TechSpot

Infected By Vundo Trojan, help

By bluzx6r
May 4, 2008
  1. I am infected by the Vundo trojan and cannot seem to get rid of this thing. It all started when my wife decided to join MySpace and click on links that would allow her to tweak her MySpace profile. Next thing I know, we are getting pop-ups like crazy, .dll startup error messages and Norton AntiVirus real-time alerts that Vundo exists but Norton can't do anything about it. Attached is my HJT log file. Please let me know what to do next. I would greatly appreciate the assistance.

    Mike
     
  2. bluzx6r

    bluzx6r TS Rookie Topic Starter

    Here is the HJT log file. Well, I tried to attach it to this reply, but it's saying "errors".
     
  3. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Hi bluzx6r,

    Welcome to Techspot!

    My name is Blind Dragon and I will be helping you with your Malware problem. During the course of our interactions please be sure to follow all instructions carefully, and ask questions if you are unsure of how to proceed at any point.

    Please have a read here-> Is your system infected? Read this before Cleaning or Formatting

    If you decide to clean your system please follow these Viruses/Spyware/Malware, preliminary removal instructions and post back in this thread with the requested logs. There should be at least 3.

    1)AVG log
    2)Combofix log
    3)Hijackthis log (Step 15)

    This thread is for the use of bluzx6r only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  4. bluzx6r

    bluzx6r TS Rookie Topic Starter

    Anti-Rootkit reported no problems. AVG Anti-Spyware is bundled into AVG Security. The link that you gave me only allows for the anti-virus to be installed, not the anti-spyware. Attached are the HJT logs and ComboFix log.

    Thanks
     
  5. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Time to update the instructions; AVG just started doing that. Also, did you use to have Norton and then remove it?

    You aren't running Firewall Software. Please download and install one of these first!

    Use a Firewall - It is very important that you use a firewall on your computer. If you use the Windows Firewall you might think that's enough, but it only controls inbound traffic. Simply using a firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most commonly used:
    Comodo
    Kerio
    Online Armor
    Zonealarm

    =========================================

    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    =================================================

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update Tab at the top of the Java console
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
    • After it installs the newest version Go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions.
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_05 folder

    =====================================================

    Afterwards run a fresh Hijackthis log and attach here with MBAM log


    This thread is for the use of bluzx6r only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  6. bluzx6r

    bluzx6r TS Rookie Topic Starter

    I have never had a software firewall before and have never once gotten a virus or any sort of adware problem until now. I do have a Linksys router that I use as my firewall and have it locked down pretty well.

    Attached are the logs you requested.

    Thanks!!
     
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I see entries for Mcafee, Norton, and AVG all active in memory.

    I am guessing you want to keep AVG?

    Run this... Norton Removal Tool = ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe


    Go to Start - control panel - add/remove programs - uninstall Mcafee

    ======================================

    Do a scan with Hijackthis and check the following entries

    O2 - BHO: (no name) - {05BE0ECB-15CB-4505-AD94-D4706DD9C431} - C:\WINDOWS\system32\iifdccYS.dll (file missing)
    O2 - BHO: (no name) - {4789D447-1462-4A3D-8917-1E41F140EB67} - C:\WINDOWS\system32\xxyawtsQ.dll (file missing)


    Close all windows except Hijackthis and select Fix Checked

    Close Hijackthis for now

    =========================================

    Run Kaspersky Online AV Scanner

    In order to use it, you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box, then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply

    ======================================
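The two O2 lines above are the pattern the helper is keying on: a Browser Helper Object registered with no display name, pointing at an 8-letter mixed-case DLL directly in system32, where the DLL has already been removed ("file missing") but the registry load point survives. The following is an added example, not code from the thread or from HijackThis, that parses O2 lines out of a HijackThis log and flags entries matching that pattern. The sample log, the "Example PDF Helper" entry and its placeholder CLSID are constructed for the example; the two Vundo lines are the ones quoted in this post. The 8-letter-name rule is a heuristic assumption, not a malware signature.

```python
import re
from dataclasses import dataclass, field

# Shape of a HijackThis "O2 - BHO" line:
#   O2 - BHO: <name> - {<CLSID>} - <dll path>[ (file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}"
    r" - (?P<path>.*?)(?P<missing> \(file missing\))?\s*$"
)

# Heuristic (assumption, not a signature): the Vundo droppers in this thread used
# 8-letter mixed-case DLL names dropped straight into system32 (iifdccYS.dll, xxyawtsQ.dll).
RANDOM_SYS32_DLL_RE = re.compile(
    r"^C:\\WINDOWS\\system32\\[A-Za-z]{8}\.dll$", re.IGNORECASE
)

# Constructed sample log. The first O2 line and its CLSID are placeholders;
# the two "(no name)" lines are the entries quoted in the post above.
SAMPLE_HJT_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Example PDF Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\ExampleHelper.dll
O2 - BHO: (no name) - {05BE0ECB-15CB-4505-AD94-D4706DD9C431} - C:\\WINDOWS\\system32\\iifdccYS.dll (file missing)
O2 - BHO: (no name) - {4789D447-1462-4A3D-8917-1E41F140EB67} - C:\\WINDOWS\\system32\\xxyawtsQ.dll (file missing)
O4 - HKLM\\..\\Run: [ExampleTray] C:\\Program Files\\Example\\tray.exe
"""


@dataclass
class BhoEntry:
    line: str
    name: str
    clsid: str
    path: str
    file_missing: bool
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_o2_lines(log_text: str) -> list:
    """Parse every O2 line in a HijackThis log and attach the reasons it looks suspicious."""
    entries = []
    for raw in log_text.splitlines():
        m = O2_RE.match(raw.strip())
        if not m:
            continue  # header, O4, or other section types are skipped
        e = BhoEntry(
            line=raw.strip(),
            name=m.group("name"),
            clsid=m.group("clsid").upper(),
            path=m.group("path"),
            file_missing=m.group("missing") is not None,
        )
        if e.name == "(no name)":
            e.reasons.append("BHO registered with no display name")
        if e.file_missing:
            e.reasons.append("registry points at a DLL that no longer exists (orphaned load point)")
        if RANDOM_SYS32_DLL_RE.match(e.path):
            e.reasons.append("8-letter random-looking DLL name directly under system32")
        entries.append(e)
    return entries


def entries_to_fix(log_text: str) -> list:
    """Return the O2 lines a helper would tell the user to tick and 'Fix checked'."""
    return [e.line for e in parse_o2_lines(log_text) if e.suspicious]


if __name__ == "__main__":
    for e in parse_o2_lines(SAMPLE_HJT_LOG):
        status = "FIX" if e.suspicious else "ok "
        print(f"[{status}] {e.clsid} {e.path}")
        for r in e.reasons:
            print(f"        - {r}")
```

Ticking a "(file missing)" entry in HijackThis only deletes the orphaned registry key; it says nothing about whether the dropper or its siblings are still on disk, which is why the post goes on to ask for a full online scan rather than stopping here.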
     
  8. bluzx6r

    bluzx6r TS Rookie Topic Starter

    Hello,

    There is nothing in Add/Remove Programs for McAfee. The "remove Norton" link you sent, does that remove Norton AntiVirus from my PC? If so, I don't want to do this as this is my main AV software.

    The txt file for the scan is too large. It is 127kb.

    Thanks
     
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Like I said, I was guessing you wanted to keep AVG. You need to uninstall AVG, as having 2 active AV programs is not good.

    Attach it as 2 separate files
     
  10. bluzx6r

    bluzx6r TS Rookie Topic Starter

    AVG has been removed.

    Here are the two attachments.
     
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I looked through the Symantec knowledge base and it looked like your product is discontinued. Not 100% on that though.

    Most of the Kaspersky log is just a quarantined infection in the Norton

    1) Navigate to and delete the contents of this folder but not the folder itself:
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine

    2) VERY IMPORTANT - Did you knowingly install the TWD Industries remote administration tool, also known as VNC Viewer? The reason I ask is because it could be considered legit if you used it for help, etc. But if an infection installed it on your behalf, somebody may have had full access to everything on your machine.
     
  12. bluzx6r

    bluzx6r TS Rookie Topic Starter

    Hey,

    Yes I purposely installed VNC on this machine.

    I also followed the steps to delete the quarantined items.

    Mike
     
Topic Status:
Not open for further replies.