Infected Computer....

Systems
Systems Posts: 14,873
edited December 2009 in The Clubhouse
I worked on a computer yesterday that was infected pretty bad. Thought you might get a kick out of the Malwarebytes log. I give testament to this program as it did an excellent job of cleaning up the computer; there are still issues, might still have to reformat.

Malwarebytes' Anti-Malware 1.42

12/28/2009 10:39:52 PM

Memory Processes Infected: 1
Memory Modules Infected: 4
Registry Keys Infected: 13
Registry Values Infected: 10
Registry Data Items Infected: 13
Folders Infected: 3
Files Infected: 42

Memory Processes Infected:
C:\WINDOWS\Temp\tempo-291968.tmp.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\diwunawo.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\fuweyofa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\polapoho.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\dbbin.dll (Trojan.Goldun) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{f338e0a0-d3b7-4df9-af4b-a8feb2464c2c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{9bc9c69a-6384-4a7c-a4d3-f8c697f4253f} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dbbin (Trojan.Goldun) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\DvidPL (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dbbin (Trojan.Goldun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DvidPL (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\dbbin.sys (Trojan.Goldun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Network\dbbin.sys (Trojan.Goldun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ESQULSERV.sys (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_Windows_MSI (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ESQULserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Windows MSI (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jakuguvof (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{f338e0a0-d3b7-4df9-af4b-a8feb2464c2c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\suvimaley (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jliqosexasuxomod (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\bn (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\d1 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\d2 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\d3 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\gd (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\pr (Trojan.Ambler) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Security Packages (Trojan.Vundo.H) -> Data: diwunawo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: pobdmi.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: c:\windows\system32\cru629.dat -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: system32\cru629.dat -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.210,85.255.112.65 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ca36886c-6d8a-491f-8e4c-6947b7902071}\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1,192.168.2.1 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce632e0d-adcf-4abf-8549-3154d82119d0}\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1,216.129.224.1 -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\DvidPL (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\Travis\Start Menu\Programs\DvidPL (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\addins\addins (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\buyenayo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\diwunawo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fuweyofa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hafedeku.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kiyajeru.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kozezupo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kujonuva.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\polapoho.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\viriteda.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\pobdmi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\Temp\tempo-291968.tmp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smyrp.dll (Password.Stealer) -> Quarantined and deleted successfully.
C:\blyuwrjl.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\fyblb.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\DvidPL\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tapi.nfo (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winuid.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wisdstr.exe (Rogue.PC_AntiSpyware2010) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\stray.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\softwares.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uinput.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mirc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-291968.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\92.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\9C.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\9F.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Travis\Start Menu\Programs\DvidPL\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\Travis\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\a9k.bin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dbbin.dll (Trojan.Goldun) -> Delete on reboot.
C:\WINDOWS\system32\dbbin.sys (Trojan.Goldun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msihost.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\z98a.bin (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-291750.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\ogavilitaciwiman.dll (Trojan.Agent) -> Delete on reboot.
C:\xvhu.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\d.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
Testing
Testing
Testing

Comments

  • Polkersince85
    Polkersince85 Posts: 2,883
    edited December 2009
    I hope you washed your hands when you got through.
    >This message has been scanned by the NSA and found to be free of harmful intent.<
  • bigaudiofanatic
    bigaudiofanatic Posts: 4,415
    edited December 2009
    Well, anti-malware will help; you just have to use it. Anti-virus software will not protect you against this new threat. Luckily you were able to remove it all. Most malware cannot be removed after a certain point.
    HT setup
    Panasonic 50" TH-50PZ80U
    Denon DBP-1610
    Monster HTS 1650
    Carver A400X :cool:
    MIT Exp 3 Speaker Wire
    Kef 104/2
    URC MX-780 Remote
    Sonos Play 1

    Living Room
    63 inch Samsung PN63C800YF
    Polk Surroundbar 3000
    Samsung BD-C7900
  • bigaudiofanatic
    bigaudiofanatic Posts: 4,415
    edited December 2009
    That is what we call "cut your losses and clean out." It is not worth trying to remove something that has infected most of the computer. Better to start over.
  • Knucklehead
    Knucklehead Posts: 3,602
    edited December 2009
    Another good program to use that's free is "a squared" or "super anti spyware".
    Polk Audio Surround Bar 360
    Mirage PS-12
    LG BDP-550
    Motorola HD FIOS DVR
    Panasonic 42" Plasma
    XBOX 360

    Office stuff

    Allied 395 receiver
    Pioneer CDP PD-M430
    RT8t's & Wharfedale Diamond II's

    Life is one grand, sweet song, so start the music. ~Ronald Reagan
  • Sherardp
    Sherardp Posts: 8,038
    edited December 2009
    That is what we call "cut your losses and clean out." It is not worth trying to remove something that has infected most of the computer. Better to start over.

    +1 on this. I wouldn't have bothered trying to remove any of it. After backing up pics, favorites, documents, etc., I would have formatted and been done with it in about 20 minutes.
    Shoot the jumper.....................BALLIN.............!!!!!

    Home Theater Pics in the Showcase :cool:

    http://www.polkaudio.com/forums/showcase/view.php?userid=73580
  • Willow
    Willow Posts: 10,999
    edited December 2009
    If I read it right, tell Travis....to stop going to **** sites ;)
  • Systems
    Systems Posts: 14,873
    edited December 2009
    Willow wrote: »
    If I read it right, tell Travis....to stop going to **** sites ;)

    Yes, his Mom is going to be pissed anyway :) I did that scan mainly to show her. Am going to do a format, kinda the plan all along as soon as I saw all that... The computer is still "talking" to the net at an idle....
  • vlam
    vlam Posts: 282
    edited December 2009
    I've been troubleshooting more of these types of rootkit-infected computers lately, and the best way to handle them is a clean wipe of the OS and re-install. They are just very time consuming to troubleshoot, and I don't even feel confident that it's totally gone after a couple hours of cleaning. Formatting the drive is the safest way to go.

    Some of these are really nasty.
    Main Gear
    Panasonic 50" Plasma, Polk LSi15 (Front), LSiC, LSi7 (Rear), Sherwood Newcastle AVP-9080, AM-9080 bi-amp to LSi15, AM-9080 bi-amp to LSiC and LSi7.
  • KrazyMofo24
    KrazyMofo24 Posts: 1,209
    edited December 2009
    Once you get the name of the spyware/virus you can google it, and most of the time there will be an article or forum that either knows of a certain tool that can remove it or has instructions on how to remove it. From there you can decide if you want to try it or not.
    Setup:

    2 Channel: Vienna Acoustics Mozart Grand, T+A P 1230R, Primare SPA21, Oppo BDP-105
    PC: Vienna Acoustics Haydn Grand, Cambridge Azure 650A v2 , Peachtree iDAC, Denon DVD-3800BDCI