started with I'm Infected but nothing will work


This virus was able to change my router name, so I was afraid it would spread to other computers on the network, so I unplugged it from the network, downloaded all the necessary files and burned them to a disk. Upon trying to install or use the programs, here are the prompts that came up.

Malwarebytes - Unable to execute file

C:\programfiles\malwarebytes'anti-malwar\mbam.exe

create process failed; code 2

The system cannot find the file specified

Avira - resource missing

rctext.dll

Defogger - Error: unable to create log

GMER - this one will run for a while and then just shuts off.

Here is a screen shot of what was on the screen

Please help...

gmer_print_scrn.rtf


Thank you in advance for your help, but it still isn't working. Rkill only works for a second and then it starts again; I tried the other copies with the same effect. I was able to get Malwarebytes to work, but it will not update. I ran a scan anyway and here is the log.

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Ran as Owner on 03/02/2010 at 7:05:20.

Processes terminated by Rkill or while it was running:

C:\WINDOWS\System32\HPZipm12.exe

C:\Documents and Settings\Owner\Local Settings\Application Data\av.exe

Rkill completed on 03/02/2010 at 7:05:34.

Malwarebytes' Anti-Malware 1.44

Database version: 3510

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

3/2/2010 8:52:31 AM

mbam-log-2010-03-02 (08-52-31).txt

Scan type: Full Scan (C:\|)

Objects scanned: 225307

Time elapsed: 1 hour(s), 18 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 3

Registry Keys Infected: 5

Registry Values Infected: 4

Registry Data Items Infected: 5

Folders Infected: 0

Files Infected: 21

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\duhototu.dll (Trojan.Vundo.H) -> Delete on reboot.

c:\WINDOWS\system32\pinofivu.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\yadefato.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07852040-0d09-41df-a8f2-602e8ffad328} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{07852040-0d09-41df-a8f2-602e8ffad328} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{dfe42ccb-53bc-47a8-a467-7affeb1a8a7e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\najesimew (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{dfe42ccb-53bc-47a8-a467-7affeb1a8a7e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\fakopipog (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fedayehese (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\pinofivu.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\pinofivu.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\duhototu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\pinofivu.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\vebikosi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\yadefato.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\vjwmmsku.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UVBD6GDK\vzgomuf[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E85DA609-92A9-4FE9-880D-7EC83A879D5E}\RP728\A0054267.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E85DA609-92A9-4FE9-880D-7EC83A879D5E}\RP732\A0058455.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E85DA609-92A9-4FE9-880D-7EC83A879D5E}\RP732\A0058456.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E85DA609-92A9-4FE9-880D-7EC83A879D5E}\RP732\A0058457.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\duhototu.dll.tmp (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\wenunika.dll.tmp (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\seagate.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\yadefato.dll.tmp (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\fuwoduke.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\kimuremo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\rotirufe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\telonapi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\yejedufi.dll (Trojan.Vundo) -> Delete on reboot.

C:\Documents and Settings\Owner\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

I have not retried any of the other programs yet but this is what I have now.

Thank you again and please advise me to my next steps.

Tazman282

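The log above lists the locations Malwarebytes found the infection living in. As an added example (not part of the thread, and not Malwarebytes' own tooling), the following Python script parses lines in that log format, groups each finding by the persistence or tool-interference mechanism its registry location implies, and pulls out the two kinds of entry, an Image File Execution Options key and an AppInit_DLLs value, that can stop a security tool from launching cleanly or load malware into it when it does. The mechanism names and the ATT&CK IDs in the comments are my own mapping, not something the log states; the embedded sample is a constructed subset of lines copied from the posted log.

```python
"""Triage helper for Malwarebytes' Anti-Malware log lines (added example).

Groups each registry/file finding by the persistence or tool-interference
mechanism that its location implies. The mechanism names and ATT&CK IDs in
RULES are this example's own mapping, not something the log states.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the mbam-log posted in the thread.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\najesimew (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\pinofivu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07852040-0d09-41df-a8f2-602e8ffad328} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{07852040-0d09-41df-a8f2-602e8ffad328} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\fakopipog (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pinofivu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\seagate.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\vjwmmsku.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
"""

# Line shape: "<path> (<detection>) -> [Data: ... -> ][Bad: (x) Good: (y) -> ]<action>."
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")

# Ordered rules, matched against the lower-cased path; the first hit wins.
RULES = [
    # A Debugger value here is run *instead of* the named program; if it points at a
    # file that no longer exists, launching that program fails with
    # "The system cannot find the file specified".  (ATT&CK T1546.012)
    (r"\\image file execution options\\", "IFEO debugger hijack"),
    # DLL loaded into every process that links user32.dll, scanners included.  (T1546.010)
    (r"\\appinit_dlls$", "AppInit_DLLs injection"),
    (r"\\currentversion\\run\\", "Run key autostart"),  # T1547.001
    (r"\\browser helper objects\\", "Browser Helper Object"),
    (r"\\(sharedtaskscheduler|shellserviceobjectdelayload)\\", "Explorer shell load point"),
    (r"\\security center\\\w+disablenotify$", "Security Center notification disabled"),  # T1562.001
    (r"^hkey_classes_root\\clsid\\\{", "COM class registration"),
]

# Mechanisms that keep a scanner from starting cleanly, or load malware into it when it does.
TOOL_BLOCKING = {"IFEO debugger hijack", "AppInit_DLLs injection"}


def classify(path):
    """Map a registry or file path from the log to a mechanism label."""
    p = path.lower()
    for pattern, mechanism in RULES:
        if re.search(pattern, p):
            return mechanism
    if p.startswith("hkey_"):
        return "other registry entry"
    if p.endswith(".sys"):
        return "kernel driver file"
    if p.endswith(".dll") or p.endswith(".dll.tmp"):
        return "DLL file"
    return "other file"


def parse_log(text):
    """Return one dict per finding: path, detection, action, optional Data value, mechanism."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, counters and blank lines
        parts = [p.strip() for p in m.group("rest").split(" -> ")]
        action = parts[-1].rstrip(".")
        data = next((p[len("Data: "):] for p in parts[:-1] if p.startswith("Data: ")), None)
        findings.append({
            "path": m.group("path"),
            "detection": m.group("detection"),
            "action": action,
            "data": data,
            "mechanism": classify(m.group("path")),
        })
    return findings


def summarize(findings):
    """Count findings per mechanism."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["mechanism"]] += 1
    return dict(counts)


def tool_blocking_entries(findings):
    """Entries that explain a scanner refusing to start or running with malware loaded."""
    return [f for f in findings if f["mechanism"] in TOOL_BLOCKING]


def pending_reboot(findings):
    """Items still in use at scan time; the removal only completes after a reboot."""
    return [f["path"] for f in findings if f["action"].lower().startswith("delete on reboot")]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for mech, n in sorted(summarize(found).items()):
        print(f"{n:2d}  {mech}")
    print("\nTool-blocking entries:")
    for f in tool_blocking_entries(found):
        print(f"  {f['mechanism']}: {f['path']}" + (f"  [{f['data']}]" if f["data"] else ""))
    print("\nStill loaded at scan time (reboot before re-scanning):")
    for p in pending_reboot(found):
        print("  " + p)
```

Entries reported as "Delete on reboot" were still loaded when the scan ran, so a rescan before rebooting will keep finding them; the IFEO and AppInit_DLLs hits are the ones to check first when a tool refuses to launch, because both take effect before the tool's own code runs.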

I have tried to update with no luck; I have tried Rkill and then update, with no luck. I downloaded the updates and installed them, but the virus is still here after Malwarebytes runs and quarantines files. So I just don't know what else to do. Please help me out, thanks.


Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use the Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When this "quick" scan is finished (a few seconds), copy the Quick scan report to the windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Exit the Program
  • Save the Scan log as ARKQ.txt and post it in your next reply. If the log is very long attach it please.

Please download Combofix from: HERE

The Combofix guide at Bleeping Computer (A guide and tutorial on using ComboFix):

http://www.bleepingcomputer.com/combofix/h...se-combofix#use

Using ComboFix ->

I want you to rename Combofix.exe as you download it to rayman.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • Choose to save, not open the file
    • When prompted, save the file to your desktop, and rename it anything with an .exe extension on the end.

VERY IMPORTANT: Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console - if you have not done that already:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Launch Combofix (rayman.exe) from the Run Line, as follows:

Navigate to Start --> Run, and copy/paste this command exactly as shown, then hit Enter:

"%userprofile%\desktop\rayman.exe" /killall

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of ARKQ.txt and C:\Combofix.txt in your next reply

Note: Do NOT mouseclick combofix's window while it is running. That may cause your system to stall/hang.

IMPORTANT:If you were not able to run Combofix (rayman.exe), or the run did not complete successfully, you can try launching it in safe mode from the run line.

To boot into Safe Mode (Windows 2000, XP):

1. Restart the computer.

2. Watch the screen while it is black. After the BIOS memory check is done, start tapping the F8 key. If done right, the Windows Advanced Options Menu will appear.

3. Select Safe Mode from the menu. Starting Windows in Safe Mode may take several minutes.
