Tech Support banner

Status
Not open for further replies.
1 - 3 of 3 Posts

·
Registered
Joined
·
1 Posts
Discussion Starter #1
1. first received an error about an lsass file
2. then started having pop up ads continuing to pop up
3. then started having a folder called common folder with 2 files in it, helper.dll and helper.sig
4. attempted to run mcafee scan, but found nothing
5. downloaded and ran malware bytes anti-malware scan and found alot of issues. see log:
Malwarebytes' Anti-Malware 1.31
Database version: 1500
Windows 5.1.2600 Service Pack 2

12/14/2008 12:34:34 PM
mbam-log-2008-12-14 (12-34-34).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 154045
Time elapsed: 1 hour(s), 9 minute(s), 33 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 4
Registry Keys Infected: 26
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 23

Memory Processes Infected:
C:\Program Files\GetModule\GetModule32.exe (Adware.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\kcwejsor.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tULdEVml.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\awtsTMDT.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\eghhjw.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{00eb7fca-5313-45bb-b6b6-cfe88d80d5ac} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{00eb7fca-5313-45bb-b6b6-cfe88d80d5ac} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{22a37070-aeb2-41d9-85f0-dbaa8a0a5c69} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{22a37070-aeb2-41d9-85f0-dbaa8a0a5c69} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtstmdt (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{00eb7fca-5313-45bb-b6b6-cfe88d80d5ac} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{22a37070-aeb2-41d9-85f0-dbaa8a0a5c69} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\icheck (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\GetModule (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\10623306 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\getmodule32 (Adware.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\tuldevml -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\tuldevml -> Delete on reboot.

Folders Infected:
C:\Program Files\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\tworek\Application Data\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\eghhjw.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tULdEVml.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lmVEdLUt.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lmVEdLUt.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtsTMDT.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kcwejsor.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rosjewck.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\GetModule\GetModule32.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Common\helper.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\tworek\~.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\tworek\Local Settings\Temporary Internet Files\Content.IE5\0Y86E5O8\KB908531[1].exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\tworek\Local Settings\Temporary Internet Files\Content.IE5\29GTRDHL\zc113432[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\tworek\Local Settings\Temporary Internet Files\Content.IE5\29GTRDHL\divx[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\tworek\Local Settings\Temporary Internet Files\Content.IE5\NHHX04L2\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\digeste.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv741229210935.cpx (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv971229156886.cpx (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oxxnrhyq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\iCheck\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\tworek\Application Data\GetModule\dicik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\tworek\Application Data\GetModule\kwdik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\tworek\Application Data\GetModule\ofadik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\ADAPT_Installer.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
6. Found this thread http://community.mcafee.com/showthread.php?t=226217 and followed their instructions. i was able to get rid of the 2 files, but the common folder still pops up on startup.
 

·
Registered
Joined
·
5,264 Posts

·
Registered
Joined
·
5,264 Posts
1 - 3 of 3 Posts
Status
Not open for further replies.
Top