Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malwarebytees won't install......


  • This topic is locked This topic is locked
11 replies to this topic

#1 Duracell

Duracell

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 29 October 2009 - 05:06 AM

I know that I have Vundo Trojan - (One Care) tried to install Malwarebytes last night but it will only run a few seconds and then vanish - I try to restart it and I get "trying to locaate mwbe.exe"...nothing. I searched here last night to get far enough to try to install that then saw the same error message that others were having and stopped.....I don't know how to "run" all the logs you'll need so you'll have to tell me how to do that too.....Windows XP Home, AVG 8.5 ( I think)

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,941 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:21 PM

Posted 29 October 2009 - 10:21 AM

MBAM uses Inno Setup instead of the Windows Installer Service to install the program. If installation coninues to fail in normal mode, try installing and scanning in safe mode. Doing this is usually not advised as MBAM is designed to be at full power when running in normal mode and loses some effectiveness for detection & removal when used in safe mode. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Therefore, after completing a scan it is recommended to uninstall MBAM, then reinstall it in normal mode and perform another Quick Scan.[/color]

-- Some types of malware will disable Malwarebytes Anti-Malware and other security tools to keep them from running properly. Others may delete the main mbam.exe executable file during installation or when attempting to perform a scan which results in various errors.

To resolve this, download and install Malwarebytes Anti-Malware on a non-infected computer.
  • After installation, open Windows Explorer and navigate to the C:\Program Files\Malwarebytes' Anti-Malware\ folder where mbam.exe is located.
  • Copy the mbam.exe file to the Desktop and rename it to wuauclt.exe or explorer.exe.
  • Save the renamed file to a usb flash drive or CD, then transfer to the infected computer.
    • Another option is to upload the file somewhere so you can download it later to the infected computer.
    • If you do not have access to another computer, ask a friend to email or upload a renamed mbam.exe for you and provide a link to download it.
  • Place the renamed mbam.exe in the C:\Program Files\Malwarebytes' Anti-Malware folder on the infected computer, then double-click on it to launch the program.
  • If that still did not work, then try changing the file extension. <- click this link if you do not see the file extension
    If using Windows Vista, refer to these instructions.
  • Right-click on the wuauclt.exe file, and change the .exe extension to .scr, .com, .pif, or .bat.
  • Double-click on wuauclt.scr (or whatever extension you renamed it) to launch the program.
  • Check for database definition updates through the program's interface.
  • Then perform a Quick Scan, check all items found for removal and reboot afterwards.
  • Failure to reboot will prevent MBAM from removing all the malware.
  • When done, click the Logs tab and copy/paste the contents of the report in your next reply.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Duracell

Duracell
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 29 October 2009 - 09:08 PM

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

10/29/2009 9:42:05 PM
mbam-log-2009-10-29 (21-42-05).txt

Scan type: Quick Scan
Objects scanned: 112058
Time elapsed: 11 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 6
Folders Infected: 4
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\hodaluho.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{e0e3e17d-facd-42fb-95bc-26bba134680c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuvudahem (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{e0e3e17d-facd-42fb-95bc-26bba134680c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\bopehikig (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\hodaluho.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\hodaluho.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget (Adware.Admedia) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget\bin (Adware.Admedia) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\hodaluho.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\huforupa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ligamosa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Then after rebooting to completely remove as it said to do:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

10/29/2009 9:56:43 PM
mbam-log-2009-10-29 (21-56-43).txt

Scan type: Quick Scan
Objects scanned: 111940
Time elapsed: 8 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Am I ok now - was it a backdoor one where I should be worried about the banking info?

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,941 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:21 PM

Posted 29 October 2009 - 09:57 PM

Your Malwarebytes Anti-Malware log indicates you are using an outdated database version.
The database shows 2775. Last I checked it was 3054.

Please update it through the program's interface (preferable method) or manually download the definition updates and just double-click on mbam-rules.exe to install. Then this time perform a Full Scan in normal mode and check all items found for removal. Don't forgot to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Note: Mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating through the program's interface or have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, is to do the following: Install MBAM on a clean computer, launch the program and update through MBAM's interface. Copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware
Your infection was related to Vundo which is a Trojan that infects a system with malicious Browser Helper Objects and .dll (Dynamic Link Library) modules attached to system files like Winlogonand Explorer.exe. The infection is responsible for launching unwanted pop ups, advertising for rogue antispyware programs, and downloading more malicious files which hampers system performance. Newer variants of Vundo typically use bogus warning messages and alerts to indicate that your computer is infected with spyware or has critical errors as a scare tactic to goad you into downloading a rogue security program which uses social engineering and scams to trick a user into spending money to buy a an application which claims to to fix it. The messages can mimic system messages so they appear as if they are generated by the Windows Operating System.

Vundo spreads via Internet Relay Chat, by visiting underground web pages, adult, gaming or pirated software sites, and by using peer-to-peer (P2P) file sharing programs which are a security risk that can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such sites may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The infection also spreads through emails containing links to websites that exploit your web browser’s security holes and by exploiting a vulnerability in older versions of Sun Java. When you click on a Vundo laced email link, Internet Explorer launches a site that stealthy installs the Trojan so that it can run every time you startup Windows and download more malicious files.

For more detail on how these types of rogue programs and infections install themselves, read:The problem with these types of infections is that they can download other malicious files so the extent of the infection can vary to include backdoor Trojans, Botnets, IRCBots and rootkit components which make it more difficult to remove. When a backdoor Trojan or rootkit is involved, the PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 Duracell

Duracell
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 30 October 2009 - 08:09 PM

Alright I updated and reran this morning - then this afternoon I found out that it had an update so I reran full scan again - then it told me to reboot....I did - then I guess I just want to make sure that the deletion on reboot worked so I did a quick scan and came up with the last log......now what.


Malwarebytes' Anti-Malware 1.41
Database version: 3059
Windows 5.1.2600 Service Pack 3

10/30/2009 5:21:38 PM
mbam-log-2009-10-30 (17-21-38).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 185286
Time elapsed: 1 hour(s), 34 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\dikifaso.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\benayabi.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dikifaso.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\benayabi.dll (Trojan.Vundo) -> Delete on reboot.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP728\A0059253.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP728\A0059268.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP728\A0059271.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mulumobu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tebudati.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fipigune.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dozufuye.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fameyini.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yajulose.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yatukone.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nesefasa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
Malwarebytes' Anti-Malware 1.41
Database version: 3063
Windows 5.1.2600 Service Pack 3

10/30/2009 6:57:25 PM
mbam-log-2009-10-30 (18-57-25).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 184947
Time elapsed: 1 hour(s), 25 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\bepesata.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c6f213a5-8d0d-452d-a88d-df22d6f55592} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuvudahem (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c6f213a5-8d0d-452d-a88d-df22d6f55592} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\rujudamaj (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\bepesata.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\bepesata.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\bepesata.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\punehomi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
Malwarebytes' Anti-Malware 1.41
Database version: 3063
Windows 5.1.2600 Service Pack 3

10/30/2009 8:52:54 PM
mbam-log-2009-10-30 (20-52-54).txt

Scan type: Quick Scan
Objects scanned: 119364
Time elapsed: 11 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,941 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:21 PM

Posted 31 October 2009 - 06:09 AM

Lets do another anti-malware scan to see if we find anything else that MBAM may have missed.

Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Prgrams > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you cannot boot into safe mode, then perform your scans in normal mode.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 Duracell

Duracell
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 31 October 2009 - 08:46 AM

Ok did both - (first one gave download warning but trusted I)

Super Anti - wouldn't let me start in safe mode -
Strange thing is - AVG popped up with Resident Shield saying throughout the scan

C:/WINDOWS/sys32/juetoja.dll as a Vundo Trojan



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/31/2009 at 09:29 AM

Application Version : 4.29.1004

Core Rules Database Version : 4216
Trace Rules Database Version: 2122

Scan type : Complete Scan
Total Scan Time : 00:45:36

Memory items scanned : 517
Memory threats detected : 0
Registry items scanned : 6188
Registry threats detected : 0
File items scanned : 24718
File threats detected : 53

Adware.Tracking Cookie
c:\documents and settings\lora\cookies\lora@avgtechnologies.112.2o7[1].txt
c:\documents and settings\lora\cookies\lora@atdmt[2].txt
c:\documents and settings\lora\cookies\lora@msnportal.112.2o7[1].txt
c:\documents and settings\lora\cookies\lora@serving-sys[2].txt
c:\documents and settings\lora\cookies\lora@www.mediatraffic[1].txt
c:\documents and settings\lora\cookies\lora@pointroll[2].txt
c:\documents and settings\lora\cookies\lora@adcentriconline[1].txt
c:\documents and settings\lora\cookies\lora@icityfind[1].txt
c:\documents and settings\lora\cookies\lora@statcounter[1].txt
c:\documents and settings\lora\cookies\lora@ads.bridgetrack[2].txt
c:\documents and settings\lora\cookies\lora@interclick[2].txt
c:\documents and settings\lora\cookies\lora@msnbc.112.2o7[1].txt
c:\documents and settings\lora\cookies\lora@vitamine.networldmedia[1].txt
c:\documents and settings\lora\cookies\lora@mediaplex[2].txt
c:\documents and settings\lora\cookies\lora@collective-media[2].txt
c:\documents and settings\lora\cookies\lora@fmimedia.infusionsoft[2].txt
c:\documents and settings\lora\cookies\lora@insightexpressai[2].txt
c:\documents and settings\lora\cookies\lora@hitbox[2].txt
c:\documents and settings\lora\cookies\lora@www.icityfind[1].txt
c:\documents and settings\lora\cookies\lora@media6degrees[1].txt
c:\documents and settings\lora\cookies\lora@imrworldwide[2].txt
c:\documents and settings\lora\cookies\lora@myroitracking[1].txt
c:\documents and settings\lora\cookies\lora@at.atwola[1].txt
c:\documents and settings\lora\cookies\lora@sales.liveperson[2].txt
c:\documents and settings\lora\cookies\lora@apmebf[1].txt
c:\documents and settings\lora\cookies\lora@mediatraffic[2].txt
c:\documents and settings\lora\cookies\lora@burstnet[1].txt
c:\documents and settings\lora\cookies\lora@ad.yieldmanager[1].txt
c:\documents and settings\lora\cookies\lora@trafficmp[1].txt
c:\documents and settings\lora\cookies\lora@microsoftwindows.112.2o7[1].txt
c:\documents and settings\lora\cookies\lora@ads.pointroll[1].txt
c:\documents and settings\lora\cookies\lora@revsci[2].txt
c:\documents and settings\lora\cookies\lora@zedo[2].txt
c:\documents and settings\lora\cookies\lora@surfaccuracy[1].txt
c:\documents and settings\lora\cookies\lora@realmedia[2].txt
c:\documents and settings\lora\cookies\lora@bs.serving-sys[2].txt
c:\documents and settings\lora\cookies\lora@clicksor[2].txt
c:\documents and settings\lora\cookies\lora@login.revenueloop[2].txt
c:\documents and settings\lora\cookies\lora@specificclick[2].txt
c:\documents and settings\lora\cookies\lora@doubleclick[1].txt
c:\documents and settings\lora\cookies\lora@ehg-speakeasy.hitbox[2].txt
c:\documents and settings\lora\cookies\lora@dmtracker[1].txt
c:\documents and settings\lora\cookies\lora@tacoda[1].txt
c:\documents and settings\lora\cookies\lora@247realmedia[1].txt
c:\documents and settings\lora\cookies\lora@oneclicktracker[1].txt
c:\documents and settings\lora\cookies\lora@ads.networldmedia[2].txt
c:\documents and settings\lora\cookies\lora@xiti[1].txt
c:\documents and settings\lora\cookies\lora@advertising[1].txt
c:\documents and settings\lora\cookies\lora@fastclick[1].txt
c:\documents and settings\lora\cookies\lora@tribalfusion[2].txt
c:\documents and settings\lora\cookies\lora@msnservices.112.2o7[1].txt

#8 Duracell

Duracell
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 31 October 2009 - 09:05 AM

Continued from earlier post

Looked at Resident Shield - Under details
Process Name: C:\WINDOWS\system32\rundll.32exe
Process ID: 984
If that means anything to you......

#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,941 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:21 PM

Posted 31 October 2009 - 09:19 AM

Some infections are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. Sometimes there is hidden piece of malware (i.e. rootkit) which has not been detected by your security tools that protects malicious files and registry keys so they cannot be permanently deleted. Other rootkits can even terminate your security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need you to create and post a DDS/HijackThis log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#10 Duracell

Duracell
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 31 October 2009 - 09:21 AM

Thanks for all of your help so far......have a great weekend.

#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,941 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:21 PM

Posted 31 October 2009 - 09:59 AM

Not a problem.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#12 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,804 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:11:21 PM

Posted 31 October 2009 - 01:39 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/268281/vundo-quietman-referral/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users