
Worm.win32.netbooster



#1 beau0090 (Members)

Posted 04 June 2008 - 10:20 AM

I got infected. OS is XP Pro SP2. Can someone give me some good info to get this clean? I have Symantec AV installed, so that is keeping me from getting to the net to get the SmitFraudFix .exe. I am on the road, with only terminal access to the net, but without being able to download the programs. I will return home on the 6th and will be able to use another machine to receive the programs. I can view emails and this forum while away, but will have to wait until Friday to do some work on the laptop. Will get info prelim now and work on Friday, with much appreciation in advance.
Thanks,
Curtis


#2 Budapest (Bleepin' Cynic, Moderator)

Posted 04 June 2008 - 05:21 PM

Run the SmitFraudFix when you get a chance and follow it up with a full system scan with Malwarebytes' Anti-Malware.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 beau0090 (Topic Starter)

Posted 06 June 2008 - 02:36 PM

OK, on the other laptop and got the two programs SmitFraudFix and MalwareBytes. Running SmitFraudFix from normal mode in Windows, and selected 2 (safe mode in SFF). It gets to the point where it asks if I want to clean the registry and I type Y, but it comes back with a Windows message saying that registry editing has been disabled by my admin. I have admin rights on my box and I believe I have done it in the past, so I think this has been tampered with. Now the software won't let me go through. Should I exit and rerun it and type N at the prompt?
Thanks

#4 beau0090 (Topic Starter)

Posted 06 June 2008 - 02:39 PM

It says in the script that it cannot find the file specified.

#5 beau0090 (Topic Starter)

Posted 06 June 2008 - 05:52 PM

OK, wasn't sure what all was going on with the SmitFraudFix, but it finally finished, then I launched the MalwareBytes program and did a full scan. It appears that it worked. I did a reboot (had to hold the power button for a hard shutdown), then powered up quickly and it gave me a .dll error about the second one in the list on the report.

Here it is, please help me figure out if I need to do anything further.
I really appreciate your help to this point, this site has been a life saver.

Malwarebytes' Anti-Malware 1.15
Database version: 834

5:35:58 PM 6/6/2008
mbam-log-6-6-2008 (17-35-44).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 189990
Time elapsed: 2 hour(s), 50 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 19
Registry Values Infected: 4
Registry Data Items Infected: 13
Folders Infected: 2
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\cbXQjgFx.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\rqRHwVmm.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e5c2fb20-43e3-4803-b18f-b8f9a4d0b2f0} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{e5c2fb20-43e3-4803-b18f-b8f9a4d0b2f0} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{4f26bedb-d89b-44a1-948b-5d523292dadf} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4f26bedb-d89b-44a1-948b-5d523292dadf} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqrhwvmm (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winctrl32 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Adsl Software Limited (Rogue.MalWarrior) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msupdate (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msupdate (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate (Rootkit.Agent) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{76a98b47-2064-4dec-8ad8-2517ebc07cc2} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76a98b47-2064-4dec-8ad8-2517ebc07cc2} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{0f32ee72-aaf6-47e3-9882-8c988c977cdc} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\atfxqogp.bxwf (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\atfxqogp.toolbar.1 (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{4f26bedb-d89b-44a1-948b-5d523292dadf} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advap32 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c4b34480 (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0f32ee72-aaf6-47e3-9882-8c988c977cdc} (Trojan.FakeAlert) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxqjgfx -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxqjgfx -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (55274-640-1489965-23923) -> No action taken.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowNetPlaces (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> No action taken.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited (Rogue.MalWarrior) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect (Rogue.MalWarrior) -> No action taken.

Files Infected:
C:\WINDOWS\system32\cbXQjgFx.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\xFgjQXbc.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\xFgjQXbc.ini2 (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\rqRHwVmm.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{E6F5A918-AD34-497C-88BE-E26A4927E233}\RP359\A0047018.dll (Trojan.Zlob) -> No action taken.
C:\System Volume Information\_restore{E6F5A918-AD34-497C-88BE-E26A4927E233}\RP359\A0047020.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{E6F5A918-AD34-497C-88BE-E26A4927E233}\RP359\A0047021.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{E6F5A918-AD34-497C-88BE-E26A4927E233}\RP359\A0047022.exe (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{E6F5A918-AD34-497C-88BE-E26A4927E233}\RP359\A0047023.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\edrw.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\Resources\RomStat.dll (Trojan.Clicker) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe (Rogue.MalWarrior) -> No action taken.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\Process.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\ialyjqfi.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\mssrv32.exe (Rootkit.Agent) -> No action taken.
C:\WINDOWS\boqnrwdmnow.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\atfxqogp.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\drivers\etc\services.ra-sap (Heuristics.Reserved.Word.Exploit) -> No action taken.

#6 beau0090 (Topic Starter)

Posted 06 June 2008 - 06:42 PM

Sorry, I must have taken an old copy of the log file. Here is the latest. Now I do not get the windows error on login about the dll.
Everything seems to be working fine, no Symantec pop-ups saying they stopped a bad email (had 100's of them per minute before and during the malware scan), no "Virus Threat!" near the clock in the tray.

Am I in the clear so far?
Thanks,


Malwarebytes' Anti-Malware 1.15
Database version: 834

5:36:52 PM 6/6/2008
mbam-log-6-6-2008 (17-36-51).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 189990
Time elapsed: 2 hour(s), 50 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 19
Registry Values Infected: 4
Registry Data Items Infected: 13
Folders Infected: 2
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\cbXQjgFx.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\rqRHwVmm.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e5c2fb20-43e3-4803-b18f-b8f9a4d0b2f0} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e5c2fb20-43e3-4803-b18f-b8f9a4d0b2f0} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{4f26bedb-d89b-44a1-948b-5d523292dadf} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4f26bedb-d89b-44a1-948b-5d523292dadf} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqrhwvmm (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winctrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msupdate (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msupdate (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{76a98b47-2064-4dec-8ad8-2517ebc07cc2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76a98b47-2064-4dec-8ad8-2517ebc07cc2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0f32ee72-aaf6-47e3-9882-8c988c977cdc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\atfxqogp.bxwf (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\atfxqogp.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{4f26bedb-d89b-44a1-948b-5d523292dadf} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advap32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c4b34480 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0f32ee72-aaf6-47e3-9882-8c988c977cdc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxqjgfx -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxqjgfx -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (55274-640-1489965-23923) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowNetPlaces (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect (Rogue.MalWarrior) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\cbXQjgFx.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xFgjQXbc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xFgjQXbc.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRHwVmm.dll (Trojan.Vundo) -> Delete on reboot.
C:\System Volume Information\_restore{E6F5A918-AD34-497C-88BE-E26A4927E233}\RP359\A0047018.dll (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E6F5A918-AD34-497C-88BE-E26A4927E233}\RP359\A0047020.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E6F5A918-AD34-497C-88BE-E26A4927E233}\RP359\A0047021.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E6F5A918-AD34-497C-88BE-E26A4927E233}\RP359\A0047022.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E6F5A918-AD34-497C-88BE-E26A4927E233}\RP359\A0047023.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\edrw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Resources\RomStat.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\Process.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ialyjqfi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\mssrv32.exe (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\boqnrwdmnow.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\atfxqogp.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\etc\services.ra-sap (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

#7 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 06 June 2008 - 10:43 PM

Did you reboot the computer after using MBAM? If it encounters a file that is difficult to remove, you need to restart the computer so the malware can be fully removed. Failure to do so will prevent MBAM from removing all the malware. Your log indicates some files will be deleted on reboot. If you have not rebooted, make sure you do this. When done, rescan again with MBAM and post the new log report.

Please print out and follow the instructions for using "Vundofix". -- If using Windows Vista be sure to Run As Administrator.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the 'Fix Vundo' button.
  • After running VundoFix, a text file named vundofix.txt will automatically be saved to the root of the system drive, usually at C:\vundofix.txt.
  • Please copy & paste the contents of that text file into your next reply.
-- If you receive this error: "Run-time error '339': Component 'comdlg32.ocx' or one its dependencies not correctly registered: a file is missing or invalid", a new copy and instructions on where to put it can be found here.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donate button.

#8 beau0090 (Topic Starter)

Posted 07 June 2008 - 08:44 AM

I did the scan, delete, reboot sequence a couple of times with MWB and this is the last log I received. It appears now that the system is clean. I just ran VundoFix and it found nothing on the PC.

I just don't want to get onto the network without knowing things are clean.
Thanks,


Malwarebytes' Anti-Malware 1.15
Database version: 836

9:12:37 PM 6/6/2008
mbam-log-6-6-2008 (21-12-37).txt

Scan type: Full Scan (C:\|)
Objects scanned: 190432
Time elapsed: 1 hour(s), 31 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{E6F5A918-AD34-497C-88BE-E26A4927E233}\RP359\A0047025.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E6F5A918-AD34-497C-88BE-E26A4927E233}\RP359\A0047026.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E6F5A918-AD34-497C-88BE-E26A4927E233}\RP359\A0048069.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E6F5A918-AD34-497C-88BE-E26A4927E233}\RP359\A0048073.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

#9 beau0090 (Topic Starter)

Posted 07 June 2008 - 08:45 AM

Here's what the VundoFix log had:

VundoFix V7.0.5

Scan started at 8:32:10 AM 6/7/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

#10 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 07 June 2008 - 02:00 PM

Looking better. Let's do a couple more things to see if we find anything else.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure the "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#11 beau0090 (Topic Starter)

Posted 07 June 2008 - 03:59 PM

The ATF Cleaner link doesn't seem to be working. I have the SuperAntiSpyware downloaded, but I can't find the atribune.org website.
Thanks,

#12 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 08 June 2008 - 06:28 AM

ATF Cleaner alternate download links
http://majorgeeks.com/ATF_Cleaner_d4949.html
http://www.snapfiles.com/get/atfcleaner.html

#13 beau0090 (Topic Starter)

Posted 08 June 2008 - 09:15 PM

Yep, Super caught a couple of infected things too. I need to get back on the network now however, and get some email. I will be on shortly and log off quick, hopefully nothing happens in that time.
Thank you for being patient with me and guiding me through this process.

Here is the Super Log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/08/2008 at 09:04 PM

Application Version : 4.15.1000

Core Rules Database Version : 3477
Trace Rules Database Version: 1468

Scan type : Complete Scan
Total Scan Time : 01:11:25

Memory items scanned : 189
Memory threats detected : 0
Registry items scanned : 14270
Registry threats detected : 9
File items scanned : 134602
File threats detected : 1

Trojan.Unknown Origin
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate\0000#DeviceDesc

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\MCRH.TMP
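The following Python is an added example, not code from this thread or from Malwarebytes or SUPERAntiSpyware. It parses a constructed excerpt of the MBAM 1.x log format quoted in posts #5, #6 and #8 and of the SUPERAntiSpyware format in post #13, and turns points raised in the thread into checks: which entries are still marked "Delete on reboot" (quietman7's reason for asking for a restart and a rescan before trusting the log), which registry data items MBAM reverted from a "Bad" to a "Good" value (the Start menu, NoDrives and ProductId tampering in the first logs), and whether the LEGACY_ entries SUPERAntiSpyware later found under Enum\Root carry the name of a service MBAM had already removed (here msupdate). The log excerpts, regular expressions and function names are the example's own.

```python
import re
from collections import Counter

# Constructed excerpts in the two log formats quoted in this thread (a few of the
# thread's own lines, not the complete logs), used as sample input for the parsers below.
MBAM_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\cbXQjgFx.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e5c2fb20-43e3-4803-b18f-b8f9a4d0b2f0} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxqjgfx -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\mssrv32.exe (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\edrw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

SAS_LOG = r"""
Trojan.Unknown Origin
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate\0000

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\MCRH.TMP
"""

# One MBAM detection line: <path> (<family>) -> [Data/Bad-Good segment ->] <action>
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
BADGOOD_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")
# SAS lists a family name, then one registry or file path per line beneath it.
PATH_RE = re.compile(r"^(HK[A-Z_]+\\|[A-Za-z]:\\)")


def parse_mbam(text):
    """Return one dict per detection line: section, path, family, action, bad, good."""
    items, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("("):
            continue                       # blank or "(No malicious items detected)"
        if line.endswith("Infected:"):
            section = line[:-len(" Infected:")]
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue                       # header lines such as "Scan type: ..."
        segments = m.group("rest").split(" -> ")
        bg = BADGOOD_RE.search(m.group("rest"))
        items.append({
            "section": section,
            "path": m.group("path"),
            "family": m.group("family"),
            "action": segments[-1],        # the last arrow segment is what MBAM did
            "bad": bg.group("bad") if bg else None,
            "good": bg.group("good") if bg else None,
        })
    return items


def summary(items):
    """Counts per section, like the totals block at the top of an MBAM log."""
    return Counter(i["section"] for i in items)


def pending_reboot(items):
    """Paths MBAM could not remove while Windows was running; gone only after a restart."""
    return [i["path"] for i in items if i["action"] == "Delete on reboot."]


def hijacked_policies(items):
    """Registry data MBAM reverted, as value name -> (bad value, restored value)."""
    return {i["path"].rsplit("\\", 1)[-1]: (i["bad"], i["good"])
            for i in items if i["bad"] is not None}


def removed_services(items):
    """Lower-cased names of the Services subkeys MBAM removed (any ControlSet)."""
    names = set()
    for i in items:
        m = re.search(r"\\Services\\([^\\]+)$", i["path"], re.IGNORECASE)
        if m and i["section"] == "Registry Keys":
            names.add(m.group(1).lower())
    return names


def parse_sas(text):
    """Return (family, path) pairs from a SUPERAntiSpyware scan log."""
    pairs, family = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            pairs.append((family, line))
        else:
            family = line                  # a non-path line names the next group
    return pairs


def legacy_leftovers(sas_pairs, service_names):
    """SAS hits under Enum/Root/LEGACY_<name> where <name> is a service MBAM removed."""
    hits = []
    for _, path in sas_pairs:
        m = re.search(r"\\Enum\\Root\\legacy_([^\\#]+)", path, re.IGNORECASE)
        if m and m.group(1).lower() in service_names:
            hits.append(path)
    return hits


if __name__ == "__main__":
    items = parse_mbam(MBAM_LOG)
    print("per section:", dict(summary(items)))
    print("pending reboot:", pending_reboot(items))
    print("reverted values:", hijacked_policies(items))
    print("LEGACY_ leftovers:", legacy_leftovers(parse_sas(SAS_LOG), removed_services(items)))
```

Run against the full logs in this thread, pending_reboot explains why post #6 is not yet a clean bill of health and post #8 is, and legacy_leftovers ties the nine registry hits in the SUPERAntiSpyware log back to the msupdate service entries MBAM had quarantined two days earlier.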

#14 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 09 June 2008 - 07:28 AM

How is your computer running now? Any more reports/signs of infection?

#15 beau0090 (Topic Starter)

Posted 09 June 2008 - 01:29 PM

The computer is running fine, and I haven't seen any signs of infection since I ran the MalwareBytes software. Is there any reason to believe there might still be stuff found on the box? Should I periodically clean the PC every couple of days to make sure there is nothing there?

I really appreciate your help with this, this had me very worried.
Best Regards,



