newbie...need help

5 replies to this topic

#1 crazyjoe86

Posted 03 January 2009 - 03:52 PM

Hello...I'm new here...wasn't sure where to post at...But I think I have a virus or something on my computer...probably several...lol...anyway...I came across this site by downloading this HIJACK THIS thing....I have generated a log.....please tell me if it's okay to post it.....Thank you for your time....Joe

Edited by Orange Blossom, 03 January 2009 - 04:07 PM.
Moving from HiJack This forum to Am I Infected as there are no logs. ~ OB



#2 PropagandaPanda

Posted 03 January 2009 - 04:27 PM

Hello Joe. Welcome to BC.

This forum is not for analysing HijackThis logs. Please do not post one unless specifically requested.

Please give us some more details:
-What do the popups show? Ads for antivirus products?
-What operating system are you running?
-What antivirus programs, if any, do you have installed?

In any case, you are infected. Let's start off with running MalwareBytes.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download the Malwarebytes Anti-Malware setup to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using FileAssassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.
With Regards,
The Panda

#3 crazyjoe86

Posted 03 January 2009 - 05:08 PM

Hey, thanks for the help. I'm running XP with AVG and SPYBOT ...here's the log file I generated....



Malwarebytes' Anti-Malware 1.31
Database version: 1604
Windows 5.1.2600 Service Pack 2

1/3/2009 4:07:22 PM
mbam-log-2009-01-03 (16-07-09).txt

Scan type: Quick Scan
Objects scanned: 93531
Time elapsed: 25 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 7
Registry Keys Infected: 31
Registry Values Infected: 9
Registry Data Items Infected: 7
Folders Infected: 6
Files Infected: 32

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\koguholu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\fineloto.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\zobedagu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\guhuvafa.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\biboreza.dll (Trojan.Vundo) -> No action taken.
c:\WINDOWS\system32\nazoluha.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\hanurowi.dll (Trojan.BHO) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0cf7045-e6ef-410b-bae4-abf2686a5c69} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f0cf7045-e6ef-410b-bae4-abf2686a5c69} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0cf7045-e6ef-410b-bae4-abf2686a5c69} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{82336a8d-6cd0-4647-b791-75fca8cf2b39} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{82336a8d-6cd0-4647-b791-75fca8cf2b39} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\downloader.downloaderctrl.1 (Adware.2020search) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a88e9cc2 (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kipolukitu (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmabbdaf5e (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{82336a8d-6cd0-4647-b791-75fca8cf2b39} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\virusremover2008 (Rogue.VirusRemove) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\fineloto.dll -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\fineloto.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\fineloto.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\guhuvafa.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\guhuvafa.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\hanurowi.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\hanurowi.dll -> No action taken.

Folders Infected:
C:\Program Files\Temporary (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Joseph\Application Data\ShoppingReport (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\Joseph\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\Joseph\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\Joseph\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\Joseph\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> No action taken.

Files Infected:
C:\WINDOWS\system32\geligehu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\uhegileg.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\koguholu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ulohugok.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\tiwowovi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ivowowit.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ziweyabu.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\guhuvafa.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\zobedagu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\fineloto.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\biboreza.dll (Trojan.Vundo) -> No action taken.
c:\WINDOWS\system32\nazoluha.dll (Trojan.Vundo) -> No action taken.
c:\WINDOWS\system32\hanurowi.dll (Trojan.BHO) -> No action taken.
C:\WINDOWS\system32\fivurume.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\gomujude.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\gugamage.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\hulubera.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\madikisi.dll.tmp (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\reyefenu.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\rorijeya.dll.tmp (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\wetutibe.dll.tmp (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Joseph\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\Joseph\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\Joseph\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> No action taken.
C:\Documents and Settings\Joseph\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> No action taken.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> No action taken.
C:\WINDOWS\cookies.ini (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> No action taken.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\BMabbdaf5e.xml (Trojan.Vundo) -> No action taken.
C:\WINDOWS\BMabbdaf5e.txt (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Joseph\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusRemover2008.lnk (Rogue.VirusRemove) -> No action taken.


wasn't sure if I was supposed to take any action yet or not...thanks again...Joe
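As an added example (not from this thread, and not Malwarebytes' own code), a small Python parser for the MBAM 1.x log format posted above: it maps each registry hit to the autostart mechanism it abuses (AppInit_DLLs, LSA notification packages, SSODL, Run keys) and lists what the scan flagged but left in place, which is why the first log above still needed a second run. The sample log is constructed in the same format, and the persistence table is an assumption of what a responder would want flagged.

```python
import re

# Constructed sample in the format of the MBAM 1.x logs posted above
# (paths and detection names modeled on the thread, not copied from it).
SAMPLE_LOG = r"""Memory Modules Infected:
C:\WINDOWS\system32\sample01.dll (Trojan.Vundo.H) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a1b2c3 (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\sample01.dll -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\sample01.dll -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\sample01.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> No action taken.
"""

SECTION = re.compile(r"^([A-Za-z ]+ Infected):$")        # e.g. "Files Infected:"
ENTRY = re.compile(r"^(?P<loc>.+?) \((?P<det>[^()]+)\)"   # location (Detection)
                   r"(?: -> Data: (?P<data>.+?))?"        # optional "-> Data: ..."
                   r" -> (?P<action>[^>]+?)\.?$")         # final action text

# Assumed table: autostart/injection points that Vundo-style infections abuse.
PERSISTENCE = {
    r"\\CurrentVersion\\Run\\": "Run key autostart",
    r"\\AppInit_DLLs$": "AppInit_DLLs (injected into every user-mode process)",
    r"\\LSA\\Notification Packages$": "LSA notification package (loaded by lsass.exe)",
    r"\\ShellServiceObjectDelayLoad\\": "SSODL (loaded by explorer.exe)",
}

def parse_mbam_log(text):
    """Return one dict per flagged item: section, loc, det, data, action."""
    entries, section = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := SECTION.match(line):
            section = m.group(1)
        elif section and (m := ENTRY.match(line)):
            entries.append({"section": section, **m.groupdict()})
    return entries

def persistence_findings(entries):
    """(mechanism, payload, detection) for each entry hitting a known autostart point."""
    return [(label, e["data"] or e["loc"], e["det"]) for e in entries
            for pat, label in PERSISTENCE.items() if re.search(pat, e["loc"], re.I)]

def unremediated(entries):
    """Items the scan flagged but did not remove; a clean rerun should list none."""
    return [e for e in entries if not e["action"].startswith("Quarantined")]
```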

#4 PropagandaPanda

Posted 03 January 2009 - 05:24 PM

Hello Joe.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable AVG:
  • Please navigate to the system tray in the bottom right-hand corner and look for the AVG icon.
  • Right-click it and select Quit Control Center.
  • A warning will pop up; click Yes.
To disable SpyBot's TeaTimer:
You can find instructions with visuals here.
  • Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.
  • On the left hand side, Click on Tools.
  • Click on the Resident icon in the list.
  • Uncheck Resident TeaTimer and OK any prompts.
  • Download ResetTeaTimer.bat and run it to remove entries set by TeaTimer. If you are not using Internet Explorer, you may not be prompted to download the file when you click it. In that case, right click it and select "Save Target/Link as" and save the file onto your desktop.
    The file should take only a second to finish. Delete this file after use.
Restart your computer for the changes to take effect.

Run MalwareBytes again; this time, remove all the items flagged. If prompted to restart, do so right away.

Run another scan afterwards to make sure the infection stays gone.

With Regards,
The Panda

#5 crazyjoe86

Posted 03 January 2009 - 08:31 PM

Hey Panda...you're the best...I believe it's gone...Thanks a million....

Malwarebytes' Anti-Malware 1.31
Database version: 1604
Windows 5.1.2600 Service Pack 2

1/3/2009 7:28:31 PM
mbam-log-2009-01-03 (19-28-31).txt

Scan type: Quick Scan
Objects scanned: 92737
Time elapsed: 20 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 PropagandaPanda

Posted 03 January 2009 - 09:07 PM

Hello.

Let's get off an F-Secure scan to check for anything left.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX control installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

With Regards,
The Panda



