
Vundo and Svchast.exe problems [Moved]


  • Please log in to reply
27 replies to this topic

#1 mimory (Member, 17 posts)

Posted 20 August 2009 - 11:35 PM

Hi wonderful people at BleepingComputer.com,

I recently got a new virus on my WINDOWS XP laptop that said something about windows antivirus 2009. One of the processes associated with it is svchast.exe. I think I've also had some remnants of the Vundo virus somewhere as well.

I downloaded the DDS program and it won't run.
I downloaded the RootRepeal program and it started, but during the scan it suddenly quit and won't open again.

I had Malwarebytes (I thought it was corrupted so I uninstalled and redownloaded it but now the installer won't start) and have SuperAntispyware (which also won't start)

I tried changing my windows firewall settings from the control panel but it won't open.
The browser wouldn't even go where I wanted it to go for a while until I ended the IEXPLORE.exe process and now I'm here asking for your help.

Thanks


#2 Orange Blossom (Moderator, 36,962 posts, Bloomington, IN)

Posted 21 August 2009 - 12:01 AM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 mimory (Topic Starter)

Posted 21 August 2009 - 12:13 AM

Ok, so I tried renaming the DDS program's extension to make it run but it still won't. While in the .pif format, I checked the properties and under Security, I see (and now this has nothing to do with DDS) four users, or I should say one user and three groups. Administrator (me), Administrators, SYSTEM, and Users. Is this normal or is my paranoia reaching new heights?

#4 mimory (Topic Starter)

Posted 21 August 2009 - 01:26 PM

***Update***

I am locked out of a lot of control panel functions including user accounts. Somehow the virus has removed my administrator privileges because when I tried to run a .msi file a box came up saying,
"The system administrator has set policies to prevent this installation"

#5 mimory (Topic Starter)

Posted 21 August 2009 - 03:21 PM

Ok, so after living in safe mode for a while I managed to delete a few files. UACinit.dll, desot.exe, and windowsantiviruspro.exe. After doing this, I was given a little more access to my computer. I rebooted into normal mode and was able to install malwarebytes but it won't run, I was given some more access to control panel stuff like display, and I was able to run dds.scr but it won't scan and just sits there with a little bit of text. As I wrote the previous sentence, windowsantivirus came back, but without the svchast.exe process (unless it is hidden from the task manager).

#6 Blade (Site Admin, 12,704 posts)

Posted 21 August 2009 - 04:15 PM

Hello, please run the following in Normal Mode

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
~Blade


In your next reply, please include the following:
Sophos ARK log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#7 mimory (Topic Starter)

Posted 23 August 2009 - 05:21 PM

Hi Blade Zephon,

I can't start in normal mode anymore; I get a black screen with my mouse pointer. **UPDATE** I had just gone into normal mode for a second to use the internet before finding out most of the websites I wanted to visit were getting the "Connection interrupted" page. I found the UACinit.dll file again so I deleted it and I'm gonna try again while I wait for a reply**

PS Thanks for the help.

-M

Edited by mimory, 23 August 2009 - 05:26 PM.


#8 Blade (Site Admin)

Posted 23 August 2009 - 06:40 PM

Hello mimory,

Try and run Sophos in Safe Mode. You might get a couple error messages, but I think that the program should still run. Let me know if it doesn't work.

~Blade



#9 mimory (Topic Starter)

Posted 23 August 2009 - 08:12 PM

Hey Blade Zephon,

I installed the program in safe mode and ran it. I have two error messages,

The first was a FATAL ERROR that said I can't run a kernel driver in safe mode.
The second was a WARNING that I don't have access to the registry and that the
"Maximum number of secrets that may be stored in a single system has been exceeded."

-M

#10 Blade (Site Admin)

Posted 23 August 2009 - 08:18 PM

Hello mimory,

You mentioned that Malwarebytes would install, but not run. I'd like you to try this to see if you can get it to run.

If you have problems getting MBAM to execute after installation, navigate to the folder MBAM installed to and rename mbam.exe to winlogon.exe. Then double click on the file you just renamed to launch the program. Once MBAM is running, make sure you've updated it and then run a FULL scan. Post the results of the scan in your next reply please.

~Blade



#11 mimory (Topic Starter)

Posted 23 August 2009 - 08:32 PM

Hey Blade Zephon,

No luck with the rename of mbam.

-M

#12 Blade (Site Admin)

Posted 23 August 2009 - 08:42 PM

With the information you have provided I believe you will need help from the malware removal team. Please read the information about getting started. After you have followed the steps in that guide, I would like you to start a new thread HERE and include a link to this thread.

Since you mentioned that DDS will not run, below I have provided instructions for an alternate scanner whose logs you may post in your new thread instead of the DDS logs. If you are unable to run the scanner, you should not create a new topic but instead reply back here for further instruction.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. The HJT team is very busy, so it could be several days before you receive a reply. But rest assured, help is on the way!

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt.
~Blade



#13 mimory (Topic Starter)

Posted 23 August 2009 - 08:50 PM

Hi BZ,

The program was able to run but closes just as it's about to finish. The weird thing is that the icon picture changes to the default application icon afterwards.

-M

#14 Blade (Site Admin)

Posted 23 August 2009 - 08:57 PM

Darn it. Alright. . . try this. You can post this scan log in your new thread, don't post it here.

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in your new thread:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized



#15 mimory (Topic Starter)

Posted 23 August 2009 - 09:11 PM

Hi BZ,

That one won't scan after the first window either. I opened one of the killed .exe files a few times really fast while watching the task manager and saw desot.exe pop up very quickly before disappearing.

The problem was that once I put that file, (which I found in C:\windows\system32) in the recycle bin to put it out of commission, none of my .exe files would open at all. They instead give me a message that I need to open the file with something. I right clicked an .exe file and tried run as... and after picking which user to run the file as I was told I can't run the program with safe mode. This happened even with files that I had opened in safe mode seconds before.

-M
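The symptoms mimory reports in posts #1, #4 and #15 (a process named almost like svchost, the "system administrator has set policies" message when running an .msi, and .exe files that suddenly ask what program should open them) each map to a specific, checkable place on a Windows system. The read-only triage script below is an editorial addition, not code from this thread or from any of the tools it names. It assumes a modern PowerShell rather than the 2009-era XP install described here, and the registry value names it checks (DisableMSI, DisableTaskMgr, DisableRegistryTools) are standard Windows policy values that the thread itself never names. It only reports; it changes nothing.

```powershell
# Read-only triage of the symptom classes described in this thread.
# Editorial example; not from the thread or from Sophos/MBAM/RSIT/OTL.
# Run from an elevated prompt. Every "SUSPECT" line is a lead to investigate,
# not a verdict: some enterprise images set these policies deliberately.

$findings = @()

# 1. The .exe file association (post #15: "I need to open the file with something").
#    The stock command is exactly '"%1" %*'; a wrapper executable inserted here runs
#    before every program the user launches.
$exeCmdPaths = @(
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
    'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'
)
foreach ($p in $exeCmdPaths) {
    if (Test-Path $p) {
        $cmd = (Get-ItemProperty -Path $p).'(default)'
        if ($cmd -ne '"%1" %*') {
            $findings += "SUSPECT exefile open command at ${p}: $cmd"
        }
    }
}

# 2. Policy values behind "The system administrator has set policies to prevent this
#    installation" (post #4) and the locked Task Manager / Registry Editor that usually
#    accompany it. Value names are standard Windows policy values (assumed, not named
#    in the thread). Any non-zero value is a restriction.
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer';                  Name = 'DisableMSI' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';      Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';      Name = 'DisableRegistryTools' }
)
foreach ($c in $policyChecks) {
    if (Test-Path $c.Path) {
        $v = (Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue).($c.Name)
        if ($null -ne $v -and $v -ne 0) {
            $findings += "SUSPECT policy $($c.Name)=$v at $($c.Path)"
        }
    }
}

# 3. Look-alike process names (post #1: svchast.exe). Flag any running process whose
#    name is one character away from "svchost", and any real svchost.exe that is not
#    running from System32.
$legit = 'svchost'
foreach ($name in (Get-Process | Select-Object -ExpandProperty ProcessName -Unique)) {
    $n = $name.ToLower()
    if ($n -ne $legit -and $n.Length -eq $legit.Length) {
        $diff = 0
        for ($i = 0; $i -lt $legit.Length; $i++) {
            if ($n[$i] -ne $legit[$i]) { $diff++ }
        }
        if ($diff -le 1) { $findings += "SUSPECT look-alike process name: $name.exe" }
    }
}
foreach ($proc in (Get-Process -Name $legit -ErrorAction SilentlyContinue)) {
    if ($proc.Path -and $proc.Path -notlike "$env:SystemRoot\System32\*") {
        $findings += "SUSPECT svchost outside System32 (PID $($proc.Id)): $($proc.Path)"
    }
}

# 4. The file names mimory found and deleted in post #5; check whether they are back.
$reportedNames = 'UACinit.dll', 'desot.exe', 'windowsantiviruspro.exe'
foreach ($f in $reportedNames) {
    $full = Join-Path $env:SystemRoot "System32\$f"
    if (Test-Path $full) { $findings += "SUSPECT file present: $full" }
}

if ($findings.Count -eq 0) {
    'No indicators found by this script (which by itself proves nothing).'
} else {
    $findings
}
```

The one-character match on "svchost" is deliberately narrow: it catches the svchast.exe pattern from post #1 without flagging every short process name, and the separate path check covers the other common trick of a correctly named svchost.exe started from the wrong directory. Save the output with the other logs a helper asks for; a clean result from this script does not replace the rootkit and full-system scans requested above.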



