picked up trojan vundo hk/hj onecare sees it but has no remedy??

  • Question

  • Anyone help? Slowly losing computer functions; it locks up everything when popups show up.

    Thursday, October 9, 2008 4:14 AM

All replies

  • Please contact support for help with malware removal. How to reach support - http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=2421771&SiteID=2

    Thursday, October 9, 2008 5:00 AM
    Moderator
  • Hey,

    To know more about why it failed to clean it, can you send me the detailed logs? Logs can be found at:

    Vista

    1. c:\ProgramData\Microsoft\OneCare Protection\Support\MPLOG* (some file which starts with MPLOG)

    XP

    2. c:\Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\Support\MPLOG* (some file which starts with MPLOG) (This is if you have Win XP)

    Note: These are hidden, so you have to make sure that you enable "show hidden files and folders".

    Let me know if you face any problem in the above steps.

    You can email me the logs at

    montyj@microsoft.com

    Thanks

    Monty Jain [MSFT]

    Thursday, October 9, 2008 5:45 PM
  • OK, did it, here you go. I have Win XP Home 2002 SP3. Ran LiveOne about 10 times since the problem and went to the Microsoft online scan also about 6 times, and the Norton online scan 2 times. Just put LiveOne on, I think 10-4; before that I had Norton Antivirus 2007, subscription ended 4-5 months ago. Also used Defender; it saw it too, so I'm sending you its file also. Also someone from Microsoft replied and asked me to run LiveOne in safe mode and reply with results; it saw both HJ/HK and said it quarantined them and to restart the computer, just like it did in normal mode, but didn't contain it. I did, and got your info and turned it off.

    Microsoft OneCare Protection Log, (c) 2006
    Started On Sat Oct 04 2008 16:27:48
    ************************************************************
    ************************************************************

    Beginning threat actions
    Start time:Fri Oct 10 2008 23:20:38
    Threat Name:Trojan:Win32/Vundo.HK
    Threat ID:2147608766
    Action:quarantine
    Threat Name:Trojan:Win32/Vundo.HJ
    Threat ID:2147608765
    Action:quarantine
    Resource action complete:Quarantine
    Schema:file
    Path:\\?\C:\Documents and Settings\Owner\Local Settings\Temp\tiqytxls.dll->(UPX)
    Threat ID:2147608765
    Resource refcount:1
    Result:0
    Resource action complete:Quarantine
    Schema:file
    Path:\\?\C:\Documents and Settings\Owner\Local Settings\Temp\bkaidiip.dll->(UPX)
    Threat ID:2147608766
    Resource refcount:1
    Result:0
    Resource action complete:Quarantine
    Schema:containerfile
    Path:\\?\C:\Documents and Settings\Owner\Local Settings\Temp\tiqytxls.dll
    Threat ID:2147608765
    Resource refcount:1
    Result:0
    Resource action complete:Quarantine
    Schema:containerfile
    Path:\\?\C:\Documents and Settings\Owner\Local Settings\Temp\bkaidiip.dll
    Threat ID:2147608766
    Resource refcount:1
    Result:0
    File cleaned/removed successfully
    File Name:C:\Documents and Settings\Owner\Local Settings\Temp\tiqytxls.dll->(UPX)
    Resource action complete:Removal
    Schema:file
    Path:\\?\C:\Documents and Settings\Owner\Local Settings\Temp\tiqytxls.dll->(UPX)
    Threat ID:2147608765
    Resource refcount:1
    Result:0
    File cleaned/removed successfully
    File Name:C:\Documents and Settings\Owner\Local Settings\Temp\bkaidiip.dll->(UPX)
    Resource action complete:Removal
    Schema:file
    Path:\\?\C:\Documents and Settings\Owner\Local Settings\Temp\bkaidiip.dll->(UPX)
    Threat ID:2147608766
    Resource refcount:1
    Result:0
    Finished threat ID:2147608765
    Threat result:0
    Threat status flags:0
    Finished threat ID:2147608766
    Threat result:0
    Threat status flags:0
    Finished threat actions
    End time:Fri Oct 10 2008 23:20:39
    Result:0
    ************************************************************

    Microsoft OneCare Protection Log, (c) 2006
    Stopped On Sat Oct 11 2008 00:12:01 (Exit Code = 0x0)
    ************************************************************
    --------------------------------------------------------------------------------
    Microsoft OneCare Protection Log, (c) 2006
    Started On Sat Oct 11 2008 00:12:49
    ************************************************************
    [Sat Oct 11 2008 00:12:49] Verifying license file...
    [Sat Oct 11 2008 00:12:50] verified!
    [Sat Oct 11 2008 00:12:50] Initializing engine...
    [Sat Oct 11 2008 00:13:35] initialized!
    [Sat Oct 11 2008 00:13:35] Verifying RTP plugin...
    [Sat Oct 11 2008 00:13:40] verified!
    [Sat Oct 11 2008 00:13:41] Initializing RTP plugin state...
    [Sat Oct 11 2008 00:13:45] initialized!
    Product Version: 1.5.1958.0
    Engine Version: 1.1.4005.0
    AS Signature Version: 1.45.380.0
    AV Signature Version: 1.45.380.0
    ************************************************************
    Signature updated on Sat Oct 11 2008 00:18:10
    Product Version: 1.5.1958.0
    Engine Version: 1.1.4005.0
    AS Signature Version: 1.45.430.0
    AV Signature Version: 1.45.430.0
    ************************************************************

    Saturday, October 11, 2008 8:38 PM
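    The thread turns on the gap between what the engine logged and what actually happened on the machine, so here is a small parser for the threat-action block in the MPLOG excerpt above. It is an added example written for this page, not Microsoft's code and not a documented MPLOG format: the key:value layout, the reading of "Result:0" as success, and the attribution of each resource record to a threat through its "Threat ID" line are all inferred from the posted excerpt. The sample is that excerpt trimmed of its containerfile, refcount and status-flag lines.

```python
# Excerpt of the OneCare MPLOG "threat actions" block posted in this thread, trimmed:
# the containerfile, "Resource refcount" and "Threat status flags" lines were left out.
SAMPLE_LOG = r"""
Beginning threat actions
Start time:Fri Oct 10 2008 23:20:38
Threat Name:Trojan:Win32/Vundo.HK
Threat ID:2147608766
Action:quarantine
Threat Name:Trojan:Win32/Vundo.HJ
Threat ID:2147608765
Action:quarantine
Resource action complete:Quarantine
Schema:file
Path:\\?\C:\Documents and Settings\Owner\Local Settings\Temp\tiqytxls.dll->(UPX)
Threat ID:2147608765
Result:0
Resource action complete:Quarantine
Schema:file
Path:\\?\C:\Documents and Settings\Owner\Local Settings\Temp\bkaidiip.dll->(UPX)
Threat ID:2147608766
Result:0
File cleaned/removed successfully
File Name:C:\Documents and Settings\Owner\Local Settings\Temp\tiqytxls.dll->(UPX)
Resource action complete:Removal
Schema:file
Path:\\?\C:\Documents and Settings\Owner\Local Settings\Temp\tiqytxls.dll->(UPX)
Threat ID:2147608765
Result:0
File cleaned/removed successfully
File Name:C:\Documents and Settings\Owner\Local Settings\Temp\bkaidiip.dll->(UPX)
Resource action complete:Removal
Schema:file
Path:\\?\C:\Documents and Settings\Owner\Local Settings\Temp\bkaidiip.dll->(UPX)
Threat ID:2147608766
Result:0
Finished threat ID:2147608765
Threat result:0
Finished threat ID:2147608766
Threat result:0
Finished threat actions
End time:Fri Oct 10 2008 23:20:39
Result:0
"""


def parse_threat_actions(text):
    """Split MPLOG text into 'threat actions' runs (key:value layout inferred from the excerpt)."""
    runs, run, threat, res = [], None, None, None
    for line in (l.strip() for l in text.splitlines()):
        if line == "Beginning threat actions":
            runs.append(run := {"threats": {}, "removed": [], "result": None})
            threat = res = None
        if run is None or ":" not in line:
            continue  # engine banners, blank lines, "File cleaned/removed successfully"
        key, val = line.split(":", 1)  # first colon only: "Trojan:Win32/..." keeps its colon
        if key == "Threat Name":  # header entry announcing a detection
            threat, res = {"name": val, "id": None, "resources": [], "result": None}, None
        elif key == "Action" and threat:
            threat["requested"] = val
        elif key == "Resource action complete":  # start of one per-file action record
            threat, res = None, {"action": val}
        elif key in ("Schema", "Path") and res:
            res[key.lower()] = val
        elif key == "Threat ID" and res:
            res["id"] = val
        elif key == "Threat ID" and threat:
            threat["id"] = val
            run["threats"][val] = threat
        elif key == "Result" and res:  # "Result" closes the per-file record; attach it to its threat
            res["result"] = int(val)
            run["threats"].setdefault(res["id"], {"name": "?", "id": res["id"], "resources": [], "result": None})["resources"].append(res)
            res = None
        elif key == "Result":  # overall result of the whole run
            run["result"] = int(val)
        elif key == "File Name":
            run["removed"].append(val)
        elif key == "Finished threat ID":
            threat = run["threats"].get(val)
        elif key == "Threat result" and threat:
            threat["result"] = int(val)
        elif key in ("Start time", "End time"):
            run[key.lower().replace(" ", "_")] = val
    return runs


def verify_run(run):
    """Per threat: which files were acted on and whether every step reported result 0."""
    report = {}
    for tid, t in run["threats"].items():
        report[tid] = {
            "name": t["name"],
            "requested": t.get("requested"),
            "actions": [r["action"] for r in t["resources"]],
            "files": sorted({r["path"].rsplit("\\", 1)[-1].split("->")[0] for r in t["resources"]}),
            "clean": t["result"] == 0 and all(r["result"] == 0 for r in t["resources"]),
        }
    return report


if __name__ == "__main__":
    for tid, row in verify_run(parse_threat_actions(SAMPLE_LOG)[0]).items():
        print(tid, row)
```

    Run over the sample, the parse shows each threat with a Quarantine followed by a Removal, every step reporting result 0, which is exactly the "quarantined, please restart" outcome the poster saw. On a full MPLOG with several threat-action blocks, `parse_threat_actions` returns one entry per block, so the same threat ID turning up in a later block is the signal that the cleanup did not hold, and the file names under the user's Temp directory give the paths to check on disk after the reboot.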
  • TROJAN WIN32.VUNDO HJ / TROJAN WIN32.VUNDO HK

    " U N B E L I E V A B L E !! " I'm sitting home about 2:30 PM Sunday, my cell phone rings, didn't recognize the number, almost didn't answer it but did. The guy says he's from Microsoft LiveOne Care. MY JAW DROPPED, NO WAY!! This is a trick, right?? Microsoft never calls anyone. He says he's going to help fix my problem. OK, what the heck. Boot the computer, he asks if I will download the Microsoft Easy Assist remote program, so I do. He then says he's going to check a few logs to see what's going on, takes 2 minutes. Then he says he's going to run a program and goes into DOS and downloads SMITFRAUDFIX.EXE (http://www.smff.notlong.com/), runs about 45 mins, then he checks a couple things and says he's going to run another program and downloads COMBOFIX.EXE (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) and logs off. Takes about 45 mins. After that it reboots my computer and he asks me to open IE and go to a couple websites and check it out. No popups! He then checks LiveOne to make sure everything's good, and says you're all set, have a nice day, that's it. Total time 1 hr 45 mins. AWESOME! I just can't believe Microsoft called me. I didn't even call them, I just put up this post and replied to the email confirmation. I'm still in awe. I surfed the web looking for current info on these trojans, everything came up 2004-2007. Microsoft said this is a new version and less than 550 cases are known. Just for info, I ran Spybot, Ad-Aware 2007, McAfee Stinger, after updating, and they didn't see them. Norton and LiveOne online scans and Windows Defender saw it and also said it was removed, but it wasn't. They also left the programs on my desktop if I need them later.

    These Trojans were picked up by my kids on YouTube, and it pops up in its own full window and has a red Microsoft emblem in the upper left hand side with a download bar under it running across most of the web page, and it starts downloading, then pops up a gray box that says "YOUR COMPUTER MAY BE INFECTED, CLICK TO SCAN YOUR COMPUTER", something like that. That same window pops up once in a while, and also other minimized web pages here and there that look innocent enough. I closed them right away so I don't know what they were. It disabled my restore path, turned off Microsoft Updates, which affected LiveOne, and slowly slowed my computer down to where anything you opened (Start menu, My Computer, etc.) would open very slowly and not let them close, with no navigation, but it would let Internet Explorer open if you did it quickly when it first comes up, but with limited navigation; you have to do it quick. I hope this helps anyone having a similar problem. Thanks Microsoft for helping a seemingly insignificant consumer.

    Tuesday, October 14, 2008 4:44 AM
  • I'm very pleased to read that your problem has been resolved and that perhaps your forum nickname no longer applies. :-)

    -steve

    Tuesday, October 14, 2008 4:01 PM
    Moderator
  • " NO LONGER A FRUSTRATED CONSUMER "

    Yes, everything's good. You guys did an awesome job. I'm no longer a frustrated consumer. KUDOS to Microsoft.

    Wednesday, October 15, 2008 3:41 AM