Vundo!grb trojan and agent.HRO issues

By nilamb
Mar 25, 2009
  1. I am getting messages from McAfee OAS that it has detected and attempted to remove instances of Vundo!grb Trojan malware (It finds the files C:\windows\system32\oyirukaf.ini and C:\windows\system32\uyabesub.ini as the problematic files).

    My symptoms are very similar to another user (SoraNagagino21) who reported it a couple of days back, e.g. pop-up ads in Internet Explorer, pop-ups stating that I need updates and fixes from random companies, and new browser windows popping up that result in a "cannot find server" page.

    I also ran StopZilla scan and it found 8 instances of agent.HRO infection in the registry keys and removed it. But the infections were found again after I rebooted the machine after the removal.

    I am currently following the steps in "8-step Viruses/Spyware/Malware Preliminary Removal Instructions" and will attach the 3 logs to this post when the scanning is completed. I would appreciate if the experts can take a look at the logs and help me out in getting rid of this stubborn malware.

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Neil, we can't do anything until we have the logs.
  3. nilamb

    nilamb TS Rookie Topic Starter

    Sorry about the delay in posting the logs, Bobbye. Here are the 3 log files. Please suggest what should be my next step. Thank you very much for your help!
  4. nilamb

    nilamb TS Rookie Topic Starter

    Here are the logs. Somehow it did not attach during the last attempt.

    Attached Files:

  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Neil, you are heavily infected. You have way too much loading at Startup and too many different connections. I am going to refer your logs to someone who is better able to handle them. Be patient while I ask.
  6. kritius

    kritius TS Guru Posts: 2,084

    What exactly is the laptop used for? Is it a work laptop? And do you know all the Hosts file entries?

    I don't want to fix anything that will permanently wreck it on you.

    Did you also put the restrictions on Internet Explorer?
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you kritius.
  8. nilamb

    nilamb TS Rookie Topic Starter

    Sorry about the delayed response. I was in the middle of a move and did not see my messages until now.

    Yes, it is a work laptop, and the hosts file entries shown in the HijackThis log are all legitimate and were added by me.

    I did not put any restrictions on Internet Explorer and the browser could not open the home page during this infection. So could it be a case of the malware trying to hijack my browser's home page?

    Thanks for all your help, Kritius and Bobbye!
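kritius asks whether every Hosts file entry is known, because malware of this family commonly edits the file to block vendor and update sites or to redirect names. The following is an added example, not code from this thread or from any of the posters: a small Python audit that parses hosts-file text and lists the entries a helper would want the user to confirm. The sample hosts text and the list of watched vendor domains are constructed assumptions for the demonstration, not an authoritative list.

```python
"""Audit a Windows hosts file for entries worth a human's review.

Added example for the thread above; the SAMPLE_HOSTS text and the
WATCHED_SUFFIXES list are constructed assumptions, not data from the page.
"""
import ipaddress
import re

# Assumed starting list: vendor and update domains that malware often
# remaps in the hosts file to block updates or security downloads.
WATCHED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "mcafee.com", "symantec.com",
    "avg.com", "kaspersky.com", "trendmicro.com", "sophos.com",
)

# Address ranges a legitimate corporate hosts entry is likely to use.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample hosts file (not from the thread).
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
10.1.2.3        build-server.corp.example      # legitimate internal entry
127.0.0.1       update.microsoft.com           # blocks Windows Update
0.0.0.0         www.mcafee.com                 # blocks vendor site
198.51.100.7    www.example-bank.test          # name mapped to an external address
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping in hosts-file text.

    Comments after '#' are dropped; one line may map several names.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower(), line_no))
    return entries


def audit_hosts(text):
    """Return (line_no, hostname, ip, reason) for each suspicious entry."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, name, ip, "unparseable address"))
            continue
        is_local = addr.is_loopback or addr.is_unspecified
        watched = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
        if name in ("localhost", "localhost.localdomain"):
            # localhost pointed anywhere but loopback is itself a red flag
            if not is_local:
                findings.append((line_no, name, ip, "localhost redirected"))
            continue
        if watched:
            # Any mapping of a vendor/update domain is suspicious: loopback or
            # 0.0.0.0 blocks it, any other address redirects it.
            findings.append((line_no, name, ip, "security/update domain remapped"))
        elif not (is_local or addr.is_link_local
                  or any(addr in net for net in RFC1918)):
            findings.append((line_no, name, ip,
                             "mapped outside loopback/RFC1918; confirm it is yours"))
    return findings


if __name__ == "__main__":
    for line_no, name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}: {reason}")
```

Run against the real file (`C:\Windows\System32\drivers\etc\hosts`) by reading it into `audit_hosts`; entries that land in the internal-address range produce no finding, which is why the legitimate corporate entry in the sample is silent while the three remapped names are listed.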
