trojan.vundo - Page 3

tetonbob · 03-31-2007, 10:40 PM

Your logs seem clean.

jrdinohio · 04-01-2007, 07:50 AM

Thanks,

I appreciate your help.

tetonbob · 04-01-2007, 09:13 AM

My pleasure....We still have a few items to address.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9

They are outdated, and security risks by having them still installed. Unfortunately, Java does not uninstall previous versions when you update, nor let you know that you should.

Please leave Update 11 alone, as it is the latest update for version 5.

---------------------------------------------------------------------------------------------

Be wary of P2P program downloads. They can have hidden nasties. Scan them before executing, if you must use P2P like Limewire.

---------------------------------------------------------------------------------------------

Reset hidden/system files and folders

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Deselect the Show hidden files and folders option.
Select the Hide file extensions for known types option.
Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Create a new System Restore point

click Start >> Run - type SYSDM.CPL & press Enter
select the System Restore Tab
tick on the checkbox - "Turn off System Restore on all drives"
click Apply
then untick the same checkbox & click OK

Enable Windows Auto Update

Go to Start>Run - type wuaucpl.cpl
tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you don't already have them:

SpywareGuard to catch and block spyware before it can execute.
IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
- Download IE-SpyAD - Extract the contents to a new folder
  From within the folder, double-click install.bat
  Select Option #2 - Install the new IE-SPYAD list.
  Then return to the main menu.
  Select option #4 - Add the old porn sites domain
MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
- Download Host.zip to your desktop.
- From your Desktop right-click (hosts.zip) and select:
  Extract All from the menu.
- Click Next, click Next, select the option:
  "Show Extracted files", click Finish
- This will open the newly created hosts folder on your Desktop.
- Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
FIREWALL
If you do not have a firewall, here are a couple of great free ones available for personal use. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice:

Do not install more than one firewall program because they will conflict with each other.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

jrdinohio · 04-04-2007, 04:34 PM

I did every one of the suggested and directed functions. All went well. I still would like to discuss one unfinished piece of business. If you would refer to post #31, I told you how when I open and close the browser, the cpu would run at 100% for sometimes 20 minutes or more. It still does. The system appears to be free of malware but I have the task manager running so I can see what is causing the cpu to run so long . It is one of the six svchost.exe processes. I have gone to Microsoft for information on svchost. One of the blogs recommended downloading a program called tasklist since xp home edition does not let you determine what the svchosts are actually doing. Tasklist does not work either. It says "Error: Class not registered" when i run tasklist /svc. I can run tasklist /? to get a list of the commands and filters so I know the program is running but I cannot get any information on the svchost processes. Do you know how I can find out what those svchost processes are actually doing. Other than that, I am completely satisified with our work on the system. The svchost may be necessary, but for some reason, one of them runs constantly when I open and close the browser. Again, thanks for all your help

tetonbob · 04-04-2007, 08:51 PM

It's normal for Windows XP to have several svchost.exe running. To see which one seems to be using the most resources, and for which application, try using ProcessExplorer. If I had to guess without looking, I'd say Google Updater might be the culprit.

You may need to talk to the folks over in Windows XP forum to help you solve that out, as they are more well versed in the nuances of XP.

jrdinohio · 04-06-2007, 06:04 AM

Just to close this thread, I did go to XP forum and got the fix. I installed Microsoft Update 927891 and it fixes it. This is a known issue with Microsoft and it fixed a bug in automatic updates. Thanks again.

tetonbob · 04-06-2007, 07:11 AM

Thanks for the feedback, glad your issue is resolved.

Happy Computing, and Safe Surfing to you!

03-31-2007, 10:40 PM	#41 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 26,747 OS: 2000 Pro; XP Pro; XP Home	Re: trojan.vundo Your logs seem clean. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

04-01-2007, 07:50 AM	#42 (permalink)
jrdinohio Registered User Join Date: Feb 2005 Posts: 39 OS: WinXP Home Edition	Re: trojan.vundo Thanks, I appreciate your help.

04-01-2007, 09:13 AM	#43 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 26,747 OS: 2000 Pro; XP Pro; XP Home	Re: trojan.vundo My pleasure....We still have a few items to address. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: J2SE Runtime Environment 5.0 Update 10 J2SE Runtime Environment 5.0 Update 8 J2SE Runtime Environment 5.0 Update 9 They are outdated, and security risks by having them still installed. Unfortunately, Java does not uninstall previous versions when you update, nor let you know that you should. Please leave Update 11 alone, as it is the latest update for version 5. --------------------------------------------------------------------------------------------- Be wary of P2P program downloads. They can have hidden nasties. Scan them before executing, if you must use P2P like Limewire. --------------------------------------------------------------------------------------------- Reset hidden/system files and folders Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Deselect the Show hidden files and folders option. Select the Hide file extensions for known types option. Select the Hide protected operating system files option. Click Yes to confirm. Click OK. Create a new System Restore point click Start >> Run - type SYSDM.CPL & press Enter select the System Restore Tab tick on the checkbox - "Turn off System Restore on all drives" click Apply then untick the same checkbox & click OK Enable Windows Auto Update Go to Start>Run - type wuaucpl.cpl tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you don't already have them: SpywareGuard to catch and block spyware before it can execute. IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. Download IE-SpyAD - Extract the contents to a new folder From within the folder, double-click install.bat Select Option #2 - Install the new IE-SPYAD list. Then return to the main menu. Select option #4 - Add the old porn sites domain MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Download Host.zip to your desktop. From your Desktop right-click (hosts.zip) and select: Extract All from the menu. Click Next, click Next, select the option: "Show Extracted files", click Finish This will open the newly created hosts folder on your Desktop. Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine. FIREWALL If you do not have a firewall, here are a couple of great free ones available for personal use. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice: Do not install more than one firewall program because they will conflict with each other. Comodo Personal Firewall ZoneAlarm In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles HOW DID I GET INFECTED IN THE FIRST PLACE? THE ANTI-SPYWARE TUTORIAL MAKING INTERNET EXPLORER SAFER If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

04-04-2007, 04:34 PM	#44 (permalink)
jrdinohio Registered User Join Date: Feb 2005 Posts: 39 OS: WinXP Home Edition	Re: trojan.vundo I did every one of the suggested and directed functions. All went well. I still would like to discuss one unfinished piece of business. If you would refer to post #31, I told you how when I open and close the browser, the cpu would run at 100% for sometimes 20 minutes or more. It still does. The system appears to be free of malware but I have the task manager running so I can see what is causing the cpu to run so long . It is one of the six svchost.exe processes. I have gone to Microsoft for information on svchost. One of the blogs recommended downloading a program called tasklist since xp home edition does not let you determine what the svchosts are actually doing. Tasklist does not work either. It says "Error: Class not registered" when i run tasklist /svc. I can run tasklist /? to get a list of the commands and filters so I know the program is running but I cannot get any information on the svchost processes. Do you know how I can find out what those svchost processes are actually doing. Other than that, I am completely satisified with our work on the system. The svchost may be necessary, but for some reason, one of them runs constantly when I open and close the browser. Again, thanks for all your help

04-04-2007, 08:51 PM	#45 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 26,747 OS: 2000 Pro; XP Pro; XP Home	Re: trojan.vundo It's normal for Windows XP to have several svchost.exe running. To see which one seems to be using the most resources, and for which application, try using ProcessExplorer. If I had to guess without looking, I'd say Google Updater might be the culprit. You may need to talk to the folks over in Windows XP forum to help you solve that out, as they are more well versed in the nuances of XP. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

04-06-2007, 06:04 AM	#46 (permalink)
jrdinohio Registered User Join Date: Feb 2005 Posts: 39 OS: WinXP Home Edition	Re: trojan.vundo Just to close this thread, I did go to XP forum and got the fix. I installed Microsoft Update 927891 and it fixes it. This is a known issue with Microsoft and it fixed a bug in automatic updates. Thanks again.

04-06-2007, 07:11 AM	#47 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 26,747 OS: 2000 Pro; XP Pro; XP Home	Re: trojan.vundo Thanks for the feedback, glad your issue is resolved. Happy Computing, and Safe Surfing to you! __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.