
Infected With A Few Trojans



#1 tj1182

Posted 29 September 2008 - 10:25 PM

All of a sudden, when I started up my PC today, I got this "systems virus 2008" or something similar. I googled it, installed MBAM and tried to remove it. The fake virus scanner doesn't pop up anymore, but I did some more scans and a whole bunch of Trojan.Vundo.H keeps coming up and says to delete after reboot, which doesn't work, and now the clock in my toolbar says "virus alert!" with the time using a 24-hour clock.

At first I couldn't even access the start menu along with windows explorer.

I'm new to this, so any help will be greatly appreciated.

Edited by tj1182, 29 September 2008 - 10:31 PM.




#2 DaChew

Posted 30 September 2008 - 12:02 AM

http://www.bleepingcomputer.com/forums/ind...mp;#entry948894

MBAM will need some help; let's start with ATFCleaner and SAS from Safe Mode.

Read or print the directions and follow them exactly

I will need three logs: the last MBAM one, the SAS one, and then a new MBAM one done after you have updated the scanner and run another quick scan.

Chewy

No. Try not. Do... or do not. There is no try.

#3 tj1182 (Topic Starter)

Posted 30 September 2008 - 12:43 AM

Thanks. I'll try it, but I can't get into Safe Mode; the PC restarts before it tries to start up.

#4 DaChew

Posted 30 September 2008 - 12:51 AM

Are you saying that it starts to enter safe mode then reboots?

Tapping the F8 key requires a little practice and exact timing on newer computers, as they boot so fast.

#5 DaChew

Posted 30 September 2008 - 12:54 AM

Try this scanner from normal mode if you can't get Safe Mode to work.

Download this file to your Desktop: http://downloads5.kaspersky-labs.com/devbuilds/AVPTool/
Start the setup_.exe file and click "Next".
The tool will now be unzipped to its own folder on the Desktop; confirm this by pressing "Next" again.
Now click "Scan" to start the quick scan.
When it's finished, the malware found will be shown to you; press "Delete".
Now click the "Reports" button in the main screen and save the logfile to your Desktop.
Post this logfile in your next reply.
After that you'll get this message: "Do you want to uninstall?"; choose "Yes".
The tool will then be deleted.

You failed to mention what operating system you are using; go ahead and post those MBAM logs.

Do, or do not. There is no 'try.'

Edited by DaChew, 30 September 2008 - 12:56 AM.


#6 tj1182 (Topic Starter)

Posted 30 September 2008 - 02:00 AM

> Are you saying that it starts to enter safe mode then reboots?
>
> Tapping the F8 key requires a little practice and exact timing on newer computers as they boot so fast

As soon as the loading screen comes up in safe mode it reboots.

#7 tj1182 (Topic Starter)

Posted 30 September 2008 - 02:01 AM

> Try this scanner from normal mode if you can't get Safe Mode to work.
>
> Download this file to your Desktop: http://downloads5.kaspersky-labs.com/devbuilds/AVPTool/
> Start the setup_.exe file and click "Next".
> The tool will now be unzipped to its own folder on the Desktop; confirm this by pressing "Next" again.
> Now click "Scan" to start the quick scan.
> When it's finished, the malware found will be shown to you; press "Delete".
> Now click the "Reports" button in the main screen and save the logfile to your Desktop.
> Post this logfile in your next reply.
> After that you'll get this message: "Do you want to uninstall?"; choose "Yes".
> The tool will then be deleted.
>
> You failed to mention what operating system you are using; go ahead and post those MBAM logs.
>
> Do, or do not. There is no 'try.'


OK, I'll "do" it now. :thumbsup: I'm using XP.

Here's my MBAM log file.

Malwarebytes' Anti-Malware 1.28
Database version: 1222
Windows 5.1.2600 Service Pack 3

9/29/2008 10:53:09 PM
mbam-log-2008-09-29 (22-53-09).txt

Scan type: Full Scan (C:\|)
Objects scanned: 248539
Time elapsed: 2 hour(s), 30 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\qoMdBQHw.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sjsyhgus.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jkkKcDTM.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0966f3d5-c170-42b2-91cc-dbfdc77e9625} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkkkcdtm (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0966f3d5-c170-42b2-91cc-dbfdc77e9625} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fe2d0a99-b9aa-4e46-b522-64d08839bfff} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{fe2d0a99-b9aa-4e46-b522-64d08839bfff} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\slttgwuo (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\slttgwuo (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0966f3d5-c170-42b2-91cc-dbfdc77e9625} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Security Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\qomdbqhw -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomdbqhw -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\jkkKcDTM.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qoMdBQHw.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wHQBdMoq.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wHQBdMoq.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sjsyhgus.dll (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\WinSpeedUp\lxt_wsu28.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP432\A0098834.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP432\A0098836.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP432\A0098837.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP432\A0098854.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\bsrdal.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Edited by tj1182, 30 September 2008 - 02:04 AM.
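The log above is a good illustration of why Vundo fights removal: the same DLLs are registered as a Browser Helper Object, a ShellExecuteHook, a Winlogon Notify package and an LSA package, so they are mapped into Internet Explorer, explorer.exe, winlogon.exe and lsass.exe and are locked when the scanner tries to delete them (hence "Delete on reboot"). As an added example, not code from this thread, BleepingComputer or Malwarebytes, the Python below parses MBAM detection lines of this shape and groups each hit by the persistence mechanism it abuses, listing the items that were still pending deletion. The sample log is a constructed subset of the lines posted above; the mechanism labels and the regular expressions that assign them are this example's own.

```python
"""Group MBAM (Malwarebytes' Anti-Malware) detections by persistence mechanism.

Added example for this thread; the category labels and regexes are its own.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the detection lines from the MBAM log
# posted in the thread, with the section headers MBAM prints around them.
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\qoMdBQHw.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jkkKcDTM.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0966f3d5-c170-42b2-91cc-dbfdc77e9625} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkkkcdtm (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0966f3d5-c170-42b2-91cc-dbfdc77e9625} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\slttgwuo (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0966f3d5-c170-42b2-91cc-dbfdc77e9625} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Security Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\qomdbqhw -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\wHQBdMoq.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP432\A0098836.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\bsrdal.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# One MBAM detection line: "<item> (<detection name>) -> <result>"
LINE_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[A-Za-z.]+)\) -> (?P<rest>.+)$")

# Ordered (regex, label) pairs; first match wins, so the specific autostart
# locations are tested before the generic "file on disk" rule.
MECHANISMS = [
    (r"\\Winlogon\\Notify\\", "Winlogon Notify DLL (loaded by winlogon.exe, Safe Mode included)"),
    (r"\\Control\\LSA\\(Security|Authentication) Packages$", "LSA package (loaded by lsass.exe at boot)"),
    (r"\\Browser Helper Objects\\", "Browser Helper Object (loaded by Internet Explorer)"),
    (r"\\ShellExecuteHooks\\", "ShellExecuteHook (loaded by explorer.exe)"),
    (r"\\Services\\", "Service or driver registration"),
    (r"^HKEY_CLASSES_ROOT\\CLSID\\", "COM class registration for the DLL"),
    (r"\\drivers\\[^\\]+\.sys$", "Kernel driver file"),
    (r"\\System Volume Information\\_restore", "System Restore point copy (comes back on restore)"),
    (r"\.(dll|ini\d*|exe)$", "Payload file on disk"),
]


def classify(item):
    """Return the persistence-mechanism label for a registry path or file path."""
    for pattern, label in MECHANISMS:
        if re.search(pattern, item, re.IGNORECASE):
            return label
    return "Other"


def parse_mbam_log(text):
    """Parse MBAM detection lines into dicts; 'in_use' marks 'Delete on reboot' items."""
    records, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":") and " -> " not in line:
            section = line[:-1]          # e.g. "Registry Keys Infected"
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        rest, data = m.group("rest"), None
        if rest.startswith("Data: "):    # registry data items carry the value too
            data, rest = rest[len("Data: "):].split(" -> ", 1)
        records.append({
            "section": section,
            "item": m.group("item"),
            "detection": m.group("name"),
            "data": data,
            "action": rest.rstrip("."),
            "in_use": rest.startswith("Delete on reboot"),
            "mechanism": classify(m.group("item")),
        })
    return records


def summarize(records):
    """Return ({mechanism: [items]}, [items still pending deletion at reboot])."""
    by_mechanism = defaultdict(list)
    for r in records:
        by_mechanism[r["mechanism"]].append(r["item"])
    pending = [r["item"] for r in records if r["in_use"]]
    return dict(by_mechanism), pending


if __name__ == "__main__":
    grouped, pending = summarize(parse_mbam_log(SAMPLE_LOG))
    for label, items in grouped.items():
        print(f"{label}: {len(items)}")
        for item in items:
            print(f"    {item}")
    print(f"\nStill loaded at scan time (Delete on reboot): {len(pending)}")
```

Run against a full MBAM log file (`parse_mbam_log(open(path).read())`) and the "pending" list is the set of things to verify after the reboot; if the same Winlogon Notify or LSA entries reappear in the next scan, the locked DLLs were re-written before the deferred delete ran, which is the re-infection loop the poster describes.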


#8 tj1182 (Topic Starter)

Posted 30 September 2008 - 02:03 AM

Are these things serious threats? This is my work PC and I have a lot of sensitive data on here. Should I be concerned?

#9 DaChew

Posted 30 September 2008 - 04:40 AM

With these symptoms and a Vundo.H infection, I would have disconnected from the internet, backed up my data and reloaded.

I might continue the disinfection while offline.



