
Windows Police/AV2010 Infection



#1 jeff___H


Posted 22 October 2009 - 02:59 PM

I got the dreaded Windows Police Pro/AntiVirus 2010 Vundo trojan on my home pc a few days ago. I was able to zap most of it using Combofix (which I have used in the past successfully), but am still having issues. My main problems now are:

* Administrator permissions appear to have been altered
* Internet Explorer will load, but gets the same error every time i attempt to open it
* Unable to run exe files.
* desktop background blue screen

OS is Windows XP Pro.

I have MBAM, SAS, HJT and ComboFix loaded, but the virus corrupted the installed programs. When I go to re-install them, I get Permissions Denied errors. When I attempt to update online, or download from the internet, I get the following error message, followed by an Error 1321 Windows Installer error.

The instruction at "0xd5556b4c" referenced memory at "0xd5556b4c". The memory could not be "written".

I attempted to change Security settings in Windows Data Execution Protection, but the problem persists.

The Windows Police Pro and AV 2010 appear to have been removed from the registry OK, but there is still a reference somewhere to sisa.exe, and I get two RUNDLL errors on startup; one for vezipoyo.dll and one about system32\zumidiba.dll.

I also manually ended a process in TaskManager called 64711625.exe. Windows DEP flashed on next re-boot, stating that it had ended that process. But the other problems still persist.

I am still able to access my email via Outlook Express, and my chat programs connect with no problems (Yahoo, Yahoo Widgets, AIM).

I can post screencaps and logs from another pc at home if necessary.

Thanks for any help!

Edited by jeff___H, 22 October 2009 - 02:59 PM.




#2 jeff___H


Posted 23 October 2009 - 05:26 PM

I've been reading other topics with people having similar problems. I am still able to boot up and run. I booted up in Normal Mode as Administrator and attempted to do fresh installs of MBAM and SAS using renamed exe files downloaded to a flash drive. I am still not able to get MBAM to install properly. I got the following error:

Unable to execute file:
C:\ProgramFiles\MalwareBytes\mbam.exe
Create process failed; Code 2
The system cannot find the file specified.


The mbam.exe is left out of the install, thus I cannot re-name it and run it that way.


SAS still comes up with a DEP 1321 window. I clicked the Ignore option, and I can complete the install, but I am unable to run it.

I was able to run RootRepeal (renamed rootyTooty.pif). This is the log from it:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:		2009/10/23 17:28
Program Version:		Version 1.3.5.0
Windows Version:		Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB7245000	Size: 98304	File Visible: No	Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADFE000	Size: 8192	File Visible: No	Signed: -
Status: -

Name: rootytooty.pif.sys
Image Path: C:\WINDOWS\system32\drivers\rootytooty.pif.sys
Address: 0xB4EB8000	Size: 49152	File Visible: No	Signed: -
Status: -

SSDT
-------------------
#: 053	Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x89c72109

==EOF==

And also ran HJT. Here is that log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:17:49 PM, on 10/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Lexar Media Inc\USB Card Reader Driver v2.2(M)\Disk_Monitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
J:\Documents\Downloads\my pc stuff\rootyTooty.pif
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

EDIT: Removed HJT log, not to be posted in this forum.

Edited by boopme, 23 October 2009 - 11:18 PM.


#3 jeff___H


Posted 23 October 2009 - 10:29 PM

Was finally able to get MBAM to run. I performed a quickscan, then a full scan.

Quickscan log:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

10/23/2009 7:02:07 PM
mbam-log-2009-10-23 (19-02-07).txt

Scan type: Quick Scan
Objects scanned: 96274
Time elapsed: 5 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 5
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\fuzewupu.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{52801079-fa30-4b01-bfdd-232aa23e9cb8} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wowegabon (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\64711625 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{52801079-fa30-4b01-bfdd-232aa23e9cb8} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\jegopamog (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yezafative (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\fuzewupu.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\fuzewupu.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\64711625 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\fuzewupu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\64711625\64711625.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yunukino.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Full scan log:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

10/23/2009 11:11:54 PM
mbam-log-2009-10-23 (23-11-54).txt

Scan type: Full Scan (C:\|)
Objects scanned: 199998
Time elapsed: 2 hour(s), 8 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wowegabon (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by boopme, 23 October 2009 - 11:19 PM.


#4 boopme


Posted 23 October 2009 - 11:41 PM

Hello. I removed the HJT (not permitted here).
I did not see the telltale Police or AV Pro entries in that log.
Did you reboot after the MBAM scan as needed?

MBAM needs to be updated.
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.



Let's upload this (sisa.exe) file for a second opinion on what it actually is.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
<filepath>suspect.file

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


NOTE:
For submission to a specific anti-virus vendor see Submitting Virus Samples: How to Submit a Virus.



Are the two RUNDLL errors something like...

A "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found"
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook
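To make sense of a log like the one jeff___H posted, and of why boopme asks whether the machine was rebooted, here is an added triage script (my own example, not code from this thread or from Malwarebytes): it parses the MBAM 1.41 log format as inferred from the posts, flags findings still marked "Delete on reboot" (those items are live until the restart), and names the Windows autostart location each registry finding abused. The sample log is constructed from the entries above.

```python
"""Triage a Malwarebytes' Anti-Malware 1.41 log of the kind pasted in this
thread: list each finding, flag those still "Delete on reboot", and name the
Windows autostart location each registry finding abused (format inferred)."""
import re
from collections import Counter

# Constructed sample, modelled on the 23 October quick-scan log posted above.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2775

Memory Modules Infected:
c:\WINDOWS\system32\fuzewupu.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wowegabon (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\64711625 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\jegopamog (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\fuzewupu.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\fuzewupu.dll (Trojan.Vundo.H) -> Delete on reboot.
"""

# One finding line: "<item> (<detection>) -> [extra -> ]<action>."
_ENTRY = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")

# Autostart locations seen in this thread, matched against the registry path.
_PERSISTENCE = [
    (r"\\currentversion\\run\\", "Run key: program started at every logon"),
    (r"\\appinit_dlls$", "AppInit_DLLs: DLL loaded into every process that loads user32.dll"),
    (r"\\shellserviceobjectdelayload\\", "SSODL: COM object loaded by Explorer at logon"),
    (r"\\sharedtaskscheduler\\", "SharedTaskScheduler: COM object loaded by Explorer at logon"),
    (r"\\security center\\", "Security Center: update/AV warnings silenced"),
]


def classify_persistence(item):
    """Return the autostart mechanism a registry path abuses, or None."""
    for pattern, description in _PERSISTENCE:
        if re.search(pattern, item, re.IGNORECASE):
            return description
    return None


def parse_mbam_log(text):
    """One dict per finding; pending_reboot is True while it is 'Delete on reboot'."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):          # e.g. "Registry Values Infected:"
            section = line[:-1]
            continue
        m = _ENTRY.match(line)
        if section is None or not m:            # header, blank, or "(No malicious items detected)"
            continue
        parts = m.group("rest").split(" -> ")
        action = parts[-1].rstrip(".")
        # "Data: <path>" records what the poisoned registry value pointed at.
        data = next((p[len("Data: "):] for p in parts[:-1] if p.startswith("Data: ")), None)
        findings.append({
            "section": section, "item": m.group("item"),
            "detection": m.group("detection"), "action": action, "data": data,
            "pending_reboot": action.lower() == "delete on reboot",
        })
    return findings


def triage(text):
    """Summarise what is still live until reboot and which autostart locations were abused."""
    findings = parse_mbam_log(text)
    pending = [f["item"] for f in findings if f["pending_reboot"]]
    mechanisms = Counter()
    for f in findings:
        desc = classify_persistence(f["item"])
        if desc:
            mechanisms[desc] += 1
    injected = sorted({f["data"].lower() for f in findings if f["data"]})
    return {"total": len(findings), "pending_reboot": pending,
            "mechanisms": dict(mechanisms), "injected_dlls": injected,
            "reboot_required": bool(pending)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['total']} findings, reboot required: {report['reboot_required']}")
    print("still live until reboot:", *report["pending_reboot"], sep="\n  ")
```

On the sample, the AppInit_DLLs data item and the in-memory module both point at the same DLL, which is why the module cannot be deleted until the reboot unloads it.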

#5 jeff___H


Posted 24 October 2009 - 10:21 AM

Hello. I removed the HJT (not permitted here).
I did not see the telltale Police or AV Pro entries in that log.
Did you reboot after the MBAM scan as needed?

MBAM needs to be updated.
...



As stated in my original post, I ran Combofix almost immediately (but prior to coming here), which removed some Windows Police Pro and AV2010 files from my registry.

My apologies for posting the HJT log.

I was able to run Super AntiSpyware on the infected machine last night as well, and it found another handful of infected registry keys.

I have rebooted after each scan. I am still getting the following error each time I attempt to access the internet via IE:

The instruction at "0xd5556b4c" referenced memory at "0xd5556b4c". The memory could not be "written".

This is followed by a Windows DEP message shutting down IE. Thus I have been unable to download updates directly to the infected machine.

The RUNDLL errors seem to be gone after running MBAM - I have not seen any recurrence in my last three reboots.

I followed the provided instructions for displaying hidden files, but am still not able to connect to the internet with the infected machine. Same error:

The instruction at "0xd5556b4c" referenced memory at "0xd5556b4c". The memory could not be "written".

This is followed by a Windows DEP message that shuts down IE. Thus I am unable to run an online scan.

#6 jeff___H


Posted 25 October 2009 - 08:02 AM

Finally got to where I could do an online update of MBAM on the infected machine. Ran a QuickScan a few minutes ago. Here is the log:

Malwarebytes' Anti-Malware 1.41
Database version: 3029
Windows 5.1.2600 Service Pack 3

10/25/2009 8:43:56 AM
mbam-log-2009-10-25 (08-43-56).txt

Scan type: Quick Scan
Objects scanned: 110451
Time elapsed: 4 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\lizkavd (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\kbdnet.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: system32\kbdnet.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\ldvx.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\vyiy.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbdnet.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lebazote.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lihemeyu.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rawutebe.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sefudowu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ruzejiti.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zadahipo.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Re-started after the scan. I am happy to say that I am making this post from the machine that has been infected! I'd love to know which one of the nasties it was that was holding IE hostage all this time. I was also able to run Windows update and install the latest patches. Now to find a more effective front-line defense against a further attack!

#7 boopme


Posted 25 October 2009 - 04:08 PM

Hello , I was missing for a day. I think it was the rogue Security tool

Glad to see such good progress. I feel we should do these next and see what may be left.

Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


Please ask any needed questions, post 2 logs and let us know how the PC is running now.

#8 jeff___H


Posted 25 October 2009 - 04:36 PM

I followed the instructions on using SuperAntiSpyware and ATF Cleaner in Safe Mode yesterday after finding another user thread topic here of someone having similar problems. I think this is what finally freed things up enough to be able to do some online updates.

#9 boopme


Posted 25 October 2009 - 06:06 PM

OK good, just wanted it to be run. Sorry I am playing catch up. Please update and rerun MBAM. I think if it shows clean we are.

#10 jeff___H


Posted 26 October 2009 - 05:15 PM

It's cool - I understand you guys are probably slammed constantly.

Here's a log from a quick scan taken this morning:

Malwarebytes' Anti-Malware 1.41
Database version: 3034
Windows 5.1.2600 Service Pack 3

10/26/2009 7:16:27 AM
mbam-log-2009-10-26 (07-16-27).txt

Scan type: Quick Scan
Objects scanned: 115881
Time elapsed: 8 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I followed that up by running a full scan:

Malwarebytes' Anti-Malware 1.41
Database version: 3034
Windows 5.1.2600 Service Pack 3

10/26/2009 5:50:34 PM
mbam-log-2009-10-26 (17-50-34).txt

Scan type: Full Scan (C:\|)
Objects scanned: 221110
Time elapsed: 1 hour(s), 25 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 26

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\rhjdpc.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\05447222\05447222.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\jeff\ntuser.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\jeff\Application Data\lizkavd.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\jeff\Application Data\seres.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\jeff\Application Data\svcst.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\jeff\Start Menu\Programs\Startup\scandisk.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\ntuser.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Windows Police Pro\Windows Police Pro.exe.vir (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\calc.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gironodi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\godisida.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\goradoja.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hukodiva.dll.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\j80brds.dll.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kiwesudu.dll.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\luhuvoso.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\marutida.dll.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nogejefo.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tegidimu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vezipoyo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vusiwumi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\zumidiba.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{86696136-E812-4657-83A8-E638A5CAB3E3}\RP3\A0000448.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{86696136-E812-4657-83A8-E638A5CAB3E3}\RP3\A0000450.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{86696136-E812-4657-83A8-E638A5CAB3E3}\RP4\A0000681.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

The log timestamp disparity is due to me letting the full scan run while I was at work. I completed it a few minutes ago.

Edited by jeff___H, 26 October 2009 - 05:20 PM.


#11 boopme


Posted 26 October 2009 - 09:29 PM

Hello let's do this as I don't like that it actually came back after ComboFix.

Run a different ARK.. Sophos Anti-rootkit
Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Full scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.



