
vundo, trojans, adware, rogue installers. keeps coming back.. please help!


  • This topic is locked
1 reply to this topic

#1 belezaj16

  • Members
  • 29 posts
  • Gender: Female

Posted 04 January 2009 - 01:10 PM

I accidentally posted this in "Am I infected, what do I do?" but am new to this, so I posted this one here.
Last night I encountered some popup problems (I use Firefox now) on my XP computer,
so I ran both MBAM and SuperAntiSpyware, both coming up with Vundo files and trojans. After deleting and rebooting twice, it seemed like everything was alright, until I opened up the computer this morning and did a rescan of everything, and it seems like it keeps coming back and returning upon restart,
although there are no more popups like there were last night.

Any help?! Please! I hear Vundo is hard to delete. I'd appreciate any quick responses on how to remove it completely.
Thanks!!!

Here is the last MBAM full scan from last night:

Malwarebytes' Anti-Malware 1.31
Database version: 1607
Windows 5.1.2600 Service Pack 2

1/4/2009 1:15:34 AM
mbam-log-2009-01-04 (01-15-34).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 196740
Time elapsed: 1 hour(s), 0 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b4ea9b44-78f3-4bcf-b55d-51cdfc05fed7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b4ea9b44-78f3-4bcf-b55d-51cdfc05fed7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\terivepuro (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\totoft.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\5ZJQT2ZY\divx[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\5ZJQT2ZY\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP144\A0026735.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iwvxnrmd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

And here is the quick scan I did this morning:

Malwarebytes' Anti-Malware 1.31
Database version: 1607
Windows 5.1.2600 Service Pack 2

1/4/2009 12:38:42 PM
mbam-log-2009-01-04 (12-38-42).txt

Scan type: Quick Scan
Objects scanned: 59058
Time elapsed: 5 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\awtuTmjg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hadreehu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jkkkiHxx.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b6fbc78a-41da-4fc9-87c7-e02c75eea7f8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b6fbc78a-41da-4fc9-87c7-e02c75eea7f8} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\terivepuro (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\awtutmjg -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtutmjg -> Delete on reboot.

Folders Infected:
C:\Documents and Settings\HP_Administrator\Application Data\gadcom (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\awtuTmjg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\gjmTutwa.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gjmTutwa.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hadreehu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\uheerdah.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkkiHxx.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rqRHwXQI.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\5ZJQT2ZY\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\LJAI96CK\apstpldr.dll[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\S6AJ89N9\load[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\gadcom\gadcom.exe (Trojan.Agent) -> Delete on reboot.
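The quick-scan log above is worth reading for more than the detection names: the Vundo DLL was registered under HKLM\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages and Authentication Packages (DLL lists that LSASS loads at boot), as a Browser Helper Object, as a ShellExecuteHook, and under the Run key. A DLL loaded into a system process cannot be deleted while it is in use, which is what "Delete on reboot" means, and a copy that survives in any one of those load points brings the rest back. The script below is an added example, not code from the post or from Malwarebytes: it parses the MBAM 1.x log layout shown above (the "Section:" headings and "item (Detection) -> Action." lines), tags each registry hit with the load point it abuses, lists what could only be scheduled for deletion at reboot, and lists what the second scan reported again. The two log strings are constructed, abridged excerpts of the logs in the post.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs (added example,
not code from the forum post or from Malwarebytes). Parses the
"Section:" / "item (Detection) -> Action." layout, names the Windows
load-point each registry hit abuses, and reports locked and recurring items."""
import re
from collections import Counter

SECTIONS = {"Memory Processes Infected", "Memory Modules Infected",
            "Registry Keys Infected", "Registry Values Infected",
            "Registry Data Items Infected", "Folders Infected", "Files Infected"}
# One finding: "<item> (<detection>) -> [Data: <value> -> ]<action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<det>[^()]+)\) -> (?P<rest>.+?)\.?$")
# Genuine Windows extension points (matched on the registry path) that load a
# DLL or EXE at boot, logon or shell activity; all of them appear in the logs.
MECHANISMS = (
    ("LSA Notification Packages", r"\\Control\\LSA\\Notification Packages$"),
    ("LSA Authentication Packages", r"\\Control\\LSA\\Authentication Packages$"),
    ("ShellExecuteHook", r"\\Explorer\\ShellExecuteHooks\\"),
    ("Browser Helper Object", r"\\Explorer\\Browser Helper Objects\\"),
    ("Run key", r"\\CurrentVersion\\Run\\"),
    ("COM CLSID registration", r"^HKEY_CLASSES_ROOT\\CLSID\\"),
)


def parse_log(text):
    """Return one dict per finding: section, item, detection, data, action."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
            continue
        m = ITEM_RE.match(line) if section else None
        if not m:
            continue          # header, summary and "(No malicious items detected)" lines
        parts = m.group("rest").split(" -> ")
        data = parts[0][len("Data: "):] if len(parts) > 1 else None
        findings.append({"section": section, "item": m.group("item"),
                         "detection": m.group("det"), "data": data,
                         "action": parts[-1]})
    return findings


def mechanism(item):
    """Name the load-point a registry item abuses, or None if it is not one."""
    for name, pattern in MECHANISMS:
        if re.search(pattern, item, re.IGNORECASE):
            return name
    return None


def load_points(findings):
    """Count findings per load-point mechanism (plain files count as none)."""
    return Counter(m for m in (mechanism(f["item"]) for f in findings) if m)


def locked_items(findings):
    """Items MBAM could not remove on the spot: the file or key was in use."""
    return sorted({f["item"] for f in findings
                   if f["action"].startswith("Delete on reboot")})


def recurring(first, second):
    """Items reported by both scans, i.e. removals that did not stick."""
    earlier = {f["item"].lower() for f in first}
    return sorted({f["item"] for f in second if f["item"].lower() in earlier})


# Constructed input: abridged excerpts of the two logs in the post above.
FULL_SCAN = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b4ea9b44-78f3-4bcf-b55d-51cdfc05fed7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b4ea9b44-78f3-4bcf-b55d-51cdfc05fed7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\terivepuro (Trojan.Vundo.H) -> Quarantined and deleted successfully.
"""
QUICK_SCAN = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\terivepuro (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\awtutmjg -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtutmjg -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\awtuTmjg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\HP_Administrator\Application Data\gadcom\gadcom.exe (Trojan.Agent) -> Delete on reboot.
"""

if __name__ == "__main__":
    full, quick = parse_log(FULL_SCAN), parse_log(QUICK_SCAN)
    print("load-points hit:", dict(load_points(quick)))
    print("locked at scan time:", *locked_items(quick), sep="\n  ")
    print("reported by both scans:", *recurring(full, quick), sep="\n  ")
```

Run on the two excerpts, the recurring list is exactly the Run value and the MS Juan marker key that the full scan had already "Quarantined and deleted", and the locked list shows the LSA Authentication Packages entry still pointing at the DLL; that combination is the practical reading of "it keeps coming back": the scanner is cleaning the visible artifacts while a load point it could not touch re-creates them at the next boot.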

#2 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender: Male

Posted 04 January 2009 - 01:12 PM

Hello.

I have replied to your topic in the Am I Infected Forum here.

Please continue the discussions in the topic above. If we are unable to resolve your problem there, you will be asked to post in this forum.

This topic is now closed.

With Regards,
The Panda



