Thread: [SOLVED] Possible Trojan Vondu virus and slow performance.
View Single Post
Old 12-04-2008, 06:42 PM   #4 (permalink)
Katana
Analyst, Security Team
 
Katana's Avatar
 
Join Date: Nov 2007
Location: Manchester, UK
Posts: 1,357
OS: W2K SP4 + XP SP2 + Vista


Re: Possible Trojan Vondu virus and slow performance.
Information

Quote:
Your instructions also mentioned a new Hijackthislog.
Don't worry about that yet :)

There are a lot of open ports on your machine, do you play a lot of online games or have several P2P programs ?
----------------------------------------------------------- -----------------------------------------------------------
Step 1

Disable Teatimer
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.


----------------------------------------------------------- -----------------------------------------------------------
Step 2

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    http://www.techsupportforum.com/security-center/hijackthis-log-help/319876-possible-trojan-vondu-virus-slow-performance.html#post1838701
Comment:: Katana
Collect::[4]
c:\documents and settings\All Users\Application Data\830483350\582137331.exe
File::
c:\windows\Tasks\EasyShare Registration Task.job
Folder::
c:\documents and settings\All Users\Application Data\830483350
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"=-
"SpybotSD TeaTimer"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"=-
"ISUSPM Startup"=-
"ISUSScheduler"=-
"Share-to-Web Namespace Daemon"=-
"dscactivate"=-
"DellSupportCenter"=-
"582137331"=-
"SunJavaUpdateSched"=-
"Adobe Reader Speed Launcher"=-
  • Save this as CFScript.txt and place it on your desktop.




  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
  • A window will open asking you to ensure you are connected to the internet, this is so a file can be submitted for analysis.
  • Click OK and follow the instructions to submit the file.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


----------------------------------------------------------- -----------------------------------------------------------
Step 3


Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/par...avwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

----------------------------------------------------------- -----------------------------------------------------------
Step 4

Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • Combofix Log
  • Kaspersky Log
  • How are things running now ?
__________________
Katana is offline