
Have Viruses, Need Help Using Hijackthis


12 replies to this topic

#1 pbs


Posted 02 June 2008 - 11:59 AM

I have downloaded HijackThis, but when I go to save the log, I can't find where it saves it. Please help. I am going to post the log on here, but I can't find the log.

Edited by Orange Blossom, 02 June 2008 - 04:46 PM.
Move to more appropriate forum. ~ OB



#2 pbs


Posted 04 June 2008 - 08:31 AM

Someone, please help fast, there are a lot of viruses on my computer. Thanks.

#3 DaChew


Posted 04 June 2008 - 08:37 AM

What operating system are you using?

What programs are you using to fight the infection?

HJT posts can take several days to get a response.
Chewy

No. Try not. Do... or do not. There is no try.

#4 pbs


Posted 05 June 2008 - 11:01 AM

I am using Windows XP. I have no programs right now. My Norton Antivirus subscription just ran out.

#5 DaChew


Posted 05 June 2008 - 11:12 AM

See if you can install MBAM and run a scan, do a clean, and then post that log.

http://www.bleepingcomputer.com/forums/ind...mp;#entry811062
Chewy

No. Try not. Do... or do not. There is no try.

#6 pbs


Posted 06 June 2008 - 03:03 PM

Malwarebytes' Anti-Malware 1.15
Database version: 834

3:01:38 PM 6/6/2008
mbam-log-6-6-2008 (15-01-37).txt

Scan type: Quick Scan
Objects scanned: 38927
Time elapsed: 10 minute(s), 3 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 5
Registry Keys Infected: 35
Registry Values Infected: 7
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 50

Memory Processes Infected:
C:\Program Files\VAV\vav.exe (Rogue.VistaAntivirus2008) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\bhptjbbt.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\deiuhcad.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\wvUnNdAS.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\xxyxWOhE.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\__c009B6AA.dat (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{961cbf0d-64ba-43ea-b043-3bbe14f5c0f3} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{961cbf0d-64ba-43ea-b043-3bbe14f5c0f3} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{32341e7e-c319-46de-91d0-e30bb1a3caba} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{32341e7e-c319-46de-91d0-e30bb1a3caba} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyxwohe (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{7545d8c8-f53c-4e2f-8fa0-d248ef4a6e61} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/setup.dll (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7545d8c8-f53c-4e2f-8fa0-d248ef4a6e61} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.requiredcomponent (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0ac49246-419b-4ee0-8917-8818daad6a4e} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{51cf80dc-a309-4735-bb11-ef18bf4e3ad9} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{99410cde-6f16-42ce-9d49-3807f78f0287} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f31a5d11-bf0b-4a4e-90af-274f2090aaa6} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.requiredcomponent.1 (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2b0eceac-f597-4858-a542-d966b49055b9} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.zangoclientax (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.zangoclientax.1 (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{031cbf6a-c70e-4177-a0d4-c5268ee311fb} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7fa8976f-d00c-4e98-8729-a66569233fb5} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bdddf1a5-51a9-4f51-b38d-4cd0ad831b31} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ddea2e1d-8555-45e5-af09-ec9aa4ea27ad} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f1f1e775-1b21-454d-8d38-7c16519969e5} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{5b6689b5-c2d4-4dc7-bfd1-24ac17e5fcda} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.clientinstaller (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.clientinstaller.1 (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\lmgr180.wmdrmax (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\lmgr180.wmdrmax.1 (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c009b6aa (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1053f40a (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{32341e7e-c319-46de-91d0-e30bb1a3caba} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antivirus (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antivirus (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\setup.dll (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07aa283a-43d7-4cbe-a064-32a21112d94d} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows update loader (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\wvunndas -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\wvunndas -> Delete on reboot.

Folders Infected:
C:\Program Files\VAV (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\bhptjbbt.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tbbjtphb.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\deiuhcad.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dachuied.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUnNdAS.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\SAdNnUvw.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\SAdNnUvw.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyxWOhE.dll (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\VAV\vav.exe (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\setup.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\ClientAX.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~16.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~17.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~19.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~21.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~27.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~2E.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~4D.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~5D.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~66.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~6A.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~82.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~8E.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~A3.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~B.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~C.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ehdthwld.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fqgbcpwd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lrkntsph.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nkshujph.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vav.cpl (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyawxvT.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\K6NQAWJU\install_2322_MHwyN3wxMDEwMDAwMDAwfHx8fHx8fHw_[2].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\TK2G40Z1\install_2322_MHwyMHwxMDEwMDAwMDAwfHx8fHx8fHw_[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\TK2G40Z1\install_2322_MHwyN3wxMDEwMDAwMDAwfHx8fHx8fHw_[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\UFAKD7TD\install_2322_MHwyN3wxMDEwMDAwMDAwfHx8fHx8fHw_[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\UFAKD7TD\install_2322_MHwyOHwxMDEwMDAwMDAwfHx8fHx8_[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\UFAKD7TD\kb456456[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\USN79FCK\install_2322_MHwyMHwxMDEwMDAwMDAwfHx8fHx8fHw_[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\VAV\vav.cpl (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\VAV\vav.ooo (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\VAV\vav0.dat (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\VAV\vav1.dat (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c009B6AA.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\~.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\xpupdate.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00C4BC9.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00DDA02.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Desktop\Vista Antivirus 2008.lnk (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.

#7 pbs


Posted 06 June 2008 - 03:29 PM

I ran the quick scan again right after the first time and got this log:

Malwarebytes' Anti-Malware 1.15
Database version: 834

3:22:30 PM 6/6/2008
mbam-log-6-6-2008 (15-22-30).txt

Scan type: Quick Scan
Objects scanned: 38516
Time elapsed: 6 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\__c00CD14E.dat (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00cd14e (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\wvUnNdAS.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SAdNnUvw.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SAdNnUvw.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bhptjbbt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\deiuhcad.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyxWOhE.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\UFAKD7TD\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c009B6AA.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00CD14E.dat (Trojan.Agent) -> Delete on reboot.

#8 DaChew


Posted 06 June 2008 - 04:15 PM

http://www.bleepingcomputer.com/forums/ind...mp;#entry839950

Would you try the ATF cleaner and SAS from mode please?
Chewy

No. Try not. Do... or do not. There is no try.

#9 pbs


Posted 11 June 2008 - 03:51 PM

Sorry for the late reply, here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/11/2008 at 02:33 PM

Application Version : 4.15.1000

Core Rules Database Version : 3479
Trace Rules Database Version: 1470

Scan type : Complete Scan
Total Scan Time : 01:20:15

Memory items scanned : 161
Memory threats detected : 0
Registry items scanned : 5389
Registry threats detected : 9
File items scanned : 63169
File threats detected : 10

Trojan.Unknown Origin
[A00F2413CB28.exe] C:\DOCUME~1\COMPAQ~1\LOCALS~1\TEMP\_A00F2413CB28.EXE
C:\DOCUME~1\COMPAQ~1\LOCALS~1\TEMP\_A00F2413CB28.EXE
C:\DOCUMENTS AND SETTINGS\COMPAQ_OWNER\LOCAL SETTINGS\TEMP\_A00F2413CB28.EXE

Trojan.Vundo-Variant/Small
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36481c1d-5a3e-41b8-bce9-eee9871bf09f}
HKCR\CLSID\{36481C1D-5A3E-41B8-BCE9-EEE9871BF09F}
HKCR\CLSID\{36481C1D-5A3E-41B8-BCE9-EEE9871BF09F}\InprocServer32
HKCR\CLSID\{36481C1D-5A3E-41B8-BCE9-EEE9871BF09F}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DGKKRJJU.DLL
C:\WINDOWS\SYSTEM32\HHLKBMCJ.DLL
C:\WINDOWS\SYSTEM32\NRIKWFGT.DLL
C:\WINDOWS\SYSTEM32\OADHVCUM.DLL
C:\WINDOWS\SYSTEM32\PXBVYIFF.DLL

Trojan.Unclassified-Packed/Suspicious
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{B4A78D29-52B1-4A7B-BAC0-1471BEDF9836}
HKCR\CLSID\{B4A78D29-52B1-4A7B-BAC0-1471BEDF9836}
HKCR\CLSID\{B4A78D29-52B1-4A7B-BAC0-1471BEDF9836}\InprocServer32
HKCR\CLSID\{B4A78D29-52B1-4A7B-BAC0-1471BEDF9836}\InprocServer32#ThreadingModel
C:\WINDOWS\DOWNLOADED PROGRAM FILES\SETUP.DLL

Adware.180solutions/Seekmo/Zango
C:\DOCUMENTS AND SETTINGS\COMPAQ_OWNER\LOCAL SETTINGS\TEMP\SEEKMOINSTALLER.EXE

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\MCRH.TMP

#10 DaChew


Posted 11 June 2008 - 04:00 PM

With a rootkit and hidden trojan downloader, you can reinfect a machine in a matter of minutes. After this much time it's best to start over from the beginning and repeat all the steps.

http://www.bleepingcomputer.com/forums/ind...mp;#entry839950

In my limited experience you kill these infections fast or you reload.

If your computer is turned off for days and it's not on the internet, then it can't be reinfected.

An advantage of waiting is that it allows the good programs to catch up with the bad ones.

Be sure to update before you attempt a rescan and fix.
Chewy

No. Try not. Do... or do not. There is no try.
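
Added example (not from this thread, and not Malwarebytes' own code): a small Python parser for the MBAM 1.x log format posted above. It pulls out the items MBAM could only schedule as "Delete on reboot" and flags items that recur between two scans, which is the reinfection signal Chewy describes. The two sample logs are short excerpts constructed from the logs in posts #6 and #7.

```python
import re
from collections import defaultdict

# Matches one detection line of the MBAM 1.x log format quoted in this thread:
#   <item> (<family>) -> <action>.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return {section: [(item, family, action), ...]} for an MBAM 1.x log.

    Detail sections are headed by lines ending in ':' ("Files Infected:");
    the summary block near the top reads "Files Infected: 50" and is ignored.
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1]
            continue
        if current is None or line == "(No malicious items detected)":
            continue
        m = ENTRY_RE.match(line)
        if m:
            sections[current].append((m["item"], m["family"], m["action"]))
    return dict(sections)


def deferred_items(parsed):
    """Items MBAM could only schedule for removal ("Delete on reboot"),
    typically because the file or key was still in use. They are the first
    things to verify in the scan taken after the reboot."""
    return {item for entries in parsed.values()
            for item, _, action in entries if action == "Delete on reboot"}


def recurring_items(earlier, later):
    """Items named in both scans, compared case-insensitively because Windows
    paths and registry keys are. Anything back after a clean and reboot is
    the reinfection signal discussed in the thread."""
    def keyed(parsed):
        return {item.lower(): item for entries in parsed.values() for item, _, _ in entries}
    a, b = keyed(earlier), keyed(later)
    return sorted(b[k] for k in a.keys() & b.keys())


# Constructed excerpts of the first two MBAM logs in this thread (posts #6 and #7).
SCAN_1 = r"""
Malwarebytes' Anti-Malware 1.15
Database version: 834

Files Infected: 3

Memory Modules Infected:
C:\WINDOWS\system32\wvUnNdAS.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\wvUnNdAS.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\__c009B6AA.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\xpupdate.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

SCAN_2 = r"""
Memory Modules Infected:
C:\WINDOWS\system32\__c00CD14E.dat (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\wvUnNdAS.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c009B6AA.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00CD14E.dat (Trojan.Agent) -> Delete on reboot.
"""

if __name__ == "__main__":
    first, second = parse_mbam_log(SCAN_1), parse_mbam_log(SCAN_2)
    print("deferred after scan 1:", sorted(deferred_items(first)))
    print("still present in scan 2:", recurring_items(first, second))
```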

#11 pbs


Posted 12 June 2008 - 04:54 PM

Here is the first log:

Malwarebytes' Anti-Malware 1.17
Database version: 850

4:49:02 PM 6/12/2008
mbam-log-6-12-2008 (16-48-57).txt

Scan type: Quick Scan
Objects scanned: 37305
Time elapsed: 25 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 10
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\hgGvsPhE.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\vtUmKEwu.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\__c00581AA.dat (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7c6090c1-0ce5-4218-9350-02fe6a8506c9} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{7c6090c1-0ce5-4218-9350-02fe6a8506c9} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{32341e7e-c319-46de-91d0-e30bb1a3caba} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{32341e7e-c319-46de-91d0-e30bb1a3caba} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtumkewu (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\Software\VAV (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00581aa (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{32341e7e-c319-46de-91d0-e30bb1a3caba} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows update loader (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ADP (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\hgGvsPhE.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\EhPsvGgh.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\EhPsvGgh.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUmKEwu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\__c00581AA.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

#12 pbs


Posted 14 June 2008 - 10:21 AM

Here is the log for SAS:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/13/2008 at 11:41 AM

Application Version : 4.15.1000

Core Rules Database Version : 3479
Trace Rules Database Version: 1470

Scan type : Complete Scan
Total Scan Time : 01:19:36

Memory items scanned : 151
Memory threats detected : 0
Registry items scanned : 5381
Registry threats detected : 0
File items scanned : 63201
File threats detected : 0

#13 DaChew


Posted 14 June 2008 - 10:27 AM

How is your computer running now?
Chewy

No. Try not. Do... or do not. There is no try.
