
trojware.win32.rootkit.podnuha.~L@1604959 [Closed]


#16
handhfan
    Trusted Helper
  • Expert
  • 13,659 posts
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.


#17
gszamora
    Member
  • Topic Starter
  • Member
  • 20 posts
Here we go. Thank you again to all for your persistence and help!!!

Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player ActiveX
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.1.0
BCM V.92 56K Modem
BeTrapped! (remove only)
BlackBerry Desktop Software 4.2.1
BlackBerry Desktop Software 4.2.1
COMODO SafeSurf
Dell Laser Printer 1110 Software Uninstall
Dell Picture Studio - Dell Image Expert
DellSupport
Digital Line Detect
DirectX Media Runtime 5.1
Diskeeper Professional Edition
DVDSentry
Easy CD Creator 5 Basic
ERUNT 1.1j
Family Tree Maker 7.0
FUJIFILM FinePixViewer S Ver.2.0
Google Desktop
Google Earth
Google Talk (remove only)
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel® PRO Ethernet Adapter and Software
Intel® PROSet II
Java™ 6 Update 11
Java™ 6 Update 3
Java™ 6 Update 5
Java™ SE Runtime Environment 6 Update 1
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Premium
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Modem Helper
MSN Music Assistant
NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers
Paint Shop Pro 7
Picasa 3
PowerDVD
QuickTime
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960715)
Uninstall Startup Inspector
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Viewpoint Manager (Remove Only)
Wal-Mart Music Downloads Store
Windows Defender
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
Yahoo! Internet Mail

#18
handhfan
    Trusted Helper
  • Expert
  • 13,659 posts
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install on those systems.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 12.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u12-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u12-windows-i586-p.exe and select "Run as an Administrator.")

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Java™ 6 Update 11
Java™ 6 Update 3
Java™ 6 Update 5
Java™ SE Runtime Environment 6 Update 1
Viewpoint Manager (Remove Only)


Please do an online scan with Kaspersky WebScanner

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply, along with a new HijackThis log.

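As an added example (not from the thread, and not HijackThis or Sun code), here is a Python check that applies the rule above to a saved uninstall list: every JRE entry below the target release is listed for removal, and the target is flagged for installation when no entry already meets it. The list excerpt, the display-name patterns and the target 6u12 come from this thread; `java_upgrade_plan` and `TARGET` are names I chose.

```python
import re

# Constructed uninstall-list excerpt, as HijackThis's Uninstall Manager saves it (entries from the thread).
SAMPLE_UNINSTALL_LIST = """\
Adobe Reader 7.1.0
Java™ 6 Update 11
Java™ 6 Update 3
Java™ 6 Update 5
Java™ SE Runtime Environment 6 Update 1
Malwarebytes' Anti-Malware
Windows XP Service Pack 3
"""

# Display names Sun's installers used: "Java(TM) 6 Update 11",
# "Java(TM) SE Runtime Environment 6 Update 1", "J2SE Runtime Environment 5.0 Update 6".
JAVA_RE = re.compile(
    r"^(?:Java(?:™|\(TM\))?|J2SE)\s+(?:SE\s+)?(?:Runtime Environment\s+)?(\d+)(?:\.\d+)?\s+Update\s+(\d+)$")

TARGET = (6, 12)  # JRE 6 Update 12, the release the helper links to above (constant name is mine)


def java_entries(uninstall_list):
    """Return [(major, update, display_name)] for every JRE entry in the list."""
    found = []
    for raw in uninstall_list.splitlines():
        m = JAVA_RE.match(raw.strip())
        if m:
            found.append((int(m.group(1)), int(m.group(2)), raw.strip()))
    return found


def java_upgrade_plan(uninstall_list, target=TARGET):
    """List JRE entries below the target for removal; say whether the target still has to be installed."""
    entries = java_entries(uninstall_list)
    to_remove = [name for major, upd, name in entries if (major, upd) < target]
    have_target = any((major, upd) >= target for major, upd, _ in entries)
    return {"installed": [n for _, _, n in entries], "remove": to_remove, "install_target": not have_target}
```

With the thread's list this reproduces the four entries the helper asks to remove in the next post.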

#19
gszamora
    Member
  • Topic Starter
  • Member
  • 20 posts
Hi!

Thanks again for your help! I was able to complete all steps up to the Kaspersky WebScanner. When I opened the Kaspersky page and it checked my computer's requirements before running the system, it said that I need to have a version of Java 1.5 or above. When I clicked on the link for Java detection, the result was that I had the latest version of Java installed. Kaspersky won't let me click on "Accept" and I can't run the scan.

Let me know and thanks again for your help!!

George

#20
handhfan
    Trusted Helper
  • Expert
  • 13,659 posts
Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into SafeMode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight SafeMode then hit enter.

  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit ok at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.

  • System Memory
  • Startup Objects
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)


After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.
Then choose OK again then you are back to the main screen.

  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all.
  • If it says it cannot be Neutralized then choose the delete option when prompted.
  • After that is done click on the reports button at the bottom and save it to file; name it Kas.
  • Save it somewhere convenient like your desktop. Post only the detected virus/malware in the report (it will be at the very top under Detected) in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.



#21
gszamora
    Member
  • Topic Starter
  • Member
  • 20 posts
I downloaded the AVP Tool and saved it to my desktop; however, when I reboot into SafeMode, the icon for AVT doesn't appear. In fact, I have about 20 icons on my desktop and when I reboot into SafeMode, only about 5 or 6 appear --- Internet Explorer, Combofix, and a few others. I also tried searching for the program using Start and "All programs" but nothing. I'm sorry. What next?

Thanks again for everything!

George

#22
handhfan
    Trusted Helper
  • Expert
  • 13,659 posts
Reboot into normal mode. Save AVP on the main drive (C:\) and not in a folder (for easy access).

Then try going back to Safe Mode. It should be located on the C:\ drive.

#23
gszamora
    Member
  • Topic Starter
  • Member
  • 20 posts
Hi!!

Here's the latest log after downloading AVP Tool and running the scan; there was one rootkit which I could not delete--the very last one on this list. Question: should I go back and do the Java download you'd previously suggested?

Thank you again!!

Scan
----
Scanned: 202713
Detected: 6
Untreated: 1
Start time: 2009-02-24 20:55
Duration: 01:21:03
Finish time: 2009-02-24 22:16


Detected
--------
Status Object
------ ------
deleted: Trojan program Rootkit.Win32.Podnuha.bhm File: C:\Program Files\Trend Micro\HijackThis\backups\backup-20090224-183111-739.dll//PE_Patch.UPX//UPX
deleted: Trojan program Rootkit.Win32.Podnuha.bhm File: C:\Program Files\Trend Micro\HijackThis\backups\backup-20090224-183111-876.dll//PE_Patch.UPX//UPX
deleted: Trojan program Trojan.Win32.BHO.ext File: C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_ypvuknro_.sys.zip/ypvuknro.sys
deleted: Trojan program Rootkit.Win32.Podnuha.bhm File: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0000735.dll//PE_Patch.UPX//UPX
deleted: Trojan program Rootkit.Win32.Podnuha.bhm File: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0000736.dll//PE_Patch.UPX//UPX
detected: Trojan program Rootkit.Win32.Podnuha.bhm File: C:\WINDOWS\SYSTEM32\cewmdms.dll//PE_Patch.UPX//UPX


Events
------
Time Name Status Reason
---- ---- ------ ------
2009-02-24 20:55 Running module: smss.exe\smss.exe ok scanned


Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------


Settings
--------
Parameter Value
--------- -----
Security Level Custom
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats No
Scan password-protected archives No
Enable iChecker technology No
Enable iSwift technology No
Show detected threats on "Detected" tab Yes
Rootkits search Yes
Deep rootkits search Yes
Use heuristic analyzer Yes


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----
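An added example, not part of the thread or of AVP Tool: a Python triage of a report in the layout above. It cross-checks the Scan summary against the Detected entries, keeps the hits whose status is still `detected`, and separates copies sitting in HijackThis backups, ComboFix's Qoobox quarantine and System Restore points from live files such as the one in SYSTEM32. The sample report is reconstructed from the post; the marker list for stored copies and the function names are my assumptions.

```python
import re

# Constructed sample in the AVP Tool report layout posted above (entries copied from the post).
SAMPLE_REPORT = r"""Scan
----
Scanned: 202713
Detected: 6
Untreated: 1

Detected
--------
Status Object
------ ------
deleted: Trojan program Rootkit.Win32.Podnuha.bhm File: C:\Program Files\Trend Micro\HijackThis\backups\backup-20090224-183111-739.dll//PE_Patch.UPX//UPX
deleted: Trojan program Rootkit.Win32.Podnuha.bhm File: C:\Program Files\Trend Micro\HijackThis\backups\backup-20090224-183111-876.dll//PE_Patch.UPX//UPX
deleted: Trojan program Trojan.Win32.BHO.ext File: C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_ypvuknro_.sys.zip/ypvuknro.sys
deleted: Trojan program Rootkit.Win32.Podnuha.bhm File: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0000735.dll//PE_Patch.UPX//UPX
deleted: Trojan program Rootkit.Win32.Podnuha.bhm File: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0000736.dll//PE_Patch.UPX//UPX
detected: Trojan program Rootkit.Win32.Podnuha.bhm File: C:\WINDOWS\SYSTEM32\cewmdms.dll//PE_Patch.UPX//UPX
"""

ENTRY_RE = re.compile(r"^(?P<status>\w+): (?P<kind>.+?) (?P<name>\S+) File: (?P<obj>.+)$")
# Locations that hold stored copies rather than live code (assumed marker list, not from the tool).
STORED_MARKERS = ("\\HijackThis\\backups\\", "\\Qoobox\\Quarantine\\", "\\System Volume Information\\_restore")

def parse_avp_report(text):
    """Return (summary dict from the Scan section, list of Detected entries)."""
    lines, section, summary, entries = text.splitlines(), None, {}, []
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line and " " not in line and nxt and set(nxt) == {"-"}:
            section = line  # one-word heading underlined with dashes
        elif section == "Scan" and ":" in line:
            key, _, val = line.partition(":")
            summary[key.strip()] = val.strip()
        elif section == "Detected" and (m := ENTRY_RE.match(line)):
            disk_path = m.group("obj").split("//")[0].split("/")[0]  # drop packer chain / archive member
            entries.append({"status": m.group("status"), "name": m.group("name"), "path": disk_path,
                            "stored_copy": any(s in disk_path for s in STORED_MARKERS)})
    return summary, entries

def triage(text):
    """Cross-check summary counts and separate live, untreated hits from stored copies."""
    summary, entries = parse_avp_report(text)
    untreated = [e for e in entries if e["status"] == "detected"]  # found but not removed
    live = [e for e in entries if not e["stored_copy"]]
    counts_ok = (int(summary.get("Detected", -1)) == len(entries)
                 and int(summary.get("Untreated", -1)) == len(untreated))
    return {"counts_ok": counts_ok, "untreated": untreated, "live": live}
```

On this report the only live, untreated object is the SYSTEM32 DLL the poster could not delete; the other five are already-captured copies.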

#24
handhfan
    Trusted Helper
  • Expert
  • 13,659 posts
You should have the latest already. :)

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again
  • After the update, from the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Investigation
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach the Compressed file, virusinfo_syscheck.zip, to your next reply, along with a fresh HijackThis log


#25
handhfan
    Trusted Helper
  • Expert
  • 13,659 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.