Jump to content

Not able to get rid of Torzan malware, please help.


malu

Recommended Posts

My laptop is infected with Torjan malware. Everytime I scan with MBAM, it detects and removes the malware but it seems to come back again and again. I think its not fully removed from my system, please help.

Also plz suggest me a good antivirus to download from internet which will protect my system.

Below is the copy of latest log file after scanning with MBAM.

=====================================================

Malwarebytes' Anti-Malware 1.31

Database version: 1460

Windows 5.1.2600 Service Pack 2

12/10/2008 8:15:56 AM

mbam-log-2008-12-10 (08-15-56).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 133584

Time elapsed: 58 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 3

Registry Keys Infected: 14

Registry Values Infected: 1

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 14

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\fccdcBQI.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\opnkkhhg.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\hgojlc.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\opnkkhhg (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a4178f32-b189-4294-b7a6-6221e9a21d01} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{a4178f32-b189-4294-b7a6-6221e9a21d01} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f7953559-6179-4f5a-98ad-879fb81a25a4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{f7953559-6179-4f5a-98ad-879fb81a25a4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\fccdcbqi -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccdcbqi -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: digeste.dll -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\opnkkhhg.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\fccdcBQI.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\IQBcdccf.ini (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\IQBcdccf.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\hgojlc.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\dfgnmdtb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\XOXKKQRI\zc113432[1] (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0IS26FG7\CA9KEL5R (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NC1Q9VK6\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{44DD0982-143C-489C-A60E-76390C18B0C2}\RP199\A0059878.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{44DD0982-143C-489C-A60E-76390C18B0C2}\RP200\A0059911.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{44DD0982-143C-489C-A60E-76390C18B0C2}\RP200\A0059913.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{44DD0982-143C-489C-A60E-76390C18B0C2}\RP201\A0060933.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\digeste.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Link to post
Share on other sites

Hello malu and welcome to Malwarebytes forums.

I'd urge you to not be without an antivirus program on this pc. If you do not have one, and cost is an issue, I'd suggest Avira AntiVir which is free for personal non-commercial use.

See about it at http://www.free-av.com

1. Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

3. Important! => Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.

=

4. Start your MBAM. Click the Update tab. Press the "Check for Updates" button.

At this time, the current definitions are # 1483.

When done, click the Scanner tab.

Do a FULL Scan. Let it quarantine or remove tagged items. Get a copy of that log in your next reply.

=

5. Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:

  • Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

>

6. Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop.

  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

I'll also need the MBAM report and the Dr.Web report, and the contents of Log.txt and Info.txt (from above).

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You'll likely have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.