Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Safe Mode Disabled


  • Please log in to reply
20 replies to this topic

#1 emilsnake48

emilsnake48

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:01 PM

Posted 09 January 2010 - 09:05 PM

My son's computer has been taken over by something that won't allow us to run ANY Anti-Malware, Virus, etc. programs. It won't allow Safe Mode startup and it won't allow a system restore point. Not sure what to do. Any suggestions?

BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 33,393 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:06:01 PM

Posted 09 January 2010 - 09:09 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SuperAntiSpyware, SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript


#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 61,950 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:01 PM

Posted 09 January 2010 - 09:40 PM

Hello, try starting here with RKill.... ( You may need to temporarily disable your AV first)

Please download Rkill by Grinler and save it to your desktop.Link 2
Link 3
Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
You will need to run the application again if rebooting the computer occurs along the way.


Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#4 emilsnake48

emilsnake48
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:01 PM

Posted 10 January 2010 - 12:48 PM

How do I disable AV?

#5 emilsnake48

emilsnake48
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:01 PM

Posted 10 January 2010 - 12:52 PM

Sorry about the stupid question. I guess you meant Anti-Virus programs.

#6 emilsnake48

emilsnake48
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:01 PM

Posted 10 January 2010 - 05:30 PM

Thanks for your help, boopme. The computer seems to be fine now, but I still can't do a Safe Mode startup. That could be a problem later on down the road. Also, I cannot do a system restore. I get a message that says "System Restore has been turned off by group policy. To turn on System Restore, contact your domain administrator."
.

Here is the log you requested.

Malwarebytes' Anti-Malware 1.44
Database version: 3537
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

1/10/2010 2:00:38 PM
mbam-log-2010-01-10 (14-00-38).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 341953
Time elapsed: 1 hour(s), 3 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 2
Registry Values Infected: 7
Registry Data Items Infected: 9
Folders Infected: 1
Files Infected: 37

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\kohajawu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lowalama.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\viberisa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\helper32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d3720083-33e9-43d0-8256-d95c273bf378} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\IS2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bevatusip (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d3720083-33e9-43d0-8256-d95c273bf378} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\rifurizih (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asg984jgkfmgasi8ug98jgkfgfb (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet security 2010 (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Spyware.Passwords) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: lowalama.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\kohajawu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\kohajawu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\kbdsock.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: system32\kbdsock.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\InternetSecurity2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\fahokipa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kohajawu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kopupavo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kudavano.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowalama.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vejorafa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\viberisa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wakatuha.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\waruvigu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wiludubu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\helper32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\eujbmv.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\khkil.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\AndrewJ\Local Settings\Temporary Internet Files\Content.IE5\EH5JIM1N\SetupIS2010[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\InternetSecurity2010\IS2010.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbdsock.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mshlps.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xsr3yi7.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\qtelkjk.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HHG80AII\instRLS[1].exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\system.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\user.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\123ef60f.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\4066934676.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\476625800.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\AndrewJ\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guestss\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\AndrewJ\Start Menu\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guestss\Start Menu\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\dfgdgdfgrgdgfdrdfs.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

Edited by emilsnake48, 10 January 2010 - 05:39 PM.


#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 61,950 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:01 PM

Posted 10 January 2010 - 10:42 PM

Not stupid.. Did you reboot after MBAM it was needed?
We'll get the the rest.

SUPERAntiSypware has a built in "Repairs" feature to fix policy restrictions and certain Windows settings which are sometimes targeted by malware infection.

Please download SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • Click the Repairs tab.
  • Click on (highlight) "Repair broken SafeBoot key" and then click the Repair button.
  • You may be asked to reboot your computer for the changes to take effect.
Next run ATF and SAS: If you cannot access Safe Mode,run in normal ,but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


FixPolicies
Download FixPolicies.exe,by Bill Castner, MS-MVP to your Desktop.

Double-click FixPolicies.exe.
Click the Install button on the bottom toolbar. This will create a new folder called FixPolicies.
Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
A black box will briefly appear and then close.
The active malware may revert these changes at your next startup. You can safely run the utility again.

How are things now?

Edited by boopme, 10 January 2010 - 10:46 PM.

How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#8 emilsnake48

emilsnake48
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:01 PM

Posted 11 January 2010 - 12:22 PM

Am I supposed to download SAS twice?

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 61,950 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:01 PM

Posted 11 January 2010 - 01:10 PM

Sorry ,no... I just used my pre written instructions so I didn't have to type it all again. So run the REPAIRS then installl ATF . Boot into safe mode,run ATF and SAS and post the SAS log
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#10 emilsnake48

emilsnake48
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:01 PM

Posted 11 January 2010 - 02:11 PM

No problem. That's what I thought. I followed the instructions, but still can't boot into Safe Mode. SAS found numerous issues that MalwareBytes did not. Here's the log.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/11/2010 at 10:44 AM

Application Version : 4.33.1000

Core Rules Database Version : 4465
Trace Rules Database Version: 2284

Scan type : Complete Scan
Total Scan Time : 00:27:49

Memory items scanned : 497
Memory threats detected : 0
Registry items scanned : 6149
Registry threats detected : 78
File items scanned : 20220
File threats detected : 59

Trojan.Agent/Gen
[ygua8e7yhuiesfha876yfauy8fe] C:\WINDOWS\TEMP\ZHXGOW.EXE
C:\WINDOWS\TEMP\ZHXGOW.EXE
[ygua8e7yhuiesfha876yfauy8fe] C:\WINDOWS\TEMP\ZHXGOW.EXE
C:\WINDOWS\system32\lowsec\local.ds
C:\WINDOWS\system32\lowsec\user.ds
C:\WINDOWS\system32\lowsec

Rogue.Agent/Gen
HKU\.DEFAULT\SOFTWARE\AVSCAN
HKU\.DEFAULT\SOFTWARE\AVSCAN#knkd
HKU\.DEFAULT\SOFTWARE\AVSCAN#aazalirt
HKU\.DEFAULT\SOFTWARE\AVSCAN#skaaanret
HKU\.DEFAULT\SOFTWARE\AVSCAN#jungertab
HKU\.DEFAULT\SOFTWARE\AVSCAN#zibaglertz
HKU\.DEFAULT\SOFTWARE\AVSCAN#iddqdops
HKU\.DEFAULT\SOFTWARE\AVSCAN#ronitfst
HKU\.DEFAULT\SOFTWARE\AVSCAN#tobmygers
HKU\.DEFAULT\SOFTWARE\AVSCAN#jikglond
HKU\.DEFAULT\SOFTWARE\AVSCAN#tobykke
HKU\.DEFAULT\SOFTWARE\AVSCAN#klopnidret
HKU\.DEFAULT\SOFTWARE\AVSCAN#jiklagka
HKU\.DEFAULT\SOFTWARE\AVSCAN#salrtybek
HKU\.DEFAULT\SOFTWARE\AVSCAN#seeukluba
HKU\.DEFAULT\SOFTWARE\AVSCAN#jrjakdsd
HKU\.DEFAULT\SOFTWARE\AVSCAN#krkdkdkee
HKU\.DEFAULT\SOFTWARE\AVSCAN#dkewiizkjdks
HKU\.DEFAULT\SOFTWARE\AVSCAN#dkekkrkska
HKU\.DEFAULT\SOFTWARE\AVSCAN#rkaskssd
HKU\.DEFAULT\SOFTWARE\AVSCAN#kuruhccdsdd
HKU\.DEFAULT\SOFTWARE\AVSCAN#krujmmwlrra
HKU\.DEFAULT\SOFTWARE\AVSCAN#kkwknrbsggeg
HKU\.DEFAULT\SOFTWARE\AVSCAN#ktknamwerr
HKU\.DEFAULT\SOFTWARE\AVSCAN#iqmcnoeqz
HKU\.DEFAULT\SOFTWARE\AVSCAN#ienotas
HKU\.DEFAULT\SOFTWARE\AVSCAN#krkmahejdk
HKU\.DEFAULT\SOFTWARE\AVSCAN#otpeppggq
HKU\.DEFAULT\SOFTWARE\AVSCAN#krtawefg
HKU\.DEFAULT\SOFTWARE\AVSCAN#oranerkka
HKU\.DEFAULT\SOFTWARE\AVSCAN#kitiiwhaas
HKU\.DEFAULT\SOFTWARE\AVSCAN#otowjdseww
HKU\.DEFAULT\SOFTWARE\AVSCAN#otnnbektre
HKU\.DEFAULT\SOFTWARE\AVSCAN#oropbbsee
HKU\.DEFAULT\SOFTWARE\AVSCAN#irprokwks
HKU\.DEFAULT\SOFTWARE\AVSCAN#ooorjaas
HKU\.DEFAULT\SOFTWARE\AVSCAN#id
HKU\S-1-5-18\SOFTWARE\AVSCAN
HKU\S-1-5-18\SOFTWARE\AVSCAN#knkd
HKU\S-1-5-18\SOFTWARE\AVSCAN#aazalirt
HKU\S-1-5-18\SOFTWARE\AVSCAN#skaaanret
HKU\S-1-5-18\SOFTWARE\AVSCAN#jungertab
HKU\S-1-5-18\SOFTWARE\AVSCAN#zibaglertz
HKU\S-1-5-18\SOFTWARE\AVSCAN#iddqdops
HKU\S-1-5-18\SOFTWARE\AVSCAN#ronitfst
HKU\S-1-5-18\SOFTWARE\AVSCAN#tobmygers
HKU\S-1-5-18\SOFTWARE\AVSCAN#jikglond
HKU\S-1-5-18\SOFTWARE\AVSCAN#tobykke
HKU\S-1-5-18\SOFTWARE\AVSCAN#klopnidret
HKU\S-1-5-18\SOFTWARE\AVSCAN#jiklagka
HKU\S-1-5-18\SOFTWARE\AVSCAN#salrtybek
HKU\S-1-5-18\SOFTWARE\AVSCAN#seeukluba
HKU\S-1-5-18\SOFTWARE\AVSCAN#jrjakdsd
HKU\S-1-5-18\SOFTWARE\AVSCAN#krkdkdkee
HKU\S-1-5-18\SOFTWARE\AVSCAN#dkewiizkjdks
HKU\S-1-5-18\SOFTWARE\AVSCAN#dkekkrkska
HKU\S-1-5-18\SOFTWARE\AVSCAN#rkaskssd
HKU\S-1-5-18\SOFTWARE\AVSCAN#kuruhccdsdd
HKU\S-1-5-18\SOFTWARE\AVSCAN#krujmmwlrra
HKU\S-1-5-18\SOFTWARE\AVSCAN#kkwknrbsggeg
HKU\S-1-5-18\SOFTWARE\AVSCAN#ktknamwerr
HKU\S-1-5-18\SOFTWARE\AVSCAN#iqmcnoeqz
HKU\S-1-5-18\SOFTWARE\AVSCAN#ienotas
HKU\S-1-5-18\SOFTWARE\AVSCAN#krkmahejdk
HKU\S-1-5-18\SOFTWARE\AVSCAN#otpeppggq
HKU\S-1-5-18\SOFTWARE\AVSCAN#krtawefg
HKU\S-1-5-18\SOFTWARE\AVSCAN#oranerkka
HKU\S-1-5-18\SOFTWARE\AVSCAN#kitiiwhaas
HKU\S-1-5-18\SOFTWARE\AVSCAN#otowjdseww
HKU\S-1-5-18\SOFTWARE\AVSCAN#otnnbektre
HKU\S-1-5-18\SOFTWARE\AVSCAN#oropbbsee
HKU\S-1-5-18\SOFTWARE\AVSCAN#irprokwks
HKU\S-1-5-18\SOFTWARE\AVSCAN#ooorjaas
HKU\S-1-5-18\SOFTWARE\AVSCAN#id

Rogue.InternetSecurity2010
HKU\.DEFAULT\Software\IS2010
HKU\S-1-5-18\Software\IS2010
C:\Documents and Settings\AndrewJ\Desktop\Internet Security 2010.lnk

Adware.Tracking Cookie
C:\Documents and Settings\AndrewJ\Local Settings\Temp\Cookies\andrewj@interclick[1].txt
C:\Documents and Settings\AndrewJ\Local Settings\Temp\Cookies\andrewj@zedo[1].txt
C:\Documents and Settings\AndrewJ\Local Settings\Temp\Cookies\andrewj@questionmarket[2].txt
C:\Documents and Settings\AndrewJ\Local Settings\Temp\Cookies\andrewj@collective-media[1].txt
C:\Documents and Settings\AndrewJ\Local Settings\Temp\Cookies\[email protected][2].txt
C:\Documents and Settings\AndrewJ\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\AndrewJ\Local Settings\Temp\Cookies\[email protected][2].txt
C:\Documents and Settings\AndrewJ\Local Settings\Temp\Cookies\andrewj@media6degrees[1].txt
C:\Documents and Settings\AndrewJ\Local Settings\Temp\Cookies\andrewj@pointroll[2].txt
C:\Documents and Settings\AndrewJ\Local Settings\Temp\Cookies\andrewj@doubleclick[2].txt
C:\Documents and Settings\AndrewJ\Local Settings\Temp\Cookies\andrewj@tacoda[1].txt
C:\Documents and Settings\AndrewJ\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\AndrewJ\Local Settings\Temp\Cookies\[email protected][2].txt
C:\Documents and Settings\AndrewJ\Local Settings\Temp\Cookies\andrewj@revsci[2].txt
C:\Documents and Settings\AndrewJ\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\AndrewJ\Local Settings\Temp\Cookies\andrewj@specificmedia[1].txt
C:\Documents and Settings\AndrewJ\Local Settings\Temp\Cookies\andrewj@specificclick[2].txt
C:\Documents and Settings\AndrewJ\Local Settings\Temp\Cookies\andrewj@invitemedia[2].txt
C:\Documents and Settings\AndrewJ\Local Settings\Temp\Cookies\andrewj@advertising[1].txt
C:\Documents and Settings\AndrewJ\Local Settings\Temp\Cookies\andrewj@atdmt[1].txt
C:\Documents and Settings\AndrewJ\Local Settings\Temp\Cookies\[email protected][2].txt
C:\Documents and Settings\AndrewJ\Local Settings\Temp\Cookies\andrewj@insightexpressai[2].txt
C:\Documents and Settings\AndrewJ\Local Settings\Temp\Cookies\andrewj@fastclick[1].txt
C:\Documents and Settings\Guestss\Cookies\guestss@advertising[2].txt
C:\Documents and Settings\Guestss\Cookies\guestss@realmedia[2].txt
C:\Documents and Settings\Guestss\Cookies\guestss@fastclick[2].txt
C:\Documents and Settings\Guestss\Cookies\[email protected][2].txt
C:\Documents and Settings\Guestss\Cookies\[email protected][1].txt
C:\Documents and Settings\Guestss\Cookies\guestss@hitbox[2].txt
C:\Documents and Settings\Guestss\Cookies\guestss@mediaplex[2].txt
C:\Documents and Settings\Guestss\Cookies\guestss@atdmt[2].txt
C:\Documents and Settings\Guestss\Cookies\guestss@uclick[1].txt
C:\Documents and Settings\Guestss\Cookies\[email protected][2].txt
C:\Documents and Settings\Guestss\Cookies\guestss@mediapromoter[2].txt
C:\Documents and Settings\Guestss\Cookies\guestss@uclickgames[1].txt
C:\Documents and Settings\Guestss\Cookies\[email protected][1].txt
C:\Documents and Settings\Guestss\Cookies\guestss@247realmedia[2].txt
C:\Documents and Settings\Guestss\Cookies\guestss@adbrite[1].txt
C:\Documents and Settings\Guestss\Cookies\[email protected][1].txt
C:\Documents and Settings\Guestss\Cookies\guestss@serving-sys[2].txt
C:\Documents and Settings\Guestss\Cookies\[email protected][1].txt
C:\Documents and Settings\Guestss\Cookies\[email protected][2].txt
C:\Documents and Settings\Guestss\Cookies\guestss@insightexpressai[2].txt
C:\Documents and Settings\Guestss\Cookies\[email protected][2].txt
C:\Documents and Settings\Guestss\Cookies\guestss@doubleclick[2].txt
C:\Documents and Settings\Guestss\Cookies\guestss@apmebf[2].txt
C:\Documents and Settings\Guestss\Cookies\guestss@interclick[1].txt
C:\Documents and Settings\Guestss\Cookies\[email protected][1].txt
C:\Documents and Settings\Guestss\Cookies\guestss@tribalfusion[2].txt
C:\Documents and Settings\Guestss\Cookies\[email protected][2].txt
C:\Documents and Settings\Guestss\Cookies\[email protected][1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@icityfind[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt

Trojan.Agent/Gen-SDRA
C:\WINDOWS\SYSTEM32\SDRA64.EXE

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 61,950 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:01 PM

Posted 11 January 2010 - 04:41 PM

According to Threat Expert, some submissions of sdra64.exe are identified as a variant of the Virut family of malware by Symantec & McAfee but most are Zbot/Infostealer.Banker. As such that does not mean its a full blown infection especially if other indicators are not present. In any event I recommend investigating further for other virut related files as a precaution.

Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.[/i]
  • Vista users: need to right-click either the IE or FF Start Menu or Quick Launch Bar icons and select Run As Administrator) from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the Posted Image... button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the Posted Image... button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the Posted Image... button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
(Thx to quietman7 for letting me swipe this)
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#12 emilsnake48

emilsnake48
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:01 PM

Posted 12 January 2010 - 03:36 PM

Sorry I didn't get back sooner. My son tried to run the Kaspersky scan, but it locked up twice. I suspect maybe because the MalawareBytes program I purchased was not turned off. In the meantime, my son was on the computer earlier today and suddenly the screen went blue. He tried several times to reboot, but all he gets is a blue screen with the message "A problem has been detected and Windows has been shut down to prevent damage to your computer..."

And of course we can't boot into Safe Mode because that was previously disabled by the virus or whatever you call it.

Now what?

The message code looks like this.

PAGE_FAULT_IN_NONPAGED_AREA

***STOP: 0X00000050 (0XC9464269, 0X00000000, 0X8905B08C, 0X00000000)

Also, I was able to boot in debugger mode, but it crapped out again when I started messing around with restore points. Maybe it's time to reinstall Windows?

Edited by emilsnake48, 12 January 2010 - 10:39 PM.


#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 61,950 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:01 PM

Posted 13 January 2010 - 09:56 PM

Hello,there's not conclusive evidence here for me to confirm Virut. Tho the increasing difficulties make me thik so. So unless you would like some info on reformatiing then... You will need to run HJT/DDS.
Please follow this guide. go and do steps 6 thru 8 ,, Preparation Guide For Use Before Using Hijackthis. Then go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal ,click New Topic,give it a relevant Title and post that complete log.

Let me know if it went OK.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#14 emilsnake48

emilsnake48
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:01 PM

Posted 13 January 2010 - 10:29 PM

I think reformatting is probably the way to go at this point. We don't really have any data stored that we can't afford to lose anyway. I really appreciate your help so far. Please provide the reformatting instructions. Thanks, again. BTW, when I do a cold start on the computer, I'm able to do a normal boot, but eventually the blue screen appears....

Edited by emilsnake48, 13 January 2010 - 10:31 PM.


#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 61,950 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:01 PM

Posted 13 January 2010 - 11:04 PM

Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to backup any autorun.ini or .exe files because they may be infected. Some types of malware may disguise itself by adding and hiding its extension to the existing extension of files so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best proceedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.

==============================

2 guidelines/rules when backing up

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not backup any executables files or any window files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results, they may be handy.

Since we don't know exactly which infections we're dealing with here, we should take some precautions before we attempt to move files from the infected machine. Run the following on your clean computer, and make sure you insert your flash drives at the prompt.
Download and Run FlashDisinfector

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
VIRUT
Caution: If you are considering reformatting and backing up your data, keep in mind, with a Virut infection, there is always a chance of backed up data reinfecting your system. If the data is that important to you, then you can try to salvage some of it but there is no guarantee so be forewarned that you may have to start over again afterwards if reinfected by attempting to recover your data. Only back up your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, and .html) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executable files inside them as some types of malware can penetrate and infect .exe files within compressed files too. Other types of malware may even disguise itself by adding and hiding its extension to the existing extension of file(s) so be sure you look closely at the full file name. After reformatting, scan the backed up data with your anti-virus prior to to copying it back to your hard drive.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users