
Vundo Variant/resident Keeps Coming Back!


7 replies to this topic

#1 reywal

reywal

  • Members
  • 6 posts

Posted 11 May 2008 - 08:32 AM

I'm a newbie here. Found this site after a tiring search.

Here it is:

My desktop icons and taskbar are gone. I tried using the task manager's "ctrl-alt-del", but the desktop and taskbar would just appear for several seconds and then be gone again.

SUPERAntiSpyware can detect and even remove them in safe mode (did this several times), but my PC will just run normally for only a matter of minutes.

My desktop and taskbar will disappear again immediately after Windows Defender pops up a notice that it detected changes in the settings.

I have NOD32 installed but it cannot detect them. I have HijackThis.

What should I do? Please help.

Edited by reywal, 11 May 2008 - 08:37 AM.




#2 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 11 May 2008 - 08:46 AM

All kinds of unpredictable behavior happen when you are running 2 antivirus programs at the same time, and then an infection.

Try going into safe mode and running a scan with NOD from there. I would uninstall Defender myself or totally disable it in Vista.

Post the logs from NOD and SAS please.

http://www.bleepingcomputer.com/forums/ind...mp;#entry811062

also from this scan

Edited by DaChew, 11 May 2008 - 08:48 AM.

Chewy

No. Try not. Do... or do not. There is no try.

#3 reywal


Posted 11 May 2008 - 09:51 AM

Thanks for the quick reply.

Please allow me to post SAS first (NOD scanning is in progress):

FIRST SCAN

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/11/2008 at 10:07 AM

Application Version : 4.1.1036

Core Rules Database Version : 3458
Trace Rules Database Version: 1449

Scan type : Complete Scan
Total Scan Time : 00:58:01

Memory items scanned : 152
Memory threats detected : 1
Registry items scanned : 5271
Registry threats detected : 0
File items scanned : 51177
File threats detected : 2

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\MLJCVMNN.DLL
C:\WINDOWS\SYSTEM32\MLJCVMNN.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Atty. Alpuerto\Cookies\atty._alpuerto@2o7[1].txt
server.iad.liveperson.net [ C:\Documents and Settings\Atty. Alpuerto\Application Data\Mozilla\Firefox\Profiles\nrnl63dh.default\cookies.txt ]
server.iad.liveperson.net [ C:\Documents and Settings\Atty. Alpuerto\Application Data\Mozilla\Firefox\Profiles\nrnl63dh.default\cookies.txt ]


___________________________________________

SECOND SCAN

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/11/2008 at 04:47 PM

Application Version : 4.1.1036

Core Rules Database Version : 3458
Trace Rules Database Version: 1449

Scan type : Quick Scan
Total Scan Time : 00:01:06

Memory items scanned : 177
Memory threats detected : 1
Registry items scanned : 332
Registry threats detected : 0
File items scanned : 2381
File threats detected : 1

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\VTUMJYOL.DLL
C:\WINDOWS\SYSTEM32\VTUMJYOL.DLL

________________________________________________________

THIRD SCAN

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/11/2008 at 10:33 PM

Application Version : 4.1.1036

Core Rules Database Version : 3458
Trace Rules Database Version: 1449

Scan type : Complete Scan
Total Scan Time : 00:50:57

Memory items scanned : 149
Memory threats detected : 1
Registry items scanned : 5274
Registry threats detected : 0
File items scanned : 64925
File threats detected : 1

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\BYXQGWUL.DLL
C:\WINDOWS\SYSTEM32\BYXQGWUL.DLL

______________________________________________________


NOTE:

It is an IE BROWSER ADD-ON that Windows Defender detects seconds before the desktop and taskbar disappear.

I will post NOD32 log later on.

Edited by reywal, 11 May 2008 - 09:53 AM.


#4 reywal


Posted 11 May 2008 - 04:49 PM

I can't copy NOD32's scanner log.

#5 DaChew


Posted 11 May 2008 - 05:14 PM

http://www.bleepingcomputer.com/forums/ind...mp;#entry811062

Let's do a scan with something that will give us a good log.

#6 reywal


Posted 11 May 2008 - 05:20 PM

HERE IT IS SIR:

Malwarebytes' Anti-Malware 1.12
Database version: 740

Scan type: Quick Scan
Objects scanned: 37247
Time elapsed: 3 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\nnnLccAP.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\geBqQGxw.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0c436ea7-e39c-48f1-aa60-747ff2bde51d} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{0c436ea7-e39c-48f1-aa60-747ff2bde51d} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{6c23ab0c-0244-4b01-8253-bee724d0d2ec} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6c23ab0c-0244-4b01-8253-bee724d0d2ec} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebqqgxw (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6c23ab0c-0244-4b01-8253-bee724d0d2ec} (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\nnnlccap -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\nnnlccap -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cbXNExWN.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\NWxENXbc.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\NWxENXbc.ini2 (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\nnnLccAP.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\PAccLnnn.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\PAccLnnn.ini2 (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\geBqQGxw.dll (Trojan.Vundo) -> No action taken.

NOTE:

After the cleaning, two items have remained and it says they cannot be removed
though my DESKTOP AND TASKBAR ARE ALREADY SHOWING!!!

Edited by reywal, 11 May 2008 - 05:23 PM.


#7 DaChew


Posted 11 May 2008 - 05:25 PM

Reboot and run another quick scan.

#8 reywal


Posted 11 May 2008 - 09:00 PM

I DID WHAT YOU TOLD ME SIR:

Here is the log

Malwarebytes' Anti-Malware 1.12
Database version: 740

Scan type: Quick Scan
Objects scanned: 37202
Time elapsed: 5 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\geBqQGxw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnLccAP.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
_________________________________________________________________________________

I DID A RESCAN AND HERE IS THE NEXT LOG

Malwarebytes' Anti-Malware 1.12
Database version: 740

Scan type: Quick Scan
Objects scanned: 37356
Time elapsed: 2 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
_____________________________________

WHAT DO YOU THINK SIR, DO I HAVE ALL THE REASONS TO JUBILATE? :flowers: :thumbsup:

Edited by reywal, 12 May 2008 - 05:09 AM.




