Vundo Infection - Need explicit help


26 replies to this topic

#1 TechHopeless

TechHopeless

  • Members
  • 16 posts

Posted 10 December 2008 - 11:57 PM

Hi all. I recently acquired what I believe to be the Vundo virus. I get the non-stop pop-ups and cannot seem to get rid of it. I've run McAfee, Stinger, Malware Bytes, Ad-Aware... I think that's everything. In typical Vundo fashion, after deleting the infected files found by the scans, they reappear after restarting the computer or using the internet again. I found one suggested fix that involved booting the computer in safe mode with commands and just deleting the files listed by the scans. This didn't work for me, as all my commands got "file not found" responses. I am unsure what to do at this point and would prefer not to fiddle around with things without knowing what I'm doing.

Any help would be really appreciated. Also, if you could be as explicit as possible in your suggestions, I would really appreciate that, as I likely do not know some of the terminology or steps that are obvious to you guys.

Thanks so much.


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 11 December 2008 - 12:02 AM

Hello, run the Malware Bytes again and post the log so we can see what was listed. Also, what operating system is this?

Then Run ATF...
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Also SAS
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 TechHopeless

TechHopeless
  • Topic Starter

  • Members
  • 16 posts

Posted 11 December 2008 - 12:08 AM

This is Windows XP Home. Gross, I know.

Should I run the quick scan or the full scan on Malware Bytes?

Also, I forgot to mention, I ran the VundoFix scan as well.

I'll follow your other instructions and get back to you. Thanks so much for the speedy reply... I was starting to feel pretty hopeless, as evidenced by my choice of username.... :thumbsup:

#4 TechHopeless

TechHopeless
  • Topic Starter

  • Members
  • 16 posts

Posted 11 December 2008 - 12:25 AM

Below is the log from a quick scan on Malware Bytes.

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

12/10/2008 11:21:18 PM
mbam-log-2008-12-10 (23-21-10).txt

Scan type: Quick Scan
Objects scanned: 49941
Time elapsed: 5 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 18
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.94;85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.94;85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b146e589-602f-4d08-ad9a-3cea20499066}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.94;85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b146e589-602f-4d08-ad9a-3cea20499066}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.94;85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bab518dd-90cb-4ac0-a7c9-6b71d57e939f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.94;85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bab518dd-90cb-4ac0-a7c9-6b71d57e939f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.94;85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.94;85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.94;85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b146e589-602f-4d08-ad9a-3cea20499066}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.94;85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b146e589-602f-4d08-ad9a-3cea20499066}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.94;85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{bab518dd-90cb-4ac0-a7c9-6b71d57e939f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.94;85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{bab518dd-90cb-4ac0-a7c9-6b71d57e939f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.94;85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.94;85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.94;85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{b146e589-602f-4d08-ad9a-3cea20499066}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.94;85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{b146e589-602f-4d08-ad9a-3cea20499066}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.94;85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{bab518dd-90cb-4ac0-a7c9-6b71d57e939f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.94;85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{bab518dd-90cb-4ac0-a7c9-6b71d57e939f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.94;85.255.112.19 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



My previous scans listed lots of infected files in C:/WINDOWS/system32. Also, one included a "rootkit.agent" which I read was pretty serious??

Let me know if I need to run the full Malware Bytes scan or if I should go ahead with your other steps. Thanks!!!

#5 TechHopeless

TechHopeless
  • Topic Starter

  • Members
  • 16 posts

Posted 11 December 2008 - 02:29 AM

I followed the rest of your instructions but something didn't work correctly. Once the SAS scan finished in safe mode and I clicked "next," I did not have the option to click "OK" and "Finish" before rebooting. Rather, it said that a reboot was necessary to complete the scan and asked if I wanted to reboot. I clicked "Yes" and, after opening SAS again and trying to find the log to copy/paste here, there were no logs listed. SAS did find 62 infections, including two with "rootkit" in the description.

I haven't had any pop-ups yet in navigating to this site. Perhaps that fixed it already? I will re-run the SAS scan in safe mode overnight and see if it picks up anything else and if it lets me get a log this time.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 11 December 2008 - 11:49 AM

Hello, a couple more things. I see the "No Action Taken"; this is usually the result of not clicking Remove Selected after the scan completes. Also, the version of MBAM is not updated. So let's be certain. Open MBAM, select Update, rescan, Remove Selected... Reboot and post another log. Run SAS and post that log also.
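The MBAM log posted in #4 and boopme's point above about "No action taken" are the two things a helper reads first: which detection families are present, whether anything was actually removed, and, for the Trojan.DNSChanger entries, which resolver addresses were written into the NameServer and DhcpNameServer values. The script below is an added example for this thread; it is not code from the thread, from Malwarebytes or from BleepingComputer. It parses a log in the layout of the posted MBAM 1.31 reports (the sample input is constructed here from entries that appear in the thread), lists the findings that were left with "No action taken", and flags any DNS resolver outside the networks you expect. The "trusted" networks are an assumption of the example (RFC 1918 space, as with a home router handing out DNS); replace them with your own ISP's resolvers.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample input: an abridged log in the layout of the Malwarebytes'
# Anti-Malware 1.31 reports posted in this thread, assembled from entries that
# appear in them (same registry paths, detection names, DNS values, file names).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.31
Database version: 1456
Scan type: Quick Scan

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.94;85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.94;85.255.112.19 -> No action taken.

Files Infected:
C:\gywtb.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# A section header is "<Category> Infected:" with nothing after the colon;
# the summary block at the top of a real log has counts there and is skipped.
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")

# One detection line: <item> (<family>) [-> Data: <value>] -> <action>.
FINDING_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[\w.\-]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?"
    r"(?P<action>.+?)\.?$"
)

# Assumption for this example: resolvers are expected on the local LAN
# (RFC 1918 space, as with a home router). Replace with your ISP's resolvers.
DEFAULT_TRUSTED = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)


@dataclass(frozen=True)
class Finding:
    section: str          # e.g. "Registry Data Items Infected"
    item: str             # registry path or file path
    family: str           # detection name, e.g. "Trojan.DNSChanger"
    data: Optional[str]   # value payload for "Registry Data Items" entries
    action: str           # what MBAM did, e.g. "No action taken"


def parse_mbam_log(text: str) -> List[Finding]:
    """Walk the log section by section and collect every detection line."""
    findings: List[Finding] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        # Skip the preamble and "(No malicious items detected)" lines.
        if section is None or line.startswith("("):
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append(Finding(section, m.group("item"), m.group("family"),
                                    m.group("data"), m.group("action")))
    return findings


def unresolved(findings: List[Finding]) -> List[Finding]:
    """Detections that were listed but not removed (Remove Selected not clicked)."""
    return [f for f in findings if f.action.lower().startswith("no action taken")]


def hijacked_dns(findings: List[Finding], trusted=DEFAULT_TRUSTED) -> List[str]:
    """Resolver addresses in NameServer/DhcpNameServer values that fall outside
    the trusted networks; sorted so the output is stable."""
    suspects = set()
    for f in findings:
        if f.data is None or not f.item.lower().endswith("nameserver"):
            continue
        for server in f.data.split(";"):
            try:
                addr = ip_address(server.strip())
            except ValueError:
                continue  # empty or non-IP payload
            if not any(addr in net for net in trusted):
                suspects.add(server.strip())
    return sorted(suspects)


def triage(text: str, trusted=DEFAULT_TRUSTED) -> dict:
    """One-shot summary a helper would want before replying to a poster."""
    findings = parse_mbam_log(text)
    return {
        "total": len(findings),
        "unresolved": len(unresolved(findings)),
        "families": sorted({f.family for f in findings}),
        "rogue_dns": hijacked_dns(findings, trusted),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it on a saved mbam-log-*.txt by reading the file into `triage()`. A non-empty `rogue_dns` list after cleanup means the NameServer values still point at resolvers you did not configure, which is worth checking again (and in every ControlSetNNN, as the posted log shows) even once the pop-ups have stopped; a non-zero `unresolved` count means the scan only reported and nothing was removed yet.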

#7 TechHopeless

TechHopeless
  • Topic Starter

  • Members
  • 16 posts

Posted 11 December 2008 - 11:54 AM

Thanks for the reply. The "No Action Taken" is there because I wasn't sure if removing the files this time around would affect the log. I have been removing them every other time though. I will update it, though.

Also, I re-ran SAS and again, it prompted me to reboot after I pressed "next" on deleting the files. I had no option to press "finish" before rebooting and found, upon reboot, no log in SAS.

I'm unfortunately away from my infected computer (it's finals week and I have a lot to do!) so I won't be able to continue this process until later this evening. Just don't want you to think I'm done / it's fixed / I've given up. Thanks. :thumbsup:

#8 TechHopeless

TechHopeless
  • Topic Starter

  • Members
  • 16 posts

Posted 11 December 2008 - 11:56 AM

I should also mention that I was able to do a Windows update this morning and didn't have any popups when navigating to weather.com. The only thing that seems to be persisting through the last few scans I've done is something like HKEY\SYSTEM\MS JUAN. Which I know is bad. My computer seems to be acting more normal but if that's still showing up I'm sure it isn't fixed....

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 11 December 2008 - 12:11 PM

Ok, take your time, we'll be here. Running the scans, updating, removing and rebooting is good.
Never edit the registry without backing it up first in case you need to recover!!
USE..
ERUNT
Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Or Windows
Registry edits can be potentially dangerous; we can revert to the backup if needed.
Go to Start > Run, type regedit and click OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to File > Export
    • Make sure in that window there is a tick next to "All" under Export Branch.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put RegBackup.
  • Choose to save it to C:\
  • Click save and then go to File Exit.


#10 TechHopeless

TechHopeless
  • Topic Starter

  • Members
  • 16 posts

Posted 11 December 2008 - 02:36 PM

Sorry, I'm sure this is an incredibly basic question, but Malware Bytes won't let me check for updates and says my firewall needs to allow it. How do I change my firewall preferences? Or, is there a website where I can d/l the updates? I got Malware Bytes from my university's computer helpdesk on a disk dated the 8th, so I assumed it was completely updated.

EDIT: I found Windows Firewall on my control panel and specified that it allow Malware Bytes. However, I am still getting the error message when I try to update Malware Bytes. I have version 1.31, which is the most recent I can find online.

Edited by TechHopeless, 11 December 2008 - 02:48 PM.


#11 TechHopeless

TechHopeless
  • Topic Starter

  • Members
  • 16 posts

Posted 11 December 2008 - 03:02 PM

I called my university's help center and they think I have the most recent version too?

Anyways, here's the latest MB scan (after having done the SAS scan twice). This is the log from a quick scan, though. Do I need to do the complete scan instead?

And, since I'm having trouble getting a log for SAS, should I click no when it asks to reboot immediately, see if I can save the log, and then reboot it myself? I'm guessing that's what I should try next.

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

12/11/2008 1:29:27 PM
mbam-log-2008-12-11 (13-29-27).txt

Scan type: Quick Scan
Objects scanned: 49459
Time elapsed: 4 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 11 December 2008 - 03:31 PM

Sorry for the confusion.
Malwarebytes' Anti-Malware 1.31 <<< is the correct version
Database version: 1456 <<< is outdated, at 1490 now.

Here are the full instructions for MBAM... there's a manual download link there too, in the green text.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Edited by boopme, 11 December 2008 - 03:31 PM.


#13 TechHopeless

TechHopeless
  • Topic Starter

  • Members
  • 16 posts

Posted 11 December 2008 - 04:31 PM

"MBAM will automatically start and you will be asked to update the program before performing a scan.

* If an update is found, the program will automatically update itself.
* Press the OK button to close that box and continue.
* If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine."




I clicked on the link you had there, saved the exe file, and ran it. I checked my copy of MB and it now says that it is 1475. Is that now the most recent or are you correct that I need to get to 1490? And if that's the case, should I just uninstall / reinstall MB at this point?

Also, I've found something odd with SAS. I can't view any logs under preferences. However, when I check that tab while running the program in safe mode, they are listed! This seems odd....

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 11 December 2008 - 04:45 PM

Yes, reinstall. Sometimes the SAS logs come back on reboot; I don't know why, but I have seen them do it.

#15 TechHopeless

TechHopeless
  • Topic Starter

  • Members
  • 16 posts

Posted 11 December 2008 - 05:35 PM

Finally, success!!

I'm posting a few things here. The first is my most recent MB scan. It is with the newest updated version of MB (I reinstalled) and is a quick scan. Please let me know if you need a complete scan.

The second two are two of my SAS scans. One is the first one I did last night that yielded 60+ results. The second is the most recent, with the files that seem to be persisting.

I won't be back at my computer until late this evening (off to work). Thanks in advance!!!


MB SCAN:

Malwarebytes' Anti-Malware 1.31
Database version: 1490
Windows 5.1.2600 Service Pack 3

12/11/2008 4:13:18 PM
mbam-log-2008-12-11 (16-13-18).txt

Scan type: Quick Scan
Objects scanned: 49903
Time elapsed: 9 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\gywtb.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msqpdxyavuncur.dll (Trojan.Agent) -> Quarantined and deleted successfully.





SAS SCAN 1:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/11/2008 at 00:53 AM

Application Version : 4.23.1006

Core Rules Database Version : 3661
Trace Rules Database Version: 1641

Scan type : Complete Scan
Total Scan Time : 01:02:35

Memory items scanned : 160
Memory threats detected : 1
Registry items scanned : 4642
Registry threats detected : 54
File items scanned : 14573
File threats detected : 7

Adware.Vundo/Variant
C:\WINDOWS\SYSTEM32\ZZCZIF.DLL
C:\WINDOWS\SYSTEM32\ZZCZIF.DLL
C:\WINDOWS\SYSTEM32\OBPRHFRW.DLL

Rootkit.NDisProt/Fake
HKLM\System\ControlSet001\Services\Ndisprot.sys
C:\WINDOWS\SYSTEM32\DRIVERS\NDISPROT.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_Ndisprot.sys
HKLM\System\ControlSet003\Services\Ndisprot.sys
HKLM\System\ControlSet003\Enum\Root\LEGACY_Ndisprot.sys
HKLM\System\CurrentControlSet\Services\Ndisprot.sys
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_Ndisprot.sys

Rootkit.Cloaked/Service-GEN
HKLM\system\controlset001\services\msqpdxserv.sys
C:\WINDOWS\SYSTEM32\DRIVERS\MSQPDXPXOEOTPA.SYS
HKLM\system\controlset003\services\msqpdxserv.sys

Trojan.Unknown Origin
C:\WINDOWS\system32\sn.txt

Trojan.DNS-Changer (Hi-Jacked DNS)
HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{B146E589-602F-4D08-AD9A-3CEA20499066}#NAMESERVER
HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{BAB518DD-90CB-4AC0-A7C9-6B71D57E939F}#NAMESERVER
HKLM\SYSTEM\CONTROLSET003\SERVICES\TCPIP\PARAMETERS\INTERFACES\{B146E589-602F-4D08-AD9A-3CEA20499066}#NAMESERVER
HKLM\SYSTEM\CONTROLSET003\SERVICES\TCPIP\PARAMETERS\INTERFACES\{BAB518DD-90CB-4AC0-A7C9-6B71D57E939F}#NAMESERVER

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\MS Juan
HKLM\SOFTWARE\Microsoft\MS Juan#RID
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\virtumonde+removal
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\virtumonde+removal#LU
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\virtumonde+removal#CT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\virtumonde+removal#LT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LBL
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#MN
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT
HKLM\SOFTWARE\Microsoft\MS Track System
HKLM\SOFTWARE\Microsoft\MS Track System#Uid
HKLM\SOFTWARE\Microsoft\MS Track System#Click1
HKLM\SOFTWARE\Microsoft\MS Track System#Uqs

Rogue.Component/Trace
HKLM\Software\Microsoft\58AFDF81
HKLM\Software\Microsoft\58AFDF81#58afdf81
HKLM\Software\Microsoft\58AFDF81#Version
HKLM\Software\Microsoft\58AFDF81#58af7201
HKLM\Software\Microsoft\58AFDF81#58af1be4

Trojan.Zlob/Media-Codec
C:\DOCUMENTS AND SETTINGS\ALYSSA BLUHM\LOCAL SETTINGS\TEMP\MEDIACODEC.EXE

Trojan.BotNet/Dropper
C:\DOCUMENTS AND SETTINGS\ALYSSA BLUHM\LOCAL SETTINGS\TEMP\TMP397.TMP




SAS SCAN 2:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/11/2008 at 03:12 PM

Application Version : 4.23.1006

Core Rules Database Version : 3661
Trace Rules Database Version: 1641

Scan type : Complete Scan
Total Scan Time : 01:04:27

Memory items scanned : 160
Memory threats detected : 0
Registry items scanned : 4636
Registry threats detected : 8
File items scanned : 14817
File threats detected : 0

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\MS Juan
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan



