vundo


19 replies to this topic

#1 deejen

  • Members
  • 75 posts

Posted 10 December 2008 - 06:34 PM

I had a recent infection and took care of it with your help. Now I keep getting Vundo infections over and over. I have run Malwarebytes, SDFix and SUPERAntiSpyware. I have Win XP, NOD32 and a firewall. Any help would be appreciated.


#2 Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 10 December 2008 - 06:40 PM

Did you run SUPERAntiSpyware in Safe Mode? If not, try that and post the log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 deejen


Posted 10 December 2008 - 08:17 PM

Ran it, and only adware tracking cookies. Can't find the log; it only has older ones.

#4 Budapest


Posted 10 December 2008 - 08:34 PM

Run another scan with Malwarebytes (quick scan in normal mode) and post the log.

#5 deejen


Posted 11 December 2008 - 12:42 AM

Okay, this is weird. I had scanned twice today and had Vundo, and now I scanned and don't. I will try again in the morning and let you know.

#6 deejen


Posted 12 December 2008 - 04:30 PM

Malwarebytes' Anti-Malware 1.31
Database version: 1486
Windows 5.1.2600 Service Pack 2

12/12/2008 3:29:58 PM
mbam-log-2008-12-12 (15-29-58).txt

Scan type: Quick Scan
Objects scanned: 47629
Time elapsed: 6 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 5
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\jinuwayi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jofopobu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\diwevari.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70882beb-0349-4c9d-a26e-f89b83fa1ca2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{70882beb-0349-4c9d-a26e-f89b83fa1ca2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sohejokapu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpme30f6724 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\jofopobu.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\jofopobu.dll -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\jinuwayi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\iyawunij.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\diwevari.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jofopobu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fimabini.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nakonaze.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

#7 Budapest


Posted 12 December 2008 - 05:43 PM

Now scan with Dr.Web CureIt! in Safe Mode.

#8 deejen


Posted 12 December 2008 - 06:57 PM

Ran it; it came up clean.

#9 Budapest


Posted 12 December 2008 - 08:16 PM

So how's your computer running now?

#10 deejen


Posted 13 December 2008 - 12:20 AM

It's better, hopefully it will stay that way. Thanks.

#12 deejen


Posted 13 December 2008 - 04:28 AM

It's back...

Malwarebytes' Anti-Malware 1.31
Database version: 1486
Windows 5.1.2600 Service Pack 2

12/13/2008 3:26:01 AM
mbam-log-2008-12-13 (03-26-01).txt

Scan type: Quick Scan
Objects scanned: 48635
Time elapsed: 8 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 6
Registry Values Infected: 5
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\veyekuke.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\parodupa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tezohonu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\palifomu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\yazeriza.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70882beb-0349-4c9d-a26e-f89b83fa1ca2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{70882beb-0349-4c9d-a26e-f89b83fa1ca2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{70882beb-0349-4c9d-a26e-f89b83fa1ca2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e03c54b8 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sohejokapu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpme30f6724 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\tezohonu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\tezohonu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\palifomu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\palifomu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\palifomu.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\veyekuke.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ekukeyev.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vobozudu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tezohonu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\parodupa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\palifomu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\yazeriza.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\worusego.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

#13 deejen


Posted 14 December 2008 - 02:27 AM

I also seem to have a hijacker; my pages keep diverting to fling.com...

#14 deejen


Posted 14 December 2008 - 02:45 AM

Malwarebytes' Anti-Malware 1.31
Database version: 1486
Windows 5.1.2600 Service Pack 2

12/14/2008 1:44:59 AM
mbam-log-2008-12-14 (01-44-59).txt

Scan type: Quick Scan
Objects scanned: 46840
Time elapsed: 11 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\tedegeru.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70882beb-0349-4c9d-a26e-f89b83fa1ca2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{70882beb-0349-4c9d-a26e-f89b83fa1ca2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sohejokapu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tedegeru.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\delekuwu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mokosuha.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mubohome.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tarekalu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prunnet.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\repudana.dll.tmp (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\winvsnet.tmp (Trojan.Dropper) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMFVLfe.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Temp\rasesnet.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\wavvsnet.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\xpre.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
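
Across the three logs posted in this thread the same BHO CLSID ({70882beb-0349-4c9d-a26e-f89b83fa1ca2}) and the same Run value name (sohejokapu) come back every day, while the DLL names under system32 and in AppInit_DLLs are different on every scan, and the last log also lists downloader and dropper components (prunnet.exe, winvsnet.tmp) next to the Vundo DLLs. The Python below is an added example, not code from this thread or from Malwarebytes: it parses detection lines in the shape the posted logs use (assumed general for MBAM 1.x: item, family in parentheses, "->", optional "Data: ... ->", then the action), maps each registry hit to the autostart mechanism it abuses, and reports what recurs across scans and what was still loaded at scan time. The log excerpts are constructed from the posts above (a few lines from each, not the full logs); nothing else is assumed.

```python
import re
from collections import defaultdict

# Constructed excerpts of the three Malwarebytes 1.31 logs posted in this thread
# (a few lines from each, not the full logs); paths, CLSIDs and names are copied as-is.
SCAN_LOGS = {
    "2008-12-12": r"""
Memory Modules Infected:
C:\WINDOWS\system32\jofopobu.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70882beb-0349-4c9d-a26e-f89b83fa1ca2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sohejokapu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\jofopobu.dll -> Delete on reboot.
""",
    "2008-12-13": r"""
Memory Modules Infected:
C:\WINDOWS\system32\palifomu.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70882beb-0349-4c9d-a26e-f89b83fa1ca2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sohejokapu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\palifomu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\palifomu.dll -> Quarantined and deleted successfully.
""",
    "2008-12-14": r"""
Memory Modules Infected:
C:\WINDOWS\system32\tedegeru.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70882beb-0349-4c9d-a26e-f89b83fa1ca2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sohejokapu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Downloader) -> Quarantined and deleted successfully.
""",
}

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
# Detection line shape seen in the posted logs:  <item> (<family>) -> [Data: <data> -> ]<action>.
ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$"
)

# Autostart locations that appear in the logs, keyed by a substring of the registry path.
AUTOSTART = {
    "\\Browser Helper Objects\\": "BHO (loaded into every Internet Explorer process)",
    "\\CurrentVersion\\Run\\": "Run value (started at logon)",
    "ShellServiceObjectDelayLoad": "SSODL (loaded by Explorer at logon)",
    "AppInit_DLLs": "AppInit_DLLs (loaded into every process that loads user32.dll)",
    "LSA\\Notification Packages": "LSA notification package (loaded by lsass.exe at boot)",
}


def parse_log(text):
    """Return one dict per detection line, tagged with the section it was listed under."""
    findings, section = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if (m := SECTION_RE.match(line)):
            section = m.group("section")
        elif section and (m := ENTRY_RE.match(line)):
            findings.append({"section": section, **m.groupdict()})
    return findings


def autostart_mechanism(item):
    """Map a registry path from the log to the autostart mechanism it abuses, or None."""
    for needle, label in AUTOSTART.items():
        if needle.lower() in item.lower():
            return label
    return None


def pending_reboot(findings):
    """Items MBAM could only schedule for deletion: the DLL was still loaded during the scan."""
    return sorted({f["item"] for f in findings if f["action"] == "Delete on reboot"})


def recurring_autostarts(scans):
    """Autostart entries seen in two or more scans, i.e. what keeps being re-created."""
    seen = defaultdict(set)
    for date, findings in scans.items():
        for f in findings:
            if autostart_mechanism(f["item"]):
                seen[f["item"]].add(date)
    return {item: sorted(dates) for item, dates in seen.items() if len(dates) >= 2}


def appinit_payloads(scans):
    """DLL path found in AppInit_DLLs per scan; the file name changes while the hook stays."""
    out = defaultdict(list)
    for date, findings in scans.items():
        for f in findings:
            if f["data"] and f["item"].endswith("AppInit_DLLs"):
                out[date].append(f["data"])
    return dict(out)


if __name__ == "__main__":
    scans = {date: parse_log(text) for date, text in SCAN_LOGS.items()}
    for item, dates in recurring_autostarts(scans).items():
        print(f"{autostart_mechanism(item)}: {item} on {dates}")
    print("AppInit_DLLs payloads per scan:", appinit_payloads(scans))
```

Run it as a script to see the recurring entries; the point is that the BHO key and the Run value are the stable part of the infection, while the DLL names are throwaway. On a live XP machine the same handful of locations is what to pull from the registry and compare between reboots, and the "Delete on reboot" lines are the modules that were loaded while the scan ran. AppInit_DLLs and LSA Notification Packages are the two to watch most closely, since a DLL registered there is loaded into every user32-linked process or into lsass.exe before any on-demand scanner gets a chance to run.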

#15 Budapest


Posted 14 December 2008 - 03:34 AM

Run this scan:

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

Also, what Java entries do you have in Add/Remove Programs under the Control Panel?

And Malwarebytes is up to database 1499.

Edited by Budapest, 14 December 2008 - 03:39 AM.
