Virus Alert! In Tray Next To Time


  • This topic is locked
17 replies to this topic

#1 Dit

Dit

  • Members
  • 15 posts

Posted 18 July 2008 - 01:38 PM

I have seen a number of posts on this and have tried to follow the suggested remedies but to no avail. Here are a few additional details to my situation:

- I can only logon as Administrator in Safe Mode.

- No internet access (Right now I'm using another computer, downloading any recommendations to a USB thumbdrive and copying these over to the infected machine.)

- Safe Mode will not allow me to Install any new programs, therefore only executables can be moved and used on the infected machine.

- Running Spybot, SDfix, and Smitfraudfix powers down the computer after these programs run for a few minutes (Note: this is not an overheating problem but a part of the virus)

I'm ready to try anything at this stage ......

BTW, I did get the following rapport file from Smitfraudfix:

SmitFraudFix v2.329

Scan done at 6:19:24.00, Fri 07/18/2008
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

Process

C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\explorer.exe
C:\WINDOWS2\system32\cmd.exe

hosts


C:\


C:\WINDOWS2


C:\WINDOWS2\system


C:\WINDOWS2\Web


C:\WINDOWS2\system32


C:\WINDOWS2\system32\LogFiles


C:\Documents and Settings\Administrator.DITWORK


C:\Documents and Settings\Administrator.DITWORK\Application Data


Start Menu


C:\DOCUME~1\ADMINI~1.DIT\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="OCMAPIHK.DLL"


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS2\\system32\\userinit.exe,"
"System"=""


Rustock



DNS



Scanning for wininet.dll infection


End

#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 18 July 2008 - 03:34 PM

Please try this, it's better in normal mode but run it from safe first.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Dit

Dit
  • Topic Starter

  • Members
  • 15 posts

Posted 18 July 2008 - 03:41 PM

Thanks. As I mentioned above, I have no internet capability on the infected machine so I downloaded the 'manual' updates but don't think they were recognized. I'm running the quick scan now.

#4 Dit

Dit
  • Topic Starter

  • Members
  • 15 posts

Posted 18 July 2008 - 03:43 PM

So far 12 "objects infected" found. I have a doctors appointment but I'll be right back at this when I return in an hour or so. Thanks again, it feels great just being able to do anything with this problem.

#5 Dit

Dit
  • Topic Starter

  • Members
  • 15 posts

Posted 18 July 2008 - 05:35 PM

I followed the instructions, rebooting normally to allow mbam to complete its mission. After about 15-20 minutes the only thing that showed up was the "Virus Alert!" next to the time on the taskbar and nothing else worked. I had to go back into Administrator Safe mode to copy the mbam log to USB thumb drive to be able to send it here. BTW, the Virus Alert! next to the taskbar time also shows up if I logon using my normal user name in Safe Mode. I just noticed logged in under my normal user name in Safe Mode, I also get the "control panel disabled by administrator" as well as no run command, no access to drives, etc.

MBAM log follows:

Malwarebytes' Anti-Malware 1.20
Database version: 930
Windows 5.1.2600 Service Pack 2

11:51:29 AM 7/18/2008
mbam-log-7-18-2008 (11-51-29).txt

Scan type: Quick Scan
Objects scanned: 53090
Time elapsed: 15 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS2\system32\urqQhGXo.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8099a8a-29e7-4002-bac4-0501e982fabf} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b8099a8a-29e7-4002-bac4-0501e982fabf} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f0e42aa6 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows2\system32\urqqhgxo -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows2\system32\urqqhgxo -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS2\system32\urqQhGXo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS2\system32\oXGhQqru.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\oXGhQqru.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\dnawgsyh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\hysgwand.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\wkibbcsg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\gscbbikw.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\clbinit.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dit\Local Settings\Temp\bindsrv2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dit\Local Settings\Temp\atmadm2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dit\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dit\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dit\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dit\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dit\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dit\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Deeter\Desktop\Casino King.lnk (Adware.Casino) -> Quarantined and deleted successfully.

Edited by Dit, 18 July 2008 - 07:22 PM.


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 18 July 2008 - 09:38 PM

Ok this may be a tough one. Reboot PC, update the MBAM then scan again please. Post another log.

#7 Dit

Dit
  • Topic Starter

  • Members
  • 15 posts

Posted 19 July 2008 - 12:29 AM

Since I have no internet connection with the infected machine, I cannot update the MBAM. I've downloaded and unzipped the update databases on my other computer but have not found a way to associate the update databases with the MBAM program when I use it on the infected machine. One other thing, as mentioned before, when I attempted to use Spybot S&D, the computer shut down after SBS&D had found a couple of problems; however, the computer did not shut completely down and when I tried to power on, my "Compaq F10=ROM based setup" screen was completely screwed up and the computer locked. I had to remove the battery and disconnect power to shut down after that. On top of this, when I plug the computer back in, if I simply drop my mouse, the power comes on. If this virus is down into my BIOS, I'm really in trouble.

I just attempted to run MBAM again (sans updates) and after finding the same five problems it initially found before, the power shut off as with the other spyware / malware /anti-virus programs. Looks like it may be time to recover as much as I can and toss this hard drive. I hate to let the bad guys win....these punks should be in jail. I have close to six years' work in jeopardy here --- data related to my work - trying to locate our missing soldiers from the war in Vietnam.

For what it's worth, I finally managed to get through another MBAM quick scan under my user profile in Safe Mode. The log follows: BTW, the Virus Alert! next to the time in the taskbar is gone.

Malwarebytes' Anti-Malware 1.20
Database version: 930
Windows 5.1.2600 Service Pack 2

9:26:33 PM 7/18/2008
mbam-log-7-18-2008 (21-26-33).txt

Scan type: Quick Scan
Objects scanned: 53131
Time elapsed: 15 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS2\system32\urqQhGXo.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{93000739-cc0d-4feb-b82f-5f7c64d7395d} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{93000739-cc0d-4feb-b82f-5f7c64d7395d} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows2\system32\urqqhgxo -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows2\system32\urqqhgxo -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS2\system32\urqQhGXo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS2\system32\oXGhQqru.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\oXGhQqru.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.

Edited by Dit, 19 July 2008 - 02:35 AM.


#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,471 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 19 July 2008 - 06:49 AM

Please open the SDFix folder or download XP_CodecRepair.inf and save it to your desktop. <- for Windows XP ONLY.
  • Right-click on XP_CodecRepair.inf and select Install from the Context menu.
  • Note: To download the .inf file, go to File, choose "Save page as" All Files and save XP_CodecRepair.inf to your desktop.
  • Then log off or reboot to apply the changes.
Since you have no Internet connection, manually download the updates from another computer, save them to a flash (usb, pen, thumb, jump) drive or CD and transfer to the infected machine. Then just double-click on mbam-rules.exe to install. After performing a new scan, click the Logs tab and copy/paste the contents of the new report in your next reply.

Edited by quietman7, 19 July 2008 - 06:50 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#9 Dit

Dit
  • Topic Starter

  • Members
  • 15 posts

Posted 19 July 2008 - 02:59 PM

Slow progress...when I log on under my profile in Safe Mode now, I have access to all drives, the run cmd, and control panel. MBAM log follows: (Note - I did reboot but it shut down the MBAM program prior to shutting down. Also, reboot accomplished normally but when logging on to my profile, the Virus Alert msg next to time is gone from the taskbar, but the hour glass cursor does not surrender to the 'normal' arrow cursor so nothing works. Even though the hour glass cursor remains, suggesting some process is in progress, the drive light does not come on )

Malwarebytes' Anti-Malware 1.21
Database version: 966
Windows 5.1.2600 Service Pack 2

9:55:03 AM 7/19/2008
mbam-log-7-19-2008 (09-55-03).txt

Scan type: Quick Scan
Objects scanned: 52627
Time elapsed: 14 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS2\system32\urqQhGXo.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18857a58-78ad-458f-b23c-70459d51ac35} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{18857a58-78ad-458f-b23c-70459d51ac35} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ef6e2e3c-f57d-49e3-b932-b1ce390eb7e5} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ef6e2e3c-f57d-49e3-b932-b1ce390eb7e5} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{83d71852-60a5-4bc1-87c3-228010451ec2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\evgratsm (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows2\system32\urqqhgxo -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows2\system32\urqqhgxo -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS2\system32\cipqsr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\urqQhGXo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS2\system32\oXGhQqru.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\oXGhQqru.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\eesl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\cwcqbkov.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\gccjbwju.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\jvhuej.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dit\Local Settings\Temporary Internet Files\Content.IE5\4TIJGDU7\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dit\Local Settings\Temporary Internet Files\Content.IE5\O7C741WB\CAZIKF3D (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dit\Local Settings\Temporary Internet Files\Content.IE5\O7C741WB\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\evgratsm.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS2\agpqlrfm.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dit\Local Settings\Temp\lwpwer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Edited by Dit, 19 July 2008 - 03:11 PM.


#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,471 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 19 July 2008 - 05:54 PM

Did you reboot the computer after using MBAM? If it encounters a file that is difficult to remove, you need to restart the computer so the malware can be fully removed. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. Your log indicates some files will be deleted on reboot. If you have not rebooted, make sure you do this. When done, rescan again with MBAM, click the Logs tab and copy/paste the contents of the new report in your next reply. If you did reboot, then rescan again anyway and post a new log.
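The repeated "Delete on reboot" entries across the logs in this thread are the clue to why urqQhGXo.dll comes back after every scan. The following Python triage script is an added example (not code from the thread, from BleepingComputer or from Malwarebytes): it parses MBAM 1.2x logs in the format pasted above, compares two scans for items that survived removal, and maps each locked file to the LSA Notification/Authentication Packages value that makes lsass.exe load it at boot. The two sample logs are constructed abbreviations of the first two logs posted.

```python
"""Cross-scan triage of Malwarebytes' Anti-Malware 1.2x text logs (added example).
Parses the log format pasted in this thread, lists items still pending "Delete on
reboot" and ties each locked file to the registry value that reloads it: the LSA
package values name the DLL, lsass.exe loads it at boot, and a DLL in use stays."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Section headers exactly as MBAM 1.2x prints them; the summary lines carry a
# count ("Files Infected: 3"), so they do not match and are skipped.
SECTIONS = ("Memory Processes Infected:", "Memory Modules Infected:",
            "Registry Keys Infected:", "Registry Values Infected:",
            "Registry Data Items Infected:", "Folders Infected:", "Files Infected:")
# What precedes the final " -> <action>.":  <item> (<family>)[ -> Data: <data>]
HEAD_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[\w.]+)\)(?: -> Data: (?P<data>.+))?$")
LSA_VALUES = ("notification packages", "authentication packages")

@dataclass(frozen=True)
class Detection:
    section: str          # e.g. "Files Infected"
    item: str             # file path or registry key/value
    family: str           # e.g. "Trojan.Vundo"
    data: Optional[str]   # registry data, when MBAM reports it
    action: str           # e.g. "Delete on reboot"

def parse_mbam_log(text):
    """One Detection per result line, tagged with the section it sits in."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line.rstrip(":")
            continue
        if not line or section is None or line.startswith("(No malicious"):
            continue
        head, sep, action = line.rpartition(" -> ")
        m = HEAD_RE.match(head) if sep else None
        if m:
            found.append(Detection(section, m["item"], m["family"], m["data"],
                                   action.rstrip(".")))
    return found

def pending_reboot(found):
    """Detections MBAM could not remove while Windows was running."""
    return [d for d in found if d.action.lower().startswith("delete on reboot")]

def recurring(previous, current):
    """Items found again in the next scan: the removal did not stick."""
    seen = {(d.section, d.item.lower()) for d in previous}
    return [d for d in current if (d.section, d.item.lower()) in seen]

def lsa_loaded_modules(found):
    """Module names the LSA package values tell lsass.exe to load at boot."""
    return {PureWindowsPath(d.data).name.lower() for d in found
            if d.section == "Registry Data Items Infected" and d.data
            and d.item.lower().endswith(LSA_VALUES)}

def explain_locked_files(found):
    """Map each file pending 'Delete on reboot' to the cause the log supports."""
    loaders = lsa_loaded_modules(found)
    reasons = {}
    for d in pending_reboot(found):
        if d.section == "Files Infected":
            stem = PureWindowsPath(d.item).stem.lower()
            reasons[d.item] = ("loaded by lsass.exe via LSA package value"
                               if stem in loaders else "in use; cause not in log")
    return reasons

# Constructed samples, abbreviated from the first two MBAM logs posted above.
SCAN_1 = r"""
Memory Modules Infected:
C:\WINDOWS2\system32\urqQhGXo.dll (Trojan.Vundo) -> Unloaded module successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows2\system32\urqqhgxo -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows2\system32\urqqhgxo -> Delete on reboot.
Files Infected:
C:\WINDOWS2\system32\urqQhGXo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS2\system32\oXGhQqru.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
"""
SCAN_2 = r"""
Memory Modules Infected:
C:\WINDOWS2\system32\urqQhGXo.dll (Trojan.Vundo) -> Unloaded module successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows2\system32\urqqhgxo -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows2\system32\urqqhgxo -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS2\system32\urqQhGXo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS2\system32\oXGhQqru.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
"""
```

Running `explain_locked_files(parse_mbam_log(SCAN_2))` names the LSA package value as the reason the DLL is only ever "Delete on reboot", which is why a normal-mode restart (not Safe Mode) is needed before the next scan can show it gone.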

#11 Dit

Dit
  • Topic Starter

  • Members
  • 15 posts

Posted 19 July 2008 - 07:03 PM

Reboot was accomplished. Still have to run MBAM in Safe Mode (normal mode still inoperable). When I booted in Safe Mode this time, there was no task bar so I had to Cntl-Alt-Del to Task Manager and New Task into Explorer to get a task bar. The "you're in Safe Mode" pop-up kept popping up and wiping out the task bar so I had to CTL-ALT-DEL 3 times before having enough time to run MBAM. If instructed, I will reboot normally following this scan. ((Following normal reboot, still get the hour glass cursor, with no control (including no response from CTL-ALT-DEL) for about ten minutes and then the screen goes black))

New log follows:

Malwarebytes' Anti-Malware 1.21
Database version: 966
Windows 5.1.2600 Service Pack 2

2:00:15 PM 7/19/2008
mbam-log-7-19-2008 (14-00-15).txt

Scan type: Quick Scan
Objects scanned: 52582
Time elapsed: 13 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS2\system32\urqQhGXo.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{297a41b5-3c41-4dc2-8ebc-04f923a3c8d8} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{297a41b5-3c41-4dc2-8ebc-04f923a3c8d8} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows2\system32\urqqhgxo -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows2\system32\urqqhgxo -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS2\system32\urqQhGXo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS2\system32\oXGhQqru.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\oXGhQqru.ini2 (Trojan.Vundo) -> Delete on reboot.

Edited by Dit, 19 July 2008 - 07:19 PM.


#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 19 July 2008 - 10:05 PM

Reboot and scan again. We are making progress. We may need to still run another tool too. These things can take time, it's not unusual.
Still no internet?

#13 Dit

Dit
  • Topic Starter

  • Members
  • 15 posts

Posted 19 July 2008 - 11:20 PM

Still have to use Safe Mode and no internet yet. During the last normal reboot to finish the MBAM cleaning, screen did not go black as before but still no functionality.

Thanks for your continued assistance, log follows:

Malwarebytes' Anti-Malware 1.21
Database version: 966
Windows 5.1.2600 Service Pack 2

6:17:04 PM 7/19/2008
mbam-log-7-19-2008 (18-17-04).txt

Scan type: Quick Scan
Objects scanned: 52514
Time elapsed: 14 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS2\system32\urqQhGXo.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{990f40bd-76d8-426c-a91a-5f9219447e37} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{990f40bd-76d8-426c-a91a-5f9219447e37} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows2\system32\urqqhgxo -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows2\system32\urqqhgxo -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS2\system32\urqQhGXo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS2\system32\oXGhQqru.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\oXGhQqru.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.

Edited by Dit, 19 July 2008 - 11:20 PM.


#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,471 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 20 July 2008 - 06:48 AM

Still have to use Safe Mode and no internet yet

Please clarify what is happening when you try to use normal mode. You said previously it was inoperable. Does that mean you cannot boot into normal mode, all programs don't work in normal mode or only some do?

#15 Dit

Dit
  • Topic Starter

  • Members
  • 15 posts

Posted 20 July 2008 - 09:46 AM

I've given brief descriptions of what has been happening when I boot in normal mode prior to many of my earlier MBAM logs. Things have slowly evolved but since the disappearance of the "Virus Alert!" in the task bar, the computer locks with the hour glass cursor appearing over the task bar but no control. The latest change was - the task bar (with hour glass cursor) remained indefinitely. Prior to that, this screen eventually dropped out leaving only a black screen (with normal cursor). Still continue to have to unplug to shut down as CTL-ALT-DEL has no effect. Step-by-step when I reboot after running MBAM and I receive the "must reboot in order for MBAM to complete the removal process":

1) I answer 'yes' to "must shut down"
2) Computer reboots and I don't hit F8 (normal logon)
3) The windows user logon screen appears giving me my normal logon profile
4) I logon
5) What I have described above.

In anticipation of another MBAM run, I ran MBAM again and got another change - - after the reboot and the user logon screen, a normal (movable) cursor comes up on a black screen but no task bar. CTL-ALT-DEL still does nothing and I have to shut down by unplugging or by holding down the power button. The latest MBAM log follows:

Malwarebytes' Anti-Malware 1.21
Database version: 966
Windows 5.1.2600 Service Pack 2

9:13:19 PM 7/19/2008
mbam-log-7-19-2008 (21-13-19).txt

Scan type: Quick Scan
Objects scanned: 52591
Time elapsed: 14 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS2\system32\urqQhGXo.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b1d51088-31f4-46f3-be44-8f3ce47c089e} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b1d51088-31f4-46f3-be44-8f3ce47c089e} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows2\system32\urqqhgxo -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows2\system32\urqqhgxo -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS2\system32\urqQhGXo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS2\system32\oXGhQqru.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS2\system32\oXGhQqru.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.

Edited by Dit, 20 July 2008 - 10:54 AM.




