Was/am Infected
funnytim
Hi,

After installing Norton Ghost yesterday, when I started up my computer today, my TrendNet PC-cillin anti-virus program picked up a virus.

It also kept popping up a "dangerous website - close web browser and do not reopen" message even though I wasn't even browsing the internet.
I'm pretty sure that's a case of a virus/spyware. And a dialog kept popping up saying my computer had a virus.

It said it cleaned it and that I should reboot. I did, but I'm not sure if it's 100% removed (if it even is). I did a couple of scans, but I still want to be sure it's all cleaned up.

Thanks.

Edit: I think the virus is still there. The "dangerous website - close web browser and do not reopen" message still keeps reappearing, with sites I'm not on.
And the computer is really running a lot slower than before.
A "DrWatson Debugger failed...needs to close" error message also appears; after the whole system freezes, a reboot is needed.

I'm on Win XP Pro.
boopme
Hello. I need to ask if you meant Trend Micro, not TrendNet. Have you tried scanning from safe mode with the antivirus?

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
funnytim
Yes, I meant Trend Micro PC-cillin, not TrendNet (I got a new wireless router a while ago by TrendNet and got them confused). Sorry!

Here is my log:

Malwarebytes' Anti-Malware 1.11
Database version: 676

Scan type: Quick Scan
Objects scanned: 38132
Time elapsed: 7 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 14
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\nnnnLcDW.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\rqRLfgHY.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{f50b3f5e-856e-4757-9bb1-b35d46ca7719} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f50b3f5e-856e-4757-9bb1-b35d46ca7719} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnnlcdw (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f50b3f5e-856e-4757-9bb1-b35d46ca7719} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bcab133f (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMbf9820a3 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\nnnnLcDW.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rqRLfgHY.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Timothy Leung\Local Settings\Temporary Internet Files\Content.IE5\WD8X18GS\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\amrnnhds.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ymngkqvr.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\svehost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Timothy Leung\Desktop\lsass.zip (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


(Ran in safe mode).
Thanks.


Also, after running the scan, the computer seems to be "half" in safe mode. (I selected "boot Windows normally" after the scan.) Only administrator accounts appear on the welcome screen, and the computer theme is the classic version (like the one in safe mode), not the XP blue style. It does not show the "Safe Mode" text anywhere.

I've tried doing another reboot, to no avail.

Thanks.
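Reading the log above as a triage artifact rather than a pass/fail list is worth showing in code. The script below is an added example for this thread, not Malwarebytes' code and not a tool the helpers used: it parses the MBAM 1.x line format ("item (family) -> action."), maps each registry hit to the autostart or hook point it represents, ties the Winlogon\Notify subkey to the DLL it is named after, and flags files that are only "Delete on reboot", meaning they were still loaded and nothing is confirmed until a post-restart rescan. The mechanism labels are this script's own mapping, the regexes are inferred from the posted log, and the sample input is a constructed subset of the entries above.

```python
"""Triage a Malwarebytes' Anti-Malware (MBAM) 1.x scan log.

Added example: not MBAM's code. Entry format and section headers are
inferred from the log posted in this thread; the autostart labels are
this script's own mapping.
"""
import re
from collections import Counter

# Constructed input: a subset of the posted entries, in the same layout.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.11

Memory Modules Infected:
C:\WINDOWS\system32\nnnnLcDW.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{f50b3f5e-856e-4757-9bb1-b35d46ca7719} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f50b3f5e-856e-4757-9bb1-b35d46ca7719} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnnlcdw (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f50b3f5e-856e-4757-9bb1-b35d46ca7719} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bcab133f (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\nnnnLcDW.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\svehost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Registry locations that get code loaded at boot/logon or into every shell
# or browser process (mapping chosen for this example, most specific first).
PERSISTENCE = (
    (r"\\Explorer\\Browser Helper Objects\\", "BHO: DLL loaded into every Internet Explorer/Explorer process"),
    (r"\\Winlogon\\Notify\\", "Winlogon notify package: DLL loaded by winlogon.exe at boot"),
    (r"\\Explorer\\ShellExecuteHooks\\", "ShellExecuteHook: COM object invoked on every ShellExecute"),
    (r"\\CurrentVersion\\Run\\", "Run value: program started at user logon"),
    (r"^HKEY_CLASSES_ROOT\\CLSID\\", "COM class registration backing a BHO/hook"),
)
OTHER = "other registry trace (no known autostart path matched)"


def parse_mbam_log(text):
    """Return {section name: [{item, family, action}, ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        head = SECTION_RE.match(line)          # "Registry Keys Infected:" (no count)
        if head:
            current = head.group("name")
            sections[current] = []
            continue
        if current is None or not line or line.startswith("(No malicious"):
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            sections[current].append(entry.groupdict())
    return sections


def classify(item):
    for pattern, label in PERSISTENCE:
        if re.search(pattern, item, re.IGNORECASE):
            return label
    return OTHER


def triage(text):
    sections = parse_mbam_log(text)
    entries = [e for group in sections.values() for e in group]
    registry = sections.get("Registry Keys Infected", []) + sections.get("Registry Values Infected", [])

    # Lower-cased basenames of every DLL named anywhere in the log.
    dll_names = {e["item"].rsplit("\\", 1)[-1].lower()
                 for e in entries if e["item"].lower().endswith(".dll")}

    # The Winlogon\Notify subkey in the log is named after the DLL it loads;
    # tie key and file together so neither half is overlooked on rescan.
    linked = []
    for e in registry:
        if "\\winlogon\\notify\\" in e["item"].lower():
            name = e["item"].rsplit("\\", 1)[-1].lower() + ".dll"
            if name in dll_names:
                linked.append((e["item"], name))

    return {
        "families": Counter(e["family"] for e in entries),
        "persistence": [(classify(e["item"]), e["item"], e["family"]) for e in registry],
        "pending_reboot": [e["item"] for e in sections.get("Files Infected", [])
                           if e["action"].lower().startswith("delete on reboot")],
        "linked_dlls": linked,
    }


def summarize(report):
    lines = ["Detections by family:"]
    lines += [f"  {n:3d}  {fam}" for fam, n in report["families"].most_common()]
    lines.append("Autostart / hook points touched:")
    lines += [f"  {label}\n      {item}  [{fam}]" for label, item, fam in report["persistence"]]
    lines += [f"Notify key {key} loads {dll}" for key, dll in report["linked_dlls"]]
    lines += [f"Still on disk until reboot, rescan afterwards: {p}" for p in report["pending_reboot"]]
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG))))
```

Run it on a saved MBAM log with `triage(open(path).read())`. The point of the mapping is that four of the six registry hits are load points (a BHO, a ShellExecuteHook, a Winlogon notify DLL and a Run value), so a "clean" result only means something once the "Delete on reboot" DLL is actually gone and a rescan after the restart shows none of those locations repopulated.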
DaChew
QUOTE
Hello. I need to ask if you meant Trend Micro, not TrendNet. Have you tried scanning from safe mode with the antivirus?

MBAM is mostly meant to run in normal mode, where it's at full strength.

See if you can repeat the scan in normal mode; if not, then you'll need to use SuperAntiSpyware from safe mode.
funnytim
I've tried running the scan in "normal mode".

After the scan, it asks me to reboot. I do so. Afterwards, I run the scan again, but the same trojans keep showing up.

And as I said before, the computer seems to be "half in safe mode" (see post above).

Thanks.
DaChew
download SAS
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Update it, close the program, reboot into safe mode, run the program, and let it fix/remove any malware.

Post the log in a reply.
funnytim
I should also mention that my internet seems to be very slow right now. It's taking forever to download SAS.

As I mentioned above, I just got a new TrendNet TEW-852BPR wireless router. Could that be affecting the internet speed, or could it be the virus?
My other computer's internet is also very slow.


(I'm currently downloading SAS...will run the scan and post back the log ASAP).
DaChew
It's best to tackle one problem at a time. It's always better to use wired connections for downloads; wireless works great sometimes and awful other times.

It's a lot of trouble to try and fix a badly infected computer, and often it's a good idea to disconnect it from the internet.

You may be fixing one problem while a hidden component is downloading and replacing, or even upgrading, malware you removed.



funnytim
I couldn't even download it; the download froze halfway. Tried again, same thing. I had to use my other computer to download it, then transfer it over.

Then it can't install. It says "system administrator has set policies to prevent this installation". My account is an administrator account. I've also tried using the default admin account, but the same message appears.

So I can't even install it.
funnytim
Oops, didn't see your above reply.

I should've mentioned that I'm connected to my wireless router via a wired connection, so yeah.

I've disconnected my infected computer from the internet now.

(Please see my above post.) Thanks.

Edit: Not sure if it's just my bad internet right now, but I can't access some websites like Facebook (I can through a proxy though, sometimes), even on my (hopefully) uninfected computer.
DaChew
It's pretty obvious the infection is getting worse, or you have added a new one to an older one. The Vundo is obvious in the log and looks to be something fairly recent and particularly nasty.

http://www.bleepingcomputer.com/forums/ind...10&hl=vundo

You could try this, but I doubt it would work.

The HijackThis forum is still backed up and very busy.

Your infection really extends beyond the realm of the self-help tools.
funnytim
Oh man... how did I get this infection?!

The day before, I used Internet Explorer instead of Opera, which is what I usually use. I wonder if that's the problem.

Thanks, I will try that link you gave me when I get home (I am currently at school).

If it doesn't work, I guess I should post a HijackThis log in the HijackThis forum?

For security measures, I've also disconnected my computer from the internet.
DaChew
QUOTE
After installing Norton Ghost yesterday

QUOTE
Oh man... how did I get this infection?!

Coincidence, depends upon where you got Ghost?

One little trojan downloader can be 20 KB if I remember right. I did a test to see why my clients using LimeWire were all hosing their computers a couple of years ago. I was going to reload the computer anyway; you've never seen a wookie pull a Cat 5 cable so fast.
funnytim
Haha... you're right.

OK, I'll try the link you sent me when I get home, and I'll post any results I get.

But when I tried installing SAS yesterday, remember I got that error message? That message might come up again if I try installing those two you sent me. Guess we'll see.

Thanks!
funnytim
OK, tried both tools; both found something apparently, cleaned and restarted, but MBAM still finds the trojan.
DaChew
post the SAS log and the most recent MBAM one
funnytim
Well, don't ask me why, but I just ran two MBAM scans and they both came up clean:

Malwarebytes' Anti-Malware 1.11
Database version: 676

Scan type: Quick Scan
Objects scanned: 41096
Time elapsed: 7 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------------------

However, I still cannot install SAS. I get the error message saying the admin has set policies that don't allow me to install, even though I'm in an admin account (as I mentioned earlier) (screenshot: http://img131.imageshack.us/my.php?image=a...eserrorym9.png).

And it's changed to the "Windows classic theme"; I can't get back the "Win XP" style theme.
And on the welcome screen, the limited accounts have disappeared. Only the admin accounts exist (like in safe mode, but I'm not in safe mode). However, some programs like Network Magic report that the program "cannot be started in safe mode". This "non-XP normal style" happened after I first did an MBAM scan in safe mode. It found the infection, rebooted, then this "non-XP normal style" started happening.

And the computer still seems slower overall.


Thanks.
DaChew
The malware has control and self-help tools won't fix it; it's time to make the preparations for posting in the HJT forum.

funnytim
OK, I've posted it: http://www.bleepingcomputer.com/forums/topic143662.html

(Hope I didn't do anything wrong.)

Thanks for your help.
garmanma
Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic.
Invision Power Board © 2001-2008 Invision Power Services, Inc.