Problems completely deleting Vundo, Zlob
dentedsanity
post Sep 27 2009, 06:48 PM
Post #1

Operating System: Windows xp home, sp2

Earlier today, the computer rebooted itself and then began to chain reboot after the XP loading screen. It runs normally in safe mode, and at first it was popping up error messages saying that the task manager and registry are infected when I attempted to access either of them, and was not allowing antivirus or most anti-spyware programs to run. I ran Malwarebytes' Anti-Spyware and it found Trojan.Zlob.H and Trojan.Vundo.H.

I can now access the registry and task manager, but as the computer is still chain rebooting after the load screen, it cannot remove all of the files after reboot.

Malwarebytes' Anti-Malware 1.41
Database version: 2866
Windows 5.1.2600 Service Pack 3 (Safe Mode)

9/27/2009 5:29:20 PM
mbam-log-2009-09-27 (17-29-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 160199
Time elapsed: 24 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 3
Registry Values Infected: 5
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\detujedu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\nuvanifi.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\fihiyota.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\du5lrvc.dll (Trojan.Downloader) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a249bc15-23f2-42ad-f4e4-00aac39c0004} (Trojan.Zlob.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{d0f5770a-9831-4035-91a6-ccf60f380198} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a249bc15-23f2-42ad-f4e4-00aac39c0004} (Trojan.Downloader) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wozamonib (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{a249bc15-23f2-42ad-f4e4-00aac39c0004} (Trojan.Zlob.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d0f5770a-9831-4035-91a6-ccf60f380198} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\supunever (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\detujedu.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\detujedu.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\detujedu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\du5lrvc.dll (Trojan.Zlob.H) -> No action taken.
C:\WINDOWS\system32\nuvanifi.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\fihiyota.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\drivers\Beep.SYS (Rootkit.Rustock) -> No action taken.

This post has been edited by dentedsanity: Sep 27 2009, 06:55 PM
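An added example, not part of dentedsanity's post or of Malwarebytes' own tooling: a small Python parser for MBAM log lines in the format above that pulls out the detections still marked "No action taken" and the Bad/Good pairs on registry data items (the mangled ImagePath is the kind of thing a helper checks first before asking for a re-run). The sample lines are excerpted from the log above, plus one constructed line showing how a removed item reads.

```python
import re

# Constructed sample: lines excerpted from the MBAM log posted above, plus one
# altered line showing how a removed item reads, so the filter has both cases.
SAMPLE_LOG = r"""
Memory Modules Infected:
c:\WINDOWS\system32\detujedu.dll (Trojan.Vundo.H) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.
Files Infected:
C:\WINDOWS\system32\drivers\Beep.SYS (Rootkit.Rustock) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
# Non-greedy name: the family is the FIRST "(...) ->", not a later "Good: (0) ->".
ITEM_RE = re.compile(r"^(?P<name>.+?) \((?P<family>[\w.]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>.*)\) Good: \((?P<good>.*?)\)(?= -> |$)")


def parse_mbam_log(text):
    """One dict per detection line: section, name, family, status, bad, good."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if not m or section is None:
            continue  # blank lines, counts, "(No malicious items detected)"
        rest = m.group("rest")
        bg = BAD_GOOD_RE.search(rest)  # only "Registry Data Items" carry Bad/Good
        entries.append({
            "section": section, "name": m.group("name"), "family": m.group("family"),
            "status": rest.rsplit(" -> ", 1)[-1].rstrip("."),
            "bad": bg.group("bad") if bg else None,
            "good": bg.group("good") if bg else None,
        })
    return entries

def unresolved(entries):
    """Detections the scan reported but did not remove: what a helper asks about first."""
    return [e for e in entries if e["status"] == "No action taken"]

def hijacked_values(entries):
    """(name, bad, good) for registry data MBAM wants to restore, e.g. the ImagePath typo."""
    return [(e["name"], e["bad"], e["good"]) for e in entries if e["bad"] is not None]
```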
Replies
emeraldnzl
post Sep 30 2009, 01:08 AM
Post #2

Group: Visiting Staff
Operating System: XP professional SP3

Hello dentedsanity,

Did you let the program fix the items it found?

If not please update and run Malwarebytes again. This time:

  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

So when you return please post
  • MBAM log
  • the two OTL logs - OTL.txt and Extras.txt

Note: Unless otherwise instructed always post the logs in the forum. If reports don't fit on one post, it might be necessary to break the logs up to get them on the forum. Just use as many posts as you need, that's fine.