Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Various viruses (trojan.vundo, virusremover2008, seneka)


  • Please log in to reply
3 replies to this topic

#1 cantcme99

cantcme99

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 06 January 2009 - 12:52 PM

I just ran a Malwarebyte scan and it identified many infected files on my laptop. I first knew my computer had picked something up last week while running Avast (I have since deleted Avast and installed a 30 day trial of ESET. Below is the log from the scan. It wasn't able to remove everything- I'm rescanning now and it's found two files (they are the trojan.vundo). Also when I restarted my computer, I got a message saying some file was not valid and to check my system diskette (I'll post verbatim next time I restart.) What do I do now? Thanks for your help!



Malwarebytes' Anti-Malware 1.32
Database version: 1624
Windows 5.1.2600 Service Pack 3

1/6/2009 12:29:05 PM
mbam-log-2009-01-06 (12-29-05).txt

Scan type: Quick Scan
Objects scanned: 59291
Time elapsed: 33 minute(s), 41 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 7
Registry Keys Infected: 27
Registry Values Infected: 6
Registry Data Items Infected: 13
Folders Infected: 0
Files Infected: 33

Memory Processes Infected:
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\hgGvWoNG.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\keyhgrep.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mejiyuwo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rotawapo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\dobipimo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cofxqunj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\kbhybf.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ee0278a-0df0-4b40-a8b2-3652f7d16f7a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0ee0278a-0df0-4b40-a8b2-3652f7d16f7a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxnhiiy (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9397c382-c069-4c78-9a77-2cbdcff6faf2} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{9397c382-c069-4c78-9a77-2cbdcff6faf2} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{665f0f76-0d29-451e-b1b2-7ccc510c4d64} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{665f0f76-0d29-451e-b1b2-7ccc510c4d64} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{665f0f76-0d29-451e-b1b2-7ccc510c4d64} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9397c382-c069-4c78-9a77-2cbdcff6faf2} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ee0278a-0df0-4b40-a8b2-3652f7d16f7a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\013c8bdc (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yoyemejila (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lqafutomobunito (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxodomalokahu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\hggvwong -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\mejiyuwo.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\mejiyuwo.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\mejiyuwo.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggvwong -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\kbhybf.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\byXNhiIy.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgGvWoNG.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\GNoWvGgh.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\GNoWvGgh.ini2 (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\keyhgrep.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\perghyek.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dobipimo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rotawapo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mejiyuwo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cofxqunj.dll (Trojan.Vundo) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-3745906722-1234518957-622439482-1006\Dc6.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3745906722-1234518957-622439482-1006\Dc7.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tmp21.exe (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janna Hustwit\Local Settings\Temp\xemaosrnwc.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janna Hustwit\Local Settings\Temp\rasesnet.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janna Hustwit\Local Settings\Temp\seneka37bf.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HE1DS7RL\pldr8[1].htm (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janna Hustwit\Local Settings\Temporary Internet Files\Content.IE5\3F1BRX0W\CARMMLRB (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janna Hustwit\Local Settings\Temporary Internet Files\Content.IE5\45YK6PCS\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janna Hustwit\Local Settings\Temporary Internet Files\Content.IE5\YLO3AT2T\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\iguheridubayav.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekampirpwal.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekancvsbuwi.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekaoxlppirv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

BC AdBot (Login to Remove)

 


#2 cantcme99

cantcme99
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 06 January 2009 - 01:06 PM

The start up error message did not repeat itself on start up again, so that's good. I'm rescanning a third time now and it's not finding anything.

Is this all I need to do? Is it fixed? Also, I read another post about the Seneka rootkit thing. Is this the same thing I had? Do I need to deal with identity theft stuff now???

#3 Tehsplink

Tehsplink

  • Members
  • 120 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Near London
  • Local time:05:07 PM

Posted 06 January 2009 - 02:54 PM

Common myth... not every virus will steal your information or identity.

Please could you provide us with one more malwarebytes log just so we can verify that your infection has been removed.



Thanks ;)
Please PM me if i have been assisting you and do not reply for 24 hours!

#4 cantcme99

cantcme99
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 06 January 2009 - 03:30 PM

Thank you! I changed some passwords just in case. It seems to be alright now. I'm relieved, but having the system restore disks sent to me from HP anyway. I probably need to do this anyhow.



Malwarebytes' Anti-Malware 1.32
Database version: 1624
Windows 5.1.2600 Service Pack 3

1/6/2009 3:18:13 PM
mbam-log-2009-01-06 (15-18-13).txt

Scan type: Quick Scan
Objects scanned: 58747
Time elapsed: 8 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users