
Vundo.FBW virus, remains even after multiple scans/cleanings


  • This topic is locked
8 replies to this topic

#1 blotsome

  • Members
  • 18 posts
  • Local time:05:09 AM

Posted 18 January 2009 - 09:58 AM

I have basically followed the procedures from http://www.bleepingcomputer.com/forums/t/193515/internet-activity-while-idle/. This is my roommate's Dell Latitude D620 laptop (running XP SP3) that is having the issue. I ran MBAM 3 times. The first scan found a dozen items related to Trojan.Vundo.H. The last two times it scanned clean. I've run SASW twice, first time it found "Adware.Vundo Variant/ACE" and the last time it scanned clean (save a tracking cookie). I've run F-Secure online maybe 4 times, and every time it finds Vundo.FBW (virus) in a randomly named .ini file in the System32 folder. I've also run ATF Cleaner, VundoFix, and SDFix. The issue that my roommate was suffering from was popups and a slow computer/internet connection. Like every time you would click on a link, a new browser window would open with an ad for a fake anti-virus or something else. That problem is gone, but I'm concerned about the last issue that F-Secure keeps finding but can't clean (yet MBAM and SASW don't find). Thanks!



#2 czhang

  • Members
  • 92 posts
  • Gender:Male
  • Location:Tallahassee, FL
  • Local time:05:09 AM

Posted 18 January 2009 - 10:15 AM

I once got the Vundo virus, which later caused a "userinit.exe failed to initialize" problem. The symptoms you described seem very similar to what I experienced. At that time I largely used Post #9 by KaZoom in the following link to remove the Vundo virus (please refer to Post #10 if you are interested in what I did then to remove Vundo).

http://www.bleepingcomputer.com/forums/ind...mp;#entry904528

I sincerely hope that this might be of some help to you.

#3 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:06:09 AM

Posted 18 January 2009 - 10:25 AM

SDFix is best reserved for supervised use only

Would you post that log and the first MBAM one please
Chewy

No. Try not. Do... or do not. There is no try.

#4 blotsome

  • Topic Starter
  • Members
  • 18 posts
  • Local time:05:09 AM

Posted 18 January 2009 - 10:39 AM

As for the first reply, there don't seem to be any files in system32 that meet that description (nor that command in startup). Here is the first log:


SDFix: Version 1.240
Run by Jane on Sat 01/17/2009 at 01:45 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt16A.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt16C.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt171.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt17F.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt182.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt198.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt19B.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt19E.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1A0.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1A2.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1A6.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1A9.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1AB.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1B0.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1B3.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1B5.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1B7.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1BC.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1C1.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1C3.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1C8.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1CA.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1CF.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1D4.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1D6.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1DB.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1E0.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1E3.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1E8.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1EA.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1EC.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1EE.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1F3.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt1FE.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt207.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt21A.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt21F.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt223.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt226.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt229.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt22E.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt237.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt23B.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt24A.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt252.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt255.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt258.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt260.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt263.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt266.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt274.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt27C.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt288.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt28A.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt28D.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt292.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt294.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt297.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt29A.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt29D.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt29F.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt2A2.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt2B4.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt567.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt5EF.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt5F2.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt5F4.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt5F7.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt5FA.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt5FC.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt5FF.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt602.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt605.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt607.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt60A.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt60D.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt60F.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt612.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt615.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt617.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt61A.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt61D.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt61F.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt622.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt625.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt628.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt62A.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt62D.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt63C.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt65A.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt660.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt66C.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt66E.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt677.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt679.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt67B.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt67D.tmp - Deleted
C:\DOCUME~1\Jane\LOCALS~1\Temp\.tt67F.tmp - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 13:52:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000124

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Disabled:AOL Instant Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Program Files\\Graboid\\tools\\nntp\\archiver.exe"="C:\\Program Files\\Graboid\\tools\\nntp\\archiver.exe:*:Disabled:archiver"
"C:\\Program Files\\Graboid\\tools\\nntp\\player.exe"="C:\\Program Files\\Graboid\\tools\\nntp\\player.exe:*:Disabled:player"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Disabled:eMule"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Disabled:svchost"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:winlogon"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 13 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 16 Jan 2009 137,539 A.SH. --- "C:\WINDOWS\system32\bbwucl.dll"
Fri 16 Jan 2009 137,539 A.SH. --- "C:\WINDOWS\system32\bizigiso.dll"
Fri 16 Jan 2009 137,400 A.SH. --- "C:\WINDOWS\system32\gawajaso.dll"
Fri 16 Jan 2009 137,400 A.SH. --- "C:\WINDOWS\system32\rrorlv.dll"
Fri 16 Jan 2009 102,683 A.SH. --- "C:\WINDOWS\system32\ruhopama.dll"
Sun 8 Apr 2007 24,064 ...H. --- "C:\Documents and Settings\Jane\Desktop\~WRL2452.tmp"
Mon 24 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!



and MBAM

Malwarebytes' Anti-Malware 1.33
Database version: 1659
Windows 5.1.2600 Service Pack 3

1/17/2009 1:14:48 PM
mbam-log-2009-01-17 (13-14-48).txt

Scan type: Quick Scan
Objects scanned: 58423
Time elapsed: 8 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 7
Registry Keys Infected: 11
Registry Values Infected: 5
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\bimewefi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hagiyobi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\dumepiwo.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\rewuguti.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\walikahe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ngiezf.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\fojoseve.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{faf11e9f-e29b-4f96-9261-09da50aa6739} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{faf11e9f-e29b-4f96-9261-09da50aa6739} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b4b800a9-85f4-43c0-a994-23455a4b63bb} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b4b800a9-85f4-43c0-a994-23455a4b63bb} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2c49bac6 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vetoguhewa (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm2f7a895a (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\bimewefi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\bimewefi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\bimewefi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\rewuguti.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\rewuguti.dll -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ngiezf.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hagiyobi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\iboyigah.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nisejeti.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\itejesin.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dumepiwo.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\rewuguti.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\siveraja.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bimewefi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\walikahe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fojoseve.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Jane\Local Settings\Temporary Internet Files\Content.IE5\R5OM7UVP\YzPgCMf[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
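
Reading the two logs in this post together, as an added example (not a tool from this thread, from BleepingComputer, or from the SDFix/MBAM authors): the SDFix log lists five hidden+system DLLs in system32, all dated the day before the scans and in same-size pairs, plus a firewall exception for C:\WINDOWS\system32\drivers\svchost.exe, a directory in which Windows does not keep svchost.exe; the MBAM log shows the DLLs being loaded through AppInit_DLLs and the LSA Notification Packages value (a DLL mapped into running processes cannot be deleted until reboot, hence "Delete on reboot"), and .ini files whose names are the DLL names spelled backwards (iboyigah.ini / hagiyobi.dll, itejesin.ini / nisejeti.dll), which is the kind of leftover the F-Secure scan keeps reporting. The Python below parses constructed excerpts of those logs and extracts exactly those indicators. The CORE_BINARIES list, the system32 location check and the reversed-name pairing are the editor's own heuristics, the sample text is a subset copied in shape from the logs above, and none of this replaces the HJT-forum process the later replies point to.

```python
"""Triage helpers for the SDFix and MBAM log excerpts quoted in this thread.
Added example, not part of the thread or of either tool; the heuristics are
the editor's own assumptions, the samples are constructed subsets of the logs."""
import re
from collections import defaultdict

# Constructed sample in the format of SDFix's "Files with Hidden Attributes".
SDFIX_HIDDEN = r'''
Sun 13 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Fri 16 Jan 2009 137,539 A.SH. --- "C:\WINDOWS\system32\bbwucl.dll"
Fri 16 Jan 2009 137,539 A.SH. --- "C:\WINDOWS\system32\bizigiso.dll"
Fri 16 Jan 2009 137,400 A.SH. --- "C:\WINDOWS\system32\gawajaso.dll"
Fri 16 Jan 2009 137,400 A.SH. --- "C:\WINDOWS\system32\rrorlv.dll"
Fri 16 Jan 2009 102,683 A.SH. --- "C:\WINDOWS\system32\ruhopama.dll"
'''
HIDDEN_RE = re.compile(r'^(\w{3} \d{1,2} \w{3} \d{4}) ([\d,]+) (\S+) --- "([^"]+)"$')

def hidden_system32_dlls(text):
    """Hidden+system DLLs under system32, grouped by byte size: same-size
    entries are usually one payload dropped under several random names."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if not m:
            continue
        _date, size, attrs, path = m.groups()
        low = path.lower()
        if "\\system32\\" in low and low.endswith(".dll") and "H" in attrs and "S" in attrs:
            groups[int(size.replace(",", ""))].append(path.rsplit("\\", 1)[-1])
    return dict(groups)

# Constructed sample in the format of SDFix's "Authorized Application Key Export".
FIREWALL_SAMPLE = r'''
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Disabled:svchost"
"C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:winlogon"
'''
FW_RE = re.compile(r'^"(?P<path>[^"]+)"="(?P=path):\*:(?P<state>\w+):[^"]*"$')
# Assumption (editor's list): core Windows binaries never need their own
# exception, so an entry naming one was written by something other than the user.
CORE_BINARIES = {"svchost.exe", "winlogon.exe", "lsass.exe", "services.exe",
                 "csrss.exe", "smss.exe", "explorer.exe"}

def firewall_flags(text):
    """(path, state, reason) for exceptions naming a core binary; the reason
    also notes when the path is outside system32, where those binaries live."""
    flags = []
    for line in text.splitlines():
        m = FW_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path").replace("\\\\", "\\")   # undo .reg-style escaping
        directory, _, base = path.rpartition("\\")
        if base.lower() not in CORE_BINARIES:
            continue
        reason = "core Windows binary listed as an authorized application"
        if not directory.lower().endswith("\\system32"):
            reason += "; unexpected location " + directory
        flags.append((path, m.group("state").lower(), reason))
    return flags

# Constructed sample in MBAM's log format (registry data items and files).
MBAM_SAMPLE = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\bimewefi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\bimewefi.dll -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hagiyobi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\iboyigah.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nisejeti.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\itejesin.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\siveraja.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
'''
MBAM_RE = re.compile(r'^(?P<item>.+?) \((?P<det>[^)]+)\)(?: -> Data: (?P<data>.+?))? -> (?P<action>.+)$')
# Registry values Windows itself uses to load a DLL: into every process that
# loads user32 (AppInit_DLLs), into LSASS, into explorer at logon, into IE.
LOAD_POINTS = ("appinit_dlls", "notification packages", "shellserviceobjectdelayload",
               "sharedtaskscheduler", "browser helper objects")

def mbam_items(text):
    """One dict (item, det, data, action) per MBAM detection line."""
    return [m.groupdict() for m in (MBAM_RE.match(ln.strip()) for ln in text.splitlines()) if m]

def load_point_hits(text):
    """(value name, DLL it pointed at) for every load point MBAM touched."""
    hits = []
    for it in mbam_items(text):
        item = it["item"]
        if item.upper().startswith("HKEY") and any(lp in item.lower() for lp in LOAD_POINTS):
            hits.append((item.rsplit("\\", 1)[-1], it["data"]))
    return hits

def ini_dll_pairs(text):
    """Map each detected .ini whose stem is a detected DLL's stem reversed to
    that DLL (the pattern in the log above: iboyigah.ini <-> hagiyobi.dll)."""
    stems = {"dll": set(), "ini": set()}
    for it in mbam_items(text):
        stem, dot, ext = it["item"].rsplit("\\", 1)[-1].lower().rpartition(".")
        if dot and ext in stems:
            stems[ext].add(stem)
    return {s + ".ini": s[::-1] + ".dll" for s in sorted(stems["ini"]) if s[::-1] in stems["dll"]}

if __name__ == "__main__":
    for size, names in hidden_system32_dlls(SDFIX_HIDDEN).items():
        print(f"hidden system32 DLLs, {size} bytes: {', '.join(names)}")
    for path, state, reason in firewall_flags(FIREWALL_SAMPLE):
        print(f"firewall {state}: {path} ({reason})")
    for value, dll in load_point_hits(MBAM_SAMPLE):
        print(f"load point {value} -> {dll}")
    for ini, dll in ini_dll_pairs(MBAM_SAMPLE).items():
        print(f"{ini} is the reversed name of {dll}")
```

On a real machine the same checks would be run against fresh SDFix/MBAM output rather than the embedded samples; the reversed-name pairing is the piece worth keeping, since a scanner that quarantines the DLL but not its .ini (or the reverse) leaves exactly the kind of orphan that keeps showing up in later scans.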

#5 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:06:09 AM

Posted 18 January 2009 - 10:47 AM

http://www.bleepingcomputer.com/forums/ind...t&p=1083498

Did you disable teatimer as specified in rigel's post?

If it was enabled please disable and rerun a new scan with an updated MBAM
Chewy

No. Try not. Do... or do not. There is no try.

#6 blotsome

  • Topic Starter
  • Members
  • 18 posts
  • Local time:05:09 AM

Posted 18 January 2009 - 10:57 AM

TeaTimer was never active. I just verified that the checkbox is unchecked.

[edit]I'm running a full MBAM scan now, may take a couple hours.

Edited by blotsome, 18 January 2009 - 11:34 AM.


#7 blotsome

  • Topic Starter
  • Members
  • 18 posts
  • Local time:05:09 AM

Posted 18 January 2009 - 12:56 PM

Malwarebytes' Anti-Malware 1.33
Database version: 1665
Windows 5.1.2600 Service Pack 3

1/18/2009 12:56:14 PM
mbam-log-2009-01-18 (12-56-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 94065
Time elapsed: 47 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 rigel

    FD-BC

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:06:09 AM

Posted 18 January 2009 - 01:20 PM

Hi blotsome,

If you are still having problems, that means that the scans are deleting bad files, but are not able to touch the files regenerating the bad "stuff". I would recommend moving to the HJT forums.

Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." – Will Smith


#9 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,807 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:06:09 AM

Posted 18 January 2009 - 09:58 PM

Hello blotsome,

Now that you have a log posted here: http://www.bleepingcomputer.com/forums/t/196308/vundo-virus-infection-multiple-scanners-cannot-fully-remove/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

The BC Staff
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



