Computer Virus

RGD. · 04-15-2009, 06:30 AM

It's not the Conficker virus. It's either Antivirus 2009 or some variation of it. Restore very rarely works on these things.

Go here - and get the latest greatest and run the free version it.

Malwarebytes

A month or so ago I had it real bad and took two weeks working with the guy that developed that and with the Eset team. In the past I have just done a format - don't have the time now so I was determined to clean it. There is a previous post I made on it somewhere.

Here is one of my logs from when I had it - it will give you some of the file names to look for and delete:

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 10
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\sekuseva.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{ecb252fd-1b0f-4695-abbd-8a4930662488} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ecb252fd-1b0f-4695-abbd-8a4930662488} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayyappf (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\cpm87154a51 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\javomanene (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\sekuseva.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\sekuseva.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\sekuseva.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SysWOW64\wilelazi.dll (Trojan.BHO.H) -> Delete on reboot.
c:\WINDOWS\SysWOW64\sekuseva.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\awtsqoNg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkLedcD.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opnKbcBS.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opnnoopN.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnlJcAr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyxXPfe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yayyApPF.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lamahazi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Also on edit: When a window pops up - don't click to stop it. Go to your processes and stop the iexplore32 process.

Ron

04-15-2009, 06:30 AM	#14
RGD. God Like Status Join Date: Oct 2008 First Name: Ron Location: Alexandria, Virginia Posts: 971 Trading: (1)	Re: Computer Virus It's not the Conficker virus. It's either Antivirus 2009 or some variation of it. Restore very rarely works on these things. Go here - and get the latest greatest and run the free version it. Malwarebytes A month or so ago I had it real bad and took two weeks working with the guy that developed that and with the Eset team. In the past I have just done a format - don't have the time now so I was determined to clean it. There is a previous post I made on it somewhere. Here is one of my logs from when I had it - it will give you some of the file names to look for and delete: Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 10 Registry Values Infected: 4 Registry Data Items Infected: 2 Folders Infected: 0 Files Infected: 12 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: c:\WINDOWS\system32\sekuseva.dll (Trojan.Vundo.H) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{ecb252fd-1b0f-4695-abbd-8a4930662488} (Trojan.BHO.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{ecb252fd-1b0f-4695-abbd-8a4930662488} (Trojan.BHO.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayyappf (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\cpm87154a51 (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\javomanene (Trojan.Agent) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\sekuseva.dll -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\sekuseva.dll -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: c:\WINDOWS\system32\sekuseva.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\SysWOW64\wilelazi.dll (Trojan.BHO.H) -> Delete on reboot. c:\WINDOWS\SysWOW64\sekuseva.dll (Trojan.BHO) -> Delete on reboot. C:\WINDOWS\system32\awtsqoNg.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\jkkLedcD.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\opnKbcBS.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\opnnoopN.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\pmnlJcAr.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\xxyxXPfe.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\yayyApPF.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\WINDOWS\system32\lamahazi.dll (Trojan.Vundo) -> Quarantined and deleted successfully. Also on edit: When a window pops up - don't click to stop it. Go to your processes and stop the iexplore32 process. Ron