
Windows Police Pro and PC Anti Spyware 2010

3 replies to this topic

#1 Stevei58


  • Members
  • 3 posts
  • Local time:12:18 AM

Posted 13 September 2009 - 05:13 AM


I was recently hit with Windows Police Pro and PC Anti Spyware 2010 viruses. Malware Bytes was ineffective as it would exit after 6 seconds. Initially ComboFix would not run. Tonight I renamed it and ran it in Safe mode, and it appears to have removed most of the problems. I am still somewhat concerned, as Windows Defender reported two trojans at startup: Win32/Vundo.gen!G and Win32/Vundo.gen!BL. After two unsuccessful attempts by Windows Defender to remove the trojans, I started a Malware Bytes full scan. It is running now and has already detected 8 infected objects.

My machine is a Dell Dimension 5100, and I am running Windows XP, Media Center Edition, Version 2002, Service Pack 3.

I would appreciate any advice you have on how to proceed.


Edited by The weatherman, 13 September 2009 - 07:05 AM.
Moved from HJT to a more appropriate forum. Tw


#2 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male
  • Local time:11:18 PM

Posted 13 September 2009 - 05:36 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right-hand corner by your first post, click the Options button and then click Track this topic. Then bullet the immediate notification bubble. Then press submit.

Could you please post your Malwarebytes scan log? It can be found under the "Logs" tab of the Malwarebytes program.
Computer Pro

#3 Stevei58

  • Topic Starter

  • Members
  • 3 posts
  • Local time:12:18 AM

Posted 13 September 2009 - 07:23 PM

Thanks for responding. I have subscribed to the topic, and here is the Malwarebytes scan log. Please let me know if you would like the ComboFix log as well.

Malwarebytes' Anti-Malware 1.41
Database version: 2788
Windows 5.1.2600 Service Pack 3

9/13/2009 1:46:56 PM
mbam-log-2009-09-13 (13-46-56).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 290540
Time elapsed: 8 hour(s), 49 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 5
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\sohojire.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{7ed9788f-6120-4886-9eb6-cb25b808c480} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{02e92efc-402b-434e-b098-b78e75d3b58c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mtnxvnstrxorirmu (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PC_AntiSpyware2010 (Rogue.PC_AntiSpyware2010) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veyozibiy (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{7ed9788f-6120-4886-9eb6-cb25b808c480} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\lufutuvuv (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\sohojire.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\sohojire.dll -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\sohojire.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Sara Iaccheo\Local Settings\Temp\58.tmp (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\cru629.dat.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\dplecxs.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\cru629.dat.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rohebiyi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rotscxdnhynmwm.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rotscxqosnwtqn.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tajf83ikdmf.dll.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tapi.nfo.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACeeqoyjxwkb.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACtrslytpxug.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACwiatawkemv.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate.exe.vir (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir (Rogue.PC_AntiSpyware2010) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\_scui.cpl.vir (Rogue.HomeAntiVirus) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\beep.sys.vir (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\rotscxptdlrtqd.sys.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kewiwizo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tulomuwa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fomubozu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\mtnxvnstrxorirmu.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

#4 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male
  • Local time:11:18 PM

Posted 13 September 2009 - 07:45 PM

After you made sure that you rebooted, please rerun a Malwarebytes Quick Scan.
Computer Pro
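
The log in post #3 marks several items "Delete on reboot", which is why a reboot has to come before the rescan asked for in post #4. The following is an added example, not part of the original thread or of any Malwarebytes tool: it parses a few lines copied from that log, lists the objects still pending removal, and picks out the pending entries that sit in autostart registry locations. The function names and the marker list are assumptions made for this sketch.

```python
import re

# Lines copied from the Malwarebytes log in post #3 (a subset, not the full log).
SAMPLE_LOG = r"""
Files Infected: 24
Memory Modules Infected:
c:\WINDOWS\system32\sohojire.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mtnxvnstrxorirmu (Rootkit.TDSS) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veyozibiy (Trojan.Vundo.H) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\sohojire.dll -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
c:\WINDOWS\system32\sohojire.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\drivers\mtnxvnstrxorirmu.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""

# A section header ends at the colon; summary counts ("Files Infected: 24") do not match.
SECTION = re.compile(r"^(?P<name>[A-Za-z ]+) Infected:$")
# <object> (<detection>) -> [<detail> -> ]<action>.
ENTRY = re.compile(r"^(?P<obj>.+?) \((?P<det>[^()\s]+)\) -> "
                   r"(?:(?P<detail>.+) -> )?(?P<action>[^>]+)\.$")
# Assumed marker list: registry locations from this log that load code at startup.
AUTOSTART_MARKERS = ("\\currentversion\\run", "\\appinit_dlls", "\\services\\",
                     "\\sharedtaskscheduler", "\\shellserviceobjectdelayload")

def parse_log(text):
    """Return one dict per detection: section, obj, det, detail, action."""
    entries, section = [], None
    for line in map(str.strip, text.splitlines()):
        header = SECTION.match(line)
        if header:
            section = header.group("name")
            continue
        entry = ENTRY.match(line)
        if entry and section:
            entries.append({"section": section, **entry.groupdict()})
    return entries

def pending_after_reboot(entries):
    """Unique objects (case-folded) that are only removed at the next boot."""
    return sorted({e["obj"].lower() for e in entries if e["action"] == "Delete on reboot"})

def autostart_pending(entries):
    """Pending entries whose registry path is an autostart location."""
    return [e for e in entries if e["action"] == "Delete on reboot"
            and any(m in e["obj"].lower() for m in AUTOSTART_MARKERS)]
```

Any object this reports as pending should be absent from the scan run after the reboot; one that reappears indicates the removal did not hold.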
