Vundo/hijacker/virus etc.



#1 duder55

Posted 21 January 2009 - 11:23 AM

Hello,

I've got a Dell Latitude D630 running Windows XP Professional 2002. Lately I have had all kinds of internet browser (Firefox) issues. Hijacked URLs, Internet Explorer popping open 100s of windows, etc. Pretty ugly. I've cleaned up a few problems in the past but this is beyond my usual methods.

One of the URLs I kept being redirected to was adgardner.com. A google search on that led me to this forum. I read the "before you post" thread, downloaded the dds.scr tool, but was unable to get that to work. When I open it I get two blank DOS looking windows with a cursor in the upper left....then nothing.

I have HJT, anytime I "fix checked" on the list, they go away but always reappear on the next scan. Malwarebytes Anti-Mal shows 48 hits when I run a scan, mostly Vundo related.

Any guidance would be appreciated.

Thanks!


#2 rigel (FD-BC)

Posted 21 January 2009 - 11:35 AM

Hi and welcome to BleepingComputer :thumbsup:

Let's start with a Malwarebytes log.

The process of cleaning your computer may require temporarily disabling some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Whether or not you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 duder55 (Topic Starter)

Posted 21 January 2009 - 02:44 PM

OK, ran the malwarebytes, rebooted and here is the log. (When I restarted I got 5-6 messages pertaining to an invalid .dll trying to run):

---------------------------
Malwarebytes' Anti-Malware 1.30
Database version: 1408
Windows 5.1.2600 Service Pack 3

1/21/2009 1:20:48 PM
mbam-log-2009-01-21 (13-20-48).txt

Scan type: Quick Scan
Objects scanned: 63973
Time elapsed: 2 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 8
Registry Values Infected: 4
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\tayufazu.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ravebavi.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\nelufuyu.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f58112d7-731d-4aab-b0e3-974016d9c996} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f58112d7-731d-4aab-b0e3-974016d9c996} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fcwpssn (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fcwpssn (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm1f2fdc45 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ganekidizi (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\tayufazu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\tayufazu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\ravebavi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: system32\ravebavi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\nelufuyu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\nelufuyu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\fatodogi.dll (Trojan.BHO.H) -> Delete on reboot.
C:\WINDOWS\system32\tayufazu.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\ravebavi.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\nelufuyu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\drivers\dmargcd.sys (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zotokohu.dll (Trojan.Agent) -> Delete on reboot.

#4 rigel (FD-BC)

Posted 21 January 2009 - 02:50 PM

Next step:

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.


#5 duder55 (Topic Starter)

Posted 22 January 2009 - 03:04 PM

OK, that was bizarre, but I got the report to generate. I downloaded SDFix (as admin), rebooted in Safe mode (as admin) and when I tried to run SDFix, I kept getting the following messages - as in 100s of them:

-dnif.exe-
Application or Dll c:\windows\system32\azorww.dll is not a valid windows image. Please check against your installation diskette.

Also got them for fofajivo.dll.


It got so bad that every application on my machine would do this. SDFix just ran and ran, never finished. So, because I had work to try to do I logged back in and opened SDFix in regular mode, and ran the Norman malware software. That deleted several files and got things running MUCH better. Then I was able to get the SDFix to run.

report:


Checking Files :

No Trojan Files Found




Folder C:\Program Files\Helper - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 13:20:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:winlogon"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:rundll32"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:rundll32"
"C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:winlogon"
"C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"="C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE:*:Enabled:EXCEL"
"C:\\Program Files\\VERITAS\\Backup Exec\\NT\\DLO\\DLOChangeLogSvcu.exe"="C:\\Program Files\\VERITAS\\Backup Exec\\NT\\DLO\\DLOChangeLogSvcu.exe:*:Enabled:DLOChangeLogSvcu"
"C:\\WINDOWS\\system32\\lsass.exe"="C:\\WINDOWS\\system32\\lsass.exe:*:Disabled:lsass"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:Explorer"
"C:\\WINDOWS\\system32\\dllhost.exe"="C:\\WINDOWS\\system32\\dllhost.exe:*:Enabled:dllhost"
"C:\\WINDOWS\\system32\\userinit.exe"="C:\\WINDOWS\\system32\\userinit.exe:*:Enabled:userinit"
"C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"="C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE:*:Enabled:WINWORD"

Remaining Files :



Files with Hidden Attributes :

Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\is-RPR37.tmp"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Thu 22 Jan 2009 63,804 A.SH. --- "C:\WINDOWS\system32\bebufizu.dll"
Wed 21 Jan 2009 100,606 A.SH. --- "C:\WINDOWS\system32\bopoyufi.dll"
Thu 22 Jan 2009 134,382 A.SH. --- "C:\WINDOWS\system32\feyqag.dll"
Sun 28 Dec 2008 2,098 ..SH. --- "C:\WINDOWS\system32\gutimoze.exe"
Wed 21 Jan 2009 134,370 A.SH. --- "C:\WINDOWS\system32\hadfss.dll"
Mon 29 Sep 2008 61,126 A.SH. --- "C:\WINDOWS\system32\halojoge.dll.tmp"
--- 63,488 A.SH. --- "C:\WINDOWS\system32\hebitupi.dll"
Mon 19 Jan 2009 133,254 A.SH. --- "C:\WINDOWS\system32\hplzmm.dll"
Wed 21 Jan 2009 2,098 ..SH. --- "C:\WINDOWS\system32\juyarono.dll"
Tue 20 Jan 2009 134,313 A.SH. --- "C:\WINDOWS\system32\kudavori.dll"
Tue 30 Sep 2008 60,704 A.SH. --- "C:\WINDOWS\system32\lilomoku.dll.tmp"
Mon 12 Jan 2009 522 ..SH. --- "C:\WINDOWS\system32\lozawaku.exe"
Mon 29 Sep 2008 61,126 A.SH. --- "C:\WINDOWS\system32\mevozeha.dll.tmp"
Wed 21 Jan 2009 134,403 A.SH. --- "C:\WINDOWS\system32\nhkvpp.dll"
Mon 19 Jan 2009 133,254 A.SH. --- "C:\WINDOWS\system32\pisuvedi.dll"
Thu 22 Jan 2009 87,242 A.SH. --- "C:\WINDOWS\system32\pubufuhu.dll"
Tue 20 Jan 2009 134,313 A.SH. --- "C:\WINDOWS\system32\rldfvx.dll"
--- 63,804 A.SH. --- "C:\WINDOWS\system32\siduwoha.dll"
Thu 22 Jan 2009 134,382 A.SH. --- "C:\WINDOWS\system32\tobuvuzi.dll"
Mon 19 Jan 2009 87,241 A.SH. --- "C:\WINDOWS\system32\todolaze.dll"
Mon 29 Sep 2008 74,752 A.SH. --- "C:\WINDOWS\system32\tohuzeno.dll"
--- 63,755 A.SH. --- "C:\WINDOWS\system32\vafedewe.dll.tmp"
Tue 16 Sep 2008 74,752 A.SH. --- "C:\WINDOWS\system32\viyutoni.dll"
--- 63,804 A.SH. --- "C:\WINDOWS\system32\warurenu.dll"
Mon 29 Sep 2008 61,126 A.SH. --- "C:\WINDOWS\system32\yatodimi.dll.tmp"
Tue 20 Jan 2009 133,404 A.SH. --- "C:\WINDOWS\system32\ybcsqy.dll"
Thu 22 Jan 2009 101,554 A.SH. --- "C:\WINDOWS\system32\yudovehe.dll"
Wed 21 Jan 2009 134,403 A.SH. --- "C:\WINDOWS\system32\yurezasa.dll"
Tue 20 Jan 2009 133,404 A.SH. --- "C:\WINDOWS\system32\yusawafa.dll"
Tue 16 Sep 2008 62,629 A.SH. --- "C:\WINDOWS\system32\zegidedu.dll.tmp"
Wed 21 Jan 2009 134,370 A.SH. --- "C:\WINDOWS\system32\zukuzibi.dll"
--- 63,804 A.SH. --- "C:\WINDOWS\system32\zusanaha.dll"
Thu 8 Nov 2007 35,328 ...H. --- "C:\Documents and Settings\mrichards\Application Data\Microsoft\Word\~WRL0004.tmp"
Tue 8 Jul 2008 142,336 ...H. --- "C:\Documents and Settings\mrichards\Application Data\Microsoft\Word\~WRL1104.tmp"
Tue 17 Jun 2008 142,336 ...H. --- "C:\Documents and Settings\mrichards\Application Data\Microsoft\Word\~WRL2303.tmp"
Wed 16 Jul 2008 100,352 ...H. --- "C:\Documents and Settings\mrichards\Desktop\EHP\ES350\~WRL1367.tmp"
Wed 16 Jul 2008 100,352 ...H. --- "C:\Documents and Settings\mrichards\Desktop\EHP\ES350\~WRL1577.tmp"
Thu 6 Sep 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Thu 6 Sep 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Thu 6 Sep 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Thu 6 Sep 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Thu 6 Sep 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
Thu 6 Sep 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch6\lock.tmp"

Finished!
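Two things in the report above deserve a closer look before anything else: the run of files in system32 carrying the S (system) and H (hidden) attributes with random-looking eight-letter names (several of which the later Malwarebytes log in this thread flags as Vundo), and the firewall exception export, where winlogon.exe, lsass.exe, userinit.exe, rundll32.exe, dllhost.exe and explorer.exe have been added to the AuthorizedApplications list. Legitimate software has no reason to whitelist core Windows binaries there. The following script is an added example by the editor, not code from the post or from SDFix: it parses the report format and applies those two checks. The embedded sample is an excerpt of the report above; the name-length heuristic and the list of core binaries are the editor's assumptions, not anything SDFix itself reports.

```python
"""Triage checks over the SDFix report format shown in the post above.

Added example by the editor; not code from the original post or from SDFix.
SAMPLE_REPORT is excerpted from the report above and trimmed. The two
heuristics below (random-looking S+H files in system32; core Windows binaries
in the firewall exception list) are the editor's, not SDFix's.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: lines excerpted from the SDFix report in this thread.
SAMPLE_REPORT = r'''
Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:winlogon"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:rundll32"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\lsass.exe"="C:\\WINDOWS\\system32\\lsass.exe:*:Disabled:lsass"
"C:\\WINDOWS\\system32\\userinit.exe"="C:\\WINDOWS\\system32\\userinit.exe:*:Enabled:userinit"

Files with Hidden Attributes :

Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Thu 22 Jan 2009 63,804 A.SH. --- "C:\WINDOWS\system32\bebufizu.dll"
Sun 28 Dec 2008 2,098 ..SH. --- "C:\WINDOWS\system32\gutimoze.exe"
--- 63,488 A.SH. --- "C:\WINDOWS\system32\hebitupi.dll"
Thu 8 Nov 2007 35,328 ...H. --- "C:\Documents and Settings\mrichards\Application Data\Microsoft\Word\~WRL0004.tmp"

Finished!
'''

PROFILE_KEY = re.compile(r'firewallpolicy\\(\w+)\\authorizedapplications', re.I)
FW_LINE = re.compile(r'^"(?P<path>[^"]+)"="[^"]*:\*:(?P<state>enabled|disabled):(?P<name>[^"]*)"$', re.I)
HIDDEN_LINE = re.compile(
    r'^(?:(?P<date>\w{3} \d{1,2} \w{3} \d{4})|---)\s+(?P<size>[\d,]+)\s+'
    r'(?P<attrs>[A.]\.[S.][H.][R.])\s+---\s+"(?P<path>[^"]+)"$')

# Editor's assumption: binaries that never need an inbound firewall exception.
CORE_BINARIES = {'winlogon.exe', 'lsass.exe', 'userinit.exe', 'rundll32.exe',
                 'dllhost.exe', 'explorer.exe', 'svchost.exe', 'csrss.exe',
                 'services.exe', 'smss.exe'}
# Editor's assumption: the 6-8 lowercase-letter naming pattern seen in the listing.
RANDOM_NAME = re.compile(r'^[a-z]{6,8}\.(dll|exe)(\.tmp)?$')


def parse_sdfix(text):
    """Pull the firewall exception export and the hidden-file listing out of a report."""
    firewall, hidden, profile = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PROFILE_KEY.search(line):        # [HKLM\...\firewallpolicy\<profile>\...]
            profile = m.group(1).lower()
        elif m := FW_LINE.match(line):
            firewall.append({'profile': profile,
                             'path': m.group('path').replace('\\\\', '\\'),
                             'state': m.group('state').capitalize(),
                             'name': m.group('name')})
        elif m := HIDDEN_LINE.match(line):
            hidden.append({'date': m.group('date'),   # None where SDFix printed '---'
                           'size': int(m.group('size').replace(',', '')),
                           'attrs': m.group('attrs'),
                           'path': m.group('path')})
    return {'firewall': firewall, 'hidden': hidden}


def suspicious_hidden(entries):
    """system32 files flagged S+H whose name matches the random-looking pattern."""
    out = []
    for e in entries:
        p = PureWindowsPath(e['path'])
        in_system32 = [s.lower() for s in p.parts[1:-1]] == ['windows', 'system32']
        if in_system32 and {'S', 'H'} <= set(e['attrs']) and RANDOM_NAME.match(p.name.lower()):
            out.append(e['path'])
    return out


def suspicious_firewall(entries):
    """Core Windows binaries listed as firewall exceptions, whatever their state."""
    hits = []
    for e in entries:
        name = PureWindowsPath(e['path']).name.lower()
        if name in CORE_BINARIES:
            hits.append((e['profile'], name, e['state']))
    return hits


def triage(text):
    parsed = parse_sdfix(text)
    return {'hidden': suspicious_hidden(parsed['hidden']),
            'firewall': suspicious_firewall(parsed['firewall'])}


if __name__ == '__main__':
    for kind, hits in triage(SAMPLE_REPORT).items():
        print(kind, *hits, sep='\n  ')
```

Paste the full report into SAMPLE_REPORT to run it over the whole listing. The lsass.exe entry is reported even though its state is Disabled: the question is who added it, not whether it is currently allowed. Spybot's S+H files under Program Files and the Word ~WRL*.tmp files are left alone because neither sits in system32 with that naming pattern.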

#6 rigel (FD-BC)

Posted 22 January 2009 - 08:38 PM

Nice work. :thumbsup:

Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs,Click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.

Then update and rerun Malwarebytes... post its log. Thanks


#7 duder55 (Topic Starter)

Posted 23 January 2009 - 12:27 PM

F-Secure log:

Result: 18 malware found
Trojan-Downloader.Win32.Agent (virus)

* System

Trojan-Downloader.Win32.Agent.bcst (virus)

* C:\WINDOWS\SYSTEM32\PCLOAD.EXE

Trojan-Downloader.Win32.Agent.bdlh (virus)

* C:\WINDOWS\SYSTEM32\CHERT5-998.EXE

Trojan-Downloader.Win32.Agent.bdqo (virus)

* C:\WINDOWS\SYSTEM32\SENEKADTIWJENX.DLL

Trojan.Win32.Monder (virus)

* System

Trojan.Win32.Monder.apin (virus)

* C:\WINDOWS\TEMP\TMP1A9.EXE
* C:\WINDOWS\TEMP\TMPB.EXE
* C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\9LC01K8Q\PLDR8[1].HTM (Renamed)

Trojan.Win32.Small (virus)

* System

Trojan.Win32.Small.brl (virus)

* C:\WINDOWS\SYSTEM32\SENEKAHCLBPBDO.DLL

Trojan:W32/Vundo (virus)

* System

Trojan:W32/Vundo.GK (virus)

* C:\WINDOWS\TEMP\TMP24.EXE
* C:\WINDOWS\TEMP\TMP5.EXE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\IJB3MWF7\PLDR8[1].HTM (Renamed)
* C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\8P88VM8J\PLDR8[1].HTM (Renamed)

Vundo.FBW (virus)

* C:\WINDOWS\SYSTEM32\OFOJAYIF.INI
* C:\WINDOWS\SYSTEM32\OKOWOPAH.INI
* C:\WINDOWS\SYSTEM32\UHUFUBUP.INI

Statistics
Scanned:

* Files: 34947
* System: 5293
* Not scanned: 13

Actions:

* Disinfected: 0
* Renamed: 3
* Deleted: 0
* None: 15
* Submitted: 0

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\DOCUMENTS AND SETTINGS\MRICHARDS\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\OUTLOOK\2008ARCHIVES.PST
* C:\DOCUMENTS AND SETTINGS\MRICHARDS\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\OUTLOOK\2008ARCHIVES.PST
* C:\DOCUMENTS AND SETTINGS\MRICHARDS\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\OUTLOOK\ARCHIVE(2).PST
* C:\DOCUMENTS AND SETTINGS\MRICHARDS\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\OUTLOOK\ARCHIVE(2).PST
* C:\DOCUMENTS AND SETTINGS\MRICHARDS\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\OUTLOOK\OUTLOOK.PST
* C:\DOCUMENTS AND SETTINGS\MRICHARDS\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\OUTLOOK\OUTLOOK.PST

Options
Scanning engines:

* F-Secure USS: 3.0.0
* F-Secure Hydra: 2.8.8110, 2009-01-23
* F-Secure AVP: 7.0.171, 2009-01-23
* F-Secure Pegasus: 1.20.0, 1969-11-31
* F-Secure Blacklight: 0.0.0

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics



Then the new malwarebytes log:

Malwarebytes' Anti-Malware 1.30
Database version: 1408
Windows 5.1.2600 Service Pack 3

1/23/2009 11:23:42 AM
mbam-log-2009-01-23 (11-23-34).txt

Scan type: Quick Scan
Objects scanned: 65746
Time elapsed: 8 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 8
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\fiyajofo.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\hevolofo.dll (Trojan.BHO) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f58112d7-731d-4aab-b0e3-974016d9c996} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f58112d7-731d-4aab-b0e3-974016d9c996} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1c1cefd9 (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm1f2fdc45 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ganekidizi (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\hevolofo.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\hevolofo.dll -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\fiyajofo.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ofojayif.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\hapowoko.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\okowopah.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\pubufuhu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\uhufubup.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\warurenu.dll (Trojan.BHO.H) -> No action taken.
c:\WINDOWS\system32\hevolofo.dll (Trojan.BHO) -> No action taken.
C:\WINDOWS\system32\zusanaha.dll (Trojan.Agent) -> No action taken.
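Comparing the two Malwarebytes logs in this thread (post #3 and the one above) shows what makes Vundo tedious to clean: every DLL name under system32 is different between the 21 January and 23 January runs, while the BHO CLSID, the SharedTaskScheduler and ShellServiceObjectDelayLoad values, the Run values and the AppInit_DLLs hook (which loads a DLL into every process that loads user32.dll) are the same in both. "No action taken" in the second log means the items were detected but had not been removed when the log was saved. The script below is an added example by the editor, not code from the post or from Malwarebytes: it parses the log format, checks that the summary counts match the detail lines (a quick test for a truncated paste), lists unresolved entries, and separates the stable registry artifacts from the regenerated file names. The two embedded logs are trimmed excerpts of the logs above, with summary counts adjusted to the excerpt.

```python
"""Compare two Malwarebytes logs: stable registry hooks vs. regenerated DLL names.

Added example by the editor, not code from the post or from Malwarebytes.
LOG_JAN21 and LOG_JAN23 are trimmed excerpts of the two logs in this thread,
with the summary counts adjusted to the excerpt.
"""
import re

SECTION = re.compile(r'^(?P<name>[A-Za-z ]+ Infected):\s*(?P<n>\d+)?$')
ITEM = re.compile(r'^(?P<target>.+?) \((?P<det>[^()]+)\) -> '
                  r'(?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$')
REGISTRY = ('Registry Keys Infected', 'Registry Values Infected',
            'Registry Data Items Infected')

LOG_JAN21 = r'''
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 2
Files Infected: 2
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f58112d7-731d-4aab-b0e3-974016d9c996} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm1f2fdc45 (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\tayufazu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\tayufazu.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\drivers\dmargcd.sys (Trojan.Downloader) -> Quarantined and deleted successfully.
'''

LOG_JAN23 = r'''
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 1
Files Infected: 2
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f58112d7-731d-4aab-b0e3-974016d9c996} (Trojan.BHO.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm1f2fdc45 (Trojan.Agent) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\hevolofo.dll -> No action taken.
Files Infected:
C:\WINDOWS\system32\fiyajofo.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\hevolofo.dll (Trojan.BHO) -> No action taken.
'''


def parse_mbam(text):
    """Return {'counts': {section: n}, 'items': {section: [entry, ...]}}."""
    counts, items, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION.match(line):
            if m.group('n') is not None:          # summary block: "Files Infected: 6"
                counts[m.group('name')] = int(m.group('n'))
            else:                                 # detail block: "Files Infected:"
                current = m.group('name')
                items[current] = []
        elif current and (m := ITEM.match(line)):
            items[current].append({'target': m.group('target'), 'detection': m.group('det'),
                                   'data': m.group('data'), 'action': m.group('action')})
    return {'counts': counts, 'items': items}


def count_mismatches(parsed):
    """Sections whose summary count disagrees with the detail lines (a truncated paste)."""
    return {s: (n, len(parsed['items'].get(s, []))) for s, n in parsed['counts'].items()
            if n != len(parsed['items'].get(s, []))}


def unresolved(parsed):
    """Entries MBAM detected but had not removed when the log was saved."""
    return [e for sec in parsed['items'].values() for e in sec
            if e['action'].lower().startswith('no action')]


def _targets(parsed, sections):
    # Lowercased because MBAM mixes C:\ and c:\ in the same log.
    return {(s, e['target'].lower()) for s in sections for e in parsed['items'].get(s, [])}


def stable_registry(run_a, run_b):
    """Registry hooks present in both runs: the artifacts worth hunting by."""
    return sorted(_targets(run_a, REGISTRY) & _targets(run_b, REGISTRY))


def common_files(run_a, run_b):
    """File paths present in both runs (empty when every DLL name was regenerated)."""
    return sorted(_targets(run_a, ('Files Infected',)) & _targets(run_b, ('Files Infected',)))


if __name__ == '__main__':
    a, b = parse_mbam(LOG_JAN21), parse_mbam(LOG_JAN23)
    print('count mismatches:', count_mismatches(a), count_mismatches(b))
    print('unresolved in second run:', len(unresolved(b)))
    print('stable registry artifacts:', *stable_registry(a, b), sep='\n  ')
    print('files common to both runs:', common_files(a, b))
```

With the full logs pasted in, the stable set is what to check after each reboot: if the same CLSID, Run value or AppInit_DLLs entry comes back with a fresh file name, the dropper that recreates them has not been removed, whatever the file counts say.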



