
bug killing explorer.exe



hello all,

i am currently running a scan with your software to try to rid myself of whatever my problem is. All I know is that whatever this thing is, it prevents explorer.exe from running. Or it lets it run for about 10 seconds then kills it, then it restarts, then it kills it, over and over again. I have always had terrible luck in the past cleaning up infections so I am hoping your software combined with your forum expertise will let me be successful this time.

I am in the middle of a scan right now that has detected 33 infected objects so far.

This is my company laptop unfortunately and they only have an enterprise McAfee antivirus installed. It found 4 files last night when I ran. Unfortunately whatever this bug is looks like it shut down McAfee last night before it installed itself. I hate these stupid things.

I was surfing some sports blogs and clicked on what looked like an innocent link and bam, popups galore. Let me know what you guys need to see to help me work through this.

I appreciate it.


Greetings wolraht, and welcome to the forum. I'm sorry you had to visit us under such dire circumstances, but we should be able to help you out. Most likely what you've got is an infection known as Vundo, also known as Virtumonde. You're in luck because Malwarebytes' is very efficient at removing this type, and many other types of difficult infections. Once your scan completes, have it remove what it finds and reboot if necessary. Once that is complete, please read the instructions here:

http://www.malwarebytes.org/forums/index.php?showtopic=2936

and post your logs in a new topic here:

http://www.malwarebytes.org/forums/index.php?showforum=7

Please be sure not to install any software or use any removal/scanning tools except those that you are instructed to by the expert who will be assisting you, as doing so can make their job much more difficult.

I hope I was helpful. Good luck and safe surfing.


ok, here is my MalwareBytes log from the first scan I did. It was the Vundo trojan and so far it looks like it's all clean, at least, my computer is running good again.

Malwarebytes' Anti-Malware 1.31
Database version: 1535
Windows 5.1.2600 Service Pack 2

12/23/2008 7:45:32 AM
mbam-log-2008-12-23 (07-45-32).txt

Scan type: Quick Scan
Objects scanned: 72280
Time elapsed: 40 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 14
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\rqRhhEvV.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ljJDSKCu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\iifddeDS.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a959299e-bd3b-4dd8-82a0-c5ccc3c361ed} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a959299e-bd3b-4dd8-82a0-c5ccc3c361ed} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljjdskcu (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a959299e-bd3b-4dd8-82a0-c5ccc3c361ed} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\rqrhhevv -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\rqrhhevv -> Delete on reboot.

Folders Infected:
C:\Documents and Settings\du402c\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\rqRhhEvV.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\VvEhhRqr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\VvEhhRqr.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJDSKCu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\prunnet.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\du402c\Application Data\gadcom\gadcom.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\du402c\Local Settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\du402c\Local Settings\Temporary Internet Files\Content.IE5\90DH1N9T\CAN1FQWD (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iifddeDS.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Should I delete everything in the quarantine folder?

Does this look like it's all good to you experts?

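The question in the post above is really "which of these detections are actually gone, and which only go away after a restart?" The small parser below answers that from the log text itself. It is an added example for this thread, not Malwarebytes' own code or a tool the forum uses: the line format (item, family in parentheses, "->", optional "Data:" value, action) is inferred from the log posted above, and the list of autostart locations it flags is an assumption compiled from the registry paths that appear in that log. The sample input is constructed from a few lines copied out of the posted log.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log and report what is still
pending.  Added example for this thread; it is not Malwarebytes' own code.
The line format (item (Family) -> action.) is inferred from the log posted
above, and the persistence-location hints are an assumption drawn from the
registry paths that appear in it."""
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\rqRhhEvV.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljjdskcu (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\rqrhhevv -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\prunnet.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# One detection line: "<item> (<Family>) -> [Data: <value> -> ]<action>."
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<rest>.+?)\.?$")

# Load points that start code at logon (assumption: compiled from the posted log).
PERSISTENCE_HINTS = (
    "\\CurrentVersion\\Run\\",
    "Browser Helper Objects",
    "Winlogon\\Notify",
    "\\LSA\\",
    "ShellExecuteHooks",
)


def parse_log(text):
    """Return one dict per detection line, tagged with the log section it sits in."""
    section = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):        # section header, not the "...Infected: 3" count line
            section = line[:-1]
            continue
        match = DETECTION_RE.match(line)
        if match is None or section is None:
            continue                          # summary lines, "(No malicious items detected)"
        parts = match.group("rest").split(" -> ")
        entries.append({
            "section": section,
            "item": match.group("item"),
            "family": match.group("family"),
            # Registry data items carry the offending value before the action.
            "data": parts[0][len("Data: "):] if len(parts) > 1 else None,
            "action": parts[-1],
        })
    return entries


def pending_reboot(entries):
    """Detections MBAM could not remove while running; they are gone only after a restart."""
    return [e for e in entries if e["action"].lower().startswith("delete on reboot")]


def persistence_entries(entries):
    """Detections that live in a known autostart location."""
    return [e for e in entries
            if any(hint.lower() in e["item"].lower() for hint in PERSISTENCE_HINTS)]


def summarize(entries):
    """Counts by family and by action, plus the autostart entries worth re-checking."""
    return {
        "families": Counter(e["family"] for e in entries),
        "actions": Counter(e["action"] for e in entries),
        "pending_reboot": len(pending_reboot(entries)),
        "persistence": [e["item"] for e in persistence_entries(entries)],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it over a full mbam-log-*.txt and a non-zero "pending_reboot" count is the signal that the machine has not finished cleaning yet; entries flagged under "persistence" are the ones to re-scan after the restart, since a surviving Winlogon\Notify or LSA package entry would reload the DLL at the next logon.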

Yes, Vundo is very tenacious and is updated/modified frequently to avoid detection, but it is also one of Malwarebytes' primary targets. Malwarebytes' is essentially a software designed to remove the types of current threats that your typical antivirus and antispyware software might miss, and it's very good at what it does and is updated very frequently, often multiple times a day.


Most of them are probably cookies (Panda always flags them even though they're harmless, and typically numerous) and some could be traces that are rendered harmless by what Malwarebytes' already removed, like registry entries that point to malicious files that have already been deleted, but of course it is possible that some of them are active infections that Malwarebytes' didn't catch. In fact, one of the main reasons we have users scan with Panda and the others is so that more common infections that Malwarebytes' isn't designed to detect can get removed before an expert jumps in to start removing any nasty leftovers and more difficult infections. Like I explained before, Malwarebytes' is designed to remove the stuff that your typical antivirus (including Panda) would normally miss. We just want to get you as clean as possible before the manual malware removal process begins.

