Trojan.vundo


  • This topic is locked
12 replies to this topic

#1 RRA

RRA

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:26 PM

Posted 13 August 2009 - 07:48 AM

I have a computer that is infected with Trojan.Vundo; Symantec could not prevent or clean this.

I have run Malwarebytes then SDFix and still have an infection.

Here is the Malware log.

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

8/13/2009 6:43:02 AM
mbam-log-2009-08-13 (06-43-02).txt

Scan type: Quick Scan
Objects scanned: 110679
Time elapsed: 9 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1473eb32-7992-4f75-8eff-6194f818a50c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gftetxgb (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{1473eb32-7992-4f75-8eff-6194f818a50c} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\qtsexxt.dll (Trojan.Vundo.H) -> Delete on reboot.

Edited by quietman7, 13 August 2009 - 07:54 AM.




#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,940 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:26 PM

Posted 13 August 2009 - 07:55 AM

I edited your topic to remove your HijackThis log as they are not permitted in topics outside the HJT forum. The HJT Team members are all volunteers who contribute to helping members as time permits but currently there is a backup and you may have to wait for assistance. Referrals are made to the HJT forum if we cannot resolve the issue here or the infection keeps returning and we need to use more powerful tools.

Your Malwarebytes Anti-Malware log indicates you are using an older version of MBAM (v1.38) with an outdated database. Please download and install the most current version (1.40) from here.
You may have to reboot after updating in order to overwrite any "in use" protection module files.

Your database shows 2297. Last I checked it was 2615.

Update the database through the program's interface (preferable method) or manually download the definition updates and just double-click on mbam-rules.exe to install.

Then perform a new Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Note: Mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating through the program's interface or have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, is to do the following: Install MBAM on a clean computer, launch the program and update through MBAM's interface. Copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware
Please download Rooter.exe and save to your desktop.
alternate download link
  • Double-click on Rooter.exe to start the tool. If using Vista, right-click and Run as Administrator...
  • Click the Scan button to begin.
  • Once the scan is complete, Notepad will open with a report named Rooter_#.txt (where # is the number assigned to the report).
  • A folder will be created at the %systemdrive% (usually, C:\Rooter$) where the log will be saved.
  • Rooter will automatically close. If it doesn't, just press the Close button.
  • Copy and paste the contents of Rooter_#.txt in your next reply.
Important: Before performing a scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 RRA

RRA
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:26 PM

Posted 13 August 2009 - 01:04 PM

Thank you for your help, sorry about the HJT log. I updated Malwarebytes to the latest and the dbase to 2615. I ran a scan; it found the usual 4 plus two more (Backdoor.Bot). I rebooted and ran Rooter. Here is the report.

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP Home Edition (5.1.2600) Service Pack 3
[32_bits] - x86 Family 15 Model 4 Stepping 4, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 8.0.6001.18702
.
C:\ [Fixed-NTFS] .. ( Total:71 Go - Free:31 Go )
D:\ [CD_Rom]
.
Scan : 12:55.46
Path : C:\Documents and Settings\Allie's\Desktop\Rooter.exe
User : Allie's ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (588)
______ \??\C:\WINDOWS\system32\csrss.exe (636)
______ \??\C:\WINDOWS\system32\winlogon.exe (668)
______ C:\WINDOWS\system32\services.exe (712)
______ C:\WINDOWS\system32\lsass.exe (724)
______ C:\WINDOWS\system32\Ati2evxx.exe (1008)
______ C:\WINDOWS\system32\svchost.exe (1028)
______ C:\WINDOWS\system32\svchost.exe (1156)
______ C:\WINDOWS\System32\svchost.exe (1300)
______ C:\WINDOWS\system32\svchost.exe (1412)
______ C:\WINDOWS\system32\svchost.exe (1500)
______ C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (1680)
______ C:\WINDOWS\system32\spoolsv.exe (1952)
______ C:\WINDOWS\Explorer.EXE (512)
______ C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (432)
______ C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (472)
______ C:\PROGRA~1\SYMANT~1\vptray.exe (516)
______ C:\WINDOWS\system32\ctfmon.exe (100)
______ C:\WINDOWS\system32\svchost.exe (1452)
______ C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (1520)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (1540)
______ C:\Program Files\Bonjour\mDNSResponder.exe (1796)
______ C:\Program Files\Symantec AntiVirus\DefWatch.exe (1616)
______ C:\Program Files\Java\jre6\bin\jqs.exe (1664)
______ C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (1848)
______ C:\WINDOWS\system32\svchost.exe (308)
______ C:\Program Files\Symantec AntiVirus\Rtvscan.exe (412)
______ C:\WINDOWS\system32\wscntfy.exe (2716)
______ C:\WINDOWS\System32\alg.exe (2932)
______ C:\Documents and Settings\Allie's\Desktop\Rooter.exe (3932)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:57544704)
\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:57576960 | Length:76528005120)
\Device\Harddisk0\Partition3 (Start_Offset:76585582080 | Length:3405265920)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\Pareto UNS.job
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 12:56.14
.
C:\Rooter$\Rooter_1.txt - (13/08/2009 | 12:56.14)

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,940 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:26 PM

Posted 13 August 2009 - 04:12 PM

Please post the results of your previous MBAM scans. I want to review what was detected.

#5 RRA

RRA
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:26 PM

Posted 14 August 2009 - 07:11 AM

This is the first log I created.

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

8/12/2009 10:33:31 PM
mbam-log-2009-08-12 (22-33-31).txt

Scan type: Quick Scan
Objects scanned: 110894
Time elapsed: 9 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 31
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 33
Files Infected: 45

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\pxdgatjo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qtsexxt.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1473eb32-7992-4f75-8eff-6194f818a50c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gftetxgb (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{1473eb32-7992-4f75-8eff-6194f818a50c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000f8382-a4eb-443e-b8ac-5b8758860d5f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{000f8382-a4eb-443e-b8ac-5b8758860d5f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{000f8382-a4eb-443e-b8ac-5b8758860d5f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{84da4fdf-a1cf-4195-8688-3e961f505983} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cndualgi (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cndualgi (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cndualgi (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1473eb32-7992-4f75-8eff-6194f818a50c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-f3embed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\gary l. kurkjian\application data\Starware316 (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\BrowserSearch (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Configurator (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\ErrorSearch (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Games (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Games\images (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Games\images\active (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Games\images\default (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Layouts (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Manager (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Movies (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Movies\images (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Movies\images\active (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Movies\images\default (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Reference (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\RelatedSearch (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Screensavers (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\ScreensaversMarketingSitePager (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\screensaversmarketingsitepager\images (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\screensaversmarketingsitepager\images\active (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\screensaversmarketingsitepager\images\default (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Toolbar (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\ToolbarLogo (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\ToolbarSearch (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\TravelSearch (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Weather (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.
c:\program files\screensavers.com\SSSInst (Adware.Comet) -> Quarantined and deleted successfully.
c:\program files\screensavers.com\SSSInst\bin (Adware.Comet) -> Quarantined and deleted successfully.
c:\documents and settings\Allie's\Application Data\FunWebProducts (Adware.MyWay) -> Quarantined and deleted successfully.
c:\documents and settings\Allie's\application data\funwebproducts\Data (Adware.MyWay) -> Quarantined and deleted successfully.
c:\documents and settings\Allie's\application data\funwebproducts\Data\Allie's (Adware.MyWay) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\qtsexxt.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\pxdgatjo.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\nbkoswd.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\documents and settings\gary l. kurkjian\application data\starware316\browsersearch\BrowserSearch.xml (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\browsersearch\BrowserSearch.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\configurator\Configurator.xml (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\configurator\Configurator.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\errorsearch\ErrorSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\errorsearch\ErrorSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Games\GamesOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Games\GamesOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Games\images\active\Games0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Layouts\ToolbarLayout.xml (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Layouts\ToolbarLayout.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Manager\ManagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Manager\ManagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Movies\MoviesOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Movies\MoviesOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Movies\images\active\Movies0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\reference\ReferenceOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\reference\ReferenceOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\relatedsearch\RelatedSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\relatedsearch\RelatedSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\screensavers\ScreensaversOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\screensavers\ScreensaversOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\screensaversmarketingsitepager\ScreensaversMarketingSitePagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\screensaversmarketingsitepager\ScreensaversMarketingSitePagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\screensaversmarketingsitepager\images\active\ScreensaversMarketingSitePager0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Toolbar\TBProductsOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Toolbar\TBProductsOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\toolbarlogo\ToolbarLogoOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\toolbarlogo\ToolbarLogoOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\toolbarsearch\ToolbarSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\toolbarsearch\ToolbarSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\travelsearch\TravelSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\travelsearch\TravelSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Weather\AlertArchive.xml (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Weather\WeatherOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\gary l. kurkjian\application data\starware316\Weather\WeatherOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
c:\program files\screensavers.com\SSSInst\bin\iebyterange.xml (Adware.Comet) -> Quarantined and deleted successfully.
c:\program files\screensavers.com\SSSInst\bin\iebyterange.xml.backup (Adware.Comet) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.
c:\documents and settings\Allie's\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,940 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:26 PM

Posted 14 August 2009 - 08:58 AM

Your Malwarebytes Anti-Malware log indicates you are using an older version of MBAM (v1.38) with an outdated database. Please download and install the most current version (1.40) from here.
You may have to reboot after updating in order to overwrite any "in use" protection module files.

Your database shows 2297. Last I checked it was 2622.

Update the database through the program's interface (preferable method) or manually download the definition updates and just double-click on mbam-rules.exe to install.

Then perform a new Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Note: Mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating through the program's interface or have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, is to do the following: Install MBAM on a clean computer, launch the program and update through MBAM's interface. Copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware


#7 RRA

RRA
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:26 PM

Posted 14 August 2009 - 11:03 AM

I thought I did all that already. My first post was with Malwarebytes 1.38; then you told me to upgrade and I followed all your recommendations, upgrading to 1.40 and a database of 2615. Scanned and rebooted, then ran Rooter. Then posted the report. Then you asked for previous malware logs. The only ones I have prior to that are the 1.38.

Please tell me what you are looking for and I'll post it. Do you want the first Malwarebytes 1.4 log I ran before the Rooter? I'll post both before and after anyway, I hope that helps.

Confused
Rick

Edited by RRA, 14 August 2009 - 01:44 PM.


#8 RRA

RRA
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:26 PM

Posted 14 August 2009 - 11:08 AM

OK, here is the first log from Malwarebytes 1.4 with dbase 2615.

Malwarebytes' Anti-Malware 1.40
Database version: 2615
Windows 5.1.2600 Service Pack 3

8/13/2009 12:45:44 PM
mbam-log-2009-08-13 (12-45-44).txt

Scan type: Quick Scan
Objects scanned: 115540
Time elapsed: 9 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1473eb32-7992-4f75-8eff-6194f818a50c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gftetxgb (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{1473eb32-7992-4f75-8eff-6194f818a50c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\qtsexxt.dll (Trojan.Vundo.H) -> Delete on reboot.

#9 RRA

RRA
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:26 PM

Posted 14 August 2009 - 11:23 AM

Here is the latest malware log.

Malwarebytes' Anti-Malware 1.40
Database version: 2623
Windows 5.1.2600 Service Pack 3

8/14/2009 11:22:59 AM
mbam-log-2009-08-14 (11-22-59).txt

Scan type: Quick Scan
Objects scanned: 117486
Time elapsed: 13 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1473eb32-7992-4f75-8eff-6194f818a50c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gftetxgb (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{1473eb32-7992-4f75-8eff-6194f818a50c} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\qtsexxt.dll (Trojan.Vundo.H) -> Delete on reboot.
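
The two logs above show the same three registry keys and the same DLL coming back as "Delete on reboot" a day apart, which is the detail that matters here: the reboot-time deletion is not sticking. The script below is an added example (not part of RRA's post and not Malwarebytes' code) that parses the MBAM text log format shown in this thread and reports any detection scheduled for reboot deletion in more than one scan. The embedded logs are abbreviated copies of the two posted above (header and empty sections trimmed, detection lines verbatim).

```python
"""Compare Malwarebytes' Anti-Malware (MBAM) logs across scans.

Added example; it is not from this thread or from Malwarebytes. It parses the
plain-text MBAM log format posted above and reports every detection that is
marked "Delete on reboot" in two or more scans. An item that keeps returning
with that action survived the previous reboot-time deletion, which points to a
self-protecting component (rootkit, Winlogon notify DLL, re-infection at boot)
rather than a one-off cleanup that only needs another run.
"""
import re
from collections import defaultdict

# Detection line: "<item> (<detection name>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# Section header such as "Registry Keys Infected:"; the summary line
# "Registry Keys Infected: 5" does not end with a colon and is ignored.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z /]+ Infected):$")
# Scan timestamp, e.g. "8/13/2009 12:45:44 PM"
SCAN_TIME_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2}(?: [AP]M)?$")

# Abbreviated copies of the two logs posted in this thread (constructed sample input).
LOG_SCAN_1 = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2615

8/13/2009 12:45:44 PM
mbam-log-2009-08-13 (12-45-44).txt

Registry Keys Infected: 5
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1473eb32-7992-4f75-8eff-6194f818a50c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gftetxgb (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{1473eb32-7992-4f75-8eff-6194f818a50c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\qtsexxt.dll (Trojan.Vundo.H) -> Delete on reboot.
"""

LOG_SCAN_2 = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2623

8/14/2009 11:22:59 AM
mbam-log-2009-08-14 (11-22-59).txt

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1473eb32-7992-4f75-8eff-6194f818a50c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gftetxgb (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{1473eb32-7992-4f75-8eff-6194f818a50c} (Trojan.Vundo.H) -> Delete on reboot.

Files Infected:
c:\WINDOWS\system32\qtsexxt.dll (Trojan.Vundo.H) -> Delete on reboot.
"""


def parse_mbam_log(text):
    """Return (scan_time, findings); each finding has section, item, name, action."""
    scan_time, section, findings = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if scan_time is None and SCAN_TIME_RE.match(line):
            scan_time = line
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            findings.append({"section": section, "item": m.group("item"),
                             "name": m.group("name"), "action": m.group("action")})
    return scan_time, findings


def recurring_survivors(logs, action="Delete on reboot"):
    """Map (item, detection name) -> scan times in which the item was scheduled
    for reboot-time deletion, keeping only items seen in two or more scans.
    Registry and file paths are case-insensitive on Windows, so the item is
    lower-cased before comparison."""
    seen = defaultdict(list)
    for text in logs:
        scan_time, findings = parse_mbam_log(text)
        for f in findings:
            if f["action"].lower().startswith(action.lower()):
                seen[(f["item"].lower(), f["name"])].append(scan_time)
    return {key: times for key, times in seen.items() if len(times) >= 2}


if __name__ == "__main__":
    for (item, name), times in recurring_survivors([LOG_SCAN_1, LOG_SCAN_2]).items():
        print(f"{name}: {item}\n    still '{'Delete on reboot'}' in {len(times)} scans: {', '.join(times)}")
```

Run against the two logs it reports the BHO CLSID (under both HKLM and HKCR), the Winlogon\Notify\gftetxgb key and qtsexxt.dll as survivors, while the Backdoor.Bot keys, which were "Quarantined and deleted successfully", are not listed. The Winlogon\Notify entry explains the pattern: a notify DLL is loaded by winlogon.exe at logon, before the scheduled deletion can take effect, so it can re-create the other keys.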

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,940 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:26 PM

Posted 14 August 2009 - 03:12 PM

Please download RootRepeal.zip and save it to your Desktop.
alternate download link 1
alternate download link 2
  • Unzip the file on your Desktop or create a new folder on the hard drive called RootRepeal (C:\RootRepeal) and extract it there.
    (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Disconnect from the Internet as your system will be unprotected while using this tool.
  • Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
    This will ensure more accurate results and avoid common issues that may cause false detections.
  • Click this link to see a list of such programs and how to disable them.
  • Open the RootRepeal folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
  • When the program opens, click the Report tab at the bottom, then click the Scan button.
  • In the Select Scan dialog, which asks What do you want to include in the scan?, check all the boxes.
  • Click OK.
  • In the Select Drives dialog (Please select drives to scan:), select your primary system drive (usually C:), then click OK.
  • The scan can take some time to finish. Do not use the computer while the scan is running.
  • When the scan has completed, a list of files will be generated in the RootRepeal window.
  • Click on the Save Report button and save it as rootrepeal.txt to your desktop.
  • A copy of the report with the date (i.e. RootRepeal report 07-30-09 (17-35-54).txt) is also saved to the root of your system drive (usually C:\).
  • Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
  • Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "safe mode".
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#11 RRA

RRA
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:26 PM

Posted 14 August 2009 - 03:59 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/14 15:34
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB0E15000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA60C000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAE498000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sfc.SYS
Image Path: C:\WINDOWS\System32\Drivers\sfc.SYS
Address: 0xADEC3000 Size: 10272 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8a1106d0

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8a12f230

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a31d2e8

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x8a105850

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8a4aa950

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb1035690

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a131430

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x8a107b70

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8a108490

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x8a2ae270

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x8a1076d0

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x8a2b61d8

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x8a1472c8

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "<unknown>" at address 0x8a0f9258

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8a1600b8

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8a2ff590

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8a48f548

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8a1322b8

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb10358e0

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8a105818

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8a12f6d0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8a4c21a8

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8a132280

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8a2ff610

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a3d21a8

Stealth Objects
-------------------
Object: Hidden Module [Name: sfcfiles.dll]
Process: winlogon.exe (PID: 668) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: mssfc.dll]
Process: winlogon.exe (PID: 668) Address: 0x66700000 Size: 1622016

==EOF==
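
The report above lists 23 SSDT entries hooked by "<unknown>" at addresses that are not inside any driver image RootRepeal enumerated, two hooks owned by Symantec's SYMEVENT.SYS, and two modules hidden inside winlogon.exe (PID 668) under system-sounding names. The script below is an added example (not part of RRA's post and not RootRepeal's code) that parses this report format and separates the hooks a named driver accounts for from those nothing accounts for, checking each unattributed hook address against the enumerated driver ranges. The embedded report is an abbreviated copy of the one posted above (a subset of the SSDT entries, blank lines trimmed).

```python
"""Triage a RootRepeal report.

Added example; it is not from this thread or from RootRepeal's authors. It
parses the Drivers, SSDT and Stealth Objects sections of the plain-text report
posted above, splits SSDT hooks into those owned by a named driver file and
those owned by "<unknown>", and checks whether any unknown hook address falls
inside a driver image the report enumerated. A hook outside every listed image
is running from memory no driver file accounts for.
"""
import re

SECTION_RE = re.compile(r"^(Drivers|Hidden/Locked Files|SSDT|Stealth Objects)$")
DRIVER_NAME_RE = re.compile(r"^Name: (?P<name>.+)$")
DRIVER_ADDR_RE = re.compile(r"^Address: (?P<addr>0x[0-9A-Fa-f]+)\s+Size: (?P<size>\d+)")
SSDT_FUNC_RE = re.compile(r"^#: (?P<idx>\d+)\s+Function Name: (?P<func>\w+)$")
SSDT_STATUS_RE = re.compile(r'^Status: Hooked by "(?P<owner>[^"]+)" at address (?P<addr>0x[0-9A-Fa-f]+)$')
HIDDEN_MOD_RE = re.compile(r"^Object: Hidden Module \[Name: (?P<name>[^\]]+)\]$")
PROCESS_RE = re.compile(r"^Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\) Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)$")

# Abbreviated copy of the report posted in this thread (constructed sample input).
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
Scan Start Time: 2009/08/14 15:34
Program Version: Version 1.3.5.0

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB0E15000 Size: 98304 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAE498000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8a1106d0
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8a4aa950
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb1035690
#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb10358e0
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8a4c21a8
#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a3d21a8

Stealth Objects
-------------------
Object: Hidden Module [Name: sfcfiles.dll]
Process: winlogon.exe (PID: 668) Address: 0x10000000 Size: 32768
Object: Hidden Module [Name: mssfc.dll]
Process: winlogon.exe (PID: 668) Address: 0x66700000 Size: 1622016

==EOF=="""


def parse_rootrepeal(text):
    """Parse the Drivers, SSDT and Stealth Objects sections into dicts."""
    report = {"drivers": [], "ssdt": [], "hidden_modules": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION_RE.match(line):
            section = line
        elif section == "Drivers":
            if m := DRIVER_NAME_RE.match(line):
                report["drivers"].append({"name": m["name"]})
            elif (m := DRIVER_ADDR_RE.match(line)) and report["drivers"]:
                report["drivers"][-1].update(addr=int(m["addr"], 16), size=int(m["size"]))
        elif section == "SSDT":
            if m := SSDT_FUNC_RE.match(line):
                report["ssdt"].append({"index": int(m["idx"]), "func": m["func"]})
            elif (m := SSDT_STATUS_RE.match(line)) and report["ssdt"]:
                report["ssdt"][-1].update(owner=m["owner"], addr=int(m["addr"], 16))
        elif section == "Stealth Objects":
            if m := HIDDEN_MOD_RE.match(line):
                report["hidden_modules"].append({"name": m["name"]})
            elif (m := PROCESS_RE.match(line)) and report["hidden_modules"]:
                report["hidden_modules"][-1].update(process=m["proc"], pid=int(m["pid"]),
                                                    addr=int(m["addr"], 16), size=int(m["size"]))
    return report


def triage(report):
    """Split SSDT hooks into driver-attributed and unattributed ones; for the
    latter, record which enumerated driver image (if any) contains the hook."""
    def image_containing(addr):
        for d in report["drivers"]:
            if "addr" in d and d["addr"] <= addr < d["addr"] + d["size"]:
                return d["name"]
        return None

    attributed, unattributed = [], []
    for hook in report["ssdt"]:
        if "owner" not in hook:
            continue
        if hook["owner"] == "<unknown>":
            unattributed.append(dict(hook, inside_driver=image_containing(hook["addr"])))
        else:
            attributed.append(hook)
    return {"attributed": attributed, "unattributed": unattributed,
            "hidden_modules": report["hidden_modules"]}


if __name__ == "__main__":
    result = triage(parse_rootrepeal(SAMPLE_REPORT))
    for h in result["unattributed"]:
        print(f"UNATTRIBUTED  {h['func']:<24} at {h['addr']:#010x}  inside: {h['inside_driver']}")
    for h in result["attributed"]:
        print(f"attributed    {h['func']:<24} -> {h['owner']}")
    for m in result["hidden_modules"]:
        print(f"HIDDEN MODULE {m['name']} in {m['process']} (PID {m['pid']})")
```

The functions the unknown owner hooks in the full report (thread creation and termination, process termination, memory allocation, mapping and writing, token opening, NtQueryValueKey) are the calls a removal tool makes when it tries to stop a process, inject into it, or read and delete its registry data, which is consistent with the keys and DLL in the Malwarebytes logs refusing to stay deleted. The SYMEVENT.SYS hooks on NtSetValueKey and NtDeleteValueKey are the Symantec product's own registry protection and are expected.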

#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,940 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:26 PM

Posted 14 August 2009 - 08:48 PM

Some infections are difficult to remove completely because of their morphing characteristics, which allow the malware to regenerate itself. Sometimes there is a hidden piece of malware (i.e. a rootkit) which has not been detected by your security tools and which protects malicious files and registry keys so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done, we will need you to create and post a DDS/HijackThis log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work on may assume another HJT Team member is already assisting you and not open the thread to respond.

#13 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,804 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:07:26 PM

Posted 16 August 2009 - 11:12 AM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/250066/trojanvundo/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work on may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



