virtumonde


I've got a sudden infestation of malware. I've managed to get rid of most of it using Spybot and Anti-Malware. However, I have one last piece I can't remove. It keeps coming up on my virus software as mepavuhi.dll or mivububu.dll.

This is the most recent log, can you help?

Malwarebytes' Anti-Malware 1.33

Database version: 1659

Windows 5.1.2600 Service Pack 3

17/01/2009 15:27:33

mbam-log-2009-01-17 (15-27-33).txt

Scan type: Full Scan (C:\|)

Objects scanned: 170616

Time elapsed: 1 hour(s), 47 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 3

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 7

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f8adcbfa-b58c-4666-be2e-97edf7228790} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{f8adcbfa-b58c-4666-be2e-97edf7228790} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\funufozupa (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP225\A0036709.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP225\A0036710.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP225\A0036711.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP233\A0040844.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP233\A0040845.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP233\A0040846.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP233\A0040853.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


Hi DS7477 and welcome to the MBAM help forums.

Please disable Spybot TeaTimer as it has a realtime guard for parts of the registry and will undo any attempted changes made by MBAM.

Rescan with MBAM and post a fresh log.


OK, I did and then rebooted as requested. When it loaded up I got a message saying that C:\WINDOWS\system32\ketedoti.dll could not be found. I think it was one of the malware files. Also MBAM picked up more after closing TeaTimer. Below is the new log.

There is definitely still an issue though; the virus software reacted the same when the PC started up.

Thanks for your help on this.

Malwarebytes' Anti-Malware 1.33

Database version: 1659

Windows 5.1.2600 Service Pack 3

17/01/2009 18:55:24

mbam-log-2009-01-17 (18-55-24).txt

Scan type: Quick Scan

Objects scanned: 56741

Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 4

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\ketedoti.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f8adcbfa-b58c-4666-be2e-97edf7228790} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{f8adcbfa-b58c-4666-be2e-97edf7228790} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d8b245b0 (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\funufozupa (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\ketedoti.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\itodetek.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.


I'm using Kaspersky; the message I'm getting is:

17/01/2009 18:59:36 C:\WINDOWS\system32\rundll32.exe Process is trying to inject module C:\WINDOWS\system32\mepavuhi.dll into all processes. This behavior is typical of some malicious programs.

It seems to be trying to add itself to any/all of the startup programs. I've also just run Anti-Malware again and within 8 seconds it found the following:

Malwarebytes' Anti-Malware 1.33

Database version: 1659

Windows 5.1.2600 Service Pack 3

17/01/2009 19:58:12

mbam-log-2009-01-17 (19-58-07).txt

Scan type: Quick Scan

Objects scanned: 2064

Time elapsed: 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f8adcbfa-b58c-4666-be2e-97edf7228790} (Trojan.Vundo.H) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{f8adcbfa-b58c-4666-be2e-97edf7228790} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\funufozupa (Trojan.Vundo.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d8b245b0 (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)
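Every MBAM log in this thread uses the same line format, and the action at the end of each line ("Quarantined and deleted successfully", "Delete on reboot", "No action taken") is what tells you whether a reboot and rescan are still needed. The following Python parser is an added example, not MBAM's own code and not something posted by the participants: it reads that format, tags each registry entry with the autostart mechanism it lives in (Run key, Browser Helper Object, ShellServiceObjectDelayLoad, SharedTaskScheduler, CLSID registration, System Restore copy), and lists the items MBAM could not remove in that run. The sample log is constructed for the example from entries that appear in this thread, with the mix of actions assembled to exercise the outstanding-item logic.

```python
import re
from collections import Counter

# Constructed sample in the Malwarebytes' Anti-Malware 1.33 log format. The registry
# paths, file names and CLSID are copied from the logs posted in this thread; the
# mix of actions is assembled here so the "still outstanding" logic has work to do.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.33

Database version: 1659

Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan

Objects scanned: 2064

Registry Keys Infected: 2

Registry Values Infected: 2

Files Infected: 1

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f8adcbfa-b58c-4666-be2e-97edf7228790} (Trojan.Vundo.H) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{f8adcbfa-b58c-4666-be2e-97edf7228790} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\funufozupa (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\ketedoti.dll (Trojan.Vundo.H) -> Delete on reboot.
"""

# A detail section header is "<name> Infected:" with nothing after the colon;
# the summary lines near the top ("Registry Keys Infected: 2") do not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<item> (<threat name>) -> <action>." with an optional trailing full stop.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
CLEAN_ACTION = "Quarantined and deleted successfully"

# Autostart/persistence locations seen in this thread, matched against the item path.
PERSISTENCE = [
    (r"\\CurrentVersion\\Run\\", "Run key (program started at every logon)"),
    (r"\\Browser Helper Objects\\", "BHO (DLL loaded into Internet Explorer)"),
    (r"\\ShellServiceObjectDelayLoad\\", "SSODL (DLL loaded by Explorer at logon)"),
    (r"\\SharedTaskScheduler\\", "SharedTaskScheduler (DLL loaded by Explorer)"),
    (r"^HKEY_CLASSES_ROOT\\CLSID\\", "COM class registration backing a BHO/SSODL entry"),
    (r"\\System Volume Information\\_restore", "System Restore point copy (inert unless restored)"),
]


def classify(item):
    """Name the persistence mechanism an item belongs to, or 'other'."""
    for pattern, label in PERSISTENCE:
        if re.search(pattern, item, re.IGNORECASE):
            return label
    return "other (file or key outside the known autostart locations)"


def parse_mbam_log(text):
    """Return {'header': {...}, 'entries': [...]} for one MBAM log."""
    header, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None:  # still in the scan header
            key, sep, value = line.partition(": ")
            if sep and key in ("Database version", "Scan type", "Objects scanned"):
                header[key] = value
            continue
        if line.startswith("("):  # "(No malicious items detected)"
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"section": section, "mechanism": classify(m["item"]), **m.groupdict()})
    return {"header": header, "entries": entries}


def outstanding(report):
    """Entries MBAM could not remove in this run: a reboot and a rescan are still due."""
    return [e for e in report["entries"] if e["action"] != CLEAN_ACTION]


def persistence_summary(report):
    """Count detections per persistence mechanism."""
    return Counter(e["mechanism"] for e in report["entries"])


if __name__ == "__main__":
    report = parse_mbam_log(SAMPLE_LOG)
    print("Scan:", report["header"])
    for mechanism, count in persistence_summary(report).items():
        print(f"{count} x {mechanism}")
    for e in outstanding(report):
        print(f"STILL PRESENT [{e['action']}] {e['item']} ({e['threat']})")
```

Run against a real log, the "STILL PRESENT" list is what a helper would act on: a "Delete on reboot" entry means restart before rescanning, and a "No action taken" entry means the removal step was never applied (in this thread, the third log shows exactly that for the BHO and Run entries). The CLSID entry is listed separately because on its own it is only a COM registration; it matters because the BHO and SSODL entries point at it.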


Hi, now I see what's going on.

KASP PDM is doing its job... pity KAV doesn't know this particular Vundo signature.

OK, the following is going to seem a little strange, but go with me on it :)

Disable KASP PDM (realtime) and then reboot.

This is going to let the Vundo file load into memory unhindered.

Next run a scan with MBAM again.

If it detects more Vundo files then allow it to delete them and reboot the system. Now activate PDM again.

or

If MBAM finds no more Vundo files then start KASP PDM (realtime) again, reboot and post back your findings please.


It seems to have worked. Below is the log; should I run Anti-Malware again to make sure?

Also, can you advise on the best way to prevent it happening again? In my experience AV software doesn't seem to stop malware or spyware.

Malwarebytes' Anti-Malware 1.33

Database version: 1659

Windows 5.1.2600 Service Pack 3

17/01/2009 20:45:11

mbam-log-2009-01-17 (20-45-11).txt

Scan type: Quick Scan

Objects scanned: 57164

Time elapsed: 3 minute(s), 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f8adcbfa-b58c-4666-be2e-97edf7228790} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{f8adcbfa-b58c-4666-be2e-97edf7228790} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\funufozupa (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d8b245b0 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

No, is this part of the free version?

It is part of the fee version and well worth the money, as it is a one-time cost and contributes to a worthy cause.


Hello and Welcome to Malwarebytes.org

Please read and follow the instructions provided here: I'm infected - What do I do now?

Someone will be happy to assist you further with cleaning your system if required.

During this scan and cleanup process you should not install any other software unless requested to do so.

If you need assistance cleaning your system please post the requested information in the HJT forum not in the General forum.

Thank you.
