Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Attacked by several Trojans (Vundo, Neprodoor!, Agent)

  • This topic is locked This topic is locked
1 reply to this topic

#1 Dave Finlay

Dave Finlay

  • Members
  • 148 posts
  • Local time:09:58 PM

Posted 28 March 2009 - 09:49 PM

I guess you could say I got a good dose of karma, I just hope that you guys won't judge me or refuse to help me for what I'm about to describe. Two night s ago, I acquired a crack for one of my programs, and scanned it with both my anti-virus (Symantec AntiVirus) and MalwareBytes upon downloading it. When I opened up the program, it was akin to opening up a can of worms. My internet access was severed, my anti-virus went haywire and got overwhelmed, and what scared me the most is that a screen-full of warning messages from my anti-virus, attempting to intercept e-mails popped up........there aren't viruses that send your info out like that, right?

Long story short, my main account was being held hostage by these trojan/viruses, and barely if at all functioned (i.e wasn't allowed access to the folder or Task Manager). I had no internet access on the laptop at all no matter what account. I had to create another account via Safe Mode in order to scan my laptop with MalwareBytes and SuperAntiSpyware. Both picked up some Trojans (located in WINDOWS/System32/userinit and quarantined/deleted them, but some required re-boot to delete them. And when I did, the same Trojans popped back up again anyways.)

I've run HijackThis and saved the log (for anyone that wants to see it). My anti-virus also has listed the Trojans that immediately popped up when I opened that program (which I've since deleted), and has them listed as "being cleaned successfully", yet I can't delete them from the Risk History list, nor do they appear on the Quarantine list or any subsequent scans (so I assume that they're gone or at least dormant). The buggers that it picked up were:

Packed.Generic.209 (3 of them)
Trojan.Neprodoor!inf (2 of them)
Trojan.Vundo (1)

The ones picked up by initial Anti-Malware and SuperAntiSpyware scans:

Trojan.Agent (2 of them) (from WINDOWS/System32/userinit)

Since then I've managed to:

- restore my laptop's internet access, with a program called "LSPfix".
- deleted my old main account and its folders/files, which had some nasty stuff in its temp file that probably was that didn't allow me to access the entire folder.
- Have done numerous virus/spyware/adware scans with a handful of programs. All that's come up since is these two Trojan.Agent files from WINDOWS/System32/userinit.exe (via MalwareBytes and SuperAntiSpyware) that keep re-spawning when I delete them. The trojans that my anti-virus initally intercepted (Neprodoor, Vundo etc.) and which I listed in my first post were "cleaned" right on the spot, and are listed as having been cleaned successfully by the AV. They might be gone, I dunno. Every other virus scan has yielded nothing.

Still, I'm wondering whether I'm compromising my laptop and my security as I speak. I've seeked help elsewhere and was told that Neprodoor is a pretty nasty toolkit that embeds itself in Windows' ndis.sys file, among others and is difficult to get rid of. But like I said, it's listed as "cleaned" by my AV and I haven't seen any signs of it since. They suggested that I re-format, thing is that this laptop requires a portable floppy disk drive to load the SATA drivers into it during re-installation..........I don't have a portable floppy. Unless I can use my microSD card (which is technically a portable drive) to load the drivers I can't re-install.

Do you think I'm in the clear now after that initial attack, or are there probably still well-hidden backdoors and rootkits at work as I speak? I may have further risked myself just by registering to this forum........I've deathly afraid of having my personal information and passwords leaked.

BC AdBot (Login to Remove)


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 37,011 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:58 PM

Posted 29 March 2009 - 12:22 AM

Hello Dave Finlay,

I see that you have an HJT log posted here: http://www.bleepingcomputer.com/forums/t/214825/my-laptop-was-recently-attacked-by-several-trojans-not-sure-if-im-safe-help/

We do not allow more than one topic for the same computer and the same issue as this causes confusion, and in this case may make the disinfection process more difficult.

This leaves you with a choice:

1) Have this thread reopened and the HiJack This log topic deleted


2) Keep this thread closed and wait for assistance in the HiJack This log forum. Please note that that forum is VERY busy.

Please send a Private Message indicating your choice.

Assuming you wish assistance in the HiJack This forum, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users