
Trojan: Vundo!grb on my home PC!


10 replies to this topic

#1 mikedeez68

Posted 16 April 2009 - 03:19 PM

A few days ago I got the Vundo!grb on my computer from a download.

My McAfee recognized it immediately and "removed" it. Obviously, it wasn't completely removed. It kept finding it and kept removing it...still does.

I remember turning off my computer without shutting it down the proper way. When I started it again, McAfee was going crazy again. I ran a full system scan and nothing was found.

I surfed around on the web (with Firefox) and all websites loaded properly and displayed fine. But I kept getting these stupid pop ups that were obvious spam/viruses from the Vundo!grb file.

Even now, my computer seems to be working fine and functioning properly (offline). I currently have it offline from my wireless. I've downloaded Ad-Aware, which found a few bad files which were quarantined. Every time I start my computer up, McAfee keeps finding the Vundo file in my C drive (C:\Windows\system32\aridabuz.tmp).

At first, my computer wouldn't shut down at all from the start menu. But since I ran Ad-Aware, I have been able to shut it down...somewhat. With the exception of taking a long time to shut down the run.dll program, which I always have to end manually.

I read a few posts similar to the problems to what I'm having, but mine sounded a little different. I'm hoping it's not severe.

All passwords have been changed and my important files were backed up a few weeks before, thankfully. Browser histories have been cleared, the program that downloaded the virus has been removed and I haven't signed on anything requiring a password since.

Where do I go from here? Can/should I connect to the internet?

Please advise! Thanks in advance.

Also, I'm using Windows XP...

#2 boopme

Posted 16 April 2009 - 07:36 PM

Hi and welcome to BC. Let's run 3 tools and get 2 logs.
First run ATF and SAS:

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Next run MBAM:
Please download Malwarebytes Anti-Malware (v1.36) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 mikedeez68

Posted 17 April 2009 - 07:36 AM

Here are my logs.

Just as a note to the SUPER log...I began scanning late night and fell asleep. Woke up and it was done, but my computer froze. It found 11 items from the get go. So I had to restart and scan again. But, as soon as it found the 11 things, I just clicked 'next'...hope that's not a problem.
====================================================
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/17/2009 at 08:02 AM

Application Version : 4.26.1000

Core Rules Database Version : 3849
Trace Rules Database Version: 1803

Scan type : Complete Scan
Total Scan Time : 00:30:00

Memory items scanned : 244
Memory threats detected : 0
Registry items scanned : 8257
Registry threats detected : 11
File items scanned : 31888
File threats detected : 0

Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#SSODL

Unclassified.Unknown Origin
HKU\S-1-5-21-3243360431-1358848133-1554332018-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4D1C4E81-A32A-416B-BCDB-33B3EF3617D3}

InstaFinderK BHO
HKU\S-1-5-21-3243360431-1358848133-1554332018-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4E7BD74F-2B8D-469E-90F0-F66AB581A933}

Trojan.FavoriteMan Variant
HKU\S-1-5-21-3243360431-1358848133-1554332018-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EBBD88E5-C372-469D-B4C5-1FE00352AB9B}

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\contim
HKLM\SOFTWARE\Microsoft\contim#SysShell
HKLM\SOFTWARE\Microsoft\rdfa
HKLM\SOFTWARE\Microsoft\rdfa#F
HKLM\SOFTWARE\Microsoft\rdfa#N

Rogue.Component/Trace
HKU\S-1-5-21-3243360431-1358848133-1554332018-1006\Software\Microsoft\FIAS4057

=====================================================================

Malwarebytes' Anti-Malware 1.36
Database version: 1992
Windows 5.1.2600 Service Pack 3

4/17/2009 8:27:24 AM
mbam-log-2009-04-17 (08-27-24).txt

Scan type: Quick Scan
Objects scanned: 86176
Time elapsed: 8 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4102ff26-19c0-4c88-9c15-64f33c1a79ff} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4102ff26-19c0-4c88-9c15-64f33c1a79ff} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7c559105-9ecf-42b8-b3f7-832e75edd959} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{09f1adac-76d8-4d0f-99a5-5c907dadb988} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9} (Adware.MediaMotor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{deceaaa2-370a-49bb-9362-68c3a58ddc62} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Broken.SecurityProviders) -> Bad: (msapsspc.dll,schannel.dll,digest.dll,msnsspc.dll) Good: (msapsspc.dll, ,schannel.dll, ,digest.dll, ,msnsspc.dll) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
===================================================
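The two MBAM logs in this thread follow a fixed layout: a block of summary counts, then one section per object type whose entries read `<path> (<family>) -> <action>`, with registry data items also carrying a `Bad: (...) Good: (...)` pair. The added Python below (not code from this thread or from Malwarebytes) parses that layout and pulls out the two things a responder cares about when reading such a log: the entries that show the malware switching off the machine's own defences (the `Disabled.SecurityCenter` values and the tampered `SecurityProviders` list), and any entry that was not actually removed, which is exactly the case where the reboot boopme asks for matters. The sample is an abridged copy of the first MBAM log posted above, with the summary counts adjusted to match the abridged item lists; the `Delete on reboot` action string used in the test is a constructed example.

```python
import re
from collections import Counter

# Abridged copy of the first MBAM 1.36 log posted in this thread. The
# registry paths and CLSIDs are the ones from the post; the summary counts
# were adjusted to match the abridged item lists.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.36
Database version: 1992
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 86176

Memory Processes Infected: 0
Registry Keys Infected: 3
Registry Data Items Infected: 4
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4102ff26-19c0-4c88-9c15-64f33c1a79ff} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4102ff26-19c0-4c88-9c15-64f33c1a79ff} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Broken.SecurityProviders) -> Bad: (msapsspc.dll,schannel.dll,digest.dll,msnsspc.dll) Good: (msapsspc.dll, ,schannel.dll, ,digest.dll, ,msnsspc.dll) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
COUNT_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<n>\d+)$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<detail>.+)$")
BADGOOD_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")

# The only action string in an MBAM log that means the object is gone.
REMOVED = "Quarantined and deleted successfully"


def parse_mbam_log(text):
    """Return (summary_counts, items) for an MBAM 1.x log.

    items is a list of dicts with section, path, family and action; registry
    data items also carry the bad/good values MBAM reports."""
    counts, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):      # blank or "(No malicious items detected)"
            continue
        m = COUNT_RE.match(line)
        if m:                                     # summary block: "<type> Infected: N"
            counts[m["name"]] = int(m["n"])
            continue
        m = SECTION_RE.match(line)
        if m:                                     # section header: "<type> Infected:"
            section = m["name"]
            continue
        m = ITEM_RE.match(line)
        if m and section:
            detail = m["detail"]
            action = detail.rsplit(" -> ", 1)[-1].rstrip(".")
            item = {"section": section, "path": m["path"],
                    "family": m["family"], "action": action}
            bg = BADGOOD_RE.search(detail)
            if bg:
                item["bad"], item["good"] = bg["bad"], bg["good"]
            items.append(item)
    return counts, items


def assess(counts, items):
    """Turn parsed entries into the findings a responder wants from the log."""
    per_section = Counter(i["section"] for i in items)
    findings = {
        "families": sorted({i["family"] for i in items}),
        # Security Center values set to 1 mean the user would not have been
        # warned that AV, firewall or updates were off.
        "security_center_suppressed": sorted(
            i["path"].rsplit("\\", 1)[-1] for i in items
            if i["family"] == "Disabled.SecurityCenter" and i.get("bad") == "1"),
        # A rewritten SSP list is a persistence/credential-interception point.
        "ssp_tampered": any(i["family"] == "Broken.SecurityProviders" for i in items),
        # Anything not removed needs the reboot and re-scan the thread describes.
        "not_removed": [i["path"] for i in items if i["action"] != REMOVED],
        # Summary counts that do not match the itemised entries suggest a
        # truncated or edited log.
        "count_mismatch": {name: (n, per_section.get(name, 0))
                           for name, n in counts.items()
                           if n != per_section.get(name, 0)},
    }
    findings["clean"] = not items and all(n == 0 for n in counts.values())
    return findings


if __name__ == "__main__":
    for key, value in assess(*parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the second log in this thread (all counts zero, every section "No malicious items detected") the same code reports `clean: True`, which is the condition boopme is checking for before saying "good to go".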

#4 boopme

Posted 17 April 2009 - 06:19 PM

Hello, good progress. I don't feel that will be a problem if you ran ATF first. Let's do another quick scan and tell me how it's running now.

Rerun MBAM

Open MBAM in normal mode and click the Update tab, select Check for Updates. When done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#5 mikedeez68

Posted 18 April 2009 - 11:22 AM

Hello boop,

Below you will find the second MBAM log.

My computer seems to be running much better. I surfed around the net and didn't run into any pop ups or anything like that. My McAfee hasn't been finding anything or going crazy either.

I did have a few other questions though. When I researched the virus online, McAfee suggested that I turn off the system restore feature within the system properties. It was one of the first things I did before running a lot of this software. Should I turn it back on now, or leave it off?

Also (and I'm sure you'll be able to tell me after looking at the log), am I out of the woods? Can/should I continue using my computer normally or am I still at risk from this virus? Will it be 100% completely removed?

And, if I am 100% clear, should I continue to run these malware and anti-spyware programs you suggested? Let me know what you think.

Thanks so much for all your help!!! :thumbsup:


Here is the second log:
==========================
Malwarebytes' Anti-Malware 1.36
Database version: 2001
Windows 5.1.2600 Service Pack 3

4/18/2009 12:01:08 PM
mbam-log-2009-04-18 (12-01-08).txt

Scan type: Quick Scan
Objects scanned: 86548
Time elapsed: 5 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 mikedeez68

Posted 18 April 2009 - 11:23 AM

Oh yeah, almost forgot...

In MBAM, when I look at the quarantine tab, it looks like the program has a bunch of stuff quarantined...

Should I delete those files? They are all registry key files.

#7 boopme

Posted 18 April 2009 - 06:44 PM

Hey mikedeez68
You are good to go. Empty the quarantine.
Update and run both MBAM and SAS at least weekly. Have you defragged the hard drive this year? ATF every couple of months. By running them often they will generally run faster as they are on top of things.

I usually reset the restore last. I know they all do it first, but I would rather have at least an infected one than none to fall back on. I always post this last, so I will, so that you will be set up properly.

Thanks for dropping by BC :thumbsup:

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

#8 mikedeez68

Posted 19 April 2009 - 06:29 PM

Excellent.

All steps have been complete and everything seems to be working great!

Just one more question...is it good/is there a point to have all of these malware/spyware programs on my computer all at once? In addition to MBAM and Super, I also have Ad-Aware and my McAfee running.

I'm guessing it can't hurt...?

Anyway, thanks again for all your help! You saved my computer! :thumbsup: Kudos.

- Mike D

#9 boopme

Posted 19 April 2009 - 06:44 PM

My personal opinion is keep 1 AV (McAfee), MBAM and SAS. The others I would uninstall. Update them weekly and prior to scans. You do have a firewall enabled? Check for the need to defragment the hard drive a few times a year.

you're welcome!!

Edited by boopme, 19 April 2009 - 06:45 PM.


#10 mikedeez68

Posted 19 April 2009 - 07:00 PM

I'll get rid of Ad-Aware...

And yes, I do have a firewall via McAfee and I definitely defrag every few months at least!

#11 boopme

Posted 19 April 2009 - 10:51 PM

OK cool!! Good luck mikedeez68
Please take a moment to read quietman7's excellent prevention tips in post 17 here
Click>>Tips to protect yourself against malware and reduce the potential for re-infection: