Vundo Variants A, B, C

Discussion in 'Malware Help (A Specialist Will Reply)' started by Drushen, Jun 6, 2008.

  1. Drushen

    Drushen Private E-2

    Hi. I have Vundo Variants A, B, C which Windows Live OneCare detects but is unable to remove. It claims to remove it, but when I reboot, the scanner picks up different variants of Vundo. I have followed all the procedures of the READ & RUN ME FIRST Malware Removal Guide. Attached will be logs from the various program scans. Prior to the guide I ran VundoBeGone in safe mode, which did not detect Vundo; I assume this false negative result is due to removal of certain registry entries after my analysis of my HijackThis log. Vundo messes with the DLL of the Winlogon proxy. I kind of figured this out. I have now downloaded the Windows Malicious Software Removal Tool and want to run it.

    I want to know, after analysis of the logs from the various programs mentioned in the Malware Removal Guide, am I finally rid of this trojan?

    Your help will be greatly appreciated.
    Kind Regards

    P.S. Many thanks to the Major Geeks team for your guide.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    We need the other two logs from SUPERAntispyware and Malwarebytes.

    Are you running antivirus software from Microsoft and from Symantec? What do you have installed from Symantec besides Norton Security Scan?

    Your logs do seem to be basically clean especially from Vundo. I have some minor steps for you to do.

    Uninstall the below old versions of software:
    Java(TM) 6 Update 3
    Java(TM) SE Runtime Environment 6

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    After clicking Fix, exit HJT.

    Now reboot your PC.

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.



    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
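The three HijackThis lines quoted in the reply above are the usual shape of what a helper asks a user to fix: two registry objects (a BHO and a toolbar) whose backing file HijackThis reports as "(no file)", and one autorun entry with a full command line. The parser below is an added example, not code from the page or from MajorGeeks; it assumes the O2/O3/O4 line layouts shown above and uses those three lines as constructed sample input. It separates orphaned CLSID registrations (no file on disk) from autorun entries and pulls the executable path out of the latter, which is the first thing a reviewer checks before deciding whether a line belongs on a fix list.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three HijackThis lines quoted in the reply above
HJT_LINES = r"""
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
"""

@dataclass
class HjtEntry:
    section: str    # O2 (BHO), O3 (toolbar), O4 (autorun)
    name: str       # display name, or the Run value name for O4
    target: str     # CLSID for O2/O3, full command line for O4
    orphaned: bool  # True when HijackThis printed "(no file)" for the backing file

# O2/O3 layout assumed from the lines above: "<sec> - <kind>: <name> - {CLSID} - <file or (no file)>"
OBJ_RE = re.compile(
    r"^(?P<sec>O[23]) - (?:BHO|Toolbar): (?P<name>.+?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<file>.+)$"
)
# O4 layout assumed from the line above: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def parse_hjt(text):
    """Turn HijackThis O2/O3/O4 lines into structured entries; unknown lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = OBJ_RE.match(line)
        if m:
            no_file = m["file"].strip() == "(no file)"
            entries.append(HjtEntry(m["sec"], m["name"], m["clsid"], no_file))
            continue
        m = O4_RE.match(line)
        if m:
            entries.append(HjtEntry("O4", m["name"], m["cmd"], False))
    return entries

def orphaned_entries(entries):
    """BHO/toolbar registrations whose DLL is not on disk: dead registry leftovers."""
    return [e for e in entries if e.orphaned]

def startup_executable(entry):
    """Executable launched by an O4 autorun entry (quoted path, else first token)."""
    m = re.match(r'"([^"]+)"|(\S+)', entry.target)
    return m.group(1) or m.group(2)

def triage(text):
    """Summary a reviewer would look at: orphaned CLSIDs and autorun name -> executable."""
    entries = parse_hjt(text)
    return {
        "orphaned_clsids": [e.target for e in orphaned_entries(entries)],
        "autoruns": {e.name: startup_executable(e) for e in entries if e.section == "O4"},
    }

if __name__ == "__main__":
    for key, value in triage(HJT_LINES).items():
        print(f"{key}: {value}")
```

The orphaned entries are inert on their own (there is no DLL to load), so removing them is cleanup rather than disinfection; the autorun line is the one where the path on disk decides whether anything more is needed.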
  3. Drushen

    Drushen Private E-2

    Thank you for your great help chaslang, greatly appreciated.

    I could not locate the Malwarebytes log, so I copied it from the program, under the log section.

    Malwarebytes' Anti-Malware 1.15
    Database version: 834

    10:55:52 AM 2008/06/07
    mbam-log-6-7-2008 (10-55-52).txt

    Scan type: Quick Scan


    Objects scanned: 36743
    Time elapsed: 7 minute(s), 20 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    I don't know where the SUPERAntiSpyware log stored itself. I tried searching for it but could not find it. I do however remember that scan removed some files.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The procedure for SUPERAntispyware explains how to get logs: SUPERAntiSpyware - running & getting a log

    You need to answer my question in message # 2 and also finish doing what I ask you to do in that message.
     
  5. Drushen

    Drushen Private E-2

    Thanks, here is the SAS log.


    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 06/06/2008 at 02:12 AM

    Application Version : 4.15.1000

    Core Rules Database Version : 3475
    Trace Rules Database Version: 1466

    Scan type : Complete Scan
    Total Scan Time : 01:02:32

    Memory items scanned : 655
    Memory threats detected : 0
    Registry items scanned : 8699
    Registry threats detected : 7
    File items scanned : 35084
    File threats detected : 5

    Trojan.Media-Codec
    C:\Users\Drushen\Favorites\Online Security Test.url

    Malware.SpyLocked
    HKCR\videoaccessactivex.Chl
    HKCR\videoaccessactivex.Chl\CLSID

    Trojan.Media-Codec/V4
    C:\Program Files\Video Add-on\ot.ico
    C:\Program Files\Video Add-on\ts.ico
    C:\Program Files\Video Add-on\uninst.exe
    C:\Program Files\Video Add-on
    HKU\S-1-5-21-332601266-467600200-1553415820-1000\Software\Online Add-on
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Safety Features
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Safety Features#DisplayName
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Safety Features#UninstallString

    Adware.Vundo Variant/Rel
    HKU\S-1-5-21-332601266-467600200-1553415820-1000\Software\Microsoft\rdfa
     
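A SUPERAntiSpyware log like the one posted above has two parts that should agree: a summary block with "Registry threats detected" and "File threats detected" totals, and an itemized list of threat names followed by the registry keys and file paths found under each. The parser below is an added example (not code from the page, from SUPERAntiSpyware, or from anyone in this thread); it assumes the layout of the log as posted, embeds that log verbatim as constructed sample input, and checks that the itemized entries add up to the summary totals. Counting the posted log this way gives 7 registry items and 5 file items, matching the summary, which is a quick sanity check before reading the detections themselves.

```python
import re

# Constructed sample: the SUPERAntiSpyware log posted above, embedded verbatim
SAS_LOG = r"""
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/06/2008 at 02:12 AM

Application Version : 4.15.1000

Core Rules Database Version : 3475
Trace Rules Database Version: 1466

Scan type : Complete Scan
Total Scan Time : 01:02:32

Memory items scanned : 655
Memory threats detected : 0
Registry items scanned : 8699
Registry threats detected : 7
File items scanned : 35084
File threats detected : 5

Trojan.Media-Codec
C:\Users\Drushen\Favorites\Online Security Test.url

Malware.SpyLocked
HKCR\videoaccessactivex.Chl
HKCR\videoaccessactivex.Chl\CLSID

Trojan.Media-Codec/V4
C:\Program Files\Video Add-on\ot.ico
C:\Program Files\Video Add-on\ts.ico
C:\Program Files\Video Add-on\uninst.exe
C:\Program Files\Video Add-on
HKU\S-1-5-21-332601266-467600200-1553415820-1000\Software\Online Add-on
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Safety Features
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Safety Features#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Safety Features#UninstallString

Adware.Vundo Variant/Rel
HKU\S-1-5-21-332601266-467600200-1553415820-1000\Software\Microsoft\rdfa
"""

# "Key : value" summary lines; the key must contain a space so the URL line is not taken for one
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z]+(?: [A-Za-z]+)+)\s*:\s*(?P<val>.+)$")
# A detection item is a filesystem path (drive letter) or a registry path (hive prefix)
ITEM_RE = re.compile(r"^(?:[A-Za-z]:\\|HK(?:CR|CU|LM|U|CC)\\)")

def parse_sas(text):
    """Split a SAS log into summary fields and {threat name: [items]}."""
    header, detections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # a blank line closes a detection block
            continue
        if ITEM_RE.match(line):
            if current is not None:
                detections.setdefault(current, []).append(line)
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m["key"]] = m["val"].strip()
            continue
        current = line              # candidate threat name; it only counts if items follow

    return {"header": header, "detections": detections}

def count_items(parsed):
    """Count itemized detections by type, the way the summary block reports them."""
    counts = {"registry": 0, "file": 0}
    for items in parsed["detections"].values():
        for item in items:
            counts["registry" if item.upper().startswith("HK") else "file"] += 1
    return counts

def counts_match(parsed):
    """True when the itemized list agrees with the log's own summary totals."""
    h, c = parsed["header"], count_items(parsed)
    return (int(h.get("Registry threats detected", -1)) == c["registry"]
            and int(h.get("File threats detected", -1)) == c["file"])

def threats_for(parsed, needle):
    """Threat names whose label contains needle (case-insensitive), e.g. 'vundo'."""
    return [name for name in parsed["detections"] if needle.lower() in name.lower()]

if __name__ == "__main__":
    p = parse_sas(SAS_LOG)
    for name, items in p["detections"].items():
        print(f"{name}: {len(items)} item(s)")
    print("summary counts consistent:", counts_match(p))
    print("Vundo-related:", threats_for(p, "vundo"))
```

On this log the only Vundo-labelled detection is a single registry key under the user hive, with no file item behind it, which is consistent with chaslang's reading that the logs look basically clean of Vundo itself.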
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do not post any logs inline! This was mentioned in the READ & RUN ME!! You posted both MBAM and SAS logs inline.

    You still need to complete my instructions in message # 2.
     
