Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I think I'm infected with a virus! Help!


  • Please log in to reply
10 replies to this topic

#1 magenta.opal

magenta.opal

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 08 March 2009 - 12:58 AM

I am sorry, but I have no idea how i should describe it.

This constantly keeps on popping up.
Spybot- Search&Destroy has detected an important registry entry that has been changed.
Category: System Startup global entry
Change: Value changed
Entry: CPM33cafc5b
Old data: Rundll32.exe "c:\windows\systems32\fenoyoyu.dll",a
New data: Rundll32.exe "c:\windows\systems32\kofidutu.dll",a
Allow change Deny Change

As well, regardless of which option I choose, it continues to pop up again and again. And when I run Webroot Spysweeper it detects nothing!!

BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:10 AM

Posted 08 March 2009 - 12:05 PM

Hello.

Seems like a continuous vundo changing file. Meaning the filename changes everytime at reboot or when you try to remove it.

Run MBAM and GMER please.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • After the reboot, run Gmer again and click on the Rootkit tab.[list]
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop buttons turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important!:Please do not select the Show all checkbox during the scan..

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 magenta.opal

magenta.opal
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 08 March 2009 - 12:57 PM

Thanks so much for responding!!
So after I ran Malwarebyte this is what I got:

Malwarebytes' Anti-Malware 1.34
Database version: 1827
Windows 5.1.2600

3/8/2009 11:50:36 AM
mbam-log-2009-03-08 (11-50-36).txt

Scan type: Quick Scan
Objects scanned: 66786
Time elapsed: 5 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 7
Registry Keys Infected: 10
Registry Values Infected: 5
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\puzominu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cjvmww.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\dajidomu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\sebowowa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\zawaname.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hejafuvo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\binuvete.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{330e77cd-e203-455c-a615-bf0839377c4f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{330e77cd-e203-455c-a615-bf0839377c4f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{26105148-70ea-4503-8198-fab20b6a6620} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{26105148-70ea-4503-8198-fab20b6a6620} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\30f9cfc7 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\varonamula (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm33cafc5b (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\sebowowa.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\sebowowa.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\zawaname.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\zawaname.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\zawaname.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cjvmww.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bajobifa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\afibojab.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\puzominu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\unimozup.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reboyuti.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ituyober.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hejafuvo.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\sebowowa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\dajidomu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\zawaname.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\binuvete.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lunegogu.dll_old (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamie\Local Settings\Temporary Internet Files\Content.IE5\K5A3CHM3\d[1].htm (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\howibovu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dewukobe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yawikofe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vikuzeja.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\juyadewi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

#4 magenta.opal

magenta.opal
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 08 March 2009 - 01:24 PM

For some reason when I open gmer, and after I click on the >>>, I can not find where the settings are??

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:10 AM

Posted 08 March 2009 - 02:33 PM

Hello.

A lot of vundos were removed by MBAM. Some were scheduled to be moved on reboot. To confirm that please update MBAM again and run a Full Scan this time. Post the results once you are done.

For some reason when I open gmer, and after I click on the >>>, I can not find where the settings are??

What OS are you using? Don't worry about GMER right now, just run MBAM again.

With Regards,
Extremeboy

Edited by extremeboy, 08 March 2009 - 02:37 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#6 magenta.opal

magenta.opal
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 08 March 2009 - 05:51 PM

Here are the results. Thanks again for helping me!!

Malwarebytes' Anti-Malware 1.34
Database version: 1827
Windows 5.1.2600

3/8/2009 4:52:04 PM
mbam-log-2009-03-08 (16-52-04).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 165046
Time elapsed: 1 hour(s), 25 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{5EB1BB8D-BD78-440A-9393-C074E4BE3608}\RP381\A0047187.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:10 AM

Posted 08 March 2009 - 06:07 PM

Hello.

That looks a lot better, how's your computer running?

Please run SAS scan for me please. See if it detects anything..

Download and Run ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are recieving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Download and Run SUPERAntiSpyware
We will run a scan with SuperAntiSpyware.
  • Download SUPERAntiSpyware to your desktop.
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation. Delete the installer after use.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates".
    If you encounter any problems while downloading the updates, manually download and unzip them from here.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under Scan for Harmful Software, click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive (or whatever drive your system is installed on).
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
  • Make sure everything has a checkmark next to it and click Next.
  • A notification will appear saying that "Quarantine and Removal is Complete". Click OK and then click the Finish button to return to the main menu.
  • If asked if you want to reboot, click Yes.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 magenta.opal

magenta.opal
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 08 March 2009 - 08:20 PM

The computer is also running faster.So I ran the ATFCleaner. And then I did the SAS, that was a long scan, and it came up with a whole bunch of more stuff. Here are the results:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/08/2009 at 07:11 PM

Application Version : 4.25.1014

Core Rules Database Version : 3788
Trace Rules Database Version: 1745

Scan type : Complete Scan
Total Scan Time : 01:50:49

Memory items scanned : 464
Memory threats detected : 2
Registry items scanned : 5693
Registry threats detected : 0
File items scanned : 96289
File threats detected : 36

Adware.Vundo/Variant-ACE
C:\WINDOWS\SYSTEM32\OYPIPR.DLL
C:\WINDOWS\SYSTEM32\OYPIPR.DLL
C:\WINDOWS\SYSTEM32\ZQOWWP.DLL
C:\WINDOWS\SYSTEM32\ZQOWWP.DLL
C:\WINDOWS\SYSTEM32\ATGNGV.DLL
C:\WINDOWS\SYSTEM32\CWMGQA.DLL
C:\WINDOWS\SYSTEM32\FRVRHV.DLL
C:\WINDOWS\SYSTEM32\GEFXKH.DLL
C:\WINDOWS\SYSTEM32\GJCDGH.DLL
C:\WINDOWS\SYSTEM32\KUNBVR.DLL
C:\WINDOWS\SYSTEM32\NBSWWM.DLL
C:\WINDOWS\SYSTEM32\UGAVJA.DLL

Trojan.NewDotNet
C:\DOCUMENTS AND SETTINGS\JAMIE\DOCTORWEB\QUARANTINE\NDNUNINSTALL6_72.EXE

Adware.Vundo/Variant-StatsReader
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5EB1BB8D-BD78-440A-9393-C074E4BE3608}\RP380\A0047175.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5EB1BB8D-BD78-440A-9393-C074E4BE3608}\RP382\A0047394.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5EB1BB8D-BD78-440A-9393-C074E4BE3608}\RP382\A0047395.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5EB1BB8D-BD78-440A-9393-C074E4BE3608}\RP382\A0047429.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5EB1BB8D-BD78-440A-9393-C074E4BE3608}\RP382\A0047430.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5EB1BB8D-BD78-440A-9393-C074E4BE3608}\RP382\A0047458.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5EB1BB8D-BD78-440A-9393-C074E4BE3608}\RP382\A0047479.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5EB1BB8D-BD78-440A-9393-C074E4BE3608}\RP382\A0047480.DLL

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5EB1BB8D-BD78-440A-9393-C074E4BE3608}\RP382\A0047495.DLL
C:\WINDOWS\SYSTEM32\VISUJOWO.DLL

Adware.Vundo Variant/ACE
C:\WINDOWS\SYSTEM32\DADIWEWA.DLL
C:\WINDOWS\SYSTEM32\FENOYOYU.DLL
C:\WINDOWS\SYSTEM32\FILOLOYE.DLL
C:\WINDOWS\SYSTEM32\GEZAZOMI.DLL
C:\WINDOWS\SYSTEM32\JAPIDAHU.DLL
C:\WINDOWS\SYSTEM32\KABIZAHE.DLL
C:\WINDOWS\SYSTEM32\KADIDIKA.DLL
C:\WINDOWS\SYSTEM32\KOFIDUTU.DLL
C:\WINDOWS\SYSTEM32\KOLUBAGU.DLL
C:\WINDOWS\SYSTEM32\RIMUWUKA.DLL
C:\WINDOWS\SYSTEM32\SEREHERA.DLL
C:\WINDOWS\SYSTEM32\VELUPEZE.DLL
C:\WINDOWS\SYSTEM32\YIVOZIZI.DLL
C:\WINDOWS\SYSTEM32\ZIJOKOMO.DLL
C:\WINDOWS\SYSTEM32\ZOBIRAWA.DLL

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:10 AM

Posted 09 March 2009 - 02:57 PM

Hello.

Looks good. They were all mainly vundo files except a few that were restore points and other junk..

Let's run an online scan. Glad your computer is faster now :thumbsup:

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 magenta.opal

magenta.opal
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 10 March 2009 - 12:54 AM

Hi,

So while I was disabling all the anti-virus/firewall/anti-malware on my computer as per that other linked forum, I saw that in SpyBot S&D under "Tools" > "System Startup" there were some files which appeared to be vundo files.

In example:
"Rundll32.exe "C:\WINDOWS\System32\hejafuvo.dll",s" as the command line, and "varonamula" as the value.

Anyways I thought that was important to note. So I disabled, Spybot S&D TeaTimer and also the Spysweeper shields and automatic load options and ran the Kaspersky Online Scanner.

Here is the log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, March 9, 2009
Operating System: Microsoft Windows XP Professional (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, March 09, 2009 20:56:02
Records in database: 1883538
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 94447
Threat name: 4
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 03:12:04


File name / Threat name / Threats count
C:\Documents and Settings\Jamie\.housecall6.6\Quarantine\mssys.com.bac_a02200 Infected: Trojan-Dropper.DOS.Rute 1
C:\Documents and Settings\Jamie\.housecall6.6\Quarantine\SHAgentNew.dll.bac_a02200 Infected: not-a-virus:AdWare.Win32.Sahat.a 1
C:\Documents and Settings\Jamie\DoctorWeb\Quarantine\ppqFA.tmp Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Documents and Settings\Jamie\My Documents\Applications\HJT\backups\backup-20090303-004202-154.dll Infected: Trojan.Win32.Agent2.erm 1
C:\Documents and Settings\Jamie\My Documents\Applications\HJT\backups\backup-20090303-004531-504.dll Infected: Trojan.Win32.Agent2.erm 1
C:\Documents and Settings\Jamie\My Documents\Applications\HJT\backups\backup-20090303-004644-784.dll Infected: Trojan.Win32.Agent2.erm 1
C:\Documents and Settings\Jamie\My Documents\Applications\HJT\backups\backup-20090303-004823-360.dll Infected: Trojan.Win32.Agent2.erm 1

The selected area was scanned.

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:10 AM

Posted 10 March 2009 - 12:08 PM

Hello.

That looks okay.

Please go to the following folders and delete EVERYTHING in that folder please.

C:\Documents and Settings\Jamie\.housecall6.6\Quarantine <- Delete Everything in this folder
C:\Documents and Settings\Jamie\DoctorWeb\Quarantine <- Delete Everything in this folder
C:\Documents and Settings\Jamie\My Documents\Applications\HJT\backups <- You can delete those backups in those folders. The main ones are these:

C:\Documents and Settings\Jamie\My Documents\Applications\HJT\backups\backup-20090303-004202-154.dll
C:\Documents and Settings\Jamie\My Documents\Applications\HJT\backups\backup-20090303-004531-504.dll
C:\Documents and Settings\Jamie\My Documents\Applications\HJT\backups\backup-20090303-004644-784.dll
C:\Documents and Settings\Jamie\My Documents\Applications\HJT\backups\backup-20090303-004823-360.dll


Now purge a system restore point.

Create a New System Restore Point<- Very Important

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Vist the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as you malware removal source.
Don't forget to tell your friends about us and Good luck :thumbsup:

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users