A multitude of virus-created issues

Discussion in 'Malware Help (A Specialist Will Reply)' started by dmatulich, Jan 9, 2009.

  1. dmatulich

    dmatulich Private E-2

    Usually, between the tools I have and Google, I can get rid of any annoying malware that manages to find its way on to my system, but this is something that is completely boggling me. Earlier today I installed a game given to me by a friend who had not yet installed it himself and I noticed things slowing down even before the install process had really started copying files. I noticed a bunch of strange items in task manager so I aborted but it was too late and the system was already infected.

    My system:

    Windows XP Home SP 2


    Current symptoms include:

    (1) General slowness
    (2) Resetting folder options so I cannot see file extensions or hidden files
    (3) Access to Folder Options has been removed so I cannot change it to allow seeing extensions or hidden files
    (4) When I try to log in to Windows it brings up a Windows login screen requiring username/password, defaulting to Administrator. When I enter the administrator password it tells me that it cannot log in due to some user settings, or something like that. This happens before the normal Welcome screen which I used to see (I have never needed to enter a password to log in). I am only able to access the system via Safe Mode (with and without networking).
    (5) The following dll files present in /system32/: pmnLdccD.dll, fccdbBqQ.dll, gseb37dkjgfgf.dll, and lfgessru32.dll
    (6) Up to 3 instances of iexplore.exe running as SYSTEM processes all the time regardless of whether or not I am using the browser
    (7) 11 different instances of svchost.exe running (typically 4 or 5?)
    (8) Csrssc.exe running on occasion
    (9) The following file present in /system32/drivers/: ati1ubxx (unable to see extension, but it was created at the time of infection and cannot be removed)
    (10) Unable to access any antivirus sites (I get page not found errors). This includes Symantec, Spybot, Lavasoft, and even Major Geeks. I even tried some lesser known sites and many of them were also blocked.
    (11) Spybot is shut down before it even opens (worked fine last week)
    (12) Combofix is shut down before it opens
    (13) I am unable to access Regedit, even when logged on as administrator (tells me administrator has restricted my access)
    (14) I am unable to install new programs, even when logged on as administrator (tells me administrator has set policies to prevent this)

    What I've tried so far:

    I am unable to run Spybot unfortunately as the virus seems to target it and prevents it from opening. Same goes for Combofix.

    Hijack this still works though.

    I have tried Killbox to get rid of the dll files but it says that they cannot be deleted. When I try to have them killed on reboot the process of shutting down is interrupted and Killbox informs me that some third party software has interfered.

    I tried running AdAware, which detected a few trojans, but wasn't able to remove them.

    At first I thought I had Vundo, so I downloaded a fix and ran it but it was unable to detect its presence. I have also run SmitFraud remover, which did detect and (supposedly) remove the virus, but it keeps coming back.

    I have opened up my hosts file, expecting to see the source of all of the blocked antivirus sites, but it's clean. I checked my registry to see if the virus changed the location of the real host file, but it did not. Since then the problem has progressed and has completely locked me out of the registry editor, even when logged on as administrator. Unfortunately I don't know anything about setting policies or privileges so I am stuck.

    I've attached my Hijack This log file as it is the only antivirus program I have that still seems to work. I can't even get to the websites to download the others from the readme, and even if I could I don't think my system will permit me to install them.

    My apologies if I have left anything out. I've been working on this about 6 hours now without making any real progress so I'm a bit frazzled. Any help would be appreciated.
     


  2. dmatulich

    dmatulich Private E-2

    UPDATE #1: Just managed to run AdAware again. It detected 5 registry entries for Virtumonde. Vundofix still fails to detect it though.
     
  3. dmatulich

    dmatulich Private E-2

    Feel free to close this out--got everything taken care of it seems.

    For anyone else trying to solve their Vundo problems, Malwarebytes seems to be the key, but it doesn't get everything. Each of the following programs was able to find unique problems that the others did not detect, so I would suggest using all of them:

    Malwarebytes
    Spybot
    SUPERAntiSpyware
    Kaspersky's free online scanner

    Had to scan at least twice with each one (they would pick up new problems even if scanned twice back to back).

    I'm not sure exactly which variant I had, but it seemed to constantly keep re-installing two different versions of SmitFraud (one of them was the -C version).

    The biggest hurdle was figuring out how the virus was blocking access to all anti-spyware websites (including this one) and preventing common anti-spyware programs from opening or even installing (i.e. Spybot and Malwarebytes). It created some plug and play process called TDSS or something that had to be removed. As soon as I did that and rebooted I was able to run all of the necessary tools and finally begin the removal process.

    I hope this helps someone. I'm no expert, but if anyone is having similar symptoms feel free to email me and I'll try and detail what I did (plzkthx@optonline.net).
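    An added triage script (not from this thread or any of the tools it names) that checks, in one pass, the mechanisms behind the symptoms in the first post and the TDSS service named in the post above: the policy values that remove Folder Options, Regedit and installer access, the hosts-file location and DNS settings behind the blocked sites, the SYSTEM-owned iexplore.exe and extra svchost.exe instances, and any TDSS* service or recently created driver file. It assumes PowerShell is installed on the XP machine (it is not there by default) and is run from Safe Mode as an administrator; it is read-only unless -Fix is given, and even then only removes the policy values, leaving the actual cleanup to the scanners listed above.

```powershell
param([switch]$Fix)

# Policy values behind symptoms (2), (3), (13) and (14). These are documented
# Windows policy names; that this infection sets exactly these is an assumption,
# so each hit is reported rather than presumed.
$policies = @(
  @{Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoFolderOptions'},
  @{Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DisableRegistryTools'},
  @{Path='HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DisableRegistryTools'},
  @{Path='HKLM:\Software\Policies\Microsoft\Windows\Installer';               Name='DisableMSI'}
)
foreach ($p in $policies) {
  $v = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
  if ($v -and $v.($p.Name) -ne 0) {
    Write-Output ("POLICY SET: {0}\{1} = {2}" -f $p.Path, $p.Name, $v.($p.Name))
    if ($Fix) { Remove-ItemProperty -Path $p.Path -Name $p.Name }
  }
}

# Symptom (10): sites unreachable with a clean hosts file. Confirm the hosts
# directory was not redirected and show which DNS servers are actually in use.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Write-Output ("hosts directory: {0}" -f (Get-ItemProperty $tcpip).DataBasePath)
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
  ForEach-Object { Write-Output ("DNS on {0}: {1}" -f $_.Description, ($_.DNSServerSearchOrder -join ', ')) }

# Symptoms (6) and (7): iexplore.exe running as SYSTEM and too many svchost.exe.
# Listing each with its owner and command line makes the rogue instances stand out.
Get-WmiObject Win32_Process -Filter "Name='iexplore.exe' OR Name='svchost.exe'" |
  ForEach-Object {
    $o = $_.GetOwner()
    Write-Output ("{0,-12} pid {1,-6} {2}\{3}  {4}" -f $_.Name, $_.ProcessId, $o.Domain, $o.User, $_.CommandLine)
  }

# The cause named in the post above: a service/driver entry named TDSS*. Report any
# such service, plus symptom (9)'s driver file by creation time; removal is left to
# the tools listed in the thread.
Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services |
  Where-Object { $_.PSChildName -like 'TDSS*' } |
  ForEach-Object { Write-Output ("SERVICE: {0}  ImagePath={1}" -f $_.PSChildName, (Get-ItemProperty $_.PSPath).ImagePath) }
Get-ChildItem "$env:SystemRoot\system32\drivers" -Force |
  Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-2) } |
  ForEach-Object { Write-Output ("DRIVER FILE: {0}  created {1}" -f $_.Name, $_.CreationTime) }
```

Save the output before and after running the scanners so you can show a helper exactly which restrictions and services were present.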
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.
    • If you have problems where no tools seem to run, please try following the steps given below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    READ & RUN ME FIRST. Malware Removal Guide


    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in Safe Mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. To avoid additional delay in getting a response, it is advised that after completing the READ & RUN ME you also read this sticky:
    4. Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
