Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Impossible Malware Problem


  • Please log in to reply
4 replies to this topic

#1 ChaDMcBaDD

ChaDMcBaDD

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:49 PM

Posted 05 October 2008 - 06:14 PM

windows xp
SP 2
pentium 4, 1.8 ghz
256 ram

i have used these programs trying to fix my problem:

spyware blaster, spybot S&D, ad-aware 2008, windows defender, HJT, avira antivir personal, CCleaner, panda anti-rootkit, GMER, dr delete, f secure blacklight,




I might have vundo, i might not. i might have 10 different things. all info im about to give may be out of order.

first let me add that i can tell whatever i have is keylogging everything i say because while im typing it skips letters and lags. my computer has never done this before.

also explorer.exe is messed up. it resets itself every once in a while. its annoying.

I have warning pop-ups come up. theres 2 different ones. they say download cleanup tool, and the other says download antivirus 2009. sometimes random websites just pop-up. in the adressbar, it will sometimes include something i googled or typed and put it into the sites adress.

this is not an exact example: searchme.com/=searchresults"whatever i typed"-entry-aba22

fling.com, searchme.com, registrydefender.com, the list is endless, they truely are random. the site has been different almost everytime.

spybot found like 20 entries of vundo, 4 of smitfraud-c, like 15 webhancer, some other stuff.

spybots tool for LSP had found 4 protocols that were bad, but they are gone now. i did something right.

my dad downloaded an mp3 off limewire, and avira says identified it as a trojan downloader. im guessing this is what caused it all.

ok so theres a BHO not found on HJT but IS found on spybots BHO list. it says the BHO is being run off a .dll file in system 32 folder.



after running all programs possible, and there still being malware, let me just say i took matters into my own hands. i downloaded dr. delete and went into my system32 folder. my dad downloaded the song about 11pm. i search all files created around that time area. i found core.cache.dsk, and a some .dlls with weird random names, along with .ini files with weird random names. i tried deleting. didnt work. went to safe mode. only thing deleteable was core.cache.dsk.

i can be very assured that this randomly named .dll file connected to the BHO only spybot is registering is causing all the problems.

also, i noticed some of them tried to hide under microsoft outlook express library. i know this for a fact because they were created at the same exact time as the other files, and have random names. i dont even use outlook express anyways, so i deleted them.



when i start up, it says that:

primary hard drive 1 cannot be found.

also, after i log in, my computer basically slows down to a snails pace. veryyyyy slow. i open up my task manager, and find out theres hardly anything using up my CPU. but its extremely weird: none of the processes have a username! for instance, svchost and services dont have SYSTEM next to them. so i go to the users tab, there are none! then how am i logged on? after about 5 minutes everything eventually goes to normal.

if im not connected to the internet, my connection manager pops up wanting me to connect, like whatever has infected me is trying to phone home or something.

also, nothing comes up in the icon tray like its supposed to, when i load. no volume control, no teatimer.

thats why i thought i had a rootkit, but all the programs didnt find anything.

in conclusion:

even if i manage to delete the .dll and BHO, im pretty sure on start up it will just recreate it.

what do i do.

Edited by ChaDMcBaDD, 05 October 2008 - 06:24 PM.


BC AdBot (Login to Remove)

 


#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,032 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:49 AM

Posted 05 October 2008 - 06:18 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 ChaDMcBaDD

ChaDMcBaDD
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:49 PM

Posted 05 October 2008 - 06:22 PM

also, avira has found multipule instances of vundo.hk and vundo.gen

and ive googled antivirus 2009 and its not really like it. i dont think i have it, but maybe im wrong.


figures, the one anti-spyware program i dont have is the one i need.

Edited by ChaDMcBaDD, 05 October 2008 - 06:28 PM.


#4 ChaDMcBaDD

ChaDMcBaDD
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:49 PM

Posted 05 October 2008 - 07:12 PM

i followed ur instructions. i had to restart my comp(already knew i would). heres the log.

man i have got to hand it to them, malware bytes is damn good. they got this vundo thing down. im gonna start suggesting malwarebytes to whoever asks about antispyware.


Malwarebytes' Anti-Malware 1.28
Database version: 1231
Windows 5.1.2600 Service Pack 2

10/5/2008 6:54:33 PM
mbam-log-2008-10-05 (18-54-33).txt

Scan type: Quick Scan
Objects scanned: 55379
Time elapsed: 9 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\wvUoMdCS.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11c7f475-07ee-459b-a6b0-b350f5681142} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{11c7f475-07ee-459b-a6b0-b350f5681142} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{143aeeae-b7a4-45a3-8e10-0d6b3eee1f74} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d99ca0a6-14f3-4543-8d88-f2f7d92f81be} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\wvuomdcs -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\wvuomdcs -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\wvUoMdCS.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\SCdMoUvw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\SCdMoUvw.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM6b67bcb2.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM6b67bcb2.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

#5 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,032 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:49 AM

Posted 05 October 2008 - 07:37 PM

Now run the Full Scan and post the new log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users