Trojan.Vundo virus - hidden iexplorer process runs


This topic is locked.
4 replies to this topic

#1 Geraldg (Members, 4 posts)

Posted 25 May 2009 - 12:23 PM

I've used the VundoFix program, the SUPERAntiSpyware program and of course the Malwarebytes product.

I've run Malwarebytes in both Safe and Normal modes. In Safe mode, I've run it at least 7 times now.

I've got the infected files/registry entries down to 9 in Safe mode.

No matter what I try, I cannot get these 3 files deleted or the registry files removed. The memory module file (zzyxuadt.dll) does get removed.

The result is that the iexplorer process will launch by itself (shortly after a reboot), but you will NOT see the actual GUI browser window - just the process is running. I kill the process (using Task Manager), but after a few minutes, it will start again. Eventually, I'll see an IE window appear indicating I have a virus and then telling me to download the Spydoctor antivirus program.

I saw the sysguard entry in my Startup list (I used msconfig to see it), but I've disabled it from running. Then I ran Malwarebytes, etc. I no longer see the sysguard entry in the startup list.

So - any suggestions on how to remove these remaining 3 files?

Here are the Malwarebytes logs:

#1 Full Mode

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

5/24/2009 4:06:09 PM
mbam-log-2009-05-24 (16-06-09).txt

Scan type: Quick Scan
Objects scanned: 81479
Time elapsed: 14 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 11
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\zzyxuadt.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92981def-ab3f-4851-ad17-8c45ef7e59be} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\owvvixks (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{92981def-ab3f-4851-ad17-8c45ef7e59be} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03f04d68-b423-4d45-bc1a-ae69725fba46} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{03f04d68-b423-4d45-bc1a-ae69725fba46} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{03f04d68-b423-4d45-bc1a-ae69725fba46} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rxdejhum (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rxdejhum (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rxdejhum (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{92981def-ab3f-4851-ad17-8c45ef7e59be} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\gzctcln.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\zzyxuadt.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\snqsald.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

-----

#2 Safe Mode

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

5/24/2009 4:48:32 PM
mbam-log-2009-05-24 (16-48-32).txt

Scan type: Quick Scan
Objects scanned: 80895
Time elapsed: 12 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92981def-ab3f-4851-ad17-8c45ef7e59be} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\owvvixks (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{92981def-ab3f-4851-ad17-8c45ef7e59be} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rxdejhum (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rxdejhum (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rxdejhum (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{92981def-ab3f-4851-ad17-8c45ef7e59be} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\gzctcln.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\snqsald.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

-----

#3 Safe

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

5/24/2009 5:12:58 PM
mbam-log-2009-05-24 (17-12-58).txt

Scan type: Quick Scan
Objects scanned: 80877
Time elapsed: 16 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92981def-ab3f-4851-ad17-8c45ef7e59be} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\owvvixks (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{92981def-ab3f-4851-ad17-8c45ef7e59be} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rxdejhum (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rxdejhum (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\gzctcln.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\snqsald.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
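The three logs above show the same pattern on every run: the Browser Helper Object key, the Winlogon\Notify key and three DLLs are reported "Delete on reboot" each time, while the rxdejhum service is "Quarantined and deleted successfully" each time and is nevertheless back by the next scan. The script below is an added example, not part of the original post and not Malwarebytes' own tooling: it parses the MBAM 1.x log layout visible above (a "... Infected:" header followed by lines of the form `<item> (<family>) -> <action>.`) and compares successive scans to separate those two failure modes. The embedded logs are constructed, abbreviated copies of the three scans quoted in the post; the function names are the example's own.

```python
import re

# Constructed sample input: abbreviated copies of the three scans quoted in the
# post above.  Headers are trimmed to the log file name and only the entries
# needed for the comparison are kept, with their original wording.
LOG_NORMAL = r"""
mbam-log-2009-05-24 (16-06-09).txt
Registry Keys Infected: 11

Memory Modules Infected:
C:\WINDOWS\system32\zzyxuadt.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92981def-ab3f-4851-ad17-8c45ef7e59be} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\owvvixks (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rxdejhum (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\gzctcln.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\zzyxuadt.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\snqsald.dll (Trojan.Vundo.H) -> Delete on reboot.
"""

LOG_SAFE_1 = r"""
mbam-log-2009-05-24 (16-48-32).txt

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92981def-ab3f-4851-ad17-8c45ef7e59be} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\owvvixks (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rxdejhum (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\gzctcln.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\snqsald.dll (Trojan.Vundo.H) -> Delete on reboot.
"""

# The third scan (17-12-58) lists exactly the same surviving entries as the second.
LOG_SAFE_2 = LOG_SAFE_1.replace("(16-48-32)", "(17-12-58)")

SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")  # header, no trailing count
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """One MBAM 1.x log -> {section: {item.lower(): (item, family, action)}}.
    Summary lines carry a count after the colon, so they never match SECTION_RE;
    keys are lower-cased because the log mixes "c:\\" and "C:\\" for one file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        entry = ENTRY_RE.match(line) if current else None
        if entry:
            sections[current][entry["item"].lower()] = (
                entry["item"], entry["family"], entry["action"])
    return sections


def track_across_scans(logs):
    """For each (section, item) flagged by the first scan: (family, [action per
    scan]), with None where a later scan no longer listed it."""
    parsed = [parse_mbam_log(t) for t in logs]
    history = {}
    for section, entries in parsed[0].items():
        for key, (item, family, _) in entries.items():
            actions = [p.get(section, {}).get(key, (None, None, None))[2]
                       for p in parsed]
            history[(section, item)] = (family, actions)
    return history


def stuck_pending_delete(history):
    """Every scan said 'Delete on reboot' and the item was still there next time:
    the reboot-time delete never completed."""
    return sorted((k for k, (_, acts) in history.items()
                   if all(a == "Delete on reboot" for a in acts)),
                  key=lambda k: (k[0], k[1].lower()))


def recreated_after_delete(history):
    """'Quarantined and deleted successfully', then flagged again by the next
    scan: something still running re-creates the item."""
    return sorted(k for k, (_, acts) in history.items()
                  if any(a and a.startswith("Quarantined") and later is not None
                         for a, later in zip(acts, acts[1:])))


if __name__ == "__main__":
    hist = track_across_scans([LOG_NORMAL, LOG_SAFE_1, LOG_SAFE_2])
    for label, fn in (("never deleted", stuck_pending_delete),
                      ("re-created after deletion", recreated_after_delete)):
        print(f"{label}:")
        for section, item in fn(hist):
            print(f"  [{section}] {item}")
```

Run as-is it reports four entries that never leave "Delete on reboot" (the BHO key, the Winlogon\Notify key, gzctcln.dll and snqsald.dll) and one entry that is deleted and re-created (the rxdejhum service). The split is the useful signal for a responder: a DLL registered under Winlogon\Notify is loaded into winlogon.exe at logon, in Safe Mode as well, so it is already in use when an on-demand scanner tries to remove it, and code running that early can re-register the service and the BHO before the next scan. Items whose status changes between scans (here zzyxuadt.dll, gone after the first run) are the ones the scanner actually won.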

#2 Geraldg (Topic Starter, Members, 4 posts)

Posted 25 May 2009 - 12:24 PM

I should also point out that I used to be running Norton Internet Security 2009 on this PC until this past Friday (when I encountered the problem). I removed NIS 2009 and installed the free AVG product (on advice from a PC expert). In either case, NIS and AVG have been hit-or-miss in finding some of what Malwarebytes is finding.

#3 Geraldg (Topic Starter, Members, 4 posts)

Posted 25 May 2009 - 04:51 PM

Well - now my computer does a spontaneous reboot on its own...

#4 Geraldg (Topic Starter, Members, 4 posts)

Posted 25 May 2009 - 09:28 PM

I think I'm all fixed up now. With the help of the folks at Malwarebytes, who actually pointed me back to this forum to download ComboFix. After running that and Malwarebytes again, it appears all the viruses are removed.

#5 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 26 May 2009 - 12:39 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.