Need Help with an apparent Vundo attack


17 replies to this topic

#1 dsut56

Posted 22 September 2009 - 12:25 AM

Hello.

I need help. I've had various virus hit my machine before, but mostly they did little harm and were fairly easy to remove with Malwarebytes and AVG. The attack that hit me today appears to be much worse.

This afternoon, my browser hung as I was downloading a file off a website. I had to kill IE7, but then it wouldn't run anymore. Before rebooting, I ran Malwarebytes and it returned the following log:

C:\WINDOWS\fsov8dnt.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Douglas Sutherland\Start Menu\Programs\Startup\mhbupd32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Douglas Sutherland\Local Settings\Temp\~TM6F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\~TM6F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Douglas Sutherland\Local Settings\Temporary Internet Files\Content.IE5\L3EUXZDU\load[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\L3EUXZDU\load[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Douglas Sutherland\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\9129837.exe (Trojan.Agent) -> Quarantined and deleted successfully.

My hard drive now appears to be constantly active. I can give more details on the steps I have taken so far, but there appears to be a limit to the length of the post in this form.

What do I do now?

dsut56



#2 Budapest (Moderator)

Posted 22 September 2009 - 01:25 AM

Run another quick-scan with Malwarebytes and post the log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 dsut56 (Topic Starter)

Posted 22 September 2009 - 10:16 AM

First a bit of additional information. When I ran the original Malwarebytes quick scan, it said to reboot to complete the removal process. When I did that, the PC hung and I had to do a forced shut down. After that, the PC hung whenever I booted normally. I booted into Safe Mode and ran a full Malwarebytes scan that returned the following:

Scan type: Full Scan (C:\|)
Objects scanned: 352107
Time elapsed: 2 hour(s), 16 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Files Infected:
C:\Documents and Settings\HelpAssistant\Start Menu\Programs\Startup\mhbupd32.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Now my system seems to boot, but there is a lot of HD activity and IE and Firefox don't work in Normal mode. I also got an error message from Sygate Agent Firewall that it encountered a problem and had to close.

At your request, I just ran another Quick Scan from Normal mode. The scan showed no problems. I tried to update Malwarebytes, but that failed. The program is fairly up to date (program date: 9/10/09, database: 9/17/09), but something is corrupted with my Internet connectivity - at least in Normal mode. Previously I tried to do a System Restore, but it showed that all my Restore Points were gone.

Thanks for your assistance.

dsut56

#4 Budapest (Moderator)

Posted 22 September 2009 - 04:06 PM

Right click on the C drive in Explorer and go Properties > Tools > Check Now (under Error Checking). Check both boxes then click "Start Now". A message will pop up saying that Error Checking will run after you restart the computer. Restart the computer and Error Checking will run automatically after the restart. After it's finished it will restart into Windows automatically. See if there is any improvement.

#5 dsut56 (Topic Starter)

Posted 22 September 2009 - 08:53 PM

I ran the error check, but it didn't seem to make things better. The system boots normally, but takes a long time (10 minutes or more to fully boot once I log in) and the HD appears to be constantly active for a very, very long time. Every operation I do on the machine takes a long time. Neither IE8 nor Firefox works in Normal mode. Also, every time I boot, I now get a Sygate Agent Firewall error that says it has encountered a problem and needs to close. In spite of this, the Sygate SMC.exe process appears to be running when I look at the Task Manager. DRWTSN32.EXE is also running in the Sygate tree.

Last night after the HD quieted down, I ran an AVG virus scan and it came back clean.

A couple of notes about other things that happened yesterday. When I first noticed that IE7 was not working, I noticed that IE8 was waiting to be installed from the Windows Automatic Update. I decided perhaps this would correct any problems with IE7 and restore function, so I let it upgrade. When I rebooted to finish the install, the window popped up saying that it was setting up my Personal Settings for the browser. Alas, when it finished booting into Windows, IE8 still didn't work. I also tried to run SB S&D, but it didn't seem to be working properly. I tried to uninstall it so I could reinstall it, but the uninstall file was missing, so the uninstall failed. Later I also tried to run Firefox to see if my problem was only with IE. It wanted to do an upgrade before it launched (I hadn't run it for a while) and the update failed. Now when I try to launch Firefox, it fails with an error message saying something about the current version not being compatible with some aspect of the program.

Currently, IE8 kind of works when I boot into Safe Mode with Networking. I can access my ISP, but when I try to log into my account, I get a popup window that says Internet Explorer has encountered a problem and needs to shut down. If I click Okay, it seems to just relaunch IE8 and bring me back to the opening screen. If I log in and ignore the error popup window, the browser seems to work and I'm able to log in and access my account, email, etc.

Obviously things are still quite messed up. Where do we go from here?

BTW, I'm running Windows XP, SP3.

dsut56

#6 Budapest (Moderator)

Posted 22 September 2009 - 09:00 PM

A long boot time can be caused by a mapped network drive or printer that is no longer available.

#7 dsut56 (Topic Starter)

Posted 22 September 2009 - 09:12 PM

Okay, that is the least of my problems right now (the boot speed). How do we proceed to find out why IE isn't working, to figure out what is hitting the HD, and why my Sygate Firewall is crashing but still showing up in the process list? Also, when I shut down, I now get an error saying that AXWIN Frame Window is not responding, End Now? I never saw that error before.

Thanks for the help!

#8 Budapest (Moderator)

Posted 22 September 2009 - 09:41 PM

Have a look in the Event Viewer for any errors that might be related to your problems.

To open the Event Viewer go to Start > Control Panel > Administrative Tools > Event Viewer. Alternately, go to Start > Run and type in "eventvwr.msc" (without the quotes) and press Enter.

Check in all the categories.

If you find an error that occurred at the time right-click on it and select properties. Copy the information in the window and post it back here.

How To Use the Event Viewer

#9 dsut56 (Topic Starter)

Posted 22 September 2009 - 10:54 PM

I see tons of errors under the Application and System categories. They seem to have started around the time the virus hit.

I'll try to gather some of the information and post it tomorrow.

#10 Budapest (Moderator)

Posted 22 September 2009 - 11:00 PM

You could also try this scan.

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#11 dsut56 (Topic Starter)

Posted 30 September 2009 - 04:18 PM

Budapest,

I started to try your latest advice. I downloaded the ATF Cleaner and the SuperAntiSpyware. I started to install the SuperAntiSpyware and I get an error message from the Windows Installer that says:

The system administrator has set policies to prevent this installation.

Have you seen this before and how do I get around it?

Thanks again for all your help.

Back to your earlier request to look at the Event Viewer: around the time of the virus attack, here are some of the Application errors I saw:

Application category:

Event Type: Information
Event Source: SecurityCenter
Event Category: None
Event ID: 1801
Date: 09/21/09
Time: 3:42:28 PM
User: N/A
Computer: STUDY8300
Description:
The Windows Security Center Service has stopped.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Information
Event Source: crypt32
Event Category: None
Event ID: 7
Date: 09/21/09
Time: 3:42:41 PM
User: N/A
Computer: STUDY8300
Description:
Successful auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 09/21/09
Time: 3:44:52 PM
User: N/A
Computer: STUDY8300
Description:
Faulting application 9129837.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x00b7c001.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 39 31 32 ure 912
0018: 39 38 33 37 2e 65 78 65 9837.exe
0020: 20 35 2e 31 2e 32 36 30 5.1.260
0028: 30 2e 35 35 31 32 20 69 0.5512 i
0030: 6e 20 75 6e 6b 6e 6f 77 n unknow
0038: 6e 20 30 2e 30 2e 30 2e n 0.0.0.
0040: 30 20 61 74 20 6f 66 66 0 at off
0048: 73 65 74 20 30 30 62 37 set 00b7
0050: 63 30 30 31 0d 0a c001..


Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 09/21/09
Time: 4:04:30 PM
User: N/A
Computer: STUDY8300
Description:
Faulting application Ad-AwareAdmin.exe, version 8.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00d5c001.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 41 64 2d ure Ad-
0018: 41 77 61 72 65 41 64 6d AwareAdm
0020: 69 6e 2e 65 78 65 20 38 in.exe 8
0028: 2e 30 2e 30 2e 30 20 69 .0.0.0 i
0030: 6e 20 75 6e 6b 6e 6f 77 n unknow
0038: 6e 20 30 2e 30 2e 30 2e n 0.0.0.
0040: 30 20 61 74 20 6f 66 66 0 at off
0048: 73 65 74 20 30 30 64 35 set 00d5
0050: 63 30 30 31 c001

Event Type: Information
Event Source: Creative Service for CDROM Access
Event Category: None
Event ID: 105
Date: 09/21/09
Time: 5:44:57 PM
User: N/A
Computer: STUDY8300
Description:
The service was started.

Event Type: Information
Event Source: IJPLMSVC
Event Category: None
Event ID: 1
Date: 09/21/09
Time: 5:44:57 PM
User: N/A
Computer: STUDY8300
Description:
The service is started.

Event Type: Information
Event Source: Bonjour Service
Event Category: None
Event ID: 1
Date: 09/21/09
Time: 5:44:58 PM
User: N/A
Computer: STUDY8300
Description:
The description for Event ID ( 1 ) in Source ( Bonjour Service ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: mDNSResponder started.

Event Type: Information
Event Source: WMDM PMSP Service
Event Category: None
Event ID: 105
Date: 09/21/09
Time: 5:44:58 PM
User: N/A
Computer: STUDY8300
Description:
The service was started.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 09/21/09
Time: 5:46:30 PM
User: N/A
Computer: STUDY8300
Description:
Faulting application Smc.exe, version 5.6.0.2808, faulting module unknown, version 0.0.0.0, fault address 0x019ec001.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 53 6d 63 ure Smc
0018: 2e 65 78 65 20 35 2e 36 .exe 5.6
0020: 2e 30 2e 32 38 30 38 20 .0.2808
0028: 69 6e 20 75 6e 6b 6e 6f in unkno
0030: 77 6e 20 30 2e 30 2e 30 wn 0.0.0
0038: 2e 30 20 61 74 20 6f 66 .0 at of
0040: 66 73 65 74 20 30 31 39 fset 019
0048: 65 63 30 30 31 ec001

Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1004
Date: 09/21/09
Time: 6:18:11 PM
User: N/A
Computer: STUDY8300
Description:
Faulting application Smc.exe, version 5.6.0.2808, faulting module unknown, version 0.0.0.0, fault address 0x019ec001.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 53 6d 63 ure Smc
0018: 2e 65 78 65 20 35 2e 36 .exe 5.6
0020: 2e 30 2e 32 38 30 38 20 .0.2808
0028: 69 6e 20 75 6e 6b 6e 6f in unkno
0030: 77 6e 20 30 2e 30 2e 30 wn 0.0.0
0038: 2e 30 20 61 74 20 6f 66 .0 at of
0040: 66 73 65 74 20 30 31 39 fset 019
0048: 65 63 30 30 31 ec001

Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 09/21/09
Time: 11:42:31 PM
User: NT AUTHORITY\SYSTEM
Computer: STUDY8300
Description:
Windows saved user STUDY8300\Douglas Sutherland registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 09/21/09
Time: 6:20:25 PM
User: N/A
Computer: STUDY8300
Description:
Faulting application motivesb.exe, version 5.6.7.42730, faulting module unknown, version 0.0.0.0, fault address 0x00c3c001.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 6d 6f 74 ure mot
0018: 69 76 65 73 62 2e 65 78 ivesb.ex
0020: 65 20 35 2e 36 2e 37 2e e 5.6.7.
0028: 34 32 37 33 30 20 69 6e 42730 in
0030: 20 75 6e 6b 6e 6f 77 6e unknown
0038: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0040: 20 61 74 20 6f 66 66 73 at offs
0048: 65 74 20 30 30 63 33 63 et 00c3c
0050: 30 30 31 0d 0a 001..
Event Type: Error
Event Source: Lavasoft Ad-Aware Service
Event Category: None
Event ID: 0
Date: 09/22/09
Time: 12:00:26 AM
User: N/A
Computer: STUDY8300
Description:
The description for Event ID ( 0 ) in Source ( Lavasoft Ad-Aware Service ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Failed to stop service.
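The records above were pasted out of the XP Event Viewer "Properties" window, and reading a dozen of them by hand is slow. The following parser is an added example (not code from the thread or from any tool named in it) that takes that copy-out format, drops the hex "Data:" dumps, pulls the faulting-application fields out of Application Error records, and groups crashes by faulting module so that several unrelated programs all faulting in the same or an "unknown" module stands out; the sample log embedded in it is constructed from abbreviated versions of the records in this post.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed sample in the XP Event Viewer "Properties" copy-out format used in
# the thread; the records are abbreviated versions of the ones the poster quoted.
SAMPLE_LOG = """Event Type: Information
Event Source: SecurityCenter
Event ID: 1801
Date: 09/21/09
Time: 3:42:28 PM
Computer: STUDY8300
Description:
The Windows Security Center Service has stopped.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Error
Event ID: 1000
Date: 09/21/09
Time: 3:44:52 PM
Computer: STUDY8300
Description:
Faulting application 9129837.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x00b7c001.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat

Event Type: Error
Event Source: Application Error
Event ID: 1000
Date: 09/21/09
Time: 5:46:30 PM
Computer: STUDY8300
Description:
Faulting application Smc.exe, version 5.6.0.2808, faulting module unknown, version 0.0.0.0, fault address 0x019ec001.
"""

HEADER_RE = re.compile(
    r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")
FAULT_RE = re.compile(
    r"Faulting application (?P<app>\S+), version (?P<app_ver>\S+), "
    r"faulting module (?P<module>\S+), version (?P<mod_ver>\S+), "
    r"fault address (?P<addr>0x[0-9A-Fa-f]+)")
# Lines that end the free-text description: the hex dump and the help-link boilerplate.
DESC_END = ("Data:", "For more information, see Help and Support Center")

# One parsed record; 'when' is a datetime built from the Date and Time fields.
Event = namedtuple("Event", "event_type source event_id when computer description")

def _when(date_str, time_str):
    return datetime.strptime(f"{date_str} {time_str}", "%m/%d/%y %I:%M:%S %p")

def parse_events(text):
    """Split the pasted text into records (each starts at 'Event Type:') and parse them."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        if not chunk.strip():
            continue
        fields, desc, in_desc = {}, [], False
        for line in chunk.splitlines():
            if in_desc:
                if line.startswith(DESC_END):
                    in_desc = False          # stop before the hex dump / boilerplate
                elif line.strip():
                    desc.append(line.strip())
            elif line.startswith("Description:"):
                in_desc = True
            else:
                m = HEADER_RE.match(line)
                if m:
                    fields[m.group(1)] = m.group(2).strip()
        events.append(Event(fields["Event Type"], fields["Event Source"],
                            int(fields["Event ID"]), _when(fields["Date"], fields["Time"]),
                            fields.get("Computer", ""), " ".join(desc)))
    return events

def application_crashes(events):
    """Application Error records (IDs 1000/1004) with the faulting-app fields parsed out."""
    crashes = []
    for ev in events:
        m = FAULT_RE.search(ev.description) if ev.source == "Application Error" else None
        if m:
            crashes.append({"when": ev.when, "event_id": ev.event_id, **m.groupdict()})
    return crashes

def crashes_by_module(crashes):
    """Group crashing programs by faulting module. Unrelated programs all faulting in
    the same (or an 'unknown') module is the cluster worth flagging for investigation."""
    groups = defaultdict(list)
    for c in crashes:
        groups[c["module"]].append(c["app"])
    return dict(groups)

def errors_between(events, start, end):
    """Error-type records inside a window ('MM/DD/YY H:MM:SS AM/PM' strings), e.g. around
    the time of the first Malwarebytes detection."""
    lo, hi = _when(*start.split(" ", 1)), _when(*end.split(" ", 1))
    return [ev for ev in events if ev.event_type == "Error" and lo <= ev.when <= hi]
```

Paste the full Event Viewer text into `SAMPLE_LOG` (or read it from a file) and call `crashes_by_module(application_crashes(parse_events(text)))` to get the per-module crash list.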

#12 Budapest (Moderator)

Posted 30 September 2009 - 04:33 PM

Those errors don't really point to anything conclusive. Try this scan:

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

#13 dsut56 (Topic Starter)

Posted 30 September 2009 - 11:11 PM

There were some Event errors under the Security category which I could post later if that would help, but I think your Dr.Web CureIt idea is better.

I downloaded it and started the Express Scan. It found a BackDoor.MaosBoot infection in the boot record. It indicated it might need to reboot to delete the files. It also said the old boot record wasn't saved and it asked if it could write a new standard boot record. I said yes. It restarted so fast I wasn't expecting it and it booted into Normal mode. I let it go and a window popped up saying something about new h/w or drivers or something had been installed and a reboot was needed to finish. I let it reboot, but Windows Update had updates ready and it installed this update before shutting down.

I rebooted into Safe Mode and ran CureIt again. This time, Express Scan said it found some suspicious things in the HOSTS file and asked to rewrite a default HOSTS file. I said yes. I then edited the Settings as instructed and started the Complete Scan as you instructed. It is running now.

I will post the results when it finishes or in the morning.

Thanks again!!

#14 Budapest (Moderator)

Posted 30 September 2009 - 11:15 PM

The scan can take a long time...

#15 dsut56 (Topic Starter)

Posted 01 October 2009 - 10:23 AM

The CureIt Complete Scan ran overnight and finally finished this morning. I rebooted and it went into Normal mode before I could hit F8, so I let it go to see what would happen. It took a long time to finish booting completely (I'm not sure if CureIt was still cleaning things up?) but when it finally came up, at first things were very slow (e.g. opening Windows Explorer took a while). I also noticed that there was still a lot of HD activity for quite a while. After 5 or 10 minutes, the HD quieted down and I tried opening IE8. It had not worked since the virus hit. It took a while to launch, but it did come up. So things have greatly improved.

Here's the DrWeb log:

winvnc4.exe;c:\program files\realvnc\vnc4;Program.RemoteAdmin;Incurable.Moved.;
SBC_SST_Installer.exe/data100\data009;C:\Data1\Downloads\SBC\SBC_SST_Installer.exe/data100;Program.RemoteAdmin;;
data100;C:\Data1\Downloads\SBC;Archive contains infected objects;;
SBC_SST_Installer.exe;C:\Data1\Downloads\SBC;Archive contains infected objects;Moved.;
last.exe;C:\Documents and Settings\Douglas Sutherland\Local Settings\Temp;DDoS.Kardraw.origin;Incurable.Moved.;
last.exe;C:\Documents and Settings\HelpAssistant\Local Settings\Temp;DDoS.Kardraw.origin;Incurable.Moved.;
ud_agent_setup[1].exe/udagent02.cab\SRVANY.EXE;C:\Documents and Settings\Kevin Sutherland\Local Settings\Temporary Internet Files\Content.IE5\KPABW9QF\ud_agent_setup[1].exe/u;Program.SrvAny;;
udagent02.cab;C:\Documents and Settings\Kevin Sutherland\Local Settings\Temporary Internet Files\Content.IE5\KPABW9QF;Archive contains infected objects;;
ud_agent_setup[1].exe;C:\Documents and Settings\Kevin Sutherland\Local Settings\Temporary Internet Files\Content.IE5\KPABW9QF;Archive contains infected objects;Moved.;
couponprinter.exe\data012;C:\Documents and Settings\Terry Sutherland\Desktop\couponprinter.exe;Adware.Coupons.34;;
couponprinter.exe\data013;C:\Documents and Settings\Terry Sutherland\Desktop\couponprinter.exe;Adware.Coupons.34;;
couponprinter.exe\data015;C:\Documents and Settings\Terry Sutherland\Desktop\couponprinter.exe;Adware.Coupons.34;;
couponprinter.exe\data016;C:\Documents and Settings\Terry Sutherland\Desktop\couponprinter.exe;Adware.Coupons.34;;
couponprinter.exe;C:\Documents and Settings\Terry Sutherland\Desktop;Container contains infected objects;Moved.;
npCouponPrinter.dll;C:\Program Files\Mozilla Firefox\plugins;Adware.Coupons.34;Incurable.Moved.;
winvnc4.exe;C:\Program Files\RealVNC\VNC4;Program.RemoteAdmin;Invalid path to file ;
Dc2378.exe\data012;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2378.exe;Adware.Coupons.34;;
Dc2378.exe\data013;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2378.exe;Adware.Coupons.34;;
Dc2378.exe\data015;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2378.exe;Adware.Coupons.34;;
Dc2378.exe\data016;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2378.exe;Adware.Coupons.34;;
Dc2378.exe;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007;Container contains infected objects;Moved.;
Dc2379.exe\data012;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2379.exe;Adware.Coupons.34;;
Dc2379.exe\data013;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2379.exe;Adware.Coupons.34;;
Dc2379.exe\data015;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2379.exe;Adware.Coupons.34;;
Dc2379.exe\data016;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2379.exe;Adware.Coupons.34;;
Dc2379.exe;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007;Container contains infected objects;Moved.;
Dc2380.exe\data012;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2380.exe;Adware.Coupons.34;;
Dc2380.exe\data013;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2380.exe;Adware.Coupons.34;;
Dc2380.exe\data015;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2380.exe;Adware.Coupons.34;;
Dc2380.exe\data016;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2380.exe;Adware.Coupons.34;;
Dc2380.exe;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007;Container contains infected objects;Moved.;
Dc2381.exe\data012;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2381.exe;Adware.Coupons.34;;
Dc2381.exe\data013;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2381.exe;Adware.Coupons.34;;
Dc2381.exe\data015;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2381.exe;Adware.Coupons.34;;
Dc2381.exe\data016;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2381.exe;Adware.Coupons.34;;
Dc2381.exe;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007;Container contains infected objects;Moved.;
Dc2382.exe\data012;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2382.exe;Adware.Coupons.34;;
Dc2382.exe\data013;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2382.exe;Adware.Coupons.34;;
Dc2382.exe\data015;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2382.exe;Adware.Coupons.34;;
Dc2382.exe\data016;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2382.exe;Adware.Coupons.34;;
Dc2382.exe;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007;Container contains infected objects;Moved.;
Dc2383.exe\data012;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2383.exe;Adware.Coupons.34;;
Dc2383.exe\data013;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2383.exe;Adware.Coupons.34;;
Dc2383.exe\data015;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2383.exe;Adware.Coupons.34;;
Dc2383.exe\data016;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2383.exe;Adware.Coupons.34;;
Dc2383.exe;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007;Container contains infected objects;Moved.;
Dc2384.exe\data012;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2384.exe;Adware.Coupons.34;;
Dc2384.exe\data013;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2384.exe;Adware.Coupons.34;;
Dc2384.exe\data015;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2384.exe;Adware.Coupons.34;;
Dc2384.exe\data016;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2384.exe;Adware.Coupons.34;;
Dc2384.exe;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007;Container contains infected objects;Moved.;
Dc2385.exe\data012;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2385.exe;Adware.Coupons.34;;
Dc2385.exe\data013;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2385.exe;Adware.Coupons.34;;
Dc2385.exe\data015;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2385.exe;Adware.Coupons.34;;
Dc2385.exe\data016;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2385.exe;Adware.Coupons.34;;
Dc2385.exe;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007;Container contains infected objects;Moved.;
Dc2386.exe\data012;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2386.exe;Adware.Coupons.34;;
Dc2386.exe\data013;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2386.exe;Adware.Coupons.34;;
Dc2386.exe\data015;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2386.exe;Adware.Coupons.34;;
Dc2386.exe\data016;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2386.exe;Adware.Coupons.34;;
Dc2386.exe;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007;Container contains infected objects;Moved.;
Dc2387.exe\data012;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2387.exe;Adware.Coupons.34;;
Dc2387.exe\data013;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2387.exe;Adware.Coupons.34;;
Dc2387.exe\data015;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2387.exe;Adware.Coupons.34;;
Dc2387.exe\data016;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2387.exe;Adware.Coupons.34;;
Dc2387.exe;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007;Container contains infected objects;Moved.;
Dc2390.exe\data012;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007\Dc2390.exe;Adware.Coupons.34;;
Dc2390.exe;C:\RECYCLER\S-1-5-21-3390830384-2062662816-2431766257-1007;Container contains infected objects;Moved.;
CouponPrinter.ocx;C:\WINDOWS;Adware.Coupons.34;Incurable.Moved.;
loader2.ocx;C:\WINDOWS\Downloaded Program Files;Trojan.DownLoader.origin;Incurable.Moved.;
SBC_SST_Installer.exe/data100\data009;D:\Backups\Data1-04209\Data1\Downloads\SBC\SBC_SST_Installer.exe/data100;Program.RemoteAdmin;;
data100;D:\Backups\Data1-04209\Data1\Downloads\SBC;Archive contains infected objects;;
SBC_SST_Installer.exe;D:\Backups\Data1-04209\Data1\Downloads\SBC;Archive contains infected objects;Moved.;
SBC_SST_Installer.exe/data100\data009;D:\Backups\Data1-112806\Downloads\SBC\SBC_SST_Installer.exe/data100;Program.RemoteAdmin;;
data100;D:\Backups\Data1-112806\Downloads\SBC;Archive contains infected objects;;
SBC_SST_Installer.exe;D:\Backups\Data1-112806\Downloads\SBC;Archive contains infected objects;Moved.;
redirector.dll;D:\Office1Backups\Office1C020904\Program Files\Common Files\OE;Adware.Xupiter.origin;Incurable.Moved.;
00003258.DLL;D:\Office1Backups\Office1C020904\RECYCLED\NPROTECT;Adware.SmartShow.origin;Incurable.Moved.;
dgrafsw.exe\data045;D:\PlayRoomBackup\122703\Data1\Downloads\Screensavers\Desktop Graffiti\dgrafsw.exe;Adware.SaveNow;;
dgrafsw.exe;D:\PlayRoomBackup\122703\Data1\Downloads\Screensavers\Desktop Graffiti;Archive contains infected objects;Moved.;
simpgrst.exe\data016;D:\PlayRoomBackup\122703\Data1\Downloads\Simpsons Themes\simpgrst\simpgrst.exe;Adware.Gator;;
simpgrst.exe\data017;D:\PlayRoomBackup\122703\Data1\Downloads\Simpsons Themes\simpgrst\simpgrst.exe;Adware.NewDotNet;;
simpgrst.exe;D:\PlayRoomBackup\122703\Data1\Downloads\Simpsons Themes\simpgrst;Archive contains infected objects;Moved.;
desktopx200_public.exe/data102\{8437E50F-D7CD-4768-B0A9-0118D0D48754}.DXScript2;D:\PlayRoomBackup\122703\Data1\Downloads\Stardock\DesktopX\desktopx200_public.exe/data102;Trojan.DownLoader.588;;
data102;D:\PlayRoomBackup\122703\Data1\Downloads\Stardock\DesktopX;Archive contains infected objects;;
desktopx200_public.exe/data132\{A70D3CC7-C119-4122-A715-52D61F774D40}.DXScript2;D:\PlayRoomBackup\122703\Data1\Downloads\Stardock\DesktopX\desktopx200_public.exe/data132;Trojan.DownLoader.588;;
data132;D:\PlayRoomBackup\122703\Data1\Downloads\Stardock\DesktopX;Archive contains infected objects;;
desktopx200_public.exe;D:\PlayRoomBackup\122703\Data1\Downloads\Stardock\DesktopX;Archive contains infected objects;Moved.;
desktopx200_public.exe/data102\{8437E50F-D7CD-4768-B0A9-0118D0D48754}.DXScript2;D:\PlayRoomBackup\122703\Data1\Downloads\Stardock\DesktopX\v199a\desktopx200_public.exe/data102;Trojan.DownLoader.588;;
data102;D:\PlayRoomBackup\122703\Data1\Downloads\Stardock\DesktopX\v199a;Archive contains infected objects;;
desktopx200_public.exe/data132\{A70D3CC7-C119-4122-A715-52D61F774D40}.DXScript2;D:\PlayRoomBackup\122703\Data1\Downloads\Stardock\DesktopX\v199a\desktopx200_public.exe/data132;Trojan.DownLoader.588;;
data132;D:\PlayRoomBackup\122703\Data1\Downloads\Stardock\DesktopX\v199a;Archive contains infected objects;;
desktopx200_public.exe;D:\PlayRoomBackup\122703\Data1\Downloads\Stardock\DesktopX\v199a;Archive contains infected objects;Moved.;
winxp2.exe\data008;D:\PlayRoomBackup\122703\Data1\Downloads\Themes\Windows XP Theme 2.0\winxp2.exe;Trojan.StartPage.48;;
winxp2.exe\data009;D:\PlayRoomBackup\122703\Data1\Downloads\Themes\Windows XP Theme 2.0\winxp2.exe;Trojan.StartPage.712;;
winxp2.exe\data027;D:\PlayRoomBackup\122703\Data1\Downloads\Themes\Windows XP Theme 2.0\winxp2.exe;Trojan.Click.70;;
winxp2.exe;D:\PlayRoomBackup\122703\Data1\Downloads\Themes\Windows XP Theme 2.0;Container contains infected objects;Moved.;

Where do we go from here?

Thank you so much!!
