
wwe9112 (Royal Geek; joined 14 Jun 2007; 1167 posts)
Posted: Mon Jul 07, 2008 1:24 pm    Post subject: vundo
I have Trojan Vundo. I can't do anything unless I'm in safe mode (right now I'm on the laptop; my personal desktop has it). I ran a-squared and it found nothing, but when I start up my PC in regular mode I get the trojan warning, then everything disappears (window-wise, and that bottom bar where the Start menu is also leaves). I can't do anything, as I said, unless I'm in safe mode. So how do I delete this trojan? I'm not even sure how I got it, as I haven't been downloading very much, and what I did download I uninstalled.
As I said, a-squared found nothing. I really don't want to run a million programs that find nothing, as it takes hours to scan, it seems like. So how do I go about removing this trojan in safe mode? Also, will it solve that no-windows thing? Because I didn't have that problem till I clicked "remove all" in that menu that pops up about the trojan.
Thanks so much... I'm really counting on this help, as I don't want to have to redo my stupid PC... again (although the last time it was just because I wanted to, lol. I wanted to see if I could do it myself, and I did...).
Thanks a bundle.
_________________
if there was room for another God, and Almighty was ok with it, He would pick me because I'm just that darn good

pepperpot (Site Admin; Venezuela; joined 23 Nov 2006; 2474 posts)
Posted: Mon Jul 07, 2008 7:39 pm
Have you tried running the scan in safe mode?
Is a-squared the only scanner you have?
Apparently Trojan.Vundo is a component of an adware program that downloads and displays pop-up advertisements. It is known to be installed by visiting a web site link contained in a spammed email.
First of all, turn off System Restore, as System Restore may back up the Trojan.
Vundo infects computers due to a vulnerability in Sun Java. It attaches to memory; it also attaches to Explorer.exe and Winlogon (DLL).
Read more here: http://en.wikipedia.org/wiki/Vundo
Wwe, seeing that you do not wish to run a million scans, I would suggest you wait on Repa to further assist you.
What operating system is the desktop, and which version of IE is it?
_________________
"Spirituality is not religion, religion divides people. Believing in something unites"

wwe9112 (Royal Geek; joined 14 Jun 2007; 1167 posts)
Posted: Mon Jul 07, 2008 8:56 pm
I'm using Vista. I ran a-squared and Systematic, and it took up 2 days, and Systematic found nothing.
I don't use IE, but I have 7 on the PC.
_________________
if there was room for another God, and Almighty was ok with it, He would pick me because I'm just that darn good

Repa (Site Admin; North Carolina; joined 26 Nov 2006; 1901 posts)
Posted: Mon Jul 07, 2008 9:29 pm

wwe9112 (Royal Geek; joined 14 Jun 2007; 1167 posts)
Posted: Tue Jul 08, 2008 6:21 am
So, since I can only boot in safe mode (my windows disappear in regular mode), do I follow the safe mode one?
_________________
if there was room for another God, and Almighty was ok with it, He would pick me because I'm just that darn good

wwe9112 (Royal Geek; joined 14 Jun 2007; 1167 posts)
Posted: Tue Jul 08, 2008 7:04 am
I just got done running all those programs and none of them find anything, but I know I have it, because when I start it up regularly I get a popup about it, then all my windows and task bar leave and don't come back.
_________________
if there was room for another God, and Almighty was ok with it, He would pick me because I'm just that darn good

Repa (Site Admin; North Carolina; joined 26 Nov 2006; 1901 posts)
Posted: Tue Jul 08, 2008 11:36 am
Were you able to download and run, in Safe Mode with Networking in the Administrator account, the program VirtumundoBegone at:
http://www.bleepingcomputer.com/forums/topic18610.html
If not, go to Safe Mode with Networking, download the tool, and run it according to the instructions given at the link above.
If that doesn't work, I suggest you go to Sticky#6 and follow the step-by-step procedures there, running as many of the scanners suggested as you can in the Administrator account in Safe Mode. If none of the scanners can remove (or locate) the malware, follow the step in Sticky#6 for downloading and running HijackThis and post the results. If you cannot run HijackThis in Normal Mode, run it in Safe Mode. Do not allow it to fix anything until I see the results.
Removing malware can be a lengthy process. If you don't have the patience to follow the suggested procedures outlined above, then I suggest you reformat your hard drive and reinstall Windows.
Note: this Trojan is like a spy. It monitors your every move, including keystroke patterns, passwords, login names, and lots of stuff you don't want anyone knowing about, and submits all this data back to the person that created it. Do not use this computer for banking or purchasing anything with credit cards until you are sure it has been completely removed. It's likely you got it from an email.
_________________
Repa
Older than dirt!

wwe9112 (Royal Geek; joined 14 Jun 2007; 1167 posts)
Posted: Tue Jul 08, 2008 11:38 am
I'll follow it.... I downloaded the stuff on this laptop and moved it to my desktop. I'll start on Sticky 6 here in a few.... Thanks.
_________________
if there was room for another God, and Almighty was ok with it, He would pick me because I'm just that darn good

wwe9112 (Royal Geek; joined 14 Jun 2007; 1167 posts)
Posted: Tue Jul 08, 2008 6:43 pm
OK, I got rid of it. I deleted everything in the temp folder manually after writing down the location.
NOW... when I start it up in regular mode it says it can't find the trojan or something; I didn't get the file name. Do you need the file name to see if it was important? Because I can write it down and tell you, but I think since it was in the temp folder that it was the trojan, so how do I fix that?
_________________
if there was room for another God, and Almighty was ok with it, He would pick me because I'm just that darn good

Repa (Site Admin; North Carolina; joined 26 Nov 2006; 1901 posts)
Posted: Tue Jul 08, 2008 9:45 pm
wwe9112 wrote:
    OK, I got rid of it. I deleted everything in the temp folder manually after writing down the location.
    NOW... when I start it up in regular mode it says it can't find the trojan or something; I didn't get the file name. Do you need the file name to see if it was important? Because I can write it down and tell you, but I think since it was in the temp folder that it was the trojan, so how do I fix that?
I take it that you can now run in Normal mode? What do you mean by "it says it can't find the trojan..."? What is the "it" you are talking about? Yes, I'd like to see the filename, and I'd also like to see a HijackThis log. Please post one for me according to the instructions given in Sticky#6. Before running HijackThis, do the following:
Turn off System Restore (Vista instructions):
1. Click Start.
2. Right-click Computer > Properties > choose the Advanced System Settings option in the left menu listing.
3. If UAC is enabled, you will get a UAC prompt. At this, click Continue.
4. Click the System Protection tab.
5. Untick any drive listed, and in the popup window click Turn off System Restore.
6. Click Apply > OK.
This will get rid of any bad files remaining in the Restore files.
Make sure that Hidden Files and Folders are visible (Vista instructions):
1. Right-click Start > Explore > Organize.
2. Select Folder and Search Options.
3. Select the View tab.
4. Under the Hidden files and folders heading, select Show hidden files and folders.
5. Uncheck the Hide extensions for known file types option.
6. Uncheck the Hide protected operating system files (recommended) option.
7. Click Apply > OK.
Also, do the following:
1. Empty out these three (3) folders once your system is clean (just the contents and not the folder itself) by running Disk Cleaner. Make sure these 3 are checked and then press "OK" to remove:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
2. Open your IE browser and select Tools > Internet Options:
    Delete cookies
    Delete Files (check delete all offline content)
    Click OK
3. Run CCleaner if you have it.
Now, download and run HijackThis according to the instructions in Sticky#6. Run in Normal mode and post the logfile. Do not attempt to fix anything in HijackThis.
Then, you can turn System Restore back on. (To re-enable System Restore, follow steps 1-4 above for turning it off, then tick the drives you wish to enable System Restore on and click Apply and OK.)
Set a new restore point. Once I have examined the HijackThis log, I'll let you know if there is anything else that needs to be done.
_________________
Repa
Older than dirt!

wwe9112 (Royal Geek; joined 14 Jun 2007; 1167 posts)
Posted: Tue Jul 08, 2008 9:48 pm
OK, I'll do this in the morning. It's almost 1 and I don't do good following directions when I can't think right. Thanks for your help... I WILL DO THIS TOMORROW! So I'm not bailing, lol. Just getting ready for bed.
_________________
if there was room for another God, and Almighty was ok with it, He would pick me because I'm just that darn good

wwe9112 (Royal Geek; joined 14 Jun 2007; 1167 posts)
Posted: Wed Jul 09, 2008 6:56 pm
Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:17 PM, on 7/9/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {01A33D85-4706-452A-B71A-99510ADA8C0C} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2BCD565F-D0BA-4107-88DA-D14DBDD0C377} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {45C171AD-4F7B-4F3A-9B4B-F1BDD97486A1} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {863CD344-0404-4F7B-B3B2-EB1214176393} - (no file)
O2 - BHO: (no name) - {89602E18-857A-4067-9F82-5F005DD41D46} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A543B70F-ADEF-4780-80BC-864548F30BD9} - (no file)
O2 - BHO: (no name) - {B3BDF8F6-F017-47D4-B6D8-B2FAB794BD01} - (no file)
O2 - BHO: (no name) - {E8349145-F631-4469-A7FE-C11BF2B051DC} - (no file)
O2 - BHO: (no name) - {F2D684F3-7732-48DA-8A6D-B8421A7792C2} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2/ocx/15035/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{156F12C0-B2C7-443D-B117-C5D6086918A5}: NameServer = 71.252.0.12 71.242.0.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{156F12C0-B2C7-443D-B117-C5D6086918A5}: NameServer = 71.252.0.12 71.242.0.12
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Advanced WindowsCare Boost Service (AwcService) - IObit - C:\Program Files\IObit\Advanced WindowsCare 3 Beta\awcservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\Windows\runservice.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
--
End of file - 7961 bytes
Sorry for the delay; my mum had my b-day early and I just got on.
_________________
if there was room for another God, and Almighty was ok with it, He would pick me because I'm just that darn good

Repa (Site Admin; North Carolina; joined 26 Nov 2006; 1901 posts)
Posted: Thu Jul 10, 2008 6:48 pm
Your trojan is still there, or some remnant of it. The CLSID 01A33D85-4706-452A-B71A-99510ADA8C0C is the ConHook (aka Chisyne) trojan variant, the VirtuMonde/Vundo adware Trojan-Downloader.Win32.ConHook.gen. This variant uses a Browser Helper Object (BHO) in Internet Explorer.
Do not use this computer for any purpose that provides banking or credit card information, personal identification info, etc. Do not use it to email anyone. I am still analyzing your HijackThis log and will get back to you as soon as I can.
_________________
Repa
Older than dirt!
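The triage Repa performs on the log above (a known Vundo/ConHook CLSID, BHO entries registered with "(no file)" on disk, R0/R1 search pages pointed away from Microsoft's defaults, and an AppInit_DLLs entry that needs its vendor confirmed) can be scripted. The following is an added example, not code from this thread or from HijackThis: the sample entries are a constructed subset of the log posted above, and the allowlist of expected hosts is an assumption.

```python
import re
from urllib.parse import urlsplit

# CLSID identified as ConHook/Vundo in this thread. Everything else below is
# judged structurally (orphaned entry, unexpected URL host), not by reputation.
KNOWN_BAD_CLSIDS = {"01A33D85-4706-452A-B71A-99510ADA8C0C"}

# Assumption: only Microsoft's default IE start/search pages are "expected";
# any other R0/R1 target is reported as a possible browser hijack.
EXPECTED_URL_HOSTS = {"go.microsoft.com"}

CLSID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")
URL_RE = re.compile(r"=\s*(https?://\S+)")

def triage_line(line):
    """Return (severity, reason) for one HijackThis entry, or None if unremarkable."""
    line = line.strip()
    if not line or line[0] not in "RO":
        return None
    section = line.split(" - ", 1)[0]          # "R1", "O2", "O20", ...
    if section in ("R0", "R1"):
        m = URL_RE.search(line)
        host = urlsplit(m.group(1)).hostname if m else None
        if host and host not in EXPECTED_URL_HOSTS:
            return ("high", f"start/search page redirected to {host}")
        return None
    if section == "O2":
        m = CLSID_RE.search(line)
        clsid = m.group(1).upper() if m else "<no clsid>"
        if clsid in KNOWN_BAD_CLSIDS:
            return ("high", f"BHO {clsid} is a known Vundo/ConHook component")
        if line.endswith("(no file)"):
            return ("medium", f"orphaned BHO {clsid}: registered but DLL missing")
        return None
    if section == "O20":
        return ("medium", "AppInit_DLLs loads into every process; confirm the vendor")
    return None

def triage_log(text):
    """Run triage_line over a whole log; returns [(severity, entry, reason), ...]."""
    findings = []
    for raw in text.splitlines():
        result = triage_line(raw)
        if result:
            findings.append((result[0], raw.strip(), result[1]))
    return findings

# Constructed sample: a subset of the entries from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {01A33D85-4706-452A-B71A-99510ADA8C0C} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2BCD565F-D0BA-4107-88DA-D14DBDD0C377} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll
"""

if __name__ == "__main__":
    for severity, entry, reason in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {entry[:70]}\n         {reason}")
```

The "medium" findings are review prompts, not verdicts: as the next post in the thread shows, avgrsstx.dll turned out to be a legitimate AVG 8.0 component.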

wwe9112 (Royal Geek; joined 14 Jun 2007; 1167 posts)
Posted: Thu Jul 10, 2008 7:09 pm
OK, thanks.
_________________
if there was room for another God, and Almighty was ok with it, He would pick me because I'm just that darn good

Repa (Site Admin; North Carolina; joined 26 Nov 2006; 1901 posts)
Posted: Sat Jul 12, 2008 12:30 pm
Sorry this took so long, wwe. A site was down that I needed information from, and I had to wait for it to come back up. I was concerned that you had another trojan, and needed to verify it. Turns out the avgrsstx.dll I was concerned about is OK; it's part of AVG 8.0. Several lesser sites had been reporting it as a backdoor trojan. I couldn't find it on Granny's computer, which still has AVG 7.5 (and is still updating automatically every day), so I had to be sure.
Run a HijackThis scan and have it fix the following by placing a check in the appropriate box and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {01A33D85-4706-452A-B71A-99510ADA8C0C} - (no file)
Then run another scan with HijackThis and post the logfile.
_________________
Repa
Older than dirt!