
antivirus 2009


3 replies to this topic

#1 bsheurs

bsheurs

  • Members
  • 22 posts
  • OFFLINE
  • Local time:08:18 PM

Posted 14 January 2009 - 01:23 AM

Infected with Antivirus 2009. I'm getting a bunch of pop-ups wanting me to install Antivirus 2009 because it's saying I'm infected. Been running SUPERAntiSpyware and Malwarebytes several times. Still not fixing it. I have Windows XP. Here are the two most recent logs.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/14/2009 at 01:18 AM

Application Version : 4.24.1004

Core Rules Database Version : 3708
Trace Rules Database Version: 1683

Scan type : Complete Scan
Total Scan Time : 00:55:04

Memory items scanned : 349
Memory threats detected : 0
Registry items scanned : 5846
Registry threats detected : 5
File items scanned : 66110
File threats detected : 9

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}
HKU\S-1-5-21-3634496520-2245192505-2113527514-1006\Software\Microsoft\Internet Explorer\URLSearchHooks#{E312764E-7706-43F1-8DAB-FCDD2B1E416D}
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32

Adware.Tracking Cookie
C:\Documents and Settings\Brian\Cookies\brian@becometrueclick[2].txt
C:\Documents and Settings\Brian\Cookies\brian@enhance[2].txt
C:\Documents and Settings\Brian\Cookies\brian@bridge1.admarketplace[1].txt
C:\Documents and Settings\Brian\Cookies\brian@revenuehit[2].txt
C:\Documents and Settings\Brian\Cookies\brian@admarketplace[1].txt
C:\Documents and Settings\Brian\Cookies\brian@goldenstarclick[2].txt
C:\Documents and Settings\Brian\Cookies\brian@casalemedia[2].txt

Trojan.Fake-Alert/Trace
HKU\S-1-5-21-3634496520-2245192505-2113527514-1006\SOFTWARE\Microsoft\fias4013

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1513\A0125576.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1513\A0125577.EXE




__________________________________________________________________________________________________


Malwarebytes' Anti-Malware 1.32
Database version: 1649
Windows 5.1.2600 Service Pack 3

1/13/2009 11:32:51 PM
mbam-log-2009-01-13 (23-32-51).txt

Scan type: Quick Scan
Objects scanned: 60767
Time elapsed: 6 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 12
Registry Values Infected: 3
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\wugobaha.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\moleyido.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\SYSTEM32\terumeke.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\zekelizu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\toboxf.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{40d7e8d3-96dd-4191-a111-a88df54e5b5f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{40d7e8d3-96dd-4191-a111-a88df54e5b5f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d59a43f-4a96-4648-b5fd-3bc76f667d7f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3d59a43f-4a96-4648-b5fd-3bc76f667d7f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{40d7e8d3-96dd-4191-a111-a88df54e5b5f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3d59a43f-4a96-4648-b5fd-3bc76f667d7f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2ccce9d0 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wutiruboha (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm2fffda4c (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\moleyido.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\moleyido.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\moleyido.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\terumeke.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\terumeke.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\toboxf.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\degenize.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ezineged.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\filerofa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\aforelif.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ladilasa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\asalidal.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lelajoge.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\egojalel.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wugobaha.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\ahaboguw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\zekelizu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\SYSTEM32\terumeke.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\ragutali.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\moleyido.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\neyirano.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\nodotuwo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\suwofada.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\uvthef.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vabavena.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\zafinowe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tmp36.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tmpB1.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tmpFB.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vopuvemi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.



#2 buddy215

buddy215

  • BC Advisor
  • 12,885 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:07:18 PM

Posted 14 January 2009 - 10:49 AM

The malware you have is constantly changing to hide from the security programs. I see you have the latest updates for SUPERAntiSpyware. Malwarebytes' Anti-Malware has updated since your last scan. Suggest you run a quick scan with it after updating.

If you did not run SAS in safe mode, I suggest you do that for the next scan. It may take a day or so for both programs to update the detection items for the malware you have.

Use the Secunia online scanner to find missing updates for the programs most vulnerable to exploits. Old Sun Java programs are known to be exploited by Vundo. After updating Java, go to Add/Remove Programs and remove all older Java programs.
http://secunia.com/vulnerability_scanning/online/

Edited by buddy215, 14 January 2009 - 10:50 AM.



#3 bsheurs

bsheurs
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:08:18 PM

Posted 14 January 2009 - 11:16 AM

Here's the new Malwarebytes log.

Malwarebytes' Anti-Malware 1.32
Database version: 1652
Windows 5.1.2600 Service Pack 3

1/14/2009 11:15:39 AM
mbam-log-2009-01-14 (11-15-39).txt

Scan type: Quick Scan
Objects scanned: 60554
Time elapsed: 6 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\SYSTEM32\valutune.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm2fffda4c (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\valutune.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\valutune.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\SYSTEM32\valutune.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\jevepazi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\SYSTEM32\hofanite.dll (Trojan.Agent) -> Delete on reboot.
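
As an added example (not from the thread, and not Malwarebytes' own code), a parser for the log format posted above that names the autostart mechanism behind each registry finding and lists items that reappear in a later scan, which is how a responder spots that the Trojan.BHO CLSID key reported "Delete on reboot" in the first log is still present in the second. The sample log lines are constructed from the posts, and the mechanism labels are my own descriptions, not MBAM output.

```python
import re

# Constructed excerpts in the Malwarebytes 1.32 log format posted above
# (assumption: trimmed samples, not the full logs from the thread).
SCAN_DAY1 = r"""Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\moleyido.dll -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\SYSTEM32\moleyido.dll (Trojan.Vundo.H) -> Delete on reboot.
"""
SCAN_DAY2 = r"""Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
Files Infected:
c:\WINDOWS\SYSTEM32\valutune.dll (Trojan.Vundo.H) -> Delete on reboot.
"""

# One finding per line: "<item> (<detection>) -> [Data: <value> -> ]<action>."
LINE_RE = re.compile(r"^(?P<item>.+?) \((?P<det>[^()]+)\) -> (?P<rest>.+)$")
# Autostart locations seen in the thread's logs, matched on the registry path.
MECHANISMS = [
    (r"\\AppInit_DLLs$", "AppInit_DLLs (injected into every user32 process)"),
    (r"\\CurrentVersion\\Run\\", "Run key autostart"),
    (r"\\Browser Helper Objects\\", "IE Browser Helper Object"),
    (r"^HKEY_CLASSES_ROOT\\CLSID\\", "COM class registration"),
    (r"\\ShellServiceObjectDelayLoad\\", "SSODL (loaded by Explorer at logon)"),
    (r"\\LSA\\Notification Packages$", "LSA notification package (loaded by lsass)"),
]

def parse_mbam(text):
    """Return one dict per finding: item, detection, data (or None), action, mechanism."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers and "(No malicious items detected)"
        item, parts = m.group("item"), m.group("rest").rstrip(".").split(" -> ")
        data = parts[0][6:] if parts[0].startswith("Data: ") else None
        mech = next((name for pat, name in MECHANISMS if re.search(pat, item, re.I)),
                    "file on disk" if ":\\" in item else "other registry key")
        findings.append({"item": item, "detection": m.group("det"), "data": data,
                         "action": parts[-1], "mechanism": mech})
    return findings

def recurring(first, second):
    """Items reported by both scans: the earlier removal did not stick."""
    seen = {f["item"].lower() for f in parse_mbam(first)}
    return sorted({f["item"].lower() for f in parse_mbam(second)} & seen)
```

Running `recurring(SCAN_DAY1, SCAN_DAY2)` on the two real logs in this thread would likewise return the {ec43e3fd-...} CLSID key, the one item both scans could only schedule for deletion.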

#4 bsheurs

bsheurs
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:08:18 PM

Posted 14 January 2009 - 11:24 AM

Use Secunia online scanner to find missing updates for the most vulnerable programs to exploits. Old Sun Java programs are known to be exploited by Vundo. After updating Java go to the add/Remove program and remove all older Java programs.
http://secunia.com/vulnerability_scanning/online/



Status / Currently Processing:
There might be problems loading the Java Applet in your browser.

:thumbsup:



