Cant figure this one out...

Alright guys I have a trojan that keeps telling me to Download Antivirus 2009. I am running XP Pro SP1. I can't get any of the other SP's to dl. What it will do is firstly open a new tab on my browser (FireFox Vr. 3.0.4) then it will minimize my browser, bring up a pop-up window and ask me if I would like to download Antivirus 2009. I 'x' out of it but when I open my browser there is the new tab running Antivirus 2009 scan. I have Malwarebytes and have run it in safe and regular mode on my computer. I also get random tab openings in my browser to various sites..(ie Blogs.smacchat.com, yellow.com, fling.com...etc)

Below is a copy of the quick scan log...anyone wanna help me out and let me know what Ive got. I also run spybot Search and Destroy and Ad-aware 7.1.0.11 but when I run that I get an exception and the program shuts down. (I have sent the report to Ad-aware)

Malwarebytes' Anti-Malware 1.30
Database version: 1417
Windows 5.1.2600 Service Pack 1

11/28/2008 5:40:18 PM
mbam-log-2008-11-28 (17-40-13).txt

Scan type: Quick Scan
Objects scanned: 57353
Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 3
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\zaregabi.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\waliriro.dll (Trojan.BHO) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6cfacc67 (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm6fc9fffb (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gutalukidu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\waliriro.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\waliriro.dll -> No action taken.

Folders Infected:
(No malicious items detected)

Here's hoping someone can help me out....

Files Infected:
C:\WINDOWS\system32\zaregabi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ibageraz.ini (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\waliriro.dll (Trojan.BHO) -> No action taken.

Edited by djay72, 28 November 2008 - 06:13 PM.

After you ran Mbam, did you reboot the computer? If not please do so and run and post another scan

I have..the problem seems to go away for a little bit then right back on. But I will try it again.

Alright I ran a scan..and this is what I got...


Malwarebytes' Anti-Malware 1.30
Database version: 1417
Windows 5.1.2600 Service Pack 1

11/28/2008 6:22:44 PM
mbam-log-2008-11-28 (18-22-38).txt

Scan type: Quick Scan
Objects scanned: 57291
Time elapsed: 1 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 5
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\zaregabi.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\waliriro.dll (Trojan.BHO) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pfnoc (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pfnoc (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm6fc9fffb (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gutalukidu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\waliriro.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\waliriro.dll -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\zaregabi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ibageraz.ini (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\waliriro.dll (Trojan.BHO) -> No action taken.
C:\WINDOWS\system32\drivers\evnmqkk.sys (Trojan.Downloader) -> No action taken.


Did the remove and reboot...and ran the scan again... and this is what I got...

Malwarebytes' Anti-Malware 1.30
Database version: 1417
Windows 5.1.2600 Service Pack 1

11/28/2008 6:34:45 PM
mbam-log-2008-11-28 (18-34-42).txt

Scan type: Quick Scan
Objects scanned: 57141
Time elapsed: 3 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gutalukidu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thanks guys...

This will not work with Vista or W 98
------------


Please print out and follow these instructions: "How to use SDFix". <- for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"

• Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
• Please be patient as the scan may take up to 20 minutes to complete.
• When the process is complete, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt.
• If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
• The SDFix report log (Report.txt) will open in Notepad and automatically be saved in the SDFix folder.
• Please copy and paste the contents of Report.txt in your next reply.
• Be sure to re-enable you anti-virus and and other security programs before connecting to the Internet.

Garmanma...how long does this scan usually take...I left this thing run last night for somewhere close to 2 hours with nothing.

Okay ran it just now and everything seemed to work...here is hoping. One question though...I still get a dll that has an error upon start up?

Which one? post it here

Thanks for the quick reply...its the dunumeda.dll

That doesn't appear to be a legit dll. One possibility is, it is a leftover from cleaning up your computer.
As long as your computer is running OK otherwise, you can download Autoruns:
http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx
Open it and look for the .dll and check the box by it.

Other than that I suggest preparing a HJT log following these instructions:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
Then post in the proper forum here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Garmanma..I want to say thanks for helping me get this off of my puter. As for the Dll error..I can live with it.

Guess whats back...I turned off the computer for a while and when I restarted it started again. This is really getting annoying.

Hello djay72,

I see that you have now posted a log in the HiJack This forum here: http://www.bleepingcomputer.com/forums/t/183634/tried-malwarebytes/ Now that you have posted this log, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

The BC Staff