
Vundo Infection I Think [Moved]


6 replies to this topic

#1 jburruso

jburruso

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:10 PM

Posted 01 August 2009 - 03:57 PM

Hey Guys
I've been fighting with what I think is a Vundo infection for the past few days. It started with the program changing my desktop background and prompting me to buy antivirus software. I ran Malwarebytes to remove that and some of the infection.

The next day a notification popped up prompting me to purchase antivirus software again and said my computer was infected. I recognized the name as a rogue program so I installed SuperAntiSpyware and ran a full scan. This stopped all of the popups.

From there the only problem I had was what I think was browser hijacking. Anything I Google searched relating to anti-malware was redirected to either some random ad site or to rds.yahoo.com. I ran SuperAntiSpyware again and deleted more trojans from the registry and tried to run Malwarebytes after, but the program closed and sent me back to the login screen. When I logged in again it said that Windows Explorer wasn't working and left me with an empty black screen.

So here I am right now. I opened up the task manager and started a new task under iexplore.exe. I'm unable to get to any of my other files.

I'm using an HP running Windows Vista and would appreciate your help.


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,805 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:10 AM

Posted 01 August 2009 - 07:37 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:10 AM

Posted 01 August 2009 - 08:35 PM

Quote (jburruso): So here I am right now. I opened up the the task manager and started a new task under iexplore.exe


Try explorer.exe, it's in the Windows folder.

See if you can get us the last couple of MBAM logs?
Chewy

No. Try not. Do... or do not. There is no try.

#4 jburruso

jburruso
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:10 PM

Posted 02 August 2009 - 12:57 AM

Thanks.
Here's Tuesday's MBAM log:

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 6.0.6001 Service Pack 1

7/28/2009 10:28:17 PM
mbam-log-2009-07-28 (22-28-17).txt

Scan type: Quick Scan
Objects scanned: 87570
Time elapsed: 10 minute(s), 24 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 3
Registry Data Items Infected: 5
Folders Infected: 3
Files Infected: 29

Memory Processes Infected:
C:\Windows\System32\drivers\smss.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\Windows\System32\dmime32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a36d2a01-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7370f91f-6994-4595-9949-601fa2261c8d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d97fc677-694d-4a75-ac89-a5b85c2bcfed} (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6226ba26-c017-4007-928c-de9715c6fa67} (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{a36d2a01-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\10129214 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\drivers\smss.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\drivers\smss.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\dmime32.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: system32\dmime32.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\Windows\system32\userinit.exe,C:\Windows\system32\drivers\smss.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\ProgramData\10129214 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Program Files\runit (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\SystemX86 (Worm.Archive) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\ghaf8jkdfd.dll (Trojan.Zlob.H) -> Delete on reboot.
c:\programdata\10129214\10129214 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\programdata\10129214\10129214.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\smss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\fhnse1837.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\joseph burruso\AppData\Local\Temp\7418.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\Users\joseph burruso\AppData\Local\Temp\C208.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\joseph burruso\AppData\Local\Temp\temp1_atomix virtual dj pro v 5 2+crack.zip\Setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\joseph burruso\AppData\Local\Temp\temp1_atomix virtual dj pro v 5 2+crack.zip\crack\crack.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Temp\ppc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\runit\config.txt (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\systemx86\221.crack.zip (Worm.Archive) -> Quarantined and deleted successfully.
c:\Windows\System32\systemx86\221.crack.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
c:\Windows\System32\systemx86\222.keygen.zip (Worm.Archive) -> Quarantined and deleted successfully.
c:\Windows\System32\systemx86\222.keygen.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
c:\Windows\System32\systemx86\223.serial.zip (Worm.Archive) -> Quarantined and deleted successfully.
c:\Windows\System32\systemx86\223.serial.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
c:\Windows\System32\systemx86\224.setup.zip (Worm.Archive) -> Quarantined and deleted successfully.
c:\Windows\System32\systemx86\224.setup.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
c:\Windows\System32\systemx86\225.music.au (Worm.Archive) -> Quarantined and deleted successfully.
c:\Windows\System32\systemx86\225.music.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
c:\Windows\System32\systemx86\226.music2.au (Worm.Archive) -> Quarantined and deleted successfully.
c:\Windows\System32\systemx86\226.music2.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
c:\Windows\System32\systemx86\227.music3.au (Worm.Archive) -> Quarantined and deleted successfully.
c:\Windows\System32\systemx86\227.music3.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
c:\Windows\System32\systemx86\228.music.snd (Worm.Archive) -> Quarantined and deleted successfully.
c:\Windows\System32\systemx86\228.music.snd.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\dmime32.dll (Trojan.Agent) -> Delete on reboot.
C:\Users\Joseph Burruso\Desktop\Winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

and here's Thursday's:

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 6.0.6001 Service Pack 1

7/30/2009 11:09:22 AM
mbam-log-2009-07-30 (11-09-22).txt

Scan type: Quick Scan
Objects scanned: 1
Time elapsed: 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I was logged off after I tried to scan today.
My browser keeps getting redirected to clickover.cn and rds.yahoo too.

#5 jburruso

jburruso
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:10 PM

Posted 02 August 2009 - 01:16 AM

I checked to see if I could run another scan and it went through this time. Here's the log:

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 6.0.6001 Service Pack 1

8/1/2009 8:05:04 PM
mbam-log-2009-08-01 (20-05-04).txt

Scan type: Quick Scan
Objects scanned: 83598
Time elapsed: 4 minute(s), 55 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
C:\Windows\System32\sdra64.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{f54af7de-6038-4026-8433-cc30e3f17212} (Rogue.ASC-AntiSpyware) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Windows\System32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
c:\Windows\System32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
c:\Windows\System32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\Windows\System32\sdra64.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
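The three Malwarebytes logs posted above all use the same line shape for each detection, `location (ThreatName) -> action.`, and the first one shows why the machine kept misbehaving after a "successful" scan: several entries are only marked `Delete on reboot`, and the detections sit in autostart locations (Winlogon Userinit, AppInit_DLLs, a Run key, SharedTaskScheduler, a URL search hook) that re-launch the malware at every logon. The following Python script is an added example for readers triaging such a log; it is not part of the thread and not a Malwarebytes tool. It parses the log, checks the declared counts against the items actually listed, separates the entries still pending a reboot, and labels which detections live in well-known persistence locations. The sample log is constructed from a subset of the 28 July entries in post #4, and the table of persistence paths is the example's own assumption about which registry locations matter, not something the log format encodes.

```python
import re
from collections import Counter

# Constructed sample: a subset of the 28 July 2009 entries quoted in the thread,
# kept in the exact "location (Threat) -> action." shape that MBAM 1.39 writes.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 6.0.6001 Service Pack 1

7/28/2009 10:28:17 PM
mbam-log-2009-07-28 (22-28-17).txt

Scan type: Quick Scan
Objects scanned: 87570
Time elapsed: 10 minute(s), 24 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\Windows\System32\drivers\smss.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\Windows\System32\dmime32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{a36d2a01-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\10129214 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\drivers\smss.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\dmime32.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\Windows\system32\userinit.exe,C:\Windows\system32\drivers\smss.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\drivers\smss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\dmime32.dll (Trojan.Agent) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^(?P<section>.+? Infected): (?P<count>\d+)$")   # "Files Infected: 2"
SECTION_RE = re.compile(r"^(?P<section>.+? Infected):$")                  # "Files Infected:"
ITEM_RE = re.compile(r"^(?P<location>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")

# Assumed table of autostart locations worth a second look (example's own choice, not MBAM's).
PERSISTENCE = [
    ("Winlogon Userinit (runs at every logon)", r"\\winlogon\\userinit$"),
    ("AppInit_DLLs (loaded into user32-linked processes)", r"\\appinit_dlls$"),
    ("Run key autostart", r"\\currentversion\\run\\"),
    ("SharedTaskScheduler (loaded by Explorer)", r"\\sharedtaskscheduler\\"),
    ("Browser URL search hook / BHO", r"urlsearchhook|\\ext\\stats\\"),
]


def parse_mbam_log(text):
    """Return {'summary': {section: declared_count}, 'items': [detection dicts]}."""
    summary, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        m = ITEM_RE.match(line)
        if m and section:
            # "Data: ... -> action" lines carry the action after the last arrow.
            action = m["rest"].rsplit(" -> ", 1)[-1].rstrip(".")
            items.append({"section": section, "location": m["location"],
                          "threat": m["threat"], "action": action})
    return {"summary": summary, "items": items}


def pending_items(report):
    """Detections MBAM could not remove immediately; they survive until a clean reboot."""
    return [i for i in report["items"] if i["action"].lower() == "delete on reboot"]


def persistence_hits(report):
    """(mechanism, location) for every detection sitting in an autostart location."""
    hits = []
    for item in report["items"]:
        loc = item["location"].lower()
        for name, pattern in PERSISTENCE:
            if re.search(pattern, loc):
                hits.append((name, item["location"]))
                break
    return hits


def summary_mismatches(report):
    """Sections whose declared count differs from the items listed (truncated or edited log)."""
    counted = Counter(i["section"] for i in report["items"])
    return {s: (n, counted.get(s, 0)) for s, n in report["summary"].items()
            if counted.get(s, 0) != n}


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("declared vs listed mismatches:", summary_mismatches(rep))
    print("still pending reboot:", [i["location"] for i in pending_items(rep)])
    for name, loc in persistence_hits(rep):
        print(f"{name}: {loc}")
```

Run against a full log file (`parse_mbam_log(open(path).read())`), the pending list tells you whether a second scan after rebooting is still needed, and the persistence list explains a Thursday-style "nothing found" result on a machine that still redirects: the autostart entries were cleaned, but anything that was `Delete on reboot` and any component the scanner never saw can re-seed them.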

#6 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:10 AM

Posted 02 August 2009 - 01:30 AM

http://www.prevx.com/filenames/X9302470815...SDRA64.EXE.html

The filename is associated with the malware groups:

Rootkit
Worm
Cloaked Malware
Information Stealer


One or more of the identified infections is a rootkit/backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Someone may still be able to clean this machine but we can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
Chewy

No. Try not. Do... or do not. There is no try.

#7 jburruso

jburruso
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:10 PM

Posted 02 August 2009 - 04:42 AM

I decided to restore the computer back to factory settings and start from scratch again. Everything seems to be running fine.
I appreciate all of your help with this. If there is anything else that should be done could you please let me know? Thanks.
