
Trojan Vundo PL, Vundo H Infection


This topic is locked
7 replies to this topic

#1 alan61


Posted 22 December 2009 - 05:51 AM

I've had minor infections in the past, usually solved by following the instructions of other fixed threads. This is a bad one and I really need help.

It started when I downloaded an episode of Criminal Minds over BitTorrent that required a "content license" that turned out to be the Vundo Trojan. My Google search results were being redirected to ad.yieldmanager.com and searchfindsite, and AVG Free/Spybot Search & Destroy detected infections in the Windows/Temp/ directory, but they kept coming back after being removed. I also tried Malwarebytes and ComboFix, but the registry keys seem familiar enough to me. Two were out of place, but there must be more because I'm still having problems.

I can't boot to Safe Mode. Upon loading the DOS libraries, the system restarts. Also, Root Repeal crashes my computer when I try to run a report. Here is my DDS log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Heikkila at 1:50:51.25 on Tue 12/22/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1356 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Timmmoore\MCE 2005 STB Controller\MyTray.exe
C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Heikkila\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Gyubawegum] rundll32.exe "c:\windows\ecolasiw.dll",Startup
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\heikkila\startm~1\programs\startup\dialog~1.lnk - c:\program files\vcom\powerdesk\pddlghlp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mytray.lnk - c:\windows\installer\{685c742f-b837-42a7-80b5-98cf94f621ae}\_937674D7D019413DEF3F25.exe
IE: &Clean Traces
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167253860359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\heikkila\applic~1\mozilla\firefox\profiles\s5qqni60.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.mytelus.com/new_homepage/
FF - component: c:\documents and settings\heikkila\application data\mozilla\firefox\profiles\s5qqni60.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npagent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {B7C53EC5-DE16-49AE-BCEB-229BC10019B7} - c:\documents and settings\heikkila\local settings\application data\{B7C53EC5-DE16-49AE-BCEB-229BC10019B7}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-8 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-8 28424]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-8 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-15 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-15 285392]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-10-11 12672]
R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-7-14 27992]
R2 sbbotdi;sbbotdi;c:\progra~1\speedb~1\sbbotdi.sys [2007-11-26 35584]
R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2009-8-17 1589704]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\speedb~1\videoacceleratorservice.exe -start -scm --> c:\progra~1\speedb~1\VideoAcceleratorService.exe -start -scm [?]
R3 3xHybrid;Instant HDTV PCI service;c:\windows\system32\drivers\3xHybrid.sys [2007-1-10 826752]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2007-1-11 332928]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\lbeepke.sys --> c:\windows\system32\drivers\LBeepKE.sys [?]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 AIO2;AIO2;c:\windows\system32\drivers\AIO2.SYS [2007-2-18 3946]
S3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [2003-11-11 22891]
S3 MSPANEL;AVC Panel Device;c:\windows\system32\drivers\mstapeo.sys [2005-4-24 49024]
S3 RTCore32;RTCore32;c:\program files\evga precision\RTCore32.sys [2005-5-25 4608]

=============== Created Last 30 ================

2009-12-21 18:39:49 120 ----a-w- c:\windows\Wwovun.dat
2009-12-21 18:39:49 0 ----a-w- c:\windows\Jkahobeyeyogom.bin
2009-12-21 17:32:14 1530 ----a-w- C:\Your PC Protector.lnk
2009-12-21 17:32:14 0 d-----w- C:\Your PC Protector
2009-12-21 16:31:08 0 d-----w- c:\program files\schtml
2009-12-21 16:27:15 36 ----a-w- c:\program files\skynet.dat
2009-12-21 16:27:08 56 ----a-w- c:\program files\wp4.dat
2009-12-21 16:27:08 3 ----a-w- c:\program files\wp3.dat
2009-12-21 16:27:00 0 d-----w- c:\program files\Your PC Protector
2009-12-21 08:39:22 0 d-----w- c:\program files\Trend Micro
2009-12-20 10:54:52 0 d-sha-r- C:\cmdcons
2009-12-20 10:51:43 98816 ----a-w- c:\windows\sed.exe
2009-12-20 10:51:43 77312 ----a-w- c:\windows\MBR.exe
2009-12-20 10:51:43 261632 ----a-w- c:\windows\PEV.exe
2009-12-20 10:51:43 161792 ----a-w- c:\windows\SWREG.exe
2009-12-19 07:43:38 0 d-----w- c:\documents and settings\heikkila\JScreenFix
2009-12-19 07:31:23 0 d-----w- C:\VundoFix Backups
2009-12-13 21:44:48 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-13 21:44:31 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-13 21:44:31 0 d-----w- c:\docume~1\heikkila\applic~1\SUPERAntiSpyware.com
2009-12-13 21:37:10 0 d-----w- c:\docume~1\heikkila\applic~1\Malwarebytes
2009-12-13 21:37:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-13 21:37:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-13 21:37:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-13 21:37:04 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-13 20:01:05 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure

==================== Find3M ====================

2009-12-21 16:27:14 9 ----a-w- c:\program files\nuar.old
2009-12-20 21:07:47 105344 ----a-w- c:\windows\system32\drivers\nvata.sys
2009-11-16 00:40:41 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-16 00:40:41 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-16 00:40:33 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-03 04:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:46:59 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 12:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2004-10-01 23:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2008-04-08 02:02:58 23 --sha-w- c:\windows\system32\ffbaf4_z.dll
2008-09-17 02:50:30 9392 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-07-08 12:52:34 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008070820080709\index.dat

============= FINISH: 1:52:40.25 ===============

I attached the attach.txt file from DDS, but as I mentioned previously, Root Repeal does not run properly. I thank you for your time on this and I hope you have enough information to help me.

EDIT: The Vundo variant is incorrect in the title. It is actually VundoJE.

Edited by alan61, 22 December 2009 - 05:32 PM.
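Two entries in the DDS log above are the ones an analyst would pick out first: the `mRun: [Gyubawegum] rundll32.exe "c:\windows\ecolasiw.dll",Startup` autorun (rundll32 loading a randomly named DLL dropped directly into the Windows directory, a typical Vundo pattern) and the `Hosts: 127.0.0.1 www.spywareinfo.com` line (a HOSTS override that blocks a security site). The script below is an added example, not part of the thread and not a DDS feature: it parses Pseudo HJT Report autorun lines and Hosts lines and flags those two patterns. The sample lines are constructed from the log posted above plus two benign lines for contrast; the heuristics (`dll_in_windows_root`, the `LOCAL_NAMES` allow-list) are assumptions for illustration, not a complete detection rule set.

```python
"""Triage helper for DDS 'Pseudo HJT Report' lines (added example, not a DDS feature).

Two defender-side heuristics that surface the Vundo entries in the posted log:
  1. an autorun (uRun/mRun/dRun) that uses rundll32 to load a DLL sitting
     directly in the Windows directory rather than under system32, and
  2. a HOSTS override that points a non-local hostname at the loopback
     address (used to block security-vendor sites).
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log posted in this thread,
# plus two benign lines (NvMediaCenter, localhost) for contrast.
SAMPLE_DDS_LINES = [
    r"mRun: [ehTray] c:\windows\ehome\ehtray.exe",
    r"mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit",
    r'mRun: [Gyubawegum] rundll32.exe "c:\windows\ecolasiw.dll",Startup',
    r"uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe",
    r"Hosts: 127.0.0.1 www.spywareinfo.com",
    r"Hosts: 127.0.0.1 localhost",
]

# uRun / mRun / dRun / dRunOnce lines: "[name] command"
RUN_RE = re.compile(r"^[umd]Run(?:Once)?:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$", re.I)
HOSTS_RE = re.compile(r"^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)", re.I)
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Assumed allow-list of names that legitimately resolve to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


@dataclass
class Finding:
    name: str      # autorun entry name or overridden hostname
    reason: str
    evidence: str  # the original log line


def rundll32_target(cmd: str):
    """Return the DLL path a rundll32 command loads, or None if it is not rundll32."""
    parts = cmd.strip().split(None, 1)
    if len(parts) < 2 or not parts[0].lower().endswith("rundll32.exe"):
        return None
    arg = parts[1].strip()
    if arg.startswith('"'):
        # quoted path: take everything up to the closing quote
        dll = arg[1:].split('"', 1)[0]
    else:
        # unquoted path: the export name follows the first comma
        dll = arg.split(",", 1)[0]
    return dll.strip()


def dll_in_windows_root(dll: str) -> bool:
    """True when the DLL's parent directory is the Windows directory itself (heuristic)."""
    parent = dll.lower().rsplit("\\", 1)[0]
    return parent in (r"c:\windows", "%windir%", "%systemroot%")


def triage(lines):
    """Scan DDS report lines and return a list of Finding objects."""
    findings = []
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            dll = rundll32_target(m.group("cmd"))
            if dll and dll_in_windows_root(dll):
                findings.append(Finding(m.group("name"),
                                        f"rundll32 loads DLL from Windows root: {dll}", line))
            continue
        h = HOSTS_RE.match(line)
        if h and h.group("ip") in LOOPBACK and h.group("host").lower() not in LOCAL_NAMES:
            findings.append(Finding(h.group("host"),
                                    f"HOSTS maps {h.group('host')} to {h.group('ip')}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS_LINES):
        print(f"[{f.name}] {f.reason}\n    {f.evidence}")
```

Run against the sample, the script reports only the Gyubawegum autorun and the spywareinfo.com HOSTS entry; the NVIDIA rundll32 line passes because its DLL lives under system32. In practice you would feed it the whole Pseudo HJT Report section and review each finding by hand, since a DLL in the Windows root is suspicious rather than conclusive.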


#2 Elise


Posted 04 January 2010 - 07:09 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log
Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.


Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 alan61


Posted 04 January 2010 - 03:35 PM

Hi elise025,

Thank you for reviewing my case. After unsuccessfully booting to safe mode using the F8 boot options, I foolishly set Windows to "start in safe mode on next boot." Unfortunately, this locked me in a loop since this malware restarts the PC on every attempt to start in safe mode. As a result, I had to wipe a backup HDD and install Windows fresh. The infected hard drive is still connected and the data intact, only the drive letter changed (swapped c: with e:). I have run some diagnostics of the infected HDD from the clean HDD, but all of them have come up false. Is it even possible to uncover these threats without having the original, infected registry loaded with the OS?

Regardless, I will follow your instructions and see if the data on this drive can be saved. When I get home from work, I'll begin the process and post my logs ASAP.

#4 Elise


Posted 04 January 2010 - 03:56 PM

Well, to get your infected drive booting again, it's easier to just put a backup of boot.ini back; this will fix the reboot loop.

You can do this by booting into the newly installed Windows, accessing the other drive and looking for c:\windows\pss\boot.ini.backup

Copy boot.ini.backup to the drive root (in this case e:\), rename the boot.ini you will find there (e:\boot.ini) to boot.ini.old and rename boot.ini.backup to boot.ini.
If you need more detailed instructions on this, please let me know!

It only makes sense to post logs from your infected drive. If you were not able to successfully get the original primary hard drive booting, just let me know; do not attempt to run the scans from the newly installed Windows, as that doesn't give me the data I need to see.

Edited by elise025, 04 January 2010 - 03:57 PM.

regards, Elise




#5 alan61


Posted 08 January 2010 - 04:12 AM

Hi Elise,

The boot.ini edit worked just fine. I reordered my drives in the BIOS and booted to the infected drive to run DDS and GMER. Well, DDS ran fine. But during the GMER scan the system would slow to a grind and the desktop froze during several attempts. I tried removing extra background programs and about 2 hours into one attempt the system rebooted (possibly crashed, but I wasn't watching the activity at the time.)

I've given it my best shot, but since this drive is part of a media center and doesn't contain a lot of irreplaceable data, I don't think it deserves the expert time it would take to clean it. I have two other, larger drives too and already have a fresh OS running on one. I saved the really important data and needed a clean start.

Thanks for your time.

#6 Elise


Posted 08 January 2010 - 07:01 AM

Okay, let me know if you have any more questions or if I can close this topic :(

regards, Elise




#7 alan61


Posted 08 January 2010 - 03:39 PM

Please close, thanks.

#8 Elise


Posted 08 January 2010 - 03:40 PM

Topic closed.

regards, Elise






