
McAfee Vundo Knockdown dragout



Older Me computer running Windows XP Home

Fully updated, patched and protected by McAfee Security Suite

Son downloads a file from Limewire; the computer loses internet and is in a virtual lockup between McAfee and Vundo in normal mode, with the display adapter in troubleshooting mode in Device Manager

Computer is semi-functional in safe mode but will lock up and lose the desktop if given long enough

Normal mode is useless

Load basic tools and the McAfee removal tool on a USB drive and transfer them to the infected computer in safe mode, uninstall McAfee and run the removal tool

Boot into normal mode and the computer acts like it's fixed

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:56:11 PM, on 4/15/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

c:\WINDOWS\system32\ZuneBusEnum.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe

C:\WINDOWS\system32\pctspk.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Zune\ZuneLauncher.exe

C:\Documents and Settings\Owner\lsass.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE

C:\COMPAQ\CPQINET\CPQInet.exe

C:\Compaq\EAKDRV\EAUSBKBD.EXE

C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"

O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Owner\lsass.exe

O4 - HKLM\..\Run: [c051d9ba] rundll32.exe "C:\WINDOWS\system32\eagsbtjr.dll",b

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-21-1708537768-1580436667-1343024091-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')

O4 - HKUS\S-1-5-21-1708537768-1580436667-1343024091-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--

End of file - 4015 bytes

Malwarebytes' Anti-Malware 1.09

Database version: 532

Scan type: Full Scan (C:\|)

Objects scanned: 55536

Time elapsed: 11 minute(s), 56 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 3

Registry Keys Infected: 18

Registry Values Infected: 2

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 14

Memory Processes Infected:

C:\Documents and Settings\Owner\lsass.exe (Heuristic.Reserved.Word.Exploit) -> No action taken.

Memory Modules Infected:

C:\WINDOWS\system32\eagsbtjr.dll (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\xxyvw.dll (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\yayxyxv.dll (Trojan.Conhook) -> No action taken.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07e50f7d-005c-482b-90d7-492ba0f50c10} (Trojan.Vundo) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{07e50f7d-005c-482b-90d7-492ba0f50c10} (Trojan.Vundo) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{91223de9-f8e6-4ffd-8889-be6784c18696} (Trojan.Conhook) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{91223de9-f8e6-4ffd-8889-be6784c18696} (Trojan.Conhook) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayxyxv (Trojan.Conhook) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> No action taken.

HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> No action taken.

HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> No action taken.

HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.

HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> No action taken.

HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{91223de9-f8e6-4ffd-8889-be6784c18696} (Trojan.Conhook) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LSA Shellu (Heuristic.Reserved.Word.Exploit) -> No action taken.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxyvw.dll -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\eagsbtjr.dll (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\rjtbsgae.ini (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\xxyvw.dll (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\wvyxx.ini (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\wvyxx.ini2 (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\yayxyxv.dll (Trojan.Conhook) -> No action taken.

C:\WINDOWS\system32\pac.txt (Malware.Trace) -> No action taken.

C:\WINDOWS\Fonts\a.zip (Trojan.Downloader) -> No action taken.

C:\WINDOWS\system32\tuvvspq.dll (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\nnnlljk.dll (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\qomnoli.dll (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\ssqpqpq.dll (Trojan.Vundo) -> No action taken.

C:\Documents and Settings\Owner\lsass.exe (Heuristic.Reserved.Word.Exploit) -> No action taken.

C:\dllhost.exe (Heuristic.Reserved.Word.Exploit) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:36:01 PM, on 4/15/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

c:\WINDOWS\system32\ZuneBusEnum.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe

C:\WINDOWS\system32\pctspk.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Zune\ZuneLauncher.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE

C:\COMPAQ\CPQINET\CPQInet.exe

C:\Compaq\EAKDRV\EAUSBKBD.EXE

C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: {35769c63-6f07-8329-e804-05978061668c} - {c8661608-7950-408e-9238-70f636c96753} - C:\WINDOWS\system32\xqtxvxpw.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"

O4 - HKLM\..\Run: [c051d9ba] rundll32.exe "C:\WINDOWS\system32\eagsbtjr.dll",b

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-21-1708537768-1580436667-1343024091-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')

O4 - HKUS\S-1-5-21-1708537768-1580436667-1343024091-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--

End of file - 4131 bytes

Removing the display adapter from Device Manager and rebooting fixes the exclamation-mark problem

Windows Firewall cannot turn on because the Internet Connection Sharing service cannot be started, since it's missing a dependency

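The two HijackThis logs above carry three indicators a practitioner learns to spot by eye: a core Windows process name (lsass.exe) started from a user profile directory via a Run value, a Run value with a random hex name that uses rundll32 to load a pseudo-random-named DLL from system32, and a BHO whose display name is itself a GUID. The following Python script is an added example, not part of this thread and not code from HijackThis or Malwarebytes; it applies those three heuristics to log lines. The sample lines are a constructed subset copied from the log posted above, and every function name and rule threshold is my own choice, not a HijackThis classification.

```python
"""Heuristic triage of HijackThis-style log lines (added example, not from the thread)."""
import ntpath  # Windows path handling works on any host OS
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of lines copied from the HijackThis log in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Owner\lsass.exe
C:\WINDOWS\system32\rundll32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Owner\lsass.exe
O4 - HKLM\..\Run: [c051d9ba] rundll32.exe "C:\WINDOWS\system32\eagsbtjr.dll",b
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: {35769c63-6f07-8329-e804-05978061668c} - {c8661608-7950-408e-9238-70f636c96753} - C:\WINDOWS\system32\xqtxvxpw.dll
"""

# Core Windows binaries that only legitimately run from the system directory.
SYSTEM_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                    "lsass.exe", "svchost.exe", "dllhost.exe"}
SYSTEM32 = "c:\\windows\\system32\\"

PATH_LINE = re.compile(r"^[a-z]:\\", re.I)                       # "Running processes" entries
O4_LINE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9a-f-]{36}\} - (?P<path>.*)$", re.I)
GUID = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
HEX_VALUE_NAME = re.compile(r"^[0-9a-f]{8}$", re.I)
RUNDLL32_TARGET = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)', re.I)


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def first_path(cmd: str) -> str:
    """Executable path at the start of a Run command, with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd


def masquerade_reason(path: str) -> Optional[str]:
    """A core system process name that is not running from system32 is a masquerade."""
    name = ntpath.basename(path).lower()
    if name in SYSTEM_PROCESSES and not path.lower().startswith(SYSTEM32):
        return f"{name} runs from {ntpath.dirname(path)} instead of the Windows system directory"
    return None


def random_dll_reason(cmd: str) -> Optional[str]:
    """rundll32 loading a system32 DLL whose name is 7-8 lowercase letters (rough heuristic)."""
    m = RUNDLL32_TARGET.match(cmd.strip())
    if not m:
        return None
    dll = m.group(1)
    stem = ntpath.basename(dll)[:-4]
    if dll.lower().startswith(SYSTEM32) and len(stem) in (7, 8) and stem.isalpha() and stem.islower():
        return f"rundll32 loads {stem}.dll from system32 under a pseudo-random name"
    return None


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that trips at least one heuristic."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons: List[str] = []
        if PATH_LINE.match(line):
            r = masquerade_reason(line)
            if r:
                reasons.append(r)
        else:
            m = O4_LINE.match(line)
            if m:
                if HEX_VALUE_NAME.match(m["name"]):
                    reasons.append(f"Run value name {m['name']!r} is a random hex string")
                for r in (masquerade_reason(first_path(m["cmd"])), random_dll_reason(m["cmd"])):
                    if r:
                        reasons.append(r)
            else:
                m = O2_LINE.match(line)
                if m and GUID.match(m["name"].strip()):
                    reasons.append("BHO registered with a GUID instead of a readable class name")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run against the sample, it flags the profile-directory lsass.exe process, the [LSA Shellu] and [c051d9ba] Run values, and the GUID-named BHO, while leaving the NVIDIA, HP and Adobe entries alone. The DLL-name rule is deliberately narrow (lowercase, 7 or 8 letters) so that a vendor DLL such as NvCpl.dll does not trip it; it is a triage aid, not a verdict, and a hit should be confirmed against the MBAM or SUPERAntiSpyware detection names as the thread does.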

I am a freshman over at MRU and I do a lot of malware fixes for friends and clients, and have used MBAM for a few months.

In this case I decided to document the fixes and try to understand the process better; that's why I used MBAM first. What I need help on is: have I screwed up some dependencies by not using VundoFix or SDFix?

Thank you


Well, I don't want to steer you the wrong way, as MRU has strict guidelines on when/why/how they want you to address fixing a computer.

You're probably better off asking that question over on their site so that you get an "approved" answer.

It could be a few things. MBAM will try to safely remove the malware, but there are so many things that could be an issue on the system, and it cannot fix everything that malware might have done.

I would look in the Event Viewer and get the exact error message and then search online for it, and as said, check with MRU so that you're doing things the way they want you to.

> I am a freshman over at MRU and I do a lot of malware fixes for friends and clients, and have used MBAM for a few months.
>
> In this case I decided to document the fixes and try to understand the process better; that's why I used MBAM first. What I need help on is: have I screwed up some dependencies by not using VundoFix or SDFix?
>
> Thank you


Thank you for the response. As a student I am expected to fix my own problems in a shadow log but not allowed to use advanced tools, understandably. This is a friend's computer and I was afraid it might need ComboFix. I have run every tool I can, including rootkit scanners, and it's beginning to look like a shell error. AFAIK I am breaking no rules by posting a HJT log here as long as it's not mine.

The other tools found a few items. I was hoping that if someone here more experienced in reading MBAM logs saw something critical they would advise.

Thanks again


The first link didn't apply, as I am getting the error that the firewall/ICS cannot start because of a missing service dependency.

I have already run LSPFix.

I am currently running sfc /scannow.

Thanks, will look at Event Viewer when that finishes.


Well, sfc /scannow is a LAST RESORT in my opinion, but since you're already there, make sure you re-install SP2 unless the CD was already an SP2 CD for XP.

Then go to the Windows Update site, scan, and download/install all the Critical Updates and any of the other updates you may want.

> Well sfc /scannow is a LAST RESORT in my opinion

When I had to manually associate .reg files with regedit32 my mind was decided, especially after running VundoFix, ATF and SDFix and then RegAnalyzer.

I felt I gave it my best shot, and have seen several similar problems where even sfc didn't fix it but a repair disk did.


Windows updates went slick as glass; that's the first thing that has. I figured I would have to run Windows as a repair disk.

I am not sure the order is as important as the end result.

Google TAVO1.DLL and you will understand what I mean.

I had a bad experience with MBAM overwriting a log the other day, so I am saving immediately before removing.

> I had a bad experience with MBAM overwriting a log the other day, so I am saving immediately before removing.

Can you please post in the "General Malwarebytes' Anti-Malware Forum" with the details of your LOG issue.

If there is an issue with how logs are being managed then we need to know so that it can be corrected.

Thanks DaChew


That was an infection/corruption that I doubt you'll ever see on the internet. I had to run Windows as a repair disk to start the disinfection and even get into normal mode. TeaTimer played a big role there. MBAM was instrumental in fixing that one.

Thanks again

> That was an infection/corruption that I doubt you'll ever see on the internet. I had to run Windows as a repair disk to start the disinfection and even get into normal mode. TeaTimer played a big role there. MBAM was instrumental in fixing that one.
>
> Thanks again

I would not normally comment into a HJT thread, but this is not a normal circumstance. What do you mean the infection will never be seen on the net? Where did you get it? The Google search brings up plenty of hits that it is indeed all over the net. It is polymorphic and you haven't posted anything here that shows you actually removed it.

I don't mean to sound critical of your methods, I'm just pointing out the system in question could very well still be infected.

TeaTimer can interfere with the removal process also. It protects against registry changes and should be turned off for the duration of removal. I'm not clear on what you mean by TT played a big role?


The computer would boot to safe mode and then freeze in a matter of seconds. It all started with a file from Limewire and a laptop; when some friends tried to fix it they spread the infection to 2 more computers and brought the laptop to me.

It wasn't too bad, but I infected my own computer posting this log.

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 03/25/2008 at 06:29 PM

Application Version : 4.0.1154

Core Rules Database Version : 3412

Trace Rules Database Version: 1404

Scan type : Complete Scan

Total Scan Time : 01:15:35

Memory items scanned : 156

Memory threats detected : 0

Registry items scanned : 5743

Registry threats detected : 24

File items scanned : 12630

File threats detected : 18

Trojan.WinFixer

HKLM\Software\Classes\CLSID\{3D8C5FEF-9DE0-457B-A06E-304D0F574D62}

HKCR\CLSID\{3D8C5FEF-9DE0-457B-A06E-304D0F574D62}

HKCR\CLSID\{3D8C5FEF-9DE0-457B-A06E-304D0F574D62}\InprocServer32

HKCR\CLSID\{3D8C5FEF-9DE0-457B-A06E-304D0F574D62}\InprocServer32#ThreadingModel

C:\WINDOWS\SYSTEM32\VTSTR.DLL

HKLM\Software\Classes\CLSID\{771EA8E4-5C79-4B4D-9B47-3C37C626CCE8}

HKCR\CLSID\{771EA8E4-5C79-4B4D-9B47-3C37C626CCE8}

HKCR\CLSID\{771EA8E4-5C79-4B4D-9B47-3C37C626CCE8}\InprocServer32

HKCR\CLSID\{771EA8E4-5C79-4B4D-9B47-3C37C626CCE8}\InprocServer32#ThreadingModel

C:\WINDOWS\SYSTEM32\MLJJG.DLL

HKLM\Software\Classes\CLSID\{C8913AD6-7AB9-477B-B220-44673CAD228B}

HKCR\CLSID\{C8913AD6-7AB9-477B-B220-44673CAD228B}

HKCR\CLSID\{C8913AD6-7AB9-477B-B220-44673CAD228B}\InprocServer32

HKCR\CLSID\{C8913AD6-7AB9-477B-B220-44673CAD228B}\InprocServer32#ThreadingModel

C:\WINDOWS\SYSTEM32\DDABC.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{771EA8E4-5C79-4B4D-9B47-3C37C626CCE8}

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C8913AD6-7AB9-477B-B220-44673CAD228B}

Trojan.ZQuest

HKLM\Software\Classes\CLSID\{3FFCBB20-7758-476D-E195-00350124181D}

HKCR\CLSID\{3FFCBB20-7758-476D-E195-00350124181D}

HKCR\CLSID\{3FFCBB20-7758-476D-E195-00350124181D}\InProcServer32

HKCR\CLSID\{3FFCBB20-7758-476D-E195-00350124181D}\InProcServer32#ThreadingModel

C:\PROGRAM FILES\INTERNET EXPLORER\LAVUHA.DLL

Unclassified.Unknown Origin

HKLM\Software\Classes\CLSID\{BE3E45CB-BABD-481D-BA21-16240D8081BE}

HKCR\CLSID\{BE3E45CB-BABD-481D-BA21-16240D8081BE}

HKCR\CLSID\{BE3E45CB-BABD-481D-BA21-16240D8081BE}

HKCR\CLSID\{BE3E45CB-BABD-481D-BA21-16240D8081BE}\InProcServer32

HKCR\CLSID\{BE3E45CB-BABD-481D-BA21-16240D8081BE}\InProcServer32#ThreadingModel

C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\FOHELO89104.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BE3E45CB-BABD-481D-BA21-16240D8081BE}

Trojan.ZenoSearch

C:\WINDOWS\system32\msnav32.ax

RootKit.TnCore/Trace

C:\WINDOWS\system32\drivers\core.cache.dsk

Trojan.Downloader-CommandDesktop

C:\DOCUMENTS AND SETTINGS\PAUL THE PARTYMAN\DOCTORWEB\QUARANTINE\CMDINST.EXE

Trojan.Unclassifed/Loader-Suspicious

C:\EJAY\HIPHOP4_DEMO\EJAY\EJAY\LOADER.EXE

Trojan.Downloader-Gen/Svchost-Fake

C:\SYSTEM VOLUME INFORMATION\_RESTORE{67BBC2F1-2328-4819-BEC9-4623DBE7FD42}\RP266\A0068863.EXE

Adware.Vundo-Variant

C:\SYSTEM VOLUME INFORMATION\_RESTORE{67BBC2F1-2328-4819-BEC9-4623DBE7FD42}\RP266\A0068864.DLL

C:\SYSTEM VOLUME INFORMATION\_RESTORE{67BBC2F1-2328-4819-BEC9-4623DBE7FD42}\RP266\A0079220.DLL

Trojan.Downloader-Gen/MROFIN

C:\WINDOWS\MROFINU1000106.EXE

C:\WINDOWS\MROFINU1188.EXE

Adware.Vundo Variant/Rel

C:\WINDOWS\SYSTEM32\CBADD.INI

C:\WINDOWS\SYSTEM32\CBADD.INI2

Adware.Adservs

C:\WINDOWS\SYSTEM32\XTMP\V55API.EXE

Trojan.ZQuest-Installer

C:\WINDOWS\TK58.EXE

One of the other computers had malware already resident that had only been partially neutralized. When they tried to work on it, TeaTimer was resident and it corrupted the shell. After running the repair disk I then ran my standard spectrum of fixes, including rootkit scans. When I started getting null results I then went to Windows Updates, figuring I was home free; it kept crashing, and finally I had to run the repair disk one more time.

In the hundreds of HJT threads I have read I haven't quite seen anything similar. I have seen many that were never finished.

And I am sure that few would even attempt what I did, but the bookkeeper was waiting to cut checks and hadn't backed up QuickBooks so far this year.

Thank you for the interest, Jean, and I hope this clarifies my statement.


No, nothing is any clearer. You post a log that is over 2 weeks old showing well-known malware. I really don't know what your purpose is. How did you infect your PC posting a log?

> How did you infect your PC posting a log?

The infection executed off the USB drive when I opened the log to copy/paste, or at least that's when the little black DOS box flashed and shortly thereafter the porn popups started.

The computer that crashed had other infections and TeaTimer running when another infected USB drive was used to transfer fixes from the internet.

I didn't worry about logs, as I was having to fix 4 computers and disinfect 2 USB drives.


I had read about Flash_Disinfector the week before and thought that would never happen to me.

The original computer had infected 2 external hard drives; the guy said it caught them and disinfected them.

:P


Using the latest manual definition update would seem to be an issue.

Malwarebytes' Anti-Malware 1.11

Database version: 639

Scan type: Quick Scan

Objects scanned: 33100

Time elapsed: 5 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\awtqnkhe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

> The infection executed off the USB drive when I opened the log to copy/paste, or at least that's when the little black DOS box flashed and shortly thereafter the porn popups started.
>
> The computer that crashed had other infections and TeaTimer running when another infected USB drive was used to transfer fixes from the internet.
>
> I didn't worry about logs, as I was having to fix 4 computers and disinfect 2 USB drives.

Yikes. Now I get some of it. LOL I think I should move this topic into general PC help. I don't want anyone seeking help to think this is the normal way we do fixes. :P


What do you see as an issue? You have a Vundo infection. My advice is to begin a proper infection procedure. You say in your PM MBAM broke safe and normal mode? Safe and normal mode what? How is it broken? And no, I will not delete the thread. If MBAM did indeed break something, this is where Bruce and Marcin et al. will need to get information. You need to give some clear, concise information. Please.


When MBAM detected and quarantined awtqnkhe.dll

and I rebooted to then run a HJT scan, the computer would not boot into normal mode and started a reboot loop.

I then used F8, got to the advanced choice screen, chose safe mode, and it went almost directly into a normal mode boot?

Same loop all over.

I might try running a repair disk when I get it back online/connected to a monitor etc.
