Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Reinfection - Vundo has returned


  • Please log in to reply
3 replies to this topic

#1 louispasteur

louispasteur

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 09 January 2009 - 11:12 PM

I got this virus. I don't know how but I got it. Norton Internet Security was "protecting" my PC. Or I thought it was. Turns out that you have to pay extra to get the really good protecting. It was like buying a condom with a coupon stapled to it. Norton wanted 99 USD to take care of it. Compaq wanted 59 or 69 USD. Microsoft wanted about the same. And Comcast had no idea what to do.

There was no way that I was going to pay for it. And nobody should have to. Soooo I put my customer service skills to use and talked to Norton. I was firm, but polite. Then I escalated to that persons supervisor. Again, I was firm but polite. Then I escalated to that persons supervisor. It took about 30 hours for a call to my cell phone. But they did call.

I explained my case once more, taking care to mention the various class action lawsuits that Norton was facing right now because of subscription issues. They relented and agreed to provide me with the premium service.

What surprised me as I watched the very able technician take remote access of my PC was that he navigated to http://www.bleepingcomputer.com and downloaded COMBOFIX.

Evidently that was what Norton was charging 99 USD for. Other than going into the DOS prompt to delete some files that's what he did. It was after COMBOFIX finished that I lost my connection to the internet. He advised me that I should check with my ISP to get advice on getting connected again.

After 2 hours on the phone with comcast and another escalation with them I had to go to the store and pickup a new cable modem. After some blind troubleshooting the other PC on the modem got connected again. I don't know how that happened.

The next day I contacted the same tech at Norton. After explaining all that I did he guided me into my PC. He also took me to a Norton site that I should have known about before this all happened. It was a site with 26 commonly used Symantec tools.

http://service1.symantec.com/SUPPORT/tsgen...005103109480139

It is worth checking out. During our first session he uninstalled Norton Internet Security 2009 from my system. But there were still remnants left. And it was those little pieces that was preventing me from getting online. After downloading the correct tool from the other PC onto my thumb drive and transferring it to my PC I ran it and was online again. You don't realize how much you depend on the net until you loose it.

I couldn't agree more with others about the fate of the miscreants who came up with Antivirus 2009 and all the others. I didn't loose any data, so far as I can tell. It was just the biggest hassle getting back to where I wanted to be. I fell violated as anybody would be, and will be again.

Here it is now, just 1 day later and Vundo has returned. I got a pop up from Norton saying that it detected Vundo and fixed it.

From my reading here I suspect there is more knowledge and advice than is available with Norton.

I would appreciate any advice or help that you can provide.



Here is my log - I did remove all after saving the log and did reboot as instructed to complete the removal

Malwarebytes' Anti-Malware 1.32
Database version: 1621
Windows 5.1.2600 Service Pack 3

1/9/2009 10:09:02 PM
mbam-log-2009-01-09 (22-08-20).txt

Scan type: Quick Scan
Objects scanned: 59675
Time elapsed: 1 hour(s), 8 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 11
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\hgGyaBQG.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\kvhndjrf.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\nnnLfdda.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7931321e-237d-4d5a-b1fc-6d40324d21c3} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{7931321e-237d-4d5a-b1fc-6d40324d21c3} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnlfdda (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7931321e-237d-4d5a-b1fc-6d40324d21c3} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18a190a2 (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\hggyabqg -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\hggyabqg -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\hgGyaBQG.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\GQBayGgh.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\GQBayGgh.ini2 (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\kvhndjrf.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\frjdnhvk.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\nnnLfdda.dll (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\temp\armwcesxon.tmp (Rogue.Installer) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\temp\winvsnet.tmp (Rogue.Installer) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4T5IAV08\winsinstall[1].exe (Rogue.Installer) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\E64E8S1Q\upd105320[1] (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> No action taken.

BC AdBot (Login to Remove)

 


#2 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:08:18 AM

Posted 10 January 2009 - 12:01 AM

Hi and welcome to BC!

Vundo can be a very hard infection to remove. We will do our best. Let's revisit Malwarebytes.

C:\WINDOWS\system32\hgGyaBQG.dll (Trojan.Vundo.H) -> No action taken.

This line generally indicated that you didn't tell the program to remove the infection. Please try running Malwarebytes with these instructions.

On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#3 louispasteur

louispasteur
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 10 January 2009 - 01:18 PM

My previous entry had the log that was saved before I deleted everything that malwarebytes had found. I did delete everything and then rebooted as it suggested I do. My PC would not reboot, it got stuck in the process, so I had to restart again with a hard shut down via the power button. When I did that I got a windows screen suggesting that I go with a restore from the last good restore point. I did that and windows started up as normal. I ran malwarebytes again and this time it found one instance of Vundo. I deleted that one and restarted again. I ran Malwarebytes and Norton again and this time they found nothing.

My PC seems to be running just fine since this all happened last night. It is quick and responsive. Could it be that I am free from infection or am I just deluding myself?

Below is the lastes report from Malwarebytes -

Malwarebytes' Anti-Malware 1.32
Database version: 1621
Windows 5.1.2600 Service Pack 3

1/10/2009 12:10:09 PM
mbam-log-2009-01-10 (12-10-09).txt

Scan type: Quick Scan
Objects scanned: 60451
Time elapsed: 6 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:08:18 AM

Posted 10 January 2009 - 03:29 PM

It looks good, but Vundo can be very hard to clean. Let's go through some more scans and see what is found. Another thing to note is different scanners "look" at the problem in different ways. Run these please...

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to renable you anti-virus and and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

Then...
Please download ATF Cleaner by Atribune & save it to your desktop.
alternate download link DO NOT use yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the
    definitions before scanning by selecting "Check for Updates". (If you encounter
    any problems while downloading the updates, manually download them from
    here and
    unzip into the program's folder.
    )
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under
    Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner
    Options
    , make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose:
    Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp"

ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
These two will take some time. I would print the instructions out because they are so lengthy. Let me know if problems arise.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users