
Vundo Trojan? Help!


3 replies to this topic

#1 dupsta


Posted 29 May 2008 - 11:32 PM

Grrrr….
I have a virus that is driving me nuts!!!
I will post my logs at the end.
I am running WinXP Pro.
This virus will not allow me to open any application, including Firefox. I cannot open my registry (REGEDIT). The error is "Registry editing has been disabled by your administrator".
This is just a home computer, directly connected to the modem. No network. I use admin privileges.

So I am writing and downloading software from my Mac and going back and forth with a jump drive.

Spybot Search & Destroy will not run; the app will not open.

SpyHunter will not open.

XP_ex_fix will not open.

FixVundo was downloaded from Symantec. I ran the scan; every 10 seconds I had to hit "don't close". The scan finally went through, and it said it did not find Vundo.

So I was able to download Malwarebytes' Anti-Malware.
It ran perfectly. I was unable to update it, though. When I opened it on my PC, it tried to update but never could connect. The trojan was shutting down the connection, I guess. But I did do the scan. Every time, it found all the problems. It deleted the infections, but it did mention the registry was locked and on startup it would delete those files.
Yet the virus is still here; every time I boot up it is back.
Safe mode, safe mode with networking, safe mode with everything turned off in the startup menu: it still lurks.

Malwarebytes' Anti-Malware 1.12
Database version: 722

Scan type: Quick Scan
Objects scanned: 39363
Time elapsed: 19 minute(s), 8 second(s)

Memory Processes Infected: 4
Memory Modules Infected: 6
Registry Keys Infected: 38
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 31

Memory Processes Infected:
c:\WINDOWS\tg9vchpqqw\command.exe (AdWare.CommAd) -> Failed to unload process.
c:\program files\network monitor\netmon.exe (Trojan.DNSChanger) -> Unloaded process successfully.
C:\WINDOWS\mrofinu1000106.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\WINDOWS\Fonts\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
c:\WINDOWS\tg9vchpqqw\asappsrv.dll (AdWare.CommAd) -> Unloaded module successfully.
C:\WINDOWS\system32\fccaXPiJ.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Program Files\QdrDrive\QdrDrive16.dll (Adware.AdBand) -> Unloaded module successfully.
C:\WINDOWS\system32\{4304b663-4406-7747-0166-6c35fa55471b}.dll (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\{5d7f0a1d-e889-91aa-1b7d-ba07d35fd4fd}.dll (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\fccyaWop.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdservice (AdWare.CommAd) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdservice (AdWare.CommAd) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdservice (AdWare.CommAd) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3f377815-a254-4241-b4c6-fdb3a9eeed4c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{3f377815-a254-4241-b4c6-fdb3a9eeed4c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\AppID\{8d71eeb8-a1a7-4733-8fa2-1cac015c967d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9f593aac-ca4c-4a41-a7ff-a00812192d61} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{749ec66f-a838-4b38-b8e5-e65d905fff74} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be} (Trojan.Network.Monitor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{10b64bdf-2e05-4a8a-b470-a3c651d0ad00} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{10b64bdf-2e05-4a8a-b470-a3c651d0ad00} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{83c35173-e029-42f1-9692-0341ee379a0d} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83c35173-e029-42f1-9692-0341ee379a0d} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0fe58b2a-6824-2df6-1178-2e1fe161d422} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{0fe58b2a-6824-2df6-1178-2e1fe161d422} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5bde9717-4c82-eb0b-488c-5f0b93b5dea6} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5bde9717-4c82-eb0b-488c-5f0b93b5dea6} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{310fed5d-7ac0-50a9-3fe4-c412563838ed} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{310fed5d-7ac0-50a9-3fe4-c412563838ed} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\Sidebar.DLL (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mySearchAssistant (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Deewoo Network Manager (Adware.Radio) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9aee7fa8-0da7-4c8a-8b3e-fbb6b979c657} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9aee7fa8-0da7-4c8a-8b3e-fbb6b979c657} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fccyawop (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor (Trojan.Service) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{bb80631c-1233-9538-fe5b-dd757a1420f5} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runner1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExploreUpdSched (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Adapter 5.1.3214 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Host Process (Worm.IRCBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9aee7fa8-0da7-4c8a-8b3e-fbb6b979c657} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccaxpij -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccaxpij -> Delete on reboot.

Folders Infected:
C:\Program Files\Network Monitor (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive (Adware.AdBand) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\tg9vchpqqw\asappsrv.dll (AdWare.CommAd) -> Delete on reboot.
c:\WINDOWS\tg9vchpqqw\command.exe (AdWare.CommAd) -> Delete on reboot.
c:\program files\network monitor\netmon.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccaXPiJ.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\JiPXaccf.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\JiPXaccf.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1060284298-2146977427-725345543-1003\Dc581.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1060284298-2146977427-725345543-1003\Dc591.dll (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1060284298-2146977427-725345543-1003\Dc597._ (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\atmtd.dll (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\atmtd.dll._ (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\WINDOWS\uninstall_nmon.vbs (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anthony\Local Settings\Temp\cmdinst.exe (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anthony\Local Settings\Temporary Internet Files\Content.IE5\XL4L673N\installer[1].exe (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive\QdrDrive16.dll (Adware.AdBand) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{4304b663-4406-7747-0166-6c35fa55471b}.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\{5d7f0a1d-e889-91aa-1b7d-ba07d35fd4fd}.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\mrofinu1000106.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\a.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\Setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anthony\Application Data\fszvu.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\Fonts\svchost.exe (Worm.IRCBot) -> Quarantined and deleted successfully.
C:\WINDOWS\mrofinu1188.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccyaWop.dll (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\core.cache.dsk (Malware.Trace) -> Delete on reboot.
C:\Documents and Settings\Anthony\Start Menu\Programs\Startup\Deewoo.lnk (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anthony\Start Menu\Programs\Startup\DW_Start.lnk (Trojan.Agent) -> Quarantined and deleted successfully.

After startup, no applications would launch. As soon as I launched Firefox, it would shut down. I had no access to REGEDIT. I could not run Search & Destroy. I was back where I started. So I ran it again!

Malwarebytes' Anti-Malware 1.12
Database version: 722

Scan type: Quick Scan
Objects scanned: 38998
Time elapsed: 14 minute(s), 32 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
c:\WINDOWS\tg9vchpqqw\command.exe (AdWare.CommAd) -> Failed to unload process.

Memory Modules Infected:
c:\WINDOWS\tg9vchpqqw\asappsrv.dll (AdWare.CommAd) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdservice (AdWare.CommAd) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdservice (AdWare.CommAd) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdservice (AdWare.CommAd) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\QdrDrive (Adware.AdBand) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\tg9vchpqqw\asappsrv.dll (AdWare.CommAd) -> Delete on reboot.
c:\WINDOWS\tg9vchpqqw\command.exe (AdWare.CommAd) -> Delete on reboot.
C:\WINDOWS\system32\fccaXPiJ.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\JiPXaccf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\JiPXaccf.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive\QdrDrive16.dll (Adware.AdBand) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{4304b663-4406-7747-0166-6c35fa55471b}.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{5d7f0a1d-e889-91aa-1b7d-ba07d35fd4fd}.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\atmtd.dll.tmp (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\fccyaWop.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\core.cache.dsk (Malware.Trace) -> Delete on reboot.



I am running it again right now! Any thoughts?
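The two logs above show the pattern behind "every time I boot up it is back": entries marked "Delete on reboot" in the first scan reappear in the second, the LSA "Authentication Packages" and "Winlogon\Notify" hits point at DLLs that lsass.exe and winlogon.exe load at boot, and command.exe reports "Failed to unload process" both times. The following Python script is an added example for this thread, not part of the original post and not Malwarebytes' code: it parses this log format, tags registry hits with the autostart mechanism they use, and diffs two scans to list what survived. The SCAN1/SCAN2 strings are trimmed copies of the logs above; the PERSISTENCE table and its "what loads it" notes are my own annotation, not scanner output.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs: an added example for this thread,
not MBAM's own code. It parses "<path> (<family>) -> <action>." lines, maps registry hits to the
autostart mechanism they abuse, and diffs two scans to show what survived a reboot."""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
                        r"Registry Data Items|Folders|Files) Infected:$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+?)\.?$")
# (lowercased path fragment, mechanism, what loads it); the first two load inside system processes at boot
PERSISTENCE = [
    ("\\control\\lsa\\authentication packages", "LSA authentication package", "lsass.exe at boot"),
    ("\\winlogon\\notify\\", "Winlogon notification package", "winlogon.exe at boot"),
    ("\\explorer\\shellexecutehooks\\", "ShellExecute hook", "explorer.exe and any ShellExecute caller"),
    ("\\explorer\\browser helper objects\\", "Browser Helper Object", "Internet Explorer"),
    ("\\services\\", "Windows service", "Service Control Manager at boot"),
]

@dataclass
class Hit:
    section: str
    path: str
    family: str
    action: str
    data: str = ""  # only set for "Registry Data Items" lines

def parse_log(text):
    hits, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section = m.group(1)
            continue
        if not section or not line or line.startswith("("):
            continue  # header, summary counts, "(No malicious items detected)"
        if not (m := ITEM_RE.match(line)):
            continue
        rest, data = m.group("rest"), ""
        if rest.startswith("Data: "):  # "Data: <value> -> <action>"
            data, rest = rest[len("Data: "):].split(" -> ", 1)
        hits.append(Hit(section, m.group("path"), m.group("family"), rest, data))
    return hits

def classify(path):
    """(mechanism, loader) for a known registry autostart path; None otherwise."""
    p = path.lower()
    for needle, mechanism, loader in PERSISTENCE:
        if needle in p:
            return mechanism, loader
    return None

def still_running(hits):
    # processes the scanner could not terminate: still live when the log was written
    return [h for h in hits if h.action.startswith("Failed to unload")]

def survivors(before, after):
    # hits present in both scans, i.e. the first pass's "Delete on reboot" did not stick
    seen = {h.path.lower() for h in before}
    return [h for h in after if h.path.lower() in seen]

def report(before, after):
    lines = [f"STILL RUNNING  {h.path} ({h.family})" for h in still_running(after)]
    for h in survivors(before, after):
        mech = classify(h.path)
        lines.append(f"CAME BACK      {h.path} [{mech[0] if mech else 'file'}]")
    for h in before:
        if h.data:  # e.g. Vundo's DLL registered as an LSA authentication package
            mech = classify(h.path)
            lines.append(f"BOOT-TIME DLL  {h.data} loaded by {mech[1] if mech else '?'}")
    return lines

# Trimmed copies of the two logs posted in this thread (constructed sample input).
SCAN1 = r"""
Memory Processes Infected:
c:\WINDOWS\tg9vchpqqw\command.exe (AdWare.CommAd) -> Failed to unload process.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdservice (AdWare.CommAd) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fccyawop (Trojan.Vundo) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9aee7fa8-0da7-4c8a-8b3e-fbb6b979c657} (Trojan.Vundo) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccaxpij -> Delete on reboot.
Files Infected:
C:\WINDOWS\system32\fccaXPiJ.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\fccyaWop.dll (Trojan.Vundo) -> Delete on reboot.
"""
SCAN2 = r"""
Memory Processes Infected:
c:\WINDOWS\tg9vchpqqw\command.exe (AdWare.CommAd) -> Failed to unload process.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdservice (AdWare.CommAd) -> Delete on reboot.
Registry Values Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\fccaXPiJ.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccyaWop.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\atmtd.dll.tmp (Trojan.Agent) -> Delete on reboot.
"""

if __name__ == "__main__":
    print("\n".join(report(parse_log(SCAN1), parse_log(SCAN2))))
```

Run it as-is to print the triage lines, or feed parse_log the full saved logs for the real diff. The "STILL RUNNING" and "BOOT-TIME DLL" lines are the ones to act on first: a user-mode scanner cannot out-race a DLL that lsass.exe or winlogon.exe loads before the desktop appears, which is why the replies below move to a tool run from safe mode.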


#2 DaChew


Posted 30 May 2008 - 12:12 AM

If you had asked first, you could be using the latest definitions:

http://www.malwarebytes.org/mbam/database/mbam-rules.exe

With that infection you'll need all the help you can get; it's a nasty one.

Rerun MBAM after updating, and stay off the internet until you have run some other tools/scans.

Edited by DaChew, 30 May 2008 - 12:16 AM.

Chewy

No. Try not. Do... or do not. There is no try.

#3 dupsta


Posted 30 May 2008 - 02:39 AM

Thanks for the link. I ran the setup. I have no good news. Although every time I run the scan it does find something bad. Over and over. But this is the only scan I can run on my system. HijackThis will not even install. No luck with the others listed above either. I wish I could get into my registry and just look around, but I am locked out of that too. This is crazy! A bit over my head.

#4 DaChew


Posted 30 May 2008 - 02:55 AM

MBAM is best run from normal mode if possible.

See if you can install SDFix in safe mode:

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

A Windows utility like WinRAR can extract it, and then you could manually install the folder in the root directory of the C: drive.

Edited by DaChew, 30 May 2008 - 02:56 AM.

Chewy

No. Try not. Do... or do not. There is no try.



