BleepingComputer.com: Clean-up after MBAM removed Trojan.Agent and Trojan.Vundo.H

Hi,

Could someone please help me to clean up my machine after MBAM removed Trojan.Agent and Trojan.Vundo.H? MBAM looks like it worked but suspiciously there's a file that was deleted that returned by itself.

1. Removed Trojan.Agent using MBAM.


2. Updated MBAM

.. must have forgotten to tick remove ...


3. Looked in C:\WINDOWS and both deleted file were gone. dkblmn.dll was in c:\avenger directory (MBAM must have done that) so I deleted it.

4. After a while, C:\WINDOWS\dkblmn.dll reappeared and I checked my registry and found that the infected registry data item (LSA\Notification Packages) was there. I can't manually delete dkblmn.dll using a normal delete.

5. MBAM shows as clean

Hi,

Sorry for the delay in responding. Please do this:

Please use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.

• Once the files are downloaded click on Next
  
• Click on Scan Settings and configure as follows:
  • Scan using the following Anti-Virus database:
    Extended
    
    
  • Scan Options:
    Scan Archives
    Scan Mail Bases
  
  
• Click OK and, under select a target to scan, select My Computer

When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.


To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

Hi Superbird,

Thanks for looking into this for me. I ran Kaspersky Online Scanner and it didn't report any problems. Any other scans I should run?

What are the problems exactly?

Quote

Which file do you mean?

Hi Superbird,

When I noticed my machine slowing down, I ran MBAM. It removed Trojan.Agent. On a later scan, MBAM then found Trojan.Vundo.H.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: dkblmn.dll -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\dkblmn.dll (Trojan.Vundo.H) -> Delete on reboot.

After rebooting, dkblmn.dll wasn't in c:\windows any more. It was in c:\avenger\ (I think MBAM put it there). I deleted dkblmn.dll. After a few hours, I had a look in c:\windows and dkblmn.dll was there again. I checked the registry and the registry entry that MBAM said it deleted (LSA/Notification Packages) was there.

MBAM doesn't indicate a problem with c:\windows\dkblmn.dll when I run scans now. I'm guessing either my machine is not fully clean or I visited the same web site that I got the initial infection from. I'm looking for some help to make sure my machine is fully clean.

I had a read on this forum that I can send suspicious files to http://www.virustotal.com/. I submitted c:\WINDOWS\dkblmn.dll and several antiviruses said that dkblmn.dll is infected.

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Trojan.Win32.Hiloti!IK
AhnLab-V3 5.0.0.2 2009.05.15 -
AntiVir 7.9.0.168 2009.05.15 TR/Agent.cfuy
Antiy-AVL 2.0.3.1 2009.05.15 -
Authentium 5.1.2.4 2009.05.15 -
Avast 4.8.1335.0 2009.05.15 -
AVG 8.5.0.336 2009.05.15 BHO.IRP
BitDefender 7.2 2009.05.16 -
CAT-QuickHeal 10.00 2009.05.15 Trojan.Agent.cfuy
ClamAV 0.94.1 2009.05.15 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 -
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 -
F-Prot 4.4.4.56 2009.05.15 -
F-Secure 8.0.14470.0 2009.05.15 -
Fortinet 3.117.0.0 2009.05.16 -
GData 19 2009.05.16 -
Ikarus T3.1.1.49.0 2009.05.16 Trojan.Win32.Hiloti
K7AntiVirus 7.10.735 2009.05.14 -
Kaspersky 7.0.0.125 2009.05.16 -
McAfee 5616 2009.05.15 Hiloti.gen
McAfee+Artemis 5616 2009.05.15 Hiloti.gen
McAfee-GW-Edition 6.7.6 2009.05.15 Trojan.Agent.cfuy
Microsoft 1.4602 2009.05.16 Trojan:Win32/Hiloti.gen!A
NOD32 4080 2009.05.15 a variant of Win32/Kryptik.MT
Norman 6.01.05 2009.05.16 -
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.15 Suspicious file
PCTools 4.4.2.0 2009.05.15 -
Prevx 3.0 2009.05.16 Medium Risk Malware
Rising 21.29.51.00 2009.05.16 -
Sophos 4.41.0 2009.05.16 -
Sunbelt 3.2.1858.2 2009.05.16 Trojan-Win32/Hiloti.gen!A
Symantec 1.4.4.12 2009.05.16 -
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 -
VBA32 3.12.10.5 2009.05.16 -
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.15 -

So it seems like Symantec (which I'm using) and Kaspersky (which I just ran) seem to think that the file is OK but AVG and Microsoft think the file is a problem. Should I download AVG and give that a try?

This post has been edited by cav175: 16 May 2009 - 03:59 AM

Hi,

Ah okay, it's clear to me now.

I'm going to redirect you to the HijackThissection of this forum. This, because it's a deeper infection.
Read this page and follow it's steps: http://www.bleepingcomputer.com/forums/topic34773.html

Give them a link to this topic.

Good luck.

Thanks for your time Superbird.

I've created a new topic in the HijackThis section here.

Ok, that's good.

I will inform a moderator to close this topic.

As requested, thank you superbird.

Topic closed.

Hello cav175,

A few additional notes here. Hello,

Now that you have posted an HJT topic, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond. Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom