
Vundo Variant


#1 willyk

Posted 23 July 2008 - 03:28 AM

Hi Guys,

Yesterday the problems began. First of all, IE and Firefox would load but would not let me search anything in Google; no ads popping up or anything, only this.

Now Firefox just crashes; Safari is all I can use.

I tried many things to remove it but couldn't. As it sits, I have uninstalled all antivirus software and internet monitoring software and just ran SUPERAntiSpyware in safe mode. Here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/23/2008 at 03:21 PM

Application Version : 4.15.1000

Core Rules Database Version : 3512
Trace Rules Database Version: 1503

Scan type : Quick Scan
Total Scan Time : 00:07:36

Memory items scanned : 475
Memory threats detected : 1
Registry items scanned : 403
Registry threats detected : 7
File items scanned : 6036
File threats detected : 2

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\OPNNKLCU.DLL
C:\WINDOWS\SYSTEM32\OPNNKLCU.DLL

Trojan.Vundo-Variant/Small-GEN
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FAACD536-5601-47AD-8266-90A3107C7396}
HKCR\CLSID\{FAACD536-5601-47AD-8266-90A3107C7396}
HKCR\CLSID\{FAACD536-5601-47AD-8266-90A3107C7396}\InprocServer32
HKCR\CLSID\{FAACD536-5601-47AD-8266-90A3107C7396}\InprocServer32#ThreadingModel

Adware.Tracking Cookie
C:\Documents and Settings\compaq\Cookies\compaq@atdmt[2].txt

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\aoprndtws
HKLM\SOFTWARE\Microsoft\RemoveRP
HKU\S-1-5-21-1004336348-1682526488-725345543-1003\Software\Microsoft\rdfa

I have also run Malwarebytes, and this is the report:

Malwarebytes' Anti-Malware 1.22
Database version: 982
Windows 5.1.2600 Service Pack 2

16:06:49 23/07/2008
mbam-log-7-23-2008 (16-06-49).txt

Scan type: Quick Scan
Objects scanned: 39198
Time elapsed: 3 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\opnnkLCU.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\wxqslrel.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{faacd536-5601-47ad-8266-90a3107c7396} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{faacd536-5601-47ad-8266-90a3107c7396} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\VnrPack (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Deewoo Network Manager (Adware.Radio) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\28b46bf1 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm2b87586d (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\opnnklcu -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\opnnklcu -> Delete on reboot.

Folders Infected:
C:\Program Files\VnrPack (Adware.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\opnnkLCU.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\UCLknnpo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UCLknnpo.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wxqslrel.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lerlsqxw.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\plate611.exe (Adware.Rabio) -> Quarantined and deleted successfully.
C:\Program Files\VnrPack\trgts.gz (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winpfz33.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wyktflfq.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\BM2b87586d.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM2b87586d.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\compaq\Start Menu\Programs\Startup\DW_Start.lnk (Malware.Links) -> Quarantined and deleted successfully.
C:\Documents and Settings\compaq\Start Menu\Programs\Startup\Deewoo.lnk (Malware.Links) -> Quarantined and deleted successfully.


I am running Windows XP, and this happened after an installation of ESET AV and Internet Security.


I shall await instruction.

Thanks

Edited by willyk, 23 July 2008 - 04:13 AM.



#2 Guest_superbird_*

Posted 23 July 2008 - 05:09 AM

Hi,

Run MBAM again, and post the logfile that opens. :thumbsup:

Edited by superbird, 23 July 2008 - 05:11 AM.