Thread: ZoneAlarm can't remove trojan.win32.pakes.mag Virus

  1. #1
    joems Guest

    Default ZoneAlarm can't remove trojan.win32.pakes.mag Virus

    My computer somehow became infected today with the trojan.win32.pakes.mag virus. Zone Alarm tried "rename", "delete", and "delete on reboot", but none of these worked. Is there any way to remove this virus?

    Thanks for your help.

    Joems

    Operating System:Windows XP Home Edition
    Software Version:8.0
    Product Name:ZoneAlarm Internet Security Suite

  2. #2
    findley Guest

    Default Re: ZoneAlarm can't remove trojan.win32.pakes.mag Virus


    Joems wrote:
        My computer somehow became infected today with the trojan.win32.pakes.mag virus. Zone Alarm tried "rename", "delete", and "delete on reboot", but none of these worked. Is there any way to remove this virus?

        Thanks for your help.

        Joems

        Operating System: Windows XP Home Edition
        Software Version: 8.0
        Product Name: ZoneAlarm Internet Security Suite

    Joems,
    For removal of the trojan.win32.pakes.mag virus please see Guru fax's advice on cleaning your computer of malware at this link: http://forum.zonelabs.org/zonelabs/b...essage.id=3787
    Findley

  3. #3
    joems Guest

    Default Re: ZoneAlarm can't remove trojan.win32.pakes.mag Virus

    Thanks Findley. You're a lifesaver.

    Malwarebytes was able to remove the virus. Actually, it found 28 files and/or registry keys related to the infection and deleted all of them.

    Zone Alarm wasn't able to remove the virus or any of its traces.

    So, my questions to the folks at Check Point are:
    1) Why didn't Zone Alarm prevent the infection? I had all protections turned on, and am using the latest version of the program.
    2) Why wasn't Zone Alarm able to remove the infection, once it had occurred?

    Joems

  4. #4
    fax
    Join Date: Nov 2004 | Location: localhost | Posts: 17,291

    Default Re: ZoneAlarm can't remove trojan.win32.pakes.mag Virus

    Hi!

    First of all, no antivirus can detect 100% of malware; then infection can depend on many factors.
    - Is the ZASS program control set to MAX and not to Autolearn or turned OFF?
    - Did you install any software recently? Did you receive a warning by ZA about xyz wanting to do xyz? Did you allow it?
    - Are you running other security tools apart from ZASS (this is often the cause of failed cleaning and detection)?
    - Was the infection detected by MBAM only related to PAKES, or were other elements like cookies or dead entries also identified?
    - Was the malware really active? Maybe ZA blocked the infection but you don't know.

    Ensure your ZA is set to update every hour and set program control to HIGH. Only download and install software from trusted sources; check before installing. Remove any security tool apart from ZASS, and if you need a second opinion only use solid tools like MBAM or SuperAntispyware.

    Finally, ZA staff does not monitor this forum; we are all users here. If you want to contact ZA you need to write to www.zonealarm.com/tsform

    Hope this helps.

    Cheers,
    Fax

    Message Edited by fax on 12-09-2008 01:00 AM

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  5. #5
    joems Guest

    Default Re: ZoneAlarm can't remove trojan.win32.pakes.mag Virus

    Hi Guru,

    To answer your questions (my answers are in ALL-CAPS):

    - Is the ZASS program control set to MAX and not to Autolearn or turned OFF?
    IT'S IN AUTO-LEARN (1 DAY LEFT), BECAUSE I RECENTLY INSTALLED THE LATEST VERSION OF ZONE ALARM
    - Did you install any software recently? Did you receive a warning by ZA about xyz wanting to do xyz? Did you allow it?
    NO AND NO.
    - Are you running other security tools apart from ZASS (this is often the cause of failed cleaning and detection)?
    NO
    - Was the infection detected by MBAM only related to PAKES, or were other elements like cookies or dead entries also identified?
    MBAM LOG FILE IS PASTED IN BELOW. I KNOW FOR CERTAIN THAT SEVERAL OF THESE FILES/TRACES APPEARED TODAY AFTER THE INFECTION, INCLUDING PRUNNET AND MVWAPUGH. I KNOW THIS BECAUSE IN MSCONFIG I COULD SEE STARTUP ITEMS FOR THESE TWO PIECES OF MALWARE THAT WEREN'T THERE BEFORE.
    - Was the malware really active? Maybe ZA blocked the infection but you don't know.
    IT WAS DEFINITELY ACTIVE. THE MALWARE MADE NEW BROWSER WINDOWS WITH ADS OPEN EVERY MINUTE OR SO.

    HERE'S THE MALWAREBYTES LOG FILE:

    Scan type: Quick Scan
    Objects scanned: 75152
    Time elapsed: 11 minute(s), 27 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 4
    Registry Keys Infected: 18
    Registry Values Infected: 1
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 13

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\SYSTEM32\mvwapugh.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\SYSTEM32\khfDvsQh.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\SYSTEM32\wgikjn.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\SYSTEM32\byXRlIcY.dll (Trojan.Vundo) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{250dc87d-a014-4734-a041-ed282a8b993b} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{250dc87d-a014-4734-a041-ed282a8b993b} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5e168b5c-2f83-46a0-9ee3-2e3d5f27e4cd} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{5e168b5c-2f83-46a0-9ee3-2e3d5f27e4cd} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{250dc87d-a014-4734-a041-ed282a8b993b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5e168b5c-2f83-46a0-9ee3-2e3d5f27e4cd} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxrlicy (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\khfdvsqh -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\khfdvsqh -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\SYSTEM32\khfDvsQh.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\SYSTEM32\hQsvDfhk.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\hQsvDfhk.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\fiqiclho.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\byXRlIcY.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\SYSTEM32\wgikjn.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\Documents and Settings\Joel\Local Settings\Temp\xpre.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Joel\Local Settings\Temp\snapsnet.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\prunnet.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\SYSTEM32\mvwapugh.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\SYSTEM32\hgupawvm.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Joel\g2ax_customer_downloadhelper_win32_x86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Joel\Local Settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
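A log like the one above is easier to reason about once the registry hits are grouped by how Windows actually loads the registered DLL, which is the distinction Fax asks about (real autostart entries versus leftover traces). The following is an added example, my own code and not something from the post, Malwarebytes or ZoneAlarm. It parses MBAM finding lines, labels each registry entry with its load mechanism, and lists the files MBAM could only schedule for "Delete on reboot". The sample log is a trimmed copy of the log pasted above with the wrapped registry paths rejoined; the mapping from registry location to load mechanism is my own assumption about what those entries mean, and the Run/RunOnce pattern goes beyond what this particular log contains.

```python
"""Group Malwarebytes (MBAM) log findings by Windows persistence mechanism.

Added example for this thread, not code from the original post, from
Malwarebytes or from ZoneAlarm.  SAMPLE_LOG is a trimmed copy of the log joems
pasted above with the wrapped registry paths rejoined.  MECHANISMS is my own
mapping from registry location to how the DLL gets loaded (an assumption about
the log's meaning, not something MBAM reports).
"""
import re
from collections import defaultdict

# Constructed sample input: a subset of the log in the post above.
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\SYSTEM32\mvwapugh.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxrlicy (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\khfdvsqh -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\khfDvsQh.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\prunnet.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# One finding per line: "<item> (<detection>) -> [Data: <data> -> ]<action>."
# The LSA "Data:" value is a module name without ".dll", exactly as the log shows it.
LINE_RE = re.compile(
    r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>[^>]+?)\.?$"
)

# Registry location -> how Windows loads whatever is registered there.
# Ordered; first match wins.  Run/RunOnce is not in the sample log, it is the
# other autostart location MBAM commonly reports (assumption for generality).
MECHANISMS = [
    (r"\\Explorer\\Browser Helper Objects\\", "BHO"),           # DLL loaded into every IE process
    (r"\\Winlogon\\Notify\\", "Winlogon Notify"),               # DLL loaded by winlogon.exe at logon
    (r"\\Control\\LSA\\(Authentication|Notification) Packages", "LSA package"),  # loaded into lsass.exe
    (r"\\Explorer\\ShellExecuteHooks\\", "ShellExecuteHooks"),  # DLL loaded when Explorer starts a program
    (r"\\CurrentVersion\\Run(Once)?\\", "Run key"),             # plain autostart
    (r"^HKEY_CLASSES_ROOT\\CLSID\\", "CLSID"),                  # COM registration backing a BHO or hook
    (r"\\Ext\\Stats\\", "IE Ext\\Stats (trace)"),               # IE add-on bookkeeping, not an autostart
]


def parse_log(text):
    """Return a list of dicts with keys section, item, detection, data, action."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("("):   # blank, or "(No malicious items detected)"
            continue
        if line.endswith("Infected:"):
            section = line[:-1]
            continue
        m = LINE_RE.match(line)
        if m:
            findings.append(dict(section=section, **m.groupdict()))
    return findings


def mechanism_for(path):
    """Label a registry path by the load mechanism it represents."""
    for pattern, label in MECHANISMS:
        if re.search(pattern, path, re.IGNORECASE):
            return label
    return "unclassified"


def summarize(findings):
    """{mechanism: [registry item, ...]} in log order, registry sections only."""
    groups = defaultdict(list)
    for f in findings:
        if (f["section"] or "").startswith("Registry"):
            groups[mechanism_for(f["item"])].append(f["item"])
    return dict(groups)


def pending_reboot(findings):
    """Files MBAM could not unlink because they were mapped into a running
    process (the Memory Modules above); re-check these after the reboot."""
    return sorted({f["item"] for f in findings if f["action"] == "Delete on reboot"})


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for mech, items in summarize(found).items():
        print(f"{mech}:")
        for item in items:
            print(f"    {item}")
    print("verify after reboot:", pending_reboot(found))
```

Run stand-alone it prints the registry entries grouped by mechanism and the two DLLs still marked "Delete on reboot". Those two are the ones to confirm gone after the restart: that status means the DLL was mapped into a running process when MBAM ran, so the unlink was scheduled for the next boot rather than verified. The LSA package entry is the one worth a second look regardless, since a DLL registered there loads into lsass.exe at boot, before any user-mode scanner runs.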

  6. #6
    fax

    Default Re: ZoneAlarm can't remove trojan.win32.pakes.mag Virus

    Hi!

    OK, mystery solved... you had the bad luck of getting infected while still on Autolearn. Autolearn will allow unknown processes to run, and this is why your proactive defense in ZA did not warn you (it was basically OFF). VUNDO variants are developed every day to evade detection, so it's essential to have the OS firewall active to protect your system.

    You have basically been infected by VUNDO by browsing the web, but I find it strange that no add-on or files have been installed by answering 'yes' to a pop-up or a yellow flag in IE. It usually gets in via installation of a free add-on or fake security tools.

    You should also scan with SuperAntispyware and set ZA program control to MAX. Vundo may not be easy to remove. Probably it did not have the time to take over your system completely.

    Cheers,
    Fax

  7. #7
    joems Guest

    Default Re: ZoneAlarm can't remove trojan.win32.pakes.mag Virus

    Will do.

    Thanks again for your help.

    Joems

  8. #8
    fax

    Default Re: ZoneAlarm can't remove trojan.win32.pakes.mag Virus

    You're welcome!

    Cheers,
    Fax

  9. #9
    fax

    Default Re: ZoneAlarm can't remove trojan.win32.pakes.mag Virus

    Hi!

    Forgot to add: remove Vundo-related items from the list in ZA program control --> programs. These may have been given automatic permission to act and connect in Autolearn.

    Cheers,
    Fax

  10. #10
    findley Guest

    Default Re: ZoneAlarm can't remove trojan.win32.pakes.mag Virus

    Joems,
    Here's some additional information on vundo:
    "The Vundo family of Trojans is one of the most common infections we find on users' computers. This infection can cause popups that include advertisements for rogue anti-spyware programs. Some common rogue antispyware programs that are advertised include WinFixer, SysProtect and WinAntiSpyware. Users are normally targeted by false positives, fake alerts, and warnings of infections on their computer. An example of this type of misleading advertisement would be popups alerting users that they are infected with a blackworm virus. The most common method of infection is through outdated versions of the Sun Java platform; older versions are being exploited, so it is important to firstly make sure that your Java software is fully up to date. This infection is normally detectable by users receiving popups when they use the Internet. Your antivirus program might also notify you via an alert that you have a Vundo Trojan on your computer.

    The Vundo infection has evolved over time to include harder and harder protection methods so that it cannot be easily removed. These methods are random names, random autorun locations, random CLSIDs, and rootkits to hide these locations from removal tools. ..."
    excerpted from How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo at this link: http://www.bleepingcomputer.com/malw...ndo-virtumonde

    Findley

    Message Edited by Findley on 12-09-2008 07:39 AM
