Jump to content

"MS Juan" & "MS Track System" registry entries keep coming back


jainag

Recommended Posts

Hi,

I had a attack of the Virtumonde virus/malware. Using a few of the available options (software from various forums), I seem to have cleaned up quite a bit. However, I am not able to get rid of the "MS Juan" and "MS Track System" registry entries. They keep coming back even after getting removed by MBAM.

Here is the MBAM log. I will post the Panda and Hijack this log as I get them.

Thanks for your help.

==============

MBAM Log

==============

Malwarebytes' Anti-Malware 1.31

Database version: 1528

Windows 5.1.2600 Service Pack 2

12/22/2008 2:29:50 AM

mbam-log-2008-12-22 (02-29-50).txt

Scan type: Quick Scan

Objects scanned: 75317

Time elapsed: 7 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Hi,

Here is the Panda and hijackthis logs

****************

Panda log below

NOTE:

1) the ms juan and ms track system were marked as "medium danger level" and could not be disinfected online. There were 7 other low level items that could not be deleted without a paid version - these were not deleted.

2) There were 7 malware entries which could be cleaned online and I had panda software clean it. These are the "JS/Downloader.NOE" items listed below

3) The 7 suspect files below were sent to them for analysis and were not deleted by me (the "Lop SD" file was an analysis tool I installed to get rid of this malware from my PC)

****************

;*******************************************************************************

********************************************************************************

*

*******************

ANALYSIS: 2008-12-22 11:42:16

PROTECTIONS: 1

MALWARE: 15

SUSPECTS: 7

;*******************************************************************************

********************************************************************************

*

*******************

PROTECTIONS

Description Version Active Updated

;===============================================================================

================================================================================

=

===================

McAfee VirusScan Enterprise 8.0.0.912 No Yes

;===============================================================================

================================================================================

=

===================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

================================================================================

=

===================

00029434 spyware/virtumonde Spyware No 1 Yes No hkey_local_machine\software\microsoft\ms juan

00029434 spyware/virtumonde Spyware No 1 Yes No hkey_local_machine\software\microsoft\ms track system

00035722 adware/comet Adware No 0 Yes No c:\windows\inf\dm.pnf

00035722 adware/comet Adware No 0 Yes No c:\windows\inf\dm.inf

00035864 Application/MyWebSearch HackTools No 0 Yes No C:\Documents and Settings\bhanu\Desktop\CursorManiaFFSetup2.0.4.17.exe

00268264 Application/MyWebSearch HackTools No 0 Yes No C:\Program Files\Uninstall My Web Search.dll

00288440 Application/MyWebSearch HackTools No 0 Yes No C:\RECYCLER\S-1-5-21-2127671913-413525482-1935738769-1011\Dc55.exe

00335088 Adware/VirusBurst Adware No 0 Yes No C:\QUARANTINE\tmp26.tmp.Vir

00515709 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\divya\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-22615d4f-372ef620.zip[VaaaaaaaBaa.class]

00515710 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\divya\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-22615d4f-372ef620.zip[baaaaa.class]

00515711 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\divya\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-22615d4f-372ef620.zip[baaaaBaa.class]

00516819 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\divya\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-22615d4f-372ef620.zip[Dex.class]

00516820 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\divya\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-22615d4f-372ef620.zip[Dvnny.class]

00516821 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\divya\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-22615d4f-372ef620.zip[Dux.class]

00516823 JS/Downloader.NOE Virus/Trojan No 0 Yes No C:\Documents and Settings\divya\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-22615d4f-372ef620.zip[Dix.class]

00519333 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP807\A0188326.exe

00519333 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP809\A0188508.exe

04384357 Adware/VirusRemover2008 Adware No 0 Yes No C:\Documents and Settings\jainag\Local Settings\Temp\winsinstall.exe

;===============================================================================

================================================================================

=

===================

SUSPECTS

Sent Location

;===============================================================================

================================================================================

=

===================

No C:\WINDOWS\System32\dqzlne.dll

No C:\WINDOWS\system32\dqzlne.dll

No C:\Lop SD\catchme.exe

No C:\WINDOWS\SYSTEM32\dqzlne.dll

No C:\WINDOWS\SYSTEM32\hliupfca.dll

No C:\WINDOWS\SYSTEM32\opnlMeDv.dll

No C:\WINDOWS\SYSTEM32\xxywXrSK.dll

;===============================================================================

================================================================================

=

===================

VULNERABILITIES

Id Severity Description

;===============================================================================

================================================================================

=

===================

;===============================================================================

================================================================================

=

===================

*******************

hijackthis.log

*******************

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:07:37 PM, on 12/22/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\System32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

C:\WINDOWS\system32\CTHELPER.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\jainag\Local Settings\Application Data\Lexar Media\LxrAutorun.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\LxrSII1s.exe

C:\Documents and Settings\jainag\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = steelweb.lz.att.com:8000

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.att.com

O1 - Hosts: 135.47.49.13 ids.ims.att.com

O1 - Hosts: 135.37.81.134 www.e-access.att.com

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [PCMService] "D:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "D:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"

O4 - HKLM\..\Run: [mmtask] "D:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [PeachtreePrefetcher.exe] "D:\PROGRA~1\SAGESO~1\PEACHT~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "D:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [sB Audigy 2 Startup Menu] /L:ENG

O4 - HKCU\..\Run: [LxrAutorun] C:\Documents and Settings\jainag\Local Settings\Application Data\Lexar Media\LxrAutorun.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://sifyimg.speedera.net/sify.com/eot/tdserver.cab

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/40.11/uploader2.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182821346296

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ahdweb.webmeeting.att.com/client/webex/ieatgpc.cab

O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - AppInit_DLLs: dqzlne.dll

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe

O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe

--

End of file - 9886 bytes

Link to post
Share on other sites

Hi.

Open open notepad and copy and paste in the following:

MD "%USERPROFILE%"\desktop\malware
xcopy C:\WINDOWS\System32\dqzlne.dll "%USERPROFILE%"\desktop\malware /c /q /r /h /yxcopy C:\WINDOWS\SYSTEM32\hliupfca.dll "%USERPROFILE%"\desktop\malware /c /q /r /h /yxcopy C:\WINDOWS\SYSTEM32\opnlMeDv.dll "%USERPROFILE%"\desktop\malware /c /q /r /h /yxcopy C:\WINDOWS\SYSTEM32\xxywXrSK.dll "%USERPROFILE%"\desktop\malware /c /q /r /h /y
Attrib -s -r -h "%USERPROFILE%"\desktop\malware\*.*

Save it as getmalware.bat to the desktop and double-click on it to run it. It will create a folder called malware on your desktop. Please zip up this folder and attach that zipped file here in a new topic with a link to this thread. I will get back to you once they have been analyzed.

Link to post
Share on other sites

Hi

Thanks for your instructions.... here is the latest run on MBAM

===========

Malwarebytes' Anti-Malware 1.31

Database version: 1534

Windows 5.1.2600 Service Pack 2

12/23/2008 12:13:46 AM

mbam-log-2008-12-23 (00-13-46).txt

Scan type: Quick Scan

Objects scanned: 76756

Time elapsed: 5 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\SYSTEM32\opnlMeDv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\xxywXrSK.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Link to post
Share on other sites

Hi,

Here is some more info that might be useful...

1) after the last run of MBAM, the xxywXrSK.dll & opnlMeDv.dll files were successfully cleaned up by MBAM. However, the MS Juan and MS Track virus kept coming back upon every subsequent run of MBAM.

2) Looking at the logs from Panda, there were 2 other suspicious files hliupfca.dll & dqzlne.dll - so I decided to try to delete them

3) was able to delete hliupfea.dll without any problem. But dqzlne.dll proved harder.

4) I looked up for instances of dqzlne.dll in the registry and found 3 places where it was located.

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

- HKEY_CLASSES_ROOT\CLSID\{f24fde75-252f-4a1d-bcf2-24d1495a3ee6}\InprocServer32

- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f24fde75-252f-4a1d-bcf2-24d1495a3ee6}\InprocServer32

3) I could not change/delete the last 2 items. On the first entry, I changed the name of the dqzlne.dll entry to something else and rebooted the PC. Now I was able to delete the dqzlne.dll from the system32 directory.

4) On all subsequent reboots of the PC and many multiple runs of MBAM, I have not noticed any other instance of MS Juan and MS Track malware.

The above info is just FYI to you where dqzlne.dll seems to be the source on my PC. I am more than willing to restore the dqzlne.dll file and change the registry entry back to enable you or MBAM to do the official honors of cleaning up the PC officially.

Hope fully the above helps debugging a bit and maybe helps somebody else - especially if MBAM is able to pick up this info and delete when this malware when MBAM is run.

Let me know if you want me to do anything.

Thanks for all your help.

Link to post
Share on other sites

here we go...

I changed the entry in the registry file to refer to the dqzlne.dll and put back the file in the system32 dir

looks like the latest MBAM build picked up these entries files.... and deleted them.

subsequent scans did not pick up these files. Also the registry was cleaned of the CSLID entries. However the entry below was not cleaned (but is not a big deal)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Let me know if yu need anything else.

thanks for your help.

===========

Malwarebytes' Anti-Malware 1.31

Database version: 1537

Windows 5.1.2600 Service Pack 2

12/23/2008 3:29:19 PM

mbam-log-2008-12-23 (15-29-19).txt

Scan type: Quick Scan

Objects scanned: 76845

Time elapsed: 7 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{f24fde75-252f-4a1d-bcf2-24d1495a3ee6} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f24fde75-252f-4a1d-bcf2-24d1495a3ee6} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\SYSTEM32\dqzlne.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.