DS7477 Posted January 17, 2009 ID:48587

I've got a sudden infestation of malware. I've managed to get rid of most of it using Spybot and Anti-Malware. However, I have one last piece I can't remove. It keeps coming up on my virus software as mepavuhi.dll or mivububu.dll. This is the most recent log, can you help?

Malwarebytes' Anti-Malware 1.33
Database version: 1659
Windows 5.1.2600 Service Pack 3

17/01/2009 15:27:33
mbam-log-2009-01-17 (15-27-33).txt

Scan type: Full Scan (C:\|)
Objects scanned: 170616
Time elapsed: 1 hour(s), 47 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f8adcbfa-b58c-4666-be2e-97edf7228790} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f8adcbfa-b58c-4666-be2e-97edf7228790} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\funufozupa (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP225\A0036709.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP225\A0036710.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP225\A0036711.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP233\A0040844.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP233\A0040845.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP233\A0040846.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP233\A0040853.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
DS7477 (Author) Posted January 17, 2009 ID:48600

I've run Anti-Malware again and there are values that it can't delete. These relate to Vundo.H and funufozupa, not sure if this helps.
Fatdcuk Posted January 17, 2009 ID:48611

Hi DS7477 and welcome to the MBAM help forums.

Please disable Spybot TeaTimer, as it has a realtime guard for parts of the registry and will undo any attempted changes made by MBAM. Rescan with MBAM and post a fresh log.
DS7477 (Author) Posted January 17, 2009 ID:48621

OK, I did, and then rebooted as requested. When it loaded up I got a message saying that C:\WINDOWS\system32\ketedoti.dll could not be found. I think it was one of the malware files. Also, MBAM picked up more after closing TeaTimer. Below is the new log. There is definitely still an issue, though: the virus software reacted the same when the PC started up.

Thanks for your help on this.

Malwarebytes' Anti-Malware 1.33
Database version: 1659
Windows 5.1.2600 Service Pack 3

17/01/2009 18:55:24
mbam-log-2009-01-17 (18-55-24).txt

Scan type: Quick Scan
Objects scanned: 56741
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ketedoti.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f8adcbfa-b58c-4666-be2e-97edf7228790} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f8adcbfa-b58c-4666-be2e-97edf7228790} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d8b245b0 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\funufozupa (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ketedoti.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\itodetek.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Fatdcuk Posted January 17, 2009 ID:48623

Which AV are you using and what files are they flagging as infected?
DS7477 (Author) Posted January 17, 2009 ID:48628

I'm using Kaspersky. The message I'm getting is:

17/01/2009 18:59:36 C:\WINDOWS\system32\rundll32.exe Process is trying to inject module C:\WINDOWS\system32\mepavuhi.dll into all processes. This behavior is typical of some malicious programs.

It seems to be trying to add itself to any/all of the startup programs. I've also just run Anti-Malware again and within 8 seconds it found the following:

Malwarebytes' Anti-Malware 1.33
Database version: 1659
Windows 5.1.2600 Service Pack 3

17/01/2009 19:58:12
mbam-log-2009-01-17 (19-58-07).txt

Scan type: Quick Scan
Objects scanned: 2064
Time elapsed: 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f8adcbfa-b58c-4666-be2e-97edf7228790} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f8adcbfa-b58c-4666-be2e-97edf7228790} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\funufozupa (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d8b245b0 (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Fatdcuk Posted January 17, 2009 ID:48632

Hi, now I see what's going on. KASP PDM doing its job....pity KAV doesn't know this particular Vundo signature.

OK, the following is going to seem a little strange but go with me on it :)

Disable KASP PDM (Realtime) and next reboot. This is going to let the Vundo file load into memory unhindered.

Next run a scan with MBAM again.

If it detects more Vundo files then allow it to delete and reboot the system. Now activate PDM again.

or

If MBAM finds no more Vundo files then start KASP PDM (Realtime) again, reboot and post back your findings please.
DS7477 (Author) Posted January 17, 2009 ID:48639

It seems to have worked; below is the log. Should I run Anti-Malware again to make sure? Also, can you advise on the best way to prevent it happening again? In my experience AV software doesn't seem to stop malware or spyware.

Malwarebytes' Anti-Malware 1.33
Database version: 1659
Windows 5.1.2600 Service Pack 3

17/01/2009 20:45:11
mbam-log-2009-01-17 (20-45-11).txt

Scan type: Quick Scan
Objects scanned: 57164
Time elapsed: 3 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f8adcbfa-b58c-4666-be2e-97edf7228790} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f8adcbfa-b58c-4666-be2e-97edf7228790} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\funufozupa (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d8b245b0 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
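As an added example (not from the thread, and not Malwarebytes' own code), a small Python parser for the MBAM 1.x log format quoted in this thread. Fed successive scan logs, it reports items MBAM had already quarantined that show up again in a later scan, which is the pattern seen above: the Run value and the BHO CLSID keep returning while the DLL stays loaded in memory. The two log excerpts are constructed from entries posted in the thread.

```python
import re
# Line shapes in a Malwarebytes' Anti-Malware 1.x log: a section header
# ("Registry Keys Infected:"), a summary count ("Files Infected: 7") and an
# entry ("<item> (<threat>) -> <action>.").
_SECTION = re.compile(r"^(.+ Infected):$")
_SUMMARY = re.compile(r"^.+ Infected: \d+$")
_ENTRY = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (section, item, threat, action) for every detection in one log."""
    section, found = "", []
    for line in (l.strip() for l in text.splitlines()):
        if not line or _SUMMARY.match(line) or line.startswith("(No malicious"):
            continue
        if (m := _SECTION.match(line)):
            section = m.group(1)
        elif (m := _ENTRY.match(line)) and section:
            found.append((section, m["item"], m["threat"], m["action"]))
    return found

def action_history(logs):
    """Map each item to its reported action in each successive scan ('' = absent)."""
    per_scan = [{item: act for _, item, _, act in parse_mbam_log(t)} for t in logs]
    return {i: [d.get(i, "") for d in per_scan]
            for i in sorted({i for d in per_scan for i in d})}

def persistent_items(logs):
    """Items reported as removed in one scan yet present again in a later one."""
    out = []
    for item, actions in action_history(logs).items():
        removed = False
        for act in actions:
            if removed and act:
                out.append(item)
                break
            removed = removed or act == "Quarantined and deleted successfully"
    return out

# Constructed excerpts of two successive scans, built from entries in this thread.
SCAN_1 = r"""Registry Keys Infected: 1
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{f8adcbfa-b58c-4666-be2e-97edf7228790} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\funufozupa (Trojan.Vundo.H) -> Quarantined and deleted successfully.
"""
SCAN_2 = r"""Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{f8adcbfa-b58c-4666-be2e-97edf7228790} (Trojan.Vundo.H) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\funufozupa (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d8b245b0 (Trojan.Vundo.H) -> No action taken.
"""
```

Run `persistent_items([SCAN_1, SCAN_2])` on the excerpts and the CLSID key and the funufozupa Run value come back as re-created, while d8b245b0 does not, because it was never reported removed.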
YoKenny1 Posted January 17, 2009 ID:48648

Do you have MBAM Resident protection enabled?
DS7477 (Author) Posted January 17, 2009 ID:48651

No, is this part of the free version?
YoKenny1 Posted January 17, 2009 ID:48660

> No, is this part of the free version

It is part of the Fee version and well worth the money as it is a one time cost and contributes to a worthy cause.
AdvancedSetup (Root Admin) Posted January 18, 2009 ID:48663

Hello and welcome to Malwarebytes.org.

Please read and follow the instructions provided here: I'm infected - What do I do now?

Someone will be happy to assist you further with cleaning your system if required. During this scan and cleanup process you should not install any other software unless requested to do so. If you need assistance cleaning your system, please post the requested information in the HJT forum, not in the General forum.

Thank you.