Trojan.Vundo

Because I downloaded a file from the internet and ran it without scanning it first, my laptop was infected by Trojan.Vundo. Every time I ran IE, after a moment a notification from Symantec AntiVirus would pop up on my laptop saying there was a security risk on the machine. Symantec then recommended rebooting the laptop. But it turned out Symantec did not really manage to clean this trojan, because after the reboot another Symantec notification would appear for the same trojan, but with a different DLL file every time. Ugh :(

Symantec Auto-Protect Results

Symantec AntiVirus Notification (1)

Symantec AntiVirus Notification (2)

I tried rescanning with Symantec AntiVirus; the result was no virus found. I also tried scanning with Symantec Trojan.Vundo Removal Tools 1.5.0; the result was the same, no virus found.

Symantec Trojan.Vundo Removal Tools 1.5.0

But every time I ran IE, a moment later the Symantec notification would appear again. Symantec removed the trojan, repaired the registry, and asked for a reboot. But it just kept repeating like that, meaning the trojan never really went away. FYI, when using a browser other than IE, e.g. Firefox or Safari, that notification did not appear.

After browsing around, I finally found the bleepingcomputer site, which explains how to get rid of this trojan. Two removal tools are recommended there: VundoFix and VirtumundoBeGone. I tried VundoFix; the result was no virus found, but the Symantec notification still appeared. The second one was what finally got rid of this trojan.

What I did was as follows:
- Start Windows in VGA mode (I couldn't get into safe mode, so I used VGA mode).
- Run the VirtumundoBeGone.exe application downloaded earlier.
- Once it is running, the laptop shows a blue screen after a short while (this is expected) and restarts by itself.
- After Windows starts again, run IE: the Symantec notification no longer appears, i.e. Trojan.Vundo has been removed. #:-s

Here is the log from VirtumundoBeGone:

[03/25/2008, 20:56:07] - VirtumundoBeGone v1.5 ( "D:\Profiles\qsg2967\Desktop\VirtumundoBeGone.exe" )
[03/25/2008, 20:56:13] - Detected System Information:
[03/25/2008, 20:56:13] - Windows Version: 5.1.2600, Service Pack 2
[03/25/2008, 20:56:13] - Current Username: XXXXXXX (Admin)
[03/25/2008, 20:56:13] - Windows is in NORMAL mode.
[03/25/2008, 20:56:13] - Searching for Browser Helper Objects:
[03/25/2008, 20:56:13] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/25/2008, 20:56:13] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/25/2008, 20:56:14] - BHO 3: {E9383002-FC55-4330-B9C9-67E03BC5C840} ()
[03/25/2008, 20:56:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/25/2008, 20:56:14] - Checking for HKLM\…\Winlogon\Notify\hgdaxxw
[03/25/2008, 20:56:14] - Found: HKLM\…\Winlogon\Notify\hgdaxxw - This is probably Virtumundo.
[03/25/2008, 20:56:14] - Assigning {E9383002-FC55-4330-B9C9-67E03BC5C840} MSEvents Object
[03/25/2008, 20:56:14] - BHO list has been changed! Starting over…
[03/25/2008, 20:56:14] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/25/2008, 20:56:14] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/25/2008, 20:56:14] - BHO 3: {E9383002-FC55-4330-B9C9-67E03BC5C840} (MSEvents Object)
[03/25/2008, 20:56:14] - ALERT: Found MSEvents Object!
[03/25/2008, 20:56:14] - Finished Searching Browser Helper Objects
[03/25/2008, 20:56:14] - *** Detected MSEvents Object
[03/25/2008, 20:56:14] - Trying to remove MSEvents Object…
[03/25/2008, 20:56:15] - Terminating Process: IEXPLORE.EXE
[03/25/2008, 20:56:16] - Terminating Process: RUNDLL32.EXE
[03/25/2008, 20:56:16] - Disabling Automatic Shell Restart
[03/25/2008, 20:56:16] - Terminating Process: EXPLORER.EXE
[03/25/2008, 20:56:16] - Suspending the NT Session Manager System Service
[03/25/2008, 20:56:16] - Terminating Windows NT Logon/Logoff Manager
[03/25/2008, 20:56:17] - Re-enabling Automatic Shell Restart
[03/25/2008, 20:56:17] - File to disable: C:\WINDOWS\system32\hgdaxxw.dll
[03/25/2008, 20:56:17] - Renaming C:\WINDOWS\system32\hgdaxxw.dll -> C:\WINDOWS\system32\hgdaxxw.dll.vir
[03/25/2008, 20:56:17] - File successfully renamed!
[03/25/2008, 20:56:17] - Removing HKLM\…\Browser Helper Objects\{E9383002-FC55-4330-B9C9-67E03BC5C840}
[03/25/2008, 20:56:17] - Removing HKCR\CLSID\{E9383002-FC55-4330-B9C9-67E03BC5C840}
[03/25/2008, 20:56:17] - Adding Kill Bit for ActiveX for GUID: {E9383002-FC55-4330-B9C9-67E03BC5C840}
[03/25/2008, 20:56:17] - Deleting ATLEvents/MSEvents Registry entries
[03/25/2008, 20:56:17] - Removing HKLM\…\Winlogon\Notify\hgdaxxw
[03/25/2008, 20:56:17] - Searching for Browser Helper Objects:
[03/25/2008, 20:56:17] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/25/2008, 20:56:17] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/25/2008, 20:56:17] - Finished Searching Browser Helper Objects
[03/25/2008, 20:56:17] - Finishing up…
[03/25/2008, 20:56:17] - A restart is needed.
[03/25/2008, 20:56:23] - Attempting to Restart via STOP error (Blue Screen!)
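The log above shows the heuristic the tool relies on: a BHO whose CLSID has no default name, combined with a Winlogon\Notify entry that shares the DLL's base name. As an added example (not code from this post or from VirtumundoBeGone), here is a read-only PowerShell audit that applies the same checks so you can see what a cleaner would act on before running one. It assumes the standard Windows XP-era registry paths and the ActiveX Compatibility kill-bit key mentioned in the log; it changes nothing.

```powershell
# Added example: read-only audit of Browser Helper Objects using the two-part
# heuristic from the VirtumundoBeGone log (no default name + Winlogon\Notify match).
# Assumes standard 32-bit Windows XP registry locations; run from an elevated shell.
$bhoKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$notifyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$killBitKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# Base names of every Winlogon notification package (e.g. "hgdaxxw" in the log).
$notifyNames = @()
if (Test-Path $notifyKey) {
    $notifyNames = Get-ChildItem $notifyKey | ForEach-Object { $_.PSChildName.ToLower() }
}

Get-ChildItem $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"

    # Default value of the CLSID key is the friendly name the tool prints in parentheses.
    $name = (Get-ItemProperty $clsKey -ErrorAction SilentlyContinue).'(default)'
    # InprocServer32 default value is the DLL that implements the BHO.
    $dll  = (Get-ItemProperty "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    $base = if ($dll) { [IO.Path]::GetFileNameWithoutExtension($dll).ToLower() } else { '' }
    # 0x400 in Compatibility Flags is the ActiveX kill bit the tool adds after cleanup.
    $flags = (Get-ItemProperty "$killBitKey\$clsid" -ErrorAction SilentlyContinue).'Compatibility Flags'

    $noName      = [string]::IsNullOrEmpty($name)
    $notifyMatch = ($base -ne '') -and ($notifyNames -contains $base)
    $notes = @()
    if ($noName)                          { $notes += 'no default name' }
    if ($notifyMatch)                     { $notes += "Winlogon\Notify\$base also present" }
    if ($dll -and -not (Test-Path $dll))  { $notes += 'DLL missing on disk' }
    if ($flags -band 0x400)               { $notes += 'kill bit already set' }

    [pscustomobject]@{
        CLSID      = $clsid
        Name       = if ($noName) { '<none>' } else { $name }
        DLL        = $dll
        Suspicious = $noName -and $notifyMatch   # both conditions, as in the log
        Notes      = $notes -join '; '
    }
} | Format-Table -AutoSize
```

A row with Suspicious = True corresponds to the "This is probably Virtumundo" line in the log; the named BHOs from Adobe and Sun should come out with Suspicious = False.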

3 Responses to “Trojan.Vundo”

  1. Abihaha Says:

    Come on... what file was it that you forgot to scan first? In a hurry, eh... just before the internet law takes effect, ha ha ha...
    Doesn't PCMAV catch it?

  2. wahyu Says:

    Wow, mas Riyadi, thanks for the info, but on my first scan I forgot, I thought the blue screen was an error, so I force-restarted it, and now that *.dll file shows up again, not clear....

  3. Lu-Q Says:

    If you read the log, the blue screen is deliberate ... [03/25/2008, 20:56:23] - Attempting to Restart via STOP error (Blue Screen!) ... that's also what I read on the internet ... and it's normal, as expected.
