
Trojan.Vundo.H infection


9 replies to this topic

#1 junio

  • Members
  • 5 posts

Posted 06 December 2008 - 05:20 PM

Computer has been acting up for a few days: running slow, browser locking up.
Yesterday the precata.com/pantomi.com/registrydefender.com pop-ups started.
Installed Malwarebytes' Anti-Malware, ran it several times in between reboots, and the only infection remaining is Trojan.Vundo.H.
I've done lots of research and all I know how to do and now need some help.

Running:
XP, SP3
IE7
Have HijackThis installed and ready to run and post log files.

Thanks much in advance!


#2 buddy215

  • BC Advisor
  • 12,878 posts
  • Gender:Male
  • Location:West Tennessee

Posted 06 December 2008 - 09:03 PM

http://www.superantispyware.com/ works best at finding and removing the malware when the scan is run in SAFE MODE AFTER INSTALLING.

Download and install SUPERAntiSpyware Free from the link above.

* Double-click SUPERAntiSpyware.exe and use the default settings for installation (or the renamed .EXE).
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates".
* Under "Configuration and Preferences", click the Preferences... button.
* Click the "General and Startup" tab, and under Start-up Options, make sure the "Start SUPERAntiSpyware when Windows starts" box is unchecked.
* Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen and exit the program.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

* Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes" and reboot normally.
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 junio

junio
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:45 AM

Posted 07 December 2008 - 06:05 PM

Sorry for the delay, but the complete SUPERAntiSpyware scan took 18:30 to run!!! Does Safe Mode make it that much longer to run? I realize it depends on the number of files, etc. to scan, but that seemed excessive. Anyway, the Scan Log results are as follows:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/07/2008 at 04:47 PM

Application Version : 4.22.1014

Core Rules Database Version : 3665
Trace Rules Database Version: 1645

Scan type : Complete Scan
Total Scan Time : 18:30:58

Memory items scanned : 212
Memory threats detected : 0
Registry items scanned : 7862
Registry threats detected : 2
File items scanned : 221263
File threats detected : 38

Adware.Tracking Cookie
C:\Documents and Settings\jp\Cookies\jp@tribalfusion[2].txt
C:\Documents and Settings\jp\Cookies\jp@indextools[2].txt
C:\Documents and Settings\jp\Cookies\jp@chitika[1].txt
C:\Documents and Settings\jp\Cookies\jp@at.atwola[2].txt
C:\Documents and Settings\jp\Cookies\jp@avgtechnologies.112.2o7[1].txt
C:\Documents and Settings\jp\Cookies\jp@ads.techguy[2].txt
C:\Documents and Settings\jp\Cookies\jp@tacoda[1].txt
C:\Documents and Settings\jp\Cookies\jp@questionmarket[2].txt
C:\Documents and Settings\jp\Cookies\jp@insightexpressai[1].txt
C:\Documents and Settings\jp\Cookies\jp@marthastewart.122.2o7[1].txt
C:\Documents and Settings\jp\Cookies\jp@ads.pointroll[1].txt
C:\Documents and Settings\jp\Cookies\jp@www.burstbeacon[1].txt
C:\Documents and Settings\jp\Cookies\jp@revsci[2].txt
C:\Documents and Settings\jp\Cookies\jp@ads.bleepingcomputer[2].txt
C:\Documents and Settings\jp\Cookies\jp@www.googleadservices[1].txt
C:\Documents and Settings\Danistar\Cookies\danistar@adopt.specificclick[2].txt
C:\Documents and Settings\Danistar\Cookies\danistar@ads.pointroll[2].txt
C:\Documents and Settings\Danistar\Cookies\danistar@ads.revsci[1].txt
C:\Documents and Settings\Danistar\Cookies\danistar@anat.tacoda[1].txt
C:\Documents and Settings\Danistar\Cookies\danistar@atwola[1].txt
C:\Documents and Settings\Danistar\Cookies\danistar@cbs.112.2o7[1].txt
C:\Documents and Settings\Danistar\Cookies\danistar@cbsdigitalmedia.112.2o7[1].txt
C:\Documents and Settings\Danistar\Cookies\danistar@collective-media[1].txt
C:\Documents and Settings\Danistar\Cookies\danistar@e-2dj6wjmishdzmbq.stats.esomniture[2].txt
C:\Documents and Settings\Danistar\Cookies\danistar@e-2dj6wjnyskcpkhp.stats.esomniture[2].txt
C:\Documents and Settings\Danistar\Cookies\danistar@edge.ru4[1].txt
C:\Documents and Settings\Danistar\Cookies\danistar@imrworldwide[2].txt
C:\Documents and Settings\Danistar\Cookies\danistar@insightexpressai[2].txt
C:\Documents and Settings\Danistar\Cookies\danistar@nintendo.112.2o7[1].txt
C:\Documents and Settings\Danistar\Cookies\danistar@partner2profit[1].txt
C:\Documents and Settings\Danistar\Cookies\danistar@precisionclick[2].txt
C:\Documents and Settings\Danistar\Cookies\danistar@richmedia.yahoo[1].txt
C:\Documents and Settings\Danistar\Cookies\danistar@shopping.112.2o7[1].txt
C:\Documents and Settings\Danistar\Cookies\danistar@specificclick[1].txt
C:\Documents and Settings\Danistar\Cookies\danistar@track.cbs[1].txt
C:\Documents and Settings\Danistar\Cookies\danistar@tripod[2].txt
C:\Documents and Settings\Danistar\Cookies\danistar@www.burstbeacon[1].txt
C:\Documents and Settings\Danistar\Cookies\danistar@www.googleadservices[1].txt

Adware.MyWebSearch/FunWebProducts
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs

#4 junio


Posted 07 December 2008 - 06:06 PM

I almost forgot---Thank you, Buddy215 for helping me on this!!!

#5 buddy215


Posted 07 December 2008 - 08:19 PM

SAS did not find Vundo. If you still had it on your comp it usually finds some trace of it.
Did MBAM find it and remove it?

As far as scanning in safe mode---scanning would be faster because there are fewer resources being used by other programs, etc. Just curious, how many gigabytes of files do you have on your HD? That is a LOOOONG scan time!

I will wait to hear back from you with the answers.

Find "My Web Search (Popular Screensavers)" in the list of installed programs and click on Change/Remove to uninstall it. You may also want to uninstall any of the following items associated with FunWebProducts.

* My Web Search (Smiley Central or FWP product as applicable)
* My Way Speedbar (Smiley Central or other FWP as applicable)
* My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
* My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
* Search Assistant - My Way
Next, open My Computer, Drive C, and double-click on the Program Files folder
Right-click and delete the folders for:

* FunWebProducts
* MyWebSearch

Edited by buddy215, 07 December 2008 - 08:29 PM.



#6 junio


Posted 07 December 2008 - 08:37 PM

C: has 28.6 GB used (of 86.4)

I ran Malwarebytes' Anti-Malware and it still shows up. It keeps coming back after being removed by MBAM. MBAM log file below:

Malwarebytes' Anti-Malware 1.31
Database version: 1466
Windows 5.1.2600 Service Pack 3

12/7/2008 7:14:16 PM
mbam-log-2008-12-07 (19-14-16).txt

Scan type: Quick Scan
Objects scanned: 114095
Time elapsed: 52 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hikosekoyi (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Earlier, before posting to this forum the first time, I deleted the infected registry value shown in the log file above, rebooted, and it returned. Something somewhere else is recreating it on reboot.

Thanks.
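
The pattern junio describes, a Run value that is deleted and comes back after a reboot, means some other autostart component is re-creating it, and the practical way to find that component is to snapshot the autostart keys right after the deletion and again after the reboot, then diff the two. The script below is an added example of that workflow; it is not code from this thread, from Malwarebytes or from SUPERAntiSpyware. It assumes each watched key was exported with `reg export` and decoded from UTF-16LE to text; the watch-list of keys and the "7+ lowercase letters" random-name heuristic are the example author's choices, not something the thread states; and the sample exports are constructed: only the value name hikosekoyi comes from the MBAM log above, while its data and the qwobnudr.dll loader under Winlogon\Notify are made up to illustrate the pattern.

```python
"""Diff two autostart registry exports to see what re-creates a Run value.

Added example, not code from this thread or from MBAM/SAS. Assumes the keys
in WATCHED were exported with `reg export "<key>" <file>` right after the Run
value was deleted and again after the reboot that brought it back, then
decoded from UTF-16LE to str. The sample exports are constructed: only the
name "hikosekoyi" is from the poster's MBAM log; its data and qwobnudr.dll
are made up.
"""
import re

# XP autostart locations worth snapshotting (the example author's watch-list).
WATCHED = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
)
RUN_KEY, NOTIFY_KEY = WATCHED[0], WATCHED[1]
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
PATH_RE = re.compile(r"([A-Za-z0-9_-]+)\.(?:dll|exe)\b", re.IGNORECASE)
LOWER_WORD = re.compile(r"^[a-z]{7,}$")


def logical_lines(text):
    """Join .reg continuation lines (trailing backslash) into one line."""
    out, buf = [], None
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if buf is not None:
            line, buf = buf + line.strip(), None
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        out.append(line)
    return out if buf is None else out + [buf]


def unescape(data):
    """Undo .reg string escaping (\\" and \\\\) and drop the outer quotes."""
    if len(data) >= 2 and data[0] == data[-1] == '"':
        data = data[1:-1]
    return data.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {(key_path, value_name): data} for values under WATCHED keys
    and their subkeys. Default values are named '@'; string data is unescaped."""
    entries, current = {}, None
    for line in logical_lines(text):
        m = KEY_RE.match(line)
        if m:
            path = m.group(1)
            inside = any(path == w or path.startswith(w + "\\") for w in WATCHED)
            current = path if inside else None
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            entries[(current, name)] = unescape(m.group(2).strip())
    return entries


def looks_random(token):
    """Heuristic: 7+ lowercase letters, no digits, dots or capitals. Vendor
    names (SunJavaUpdateSched, ctfmon) miss; hikosekoyi hits. A hint, not proof."""
    return bool(LOWER_WORD.match(token))


def suspicious(key, name, data):
    """True if the value name, its parent key name, or the stem of any
    .dll/.exe path in the data looks random."""
    tokens = [name, key.rsplit("\\", 1)[-1]]
    tokens += [m.group(1) for m in PATH_RE.finditer(data)]
    return any(looks_random(t) for t in tokens)


def triage(before_text, after_text):
    """Entries that came back after the reboot, entries that look random, and
    Winlogon\\Notify / AppInit_DLLs entries to check by hand in any case."""
    before, after = parse_reg_export(before_text), parse_reg_export(after_text)
    return {
        "recreated": sorted(k for k in after if k not in before),
        "flagged": sorted(k for k, d in after.items() if suspicious(k[0], k[1], d)),
        "review": sorted(k for k in after
                         if k[0].startswith(NOTIFY_KEY) or k[1] == "AppInit_DLLs"),
    }


# Constructed sample exports, not data from the poster's machine.
_RUN = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
_LOADER = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qwobnudr]
"DllName"="C:\\WINDOWS\\system32\\qwobnudr.dll"
"Startup"="EventHandler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
'''
SAMPLE_BEFORE = _RUN + _LOADER
SAMPLE_AFTER = (_RUN
                + r'"hikosekoyi"="rundll32.exe \"C:\\WINDOWS\\system32\\qwobnudr.dll\",a"'
                + "\n" + _LOADER)
```

Call `triage(before, after)` with your own two decoded exports. Anything under "recreated" is what the reboot brought back; anything under "flagged" or "review" that is not a known vendor component is the thing to investigate and remove with the tools above, since deleting the Run value on its own only removes the symptom. The name heuristic is deliberately crude and will miss a loader with a plausible-looking name, so the "review" list is there to be read in full regardless of what the heuristic says.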

#7 buddy215


Posted 07 December 2008 - 08:53 PM

I edited my last post with some more info on removing the Fun Web products.

Here is the deal on Vundo and the two scanning programs. They both will update tomorrow. I am pretty sure that SAS will update usually around 7pm EST. They sometimes do an early update then a later one.

The experts that could help you more than I can are backed up. It could be a week or more before they get to your problem.
I suggest you stay off line and update tomorrow evening to see if those programs can find the problem.
Vundo changes constantly to hide itself from the security programs and they are always playing catch up.



#8 buddy215


Posted 07 December 2008 - 09:07 PM

Use CCleaner to clean up your temporary files, logs, etc. During install you will be offered the Yahoo Toolbar. Uncheck it if not wanted. http://www.ccleaner.com/

You should check all your programs for security updates. A fast way to do that is by using Secunia online scanner. It is fast and accurate. http://secunia.com/vulnerability_scanning/online/

Vundo is known to exploit old Java programs. If yours needs updating, update it, then go to Add/Remove and remove all old versions of Java. The easiest way to make sure you get the correct Sun Java update is to open Java in the Control Panel (coffee cup) and choose update.

Adobe Flash and Adobe Reader have also been exploited recently.



#9 junio


Posted 07 December 2008 - 09:54 PM

Thanks for all the suggestions. I am a bit confused on uninstalling/deleting folders part you instructed above:

Find "My Web Search (Popular Screensavers)" in the list of installed programs and click on Change/Remove to uninstall it. You may also want to uninstall any of the following items associated with FunWebProducts.

* My Web Search (Smiley Central or FWP product as applicable)
* My Way Speedbar (Smiley Central or other FWP as applicable)
* My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
* My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
* Search Assistant - My Way
Next, open My Computer, Drive C, and double-click on the Program Files folder
Right-click and delete the folders for:

* FunWebProducts
* MyWebSearch

None of these show up in Add/Remove Programs, nor in the Program Files folder.

#10 buddy215


Posted 07 December 2008 - 10:16 PM

Good. If they aren't there, don't delete them. :thumbsup:

Using CCleaner will help a little in reducing scan time. I use it almost daily.

I would do a "quick scan" with SAS tomorrow. That should shorten the scanning a lot.
