Major Virus Infection

Hewlett-Packard Compaq nx9030 notebook
August 7, 2009 at 17:36:09
Specs: Windows XP
Okay, I am opening this thread on behalf of my sister, who posted here earlier today. I'm opening a new thread, because I think her old one was not very clear.

Her computer is infected with some huge virus and several areas have been affected:

- No mouse control -- cursor simply stays in the middle of the screen
- No internet connection
- Networks do not show up -- Network Connections folder is completely empty
- Cannot start in safe mode
- USB ports are being read; so things like flash drives don't work
- The standby button on the standby/shutdown/restart menu is faded out.

She tried reinstalling the driver for the mouse, but a dialogue box (from the virus) opened up and said that "automatic installer" cannot be run. After that all of the files in the Synaptic folder were changed to have a "modify" date of today.

As per previous suggestions, we've disabled System Restore.

We've already run numerous scans using
- SUPER Anti-Spyware
- Malwarebytes
- Avast -- including a boot scan

We've also run:
- CCleaner -- wiped free space, also checked for registry issues
- ATF Cleaner, with all options checked.

In CCleaner, we found a file called "advanced virus protection" in the startup section.

It's pretty impossible to run any other scanners, like Spyware Doctor or AVG, since they require an internet connection, which she doesn't have.

Earlier, she hadn't been able to run Task Manager, but for some reason it works now. Her wallpaper had been changed too, but it's back to normal now.

Any ideas as to what to do? A lot of the scanners that we are using aren't really finding anything anymore, but her computer is still obviously infected.

It's so annoying, but the virus always seems to be one step ahead, disabling all the things that we try to do to fix it. Even not having mouse control is SO ANNOYING.

If anyone could help, I'd really appreciate it!
Thanks a lot~!





#1
August 7, 2009 at 19:05:48
Here are the MalwareBytes Logs for

Aug. 6th:

Malwarebytes' Anti-Malware 1.36
Database version: 2002
Windows 5.1.2600 Service Pack 3

8/6/2009 9:56:23 PM
mbam-log-2009-08-06 (21-56-23).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 39561
Time elapsed: 22 hour(s), 50 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 4
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\duzirasa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tumiwipe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\husinobe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\giyeniyo.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5d4d0e7f-d809-4c6e-87f8-82e8b2e0a937} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5d4d0e7f-d809-4c6e-87f8-82e8b2e0a937} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5d4d0e7f-d809-4c6e-87f8-82e8b2e0a937} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fidizenesa (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmc3559bfa (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\duzirasa.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\giyeniyo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\giyeniyo.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\husinobe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\duzirasa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tumiwipe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\giyeniyo.dll (Trojan.Vundo.H) -> Delete on reboot.



#2
August 7, 2009 at 19:05:59
And August 7th (Today)

Malwarebytes' Anti-Malware 1.36
Database version: 2002
Windows 5.1.2600 Service Pack 3

8/7/2009 11:12:08 AM
mbam-log-2009-08-07 (11-12-08).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 117902
Time elapsed: 47 minute(s), 45 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 8
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msupdate (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.Data) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\msupdate.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
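
As an added example (not part of the thread or of Malwarebytes), a small Python parser for the log format posted above: it groups each detection by the registry location it used as a foothold and flags entries marked "Delete on reboot", which are still on disk until the machine restarts. The mechanism labels are this example's own wording, and the sample input is excerpted from the logs in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: lines excerpted from the Malwarebytes logs posted above.
SAMPLE_LOG = r"""Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fidizenesa (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\duzirasa.dll -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\husinobe.dll (Trojan.Vundo.H) -> Delete on reboot.
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<item> (<threat>) -> [<detail> ->] <action>"
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")

# Registry locations that give the malware a foothold (first match wins);
# the labels are this example's own wording, not Malwarebytes categories.
MECHANISMS = [
    ("\\currentversion\\run\\", "Run key autostart"),
    ("appinit_dlls", "AppInit_DLLs loaded into every GUI process"),
    ("notification packages", "LSA notification package loaded by lsass"),
    ("\\policies\\", "Policy tampering (Task Manager/desktop lockout)"),
]

def parse_mbam_log(text):
    """Return one dict per detection line, tagged with its log section."""
    findings, section = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := SECTION_RE.match(line):
            section = m["section"]
        elif section and (m := ENTRY_RE.match(line)):
            *detail, action = [p.strip() for p in m["rest"].split("->")]
            findings.append({"section": section, "item": m["item"],
                             "threat": m["threat"], "action": action,
                             "detail": " ".join(detail)})
    return findings

def summarize(findings):
    """Group findings by mechanism; list items only removed at next reboot."""
    by_mech, pending = defaultdict(list), []
    for f in findings:
        low = f["item"].lower()
        mech = next((lbl for key, lbl in MECHANISMS if key in low), "other")
        by_mech[mech].append(f["item"])
        if "reboot" in f["action"].lower():   # still on disk until restart
            pending.append(f["item"])
    return {"by_mechanism": dict(by_mech), "pending_reboot": pending}
```

Running `summarize(parse_mbam_log(SAMPLE_LOG))` shows one Run-key entry, one AppInit_DLLs entry, one policy entry and one file still pending a reboot, which is why a scan that reports "deleted successfully" can leave the machine behaving as infected until it has been restarted.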



#3
August 7, 2009 at 19:20:58
Download and run Kaspersky AVP tool in safe mode: http://devbuilds.kaspersky-labs.com...
Once you download and start the tool in safe mode:
1. Check the options below:
   - Select all the objects/places to be scanned.
   - Settings > put it all the way to High
2. Click Scan
3. Fix what it detects
4. Zip/Rar the scan log/summary and upload it to rapidshare.com. Post the download link in your next message.

Illustrated tutorial: http://img32.imageshack.us/img32/76...

If I'm helping you and I don't reply within 24 hours send me a PM.



#4
August 7, 2009 at 19:46:18
Thanks~
I'll burn the program to a CD and give it to my sis, then post up the results as soon as the scans are done.

thanks again for your help!



#5
August 7, 2009 at 23:18:01
You may also want to run Trojan Remover:
http://www.simplysup.com/tremover/d...
It will remove any trojans you may have and is a quick scan.

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#6
August 8, 2009 at 00:51:18
Alright, here is the link to the logfile on rapidshare:
http://rapidshare.com/files/2650146...

It's surprisingly huge for a text file: 62 MB... hope that's normal...

Again, thanks for your help!



#7
August 8, 2009 at 17:04:54
We've been trying to reinstall the drivers for various devices, since in Device Manager there are a lot of things (like network adapters, mouse, audio) that have little yellow question marks.

However, we keep getting messages that say "failed to uninstall the device. the device may be required to boot up the computer"... How can a mouse driver be required to boot up the system?

