
Vundo + Others,in Sys Restore


25 replies to this topic

#1 jerryc

jerryc

  • Members
  • 91 posts

Posted 21 April 2008 - 12:23 PM

I'm doing this for a friend.
Dell Inspiron 6000, XP Pro SP2, updated, 504 MB memory. Ran very slow.
I am injured & can't type well; I do know some things about security & XP.
I turned off lots in startup, rebooted to safe mode and emptied temp & temporary internet files & recycle bin. Small change.
Found Norton, McAfee, Yahoo anti-virus; deleted others, kept McAfee, updated & scanned. Little change.
Did Trend HouseCall, found vundo.brq & a couple other things, said it couldn't fix, but then they were not on the list; ran better.
Ran a-squared, found a bunch, ran better.
Ran Kaspersky online, found 10 viruses in 35 locations including System Restore, saved the file, did not attempt manual removal.
Ran ESET online scan; first time it was running 45 mins & I went to bed, next a.m. it was gone, no log file. Tried 2x more, it ran 5 sec & disappeared. Later it ran OK, found several things, fixed some.
Ran Ad-Aware SE, found more, deleted them, ran better.
Ran Kaspersky again, 10 viruses, 29 locations.
Ran BitDefender online, found a bunch, fixed some, ran better.

Now it runs almost how it should, but there are things still showing up in scans, esp. in System Restore.
I have all logs from the scans.
I have not run HJT yet.
Thanks for any assistance.

#2 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 21 April 2008 - 01:03 PM

Welcome to the brave new world of malware suites. Would you post that last Kaspersky log?
Chewy

No. Try not. Do... or do not. There is no try.

#3 ruby1

ruby1

    a forum member


  • Members
  • 2,375 posts

Posted 21 April 2008 - 01:55 PM

They now have just McAfee Antivirus on board?

Did you use the Norton removal tool for Norton?

http://service1.symantec.com/SUPPORT/tsgen...005033108162039


You could run SUPERAntiSpyware on it:
http://www.superantispyware.com/superantis...efreevspro.html

The exe is http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

and post the report it produces.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,056 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 April 2008 - 02:03 PM

The infected RP***\A00*****.exe file(s) identified by your scan are in the System Volume Information Folder (SVI) which is a part of System Restore. This is the feature that allows you to set points in time to roll back your computer to a clean working state. The SVI folder is protected by permissions that only allow the system to have access and is hidden by default unless you have reconfigured Windows to show it.

System Restore will back up the good as well as the bad files so when malware is present on the system it gets included in any restore points as an A00***** file. When you scan your system with anti-virus or anti-malware tools, you may receive an alert or notification that a virus was found in the SVI folder (System Restore points) but the anti-virus software was unable to remove it. Since the System Volume Information folder is a protected directory, most scanning tools cannot access it to disinfect or delete these files. If not removed, they sometimes can reinfect your system if you accidentally use an old restore point.

To remove these file(s), the easiest thing to do is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 jerryc

jerryc
  • Topic Starter

  • Members
  • 91 posts

Posted 21 April 2008 - 05:34 PM

Here is the last Kaspersky scan; should I post any of the others? I will do the SUPERAntiSpyware. Norton was removed with Add/Remove, not its own remover. Not sure, but there may be another anti-virus still on; seems they thought "1 good, more better".
Thanks



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, April 20, 2008 8:17:32 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/04/2008
Kaspersky Anti-Virus database records: 717772
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 66488
Number of viruses found: 6
Number of infected objects: 29
Number of suspicious objects: 0
Duration of the scan process: 01:26:15

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\RBLDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\All Users\Application Data\SupportSoft\DellSupportCenter\SYSTEM\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mabel\.housecall6.6\Quarantine\pax89104.exe.bac_a03516/data0002 Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\Documents and Settings\Mabel\.housecall6.6\Quarantine\pax89104.exe.bac_a03516 NSIS: infected - 1 skipped
C:\Documents and Settings\Mabel\.housecall6.6\Quarantine\pax89104.exe.bac_a03516 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Mabel\.housecall6.6\Quarantine\qabroybc.dll.bac_a03516 Infected: Trojan.Win32.KillAV.rf skipped
C:\Documents and Settings\Mabel\.housecall6.6\Quarantine\sijtauuj.dll.bac_a03516 Infected: Trojan.Win32.KillAV.rf skipped
C:\Documents and Settings\Mabel\.housecall6.6\Quarantine\TGbn1dll.exe.bac_a03516/stream/data0003 Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\Documents and Settings\Mabel\.housecall6.6\Quarantine\TGbn1dll.exe.bac_a03516/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\Documents and Settings\Mabel\.housecall6.6\Quarantine\TGbn1dll.exe.bac_a03516 NSIS: infected - 2 skipped
C:\Documents and Settings\Mabel\.housecall6.6\Quarantine\TGbn1dll.exe.bac_a03516 CryptFF.b: infected - 2 skipped
C:\Documents and Settings\Mabel\.housecall6.6\Quarantine\ufwfvmif.dll.bac_a03516 Infected: Trojan.Win32.KillAV.rf skipped
C:\Documents and Settings\Mabel\.housecall6.6\Quarantine\vxlvtwel.dll.bac_a03516 Infected: Trojan.Win32.KillAV.rf skipped
C:\Documents and Settings\Mabel\.housecall6.6\Quarantine\xjfytktu.dll.bac_a03516 Infected: Trojan.Win32.KillAV.rf skipped
C:\Documents and Settings\Mabel\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mabel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mabel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mabel\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mabel\Local Settings\History\History.IE5\MSHist012008042020080421\index.dat Object is locked skipped
C:\Documents and Settings\Mabel\Local Settings\Temp\sqlite_ax25I3puaXpAIap Object is locked skipped
C:\Documents and Settings\Mabel\Local Settings\Temp\~DF7496.tmp Object is locked skipped
C:\Documents and Settings\Mabel\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mabel\ntuser.dat Object is locked skipped
C:\Documents and Settings\Mabel\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP11\A0010398.dll Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP14\change.log Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0003057.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0004058.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0009334.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0009336.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0009338.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0010123.dll Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0010132.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.nve skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0010140.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0010249.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0010250.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0010251.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0010253.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0010254.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0010255.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0010255.exe/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0010255.exe NSIS: infected - 2 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{1A863A97-AE39-44D1-906E-495330307BAA}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_AZcgEHCIo5SKJaT Object is locked skipped
C:\WINDOWS\Temp\mcafee_tRCo6iZSbs7jsTs Object is locked skipped
C:\WINDOWS\Temp\mcmsc_02tDA5boM7xGJhB Object is locked skipped
C:\WINDOWS\Temp\mcmsc_o5seF4tGapuPJaV Object is locked skipped
C:\WINDOWS\Temp\mcmsc_oehYl5ohRIWlIUR Object is locked skipped
C:\WINDOWS\Temp\sqlite_3YIvsCAGHQGU19n Object is locked skipped
C:\WINDOWS\Temp\sqlite_7ewWrR4SeBYODLx Object is locked skipped
C:\WINDOWS\Temp\sqlite_CipdEYwXacFDzNp Object is locked skipped
C:\WINDOWS\Temp\sqlite_s9jYHhwKZ0AZ491 Object is locked skipped
C:\WINDOWS\Temp\sqlite_Uj0yNpUDHkkFJgo Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#6 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 21 April 2008 - 05:58 PM

Scans are going to keep finding malware in quarantine and restore; that does not indicate an infection.


Packed.Win32.Monder.gen in restore might indicate a more recent vundo/Virtumonde infection.

I wouldn't want to reinstall it.

Other than those pesky alerts from installed AV, how are things running? Any bad popups?

I would never use 2 resident AV programs; it's hard finding just one that will work right.

#7 jerryc

jerryc
  • Topic Starter

  • Members
  • 91 posts

Posted 21 April 2008 - 08:48 PM

Yes, I know, and have explained to my friend about 1 anti-virus.
It runs pretty good, no popups.
There are no alerts from the installed anti-virus; all listings are from online scanners. The McAfee is current, recently installed and updated; I was disappointed that it does not show these things, and allowed the computer to run so poorly.
What do I do about the things listed? I had thought: turn off System Restore, somehow delete the contents, follow the paths on the other things and delete them also, then restart and make a new restore point, but I wasn't sure. You say "I wouldn't want to reinstall it" as though that were a choice. ??? I think there should be no signs left, isn't that right?

#8 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 21 April 2008 - 08:59 PM

I would follow quietman's guide and first create a new restore point, then delete the old ones.

You might empty those quarantines also.

I had a client that set Spybot to run every morning with a scan; three years later I was trying to extract her data and do a clean install, and the computer froze solid when I opened that backup/quarantine folder.

#9 jerryc

jerryc
  • Topic Starter

  • Members
  • 91 posts

Posted 21 April 2008 - 09:26 PM

OK, made a new restore point, did Disk Cleanup as per Q-man.
Will now run SUPERAntiSpyware.
How exactly to empty the quarantines? Best done from safe mode? Follow the path and delete the folder, and that's it?

#10 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 21 April 2008 - 09:39 PM

C:\Documents and Settings\Mabel\.housecall6.6\

#11 jerryc

jerryc
  • Topic Starter

  • Members
  • 91 posts

Posted 22 April 2008 - 01:10 AM

This is the SUPERAntiSpyware Scan Log:


-----------------------------------------------
http://www.superantispyware.com

Generated 04/21/2008 at 08:30 PM

Application Version : 4.0.1154

Core Rules Database Version : 3444
Trace Rules Database Version: 1436

Scan type : Complete Scan
Total Scan Time : 00:51:41

Memory items scanned : 546
Memory threats detected : 0
Registry items scanned : 6016
Registry threats detected : 27
File items scanned : 17662
File threats detected : 16

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}
HKCR\CLSID\{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}
HKCR\CLSID\{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}\InprocServer32
HKCR\CLSID\{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AWTTRSP.DLL
HKLM\Software\Classes\CLSID\{A3BD8D9E-83D5-4791-B70B-EBF8C4B4FF78}
HKCR\CLSID\{A3BD8D9E-83D5-4791-B70B-EBF8C4B4FF78}
HKCR\CLSID\{A3BD8D9E-83D5-4791-B70B-EBF8C4B4FF78}\InprocServer32
HKCR\CLSID\{A3BD8D9E-83D5-4791-B70B-EBF8C4B4FF78}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DDABB.DLL
HKLM\Software\Classes\CLSID\{C08E582D-F889-4831-98A2-C87A964ECA95}
HKCR\CLSID\{C08E582D-F889-4831-98A2-C87A964ECA95}
HKCR\CLSID\{C08E582D-F889-4831-98A2-C87A964ECA95}\InprocServer32
HKCR\CLSID\{C08E582D-F889-4831-98A2-C87A964ECA95}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DDCYV.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3BD8D9E-83D5-4791-B70B-EBF8C4B4FF78}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C08E582D-F889-4831-98A2-C87A964ECA95}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}
HKCR\CLSID\{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}

Adware.Tracking Cookie
C:\Documents and Settings\Mabel\Cookies\mabel@overture[1].txt
C:\Documents and Settings\Mabel\Cookies\mabel@statcounter[2].txt
C:\Documents and Settings\Mabel\Cookies\mabel@adopt.euroclick[1].txt
C:\Documents and Settings\Mabel\Cookies\mabel@ehg-eset.hitbox[2].txt
C:\Documents and Settings\Mabel\Cookies\mabel@revsci[2].txt
C:\Documents and Settings\Mabel\Cookies\mabel@ehg-kasperskylab.hitbox[2].txt
C:\Documents and Settings\Mabel\Cookies\mabel@hitbox[2].txt
C:\Documents and Settings\Mabel\Cookies\mabel@www.adtrak[2].txt

Rogue.ErrorFighter
HKLM\Software\ugac

Rootkit.Unclassified/KR_Done
C:\WINDOWS\system32\kr_done1

Rogue.TrustedAntiVirus
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHLP
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHLP#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHLP\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHLP\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHLP\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHLP\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHLP\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHLP\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHLP\0000#DeviceDesc

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\BBADD.INI
C:\WINDOWS\SYSTEM32\VYCDD.INI
C:\WINDOWS\SYSTEM32\VYCDD.INI2

Trojan.Vundo-Variant/F
C:\WINDOWS\SYSTEM32\XOGGQBLD.DLL
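The "Adware.Vundo Variant" group in this log is worth reading as a unit: each CLSID is registered under HKCR\CLSID with an InprocServer32 pointing at a DLL in SYSTEM32, and the same CLSIDs are then listed under Browser Helper Objects and ShellExecuteHooks, which is what made the shell and Internet Explorer load those DLLs on their own. The Python below is an added example, not code from the thread or from SUPERAntiSpyware, that parses a log of this shape into detection groups and correlates each CLSID with its load points and the DLL behind it. It assumes the layout seen in the posted log: a bare line names the group, registry items start with `HK`, file items start with a drive letter, and the DLL line follows the InprocServer32 entries of the CLSID it implements. The sample text is constructed from a subset of the posted log.

```python
import re

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def parse_sas_log(text):
    """Split a SUPERAntiSpyware-style log into {detection group: [items]}.

    Header lines (version, counts, URL) become groups with no items and are dropped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("HK") or DRIVE_RE.match(line):
            if current is not None:
                sections[current].append(line)
        else:
            current = line                 # a bare line names the next detection group
            sections.setdefault(current, [])
    return {name: items for name, items in sections.items() if items}


def correlate_clsids(items):
    """Map each CLSID in a group to its registry load points and the DLL under it.

    Assumption (matches the posted log): a file line is attributed to the most recently
    listed CLSID, since SAS prints the DLL right after that CLSID's InprocServer32 keys.
    """
    by_guid = {}
    last_guid = None
    for item in items:
        if item.startswith("HK"):
            m = GUID_RE.search(item)
            if not m:
                continue                   # e.g. HKLM\Software\ugac: no CLSID involved
            guid = m.group(0).upper()
            entry = by_guid.setdefault(guid, {"load_points": set(), "dll": None})
            if "\\Browser Helper Objects\\" in item:
                entry["load_points"].add("BHO")              # loaded by IE/Explorer
            elif "\\ShellExecuteHooks#" in item:
                entry["load_points"].add("ShellExecuteHook")  # loaded on every shell launch
            elif "\\CLSID\\" in item:
                entry["load_points"].add("CLSID")            # COM registration only
            last_guid = guid
        elif last_guid is not None and by_guid[last_guid]["dll"] is None:
            by_guid[last_guid]["dll"] = item
    return by_guid


def autoloaded_dlls(by_guid):
    """DLLs the shell loads on its own, with the load point(s) responsible, sorted by path."""
    hooks = {"BHO", "ShellExecuteHook"}
    return sorted(
        (e["dll"], sorted(e["load_points"] & hooks))
        for e in by_guid.values()
        if e["dll"] and e["load_points"] & hooks
    )


# Constructed sample: a subset of the log posted above, including a few header lines.
SAMPLE_SAS_LOG = r"""
http://www.superantispyware.com
Application Version : 4.0.1154
Registry threats detected : 27

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}
HKCR\CLSID\{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}
HKCR\CLSID\{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}\InprocServer32
HKCR\CLSID\{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AWTTRSP.DLL
HKLM\Software\Classes\CLSID\{A3BD8D9E-83D5-4791-B70B-EBF8C4B4FF78}
HKCR\CLSID\{A3BD8D9E-83D5-4791-B70B-EBF8C4B4FF78}\InprocServer32
C:\WINDOWS\SYSTEM32\DDABB.DLL
HKLM\Software\Classes\CLSID\{C08E582D-F889-4831-98A2-C87A964ECA95}
HKCR\CLSID\{C08E582D-F889-4831-98A2-C87A964ECA95}\InprocServer32
C:\WINDOWS\SYSTEM32\DDCYV.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3BD8D9E-83D5-4791-B70B-EBF8C4B4FF78}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C08E582D-F889-4831-98A2-C87A964ECA95}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}
HKCR\CLSID\{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}

Adware.Tracking Cookie
C:\Documents and Settings\Mabel\Cookies\mabel@overture[1].txt

Rogue.ErrorFighter
HKLM\Software\ugac
"""

if __name__ == "__main__":
    groups = parse_sas_log(SAMPLE_SAS_LOG)
    for dll, points in autoloaded_dlls(correlate_clsids(groups["Adware.Vundo Variant"])):
        print(dll, "<-", ", ".join(points))
```

The output is the list a responder actually wants from this log: which DLLs on disk are wired into the shell and through which load point, so that the registry entries and the files get removed together rather than leaving a BHO key pointing at a deleted file or, worse, a file that a leftover key will load again.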

#12 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 22 April 2008 - 04:50 AM

Troj/Krone-A is a downloader Trojan for the Windows platform.

Troj/Krone-A includes functionality to download, install and run new software to the Temp folder.

When Troj/Krone-A is installed the following files are created:

<Temp>\temp_.bat
<System>\kr_done1

The file temp_ is used to delete Troj/Krone-A. The file kr_done1 is a clean data file that may be safely deleted.


Edited by DaChew, 22 April 2008 - 04:58 AM.


#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,056 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 April 2008 - 08:07 AM

Seems you had more malware on your system than you suspected. Let's investigate some more.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#14 jerryc

jerryc
  • Topic Starter

  • Members
  • 91 posts

Posted 22 April 2008 - 12:22 PM

Malwarebytes log. Dang; goes fast, cleans a lot.
But the other log was from before I hit cleanup, so some was already gone when I started running Malwarebytes.
It did not say to restart, but I am now; will see how it starts and runs.


--------------------------------------------
Malwarebytes' Anti-Malware 1.11
Database version: 670

Scan type: Quick Scan
Objects scanned: 34925
Time elapsed: 15 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 20
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\winpfz37.sys (Malware.Trace) -> Quarantined and deleted successfully.

Edited by jerryc, 22 April 2008 - 12:45 PM.


#15 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 22 April 2008 - 12:46 PM

They have been real busy updating that program.

Here's my first scan:

14 Feb 2008
Malwarebytes' Anti-Malware 1.03
Database version: 361


That's a lot of database updates for 9 weeks.



