Another Antivirus 2009 infestation


12 replies to this topic

#1 Jeff Roper

Posted 27 December 2008 - 01:24 AM

I have those annoying pop ups caused by Antivirus 2009. I have not installed Antivirus 2009, at least it doesn't show up in my add/remove list. I am running XP Pro SP3. I use Firefox 3. I have run Malwarebytes Anti-Malware several times. It finds malware and removes it, but the problems still exist. Each time I run Anti-Malware, it finds more problems. I think I need professional help with this one.

Thanks,

Jeff


#2 Guest_superbird_*

Posted 27 December 2008 - 04:53 AM

Hi,

First do a new full scan with MBAM, and post the logfile in your next reply.

Also, do this:
Please use the Internet Explorer browser (or Firefox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:Scan Archives
      Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
[Screenshot: the "Scan is completed" window, with the "Save Report As" button marked by a red arrow]
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

#3 Jeff Roper

Posted 27 December 2008 - 02:55 PM

Below is the MWB report. I will run the Kaspersky Online Scanner next. I just installed AVG Anti-Virus yesterday and it was popping up with infection warnings while MWB was scanning. I will run a scan with it too since it has not done one yet.

Thanks,

Jeff

Malwarebytes' Anti-Malware 1.31
Database version: 1498
Windows 5.1.2600 Service Pack 3

12/27/2008 11:49:46 AM
mbam-log-2008-12-27 (11-49-46).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 159718
Time elapsed: 1 hour(s), 43 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\SYSTEM32\kinodike.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmc788a2d4 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\kinodike.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\kinodike.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\SYSTEM32\kinodike.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\pabululu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
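
The MBAM log above is the most informative artefact in this thread: it shows the problem was not the fake antivirus itself but a Vundo variant with four separate autostart hooks (a Run key, a SharedTaskScheduler entry and a ShellServiceObjectDelayLoad entry that both resolve to one CLSID, and AppInit_DLLs loading kinodike.dll into every process), and that kinodike.dll was still loaded while the scan ran, so MBAM could only mark it "Delete on reboot". The Python script below, added here as an example and not code from Malwarebytes or from anyone in the thread, parses a log in this layout and reports exactly those three things: persistence locations used, the DLL they point at, and what is still pending a reboot. The regular expressions and the list of autostart locations are my own assumptions about the format; the embedded sample is an excerpt of the log above.

```python
"""Triage helper for a Malwarebytes' Anti-Malware 1.x log in the layout posted
above.  It reports the autostart (persistence) locations the infection used,
the DLL those locations pointed at, and the items MBAM could only mark
"Delete on reboot", i.e. files still loaded when the log was written.
Added example for this thread, not Malwarebytes' code.  The sample log is an
excerpt of the log posted above, embedded here as constructed input."""
import re

# A section header is "... Infected:" with nothing after the colon, so the
# summary lines at the top of the log ("Files Infected: 2") do not match.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*$")
# A detection line is "<item> (<threat>) -> <action>."; for Registry Data
# Items the action reads "Data: <value> -> <final action>".
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^)]+)\) -> (?P<action>.+?)\.?\s*$")

# Registry locations Windows loads code from without user action.  Keys are
# lower-cased path fragments (assumed list, extend as needed).
AUTOSTART_MARKERS = {
    "\\currentversion\\run\\": "Run key (executed at logon)",
    "\\sharedtaskscheduler\\": "SharedTaskScheduler (COM object loaded by Explorer)",
    "\\shellserviceobjectdelayload\\": "ShellServiceObjectDelayLoad (COM object loaded by Explorer)",
    "\\appinit_dlls": "AppInit_DLLs (DLL injected into every process that loads user32.dll)",
    "\\clsid\\{": "COM class registration (the object the Explorer hooks resolve to)",
}

# Constructed sample: excerpt of the MBAM log posted in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.31
Database version: 1498

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\SYSTEM32\kinodike.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmc788a2d4 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\kinodike.dll -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\SYSTEM32\kinodike.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\pabululu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return one dict per detection line: section, item, threat, final action, data."""
    section, entries = None, []
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        if section is None:
            continue                      # still in the summary block
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # "(No malicious items detected)" etc.
        hops = m.group("action").split(" -> ")
        data = hops[0][len("Data: "):] if hops[0].startswith("Data: ") else None
        entries.append({"section": section, "item": m.group("item"),
                        "threat": m.group("threat"), "action": hops[-1], "data": data})
    return entries


def pending_items(entries):
    """Files MBAM could not remove yet; they stay active until the reboot happens."""
    return sorted({e["item"].lower() for e in entries if e["action"].startswith("Delete on reboot")})


def autostart_locations(entries):
    """Map each registry detection to the autostart mechanism it represents."""
    found = {}
    for e in entries:
        if not e["section"].startswith("Registry"):
            continue
        for marker, label in AUTOSTART_MARKERS.items():
            if marker in e["item"].lower():
                found.setdefault(label, []).append(e["item"])
    return found


def summarize(text):
    entries = parse_mbam_log(text)
    return {
        "detections": len(entries),
        "threats": sorted({e["threat"] for e in entries}),
        "autostart": autostart_locations(entries),
        "pending_reboot": pending_items(entries),
        # DLLs named as data of an autostart value (what actually gets loaded)
        "injected_dlls": sorted({e["data"].lower() for e in entries if e["data"]}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it as a script to see the summary, or point `summarize()` at the text of any mbam-log-*.txt file. A non-empty `pending_reboot` list means the machine has not been cleaned yet, whatever the rest of the log says, and a DLL that appears both there and under `injected_dlls` is the one to confirm gone after the reboot.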

#4 Guest_superbird_*

Posted 27 December 2008 - 04:27 PM

Hi,

Ok, I'll wait for your reply with the Kaspersky-log. :thumbsup:

#5 Jeff Roper

Posted 27 December 2008 - 08:53 PM

Sorry this is taking so long, I have been in and out today. I scanned the system with AVG Anti-Virus and it found 8 more infections. I couldn't figure out how to get a report out of the free version to post here. I will now proceed with Kaspersky.

Thanks,

Jeff

#6 Jeff Roper

Posted 27 December 2008 - 09:25 PM

I guess what I have is the Vundo Trojan. I thought it had something to do with Antivirus 2009, but that was just the ad that popped up the most. I'm currently running Kaspersky on the problem computer and it is taking a while to download the database.

Thanks,

Jeff

#7 Guest_superbird_*

Posted 28 December 2008 - 07:24 AM

Hi,

Yes it could be you have a Vundo-infection too, but we'll deal with it. First I need the Kaspersky logfile. :thumbsup:

#8 Jeff Roper

Posted 28 December 2008 - 11:52 AM

Here's the Kaspersky report. It took almost 7 hours to finish.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, December 28, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 27, 2008 23:06:28
Records in database: 1522053
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 109558
Threat name: 5
Infected objects: 5
Suspicious objects: 4
Duration of the scan: 06:51:50


File name / Threat name / Threats count
C:\Documents and Settings\Jeff\Application Data\Thunderbird\Profiles\2m2h1a6l.default\Mail\Local Folders\Old Sent Mail Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Jeff\Application Data\Thunderbird\Profiles\2m2h1a6l.default\Mail\roperengineering.com\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 3
C:\Documents and Settings\Jeff\Application Data\Thunderbird\Profiles\2m2h1a6l.default\Mail\roperengineering.com\Junk Infected: Trojan-Spy.Win32.Goldun.bce 1
C:\Documents and Settings\Jeff\Application Data\Thunderbird\Profiles\2m2h1a6l.default\Mail\roperengineering.com\Junk Infected: Worm.Win32.AutoRun.rsu 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1125\A0106871.dll Infected: Trojan.Win32.Monder.afvy 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1125\A0106878.dll Infected: Trojan.Win32.Monder.afvy 1
C:\WINDOWS\SYSTEM32\yivevono.dll Infected: Trojan.Win32.Monder.afwb 1

The selected area was scanned.

It looks like the Vundo may have been taken care of by AVG. What next?

Thanks,

Jeff

#9 Guest_superbird_*

Posted 28 December 2008 - 11:59 AM

Hi,

If it exists, delete this file: C:\WINDOWS\SYSTEM32\yivevono.dll

Then, do a new full scan with MBAM. Post the logfile in your next reply. :thumbsup:

#10 Jeff Roper

Posted 28 December 2008 - 02:39 PM

The MWB scan didn't find anything, but AVG popped up a window. I clicked on remove threats and it said that a file was not found. I'm not sure which one. Here is the MWB report; a report from AVG follows:

Malwarebytes' Anti-Malware 1.31
Database version: 1498
Windows 5.1.2600 Service Pack 3

12/28/2008 11:23:52 AM
mbam-log-2008-12-28 (11-23-52).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 161736
Time elapsed: 1 hour(s), 48 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Here is a report from AVG Resident Shield Detection:

Resident Shield detection
"Infection";"Object";"Result";"Detection time";"Object Type";"Process"
"Trojan horse Vundo.CI";"C:\WINDOWS\system32\mlJCTnOf.dll";"Moved to Virus Vault";"12/26/2008, 11:25:40 PM";"file";"C:\WINDOWS\system32\MRT.exe"
"Trojan horse Generic12.AEWU";"C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1125\A0106867.dll";"Moved to Virus Vault";"12/26/2008, 11:50:51 PM";"file";"C:\WINDOWS\System32\svchost.exe"
"Virus found FakeAlert";"C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\GKK16NNV\freescan[1].htm";"Moved to Virus Vault";"12/27/2008, 10:19:18 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Virus found FakeAlert";"C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\XCQEJBCD\freescan[1].htm";"Moved to Virus Vault";"12/27/2008, 10:19:24 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse Generic12.ADHJ";"C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\S56RKX6Z\pldr8[1].htm";"Moved to Virus Vault";"12/27/2008, 10:31:34 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse Generic12.ADHJ";"C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\S56RKX6Z\pldr8[2].htm";"Moved to Virus Vault";"12/27/2008, 10:31:35 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse Vundo.CS";"C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1113\A0106542.dll";"Moved to Virus Vault";"12/27/2008, 11:15:32 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse Generic12.AEWU";"C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1125\A0106867.dll";"Deleted";"12/27/2008, 11:16:19 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse Vundo.CI";"C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1127\A0107081.dll";"Moved to Virus Vault";"12/27/2008, 11:16:39 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse Generic12.AEWU";"C:\WINDOWS\SYSTEM32\kivebeki.dll";"Moved to Virus Vault";"12/27/2008, 11:35:24 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse Generic12.ACIM";"C:\WINDOWS\SYSTEM32\kafehera.dll";"Moved to Virus Vault";"12/27/2008, 11:35:30 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse Generic12.ADHJ";"C:\WINDOWS\SYSTEM32\nenosivu.dll";"Moved to Virus Vault";"12/27/2008, 11:36:30 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse Generic12.ADHJ";"C:\WINDOWS\SYSTEM32\reforola.dll";"Moved to Virus Vault";"12/27/2008, 11:36:53 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse Generic12.ADHJ";"C:\WINDOWS\SYSTEM32\yidekuti.dll";"Moved to Virus Vault";"12/27/2008, 11:37:21 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse Generic12.ADHJ";"C:\WINDOWS\SYSTEM32\dorilisu.dll";"Moved to Virus Vault";"12/27/2008, 11:37:22 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse Generic12.ADHJ";"C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8DARKL23\pldr8[1].htm";"Moved to Virus Vault";"12/27/2008, 11:38:35 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse Generic12.ADHJ";"C:\WINDOWS\Temp\tmp1.exe";"Moved to Virus Vault";"12/27/2008, 11:40:51 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse Generic12.ADHJ";"C:\WINDOWS\Temp\tmp10.exe";"Moved to Virus Vault";"12/27/2008, 11:40:51 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse Generic12.ADHJ";"C:\WINDOWS\Temp\tmp45.exe";"Moved to Virus Vault";"12/27/2008, 11:40:51 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse Generic12.ADHJ";"C:\WINDOWS\Temp\tmpA2.exe";"Moved to Virus Vault";"12/27/2008, 11:40:52 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse Generic12.AFQT";"C:\WINDOWS\SYSTEM32\yivevono.dll";"Moved to Virus Vault";"12/28/2008, 9:10:17 AM";"file";"C:\WINDOWS\Explorer.EXE"
"Trojan horse Generic12.AFQT";"C:\WINDOWS\SYSTEM32\yivevono.dll";"Infected";"12/28/2008, 9:10:47 AM";"file";"C:\WINDOWS\Explorer.EXE"
"Trojan horse Generic12.AFJD";"C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1123\A0106785.dll";"Moved to Virus Vault";"12/28/2008, 10:27:18 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse Generic12.AFJD";"C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1123\A0106786.dll";"Moved to Virus Vault";"12/28/2008, 10:27:18 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"

Do you think I am cured? Thanks for all your help.

Jeff
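
The AVG export above is a timeline, and read as one it says more than the clean MBAM result does. yivevono.dll in system32 was moved to the Virus Vault at 9:10:17 on 28 December and flagged again as "Infected" (not removed) thirty seconds later, out of Explorer.EXE, which is what you expect when a still-running component rewrites its DLL; it is also the file superbird asked to have deleted by hand. Most of the other rows are copies inside System Restore snapshots (System Volume Information\_restore...), cached web pages or temp-folder droppers, not running code, and the same reading applies to the Thunderbird mailbox hits in the Kaspersky report further up, which are attachments inside mailbox files. The Python below, added here as an example and not AVG's code or anyone's from the thread, parses the export with the standard csv module, buckets each hit by where it lives, and lists every path that was detected again after AVG had already removed it. The location heuristics are my assumptions; the sample rows are a subset of the export above.

```python
"""Triage an AVG Resident Shield detection export (quoted, semicolon-separated
rows as posted above).  Two things the raw list does not show at a glance:
where each hit lives (a copy in a System Restore snapshot or a mail store is
not running code) and which paths came back after AVG removed them, which is
the signature of a dropper that is still active.  Added example for this
thread, not AVG's code.  Sample rows are a subset of the export posted above,
embedded here as constructed input."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

REMOVED = {"Moved to Virus Vault", "Deleted"}   # results that mean the file is gone

# Constructed sample: subset of the AVG export posted in this thread.
SAMPLE_EXPORT = r'''"Infection";"Object";"Result";"Detection time";"Object Type";"Process"
"Trojan horse Vundo.CI";"C:\WINDOWS\system32\mlJCTnOf.dll";"Moved to Virus Vault";"12/26/2008, 11:25:40 PM";"file";"C:\WINDOWS\system32\MRT.exe"
"Trojan horse Generic12.AEWU";"C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1125\A0106867.dll";"Moved to Virus Vault";"12/26/2008, 11:50:51 PM";"file";"C:\WINDOWS\System32\svchost.exe"
"Virus found FakeAlert";"C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\GKK16NNV\freescan[1].htm";"Moved to Virus Vault";"12/27/2008, 10:19:18 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse Generic12.AEWU";"C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1125\A0106867.dll";"Deleted";"12/27/2008, 11:16:19 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse Generic12.AEWU";"C:\WINDOWS\SYSTEM32\kivebeki.dll";"Moved to Virus Vault";"12/27/2008, 11:35:24 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse Generic12.ADHJ";"C:\WINDOWS\Temp\tmp1.exe";"Moved to Virus Vault";"12/27/2008, 11:40:51 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"Trojan horse Generic12.AFQT";"C:\WINDOWS\SYSTEM32\yivevono.dll";"Moved to Virus Vault";"12/28/2008, 9:10:17 AM";"file";"C:\WINDOWS\Explorer.EXE"
"Trojan horse Generic12.AFQT";"C:\WINDOWS\SYSTEM32\yivevono.dll";"Infected";"12/28/2008, 9:10:47 AM";"file";"C:\WINDOWS\Explorer.EXE"
"Trojan horse Generic12.AFJD";"C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1123\A0106785.dll";"Moved to Virus Vault";"12/28/2008, 10:27:18 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
'''


def classify(path):
    """Bucket a detected path by what its location implies (assumed heuristics)."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point copy"       # snapshot of an old file; inert unless restored
    if "\\temporary internet files\\" in p:
        return "browser cache"            # a downloaded page, not installed code
    if "\\thunderbird\\profiles\\" in p and "\\mail\\" in p:
        return "mail store"               # attachment inside a mailbox file
    if "\\windows\\temp\\" in p or "\\local settings\\temp\\" in p:
        return "temp drop"                # dropper stage, usually already executed
    if "\\windows\\system32\\" in p:
        return "live system binary"       # what actually gets loaded at boot/logon
    return "other"


def load(text):
    rows = list(csv.DictReader(io.StringIO(text), delimiter=";"))
    for r in rows:
        r["when"] = datetime.strptime(r["Detection time"], "%m/%d/%Y, %I:%M:%S %p")
        r["where"] = classify(r["Object"])
    return rows


def redetected(rows):
    """Paths seen again after AVG reported removing them (something wrote them back)."""
    by_path = defaultdict(list)
    for r in rows:
        by_path[r["Object"].lower()].append(r)
    hits = []
    for path, events in by_path.items():
        events.sort(key=lambda r: r["when"])
        removed_at = None
        for ev in events:
            if removed_at is not None:
                hits.append({"path": path, "where": ev["where"], "result": ev["Result"],
                             "seconds_after_removal": (ev["when"] - removed_at).total_seconds()})
                break
            if ev["Result"] in REMOVED:
                removed_at = ev["when"]
    return sorted(hits, key=lambda h: h["path"])


def triage(text):
    rows = load(text)
    return {
        "rows": len(rows),
        "by_location": dict(Counter(r["where"] for r in rows)),
        "redetected": redetected(rows),
        # live files AVG could not remove: deal with these first
        "live_unresolved": sorted({r["Object"].lower() for r in rows
                                   if r["where"] == "live system binary"
                                   and r["Result"] not in REMOVED}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

Run it as a script for a summary, or feed `triage()` the text of a full export. A path under `live_unresolved` or listed under `redetected` with a `live system binary` location is an active component, and the time gap between removal and re-detection tells you roughly how fast whatever drops it is cycling. Restore-point copies are inert unless that restore point is used; once the live system is clean they are cleared by discarding the old restore points (on XP, turning System Restore off and back on), but doing that first only removes your fallback.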


#11 Guest_superbird_*

Posted 29 December 2008 - 04:45 AM

Hi,

To be sure, do this:

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

#12 Jeff Roper

Posted 29 December 2008 - 11:09 PM

I ran VundoFix.exe and it found no problems. My AVG Anti-Virus is still finding problems, but they don't seem to be related to Vundo. The latest was called a "Trojan Horse Generic12.AFQT". The pop ups have stopped, so I think I'm good to go for a while.

Thanks for all your help.

Jeff

#13 Guest_superbird_*

Posted 30 December 2008 - 07:59 AM

Hi,

please do this:

Download zoek.exe
Run it; a logfile will open.
Post that logfile in your next reply. :thumbsup:
