need help with Trojan Vundo


  • This topic is locked
6 replies to this topic

#1 thunderboltkid

Posted 14 May 2009 - 12:10 AM

I have windows xp, and today I started getting random popups so I used Malwarebytes' Anti-Malware (because I have it, because I was on this forum once before), and I did a full scan and then clicked to remove all the Trojan Vundo things, but it said I needed to reboot the computer in order for it to be completed, which it has told me before so I took this to be normal. Then, when the computer restarted, only the desktop picture appeared, without any icons or the start bar, and I had to use task manager to get them up.

I have also tried running SUPERAntiSpyware (because I have that also from the last time I was here) on safe mode, and it did the same thing telling me to reboot, and then when restarted, there's nothing on the desktop.

Any help would be greatly appreciated.


#2 Guest_superbird_*


Posted 14 May 2009 - 09:41 AM

Hi,

Try this instead:

1. Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.

2. Please use the Internet Explorer browser (or Firefox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

#3 thunderboltkid


Posted 16 May 2009 - 12:07 PM

Sorry this took so long... computer kept closing the windows.

Anyway, the vundo fix thing searched and found nothing, so I guess there's no more vundo?

And the Kaspersky thing is:

KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, May 16, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, May 16, 2009 17:35:07
Records in database: 2185851
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 71119
Threat name: 5
Infected objects: 17
Suspicious objects: 0
Duration of the scan: 01:12:55


File name / Threat name / Threats count
C:\WINDOWS\system32\userinit.exe/C:\WINDOWS\system32\userinit.exe Infected: Trojan-Dropper.Win32.Agent.aozs 1
C:\DOCUME~1\User\LOCALS~1\Temp\mousehook.dll/C:\DOCUME~1\User\LOCALS~1\Temp\mousehook.dll Infected: Trojan-Dropper.Win32.Agent.aozs 4
C:\Documents and Settings\User\Incomplete\Preview-T-3545425-blue bird club penguin.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\User\Incomplete\Preview-T-3545425-in this together flipside club.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\User\Incomplete\Preview-T-3877629-ghosting mother.mp3 Infected: Trojan-Downloader.WMA.GetCodec.n 1
C:\Documents and Settings\User\Incomplete\Preview-T-5745425-blue bird club penguin.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\User\Incomplete\Preview-T-5745425-in this together flipside club.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\User\Local Settings\Temp\mousehook.dll Infected: Trojan-Dropper.Win32.Agent.aozs 1
C:\Documents and Settings\User\Local Settings\Temp\ntdll64.dll Infected: Trojan-Dropper.Win32.Agent.aozs 1
C:\Documents and Settings\User\My Documents\My Music\gwar\sad songs elton john 39.wma Infected: Trojan-Downloader.WMA.Wimad.d 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SBOP8XGZ\lsp[1].exe Infected: Trojan-Dropper.Win32.Agent.aozs 1
C:\WINDOWS\system32\dllcache\userinit.exe Infected: Trojan-Dropper.Win32.Agent.aozs 1
C:\WINDOWS\system32\susonuno.exe Infected: Packed.Win32.Krap.q 1
C:\WINDOWS\system32\userinit.exe Infected: Trojan-Dropper.Win32.Agent.aozs 1

The selected area was scanned.




thanks for the help

#4 Guest_superbird_*


Posted 16 May 2009 - 12:34 PM

Hi,

Well, your pc is heavily infected, but let's try to deal with it. :thumbsup:

1. Open Notepad.
Copy this in the Notepad-file:

@ECHO OFF
REM Start with a fresh log in the current folder (the Desktop when double-clicked).
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
REM For each listed file: clear the read-only, system and hidden attributes,
REM try to delete it, then log whether it was deleted, not deleted or not found.
FOR %%g in (
    "C:\Documents and Settings\User\Local Settings\Temp\mousehook.dll"
    "C:\Documents and Settings\User\Incomplete\Preview-T-3545425-blue bird club penguin.mp3"
    "C:\Documents and Settings\User\Incomplete\Preview-T-3545425-in this together flipside club.mp3"
    "C:\Documents and Settings\User\Incomplete\Preview-T-3877629-ghosting mother.mp3"
    "C:\Documents and Settings\User\Incomplete\Preview-T-5745425-blue bird club penguin.mp3"
    "C:\Documents and Settings\User\Incomplete\Preview-T-5745425-in this together flipside club.mp3"
    "C:\Documents and Settings\User\Local Settings\Temp\mousehook.dll"
    "C:\Documents and Settings\User\Local Settings\Temp\ntdll64.dll"
    "C:\Documents and Settings\User\My Documents\My Music\gwar\sad songs elton john 39.wma"
    "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SBOP8XGZ\lsp[1].exe"
    "C:\WINDOWS\system32\susonuno.exe"
) DO (
    IF EXIST %%g (
        ATTRIB -r -s -h %%g
        DEL %%g
        IF EXIST %%g (
            ECHO %%g not deleted>>log.txt
        ) ELSE (
            ECHO %%g deleted>>log.txt
        )
    ) ELSE (
        ECHO %%g not found>>log.txt
    )
)
REM Open the log so its contents can be posted.
START NOTEPAD.EXE log.txt

Go to File - Save as...
Fill in the next values:
Location: Desktop
File name: del.bat
File type: All files (*.*).
Now, click Save.
Double-click del.bat.
Post the contents of the logfile that opens in your next reply.

2. Go to http://windowsupdate.microsoft.com
Install the ActiveX-control, if you are asked to do so.
Now, click Custom
Now, Install XP Service Pack 3

3. Now, do a new scan with Kaspersky Online Scanner, and post the logfile in your next reply. :flowers:

#5 thunderboltkid


Posted 18 May 2009 - 11:38 AM

log file:

Deleting files
"C:\Documents and Settings\User\Local Settings\Temp\mousehook.dll" not deleted
"C:\Documents and Settings\User\Incomplete\Preview-T-3545425-blue bird club penguin.mp3" deleted
"C:\Documents and Settings\User\Incomplete\Preview-T-3545425-in this together flipside club.mp3" deleted
"C:\Documents and Settings\User\Incomplete\Preview-T-3877629-ghosting mother.mp3" deleted
"C:\Documents and Settings\User\Incomplete\Preview-T-5745425-blue bird club penguin.mp3" deleted
"C:\Documents and Settings\User\Incomplete\Preview-T-5745425-in this together flipside club.mp3" deleted
"C:\Documents and Settings\User\Local Settings\Temp\mousehook.dll" not deleted
"C:\Documents and Settings\User\Local Settings\Temp\ntdll64.dll" deleted
"C:\Documents and Settings\User\My Documents\My Music\gwar\sad songs elton john 39.wma" deleted
"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SBOP8XGZ\lsp[1].exe" deleted
"C:\WINDOWS\system32\susonuno.exe" deleted


kaspersky scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, May 18, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, May 18, 2009 17:14:01
Records in database: 2191292
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 78212
Threat name: 2
Infected objects: 37
Suspicious objects: 0
Duration of the scan: 01:16:41


File name / Threat name / Threats count
C:\WINDOWS\system32\autochk.dll/C:\WINDOWS\system32\autochk.dll Infected: Trojan-Spy.Win32.Agent.argt 28
C:\Documents and Settings\NetworkService\protect.dll Infected: Trojan-Spy.Win32.Agent.argt 1
C:\Documents and Settings\User\Local Settings\Temp\mousehook.dll Infected: Trojan-Dropper.Win32.Agent.aozs 1
C:\Documents and Settings\User\protect.dll Infected: Trojan-Spy.Win32.Agent.argt 1
C:\Documents and Settings\User\Start Menu\Programs\Startup\ChkDisk.dll Infected: Trojan-Spy.Win32.Agent.argt 1
C:\WINDOWS\$NtServicePackUninstall$\userinit.exe Infected: Trojan-Dropper.Win32.Agent.aozs 1
C:\WINDOWS\system32\autochk.dll Infected: Trojan-Spy.Win32.Agent.argt 1
C:\WINDOWS\system32\config\systemprofile\protect.dll Infected: Trojan-Spy.Win32.Agent.argt 1
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll Infected: Trojan-Spy.Win32.Agent.argt 1
C:\WINDOWS\Temp\msb.dll Infected: Trojan-Spy.Win32.Agent.argt 1

The selected area was scanned.
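
Comparing the two Kaspersky reports line by line shows which detections were cleared between scans, which survived, and which are new. The following is an added example, not part of the original posts: it uses a subset of the report lines from this thread, and the function names and the handling of "container/object" entries are assumptions.

```python
import re

# Subset of lines copied from the two Kaspersky reports posted in this thread.
SCAN_1 = r"""
C:\WINDOWS\system32\userinit.exe/C:\WINDOWS\system32\userinit.exe Infected: Trojan-Dropper.Win32.Agent.aozs 1
C:\Documents and Settings\User\Local Settings\Temp\mousehook.dll Infected: Trojan-Dropper.Win32.Agent.aozs 1
C:\Documents and Settings\User\Local Settings\Temp\ntdll64.dll Infected: Trojan-Dropper.Win32.Agent.aozs 1
C:\WINDOWS\system32\susonuno.exe Infected: Packed.Win32.Krap.q 1
"""
SCAN_2 = r"""
C:\WINDOWS\system32\autochk.dll/C:\WINDOWS\system32\autochk.dll Infected: Trojan-Spy.Win32.Agent.argt 28
C:\Documents and Settings\User\Local Settings\Temp\mousehook.dll Infected: Trojan-Dropper.Win32.Agent.aozs 1
C:\Documents and Settings\User\protect.dll Infected: Trojan-Spy.Win32.Agent.argt 1
C:\WINDOWS\Temp\msb.dll Infected: Trojan-Spy.Win32.Agent.argt 1
"""

# "<object> Infected: <threat name> <threat count>"
LINE = re.compile(r"^(?P<obj>.+) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def parse_report(text):
    """Return {lowercased on-disk path: threat name} for each 'Infected:' line."""
    found = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # headers, statistics and blank lines
        # Assumption: in "container/object" entries the part before "/" is the file on disk.
        path = m.group("obj").split("/", 1)[0].lower()
        found[path] = m.group("threat")
    return found


def compare_scans(before, after):
    """Classify detections as cleared, persisting or new between two scans."""
    a, b = parse_report(before), parse_report(after)
    return {
        "cleared": sorted(set(a) - set(b)),
        "persisting": sorted(set(a) & set(b)),
        "new": sorted(set(b) - set(a)),
    }


if __name__ == "__main__":
    for status, paths in compare_scans(SCAN_1, SCAN_2).items():
        print(status)
        for p in paths:
            print("   ", p)
```

Paths are compared case-insensitively but 8.3 short names such as `C:\DOCUME~1\...` are not expanded, so a short-name entry and its long-name equivalent count as different files.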

#6 Guest_superbird_*


Posted 18 May 2009 - 12:45 PM

Hi,

I think you are dealing with a file infector.
Though, I want this to be confirmed, so I'm going to redirect you to the HijackThis section of this forum.
Read this page and follow its steps: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Give them a link and my opinion. :thumbsup:

Good luck. :flowers:

#7 Orange Blossom


Posted 21 May 2009 - 10:59 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/228425/trojan-infection-file-infector/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond. Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup: