
Remnants Of A Trojan That Just Won't Go?


#1 Tinribs

  • Members
  • 1 posts

Posted 05 May 2006 - 07:43 AM

All,

I've been asked to clean up a PC belonging to one of my directors. It was, as suspected, riddled with all kinds of duff stuff so I did the following:
1) Updated AV software (McAfee Enterprise) to latest DATs
2) Ran the latest version of Spybot S&D - found 290 odd items, fixed them all after a reboot.
3) Ran the latest version of Ad-Aware Personal - found 10 or so items and fixed them all
4) Ran Windows updates - not much required but all completed.
5) Rebooted PC - all seems fine except that when I boot the PC with no network connection four iexplore windows pop open all trying to get to http://62.4.84.53. After some research I found a reference to this IP address in a Symantec article regarding the Vundo trojan. I ran the removal tool they supplied but this found nothing. I did, however, find the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22E85F2A-4A67-4835-B2C3-C575FE4EC322}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADOUsefulNet.ADOUsefulNet
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADOUsefulNet.ADOUsefulNet.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22E85F2A-4A67-4835-B2C3-C575FE4EC322}

If I remove them they pop back in after the next reboot. If I try safe mode explorer.exe will only run for a split second before dropping out. I can run other processes (msconfig, regedit) in safe mode but no matter what I edit out of the registry or how I remove startup items etc, the above registry entries appear and the explorer windows pop open on the next reboot.

The PC is running a fully patched version of XP Home with a fully updated version of McAfee Enterprise installed. Windows Firewall is active.

The PC needs to go back to the director today but any suggestions as to how to proceed when it (inevitably) comes back would be gratefully received.

TIA

Tinribs

PS - first post btw!
PPS - I'm an IT Tech Supp so don't be afraid to get "technical" with me ;)
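An added example, not part of the original thread and not a BleepingComputer tool: a PowerShell audit script that lists the Browser Helper Objects registered on a machine, resolves each CLSID to the DLL behind its InprocServer32 key, and reports whether that file exists and carries a valid Authenticode signature. The point is the one the post runs into: a BHO entry under the Explorer key is only a pointer, so the thing to find is the DLL (and whatever re-registers it) rather than the key itself. The watch list is a constructed input seeded with the CLSID quoted above; every cmdlet used is standard PowerShell. (PowerShell was not available on the XP box in the thread; this is written for a current Windows host.)

```powershell
# Added example (not from the original thread): enumerate Browser Helper Objects
# and trace each one to the COM server DLL that implements it, so a BHO that
# keeps coming back can be tied to the file that re-registers it.

function Get-BhoInventory {
    param(
        # CLSIDs you already suspect; constructed here from the post above, any list works
        [string[]] $WatchList = @('{22E85F2A-4A67-4835-B2C3-C575FE4EC322}')
    )

    # 64-bit hosts register 32-bit BHOs under Wow6432Node as well
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )

    foreach ($bhoKey in $bhoKeys) {
        if (-not (Test-Path -Path $bhoKey)) { continue }

        foreach ($entry in Get-ChildItem -Path $bhoKey) {
            $clsid = $entry.PSChildName

            # The BHO key holds only the CLSID; the code path is the default value of
            # HKCR\CLSID\{...}\InprocServer32
            $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path -Path $serverKey) {
                $dll = (Get-ItemProperty -Path $serverKey).'(default)'
                # Expand %SystemRoot% and strip quotes so the file checks see a real path
                if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
            }

            $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            $sigStatus = 'n/a'
            if ($exists) {
                $sigStatus = (Get-AuthenticodeSignature -FilePath $dll).Status
            }

            $watched = $WatchList -contains $clsid

            [pscustomobject]@{
                Hive       = $bhoKey
                CLSID      = $clsid
                Dll        = $dll
                FileExists = $exists
                Signature  = $sigStatus
                Watched    = $watched
                # Worth a closer look: no backing file, unsigned/invalid file, or on the watch list
                Flag       = (-not $exists) -or ("$sigStatus" -ne 'Valid') -or $watched
            }
        }
    }
}

# Show the flagged entries first
Get-BhoInventory | Sort-Object -Property Flag -Descending | Format-Table -AutoSize
```

Running this once before and once after a reboot, and comparing the two outputs, shows whether the same CLSID and DLL path return; the DLL path is what to hand to the AV scanner or check against the file's creation time, since deleting the registry keys alone leaves the file that recreates them.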

#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,140 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 05 May 2006 - 07:52 AM

Hello Tinribs

The Symantec fix does not always work to remove Vundo. I suggest you see the self-help tutorial How To Remove Winfixer/Virtumonde/Msevents/Trojan.vundo.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
