Trojan.Vundo - Symantec Antivirus Notification - need help



mcryder26
2007-07-19, 23:02
I apparently have the Vundo trojan. My computer is a mess. It is a Toshiba laptop running XP, and has SSD and Symantec Antivirus running.

The computer is consumed with pop-up windows alerting "Registry change denied".

I am sending this request for help from another computer. I'm a novice, so I can use all help available.

Thanks!

tashi
2007-07-20, 03:25
Hello.

Please follow the procedure in this link to produce the two logs requested: "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

If necessary, use the second computer to do so.

Then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) where a helper will advise you as soon as available. Regards. :)

mcryder26
2007-07-21, 00:03
Guess I am a computer dummy. I ran the eTrust online scanner, and it found three viruses, but I can't figure out how to save the "log". Is there some other software I need for that? While I was running the online scan, I didn't realize I was supposed to disable my Symantec software, so Symantec found the following:

Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Downloader
File: C:\System Volume Information\_restore{51B2433B-9DF3-4C49-BC34-1E3F1DBA4033}\RP977\A0135569.exe
Location: C:\System Volume Information\_restore{51B2433B-9DF3-4C49-BC34-1E3F1DBA4033}\RP977
Computer: JBARNES04441
User: SYSTEM
Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
Date found: Friday, July 20, 2007 12:56:23 PM

Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Downloader.MisleadApp
File: C:\System Volume Information\_restore{51B2433B-9DF3-4C49-BC34-1E3F1DBA4033}\RP977\A0135570.exe
Location: C:\System Volume Information\_restore{51B2433B-9DF3-4C49-BC34-1E3F1DBA4033}\RP977
Computer: JBARNES04441
User: SYSTEM
Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
Date found: Friday, July 20, 2007 2:12:08 PM

Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Trojan.Vundo
File: C:\System Volume Information\_restore{51B2433B-9DF3-4C49-BC34-1E3F1DBA4033}\RP977\A0136606.dll
Location: C:\System Volume Information\_restore{51B2433B-9DF3-4C49-BC34-1E3F1DBA4033}\RP977
Computer: JBARNES04441
User: SYSTEM
Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
Date found: Friday, July 20, 2007 2:47:08 PM

What do I do now? Download the two "hijack this" software and run them? If so, I don't see any instructions for doing that. I seem to be stuck in the instructions.

tashi
2007-07-21, 00:24
Hello.


4) HiJackThis log - Trend Micro HijackThis 2.0.2

This version should be used if you are running Windows Vista.

Direct executable (http://www.trendsecure.com/portal/en-US/threat_analytics/HiJackThis.exe)
Zip file (http://www.trendsecure.com/portal/en-US/threat_analytics/HiJackThis.zip)
Installer version (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe)

Quick Start Guide (http://www.trendsecure.com/portal/en-US/threat_analytics/quick_start_guide.php)

OR:

5) HiJackThis log - Merijn's HijackThis v1.99.1

Direct executable (http://www.merijn.org/files/HijackThis.exe)
Zip file (http://www.downloads.subratam.org/hijackthis.zip)


Double click HijackThis.exe.
Hit None Of The Above, just start the program.
Hit Scan.
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Click that, save the log somewhere, and copy/paste (http://www.webmasternow.com/copyandpaste.html) (no attachments) into your (Click --> ) own new topic (http://forums.spybot.info/newthread.php?do=newthread&f=22)
a) The HJT log
b) The on-line Anti Virus scan log/report

"BEFORE you POST" (http://forums.spybot.info/showthread.php?t=288)

As you don't have Windows Vista, you can use Merijn's HijackThis v1.99.1 to start off with. The direct executable does not need unzipping, which makes it simpler. :) A log is needed from one version only.

Don't worry about the log from the on-line anti virus scanner for now.

Then start your topic in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) and post the HJT log there. Thanks. ;)

Hope that helps.

mcryder26
2007-07-21, 17:19
:alien:

md usa spybot fan
2007-07-21, 18:30
mcryder26:

I see you posted in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum in the following thread:
Many viruses! Here is my HJT log. Please help!
http://forums.spybot.info/showthread.php?t=16205
However, it appears that you posted the HijackThis log as an attachment in spite of the following instruction:


Click that, save the log somewhere, and copy/paste (http://www.webmasternow.com/copyandpaste.html) (no attachments) into your (Click --> ) own new topic (http://forums.spybot.info/newthread.php?do=newthread&f=22)
I suggest that you copy and paste the HijackThis log to another post in that same thread so that the assistance with your problem is not delayed.

mcryder26
2007-07-21, 22:06
Please let me know if I did it right this time....sorry for being a nimrod.

tashi
2007-07-21, 22:24
No worries, a little bit of panic/mind fuzziness is normal when one's computer is infected. ;)

Helpers are in different time zones, but if no one has picked it up by this evening, I will ask one to take a look.