antivirus trojan.vundo virus found
Hello,
I am lost on what to do, I am new to using SAV Corporate Edition 10.1. I had a user that had logged in and opened something that caused a lot of windows to open. They shut down their computer immediately but I think the virus partially got installed. When the user logs in it says that the user cannot load the specified module. A missing .dll file window, located in C:\documents and settings\user\local\temp, but when I look there the missing .dll file is not there. Symantec has quarantined it along with 37 other files. If I manually delete these two missing .dll files using Symantec will this cause more problems? I did download the Trojan.Vundo removal tool, disabled Auto-Protect, rebooted in safe mode disconnected from the network, and it found nothing. Can I post a log file to see if anyone can help me? Let me know what you need if you can help.
thanks
slak
Comments
Install this Rapid Release...
Please install this rapid release and run full scan on the computer.
symrapidreleasedefsx86.exe
Kind Regards,
Vinjaram
Symantec.
For more info....
You can check this..
http://www.symantec.com/security_response/writeup....
Kind Regards,
Vinjaram
Symantec.
Hi Vinjaram,
SAV is up to date on the virus definitions and I have run a couple of full scans on the computer.
As in the second reply you posted, I downloaded the Trojan.Vundo removal tool and started up in safe mode and it said it didn't find any virus. ufkemt.dll = Trojan.Vundo. So the virus is trying to start up from the temp directory. When I look at the history in Symantec it shows that it keeps finding that Vundo but it does not quarantine it; it says file left alone.
Thanks,
slakk
Worst Threat
Trojan.Vundo is the worst malware I have ever come across, especially when it comes to removal..
If it's just one PC ...the easiest and fastest resolution would be to re-image the PC.
As the files download from temp, sometimes they club themselves with rootkits to hide from user level, thus you will keep deleting user-level DLL files and the rootkit will keep downloading new files with different names. These files hook themselves to each and every running process, so it makes it impossible to delete them; even Unlocker won't be able to do that, as it will even hook itself to Winlogon, Lsass etc.
However, if this is a critical machine then submit as many files as you can.
Use Sysinternals RootkitRevealer or IceSword to find if there are any rootkit services installed on the system.
Submit as many files as you can.
Don't go by the Vundo removal tools, as they are a year or 2 old and were active for those variants from last year; there have been many new variants of rootkits working with different mechanisms as well. So only a removal tool 2-3 months old will help, and I don't think there is any new tool from Symantec on Vundo.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
Hi Virkram,
Thanks for the advice, it is just one machine and my next step is to reimage the computer. You have dealt with this virus before, correct? What were the symptoms that you had with it? So this missing .dll file message that pops up when a certain user logs in, is that the Trojan.Vundo trying to load from the temp directory? I just wanted to know how someone would get this virus and how to tell if the virus is actually running or trying to run.
Thanks, slakk
Vundo
I have seen many variants of Vundo, all working differently with different file names, and sometimes the ways of infecting are also different..
But mostly I have noticed a downloader associated with this Trojan. They come from compromised or fake websites. Once it has downloaded to your system it will start hooking itself to processes for its existence: either it will simply hook itself to explorer.exe (which is very easy to remove), or all running processes, or Winlogon.
Sometimes it also installs a service on the computer.
If it is getting detected it uses a very complex algorithm to download new files or the same file again and again.
It will download it in %temp% mostly, but the main file could be sitting elsewhere..
%windir%\system32 or drivers or temp in Windows ..
Nowadays the main downloader file that downloads the Vundo trojan is kept hidden from user level, that is, they are installed in the kernel layer (rootkits), so they become very hard to detect.
Once that file is detected or removed by the antivirus you are free.
But this Trojan.Vundo name is a generic name and there are more than 1000 variants of Trojan.Vundo working differently, doing the same job.
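The behaviour described above (a DLL that loads from %temp% at logon, the "cannot load specified module" prompt when the file is gone, and modules hooked into running processes) can be triaged from PowerShell on the affected machine. This is an added example and not a tool from the thread or from Symantec; it assumes Windows PowerShell running with enough rights to read the HKLM Run keys and enumerate process modules, and it only reports, it removes nothing.

```powershell
# Added triage script (not from the thread): report autostart entries that point into a
# temp directory or reference a DLL that no longer exists, plus modules loaded from temp.
$tempDirs = @($env:TEMP, $env:TMP, "$env:windir\Temp") |
    Where-Object { $_ } | ForEach-Object { $_.ToLower().TrimEnd('\') } | Select-Object -Unique

function Test-SuspiciousAutostart {
    param([string]$Value)
    if (-not $Value) { return $false }
    $lower = $Value.ToLower()
    # Entry runs something out of a temp directory (the thread's ufkemt.dll case)
    $inTemp = @($tempDirs | Where-Object { $lower.Contains($_) }).Count -gt 0
    # Entry names a DLL that is not on disk any more: produces the "cannot load module" prompt
    $dll = [regex]::Match($Value, '[A-Za-z]:\\[^",]*?\.dll', 'IgnoreCase')
    $missing = $dll.Success -and -not (Test-Path -LiteralPath $dll.Value)
    return ($inTemp -or $missing)
}

# Run/RunOnce keys for the current user and the machine (constructed list, extend as needed)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSParentPath, ...)
        if (Test-SuspiciousAutostart $p.Value) {
            [pscustomobject]@{ Source = $key; Name = $p.Name; Value = $p.Value }
        }
    }
}

# Modules currently loaded from a temp directory in every process we are allowed to inspect
Get-Process | ForEach-Object {
    $proc = $_
    try { $mods = $proc.Modules } catch { return }   # access denied / 32-vs-64-bit mismatch
    foreach ($m in $mods) {
        if (-not $m.FileName) { continue }
        $path = $m.FileName.ToLower()
        if (@($tempDirs | Where-Object { $path.StartsWith($_) }).Count -gt 0) {
            [pscustomobject]@{ Source = "process $($proc.Name) (PID $($proc.Id))"
                               Name   = $m.ModuleName; Value = $m.FileName }
        }
    }
}
```

A hit in the process list is the file to submit to Symantec Security Response before reimaging; a Run entry whose DLL is missing explains the logon prompt and can be noted for removal once the quarantined copies have been confirmed.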
Vundo Variants
I have just gotten rid of this Trojan.Vundo. Mine happened to be TrojanDownloader:Win32/Tracur.B
This basically affected my internet for the most part by re-directing my browser to various pages such as bestwebsearch and others, along with not allowing me to get anywhere at all. I stopped using IE and started using Mozilla Firefox and, lo and behold, it started to get re-directed as well. While using Mozilla, IE kept opening itself up and popping up on its own, usually with virus-type threats saying my computer was infected. When this happened, Norton said it was FakeAvalert. Norton would only block this and attempted to remove the Vundo, but to no avail.
I tried running HijackThis, then Malwarebytes, then ComboFix. These seemed to only remedy the problem for a day. I finally found a couple of other free software tools to use to find the source of the problem, which happened to be an added dll file in my windows/system32 folder. As Vikram-Kumar said, it does tend to attach in different ways and create different files on each computer. This Tracur.B created a cryptdll32.dll file in my system folder and 2 entries in my registry. I also had 10.tmp in my system folder and possibly another number.tmp folder. I also had to remove a _c00A something something file from there as well. I had to use an unlocker tool to remove these files because they say access denied or Windows needs it to run. I found out it was a bad file because some anti-virus software found it and couldn't remove it, so I sent it to ThreatExpert to have it analyzed and found out it was a bad trojan. Basically it attaches itself to any generic host process file it can. It also kept me from being able to do a system restore. Thankfully, everything is now removed and running smoothly.
By the way, I found all that I needed to remove using Advanced SystemCare 3 and RegRun 6. Advanced SystemCare has free version software and RegRun 6 is a 30 day free trial. I removed the files I found that the software couldn't using Unlocker Assistant.
Hope this helps those of you who haven't gotten rid of these variants yet.
@ Candella1 -- I agree it needs in-depth analysis to remove this threat, as nowadays it uses user-mode rootkits very often.. you were lucky that RegRun 6 or Advanced SystemCare found and removed it for you this time.. next time maybe even SEP would remove it, or maybe next time there would be some other 3rd-party tool/app that will remove it... But no AV is 100% secure, that is, no AV knows about all of them in the wild..
I guess RegRun 6 was able to find it because it's not there in the Virustotal.com list.. and neither is MalwareBytes yet..
If you have a suspected virus that cannot be detected by SEP, you should submit it to Symantec Security Response to analyze the suspected virus.
:-)