Clean-up after MBAM removed Trojan.Agent and Trojan.Vundo.H


  • This topic is locked
9 replies to this topic

#1 cav175

cav175

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:30 AM

Posted 09 May 2009 - 02:19 AM

Hi,

Could someone please help me to clean up my machine after MBAM removed Trojan.Agent and Trojan.Vundo.H? MBAM looks like it worked but suspiciously there's a file that was deleted that returned by itself.

1. Removed Trojan.Agent using MBAM.

Malwarebytes' Anti-Malware 1.35
Database version: 1915
Windows 5.1.2600 Service Pack 3
18/04/2009 11:27:45 PM
Scan type: Full Scan (C:\|)
Objects scanned: 142863
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcayulecugofu (Trojan.Agent) -> Delete on reboot.
Files Infected:
C:\WINDOWS\unilobakamodeta.dll (Trojan.Agent) -> Delete on reboot.


2. Updated MBAM


Malwarebytes' Anti-Malware 1.36
Database version: 2000
Windows 5.1.2600 Service Pack 3
18/04/2009 11:56:36 PM
Scan type: Quick Scan
Objects scanned: 71077
Time elapsed: 2 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: dkblmn.dll -> Not selected for removal.

Files Infected:
C:\WINDOWS\dkblmn.dll (Trojan.Vundo.H) -> Delete on reboot.

.. must have forgotten to tick remove ...


19/04/2009 12:00:58 AM
Scan type: Quick Scan
Objects scanned: 71163
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: dkblmn.dll -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\dkblmn.dll (Trojan.Vundo.H) -> Delete on reboot.


3. Looked in C:\WINDOWS and both deleted files were gone. dkblmn.dll was in c:\avenger directory (MBAM must have done that) so I deleted it.

4. After a while, C:\WINDOWS\dkblmn.dll reappeared and I checked my registry and found that the infected registry data item (LSA\Notification Packages) was there. I can't manually delete dkblmn.dll using a normal delete.

5. MBAM shows as clean


Malwarebytes' Anti-Malware 1.36
Database version: 2057
Windows 5.1.2600 Service Pack 3

29/04/2009 7:19:31 PM
mbam-log-2009-04-29 (19-19-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 153086
Time elapsed: 50 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





#2 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 14 May 2009 - 09:50 AM

Hi,

Sorry for the delay in responding. Please do this:

Please use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:Scan Archives
      Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
[Posted Image: "Scan is completed" window with the "Save Report As" button]
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

#3 cav175

cav175
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  

Posted 15 May 2009 - 10:07 AM

Hi Superbird,

Thanks for looking into this for me. I ran Kaspersky Online Scanner and it didn't report any problems. Any other scans I should run?

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, May 16, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, May 15, 2009 11:18:39
Records in database: 2179210
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 70812
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:24:18

No malware has been detected. The scan area is clean.

The selected area was scanned.



#4 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 15 May 2009 - 10:34 AM

What are the problems exactly?

but suspiciously there's a file that was deleted that returned by itself.

Which file do you mean?

#5 cav175

cav175
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:30 AM

Posted 16 May 2009 - 03:35 AM

Hi Superbird,

When I noticed my machine slowing down, I ran MBAM. It removed Trojan.Agent. On a later scan, MBAM then found Trojan.Vundo.H.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: dkblmn.dll -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\dkblmn.dll (Trojan.Vundo.H) -> Delete on reboot.

After rebooting, dkblmn.dll wasn't in c:\windows any more. It was in c:\avenger\ (I think MBAM put it there). I deleted dkblmn.dll. After a few hours, I had a look in c:\windows and dkblmn.dll was there again. I checked the registry and the registry entry that MBAM said it deleted (LSA/Notification Packages) was there.

MBAM doesn't indicate a problem with c:\windows\dkblmn.dll when I run scans now. I'm guessing either my machine is not fully clean or I visited the same web site that I got the initial infection from. I'm looking for some help to make sure my machine is fully clean.

I had a read on this forum that I can send suspicious files to http://www.virustotal.com/. I submitted c:\WINDOWS\dkblmn.dll and several antiviruses said that dkblmn.dll is infected.

Antivirus | Version | Last Update | Result
a-squared | 4.0.0.101 | 2009.05.16 | Trojan.Win32.Hiloti!IK
AhnLab-V3 | 5.0.0.2 | 2009.05.15 | -
AntiVir | 7.9.0.168 | 2009.05.15 | TR/Agent.cfuy
Antiy-AVL | 2.0.3.1 | 2009.05.15 | -
Authentium | 5.1.2.4 | 2009.05.15 | -
Avast | 4.8.1335.0 | 2009.05.15 | -
AVG | 8.5.0.336 | 2009.05.15 | BHO.IRP
BitDefender | 7.2 | 2009.05.16 | -
CAT-QuickHeal | 10.00 | 2009.05.15 | Trojan.Agent.cfuy
ClamAV | 0.94.1 | 2009.05.15 | -
Comodo | 1157 | 2009.05.08 | -
DrWeb | 5.0.0.12182 | 2009.05.16 | -
eSafe | 7.0.17.0 | 2009.05.14 | -
eTrust-Vet | 31.6.6508 | 2009.05.16 | -
F-Prot | 4.4.4.56 | 2009.05.15 | -
F-Secure | 8.0.14470.0 | 2009.05.15 | -
Fortinet | 3.117.0.0 | 2009.05.16 | -
GData | 19 | 2009.05.16 | -
Ikarus | T3.1.1.49.0 | 2009.05.16 | Trojan.Win32.Hiloti
K7AntiVirus | 7.10.735 | 2009.05.14 | -
Kaspersky | 7.0.0.125 | 2009.05.16 | -
McAfee | 5616 | 2009.05.15 | Hiloti.gen
McAfee+Artemis | 5616 | 2009.05.15 | Hiloti.gen
McAfee-GW-Edition | 6.7.6 | 2009.05.15 | Trojan.Agent.cfuy
Microsoft | 1.4602 | 2009.05.16 | Trojan:Win32/Hiloti.gen!A
NOD32 | 4080 | 2009.05.15 | a variant of Win32/Kryptik.MT
Norman | 6.01.05 | 2009.05.16 | -
nProtect | 2009.1.8.0 | 2009.05.16 | -
Panda | 10.0.0.14 | 2009.05.15 | Suspicious file
PCTools | 4.4.2.0 | 2009.05.15 | -
Prevx | 3.0 | 2009.05.16 | Medium Risk Malware
Rising | 21.29.51.00 | 2009.05.16 | -
Sophos | 4.41.0 | 2009.05.16 | -
Sunbelt | 3.2.1858.2 | 2009.05.16 | Trojan-Win32/Hiloti.gen!A
Symantec | 1.4.4.12 | 2009.05.16 | -
TheHacker | 6.3.4.1.326 | 2009.05.15 | -
TrendMicro | 8.950.0.1092 | 2009.05.15 | -
VBA32 | 3.12.10.5 | 2009.05.16 | -
ViRobot | 2009.5.15.1737 | 2009.05.15 | -
VirusBuster | 4.6.5.0 | 2009.05.15 | -

So it seems like Symantec (which I'm using) and Kaspersky (which I just ran) seem to think that the file is OK but AVG and Microsoft think the file is a problem. Should I download AVG and give that a try?

Edited by cav175, 16 May 2009 - 03:59 AM.
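The persistence described in the post above (a DLL name written into the LSA "Notification Packages" value, so LSASS reloads it at every boot and holds the file open) can be audited with a short script. This is an added example, not code from the thread or from any tool named in it; it assumes PowerShell 3 or later and a baseline of package names that are legitimate on Windows XP/2003 (scecli, rassfm), which you should adjust for other Windows versions.

```powershell
# Added example (not from the thread): audit the LSA "Notification Packages"
# value that Trojan.Vundo.H abused for persistence in the post above.
# Assumptions: PowerShell 3+, and that scecli/rassfm are the only legitimate
# packages on this XP/2003 machine (adjust $Baseline for other versions).
$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Baseline = @('scecli', 'rassfm')

function Get-LsaNotificationPackageReport {
    $value = (Get-ItemProperty -Path $KeyPath -Name 'Notification Packages' `
                  -ErrorAction Stop).'Notification Packages'
    foreach ($entry in @($value)) {
        $name = "$entry".Trim()
        if (-not $name) { continue }
        # LSASS loads each entry with LoadLibrary, so a bare name resolves via
        # the DLL search path: System32 first, then %SystemRoot% (the thread's
        # dkblmn.dll sat in C:\WINDOWS, which is why it was still picked up).
        $file = if ($name -match '\.dll$') { $name } else { "$name.dll" }
        $candidates = @("$env:SystemRoot\System32\$file", "$env:SystemRoot\$file")
        $path = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status }
                else { 'FileMissing' }
        $inBaseline = $Baseline -contains ($file -replace '\.dll$', '')
        [pscustomobject]@{
            Package    = $entry
            Path       = $path
            InBaseline = $inBaseline
            Signature  = $sig
            # Anything outside the baseline, or not validly signed, needs a look
            Suspicious = (-not $inBaseline) -or ($sig -ne 'Valid')
        }
    }
}

Get-LsaNotificationPackageReport | Format-Table -AutoSize
```

An entry outside the baseline whose DLL is unsigned is the case to investigate; because lsass.exe keeps the loaded DLL open, the registry entry has to be removed first and the file deleted after a reboot, which is why MBAM schedules such files as "Delete on reboot".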


#6 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 16 May 2009 - 03:50 AM

Hi,

Ah okay, it's clear to me now. :thumbsup:

I'm going to redirect you to the HijackThis section of this forum. This, because it's a deeper infection.
Read this page and follow its steps: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Give them a link to this topic.

Good luck. :flowers:

#7 cav175

cav175
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  

Posted 16 May 2009 - 04:44 AM

Thanks for your time Superbird.

I've created a new topic in the HijackThis section here.

#8 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 16 May 2009 - 04:48 AM

Ok, that's good. :thumbsup:

I will inform a moderator to close this topic.

#9 Guest_The weatherman_*

Guest_The weatherman_*

  • Guests
  • OFFLINE
  •  

Posted 16 May 2009 - 06:41 AM

As requested, thank you superbird.

Topic closed.

#10 Orange Blossom

Orange Blossom

    Bleepin Investigator


  • Moderator
  • 37,110 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:03:30 AM

Posted 16 May 2009 - 06:06 PM

Hello cav175,

A few additional notes here.

Now that you have posted an HJT topic, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond. Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.
