
I caught the Trojan.Zlob.G too



I was unable to use the Panda security scan because my browser keeps crashing, but here are the MBAM and HijackThis logs.

Malwarebytes' Anti-Malware 1.31

Database version: 1456

Windows 5.1.2600 Service Pack 3

12/7/2008 4:15:49 AM

mbam-log-2008-12-07 (04-15-49).txt

Scan type: Full Scan (C:\|)

Objects scanned: 101493

Time elapsed: 22 minute(s), 30 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 4

Registry Keys Infected: 18

Registry Values Infected: 3

Registry Data Items Infected: 2

Folders Infected: 4

Files Infected: 20

Memory Processes Infected:

C:\Program Files\GetModule\GetModule31.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:

C:\WINDOWS\system32\pmnmkIBt.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\ubhvbqku.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\opnmJDWM.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\ouhlxt.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\opnmjdwm (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8052fbe4-c578-403b-80ee-061ea8bd8063} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{8052fbe4-c578-403b-80ee-061ea8bd8063} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{af0e4b9c-dd2c-404f-a722-8d79284428ed} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{af0e4b9c-dd2c-404f-a722-8d79284428ed} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8052fbe4-c578-403b-80ee-061ea8bd8063} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af0e4b9c-dd2c-404f-a722-8d79284428ed} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\icheck (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\GetModule (Adware.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d4d74915 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getmodule31 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\pmnmkibt -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\pmnmkibt -> Delete on reboot.

Folders Infected:

C:\Program Files\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\asmith\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\asmith\Application Data\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\opnmJDWM.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\pmnmkIBt.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\tBIkmnmp.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tBIkmnmp.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ouhlxt.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\ubhvbqku.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\ukqbvhbu.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\Documents and Settings\asmith\Local Settings\Temporary Internet Files\Content.IE5\2XCDIHAD\zc113432[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\Documents and Settings\asmith\Local Settings\Temporary Internet Files\Content.IE5\CBN36OPL\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\pdvniade.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Program Files\iCheck\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\GetModule\GetModule31.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\asmith\Application Data\gadcom\purasi.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\asmith\Application Data\GetModule\dicik.gz (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\asmith\Application Data\GetModule\kwdik.gz (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\asmith\Application Data\GetModule\losi.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\asmith\Application Data\GetModule\ofadik.gz (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wpv961228549770.cpx (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\yayaWoMD.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

--------------------------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:32:20 AM, on 12/7/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Apoint\ApMsgFwd.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe


I used this trick: "JohnD2 said that renamed two files 'spcffwl.dll' and 'kjzna1562565.exe' in C:\Documents and Settings\<myusername>\Application Data\Google"

to rename the files. I'm still getting the pop-up that's trying to get me to install Perfect Defender 2009, but I can now search the internet and was able to run the Panda Security scan. Still waiting to hear of a permanent solution. I haven't deleted those files, just renamed them.

;**********************************************************************************************************************************************************************************************

ANALYSIS: 2008-12-07 16:17:21

PROTECTIONS: 1

MALWARE: 20

SUSPECTS: 0

;**********************************************************************************************************************************************************************************************

PROTECTIONS

Description Version Active Updated

;==========================================================================================================================================================================================

Symantec Antivirus Corporate Edition 10.1 No Yes

;==========================================================================================================================================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;==========================================================================================================================================================================================

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\asmith\Cookies\asmith@trafficmp[2].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Tech\Cookies\tech@doubleclick[1].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\asmith\Cookies\asmith@atdmt[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Tech\Cookies\tech@atdmt[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\linda\Cookies\linda@atdmt[2].txt

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\linda\Cookies\linda@fastclick[2].txt

00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Tech\Cookies\tech@fastclick[1].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\asmith\Cookies\asmith@tribalfusion[1].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\linda\Cookies\linda@tribalfusion[1].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Tech\Cookies\tech@tribalfusion[2].txt

00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\asmith\Cookies\asmith@azjmp[1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\asmith\Cookies\asmith@ad.yieldmanager[2].txt

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Tech\Cookies\tech@apmebf[2].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\asmith\Cookies\asmith@serving-sys[1].txt

00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\asmith\Cookies\asmith@bs.serving-sys[2].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\asmith\Cookies\asmith@advertising[2].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\asmith\Cookies\asmith@ads.pointroll[2].txt

00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\asmith\Cookies\asmith@overture[1].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\asmith\Cookies\asmith@realmedia[2].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\asmith\Cookies\asmith@questionmarket[2].txt

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Tech\Cookies\tech@adrevolver[2].txt

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\linda\Cookies\linda@adrevolver[2].txt

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\asmith\Cookies\asmith@adrevolver[1].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\asmith\Cookies\asmith@go[2].txt

00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\asmith\Cookies\asmith@target[1].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\asmith\Cookies\asmith@atwola[1].txt

00456116 Adware/Antivirus2009 Adware No 0 Yes No C:\Documents and Settings\asmith\Local Settings\Temporary Internet Files\Content.IE5\6Z2N2HIB\freescan[1].htm

;==========================================================================================================================================================================================

SUSPECTS

Sent Location Y

;==========================================================================================================================================================================================

;==========================================================================================================================================================================================

VULNERABILITIES

Id Severity Description Y

;==========================================================================================================================================================================================

;==========================================================================================================================================================================================


Hey :angry: - was wondering if you could tell me how you found the files and how you go about renaming them? I know nothing about this and don't want to muck it up but my browsers (IE and Firefox) keep crashing - thanks for any help!

"JohnD2 said that renamed two files 'spcffwl.dll' and 'kjzna1562565.exe' in C:\Documents and Settings\<myusername>\Application Data\Google"

Find those two files then just right click and rename them. I just added 'test'. I still get the pop-up, but I can use IE without it crashing. I'd just say be careful, because I don't think this is a permanent fix. I'm still waiting for someone to help.
