - 10:53 AM

Rahina,
Thanks for getting back to me. I did all that you listed in the post, but needed to get these teachers' computers up for finals. I downloaded all of their important documents to an external drive, scanned them from a clean system with Malwarebytes, OneCare, and NAV, and formatted both computers after running CCleaner on the drives using NSA 7 pass cleaning. Boot sector on one drive was corrupt, so I dropped a new drive in and then reloaded them both. The strangest part was that after removing IE and making Mozilla the default (removed IE completely, including from the Windows components and registry), IE was still being activated by the virus. Oh, well. Problem solved and both computers now virus free. Both teachers were given the links to BleepingComputer tutorials on keeping their systems virus free.

THANKS,

Trevor

P.S. This can be closed out as resolved.



