View full version: TR/Vundo.Gen
Hi!
AntiVir tells me that C:\WINDOWS\system32\nnnkijk.dll is the trojan horse TR/Vundo.Gen
I ran HijackThis and AVZ as explained in the 'tutorial'. I have added them to this thread.
I do not know what to do next. Please, help me. Thank you very much.
First of all, you should update the AVZ database (File/Database update).
Secondly, you should make all logs in normal mode, when all unnecessary programs are closed and your browser (Internet Explorer) is still running. Is it a problem to do this?
Meantime,
please run AVZ, go to File - Custom scripts, copy the code, paste it into the Custom scripts window and run the script.
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\WINDOWS\temp\NavBrowser.exe','' );
QuarantineFile('C:\Programme\TortoiseSVN\iconv\windows-1252.so','');
QuarantineFile('C:\WINDOWS\system32\nnnkijk.dll','');
BC_ImportQuarantineList;
BC_LogFile(GetAVZDirectory + 'boot_copy.log');
BC_Activate;
RebootWindows(true);
end.
After that please upload the quarantined file(s) according to the Rules.
Please use http://virusinfo.info/upload_virus.php?tid=9477 to upload.
P.S. I think Antivir is correct ;) But still we would like to see your quarantined file(s) according to the Rules.
Thank you for your help! I have executed your script.
Unfortunately I do not understand Russian, so I hope that I uploaded the quarantined files correctly. If not, please let me know.
I have also updated the AVZ database. Should I make new logs and add them to this thread?
Ok, nnnkijk.dll is a bad thing :)
According to Kaspersky, it is: not-a-virus:AdWare.Win32.Virtumonde.jf
The other 2 files I think are clean, but we will get an answer from Kaspersky Lab shortly (I hope).
Now, about healing your computer: we have 2 options here. It is up to you which option to choose!
The first option is your antivirus.
Boot in safe mode (http://virusinfo.info/showthread.php?t=9282), scan all your disks with Antivir and choose the option to delete the virus when Antivir finds nnnkijk.dll. Reboot your PC after the antivirus has finished scanning your computer.
The second option:
Please disconnect from the internet and disable your Antivir.
Run AVZ, go to File - Custom scripts, copy the code, paste it into the Custom scripts window and run the script.
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteFile('C:\WINDOWS\system32\nnnkijk.dll');
BC_ImportDeletedList;
ExecuteSysClean;
BC_LogFile(GetAVZDirectory + 'boot_clr.log');
BC_Activate;
RebootWindows(true);
end.
---------------------------------------------------------------------------------------------
After executing option 1 or 2 (or both :))) ),
please make new logs (all 3) (according to our rules) and please make sure you are not in safe mode.
P.S. Sorry for my English :) I hope we will translate the upload page shortly ;)
Rene-gad
04.05.2007, 21:11
Unfortunately I do not understand Russian
... but your English is OK ;).
BTW: What language is your native one? It's only my own curiosity; you can ignore this question.
Ok, nnnkijk.dll is a bad thing :)
Not so bad. It could be worse :). It's only
not-a-virus:AdWare.Win32.Virtumonde.jf
The first option is your antivir....
Correct. :thumbsup: But just before scanning, please:
- update the signatures of Antivir
- switch off the system recovery
- empty all temp folders (a little help for it you'll receive from here (http://www.clearprog.de))
It seems that option two worked. The file nnnkijk.dll is deleted and after a reboot no warning appears.
But I think it is better to run a complete scan also?
Then I will generate the three log files and add them to this thread.
@both: Your English is good.
@Rene-gad: My native language is German. I think I read your tutorial in German, right?
Ok, cu later! And thank you again!
Rene-gad
04.05.2007, 21:54
But I think it is better to run a complete scan also? Yepp!
I think I read your tutorial in German, right?
Rischtisch :D
NickGolovko
05.05.2007, 07:03
Rene-gad needs a prize for such a perfect advertisement of our service. :)
Sorry for my late answer.
I ran a complete scan and then generated the logs in normal mode. I have added them to this thread.
I think the trojan horse has gone.
Thanks a lot to all of you. You are a great team.
Rene-gad
05.05.2007, 19:40
@CJb3LL
pls. fix with HijackThis
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9A072AA0-A30B-4717-A573-4511BB05F6AC} - C:\WINDOWS\system32\nnnkijk.dll (file missing)
O20 - Winlogon Notify: nnnkijk - nnnkijk.dll (file missing)
then make the new logs.
Yep, it is gone (still, it wasn't a Trojan; it is more an advertising tool ;) )
Your computer deserves some cosmetic cleaning. In order to do that, please also fix these two lines in HijackThis, if you don't have those programs anymore:
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O18 - Protocol: haufereader - (no CLSID) - (no file)
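The five HijackThis entries fixed in this thread, parsed and triaged by an added Python example (not code from the thread or from HijackThis): the sample log is constructed from the lines quoted above plus one made-up clean Winlogon Notify entry, and both triage rules are assumptions.

```python
from collections import defaultdict

# Constructed sample HijackThis log: the entries fixed in this thread plus one
# made-up clean Winlogon Notify entry as a negative case.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9A072AA0-A30B-4717-A573-4511BB05F6AC} - C:\\WINDOWS\\system32\\nnnkijk.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\\Network Diagnostic\\xpnetdiag.exe (file missing)
O18 - Protocol: haufereader - (no CLSID) - (no file)
O20 - Winlogon Notify: nnnkijk - nnnkijk.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

def parse_entries(log_text):
    """Split 'Oxx - Kind: name - ... - target' lines into their fields."""
    entries = []
    for line in log_text.splitlines():
        parts = line.split(" - ")
        if len(parts) < 3 or not (parts[0][:1] == "O" and parts[0][1:].isdigit()):
            continue
        kind, _, name = parts[1].partition(": ")
        entries.append({"section": parts[0], "kind": kind, "name": name,
                        "target": parts[-1], "line": line})
    return entries

def dll_name(target):
    # Bare lower-case file name from a path, with the orphan marker stripped.
    path = target.replace("(file missing)", "").strip()
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(log_text):
    """Return {log line: reason} for the entries a helper would ask to fix."""
    findings = {}
    entries = parse_entries(log_text)
    # Rule 1 (assumed): orphans, registry hooks whose file is gone. Harmless on
    # their own; removing them is the "cosmetic cleaning" asked for above.
    for e in entries:
        if e["target"].endswith(("(file missing)", "(no file)")):
            findings[e["line"]] = "orphan entry (file missing / no file)"
    # Rule 2 (assumed): the Virtumonde pattern in this thread, one DLL loaded as a
    # nameless BHO (O2) and as a Winlogon Notify package (O20); flag even if deleted.
    by_dll = defaultdict(list)
    for e in entries:
        if e["section"] in ("O2", "O20"):
            by_dll[dll_name(e["target"])].append(e)
    for dll, group in by_dll.items():
        sections = {e["section"] for e in group}
        if {"O2", "O20"} <= sections and any(e["name"] == "(no name)" for e in group):
            for e in group:
                findings[e["line"]] = f"nameless BHO and Winlogon Notify share {dll}"
    return findings
```

Running triage(SAMPLE_LOG) flags exactly the five lines the user fixed; the clean crypt32.dll entry is left alone.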
Ok, I fixed these five items. Now I will make the logs.
For now the site www.aldi.com is your start page. Would you like to change it?
This is just the start page of my Internet Explorer, but normally I am using Firefox, so it is unimportant which start page is set in IE.
Here are the new logs as promised:
Rene-gad
06.05.2007, 10:50
@CJb3LL
The logs don't show any sign of malware.
Today 01:58
It would be better to sleep at this time ;).
It would be nice if you would send a copy of this one (before that, protect it with the password virus in a zip): C:\Programme\SPSSEVAL\ProductRegistration.exe
directly to the creator of AVZ. You can find his mail in "about" @ AVZ.
It would be better to sleep at this time ;).
Yes, that's right ;-)
Ok, I have sent the virus.zip of ProductRegistration.exe to the author of AVZ.