
Malwarebytes

audiode.dll


3 replies to this topic

#1
Wyrd Arcanum

    New Member

  • Members
  • 6 posts
Hello, I'm new to this forum and tried for the first time your anti malware program in the hopes I could get rid of a VERY nasty problem.

The root cause seems to be a file called audiode.dll, and it was found in the windows\system32 folder on my husband's computer. I've been fighting with this file for almost a month now to no avail. I can't get rid of it.

So far for malware and antivirus removal, these programs can identify the problem but have been completely ineffective:
Spybot: Search and destroy
Spyhunter 3
Bit Defender
Kaspersky Anti Virus
Panda Security
Ad Aware (lavasoft)
Malware Bytes
File Assassin

There are a number of registry keys that resist removal of any kind, along with the file itself. This file ended up on my husband's computer via the pop-up advertisements from PALTALK (just so you know); I was sitting next to him when it happened. Unfortunately, we were both hit with these fake antivirus programs at the same time, and I dealt with the problem on my computer first. I am wondering if that time interval is what caused the removal to have issues on his computer but not mine. I had to manually remove most of what got onto my system, which meant hours and hours of hunting through the registry, et cetera.

I wish I could remember WTF I did to get audiode.dll OFF my system, because now, nothing I can do will get it off my husband's computer.

Any suggestions? This thing is seriously unfriendly. It likes to prevent automatic updates, prevent IE7 from opening at all, blocks the pop3 mail server (dos), prevents the running of "msconfig" and just about any other program it feels like.

Other noted behaviours:
Spybot: search and destroy, and Bit Defender cannot "see" the file in normal mode, only in safe mode. Spyhunter 3 spots it most of the time in normal mode, but every time in safe mode as well.

I do not want to format his computer. I want to destroy this thing.

Oh, it has been identified by different scanners as having a different name.

Vadagune
Vundo
Podahune

and all sorts of other names.

I need to go bang my head on my desk for a while.


#2
Wyrd Arcanum

MalwareBytes Log:

Malwarebytes' Anti-Malware 1.35
Database version: 1911
Windows 5.1.2600 Service Pack 2

3/28/2009 1:26:04 PM
mbam-log-2009-03-28 (13-26-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 163064
Time elapsed: 24 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{77ab5974-55a3-4737-9fd5-b93c64307f78} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0a13ffed-4be3-44ac-a629-b047a5cb0863} (Trojan.Downloader) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0a13ffed-4be3-44ac-a629-b047a5cb0863} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0a13ffed-4be3-44ac-a629-b047a5cb0863} (Trojan.Downloader) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\audiode.dll (Trojan.Downloader) -> Delete on reboot.




NONE of the "delete on reboot" keys were deleted, nor was audiode.dll.

#3
GT500

    Mostly Cantankerous

  • Trusted Advisors
  • 5,533 posts
  • Gender:Male
  • Location:Fortville, IN
Please follow these instructions (skipping any steps you are unable to complete) for posting in our Malware Removal - HijackThis Logs forum. If you cannot follow any of those steps, then please create a new topic in that forum explaining what happened when you tried to run each of the tools in the instructions, and the expert who helps you will be able to suggest steps to take to get the tools working.


#4
Wyrd Arcanum


GT500, on Mar 29 2009, 04:35 PM, said:

Please follow these instructions (skipping any steps you are unable to complete) for posting in our Malware Removal - HijackThis Logs forum. If you cannot follow any of those steps, then please create a new topic in that forum explaining what happened when you tried to run each of the tools in the instructions, and the expert who helps you will be able to suggest steps to take to get the tools working.


Done.




