
Help, Infected even after reformat!


1 reply to this topic

#1 dialtone

  • Members
  • 2 posts

Posted 11 May 2009 - 01:41 AM

Hey all, first time posting, as I have always been able to figure this type of stuff out myself, but this problem has me stumped. I had an infection on my previous install of XP (with current Windows updates). It was causing half my search links in Google to be redirected and causing a ton of popups, and when I installed a few different AV programs such as S&D, MalwareBytes, etc., they wouldn't even open. I ended up getting them open by changing the program name (e.g. mbam.exe to mbam1.exe), ran some scans and found I had a ton of infections, the majority of which were Vundo.h. I contemplated going through the pain of finding and getting rid of all the infections, but I knew just running a fix through the AV wasn't going to cut the mustard, as I did try once and of course it was all still there. So, seeing as my partition with XP only had about 10 gigs of downloads that needed to be backed up, I decided I would move them over to my external drive, reformat, and start with a fresh install of XP to be clean and speedy again. This has always worked in the past: if I came across something nasty, a reformat/install has always been quicker than fighting each infection and having scar damage.

Well anyways, after the reformat/install of XP I was astonished to see that my browser was still being redirected. I then went and tried to install some AV programs and they still were unable to open, and this time even when changing the name of the program they still wouldn't open.

Now I have 1 main internal HD that is split into 3 partitions (one for Vista, which was preinstalled when I bought my rig; one 6GB for HP Recovery, which was also preinstalled before purchase; and one of approx. 40GB that I created for an XP install and dual boot). I also have 2 external HDs that I store all my downloading on.

I believe maybe this is the first virus I have encountered that has spread to the other drives and somehow (don't ask me how) is able to rerun even after a reformat, which I don't get, as I would assume it would have to be in the registry or startup to get itself going. Or, when I plugged in the externals after the install, it scanned through the files with the autoplay and maybe got activated through that. Either way I'm not sure; these are conspiracy theories I'm throwing out there, and that's why I've come to seek professional help. I'm going to include a HijackThis scan log and hope someone can give me some ideas. Thanks guys.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:30 AM, on 5/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\uTorrent\uTorrent.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [StartCCC] "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAB41BCE-C6D9-4E96-BD06-C8569D214ED7}: NameServer = 85.255.112.12,85.255.112.112
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.12,85.255.112.112
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.12,85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.12,85.255.112.112
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe

--
End of file - 2940 bytes
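The O17 lines in the log above are the security-relevant part of this post: both the per-interface key and the global Tcpip\Parameters key have NameServer set to 85.255.112.12 and 85.255.112.112, so every DNS lookup on this install goes through those two resolvers, and a redirect done at the resolver will persist no matter which browser or AV installer is used. The script below is an added example, not the poster's code and not part of HijackThis. It parses O17 lines, lists every resolver they name, and flags any that fall inside the rogue resolver ranges the FBI later published for the DNSChanger takedown (Operation Ghost Click, 2011); 85.255.112.0/20 is one of those ranges. The range list is my addition, as is the last O17 sample line with a 192.168.1.1 router address and a made-up interface GUID, which is constructed to show the benign case; the other O17 lines and the O23 line are copied from the log.

```python
"""Audit the NameServer values that HijackThis reports on O17 lines.

Added example for this thread; not the poster's code and not part of
HijackThis. The rogue ranges are the DNSChanger resolver ranges from the
FBI's Operation Ghost Click notice (2011); the log only shows the two IPs.
"""
import ipaddress
import re

# DNSChanger (Rove Digital) rogue resolver ranges, per the FBI notice.
# 85.255.112.0/20 covers the two servers in the log above.
DNSCHANGER_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]

# An O17 line has the shape "O17 - <registry key>: NameServer = ip[,ip...]".
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\[^:]+): NameServer = (?P<servers>[\d.,\s]+)$")

# Four O17 lines and one O23 line copied from the log above, plus one
# constructed O17 line (made-up GUID, router address) for the benign case.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAB41BCE-C6D9-4E96-BD06-C8569D214ED7}: NameServer = 85.255.112.12,85.255.112.112
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.12,85.255.112.112
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.12,85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.12,85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
"""


def parse_o17(log_text):
    """Return [(registry_key, [ip, ...]), ...] for every O17 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            entries.append((m.group("key"), servers))
    return entries


def classify(ip_str, trusted=()):
    """Label one resolver: 'rogue', 'trusted', 'private' (LAN/router) or 'public'.

    A known-rogue address wins over the trusted list on purpose, so a
    resolver that was copied into a trusted list by mistake still flags.
    """
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in DNSCHANGER_RANGES):
        return "rogue"
    if ip_str in set(trusted):
        return "trusted"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "private"
    return "public"


def audit(log_text, trusted=()):
    """Map each distinct nameserver named on an O17 line to its label."""
    return {ip: classify(ip, trusted)
            for _, servers in parse_o17(log_text) for ip in servers}


def rogue_keys(log_text):
    """Registry keys whose NameServer value points at a rogue resolver."""
    return [key for key, servers in parse_o17(log_text)
            if any(classify(ip) == "rogue" for ip in servers)]


if __name__ == "__main__":
    for ip, label in sorted(audit(SAMPLE_LOG).items()):
        print(f"{ip:16} {label}")
    for key in rogue_keys(SAMPLE_LOG):
        print("rogue NameServer under", key)
```

To run it against a saved log, call audit(open(path).read()) and pass your ISP's or router's resolver addresses as trusted=(...). The labels are only a first cut: "public" means the address is not in the rogue list and not on your LAN, not that it is safe, so anything public that you did not configure yourself deserves a look. The check worth doing next on a machine like this one is to compare the addresses on the O17 lines with the DNS servers the router actually hands out and to look at the router's own DNS settings, because a resolver address that comes from the network side would come back on any number of reformats.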



#2 shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost

Posted 22 May 2009 - 06:57 AM

Hi dialtone,

Your log is several days old. If you still need help simply reply to my post.

How Can I Reduce My Risk to Malware?




