Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Red circle with X...can't start in safe mode...odb.exe plus others


  • Please log in to reply
10 replies to this topic

#1 taperk600

taperk600

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:39 AM

Posted 24 January 2009 - 02:52 PM

Well, I've been fighting with the virtumonde issue for about a month, but yesterday I got "taken over". Now on my laptop as I don't dare connect with desktop. Have the red circle with X that keeps popping up random virus alerts. Locked out of my task manager, can't restart in safe mode. Been using PC Tools spyware dr with antivirus....and (other than the issue correcting virtumonde) seemed to be keeping the computer safe. Any and all ideas where to head are appreciated !!!

BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:39 AM

Posted 24 January 2009 - 07:35 PM

Hello.

Seems you have some rouge and fake alert (also known as Zlob sometimes) infection. Let's see if Malwarebytes Anti-Malware can take care most of it. if not we will use another tool afterwards.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with the log once it's done.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 taperk600

taperk600
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:39 AM

Posted 24 January 2009 - 08:58 PM

Thanks a lot !!! So far things seem better. Here's the log. Let me know if you recommend anything else that needs to be done.
Also, is PC Tools a decent program to be using or do you recommend something else ?

Thanks again !
Tom

Malwarebytes' Anti-Malware 1.33
Database version: 1691
Windows 5.1.2600 Service Pack 3

1/24/2009 8:41:16 PM
mbam-log-2009-01-24 (20-41-16).txt

Scan type: Quick Scan
Objects scanned: 65751
Time elapsed: 12 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 7
Registry Keys Infected: 22
Registry Values Infected: 16
Registry Data Items Infected: 15
Folders Infected: 0
Files Infected: 166

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\juhiruma.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\loganoye.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\kirenalo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bosesufe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yazeriza.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lztscz.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\wndutl32.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a30e0aed-1921-495c-b32e-1814c0901e5e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a30e0aed-1921-495c-b32e-1814c0901e5e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0d4458c-65ed-42f6-a73c-9a8a88775f18} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f0d4458c-65ed-42f6-a73c-9a8a88775f18} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a30e0aed-1921-495c-b32e-1814c0901e5e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{020487cc-fc04-4b1e-863f-d9801796230b} (Trojan.FakeAlert) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{34e6f97c-34e0-4ce5-b92b-f83634bedc01} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\091986d4 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\letubagede (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm0a2ab548 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{020487cc-fc04-4b1e-863f-d9801796230b} (Trojan.FakeAlert) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateWin (Backdoor.Bot) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateWin (Backdoor.Bot) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\UpdateWin (Worm.Sdbot) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE\UpdateWin (Worm.Sdbot) -> Delete on reboot.
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\kirenalo.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\kirenalo.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\bosesufe.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\bosesufe.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\bosesufe.dll -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lztscz.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bajiyise.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\esiyijab.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dasakebe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ebekasad.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dovinabu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ubanivod.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fagunake.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ekanugaf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fatenuva.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\avunetaf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hatasefa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\afesatah.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hididofu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ufodidih.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\huzitala.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\alatizuh.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\juhiruma.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\amurihuj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\leheliyo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oyilehel.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lelimafu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ufamilel.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lewiyidi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\idiyiwel.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\manuhavi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ivahunam.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mawuwaha.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahawuwam.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nisinupo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opunisin.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nomajuzu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uzujamon.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nuwudoku.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ukoduwun.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nuzeroto.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\otorezun.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\paselilu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ulilesap.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pinafadi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\idafanip.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rafaweti.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\itewafar.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rapepute.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\etupepar.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rigagine.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\enigagir.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ronudozi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\izodunor.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\temekatu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\utakemet.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\toyoyavi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ivayoyot.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\varayihe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ehiyarav.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wakosoli.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ilosokaw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wayebomi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\imobeyaw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wobosoba.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\abosobow.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yimazitu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\utizamiy.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yohefani.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inafehoy.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yopalimi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\imilapoy.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zasulege.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\egelusaz.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zefumiwu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uwimufez.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zorivila.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aliviroz.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\loganoye.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\kirenalo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bosesufe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yazeriza.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\CouponPrinter.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\wndutl32.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\bakedosu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bezayedo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\biniyogi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bubedena.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bufezeza.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bufezika.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cpnprt2.cid (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cqolqi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\deyagehu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dijoromo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dowewelu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dugigidu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dutimode.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\duvabova.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fehamito.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fetokuze.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fokitape.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\forukabe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fuwofapi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gosotazo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gowajiwe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\habanuvo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hazafupe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hedosiko.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hevolofo.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hijirike.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hovolile.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iqdzis.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jelosonu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jigefuwi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jinorije.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lifuteza.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lomokafu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\losevito.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\luveseja.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\magusivo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mepepivu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\momejigo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mosoraza.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nevorefa.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nizefipu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnmjkIa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nozahiti.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nozigita.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nubazazi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pewafahu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\psrqat.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pubegadi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reboyuti.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\remowoka.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rigiwoti.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sikafemu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sowesuno.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\subalavi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tahidazu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tahuhabu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tijebevi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tutepega.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vagivoho.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vefukufe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wegahuwe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wejuwava.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wizunipo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gagekije.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yapowuwi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yetugayu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yezoyihu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lasobemo.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lavufanu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yuvoniko.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zanowapu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zasulege.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zayitala.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zigehuze.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zorirako.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zufomd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nadejafi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nagefipi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\naluwota.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUmLbxy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahawuwamn.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\vozobiya.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tohuzeno.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\savohofu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dozepiwa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\holiwaga.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zetoyago.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:39 AM

Posted 24 January 2009 - 09:15 PM

Hello.

Ouch! That's alot of stuff.

Also, is PC Tools a decent program to be using or do you recommend something else ?

It's all a matter of personal prefrences. To tell you the truth, I never used it so i don't really know how it works so I don't have a strong opinion on either side. A good place to ask that question would be over here.

MBAM quarantined and removed alot but I don't think everything was removed or quarantined. What Operating system are you using?

Download and run MalwareBytes Anti-Malware(Full Scan)

Please download Malwarebytes Anti-Malware and save it to your desktop if you lost your copy and need to install it, otherwise skip the installation step and continue with the Full Scan.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with:
-Malwarebytes Anti-Malware log
-Answer to my question


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 taperk600

taperk600
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:39 AM

Posted 24 January 2009 - 09:40 PM

on this computer that is infected I have windows XP.
I will run full scan and post results when completed.

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:39 AM

Posted 24 January 2009 - 09:55 PM

Okay. Good, thanks for letting me know :thumbsup:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 taperk600

taperk600
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:39 AM

Posted 24 January 2009 - 10:31 PM

ok...ran full scan and picked up 2 more:

Malwarebytes' Anti-Malware 1.33
Database version: 1691
Windows 5.1.2600 Service Pack 3

1/24/2009 10:30:27 PM
mbam-log-2009-01-24 (22-30-27).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 193571
Time elapsed: 47 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelNE.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\basukavu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:39 AM

Posted 25 January 2009 - 10:15 PM

Hello.

Before I leave I'll ask you a few questions. It seems MBAM did it's job :thumbsup:

How's your computer running so far? Do you still have the Red X and does Safe Mode and task manager work now? Tell me any symptoms of problems or issues you still have.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 taperk600

taperk600
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:39 AM

Posted 26 January 2009 - 10:21 PM

so far, so good...thanks a million !!
I did check on safe made.... starts real slow, but did come online. So I did another scan and that came up clean.
Task MNGR is working and no more pop-ups, fake alerts or Red X.
So........seems to be out of "ICU"......for now !!!
Should I do any house cleaning with the quarantined items or anything I should delete now that we are operating properly ?
Tom

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:39 AM

Posted 27 January 2009 - 03:26 PM

Hello.

Glad everything is good now. Yes we will do some house cleanup work after we run an online scan. Just to make sure if there's anything else that needs to be done. After that you can delete everything that was quarantined by MBAM.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Post back with the Kaspersky log once it is complete.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 Kroltz

Kroltz

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:39 AM

Posted 02 February 2010 - 09:55 PM

Hey guys, this is my first post. I came across this site when I was struggling with Vundo.

To get rid of these I use a combination of three free virus scanners. and a little elbow grease, I didn't have register any of them but I think I will now.

1. Prevx 3.0 (Needs registration for removal) http://www.prevx.com/
2. Spyware doctor (Needs registration for removal) http://www.pctools.com/spyware-doctor/
3. AVG Internet security (free 30 day trial) http://free.avg.com/us-en/homepage

My system started running very slow. I think I got this Trojan from a bad copy of Ad aware.

I noticed through scanning I had a file named IPSEMEM.dll attaching itself to my running applications and background services.
I was able to use notepad and open this file and delete all of its contents and I re-saved it under the same name.
(The file was located in c:\Documents and settings\administrator\local settings\temp\IPsemem.dll)
I couldn't see this file in the dir but the scanner said it was there so I tried to just open it manually with note pad and it worked.

Prior to me deleting this file I was unable to start in safe mode then after I modified it I could get in. I used safe mode with command prompt.
I also searched for this file in the registry and found it pairing itself with another DLL called Nozigita.dll.
The scanners also pick that one up.

Make sure to delete all references to IPSEMEM.Dll in the registry also because it attaches itself to the win logon and runs at the password screen.

Now start safe mode and run Prevx, do this by using the CMD change your dir to c:\programfiles\prevx\ and then run the prevx.exe
The scanner will popup, do a scan and record all of the Trojan names along with the path name where they are located.

I loaded all of these files into EDIT and manually deleted their contents. I did this by going to the DIR the Trojans were located in and typing (For Example) EDIT NOZIGITA.DLL.

Some of them are write protected and wont let you delete them but we just want to wreak as much havoc on this little SOB as we can.
remember to not change the file name or the Trojan will probably just make another copy. Just kill its contents.

Here are some of the names you should look for in your system32 dir and in your registery.


Nozigita <---Seems to be the main
Zunifata <---Possible other main
Gipekuya
Nozigita
Romopifo
Nukatojo
Jakolara
Fafivolo
Puviveke
Wihafajo
Kisiwosi
Puviveke
Tiwawohi
Wihafajo
Hapowoko
Vidimofu
_iu14d2n.tmp


There were also some temporary files in my c:\documents and settings\Administrator\local settings\temp with the name of somthing like 0.06738347824.tmp delete those too they show'd up on the scan after I was poking around in the folder.

I did a search of my registry and deleted all strings that had those names in them. Also, don't forget to delete IPSEMEM from the reg also.

All and all this took me four days of trial and error to come up with this information. Anywho it worked and now im back to normal. This thing is tricky and its gonna through you for a few loops. After you get most of the Trojans files corrupted you will be able to delete them manually using the Notepad trick on the ones that usually attach them selves to the running processes.

I just hope this information can be of some use to some of you out there.

Edited by Kroltz, 02 February 2010 - 10:09 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users