Trojan/Vundo virus(es?)/ Missing registry keys due to Spybot Search and destroy deleting/changing them.


This topic is locked. 29 replies to this topic.

#1 Marianna_
  • Members
  • 23 posts
  • Gender:Female
  • Location:OK,USA

Posted 03 May 2009 - 05:05 PM

Hello.

My computer has been running slow lately so I decided to run a few programs that I thought might help me.
*I have windows XP home edition.

-AVG Free Edition 8.5
-CCleaner
-Spyware Blaster
-Eusing Free Registry Cleaner
-AusLogics Disk Defragmentor


I run Eusing and after it is done it always says something like this:

" Some registry keys or values will been created automatically even if they are removed by the software. So, you can not get 0 problems in the next scan"

I also downloaded Spybot Search and Destroy last night and as soon as I was done with the installation a pop up appeared at my task bar saying my computer was infected with trojans and other viruses.
It also changed my computer's wallpaper to a black background with "WARNING" flashing in a gray box in the middle of my screen. The gray box also said I have viruses and that my computer was in danger.

It also changed the look of my task bar from the skin I had to the standard gray task bar.

I tried to change my background back to my wallpaper under Properties > Desktop and everything was grayed out. (I was able to change it back but only by right clicking the wallpaper)

I tried to use system restore to restore it to an earlier point I created but it would not work. To see if it worked at all I tried to create a restore point but that was not working either.

I also ran AVG last night and it said I had Trojans, tracking cookies, and something called Trojan.vundo?
So, after the scan was done it said I had 26 threats and that all were healed and moved to the virus vault.

But, since downloading Spybot and running it, it has deleted some registry keys and/or values, so now whenever I start up my computer there are usually 10-13 run command prompts open and they keep popping up along with an error message saying Windows had an important key or value missing, something like this: "cmd.exe \c del"
Spybot also pops up a lot saying registry key deleted or value changed. Accept changes or deny changes? I usually hit deny since it said registry/key values changed/deleted.
One of the pop ups says this since it's currently displayed on my computer:

Spybot-Search and Destroy has detected an important registry entry that has been changed.
Category: System start up user entry
Change:Value deleted
Entry:prnet
Old date: "C:\WINDOWS\system32\prnet.tmp"

AND/OR

This will also happen at log on/startup: Spybot will run a scan over my computer but it will stop everything else from loading up (desktop icons, etc.) and it will be my normal background but Spybot is the only thing running/working.
I try to push ctrl+alt+del but it says the administrator has disabled the task manager. Ok, well I am the administrator and it is the only account on this computer so I know it had to have been the virus screwing around with it.


I figured it had done some editing and damage (I'm hoping it's all repairable) to other things as well and it did. My automatic updates keep turning themselves off. I turn it back on and about five minutes later it is off again.

Frustrated, I looked around the web while searching the virus(es) name and the other problems I was having.
I came across windows defender.
I went to the Microsoft page and downloaded it, but it said it had an error while trying to find updates for it. I had to install the updates myself but I'm not sure if I did it correctly or not.

On the quick scan it said I had "Adware." I also downloaded Lavasoft AdAware because I read somewhere it might help? I'm not sure if these two things are connected with each other or not.
It also said I had more Trojan viruses but it only showed one. I noticed in AVG virus scan it said Trojan.downloader and Trojan.geneitc.13 (I'm not exactly sure what it said word for word but it was very similar to those)

I finished the quick scan and removed the viruses/adware.
After that I decided it would be better to do a full system scan. About three hours later it shows up with the adware crap again but also a virus called Trojan.Vundo. I removed it all but I'm not sure if the virus is really gone or hidden deep in my registry.

I searched the Vundo virus and that's what led me here.

I was reading the forums and it took me to a page about what to do before actually doing anything to my computer. (preparation guide for use before hijack this and Malware removing tools)

I could not complete step one. I downloaded Cobian Backup 8. Everything was going well, but at the end it gave me this so I was not able to create a backup.

" 5/3/2009 3:07:09 PM Creating or updating the archive "G:\C 2009-05-03 15;07;09.zip"
ERR 5/3/2009 3:11:45 PM Error while creating or updating the archive "G:\C 2009-05-03 15;07;09.zip": Cannot create file "G:\C 2009-05-03 15;07;09.zip". The system cannot find the path specified
5/3/2009 3:11:45 PM **** Backup for "Backup 1 5.3.09" ended. 0 file(s) were backed up. (Elapsed time: 0 hour(s), 4 minute(s), 35 second(s)) ****
ERR 5/3/2009 3:11:45 PM The backup contains 1 error(s)"

I did everything the way the step by step tutorial told me to but I do not know how to fix this error either.

The only thing that has been fixed so far was that I am able to create a restore point now, which I did just in case I need it.

I also have Hijack this on my computer and have a log but I'm not sure if I should post it now so I will just wait until someone tells me to post it.

I forgot to add one thing- sometimes internet explorer will pop up. Not as an actual browser window but as an annoying pop up but it's blank, just a white screen. I do not use IE but I do use Mozilla FireFox.

Thanks in advance. :thumbsup:


#2 quietman7
  • Bleepin' Janitor
  • Global Moderator
  • 51,612 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 04 May 2009 - 07:02 AM

mvps.org is no longer recommending Spybot S&D or Ad-Aware due to poor testing results. See here - (scroll down and read under Freeware Antispyware Products).

Further, most people don't understand Spybot's TeaTimer or how to use it and that feature can cause more problems than it's worth. TeaTimer monitors changes to certain critical keys in Windows registry but does not indicate if the change is normal or a modification made by a malware infection. The user must have an understanding of the registry and how TeaTimer works in order to make informed decisions to allow or deny the detected changes. Additionally, TeaTimer may conflict with other security tools which do a much better job of protecting your computer and even prevent disinfection of malware by those tools.

More effective alternatives are Malwarebytes Anti-Malware and SUPERAntiSpyware Free.

Please download Malwarebytes Anti-Malware (v1.36) and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Marianna_ (Topic Starter)

Posted 05 May 2009 - 04:26 AM

Alright I did the steps you told me to. But on Spybot's TeaTimer I could not find it? When I was running MBAM nothing from Spybot popped up. But I noticed that the pop ups I have from Spybot it is like they are on command to pop up every time. I took a few screen shots to help out; I'm not sure if I should post them yet or not.

But here is the MBAM log:

Malwarebytes' Anti-Malware 1.36
Database version: 2077
Windows 5.1.2600 Service Pack 2

5/5/2009 4:03:05 AM
mbam-log-2009-05-05 (04-03-05).txt

Scan type: Quick Scan
Objects scanned: 92003
Time elapsed: 5 minute(s), 38 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 5
Registry Keys Infected: 22
Registry Values Infected: 14
Registry Data Items Infected: 11
Folders Infected: 7
Files Infected: 24

Memory Processes Infected:
C:\Documents and Settings\Marianna Mileji\Application Data\pidle\pidle.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\piwuporo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\susopaya.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\fubatuzo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\genakoso.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\SYSTEM32\kinahoke.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0dca8549-9181-445b-b81e-d2ddf6ded695} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0dca8549-9181-445b-b81e-d2ddf6ded695} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0dca8549-9181-445b-b81e-d2ddf6ded695} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\HT (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\IrisMon (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3049604f (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\riboruwogu (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm337a53d3 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pidle (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb671 (Trojan.TDSS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd8575 (Trojan.TDSS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb5256 (Trojan.TDSS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd7873 (Trojan.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\fubatuzo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\fubatuzo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\kinahoke.dll -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Marianna Mileji\Application Data\Starware (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Marianna Mileji\Application Data\Starware\Manager (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\Installer (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\Installer\bin (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\Wallpaper (Adware.Comet) -> Quarantined and deleted successfully.
C:\Documents and Settings\Marianna Mileji\Application Data\pidle (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\piwuporo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\oropuwip.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vufurajo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ojarufuv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\genakoso.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\SYSTEM32\kinahoke.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\susopaya.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\fubatuzo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Marianna Mileji\Application Data\pidle\pidle.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ovfsthdjsxfpgenqnpofteravhtrtadqjgqfqp.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\ovfsthygitfdsdvkailmoxbrpwathieiivsvar.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\toyutabo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Marianna Mileji\Application Data\Starware\Manager\ManagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Marianna Mileji\Application Data\Starware\Manager\ManagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\Wallpaper\Invader Zim.jpg (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\Wallpaper\swpstart.exe (Adware.Comet) -> Quarantined and deleted successfully.
C:\SETUP.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\p2hhr.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Unist1.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Uninst2.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\nulifuka.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Marianna Mileji\Desktop\Click to Find and Fix Errors.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ak1.exe (Virus.Virut) -> Quarantined and deleted successfully.

Also a pop up came at the end saying it could not delete a couple of files? I took a screen shot of that as well. Again I'm not sure whether to post it but all the screen shots I have are still saved on my computer.
*I just looked at the screen shot with the MBAM pop up and it said it will delete on reboot. So everything was deleted. :thumbsup:
I was able to reboot successfully.

Edited by Marianna_, 05 May 2009 - 04:37 AM.


#4 quietman7

Posted 05 May 2009 - 07:02 AM

How to Enable/Disable TeaTimer
How to Uninstall Spybot S&D

Rescan again with Malwarebytes Anti-Malware (Quick Scan) in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

IMPORTANT NOTE: One or more of the identified infections was related to a nasty variant of the TDSSSERV rootkit. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

#5 Marianna_ (Topic Starter)

Posted 05 May 2009 - 09:17 AM

I ran MBAM again and this is what I got:

Malwarebytes' Anti-Malware 1.36
Database version: 2077
Windows 5.1.2600 Service Pack 2

5/5/2009 8:11:10 AM
mbam-log-2009-05-05 (08-11-10).txt

Scan type: Quick Scan
Objects scanned: 91662
Time elapsed: 4 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I also clicked on the TDSSSERV rootkit link which took me to Prevx 3.0 and ran a scan on my computer. It said I have 42 infected files on my computer.

On a different computer I changed all my important passwords. I am planning on changing my router's password as well.

#6 quietman7

Posted 05 May 2009 - 09:59 AM

Please download and scan with Dr.Web CureIt - alternate download link.
Follow these instructions for performing a scan in "safe mode".
Be aware, this scan could take a long time to complete.
-- Post the log in your next reply.

When done reboot normally and launch Dr.WebCureIt again.
  • After the Express Scan finishes, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and under the "Scanning" tab, this time put a check in the box next to "Heuristic analysis", then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo to repeat the scan as you did previously.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the new log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


#7 Marianna_ (Topic Starter)

Posted 05 May 2009 - 04:27 PM

Ok barely 1/4 of the way through the scan my computer decides to reboot. I thought maybe it was something to do with hibernation? But it just decided to reboot itself and go into normal mode. The only thing that popped up was PrevX 3.0 telling me about the infections but it was the same pop up it had before.
The only thing that changed was my taskbar/skin. I use WindowBlinds to skin my taskbar and other displays. I changed it back to the skin I was using earlier this morning. But since the reboot it changed back to the normal Windows gray theme.

I know I should do this again but in safe mode? Because I did it the way you told me to or in normal? I noticed 3 infected files so far before my computer decided to reboot.

#8 quietman7

Posted 06 May 2009 - 08:01 AM

The first set of instructions was for scanning in safe mode. The second was for a rescan in normal mode. If you cannot complete a scan in normal mode, then just do it in safe mode.

#9 Marianna_ (Topic Starter)

Posted 06 May 2009 - 08:41 PM

Alright well I was able to scan again in safe mode and complete the scan.

dlhelper.dll;c:\windows\downloaded program files;Adware.Webcom;;
ovfsthwoibffmexcdxbdtibcrvmepqjtfhwnsu.sys;c:\windows\system32\drivers;BackDoor.Tdss.115;Deleted.;
dlhelper.dll;C:\WINDOWS\Downloaded Program Files;Adware.Webcom;;
fagometo.dll;C:\WINDOWS\SYSTEM32;Trojan.Virtumod.1668;Deleted.;
luyemitu.dll;C:\WINDOWS\SYSTEM32;Trojan.Virtumod.1668;Deleted.;
ovfsthpirjhpoycqouoiyqaxfdcnrcxierqspp.dll;C:\WINDOWS\SYSTEM32;BackDoor.Tdss.115;;
ovfsthpirjhpoycqouoiyqaxfdcnrcxierqspp.dll_old;C:\WINDOWS\SYSTEM32;BackDoor.Tdss.115;;
ovfsthwoibffmexcdxbdtibcrvmepqjtfhwnsu.sys;C:\WINDOWS\SYSTEM32\DRIVERS;BackDoor.Tdss.115;Deleted.;
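Both logs posted in this thread (the MBAM text report in post #3 and the Dr.Web CureIt CSV in post #9) have a simple line format. The following is an added example, not code from the thread or from either vendor: it parses a few entries copied from those logs and separates items still pending a reboot or rescan from those already removed, which is the check behind quietman7's reminder to reboot; the sample strings, the Detection record and the function names are this example's own constructions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed samples: a few entries copied from the two logs posted in this
# thread (MBAM text report, Dr.Web CureIt CSV), not the full logs.
MBAM_SAMPLE = r"""Malwarebytes' Anti-Malware 1.36
Database version: 2077
Registry Keys Infected: 2

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0dca8549-9181-445b-b81e-d2ddf6ded695} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\kinahoke.dll -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\kinahoke.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\ak1.exe (Virus.Virut) -> Quarantined and deleted successfully.
"""

DRWEB_SAMPLE = r"""dlhelper.dll;c:\windows\downloaded program files;Adware.Webcom;;
ovfsthwoibffmexcdxbdtibcrvmepqjtfhwnsu.sys;c:\windows\system32\drivers;BackDoor.Tdss.115;Deleted.;
fagometo.dll;C:\WINDOWS\SYSTEM32;Trojan.Virtumod.1668;Deleted.;
"""

# "<Section> Infected:" opens a section; the summary block repeats the same
# words followed by a count, so anchoring on the bare colon keeps them apart.
SECTION = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# "<item> (<threat>) -> [detail -> ...] <action>."
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<threat>[A-Za-z0-9.]+)\) -> (?P<rest>.+)$")


@dataclass
class Detection:
    scanner: str
    section: str
    item: str
    threat: str
    action: str
    detail: str = ""

    @property
    def needs_followup(self) -> bool:
        # MBAM defers locked files/keys to the next boot; Dr.Web leaves the
        # action column empty when it did nothing with the file.
        return self.action in ("Delete on reboot", "")


def parse_mbam(text: str) -> List[Detection]:
    """Parse the per-item lines of an MBAM log into Detection records."""
    found: List[Detection] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            section = header.group("name")
            continue
        hit = DETECTION.match(line)
        if not (section and hit):
            continue  # banner, summary counts, blanks, "(No malicious items detected)"
        parts = [p.strip() for p in hit.group("rest").split(" -> ")]
        found.append(Detection("MBAM", section, hit.group("item"), hit.group("threat"),
                               parts[-1].rstrip("."), "; ".join(parts[:-1])))
    return found


def parse_drweb(text: str) -> List[Detection]:
    """Parse Dr.Web CureIt CSV rows of the form name;folder;threat;action;"""
    found: List[Detection] = []
    for raw in text.splitlines():
        fields = raw.split(";")
        if len(fields) < 4 or not fields[0]:
            continue
        name, folder, threat, action = fields[:4]
        found.append(Detection("Dr.Web", "Files", folder.rstrip("\\") + "\\" + name,
                               threat, action.rstrip(".")))
    return found


def family(threat: str) -> str:
    """Collapse vendor suffixes: Trojan.Vundo.H and Trojan.Vundo are one family."""
    return ".".join(threat.split(".")[:2])


def family_counts(detections: List[Detection]) -> Dict[str, int]:
    return dict(Counter(family(d.threat) for d in detections))


def pending_items(detections: List[Detection]) -> List[str]:
    """Items the scanner has not removed yet: reboot (MBAM) or rescan (Dr.Web)."""
    return [d.item for d in detections if d.needs_followup]


def policy_tampering(detections: List[Detection]) -> List[str]:
    """Policy values MBAM reset ("Bad: (1) Good: (0)"): the lockdown behind a
    disabled Task Manager or a wallpaper that cannot be changed."""
    return [d.item.rsplit("\\", 1)[-1] for d in detections if d.detail.startswith("Bad: (")]
```

Run over the full logs, `pending_items` is empty only after the reboot MBAM asks for, which matches the clean rescan Marianna posted afterwards.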

#10 quietman7

Posted 06 May 2009 - 09:36 PM

How is your computer running now? Are there any more reports/signs of infection?

#11 Marianna_ (Topic Starter)

Posted 07 May 2009 - 05:56 PM

It is running good. No more pop ups about the command run prompt popping up whenever I first log on. Spybot doesn't pop up either. I have access to my task manager and desktop properties back.
I should delete spybot though right?

But prevx 3.0 still keeps showing I am still infected. It used to be 43 infections and now it is down to 3 infections.

kusitozo.dll in c:\windows\system32\ High Risk Fraudulent Security Program

surferplugin.ocx in c:\windows\downloaded program files\ Medium Risk Malware

partypoker1.exe in c:\windows\ Medium Risk Malware

I'm guessing some file/program on my computer really isn't for my computer's protection but actually a virus?

And after the Dr.Web CureIt program runs, a Microsoft Windows pop-up appears saying:

The system has recovered from a serious error.
A log of this error has been created.
Please tell Microsoft about this problem.

To see what data this error report contains, click here.

I just usually click Send Error Report.

I clicked to see what the report says and it says something about an "Error signature." Then BCCode:
BCP4:

After both BCCode and BCP4 there is a long code of some kind.

Then it says this:

Reporting details
This error report includes: information regarding the condition of Microsoft Windows when the problem occurred, the operating system version and computer hardware in use, and the internet Protocol (IP) address of your computer.

We do not intentionally collect your name, address, email address or any other form of personally identifiable information. However, the error report may contain customer-specific information in the collected data files. While this information could potentially be used to determine your identity, if present, it will not be used.

The data that we will collect will only be used to fix the program. If more information is available, we will tell you when you report the problem. This error report will be sent using a secure connection to a database with limited access and will not be used for marketing purposes.

#12 quietman7

Posted 07 May 2009 - 08:50 PM

Please download OTMoveIt3 by OldTimer and save to your Desktop.
  • Double-click on OTMoveIt3.exe to launch the program. (If using Windows Vista, be sure to Run As Administrator)
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the code box and press CTRL+C or right-click and choose Copy.
:Processes
explorer.exe
partypoker1.exe

:Services

:Reg

:Files
C:\Windows\downloaded program files\surferplugin.ocx
C:\Windows\partypoker1.exe
C:\Windows\system32\kusitozo.dll

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Return to OTMoveIt3, right-click in the open text box labeled "Paste Instructions for Items to be Moved" (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. After the reboot, open Notepad, click File > Open, in the File Name box type *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file and copy/paste the contents in your next reply. If not asked, reboot anyway.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt is a powerful program, designed to move highly persistent files and folders.



#13 Marianna_ (Topic Starter)

Posted 09 May 2009 - 05:38 PM

This was before I rebooted.

========== PROCESSES ==========
Process explorer.exe killed successfully.
Unable to kill process: partypoker1.exe
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Windows\downloaded program files\surferplugin.ocx unregistered successfully.
C:\Windows\downloaded program files\surferplugin.ocx moved successfully.
C:\Windows\partypoker1.exe moved successfully.
DllUnregisterServer procedure not found in C:\Windows\system32\kusitozo.dll
C:\Windows\system32\kusitozo.dll NOT unregistered.
File move failed. C:\Windows\system32\kusitozo.dll scheduled to be moved on reboot.
========== COMMANDS ==========
C:\WINDOWS\Оracle moved successfully.
C:\Program Files\ѕystem32 moved successfully.
C:\Documents and Settings\Marianna Mileji\Application Data\ΑppPatch moved successfully.
File delete failed. C:\DOCUME~1\MARIAN~1\LOCALS~1\Temp\etilqs_jP1Bt00y2sQqvawZgGRi scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Marianna Mileji\Local Settings\Temporary Internet Files\Content.IE5\Y3W7ZSHO\rom-world[1]. scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Marianna Mileji\Local Settings\Temporary Internet Files\Content.IE5\P8KNTHWL\about2find[1]. scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Marianna Mileji\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\TMP0000009FBC277D7CCCF493B6 scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Marianna Mileji\Local Settings\Application Data\Mozilla\Firefox\Profiles\rlw0803l.default\Google Gears for Firefox\localserver.db scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Marianna Mileji\Local Settings\Application Data\Mozilla\Firefox\Profiles\rlw0803l.default\Google Gears for Firefox\permissions.db scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Marianna Mileji\Local Settings\Application Data\Mozilla\Firefox\Profiles\rlw0803l.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Marianna Mileji\Local Settings\Application Data\Mozilla\Firefox\Profiles\rlw0803l.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Marianna Mileji\Local Settings\Application Data\Mozilla\Firefox\Profiles\rlw0803l.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Marianna Mileji\Local Settings\Application Data\Mozilla\Firefox\Profiles\rlw0803l.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Marianna Mileji\Local Settings\Application Data\Mozilla\Firefox\Profiles\rlw0803l.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05092009_172523




On Windows Defender this popped up after I ran OTMoveIt3:


Trojan:Win32/Vundo.gen!G


Category:
Trojan

Description:
This program displays advertisements and may be difficult to remove.

Advice:
Remove this software immediately.

Resources:
file:
C:\WINDOWS\system32\kusitozo.dll


I have popups now but only two so far. But they both were about virus protection programs.


I also think it did something to Java? Because now this whole page is displayed odd.

EDIT:

Ok, well, I just rebooted and OTMoveIt3 showed me a Notepad window with the saved log. It repeats the log above and then adds this:

Files moved on Reboot...
DllUnregisterServer procedure not found in C:\Windows\system32\kusitozo.dll
C:\Windows\system32\kusitozo.dll NOT unregistered.
C:\Windows\system32\kusitozo.dll moved successfully.
File C:\DOCUME~1\MARIAN~1\LOCALS~1\Temp\etilqs_jP1Bt00y2sQqvawZgGRi not found!
File C:\Documents and Settings\Marianna Mileji\Local Settings\Temporary Internet Files\Content.IE5\Y3W7ZSHO\rom-world[1]. not found!
File C:\Documents and Settings\Marianna Mileji\Local Settings\Temporary Internet Files\Content.IE5\P8KNTHWL\about2find[1]. not found!
File C:\WINDOWS\temp\TMP0000009FBC277D7CCCF493B6 not found!
C:\Documents and Settings\Marianna Mileji\Local Settings\Application Data\Mozilla\Firefox\Profiles\rlw0803l.default\Google Gears for Firefox\localserver.db moved successfully.
C:\Documents and Settings\Marianna Mileji\Local Settings\Application Data\Mozilla\Firefox\Profiles\rlw0803l.default\Google Gears for Firefox\permissions.db moved successfully.
C:\Documents and Settings\Marianna Mileji\Local Settings\Application Data\Mozilla\Firefox\Profiles\rlw0803l.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Marianna Mileji\Local Settings\Application Data\Mozilla\Firefox\Profiles\rlw0803l.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Marianna Mileji\Local Settings\Application Data\Mozilla\Firefox\Profiles\rlw0803l.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Marianna Mileji\Local Settings\Application Data\Mozilla\Firefox\Profiles\rlw0803l.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Marianna Mileji\Local Settings\Application Data\Mozilla\Firefox\Profiles\rlw0803l.default\urlclassifier3.sqlite moved successfully.

When the computer first started up, this error message showed up:

RUNDLL

Error loading c:\windows\system32\kusitozo.dll

The specified module could not be found.


A microsoft window also pops up saying they need more information about it. I just click send the information.

I don't see the pop ups anymore.

The page displays normally now.


But since the reboot, I ran Prevx and it says I have a clean system, but Windows Defender says I still have the Vundo trojan virus that I posted above.
It says it's software but I'm not sure which one?
I chose to remove it via Windows Defender since it is the only thing that pops up with it, but I'm not sure if it removed it completely.

Also I have no idea what is causing this, but I use WindowBlinds to skin my task bar and such, and every time I reboot it goes back to the normal Windows gray theme.

Edited by Marianna_, 09 May 2009 - 07:10 PM.


#14 quietman7

Posted 10 May 2009 - 04:38 PM

Whenever the computer first started up this error message showed up


It's not unusual to receive such an error when "booting up" after using anti-virus and other security scanning tools to remove a malware infection.

RunDLL32.exe is a legitimate Windows file that executes/loads .dll (Dynamic Link Library) modules, which themselves can be legitimate or sometimes malware related. A RunDLL "Error loading..." or "specified module could not be found" message usually occurs when the .dll file(s) that were set to run at startup in the registry have been deleted. Windows is trying to load this file(s) but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry still remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this. Vista users refer to this link.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file (kusitozo.dll) in the error message.
  • Right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.

But since the reboot, I ran prevx and it says I have a clean system but windows defender says I still have the vundo trojan virus that I posted above.

Did Defender provide a specific file name associated with this malware threat(s) and if so, where is it located (full file path) at on your system?
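Two findings in this thread lend themselves to a script, so here is an added example that is not part of the original thread or of any tool named in it: the orphaned startup entries quietman7 describes (a Run, SharedTaskScheduler, ShellServiceObjectDelayLoad or AppInit_DLLs value still pointing at a DLL the scanners removed, which is what produces the RunDLL error at logon), and the folders in the OTMoveIt log above whose names read as Oracle, system32 and AppPatch but are spelled with Cyrillic or Greek letters. Only the four kusitozo.dll registry locations come from the thread; the launch strings, the AVG value, the sample folder list and the set of files treated as present are constructed for the example.

```python
import os
import re
import unicodedata

# Constructed sample of autostart entries in the shape Autoruns presents them:
# (registry location, value name, launch string). The four kusitozo.dll
# locations are the ones the thread lists; the launch strings and the AVG
# entry are assumptions made for this example, not taken from the page.
SAMPLE_ENTRIES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "CPM337a53d3",
     r'rundll32.exe "C:\WINDOWS\system32\kusitozo.dll",a'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "AVG8_TRAY",
     r'"C:\Program Files\AVG\AVG8\avgtray.exe"'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler",
     "STS", r"C:\WINDOWS\system32\kusitozo.dll"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
     "SSODL", r"C:\WINDOWS\system32\kusitozo.dll"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", "AppInit_DLLs",
     r"C:\WINDOWS\system32\kusitozo.dll C:\WINDOWS\system32\legit.dll"),
]

# Constructed stand-in for the disk after the cleanup: kusitozo.dll is gone.
PRESENT_FILES = {p.lower() for p in (
    r"C:\Program Files\AVG\AVG8\avgtray.exe",
    r"C:\WINDOWS\system32\legit.dll",
)}


def sample_exists(path):
    """Case-insensitive lookup against the constructed file set (NTFS is case-insensitive)."""
    return path.lower() in PRESENT_FILES


def referenced_files(launch_string, appinit=False):
    """Return the file(s) a launch string actually loads.

    Handles three shapes: an AppInit_DLLs list (space/comma separated, no
    arguments), a rundll32 command where the DLL after rundll32 is the real
    payload, and an ordinary quoted or unquoted executable with arguments.
    """
    if appinit:
        return [p for p in re.split(r"[ ,]+", launch_string.strip()) if p]
    # Windows-style tokenising: double-quoted runs stay together.
    tokens = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', launch_string)]
    if not tokens:
        return []
    head = tokens[0]
    if head.lower().rsplit("\\", 1)[-1] in ("rundll32", "rundll32.exe"):
        if len(tokens) < 2:
            return []
        # rundll32 <dll>,<export> [args]: strip the export name.
        return [tokens[1].split(",", 1)[0]]
    return [head]


def find_orphans(entries, exists=os.path.exists):
    """Entries whose referenced file no longer exists: the cause of the
    RunDLL 'specified module could not be found' message at logon."""
    orphans = []
    for location, name, launch in entries:
        for path in referenced_files(launch, appinit=name.lower() == "appinit_dlls"):
            if not exists(path):
                orphans.append((location, name, path))
    return orphans


def mixed_script_letters(name):
    """Non-ASCII letters in a name that also contains ASCII letters.

    NTFS does not normalise Unicode, so 'Оracle' with a Cyrillic О is a
    different folder from 'Oracle' and looks identical in Explorer. A name
    mixing ASCII and non-ASCII letters is the usual sign of that trick;
    a name written entirely in one non-Latin script is not flagged.
    """
    if not any(c.isascii() and c.isalpha() for c in name):
        return []
    return [(c, f"U+{ord(c):04X}", unicodedata.name(c, "?"))
            for c in name
            if not c.isascii() and unicodedata.category(c).startswith("L")]


def suspicious_dirs(paths):
    """Paths whose final component mixes scripts, with the offending letters."""
    found = []
    for p in paths:
        hits = mixed_script_letters(p.rstrip("\\").rsplit("\\", 1)[-1])
        if hits:
            found.append((p, hits))
    return found


if __name__ == "__main__":
    for loc, name, path in find_orphans(SAMPLE_ENTRIES, sample_exists):
        print(f"orphan: {loc}\\{name} -> {path}")
    # Folder names copied from the OTMoveIt log above (non-ASCII letters intact).
    for p, hits in suspicious_dirs([r"C:\WINDOWS\Оracle", r"C:\Program Files\ѕystem32",
                                    r"C:\WINDOWS\system32"]):
        print(f"lookalike: {p} {hits}")
```

The rundll32 branch matters because the Run value in this thread loads the DLL through rundll32.exe, so checking whether the command's first token exists would report the entry as healthy while the real payload is missing; the AppInit_DLLs branch matters because that value is a list of DLLs, not a command line. On a live machine, feed real entries exported from Autoruns and leave `exists` at its default of `os.path.exists`.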

#15 Marianna_ (Topic Starter)

Posted 10 May 2009 - 07:56 PM

Alright I downloaded the Autoruns program.

At first I searched under the "Everything" tab and that's where I found four kusitozo.dll files.


But under the "Logon" tab there is only one.

Under the logon tab it has:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

CPM337a53d3 file not found c:\windows\system32\kusitozo.dll

This was the kusitozo.dll under the "logon" tab.


The other three also say file not found.


This is under the "Everything" tab.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
STS File not found c:\windows\system32\kusitozo.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
SSODL File not found c:\windows\system32\kusitozo.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
c:\windows\system32\kusitozo.dll File not found c:\windows\system32\kusitozo.dll


I deleted all four entries. So I restarted my computer and the same error came up.

I ran AutoRuns again and it found the same four kusitozo.dll files.
It's recreating the kusitozo.dll files?


But for the malware threats I ran a quick scan on MBAM and it said I have four infected objects.


Malwarebytes' Anti-Malware 1.36
Database version: 2077
Windows 5.1.2600 Service Pack 2

5/10/2009 7:47:33 PM
mbam-log-2009-05-10 (19-47-20).txt

Scan type: Quick Scan
Objects scanned: 91544
Time elapsed: 8 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\ovfsthfeorbnnmxpteqvpalecglxaalerntugk.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\SYSTEM32\ovfsthlog.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\SYSTEM32\ovfsthrolikfkddjcsdkeqbplipxiaaanccmaw.dat (Trojan.Agent) -> No action taken.


Windows Defender said I had a virus called Trojan:Win32/Vundo.gen!G
I chose to remove it and defender has not popped up yet with anything about it.

But I am currently running a full system scan for drive C: on MBAM.
Ok I just checked MBAM again and it says the same thing as it did for a quick scan.

It has not said anything about the Trojan:Win32/Vundo.gen!G virus.

Edited:
So I chose to remove all and reboot, and the kusitozo.dll error pop-up was gone, and I just ran another quick scan on MBAM and it said no malicious files detected. :thumbsup:

Edited by Marianna_, 11 May 2009 - 01:16 AM.




