Multiple Vundo (and others) Trojan infections


4 replies to this topic

#1 Papa Chanoli


Posted 01 November 2009 - 05:03 AM

Hello. I'm new here so I'm going to try to make this as concise and helpful as possible.

I'm running Windows XP Home. I have AVG 9.0 paid version and Windows Defender running on my PC. I use the standard Windows Firewall. I'm getting rapid pop-up ads when I run Firefox or IE.

When I boot up the computer, Windows Defender is turned off so I have to turn it back on. Windows Defender scans or AVG scans do find occasional trojans, the types of which I'll list at the end of this. Reboots bring reinfection. The pop-ups don't stop after the scan heals or removes infections. I get a warning each time I boot regarding logon.exe failing. I cannot remember the text but I will repost the text tomorrow. (Too tired now. I've been up trying to resolve this for long hours.)

Windows Defender cannot update, but I got a batch file copy from microsoft.com that allows it to update. I can post that batch file text if needed.

I tried to install Malwarebytes to see if that could kill the infection, but it will not install. The Malwarebytes .exe file does not install, and the warning I get when I use the shortcut after a fresh install says the path does not exist. My assumption is the trojan creator got tired of Malwarebytes screwing up his fun and turned the tables on Malwarebytes. (That assumption is based on my ignorant guess.)

I do not know where Windows puts screenshots, so I can't show you the screenshot of the latest barrage of infections AVG found. I'll write the names of the Trojans below. AVG does not succeed in preventing these babies from reinstalling themselves, and the infection does not appear to have a pattern. Different .dll files show up each time, with a variety of names I've unfortunately become remotely familiar with.

The currently quarantined infections are numerous copies of these Trojan Horses:
Vundo.IG
Generic15.ACRY
Generic15.AFFK
Agent2.YLG
Generic15.AHMR
Vundo.IH
Vundo.II

These are all either in restore directories or in windows/system32 but I doubt that surprises any of you experts. The .dll and .dll.tmp files they are in all have some nice exotic sounding evil bastard names. 8)

I don't know what more I can do to help anybody who would be so kind as to direct my efforts to battle this baby. I'm sure for an expert this would be an easy kill, but I need someone to point me to the gun and show me how to pull the trigger on these bad boys. So far they're meaner than me and I really wanna' show'em who's boss.

Thank you in advance. It's a real encouragement to know there are as many people fighting the hacker punks who create these things as there are hacker punks to begin with.

Rock on you un-hackers,
Papa Chanoli



#2 Papa Chanoli


Posted 01 November 2009 - 05:08 AM

I should include that I cannot boot into safe mode. I can only boot into normal windows.


Please forgive if I missed some details. I've been at this for a few days. Most of my efforts have gotten me nowhere.


Below is a report of AVG's Web Shield log of what it was able to block.

And below that is AVG's Resident Shield report. It shows a number of the files that have been infected, including AVG files and Windows Defender files. (I just realized that part.)

Web Shield findings
"Infection";"Object";"Result";"Detection time";"Object Type";"Process"
"Trojan horse Vundo.IH";"82.98.231.98/default.aspx?YICuz2DLwzi3dgOl1DcXBug8ykTqamFhJmuFx-somgeJWkXIMmvE0wK5J9XlBAMvNQDMusEuXlk7tmXMjlpJNq6W1-wt1cSP5dLF2Knjt8Gel-YQchU4-dIdgqyrYuknV_BjCdwIWcJYjyw9G5GVZlI7fnkbPzzifFt1QzHTePr5CN_l";"Object was blocked";"10/31/2009, 7:12:25 PM";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse Vundo.IH";"82.98.231.98/default.aspx?7oCuwmPCzzO_eAit3AYnU_kE_0XSVyYndGqNz8gemDC9BhTLAEqC2FS-I9W3BFQub1PEvpZ-BVdu4WLOiw5HMP2W1fl4ivKt9tLM2fjmtJfLzPBLIxc9oI5Phvz9Zb0vUOM0C9ldBpM6gx8_F6WjYFc7enYjM0jkGWB0QTTUeMnIVIyumA";"Object was blocked";"10/31/2009, 7:12:10 PM";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse Vundo.IH";"82.98.231.98/default.aspx?YICuz2DLwzi3dgOl1DcXBug8ykTqamFhJmuFx-somgeJWkXIMmvE0wK5J9XlBAMvNQDMusEuXlk7tmXMjlpJNq6W1-wt1cSP5dLF2Knjt8Gel-YQchU4-dIdgqyrYuknV_BjCdwIWcJYjyw9G5GVZlI7fnkbPzzifFt1QzHTePr5CN_l";"Object was blocked";"10/31/2009, 7:11:55 PM";"file";"C:\Program Files\Internet Explorer\iexplore.exe"
"Trojan horse Vundo.IH";"82.98.231.98/default.aspx?7oCuwmPCzzO_eAit3AYnU_kE_0XSVyYndGqNz8gemDC9BhTLAEqC2FS-I9W3BFQub1PEvpZ-BVdu4WLOiw5HMP2W1fl4ivKt9tLM2fjmtJfLzPBLIxc9oI5Phvz9Zb0vUOM0C9ldBpM6gx8_F6WjYFc7enYjM0jkGWB0QTTUeMnIVIyumA";"Object was blocked";"10/31/2009, 7:11:37 PM";"file";"C:\Program Files\Internet Explorer\iexplore.exe"
"Trojan horse Vundo.IH";"82.98.231.98/default.aspx?7oCuwmPCzzO_eAit3AYnU_kE_0XSVyYndGqNz8gemDC9BhTLAEqC2FS-I9W3BFQub1PEvpZ-BVdu4WLOiw5HMP2W1fl4ivKt9tLM2fjmtJfLzPBLIxc9oI5Phvz9Zb0vUOM0C9ldBpM6gx8_F6WjYFc7enYjM0jkGWB0QTTUeMnIVIyumA";"Object was blocked";"10/31/2009, 7:11:03 PM";"file";"C:\WINDOWS\system32\lsass.exe"
"Trojan horse Vundo.IH";"82.98.231.98/default.aspx?YICuz2DLwzi3dgOl1DcXBug8ykTqamFhJmuFx-somgeJWkXIMmvE0wK5J9XlBAMvNQDMusEuXlk7tmXMjlpJNq6W1-wt1cSP5dLF2Knjt8Gel-YQchU4-dIdgqyrYuknV_BjCdwIWcJYjyw9G5GVZlI7fnkbPzzifFt1QzHTePr5CN_l";"Object was blocked";"10/31/2009, 7:11:03 PM";"file";"C:\WINDOWS\system32\lsass.exe"
"Exploit Rogue scanner (type 871)";"spyware-remover-free.org/index.php?PHPSESSID=259b4c25aa08557e7c8892c5d64253db";"Object was blocked";"10/28/2009, 8:15:03 AM";"file";"C:\Program Files\Mozilla Firefox\firefox.exe"


Resident Shield:

Resident Shield detection
"Infection";"Object";"Result";"Detection time";"Object Type";"Process"
"Trojan horse Vundo.II";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP862\A0179883.dll";"Moved to Virus Vault";"10/31/2009, 11:27:49 PM";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse Vundo.II";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP862\A0179883.dll";"Moved to Virus Vault";"10/31/2009, 10:27:49 PM";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse Vundo.II";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP862\A0179883.dll";"Moved to Virus Vault";"10/31/2009, 9:53:22 PM";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse Vundo.IH";"C:\WINDOWS\system32\pivejehu.dll";"Moved to Virus Vault";"10/31/2009, 11:21:01 AM";"file";"C:\Program Files\AVG\AVG9\avgui.exe"
"Trojan horse Vundo.II";"C:\WINDOWS\system32\wotizale.dll";"Moved to Virus Vault";"10/31/2009, 8:00:00 AM";"file";"C:\WINDOWS\system32\rundll32.exe"
"Trojan horse Vundo.IH";"C:\WINDOWS\system32\vawevoyu.dll";"Moved to Virus Vault";"10/31/2009, 7:16:30 AM";"file";"C:\Program Files\AVG\AVG9\avgcmgr.exe"
"Trojan horse Vundo.IH";"C:\WINDOWS\system32\vojijaje.dll";"Moved to Virus Vault";"10/31/2009, 7:16:02 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Vundo.IH";"C:\WINDOWS\system32\sahoruhe.dll";"Moved to Virus Vault";"10/31/2009, 7:15:37 AM";"file";"C:\Program Files\AVG\AVG9\fixcfg.exe"
"Trojan horse Vundo.IH";"C:\WINDOWS\system32\zikewapo.dll";"Moved to Virus Vault";"10/31/2009, 7:15:37 AM";"file";"C:\Program Files\AVG\AVG9\fixcfg.exe"
"Trojan horse Vundo.IH";"C:\WINDOWS\system32\sahoruhe.dll";"Moved to Virus Vault";"10/31/2009, 7:15:30 AM";"file";"C:\Program Files\AVG\AVG9\avgupd.exe"
"Trojan horse Vundo.IH";"C:\WINDOWS\system32\zikewapo.dll";"Moved to Virus Vault";"10/31/2009, 7:15:30 AM";"file";"C:\Program Files\AVG\AVG9\avgupd.exe"
"Trojan horse Vundo.IH";"C:\WINDOWS\system32\zikewapo.dll";"Moved to Virus Vault";"10/31/2009, 7:15:16 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Vundo.IH";"C:\WINDOWS\system32\sahoruhe.dll";"Moved to Virus Vault";"10/31/2009, 7:15:05 AM";"file";"C:\WINDOWS\system32\searchfilterhost.exe"
"Trojan horse Vundo.IH";"C:\WINDOWS\system32\zikewapo.dll";"Moved to Virus Vault";"10/31/2009, 7:15:05 AM";"file";"C:\WINDOWS\system32\searchfilterhost.exe"
"Trojan horse Vundo.IH";"C:\WINDOWS\system32\sahoruhe.dll";"Moved to Virus Vault";"10/31/2009, 7:15:05 AM";"file";"C:\WINDOWS\system32\searchprotocolhost.exe"
"Trojan horse Vundo.IH";"C:\WINDOWS\system32\sahoruhe.dll";"Moved to Virus Vault";"10/31/2009, 7:15:03 AM";"file";"C:\Program Files\AVG\AVG9\avgsrmax.exe"
"Trojan horse Vundo.IH";"C:\WINDOWS\system32\zikewapo.dll";"Moved to Virus Vault";"10/31/2009, 7:15:02 AM";"file";"C:\Program Files\AVG\AVG9\avgsrmax.exe"
"Trojan horse Vundo.IH";"C:\WINDOWS\system32\zikewapo.dll";"Moved to Virus Vault";"10/31/2009, 7:15:02 AM";"file";"C:\WINDOWS\system32\searchprotocolhost.exe"
"Trojan horse Vundo.IH";"C:\WINDOWS\system32\sahoruhe.dll";"Moved to Virus Vault";"10/31/2009, 7:14:52 AM";"file";"C:\Program Files\AVG\AVG9\fixcfg.exe"
"Trojan horse Vundo.IH";"C:\WINDOWS\system32\zikewapo.dll";"Moved to Virus Vault";"10/31/2009, 7:14:52 AM";"file";"C:\Program Files\AVG\AVG9\fixcfg.exe"
"Trojan horse Generic15.AHMR";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP860\A0178789.dll";"Moved to Virus Vault";"10/30/2009, 11:49:10 AM";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse Agent2.YLG";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP861\A0179821.dll";"Moved to Virus Vault";"10/30/2009, 10:35:02 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Generic15.AFFK";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP860\A0178866.dll";"Moved to Virus Vault";"10/30/2009, 10:34:03 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Generic15.AHMR";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP860\A0178789.dll";"Moved to Virus Vault";"10/30/2009, 10:33:55 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Agent2.YLG";"C:\WINDOWS\system32\jagupodi.dll";"Moved to Virus Vault";"10/29/2009, 5:45:39 PM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Generic15.AFFK";"C:\WINDOWS\system32\pumogepe.dll";"Moved to Virus Vault";"10/29/2009, 5:02:58 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Vundo.IG";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP858\A0178716.dll";"Moved to Virus Vault";"10/27/2009, 11:24:49 AM";"file";"C:\Program Files\Windows Defender\MSASCui.exe"
"Trojan horse Vundo.IG";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP858\A0178730.dll";"Moved to Virus Vault";"10/27/2009, 11:24:49 AM";"file";"C:\Program Files\Windows Defender\MSASCui.exe"
"Trojan horse Vundo.IG";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP858\A0178716.dll";"Moved to Virus Vault";"10/27/2009, 11:24:32 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Vundo.IG";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP858\A0178730.dll";"Moved to Virus Vault";"10/27/2009, 11:24:29 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Vundo.IG";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP858\A0178725.dll";"Moved to Virus Vault";"10/27/2009, 11:20:30 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Vundo.IG";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP858\A0178728.dll";"Moved to Virus Vault";"10/27/2009, 11:20:29 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Vundo.IG";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP858\A0178716.dll";"Moved to Virus Vault";"10/27/2009, 11:20:23 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Vundo.IG";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP858\A0178730.dll";"Moved to Virus Vault";"10/27/2009, 11:20:20 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Vundo.IG";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP858\A0178730.dll";"Moved to Virus Vault";"10/27/2009, 10:40:55 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Vundo.IG";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP858\A0178729.dll";"Moved to Virus Vault";"10/27/2009, 10:40:55 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Vundo.IG";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP858\A0178728.dll";"Moved to Virus Vault";"10/27/2009, 10:40:55 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Generic15.ACRY";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP858\A0178727.exe";"Moved to Virus Vault";"10/27/2009, 10:40:50 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Vundo.IG";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP858\A0178726.dll";"Moved to Virus Vault";"10/27/2009, 10:40:49 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Vundo.IG";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP858\A0178725.dll";"Moved to Virus Vault";"10/27/2009, 10:40:48 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Vundo.IG";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP858\A0178717.dll";"Moved to Virus Vault";"10/27/2009, 10:40:48 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Vundo.IG";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP858\A0178716.dll";"Moved to Virus Vault";"10/27/2009, 10:40:44 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Vundo.IG";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP857\A0178662.dll";"Moved to Virus Vault";"10/27/2009, 10:40:41 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Vundo.IG";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP857\A0178661.dll";"Moved to Virus Vault";"10/27/2009, 10:40:39 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Vundo.IG";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP857\A0178660.dll";"Moved to Virus Vault";"10/27/2009, 10:40:37 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Vundo.IG";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP857\A0178587.dll";"Moved to Virus Vault";"10/27/2009, 10:40:34 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Vundo.IG";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP857\A0178586.dll";"Moved to Virus Vault";"10/27/2009, 10:40:32 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Vundo.IG";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP857\A0178585.dll";"Moved to Virus Vault";"10/27/2009, 10:40:30 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Generic15.ACRY";"C:\WINDOWS\system32\logon.exe";"Moved to Virus Vault";"10/27/2009, 5:22:21 AM";"file";"C:\WINDOWS\explorer.exe"
"Trojan horse Generic15.ACRY";"C:\WINDOWS\system32\logon.exe";"Moved to Virus Vault";"10/27/2009, 5:20:13 AM";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse Generic15.ACRY";"C:\WINDOWS\system32\logon.exe";"Moved to Virus Vault";"10/27/2009, 5:19:32 AM";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse Generic15.ACRY";"C:\WINDOWS\system32\logon.exe";"Moved to Virus Vault";"10/27/2009, 5:18:51 AM";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse Vundo.IG";"C:\WINDOWS\system32\zopirozu.dll";"Moved to Virus Vault";"10/27/2009, 5:18:15 AM";"file";"C:\Program Files\Java\jre6\bin\jqsnotify.exe"
"Trojan horse Generic15.ACRY";"C:\WINDOWS\system32\logon.exe";"Moved to Virus Vault";"10/27/2009, 5:18:10 AM";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse Generic15.ACRY";"C:\WINDOWS\system32\logon.exe";"Moved to Virus Vault";"10/27/2009, 5:17:29 AM";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse Generic15.ACRY";"C:\WINDOWS\system32\logon.exe";"Moved to Virus Vault";"10/27/2009, 5:16:48 AM";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse Generic15.ACRY";"C:\WINDOWS\system32\logon.exe";"Moved to Virus Vault";"10/27/2009, 5:16:08 AM";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse Vundo.IG";"C:\WINDOWS\system32\zopirozu.dll";"Moved to Virus Vault";"10/27/2009, 5:15:28 AM";"file";"C:\Program Files\AVG\AVG9\avgsrmax.exe"
"Trojan horse Generic15.ACRY";"C:\WINDOWS\system32\logon.exe";"Moved to Virus Vault";"10/27/2009, 5:15:27 AM";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse Generic15.ACRY";"C:\WINDOWS\system32\logon.exe";"Moved to Virus Vault";"10/27/2009, 5:14:46 AM";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse Generic15.ACRY";"C:\WINDOWS\system32\logon.exe";"Moved to Virus Vault";"10/27/2009, 5:14:05 AM";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse Generic15.ACRY";"C:\WINDOWS\system32\logon.exe";"Moved to Virus Vault";"10/27/2009, 5:13:24 AM";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse Vundo.IG";"C:\WINDOWS\system32\zopirozu.dll";"Moved to Virus Vault";"10/27/2009, 5:12:51 AM";"file";"C:\Program Files\AVG\AVG9\fixcfg.exe"
"Trojan horse Generic15.ACRY";"C:\WINDOWS\system32\logon.exe";"Moved to Virus Vault";"10/27/2009, 5:12:43 AM";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse Vundo.IG";"C:\WINDOWS\system32\zopirozu.dll";"Moved to Virus Vault";"10/27/2009, 5:12:28 AM";"file";"C:\Program Files\AVG\AVG9\avgupd.exe"
"Trojan horse Generic15.ACRY";"C:\WINDOWS\system32\logon.exe";"Moved to Virus Vault";"10/27/2009, 5:12:02 AM";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse Generic15.ACRY";"C:\WINDOWS\system32\logon.exe";"Moved to Virus Vault";"10/27/2009, 5:11:21 AM";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse Vundo.IG";"C:\WINDOWS\system32\zopirozu.dll";"Moved to Virus Vault";"10/27/2009, 5:11:17 AM";"file";"C:\Program Files\AVG\AVG9\avgsrmax.exe"
"Trojan horse Vundo.IG";"C:\WINDOWS\system32\zopirozu.dll";"Moved to Virus Vault";"10/27/2009, 5:11:15 AM";"file";"C:\Program Files\AVG\AVG9\fixcfg.exe"

Edited by Papa Chanoli, 01 November 2009 - 05:22 AM.
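A reading aid for the Resident Shield export above, added here as an example and not code from this thread or from AVG. The export is a semicolon-separated CSV with every field quoted, and its "Process" column is the program whose file access triggered the on-access scan, not a file that is itself infected: the same DLL being detected from avgui.exe, MsMpEng.exe and searchfilterhost.exe is what a DLL that gets loaded into many processes looks like from the scanner's side. The script parses a constructed excerpt (object and process names taken from the log above, the selection is ours) and separates three things a responder wants to know: how much of the log is inert restore-point copies, which system32 objects are being accessed by several distinct processes (threshold of three is an assumption), and which objects were vaulted more than once, i.e. were present again after removal.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed excerpt in the AVG 9 Resident Shield export format used above
# (semicolon-separated, every field double-quoted). Object and process names
# are taken from the log posted in this thread; the selection is ours.
SAMPLE_LOG = r'''"Infection";"Object";"Result";"Detection time";"Object Type";"Process"
"Trojan horse Vundo.IH";"C:\WINDOWS\system32\zikewapo.dll";"Moved to Virus Vault";"10/31/2009, 7:15:37 AM";"file";"C:\Program Files\AVG\AVG9\fixcfg.exe"
"Trojan horse Vundo.IH";"C:\WINDOWS\system32\zikewapo.dll";"Moved to Virus Vault";"10/31/2009, 7:15:30 AM";"file";"C:\Program Files\AVG\AVG9\avgupd.exe"
"Trojan horse Vundo.IH";"C:\WINDOWS\system32\zikewapo.dll";"Moved to Virus Vault";"10/31/2009, 7:15:16 AM";"file";"C:\Program Files\Windows Defender\MsMpEng.exe"
"Trojan horse Vundo.IH";"C:\WINDOWS\system32\sahoruhe.dll";"Moved to Virus Vault";"10/31/2009, 7:15:05 AM";"file";"C:\WINDOWS\system32\searchfilterhost.exe"
"Trojan horse Vundo.IH";"C:\WINDOWS\system32\sahoruhe.dll";"Moved to Virus Vault";"10/31/2009, 7:14:52 AM";"file";"C:\Program Files\AVG\AVG9\fixcfg.exe"
"Trojan horse Vundo.II";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP862\A0179883.dll";"Moved to Virus Vault";"10/31/2009, 11:27:49 PM";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse Vundo.II";"C:\System Volume Information\_restore{1E7C8BDD-2D3F-46EF-8958-BA4964915B33}\RP862\A0179883.dll";"Moved to Virus Vault";"10/31/2009, 10:27:49 PM";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse Generic15.ACRY";"C:\WINDOWS\system32\logon.exe";"Moved to Virus Vault";"10/27/2009, 5:22:21 AM";"file";"C:\WINDOWS\explorer.exe"
"Trojan horse Generic15.ACRY";"C:\WINDOWS\system32\logon.exe";"Moved to Virus Vault";"10/27/2009, 5:20:13 AM";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse Vundo.IG";"C:\WINDOWS\system32\zopirozu.dll";"Moved to Virus Vault";"10/27/2009, 5:18:15 AM";"file";"C:\Program Files\Java\jre6\bin\jqsnotify.exe"
'''

# Restore-point copies live under System Volume Information\_restore{GUID}\RPnnn.
RESTORE_POINT = re.compile(r'\\System Volume Information\\_restore\{', re.I)
# A file sitting directly in system32 (no deeper path component).
SYSTEM32_FILE = re.compile(r'^C:\\WINDOWS\\system32\\[^\\]+$', re.I)


def parse_avg_log(text):
    """Return the export rows as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text), delimiter=';', quotechar='"'))


def triage(text, shared_threshold=3):
    """Summarise an export: detections per family, restore-point noise,
    system32 objects accessed by several distinct processes, and objects
    that were vaulted more than once (so were present again later)."""
    families = Counter()
    processes_by_object = defaultdict(set)
    vault_count = Counter()
    restore_hits = 0
    for row in parse_avg_log(text):
        obj = row['Object']
        families[row['Infection'].replace('Trojan horse ', '')] += 1
        if RESTORE_POINT.search(obj):
            restore_hits += 1      # inert copies, re-detected on every scan
            continue
        # Process = the program whose access triggered the on-access scan
        processes_by_object[obj].add(row['Process'].rsplit('\\', 1)[-1])
        if row['Result'] == 'Moved to Virus Vault':
            vault_count[obj] += 1
    shared = {o: sorted(p) for o, p in processes_by_object.items()
              if SYSTEM32_FILE.match(o) and len(p) >= shared_threshold}
    revaulted = {o: n for o, n in vault_count.items() if n > 1}
    return {'families': dict(families), 'restore_point_hits': restore_hits,
            'shared_objects': shared, 'revaulted': revaulted}


if __name__ == '__main__':
    report = triage(SAMPLE_LOG)
    print('detections by family:', report['families'])
    print('restore-point copies:', report['restore_point_hits'])
    for obj, procs in report['shared_objects'].items():
        print(f'{obj} accessed by {len(procs)} processes: {", ".join(procs)}')
    for obj, n in report['revaulted'].items():
        print(f'{obj} vaulted {n} times')
```

Two caveats when reading the "revaulted" counts: detections a few seconds apart (sahoruhe.dll at 7:15:05 from two processes) can be several programs racing to load one copy before it is moved, whereas the same path coming back minute after minute, as logon.exe does in the full log, means something is recreating it. The restore-point copies are not running code; System Restore keeps them protected, so they reappear in every scan until the restore points are purged.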


#3 pcintel


Posted 02 November 2009 - 09:49 PM

I tried to install Malwarebytes to see if that could kill the infection, but it will not install. The Malwarebytes .exe file does not install, and the warning I get when I use the shortcut after a fresh install says the path does not exist. My assumption is the trojan creator got tired of Malwarebytes screwing up his fun and turned the tables on Malwarebytes. (That assumption is based on my ignorant guess.)


Starting to see this more and more with malware infections. Here is how you trick it.

1.) Install Malwarebytes into a different directory like C:\Mbytes
2.) If the mbam.exe is removed after the install, proceed to Step 3. If not, double-click mbam.exe; if mbam.exe doesn't run and the exe is there but does nothing when you double-click it, you need to make a copy of it and then try running the copy. Sometimes you may have to rename the .exe to .bat/.com.
3.) Copy the mbam.exe from another machine/thumb drive, but be sure to rename the exe to something like mbyte.bat before copying the file to your installation folder. You may have to go into Folder Options, View tab, and uncheck "Hide extensions for known file types" to change the .exe to .bat/.com.
4.) Copy this renamed file mbyte.bat to the directory you installed Malwarebytes in.
5.) Now double-click this file like you would an exe and Malwarebytes should start up.

#4 Papa Chanoli


Posted 02 November 2009 - 10:42 PM

Excellent, I'll get right on it and post the results as soon as possible. Thank you very much for your time and advice.

#5 Papa Chanoli


Posted 02 November 2009 - 11:59 PM

Ok, advice step #1 worked like a charm. I ran Malwarebytes and it seems to have eliminated my infections.

The log file is posted below for your interest.

When MWB rebooted automatically Windows defender was still off. I don't know if that's a setting I need to change or if it's a sign of additional infection that remains undetected.

Secondly, is there a way to be sure my system is clean? Or is Malwarebytes so good that I need no longer wonder? MWB did find numerous things that AVG and Defender apparently were unable to detect or fix.

I'll run MWB once again to see what that does, and await a further post, if I may be so imposing.

No matter how you slice it, this is an awesome site. If I can find a contribution link I'll definitely contribute when I can.

Thank you very much for your help.



Malwarebytes' Anti-Malware 1.41
Database version: 3090
Windows 5.1.2600 Service Pack 3

11/2/2009 8:18:38 PM
mbam-log-2009-11-02 (20-18-38).txt

Scan type: Quick Scan
Objects scanned: 110278
Time elapsed: 18 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 4
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hesokokup (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gipofosi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\korumore.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\niwebazi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vepujoto.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Local Settings\Temp\22.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\cd155966-23f2-42ac-aef5-e9a322559c55.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

Edited by Papa Chanoli, 03 November 2009 - 12:01 AM.
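The Malwarebytes log above records the settings that the earlier symptoms pointed at: the Winlogon Shell value had logon.exe appended after Explorer.exe (the same C:\WINDOWS\system32\logon.exe that AVG kept vaulting, which is consistent with a boot-time complaint about logon.exe once the file was gone), the Security Center *DisableNotify values were set to 1 (alerts about disabled antivirus, firewall and updates suppressed), and the scui.cpl/wscui.cpl applets were hidden under "don't load". The parser below is an added example, not Malwarebytes' own code; it reads a shortened excerpt of that log (constructed from the lines posted above), splits it into the "... Infected:" sections, parses each "target (class) -> [Bad: (x) Good: (y) ->] action." entry, and reports those tamper indicators as data rather than leaving them buried in the text.

```python
import re
from collections import defaultdict

# Shortened excerpt of the Malwarebytes 1.41 log posted above (constructed
# from the thread's own lines, not a new scan).
SAMPLE_MBAM_LOG = r'''Malwarebytes' Anti-Malware 1.41
Database version: 3090
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hesokokup (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\gipofosi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Local Settings\Temp\22.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
'''

SECTION = re.compile(r'^(?P<name>[A-Za-z ]+ Infected):$')
SUMMARY = re.compile(r'^(?P<name>[A-Za-z ]+ Infected): (?P<n>\d+)$')
# "target (classification) -> [Bad: (x) Good: (y) -> ]action."
ENTRY = re.compile(
    r'^(?P<target>.+?) \((?P<cls>[^()]+)\) -> '
    r'(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?'
    r'(?P<action>.+?)\.$')


def parse_mbam_log(text):
    """Return (summary counts, {section name: [entry dicts]})."""
    summary, sections, current = {}, defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := SUMMARY.match(line):
            summary[m['name']] = int(m['n'])
        elif m := SECTION.match(line):
            current = m['name']
        elif (m := ENTRY.match(line)) and current:
            sections[current].append(m.groupdict())
    return summary, dict(sections)


def assess(text):
    """Pull the tamper indicators out of the parsed log."""
    summary, sections = parse_mbam_log(text)
    f = {'shell_extra': [], 'notify_suppressed': [], 'hidden_cpl': [],
         'run_persistence': [], 'files_by_class': defaultdict(int)}
    for e in sections.get('Registry Data Items Infected', []):
        key = e['target']
        if key.lower().endswith(r'\winlogon\shell'):
            # Anything beyond the good value is the extra program run at logon
            good = set(e['good'].split())
            f['shell_extra'] = [t for t in e['bad'].split() if t not in good]
        elif key.lower().endswith('disablenotify') and e['bad'] == '1':
            f['notify_suppressed'].append(key.rsplit('\\', 1)[-1])
    for e in sections.get('Registry Values Infected', []):
        key = e['target']
        if "\\don't load\\" in key.lower():        # hidden Control Panel applet
            f['hidden_cpl'].append(key.rsplit('\\', 1)[-1])
        elif '\\currentversion\\run\\' in key.lower():   # autostart entry
            f['run_persistence'].append(key.rsplit('\\', 1)[-1])
    for e in sections.get('Files Infected', []):
        f['files_by_class'][e['cls']] += 1
    f['files_by_class'] = dict(f['files_by_class'])
    f['summary'] = summary
    return f


if __name__ == '__main__':
    for name, value in assess(SAMPLE_MBAM_LOG).items():
        print(f'{name}: {value}')
```

The "shell_extra" and "run_persistence" results are the two places this log shows the infection re-launching itself at logon, which is the mechanism behind "reboots bring reinfection" in the first post; the "notify_suppressed" and "hidden_cpl" results explain why the user was never warned that protection had been turned off.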




