
Removing Adware.Vundo Variant/Rel


11 replies to this topic

#1 pavs (Members, 6 posts)

Posted 08 January 2009 - 11:36 AM

Hello everyone

This is my first post on the forums, but I have visited the site a few times. Usually I'm able to get rid of these things with SuperAntiSpyware (SAS) and Spybot Search & Destroy, but this one just won't go away. Every time I scan my PC, restart and remove quarantines, the thing keeps coming back, and if I go online, the number of viruses and adware triples. I've scanned with the BitDefender online scan, and I'm running a second scan now. I've run SAS a bunch of times in Safe Mode and regular mode; it was helping at first, but once I turned the internet on, the pop-ups came back. These pop-ups are not too annoying; I only get one or two every time I open a new Explorer window. I also disabled System Restore points for now. Here are the logs of some scans; most of the adware seems to be stuck in the registry.

Latest SAS scan:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/08/2009 at 11:00 AM

Application Version : 4.24.1004

Core Rules Database Version : 3698
Trace Rules Database Version: 1674

Scan type : Complete Scan
Total Scan Time : 00:46:18

Memory items scanned : 402
Memory threats detected : 0
Registry items scanned : 7202
Registry threats detected : 32
File items scanned : 31046
File threats detected : 0

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\MS Juan
HKLM\SOFTWARE\Microsoft\MS Juan#RID
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LBL
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#MN
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT
HKLM\SOFTWARE\Microsoft\MS Track System
HKLM\SOFTWARE\Microsoft\MS Track System#Shows
HKLM\SOFTWARE\Microsoft\MS Track System#Uqs
HKLM\SOFTWARE\Microsoft\MS Track System#Uid

the one before that

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/08/2009 at 09:58 AM

Application Version : 4.24.1004

Core Rules Database Version : 3698
Trace Rules Database Version: 1674

Scan type : Complete Scan
Total Scan Time : 00:47:09

Memory items scanned : 448
Memory threats detected : 0
Registry items scanned : 7202
Registry threats detected : 37
File items scanned : 31091
File threats detected : 9

Adware.Tracking Cookie
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@specificclick[2].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@adopt.specificclick[1].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@specificmedia[2].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@adbrite[1].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@ads.pointroll[1].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@atdmt[1].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@linkstattrack[1].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@tribalfusion[2].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@doubleclick[1].txt

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\MS Juan
HKLM\SOFTWARE\Microsoft\MS Juan#RID
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\adware+vundo+variant+rel
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\adware+vundo+variant+rel#LU
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\adware+vundo+variant+rel#CT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\adware+vundo+variant+rel#LT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LBL
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#MN
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT
HKLM\SOFTWARE\Microsoft\MS Track System
HKLM\SOFTWARE\Microsoft\MS Track System#Uid
HKLM\SOFTWARE\Microsoft\MS Track System#Shows
HKLM\SOFTWARE\Microsoft\MS Track System#Uqs


Here is the very first scan I did after I noticed that there might be a problem (all scans before this had only cookies, and I felt no problems with my PC):

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/06/2009 at 10:30 PM

Application Version : 4.24.1004

Core Rules Database Version : 3698
Trace Rules Database Version: 1674

Scan type : Complete Scan
Total Scan Time : 01:05:45

Memory items scanned : 483
Memory threats detected : 4
Registry items scanned : 7235
Registry threats detected : 65
File items scanned : 32832
File threats detected : 42

Trojan.Vundo-Variant/Packed-GEN
C:\WINDOWS\SYSTEM32\EFCCDCSS.DLL
C:\WINDOWS\SYSTEM32\EFCCDCSS.DLL
C:\WINDOWS\SYSTEM32\LJJDWMNO.DLL
C:\WINDOWS\SYSTEM32\LJJDWMNO.DLL
C:\WINDOWS\SYSTEM32\EFCBRQJD.DLL
C:\WINDOWS\SYSTEM32\EFCBRQJD.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{550A5BBF-8557-403B-AB52-835A75DF8AF5}
HKCR\CLSID\{550A5BBF-8557-403B-AB52-835A75DF8AF5}
HKCR\CLSID\{550A5BBF-8557-403B-AB52-835A75DF8AF5}\InprocServer32
HKCR\CLSID\{550A5BBF-8557-403B-AB52-835A75DF8AF5}\InprocServer32#ThreadingModel
HKU\S-1-5-21-3007920881-929526359-3499477487-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{550A5BBF-8557-403B-AB52-835A75DF8AF5}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\efccdCss

Adware.Prun-A
C:\WINDOWS\SYSTEM32\PRUNNET.EXE
C:\WINDOWS\SYSTEM32\PRUNNET.EXE
[prunnet] C:\WINDOWS\SYSTEM32\PRUNNET.EXE
[prunnet] C:\WINDOWS\SYSTEM32\PRUNNET.EXE

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}

Rootkit.Agent/Gen-SENEKA
HKLM\system\controlset001\services\seneka
C:\WINDOWS\SYSTEM32\DRIVERS\SENEKAOEWJBOET.SYS

Adware.Tracking Cookie
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@cdn.at.atwola[1].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@ad.yieldmanager[1].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@tacoda[1].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@forum.usenext[1].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@questionmarket[2].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@chitika[1].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@revsci[1].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@tribalfusion[2].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@atwola[1].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@media6degrees[1].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@myroitracking[1].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@doubleclick[1].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@at.atwola[1].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@html[1].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@pro-market[2].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@adtrafficstats[2].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@serw.clicksor[1].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@288_[3].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@wmvmedialease[1].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@gomyhit[2].txt
C:\Documents and Settings\Pavel Mazirka\Cookies\pavel mazirka@banner[1].txt

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\FCOVM
HKLM\SOFTWARE\Microsoft\RemoveRP
HKLM\SOFTWARE\Microsoft\MS Juan
HKLM\SOFTWARE\Microsoft\MS Juan#RID
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LBL
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#MN
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT
HKLM\SOFTWARE\Microsoft\contim
HKLM\SOFTWARE\Microsoft\contim#SysShell
HKLM\SOFTWARE\Microsoft\MS Track System
HKLM\SOFTWARE\Microsoft\MS Track System#Uid
HKLM\SOFTWARE\Microsoft\rdfa
HKLM\SOFTWARE\Microsoft\rdfa#F
HKLM\SOFTWARE\Microsoft\rdfa#N

Rogue.Component/Trace
HKLM\Software\Microsoft\ACBF5461
HKLM\Software\Microsoft\ACBF5461#acbf5461
HKLM\Software\Microsoft\ACBF5461#Version
HKLM\Software\Microsoft\ACBF5461#acbff9e1
HKLM\Software\Microsoft\ACBF5461#acbf9004
HKU\S-1-5-21-3007920881-929526359-3499477487-1004\Software\Microsoft\CS41275
HKU\S-1-5-21-3007920881-929526359-3499477487-1004\Software\Microsoft\FIAS4018

Adware.Prun
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet#UninstallString
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#prunnet [ "C:\WINDOWS\system32\prunnet.exe" ]
HKU\S-1-5-21-3007920881-929526359-3499477487-1004\Software\Microsoft\Windows\CurrentVersion\Run#prunnet [ "C:\WINDOWS\system32\prunnet.exe" ]

Trojan.Unclassified/C00-Installer
C:\DOCUMENTS AND SETTINGS\PAVEL MAZIRKA\LOCAL SETTINGS\TEMP\SMCHK.EXE
C:\DOCUMENTS AND SETTINGS\PAVEL MAZIRKA\LOCAL SETTINGS\TEMP\_A00F985C69E.EXE

Trojan.Vundo-Variant/Small-GEN
C:\WINDOWS\SYSTEM32\MLJDWVSI.DLL

Rootkit.SENEKA-Trace
C:\WINDOWS\SYSTEM32\SENEKA.DAT
C:\WINDOWS\SYSTEM32\SENEKADF.DAT
C:\WINDOWS\SYSTEM32\SENEKALOG.DAT
C:\WINDOWS\SYSTEM32\SENEKAYKMLYPBQ.DLL

Rootkit.TDSServ-Trace
C:\WINDOWS\SYSTEM32\TDSSERRORS.LOG
C:\WINDOWS\SYSTEM32\TDSSADW.DLL
C:\WINDOWS\SYSTEM32\TDSSINIT.DLL
C:\WINDOWS\SYSTEM32\TDSSL.DLL
C:\WINDOWS\SYSTEM32\TDSSMAIN.DLL
C:\WINDOWS\SYSTEM32\TDSSSERF1.DLL
C:\WINDOWS\SYSTEM32\TDSSSERVERS.DAT

Rootkit.TDSServ/Fake
C:\WINDOWS\TEMP\TDSSDBBC.TMP
C:\WINDOWS\TEMP\TDSSDBCC.TMP

I'm trying to find the Bitdefender log, but I think CCleaner might've deleted that.....

Thanks a million for all your help!!!
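Why the infection keeps returning is visible in the first log: several of the detections sit in Windows autostart locations (a BHO CLSID with its InprocServer32 DLL, a Winlogon Notify package, a ShellExecuteHook, a Run value, a kernel service), while the MS Juan entries that survive into the later scans sit under no autostart location at all. The following is an added example, not part of the original post and not SUPERAntiSpyware's own code: a Python parser that reads SAS detection lines (the excerpt is copied from the logs above) and groups each item by the autostart mechanism it uses. The rule table and the mechanism descriptions are the example's own assumptions about general Windows behaviour, not something SAS reports.

```python
"""Group SUPERAntiSpyware detections by the Windows autostart mechanism they use.

Added example, not from the BleepingComputer thread or from SUPERAntiSpyware.
The excerpt below is copied from the SAS logs posted above; the rule table and
the mechanism descriptions are this example's own assumptions about general
Windows behaviour, not anything SAS itself reports.
"""
import re

# Ordered (regex, mechanism) rules; first match wins, so the specific autostart
# locations are tried before the generic COM registration.
AUTOSTART_RULES = [
    (r"\\Browser Helper Objects\\\{", "BHO: DLL loaded into Internet Explorer"),
    (r"\\Winlogon\\Notify\\", "Winlogon Notify: DLL loaded by winlogon.exe at logon"),
    (r"\\ShellExecuteHooks", "ShellExecuteHook: COM object loaded into Explorer"),
    (r"\\CurrentVersion\\Run(Once)?\b", "Run key: program started at logon"),
    (r"\\ControlSet\d*\\Services\\", "Service/driver: started by the SCM or the kernel"),
    (r"\\CLSID\\\{[0-9A-Fa-f-]+\}\\InprocServer32", "COM InprocServer32: DLL path behind a CLSID"),
]
FILE_RE = re.compile(r"^[A-Za-z]:\\")
REG_RE = re.compile(r"^(HKLM|HKCU|HKCR|HKU|Software)\\", re.I)

# Excerpt of the SAS logs posted above (keys and files as SAS printed them).
SAMPLE_LOG = r"""
Trojan.Vundo-Variant/Packed-GEN
C:\WINDOWS\SYSTEM32\EFCCDCSS.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{550A5BBF-8557-403B-AB52-835A75DF8AF5}
HKCR\CLSID\{550A5BBF-8557-403B-AB52-835A75DF8AF5}\InprocServer32
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\efccdCss

Adware.Prun-A
C:\WINDOWS\SYSTEM32\PRUNNET.EXE
[prunnet] C:\WINDOWS\SYSTEM32\PRUNNET.EXE

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Rootkit.Agent/Gen-SENEKA
HKLM\system\controlset001\services\seneka
C:\WINDOWS\SYSTEM32\DRIVERS\SENEKAOEWJBOET.SYS

Adware.Prun
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#prunnet [ "C:\WINDOWS\system32\prunnet.exe" ]

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\MS Juan
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM
"""


def parse_sas_log(text):
    """Yield (family, item) pairs. A family header is a non-empty line that is
    neither a file path, a registry path nor a [process] entry; the lines after
    it up to the next blank line are its detections."""
    family = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            family = None
        elif FILE_RE.match(line) or REG_RE.match(line) or line.startswith("["):
            if family is not None:
                yield family, line
        else:
            family = line


def classify(item):
    """Name the autostart mechanism an item uses, or say it has none."""
    if item.startswith("["):
        return "process: was running in memory when SAS scanned"
    if FILE_RE.match(item):
        return "file: payload or dropper on disk, inert unless something loads it"
    for pattern, mechanism in AUTOSTART_RULES:
        if re.search(pattern, item, re.I):
            return mechanism
    return "marker: data key under no autostart location"


def persistence_report(text):
    """{family: [(item, mechanism), ...]} for every detection in the log."""
    report = {}
    for family, item in parse_sas_log(text):
        report.setdefault(family, []).append((item, classify(item)))
    return report


def autostart_items(text):
    """Only the detections that would bring the malware back after a reboot."""
    return [(family, item, how)
            for family, items in persistence_report(text).items()
            for item, how in items
            if not how.startswith(("file", "marker", "process"))]


if __name__ == "__main__":
    for family, item, how in autostart_items(SAMPLE_LOG):
        print(f"{family}\n    {how}\n    {item}")
```

Running the file prints the six entries that reload at boot or logon; the later SAS logs in this post contain none of those classes, only marker keys, which is consistent with the remaining payload being what the later scans in the thread had to find.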


#2 boopme (Global Moderator, 73,220 posts, NJ USA)

Posted 08 January 2009 - 12:46 PM

Hello and welcome. First, I am moving this topic to the Am I Infected forum.
Next, I would like you to run this scan.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

#3 pavs (Topic Starter, 6 posts)

Posted 08 January 2009 - 04:11 PM

Hey there, thanks for replying!!!

I ran Malwarebytes, here is the Log:


Malwarebytes' Anti-Malware 1.32
Database version: 1632
Windows 5.1.2600 Service Pack 3

1/8/2009 4:08:46 PM
mbam-log-2009-01-08 (16-08-46).txt

Scan type: Quick Scan
Objects scanned: 61163
Time elapsed: 22 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 20
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\purygf.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7089e8e7-f2a3-450e-a3f6-1d51ac42c8b7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7089e8e7-f2a3-450e-a3f6-1d51ac42c8b7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7089e8e7-f2a3-450e-a3f6-1d51ac42c8b7} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{daa07812-5c88-4ccc-8d25-10fef65b77b1} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{5a148cf2-9c7b-4499-8e25-c9383a5e8680} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7d5dd829-6c90-42c5-b54c-2afa82f988ba} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{81705d67-3f73-4983-859b-97d0922e5abe} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c2a1c5cb-c0ef-4689-9436-f62cca1c5383} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BndFibu7.DLL (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndfibu7.band (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndfibu7.band.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndfibu7.bho (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndfibu7.bho.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Bat (Adware.Batco) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\purygf.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\necfwxjy.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yjxwfcen.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\umpowcak.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekamdbwexhn.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pavel Mazirka\Application Data\addon.dat (Malware.Trace) -> Quarantined and deleted successfully.

#4 extremeboy (Malware Response Team, 12,975 posts)

Posted 08 January 2009 - 04:44 PM

Hello.

Let's run MBAM again this time it's a full scan and see if those files/registry keys are still there.

Run Malwarebytes Anti-Malware again(Full Scan)
  • Double click on Malwarebytes Anti-Malware that is on your desktop.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with the log once you are done.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#5 pavs (Topic Starter, 6 posts)

Posted 08 January 2009 - 10:47 PM

Sorry for taking so long to reply.

I ran the full scan and here is what showed up.

Malwarebytes' Anti-Malware 1.32
Database version: 1632
Windows 5.1.2600 Service Pack 3

1/8/2009 10:46:27 PM
mbam-log-2009-01-08 (22-46-27).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|G:\|H:\|I:\|J:\|L:\|)
Objects scanned: 157778
Time elapsed: 1 hour(s), 38 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{7D83713C-ADAB-4793-AA3D-B89DDB8C654A}\RP235\A0050293.dll (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7D83713C-ADAB-4793-AA3D-B89DDB8C654A}\RP239\A0050588.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7D83713C-ADAB-4793-AA3D-B89DDB8C654A}\RP418\A0108418.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7D83713C-ADAB-4793-AA3D-B89DDB8C654A}\RP418\A0108419.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7D83713C-ADAB-4793-AA3D-B89DDB8C654A}\RP418\A0108420.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

Thanks for all your support!!!

#6 extremeboy (Malware Response Team, 12,975 posts)

Posted 09 January 2009 - 01:17 PM

Hello.

That looks good.

Those files that MBAM took out are related to your System Restore points, which are infected. No need to worry about that; we will remove any other restore points once you create a new restore point and remove the older ones :thumbsup:

How is your computer running right now? It looks good to me so far, but a TDSS-related restore point was found, which bugs me a little. Let's run a GMER scan to make sure. Also, TDSSserv is a rootkit which has backdoor functions; this is why most experts would suggest a format or reinstall once you have this kind of infection, because you may already have been compromised.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
    Alternate Download Site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop buttons turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important!:Please do not select the Show all checkbox during the scan..

Post back with the GMER log and how your computer is running.

With Regards,
Extremeboy
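GMER lists SSDT entries and driver import slots that point outside the kernel image that should own them, plus inline patches in kernel code and drivers whose file cannot be found, so its log mixes hooks from legitimate drivers with anything a rootkit installed, and the reader's job is to separate the two. As an added example (not code from this thread or from GMER), the Python below reads lines in GMER's output format, resolves the module that owns each hook, and accepts only modules on an allow-list; everything else is marked for review. The allow-list is this example's assumption: sptd.sys, the SCSI pass-through driver DAEMON Tools installs (the GMER log posted later in this thread ties its sptd Cfg key to the DAEMON Tools folder), and SASKUTIL.sys, which GMER's own annotation on the line attributes to SUPERAntiSpyware. The excerpt is constructed in GMER's format: the sptd.sys, SASKUTIL.sys and USBPORT.SYS lines mirror the log posted later in the thread, while xyzzy.sys and hypodrv.SYS are made-up names for the flagged cases. A REVIEW verdict means "look this up", not "malicious".

```python
"""Triage the hook lines of a GMER rootkit-scan log.

Added example, not from the BleepingComputer thread or from GMER. The excerpt
is constructed in GMER's output format; xyzzy.sys and hypodrv.SYS are made-up
names. The allow-list below is this example's assumption, not a GMER feature.
"""
import re

# Constructed excerpt in GMER's format (sptd.sys, SASKUTIL.sys and USBPORT.SYS
# lines mirror the log posted in this thread; the other two names are made up).
SAMPLE_GMER = r"""
---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xF74ED0D0]
SSDT sptd.sys ZwOpenKey [0xF74ED0B0]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB3CD0F20]
SSDT \SystemRoot\system32\drivers\xyzzy.sys ZwQueryDirectoryFile [0xF7A12340]

---- Kernel code sections - GMER 1.0.14 ----

.text USBPORT.SYS!DllUnload BA78C8AC 5 Bytes JMP 8A81C770
? System32\Drivers\hypodrv.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F750406C] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74EDAD4] sptd.sys
"""

SSDT_RE = re.compile(r"^SSDT\s+(?P<module>.+?)\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]")
IAT_RE = re.compile(r"^IAT\s+(?P<target>[^\[]+)\[(?P<imp>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)")
INLINE_RE = re.compile(r"^\.text\s+(?P<target>\S+)\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+(?P<patch>.+)$")
MISSING_RE = re.compile(r"^\?\s+(?P<path>\S+)\s+The system cannot find the file specified")

# Assumed allow-list of hook owners that are expected on this particular box.
KNOWN_MODULES = {
    "sptd.sys": "DAEMON Tools SCSI pass-through driver (hooks registry and port I/O by design)",
    "saskutil.sys": "SUPERAntiSpyware kernel helper (hooks ZwTerminateProcess to protect itself)",
}


def module_name(field):
    """Reduce GMER's module field (path plus optional vendor note) to a lowercase file name."""
    return field.split(" (")[0].split("\\")[-1].lower()


def _row(kind, target, mod):
    if mod in KNOWN_MODULES:
        verdict = "known: " + KNOWN_MODULES[mod]
    else:
        verdict = "REVIEW: hook owned by unrecognised module " + mod
    return {"kind": kind, "target": target, "module": mod, "verdict": verdict}


def triage(text):
    """One dict per hook/anomaly line, in log order, with a verdict string."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            rows.append(_row("SSDT", m["func"], module_name(m["module"])))
        elif m := IAT_RE.match(line):
            rows.append(_row("IAT", f"{m['target']}[{m['imp']}]", m["module"].lower()))
        elif m := INLINE_RE.match(line):
            # An inline patch names no owning image; the JMP target decides what it is.
            rows.append({"kind": "inline", "target": m["target"], "module": None,
                         "verdict": f"REVIEW: {m['nbytes']}-byte patch ({m['patch']}) with no owning image named"})
        elif m := MISSING_RE.match(line):
            rows.append({"kind": "missing", "target": m["path"], "module": None,
                         "verdict": "REVIEW: driver is loaded but its file is not on disk"})
    return rows


def needs_review(text):
    """The subset of triage() rows that an analyst still has to look up by hand."""
    return [r for r in triage(text) if r["verdict"].startswith("REVIEW")]


if __name__ == "__main__":
    for r in triage(SAMPLE_GMER):
        print(f"{r['kind']:8} {r['target']:55} {r['verdict']}")
```

Running the file prints the full table; `needs_review` is what carries into the next step (find the module's file on disk, check its signature and service key, and for an inline patch resolve where the JMP lands). Extending the allow-list is the point of the design: every hook owner on a clean machine should be explainable, and anything that cannot be explained stays flagged.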

#7 pavs (Topic Starter, 6 posts)

Posted 13 January 2009 - 07:08 PM

Hey, sorry for taking so long; I've been really busy with work the last few days. The computer is running smooth as butter. Thanks for all your help and advice.
Here is the GMER text:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-13 16:35:10
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xF74ED0D0]
SSDT sptd.sys ZwEnumerateKey [0xF74F2FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xF74F3340]
SSDT sptd.sys ZwOpenKey [0xF74ED0B0]
SSDT sptd.sys ZwQueryKey [0xF74F3418]
SSDT sptd.sys ZwQueryValueKey [0xF74F3298]
SSDT sptd.sys ZwSetValueKey [0xF74F34AA]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB3CD0F20]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload BA78C8AC 5 Bytes JMP 8A81C770
? System32\Drivers\ai50sfdc.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F750406C] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7504018] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F75269AE] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F750406C] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74EDAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74EDC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74EDB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74EE748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74EE61E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F750329A] sptd.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A9081E8
Device \FileSystem\Fastfat \FatCdrom 89EC5790
Device \Driver\usbuhci \Device\USBPDO-0 8A81D790
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A90A1E8
Device \Driver\dmio \Device\DmControl\DmConfig 8A90A1E8
Device \Driver\dmio \Device\DmControl\DmPnP 8A90A1E8
Device \Driver\dmio \Device\DmControl\DmInfo 8A90A1E8
Device \Driver\usbuhci \Device\USBPDO-1 8A81D790
Device \Driver\PCI_NTPNP7010 \Device\00000052 sptd.sys
Device \Driver\PCI_NTPNP7010 \Device\00000052 sptd.sys
Device \Driver\usbuhci \Device\USBPDO-2 8A81D790
Device \Driver\usbuhci \Device\USBPDO-3 8A81D790
Device \Driver\usbehci \Device\USBPDO-4 8A863790
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A8991E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A8991E8
Device \Driver\Cdrom \Device\CdRom0 8A7841E8
Device \Driver\Cdrom \Device\CdRom1 8A7841E8
Device \Driver\Cdrom \Device\CdRom2 8A7841E8
Device \Driver\usbstor \Device\00000082 89EE1790
Device \Driver\NetBT \Device\NetBt_Wins_Export 89F091E8
Device \Driver\NetBT \Device\NetbiosSmb 89F091E8
Device \Driver\usbstor \Device\00000085 89EE1790
Device \Driver\usbstor \Device\00000086 89EE1790
Device \Driver\NetBT \Device\NetBT_Tcpip_{C5E5C8B6-7883-4927-97C4-67074EFB397E} 89F091E8
Device \Driver\usbstor \Device\00000087 89EE1790
Device \Driver\usbstor \Device\00000088 89EE1790
Device \Driver\usbuhci \Device\USBFDO-0 8A81D790
Device \Driver\usbuhci \Device\USBFDO-1 8A81D790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89EEB588
Device \Driver\usbuhci \Device\USBFDO-2 8A81D790
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89EEB588
Device \Driver\usbuhci \Device\USBFDO-3 8A81D790
Device \Driver\usbehci \Device\USBFDO-4 8A863790
Device \Driver\Ftdisk \Device\FtControl 8A8991E8
Device \Driver\ai50sfdc \Device\Scsi\ai50sfdc1Port3Path0Target0Lun0 8A71C1E8
Device \Driver\ai50sfdc \Device\Scsi\ai50sfdc1 8A71C1E8
Device \FileSystem\Fastfat \Fat 89EC5790
Device \FileSystem\Cdfs \Cdfs 89EB9790

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCA 0x40 0xC2 0x0C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB1 0xC7 0x92 0xA5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xDA 0xAD 0xF1 0x1F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x39 0x9E 0x42 0x55 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xE4 0xD5 0xF9 0x4A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xE4 0xD5 0xF9 0x4A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCA 0x40 0xC2 0x0C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x7E 0x72 0x60 0x96 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x59 0xDD 0xBE 0x79 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xCB 0x52 0x06 0xAC ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xE4 0xD5 0xF9 0x4A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xE4 0xD5 0xF9 0x4A ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCA 0x40 0xC2 0x0C ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB1 0xC7 0x92 0xA5 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xDA 0xAD 0xF1 0x1F ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x39 0x9E 0x42 0x55 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xE4 0xD5 0xF9 0x4A ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xE4 0xD5 0xF9 0x4A ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@

---- EOF - GMER 1.0.14 ----
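The GMER section above is the part of this thread worth reading carefully: every IAT hook listed points at the same driver, sptd.sys, and the registry section ties the sptd service to an install path under C:\Program Files\DAEMON Tools\. Separating "one known driver hooking a known set of ports" from "an unknown module hooking kernel exports" is the triage decision a responder has to make here. The following script is an added example, not part of the thread and not GMER's own code: it parses IAT lines, groups them by hooking module, and attributes each hooker to a service path using the heuristic (an assumption of this example, not something GMER promises) that the driver file name minus its extension equals the service key name. SAMPLE_LOG is an excerpt copied from the log above.

```python
"""Summarise the IAT hooks in a GMER log and attribute them to an installed product.

Added example, not part of the forum thread and not GMER's own code. The
sample lines are copied from the GMER 1.0.14 log above; the helper names and
the driver-name == service-name heuristic are this example's own assumptions.
"""
import re
from collections import defaultdict

# Excerpt of the GMER log posted above (IAT section plus one registry line).
SAMPLE_LOG = r"""
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7504018] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F75269AE] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F750406C] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74EDAD4] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74EE61E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F750329A] sptd.sys

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
"""

# "IAT <hooked module>[<exporting module>!<function>] [<address>] <hooking module>"
IAT_LINE = re.compile(
    r"^IAT (?P<victim>[^\[\s]+)\[(?P<export_mod>[^!\]]+)!(?P<func>[^\]]+)\] "
    r"\[(?P<addr>[0-9A-Fa-f]+)\] (?P<hooker>\S+)$"
)
# "Reg HKLM\SYSTEM\<control set>\Services\<service>\...@p0 <path>"
SERVICE_PATH = re.compile(
    r"^Reg HKLM\\SYSTEM\\[^\\]+\\Services\\(?P<svc>[^\\]+)\\.*@p0 (?P<path>.+)$"
)


def parse_iat_hooks(log):
    """Return one dict per IAT line; non-matching lines are ignored."""
    return [m.groupdict() for m in map(IAT_LINE.match, log.splitlines()) if m]


def summarize_hooks(hooks):
    """Group hooks by the module that installed them."""
    summary = defaultdict(lambda: {"count": 0, "victims": set(), "functions": set()})
    for h in hooks:
        entry = summary[h["hooker"]]
        entry["count"] += 1
        # keep only the file name of the hooked driver, whatever path GMER printed
        entry["victims"].add(h["victim"].rsplit("\\", 1)[-1])
        entry["functions"].add(h["func"])
    return dict(summary)


def find_service_paths(log):
    """Map service key name -> install path recorded in its @p0 value."""
    return {m.group("svc"): m.group("path")
            for m in map(SERVICE_PATH.match, log.splitlines()) if m}


def attribute_hookers(summary, service_paths):
    """Heuristic (assumption): 'sptd.sys' belongs to service 'sptd'. None if unknown."""
    result = {}
    for hooker in summary:
        svc = hooker.lower().rsplit(".", 1)[0]
        result[hooker] = next((p for s, p in service_paths.items() if s.lower() == svc), None)
    return result


if __name__ == "__main__":
    summary = summarize_hooks(parse_iat_hooks(SAMPLE_LOG))
    owners = attribute_hookers(summary, find_service_paths(SAMPLE_LOG))
    for hooker, info in summary.items():
        print(f"{hooker}: {info['count']} hooks in {sorted(info['victims'])}")
        print(f"  functions: {sorted(info['functions'])}")
        print(f"  install path: {owners[hooker] or 'UNKNOWN - investigate'}")
```

A hooker that resolves to no service path, or to a path that does not exist on disk, is the case that deserves a closer look; a hooker that resolves to a product the user knowingly installed is the case shown in this log.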

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:36 PM

Posted 13 January 2009 - 08:35 PM

Hello.

Looks good, you should run an online scan to make sure there's nothing else..

Download and Run ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
F-Secure Online Scan

Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.
Need to run now.. Post back with the online scan log once it's complete.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 pavs

pavs
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 15 January 2009 - 11:27 AM

wow, I guess it wasn't that clean after all

Scanning Report
Thursday, January 15, 2009 10:01:35 - 11:25:04
Computer name: PAVMASTER
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 29 malware found
INI/Vundo.A (virus)
C:\WINDOWS\SYSTEM32\DJQRBCFE.INI (Submitted)
TrackingCookie.2o7 (spyware)
System
TrackingCookie.Adbrite (spyware)
System
TrackingCookie.Adinterax (spyware)
System
TrackingCookie.Adrevolver (spyware)
System
TrackingCookie.Advertising (spyware)
System
TrackingCookie.Atdmt (spyware)
System
TrackingCookie.Atwola (spyware)
System
TrackingCookie.Doubleclick (spyware)
System
TrackingCookie.Mediaplex (spyware)
System
TrackingCookie.Questionmarket (spyware)
System
TrackingCookie.Revsci (spyware)
System
TrackingCookie.Specificclick (spyware)
System
TrackingCookie.Statcounter (spyware)
System
TrackingCookie.Tradedoubler (spyware)
System
TrackingCookie.Yieldmanager (spyware)
System
Trojan-Downloader.HTML.Agent.kb (virus)
C:\RECYCLER\NPROTECT\00002070 (Renamed & Submitted)
Trojan-Downloader.Win32.Zlob.iej (virus)
C:\RECYCLER\NPROTECT\00002102 (Renamed & Submitted)
C:\RECYCLER\NPROTECT\00002113.EXE (Renamed & Submitted)
Trojan-Downloader:W32/Zlob.HMS (virus)
C:\RECYCLER\NPROTECT\00002101 (Renamed & Submitted)
C:\RECYCLER\NPROTECT\00002115.EXE (Renamed & Submitted)
Trojan-Downloader:W32/Zlob.HMT (virus)
C:\RECYCLER\NPROTECT\00002063 (Renamed & Submitted)
C:\RECYCLER\NPROTECT\00002114.EXE (Renamed & Submitted)
Trojan-Downloader:W32/Zlob.HMU (virus)
C:\RECYCLER\NPROTECT\00002092 (Renamed & Submitted)
C:\RECYCLER\NPROTECT\00002093 (Renamed & Submitted)
Trojan-Downloader:W32/Zlob.HMV (virus)
C:\RECYCLER\NPROTECT\00002062 (Renamed & Submitted)
C:\RECYCLER\NPROTECT\00002072 (Renamed & Submitted)
Trojan-Downloader:W32/Zlob.HMW (virus)
C:\RECYCLER\NPROTECT\00002082 (Renamed & Submitted)
C:\RECYCLER\NPROTECT\00002087 (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 44042
System: 3874
Not scanned: 19
Actions:
Disinfected: 0
Renamed: 13
Deleted: 0
None: 16
Submitted: 14
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE11\1033\GRINTL32.DLL
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE11\1033\GRINTL32.DLL
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE11\1033\GRINTL32.DLL
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE11\1033\GRINTL32.DLL
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE11\1033\VB_GRTOC.XML
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE11\1033\VB_GRTOC.XML
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE11\1033\VB_GRTOC.XML
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE11\1033\VB_GRTOC.XML
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE11\1033\VB_GRTOC.XML
C:\DOCUMENTS AND SETTINGS\PAVEL MAZIRKA\LOCAL SETTINGS\TEMP\~ROMFN_0000154C
C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\RECORDED TV\TEMPREC\TEMPSBE\MSDVRMM_2898216512_2293760_30945

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.40.0
F-Secure Blacklight: 0.0.0
F-Secure Hydra: 2.8.8110, 2009-01-15
F-Secure Pegasus: 1.20.0, 2009-00-13
F-Secure AVP: 7.0.171, 2009-01-15
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------


#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:36 PM

Posted 15 January 2009 - 06:16 PM

Hello.

wow, I guess it wasn't that clean after all

Actually, it's fairly clean. A brief summary of what F-Secure found:

1. Some tracking cookies, which isn't going to do much.
2. 1 vundo file
3. Some bad files in your Recycle folder.

Therefore, technically the only "active" infection it found was that one vundo file.

Delete Files/Folders manually

Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK



Navigate to the folder C:\WINDOWS\SYSTEM32
Find the file called DJQRBCFE.INI <- Delete it if it's there.

Then Navigate to C:\RECYCLER
Find the folder called NPROTECT <- Delete it if it's there.

As an example to delete a file:
To delete C:\WINDOWS\badfile.dll
Double click the My Computer icon on your Desktop. Or click on the Windows KEY + E.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Right click on badfile.dll and then from the menu that appears, click on Delete

As an example to delete a folder:
To delete C:\Program Files\BadFolder
Double click the My Computer icon on your Desktop. Or click on the Windows KEY + E.
Double click on Local Disc (C:\)
Double click on the Program Files folder
Right click on Bad Folder and then from the menu that appears, click Delete


Restart your computer once you're done

Make sure those files/folders are not there afterwards.

Let me know how it goes.

With Regards,
Extremeboy
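The summary in the reply above (cookies are noise, files already under C:\RECYCLER are not loading at boot, the one file in SYSTEM32 is the only live finding) is a classification any responder applies by hand to a scanner report. The script below is an added example, not part of the thread and not F-Secure's tooling: it parses the "Result:" section of a report in the format posted above, buckets each finding with those three rules, checks that the header count matches the number of locations parsed (the report counts locations, not detection names), and lists driver files the scanner could not read, since those have to be checked by other means. SAMPLE_REPORT is a constructed, abridged version of the report above; the function names and classification rules are this example's own.

```python
"""Triage an F-Secure Online Scanner report the way the reply above does:
separate tracking cookies and Recycle Bin leftovers from live findings.

Added example, not part of the forum thread and not F-Secure's own tooling.
SAMPLE_REPORT is a constructed, abridged version of the report posted above;
the function names and the classification rules are this example's own.
"""
import re
from collections import Counter

SAMPLE_REPORT = r"""
Scanning Report
Thursday, January 15, 2009 10:01:35 - 11:25:04
Computer name: PAVMASTER
Target: C:\

--------------------------------------------------------------------------------

Result: 7 malware found
INI/Vundo.A (virus)
C:\WINDOWS\SYSTEM32\DJQRBCFE.INI (Submitted)
TrackingCookie.2o7 (spyware)
System
TrackingCookie.Doubleclick (spyware)
System
TrackingCookie.Atdmt (spyware)
System
Trojan-Downloader.HTML.Agent.kb (virus)
C:\RECYCLER\NPROTECT\00002070 (Renamed & Submitted)
Trojan-Downloader.Win32.Zlob.iej (virus)
C:\RECYCLER\NPROTECT\00002102 (Renamed & Submitted)
C:\RECYCLER\NPROTECT\00002113.EXE (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 44042
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
C:\WINDOWS\SYSTEM32\CONFIG\SAM

--------------------------------------------------------------------------------
"""

RESULT_HEADER = re.compile(r"^Result: (\d+) malware found$")
DETECTION = re.compile(r"^(?P<name>[^\s(]+) \((?P<cat>[^)]+)\)$")
LOCATION = re.compile(r"^(?P<path>[A-Za-z]:\\[^(]*?)\s*(?:\((?P<action>[^)]*)\))?$")
SEPARATOR = "----"


def parse_detections(report):
    """Return (declared_count, [(name, category, location, action), ...])."""
    declared, items, name, cat, in_result = 0, [], None, None, False
    for line in report.splitlines():
        line = line.strip()
        if not in_result:
            m = RESULT_HEADER.match(line)
            if m:
                declared, in_result = int(m.group(1)), True
            continue
        if line.startswith(SEPARATOR):
            break
        if not line or name is None and not DETECTION.match(line):
            continue
        if line == "System":                      # cookie findings have no path
            items.append((name, cat, "System", None))
            continue
        m = LOCATION.match(line)                  # check paths before names: a path
        if m:                                     # line also looks like "X (action)"
            items.append((name, cat, m.group("path"), m.group("action")))
            continue
        m = DETECTION.match(line)
        if m:
            name, cat = m.group("name"), m.group("cat")
    return declared, items


def classify(name, location):
    """Bucket one finding; rules mirror the reply above and are this example's own."""
    if name.startswith("TrackingCookie."):
        return "cookie"        # browser cookies: privacy noise, not running code
    if location.upper().startswith("C:\\RECYCLER\\"):
        return "recycler"      # already discarded; nothing loads it at boot
    return "active"            # anything else gets a manual look


def triage(report):
    declared, items = parse_detections(report)
    counts = Counter(classify(n, loc) for n, _, loc, _ in items)
    active = [(n, loc) for n, _, loc, _ in items if classify(n, loc) == "active"]
    return {"declared": declared, "counts": dict(counts), "active": active,
            "consistent": declared == len(items)}   # header counts locations, not names


def unscanned_drivers(report):
    """Driver files the scanner skipped; those need checking by other means."""
    out, collecting = [], False
    for line in report.splitlines():
        line = line.strip()
        if line == "Files not scanned:":
            collecting = True
            continue
        if collecting:
            if not line or line.startswith(SEPARATOR):
                break
            if re.search(r"\\DRIVERS\\[^\\]+\.SYS$", line, re.IGNORECASE):
                out.append(line)
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"declared {result['declared']}, count consistent: {result['consistent']}")
    for bucket, n in sorted(result["counts"].items()):
        print(f"  {bucket:8} {n}")
    for name, loc in result["active"]:
        print(f"ACTIVE  {name} -> {loc}")
    for p in unscanned_drivers(SAMPLE_REPORT):
        print(f"NOT SCANNED driver: {p}")
```

On the full report above the same rules give 15 cookies, 13 files under C:\RECYCLER\NPROTECT and one active finding, which is exactly the breakdown in the reply; the unscanned-driver list also surfaces SPTD.SYS, the driver the GMER log earlier in the thread shows hooking other drivers.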

#11 pavs

pavs
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 17 January 2009 - 11:57 AM

Hey,

I've looked really hard for those files and they're not in the system.

Thanks for all your help!!!!

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:36 PM

Posted 18 January 2009 - 11:43 AM

Hello.

That's good, they have been removed then. :thumbsup:

Any problems? How's your computer running?

With Regards,
Extremeboy



