
Vundo Trojan


  • This topic is locked
5 replies to this topic

#1 wes1584


Posted 14 February 2010 - 07:20 PM

I think I am infected with this trojan. Stopzilla keeps detecting it on login and keeps trying to remove it. However, I am still having all kinds of issues. I get IE popups a lot. It seems to have disabled my System Restore, because when I try and run it, it says something like "It has been disabled by a group policy please contact your domain admin". Can't fix that either, cause it says regedit is disabled also. Since Stopzilla couldn't take care of it, I tried downloading Malwarebytes. The installation went fine until the end, when I tried to run it. It seems that just as it finishes up, the exe files are deleted so that I can't run it. I am assuming that the Vundo trojan is doing this as a defense mechanism. I am running out of ideas on what else to try, so I would greatly appreciate it if anyone can help me.

Edited by wes1584, 14 February 2010 - 07:47 PM.




#2 boopme


Posted 14 February 2010 - 08:56 PM

Hello Wes, try running RKill, then MBAM (MalwareBytes), and post the scan log in your next reply.

Please download Rkill by Grinler and save it to your desktop.
Link 2
Link 3
Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
You will need to run the application again if rebooting the computer occurs along the way as the malware programs will start again.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 wes1584


Posted 14 February 2010 - 09:34 PM

Hello, I downloaded RKill and ran it just like you said. The DOS box popped up, finished up, and left me this log:


Processes terminated by Rkill or while it was running:


C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Linksys\WUSB100\WUSB100.exe
C:\Documents and Settings\Owner\Desktop\rkill.pif


Rkill completed on 02/14/2010 at 20:28:34.


Afterwards I ran the Malwarebytes installation again and it did the same thing as before. As soon as installation finished up, it notified me that certain files were not found, which are the exe files required to run it.

#4 boopme


Posted 14 February 2010 - 10:24 PM

Hello, appears we need a deeper look in here.

You will need to download and run DDS, which will create a Pseudo HJT Report as part of its log.
If for some reason you cannot perform a step, move on to the next.
Please follow this guide. Go and do steps 6 thru 8: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant title, and post that complete log.

Let me know if it went OK.

#5 wes1584


Posted 15 February 2010 - 01:55 PM

Ok I did all those steps and submitted a new thread where you told me to. Thanks

#6 boopme


Posted 15 February 2010 - 04:40 PM

Looks good, you're in good hands.
Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.

Edited by boopme, 15 February 2010 - 04:42 PM.
