Trojan Horse Vundo.IQ


27 replies to this topic

#16 boopme (Global Moderator)

Posted 27 November 2009 - 09:21 PM

Hi Arrgghh ( I sound like a pirate :thumbsup: ) take a look at this System that freezes after loading mup.sys while booting
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#17 BillyM148 (Member)

Posted 28 November 2009 - 02:04 AM

Okay.. Hi guys. Any update on removing Vundo.IQ? I became infected with it 11/26 or 11/27. ComboFix doesn't remove it (Usually fixes all my problems). Malwarebytes doesn't find/remove it (first time MWB has let me down). AVG finds it, but doesn't remove it even though it says it does.

So yeah, I'm having the same problem as in these previous posts and replies and can't find any other useful information on Vundo.IQ besides this forum. Is this a new variant or something? It's really annoying me. Let's get this thing figured out.

#18 Arghhh! (Topic Starter)

Posted 28 November 2009 - 11:05 PM

Well boop, still no luck. Dr. Web did find some new stuff, but Google is still being hijacked.

Process in memory: C:\WINDOWS\system32\rundll32.exe:164;;BackDoor.Tdss.565;Eradicated.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
nircmd.exe;C:\DOCUME~1\Crapster\LOCALS~1\Temp;Tool.NirCmd.1;Incurable.Moved.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1328;Cured.;
Flash_Disinfector.exe\nircmd.exe;C:\Documents and Settings\Crapster\Desktop\Flash_Disinfector.exe;Tool.NirCmd.1;;
Flash_Disinfector.exe;C:\Documents and Settings\Crapster\Desktop;Archive contains infected objects;Moved.;
Flash_Disinfector[1].exe\nircmd.exe;C:\Documents and Settings\Crapster\Local Settings\Temporary Internet Files\Content.IE5\X5264MLG\Flash_Disinfector[1].exe;Tool.NirCmd.1;;
Flash_Disinfector[1].exe;C:\Documents and Settings\Crapster\Local Settings\Temporary Internet Files\Content.IE5\X5264MLG;Archive contains infected objects;Moved.;
A0006655.exe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP15;Tool.Prockill;Incurable.Moved.;
A0006656.exe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP15;Tool.ShutDown.14;Incurable.Moved.;
A0006657.EXE;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP15;Program.SrvAny;Incurable.Moved.;
A0006658.exe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP15;Tool.Prockill;Incurable.Moved.;
A0006701.exe\nircmd.exe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP15\A0006701.exe;Tool.NirCmd.1;;
A0006701.exe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP15;Archive contains infected objects;Moved.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1328;Cured.;

MWB found one sort of new thing as well:
Malwarebytes' Anti-Malware 1.41
Database version: 3245
Windows 5.1.2600 Service Pack 3

11/27/2009 8:35:15 PM
mbam-log-2009-11-27 (20-35-13).txt

Scan type: Full Scan (C:\|)
Objects scanned: 171891
Time elapsed: 1 hour(s), 25 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0003036.exe (Trojan.FakeAlert) -> No action taken.
---I did delete this item myself.

And SAS found 44 tracking cookies, no big surprise there.
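The Dr.Web log above is a semicolon-separated record (name;directory;threat;action;), and most of its bulk is the same atapi.sys line repeated. The following Python script is an added example, not code from the thread or from Dr.Web: it parses lines of that shape, collapses repeats, and counts hits by action and by where the file lives (driver directory, System Restore snapshots, temp folders, memory). The sample log inside it is constructed, with a generic user name and a placeholder restore-point GUID in place of real values, and the location buckets are my own choice.

```python
"""Summarise a Dr.Web-style scan log.

Each line has the shape  name;directory;threat;action;  as quoted in the thread.
Process hits look like   Process in memory: <path>:<pid>;;<threat>;<action>;
and archive members like outer.exe\\inner.exe;<dir>\\outer.exe;<threat>;;
"""
import re
from collections import Counter

# Constructed sample (not the thread's actual log): a few representative lines.
SAMPLE_LOG = """\
Process in memory: C:\\WINDOWS\\system32\\rundll32.exe:164;;BackDoor.Tdss.565;Eradicated.;
atapi.sys;C:\\WINDOWS\\system32\\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;C:\\WINDOWS\\system32\\drivers;BackDoor.Tdss.1328;Cured.;
atapi.sys;c:\\windows\\system32\\drivers;BackDoor.Tdss.1328;Cured.;
nircmd.exe;C:\\DOCUME~1\\user\\LOCALS~1\\Temp;Tool.NirCmd.1;Incurable.Moved.;
Flash_Disinfector.exe\\nircmd.exe;C:\\Documents and Settings\\user\\Desktop\\Flash_Disinfector.exe;Tool.NirCmd.1;;
A0006655.exe;C:\\System Volume Information\\_restore{GUID-PLACEHOLDER}\\RP15;Tool.Prockill;Incurable.Moved.;
"""

PROCESS_RE = re.compile(r"^Process in memory: (?P<path>.+):(?P<pid>\d+)$")


def parse_line(line):
    """Return a dict for one log line, or None for lines that do not fit the format."""
    parts = line.rstrip("\r\n").split(";")
    if len(parts) < 4:
        return None
    name, directory, threat, action = parts[:4]
    action = action.rstrip(".") or "(none)"    # "Cured." -> "Cured"; empty -> "(none)"
    container, pid = None, None
    m = PROCESS_RE.match(name)
    if m:                                       # a running process, not a file on disk
        name, directory, pid = m.group("path"), "<memory>", int(m.group("pid"))
    elif "\\" in name:                          # archive member written as outer\inner
        container, name = name.split("\\", 1)
    return {"name": name, "directory": directory, "threat": threat,
            "action": action, "container": container, "pid": pid}


def location_class(directory):
    """Rough bucket for where a hit lives; restore points and driver dirs matter most."""
    d = directory.lower()
    if d == "<memory>":
        return "memory"
    if "system volume information" in d:
        return "restore-point"
    if "\\drivers" in d:
        return "kernel-driver"
    if "\\temp" in d or "temporary internet files" in d:
        return "temp/cache"
    return "other"


def summarize(log_text):
    """Collapse repeated lines and count hits by action and by location class."""
    unique, by_action, by_location, total = Counter(), Counter(), Counter(), 0
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        total += 1
        key = (entry["name"].lower(), entry["directory"].lower(),
               entry["threat"], entry["action"])
        unique[key] += 1
        by_action[entry["action"]] += 1
        by_location[location_class(entry["directory"])] += 1
    return {"total": total, "unique": dict(unique),
            "by_action": dict(by_action), "by_location": dict(by_location)}


def repeated_hits(summary, min_count=2):
    """Entries the scanner reported more than once in a single run."""
    return sorted((key, n) for key, n in summary["unique"].items() if n >= min_count)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} hits, {len(s['unique'])} distinct")
    for key, n in repeated_hits(s):
        print(f"  repeated x{n}: {key[0]} in {key[1]} ({key[2]}, {key[3]})")
    print("by action:", s["by_action"])
    print("by location:", s["by_location"])
```

Run it as-is to see the summary of the constructed sample, or pass a real log's text to summarize(). Hits bucketed as restore-point are the copies System Restore would hand back if an old restore point were used, which is why the next reply in this thread moves on to creating a fresh restore point and purging the old ones.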

#19 boopme (Global Moderator)

Posted 29 November 2009 - 09:08 PM

OK, that one is in System Restore. Do this: update and rerun MBAM and tell me how it's running. Post the last MBAM log.
Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#20 Arghhh! (Topic Starter)

Posted 01 December 2009 - 08:38 PM

Well Boop, the short answer is that no, this did not fix the problem.

Here's the MWB log before I ran disk clean up:

Malwarebytes' Anti-Malware 1.41
Database version: 3270
Windows 5.1.2600 Service Pack 3

12/1/2009 7:11:51 PM
mbam-log-2009-12-01 (19-11-44).txt

Scan type: Full Scan (C:\|)
Objects scanned: 167680
Time elapsed: 1 hour(s), 21 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP15\A0006702.exe (Trojan.FakeAlert) -> No action taken.


I manually deleted the file you see above, then I created a new Restore Point, ran disk cleanup, and deleted all but the most recent restore point.

Below is the MWB log after the above actions:

Malwarebytes' Anti-Malware 1.41
Database version: 3270
Windows 5.1.2600 Service Pack 3

12/1/2009 7:30:41 PM
mbam-log-2009-12-01 (19-30-41).txt

Scan type: Quick Scan
Objects scanned: 114057
Time elapsed: 10 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I checked Google after all of the above, and, SURPRISE, it's still being hijacked :thumbsup: This is one pesky bug.

#21 boopme (Global Moderator)

Posted 01 December 2009 - 09:38 PM

It's this TDSS-type infection; sometimes they won't die.
By the way, when they are this serious I think it only fair to give some advice, especially if you do financials on here.
About this backdoor trojan:

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.



These will be the next cleaning steps.
We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all seven boxes: [image]
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Norman Malware Cleaner

Please download Norman Malware Cleaner and save to your desktop.
alternate download link
  • Be sure to print out the instructions provided on the same page.
  • Restart your computer in "Safe Mode".
  • Double-click on Norman_Malware_Cleaner.exe to start the program.
  • Read the End User License Agreement and click the Accept button to open the scanning window.
  • Click Start Scan to begin.
  • In some cases Norman Malware Cleaner may require that you restart the computer to completely remove an infection. If prompted, reboot and run the tool again to ensure that all infections are removed.
  • After the scan has finished, a log file with the date (i.e. NFix_2009-06-22_07-08-56.log) will be created on your desktop with the results.
Note: For usb flash drives and/or other removable drives to scan, use the Add button to browse to the drives location, click on the drive to highlight and choose Ok.

#22 Arghhh! (Topic Starter)

Posted 02 December 2009 - 10:06 AM

Ugh. Thanks for the advice about the identity thing Boop.

I mainly use this PC for writing and gmail and stupid stuff like that, but I'll be careful about not using it for anything sensitive.

I'm about to do the steps you suggested.

#23 boopme (Global Moderator)

Posted 02 December 2009 - 12:19 PM

OK good....

#24 Arghhh! (Topic Starter)

Posted 02 December 2009 - 01:13 PM

Hey Boop. I have to admit that I'm feeling defeated. I did run the Root Repeal and Norman, but they were unsuccessful, and, as of yesterday, there's a new symptom. Once I've opened IE I start to get random messages telling me it can't find http:// (insert strange alien tongue) and to make sure I've typed the address correctly. When I x out or click OK it opens a new window of IE. This happened 12 times while I've been writing this message to you.

Below are the logs you asked for:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/02 09:08
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA118A000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\$avg\$chjw\b3463521-24fb-44af-87e5-8a0d1e50f8f9
Status: Size mismatch (API: 2397576, Raw: 2204280)

Path: c:\$avg\$chjw\f91eb490-1660-407a-8d23-9f616b8cd5a7
Status: Size mismatch (API: 2124560, Raw: 2029936)

Path: C:\Documents and Settings\Crapster\Recent\~DF85C0.tmp
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Crapster\Recent\~WRS{032CE583-819D-4844-93AE-ED1968761E78}.tmp
Status: Locked to the Windows API!

==EOF==

Norman Malware Cleaner
Version 1.5.0.5
Copyright 1990 - 2009, Norman ASA. Built 2009/12/02 01:16:17

Norman Scanner Engine Version: 6.03.02
Nvcbin.def Version: 6.03.00, Date: 2009/12/02 01:16:17, Variants: 4438427

Scan started: 02/12/2009 09:59:46

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600 Service Pack 3
Logged on user: LAW-CCRAPSTE\Crapster

Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLS = -> ""


Scanning running processes and process memory...

Number of processes/threads found: 4577
Number of processes/threads scanned: 4577
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 16m 16s


Scanning file system...

Scanning: C:\*.*

C:\Documents and Settings\Crapster\Desktop\SmitfraudFix\SmitfraudFix\Policies.exe (Infected with W32/Malware.JNZQ)
Deleted file

C:\Documents and Settings\Crapster\Desktop\SmitfraudFix\SmitfraudFix\SmiUpdate.exe (Infected with W32/Suspicious_Gen2.AGVP)
Deleted file

C:\Documents and Settings\Crapster\DoctorWeb\Quarantine\A0006656.exe (Infected with W32/Suspicious_Gen2.SYZ)
Deleted file

C:\Documents and Settings\Crapster\DoctorWeb\Quarantine\restart.exe (Infected with W32/Suspicious_Gen2.SYZ)
Deleted file

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP18\A0007788.exe (Infected with W32/Malware.JNZQ)
Deleted file

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP18\A0007789.exe (Infected with W32/Suspicious_Gen2.AGVP)
Deleted file

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP18\A0007790.exe (Infected with W32/Suspicious_Gen2.SYZ)
Deleted file

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP18\A0007791.exe (Infected with W32/Suspicious_Gen2.SYZ)
Deleted file

Scanning: F:\*.*


Running post-scan cleanup routine:

Number of files found: 59630
Number of archives unpacked: 0
Number of files scanned: 59602
Number of files not scanned: 28
Number of files skipped due to exclude list: 0
Number of infected files found: 8
Number of infected files repaired/deleted: 8
Number of infections removed: 8
Total scanning time: 1h 21m 15s


So, here's a crazy little problem. How do I take files off the infected PC and put them on a flash drive without infecting the flash drive and then reinfecting the reformatted system with the flash drive when I try to put the files back onto the PC?

#25 BillyM148 (Member)

Posted 02 December 2009 - 02:23 PM

Just so you guys know, I've been following this thread too. I have the same problem with google being hijacked. Nothing will remedy the problem. MWB doesn't find it, AVG finds it but doesn't remove it when it says it does. Norman found W32/Smalldoor and smalltroj. Combofix doesn't fix it. This is too weird.

First Vundo.IQ was found infecting the files csrss.exe and even infecting avgcsrvx.exe
Now it has spread to MOM.exe (the catalyst control center from ATI.) And also spread to TimounterMonitor.exe, which belongs to Acronis TrueImage, a backup utility by Acronis.

I've never had this big of a problem.

Edited by BillyM148, 02 December 2009 - 02:27 PM.


#26 boopme (Global Moderator)

Posted 02 December 2009 - 03:11 PM

Ok, I agree this is a mess. We have a couple of choices when things are this bad.

In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension behind the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.
Read: When Should I Format, How Should I Reinstall
I have more pointers on reformatting.


Or we can move this to the HJT forum and they will dig it out. The downside is they are swamped and it'll be about a week. If you want that I will give you those instructions.


Now, why do you want to put the quarantined files onto your flash drive? They cannot harm anything there. We can clean the flash drive with Flash_Disinfector if you want to.
The ones in system restore we need to eliminate. Run the Create a New Restore Point instructions from earlier.

Now, we have a desktop and internet so please try running an Online scan first.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


#27 Arghhh! (Topic Starter)

Posted 03 December 2009 - 10:41 AM

Hey Boop.

I wasn't actually asking about saving quarantined files, but rather, music and pictures that are on the infected machine. You see, I'm a little bit leery about connecting a clean flash drive to the infected machine and taking the music and pics off because I'm afraid that the infection will sneak over onto the flash drive as soon as I plug it in. Then once that flash drive is infected, how can I really be sure it's clean before I plug it into the freshly reformatted machine? I'd have to plug the flash drive into another machine to disinfect it, and then I'd be infecting that machine as soon as I plugged the flash drive in. If I try to clean the flash drive while it's connected to the infected machine, I have no confidence that the flash drive will stay clean long enough for me to take it out of the computer. In short, this bug has made me paranoid. All I can think is maybe I could compress the files somehow and email them to myself. But there's 4 GB of music alone! Anyways. Thanks for your help Boop.

#28 boopme (Global Moderator)

Posted 03 December 2009 - 01:16 PM

Hey, I hear ya...
Two guidelines/rules when backing up:

1) Back up all your important data files, pictures, music, work etc... and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.


Since we don't know exactly which infections we're dealing with here, we should take some precautions before we attempt to move files from the infected machine. Run the following on your clean computer, and make sure you insert your flash drives at the prompt.
Download and Run FlashDisinfector

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
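The two backup rules above, together with the earlier warning that malware can hide a second extension behind a familiar one, can be turned into a checklist that runs before anything is copied off the machine. The script below is an added example, not the poster's or BleepingComputer's code: it sorts filenames into copy, skip and review, catching double extensions such as track.mp3.exe and names padded with spaces so the real extension scrolls out of view. The extension lists start from the ones named in the post; the extra data extensions, the sample filenames and the plan_from_directory helper are my additions.

```python
"""Sort files on a suspect machine into copy / skip / review before a data-only backup.

Applies the two rules from the post above (data extensions go; executables,
web pages and archives stay) plus the warning that malware may hide a second
extension behind the real one.
"""
import os
import re

# Rule 1 extensions named in the thread, plus a few obvious siblings
# (assumption on my part: .docx, .xls, .pdf, .png, .gif, .wav, .avi).
DATA_EXTENSIONS = {".doc", ".txt", ".mp3", ".jpg",
                   ".docx", ".xls", ".pdf", ".png", ".gif", ".wav", ".avi"}
# Rule 2 extensions named in the thread.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}
# Filenames the thread singles out (both spellings appear in the replies).
BLOCKED_NAMES = {"autorun.inf", "autorun.ini"}

# Constructed sample listing (not real files from the thread).
SAMPLE_NAMES = [
    "letters\\report.doc",
    "music\\track01.mp3",
    "photos\\holiday.jpg",
    "photos\\holiday.jpg                        .scr",   # padded to hide the real extension
    "music\\track02.mp3.exe",                             # double extension
    "downloads\\setup.exe",
    "autorun.inf",
    "misc\\notes.xyz",
]


def _normalize(filename):
    """Lower-case and drop whitespace runs used to push the true extension out of view."""
    return re.sub(r"\s+", "", filename).lower()


def extensions_of(filename):
    """All dotted suffixes, e.g. 'a.jpg.exe' -> ['.jpg', '.exe']."""
    parts = _normalize(filename).split(".")
    return ["." + p for p in parts[1:] if p]


def classify_name(filename):
    """Return (decision, reason) with decision in {'copy', 'skip', 'review'}."""
    if _normalize(filename) in BLOCKED_NAMES:
        return "skip", "blocked by name"
    exts = extensions_of(filename)
    if not exts:
        return "review", "no extension"
    final = exts[-1]
    if final in BLOCKED_EXTENSIONS:
        if any(e in DATA_EXTENSIONS for e in exts[:-1]):
            return "skip", f"disguised: looks like {exts[0]} but is really {final}"
        return "skip", f"blocked extension {final}"
    if final in DATA_EXTENSIONS:
        if any(e in BLOCKED_EXTENSIONS for e in exts[:-1]):
            return "review", f"odd name: {final} after {exts[0]}"
        return "copy", f"data extension {final}"
    return "review", f"unknown extension {final}"


def plan_from_names(paths):
    """Group relative paths by decision; only the final path component is judged."""
    plan = {"copy": [], "skip": [], "review": []}
    for path in paths:
        decision, reason = classify_name(path.replace("\\", "/").rsplit("/", 1)[-1])
        plan[decision].append((path, reason))
    return plan


def plan_from_directory(root):
    """Same grouping for a real directory tree; this only lists, it never copies."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            paths.append(os.path.relpath(os.path.join(dirpath, f), root))
    return plan_from_names(paths)


if __name__ == "__main__":
    for decision, items in plan_from_names(SAMPLE_NAMES).items():
        for path, reason in items:
            print(f"{decision:6}  {path}  ({reason})")
```

The "review" bucket is deliberate: an unfamiliar extension is neither trusted nor dropped silently, so the owner looks at it before it travels. Everything that ends up in "copy" should still be scanned on the clean side before it is put back, as the earlier reply recommends.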



