TROJAN.VUNDO!GEN 2 has infected me!


This topic is locked
3 replies to this topic

#1 Godl-Fire

Godl-Fire

  • Members
  • 25 posts
  • OFFLINE
  • Local time:10:01 PM

Posted 06 December 2009 - 12:36 AM

Well, Trojan.Vundo!gen2 appears as if it's on my computer. Norton Internet Security keeps blocking it from doing anything but not removing it. Once it has done this once, it will pop up saying the same thing a couple of minutes later.

System: Windows XP

Auto-Protect has detected Trojan.Vundo!gen2
Status: Blocked
Recommended Action: Resolved- No Action
Risk Category: Heuristic Virus
File Name: c:\windows\temp\qhon.tmp\svchost.exe

(Note this isn't the only temp file; it just creates a new random xxxx.tmp folder every time.)

I have posted this on the Norton forums and they referred me to here; they said it's one of the new Gen 3 rootkits.
I have taken steps suggested on other sites, such as disabling System Restore and then doing a full system scan, but it picks up absolutely nothing.


I NEED HELP!

(In the time since I posted this it has blocked it twice!)

Here are some screenshots I took:

(three screenshots were attached as images; not captured in this text)

I did a RootRepeal scan because it sounded like a good idea; here are my results:

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/12/05 22:54
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: 0000147A
Image Path: 0000147A
Address: 0xA78A3000 Size: 78720 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x8FC0C000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xBA5B5000 Size: 323584 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\owqvgbilqqaarqr.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\hp_administrator\local settings\temp\~dfa20a.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\hp_administrator\local settings\temp\~dfb647.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\hp_administrator\local settings\temp\~dffd7d.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DLJGXGO\topic250928[1].htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\6DLJGXGO\t_closed[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\JTQAYJPH\index[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\JTQAYJPH\gender_male[1].png
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\O8K228M5\av-131269[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\hp_administrator\local settings\temporary internet files\content.ie5\oc0y8ahd\forum103[1].htm
Status: Allocation size mismatch (API: 81920, Raw: 196608)

Path: C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\OC0Y8AHD\index[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000C.ci
Status: Visible to the Windows API, but not on disk.

Path: C:\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000C.dir
Status: Visible to the Windows API, but not on disk.

Path: C:\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000C.wid
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\hp_administrator\local settings\application data\microsoft\internet explorer\recovery\active\{4ea5643d-e22d-11de-b096-001731b9dcf3}.dat
Status: Size mismatch (API: 33792, Raw: 32768)

Path: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091023.049\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!

SSDT
-------------------
ServiceTable Hooked [0x88d77750]!

#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8a7d17e8

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8a99b958

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x89c01f40

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x8a4016b8

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8a9380e8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa8ca3130

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x89bfaec0

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x89bf5978

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8a7c7e08

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x8a4026b8

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa8ca33b0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa8ca3910

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x89c7b258

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x89c015a0

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x8a90dd60

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8a9841e0

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x8a7fb0f8

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x8a7ea848

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x8a3e06b8

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x89c7b5b8

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x8a0a6750

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x8a4046b8

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x89c7b428

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x89bf6778

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8a3747f0

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8a2b77f0

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x89c01180

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x8a4036b8

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa8ca3b60

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8a4056b8

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8a03a748

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8a053750

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8a035748

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8a063750

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x89c01ab0

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x8a01d6d0

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x8a852370

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x8a027720

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x8a86ca70

#: 428 Function Name: NtUserGetRawInputData
Status: Hooked by "<unknown>" at address 0x89abd718

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x8a83f280

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x89be7368

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x89be82f8

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x89a8f718

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x8a807fb0

==EOF==

Dunno what any of it means.

OK, I think I know why the antivirus doesn't pick it up: because it hasn't been identified yet, I guess... but Auto-Protect is blocking something that is trying to access it.
Every time it's blocked, the History says a program tried accessing this: 91.212.226.178/311d.exe
So I'ma keep looking around to see if I can find the program trying to do that.


thanks!

Edited by Godl-Fire, 06 December 2009 - 07:14 PM.
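The RootRepeal report above is dense, so here is an added Python example (not code from the post, the forum, or RootRepeal itself) that parses that report layout and separates the findings a malware-removal helper would follow up from the ones that are routine. It assumes the format shown above (a section name, a dashed underline, records separated by blank lines), and it treats SYMEVENT.SYS and SYMEFA.SYS as Norton's own kernel components, which is an assumption made here; the embedded sample is a trimmed excerpt of the posted log, constructed as test input.

```python
import re
from collections import defaultdict

# Trimmed excerpt of the RootRepeal log in the post above (constructed sample input).
SAMPLE_LOG = r"""ROOTREPEAL AD, 2007-2009
==================================================

Drivers
-------------------
Name: 0000147A
Image Path: 0000147A
Address: 0xA78A3000 Size: 78720 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xBA5B5000 Size: 323584 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\owqvgbilqqaarqr.sys
Status: Invisible to the Windows API!

SSDT
-------------------
ServiceTable Hooked [0x88d77750]!

#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8a7d17e8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa8ca3130

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x8a852370

==EOF==
"""

# Assumption: Norton's own kernel components (both appear in the posted log).
TRUSTED_MODULES = ("SYMEVENT.SYS", "SYMEFA.SYS")
FUNC_RE = re.compile(r"#: (\d+) Function Name: (\S+)")
HOOK_RE = re.compile(r'Hooked by "([^"]*)" at address (0x[0-9a-fA-F]+)')

def split_sections(text):
    """Map each dashed-underlined section name to its blank-line-separated records."""
    lines = text.splitlines()
    sections, current, block = defaultdict(list), None, []
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.strip() and nxt.startswith("-----"):   # e.g. "Drivers", "SSDT"
            current, block = line.strip(), []
            continue
        if current is None or line.startswith("-----"):
            continue                                   # preamble or underline
        if not line.strip() or line.startswith("==EOF=="):
            if block:
                sections[current].append(block)
            block = []
            continue
        block.append(line)
    if block:
        sections[current].append(block)
    return sections

def is_trusted(owner, trusted=TRUSTED_MODULES):
    """Compare only the file name, since the log sometimes gives a full path."""
    base = owner.replace("\\", "/").rsplit("/", 1)[-1].upper()
    return base in {t.upper() for t in trusted}

def triage(text, trusted=TRUSTED_MODULES):
    """Return the findings worth escalating, keyed by indicator type."""
    sections = split_sections(text)
    out = {"suspicious_drivers": [], "invisible_files": [],
           "unknown_hooks": [], "trusted_hooks": []}
    for block in sections.get("Drivers", []):
        joined = "\n".join(block)
        name = re.search(r"^Name: (.+)$", joined, re.M).group(1).strip()
        # A loaded driver with no file behind it, owned by nobody we trust.
        if "File Visible: No" in joined and not is_trusted(name, trusted):
            out["suspicious_drivers"].append(name)
    for block in sections.get("Hidden/Locked Files", []):
        joined = "\n".join(block)
        # "Locked" is routine (hiberfil.sys, AV definitions); "Invisible" is not.
        if "Invisible to the Windows API" in joined:
            out["invisible_files"].append(
                re.search(r"^Path: (.+)$", joined, re.M).group(1).strip())
    for table in ("SSDT", "Shadow SSDT"):
        for block in sections.get(table, []):
            joined = "\n".join(block)
            func, hook = FUNC_RE.search(joined), HOOK_RE.search(joined)
            if not (func and hook):
                continue                 # e.g. the bare "ServiceTable Hooked" line
            owner, addr = hook.groups()
            if is_trusted(owner, trusted):
                out["trusted_hooks"].append(func.group(2))
            else:
                out["unknown_hooks"].append({"table": table, "function": func.group(2),
                                             "owner": owner, "address": addr})
    return out

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(f"{kind}: {items}")
```

Run against the sample, the only escalations are the driver named 0000147A with no file behind it, the driver file owqvgbilqqaarqr.sys that is invisible to the Windows API, and the hooks whose owner is "<unknown>"; the NtCreateKey hook is attributed to SYMEVENT.SYS and filed as expected, and the locked hiberfil.sys is ignored. The "Allocation size mismatch" entries on temp files in the full log are likewise not flagged, because a file being written while the scan runs produces the same symptom. What makes the unknown hooks notable is which functions they sit on: process and thread control, virtual memory, driver loading, and in the Shadow SSDT the keyboard-state calls, which is the footprint of a kernel-mode rootkit hiding itself and watching input, and exactly why the thread's responders send this log to the removal team rather than suggesting another scan.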


#2 Godl-Fire

Godl-Fire
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:10:01 PM

Posted 06 December 2009 - 07:15 PM

If any of you guys figure it out while we are waiting, PLEASE POST!

#3 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:10:01 PM

Posted 06 December 2009 - 08:12 PM

No two computers are alike. Your problems might be similar, but not the same.
Please post your own topics.



@ Godl-Fire

Status: Hooked by "<unknown>" at address 0x8a99b958




Now that you were successful in creating a RootRepeal log, you need to post it in our HJT forum. There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum.

First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry; just give a brief description and tell them that these logs were all you could get to run successfully.

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient, and good luck.

Edited by garmanma, 06 December 2009 - 08:16 PM.

Mark

#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,011 posts
  • ONLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:01 PM

Posted 07 December 2009 - 12:29 AM

Hello Godl-Fire,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/277041/infected-by-trojanvundogen-2/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks, perhaps less, to get a response, but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses, as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:

Everyone else, please start your own topics. To restore continuity to this topic, I am removing your posts.