bug killing explorer.exe

wolraht · December 23, 2008

hello all,

i am currently running a scan with your software to try to rid myself of whatever my problem is. All I know is that whatever this thing is, it prevents explorer.exe from running. Or it lets it run for about 10 seconds then kills it, then it restarts, then it kills it, over and over again. I have always had terrible luck in teh past cleaning up infections so I am hoping your software combined with your forum expertise will let me be successful this time.

I am in the middle of a scan right now that has detected 33 infected objects so far.

This is my company laptop unfortunately and they only have an enterprise McAfee anti virus installed. It found 4 files last night when I ran. Unfortunately whatever this bug is looks like it shut down McAfee last night before it installed itself. I hate these stupid things.

I was surfing some sports blogs and clicked on what looked like an innocent link and bam, popups galore. Let me know what you guys need to see to help me work through this.

I appreciate it.

exile360 · December 23, 2008

Greetings wolraht, and welcome to the forum. I'm sorry you had to visit us under such dire circumstances, but we should be able to help you out. Most likely what you've got is an infection known as Vundo also known as Virtumonde. You're in luck because Malwarebytes' is very efficient at removing this type, and many other types of difficult infections. Once your scan completes, have it remove what it finds and reboot if necessary, once that is complete please read the instructions here:

http://www.malwarebytes.org/forums/index.php?showtopic=2936

and post your logs in a new topic here:

http://www.malwarebytes.org/forums/index.php?showforum=7

Please be sure not to install any software or use any removal/scanning tools exept those that you are

instructed to by the expert who will be assisting you as doing so can make their job much more difficult.

I hope I was helpful. Good luck and safe surfing.

wolraht · December 23, 2008

ok, here is my MalwareBytes log from the first scan I did. It was the Vundo trojan and so far it looks like its all clean, at least, my computer is running good again.

Malwarebytes' Anti-Malware 1.31

Database version: 1535

Windows 5.1.2600 Service Pack 2

12/23/2008 7:45:32 AM

mbam-log-2008-12-23 (07-45-32).txt

Scan type: Quick Scan

Objects scanned: 72280

Time elapsed: 40 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 3

Registry Keys Infected: 14

Registry Values Infected: 4

Registry Data Items Infected: 2

Folders Infected: 1

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\rqRhhEvV.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\ljJDSKCu.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\iifddeDS.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a959299e-bd3b-4dd8-82a0-c5ccc3c361ed} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{a959299e-bd3b-4dd8-82a0-c5ccc3c361ed} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljjdskcu (Trojan.Vundo) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a959299e-bd3b-4dd8-82a0-c5ccc3c361ed} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\rqrhhevv -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\rqrhhevv -> Delete on reboot.

Folders Infected:

C:\Documents and Settings\du402c\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\rqRhhEvV.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\VvEhhRqr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\VvEhhRqr.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ljJDSKCu.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\prunnet.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\du402c\Application Data\gadcom\gadcom.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\du402c\Local Settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\du402c\Local Settings\Temporary Internet Files\Content.IE5\90DH1N9T\CAN1FQWD (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\iifddeDS.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Should I delete everything in the quaranten folder?

Does this look like its all good to you experts?

wolraht · December 23, 2008

oop, didnt see your reply before i posted the log, i will post it in the other forum.

exile360 · December 23, 2008

No problem, most likely Malwarebytes' killed off all of the infections, but better safe than sorry so it's definately a good idea to go ahead and post the logs there so they can have a look and make sure.

wolraht · December 23, 2008

Its nice that Malewarebyte's looks like its working so well. the first thing i found was called something like, Vundokiller, and it didnt even find the infection.

exile360 · December 23, 2008

Yes, Vundo is very tenacious and is updated/modified frequently to avoid detection, but it is also one of Malwarebytes' primary targets. Malwarebytes' is essentially a software designed to remove the types of current threats that your typical antivirus and antispyware software might miss, and it's very good at what it does and is updated very frequently, often multiple times a day.

wolraht · December 23, 2008

very cool.

lemme ask you a question while the panda scan is running.

so far it has found 56 infected files. are those likely to be the files that are quarantined? or am i looking at more problems that malewarebytes didnt catch possibly?

exile360 · December 23, 2008

Most of them are probably cookies (Panda always flags them even though they're harmless, and typically numerous) and some could be traces that are rendered harmless by what Malwarebytes' already removed, like registry entries that point to malicious files that have already been deleted, but of course it is possible that some of them are active infections that Malwarebytes' didn't catch. In fact, one of the main reasons we have users scan with Panda and the others is so that more common infections that Malwarebytes' isn't designed to detect can get removed before an expert jumps in to start removing any nasty leftovers and more difficult infections. Like I explained before, Malwarebytes' is designed to remove the stuff that your typical antivirus (including Panda) would normally miss. We just want to get you as clean as possible before the manual malware removal process begins.

wolraht · December 23, 2008

cool thanks.

bug killing explorer.exe

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members

Important Information