[RESOLVED] Vundo and possibly others...?
This thread is now closed
dreamr
Sat Aug 12 2006, 04:42PM
Ok...

But the BitDefender log didn't change to a TXT file by simply changing the extension. So I opened the HTML and viewed the source and saved it as a TXT file, but that just means it's lots of HTML coding and such. But...oh well...lol.


1155415345_17_FT327_activescan812.txt
1155415345_17_FT327_bitdefender8122006.txt
jholland1964
Sat Aug 12 2006, 05:13PM
Dances with Malware

Let me just say here...I am TOTALLY embarrassed that I TOTALLY messed up these fixes!!! I cannot believe I judged those logs clean. I need to get my glasses fixed!!! Sorry Dreamr, a complete and total failure on my part!!!

Thank heavens there is somebody here who REALLY knows that he is doing!!!!

[ Edited Sat Aug 12 2006, 05:14PM ]
ShadowPuterDude
Sat Aug 12 2006, 05:47PM
...the Shadow knows


Install CounterSpy, update the definitions and exit Counter Spy.

Your BitDefender log is clean. Panda ActiveScan reports infected Registry Keys.

Boot to Safe Mode and delete the following:
c:\windows\didduid.ini
c:\windows\uniq
C:\Documents and Settings\Owner\Application Data\Lycos
c:\windows\cdmxtras


Empty the Recycle Bin and then run CCleaner.

Run a full system scan with CounterSpy and save the log.

Reboot to Normal Mode.

Now run a full system scan with CounterSpy and save the log.

Post both the logs. Make sure to tell me which one is which.

@Judy, you didn't miss anything. It wasn't there to be seen because it was disabled by MsConfig, which doesn't always show up in HJT.


[ Edited Sat Aug 12 2006, 05:48PM ]


"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Microsoft Most Valuable Professional - Consumer Security (2007-2008)
Member - Alliance of Security Analysis Professionals - Since 2006
Linux Registered User # 363218
dreamr
Sat Aug 12 2006, 09:08PM
Ok...here ya go...


1155431316_17_FT327_counterspysafemode1.txt
1155431316_17_FT327_counterspynormalmode1.txt
ShadowPuterDude
Sat Aug 12 2006, 11:07PM
...the Shadow knows


Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop.
REGEDIT4

[-HKEY_CURRENT_USER\Software\Kazaa]
[-HKEY_LOCAL_MACHINE\software\magnet\handlers\kazaa]
[-HKEY_LOCAL_MACHINE\software\sharman networks ltd]
[-HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\{38C76428-6C9C-4CC6-B747-3AB6A4770225}]
[-HKEY_CLASSES_ROOT\interface\{04a38f6b-006f-4247-ba4c-02a139d5531c}]
[-HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1]
[-HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx]
[-HKEY_CLASSES_ROOT\typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0}]
[-HKEY_CURRENT_USER\Software\AWS]
[-HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main bandrest]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main BandRest Never]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mswspl]
[-HKEY_LOCAL_MACHINE\SOFTWARE\MyWay]
[-HKEY_LOCAL_MACHINE\SOFTWARE\General]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\WhenUSearch]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\WhenUSearch SlowInfoCache]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\WhenUSearch Changed 0]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\msbb]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\msbb SlowInfoCache]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\msbb Changed 0]
[-HKEY_CURRENT_USER\Software\Coding Workshop]
Close Notepad.

Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

Now run Pocket Killbox:

Choose Tools -> Delete Temp Files and click Delete Selected Temp Files

Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:
  • Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    c:\documents and settings\owner\application data\microsoft\internet explorer\quick launch\launch kazaa.lnk
    C:\Documents and Settings\Owner\Desktop\Desktop Junk\More Stuff\Desktop Stuff\kazaa_setup.exe
    C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\2luc5mx3.default\Cache\E82AEC90d01
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

How is your computer running?

[ Edited Sat Aug 12 2006, 11:08PM ]
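Because a merged fix file cannot be undone, it is worth knowing exactly what regedit will do with it before double-clicking it. The parser below is an added example, not from this thread or from any tool mentioned in it: it reads REGEDIT4 text and lists each action, distinguishing the whole-key deletion form `[-key]` used in the post above from the per-value form `"name"=-` that REGEDIT4 also supports. SAMPLE_REG is constructed from two key paths in the post plus one constructed value-deletion line.

```python
"""Classify the registry actions in a REGEDIT4 fix file before merging it.
Added example, not from the thread. SAMPLE_REG is constructed: two key
paths from the post plus a constructed value-deletion line."""
from __future__ import annotations
import re
from typing import NamedTuple

KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]$')          # [key] or [-key]
VALUE_RE = re.compile(r'^(?:"([^"]*)"|@)=(.*)$')    # "name"=data, @=data, "name"=-
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

class RegAction(NamedTuple):
    kind: str   # delete_key | create_key | set_value | delete_value
    key: str
    name: str = ""

def parse_reg(text: str) -> list[RegAction]:
    """Return the actions regedit would perform, in file order."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] not in HEADERS:
        raise ValueError("missing REGEDIT4 header; regedit would refuse the file")
    actions: list[RegAction] = []
    current_key = None
    for line in lines[1:]:
        if m := KEY_RE.match(line):
            minus, current_key = m.groups()
            # '[-key]' removes the whole key, including every subkey and value under it.
            actions.append(RegAction("delete_key" if minus else "create_key", current_key))
        elif current_key is not None and (m := VALUE_RE.match(line)):
            name, data = m.group(1) or "@", m.group(2)
            # Values are addressed under the key above them; '"name"=-' deletes one value.
            kind = "delete_value" if data == "-" else "set_value"
            actions.append(RegAction(kind, current_key, name))
        else:
            # Comments (';') and hex continuation lines are not handled; fail loudly.
            raise ValueError(f"unrecognised line: {line!r}")
    return actions

SAMPLE_REG = r"""REGEDIT4

[-HKEY_CURRENT_USER\Software\Kazaa]
[-HKEY_LOCAL_MACHINE\SOFTWARE\MyWay]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mswspl"=-
"""
```

Running `parse_reg(SAMPLE_REG)` lists two whole-key deletions, one key the file touches, and one single-value deletion, which is the review a practitioner wants before merging.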
dreamr
Sat Aug 12 2006, 11:29PM
Ok. That is done. And I did NOT get that "PendingFileRenameOperations" prompt this time.

It seems to be running fine.
ShadowPuterDude
Sun Aug 13 2006, 12:20AM
...the Shadow knows


OK, go ahead and post a fresh HijackThis log. Sometimes when you remove one piece of malware it allows something else to show.
dreamr
Sun Aug 13 2006, 12:38AM
I have a question. I notice a few programs on my HJT log that I don't use and at least one that I don't see. Like the "TizzleTalk" one. That was something that I downloaded AGES ago and just tried it out and then deleted it. I don't even see that folder in my program files, but the program is still showing up on my HJT log. Same thing goes for "DUMeter." Any idea why?


Here ya go...


1155443913_17_FT327_hijackthis81301.txt

[ Edited Sun Aug 13 2006, 01:12AM ]
jholland1964
Sun Aug 13 2006, 01:20AM
Dances with Malware

Maybe you need to Enable the Viewing of Hidden Files and Folders.

To enable the viewing of Hidden files follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Put a checkmark in the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
9. Press the Apply button and then the OK button and shutdown My Computer.
10. Now your computer is configured to show all hidden files.
Hopefully this will help you find these files.
dreamr
Sun Aug 13 2006, 01:32AM
Nope, I had done that wayyyy back in the beginning, because that's one of the steps in that stickied thread of things to do before asking for help. lol

I also just did a search for *tizzle*.* and it didn't come up with anything.

[ Edited Sun Aug 13 2006, 01:36AM ]
ShadowPuterDude
Sun Aug 13 2006, 09:15AM
...the Shadow knows


There are many programs that don't fully uninstall. They leave orphaned folders and files behind; even worse, they leave orphaned registry entries behind.

Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
O4 - HKLM\..\Run: [TizzleTalk] C:\Program Files\TizzleTalk\TizzleTalk.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

That will remove the entries for TizzleTalk and DU Meter. Anything else?

Your HijackThis log is clean.
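The orphaned Run entries discussed above (a program whose folder is gone but whose HijackThis O4 line remains) can be spotted automatically. The following is an added example, not from this thread or from HijackThis itself: it parses the registry-backed O4 lines quoted in this thread and reports entries whose executable no longer exists. The `exists` callback and the ON_DISK set are constructed stand-ins so the check runs on any machine, not only the one that produced the log.

```python
"""Flag HijackThis O4 startup entries whose executable is no longer on disk.
Added example, not from the thread or from HijackThis. HJT_LINES are the O4
lines quoted in this thread; ON_DISK is a constructed stand-in for the disk."""
from __future__ import annotations
import os
import re
from typing import Callable, Iterable, NamedTuple

# Matches the registry-backed form:  O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" args
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')

class StartupEntry(NamedTuple):
    hive: str
    key: str
    name: str
    exe: str

def command_path(cmd: str) -> str:
    """Return the executable part of a command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces, so take everything up to the first '.exe'.
    m = re.match(r'(?i)(.+?\.exe)(?:\s|$)', cmd)
    return m.group(1) if m else cmd.split(" ")[0]

def parse_o4(line: str) -> StartupEntry | None:
    """Parse one HJT line; other O4 forms (Startup folder, Global Startup) are skipped."""
    m = O4_RE.match(line.strip())
    return StartupEntry(m["hive"], m["key"], m["name"], command_path(m["cmd"])) if m else None

def orphaned_entries(log_lines: Iterable[str],
                     exists: Callable[[str], bool] = os.path.exists) -> list[StartupEntry]:
    """Run entries whose target file is gone: the program was deleted, not uninstalled."""
    return [e for e in map(parse_o4, log_lines) if e and not exists(e.exe)]

HJT_LINES = [
    r'O4 - HKLM\..\Run: [TizzleTalk] C:\Program Files\TizzleTalk\TizzleTalk.exe',
    r'O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe',
    r'O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"',
]
ON_DISK = {r'C:\Program Files\TrojanHunter 3.8\THGuard.exe'}   # constructed stand-in
```

On the actual machine, call `orphaned_entries(open("hijackthis.log"))` with the default `exists` to check the real filesystem.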
dreamr
Sun Aug 13 2006, 09:55AM
Well, some of the programs that I've downloaded and used this week are trials and such. So should I uninstall them all? Or keep some? Or...?

And thanks so much for all of your help, guys!
jholland1964
Sun Aug 13 2006, 11:33AM
Dances with Malware

If they are free trials good for just a couple of weeks unless purchased, then go ahead and uninstall them; remember, the key word is UNINSTALL, don't just delete.
dreamr
Thu Aug 17 2006, 03:16AM
Ok, I uninstalled a couple of them. I've downloaded and installed soooo many this past week that I honestly don't know what all I've installed. lol

Btw, sorry for the delay, but I've been a bit busy the past couple of days. Blah.

I do have at least one more question, though. Sometimes, when I start up my computer, it loads several tray icons...and then sometimes when I start up my computer, it doesn't. Like, the volume icon, my anti-virus program icon, etc.

For instance, I just restarted my comp and the only icon that is down there is for my internet connection. Any idea why sometimes the other icons are there and sometimes they aren't? *Confused*...

[ Edited Thu Aug 17 2006, 04:05AM ]
ShadowPuterDude
Fri Aug 18 2006, 07:56AM
...the Shadow knows


You can uninstall CounterSpy, Ewido Anti-malware, and Spy Sweeper, if you installed any of these per our instructions.

You can remove any specialty tools like: Pocket Killbox, SmitRem, SmitfraudFix, VundoFix, CWS Shredder & about:Buster, if they were downloaded and used.

CCleaner you should keep. This is a useful tool to clean all the temp files off your computer and you should run it periodically.

The lack of icons in the systray could just be caused by too many programs trying to load at Windows start. Sometimes a program will load and another will start loading before the first one is finished.
dreamr
Fri Aug 18 2006, 11:19PM
Well...is there a way to stop that from happening?? 'Cause I kinda like my icons...especially the volume one. lol

And thanks!
ShadowPuterDude
Fri Aug 18 2006, 11:49PM
...the Shadow knows


Provide a new HijackThis log and I'll take a look at what all is loading at system start.
dreamr
Tue Aug 22 2006, 11:10PM
Here ya go...


1156302628_17_FT327_hijackthis8222006.txt
ShadowPuterDude
Wed Aug 23 2006, 06:07PM
...the Shadow knows


Uninstall Microsoft Windows Anti-Spyware.

Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

Install Service Pack 2, run Windows Update and bring your OS current.

[ Edited Wed Aug 23 2006, 06:08PM ]
dreamr
Wed Aug 23 2006, 09:51PM
Is there anywhere I could get a direct link to the download page? Because back when Judy mentioned installing SP2, I looked for it on the Microsoft site and came up with about a billion different 'updates' or whatever. lol
ShadowPuterDude
Thu Aug 24 2006, 12:32AM
...the Shadow knows


This is the complete SP2.

http://www.microsoft.com/downloads/details.aspx?FamilyId=049C9DBE-3B8E-4F30-8245-9E368D3CDB5A&displaylang=en

Ignore that it says for IT Professionals and Developers, it's the full offline Service Pack.
Copyright 2006-2009 MalwareTeks