hello all,
I am currently running a scan with your software to try to rid myself of whatever my problem is. All I know is that whatever this thing is, it prevents explorer.exe from running. Or it lets it run for about 10 seconds then kills it, then it restarts, then it kills it, over and over again. I have always had terrible luck in the past cleaning up infections so I am hoping your software combined with your forum expertise will let me be successful this time.
I am in the middle of a scan right now that has detected 33 infected objects so far.
This is my company laptop unfortunately and they only have an enterprise McAfee antivirus installed. It found 4 files last night when I ran it. Unfortunately whatever this bug is looks like it shut down McAfee last night before it installed itself. I hate these stupid things.
I was surfing some sports blogs and clicked on what looked like an innocent link and bam, popups galore. Let me know what you guys need to see to help me work through this.
I appreciate it.
#1
Posted 23 December 2008 - 01:44 PM
#2
Posted 23 December 2008 - 01:52 PM
Greetings wolraht, and welcome to the forum. I'm sorry you had to visit us under such dire circumstances, but we should be able to help you out. Most likely what you've got is an infection known as Vundo also known as Virtumonde. You're in luck because Malwarebytes' is very efficient at removing this type, and many other types of difficult infections. Once your scan completes, have it remove what it finds and reboot if necessary, once that is complete please read the instructions here:
http://www.malwareby...?showtopic=2936
and post your logs in a new topic here:
http://www.malwareby...php?showforum=7
Please be sure not to install any software or use any removal/scanning tools except those that you are instructed to by the expert who will be assisting you, as doing so can make their job much more difficult.
I hope I was helpful. Good luck and safe surfing.
#3
Posted 23 December 2008 - 01:53 PM
OK, here is my Malwarebytes log from the first scan I did. It was the Vundo trojan and so far it looks like it's all clean; at least, my computer is running well again.
Malwarebytes' Anti-Malware 1.31
Database version: 1535
Windows 5.1.2600 Service Pack 2
12/23/2008 7:45:32 AM
mbam-log-2008-12-23 (07-45-32).txt
Scan type: Quick Scan
Objects scanned: 72280
Time elapsed: 40 minute(s), 53 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 14
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 9
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\rqRhhEvV.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ljJDSKCu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\iifddeDS.dll (Trojan.Vundo) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a959299e-bd3b-4dd8-82a0-c5ccc3c361ed} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a959299e-bd3b-4dd8-82a0-c5ccc3c361ed} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljjdskcu (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a959299e-bd3b-4dd8-82a0-c5ccc3c361ed} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\rqrhhevv -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\rqrhhevv -> Delete on reboot.
Folders Infected:
C:\Documents and Settings\du402c\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\rqRhhEvV.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\VvEhhRqr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\VvEhhRqr.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJDSKCu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\prunnet.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\du402c\Application Data\gadcom\gadcom.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\du402c\Local Settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\du402c\Local Settings\Temporary Internet Files\Content.IE5\90DH1N9T\CAN1FQWD (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iifddeDS.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
Should I delete everything in the quarantine folder?
Does this look like it's all good to you experts?
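As an added example (not from the original thread and not Malwarebytes' own code), a small Python parser for the log format posted above: it cross-checks the summary counts against the entries actually listed, collects the objects still marked "Delete on reboot" (those are only removed once the machine restarts), and names the detection families seen. The embedded log excerpt is constructed from a few lines of the posted log, with one summary count deliberately left inconsistent to exercise the check.

```python
import re

# Constructed excerpt in the Malwarebytes' Anti-Malware 1.31 log format quoted in the
# thread (entries copied from the posted log). "Files Infected: 3" is deliberately one
# higher than the entries listed, to exercise the consistency check.
SAMPLE_LOG = r"""
Memory Modules Infected: 2
Registry Data Items Infected: 1
Files Infected: 3
Memory Modules Infected:
C:\WINDOWS\system32\rqRhhEvV.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ljJDSKCu.dll (Trojan.Vundo) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\rqrhhevv -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\VvEhhRqr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prunnet.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # summary line, e.g. "Files Infected: 9"
ENTRY_RE = re.compile(r"^(.*?) \(([^()]+)\) -> (.*?)\.?$")   # "<object> (<detection>) -> <action>."

def parse_mbam_log(text):
    """Return (summary_counts, entries); each entry is (section, object, detection, action)."""
    summary, entries, section = {}, [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
        elif line.endswith(" Infected:"):            # start of a detail section
            section = line[:-1]
        elif section:
            m = ENTRY_RE.match(line)                 # "(No malicious items detected)" has no " -> " and is skipped
            if m:
                # Registry data items read "Data: <value> -> <action>"; keep only the final action
                entries.append((section, m.group(1), m.group(2), m.group(3).split(" -> ")[-1]))
    return summary, entries

def check_log(text):
    """Cross-check summary counts against listed entries, list items pending a reboot, name families."""
    summary, entries = parse_mbam_log(text)
    counted = {}
    for section, _, _, _ in entries:
        counted[section] = counted.get(section, 0) + 1
    mismatches = {s: (n, counted.get(s, 0)) for s, n in summary.items() if counted.get(s, 0) != n}
    pending_reboot = [obj for _, obj, _, action in entries if action == "Delete on reboot"]
    families = sorted({det.split(".")[1] if "." in det else det for _, _, det, _ in entries})
    return {"mismatches": mismatches, "pending_reboot": pending_reboot, "families": families}
```

A non-empty `mismatches` result usually means a truncated or partially pasted log; a non-empty `pending_reboot` list means the listed DLLs are still on disk until the reboot the log asks for.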
#4
Posted 23 December 2008 - 01:54 PM
Oops, didn't see your reply before I posted the log, I will post it in the other forum.
#5
Posted 23 December 2008 - 02:01 PM
No problem, most likely Malwarebytes' killed off all of the infections, but better safe than sorry, so it's definitely a good idea to go ahead and post the logs there so they can have a look and make sure.
#6
Posted 23 December 2008 - 02:09 PM
It's nice that Malwarebytes' looks like it's working so well. The first thing I found was called something like Vundokiller, and it didn't even find the infection.
#7
Posted 23 December 2008 - 02:15 PM
Yes, Vundo is very tenacious and is updated/modified frequently to avoid detection, but it is also one of Malwarebytes' primary targets. Malwarebytes' is essentially software designed to remove the types of current threats that your typical antivirus and antispyware software might miss, and it's very good at what it does and is updated very frequently, often multiple times a day.
#8
Posted 23 December 2008 - 02:31 PM
Very cool.
Lemme ask you a question while the Panda scan is running.
So far it has found 56 infected files. Are those likely to be the files that are quarantined? Or am I looking at more problems that Malwarebytes didn't catch, possibly?
#9
Posted 23 December 2008 - 03:20 PM
Most of them are probably cookies (Panda always flags them even though they're harmless, and typically numerous) and some could be traces that are rendered harmless by what Malwarebytes' already removed, like registry entries that point to malicious files that have already been deleted, but of course it is possible that some of them are active infections that Malwarebytes' didn't catch. In fact, one of the main reasons we have users scan with Panda and the others is so that more common infections that Malwarebytes' isn't designed to detect can get removed before an expert jumps in to start removing any nasty leftovers and more difficult infections. Like I explained before, Malwarebytes' is designed to remove the stuff that your typical antivirus (including Panda) would normally miss. We just want to get you as clean as possible before the manual malware removal process begins.
#10
Posted 23 December 2008 - 03:23 PM
Cool, thanks.