Jump to content
DaChew

McAfee Vundo Knockdown dragout

Recommended Posts

OK but it's not MBAM breaking anything. You are seriously infected and that is what is your problem. Bruce is most likely going to ask for files etc. If you can upload them that would be great. He is aware of this thread.

Share this post


Link to post
Share on other sites

Looking at your last log I can see that we removed a file that was neither in memory nor had a start point and it removed without a reboot (forced) .

I am sure that you know already but this means that this file and its removal was not the cause of the boot issues .

I am busy now but will check back in to see where you want to go with this .

Share this post


Link to post
Share on other sites

I apologize for infering that my favorite program broke anything, I have suspected a rootkit for quite some time but nothing was finding or catching it

If the repair disk does not work I will be moving the hard drive to my computer to retrieve data, I will have subs disinfector open before opening the drive, if anyone wants me to save any files before I format I will be glad to, I have not deleted anything from any quarantine

Share this post


Link to post
Share on other sites

right before running the MBAM scan I had installed spybot and sd helper and immunized and ran a scan and got one vundo related file/value

I disabled a couple of suspicious addons in IE7 and unchecked 2 or 3 exceptions in windows firewall, one of which was limewire which i thought had been uninstalled

Share this post


Link to post
Share on other sites
I am a freshman over at MRU and I do a lot of maleware fixes for friends and clients and have used the MBAM for a few months

In this case I decided to document the fixes and try to understand the process better, that's why I used MBAM first, what I need help on, is have I screwed up some dependencies by not using vundofix or sdfix?

thank you

Thank you for the response, as a student I am expected to fix my own problems in a shadow log but not allowed to use advanced tools, understandably. This is a friends computer and I was afraid it might need combofix, I have run every tool I can including rootkit scanners and it's beginning to look like a shell error. AFAIK I am breaking no rules by posting a HJT log here as long as it's not mine.

The other tools found a few items, I was hoping if someone here more experienced in reading MBAM logs saw something critical they would advise.

thanks again

I am running kasp online scanner on a badly patched OS right now

I think I have found the original infector in the limewire data folder

it's 117KB nero7ultimateiso.zip ??

I will upload to jotti to make sure all this is not in vain and for my own understanding

I have decided to delete the primary partition, do I need to write zeros to the drive?

Share this post


Link to post
Share on other sites

If you are trying to reformat the entire system. Delete the main partition and format it NTFS. All data on that system will be lost assuming it only has 1 partition. Malware, minus very tiny exceptions, does not survive a format.

Share this post


Link to post
Share on other sites

back in the old days I used zap to kill nt partitions, is there any need for me to upload anything before I destroy all traces?

Share this post


Link to post
Share on other sites

-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Friday, April 18, 2008 4:04:13 AM

Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.98.0

Kaspersky Anti-Virus database last update: 17/04/2008

Kaspersky Anti-Virus database records: 712987

-------------------------------------------------------------------------------

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

Scan Target - My Computer:

A:\

C:\

D:\

E:\

Scan Statistics:

Total number of scanned objects: 28825

Number of viruses found: 4

Number of infected objects: 7

Number of suspicious objects: 0

Duration of the scan process: 00:36:34

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\036c18d48c34864b5ebd494f8ceb4ebc_8abe1c70-78a9-4e6a-acd3-2ec5402e8b9c Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3c91260f5be7267fcce324f75d813ca1_8abe1c70-78a9-4e6a-acd3-2ec5402e8b9c Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6ca220cb92738373cc259a472f03251e_8abe1c70-78a9-4e6a-acd3-2ec5402e8b9c Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a473726ba1d83f5e37b28261635c4dc4_8abe1c70-78a9-4e6a-acd3-2ec5402e8b9c Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f41d0e63d35c08b9786da644069e2bb5_8abe1c70-78a9-4e6a-acd3-2ec5402e8b9c Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ffb4b45090e03b81d624675fcbbd70da_8abe1c70-78a9-4e6a-acd3-2ec5402e8b9c Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.53780 Infected: Trojan.Win32.VB.cng skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Desktop\Jordans Music\dead men walking.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped

C:\Documents and Settings\Owner\Desktop\Jordans Music\highvoltage.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped

C:\Documents and Settings\Owner\Desktop\Jordans Music\Nero7 Premium v7.5.02 iSO.zip/Setup.exe Infected: Trojan-Downloader.Win32.VB.dck skipped

C:\Documents and Settings\Owner\Desktop\Jordans Music\Nero7 Premium v7.5.02 iSO.zip ZIP: infected - 1 skipped

C:\Documents and Settings\Owner\Desktop\Jordans Music\report card soulja boy tell em.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008041820080419\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\hpodvd09.log Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DF5C8A.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DF5C95.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{7329998B-A789-4944-93C5-D5FD94CAB080}\RP1\change.log Object is locked skipped

C:\VundoFix Backups\iifgEttr.dll.bad Infected: Packed.Win32.Monder.gen skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Scan taken on 17 Apr 2008 23:57:27 (GMT)

A-Squared Found Trojan-Downloader.Win32.VB.dck

AntiVir Found TR/Dldr.VB.dck

ArcaVir Found Adware.Virtumonde.Ic

Avast Found Win32:VB-FXE

AVG Antivirus Found Dropper.Generic.VUZ

BitDefender Found Trojan.Downloader.VB.VOT

ClamAV Found Trojan.Downloader-26456

CPsecure Found Troj.Downloader.W32.VB.dck

Dr.Web Found nothing

F-Prot Antivirus Found nothing

F-Secure Anti-Virus Found Trojan:W32/VB.BJQ, Trojan-Downloader.Win32.VB.dck

Fortinet Found W32/VB.DCK!tr.dldr

Ikarus Found Virus.Win32.VB.FXE

Kaspersky Anti-Virus Found Trojan-Downloader.Win32.VB.dck

NOD32 Found probably a variant of Win32/TrojanDropper.VB.NAI (probable variant)

Norman Virus Control Found W32/DLoader.GBUP

Panda Antivirus Found Bck/VB.ABN

Sophos Antivirus Found Mal/Generic-A

VirusBuster Found nothing

VBA32 Found Trojan-Downloader.Win32.VB.dck

Scan taken on 18 Apr 2008 00:01:07 (GMT)

A-Squared Found nothing

AntiVir Found TR/Dldr.WMA.Wimad.N

ArcaVir Found nothing

Avast Found nothing

AVG Antivirus Found nothing

BitDefender Found nothing

ClamAV Found nothing

CPsecure Found nothing

Dr.Web Found nothing

F-Prot Antivirus Found nothing

F-Secure Anti-Virus Found Trojan-Downloader.WMA.Wimad.n

Fortinet Found nothing

Ikarus Found nothing

Kaspersky Anti-Virus Found Trojan-Downloader.WMA.Wimad.n

NOD32 Found nothing

Norman Virus Control Found nothing

Panda Antivirus Found nothing

Sophos Antivirus Found nothing

VirusBuster Found nothing

VBA32 Found nothing

Share this post


Link to post
Share on other sites
Looking at your last log I can see that we removed a file that was neither in memory nor had a start point and it removed without a reboot (forced) .

I am sure that you know already but this means that this file and its removal was not the cause of the boot issues .

I am busy now but will check back in to see where you want to go with this .

I have thought about this and what else I did and I can not say I agree with your analysis

that file was missed in numerous scans earlier, every time I did some thing to this infection it was like peeling another layer on an onion, I think I touched a deep nerve that last fix

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.