
Vundo Trojan Dll's Not Completely Removed By Vundofix.exe


3 replies to this topic

#1 the_minister

  • Members
  • 2 posts

Posted 19 August 2008 - 04:57 PM

Hi

My first post so please be gentle ...

My brother's Windows XP (SP2) PC suddenly began to hang when performing searches on www.google.co.uk

McAfee detected the Vundo trojan and duly 'removed' a few files. Still google hangs.

I followed the instructions to let VundoFix.exe scan, then remove infected files. It found about nine such .dll and .ini files. It removed seven and couldn't remove two. I restarted the machine as instructed but began a never-ending loop of finding the two problem files and not being able to delete them, restarting, failing to delete, rescanning, etc. I've attached a log showing which files seem to be created by Vundo. It appears that each time I delete the seven files, two are undeletable, seven are deleted, but then they appear again (random names) some time later (on restart?). Either way, I cannot completely purge the PC of the files that VundoFix.exe identifies as being problematic.

I can see that the files in question (usually an eight-character random string of alphanumerics followed by .dll or .ini, for example nnnnLbaY.dll) are owned by the logged-in user with read/write/execute permissions. However, the files are not removable by a conventional 'rm -f <file.name>' Linux command (I'm used to Linux/UNIX rather than Windows and so run Cygwin, a Linux command-line emulator that maps to DOS commands): 'Permission denied'.

I used VirtumundoBeGone.exe to check for any nasties, I've attached the log but it seems there were no infections of this type.

I ran HijackThis.exe and have attached a log. When I ask HijackThis to fix the following two objects:
O4 - HKLM\..\Run: [840b6e6e] rundll32.exe "C:\WINDOWS\system32\rrfjmcqf.dll",b
O4 - HKLM\..\Run: [BM87385df2] Rundll32.exe "C:\WINDOWS\system32\dpbxxfsi.dll",s

the .dll's are STILL present, even if I again try to remove them manually. Minutes later the other random .dll's and .ini's are back in C:\WINDOWS\system32\

Please could someone help me figure out how to get these files off my brother's PC.

Thanks in advance!

the_minister

Attached Files


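The two O4 lines above share a shape that is worth recognising in any HijackThis log: an HKLM Run value with a meaningless name, launching rundll32.exe against a DLL in system32 whose base name is eight random characters, calling a one-letter export. The following Python is an added example, not code from the original post or from HijackThis: it parses O4 lines and flags entries matching that pattern. The sample log is constructed here from the two entries in the post plus two benign-looking entries assumed for contrast; the scoring rule (system32 path, eight-character alphanumeric name, export of at most two characters) is a heuristic derived from these entries, not a published Vundo signature.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two O4 lines from the post, plus two benign entries
# assumed for contrast (they are not from the poster's log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [840b6e6e] rundll32.exe "C:\WINDOWS\system32\rrfjmcqf.dll",b
O4 - HKLM\..\Run: [BM87385df2] Rundll32.exe "C:\WINDOWS\system32\dpbxxfsi.dll",s
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# rundll32[.exe] "<path>.dll",<export>   (quotes optional, case-insensitive)
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE)
# eight alphanumerics + .dll, like rrfjmcqf.dll or nnnnLbaY.dll
RANDOM_NAME_RE = re.compile(r'^[a-z0-9]{8}\.dll$', re.IGNORECASE)


@dataclass
class RunEntry:
    hive: str
    key: str
    name: str
    cmd: str
    dll: Optional[str]      # DLL path if the command is a rundll32 invocation
    export: Optional[str]   # export name passed after the comma


def parse_o4(line: str) -> Optional[RunEntry]:
    """Parse one HijackThis O4 line; return None for anything else."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group('cmd')
    r = RUNDLL_RE.match(cmd)
    return RunEntry(m.group('hive'), m.group('key'), m.group('name'), cmd,
                    r.group('dll') if r else None,
                    r.group('export') if r else None)


def basename(path: str) -> str:
    return path.replace('/', '\\').rsplit('\\', 1)[-1]


def is_suspicious(e: RunEntry) -> bool:
    """Heuristic from the post's two entries: rundll32 loading a randomly
    named DLL out of system32 via a very short export name."""
    if e.dll is None:
        return False
    in_system32 = '\\system32\\' in e.dll.lower()
    random_name = bool(RANDOM_NAME_RE.match(basename(e.dll)))
    short_export = e.export is not None and len(e.export) <= 2
    return in_system32 and random_name and short_export


def scan(log_text: str) -> List[RunEntry]:
    """Return the O4 entries in a HijackThis log that match the heuristic."""
    hits = []
    for line in log_text.splitlines():
        e = parse_o4(line)
        if e is not None and is_suspicious(e):
            hits.append(e)
    return hits


if __name__ == '__main__':
    for e in scan(SAMPLE_LOG):
        print(f"{e.hive}\\..\\{e.key} [{e.name}] -> {basename(e.dll)} export {e.export!r}")
```

The check only tells you which Run values are worth looking at; it does not touch the registry or the files. Legitimate rundll32 Run entries exist (vendor control-panel loaders, for instance), but they normally name a recognisable DLL and a readable export, so they fall outside all three conditions. Note also that, as the post describes, removing the Run value alone does nothing while the loaded DLL is still resident and recreating its files.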


#2 mas_pogi

    Carpal Tunnel of Love

  • Members
  • 1,473 posts
  • Gender:Male
  • Location:Tokyo, JP

Posted 02 September 2008 - 10:45 AM

Hello and Welcome to the forums!

My name is Mas_pogi/Mark and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please do not run any other tool until instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.

#3 mas_pogi

    Carpal Tunnel of Love

  • Members
  • 1,473 posts
  • Gender:Male
  • Location:Tokyo, JP

Posted 03 September 2008 - 07:34 AM

hi coach.

Hi.

Please bear with me as we clean your computer. If you have any questions, do not hesitate to ask.

Please follow the steps below:
  • Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.
    • If you use the Firefox browser: click Firefox at the top and choose: Select All.
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • If you use the Opera browser: click Opera at the top and choose: Select All.
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.
    • For Technical Support, double-click the e-mail address located at the bottom of each menu.

  • Rename HijackThis:
    • Locate the program HijackThis.
    • Select the file, right-click and select Rename.
    • Please change the name to: koalabear
    • Click koalabear.exe (the renamed hijackthis.exe) and do a system scan only. Post the fresh log in your next reply.

  • Please do a scan with Kaspersky Online Scanner
    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, click on View scan report.
    • Now, click on the Save Report as button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

In your reply please post the fresh HijackThis log and the result of Kaspersky's scan. Copy and paste it in your reply. Do not attach it.
Thanks.

Mark

#4 the_minister
  • Topic Starter

  • Members
  • 2 posts

Posted 11 September 2008 - 05:05 AM

Thanks for the advice folks.

In the meantime I went ahead and used MalwareBytes' Anti-Malware and Spyware Blaster to remove the aforementioned sticky files.

HINT: make sure you get the latest version.

After a reboot the troublesome files had been removed. I've now secured my brother's computer by not allowing such annoying viruses in in the first place (updated Java, run regular firewall updates and so on).

Thanks again for your time and assistance

the_minister



