
Vundo, trojans, adware, rogue installers. Keeps coming back... please help!


22 replies to this topic

#1 belezaj16

  • Members
  • 29 posts
  • Gender:Female

Posted 04 January 2009 - 12:39 PM

Last night I encountered some popup problems (I use Firefox now) on my XP computer.
So I ran both MBAM and SuperAntiSpyware, both coming up with Vundo files and trojans. After deleting and rebooting twice, it seemed like everything was alright, until I opened up the computer this morning and did a rescan of everything, and it seems like it keeps coming back and returning upon restart.
Although there are no more popups like there were last night.

Any help, please! I hear Vundo is hard to delete. I'd appreciate any quick responses on how to remove it completely.
Thanks!!!

Here is the last MBAM full scan from last night:


Malwarebytes' Anti-Malware 1.31
Database version: 1607
Windows 5.1.2600 Service Pack 2

1/4/2009 1:15:34 AM
mbam-log-2009-01-04 (01-15-34).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 196740
Time elapsed: 1 hour(s), 0 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b4ea9b44-78f3-4bcf-b55d-51cdfc05fed7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b4ea9b44-78f3-4bcf-b55d-51cdfc05fed7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\terivepuro (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\totoft.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\5ZJQT2ZY\divx[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\5ZJQT2ZY\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP144\A0026735.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iwvxnrmd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

And here is the quick scan I did this morning:
Malwarebytes' Anti-Malware 1.31
Database version: 1607
Windows 5.1.2600 Service Pack 2

1/4/2009 12:38:42 PM
mbam-log-2009-01-04 (12-38-42).txt

Scan type: Quick Scan
Objects scanned: 59058
Time elapsed: 5 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\awtuTmjg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hadreehu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jkkkiHxx.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b6fbc78a-41da-4fc9-87c7-e02c75eea7f8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b6fbc78a-41da-4fc9-87c7-e02c75eea7f8} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\terivepuro (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\awtutmjg -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtutmjg -> Delete on reboot.

Folders Infected:
C:\Documents and Settings\HP_Administrator\Application Data\gadcom (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\awtuTmjg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\gjmTutwa.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gjmTutwa.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hadreehu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\uheerdah.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkkiHxx.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rqRHwXQI.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\5ZJQT2ZY\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\LJAI96CK\apstpldr.dll[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\S6AJ89N9\load[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\gadcom\gadcom.exe (Trojan.Agent) -> Delete on reboot.
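
As an added example (not code from the original posts or from Malwarebytes), the following Python script parses the MBAM 1.x log format quoted above. It labels each detection with the persistence location it touches (Run key, Browser Helper Object, ShellExecuteHook, LSA Notification/Authentication Packages, CLSID registration, System Restore copies), lists the items MBAM could only mark "Delete on reboot" because the module was still loaded when the scan ran, and compares the LSA package data against the default Windows XP values. The mechanism labels and the LSA baseline (scecli for Notification Packages, msv1_0 for Authentication Packages) are the example's own assumptions; the sample lines are excerpted from the quick-scan log above.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs.

Added example for this thread; not code from the original posts or from
Malwarebytes. It parses the "<item> (<detection>) -> <action>" lines MBAM
writes, labels the persistence mechanism each item touches, flags items
still scheduled for "Delete on reboot", and checks LSA package data
against an assumed default-Windows-XP baseline.
"""
import os
import re
from collections import Counter

# Sample input: lines excerpted from the quick-scan log posted in the thread.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b6fbc78a-41da-4fc9-87c7-e02c75eea7f8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\terivepuro (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\awtutmjg -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtutmjg -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\awtuTmjg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP145\A0026783.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# One regex over an MBAM result line. The "Data: ... -> " part only appears
# for "Registry Data Items", where MBAM shows the offending value data.
ENTRY = re.compile(
    r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$"
)

# Persistence mechanisms seen in the thread, matched against the item path.
# Labels are this example's own; MBAM does not emit them.
MECHANISMS = [
    (r"\\CurrentVersion\\Run\\", "Run key autostart"),
    (r"\\Browser Helper Objects\\", "IE Browser Helper Object"),
    (r"\\ShellExecuteHooks\\", "ShellExecuteHook (loaded by explorer.exe)"),
    (r"\\Control\\LSA\\(Notification|Authentication) Packages",
     "LSA package (loaded by lsass.exe at boot)"),
    (r"^HKEY_CLASSES_ROOT\\CLSID\\", "COM CLSID registration"),
    (r"\\System Volume Information\\_restore", "System Restore point copy"),
]

# Assumed default LSA package values on Windows XP; legitimate password
# filters or third-party authentication packages would extend this.
KNOWN_LSA = {
    "notification packages": {"scecli"},
    "authentication packages": {"msv1_0"},
}


def classify(item):
    """Return the persistence label for an item path, or a generic label."""
    for pattern, label in MECHANISMS:
        if re.search(pattern, item, re.IGNORECASE):
            return label
    return "file or folder on disk"


def module_name(data):
    """'c:\\windows\\system32\\awtutmjg' -> 'awtutmjg' (extension dropped)."""
    base = os.path.basename(data.replace("\\", "/"))
    return os.path.splitext(base)[0].lower()


def lsa_package_is_expected(item, data):
    """True if the LSA value's module is in the assumed XP baseline."""
    kind = item.rsplit("\\", 1)[-1].lower()
    return module_name(data) in KNOWN_LSA.get(kind, set())


def parse_log(text):
    """Parse every result line; section headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["mechanism"] = classify(e["item"])
        entries.append(e)
    return entries


def summarize(entries):
    """Counts per mechanism, items still live at scan time, unexpected LSA modules."""
    pending = [e["item"] for e in entries
               if e["action"].lower().startswith("delete on reboot")]
    lsa_unexpected = [
        (e["item"].rsplit("\\", 1)[-1].lower(), module_name(e["data"]))
        for e in entries
        if e["data"] and e["mechanism"].startswith("LSA")
        and not lsa_package_is_expected(e["item"], e["data"])
    ]
    return {
        "by_mechanism": Counter(e["mechanism"] for e in entries),
        "pending_reboot": pending,
        "lsa_unexpected": lsa_unexpected,
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for label, n in report["by_mechanism"].most_common():
        print(f"{n:2d}  {label}")
    print("Still loaded at scan time (Delete on reboot):")
    for item in report["pending_reboot"]:
        print("   ", item)
    for kind, module in report["lsa_unexpected"]:
        print(f"Unexpected LSA {kind}: {module}")
```

The two LSA entries are the detail worth noticing in this log: the same module, awtutmjg, is named in both Notification Packages and Authentication Packages, and a DLL registered there is loaded by lsass.exe at boot, before the user's desktop scanners start. That is consistent with the file-level detections coming back "Delete on reboot" on each scan while the on-disk copies keep being quarantined.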

#2 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 04 January 2009 - 01:09 PM

Hello belezaj16.

What antimalware programs are installed on this computer, please? Do you have an antivirus, or other program that provides realtime protection?

I suspect you are being reinfected because you lack these.

With Regards,
The Panda

Edited by PropagandaPanda, 04 January 2009 - 01:09 PM.


#3 belezaj16

  • Topic Starter
  • Members
  • 29 posts
  • Gender:Female

Posted 04 January 2009 - 01:11 PM

Hello, and thanks for helping. I have Spybot, MBAM and also SuperAntiSpyware.

#4 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 04 January 2009 - 01:14 PM

Hello.

Looks like you need an antivirus installed.

Please disable SpyBot as it can interfere with installations.

To disable SpyBot's TeaTimer:
You can find instructions with visuals here.
  • Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.
  • On the left hand side, Click on Tools.
  • Click on the Resident icon in the list.
  • Uncheck Resident TeaTimer and OK any prompts.
  • Download ResetTeaTimer.bat and run it to remove entries set by TeaTimer. If you are not using Internet Explorer, you may not be prompted to download the file when you click it. In that case, right click it and select "Save Target/Link as" and save the file onto your desktop.
    The file should take only a second to finish. Delete this file after use.
Restart your computer for the changes to take effect.

Install Antivirus
An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a free anti-virus program from one of the trusted vendors below. After installing, update the database, run a full system scan and remove any items found.

Also take a new MBAM scan log and we'll go from there.

If possible, keep the use of the computer to a minimum.

With Regards,
The Panda

#5 belezaj16

  • Topic Starter
  • Members
  • 29 posts
  • Gender:Female

Posted 04 January 2009 - 01:18 PM

OK, will do, but I have a question...
I've had AVG before on another computer, and it seems to not have helped or detected half as much as those three programs I have installed on this computer. Do those 3 not count as antivirus?

#6 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 04 January 2009 - 01:23 PM

Hello.

The protection that an antivirus provides is not the same as those of the programs you listed.

Though an AV might not be great at removing infections, it will help prevent reinfection.

With Regards,
The Panda

#7 belezaj16

  • Topic Starter
  • Members
  • 29 posts
  • Gender:Female

Posted 04 January 2009 - 01:28 PM

Hello, I can't download the resetteatimer.bat.

When I click on it I just get a document in a new window. So I right clicked, and it will just save as a text document.

#8 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 04 January 2009 - 01:30 PM

Hello.

Save the file on your desktop. If you do not have viewing file extensions enabled:
  • Double click the My Computer icon.
  • In the explorer window that pops-up, select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Remove the checkmark from the checkbox labeled Hide File Extensions for Known File Types, if it is not already unchecked.
  • Click the Apply button and then the OK button.
Rename the file from resetteatimer.txt to resetteatimer.bat.

With Regards,
The Panda

#9 belezaj16

  • Topic Starter
  • Members
  • 29 posts
  • Gender:Female

Posted 04 January 2009 - 01:36 PM

OK, thanks! That worked... Sorry if I seem slow, just hang with me on this. lol
I'll be back with the MBAM log.
Just one more question: do you want a full scan log or just a quick scan?

#10 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 04 January 2009 - 01:43 PM

Hello.

Let's go with full.

With Regards,
The Panda

#11 belezaj16

  • Topic Starter
  • Members
  • 29 posts
  • Gender:Female

Posted 04 January 2009 - 01:47 PM

Alright, downloading Avira.
Will do a scan, then an MBAM scan, and report back shortly...
Just a note: a full scan usually takes about an hour on this computer.

So tty then! Thanks once again :thumbsup:

#12 belezaj16

  • Topic Starter
  • Members
  • 29 posts
  • Gender:Female

Posted 04 January 2009 - 04:39 PM

I ran Avira and it removed a sum of about 44 problems.
Then I ran MBAM; here is the log:

Malwarebytes' Anti-Malware 1.31
Database version: 1607
Windows 5.1.2600 Service Pack 2

1/4/2009 4:38:23 PM
mbam-log-2009-01-04 (16-38-23).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 197019
Time elapsed: 56 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\terivepuro (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP145\A0026783.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP146\A0026791.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

#13 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 04 January 2009 - 04:56 PM

Hello Mark.

One more time please :thumbsup: .

MBAM said it took them out. Want to make sure they don't return.

With Regards,
The Panda

#14 belezaj16

  • Topic Starter
  • Members
  • 29 posts
  • Gender:Female

Posted 04 January 2009 - 04:57 PM

Mark? I'm sorry, this is Belezaj16. lol

#15 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 04 January 2009 - 05:01 PM

Sorry! Saw a user with a name Mark looking at this topic.

The Panda