TechSpot

Can't remove Trojan.vundo

By Juiceinla
Nov 9, 2009
  1. Hi there, and thank you for this site. My laptop/Windows XP (Professional) has been infected with a couple of variants of the Vundo virus and something McAfee calls "spyware-agent.bw.gen.e". I am having most of the problems your other forum members are experiencing (slow start up; looping and repetitious IE pop ups telling me to install McAfee SiteAdvisor on a Yahoo toolbar which I don't use; constant 100% processor load in Task Manager, unable to boot in any form of Safe Mode, inability to run various malware removal tools).

    I found your website while researching the issue and began to try to remove the viruses. I disabled System Restore (in Normal Mode, because I cannot access Safe Mode).

    Then I backed up my personal files, ran McAfee VirusScan, emptied its quarantine folder of over 35,000 (not a typo) files sitting there, and emptied the Recycle Bin.

    Then I used CCleaner.

    One of the first problems I encountered was not being able to access msconfig in any of the ways you or other sites suggested. I never resolved the problem, but I ran HijackThis.

    Next I ran SUPERAntiSpyware (log attached).
    I ran Malwarebytes' Anti-Malware (log attached) and encountered "Bad Image" errors.

    At the end of my MBAM scan it identified about 30 infected files and I hit "Remove the files". It began to do so, then indicated about 5-6 could not be removed and asked me to restart my laptop to remove them, so I did immediately.

    Before, during and after Windows was loading on reboot I began to get "Bad Image" errors associated with many programs and a DLL file, "wifufulu.dll". MBAM identified wifufulu.dll as malware in the scan. I assume this means the trojan/virus was trying to load at start up, and am wondering if that is right, and if so, has MBAM gotten rid of it? Here are the Bad Image files:

    c:/windows/system32/Lsass.exe
    c:/windows/system32/services.exe
    c:/windows/system32/wifufulu.dll
    c:/windows/system32/mbamgui.exe
    c:/windows/system32/hkcmd.exe
    c:/windows/system32/igfxtray.exe
    c:/windows/system32/igfxpers.exe
    c:/windows/system32/nerocheck.exe
    c:/windows/system32/syntpenh.exe
    c:/windows/system32/mcagent.exe
    c:/windows/system32/WLtray.exe
    c:/windows/system32/QTTask.exe
    c:/windows/system32/iTunesHelper.exe
    c:/windows/system32/Rundll32.exe
    c:/windows/system32/ctmon.exe
    c:/windows/system32/adobeupdate.exe
    c:/windows/system32/reader_sl.exe
    c:/windows/system32/MBAM.exe


    Is this normal? I restarted my laptop later, without getting the Bad Image error messages, and re-ran Malwarebytes'. It turned up one infected file: a Trojan.Vundo in c:/windows/system32/, another DLL file with a random name. I chose remove, but it seems obvious this trojan is embedded deep and not going anywhere.

    What now? Some people say run ComboFix, but that scares me.

    Thank you so much.
     
  2. Juiceinla

    Juiceinla TS Rookie Topic Starter

    Just wondering if I have done something wrong, since I see so many other questions get responses and I haven't gotten any at all. I will happily correct my post if someone will let me know what the problem is. I am lost without my home computer!!!

    I would very much appreciate any response, even if you have no idea what to do to help me.

    Thanks again!
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please try to be patient. You've only been here for a few hours; some others have been waiting a few days.

    Did you run the third scan with HijackThis? I need to see that log, preferably pasted in the next reply instead of being attached.

    You can run VundoFix first if you like, then do the HijackThis scan afterward. It's okay to attach the Vundo log:
    Please download VundoFix.exe HERE and save to your desktop:
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the ‘Fix Vundo’ button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    Please attach the C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    I'll review the logs and we'll go from there.
     
  4. Juiceinla

    Juiceinla TS Rookie Topic Starter

    Oh wow, I am a total jack ***! So sorry, really I am. I just saw all these other posts where people did things wrong, and thought: huh, maybe I'm a bigger *****. Thank you for being patient with me, and I totally don't want to cut in front of anyone else. Please go ahead and drop me back into the proper place in the queue.

    I ran VundoFix.exe. It ran fine, then said I had no infected files and did not generate a log.

    So then I ran HijackThis, and as you can see below, some of the files that other programs have identified as trojans/viruses or associated with Vundo are listed in the HijackThis log, such as "wezavova.dll" and "c:\windows\system32\wifufulu.dll", and the lsass.exe that was infected.

    So at any rate, here is my HijackThis log. Please take your time in responding; I am very much appreciative.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:42:45 PM, on 11/11/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\Program Files\iDumpPro\NMSAccessU.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: (no name) - {93e34689-cb26-4bf8-b15a-1e09435a3b5a} - gakikedo.dll (file missing)
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\explorer.exe" /runcleanupscript
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O15 - Trusted Zone: http://*.mcafee.com
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138929833601
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138933755310
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - AppInit_DLLs: wezavova.dll c:\windows\system32\wifufulu.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O21 - SSODL: werosamuw - {c9578673-720c-45f9-977a-b3d87e284978} - (no file)
    O21 - SSODL: mayezoguw - {54f0761f-659f-42cb-bacc-adf7112a1607} - c:\windows\system32\wifufulu.dll (file missing)
    O22 - SharedTaskScheduler: mujuzedij - {c9578673-720c-45f9-977a-b3d87e284978} - (no file)
    O22 - SharedTaskScheduler: tokatiluy - {54f0761f-659f-42cb-bacc-adf7112a1607} - c:\windows\system32\wifufulu.dll (file missing)
    O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\iDumpPro\NMSAccessU.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 7455 bytes


    Thanks again, you guys are lifesavers.
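The entries Bobbye will be looking at in the log above are the O20 AppInit_DLLs line and the O2/O21/O22 lines whose target reads "(file missing)" or "(no file)". A DLL named under AppInit_DLLs is loaded into every process that links user32.dll, which is consistent with the "Bad Image" errors for practically every program in the first post: once the cleanup tool damaged or removed wifufulu.dll, each process start tripped over the stale reference. The script below is an added example, not code from TechSpot or from HijackThis, that runs that triage over constructed sample lines copied from this thread's log: it flags anything in AppInit_DLLs, flags registry entries whose file is gone, and applies a labelled heuristic for the pronounceable random names (alternating consonants and vowels, eight or more letters) that the Vundo family used.

```python
import re

# Constructed sample, modelled on the O2/O4/O20/O21/O22/O23 lines of the HijackThis
# log posted in this thread (names and GUIDs are the thread's own values).
# A raw string keeps the Windows backslashes intact.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {93e34689-cb26-4bf8-b15a-1e09435a3b5a} - gakikedo.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O20 - AppInit_DLLs: wezavova.dll c:\windows\system32\wifufulu.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: werosamuw - {c9578673-720c-45f9-977a-b3d87e284978} - (no file)
O21 - SSODL: mayezoguw - {54f0761f-659f-42cb-bacc-adf7112a1607} - c:\windows\system32\wifufulu.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {c9578673-720c-45f9-977a-b3d87e284978} - (no file)
O22 - SharedTaskScheduler: tokatiluy - {54f0761f-659f-42cb-bacc-adf7112a1607} - c:\windows\system32\wifufulu.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

VOWELS = set("aeiou")
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def looks_random(name):
    """Heuristic (assumption, not a signature): Vundo-era droppers used pronounceable
    names built from strictly alternating consonants and vowels (wifufulu, werosamuw).
    Returns True for stems of 8+ lowercase letters that alternate all the way through."""
    stem = name.lower()
    if not re.fullmatch(r"[a-z]{8,}", stem):
        return False
    is_vowel = [c in VOWELS for c in stem]
    return all(is_vowel[i] != is_vowel[i + 1] for i in range(len(is_vowel) - 1))


def analyze(log_text):
    """Walk HijackThis lines and return findings as dicts with kind/section/item/reason.
    Kinds: 'appinit' (anything in AppInit_DLLs), 'orphaned' (registry entry whose
    file is gone), 'random_name' (heuristic on DLL stems and O21/O22 item names)."""
    findings = []
    for raw in log_text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        candidates = re.findall(r"\b([a-z]{8,})\.dll\b", body.lower())

        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # Empty on a clean XP install; every listed DLL is injected into each
            # process that loads user32.dll, hence the system-wide Bad Image errors.
            for dll in body.split(":", 1)[1].split():
                findings.append({"kind": "appinit", "section": section, "item": dll,
                                 "reason": "DLL injected into every user32-linked process"})

        elif section in ("O2", "O21", "O22"):
            parts = body.split(" - ")
            item = parts[0].split(": ", 1)[-1]       # e.g. 'werosamuw' or '(no name)'
            target = parts[-1]
            if "(file missing)" in target or "(no file)" in target:
                findings.append({"kind": "orphaned", "section": section, "item": item,
                                 "reason": "registry entry survives but its file is gone"})
            if section in ("O21", "O22"):
                candidates.append(item)

        for name in candidates:
            if looks_random(name):
                findings.append({"kind": "random_name", "section": section, "item": name,
                                 "reason": "alternating consonant/vowel name (heuristic)"})
    return findings


def summarize(findings):
    """Group finding items by kind, de-duplicated and sorted, for a quick read-out."""
    summary = {}
    for f in findings:
        summary.setdefault(f["kind"], set()).add(f["item"])
    return {kind: sorted(items) for kind, items in summary.items()}


if __name__ == "__main__":
    for kind, items in summarize(analyze(SAMPLE_LOG)).items():
        print(f"{kind:12s} {', '.join(items)}")
```

On the sample, the read-out is two AppInit_DLLs entries, five orphaned O2/O21/O22 entries, and the seven random-looking names; nothing from the Adobe, Intel, SUPERAntiSpyware or Bonjour lines is flagged. The name heuristic is deliberately narrow (it will miss a dropper that uses a dictionary word and will be fooled by a legitimately named DLL that happens to alternate), so treat it as a prompt for a closer look rather than a verdict.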
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    ComboFix should remove the 'left over' entries:

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
    3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    When finished, please run the following online scan:
    Open Kaspersky Online Scanner in Internet Explorer


    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
    • In the scan settings, make sure that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop
    Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

    (If there is any problem running the online scan, don't worry about it; I'll give you a different one. Kaspersky has been working on a new version lately and occasionally it has been down.)

    Rescan with HijackThis.

    Attach the log and report for ComboFix and Kaspersky.
    Paste in the new HijackThis log. We'll see if the remaining Vundo entries have been removed.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Oops! Board hiccup! Removing duplicate.
     