
Vundo trojans and seneka rootkits


  • This topic is locked
2 replies to this topic

#1 littlefishy

littlefishy

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:39 AM

Posted 05 February 2009 - 06:19 PM

The problem started last night when I noticed that my legitimate Google search results were occasionally being redirected to ad sites (I've seen the other threads on this, but I have other issues as well). I ran a scan with AVG and came up with a whole lot of "trojan.vundo.h", which it quarantined. I assumed that the problem was fixed and went to bed.

This morning I started up my computer (running XP home service pack 3 by the way) and found a message saying that my computer would be restarted in a minute because the "DCOM server process launcher" service had terminated. I rebooted in safe mode and scanned again with AVG, this time enabling scanning for rootkits. The restart message popped up again in the middle of the scan - scary to see this happen in safe mode - so I looked up how to stop it and ended up using this method, which worked:

Start -> Run -> type services.msc
Select "DCOM Server Process Launcher"
Right Click -> Properties
Change Startup type to Disabled
Click on Recovery Tab
Change all failures to Take No Action

After that I finished the AVG scan. It found 12 rootkits with "seneka" in the name and claimed to have removed them, but when I updated and ran Malwarebytes Anti-Malware, it found the same ones, plus more. It removed those and the latest scan shows nothing, but I am still having the issue with Google results and I'm afraid to get out of safe mode to see how things are running.

Also, looking through Malwarebytes logs, I discovered that it had caught a bunch of trojan.vundo along with some trojan.downloader and trojan.TDSS a month ago, so I wonder if this could be a re-infection somehow? Thanks in advance for any advice on all this.

Edited by littlefishy, 05 February 2009 - 06:24 PM.




#2 littlefishy

littlefishy
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:39 AM

Posted 05 February 2009 - 06:46 PM

I've posted in the HijackThis logs forum as well - http://www.bleepingcomputer.com/forums/t/200924/vundo-seneka-browser-redirection/

#3 Guest_The weatherman_*

Guest_The weatherman_*

  • Guests
  • OFFLINE

Posted 05 February 2009 - 06:52 PM

It appears that you have already posted a hijackthis log here.

Please be patient while waiting for assistance. HJT Helpers are all volunteers regardless of where you post a log. While waiting for a response, you should not ask for help elsewhere or make changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.). Any modifications you make on your own can result in system changes which may not show in the log you already posted. Further, following advice outside of that post may cause confusion for the HJT Helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

If you had posted your log here, similar rules would apply. We would ask that you be patient while awaiting a reply and refrain from asking for help elsewhere.

If you followed any other advice already, please ensure you inform the HJT Team Helper when they respond to assist you with your log. This will help them know what has been done and they probably will ask for an updated log.

To avoid confusion, I am closing this topic. If you still need assistance after your log has been reviewed and you have been cleared, please start a new topic. If you have any questions, please PM me or another moderator.

Thanks for your cooperation.
