Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

vundo.KA - a new deep rooted variation of this trojan


  • This topic is locked This topic is locked
2 replies to this topic

#1 TrashCompaqtor

TrashCompaqtor

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:24 AM

Posted 10 February 2010 - 12:00 AM

I'm having a problem with this vundo.KA trojan, it just started a few days ago after I used Internet Explorer for a short while instead of Firefox... what a Huge mistake that was!

The only antivirus software I was running is AVG 9.0 on Vista Ultimate 32-bit.

I've also tried the following programs: Norton 360, Lavasoft Ad-Aware, Malwarebytes' Anti-Malware, Spybot Search & Destroy, HiJackThis, SUPERAntiSpyware Pro, Microsoft Malicious Software Removal Tool, Avast!, and Webroot Spy Sweeper + Antivirus. Not to mention, also tried a couple of outdated programs designed specifically for the vundo trojan.

AVG is the only one that can detect it, but fails to even forcefully remove it. Malwarebytes did find other trojans and successfully cleaned them, so now I'm still stuck with only vundo.KA ... I should also mention that some Google-analytics files "ga.js" and "urchin.js" have been reported by AVG to be infected, while everything else says they are ok.

Anyways, I'm now starting to see some new posts about this latest vundo trojan variation on other sites... so hopefully it won't be long until virus definitions are updated.

I now use a combo of Malwarebytes and Spybot along with AVG which seems to help keep the popups and link redirects to a minimum for me.... but I didn't have them running when I generated the following .log file. It's totally pointless, but thought I'd go ahead and share it anyways.

CODE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:27 PM, on 2/9/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hijackthis\TrendMicro\HiJackThis\HiJackThis.exe
C:\Windows\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: QT TabBar - {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll (file missing)
O3 - Toolbar: QT Tab Standard Buttons - {D2BF470E-ED1C-487F-A666-2BD8835EB6CE} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG9_TRAY] "C:\PROGRA~1\AVG\AVG9\avgtray.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 4034 bytes


I really don't need any replies to this message at all, I'm just doing this to help spread awareness of this new trojan. I'm gonna format and start all over again - and I'll definitely refrain from using IE again!

BC AdBot (Login to Remove)

 


#2 TrashCompaqtor

TrashCompaqtor
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:24 AM

Posted 11 February 2010 - 11:15 PM

This problem has been fixed, thanks to the user Neytiri
the solution was found in this guide:
How to fix Google Redirects

#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,828 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:24 PM

Posted 12 February 2010 - 02:28 PM

Since the problem seems to be resolved, this topic will now be closed.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users