Trojan.Vundo infection cleanup - help needed.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by nrb.geek, Jun 30, 2008.

  1. nrb.geek

    nrb.geek Private E-2

    Hi all,
    my machine suffered an infection by Trojan.Vundo and Trojan.FakeAlert. These were picked up by Malwarebytes. However, to be sure I've been through a full cleanup process...

    so far nothing suspicious is happening, but wondered whether someone would mind looking over the log files.

    Log file for SAS, Malwarebytes, Combofix attached... MLogs.zip in next message

    Thanks in advance...

    Nick
     


  2. nrb.geek

    nrb.geek Private E-2

    Mglogs.zip log file attached.

    thanks

    N
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You actually look pretty good. Let's just do this:

    Download and install: Java Runtime 6

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now tell me what other issues you may still be having.
     
  4. nrb.geek

    nrb.geek Private E-2

    Thanks TimW,
    no other suspicious behaviour to report for the time being. Thanks for your assistance. I'm presuming the two dll files referred to are nasty?

    Sorry for the delay in response - nasty timezone difference. I really appreciate the assistance you guys provide. Please let me know if there's any further steps I should perform; other than that, I'll just try and stay out of trouble.

    Thanks

    nrb
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sweet... yes, the .dll files were bad.

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    2. Click START then RUN
    * Now type "%userprofile%\Desktop\cf" /u in the runbox and click OK.
    * Note: The space between the cf and the /u, it must be there.
    3. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    4. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip.
    5. If you are running Windows XP or Windows ME, do the below:
    * Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    6. After doing the above, you should work through the below link:
    How to Protect yourself from malware!
     
  6. nrb.geek

    nrb.geek Private E-2

    Hi there,
    bad news I'm afraid. No sooner had all this been completed than Sophos reported Troj/Dloadr-BNJ in the System Volume Information file. What is odd is that I had definitely disabled the system restore, all firewalls were running, etc.

    I'm not sure whether system restore could be switched on as part of a malicious action or not?

    I've attached the log file from Sophos and of course turned off the System Restore again!

    Do you suggest repeating the previous process at this stage?

    Thanks and sorry for this setback

    nrb
     

    Attached Files: SAV.txt (18.9 KB)
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did you reboot after turning system restore off?
     
  8. nrb.geek

    nrb.geek Private E-2

    Yep, I have had system restore turned off for some time.
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I don't understand... you have left system restore off and have also rebooted with it off? If so then you should turn it back on.

    Perhaps you should go to Bitscan link: agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

    Click on the Detected Problems tab. Then select Click here to export the scan report.

    When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt) and then in the File name box change the name to bdscan, then click save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are at so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.
     
  10. nrb.geek

    nrb.geek Private E-2

    Hi TimW,
    sorry, I may not have explained properly. As far as I know system restore had been turned off for some time, i.e. I had turned it off early on in evaluating any problems, and had not turned it on again. At no time in the past had there been any indication of there being an infected file in system restore, and in any case my understanding is that turning system restore off will delete any files contained therein, thereby dealing with that instance of an infection.

    What was surprising is that the scan I ran turned up a virus in system restore, which meant that some other process must have turned system restore on. I'm sure I didn't - either that or I'm going crazy??

    Anyway, I have run the Bitdefender scan as suggested. It turned up nothing (the log is attached). However Spyware Terminator, the scanner I've used for some time, this morning turned up a new infection (SPR/Tool.Hide.A) in a downloaded file that has been on my drive for some time. I've removed it and attach that log also.

    I have also turned system restore off and on again.

    Thanks

    Nick
     

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Have not heard of a virus that can both turn on system restore and inject a file into it.

    Are you still having any issues?
     
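    A read-only check that would settle the question raised in the last few posts (whether System Restore was silently re-enabled and when the restore points were created). This is an added example, not a script from the thread or from MajorGeeks; it assumes the Windows XP/Vista/7 registry locations for the DisableSR value, the root\default SystemRestore WMI class, and an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): report System Restore state so a
# defender can tell whether the feature was re-enabled behind their back.
# Assumes XP/Vista/7 registry layout and the root\default SystemRestore
# WMI class; run from an elevated prompt (the WMI class needs admin rights).

$cfgKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'

function Get-RegValue($path, $name) {
    try { (Get-ItemProperty -Path $path -Name $name -ErrorAction Stop).$name }
    catch { $null }   # key or value absent
}

# DisableSR = 1 means the feature is off; a policy value overrides the config value.
$cfg = Get-RegValue $cfgKey 'DisableSR'
$pol = Get-RegValue $polKey 'DisableSR'
$effective = if ($pol -ne $null) { $pol } elseif ($cfg -ne $null) { $cfg } else { 0 }
$state = if ($effective -eq 1) { 'DISABLED' } else { 'ENABLED' }
"DisableSR config=$cfg policy=$pol -> System Restore is $state"

# On XP the feature is backed by the 'srservice' service; Vista and later use VSS,
# so the service is simply absent there and this block prints nothing.
$svc = Get-Service -Name srservice -ErrorAction SilentlyContinue
if ($svc) {
    $mode = (Get-WmiObject Win32_Service -Filter "Name='srservice'").StartMode
    "srservice status: $($svc.Status), start type: $mode"
}

# List restore points with creation time. A point created after you turned the
# feature off is the evidence that some other process re-enabled it, which is
# exactly what an infected file inside System Volume Information would imply.
Get-WmiObject -Namespace root\default -Class SystemRestore |
    Sort-Object SequenceNumber |
    ForEach-Object {
        $t = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
        '{0,4}  {1:yyyy-MM-dd HH:mm}  type={2}  {3}' -f `
            $_.SequenceNumber, $t, $_.RestorePointType, $_.Description
    }
```

    Compare the creation times against the moment you disabled System Restore; installers and Windows Update also create restore points, so a new point is only suspicious when nothing you ran explains it.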
  12. nrb.geek

    nrb.geek Private E-2

    Yes,
    I agree it is pretty strange, but am sure I didn't switch on system restore unknowingly. Other than the additional infection discovered yesterday - in itself somewhat worrying - there hasn't been any notably strange behavior to speak of. I will keep my scans going and a lookout for anything odd.

    Fingers crossed.

    Thanks for your help and sorry this became somewhat drawn out.

    nrb
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not a problem... let me know if you need additional assistance. :)
     
