
Problems. Trojan.Vundo MS Juan Malware.Trace, Please Help.


7 replies to this topic

#1 wmyy

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:56 PM

Posted 11 February 2009 - 10:47 PM

Hi. I appreciate you taking your time to help. I recently downloaded Yahoo Messenger. Later on I decided that I didn't need it, so I uninstalled the program. After that I opened Firefox and noticed strange pop-ups continuously coming up: strange blank pages with long URLs ending in Superjuan. I realized it must have been a virus of some kind.

After some advice I:
Downloaded Malwarebytes.
Performed the required updates.
Performed a Full Scan.
Removed the infected files.



After that I received a message that said something along the lines of 'Not all of the files could be removed, and they will be removed upon restart,' and received this log after restart.


Malwarebytes' Anti-Malware 1.33
Database version: 1747
Windows 5.1.2600 Service Pack 2

2/11/2009 3:30:17 AM
mbam-log-2009-02-11 (03-30-17).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 89292
Time elapsed: 15 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 17
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\qtsloiwg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vtUlMdEX.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mumurp.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ddcCssRL.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddccssrl (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{de001ef3-6191-4415-a911-894d29adb04a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{de001ef3-6191-4415-a911-894d29adb04a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e7084066-a7ca-4224-9b8d-8aeb6bc49da7} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e7084066-a7ca-4224-9b8d-8aeb6bc49da7} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{de001ef3-6191-4415-a911-894d29adb04a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e7084066-a7ca-4224-9b8d-8aeb6bc49da7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a0be44ba (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\vtulmdex -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\vtulmdex -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ddcCssRL.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mumurp.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vtUlMdEX.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\XEdMlUtv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\XEdMlUtv.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qtsloiwg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\gwiolstq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\g\Local Settings\Temporary Internet Files\Content.IE5\8LMJGPU3\apstpldr.dll[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\g\Local Settings\Temporary Internet Files\Content.IE5\GBQPKJEX\index[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\g\Local Settings\Temporary Internet Files\Content.IE5\GBQPKJEX\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eglgyvng.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfeFYQi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfGawUn.dll (Trojan.Vundo) -> Delete on reboot.



I performed another Quick Scan and received this log:


Malwarebytes' Anti-Malware 1.33
Database version: 1747
Windows 5.1.2600 Service Pack 2

2/11/2009 3:37:16 AM
mbam-log-2009-02-11 (03-37-16).txt

Scan type: Quick Scan
Objects scanned: 55391
Time elapsed: 4 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----

There are numerous files under the Quarantine tab, and I'm curious as to what to do with them. If I delete them will the virus return?

I also read that Trojan Vundo is also known as MS Juan.

Are these the same thing? How severe was this infection, and am I clear now? If not, what steps should I take?

I appreciate whatever help I can receive. Thank you for your time.
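As an added defender's aid that is not part of this thread or of Malwarebytes' own tooling, the following Python parses the MBAM log format posted above (a constructed excerpt of a few lines from that log is embedded inline) to list which detections were still "Delete on reboot", and so worth re-checking after the restart, and to label the autostart location each registry detection abused. The mechanism labels in MECHANISMS are my own shorthand, not names MBAM uses.

```python
import re
from collections import Counter

# Constructed excerpt: a few lines copied from the MBAM 1.33 full-scan log in the post above.
MBAM_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddccssrl (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a0be44ba (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\vtulmdex -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\vtUlMdEX.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\XEdMlUtv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
"""

# The registry path of a detection tells you which autostart location it abused (my own labels).
MECHANISMS = [
    ("browser helper objects", "BHO loaded into Internet Explorer/Explorer"),
    ("winlogon\\notify", "Winlogon notification package"),
    ("shellexecutehooks", "ShellExecuteHook"),
    ("\\lsa\\", "LSA package loaded by lsass.exe"),
    ("\\currentversion\\run\\", "Run-key autostart"),
]

ITEM_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\)$")


def parse_mbam_log(text):
    """Return one dict per detection line: section, item, family, action and any 'Data:' fields."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):
            continue  # blank line or "(No malicious items detected)"
        if line.endswith("Infected:"):
            section = line[:-1]
            continue
        head, *tail = line.split(" -> ")  # last arrow segment is MBAM's action
        m = ITEM_RE.match(head)
        if not m or not tail:
            continue  # not a detection line (e.g. "Database version: 1747")
        entries.append({"section": section, "item": m.group("item"), "family": m.group("family"),
                        "action": tail[-1].rstrip("."),
                        "data": [t[6:] if t.startswith("Data: ") else t for t in tail[:-1]]})
    return entries


def mechanism_for(item):
    low = item.lower()
    return next((label for needle, label in MECHANISMS if needle in low), "marker/trace key or file")


def pending_on_reboot(entries):
    """Items MBAM could not remove while they were loaded; re-verify these after the restart."""
    return sorted({e["item"] for e in entries if e["action"] == "Delete on reboot"})


def persistence_summary(entries):
    """Count registry detections by the autostart mechanism they used."""
    return Counter(mechanism_for(e["item"]) for e in entries if e["section"].startswith("Registry"))
```

Running it over the full log in the post gives the same picture in miniature: the in-use DLLs and the BHO, Winlogon Notify and LSA entries are the ones deferred to reboot, which is why a second scan after restarting is the check that matters.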



#2 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,992 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:02:56 PM

Posted 13 February 2009 - 11:41 PM

As the log posted in the above post is an MBAM log, I am moving this topic from the HiJack This forum to the Am I Infected forum. ~ OB
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,416 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:02:56 PM

Posted 13 February 2009 - 11:49 PM

Hi, you are correct about the virus name, and it is stubborn. You can delete/empty the quarantine if your PC is running well. Files are quarantined and can no longer harm the PC. They are put there first in case they were files important to the normal operation of the machine. That said, we will run more tools to be sure you are clean. Please post back 2 logs.

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Now rerun MBAM like this, as your database is a little old.

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,416 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:02:56 PM

Posted 15 February 2009 - 03:06 PM

OK, sometimes that happens with SAS; sometimes the log shows up after a full shutdown and reboot. Did you run it from your regular user account? Did you notice if it had removed some things?

In the meantime we need to rerun MBAM.

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#5 wmyy

  • Topic Starter
  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:56 PM

Posted 15 February 2009 - 03:26 PM

When I went into safe mode there were two Computer Administrator accounts (is this normal? One had the default name and icon, and one had the customized name and icon, the one that normally shows up when I start up normally, but they were both administrator accounts). I clicked on the first one, and did the scan with Super from there.
After I rebooted I clicked on my normal Administrator account, and tried to retrieve the Super log from there, and it didn't exist.

I clicked Start -> Control Panel -> User Accounts -> and it only had one Administrator account listed. I could have sworn I saw two when I tried to enter safe mode before. So

Anyway, I restarted the computer, and went back into the strange first Administrator account that only shows up if I try to go into safe mode. I opened Super from there, and the log showed up, so I saved it from there to the normal Administrator account.


I restarted again, and went into Normal mode as opposed to Safe mode.

I don't know what the deal is with all of that, but it worked, and now I can post the log here. I don't know if I made a mistake. Why are there two Administrator accounts? And why does one only show up when I want to go into Safe Mode? Confused.

Anyway, moving on.

Here is the log for SUPERAntiSpyware:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/15/2009 at 01:50 PM

Application Version : 4.25.1012

Core Rules Database Version : 3755
Trace Rules Database Version: 1719

Scan type : Complete Scan
Total Scan Time : 00:29:49

Memory items scanned : 226
Memory threats detected : 0
Registry items scanned : 4089
Registry threats detected : 7
File items scanned : 15247
File threats detected : 1

Adware.MyWebSearch/FunWebProducts
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs

Rogue.Component/Trace
HKLM\Software\Microsoft\A0BE5634
HKLM\Software\Microsoft\A0BE5634#a0be5634
HKLM\Software\Microsoft\A0BE5634#Version
HKLM\Software\Microsoft\A0BE5634#a0befbb4
HKLM\Software\Microsoft\A0BE5634#a0be9251

Adware.Vundo/Variant-Six129
C:\WINDOWS\SYSTEM32\DGONBD(2).DLL


And here is the log for Malwarebytes that I ran in normal mode:


Malwarebytes' Anti-Malware 1.34
Database version: 1764
Windows 5.1.2600 Service Pack 2

2/15/2009 2:16:48 PM
mbam-log-2009-02-15 (14-16-48).txt

Scan type: Quick Scan
Objects scanned: 60462
Time elapsed: 1 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thank you for your help. :thumbsup:

#6 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,416 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:02:56 PM

Posted 15 February 2009 - 03:46 PM

Now this looks clean. Are there any more symptoms? One more question: when you downloaded the Yahoo application, where did you get it, as it was odd to get this infection from there.

#7 wmyy

  • Topic Starter
  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:56 PM

Posted 15 February 2009 - 04:03 PM

I don't remember where I got it from. I assumed I googled "Yahoo messenger" and downloaded it from their website. I didn't notice any problems until I tried to uninstall it. Then that's when the trouble started. I suppose it could have been from something else. A few days prior I was noticing a CD symbol blinking next to my mouse pointer, as if I had put something into the CD drive, when there wasn't.

After I ran Malwarebytes for the first time the problems didn't continue, but I did notice something strange in the Scheduled Tasks that looked suspicious.
I right-clicked and clicked on Properties, and looked at the path, and I noticed it was one of the files listed the first time I ran Malwarebytes. I assume it was one of the files that was in quarantine, but even when I deleted those files from Quarantine, the strange file was still under my Scheduled Tasks. I disabled the task and deleted it. I don't think it's really a problem. Just wondering.
And now my computer seems to be running fine.


About the two Administrator accounts. Is that normal?


Also I plan to format my computer in the future and install Windows XP (I'm already running it, but when I format I assume it won't be there any more, so I'll have to reinstall it).

Should I download Malwarebytes again to keep, just in case?

And what should I use as a firewall?



I appreciate your help.

#8 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,416 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:02:56 PM

Posted 15 February 2009 - 04:36 PM

Most every XP system has at least 2 "administrator" type accounts. One is the normally hidden "administrator" account and the others are your standard user accounts that have "administrator" type access. This is normal.

I would keep MBAM around.
I would recommend either the Comodo or ZoneAlarm walls. I use Comodo. Look here: http://www.bleepingcomputer.com/forums/topic3616.html

Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension to the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low-level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.

The best sources of information on this are:
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.