
Infected - Opening Random Ad Sites


5 replies to this topic

#1 mastiffmat

Posted 05 January 2009 - 08:31 AM

Hi

I have some sort of infection on my laptop. Gave it to my Dad for half an hour and he managed to get it on there - impressed (NOT).

Symptoms are that when I'm browsing (I use Firefox), random new windows, sometimes in Firefox and sometimes in IE, open up showing advertisements that are clearly unrelated to the site I am visiting. It happens even when I'm on our own intranet web pages. Sometimes I am seeing 10 or so new windows opening simultaneously. An example of the URL it opens is:

http://zustaus.com/r_cmtp?u=http%3A%2F%2Fg...&rid=753215

I'm running Symantec Antivirus but a full scan has revealed no issues.

Some of the pages that are opening are unsavoury and this is on my work laptop so I'm very keen to get it fixed. All help is greatly appreciated.

I am running Windows XP Professional SP3. Auto update is pretty much up to date. Firefox is version 3.0.5.

Many thanks

Mat

Edited by mastiffmat, 05 January 2009 - 08:34 AM.



#2 DaChew

Posted 05 January 2009 - 08:36 AM

http://www.bleepingcomputer.com/forums/ind...t&p=1066875

Please follow these directions and post a MBAM log
Chewy

No. Try not. Do... or do not. There is no try.

#3 mastiffmat

Posted 05 January 2009 - 11:35 AM

Thanks Chewy. Yep - I have a Trojan. See below.

Malwarebytes' Anti-Malware 1.32
Database version: 1616
Windows 5.1.2600 Service Pack 3

2009-01-05 16:28:45
mbam-log-2009-01-05 (16-28-37).txt

Scan type: Quick Scan
Objects scanned: 70159
Time elapsed: 7 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 8
Registry Values Infected: 5
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\dimumeku.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\wamatama.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\pamozeni.dll (Trojan.BHO) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d36227b6-8a1a-451a-99d3-20692bd9efae} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{d36227b6-8a1a-451a-99d3-20692bd9efae} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc70f322 (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dozajohubi (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmdf43c0be (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\wamatama.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\wamatama.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\pamozeni.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\pamozeni.dll -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dimumeku.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ukemumid.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\mapagomu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\umogapam.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\seloheyu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\uyeholes.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\wawiwome.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\emowiwaw.ini (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\wamatama.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\pamozeni.dll (Trojan.BHO) -> No action taken.
C:\Downloads\InstallAVg_77080703.exe (Rogue.Installer) -> No action taken.
C:\WINDOWS\system32\yayaBRHa.dll (Trojan.Vundo) -> No action taken.

#4 DaChew

Posted 05 January 2009 - 03:34 PM

Would you run it again and post a log showing where you let MBAM remove the infection? Vundo.H can be a bear to remove.
Chewy

#5 mastiffmat

Posted 06 January 2009 - 05:06 AM

Ran it once and got this:

Malwarebytes' Anti-Malware 1.32
Database version: 1616
Windows 5.1.2600 Service Pack 3

2009-01-06 09:10:07
mbam-log-2009-01-06 (09-10-07).txt

Scan type: Quick Scan
Objects scanned: 70137
Time elapsed: 9 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 8
Registry Values Infected: 5
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\vihokaso.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\hatutiza.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\wamatama.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d36227b6-8a1a-451a-99d3-20692bd9efae} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d36227b6-8a1a-451a-99d3-20692bd9efae} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc70f322 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dozajohubi (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmdf43c0be (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\hatutiza.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\hatutiza.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\wamatama.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\wamatama.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dimumeku.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ukemumid.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mapagomu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\umogapam.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\seloheyu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uyeholes.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vihokaso.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\osakohiv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wawiwome.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\emowiwaw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wamatama.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\hatutiza.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-4146857130-2152016099-3336979773-1122\Dc23.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yayaBRHa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


After reboot, ran the scan again and it found a few still. Iterated several times and I'm now down to just 3 issues which seem to be the same each time I run it. The log file is as follows (same every time now):

Malwarebytes' Anti-Malware 1.32
Database version: 1616
Windows 5.1.2600 Service Pack 3

2009-01-06 10:03:14
mbam-log-2009-01-06 (10-03-14).txt

Scan type: Quick Scan
Objects scanned: 70205
Time elapsed: 1 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d36227b6-8a1a-451a-99d3-20692bd9efae} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d36227b6-8a1a-451a-99d3-20692bd9efae} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dozajohubi (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Any way to get this last bit out?

Many thanks for your help - much appreciated!
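Taken together, the logs in post #3 and post #5 show the Vundo persistence set: a Browser Helper Object and its CLSID, Run values, a SharedTaskScheduler and an SSODL entry, and AppInit_DLLs pointing at DLLs that were already mapped into running processes (which is why MBAM could only mark them "Delete on reboot"). The final log in post #5 then shows the same BHO key, CLSID and Run value being detected on every pass. Below is an added example, not part of the original thread and not MBAM's own code, that parses this log format, maps each registry detection to the autostart mechanism it lives in, and diffs two logs to list what an earlier clean left behind. The regexes, the mechanism labels and the function names are this example's own assumptions; the sample log lines are excerpts of the logs posted above.

```python
"""Parse Malwarebytes' Anti-Malware 1.x scan logs, map registry detections
to the Windows autostart mechanism they abuse, and diff two logs to see what
a clean pass failed to remove.  Added example: regexes and labels are this
example's assumptions, not a specification of MBAM's log format."""
import re
from collections import defaultdict

# Section header: "Registry Keys Infected:" (summary lines such as
# "Registry Keys Infected: 8" end in a count and therefore do not match).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Entry: "<path or key> (<detection>) [-> Data: <value>] -> <action>."
ENTRY_RE = re.compile(
    r"^(?P<target>.+?) \((?P<name>[^()]+)\)"
    r"(?: -> Data: (?P<data>.+?))? -> (?P<action>[^.]+)\.$"
)

# Autostart extension points seen in the thread's logs (labels are ours).
ASEP_HINTS = [
    ("\\Browser Helper Objects\\", "BHO: loaded by Internet Explorer"),
    ("\\SharedTaskScheduler\\", "SharedTaskScheduler: loaded by Explorer"),
    ("\\ShellServiceObjectDelayLoad\\", "SSODL: loaded by Explorer"),
    ("\\CurrentVersion\\Run\\", "Run key: started at logon"),
    ("\\AppInit_DLLs", "AppInit_DLLs: injected into every user32 process"),
    ("HKEY_CLASSES_ROOT\\CLSID\\", "COM class registration"),
]

# Constructed sample input: excerpts of the first and last logs in the thread.
FIRST_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\dimumeku.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\wamatama.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d36227b6-8a1a-451a-99d3-20692bd9efae} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{d36227b6-8a1a-451a-99d3-20692bd9efae} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dozajohubi (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\wamatama.dll -> No action taken.
"""

LAST_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d36227b6-8a1a-451a-99d3-20692bd9efae} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d36227b6-8a1a-451a-99d3-20692bd9efae} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dozajohubi (Trojan.Vundo.H) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return one dict per detection: section, target, name, data, action."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("section")
            continue
        hit = ENTRY_RE.match(line)
        if hit and section:
            entries.append({"section": section, **hit.groupdict()})
    return entries


def persistence_map(entries):
    """Group registry detections by the autostart mechanism they live in.
    For AppInit_DLLs the interesting value is the DLL in the Data field."""
    by_mech = defaultdict(list)
    for e in entries:
        if not e["target"].startswith("HKEY_"):
            continue
        for hint, label in ASEP_HINTS:
            if hint.lower() in e["target"].lower():
                by_mech[label].append(e["data"] or e["target"])
                break
    return dict(by_mech)


def loaded_modules(entries):
    """DLLs MBAM found already mapped into a process.  These can only be
    marked 'Delete on reboot', and while loaded they can re-create keys."""
    return sorted({e["target"].lower() for e in entries
                   if e["section"] == "Memory Modules Infected"})


def survivors(earlier, later):
    """Detections present in both logs: what the earlier clean did not end."""
    key = lambda e: (e["target"].lower(), e["name"])
    seen = {key(e) for e in earlier}
    return [e for e in later if key(e) in seen]


if __name__ == "__main__":
    first, last = parse_mbam_log(FIRST_LOG), parse_mbam_log(LAST_LOG)
    for mech, items in persistence_map(first).items():
        print(f"{mech}: {len(items)} item(s)")
    print("loaded modules:", loaded_modules(first))
    for e in survivors(first, last):
        print("still present after clean:", e["target"])
```

Run against full logs, `survivors()` is the quick way to tell a stubborn re-infection from a scanner that is simply finding leftovers: entries that reappear with identical targets on every pass, as here, point at something still executing that re-creates them rather than at incomplete deletion.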


#6 DaChew

Posted 06 January 2009 - 08:31 AM

That's much better. Let's run ATFCleaner and SAS exactly as specified here:

http://www.bleepingcomputer.com/forums/ind...p;#entry1073748
Chewy



