
Partially Removed Antivirus 2008


5 replies to this topic

#1 despondent

despondent

  • Members
  • 41 posts

Posted 24 August 2008 - 09:42 PM

hello moderator,
first of all, thank you for your help in advance.

Somehow I got the antivirus 2008 on my computer. I had the telltale red circle with the white X showing up in the tray, along with the pop-up dialog saying my system was infected. It also randomly rebooted a couple of times and displayed a blue screen of death. I have managed to remove most of the virus (I no longer have the pop-ups, red circle or BSOD), but now when I search in the system registry for the phrase "j0e", a bunch of files still appear. I can clear them out, but upon rebooting they always reappear.

I have run HJT and CF, but from reading previous postings, it seems like the moderators always want to rerun it. Therefore, before posting a log, I will wait to be advised.

thank you

Edited by Orange Blossom, 24 August 2008 - 10:49 PM.
Move to more appropriate forum. ~ OB


#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,577 posts

Posted 24 August 2008 - 11:01 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 despondent

despondent
  • Topic Starter

  • Members
  • 41 posts

Posted 27 August 2008 - 11:01 PM

Logfile after running MB but before rebooting. Also, there are still registry entries with the virus/trojan present.

Malwarebytes' Anti-Malware 1.25
Database version: 1088
Windows 5.1.2600 Service Pack 1

7:57:20 PM 8/27/2008
mbam-log-08-27-2008 (19-57-20).txt

Scan type: Quick Scan
Objects scanned: 40563
Time elapsed: 6 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 13
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\geBtUkiI.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{55cad3ac-571d-4335-b829-f59bd4f7e192} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{55cad3ac-571d-4335-b829-f59bd4f7e192} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\449f2bd4 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\gebtukii -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\gebtukii -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\geBtUkiI.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\IikUtBeg.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\IikUtBeg.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hsifnybn.dll (Trojan.Vundo) -> Delete on reboot.
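As an added illustration, not code from the thread or from Malwarebytes, here is a small Python parser for the MBAM 1.x log layout posted above. It separates detections that were quarantined from those still marked "Delete on reboot", the items that remain on disk and in the registry until the next normal restart. The log text below is a constructed excerpt in the same format as the posted log.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the MBAM 1.x log posted in this thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.25
Database version: 1088

Memory Modules Infected:
C:\WINDOWS\system32\geBtUkiI.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{55cad3ac-571d-4335-b829-f59bd4f7e192} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\gebtukii -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\hsifnybn.dll (Trojan.Vundo) -> Delete on reboot.
"""

# "Files Infected:" etc. open a section; the summary lines with counts end in a digit and are skipped.
SECTION_RE = re.compile(r"^(.+ Infected):$")
# "<path> (<family>) -> [Data: <data> -> ]<action>."
ITEM_RE = re.compile(
    r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$"
)


def parse_mbam_log(text):
    """Return one dict per detection, tagged with the section it came from."""
    items, section = [], None
    for line in text.splitlines():
        line = line.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        item = ITEM_RE.match(line)
        if item and section:
            items.append({"section": section, **item.groupdict()})
    return items


def pending_reboot(items):
    """Detections MBAM could not remove while Windows was running; a normal reboot finishes them."""
    return [i for i in items if i["action"].startswith("Delete on reboot")]


def families(items):
    """Count detections per malware family name as MBAM reported it."""
    return Counter(i["family"] for i in items)
```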

#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,577 posts

Posted 27 August 2008 - 11:09 PM

Please reboot your computer, update and run the scan again.

How's your computer now?

#5 despondent

despondent
  • Topic Starter

  • Members
  • 41 posts

Posted 29 August 2008 - 06:48 PM

hello!
I ran MB twice more. The logfile reads clean. However, searching the registry for remnants of the virus still shows up in the MUICache folder. Should I still be concerned?

And also some icons are deleted: "my computer" and "show desktop".

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,039 posts

Posted 29 August 2008 - 10:24 PM

Hello. From the things I can find, MUI is, by MSFT definition, Multilingual User Interface.

What is Multilingual User Interface Pack (MUI)?
Multilingual User Interface Pack is a set of language specific resource files that can be added to the English version of Windows Professional. When installed on the English version of Windows, MUI allows the user interface language of the operating system to be changed according to the preferences of individual users to one of the 33 supported languages. This allows large corporations to roll out the same worldwide image with a single install job. Local users can then select the user interface language or it can be set by Group Policy for Organizational Units.

MUI also allows different language users to share the same workstation or roaming users to take their localized user interface from one workstation to another. For instance, one user might choose to see system menus, dialogs and other text in Japanese, while another user logging onto the same system might prefer to see the corresponding text in French.


http://www.microsoft.com/globaldev/DrIntl/faqs/muifaq.mspx

Some more interesting info here by inbfedsp


It also handles shell strings. That said, it was noted from all the things I read that you DO NOT want to change anything here.
I would suggest, as I do not have more knowledge on this, that you post a HijackThis log and have the experts there determine if that is malware and how to safely get it out.

Please follow the instructions in this tutorial for posting a HijackThis Log.
Preparation Guide for use before posting a HijackThis Log

After you have created it, post the log here HijackThis Logs and Malware Removal and NOT in this topic, thanks.

Click on New Topic and copy/paste the entire log into the reply. Give it a relevant title, perhaps MUICache.
Once you have posted the log DO NOT reply to it or change it until contacted or advised to do so by the HJT Team tech.
Should you have any other questions about this ask those here.