Malwarebytes' won't remove registry malware


4 replies to this topic

#1 da1geek

da1geek

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:42 AM

Posted 08 November 2008 - 12:46 AM

So yes, long story short, even after following cleaning tutorials and following solutions to similar problems, I cannot seem to resolve this issue! I had no problem finding the source of the problem, and apparently neither did Malwarebytes' Anti-Malware :thumbsup:. Of course, time and time again, even after its removal, usually within an hour or so, it comes back :flowers:.

Here is the log from MAM:
(the bolded files are the returning ones)

Malwarebytes' Anti-Malware 1.30
Database version: 1368
Windows 5.1.2600 Service Pack 2

11/7/2008 9:10:55 PM
mbam-log-2008-11-07 (21-10-53).txt

Scan type: Quick Scan
Objects scanned: 59770
Time elapsed: 7 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\yorerufo.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6a3cef17-b322-4109-8dbc-1be1f86ebc6b} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{6a3cef17-b322-4109-8dbc-1be1f86ebc6b} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yugefikila (Trojan.Agent) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\yorerufo.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: system32\yorerufo.dll -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\setekefi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ifeketes.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\puhelero.dll (Trojan.BHO.H) -> No action taken.
c:\WINDOWS\system32\yorerufo.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\2hf5EPc0.exe.a_a (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\sadeyoli.dll (Trojan.Agent) -> No action taken.




====================================================================================================

Also, I am aware that these are also returning problems which are only occasionally detected by MAM and were not contained in this error report:

CPM32e3526f (location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)




Any help is greatly appreciated!


#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:06:42 AM

Posted 08 November 2008 - 01:04 PM

Please reboot your computer and update Malwarebytes. This time do a FULL scan and post the new log here.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 da1geek

da1geek
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:42 AM

Posted 08 November 2008 - 01:29 PM

OK, so I ran the full scan as well as Spybot S&D, but to no avail; it is still returning.

Malwarebytes' Anti-Malware 1.30
Database version: 1368
Windows 5.1.2600 Service Pack 2

11/8/2008 8:16:46 AM
mbam-log-2008-11-08 (08-16-46).txt

Scan type: Full Scan (C:\|)
Objects scanned: 192059
Time elapsed: 1 hour(s), 11 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\8jh2GRe6.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{00476c87-a276-49bf-86bc-ff005732430b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{892b2785-b0d0-4aa2-ae6a-0ed60b00a979} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{99c6d1bb-7555-474c-91da-d8fb62a9cc75} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{99c6d1bb-7555-474c-91da-d8fb62a9cc75} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99c6d1bb-7555-474c-91da-d8fb62a9cc75} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yugefikila (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\8jh2GRe6.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\2hf5EPc0.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.

#4 da1geek

da1geek
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:42 AM

Posted 08 November 2008 - 02:09 PM

Holy shiz! OK, so I just ran an extra quick scan because now one of the more popular malware trojans (Antivirus Pro 2009) had returned, after having no problem being deleted before. Here is the newest log, only a few hours later, with seventy more files detected than with the full scan:

Malwarebytes' Anti-Malware 1.30
Database version: 1368
Windows 5.1.2600 Service Pack 2

11/8/2008 12:06:42 PM
mbam-log-2008-11-08 (12-06-37).txt

Scan type: Quick Scan
Objects scanned: 61049
Time elapsed: 13 minute(s), 30 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 22
Registry Values Infected: 9
Registry Data Items Infected: 3
Folders Infected: 7
Files Infected: 39

Memory Processes Infected:
C:\Program Files\GetModule\GetModule27.exe (Trojan.Agent) -> No action taken.

Memory Modules Infected:
C:\WINDOWS\system32\opnmLcay.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\opnmlcay (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{00476c87-a276-49bf-86bc-ff005732430b} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{892b2785-b0d0-4aa2-ae6a-0ed60b00a979} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{99c6d1bb-7555-474c-91da-d8fb62a9cc75} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{99c6d1bb-7555-474c-91da-d8fb62a9cc75} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\icheck (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\antiviruspro2009 (Rogue.Antivirus2008) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\GetModule (Adware.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\antiviruspro2009 (Rogue.Antivirus2008) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\RelatedPageInstall (Adware.Mirar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getmodule27 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus pro 2009 (Rogue.Antivirus2008) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yugefikila (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\31d0f1f3 (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: c:\windows\system32\karna.dat -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: system32\karna.dat -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: msansspc.dll -> No action taken.

Folders Infected:
C:\Program Files\iCheck (Trojan.Agent) -> No action taken.
C:\Program Files\GetModule (Trojan.Agent) -> No action taken.
C:\Program Files\AntivirusPro2009 (Rogue.Antivirus2008) -> No action taken.
C:\Program Files\AntivirusPro2009\data (Rogue.Antivirus2008) -> No action taken.
C:\Program Files\AntivirusPro2009\Microsoft.VC80.CRT (Rogue.Antivirus2008) -> No action taken.
C:\Documents and Settings\Jacob Breazile.YOUR-0CDC4F5844.000\Application Data\GetModule (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Jacob Breazile.YOUR-0CDC4F5844.000\Start Menu\Programs\AntivirusPro2009 (Rogue.AntivirusPro2009) -> No action taken.

Files Infected:
C:\WINDOWS\system32\opnmLcay.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\brastk.exe (Trojan.FakeAlert.H) -> No action taken.
C:\WINDOWS\system32\8jh2GRe6.dll (Trojan.BHO) -> No action taken.
C:\WINDOWS\karna.dat (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\karna.dat (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\mlJCRkli.dll (Trojan.Vundo.H) -> No action taken.
C:\Program Files\iCheck\Uninstall.exe (Trojan.Agent) -> No action taken.
C:\Program Files\GetModule\GetModule27.exe (Trojan.Agent) -> No action taken.
C:\Program Files\AntivirusPro2009\AntivirusPro2009.exe (Rogue.Antivirus2008) -> No action taken.
C:\Program Files\AntivirusPro2009\AVEngn.dll (Rogue.Antivirus2008) -> No action taken.
C:\Program Files\AntivirusPro2009\htmlayout.dll (Rogue.Antivirus2008) -> No action taken.
C:\Program Files\AntivirusPro2009\pthreadVC2.dll (Rogue.Antivirus2008) -> No action taken.
C:\Program Files\AntivirusPro2009\Uninstall.exe (Rogue.Antivirus2008) -> No action taken.
C:\Program Files\AntivirusPro2009\wscui.cpl (Rogue.Antivirus2008) -> No action taken.
C:\Program Files\AntivirusPro2009\data\daily.cvd (Rogue.Antivirus2008) -> No action taken.
C:\Program Files\AntivirusPro2009\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.Antivirus2008) -> No action taken.
C:\Program Files\AntivirusPro2009\Microsoft.VC80.CRT\msvcm80.dll (Rogue.Antivirus2008) -> No action taken.
C:\Program Files\AntivirusPro2009\Microsoft.VC80.CRT\msvcp80.dll (Rogue.Antivirus2008) -> No action taken.
C:\Program Files\AntivirusPro2009\Microsoft.VC80.CRT\msvcr80.dll (Rogue.Antivirus2008) -> No action taken.
C:\Documents and Settings\Jacob Breazile.YOUR-0CDC4F5844.000\Start Menu\Programs\AntivirusPro2009\AntivirusPro2009.lnk (Rogue.AntivirusPro2009) -> No action taken.
C:\Documents and Settings\Jacob Breazile.YOUR-0CDC4F5844.000\Start Menu\Programs\AntivirusPro2009\Uninstall.lnk (Rogue.AntivirusPro2009) -> No action taken.
C:\WINDOWS\system32\msansspc.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\wpv4911.cpx (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\2hf5EPc0.exe.a_a (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> No action taken.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> No action taken.
C:\WINDOWS\system32\ssqOGXoP.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\brastk.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\_scui.cpl (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\wini1087100.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Jacob Breazile.YOUR-0CDC4F5844.000\Desktop\AntivirusPro2009.lnk (Rogue.Antivirus) -> No action taken.
C:\Documents and Settings\Jacob Breazile.YOUR-0CDC4F5844.000\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro2009.lnk (Rogue.Antivirus2008) -> No action taken.
C:\Documents and Settings\Jacob Breazile.YOUR-0CDC4F5844.000\~.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Jacob Breazile.YOUR-0CDC4F5844.000\Local Settings\Temp\wrdwn3 (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Jacob Breazile.YOUR-0CDC4F5844.000\Local Settings\Temp\wrdwn4 (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Jacob Breazile.YOUR-0CDC4F5844.000\Local Settings\Temp\wrdwn5 (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Jacob Breazile.YOUR-0CDC4F5844.000\Local Settings\Temp\wrdwn6 (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Jacob Breazile.YOUR-0CDC4F5844.000\Local Settings\Temp\wrdwn7 (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Jacob Breazile.YOUR-0CDC4F5844.000\Local Settings\Temp\wrdwn8 (Trojan.FakeAlert) -> No action taken.

Will restart and rescan.
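A small triage helper, added here as an example and not part of the thread or of Malwarebytes' own tooling: it parses lines in the MBAM 1.30 log format quoted in the posts above, lists the detections that sit in autostart locations (Run keys, AppInit_DLLs, Winlogon\Notify and similar, which is where a re-infection gets relaunched from), and reports which items recur across two scans. The two excerpts are constructed from the thread's own log lines; the list of autostart hints is an assumption of this example.

```python
import re
from collections import Counter

# One MBAM 1.30 detection line: "<item> (<family>) -> [Data: <value> -> ]<action>".
DETECTION = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?:Data: (?P<data>.+?) -> )?(?P<action>.+)$"
)

# Assumed list of autostart locations that can relaunch the rest of an infection
# after the visible files are quarantined (substring match against the item path).
AUTOSTART_HINTS = ("\\CurrentVersion\\Run\\", "AppInit_DLLs", "Winlogon\\Notify",
                   "ShellServiceObjectDelayLoad", "SharedTaskScheduler",
                   "ShellExecuteHooks", "Browser Helper Objects", "SecurityProviders")

def parse_log(text):
    """Return (item, family, data, action) tuples for every detection line."""
    hits = []
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if m:  # section headers and "(No malicious items detected)" do not match
            hits.append((m["item"], m["family"], m["data"], m["action"]))
    return hits

def autostart_items(text):
    """Detections sitting in a known autostart location, paired with the loaded data."""
    return sorted((item, data) for item, _, data, _ in parse_log(text)
                  if any(h.lower() in item.lower() for h in AUTOSTART_HINTS))

def recurring_items(*logs):
    """Items (compared case-insensitively) detected in more than one scan log."""
    seen = Counter()
    for text in logs:
        seen.update({item.lower() for item, *_ in parse_log(text)})
    return sorted(item for item, n in seen.items() if n > 1)

# Constructed excerpts in MBAM log format (paths follow the thread's logs).
SCAN_1 = r"""
Memory Modules Infected:
c:\WINDOWS\system32\yorerufo.dll (Trojan.Agent) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yugefikila (Trojan.Agent) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\yorerufo.dll -> No action taken.
"""
SCAN_2 = r"""
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yugefikila (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\8jh2GRe6.dll (Trojan.BHO) -> Delete on reboot.
"""

if __name__ == "__main__":
    print(autostart_items(SCAN_1), recurring_items(SCAN_1, SCAN_2))
```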

#5 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:06:42 AM

Posted 08 November 2008 - 02:49 PM

I would suggest posting an HJT log.
Start by reading the preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Then post your log here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

They are rather busy, so please be patient.
Mark
