Vundo with Multiple Trojans Blocking XP Function



#1 Sarah82 (New Member, 5 posts)
Rorschach112 over at the Malware Removal Forum said I should take my problem to this forum. I was getting webpage redirects and other strange behavior and a Virus Total scan of a suspicious file indicated my laptop running Windows XP is infected with Vundo/Monderb. But as soon as I attempted to start removing it by downloading various programs (such as Spybot S&D and Microsoft IE7 to replace the IE6 it's currently running) the malware apparently realized I was onto it and the next time I booted, Windows XP demanded a password even though it was never set up to use a password.

I have since tried booting into Safe Mode and even tried various things after booting from the XP SP2 disk into the Recovery Console such as Bootcfg, Fixmbr and Fixboot. This was all done before I realized there are programs that get rid of the Vundo/Monderb problem, such as VundoFix and Virtumundobegone.

But I can't run those or HiJackThis, etc., until I can get Windows to work by getting past this password problem. In other words, I think I can solve the problem if I can just get past the password problem.

Even when I boot into Safe Mode, I am shown two accounts, one for Admin and one for the primary user. Both accounts want a password to proceed. Neither account ever required a password before. I have tried just leaving the password space blank and hitting enter and I have also tried using 0, 00, 000, and 0000 as passwords. But nothing seems to be working. This computer was fully up-to-date with XP SP3 and McAfee and was taken over by the malware.

I have now set up a parallel XP installation in order to access the files on the computer. So I am now able to boot and access files using the parallel install. Can I try and neutralize Vundo from there, using the standard recommendations here at GTG?

Using the parallel install, I was able to download and install the AVG anti-virus software suite. I ran a full AVG scan and a variety of trojans were found. I suspect these are the kinds of nasties that will keep coming back if I don't take some additional steps to deep root them out. Can you take a look at the report generated by AVG and then advise me on what I should do in terms of running some additional utilities to permanently root out this variety of malware? I'm going on the assumption that while AVG was helpful in this initial step, it is not enough to keep this stuff away. Here's the AVG report:

"Scan ""Scan whole computer"" was finished."
"Infections found:";"20"
"Infected objects removed or healed:";"20"
"Not removed or healed:";"0"
"Spyware found:";"0"
"Spyware removed:";"0"
"Not removed:";"0"
"Warnings count:";"14"
"Information count:";"0"
"Scan started:";"Wednesday, July 16, 2008, 8:34:30 PM"
"Scan finished:";"Wednesday, July 16, 2008, 9:08:50 PM (34 minute(s) 19 second(s))"
"Total object scanned:";"467721"
"User who launched the scan:";"js"

"Infections"
"File";"Infection";"Result"
"D:\Documents and Settings\Owner\Local Settings\Temp\software.php";"Trojan horse Generic10.BCZJ";"Moved to Virus Vault"
"D:\Documents and Settings\Owner\Local Settings\Temp\software.php:\$IG$IH$IF\gpefaowr.exe";"Trojan horse Generic10.BCPU";"Moved to Virus Vault"
"D:\Documents and Settings\Owner\Local Settings\Temp\software.php:\$IG$IH$IF\wbxdpgfeqod.dll";"Trojan horse Generic10.BCZJ";"Moved to Virus Vault"
"D:\WINDOWS\system32\awtuuUMD.dll";"Trojan horse Generic10.BCAY";"Moved to Virus Vault"
"D:\WINDOWS\system32\cbyocbyt.dll";"Virus found Vundo";"Moved to Virus Vault"
"D:\WINDOWS\system32\clbdll.dll";"Trojan horse BackDoor.Generic9.AZWO";"Moved to Virus Vault"
"D:\WINDOWS\system32\dapabpbu.dll";"Trojan horse BHO.ERV";"Moved to Virus Vault"
"D:\WINDOWS\system32\drivers\clbdriver.sys";"Trojan horse Downloader.Tibs.9.AG";"Moved to Virus Vault"
"D:\WINDOWS\system32\efcYSkii.dll";"Trojan horse BHO.ERS";"Moved to Virus Vault"
"D:\WINDOWS\system32\fccyxwwT.dll";"Trojan horse Generic10.BCAY";"Moved to Virus Vault"
"D:\WINDOWS\system32\jtevps.dll";"Trojan horse BHO.ERM";"Moved to Virus Vault"
"D:\WINDOWS\system32\kkrdpmih.dll";"Trojan horse BHO.ERM";"Moved to Virus Vault"
"D:\WINDOWS\system32\lermwpfh.dll";"Trojan horse Generic10.BCRA";"Moved to Virus Vault"
"D:\WINDOWS\system32\mavzhh.dll";"Trojan horse Generic10.BCRA";"Moved to Virus Vault"
"D:\WINDOWS\system32\opnnLFwu.dll";"Trojan horse Generic10.BCAY";"Moved to Virus Vault"
"D:\WINDOWS\system32\opnnLFwu.zip";"Trojan horse Generic10.BCAY";"Moved to Virus Vault"
"D:\WINDOWS\system32\opnnLFwu.zip:\opnnLFwu.dll";"Trojan horse Generic10.BCAY";"Moved to Virus Vault"
"D:\WINDOWS\system32\ssqOfdBt.dll";"Trojan horse Generic10.BCAY";"Moved to Virus Vault"
"D:\WINDOWS\system32\tcbtew.dll";"Trojan horse BHO.ERV";"Moved to Virus Vault"
"D:\WINDOWS\system32\xneibugw.dll";"Trojan horse BHO.ERU";"Moved to Virus Vault"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\js\Cookies\js@m.webtrends[2].txt";"Found Tracking cookie.Webtrends";"Potentially dangerous object"
"C:\Documents and Settings\js\Cookies\js@m.webtrends[2].txt:\m.webtrends.com.b4ca7df0";"Found Tracking cookie.Webtrends";"Potentially dangerous object"
"D:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"D:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt:\advertising.com.525a5fb9";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"D:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"D:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"D:\Documents and Settings\Owner\Cookies\owner@findwhat[1].txt";"Found Tracking cookie.Findwhat";"Potentially dangerous object"
"D:\Documents and Settings\Owner\Cookies\owner@findwhat[1].txt:\findwhat.com.539b0606";"Found Tracking cookie.Findwhat";"Potentially dangerous object"
"D:\Documents and Settings\Owner\Cookies\owner@m.webtrends[2].txt";"Found Tracking cookie.Webtrends";"Potentially dangerous object"
"D:\Documents and Settings\Owner\Cookies\owner@m.webtrends[2].txt:\m.webtrends.com.b4ca7df0";"Found Tracking cookie.Webtrends";"Potentially dangerous object"
"D:\Documents and Settings\Owner\Cookies\owner@revsci[1].txt";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"D:\Documents and Settings\Owner\Cookies\owner@revsci[1].txt:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"D:\Documents and Settings\Owner\Cookies\owner@revsci[1].txt:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"D:\Documents and Settings\Owner\Cookies\owner@revsci[1].txt:\revsci.net.e9dbeb91";"Found Tracking cookie.Revsci";"Potentially dangerous object"


#2 The Skeptic (Trusted Tech, 4,075 posts)
In principle, what I would aim to do is to transfer the data from the blocked installation into the new XP installation and uninstall the blocked installation. Data transfer can be done with Windows Explorer. Please note that you will have to reinstall all your programs like you do in a "normal" installation.

If you agree to do this then move the data to the new installation or, even better, keep it also backed up in case something goes wrong. Don't install your other programs yet.

After moving and backing up the data delete the folder of the first windows installation. Now click Start > Run. Type msconfig and click BOOT.INI. Click Check All Boot Paths and allow the removal of the uninstalled program path.

Now move back to the malware forum and continue with your topic.

Notes:

1: It looks like AVG did its job and removed malware from the first installation. Assuming this is the case I would run some other malware programs to decrease the chance of contaminating the new installation with files moved from the old one. This should be done at the present state, before you move the data files. Click the link to the malware forum from the list below and run all the preliminary programs prior to HJT. Only then move your data and remove the old installation.

2: The reason I ask you not to install your programs yet is to simplify and shorten the cleanup process in the malware forum. Install the programs only after the computer is declared clear.

3: I hope you will be able to remove the old installation. It might be that no permission will be given without a password. If this happens then we are back at square one.
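One way to triage the AVG report from post #1 before any data is copied from the old D: install to the new one, as an added example written for this page and not code from the thread or from AVG: a small parser for AVG's semicolon-separated, double-quoted report layout that groups findings by drive, separates infections under Documents and Settings (the data that would travel with a profile copy) from those in system locations, and confirms that every infection was vaulted or healed. The sample report is a constructed excerpt using paths from the post; the column order and "file:\stream" naming follow the report as posted.

```python
import csv
import io
from collections import defaultdict

# Constructed excerpt in the same layout as the AVG report posted above (semicolon-separated, double-quoted).
# AVG names a stream or archive member inside a file as "file:\stream", which split_path() strips.
SAMPLE_REPORT = '''"Scan ""Scan whole computer"" was finished."
"Infections"
"File";"Infection";"Result"
"D:\\Documents and Settings\\Owner\\Local Settings\\Temp\\software.php";"Trojan horse Generic10.BCZJ";"Moved to Virus Vault"
"D:\\Documents and Settings\\Owner\\Local Settings\\Temp\\software.php:\\$IG$IH$IF\\gpefaowr.exe";"Trojan horse Generic10.BCPU";"Moved to Virus Vault"
"D:\\WINDOWS\\system32\\cbyocbyt.dll";"Virus found Vundo";"Moved to Virus Vault"
"D:\\WINDOWS\\system32\\drivers\\clbdriver.sys";"Trojan horse Downloader.Tibs.9.AG";"Moved to Virus Vault"
"Warnings"
"File";"Infection";"Result"
"C:\\Documents and Settings\\js\\Cookies\\js@m.webtrends[2].txt";"Found Tracking cookie.Webtrends";"Potentially dangerous object"
'''


def parse_report(text):
    """Return (section, file, detection, result) rows from the Infections and Warnings tables."""
    rows, section = [], None
    for rec in csv.reader(io.StringIO(text, newline=""), delimiter=";", quotechar='"'):
        if len(rec) == 1:            # single-field line: a section title such as "Infections" / "Warnings"
            section = rec[0]
        elif len(rec) == 3 and rec[0] != "File" and section in ("Infections", "Warnings"):
            rows.append((section, rec[0], rec[1], rec[2]))
    return rows


def split_path(winpath):
    """Return (drive letter, path below the drive) with any ':\\stream' or archive-member suffix removed."""
    drive, _, rest = winpath.partition(":\\")
    return drive.upper(), rest.split(":\\", 1)[0]


def migration_risk(rows):
    """Per drive: infections under user profiles (data a migration would copy) vs. system locations, plus warning count."""
    summary = defaultdict(lambda: {"profile_infections": [], "system_infections": [], "warnings": 0})
    for section, path, detection, result in rows:
        drive, host = split_path(path)
        if section == "Warnings":             # tracking cookies are reported here, not real infections
            summary[drive]["warnings"] += 1
            continue
        top = host.split("\\", 1)[0].lower()
        bucket = "profile_infections" if top == "documents and settings" else "system_infections"
        summary[drive][bucket].append((host, detection, result))
    return dict(summary)


def all_neutralised(rows):
    """True when every infection row was vaulted or healed; cookie warnings are not counted."""
    return all(r.startswith(("Moved to Virus Vault", "Healed")) for s, _, _, r in rows if s == "Infections")
```

Run `migration_risk(parse_report(open("report.csv").read()))` on a real export to see which drive and which profile folders carried detections before deciding what to copy.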