Author Topic: win32 podnuha-bj (rtk) please help  (Read 14121 times)


mtb75cgb80
win32 podnuha-bj (rtk) please help
« on: September 15, 2008, 12:20:03 PM »
Avast found this virus but it can't remove it. I need help on how to. Please help.

DavidR
Re: win32 podnuha-bj (rtk) please help
« Reply #1 on: September 15, 2008, 01:24:52 PM »
What virus, what file and location, what reason? I think you are getting the picture: we need more information.

What Operating System are you using?

What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section; this contains information on all avast detections.

Why couldn't it be removed?

Deletion isn't really a good first option (you have none left): 'first do no harm'. Don't delete; send the virus to the chest and investigate.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

mtb75cgb80
Re: win32 podnuha-bj (rtk) please help
« Reply #2 on: September 15, 2008, 02:59:16 PM »
OK, I'm using Windows XP. I get a window that says "server busy" and tells me to switch. Avast warns that I need to abort the connection, but that malware is already on my computer. I have been through the reboot thing 2 times and I did delete & move to chest. It gives me an error 42060. I think it's in my Internet Explorer; it pops up with web sites.

Half of the file name I got is inetppui.com/lib/3077/143e7ef9ac09f431b10129426dab94d/silent.dll.bak


DavidR
Re: win32 podnuha-bj (rtk) please help
« Reply #3 on: September 15, 2008, 03:06:45 PM »
The detection isn't on your system as this was intercepted and detected by the web shield and the only option you will be given is to abort the connection, dropping the download of the malicious file.

The web shield filters http port 80 traffic (normal browsing of the net) and it scans that content before it is saved to your browser cache (temporary internet files) and then displayed by your browser. This effectively blocks it getting on to your system.

So it is likely that there is an undetected or hidden process on your system that is trying to download other malware.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
1. SUPERantispyware, On-Demand only in the free version.
2. MalwareBytes Anti-Malware, freeware version: http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe. Right click on the link and select Save As or Save File As (depending on your browser), and save it to a location where you can find it easily later.

Run one and report the findings before running the other.
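DavidR's point above is that the web shield only drops the download; something already running on the machine keeps requesting it. The following is an added check, not part of the thread and not an Avast tool, that maps outbound HTTP/HTTPS connections to their owning process and then lists the modules loaded into that process that carry no version information (the scan logs later in this thread show Browser Helper Object and Winlogon Notify registrations, which load the malicious DLLs into Internet Explorer and winlogon.exe, so the connection owner can look perfectly legitimate). It assumes Windows XP SP3 with PowerShell 2.0 installed and an administrator prompt; the function names and the "Suspicious" heuristic are mine, not from the thread.

```powershell
# Added check, not from the thread: which process owns the outbound web
# connection the web shield keeps aborting, and what is loaded into it.
# Assumes Windows XP SP3 with PowerShell 2.0, run from an administrator prompt.
# The 'Suspicious' flag and the no-version-info heuristic are starting points
# for a closer look, not verdicts.

function Get-WebConnectionOwner {
    param([int[]]$RemotePorts = @(80, 443))

    # netstat -ano exists on XP; each TCP row is: proto local remote state pid
    $tcpRows = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' }

    # Images under Program Files or %SystemRoot% are expected locations;
    # anything else (Temp, the user profile, a drive root) is flagged.
    $trusted = '^(' + [regex]::Escape($env:ProgramFiles) + '|' +
                      [regex]::Escape($env:SystemRoot) + ')\\'

    foreach ($row in $tcpRows) {
        $f = -split $row.Trim()
        if ($f.Count -lt 5) { continue }
        $remote = $f[2]
        $rport  = [int]($remote -replace '^.*:', '')
        if ($RemotePorts -notcontains $rport) { continue }

        $ownerId = [int]$f[4]
        $proc    = Get-Process -Id $ownerId -ErrorAction SilentlyContinue
        $image   = '<unknown>'
        if ($proc) {
            try { $image = $proc.MainModule.FileName } catch { $image = '<access denied>' }
        }

        New-Object PSObject -Property @{
            Pid        = $ownerId
            Process    = $(if ($proc) { $proc.ProcessName } else { '<exited>' })
            Image      = $image
            Remote     = $remote
            State      = $f[3]
            Suspicious = ($image -notmatch $trusted) -or ($image -match '\\Temp\\')
        }
    }
}

function Get-UnattributedModules {
    # The owner may be a legitimate host process (explorer.exe, iexplore.exe,
    # winlogon.exe) with a foreign DLL loaded into it.  List loaded modules
    # whose file carries no CompanyName; vendor-shipped DLLs almost always do.
    param([int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if (-not $proc) { return }
    try { $modules = $proc.Modules } catch { Write-Warning "PID ${ProcessId}: cannot read modules ($_)"; return }
    foreach ($m in $modules) {
        if (-not $m.FileVersionInfo.CompanyName) {
            New-Object PSObject -Property @{ Module = $m.ModuleName; Path = $m.FileName }
        }
    }
}

# Usage: show every web-facing process, then dig into the flagged ones.
$owners = @(Get-WebConnectionOwner)
$owners | Sort-Object Suspicious -Descending |
    Format-Table Pid, Process, Remote, State, Suspicious, Image -AutoSize
$owners | Where-Object { $_.Suspicious } | Sort-Object Pid -Unique | ForEach-Object {
    "--- modules without version info in PID $($_.Pid) ($($_.Process)) ---"
    Get-UnattributedModules -ProcessId $_.Pid | Format-Table Module, Path -AutoSize
}
```

Run it while the web shield alert is on screen, since the connection is only visible while the downloader is retrying; a module with a random eight-letter name under system32 and no company name in the output is the thing to submit to the chest.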

mtb75cgb80
Re: win32 podnuha-bj (rtk) please help
« Reply #4 on: September 15, 2008, 03:24:19 PM »
Now it's showing file name c:\documents & settings\compaq owner\local settings\tempo
Malware name is win32 podnuha-bj, malware type rootkit, VPS version 080914-0 09/14/2008.

mtb75cgb80
Re: win32 podnuha-bj (rtk) please help
« Reply #5 on: September 15, 2008, 04:23:00 PM »
I'm also getting "cannot process c:\documents & settings\compaq owner\local settings\temp internet files\content.le5\ta5crks3\silent.dll[2].bak\[upx] file ... because it is being used by another process" after I try to move it to the chest.

DavidR
Re: win32 podnuha-bj (rtk) please help
« Reply #6 on: September 15, 2008, 05:09:15 PM »
Empty your Temporary Internet files using IE, run the other programs I mentioned as it looks like there are other elements to this on your system.

mtb75cgb80
Re: win32 podnuha-bj (rtk) please help
« Reply #7 on: September 15, 2008, 05:59:31 PM »
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/15/2008 at 07:45 AM

Application Version : 4.21.1004

Core Rules Database Version : 3566
Trace Rules Database Version: 1554

Scan type       : Complete Scan
Total Scan Time : 00:58:36

Memory items scanned      : 503
Memory threats detected   : 4
Registry items scanned    : 5516
Registry threats detected : 30
File items scanned        : 20184
File threats detected     : 52

Trojan.Vundo-Variant/Small-GEN
   C:\WINDOWS\SYSTEM32\JKKJAWWU.DLL
   C:\WINDOWS\SYSTEM32\JKKJAWWU.DLL
   C:\WINDOWS\SYSTEM32\LJJYPHFG.DLL

Adware.Vundo Variant/Resident
   C:\WINDOWS\SYSTEM32\QOMCAXWX.DLL
   C:\WINDOWS\SYSTEM32\QOMCAXWX.DLL

Adware.AdSponsor/ISM-GetPack
   C:\PROGRAM FILES\GETPACK\GETPACK21.EXE
   C:\PROGRAM FILES\GETPACK\GETPACK21.EXE
   [GetPack21] C:\PROGRAM FILES\GETPACK\GETPACK21.EXE

Trojan.Downloader-CREW
   C:\WINDOWS\SYSTEM32\RYAUYHXL.DLL
   C:\WINDOWS\SYSTEM32\RYAUYHXL.DLL
   HKLM\Software\Classes\CLSID\{01807D47-C937-4847-9760-BE63780B6C34}
   HKCR\CLSID\{01807D47-C937-4847-9760-BE63780B6C34}
   HKCR\CLSID\{01807D47-C937-4847-9760-BE63780B6C34}\InprocServer32
   HKCR\CLSID\{01807D47-C937-4847-9760-BE63780B6C34}\InprocServer32#ThreadingModel
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01807D47-C937-4847-9760-BE63780B6C34}
   C:\WINDOWS\SYSTEM32\GDVDISED.DLL

Adware.AdSponsor/ISM-GetModule
   [GetModule23] C:\PROGRAM FILES\GETMODULE\GETMODULE23.EXE
   C:\PROGRAM FILES\GETMODULE\GETMODULE23.EXE

Trojan.Vundo-Variant/NextGen
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1BC5E68A-EDAE-4F12-BE0E-A548DCC388D3}
   HKCR\CLSID\{1BC5E68A-EDAE-4F12-BE0E-A548DCC388D3}
   HKCR\CLSID\{1BC5E68A-EDAE-4F12-BE0E-A548DCC388D3}\InprocServer32
   HKCR\CLSID\{1BC5E68A-EDAE-4F12-BE0E-A548DCC388D3}\InprocServer32#ThreadingModel
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D7336D32-62F7-43B5-8B8C-3963C72CA498}
   HKCR\CLSID\{D7336D32-62F7-43B5-8B8C-3963C72CA498}
   HKCR\CLSID\{D7336D32-62F7-43B5-8B8C-3963C72CA498}\InprocServer32
   HKCR\CLSID\{D7336D32-62F7-43B5-8B8C-3963C72CA498}\InprocServer32#ThreadingModel
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{D7336D32-62F7-43B5-8B8C-3963C72CA498}
   Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\jkkJawwU

Trojan.Vundo-Variant/NextGen-Six
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f13c481d-9627-4871-9ab4-cceb290a8b80}
   HKCR\CLSID\{F13C481D-9627-4871-9AB4-CCEB290A8B80}
   HKCR\CLSID\{F13C481D-9627-4871-9AB4-CCEB290A8B80}\InprocServer32
   HKCR\CLSID\{F13C481D-9627-4871-9AB4-CCEB290A8B80}\InprocServer32#ThreadingModel
   C:\WINDOWS\SYSTEM32\ZXNQIP.DLL

Adware.Tracking Cookie
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ar.atwola[2].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ads.addynamix[1].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@cache.trafficmp[1].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@xiti[1].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@trafficmp[1].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@www.googleadservices[3].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@media.vlzserver[1].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@2o7[1].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ads.revsci[1].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@www.googleadservices[1].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@stopzilla[1].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@tracking.dsmmadvantage[1].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ad.yieldmanager[2].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@atwola[2].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@eas.apm.emediate[2].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@clickbank[2].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@revsci[2].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@smartadserver[2].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@media6degrees[1].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@adserver.adtechus[1].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@www.googleadservices[2].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@bluestreak[1].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ads.pointroll[2].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@at.atwola[1].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@tagiq.clickforensics[1].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@www.stopzilla[1].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@mediaplex[1].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@adtrafficdriver[2].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@toplist[1].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@www.googleadservices[4].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@advertising[2].txt
   C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@www.googleadservices[5].txt

Trojan.DNSChanger-Codec
   HKU\S-1-5-21-416308895-2433930753-3315868822-1009\Software\GetModule
   HKU\S-1-5-21-416308895-2433930753-3315868822-1009\Software\GetPack
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iCheck
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iCheck#DisplayName
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iCheck#UninstallString

Adware.AdSponsor/ISM
   C:\Program Files\GetModule\dicik.gz
   C:\Program Files\GetModule\kwdik.gz
   C:\Program Files\GetModule\ozadik.gz
   C:\Program Files\GetModule
   C:\Program Files\GetPack\dictame.gz
   C:\Program Files\GetPack\trgtame.gz
   C:\Program Files\GetPack
   C:\Program Files\iCheck\iCheck.exe
   C:\Program Files\iCheck\Uninstall.exe
   C:\Program Files\iCheck

Adware.Vundo Variant/Rel
   HKLM\SOFTWARE\Microsoft\aoprndtws
   HKLM\SOFTWARE\Microsoft\FCOVM
   HKLM\SOFTWARE\Microsoft\RemoveRP
   HKU\S-1-5-21-416308895-2433930753-3315868822-1009\Software\Microsoft\rdfa

Adware.CouponBar
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{55AD45FB-8993-4F27-867B-0B74F04FFF84}\RP67\A0010176.DLL
   C:\WINDOWS\COUPONBARIE.DLL

wyrmrider
Re: win32 podnuha-bj (rtk) please help
« Reply #8 on: September 15, 2008, 06:16:40 PM »
Slowed it down a bit.
With MBAM you have to put a check next to any hits, then click REMOVE CHECKED; a backup will be made.
Post the log.
Then go to the sticky at the top of this forum, read and follow the instructions, and post a HijackThis log (after the MBAM scan).

Good work.
After looking at the HJT log
we may want to run:
a boot-time avast scan, to check again for rootkits and see if anything has been "unhidden"
VUNDOFIX http://vundofix.atribune.org/  (but get the MBAM and boot-time avast FIRST)
HPFIX     (to double-check for rootkits with the built-in GMER rootkit tool)
EDIT: that's SDFIX http://www.bleepingcomputer.com/forums/topic131299.html

We're using VUNDOfix for the obvious reason, for the latest variants,
SDFIX for the other items and as a double check for rootkits.

Actually I hope both of these come up clean and that MBAM gets anything missed by SAS and Avast.
« Last Edit: September 15, 2008, 08:26:02 PM by wyrmrider »

DavidR
Re: win32 podnuha-bj (rtk) please help
« Reply #9 on: September 15, 2008, 07:28:05 PM »
I take it that you allowed SAS to quarantine the detections, etc. if not do that.

The tracking cookies aren't a security issue more a minor privacy one, I normally don't even bother scanning for them.

Much of the other stuff is adware, but the most serious ones are any relating to Vundo, and the DNS changer stuff could be responsible for redirects to unsavoury sites, etc.

So SAS would appear to have done a good job so far.

What is your firewall?
That may not be providing enough protection.
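DavidR mentions above that the DNS changer component could be behind the redirects. DNS-changer malware works by writing its own name servers into the TCP/IP settings, so the check a practitioner would want is a side-by-side view of what is statically configured against what DHCP handed out. This is an added example, not from the thread and not part of any tool named in it; it assumes Windows XP SP3 with PowerShell 2.0 from an administrator prompt, and the function names are mine.

```powershell
# Added check, not from the thread: show, per network interface, the statically
# configured DNS servers next to the DHCP-supplied ones so that a rogue override
# stands out.  Assumes Windows XP SP3 with PowerShell 2.0, administrator prompt.

# NameServer is comma-separated, DhcpNameServer is space-separated; normalise both.
function Split-Servers([string]$s) {
    if ($s) { @($s -split '[ ,]+' | Where-Object { $_ }) } else { @() }
}

function Get-DnsServerOverrides {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $results = @()
    foreach ($iface in Get-ChildItem "$base\Interfaces") {
        $static = $iface.GetValue('NameServer')       # hand-set, or malware-set
        $dhcp   = $iface.GetValue('DhcpNameServer')   # what the DHCP server gave
        $staticList = Split-Servers $static
        $dhcpList   = Split-Servers $dhcp
        # On a home PC that never had DNS typed in by hand, any static entry
        # that differs from DHCP's is the thing to investigate.
        $overridden = ($staticList.Count -gt 0) -and
                      (($dhcpList.Count -eq 0) -or [bool](Compare-Object $staticList $dhcpList))
        $results += New-Object PSObject -Property @{
            Interface  = $iface.PSChildName
            Static     = $static
            Dhcp       = $dhcp
            Overridden = $overridden
        }
    }
    # There is also a machine-wide NameServer value; report it if anything is set.
    $machineWide = (Get-Item $base).GetValue('NameServer')
    if ($machineWide) { Write-Warning "Machine-wide NameServer value set: $machineWide" }
    return $results
}

Get-DnsServerOverrides | Format-Table Interface, Static, Dhcp, Overridden -AutoSize
```

An interface showing Overridden = True on a machine that gets its addresses from a home router is worth clearing (set the adapter back to "Obtain DNS server address automatically") and re-checking after the next reboot, since a still-active component will simply write the servers back.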

Jtaylor83
Re: win32 podnuha-bj (rtk) please help
« Reply #10 on: September 15, 2008, 09:33:37 PM »
I agree. Haven't you tried Comodo Pro?

mtb75cgb80
Re: win32 podnuha-bj (rtk) please help
« Reply #11 on: September 16, 2008, 03:27:14 AM »
Malwarebytes' Anti-Malware 1.28
Database version: 1155
Windows 5.1.2600 Service Pack 3

9/15/2008 4:50:08 PM
mbam-log-2008-09-15 (16-50-08).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 101440
Time elapsed: 1 hour(s), 16 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 7
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ywadnfwe.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\oukahong.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\GetPack (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VnrBlock (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a45450d1 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bma767634d (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb4562 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd1379 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga5442 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc3961 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VnrBlock20 (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\VnrBlock (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ywadnfwe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ewfndawy.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oukahong.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{55AD45FB-8993-4F27-867B-0B74F04FFF84}\RP67\A0010176.dll (Adware.Coupons) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{55AD45FB-8993-4F27-867B-0B74F04FFF84}\RP74\A0011339.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{55AD45FB-8993-4F27-867B-0B74F04FFF84}\RP74\A0011589.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{55AD45FB-8993-4F27-867B-0B74F04FFF84}\RP76\A0011668.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{55AD45FB-8993-4F27-867B-0B74F04FFF84}\RP76\A0011670.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\WINDOWS\CouponBarIE.dll (Adware.Coupons) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuordaes.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dgkrrduu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lusmif.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ndbxvmyg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oukahong.dll_old (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vczqvl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xhybvbng.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ysnhiker.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\BMa767634d.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMa767634d.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

mtb75cgb80
Re: win32 podnuha-bj (rtk) please help
« Reply #12 on: September 16, 2008, 03:36:34 AM »
I'm getting an error loading c:\windows\system32\oukahong.dll; it says that it could not be found, and I'm not sure what you want me to do next. I just don't know much about this kind of stuff. I thank you for all the help you guys are giving me and for being patient with me.
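The SAS log in Reply #7 lists Browser Helper Object CLSIDs, a ShellExecuteHooks entry and a Winlogon\Notify package; the MBAM log in Reply #11 lists Run and RunOnce values; and the "error loading oukahong.dll ... could not be found" message in the post above is what you get when a cleaner has deleted the DLL but a registry entry that loads it is still present. The following is an added check, not from the thread and not part of SAS, MBAM, HijackThis or any other tool named in it, that walks exactly those load points, resolves each registered binary and reports whether it still exists on disk and whether it carries any version information. It assumes Windows XP SP3 with PowerShell 2.0 run as administrator; the function names are mine.

```powershell
# Added check, not from the thread: enumerate the load points the scan logs
# above name (Run/RunOnce, Browser Helper Objects, ShellExecuteHooks, Winlogon
# Notify) and report whether each registered binary is still on disk.
# A registered file that is gone is an orphaned entry and is what produces an
# "Error loading <dll> ... could not be found" message at logon or IE start.
# Assumes Windows XP SP3 with PowerShell 2.0 from an administrator prompt.

function Resolve-ImagePath {
    param([string]$Command)
    if (-not $Command) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    # rundll32 "C:\x\y.dll",Entry  ->  the DLL is the payload, not rundll32
    if ($c -match 'rundll32(\.exe)?\s+"?([^",]+\.dll)') { return $Matches[2] }
    if ($c -match '^"([^"]+)"') { $c = $Matches[1] }                           # quoted path, drop args
    elseif ($c -match '^(.+?\.(exe|dll|com|scr))(\s|$)') { $c = $Matches[1] }  # unquoted, drop args
    # Bare names (Winlogon Notify DLLName, some InprocServer32 values) are
    # loaded from system32.
    if ($c -notmatch '\\') {
        if ($c -notmatch '\.\w{2,4}$') { $c += '.dll' }
        $c = Join-Path $env:SystemRoot "system32\$c"
    }
    return $c
}

function Get-AutoStartEntries {
    $entries = @()
    $runRoot = 'Software\Microsoft\Windows\CurrentVersion'

    # 1. Run / RunOnce values (machine and current user), as in the MBAM log
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($key in 'Run', 'RunOnce') {
            $path = "${hive}:\$runRoot\$key"
            if (-not (Test-Path $path)) { continue }
            $item = Get-Item $path
            foreach ($name in $item.GetValueNames()) {
                $entries += New-Object PSObject -Property @{
                    Kind = "$hive\$key"; Name = $name
                    Image = Resolve-ImagePath $item.GetValue($name)
                }
            }
        }
    }

    # 2. BHOs (subkeys named by CLSID) and ShellExecuteHooks (values named by
    #    CLSID); both resolve through HKCR\CLSID\{...}\InprocServer32
    $lists = @{
        'BHO'              = "HKLM:\$runRoot\Explorer\Browser Helper Objects"
        'ShellExecuteHook' = "HKLM:\$runRoot\Explorer\ShellExecuteHooks"
    }
    foreach ($kind in $lists.Keys) {
        $path = $lists[$kind]
        if (-not (Test-Path $path)) { continue }
        $clsids = @(Get-ChildItem $path | ForEach-Object { $_.PSChildName }) +
                  @((Get-Item $path).GetValueNames())
        foreach ($clsid in ($clsids | Where-Object { $_ -match '^\{' })) {
            $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path $inproc) { $dll = (Get-Item $inproc).GetValue('') }
            $entries += New-Object PSObject -Property @{
                Kind = $kind; Name = $clsid; Image = Resolve-ImagePath $dll
            }
        }
    }

    # 3. Winlogon Notify packages: DLLName is loaded into winlogon.exe itself
    $notify = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($sub in Get-ChildItem $notify) {
            $entries += New-Object PSObject -Property @{
                Kind = 'WinlogonNotify'; Name = $sub.PSChildName
                Image = Resolve-ImagePath $sub.GetValue('DLLName')
            }
        }
    }
    return $entries
}

function Test-AutoStartEntries {
    foreach ($e in Get-AutoStartEntries) {
        $exists = [bool]($e.Image -and (Test-Path -LiteralPath $e.Image))
        $company = $null
        if ($exists) { $company = (Get-Item -LiteralPath $e.Image).VersionInfo.CompanyName }
        $status = if (-not $e.Image) { 'no image path' }
                  elseif (-not $exists) { 'MISSING (orphaned entry)' }
                  elseif (-not $company) { 'no version info' }
                  else { $company }
        New-Object PSObject -Property @{
            Kind = $e.Kind; Name = $e.Name; Status = $status; Image = $e.Image
        }
    }
}

Test-AutoStartEntries | Sort-Object Status | Format-Table Kind, Name, Status, Image -AutoSize
```

An entry reported as MISSING is safe to remove from the registry (that is what silences the "could not be found" popup); an entry whose file exists but has no version info and a random eight-letter name under system32 should be sent to the chest before the key is removed, otherwise the file stays on disk and a surviving component can re-register it.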

mtb75cgb80
Re: win32 podnuha-bj (rtk) please help
« Reply #13 on: September 16, 2008, 03:44:13 AM »
I just have Windows Firewall right now. I have ZoneAlarm on my laptops, but I just had my desktop restored; it was slower than a turtle. Comodo I had on a laptop before and it messed up, then I couldn't get it to delete, so I'm scared to reinstall it again. But I do like the new websites you have given me, so I'm going to put it on all of my computers.

Jtaylor83
Re: win32 podnuha-bj (rtk) please help
« Reply #14 on: September 16, 2008, 03:53:37 AM »
Download HiJackThis and post a log here.