I've never run into a problem that stumped me like this one has. I spent a few hours at my friend's store Wednesday and thought it was a System Guard 2009 infection. But the computer would not allow me access. The only way in was Safe Mode and once in, AVG was crippled and the system would not clear the infection.
I then tried what I thought was a utility to remove System Guard 2009, that I had downloaded before going there, and ended up installing Spyware Doctor. It comes without any virus data and must be updated to run. Not an easy task in Safe Mode with a virus problem on the system. I ran the System Guard 2009 removal tool I had brought along without success and ended up removing it via the uninstall option in the program. Still no joy. Ended up bringing the box home, pulled the drive and slaved it to my system and ran Avast! Removed 20-odd trojans and .dlls with Avast and also ran Malwarebytes and removed another 19 items (Vundo and its variants were the primary infections, but there were many other trojan downloaders). Installed Spyware Doctor on my system and found that there was no option to scan anything but the computer it is installed on, and not any of the USB-connected or slaved drives. Removed it from my system. Running Avast again found 3 more problems in the System Restore files and removed them.
I reinstalled the drive in its box and tried to start it, but the result was the same. It's set to boot to the desktop, but flashes the Welcome screen and then his wallpaper and then back to the Welcome screen after a few long moments and then presents him with his profile name to click. Clicking that brings a quick log-in and then it logs out without getting past the Welcome screen.
My plan is to reinstall the drive and start in Safe Mode and maybe do a System Restore back to the middle of March, before he noticed problems, but am reluctant because of all the trojans and other infections I removed and not knowing when they got onboard. Otherwise, I suppose that the best course might be to try and manually remove any registry entries and other files related to this nasty. But I can't be sure what the real problem is and that is the main roadblock to getting the system clean.
The SR files were scanned with Avast when I had the drive slaved to my machine and most of the infections were found there. Of course they were copies of the infections that were on the system, stored in each restore point since the problem began.
Just tried booting to Safe Mode and now it's exhibiting the same behavior in Safe Mode. Won't log into his profile or Administrator. Now it doesn't even flash his wallpaper, but just cycles from starting to saving settings and then logging off.
I did some more poking around with the drive slaved to my system and found a file in the guy's Documents & Settings folder, "GoToAssist_phone__317_en.exe", that I didn't like the look of and Googled it. It's part of a trojan, so I renamed it and then went into the drive's System Restore folder and ran a Spybot S&D scan that turned up another .ini nasty, so I deleted the entire restore point. I was going to run scans on all the restore points, but that would be tedious to say the least. The more I poke around, the more it looks like the worst of this started on or about April 1st, so I'm thinking of manually deleting all restore points, or at least all back to April first. Any reason why I shouldn't do this? I don't expect that it will clear the infection, but it should clear any old traces of infections still remaining. I'm at a loss as to what to do next.
Thoughts? Thanks in advance.
Here are the 2 Malwarebytes logs I got, one on the 15th & one on the 16th.
Malwarebytes' Anti-Malware 1.36
Database version: 1987
Windows 5.1.2600 Service Pack 2
4/15/2009 4:21:47 PM
mbam-log-2009-04-15 (16-21-47).txt
Scan type: Quick Scan
Objects scanned: 53984
Time elapsed: 1 hour(s), 36 minute(s), 8 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 19
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
g:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\202FJYKU\srm_free_setup[1].exe (Rogue.SpywareRemover) -> Quarantined and deleted successfully.
g:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\202FJYKU\srm_free_setup[2].exe (Rogue.SpywareRemover) -> Quarantined and deleted successfully.
g:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\7WQ82LP7\promo[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
g:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\7WQ82LP7\srm_free_setup[2].exe (Rogue.SpywareRemover) -> Quarantined and deleted successfully.
g:\System Volume Information\_restore{5240FF09-BB26-4FF2-8F99-4FB419FD4C4D}\RP136\A0009503.exe (Trojan.Agent) -> Quarantined and deleted successfully.
g:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1919\A0278968.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
g:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1919\A0279962.exe (Trojan.Katusha) -> Quarantined and deleted successfully.
g:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1920\A0286024.exe (Rogue.SpywareRemover) -> Quarantined and deleted successfully.
g:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1920\A0286026.exe (Rogue.SpywareRemover) -> Quarantined and deleted successfully.
g:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1920\A0286028.exe (Rogue.MalwareRemover2009) -> Quarantined and deleted successfully.
g:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1920\A0286029.exe (Rogue.SpywareRemover) -> Quarantined and deleted successfully.
g:\WINDOWS\promo.exe (Trojan.Agent) -> Quarantined and deleted successfully.
g:\WINDOWS\msa.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
g:\WINDOWS\msb.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
g:\WINDOWS\SYSTEM32\userinit.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
g:\WINDOWS\SYSTEM32\hudwirpt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
g:\WINDOWS\SYSTEM32\lijueu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
g:\WINDOWS\SYSTEM32\pgggia.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
g:\WINDOWS\SYSTEM32\naqqdfng.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
Malwarebytes' Anti-Malware 1.36
Database version: 1987
Windows 5.1.2600 Service Pack 2
4/16/2009 6:59:52 PM
mbam-log-2009-04-16 (18-59-52).txt
Scan type: Quick Scan
Objects scanned: 54114
Time elapsed: 4 hour(s), 22 minute(s), 39 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Edited by Doc Watson, 17 April 2009 - 04:16 PM.
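An editorial note with an added example, not code from the poster or from Malwarebytes: the 15 April log above records g:\WINDOWS\SYSTEM32\userinit.exe as "Quarantined and deleted successfully", and on Windows XP the Userinit value under the Winlogon registry key points at that binary; when the file is missing, every interactive logon ends immediately after the Welcome screen, which matches the log-in/log-off cycle described in the post. The script below parses MBAM 1.x "Files Infected" lines, separates restore-point and browser-cache copies (inert once deleted) from files in the live system directory, and flags any logon-critical binary that was removed rather than disinfected. The LOGON_CRITICAL list and the location categories are this example's own assumptions; the sample log is a constructed excerpt of the posted 15 April log.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# One MBAM 1.x "Files Infected" line has the shape:
#   <path> (<detection name>) -> <action taken>.
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

# Assumption for this example: binaries Windows XP needs to complete an
# interactive logon. Removing one of them (instead of cleaning it) leaves the
# machine in a logon/logoff loop until the file is put back.
LOGON_CRITICAL = {"userinit.exe", "winlogon.exe", "explorer.exe"}

# Constructed excerpt of the 15 April 2009 log posted above (7 of the 19 lines).
SAMPLE_LOG = r"""
Files Infected:
g:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\202FJYKU\srm_free_setup[1].exe (Rogue.SpywareRemover) -> Quarantined and deleted successfully.
g:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\7WQ82LP7\promo[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
g:\System Volume Information\_restore{5240FF09-BB26-4FF2-8F99-4FB419FD4C4D}\RP136\A0009503.exe (Trojan.Agent) -> Quarantined and deleted successfully.
g:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1919\A0278968.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
g:\WINDOWS\promo.exe (Trojan.Agent) -> Quarantined and deleted successfully.
g:\WINDOWS\SYSTEM32\userinit.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
g:\WINDOWS\SYSTEM32\hudwirpt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""


def parse_mbam_files(log_text):
    """Return one dict (path, threat, action) per line in the 'Files Infected' section."""
    hits = []
    in_files = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Files Infected:":
            in_files = True
            continue
        # Skip everything before the section and the "(No malicious items detected)" filler.
        if not in_files or not line or line.startswith("("):
            continue
        m = LINE_RE.match(line)
        if m:
            hits.append({"path": m["path"], "threat": m["threat"], "action": m["action"]})
    return hits


def classify(path):
    """Bucket a detection by where it lived; only the live system directory affects boot/logon."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if "system volume information" in parts:
        return "restore-point copy"
    if "temporary internet files" in parts:
        return "browser cache"
    if "system32" in parts:
        return "system directory"
    return "other"


def triage(log_text):
    """Summarise a log and list logon-critical binaries that were quarantined/deleted."""
    hits = parse_mbam_files(log_text)
    return {
        "total": len(hits),
        "by_location": Counter(classify(h["path"]) for h in hits),
        "by_threat": Counter(h["threat"] for h in hits),
        "logon_critical_removed": [
            h["path"]
            for h in hits
            if PureWindowsPath(h["path"]).name.lower() in LOGON_CRITICAL
            and h["action"].lower().startswith("quarantined")
        ],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['total']} detections")
    for location, n in sorted(result["by_location"].items()):
        print(f"  {location}: {n}")
    for path in result["logon_critical_removed"]:
        print(f"WARNING: logon-critical file removed, expect a logon/logoff loop: {path}")
```

Run against the full log and the warning line is the item to act on first: the restore-point and cache entries are dead copies, but a quarantined userinit.exe has to be restored (from the scanner's quarantine or a known-good copy) before any System Restore or registry clean-up can be judged.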