View full version: TR/Vundo.Gen



CJb3LL
04.05.2007, 18:01
Hi!
AntiVir tells me that C:\WINDOWS\system32\nnnkijk.dll is the trojan horse TR/Vundo.Gen.
I ran HiJackThis and AVZ as explained in the 'tutorial'. I have added the logs to this thread.
I do not know what to do next. Please, help me. Thank you very much.

drongo
04.05.2007, 18:13
First of all, you should update the AVZ database (File/Database update).
Secondly, you should make all logs in normal mode, with all unnecessary programs closed and your browser (Internet Explorer) still running. Is that a problem for you?
Meantime,
please run AVZ, go to File - Custom scripts, copy the Code, paste it to Custom scripts window and Run the script.



begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
// copy the suspected files into the AVZ quarantine without deleting them
QuarantineFile('C:\WINDOWS\temp\NavBrowser.exe','');
QuarantineFile('C:\Programme\TortoiseSVN\iconv\windows-1252.so','');
QuarantineFile('C:\WINDOWS\system32\nnnkijk.dll','');
// the copy is done by the boot-time cleaner, so a reboot is required
BC_ImportQuarantineList;
BC_LogFile(GetAVZDirectory + 'boot_copy.log');
BC_Activate;
RebootWindows(true);
end.


After that please upload quarantined file(s) according to the Rules.
Please use http://virusinfo.info/upload_virus.php?tid=9477 to upload.

P.S. I think AntiVir is correct ;) But we would still like to see your quarantined file(s), according to the Rules.

CJb3LL
04.05.2007, 19:14
Thank you for your help! I have executed your script.
Unfortunately I do not understand Russian, so I hope that I uploaded the quarantined files correctly. If not, please let me know.
I have also updated the AVZ database. Should I make new logs and add them to this thread?

drongo
04.05.2007, 20:03
OK, nnnkijk.dll is a bad thing :)
According to Kaspersky, it is not-a-virus:AdWare.Win32.Virtumonde.jf
The other 2 files, I think, are clean, but we will get an answer from Kaspersky Lab shortly (I hope).
Now, about healing your computer: we have 2 options here. It is up to you which option to choose!
The first option is your antivirus.
Boot in safe mode (http://virusinfo.info/showthread.php?t=9282), scan all your disks with AntiVir and choose the option to delete the virus when AntiVir finds nnnkijk.dll. Reboot your PC after the antivirus finishes scanning your computer.
The second option:

Please disconnect from the internet and disable your AntiVir.
Run AVZ, go to File - Custom scripts, copy the Code, paste it into the Custom scripts window and Run the script.


begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
// schedule the adware DLL for deletion at boot, before it can be loaded again
DeleteFile('C:\WINDOWS\system32\nnnkijk.dll');
BC_ImportDeletedList;
ExecuteSysClean;
BC_LogFile(GetAVZDirectory + 'boot_clr.log');
BC_Activate;
RebootWindows(true);
end.
---------------------------------------------------------------------------------------------
After executing option 1 or 2 (or both :))) )
Please make new logs (all 3) (according to our rules) and please make sure you are not in safe mode.

P.S. Sorry for my English :) I hope we will translate the uploading page shortly ;)

Rene-gad
04.05.2007, 20:11
Unfortunately I do not understand Russian
... but Your English is OK ;).
BTW: What language is your native one? It's only my own curiosity; you can ignore this question.

Ok , nnnkijk.dll it is a bad thing :)
Not so bad. It could be worse :). It's only

not-a-virus:AdWare.Win32.Virtumonde.jf

The first option is your antivirus....

Correct. :thumbsup: But just before scanning, pls.
- update the signatures of AntiVir
- switch off the system recovery
- empty all temp folders (a little help for that you'll get from here (http://www.clearprog.de))

CJb3LL
04.05.2007, 20:43
It seems that option two worked. The file nnnkijk.dll is deleted and after a reboot no warning appears.
But I think it is better to run a complete scan also?
Then I will generate the three log-files and add them to this thread.
@both: Your English is good.
@Rene-gad: My native language is German. I think, I read your tutorial in German, right?

OK, cu later! And thank you again!

Rene-gad
04.05.2007, 20:54
But I think it is better to run a complete scan also?
Yepp!

I think, I read your tutorial in German, right?
Rischtisch :D

NickGolovko
05.05.2007, 06:03
Rene-gad needs a prize for such a perfect advertisement of our service. :)

CJb3LL
05.05.2007, 18:26
Sorry for my late answer.
I ran a complete scan and then I generated the logs in normal mode. I have added them to this thread.

I think the trojan horse has gone.
Thanks a lot to all of you. You are a great team.

Rene-gad
05.05.2007, 18:40
@CJb3LL
pls. fix with HiJackThis


O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9A072AA0-A30B-4717-A573-4511BB05F6AC} - C:\WINDOWS\system32\nnnkijk.dll (file missing)
O20 - Winlogon Notify: nnnkijk - nnnkijk.dll (file missing)
then make the new logs.

drongo
05.05.2007, 18:50
Yep, it is gone (still, it wasn't a Trojan; it is more of an advertising tool ;) )
Your computer deserves some cosmetic cleaning. In order to do that, please fix these two lines in HijackThis as well, if you don't have those programs anymore:



O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O18 - Protocol: haufereader - (no CLSID) - (no file)
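
The HijackThis lines posted above are typical leftovers after a removal: registry entries that still point at a file or CLSID which no longer exists. The following Python script is an added example, not part of this thread and not code from HijackThis or AVZ. It parses log lines in the HijackThis format, flags entries carrying the "(no file)", "(file missing)" or "(no CLSID)" markers, and groups them by the file name they reference, so that a pair such as the O2 BHO and the O20 Winlogon Notify entry for nnnkijk.dll shows up together. The sample log is constructed; its O2/O9/O18/O20 lines mirror the ones quoted in this thread, and the O4 line is an invented healthy entry that the filter should leave alone.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in HijackThis log format (not a real log from this thread).
# O2/O9/O18/O20 mirror the entries the helpers asked to fix; O4 is a made-up
# healthy entry so the filter has something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9A072AA0-A30B-4717-A573-4511BB05F6AC} - C:\WINDOWS\system32\nnnkijk.dll (file missing)
O4 - HKLM\..\Run: [ExampleTool] C:\Program Files\ExampleTool\tool.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O18 - Protocol: haufereader - (no CLSID) - (no file)
O20 - Winlogon Notify: nnnkijk - nnnkijk.dll (file missing)
"""

# "O<n> - <rest>" is the shape of every HijackThis entry line.
LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.*)$")
# A braced GUID: 32 hex digits plus 4 dashes.
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Bare file name (without directory) of a DLL or EXE mentioned in the entry.
FILE_RE = re.compile(r"([\w.-]+\.(?:dll|exe))", re.IGNORECASE)
# Markers HijackThis prints when the referenced object is gone.
ORPHAN_MARKERS = ("(no file)", "(file missing)", "(no CLSID)")


@dataclass
class Entry:
    section: str            # e.g. "O2", "O20"
    body: str               # everything after "O2 - "
    guid: Optional[str]     # CLSID if the line carries one
    reasons: List[str] = field(default_factory=list)  # orphan markers found


def parse_hjt_lines(text: str) -> List[Entry]:
    """Parse HijackThis-style lines; lines not matching the O<n> shape are ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        g = GUID_RE.search(body)
        reasons = [marker for marker in ORPHAN_MARKERS if marker in body]
        entries.append(Entry(m.group("section"), body, g.group(0) if g else None, reasons))
    return entries


def orphaned_entries(entries: List[Entry]) -> List[Entry]:
    """Entries whose target file or CLSID no longer exists: safe cosmetic fixes."""
    return [e for e in entries if e.reasons]


def leftover_files(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each file name referenced by an orphaned entry to the sections still pointing at it."""
    by_file: Dict[str, List[str]] = {}
    for e in orphaned_entries(entries):
        m = FILE_RE.search(e.body)
        if m:
            by_file.setdefault(m.group(1).lower(), []).append(e.section)
    return by_file


if __name__ == "__main__":
    parsed = parse_hjt_lines(SAMPLE_LOG)
    for e in orphaned_entries(parsed):
        print(f"{e.section}: {e.body}  <- {', '.join(e.reasons)}")
    for name, sections in leftover_files(parsed).items():
        print(f"{name} is still referenced by {', '.join(sections)}")
```

Run as a script it lists the five orphaned entries and reports that nnnkijk.dll is still referenced by both O2 and O20, which is exactly the pair the helpers asked to fix. Entries without an orphan marker (the O4 line here) are left alone, since a present file needs a judgement call rather than a cosmetic fix.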

CJb3LL
05.05.2007, 19:01
OK, I fixed these five items. Now I will make the logs.

drongo
05.05.2007, 19:36
For now the site www.aldi.com is your start page. Would you like to change it?

CJb3LL
05.05.2007, 19:38
This is just the start page of my Internet Explorer, but normally I am using Firefox, so it is unimportant which start page is set in IE.

drongo
05.05.2007, 20:27
Fine :)

CJb3LL
06.05.2007, 02:58
Here are the new logs as promised:

Rene-gad
06.05.2007, 09:50
@CJb3LL
The logs don't show any sign of malware.

Today, 01:58
It would be better to sleep at this time ;).

drongo
06.05.2007, 10:46
It would be nice if you would send a copy of this one (before that, protect it in a zip with the password "virus"): C:\Programme\SPSSEVAL\ProductRegistration.exe
directly to the creator of AVZ. You can find his email under "About" in AVZ.

CJb3LL
06.05.2007, 12:27
It would be better to sleep at this time ;).
Yes, that's right ;-)

OK, I have sent the virus.zip of ProductRegistration.exe to the author of AVZ.