WE'RE SURE THAT YOU'LL LOVE US!
Hey there! 
Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. 
Join 93083 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.
Try What the Tech -- It's free!
Vundo Removal Help
Started by
sagiter
, May 07 2008 09:24 AM
36 replies to this topic
#31
sagiter
-
- Authentic Member
-
- 36 posts
Authentic Member
Posted 21 May 2008 - 03:17 PM
Register to Remove
#32
Noviciate
-
- Visiting Fellow
-
- 2,907 posts
Retired WTT Teacher
Posted 21 May 2008 - 04:36 PM
I'll install the genuine app onto a VM and see what shows up. It is possible that malware is trying to mimic legitimate software, but i'll not know more until i've had a play.
Death to the salad eaters!
#33
Noviciate
-
- Visiting Fellow
-
- 2,907 posts
Retired WTT Teacher
Posted 22 May 2008 - 01:12 PM
I've installed the uTorrent application and get the same two folders as were created on your machine, but not the other files. This doesn't unfortunately get us any further as it's possible that malware is using an old trick of creating file sharing folders in the hope of spreading itself this way.
I need you to scan that file again at Jottis as the file I scanned is not flagged by any AV. This could either be because the file you have is different to mine, or it could be that the AV companies have updated their definitions after inspecting the file.
As well as posting the results as before, I need the upper part of the screen as well, which contains the following four pieces of info:
File:
Status:
MD5
Packers detected:
I need you to scan that file again at Jottis as the file I scanned is not flagged by any AV. This could either be because the file you have is different to mine, or it could be that the AV companies have updated their definitions after inspecting the file.
As well as posting the results as before, I need the upper part of the screen as well, which contains the following four pieces of info:
File:
Status:
MD5
Packers detected:
Death to the salad eaters!
#34
sagiter
-
- Authentic Member
-
- 36 posts
Authentic Member
Posted 22 May 2008 - 01:19 PM
File: uTorrent.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: ae9630191876d67772d36c4d973361e8
Packers detected: -
Scan taken on 22 May 2008 19:17:57 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Downloader.Generic7.NWA
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found W32.W.Downloader.fb
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found W32/DLoader.FMND
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
#35
Noviciate
-
- Visiting Fellow
-
- 2,907 posts
Retired WTT Teacher
Posted 22 May 2008 - 01:53 PM
Two different files entirely - nice! I'd like you to do the following please:
Right click an empty area of your Desktop and from the menu that appears click New > Compressed (zipped) Folder - the default name will be fine.
Cut and paste the following file(s) into this folder:
F:\Program Files\uTorrent
F:\Documents and Settings\Owner\Application Data\uTorrent
F:\WINDOWS\system32\xwusuhzh.exe
F:\WINDOWS\system32\hljwugsf.bin
Once you have done this, open the folder, if it isn't already, and click File > Add a Password...
Enter infected (all lower case) into the Password: textbox, confirm it in the box underneath, and then click OK.
If they are too big to email in one go, just send them individually. I'll PM the email address to send them too - thanks.
Is the PC behaving itself now?
Right click an empty area of your Desktop and from the menu that appears click New > Compressed (zipped) Folder - the default name will be fine.
Cut and paste the following file(s) into this folder:
F:\Program Files\uTorrent
F:\Documents and Settings\Owner\Application Data\uTorrent
F:\WINDOWS\system32\xwusuhzh.exe
F:\WINDOWS\system32\hljwugsf.bin
Once you have done this, open the folder, if it isn't already, and click File > Add a Password...
Enter infected (all lower case) into the Password: textbox, confirm it in the box underneath, and then click OK.
If they are too big to email in one go, just send them individually. I'll PM the email address to send them too - thanks.
Is the PC behaving itself now?
Death to the salad eaters!
#36
sagiter
-
- Authentic Member
-
- 36 posts
Authentic Member
Posted 22 May 2008 - 02:19 PM
I cannot locate this file:
F:\WINDOWS\system32\xwusuhzh.exe
I will email all else momentarily.
The computer seems fine right now.
Edited by sagiter, 22 May 2008 - 02:29 PM.
#37
Noviciate
-
- Visiting Fellow
-
- 2,907 posts
Retired WTT Teacher
Posted 22 May 2008 - 04:21 PM
OK, got the files thanks. As long as the PC is behaving itself, i'd not worry too much - just keep an eye on it and try to avoid dodgy links.
I don't think that the PC was reinfected by a usb device, simply because there was no sign of this particular malware in your earlier logs. If it was the same cause, i'd expect the same slime to be dropped. It could have been a simple drive by download or something sent via instant messaging that caused the problems, but I don't really know.
As long as you've got rid of the two folders and the other file, that should be the last of it. Run the PC as before for a couple of days and then complete the last of the instructions given earlier to have CF tidyup after itself and flush System restore.
Death to the salad eaters!
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
