Userndghelp Posted December 7, 2008 ID:38723

I'm a new Malwarebytes user. Last night I discovered that my PC was infected with the Vundo Trojan. I think Windows Defender had actually tried to stop it, but unfortunately I didn't immediately recognize the screen as being from Windows Defender and hesitated to click as directed. The screen had a large Windows colored logo in the upper left corner and a large "2009" in the upper right; it looked different than anything I'd seen before, and I hesitated. In retrospect I think it may have been authentic (from Windows Defender), but if so, I didn't recognize it, didn't click, and may have lost my chance to stop the infection right then.

I started getting numerous fake security popups, so started running scans to find out if the PC is infected. Avast runs resident, but it doesn't find anything. Spybot and Lavasoft AdAware don't either. I had used Malwarebytes once in the past, so I tried it. The initial run found numerous problems, but also had numerous errors. It kept bringing up grey box popups saying to notify Malwarebytes of the error codes (could it have been running in developer mode?). There were exactly the same 2 two-digit codes on every popup, but of course I thought I'd remember them and didn't write them down. I know for certain that one of them was 09, but unfortunately I'm not certain about the other one (possibly 02).

After that initial run finished I viewed the log and took the recommended actions, including rebooting. However, the problems have not completely gone away. I did a full scan, and numerous quick scans since. Malwarebytes says it will delete certain entries upon reboot, but once I reboot they are back again. Also, once I reboot something keeps turning "Automatic Updates" to "Off" in control panel Security.

I downloaded an update from Malwarebytes this afternoon, and have run a couple quick scans since then, but the entries still don't go away. I've only done the one full scan (last night - it took approximately 2 hours).

Can anyone tell me if this appears to be something the developers are already working on? Again, I'm a new user, and would greatly appreciate any help! Thanks!

Tigger93 Posted December 7, 2008 ID:38740

Hello.

Please read and follow the instructions provided here: Pre- HJT Post Instructions

When ready please post your logs here: Malware Removal - HijackThis Logs

Someone will be happy to assist you further with cleaning your system.

During this scan and cleanup process you should not install any other software unless requested to do so.

Userndghelp Posted December 8, 2008 Author ID:38779

Already had Spybot installed, so checked for updates. No updates found. Switched to Advanced Mode and looked at Resident TeaTimer setting - was not checked, so did not make any change or reboot. Ran Spybot scan. Found 2 infections. Removed all items and immunized.

Had just downloaded a fresh copy of Malwarebytes' Anti-Malware yesterday, but downloaded it again by clicking on the Malwarebytes link in the above response. That sent me to Download.com to do the download (same place I got the fresh copy from yesterday). Did the install, making sure the checkmarks were there as directed. Did a Quick Scan, Show Results, Removed Selected. The resulting log is below:

Malwarebytes' Anti-Malware 1.31
Database version: 1472
Windows 5.1.2600 Service Pack 3

12/7/2008 6:31:50 PM
mbam-log-2008-12-07 (18-31-50).txt

Scan type: Quick Scan
Objects scanned: 57405
Time elapsed: 5 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\rayaluku.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f34ad56d-c085-47d8-ad27-e77ee7217599} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f34ad56d-c085-47d8-ad27-e77ee7217599} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jazedowajo (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\rayaluku.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\rayaluku.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\rayaluku.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\rayaluku.dll (Trojan.Vundo) -> Delete on reboot.

Will now work on running the scan from PandaActive.

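Added example, not part of the original posts and not Malwarebytes' own tooling: a Python parser for the itemised part of a log in the layout posted above, which reports the registry objects whose data named each file still marked "Delete on reboot". The function names and regular expressions are assumptions derived only from this one log; the sample text is an excerpt of it.

```python
import re
from collections import defaultdict

# Excerpt of the log posted above, re-typed one entry per line.
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\rayaluku.dll (Trojan.Vundo) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\rayaluku.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\rayaluku.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\rayaluku.dll -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\rayaluku.dll (Trojan.Vundo) -> Delete on reboot.
"""

SECTION = re.compile(r"^(?P<name>[A-Za-z ]+) Infected:$")
ENTRY = re.compile(r"^(?P<obj>.+?) \((?P<det>[^()]+)\) -> (?P<rest>.+)$")

def parse_mbam_log(text):
    """Return {section: [entry, ...]} from the itemised part of the log."""
    sections, current = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            current = m.group("name")
        elif current and (m := ENTRY.match(line)):
            *data, action = m.group("rest").split(" -> ")
            sections[current].append({
                "object": m.group("obj"), "detection": m.group("det"),
                # "Data: <value>" appears only on registry data items
                "data": data[0].split("Data: ", 1)[-1] if data else None,
                "action": action.rstrip("."),
            })
    return dict(sections)

def pending_references(sections):
    """Map each file marked 'Delete on reboot' to registry objects naming it."""
    entries = [e for items in sections.values() for e in items]
    pending = {e["object"].lower() for e in entries
               if e["action"] == "Delete on reboot"}
    refs = {path: set() for path in pending}
    for e in entries:
        data = (e["data"] or "").lower()
        for path in pending:
            # data may be a full path or a relative tail (system32\...)
            if data and path.endswith(data):
                refs[path].add(e["object"])
    return refs
```

Running the same functions over the log from the next scan after a reboot shows whether the same file and registry objects are listed again.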
Userndghelp Posted December 8, 2008 Author ID:38781

Additional note: Have not yet restarted the machine, since the directions did not mention that, although the log results below indicate some items won't be deleted until startup. Will run the PandaActive Scan first, unless I receive different instructions.

Userndghelp Posted December 8, 2008 Author ID:38783

Just downloaded Panda using the link in the above message. Installed, then tried to run a full scan. The scan failed with an error: "ActiveScan 2.0 Update: Update error", "Sorry, updating is incomplete due to an error. Please try again." I've tried multiple times, but keep getting same error. I'll try the other product (ESET Online) shortly.

exile360 Posted December 8, 2008 ID:38785

No worries, if some of the scans won't run just do the ones you are able to and post the logs in a topic here: http://www.malwarebytes.org/forums/index.php?showforum=7 as this is where they need the logs to help you out. Good luck and safe surfing.