Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


infected with trojan vundo i think

  • Please log in to reply
4 replies to this topic

#1 srk_fan22


  • Members
  • 59 posts
  • Local time:07:41 AM

Posted 25 April 2009 - 02:24 PM

For the past week or so pop-ups have been coming up when I use internet explorer, and the main thing is that windows automatic security updates are automatically turned off. I turn it on manually, but then the next time I open my computer, they are turned off. I downloaded MBAM and did full scans. I have been running scans daily for about 3 days now and every day trojan.vundo shows up. the message comes up saying that the computer needs to be restarted to remove some infected files, so i click ok and it restarts. Then I run another scan and it comes up clean. however, if i run another scan some time later, Trojan.Vundo shows up again.
Any help would be greatly appreciated. Thanks!

I am running on Windows XP SP3 and my anitivirus is eset nod32 version 4.0.314

also, heres the log from my latest mbam scan:

Malwarebytes' Anti-Malware 1.36
Database version: 1959
Windows 5.1.2600 Service Pack 3

4/25/2009 3:13:44 PM
mbam-log-2009-04-25 (15-13-44).txt

Scan type: Full Scan (C:\|)
Objects scanned: 148176
Time elapsed: 26 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by srk_fan22, 25 April 2009 - 02:33 PM.

BC AdBot (Login to Remove)


#2 rigel



  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:07:41 AM

Posted 25 April 2009 - 08:26 PM

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial - Self Help guide can be found here if needed.: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
Stealth Objects
Hidden Services

Click OK
Scan your C Drive (Or your current system drive) and click OK. The scan will begin. This my take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith

#3 dlilpyro


  • Members
  • 11 posts
  • Local time:06:41 AM

Posted 25 April 2009 - 09:32 PM

I'm having this problem too and when I tried to use RootRepeal and it shut down my computer.

#4 DaChew


    Visiting Alien

  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:07:41 AM

Posted 25 April 2009 - 09:43 PM

Please download and run Processexplorer


Under file and save as, create a log and post here

copy and paste into a reply

No. Try not. Do... or do not. There is no try.

#5 srk_fan22

  • Topic Starter

  • Members
  • 59 posts
  • Local time:07:41 AM

Posted 27 April 2009 - 04:18 PM

heres my rootrepeal log:

ROOTREPEAL © AD, 2007-2008
Scan Time: 2009/04/27 17:12
Program Version: Version
Windows Version: Windows XP SP3

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA86D000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF89FA000 Size: 8192 File Visible: No
Status: -

Name: fluvafjc.sys
Image Path: fluvafjc.sys
Address: 0xF84B4000 Size: 61440 File Visible: No
Status: -

Name: hiber_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS
Address: 0xF8A58000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA998C000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\System Volume Information\_restore{25BEE38A-9975-41A4-8855-150195B4BA83}\RP50\change.log
Status: Size mismatch (API: 20704, Raw: 19840)

Path: C:\Documents and Settings\user\Local Settings\Temp\~DF162F.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Program Files\Nero\Nero8\Nero BackItUp\BIU1.txt
Status: Allocation size mismatch (API: 216, Raw: 0)

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x81d82630

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x81d81a60

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x81d81e80

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x81d82460

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x81d82280

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x81d81c90

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x81d820b0

Stealth Objects
Object: Hidden Code [ETHREAD: 0x828f9500]
Process: System Address: 0x81d80790 Size: -

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users