Can't get rid of the pop ups!

Question

Chewie123 0 Newbie Poster

15 Years Ago

Somehow I got something on my computer that gives me pop ups. I've followed all the steps in the sticky posted on the forum and it's made it a bit better but the problem still pursues. Now, however, the windows that pop up come up blank and my computer isn't as bogged down by the stuff running in the background.

Here's the Malware log:

Malwarebytes' Anti-Malware 1.31
Database version: 1589
Windows 5.1.2600 Service Pack 2

1/2/2009 10:23:12 AM
mbam-log-2009-01-02 (10-23-05).txt

Scan type: Full Scan (C:\|)
Objects scanned: 173138
Time elapsed: 1 hour(s), 25 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 16
Registry Values Infected: 19
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\luvobeze.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\opnopQjK.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\roruhore.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\hagatogo.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\kkksnt.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{631abac9-998c-4af1-862b-409435488b1a} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{631abac9-998c-4af1-862b-409435488b1a} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{25f8e9c3-ab91-4e52-89d8-d063aa3be777} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{25f8e9c3-ab91-4e52-89d8-d063aa3be777} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{6bad1129-04b5-43f6-b835-301018befcd6} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6bad1129-04b5-43f6-b835-301018befcd6} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{631abac9-998c-4af1-862b-409435488b1a} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25f8e9c3-ab91-4e52-89d8-d063aa3be777} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\04f20fe7 (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dopirunuvo (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_id (Backdoor.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_options (Backdoor.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_server1 (Backdoor.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_reserv (Backdoor.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_forms (Backdoor.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_certs (Backdoor.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_options (Backdoor.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_ss (Backdoor.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pstorage (Backdoor.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_command (Backdoor.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_file (Backdoor.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_idproject (Backdoor.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pauseopt (Backdoor.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pausecert (Backdoor.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_deletecookie (Backdoor.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_deletesol (Backdoor.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_patch (Backdoor.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\opnopqjk -> No action taken.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\roruhore.dll -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\roruhore.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\roruhore.dll -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\opnopqjk -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\opnopQjK.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\KjQponpo.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\KjQponpo.ini2 (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\luvobeze.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ezebovul.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\remowoka.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\akowomer.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\svbdfvge.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\egvfdbvs.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\hagatogo.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\tojowebo.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\roruhore.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\kkksnt.dll (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\winsinstall.exe (Rogue.Installer) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\rasesnet.tmp (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\gxiocoxd.dll (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\xnwskqnt.dll (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C5QN4XAR\kbp41256[1] (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{734E7E5F-609F-4A46-BB43-4FADB4CF01CD}\RP684\A0091765.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\opnmJbBS.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\rn.tmp (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\ccuepgkt.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\yvhdojlc.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\qqenhd.dll (Trojan.Vundo) -> No action taken.

It says no action taken but this is from before I deleted it so I'm pretty sure it's all taken care of.

I ran ESET after this and it found nothing. I've also run it through AVG, Norton Corporate and nothing's come up. When I run it through a Prevx scan it picks up 28 files, but I'm not sure if they're false positives. Here are the files it picked up:

C:/WINDOWS/system32/PSS02982.DLL
C:/WINDOWS/system32/PSS02983.DLL
C:/WINDOWS/system32/PSS02984.DLL
C:/WINDOWS/system32/PSS02985.DLL
C:/WINDOWS/system32/PSS02986.DLL
C:/WINDOWS/system32/PSS02987.DLL
C:/WINDOWS/system32/PSS02988.DLL
C:/WINDOWS/system32/PSS02989.DLL
C:/WINDOWS/system32/PSS0298A.DLL
C:/WINDOWS/system32/PSS0298B.DLL
C:/WINDOWS/system32/PSS0298C.DLL

C:/WINDOWS/system32/PSR02965.DLL

C:/WINDOWS/system32/spool/PRTPROCS/W32X86/PSS02986.DLL
C:/WINDOWS/system32/spool/PRTPROCS/W32X86/PSS02987.DLL
C:/WINDOWS/system32/spool/PRTPROCS/W32X86/PSS02988.DLL
C:/WINDOWS/system32/spool/PRTPROCS/W32X86/PSS02989.DLL
C:/WINDOWS/system32/spool/PRTPROCS/W32X86/PSS0298A.DLL
C:/WINDOWS/system32/spool/PRTPROCS/W32X86/PSS02966.DLL
C:/WINDOWS/system32/spool/PRTPROCS/W32X86/PSS0298B.DLL

C:/WINDOWS/system32/vupeteho.dll
C:/WINDOWS/system32/roruhore.dll.tmp
C:/WINDOWS/system32/tojowebo.dll.tmp
C:/WINDOWS/system32/hagtogo.dll.tmp
C:/WINDOWS/system32/wenihubi.dll
C:/WINDOWS/system32/habemoya.dll
C:/WINDOWS/system32/dlipiuhj.dll
C:/WINDOWS/system32/zfykhr.dll
C:/WINDOWS/system32/vegilizi.dll

Thanks guys.

windows-virus

2 Contributors
4 Replies
185 Views
11 Hours Discussion Span
Latest Post 15 Years Ago Latest Post by jholland1964

jholland1964 650 Posting Expert

15 Years Ago

We need to see a log of MBA-M AFTER fixes have been completed. Also a full system scan log of HJT also completed after a reboot following MBA-M.
Judy

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Chewie123 0 Newbie Poster · Answer 1 · 2009-01-03T06:13:50+00:00

I will rerun it and see if it picks up anything.

Chewie123 0 Newbie Poster · Answer 2 · 2009-01-03T07:32:43+00:00

Here's the updated log. There are still pop ups even after the scan.

Malwarebytes' Anti-Malware 1.31
Database version: 1589
Windows 5.1.2600 Service Pack 2

1/2/2009 8:25:47 PM
mbam-log-2009-01-02 (20-25-47).txt

Scan type: Full Scan (C:\|)
Objects scanned: 175121
Time elapsed: 1 hour(s), 10 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 9
Registry Values Infected: 5
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\vegilizi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\dujiyera.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\habemoya.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\depawehe.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{25f8e9c3-ab91-4e52-89d8-d063aa3be777} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{25f8e9c3-ab91-4e52-89d8-d063aa3be777} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25f8e9c3-ab91-4e52-89d8-d063aa3be777} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\04f20fe7 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dopirunuvo (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm07c13c7b (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\vegilizi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\vegilizi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\vegilizi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\depawehe.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\depawehe.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dujiyera.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\areyijud.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fihasine.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\enisahif.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wenihubi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\depawehe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\habemoya.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vegilizi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\fzedegwi.default\Cache\63F1AE75d01 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{734E7E5F-609F-4A46-BB43-4FADB4CF01CD}\RP685\A0091779.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{734E7E5F-609F-4A46-BB43-4FADB4CF01CD}\RP685\A0091780.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{734E7E5F-609F-4A46-BB43-4FADB4CF01CD}\RP685\A0091781.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\roruhore.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vupeteho.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hagatogo.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tojowebo.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.

Thanks guys.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 3 · 2009-01-03T07:40:53+00:00

Hopefully, you rebooted the computer. Next run HiJackThis on a full system scan. Save the log and post it here.
Judy