
Trojan.vundo-variant/small-gen And Some Other...


6 replies to this topic

#1 Zagis

Zagis

  • Members
  • 1 posts

Posted 12 July 2008 - 08:47 AM

Hello,

My PC is infected with Trojan.Vundo-Variant/Small-GEN and some other threats.

Can you please tell me how I can get rid of them? I ran a SUPERAntiSpyware scan and here is the content of the log file:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/12/2008 at 00:10 AM

Application Version : 3.9.1008

Core Rules Database Version : 3502
Trace Rules Database Version: 1493

Scan type : Complete Scan
Total Scan Time : 01:05:59

Memory items scanned : 418
Memory threats detected : 1
Registry items scanned : 7378
Registry threats detected : 6
File items scanned : 75832
File threats detected : 1

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\QOMDCRQN.DLL
C:\WINDOWS\SYSTEM32\QOMDCRQN.DLL

Trojan.Vundo-Variant/Small-GEN
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59446AEB-4342-4D30-8BD6-4B3C645F4BB0}
HKCR\CLSID\{59446AEB-4342-4D30-8BD6-4B3C645F4BB0}
HKCR\CLSID\{59446AEB-4342-4D30-8BD6-4B3C645F4BB0}\InprocServer32
HKCR\CLSID\{59446AEB-4342-4D30-8BD6-4B3C645F4BB0}\InprocServer32#ThreadingModel

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\aoprndtws
HKU\S-1-5-21-2562976453-1501877757-2856425377-1006\Software\Microsoft\rdfa

Thanks in advance... :thumbsup:

Edited by Zagis, 12 July 2008 - 08:49 AM.



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 12 July 2008 - 10:01 AM

Now please run this scan...

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#3 Sonic98

Sonic98

  • Members
  • 26 posts

Posted 15 August 2008 - 12:54 PM

Well, I can personally testify that this probably will not work if this has not already been solved. I have been dealing with Trojan.Vundo for about a couple of weeks now. It was the same one you mentioned, Variant/Small and Variant/Resident, as well as Adware.Vundo. At first I had no problems with pop-ups. It never tried to download or run Antivirus 2009. I have had problems in the past with Antivirus 2008 or XP Antivirus or the fake Windows Security Center, but Ewido or the removal tool were always able to take it off. The only problem I was having this time was it kept disabling Automatic Updates; that's what led me to research what threat it was.

This one keeps coming back. I first tried Spybot, but I think I cancelled mid-detect because I read about something else. I had seen posts on here debating about Malwarebytes and SuperAnti. I tried Malwarebytes, and it seemed to remove it, and I was able to enable Automatic Updates. A few days later it happened again. After a couple of times I tried some other things. I tried both normal and safe mode. I tried SuperAnti, my Symantec Corporate 10.1, Spybot again, Windows Defender, FixVundo, VundoFix, and VundoBeGone. I even tried running full system scans instead of quick ones like people usually suggest with SuperAnti and Malwarebytes on this site. Then all of a sudden neither program was able to remove the viruses without having to restart. But it seems nothing happens when you restart. It seems like VundoFix, Malwarebytes, and SuperAnti do nothing after restart. At least Spybot rescans when you restart. I noticed that around the time I had to restart to clean, I finally started getting Antivirus 2009 pop-ups.


I have not tried Ewido as I usually would because AVG isn't free anymore, but I am about to try the trial because someone told me in a PM that they were able to remove it by uninstalling NOD32 and using AVG instead. I will likely have to run Malwarebytes or SuperAnti to install it though. I was fixing a friend's computer about a month ago with an Antivirus 2008 infection and I noticed that neither McAfee, Defender, nor Norton's services would start during install. I'm sure I'm going to have the same problem with AVG's services that I'm having with Automatic Updates. So, I'll temporarily get Vundo off and get AVG on before it comes back. If AVG doesn't work, I'll see what ComboFix can do.

#4 Sonic98

Sonic98

  • Members
  • 26 posts

Posted 15 August 2008 - 09:35 PM

Well, I tried to install AVG. I tried about 5 times before it finally installed without cancelling because the AVG services could not be started. After a few restarts, though, the services would no longer start. When I tried to run the program, all I could get was the command line scanner. I don't think I'll bother with ComboFix. I'll just erase and start over.

#5 EricKeo

EricKeo

  • Members
  • 1 posts

Posted 11 April 2009 - 01:57 AM


Hi Sonic,

I just recently contracted this same freaking virus and I'm having the same problem as you did. Mostly my PC is running OK; the only thing I noticed was that Automatic Updates was disabled. I tried enabling it and was getting a 1058 error. Are you cured now, and if so, what did you use and do to cure this virus? I am about to pull my freaking hair out of my head. Please let me know what you did, and if you can post it or reply here I will greatly appreciate it.

thanks,
Eric K.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 11 April 2009 - 09:14 AM

Please run the MBAM tool and post the log. The VundoFix and other tools recommended above are at best obsolete and those instructions are not valid. Spybot is OK but its detection rates have fallen. These are good: SuperAnti, my Symantec Corporate 10.1, Spybot again, Windows Defender.

Edited by boopme, 11 April 2009 - 09:29 AM.


#7 alkane

alkane

  • Members
  • 1 posts

Posted 28 April 2009 - 10:57 PM

This new variant is particularly tricky. It monitors the delete-on-reboot entries for any of its component files. If you add an entry in either the CurrentControlSet or the backup, it will clear the list. This means that using the steps outlined for previous Vundo variants will only cause the computer to be reinfected on the next reboot unless special care is taken.

The offending processes need to be suspended or shut down. Unfortunately I haven't gotten a live sample yet; hopefully when I'm off vacation I can touch some client machines. Sorry I couldn't give any help, just trying to steer the discussion in the right direction.

The malware monitors all control sets for entries of its components under the HKLM\System\{controlset}\Control\Session Manager key, value PendingFileRenameOperations.

My thought is, if this is the variant I'm thinking it is, that a process explorer (SysInternals, if it's not autodeleted) will have to be used to suspend loaded threads under some of the running processes, then run the anti-malware tools, then hard power off the machine. It may also be necessary to manually replace some key Windows files as they may have been irreparably modified, judging from another log from a similarly infected machine (run SysInternals sigcheck over the Windows directory and replace from service pack files).

Edited by alkane, 28 April 2009 - 11:05 PM.
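An added example for the behaviour alkane describes, written for this thread and not taken from any poster or tool mentioned here: it lists PendingFileRenameOperations under every ControlSetNNN key, labels which set is Current or LastKnownGood, and takes two snapshots to show whether queued delete-on-reboot entries disappear without a reboot. The function names are my own; the cleanup tools' actual queued paths are whatever is on the machine.

```powershell
# Added example: enumerate delete/rename entries queued for reboot in every control set,
# so a defender can confirm a queued deletion is still there before restarting.
function Get-PendingRenames {
    $select = Get-ItemProperty 'HKLM:\SYSTEM\Select'
    foreach ($set in Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }) {
        $num  = [int]$set.PSChildName.Substring(10)
        $role = if ($num -eq $select.Current) { 'Current' }
                elseif ($num -eq $select.LastKnownGood) { 'LastKnownGood' } else { 'Other' }
        $sm    = Join-Path $set.PSPath 'Control\Session Manager'
        $value = (Get-ItemProperty -Path $sm -ErrorAction SilentlyContinue).PendingFileRenameOperations
        if (-not $value) { continue }
        # REG_MULTI_SZ holds source/target pairs; an empty target means "delete on reboot".
        for ($i = 0; $i -lt $value.Count; $i += 2) {
            $src = $value[$i] -replace '^\\\?\?\\', ''
            $dst = if ($i + 1 -lt $value.Count) { $value[$i + 1] -replace '^\\\?\?\\', '' } else { '' }
            [pscustomobject]@{
                ControlSet = $set.PSChildName
                Role       = $role
                Action     = if ($dst -eq '') { 'DELETE' } else { 'RENAME' }
                Source     = $src
                Target     = $dst
            }
        }
    }
}

# Snapshot the queue twice; entries that vanish with no reboot in between point at
# something rewriting the key, which is the symptom alkane attributes to this variant.
function Test-PendingRenamesCleared([int]$Seconds = 30) {
    $key    = { "$($_.ControlSet)|$($_.Action)|$($_.Source)|$($_.Target)" }
    $before = @(Get-PendingRenames | ForEach-Object $key)
    Start-Sleep -Seconds $Seconds
    $after  = @(Get-PendingRenames | ForEach-Object $key)
    $gone   = @($before | Where-Object { $after -notcontains $_ })
    if ($gone.Count -gt 0) {
        Write-Warning "Queued entries removed without reboot:`n$($gone -join "`n")"
    } else {
        Write-Host "No queued entries disappeared in $Seconds seconds ($($after.Count) still queued)."
    }
    return $gone
}

Get-PendingRenames | Format-Table -AutoSize
Test-PendingRenamesCleared -Seconds 30 | Out-Null
```

Run it from an elevated PowerShell after the cleanup tool has queued its deletions but before you reboot; the `Role` column tells you whether the entry sits in the control set that will actually boot.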
