
Vundo Trojan


This topic is locked
11 replies to this topic

#1 Gorgatron

  • Members
  • 11 posts

Posted 01 March 2010 - 10:00 PM

Hello there, now and then reader, first time poster. My Aunt recently complained that her laptop was "making funny noises" when she was trying to type and I responded that it was probably a virus or she dumped some liquid on the keyboard. Being reassured that there was never any water near the computer I asked to take a look at it. I found in her AVG virus database "Vundo.KE" in multiple entries along with some other titles like "generic trojan" and such. I'm not all that great with computer software or trying to repair them so I turn to you all here.

First off, the beeping only occurs when I use the keyboard on the laptop itself. I can type just fine using this Logitech wireless keyboard/mouse combo. Second issue, I have attempted to run the GMER scan several times and have had the same results. That is a blue screen and a restart stating driver failure. I don't know how to set the computer to display the blue screen longer so I can nab the information.

I guess from here I will provide you with what I've managed to get so far and wait for some assistance on getting a GMER log for you all.



DDS (Ver_09-12-01.01) - NTFSx86
Run by Tbalog at 19:42:30.07 on Mon 03/01/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.254 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\DOCUME~1\tbalog\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\tbalog\Desktop\virus fighting software\Defogger.exe
C:\Documents and Settings\tbalog\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Preload] c:\windows\RUNXMLPL.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{b5cb0955-2a43-42f4-a44f-5c2bfc52e977}\Icon3E5562ED7.ico
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoPublishingWizard = 0 (0x0)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-28 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-28 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-28 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-2-28 285392]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-27 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100104.004\naveng.sys [2010-1-5 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100104.004\navex15.sys [2010-1-5 1323568]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2008-7-7 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2008-5-9 174336]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2009-2-22 29824]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2009-2-22 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2009-2-22 39936]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2009-2-22 59776]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2010-03-01 01:50:30 0 ----a-w- c:\documents and settings\tbalog\defogger_reenable
2010-03-01 01:37:32 0 d-----w- c:\windows\system32\NtmsData
2010-03-01 01:10:40 0 d-----w- c:\program files\TrendMicro
2010-03-01 00:14:03 0 d-sha-r- C:\cmdcons
2010-03-01 00:11:51 98816 ----a-w- c:\windows\sed.exe
2010-03-01 00:11:51 77312 ----a-w- c:\windows\MBR.exe
2010-03-01 00:11:51 261632 ----a-w- c:\windows\PEV.exe
2010-03-01 00:11:51 161792 ----a-w- c:\windows\SWREG.exe
2010-02-28 23:28:31 0 d-----w- c:\windows\pss
2010-02-28 22:01:28 0 d-----w- C:\$AVG
2010-02-28 22:01:12 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-28 22:01:12 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-28 22:00:59 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-28 22:00:44 0 d-----w- c:\windows\system32\drivers\Avg
2010-02-28 22:00:20 0 d-----w- c:\program files\AVG
2010-02-28 22:00:17 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-02-28 21:35:37 0 d-----w- c:\program files\Free Window Registry Repair
2010-02-18 20:19:14 0 d-----w- c:\windows\Security

==================== Find3M ====================

2009-12-31 15:33:06 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-18 13:05:43 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-12-18 13:04:09 161792 ------w- c:\windows\system32\dllcache\ieakui.dll

============= FINISH: 19:43:10.45 ===============


#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 March 2010 - 07:14 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please run Gmer, a rootkit scanner

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#3 Gorgatron

  • Topic Starter
  • Members
  • 11 posts

Posted 07 March 2010 - 09:09 PM

I'm here and currently fighting with GMER still. I'm unable to run the computer in safe mode thanks to w/e software her company put on the laptop. Clearly she doesn't have full administrative rights over this laptop. Thanks to that I have been trying to get the scan to complete and save... w/o any success which is highly aggravating to me. I have been able to get the scan to complete a few times but once I click on either save or copy it just freezes the computer. I have been trying this for well over 3 hours tonight and about another 2 or so the night before, when I realized I got a response.

At least it isn't going through the blue screen phase anymore and it seems to be running the scan faster. I have noticed another symptom, the beeping of the computer stems from what seems to be "stuck" keys. It's as if someone rested their hands on a key and it continues to count the stroke indefinitely (until I press a few keys on the laptop, which seems to open it up again for use). The keystrokes it registers are also not limited to a single key. I opened up word to see what keys were in use and it was everything from punctuation to numbers. It also seems to use the ctrl and alt buttons as it would open other features in word when I tested this.

Here's hoping I can get the scan to at least copy over and thanks for the welcome and in advance for the help. Though I wish I knew more about this stuff, still a greenhorn on these Trojan matters.

Seems I spoke too soon about the blue screen issues.

/sigh off to try again.

/edit "Me fail english, that's unpossible!"

Edited by Gorgatron, 07 March 2010 - 09:12 PM.


#4 Gorgatron

  • Topic Starter
  • Members
  • 11 posts

Posted 08 March 2010 - 10:59 AM

After some 20+ attempts I finally managed to get it to copy over to the forums. I'm unable to save a hard copy of it as it just freezes the computer with every attempt. The symptoms are getting worse by the day, even after last night it took me around 4 or 5 restarts this morning just to get it up and going again. It was running everything from blue screens to just shutting down again (perhaps a mess up in the post?). I couldn't get it to boot from anything but "last known good configuration" under the F8 menu and even then it was hit or miss. Safe Mode wouldn't start (not that I can do anything in it anyway) and a normal boot wouldn't start it.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-08 08:58:49
Windows 5.1.2600 Service Pack 2
Running: hl90st8l.exe; Driver: C:\DOCUME~1\tbalog\LOCALS~1\Temp\kxtyipob.sys


---- System - GMER 1.0.15 ----

SSDT 872CAA98 ZwAlertResumeThread
SSDT 872D0A98 ZwAlertThread
SSDT 87341A88 ZwAllocateVirtualMemory
SSDT 875B6768 ZwConnectPort
SSDT 872B8A98 ZwCreateMutant
SSDT 87320A88 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAA08E350]
SSDT 87337A98 ZwFreeVirtualMemory
SSDT 872BEA98 ZwImpersonateAnonymousToken
SSDT 872C4A98 ZwImpersonateThread
SSDT 876D2A70 ZwMapViewOfSection
SSDT 872B2A98 ZwOpenEvent
SSDT 8731AA98 ZwOpenProcessToken
SSDT 8734EA98 ZwOpenThreadToken
SSDT 872ACA88 ZwQueryValueKey
SSDT 87531738 ZwResumeThread
SSDT 87346A98 ZwSetContextThread
SSDT 87357A98 ZwSetInformationProcess
SSDT 872E4A98 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAA08E580]
SSDT 872A6A98 ZwSuspendProcess
SSDT 872D8A98 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA9CE20B0]
SSDT 872DEA98 ZwTerminateThread
SSDT 87353A98 ZwUnmapViewOfSection
SSDT 8733DA88 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2D2C 80504598 4 Bytes JMP 4006872B
.text ntkrnlpa.exe!ZwCallbackReturn + 2DCC 80504638 4 Bytes JMP C1AC8734

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device A8345C8A

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- EOF - GMER 1.0.15 ----

Edited by Gorgatron, 08 March 2010 - 11:06 AM.


#5 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 08 March 2010 - 01:30 PM

Gmer is clean unbelievably.


Can you run Rkill please

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.

Now try MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks

#6 Gorgatron

  • Topic Starter
  • Members
  • 11 posts

Posted 08 March 2010 - 08:56 PM

Malwarebytes' Anti-Malware 1.44
Database version: 3838
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

3/8/2010 6:53:16 PM
mbam-log-2010-03-08 (18-53-16).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 205087
Time elapsed: 35 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-1-5-21-3550011993-947635804-818176903-1644\Dc1.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AFDD5784-4FFA-413C-84B1-64EE165D77E0}\RP270\A0114613.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AFDD5784-4FFA-413C-84B1-64EE165D77E0}\RP272\A0116939.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.


#7 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 09 March 2010 - 07:22 PM

The remnants of TDSS show up in MBAM, but nothing "live".

How are the symptoms on the PC?
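As an added example (not code from the thread, from MBAM or from BleepingComputer), this Python triage of the MBAM log above separates the "remnant" hits m0le describes, copies held in System Restore points and the Recycle Bin, from detections in memory or in locations where a file could still be in use. The sample excerpt is constructed from the log posted in this thread; the location classes and the verdict wording are this example's own.

```python
import re

# Constructed sample log excerpt. The three file lines and the _restore{...} GUID are
# taken from the MBAM 1.44 log posted in this thread; the counters mirror its summary
# section. This is example code, not MBAM's own parser.
SAMPLE_LOG = r"""
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Files Infected: 3

Files Infected:
C:\RECYCLER\S-1-5-21-3550011993-947635804-818176903-1644\Dc1.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AFDD5784-4FFA-413C-84B1-64EE165D77E0}\RP270\A0114613.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AFDD5784-4FFA-413C-84B1-64EE165D77E0}\RP272\A0116939.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""

# One detection line: "<drive>:\<path> (<detection name>) -> <action>."
FILE_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
# Summary counters such as "Memory Modules Infected: 0".
COUNTER_LINE = re.compile(r"^(?P<what>[A-Za-z ]+?) Infected: (?P<n>\d+)$")
# System Restore keeps archived copies under _restore{GUID}\RPnnn\ ; they are not loaded.
RESTORE_POINT = re.compile(r"\\system volume information\\_restore\{[0-9a-f-]+\}\\rp(?P<rp>\d+)\\", re.I)
# Files already deleted by the user sit in RECYCLER (XP) or $Recycle.Bin (Vista and later).
RECYCLE_BIN = re.compile(r"\\(recycler|\$recycle\.bin)\\", re.I)


def classify_path(path: str) -> tuple:
    """Return (location_class, restore_point_number_or_None) for a detected file."""
    m = RESTORE_POINT.search(path)
    if m:
        # Archived by System Restore: inert now, but it would come back if the user
        # rolled the system back to that restore point.
        return "restore-point copy", int(m.group("rp"))
    if RECYCLE_BIN.search(path):
        # Waiting in the bin to be purged; not an active component.
        return "recycle-bin copy", None
    # Anything else (system32, Program Files, the user profile...) could be in use.
    return "active location", None


def triage(log_text: str) -> dict:
    """Parse an MBAM log and sort file detections by whether they could be live."""
    counters, findings = {}, []
    for raw in log_text.splitlines():
        line = raw.strip()
        c = COUNTER_LINE.match(line)
        if c:
            counters[c.group("what")] = int(c.group("n"))
            continue
        f = FILE_LINE.match(line)
        if f:
            location, rp = classify_path(f.group("path"))
            findings.append({"path": f.group("path"), "detection": f.group("detection"),
                             "action": f.group("action"), "location": location,
                             "restore_point": rp})
    # Anything hooked into a running process or loaded module is live by definition.
    live_memory = counters.get("Memory Processes", 0) + counters.get("Memory Modules", 0) > 0
    active = [x for x in findings if x["location"] == "active location"]
    return {"counters": counters, "findings": findings,
            "live_memory": live_memory, "active_findings": active}


def verdict(result: dict) -> str:
    """One-line reading of the triage result."""
    if result["live_memory"] or result["active_findings"]:
        return "possibly active: review memory hits and files in active locations"
    if result["findings"]:
        return "remnants only: hits confined to restore points / recycle bin"
    return "clean"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for item in result["findings"]:
        rp = f" (RP{item['restore_point']})" if item["restore_point"] else ""
        print(f"{item['location']:<20}{rp:<9} {item['detection']:<16} {item['path']}")
    print(verdict(result))
```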

#8 Gorgatron

  • Topic Starter
  • Members
  • 11 posts

Posted 09 March 2010 - 10:53 PM

Keyboard still doesn't work properly. It seems like tab in combination with ctrl or alt is almost always in use as it opens all sorts of things itself and random characters always appear after a single keystroke. Otherwise, restarts are not so bad... if you can handle all the happy beeps from tab being used (no more blue screens so far). Can't thank you enough for the help so far! One small step in the right direction after almost a solid week of yelling at it (like it's going to do me or the computer any good).

#9 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 10 March 2010 - 06:03 PM

Some of these symptoms are leaning towards a hardware issue with the keyboard. It could be a software problem also.

Do you have a spare keyboard you can use to test?

If so, please uninstall any keyboard software and unplug your keyboard. Install the new one (or plug it in) and let me know if the problems are the same.

If not, it may be an idea to get hold of one just to check this.


There are, of course, TDSS rootkit traces on the PC which MBAM found so we should see what else may be left behind.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Thanks

#10 Gorgatron

  • Topic Starter
  • Members
  • 11 posts

Posted 11 March 2010 - 12:50 AM

No threats found...

I guess at this point I can try looking up some drivers for the laptop keyboard, is there a chance any of those could have been damaged? If not, I'm guessing someone got the keyboard wet and that's the reason it's acting this way. Good ol' fashioned electrical shorts on the circuit board!

In answer to the extra keyboards, I have two sets of Logitech wireless keyboard/mouse combos I can test out on this laptop if needed. Only thing I'm not sure of is how to stop the use of the laptop keyboard. What I can say is that using this wireless that I'm using now doesn't recreate the problems that I get when trying to use the laptop keyboard. I'm not motivated enough to take this thing apart to see if there is a short on the keyboard so if I end up exhausting ideas here I will be returning it to her (at least in virus free condition).

Again, I can't thank you enough for the help you have provided here. This thing went from 1 step away from the edge of oblivion (at least in my eyes) back to a nearly normal working machine again.

Many thanks m0le.

#11 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 11 March 2010 - 04:56 PM

You're welcome Gorgatron.

I will keep the topic open in case the keyboard issue doesn't completely deal with it. PM me after that.

#12 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 15 March 2010 - 09:19 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.