Very Dangerous Problem (Not previously addressed) : Trojan Vundo

Status
Not open for further replies.
I have attached fresh AVG Antispyware and HJT logfiles as requested.

The Combofix did not work well (computer rebooted in middle) and the logfile that was produced came under the format of a "bat" file which I was unable to attach to my reply.

Please advise.

Here they are, had some problem uploading file in the previous post. Sorry for double-posting.
 
All items in your AVG Antispyware log say "No Action Taken". That's because you haven't told AVG Antispyware to quarantine its results as per the instructions. See this pictorial guide.

Follow the instructions for Combofix as per step12 of the instructions HERE.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Regards Howard :)

This thread is for the use of OKai only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
What? I have set the thing to quarantine though.

Scanner-Settings-"How to act" Set default for detected malware to: Quarantine-then I clicked scan.
 
Yes, AVG Antispyware should be set to quarantine its results as per the instructions.

Regards Howard :)

This thread is for the use of OKai only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
You haven't posted a Combofix log as requested. Please do so in your next reply.

It also appears you're running more than one antivirus programme. Uninstall one of them immediately.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Delete all files in AVG Antispyware quarantine.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\cnshook.dll

O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32

O9 - Extra button: Yahoo 3.5G¦Ì?¨®¨º - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)

O9 - Extra button: ???¡¤???? - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://adtaobao.allyes.com/main/adfclick?db=adtaobao&bid=138,140,18&cid=816,8,1& sid=5042&show=ignore&url=http://www.taobao.com/vertical/mall/pro.php?allyesPara= 816 (file missing)

O9 - Extra button: ???¡é?¨²¨º? - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)

O9 - Extra button: ???¡éWIDGET - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)

O9 - Extra button: ?¨¦?¡ã¨¢?¨¬¨¬ - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg (file missing)

O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)

O9 - Extra 'Tools' menuitem: DT?¡ä?¡¥¨¤¨¤?¡Â - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)

O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)

O9 - Extra 'Tools' menuitem: ??¨¤¨ª¨¦?¨ª????? - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)

O11 - Options group: [!CNS] ?D??¨¦?¨ª?

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\WINDOWS\DOWNLO~1\cnshook.dll

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log as well as a Combofix log.

Regards Howard :)

This thread is for the use of OKai only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
DoOne.

Attached is a fresh HJT logfile.

However Combofix could not be run on my computer.

Please advise.
 
What seems to be the problem with running Combofix?

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop. The Avenger script is attached to the bottom of this post.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

Regards Howard :)

This thread is for the use of OKai only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
DoOne!

Combofix was unable to load somehow, the blue screen just said "Please wait" and nothing happened.

Attached are fresh HJT and Avenger logfiles.

Please advise.
 
Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

Locate and delete the following bold files and/or directories (if there).

C:\PROGRA~1\3721 <Delete the entire folder.

Reboot into normal mode and post a fresh HJT log.

Regards Howard :)

This thread is for the use of OKai only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Could not find folder C:\PROGRA~1\3721 with Pocket Killbox.

Perhaps another Avenger script is needed.

BTW: In the virus vault of AVG Antivirus, I have a list of different Trojans which have been detected. Should I wipe them away?
 
Hi,

You should clear the Antivirus vault. Regarding the 3721 folder, you are supposed to boot into safe mode and manually delete it. Do not use pocket killbox for the job.


Regards,
Your friendly momok =)

This thread is for the use of OKai only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I believe that the 3721 is a Chinese govn.-issued virus, and I was unable to delete it manually. As I said earlier it may need another Avenger script to delete it. Thanks Momok, I have cleared the virus vault.
 
1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop. The Avenger script is attached to the bottom of this post.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

Regards Howard :)

This thread is for the use of OKai only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to add/remove programmes in your control panel and uninstall anything to do with (if there).

Chinese keywords
3721

Close control panel

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll (file missing)

O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32

O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
C:\program files\3721 <Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)
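As an added example (not from this thread, nor from HijackThis or any other tool named in it), a small Python parser that pulls the O2/O4/O9 entries out of a HijackThis log and flags the ones carrying the CNS/3721 indicators this thread identifies (CnsHook.dll, CnsMin.dll, the 3721 folder, the cnsbutton.htm URLs and the [!CNS] options group). The sample log is constructed from the thread's own lines; the "Example Helper" BHO with its all-zero CLSID is a placeholder benign entry.

```python
import re

# Indicators this thread associates with the 3721 / CnsMin hijacker (matched case-insensitively).
INDICATORS = {
    "CnsHook BHO": re.compile(r"cnshook\.dll", re.I),
    "CnsMin loader": re.compile(r"cnsmin\.dll", re.I),
    "3721 folder": re.compile(r"\\3721\\", re.I),
    "CNS button URL": re.compile(r"cnsbutton\.htm", re.I),
    "CNS options group": re.compile(r"\[!CNS\]", re.I),
}
CLSID = r"\{[0-9A-Fa-f-]{36}\}"
SECTION_RE = {  # finer parsers for O2 (BHO), O4 (autorun) and O9 (IE button/menu) lines
    "O2": re.compile(r"BHO: (?P<name>.*?) - (?P<clsid>%s) - (?P<target>.*)$" % CLSID),
    "O4": re.compile(r"(?P<hive>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<target>.*)$"),
    "O9": re.compile(r"Extra (?:button|'Tools' menuitem): (?P<name>.*?) - (?P<clsid>%s) - (?P<target>.*)$" % CLSID),
}
# Constructed sample: the thread's own CNS/3721 lines plus one placeholder benign BHO for contrast.
SAMPLE_HJT_LOG = r"""
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O11 - Options group: [!CNS] (name garbled in the original log)
"""

def parse_hjt_line(line):
    """Split one HijackThis log line into section, display name, CLSID (if any) and target."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, body = m.groups()
    entry = {"section": section, "name": "", "target": body}
    sm = SECTION_RE[section].match(body) if section in SECTION_RE else None
    if sm:
        entry.update(sm.groupdict())
    entry["file_missing"] = body.endswith("(file missing)")  # file gone, registry entry remains
    entry["target"] = entry["target"].replace(" (file missing)", "")
    return entry

def scan_hjt_log(text):
    """Return parsed entries whose name or target matches an indicator, tagged with the labels hit."""
    hits = []
    for line in text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        matched = [k for k, rx in INDICATORS.items() if rx.search(entry["name"] + " " + entry["target"])]
        if matched:
            hits.append({**entry, "matched": matched})
    return hits
```

Entries flagged with `file_missing` are the ones HJT reports as "(file missing)": the DLL is already gone but the registry reference remains, which is why later posts say not to worry when some entries cannot be found on disk.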
 
Unable to find:

C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
C:\program files\3721 <Delete the entire folder.

Attached is a fresh HJT logfile. I saw in the logfile that there is another instance of the "Cns" nasty.

Please advise.

Oh, by the way, my computer has been completely cleaned against the Trojan Vundo, right? Since my antivirus program does not notify me anymore regarding its presence.
 
Go HERE and follow the manual removal instructions. Don't worry if you can't find some of the entries.

Yes, your vundo infection is long gone.

Post a fresh HJT log once done.

Regards Howard :)

This thread is for the use of OKai only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
In Windows NT/2000/XP it is possible to move the files so that they cannot be reloaded. Open the Command prompt (Start -> Programs -> Accessories) and type:

cd "%WinDir%\Downloaded Program Files"
ren CnsMin.dll CnsDel.dll
Reboot and load the Command prompt again. Type:

cd "%WinDir%\Downloaded Program Files"
del cns*.*
The first time you reboot after deleting or moving CnsMin you'll get an error about not being able to find it. Ignore this. To clean up the remaining traces of the software that cause this, open the registry (Start -> Run -> regedit) and delete the following keys:

Umm I'm not quite sure how to type the command in the command prompt, when I enter cd "%WinDir%\Downloaded Program Files"
ren CnsMin.dll CnsDel.dll

Nothing happens it just says cannot be found inside the command prompt.

Can I use the "Removal tools" on the website you gave me?

Please advise.
 
Can you be so kind as to translate all that jargon to me? Because I seriously do not know how to type them. Sorry.
 
Ok, open a command prompt by clicking start/run and typing cmd into the run box and pressing the enter key.

Copy and paste this at the command prompt.

cd "C:\windows\Downloaded Program Files"
ren CnsMin.dll CnsDel.dll

Press the enter key. Type exit to exit the command window.

Reboot your system and open the command windows again. Copy and paste the following at the command prompt.

cd "C:\windows\Downloaded Program Files"
del cns*.*

Press the enter key, then type exit to close the command window. Reboot your system again and post a fresh HJT log.

Regards Howard :)

This thread is for the use of OKai only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Attached is fresh HJT logfile. The second time I typed it in the CMD it just stated that those files refuse to be located/inspected.

Please advise.
 
Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to wherever you want.

Click edit and choose find. Type CnsHook into the dialogue box and click the find next button. Regedit will now search your registry for any entries that contain a reference to CnsHook and display them in the right-hand pane. Right-click on any such CnsHook entries and choose delete.

Now click edit again and choose find next. Again, delete any entries that reference CnsHook.

Repeat the above, until no more CnsHook entries are found.

Then repeat the above for this file name: CnsMin

Post a fresh HJT log when done.

Regards Howard :)

This thread is for the use of OKai only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 