After strange problems I gave Avast! Home a try and it promptly found and removed the VunDrop trojan (and others on boot scan, but I didn’t find the log for these). So far so good. Since then I receive two small Vista pop-up windows after logging in. The system can no longer open jkkLcBRL.dll and fqeseuah.dll. I don’t regret that much because both have been infected by the trojan. But I wonder what keeps trying to access these DLLs. Obviously there’s still something which shouldn’t be there and the pop-ups are annoying.
Of course I googled the problem but it seems that the DLL names have been randomly created, hence Google doesn’t find a single hit. What should be done?
Both haven’t been infected; both are nothing but malicious content, typically Vundo randomly generated file names, and as you found when you googled them, you get zero hits.
What is happening is that the files have been removed but there are still registry entries that try to run the vundo malware only to find that they aren’t there any more.
You can use HiJackThis: run a scan, find the entries relating to those files and ‘fix’ them.
Download and run HJT and post the contents of the log file (cut and paste) into this topic, you may need to split it over two or more posts depending on how large it is.
First, you don’t appear to have an active firewall, so I presume you are using the Vista firewall, which by default doesn’t check outbound traffic. Though you can enable it, it is rule based and ‘you’ have to create the rules.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise: user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
Thanks, problem is fixed!
Concerning the firewall, NetLimiter includes a powerful firewall checking in- and outbound traffic. It made me suspicious in the first place.
And yes, UAC is disabled. I know it would offer a better protection but it’s simply too annoying due to frequent changes in this sensible area.
HJT seems to be great. A good deal less confusing than Process Monitor from Sysinternals.
Yes, HJT is a good tool but it does require analysis, and there are plenty of places where you can get that. Process Monitor has its uses, but in this case it wouldn’t have found anything, as the registry entries wouldn’t have been detected without the files running.
By the way, how does HJT determine which registry entries are to be shown? I mean, there are tons of them but nevertheless only a handful were displayed. Does it only show those of processes invoked since system start, or how does it work? What does HJT actually do when scanning? Thanks for the education.
It is simply reporting ‘running’ processes regardless of when they start; you might have noticed that it also reports itself running, and you, the user, start that.
If a process is running because a registry entry started it, then it will show the corresponding registry entry.
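As an added example (not from this thread and not HiJackThis code), the PowerShell script below shows the situation the replies describe: it walks the common Run/RunOnce autostart keys and flags entries whose target file no longer exists, which is exactly what produces the pop-ups after a scanner has deleted the DLLs. It assumes the leftover entries live in those four keys; HJT also covers other autostart locations that this script does not.

```powershell
# Added example: find autostart entries that point at files which are gone.
# Only the four common Run/RunOnce keys are checked (an assumption, not a full
# list of autostart locations).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-TargetPath {
    param([string]$Command)
    # Isolate the executable or DLL path from the command line stored in the value.
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        return $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1)
    }
    # "rundll32 something.dll,Entry" is the usual form for DLL-based autostarts.
    if ($cmd -match '^rundll32(\.exe)?\s+"?([^",]+)') { return $Matches[2] }
    return ($cmd -split '\s+')[0]
}

function Get-OrphanedAutoruns {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
            $target   = Get-TargetPath -Command ([string]$p.Value)
            $expanded = [Environment]::ExpandEnvironmentVariables($target)
            # A bare file name is looked up relative to System32 by the loader.
            if (-not [IO.Path]::IsPathRooted($expanded)) {
                $expanded = Join-Path $env:SystemRoot "System32\$expanded"
            }
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                Target  = $expanded
                Exists  = Test-Path -LiteralPath $expanded
            }
        }
    }
}

# Report only entries whose target is missing. Review each one before removing it
# with: Remove-ItemProperty -Path <Key> -Name <Name>
Get-OrphanedAutoruns | Where-Object { -not $_.Exists } | Format-Table -AutoSize
```

Run it from an elevated PowerShell so the HKLM keys are readable; an entry whose target is missing is the same kind of leftover HJT lists after the malware file has been deleted.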