Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Remove Trojan.Vundo


  • Please log in to reply
9 replies to this topic

#1 swampwaterkl

swampwaterkl

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:16 AM

Posted 30 August 2010 - 03:09 PM

I read some post you have for Trojan.Vundo and have fixed one PC following your guidlines. Thanks for the post. I'm having an issue with another computer I have. I followed the same guidlines but the pc has a bad memory leak after I ran MBAM and rebooted. Also I cannot reboot back into safe mode to run SAS, the computer freezes while loading the drivers and then restarts. I have a feeling MBAM started something else when it ran the scan and found Trojan.Vundo and MyWebSearch and MyFunWeb. if you can help me please leave me a link to start a post for this. Just started using Bleeping Computer so I need some direction.

PC Specs:
Gateway 710S
512 MB RAM
3.2 Ghz CPU P4
Windows XP Pro SP3

No words can express what this means to me.
Thanks in advance!
Shane

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:16 AM

Posted 30 August 2010 - 03:22 PM

SUPERAntiSypware has a built in "Repairs" feature to fix policy restrictions and certain Windows settings which are sometimes targeted by malware infection. To use this feature, launch SUPERAntiSypware.
  • Click the Preferences button.
  • Click the Repairs tab.
  • Click on (highlight) "Repair broken SafeBoot key" and then click the Repair button.
  • You may be asked to reboot your computer for the changes to take effect.
After SAS ...Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 swampwaterkl

swampwaterkl
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:16 AM

Posted 30 August 2010 - 04:12 PM

MBAM Log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4510

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/30/2010 4:05:14 PM
mbam-log-2010-08-30 (16-05-14).txt

Scan type: Quick scan
Objects scanned: 141594
Time elapsed: 36 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Next step please?
Thanks Shane

#4 swampwaterkl

swampwaterkl
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:16 AM

Posted 30 August 2010 - 06:31 PM

Thought this might help you, the orginal MBAM log before today.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4447

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/18/2010 7:30:44 PM
mbam-log-2010-08-18 (19-30-44).txt

Scan type: Quick scan
Objects scanned: 142641
Time elapsed: 10 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{450b9e4d-4014-4de3-b34e-014a81468293} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{dd469a88-316c-441d-b712-783d9b9a6707} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{d28cd14c-50be-4cfa-951e-b37f25da3472} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{981bda1d-c8ad-46ff-be2c-fddd859ac6f5} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c7f00a9a-f1bc-436e-82c7-e8cae6fd67f7} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{288c5f13-7e52-4ada-a32e-f5bf9d125f99} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{deceaaa2-370a-49bb-9362-68c3a58ddc62} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{288c5f13-7e52-4ada-a32e-f5bf9d125f99} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:16 AM

Posted 30 August 2010 - 07:48 PM

Thanks for those. Can we run SAS in safe mode yet?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 swampwaterkl

swampwaterkl
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:16 AM

Posted 31 August 2010 - 12:23 AM

Before the SAS log I ran ATF Cleaner and it remove almost 32MBs of info.

Next I ran the SAS in Safe Mode this time and this is what I got.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/30/2010 at 10:35 PM

Application Version : 4.42.1000

Core Rules Database Version : 5384
Trace Rules Database Version: 3197

Scan type : Complete Scan
Total Scan Time : 02:15:32

Memory items scanned : 231
Memory threats detected : 0
Registry items scanned : 9476
Registry threats detected : 0
File items scanned : 40987
File threats detected : 0

Please let me know what the next step is. It seems to be running better but I may need a day to overlook. The main issue was the page file would shoot up to almost 1 GB and PC would freeze or go extremely slow. It would stay like that almost all day. The page file right now is 512 and responsive. Originally I never ran ATF Cleaner before today so that is why it found something and not the other MBAM and SAS scans which I had ran before. Oh this PC is supposed to go to sleep in 45 minutes but it never would. If it goes to sleep like normal than something is working in our favor.

Thanks Shane
Have a great day!

#7 swampwaterkl

swampwaterkl
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:16 AM

Posted 31 August 2010 - 12:27 AM

The orginal SAS log in case.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/19/2010 at 07:49 PM

Application Version : 4.41.1000

Core Rules Database Version : 5384
Trace Rules Database Version: 3197

Scan type : Quick Scan
Total Scan Time : 00:42:49

Memory items scanned : 633
Memory threats detected : 0
Registry items scanned : 1947
Registry threats detected : 8
File items scanned : 11337
File threats detected : 8

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.doubleclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@insightexpressai[1].txt

Adware.180solutions/ZangoSearch
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SAIX.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SAIX.dll#.Owner
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SAIX.dll#{DECEAAA2-370A-49BB-9362-68C3A58DDC62}

Registry Cleaner Trial
HKCR\Install.Install
HKCR\Install.Install\CLSID
HKCR\Install.Install\CurVer
HKCR\Install.Install.1
HKCR\Install.Install.1\CLSID

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\IHHKJ.INI

Thanks Shane

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:16 AM

Posted 31 August 2010 - 09:00 AM

We are in good shape. Let's do an online scan.
Please avoid those registry cleaners.. they really do more harm then good.

ESET
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Eset Smart Installer icon on your desktop.
  • Check the "YES, I accept the Terms of Use"
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push "List of found threats"
  • Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the "<<Back" button.
  • Push Finish
In your next reply, please include the following:
  • Eset Scan Log


NOTE: In some instances if no malware is found there will be no log produced.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 swampwaterkl

swampwaterkl
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:16 AM

Posted 31 August 2010 - 04:51 PM

ESET scon log

C:\My Games\Weave Words\packmake.exe probably a variant of Win32/Agent.IJEJMQU trojan cleaned by deleting - quarantined
C:\Program Files\MSConfig CleanUp\MSConfigCleanUp.exe probably unknown NewHeur_PE virus deleted - quarantined
C:\WINDOWS\system32\ihhkj.bak1 Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\WINDOWS\system32\ihhkj.bak2 Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined



MBAM scan log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4517

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/31/2010 4:44:28 PM
mbam-log-2010-08-31 (16-44-28).txt

Scan type: Quick scan
Objects scanned: 142348
Time elapsed: 11 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I was going to tell you page file will still going up but I see you sent instructions for ESET and MBAM so here is the info you requested. Please let me know what is the next step.

Thanks Shane

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:16 AM

Posted 31 August 2010 - 10:29 PM

We should also update SAS. it may be enough to find more.

Core Rules Database Version : 5384
Trace Rules Database Version: 3197

Now at
Core Rules Database Version : 5438
Trace Rules Database Version: 3250

Also lets do a rootkit scan as I suspect one.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning
.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users