Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vundo Again ?


  • Please log in to reply
14 replies to this topic

#1 conoflex

conoflex

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:15 AM

Posted 20 June 2008 - 03:46 AM

I dunno how but i got this but only windows defender found it Win32/Vundo.gen!M and it won't get rid of it defender says error when trying, vundofix finds nothing !! then Kaspersky detects this one win32.monder.aaa and deleted it, so i run malwarbytes and this is what that found

Malwarebytes' Anti-Malware 1.18
Database version: 871

09:37:00 20/06/2008
mbam-log-6-20-2008 (09-36-57).txt

Scan type: Quick Scan
Objects scanned: 108944
Time elapsed: 15 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 8
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\geBSkkki.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a98d0065-7326-41b5-b8d9-c5b692cdb82f} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\video.bho (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{681147c4-d615-461a-960f-655871e315c3} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{681147c4-d615-461a-960f-655871e315c3} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{748742a2-159f-4dc7-8fd6-5e293708b4a7} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{b48caa94-24b2-475e-b6ff-a5d79c5fdefd} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a98d0065-7326-41b5-b8d9-c5b692cdb82f} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\autorun.inf (Trojan.Agent) -> No action taken.
C:\Windows\System32\geBSkkki.dll (Trojan.Agent) -> No action taken.
C:\Windows\System32\clkcnt.txt (Trojan.Vundo) -> No action taken.


any help please would be great

Thanks Andy

AsRock Fatal1ty Z77 Pro/Intel i7 3770k/Water Cooled

/32GB RipjawX PC3-1866/Aus Xonar D2/PM/Crucial M4 128gb SSD/2TB Hitachi 6gb/2TB Seagate 6gb

/Asus 7970 TOP/Corsair HX 850watt PSU /Bitfenix Shinobi XL/Asus 24x DVDRW/Iiyama Prolite E2773HDS/Akasa Internal DuoSwap Caddy

 


BC AdBot (Login to Remove)

 


#2 cornzey

cornzey

  • Members
  • 156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:15 AM

Posted 20 June 2008 - 06:17 AM

Hi there,

Is there a reason why no action has been taken on every infected item?

Try deleting them and re-boot the system and re-run a MBAM scan and see if they re-appear.

Hope this helps,
Cornzey

Posted Image

If I'm giving you help and I don't reply within 24 hours PM me with the topic link.



Avast Anti-Virus - Zone Alarm Firewall
Stay Protected.


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,780 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:15 AM

Posted 20 June 2008 - 06:53 AM

"No action taken" usually occurs if you forget to click "Remove Selected" and instead just click "Save Logfile". Please review these instructions (scroll down) and rescan. After performing a new scan, post the log results in your next reply.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 conoflex

conoflex
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:15 AM

Posted 20 June 2008 - 11:54 AM

yes you are right i hadn't clicked remove, did that now all gone after reboot, but the Vundo.gen!M one keeps coming back only with windows defender and no other program detects it

AsRock Fatal1ty Z77 Pro/Intel i7 3770k/Water Cooled

/32GB RipjawX PC3-1866/Aus Xonar D2/PM/Crucial M4 128gb SSD/2TB Hitachi 6gb/2TB Seagate 6gb

/Asus 7970 TOP/Corsair HX 850watt PSU /Bitfenix Shinobi XL/Asus 24x DVDRW/Iiyama Prolite E2773HDS/Akasa Internal DuoSwap Caddy

 


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,780 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:15 AM

Posted 20 June 2008 - 12:00 PM

Did the scan provide a specific file name associated with this malware threat and if so, where is it located (full file path) at on your system?
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#6 conoflex

conoflex
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:15 AM

Posted 20 June 2008 - 01:59 PM

Did the scan provide a specific file name associated with this malware threat and if so, where is it located (full file path) at on your system?


This is what defender says (wouldn't delete it came up with error)

defender snip


and this is the last malwrebytes log

Malwarebytes' Anti-Malware 1.18
Database version: 871

19:45:56 20/06/2008
mbam-log-6-20-2008 (19-45-56).txt

Scan type: Quick Scan
Objects scanned: 110201
Time elapsed: 15 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 5
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\ssqoOhIA.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Windows\System32\geBspmKb.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Windows\System32\pmnnnoNf.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Windows\System32\mljjGArP.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c9be594d-a7a8-485b-83b1-e94ce69ba45c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c9be594d-a7a8-485b-83b1-e94ce69ba45c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f86b11f3-0ce1-475f-9541-5329bf7b3597} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM5f31d2e4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f86b11f3-0ce1-475f-9541-5329bf7b3597} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ssqoohia -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ssqoohia -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\ssqoOhIA.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\AIhOoqss.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\AIhOoqss.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\geBspmKb.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\bfowydws.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\pmnnnoNf.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\mljjGArP.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


Its starting to do my head in now.

Andy

Edited by conoflex, 20 June 2008 - 01:59 PM.

AsRock Fatal1ty Z77 Pro/Intel i7 3770k/Water Cooled

/32GB RipjawX PC3-1866/Aus Xonar D2/PM/Crucial M4 128gb SSD/2TB Hitachi 6gb/2TB Seagate 6gb

/Asus 7970 TOP/Corsair HX 850watt PSU /Bitfenix Shinobi XL/Asus 24x DVDRW/Iiyama Prolite E2773HDS/Akasa Internal DuoSwap Caddy

 


#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,780 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:15 AM

Posted 20 June 2008 - 03:37 PM

Did you reboot the computer after using MBAM? If it encounters a file that is difficult to remove, you need to restart the computer so the malware can be fully removed. Failure to do so will prevent MBAM from removing all the malware. Your log indicates some files will be deleted on reboot. If you have not rebooted, make sure you do this. When done, rescan again with MBAM, click the Logs tab and copy/paste the contents of the new report in your next reply.

Your screenshot appears to have been cut off and its not showing any threat. If its a file, get a second opinion. Go to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file(s) and submit (upload) it for scanning/analysis.
-- Post back with the results of the file analysis.

Also advise exactly what the error said.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#8 conoflex

conoflex
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:15 AM

Posted 21 June 2008 - 06:20 AM

yes did reboot this is the last log file

Malwarebytes' Anti-Malware 1.18
Database version: 871

20:45:11 20/06/2008
mbam-log-6-20-2008 (20-45-11).txt

Scan type: Quick Scan
Objects scanned: 108836
Time elapsed: 12 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\geBspmKb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\pmnnnoNf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\mljjGArP.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\ssqoOhIA.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

IF you look at the screenshot the item at the top of the list is what it reported as the threat (TROJAN:WIN32/VUNDO.GEN!M SEVERE) and the error message at the end is what it said after i tried to delete it, underneath is all that it said about it anything above what u can see does not describe anything about it ONLY what you can see.
That was the trouble it was showing this but couldn't do anything with it.

Must admit all seems clear now but i am going to run another mbam scan later and i will post the log here.

Thanks for the help
Andy

AsRock Fatal1ty Z77 Pro/Intel i7 3770k/Water Cooled

/32GB RipjawX PC3-1866/Aus Xonar D2/PM/Crucial M4 128gb SSD/2TB Hitachi 6gb/2TB Seagate 6gb

/Asus 7970 TOP/Corsair HX 850watt PSU /Bitfenix Shinobi XL/Asus 24x DVDRW/Iiyama Prolite E2773HDS/Akasa Internal DuoSwap Caddy

 


#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,780 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:15 AM

Posted 21 June 2008 - 06:57 AM

I'm using a slow dial-up so maybe the screenshot did not load fully when I tried to view it yesterday resulting in it appearing to be cut off.

The file in question is geBspmKb.dll located in the C:\Windows\system32 folder. MBAB is indicating it removed and deleted that file successfully. So yes, run MBAM again and post a new log. Also continue as follows:

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#10 conoflex

conoflex
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:15 AM

Posted 24 June 2008 - 06:49 AM

this is the latest mbam log i did

Malwarebytes' Anti-Malware 1.18
Database version: 871

10:52:35 24/06/2008
mbam-log-6-24-2008 (10-52-35).txt

Scan type: Quick Scan
Objects scanned: 106172
Time elapsed: 13 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And this is the SUPERAntiSypware log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/24/2008 at 12:35 PM

Application Version : 4.15.1000

Core Rules Database Version : 3489
Trace Rules Database Version: 1480

Scan type : Complete Scan
Total Scan Time : 01:00:47

Memory items scanned : 245
Memory threats detected : 0
Registry items scanned : 9232
Registry threats detected : 0
File items scanned : 223597
File threats detected : 21

Adware.Tracking Cookie
C:\Users\Andy Callear\AppData\Roaming\Microsoft\Windows\Cookies\andy_callear@ads.aol.co[1].txt
C:\Users\Andy Callear\AppData\Roaming\Microsoft\Windows\Cookies\andy_callear@ar.atwola[1].txt
C:\Users\Andy Callear\AppData\Roaming\Microsoft\Windows\Cookies\andy_callear@e-2dj6wbmyalcpkfp.stats.esomniture[1].txt
C:\Users\Andy Callear\AppData\Roaming\Microsoft\Windows\Cookies\andy_callear@e-2dj6wfmyghazeko.stats.esomniture[2].txt
C:\Users\Andy Callear\AppData\Roaming\Microsoft\Windows\Cookies\andy_callear@e-2dj6whkockajgfp.stats.esomniture[2].txt
C:\Users\Andy Callear\AppData\Roaming\Microsoft\Windows\Cookies\andy_callear@ehg-futurepub.hitbox[2].txt
C:\Users\Andy Callear\AppData\Roaming\Microsoft\Windows\Cookies\andy_callear@nextag.co[1].txt
C:\Users\Andy Callear\AppData\Roaming\Microsoft\Windows\Cookies\andy_callear@ontrackinternational[1].txt
C:\Users\Andy Callear\AppData\Roaming\Microsoft\Windows\Cookies\andy_callear@track.asus[1].txt
C:\Users\Andy Callear\AppData\Roaming\Microsoft\Windows\Cookies\andy_callear@tracking.summitmedia.co[1].txt
C:\Users\Andy Callear\AppData\Roaming\Microsoft\Windows\Cookies\andy_callear@www.googleadservices[1].txt
C:\Users\Andy Callear\AppData\Roaming\Microsoft\Windows\Cookies\andy_callear@www.googleadservices[3].txt
C:\Users\Andy Callear\AppData\Roaming\Microsoft\Windows\Cookies\andy_callear@www.googleadservices[6].txt
C:\Users\Andy Callear\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy_callear@adnetserver[2].txt
C:\Users\Andy Callear\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy_callear@apmebf[1].txt
C:\Users\Andy Callear\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy_callear@bs.serving-sys[2].txt
C:\Users\Andy Callear\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy_callear@questionmarket[1].txt
C:\Users\Andy Callear\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy_callear@sales.liveperson[1].txt
C:\Users\Andy Callear\AppData\Roaming\Microsoft\Windows\Cookies\Low\andy_callear@sales.liveperson[2].txt

Unclassified.Unknown Origin
F:\UTILITIES\1 OLD UTILS\NOADWARE 5\KEYGEN.NFO
F:\UTILITIES\ULEAD PHOTO EXPLORER 8.5\ULEAD PHOTOEXPLORER 8.5 - BIDJAN\KEYGEN.NFO

why is it that when i checked the file before opening it found nothing and yet i had all this trouble when i did ?

Do u think i'm all ok now ?

Many thanks for your help
Andy

AsRock Fatal1ty Z77 Pro/Intel i7 3770k/Water Cooled

/32GB RipjawX PC3-1866/Aus Xonar D2/PM/Crucial M4 128gb SSD/2TB Hitachi 6gb/2TB Seagate 6gb

/Asus 7970 TOP/Corsair HX 850watt PSU /Bitfenix Shinobi XL/Asus 24x DVDRW/Iiyama Prolite E2773HDS/Akasa Internal DuoSwap Caddy

 


#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,780 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:15 AM

Posted 24 June 2008 - 08:07 AM

How is your computer running now? Any more reports/signs of infection?
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#12 conoflex

conoflex
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:15 AM

Posted 25 June 2008 - 04:05 AM

It's running smooth and no reports all seems fine :thumbsup:

ONE thing tho why is it that when i checked the file with mbam etc before opening it found nothing and yet i had all this trouble when i did ?


Again many thanks for your time and help.

Andy

AsRock Fatal1ty Z77 Pro/Intel i7 3770k/Water Cooled

/32GB RipjawX PC3-1866/Aus Xonar D2/PM/Crucial M4 128gb SSD/2TB Hitachi 6gb/2TB Seagate 6gb

/Asus 7970 TOP/Corsair HX 850watt PSU /Bitfenix Shinobi XL/Asus 24x DVDRW/Iiyama Prolite E2773HDS/Akasa Internal DuoSwap Caddy

 


#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,780 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:15 AM

Posted 25 June 2008 - 06:44 AM

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

why is it that when i checked the file with mbam etc before opening it found nothing and yet i had all this trouble when i did ?

Sorry but I'm not sure what you are asking here. Checked what file with MBAM?
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#14 conoflex

conoflex
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:15 AM

Posted 28 June 2008 - 05:48 AM

"why is it that when i checked the file with mbam etc before opening it found nothing and yet i had all this trouble when i did ?
Sorry but I'm not sure what you are asking here. Checked what file with MBAM? "


The file i opened that caused all this which had been downloaded i ran mbam and kaspersky on it with "right click" run anti virus and it found nothing as soon as i opened it all this vundo stuff started.

AsRock Fatal1ty Z77 Pro/Intel i7 3770k/Water Cooled

/32GB RipjawX PC3-1866/Aus Xonar D2/PM/Crucial M4 128gb SSD/2TB Hitachi 6gb/2TB Seagate 6gb

/Asus 7970 TOP/Corsair HX 850watt PSU /Bitfenix Shinobi XL/Asus 24x DVDRW/Iiyama Prolite E2773HDS/Akasa Internal DuoSwap Caddy

 


#15 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,780 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:15 AM

Posted 28 June 2008 - 07:56 AM

I'm not sure actually what file activated the infection because there were so many involved. I suspect it could have been the autorun.inf which started things. I do know that MBAM was not responsible.

Vundo/Virtumundo is a Trojan that infects a system with malicious Browser Helper Objects and DLL files attached to Winlogon and Explorer.exe. The infection is responsible for launching annoying pop up advertisements and downloading more malicious files which slows your computer and hampers system performance. Newer variants of Vundo typically use bogus warning messages to indicate that your computer is infected with spyware or has critical errors as a scare tactic to goad you into downloading a rogue security application like WinFixer, WinAntiVirus Pro, ErrorSafe, SystemDoctor, WinAntiSpyware, WinAntiSpy, WinReanimator and others to fix it. The messages can mimic system messages so they appear as if they are generated by the Windows Operating System.

Vundo spreads via Internet Relay Chat (IRC) and peer-to-peer networks, through emails containing links to websites that exploit your web browser’s security holes and by exploiting a vulnerability in older versions of Sun Java. When you click on a link in a Vundo-laced email, Internet Explorer launches a site that stealthy installs the Trojan so that it can run every time you startup Windows.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users