Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Registry Keys with Trojan.Vundo, Adware.VideoEgg, Numerous Rogues & Malware


  • Please log in to reply
8 replies to this topic

#1 cjc_999999

cjc_999999

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:01 PM

Posted 17 December 2008 - 09:39 PM

Just downloaded MBAM & ran my first scan with it. It brought up the following problems with my computer.

Malwarebytes' Anti-Malware 1.31
Database version: 1512
Windows 5.1.2600 Service Pack 3

18/12/2008 01:26:50
mbam-log-2008-12-18 (01-26-50).txt

Scan type: Quick Scan
Objects scanned: 67976
Time elapsed: 54 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c6039e6c-bde9-4de5-bb40-768caa584fdc} (Trojan.Vundo) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3ba4271e-5c1e-48e2-b432-d8bf420dd31d} (Rogue.DeusCleaner) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e596df5f-4239-4d40-8367-ebadf0165917} (Rogue.Installer) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{09f1adac-76d8-4d0f-99a5-5c907dadb988} (Rogue.Multiple) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{85589b5d-d53d-4237-a677-46b82ea275f3} (Unknown.Malware) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Not selected for removal.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
E:\Documents and Settings\mike\Local Settings\Application Data\yogqw_navps.dat (Adware.Navipromo.H) -> Quarantined and deleted successfully.
E:\Documents and Settings\mike\Local Settings\Application Data\yogqw_nav.dat (Adware.Navipromo.H) -> Quarantined and deleted successfully.
E:\Documents and Settings\mike\Local Settings\Application Data\yogqw.dat (Adware.Navipromo.H) -> Quarantined and deleted successfully.
E:\Documents and Settings\mike\Local Settings\Application Data\yogqw.exe (Adware.Navipromo.H) -> Quarantined and deleted successfully.

As you can see from this I decided not to remove the infected Registry Keys as I was unsure whether or not it was safe to do this using MBAM. Would just like to know if it is safe to go ahead with this. Thank you very much in advance.

Edited by Orange Blossom, 17 December 2008 - 10:32 PM.
Move from XP forum to Am I Infected. ~ OB


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,488 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:01 AM

Posted 17 December 2008 - 10:55 PM

Yes that's safe. plaese continue.

Folllow with
ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


SAS
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 cjc_999999

cjc_999999
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:01 PM

Posted 18 December 2008 - 09:08 PM

Hi boopme, this is the resultant log that you wished me to paste ... you're step by step guide is second to none btw

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/19/2008 at 01:57 AM

Application Version : 4.23.1006

Core Rules Database Version : 3678
Trace Rules Database Version: 1657

Scan type : Complete Scan
Total Scan Time : 02:51:41

Memory items scanned : 195
Memory threats detected : 0
Registry items scanned : 9637
Registry threats detected : 9
File items scanned : 92918
File threats detected : 3

Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EC93FEF-A9B5-41F5-82D3-9C3E6BF0BD19}
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6EC93FEF-A9B5-41F5-82D3-9C3E6BF0BD19}
HKU\S-1-5-21-1482476501-1229272821-682003330-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6EC93FEF-A9B5-41F5-82D3-9C3E6BF0BD19}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6EC93FEF-A9B5-41F5-82D3-9C3E6BF0BD19}

Adware.ClickSpring/Outer Info Network
HKLM\Software\Outerinfo
HKLM\Software\Outerinfo#InstallDirectory
E:\Program Files\Outerinfo\outerinfo.ico
E:\Program Files\Outerinfo

Trojan.Media-Codec/V3
E:\Program Files\Video ActiveX Access

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\aoprndtws
HKLM\SOFTWARE\Microsoft\FCOVM
HKLM\SOFTWARE\Microsoft\RemoveRP

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,488 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:01 AM

Posted 18 December 2008 - 09:27 PM

Hello again, thank you. Well we have found more junk. Ok I realize my answer to your earlier question may have been vague. I meant it is safe to use "Click Remove" and to do o.
Well now I want you to open MBAM aain. Cick the Update tab,
After that please rescan,Click remove ,post a new log and reboot the PC thanks.
Tell me how the machine is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 cjc_999999

cjc_999999
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:01 PM

Posted 19 December 2008 - 02:59 PM

Hi again, here is my latest log. Understood what you meant in ur first reply to my original post btw but thnx 4 clarifying it. The machine seems to be running much better now, especially the internet.

Malwarebytes' Anti-Malware 1.31
Database version: 1520
Windows 5.1.2600 Service Pack 3

19/12/2008 19:49:45
mbam-log-2008-12-19 (19-49-45).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 243311
Time elapsed: 5 hour(s), 51 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 4
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DFC (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DInf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DnngCon (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DNIdent (Trojan.ConHook) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
E:\Program Files\WebMediaPlayer (Rogue.WebMediaPlayer) -> Quarantined and deleted successfully.
E:\Program Files\WebMediaPlayer\resources (Rogue.WebMediaPlayer) -> Quarantined and deleted successfully.
E:\Program Files\WebMediaPlayer\skins (Rogue.WebMediaPlayer) -> Quarantined and deleted successfully.
E:\Program Files\WebMediaPlayer\updates (Rogue.WebMediaPlayer) -> Quarantined and deleted successfully.

Files Infected:
E:\Program Files\WebMediaPlayer\dxva_sig.txt (Rogue.WebMediaPlayer) -> Quarantined and deleted successfully.
E:\Program Files\WebMediaPlayer\sqlite3.dll (Rogue.WebMediaPlayer) -> Quarantined and deleted successfully.
E:\Program Files\WebMediaPlayer\uninst.exe (Rogue.WebMediaPlayer) -> Quarantined and deleted successfully.
E:\Program Files\WebMediaPlayer\resources\languages_v2.xml (Rogue.WebMediaPlayer) -> Quarantined and deleted successfully.
E:\Program Files\WebMediaPlayer\resources\webmedias (Rogue.WebMediaPlayer) -> Quarantined and deleted successfully.
E:\Program Files\WebMediaPlayer\skins\classic.skn (Rogue.WebMediaPlayer) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\xgpevcwi_navps.dat (Adware.NaviPromo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\xgpevcwi_nav.dat (Adware.NaviPromo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\nvs2.inf (Adware.EGDAccess) -> Quarantined and deleted successfully.
E:\Documents and Settings\All Users\Start Menu\Programs\WebMediaPlayer (Rogue.WebMediaPlayer) -> Delete on reboot.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,488 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:01 AM

Posted 19 December 2008 - 03:37 PM

Ok good. We need to go MBam one more time,get another log. MSJUAN is stubborn.
btw getting media players from suspect sites(and I 'm sure you didn't know they wewre suspect at the time) may have contracted these .
We have a freware link in BC of tested,fre and clean wares... Freeware Replacements For Common Commercial Apps
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 cjc_999999

cjc_999999
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:01 PM

Posted 19 December 2008 - 11:32 PM

Ok this is the result of my last full scan & the log. Wasn't sure what the MSJUAN you mentioned was though.

Malwarebytes' Anti-Malware 1.31
Database version: 1520
Windows 5.1.2600 Service Pack 3

20/12/2008 04:21:43
mbam-log-2008-12-20 (04-21-43).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 241218
Time elapsed: 5 hour(s), 21 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
E:\Documents and Settings\All Users\Start Menu\Programs\WebMediaPlayer (Rogue.WebMediaPlayer) -> Delete on reboot.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,488 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:01 AM

Posted 20 December 2008 - 12:01 AM

OK looks real good. If there are no more signs that you have any infections then,,

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 cjc_999999

cjc_999999
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:01 PM

Posted 20 December 2008 - 11:02 AM

Thank you very much for all your help. Hopefully now my system will stay clean & run smoothly. Just one other thing that is bugging me about the computer at the mo. The (D:) drive has taken to disappearing whenever it likes over this last few months. Currently, if I try to click on it it gives me this message

D:\ is not accesible

The file or directory is corrupted & unreadable.

Probably should have mentioned this with my original post but the strange thing is it reappears again just whenever it wants as tho nothing had happened to it.

Edited by cjc_999999, 20 December 2008 - 11:10 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users