Can't figure this one out...


12 replies to this topic

#1 djay72

Posted 28 November 2008 - 05:55 PM

Alright guys, I have a trojan that keeps telling me to download Antivirus 2009. I am running XP Pro SP1. I can't get any of the other SPs to download. What it will do is firstly open a new tab in my browser (Firefox v. 3.0.4), then it will minimize my browser, bring up a pop-up window and ask me if I would like to download Antivirus 2009. I 'x' out of it, but when I open my browser there is the new tab running the Antivirus 2009 scan. I have Malwarebytes and have run it in safe and regular mode on my computer. I also get random tab openings in my browser to various sites (i.e. Blogs.smacchat.com, yellow.com, fling.com, etc.).

Below is a copy of the quick scan log... anyone wanna help me out and let me know what I've got? I also run Spybot Search & Destroy and Ad-Aware 7.1.0.11, but when I run that I get an exception and the program shuts down. (I have sent the report to Ad-Aware.)

Malwarebytes' Anti-Malware 1.30
Database version: 1417
Windows 5.1.2600 Service Pack 1

11/28/2008 5:40:18 PM
mbam-log-2008-11-28 (17-40-13).txt

Scan type: Quick Scan
Objects scanned: 57353
Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 3
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\zaregabi.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\waliriro.dll (Trojan.BHO) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6cfacc67 (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm6fc9fffb (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gutalukidu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\waliriro.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\waliriro.dll -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\zaregabi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ibageraz.ini (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\waliriro.dll (Trojan.BHO) -> No action taken.

Here's hoping someone can help me out.... :thumbsup:

Edited by djay72, 28 November 2008 - 06:13 PM.


#2 garmanma

  • Staff Emeritus

Posted 28 November 2008 - 06:17 PM

After you ran MBAM, did you reboot the computer? If not, please do so, then run and post another scan.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 djay72

Posted 28 November 2008 - 06:18 PM

I have. The problem seems to go away for a little bit, then it's right back on. But I will try it again.

#4 djay72

Posted 28 November 2008 - 06:37 PM

Alright, I ran a scan, and this is what I got...


Malwarebytes' Anti-Malware 1.30
Database version: 1417
Windows 5.1.2600 Service Pack 1

11/28/2008 6:22:44 PM
mbam-log-2008-11-28 (18-22-38).txt

Scan type: Quick Scan
Objects scanned: 57291
Time elapsed: 1 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 5
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\zaregabi.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\waliriro.dll (Trojan.BHO) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pfnoc (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pfnoc (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm6fc9fffb (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gutalukidu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\waliriro.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\waliriro.dll -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\zaregabi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ibageraz.ini (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\waliriro.dll (Trojan.BHO) -> No action taken.
C:\WINDOWS\system32\drivers\evnmqkk.sys (Trojan.Downloader) -> No action taken.


I did the remove and reboot, ran the scan again, and this is what I got...

Malwarebytes' Anti-Malware 1.30
Database version: 1417
Windows 5.1.2600 Service Pack 1

11/28/2008 6:34:45 PM
mbam-log-2008-11-28 (18-34-42).txt

Scan type: Quick Scan
Objects scanned: 57141
Time elapsed: 3 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gutalukidu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thanks guys...
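The logs in the first post and the three above show the pattern worth reading closely: every entry ends in "No action taken", so each log records detection only and nothing was removed when it was written; the second scan lists a service (Services\pfnoc) and a kernel driver (drivers\evnmqkk.sys) that the first scan did not; and after the remove-and-reboot only the Run value gutalukidu is still reported. The companion file ibageraz.ini is zaregabi.dll spelled backwards. The Python script below is an added example, not part of the original thread and not Malwarebytes code: it parses MBAM 1.x log lines, tags each finding with the autostart mechanism it abuses (the mechanism labels are the editor's own, not MBAM's), flags logs that removed nothing, spots reversed-name companions, and diffs successive scans so the entries that survived stand out. The three SCAN_ strings are constructed subsets of the posted logs, trimmed to the section headers and the entries needed for the diff.

```python
"""Parse MBAM 1.x text logs, tag findings by autostart mechanism, diff scans.
Added example for this thread; SCAN_* are constructed subsets of the posted logs."""
import re
from collections import Counter

SCAN_1 = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6cfacc67 (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gutalukidu (Trojan.Agent) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\waliriro.dll -> No action taken.
Files Infected:
C:\WINDOWS\system32\zaregabi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ibageraz.ini (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\waliriro.dll (Trojan.BHO) -> No action taken.
"""
SCAN_2 = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pfnoc (Trojan.Downloader) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gutalukidu (Trojan.Agent) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\waliriro.dll -> No action taken.
Files Infected:
C:\WINDOWS\system32\zaregabi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ibageraz.ini (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\waliriro.dll (Trojan.BHO) -> No action taken.
C:\WINDOWS\system32\drivers\evnmqkk.sys (Trojan.Downloader) -> No action taken.
"""
SCAN_3 = r"""
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gutalukidu (Trojan.Agent) -> No action taken.
"""

# One finding per line: "<item> (<detection>) -> [Data: <data> -> ]<action>."
ENTRY = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> "
                   r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$")

# Where each kind of entry gets its foothold (editor's labels); first match wins.
MECHANISMS = [
    (r"\\AppInit_DLLs$", "AppInit_DLLs: DLL loaded into every process that loads user32.dll"),
    (r"\\CurrentVersion\\Run\\", "Run key: started at every logon"),
    (r"\\ShellServiceObjectDelayLoad\\", "SSODL: COM object loaded by explorer.exe"),
    (r"\\SharedTaskScheduler\\", "SharedTaskScheduler: COM object loaded by explorer.exe"),
    (r"^HKEY_CLASSES_ROOT\\CLSID\\", "CLSID: COM class registration behind a BHO"),
    (r"\\Services\\", "service or driver registration"),
    (r"\\drivers\\[^\\]+\.sys$", "kernel driver on disk"),
    (r"\.dll$", "DLL on disk"),
    (r"\.ini$", "companion data file"),
]

def mechanism(item):
    for pattern, label in MECHANISMS:
        if re.search(pattern, item, re.IGNORECASE):
            return label
    return "other"

def parse_log(text):
    """Return one dict per finding, tagged with its log section and mechanism."""
    hits, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):
            section = line[:-len(" Infected:")]
        elif (m := ENTRY.match(line)):
            hits.append(dict(m.groupdict(), section=section, mechanism=mechanism(m["item"])))
    return hits

def nothing_removed(hits):
    """True when the log documents detection only: nothing was quarantined."""
    return bool(hits) and all(h["action"] == "No action taken" for h in hits)

def diff_scans(before, after):
    """Case-insensitive diff on the item path; 'survived' is the list to worry about."""
    b = {h["item"].lower() for h in before}
    a = {h["item"].lower() for h in after}
    return {"survived": sorted(b & a), "new": sorted(a - b), "gone": sorted(b - a)}

def reversed_name_pairs(hits):
    """Vundo-style companions: ibageraz.ini is zaregabi.dll spelled backwards."""
    stems = set()
    for h in hits:
        m = re.search(r"([a-z0-9]+)\.(?:dll|ini|sys)$", h["item"], re.IGNORECASE)
        if m:
            stems.add(m[1].lower())
    return sorted((s, s[::-1]) for s in stems if s < s[::-1] and s[::-1] in stems)

if __name__ == "__main__":
    scans = [parse_log(s) for s in (SCAN_1, SCAN_2, SCAN_3)]
    for n, hits in enumerate(scans, 1):
        print(f"scan {n}: nothing removed={nothing_removed(hits)}",
              dict(Counter(h["mechanism"] for h in hits)))
    print("reversed-name pairs:", reversed_name_pairs(scans[0]))
    print("scan 1 -> 2:", diff_scans(scans[0], scans[1]))
    print("scan 2 -> 3:", diff_scans(scans[1], scans[2]))
```

Run it with python3 to print the per-scan mechanism counts, the reversed-name pair, and the two diffs; for a real mbam-log-*.txt, read the file and pass its contents to parse_log(). The AppInit_DLLs entry deserves the most attention in this kind of log: on XP that value is loaded into every process that loads user32.dll, which is why the browser keeps getting new tabs even after the visible files are gone.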

#5 garmanma

  • Staff Emeritus

Posted 28 November 2008 - 06:54 PM

This will not work with Vista or Windows 98
------------


Please print out and follow these instructions: "How to use SDFix". <- for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real-time protection programs before performing a scan.
  • Please be patient, as the scan may take up to 20 minutes to complete.
  • When the process is complete, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

Mark

#6 djay72

Posted 29 November 2008 - 08:26 AM

Garmanma... how long does this scan usually take? I left this thing running last night for somewhere close to 2 hours with nothing. :thumbsup:

#7 djay72

Posted 29 November 2008 - 09:13 AM

Okay, I ran it just now and everything seemed to work... here's hoping. One question, though: I still get a DLL that has an error upon start-up?

#8 garmanma

  • Staff Emeritus

Posted 29 November 2008 - 09:19 AM

Which one? Post it here.
Mark

#9 djay72

Posted 29 November 2008 - 09:28 AM

Thanks for the quick reply... it's the dunumeda.dll.

#10 garmanma

  • Staff Emeritus

Posted 29 November 2008 - 01:05 PM

That doesn't appear to be a legit DLL. One possibility is that it is a leftover from cleaning up your computer.
As long as your computer is running OK otherwise, you can download Autoruns:
http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx
Open it and look for the .dll and check the box by it.

Other than that, I suggest preparing an HJT log following these instructions:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
Then post in the proper forum here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
Mark

#11 djay72

Posted 29 November 2008 - 06:30 PM

Garmanma, I want to say thanks for helping me get this off of my 'puter. As for the DLL error, I can live with it.

#12 djay72

Posted 29 November 2008 - 09:16 PM

Guess what's back... I turned off the computer for a while and when I restarted it, it started again. This is really getting annoying. :thumbsup:

#13 Orange Blossom

  • Moderator

Posted 02 December 2008 - 10:26 PM

Hello djay72,

I see that you have now posted a log in the HiJack This forum here: http://www.bleepingcomputer.com/forums/t/183634/tried-malwarebytes/ Now that you have posted this log, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

The BC Staff
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



