Trojan Vundo.gen.k won't go away


14 replies to this topic

#1 Miche2Cor517

Posted 08 October 2008 - 11:42 PM

Greetings, this is my first Bleeping Computer post, and I am not usually a blog/threads? user, although slightly more computer literate than a novice
(BTW -- love the name of your site, so very appropriate!!)

Posting from my wireless laptop because my desktop has become very unstable and can't even access internet now.
Home Desktop: Dell Dimension
Windows XP
Internet Explorer 7.0
scan daily with McAfee and Ad-Aware
have never had such a severe problem with it; have never had to reformat

Have been battling Trojan Vundo.gen.k for almost a week now.

As of 5 minutes ago, I had a clean Ad-Aware and McAfee virus scan; BUT, I'm not convinced that the thing is really gone.
The main question in this post is:

IS THERE SOMETHING ELSE I SHOULD DO TO MAKE SURE THE TROJAN IS GONE AND ALL THE CORRUPTED SYSTEM FILES IT MAY HAVE ATTACKED ARE REPAIRED?


If you want/need more info and the play-by-play of events over the last 5 days, keep reading...


Husband first discovered problem on routine Ad-Aware scan. Unfortunately, he did not inform me of any problem.
He said there was a line entry in the log under Tracking Objects that had a green smiley with horns.
He said he "removed" it as usual, as he has with the daily dozen or so Tracking Cookies and MRU objects.

Then the *#&)@ hits the fan.
Certain things on the internet not working. For one example: I have a separate hotmail (live.com) email address. While I could log on to the account and see my Inbox, it would not open individual emails for me to read (did NOT happen when I accessed same email account from our wireless laptop).
Husband also said that "internet would work for about an hour, then freeze".
Then the internet just stopped working altogether (but, could still get our email from Outlook Express on the Dell, and had no problem with any internet things when connected wireless in our home on the hp laptop).

Ad-Aware did not pick up any other problems like the one my husband initially found. Initially, when my husband ran manual McAfee scans, he said they came up clean also. However, 2-3 days ago, when I decided to run another McAfee antivirus scan myself, the trojan showed up; AND when I reviewed the log file for McAfee, I discovered it had been "Repaired (removed)" every day since 10/2/08 by the "Real-Time" scan; oddly enough, my "Manual Scan" on 10/6/08 only showed as "Quarantined".

I subsequently googled as much as I could find about this Vundo.gen.k and found out it's a nasty bugger.
randomly generated, self-replicating System32 dll files
attached to the winlogon and explorer.exe files

I have run "FixVundo" "VundoFix" and "VirtumondoBeGone" and all come up clean, no vundo found.

Then thinking my explorer.exe and winlogon files are corrupted, I booted from the WindowsXP start up disk and let it run its automatic repair thing. I've actually done that a few times now, because I kept getting various errors....including .... the blue screen of death!! in the middle of the Windows set up/automatic repair process where the
"problem detected" was
BAD_POOL_CALLER

Windows then restarted itself, and the Set Up process resumed automatically (don't ask me?)

Was able to get onto internet for a brief moment, tried to run Windows Update (so I could get my Service Pack 2 again), but the Update program wasn't running and couldn't manually start it, wouldn't let me??

Another error I kept getting was a window where the title was
Explorer.exe - ENTRY POINT NOT FOUND
The procedure entry point Encode Pointer could not be located in the dynamic link library Kernel32.dll


That's when I knew I was out of my league; I have NO IDEA what any of that means.

SO, TODAY,
Windows is up and running (from the disk) (I am fearful of restarting/rebooting because what I read was that the trojan was activated every time Windows started).

A McAfee pop-up window showed up shortly after start up. It found a "Potentially Unwanted Program" PrcViewer. This was a new development, I have not seen that pop-up or program name in this whole time I've been trying to fix the problem. MA was able to remove it. ?????

I was able to print a document from Word (which we HAD to do tonight).

I was able to, again, run Ad-Aware and McAfee virus scans manually, neither of which detected any trojan.


But I'm scared to do anything else, like try to connect to the internet or see if that Automatic/Windows Update problem has been corrected.

So, thanks for listening, you guys are like therapists too. Have been so frustrated and exhausted over this the past week.

Any advice on how I can be sure the computer is clean and repaired is GREATLY, GREATLY APPRECIATED!!!!
I just want to know if it's safe to surf again :thumbsup:


Thanks,
Miche
2 Cor 5:17

#2 Budapest

Posted 08 October 2008 - 11:59 PM

Run this scan. If you don't want to connect the problem machine to the internet download the following two files (links for these files are given below) on another computer and transfer them across on a CD or pen drive:

mbam-setup.exe
mbam-rules.exe


Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 Miche2Cor517

Miche2Cor517
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:46 AM

Posted 09 October 2008 - 12:50 AM

Thank you
running now.
I am using the wireless laptop for this post.

to copy and paste the log file, do you see any risk in copying that note pad file and transferring it (via pen drive) onto the laptop so I can post the log for you?

#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,577 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 PM

Posted 09 October 2008 - 01:04 AM

There shouldn't be a problem transferring the file over if you hold down the Shift key when you plug the drive in. This will prevent any software on the drive from running.

You can run Flash Disinfector to make sure the pen drive is clean:

http://www.techsupportforum.com/sectools/s...Disinfector.exe

#5 Miche2Cor517

Miche2Cor517
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:46 AM

Posted 09 October 2008 - 01:31 AM

Well, good thing I didn't trust Ad-Aware and McAfee...
here's the log
Did First scan. Did have to restart to complete removal of some items; restarted without any glitches.
Then ran Malware again. Second scan log came up completely clean. See below



Malwarebytes' Anti-Malware 1.28
Database version: 1134
Windows 5.1.2600 Service Pack 1

10/9/2008 1:07:26 AM
mbam-log-2008-10-09 (01-07-26).txt

Scan type: Quick Scan
Objects scanned: 51685
Time elapsed: 4 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 11
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\ljJCRIXn.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7c5085c9-c744-4d9f-abf2-7afdb2326ab9} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{7c5085c9-c744-4d9f-abf2-7afdb2326ab9} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{daa873d4-958c-453c-81ca-3fe6f3676a87} (Rootkit.ADS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\kernelexe (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.starsdoor.com (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\ljjcrixn -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\ljjcrixn -> Delete on reboot.

Folders Infected:
C:\Program Files\Temporary (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\ljJCRIXn.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\nXIRCJjl.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\nXIRCJjl.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Unist1.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Uninst2.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\System32:rdaa.dll (Rootkit.ADS) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM2f308719.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM2f308719.txt (Trojan.Vundo) -> Quarantined and deleted successfully.



SECOND SCAN AFTER RESTART --

Malwarebytes' Anti-Malware 1.28
Database version: 1203
Windows 5.1.2600 Service Pack 1

10/9/2008 1:56:24 AM
mbam-log-2008-10-09 (01-56-24).txt

Scan type: Quick Scan
Objects scanned: 52708
Time elapsed: 4 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


SO NOW MALWARE SHOWS CLEAN. ARE THERE MORE CLEANERS THAT I SHOULD USE?
THANKS AGAIN! YOU ARE AWESOME!!


Miche

#6 Miche2Cor517

Miche2Cor517
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:46 AM

Posted 09 October 2008 - 01:33 AM

Also, forgot to ask,
since Internet Explorer had so many problems itself, should I remove it completely and download a fresh copy?

#7 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,577 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 PM

Posted 09 October 2008 - 01:36 AM

Also, forgot to ask,
since Internet Explorer had so many problems itself, should I remove it completely and download a fresh copy?

I wouldn't bother unless you are still experiencing problems with IE.

Your log showed Rootkit and Backdoor infections. These can be particularly nasty and your online passwords may have been compromised.

Rerun the Malwarebytes scan, but this time do the Full Scan.
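The two conclusions Budapest draws from the posted log (entries still marked "Delete on reboot" mean the machine must be rebooted before a rescan means anything, and Rootkit/Backdoor categories mean online passwords should be changed) can be pulled out of an MBAM 1.x log mechanically. This is an added Python example, not code from the thread or from Malwarebytes; the sample log is constructed to mirror the posted format, and the paths, CLSID and domain in it are placeholders.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log (format as posted in this
thread) and derive the follow-up decisions: is a reboot still pending, and do
any detections fall in families that imply credential compromise?
SAMPLE_LOG is CONSTRUCTED to mirror the posted format; it is not real data."""
import re
from collections import Counter

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.28
Database version: 1134

Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Data Items Infected: 1
Files Infected: 2

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\example1.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001} (Rootkit.ADS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.example.invalid (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\example1 -> Delete on reboot.

Files Infected:
C:\WINDOWS\SYSTEM32\example1.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# Detection line: "<item> (<Category>) -> <action>"; data-item lines carry
# an extra "Data: ... -> <action>" clause in front of the real action.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<category>[^()]+)\) -> (?P<rest>.+)$")
# Summary counts at the top of the log, e.g. "Registry Keys Infected: 11"
COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
# Families the reply above treats as grounds for changing online passwords
CREDENTIAL_RISK_FAMILIES = ("Rootkit", "Backdoor")


def parse_mbam_log(text):
    """Return (summary_counts, findings); each finding records the section it
    was listed under, the item (path or registry key), category and action."""
    counts, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m.group("section")] = int(m.group("count"))
            continue
        if line.endswith(":") and " -> " not in line:
            section = line[:-1]  # e.g. "Files Infected"
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            # Keep only the last "-> ..." clause: "Data: ..." is detail, not action
            action = m.group("rest").rstrip(".").rsplit(" -> ", 1)[-1]
            findings.append({"section": section, "item": m.group("item"),
                             "category": m.group("category"), "action": action})
    return counts, findings


def counts_consistent(counts, findings):
    """Header totals should equal the number of entries listed per section."""
    listed = Counter(f["section"] for f in findings)
    return all(listed.get(s, 0) == n for s, n in counts.items())


def assess(findings):
    """Turn parsed findings into the follow-up actions the thread discusses."""
    pending = sorted({f["item"] for f in findings
                      if f["action"].lower().startswith("delete on reboot")})
    risky = sorted({f["category"] for f in findings
                    if f["category"].split(".")[0] in CREDENTIAL_RISK_FAMILIES})
    return {
        "clean": not findings,
        "families": Counter(f["category"] for f in findings),
        "reboot_required": bool(pending),  # a rescan before reboot proves nothing
        "pending_items": pending,
        "credential_risk": risky,          # non-empty => change passwords
    }


if __name__ == "__main__":
    counts, findings = parse_mbam_log(SAMPLE_LOG)
    print("header counts match entries:", counts_consistent(counts, findings))
    for key, value in assess(findings).items():
        print(f"{key}: {value}")
```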

#8 Miche2Cor517

Miche2Cor517
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:46 AM

Posted 09 October 2008 - 01:43 AM

Your log showed Rootkit and Backdoor infections. These can be particularly nasty and your online passwords may have been compromised.

Rerun the Malwarebytes scan, but this time do the Full Scan.




Running full scan now. (I had a feeling this was a nasty infection)

about the online passwords, do I rectify that by just resetting all my previously used passwords on all password-requiring sites?

#9 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,577 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 PM

Posted 09 October 2008 - 01:48 AM

about the online passwords, do I rectify that by just resetting all my previously used passwords on all password-requiring sites?

Yes, I would change the passwords. And I would also monitor any email/bank accounts etc that have been accessed from this machine for suspicious activity.

#10 Miche2Cor517

Miche2Cor517
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:46 AM

Posted 09 October 2008 - 07:15 AM

Well, I fell asleep mid-scan:
but here's the report from the full system scan -- 1 additional file detected
I removed it
then turned off System Restore

now am running a full scan again -
will not see results of scan until after work this afternoon

if the repeat full scan is clear, what is the next step?

is there another scanner or fix tool?

I will run as many scanners/sweepers as you think necessary to try to be sure this thing is gone
(especially since it seems to be one where our system security and passwords may be in danger).

thanks again!! you guys are awesome
(did I see somewhere that I could donate to the website?)

Here's the log file from last night's full system scan --

Malwarebytes' Anti-Malware 1.28
Database version: 1203
Windows 5.1.2600 Service Pack 1

10/9/2008 7:52:57 AM
mbam-log-2008-10-09 (07-52-57).txt

Scan type: Full Scan (C:\|)
Objects scanned: 110550
Time elapsed: 1 hour(s), 0 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000044.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.


#11 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,577 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 PM

Posted 09 October 2008 - 04:58 PM

That last log looks much better. Now run this scan:

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#12 Miche2Cor517

Miche2Cor517
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:46 AM

Posted 11 October 2008 - 02:04 PM

Thanks for keeping up with me; things were a little hectic the last few days and not able to pay full attention to fixing this problem.

I did as last instructions:

ATF cleaner came out completely clean on the first scan.

SUPERAntiSpyware found the following:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/10/2008 at 09:54 AM

Application Version : 4.21.1004

Core Rules Database Version : 3594
Trace Rules Database Version: 1581

Scan type : Complete Scan
Total Scan Time : 01:08:06

Memory items scanned : 192
Memory threats detected : 0
Registry items scanned : 6807
Registry threats detected : 21
File items scanned : 21647
File threats detected : 1

Adware.Viewpoint Toolbar
HKLM\Software\Classes\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}
HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}
HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}
HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\InProcServer32
HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\InProcServer32#ThreadingModel
HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\ProgID
HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\Programmable
HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\TypeLib
HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\VersionIndependentProgID
HKCR\ViewBar.ViewBar.1
HKCR\ViewBar.ViewBar.1\CLSID
HKCR\ViewBar.ViewBar
HKCR\ViewBar.ViewBar\CLSID
HKCR\ViewBar.ViewBar\CurVer
HKCR\TypeLib\{E060D9D9-E979-4C2F-A840-BE5150F84AC5}
HKCR\TypeLib\{E060D9D9-E979-4C2F-A840-BE5150F84AC5}\1.0
HKCR\TypeLib\{E060D9D9-E979-4C2F-A840-BE5150F84AC5}\1.0\0
HKCR\TypeLib\{E060D9D9-E979-4C2F-A840-BE5150F84AC5}\1.0\0\win32
HKCR\TypeLib\{E060D9D9-E979-4C2F-A840-BE5150F84AC5}\1.0\FLAGS
HKCR\TypeLib\{E060D9D9-E979-4C2F-A840-BE5150F84AC5}\1.0\HELPDIR
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{F8AD5AA5-D966-4667-9DAF-2561D68B2012}


performed the quarantine/remove procedure; did have to reboot to complete removal process.

Ran SASW again and came up clean; no infections found.

Awaiting your next instructions. Thanks AGAIN!!!!!!!!


#13 Miche2Cor517

Miche2Cor517
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:46 AM

Posted 11 October 2008 - 10:20 PM

COPY OF MESSAGE SENT TO "BLEEPIN' JANITOR" Sat, 10/11/08 @ 11:15pm

Hello Bleepin' Janitor....
BTW, love this website (even the name is SO appropriate).
I first posted as a new member on 10/9/08 for help with trojan removal.
"Budapest" / Bleepin' Cynic has been extremely helpful but as I am waiting for further instructions, I came across a thread that you are helping another member with a Backdoor trojan
"Backdoor.Tidserv HELP" http://www.bleepingcomputer.com/forums/t/173124/backdoortidserv-help/

I read your initial caution about these type of trojans
My initial scan did show Backdoor and rootkit infection.
I feel at this point I must reformat the harddrive. I have personal and confidential business information on the computer and need to guarantee its safety.

I have 2 main questions:

FIRST:
you mentioned about the router "If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. " The infected Dell Desktop has been disconnected from the internet since I realized there was infection. It is usually "always on" broadband connection through a router that also gives us wireless in our home. I have been using our wireless laptop this whole time to correspond, do web research and download spyware programs, then burning them to CD and transferring them to the desktop. I don't even know if our router has a password, and I'm assuming it doesn't because I've never had to use it.

I KNOW THIS IS PROBABLY A SILLY QUESTION, BUT BY THIS POINT, I'M PARANOID: IS THE LAPTOP IN ANY DANGER FROM THIS SAME INFECTION JUST BECAUSE IT IS GETTING ITS WIRELESS SIGNAL FROM THE SAME ROUTER THAT THE DESKTOP WAS HARDLINE CONNECTED TO?

And part b of the first question, how do I password protect my router?



SECOND QUESTION:
When we do reformat (and yes, I'm going to pay someone to come and do it for me), and we back up all our personal data files, IS THERE A CHANCE THAT THE TROJAN WOULD BE IN ANY OF THOSE FILES? WILL I BE REINFECTING THE NEWLY WIPED HARDDRIVE?


Everyone dreads this day and scenario, but I just want to say THANK YOU for this website, I was going out of my mind before I found it. Now I'm just going out of my mind because I really do have to reformat...but at least I know it's the right decision and I wouldn't have known that without the help of BleepingComputer.com

I don't know how I'll get a response from this message (I'm very new at this whole forums thing). So I guess I'll be checking my "message" box for a reply; but I'll also copy this message to my thread and you could post a reply there also I guess.

"Trojan Vundo.gen.k won't go away" http://www.bleepingcomputer.com/forums/t/173474/trojan-vundogenk-wont-go-away/

With sincerest appreciation,
Miche

#14 Miche2Cor517

Miche2Cor517
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:46 AM

Posted 12 October 2008 - 08:52 PM

THIS IS A COPY OF MESSAGE I SENT TO BUDAPEST ("Bleepin' Cynic") TONIGHT
:thumbsup:

Hello Bleepin' cynic

Wanted to follow up on a topic you were helping me with last week. I saw that you were online tonight, and thought I would send you a message. I'm guessing that's how I would get in touch with you to seek further advice on an unfinished topic.

From 10/9/08 "Trojan Vundo.gen.k won't go away" http://www.bleepingcomputer.com/forums/ind...=173474&hl=

Infection included "Backdoor" and "Rootkit"
Well, I've decided that the only safe solution for my personal info and confidential business files is to Reformat the hard drive.

The final piece of advice I will ask of you...
When I back up my personal files (My Documents, pics, music files, etc.) is there a chance that those files will be carrying remnants of the trojan? I'm assuming I should run all the aforementioned scans on the external harddrive before I reload them onto the newly reformatted harddrive.


I've asked a few people (not computer specialists) and they seem to believe there is little to no threat (and even if there were remnants of the trojan, it would be too "watered down" to cause a viable threat). But I really wanted to know what you had to say.....

btw -- (your birthday wouldn't happen to be 8 days before Christmas? I have a friend (SPPRS) -- who I have been out of touch with -- computer savvy, very cynical, but hysterical, and happens to love Guinness - that I just noticed is one of your icons; anyway, his birthday is 8 days before Christmas, it's an inside joke, but it would be mind-boggling if you are actually him)

Your assistance has been invaluable!! I look forward to any additional guidance you can offer.

Miche

#15 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,577 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 PM

Posted 12 October 2008 - 09:31 PM

When I back up my personal files (My Documents, pics, music files, etc.) is there a chance that those files will be carrying remnants of the trojan? I'm assuming I should run all the aforementioned scans on the external harddrive before I reload them onto the newly reformatted harddrive.

There is a chance of this. But if you scan the files with Malwarebytes, SuperAntiSpyware and whatever anti-virus you use you should be okay.

btw -- (your birthday wouldn't happen to be 8 days before Christmas?

No.