#1
    Registered User

    Antivirus disabled


    This is my first time here, and after reading the "Start Here" sticky I did a search for this, but it returned nothing. I hope this is the right spot. I can't install anything on the drive at the moment, so I'm not sure what to do next.

    The problem is that one day a message popped up on my machine that said something about Windows saying my computer is infected by a virus, and would I like to turn on my antivirus software. I already had AVG installed on my computer and didn't need to turn anything on, so I figured it was a trick pop-up window and closed it. A few seconds later it popped up on the screen again, and I then noticed the AVG icon wasn't in the tray in the lower right of the desktop. I tried to start it up by clicking on its icon in the Start menu, and it said it was damaged and couldn't run. So I shut the computer off while trying to figure out what to do. I thought I would try to download another antivirus program and install it quickly, but as soon as the computer was booted up the messages popped up again, about "windows desktop pc" or something, saying the computer is infected with several viruses and may be stealing my passwords at that very moment. I then just pulled the plug, worrying that if it was a virus I wanted to limit the possible damage to important data on my hard drives.

    I installed the hard drive in question as a slave drive alongside another known-working hard drive with the same Windows XP running on it, then ran several antivirus programs (Avira, Avast, and a Norton free trial, to see if it could solve the problem; it didn't find anything either). Just for clarity, I didn't run them together: I installed one, tried it, shut it down, then tried the next.

    I also tried several malware programs from download.com: Malwarebytes, IObit Security 360, Ad-Aware, and Malware Sweeper, which Ad-Aware said was malware and wouldn't allow to start up. None of them found anything except your average run-of-the-mill stuff like cookies. I don't know what the next step should be; I'm afraid to boot up the drive in question until the problem is found. I'm running Windows XP Home Edition SP2.

    One other question, if anyone might be able to answer it: I notice when all these programs run they say they are checking the registry on the root drive as they go through the progression of the scans. I never saw them say anything about the registry on the drive in question when they got to it, since it is running as a slave drive in the system now. I'm not sure how that works. Does the drive with the operating system that is infected have to be booted up and running for the programs to find viruses in that drive's registry? Thanks for any suggestions you might have.

    Thanks
#2
    They're coming to take me away

    Have you tried booting the problem drive into Safe Mode and installing and running the programs from there?
#3
    Registered User

    No, I wasn't sure if the virus, if that's what it is, could run in Safe Mode. I'll try that and see what happens.

    Thanks for the response
#4
    Registered User

    Hiker, I tried booting into Safe Mode and installed and ran the programs from there. The malware programs found nothing but cookies; the antivirus program Avast restarted and ran at boot-up and found a few files in the Temporary Internet Files folders for Internet Explorer, which I never use, so I'm not sure if they would have been any concern. The files were randomly named and listed like "A0091430.exe is infected by win32:Malware-Gen". I rebooted normally with Avast installed, and the virus warnings are not popping up at the moment. I can't figure out why. And the AVG software is running in the lower screen again; I have no idea why it appears to be working. So I have two AVs running now, AVG and Avast. Not sure if they are supposed to be running at the same time.

    Even though it appears to be gone, since nothing was really caught and identified I'm not sure I feel safe running it. How can I be sure it's safe? Any ideas would be greatly appreciated if any one might know.

    Also, does anyone know if XP would have a pop-up window that says something like "windows desktop pc" and tells you a virus is stealing information like passwords from your computer? It happened so fast I can't recall exactly how it looked.
    Thanks
#5
    They're coming to take me away

    If it appears to be running normally, run all the programs in the Sticky as before... post back with the logs as requested. Just because it may seem normal, doesn't mean it is.
#6
    Registered User

    OK, I had trouble getting some stuff to run, but eventually got the scans. The only one that didn't run was the online scan, since I seem to have no internet connection now, not sure why. So I downloaded the software on another computer and transferred it to the problem drive. I did run scans with a couple of other antivirus programs; they were able to connect for updates in Safe Mode. I don't know why some programs can and others can't, though.

    The SUPERAntiSpyware program kept shutting down and getting a blue screen when it was checking the logical drive D, so I unchecked it in the start area so it would only check drive C, and then it ran fine; not sure what would cause that. After everything was done and I booted the problem drive up, a minute or so later Avast antivirus displayed a warning that something had made some kind of contact and asked if I wanted to break the connection, so not knowing what else to do I quickly clicked yes and shut it back down, not knowing if something was actually taking place. I am posting the logs that I have below.


    Malwarebytes' Anti-Malware 1.44
    Database version: 3573
    Windows 5.1.2600 Service Pack 2 (Safe Mode)
    Internet Explorer 6.0.2900.2180

    1/15/2010 8:49:20 PM
    mbam-log-2010-01-15 (20-49-20).txt

    Scan type: Quick Scan
    Objects scanned: 102368
    Time elapsed: 3 minute(s), 10 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 8
    Registry Values Infected: 2
    Registry Data Items Infected: 6
    Folders Infected: 1
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\piufumed (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

    Files Infected:
    C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
    C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
    C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.

    ------------------------------------------------------------------------------------------------------------------------------------------------------


    SUPERAntiSpyware Scan Log

    Generated 01/16/2010 at 02:47 PM

    Application Version : 4.33.1000

    Core Rules Database Version : 4446
    Trace Rules Database Version: 1978

    Scan type : Complete Scan
    Total Scan Time : 00:45:04

    Memory items scanned : 402
    Memory threats detected : 0
    Registry items scanned : 3576
    Registry threats detected : 37
    File items scanned : 17033
    File threats detected : 0

    Rogue.Agent/Gen
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#aazalirt
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#skaaanret
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#jungertab
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#zibaglertz
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#iddqdops
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#ronitfst
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#tobmygers
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#jikglond
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#tobykke
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#klopnidret
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#jiklagka
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#salrtybek
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#seeukluba
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#jrjakdsd
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#krkdkdkee
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#dkewiizkjdks
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#dkekkrkska
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#rkaskssd
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#kuruhccdsdd
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#krujmmwlrra
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#kkwknrbsggeg
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#ktknamwerr
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#iqmcnoeqz
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#ienotas
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#krkmahejdk
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#otpeppggq
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#krtawefg
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#oranerkka
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#kitiiwhaas
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#otowjdseww
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#otnnbektre
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#oropbbsee
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#irprokwks
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#ooorjaas
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#id
    HKU\S-1-5-21-515967899-362288127-682003330-1004\SOFTWARE\AVSCAN#ready

    -----------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:19:35 PM, on 1/16/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Security\HiJackThis\HijackThis.exe
    C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Security\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Multi-Media\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Security\Sygate\smc.exe -startgui
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Security\ALWILS~1\Avast4\ashDisp.exe
    O4 - Global Startup: Wireless Network Monitor.lnk = C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Security\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Security\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\Security\SuperAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Security\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Security\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Security\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Security\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Security\Sygate\smc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 4254 bytes

    -----------------------------------------------------------------------------------------------------------------------------
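The question in the first post (whether the infected drive has to be booted for a scanner to see its registry) and the Winlogon and Security Center findings in the Malwarebytes log above are connected: the SOFTWARE hive on the slave drive is just a file, and from the clean XP host it can be attached with `reg load HKLM\Offline D:\WINDOWS\system32\config\software`, dumped with `reg query "HKLM\Offline\Microsoft\Windows NT\CurrentVersion\Winlogon"` and `reg query "HKLM\Offline\Microsoft\Security Center"`, and released with `reg unload HKLM\Offline`, all without booting the infected install. The Python script below is an added example, not code from this thread or from any of the tools mentioned in it. It parses `reg query` text for those two keys and flags a Userinit value carrying anything beyond userinit.exe (the exact persistence the log reports as Hijack.Userinit and Spyware.Zbot) and any *DisableNotify value set to 1. The `HKLM\Offline` mount name, the `D:` drive letter, the `C:\WINDOWS` install path and both hive dumps embedded in the script are constructed assumptions; the suspicious data mirrors the log.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample: what `reg query` prints for the two keys of interest
# when the infected SOFTWARE hive is loaded offline under the hypothetical
# mount name HKLM\Offline. The Userinit and *DisableNotify data mirror the
# Malwarebytes findings in the thread.
INFECTED_HIVE = r"""
HKEY_LOCAL_MACHINE\Offline\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,

HKEY_LOCAL_MACHINE\Offline\Microsoft\Security Center
    AntiVirusDisableNotify    REG_DWORD    0x1
    FirewallDisableNotify    REG_DWORD    0x1
    UpdatesDisableNotify    REG_DWORD    0x1
"""

# The same keys as they look on a stock XP SP2 hive (also constructed).
CLEAN_HIVE = r"""
HKEY_LOCAL_MACHINE\Offline\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,

HKEY_LOCAL_MACHINE\Offline\Microsoft\Security Center
    AntiVirusDisableNotify    REG_DWORD    0x0
    FirewallDisableNotify    REG_DWORD    0x0
    UpdatesDisableNotify    REG_DWORD    0x0
"""

Finding = Tuple[str, str, str]  # (key path, value name, why it is suspicious)

# `reg query` separates value name, type and data with runs of four spaces.
_VALUE_LINE = re.compile(r"^\s+(.+?)\s{4}(REG_[A-Z_]+)\s{4}(.*)$")

# Assumes Windows lives in C:\WINDOWS, as the HijackThis log shows; adjust
# if the offline install is somewhere else.
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe", "userinit.exe"}


def parse_reg_query(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Turn `reg query` output into {key path: {value name: (type, data)}}."""
    keys: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys.setdefault(current, {})
            continue
        match = _VALUE_LINE.match(line)
        if match and current is not None:
            name, vtype, data = match.groups()
            keys[current][name] = (vtype, data.rstrip())
    return keys


def _norm(entry: str) -> str:
    return entry.strip().strip('"').lower()


def check_winlogon(key: str, values: Dict[str, Tuple[str, str]]) -> List[Finding]:
    """Winlogon runs every comma-separated Userinit entry at logon, which is
    why Zbot appends sdra64.exe there; anything beyond userinit.exe is flagged,
    as is a Shell value other than Explorer.exe."""
    findings: List[Finding] = []
    for entry in values.get("Userinit", ("REG_SZ", ""))[1].split(","):
        entry = _norm(entry)
        if entry and entry not in EXPECTED_USERINIT:
            findings.append((key, "Userinit", f"extra logon program: {entry}"))
    for entry in values.get("Shell", ("REG_SZ", ""))[1].split(","):
        entry = _norm(entry)
        if entry and entry != "explorer.exe":
            findings.append((key, "Shell", f"unexpected shell: {entry}"))
    return findings


def check_security_center(key: str, values: Dict[str, Tuple[str, str]]) -> List[Finding]:
    """A non-zero *DisableNotify DWORD silences the Security Center warning
    XP would otherwise raise when antivirus, firewall or updates go missing."""
    findings: List[Finding] = []
    for name, (vtype, data) in values.items():
        if name.endswith("DisableNotify") and vtype == "REG_DWORD" and int(data, 16) != 0:
            findings.append((key, name, f"notifications suppressed ({data})"))
    return findings


def triage(reg_query_text: str) -> List[Finding]:
    """Run both checks over whatever keys appear in the `reg query` text."""
    findings: List[Finding] = []
    for key, values in parse_reg_query(reg_query_text).items():
        lowered = key.lower()
        if lowered.endswith(r"\currentversion\winlogon"):
            findings += check_winlogon(key, values)
        elif lowered.endswith(r"\security center"):
            findings += check_security_center(key, values)
    return findings


if __name__ == "__main__":
    # Pass a file of `reg query` output, or run with no arguments for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else INFECTED_HIVE
    for key, name, why in triage(text):
        print(f"{key}\n  {name}: {why}")
```

Redirect the two `reg query` commands into a text file on the clean host and pass that file as the script's argument. Two caveats: `reg load` needs an elevated prompt and a hive that is not in use, so it only works against the slave drive, never the running system; and the HKEY_USERS entries in the Malwarebytes log live in other files (`config\default` for .DEFAULT and S-1-5-18, each profile's NTUSER.DAT for the S-1-5-21-... keys SUPERAntiSpyware listed), so those need their own `reg load`.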
