Trojan Horse Vundo.IQ


27 replies to this topic

#1 Arghhh!

Posted 24 November 2009 - 11:23 AM

:thumbsup: Hi Forum

Okay, a week ago I managed to get my computer infected with AntiVirus System Pro. That was a hoot and a half. I tried many things, including downloading PC Doctor (and paying for the full version of it) and downloading MalwareBytes. I tried to run both of these and had no success. MalwareBytes simply would not run, no way, no how, not even in safe mode. PC Doctor told me it needed to restart the PC and when the PC had reloaded, AVSP had renamed PC Doctor. Ugh. Of course my internet was hijacked by AVSP so I couldn't search through forums to my heart's content, but I did manage to see enough cached pages from Google to look through and terminate certain processes in task manager so that AVG 9.0 free edition was able to find and remove stuff that eventually allowed PC Doctor to run and remove stuff, and things seemed pretty much back to normal. A couple of days passed and my internet started getting hijacked again. No annoying pop-ups this time, and my internet was being hijacked to different web sites (ones other than viagra and adult.com) but it was definitely still being hijacked to random sites not of my choosing.

I looked through some forums and downloaded and ran Smitfraudfix and ATF-Cleaner. This fixed the hijacking problem for a few days, but it has returned. AVG runs and finds Trojan Horse Vundo.IQ at "C:\WINDOWS\system32\csrss.exe (836):\memory_00270000" and "C:\WINDOWS\system32\csrss.exe (836)". AVG tells me it needs to reboot to remove these problems, and when I do reboot, my internet is still hijacked and the instances of Trojan Horse Vundo are not in AVG's virus vault. I don't know if Vundo and my hijacked internet are related or not, I don't know if Vundo and the hijacked internet are related to last week's AntiVirus System Pro disaster, and I don't know what to do to permanently eliminate all this very frustrating and reoccurring BS.

Thanks for any help anyone might have.


#2 Arghhh!

Posted 24 November 2009 - 11:53 AM

I just wanted to add, my internet is specifically hijacked when I do a search using Google and try to go to one of the search results. I seem to be able to search using dogpile.com okay. So far at least. Maybe it's something wrong with Google and my PC??

#3 boopme

Posted 24 November 2009 - 12:21 PM

Hello and welcome. First I will move this from XP to Am I Infected, as you are.

Let's try something and see if we can get a log.
Please download Rkill by Grinler and save it to your desktop. (Alternate downloads: Link 2, Link 3, Link 4.)
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
You will need to run the application again if rebooting the computer occurs along the way.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.


Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Post back the MBAM, SAS and Smitfraud logs, please.
The Smitfraud report can be found at the root of the system drive, usually at C:\rapport.txt
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#4 Arghhh!

Posted 24 November 2009 - 05:24 PM

Hello helpful angel Beepo

So Rkill ran successfully.

I ran Malware Bytes and it found a registry entry. Unfortunately I shut down MWB before it made a log of the entry, or something, but it didn't make a log of the entry, but I did go into regedit and delete what it had found. The path from what I can remember of it was HKEY_CURRENT_USER/Software/Microsoft/Windows/Current Version/EXT/ and then I believe it was settings.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/24/2009 at 02:43 PM

Application Version : 4.31.1000

Core Rules Database Version : 4308
Trace Rules Database Version: 2173

Scan type : Complete Scan
Total Scan Time : 01:22:26

Memory items scanned : 446
Memory threats detected : 0
Registry items scanned : 6134
Registry threats detected : 0
File items scanned : 22994
File threats detected : 30

Adware.Tracking Cookie
C:\Documents and Settings\Crapster\Cookies\crapster@lfstmedia[1].txt
C:\Documents and Settings\Crapster\Cookies\crapster@imrworldwide[2].txt
C:\Documents and Settings\Crapster\Cookies\crapster@fastclick[1].txt
C:\Documents and Settings\Crapster\Cookies\crapster@bs.serving-sys[2].txt
C:\Documents and Settings\Crapster\Cookies\crapster@counter.surfcounters[1].txt
C:\Documents and Settings\Crapster\Cookies\crapster@at.atwola[2].txt
C:\Documents and Settings\Crapster\Cookies\crapster@serving-sys[1].txt
C:\Documents and Settings\Crapster\Cookies\crapster@www.googleadservices[2].txt
C:\Documents and Settings\Crapster\Cookies\crapster@insightexpressai[2].txt
C:\Documents and Settings\Crapster\Cookies\crapster@specificmedia[1].txt
C:\Documents and Settings\Crapster\Cookies\crapster@statcounter[2].txt
C:\Documents and Settings\Crapster\Cookies\crapster@atdmt[1].txt
C:\Documents and Settings\Crapster\Cookies\crapster@xiti[1].txt
C:\Documents and Settings\Crapster\Cookies\crapster@doubleclick[1].txt
C:\Documents and Settings\Crapster\Cookies\crapster@zedo[2].txt
C:\Documents and Settings\Crapster\Cookies\crapster@tacoda[1].txt
C:\Documents and Settings\Crapster\Cookies\crapster@a1.interclick[2].txt
C:\Documents and Settings\Crapster\Cookies\crapster@ads.pointroll[1].txt
C:\Documents and Settings\Crapster\Cookies\crapster@pointroll[2].txt
C:\Documents and Settings\Crapster\Cookies\crapster@collective-media[1].txt



SmitFraudFix v2.424

Scan done at 15:47:42.28, Tue 11/24/2009
Run from C:\Documents and Settings\Crapster\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

Description: Dell Wireless 1370 WLAN Mini-PCI Card - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2AABBDE6-EAC4-45D9-8C8B-E87736FCA645}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2AABBDE6-EAC4-45D9-8C8B-E87736FCA645}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2AABBDE6-EAC4-45D9-8C8B-E87736FCA645}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

"System"=""


RK.2



Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End


I can once again look at Google's search results. I am hoping this time it's permanent. Thank you so much for your help.

#5 Arghhh!

Posted 24 November 2009 - 08:32 PM

:thumbsup: Surely the emoticon has tipped you off. The internet hijacking has returned. Still with Google search results, dogpile still works.

All that's happened between now and when Google was working properly is that my computer went into standby mode. Do I need to redo passwords or maybe downgrade to IE6 and then upgrade again to IE7? Is it hiding in my flash drive or an old system restore point?? Seriously frustrated at this point.

I do appreciate your help though.

#6 Arghhh!

Posted 24 November 2009 - 08:44 PM

I don't know if this added bit of info will be helpful, but, when I do a Google search and click on a link, it attempts to go, but then, you know how Google has a small Google symbol in the address bar, as do some other sites? Well, all of a sudden a strange little symbol, kind of like a stylized 2 or something, will appear in the address bar. It has a normal-looking address after it, though not the address of the link I was trying to go to, and then that symbol will go away and several other addresses will come in and out of the address bar till it finally settles on one and that's where I end up. Google Russian roulette.

#7 boopme

Posted 24 November 2009 - 09:22 PM

Oh, it most definitely can be in a flash drive. You will need to run this on it and any PC it connected to.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.



Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.


Now just part 1 of S!Ri's SmitfraudFix
Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

#8 Arghhh!

Posted 25 November 2009 - 11:21 AM

Good morning beep

I ran flash disinfect last night. Then this morning I ran MWB. It didn't find anything, but that's probably because AVG was running simultaneously and had already found Trojan Horse Vundo.IQ again in "C:\WINDOWS\system32\csrss.exe (832):\memory_00270000" and "C:\WINDOWS\system32\csrss.exe (832)", as well as several tracking cookies. I'm sure AVG will want to reboot to eliminate them, but I'm afraid they'll do their disappearing trick from its vault again and I'll be left where I started.

Malwarebytes' Anti-Malware 1.41
Database version: 3230
Windows 5.1.2600 Service Pack 3

11/25/2009 9:56:55 AM
mbam-log-2009-11-25 (09-56-55).txt

Scan type: Quick Scan
Objects scanned: 114017
Time elapsed: 20 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



SmitFraudFix v2.424

Scan done at 10:07:13.71, Wed 11/25/2009
Run from C:\Documents and Settings\Crapster\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\AVG\AVG9\avgscanx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Crapster


C:\DOCUME~1\Crapster\LOCALS~1\Temp


C:\Documents and Settings\Crapster\Application Data


Start Menu


C:\DOCUME~1\Crapster\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




DNS

Description: Dell Wireless 1370 WLAN Mini-PCI Card - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2AABBDE6-EAC4-45D9-8C8B-E87736FCA645}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2AABBDE6-EAC4-45D9-8C8B-E87736FCA645}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2AABBDE6-EAC4-45D9-8C8B-E87736FCA645}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


Scanning for wininet.dll infection


End

As of right now, I can use Google normally. This is almost enough to make you say, it's alright, I can live without Google. I can learn to use Bing. Almost enough, but not quite.

Thanks again for all your help beep.
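The SmitFraudFix reports in posts #4 and #8 print three sections a helper reads first when a machine keeps redirecting: the DNS servers the adapter and each control set point at, the AppInit_DLLs value, and the Winlogon Userinit string. The script below is an added example, not part of this thread or of SmitFraudFix; it parses a constructed report in the same format (the extra DLL, the second Userinit entry and the 203.0.113.9 name server are made up so that each check fires) and lists what a responder would want to look at. It goes a little beyond the posted logs by also cross-checking the registry name servers against the adapter's search order.

```python
import re
import ipaddress

# Constructed excerpt in the SmitFraudFix report format posted in this thread.
# The AppInit_DLLs value, the second Userinit entry and the 203.0.113.9 name
# server (a documentation-range address) are made up so each check has
# something to flag; the rest mirrors the posted report.
SAMPLE_REPORT = r"""
AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
"AppInit_DLLs"="C:\\WINDOWS\\system32\\example.dll"

Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\example2.exe,"

DNS

Description: Dell Wireless 1370 WLAN Mini-PCI Card - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=203.0.113.9
"""

# The only program Userinit should name on a stock XP install.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

RE_APPINIT = re.compile(r'^"AppInit_DLLs"="(.*)"\s*$', re.MULTILINE)
RE_USERINIT = re.compile(r'^"Userinit"="(.*)"\s*$', re.MULTILINE)
RE_SEARCH_ORDER = re.compile(r'^DNS Server Search Order:\s*(.+?)\s*$', re.MULTILINE)
RE_DHCP_NS = re.compile(r'DhcpNameServer=(\S+)')


def unescape_reg(value):
    # .reg export syntax doubles backslashes inside string values
    return value.replace("\\\\", "\\")


def check_appinit(report):
    """AppInit_DLLs is loaded into every process that loads user32.dll;
    on a home PC the value is normally empty."""
    findings = []
    for m in RE_APPINIT.finditer(report):
        for dll in re.split(r"[,\s]+", unescape_reg(m.group(1))):
            if dll:
                findings.append(f"AppInit_DLLs loads {dll} into every process that loads user32.dll")
    return findings


def check_userinit(report):
    """Anything after userinit.exe in the comma list runs at every logon."""
    findings = []
    for m in RE_USERINIT.finditer(report):
        for entry in unescape_reg(m.group(1)).split(","):
            entry = entry.strip()
            if entry and entry.lower() != EXPECTED_USERINIT:
                findings.append(f"Userinit runs unexpected program at logon: {entry}")
    return findings


def check_dns(report):
    """Compare the adapter's search order with every DhcpNameServer value
    and flag servers outside RFC 1918 space (a home router hands out
    private addresses; an ISP-assigned public server is a valid exception)."""
    findings = []
    adapter = set()
    for m in RE_SEARCH_ORDER.finditer(report):
        adapter.update(re.split(r"[,\s]+", m.group(1)))
    registry = set(RE_DHCP_NS.findall(report))
    for addr in sorted(registry - adapter):
        findings.append(f"Registry name server {addr} is not in the adapter's search order")
    for addr in sorted(adapter | registry):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"Unparseable name server entry: {addr}")
            continue
        if not any(ip in net for net in RFC1918):
            findings.append(f"Name server {addr} is outside RFC 1918 space (verify it is your ISP's)")
    return findings


def triage(report):
    return check_appinit(report) + check_userinit(report) + check_dns(report)


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding)
```

On the reports actually posted in this thread the DNS servers are the router (192.168.1.254) in every control set, Userinit names only userinit.exe and no AppInit_DLLs value is listed, so the script reports nothing; the point of the checks is to make that reading explicit rather than eyeballing it.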

#9 boopme

Posted 25 November 2009 - 04:28 PM

Hello, let's check the Goog with one more tool.
Please read and follow all these instructions very carefully.
  • Please download GooredFix and save it to your Desktop.
  • Double-click GooredFix.exe to run it.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).


#10 Arghhh!

Posted 25 November 2009 - 11:27 PM

Hello Boop (sorry I kept getting it wrong)

GooredFix by jpshortstuff (26.11.09.1)
Log created at 22:22 on 25/11/2009 (Crapster)
Firefox version [Unable to determine]

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{BC6EA653-D571-468D-9FD3-B0B15203D599} -> Success!
Deleting C:\Documents and Settings\Crapster\Local Settings\Application Data\{BC6EA653-D571-468D-9FD3-B0B15203D599} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [16:01 01/04/2009]

-=E.O.F=-

Well, in between my last post to you, Google started getting hijacked again. All I had done between then and now was check my gmail, post this to you, and test out Google, then I left for work and the computer went into standby mode after the AVG scan finished. I came home from work and woke up my computer, the results from AVG's scan were still up, and Google was again being hijacked.

Have a good Thanksgiving boop.
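The GooredFix log above shows what the redirect looked like on disk: a machine-wide (HKLM) Firefox extension registration whose path pointed into the user's Local Settings\Application Data folder and whose folder was named after nothing but its own GUID, next to a legitimate entry under C:\WINDOWS that the tool left alone. The script below is an added example, not part of this thread or of GooredFix; it parses a constructed log in the same format (the registration line for the removed {BC6EA653-...} entry and its timestamp are reconstructed from the log, not copied from it) and flags entries with those traits.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt in the GooredFix log format posted in this thread. The
# {BC6EA653-...} line is reconstructed from the entry the log shows being
# deleted; the .NET assistant line is the benign one the log kept.
SAMPLE_GOORED_LOG = r"""
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [16:01 01/04/2009]
"{BC6EA653-D571-468D-9FD3-B0B15203D599}"="C:\Documents and Settings\Crapster\Local Settings\Application Data\{BC6EA653-D571-468D-9FD3-B0B15203D599}" [22:10 25/11/2009]
"""

# "{guid}"="path" [hh:mm dd/mm/yyyy]; the trailing timestamp is optional.
RE_ENTRY = re.compile(
    r'^"(\{[0-9A-Fa-f-]{36}\})"="(.*?)"\s*(?:\[[^\]]*\])?\s*$', re.MULTILINE)

SYSTEM_PREFIXES = ("c:\\program files", "c:\\windows")
PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\")


def parse_entries(log):
    """Return (guid, path) for every extension registration in the log."""
    return [(m.group(1), m.group(2)) for m in RE_ENTRY.finditer(log)]


def assess(guid, path):
    """List the reasons one registration deserves a closer look."""
    p = path.lower()
    reasons = []
    if any(marker in p for marker in PROFILE_MARKERS):
        reasons.append("machine-wide (HKLM) entry points into a user profile")
    if "\\local settings\\application data\\" in p or "\\appdata\\local\\" in p:
        reasons.append("extension lives in per-user local application data")
    if PureWindowsPath(path.rstrip("\\")).name.lower() == guid.lower():
        reasons.append("folder is named after its own GUID, no product name")
    if not p.startswith(SYSTEM_PREFIXES) and not reasons:
        reasons.append("outside Program Files / Windows")
    return reasons


def suspicious_extensions(log):
    """Return [(guid, path, reasons)] for registrations that tripped a check."""
    flagged = []
    for guid, path in parse_entries(log):
        reasons = assess(guid, path)
        if reasons:
            flagged.append((guid, path, reasons))
    return flagged


if __name__ == "__main__":
    for guid, path, reasons in suspicious_extensions(SAMPLE_GOORED_LOG):
        print(guid, path)
        for r in reasons:
            print("   -", r)
```

The checks are heuristics, not proof: a vendor can legitimately register an extension from an unusual location, which is why the output lists reasons for a human rather than deleting anything.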

#11 Arghhh!

Posted 25 November 2009 - 11:30 PM

Side note, the Trojan Virus Vundo.IQ instances escaped from the vault while the computer was in standby mode.

#12 boopme

Posted 26 November 2009 - 11:36 AM

OK, one last try before we move this to HJT. Update MBAM and SAS. Download and install Dr.Web below. Then disconnect from the web and unplug the Internet cable from the PC. Run these three again, then reconnect,

relax and enjoy the family while scanning.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


#13 madasalorry

Posted 26 November 2009 - 07:12 PM

Hi AGH + Boop

Been following this thread for couple of days from London. My situation:

Dell D630 running XP SP2.

I got V.IQ on Saturday 11/21.

Reinstalled twice.

almost identical logs from AVG - ram reading @ 002*0000 [***] etc

Has jumped to desktop while using for transfer of D/L fixes for laptop infection. (On Girlfriend's Mac FFS!)
After reading posts haven't followed further steps as awaiting outcome.


What we know:


It HiJ's connection & sec (means disconnection)
Few people have it (See below)
Gets progressively more destructive with each attempt to remove it (In my case yes > Pop-up fake sec alert> scans>ID as CSRSS.exe>regscan and removal>FAIL> reinstall> recovery disks and tools>FAIL, until...Reinstall...FAIL>boot say caution: hard disk may be infected with virus.
Me - even considering a Mac (then knowing costs!)

Questions in no order;

a> Is this a 21 days> new variant (Very few posts found)
b> Has anyone noticed anyone else talking about this
c> Where does it reside if it can survive 2x format+reinstall
d> WTF can i do to get my machine back

Appreciate your chat. Really got nothing to add but will be trying various steps in BG - this is the most coherent chat about this I have found in 4 days of searching and fiddling with the machine!

MAAL

Edited by madasalorry, 26 November 2009 - 07:18 PM.


#14 boopme

Posted 26 November 2009 - 09:52 PM

@ madasalorry, Hello
Did you Format before install?

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding an extension after the existing extension of a file, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low-level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.

==============================

2 guidelines/rules when backing up

1) Back up all your important data files, pictures, music, work etc. and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc.
2) Do not back up any executable files or any Windows files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results, they may be handy.

Since we don't know exactly which infections we're dealing with here, we should take some precautions before we attempt to move files from the infected machine. Run the following on your clean computer, and make sure you insert your flash drives at the prompt.
Download and Run FlashDisinfector

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
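Boopme's two backup rules, and the warning earlier in the same post to look at the full file name because malware hides an extra extension behind the real one, can be turned into a simple pre-backup filter. The script below is an added example and not part of this thread; the keep and skip lists are the extensions the post names, the file names are constructed, and the one design point is that every suffix of a name is examined, so "holiday.jpg.exe" is treated as an executable even when Explorer would display it as a .jpg.

```python
from pathlib import PureWindowsPath

# Extensions the post lists as data worth backing up and as executable or
# web content to leave behind; extend DATA_EXTENSIONS with your own file types.
DATA_EXTENSIONS = {".doc", ".txt", ".mp3", ".jpg"}
RISKY_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}

# Constructed file names; "holiday.jpg.exe" is the double-extension case.
SAMPLE_FILES = [
    "holiday.jpg.exe",
    "setup.exe",
    "resume.doc",
    "song.mp3",
    "index.html",
    "notes",
    "budget.xls",
    "archive.zip",
]


def classify(filename):
    """Return (verdict, reason) where verdict is 'keep', 'skip' or 'review'.

    Every suffix of the full name is checked, not just the last one, so a
    risky extension hidden behind a data extension still causes a skip."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    if not suffixes:
        return ("review", "no extension")
    if any(s in RISKY_EXTENSIONS for s in suffixes):
        if len(suffixes) > 1:
            return ("skip", f"double extension {''.join(suffixes)}")
        return ("skip", f"executable/web content {suffixes[-1]}")
    if suffixes[-1] in DATA_EXTENSIONS:
        return ("keep", f"data file {suffixes[-1]}")
    return ("review", f"unlisted extension {suffixes[-1]}")


def plan_backup(names):
    """Group file names by verdict so the 'review' pile can be checked by hand."""
    plan = {"keep": [], "skip": [], "review": []}
    for name in names:
        verdict, reason = classify(name)
        plan[verdict].append((name, reason))
    return plan


if __name__ == "__main__":
    for verdict, items in plan_backup(SAMPLE_FILES).items():
        print(verdict.upper())
        for name, reason in items:
            print(f"  {name:20} {reason}")
```

Files that land in "review" are the ones neither list covers; the safe default for anything you cannot identify is to scan it on the clean machine before copying it back, exactly as the post advises.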

#15 Arghhh!

Posted 27 November 2009 - 07:53 PM

Hey Boop,

Okay, well, Safe Mode is not happening. I get to the screen where I can choose Safe Mode, then I choose for it to start XP. It attempts to do this and begins to run through a screen and a half of multi(0)disk(0)rdisk(0)partition(2)\WINDOWS\system32\Drivers\etc... It gets stuck, however, at multi(0)disk(0)rdisk(0)partition(2)\WINDOWS\system32\Drivers\Mup.sys consistently. I tried it several times and also tried Safe Mode with Networking, all with the same result and the same sticking point. I'm not sure if this is a result of the virus or simply something going on with my OS. I will however be disconnecting from the internet and doing the things you suggested, but in Normal mode.



