Vundo infection - sticky completed

Discussion in 'Malware Help (A Specialist Will Reply)' started by jwnewsom, Aug 7, 2009.

  1. jwnewsom

    jwnewsom Private E-2

    XP SP3 symantec endpoint protection 11

    I got Blue screens periodically during the various scans. At one point I thought I wouldn't be able to get the logs off. Drivers noted in blue screens were tcpsys.sys and netbt.sys

    Logs attached.
     

    Attached Files:

    jwnewsom, Aug 7, 2009
    #1
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We need the requested log from ComboFix. Did you have a problem running it? If yes exactly what happened and did you shutdown ALL of Symantec before trying to run it?

    Also are you still having problems after running our cleaning procedure?
     
    chaslang, Aug 9, 2009
    #2
  3. jwnewsom

    jwnewsom Private E-2

    I was not able to obtain a log from Combofix. I disabled autoprotect (or whatever that is called under endpoint protection) before running it. Combofix ran up to stage 16, followed by a blue screen.

    After a lot of effort (many restarts, trying safe mode etc) I got back up and simply skipped it and went on to root repeal, gathered logs and sent them.

    As of now, the workstation will not start. Error msg reads:

    "winlogon.exe - Unable to locate component. This application failed to start because ODBC32.dll was not found. Reinstalling the application may fix this problem"

    If Ok is clicked, this is followed by another dialog :

    User interface failure:

    The Login user interface DLL msgina.dll failed to load. Contact your administrator to replace the dll or restore the original dll."

    This message box has a button to restart, and no other options.
     
    Last edited: Aug 10, 2009
    jwnewsom, Aug 10, 2009
    #3
  4. jwnewsom

    jwnewsom Private E-2

    Update:

    I restored the missing dll files from the service pack files and was able to get back up. I restored the system and software registry hives from a restore point using the recovery console. I don't appear to have any more malware problems at this time. I'm running another SAS scan now to see if anything pops up.
     
    jwnewsom, Aug 10, 2009
    #4
  5. jwnewsom

    jwnewsom Private E-2

    Okay, SAS shows 1 infection named:

    Rootkit.Agent/Gen-Rustock on a driver file in system32. I'll wait for further instruction at this point.
     
    jwnewsom, Aug 10, 2009
    #5
  6. jwnewsom

    jwnewsom Private E-2

    I ran Combofix to completion. Attached log.
     

    Attached Files:

    jwnewsom, Aug 10, 2009
    #6
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please attach the log that shows this.

    Do you know what the below folder is for?
    Code:
    2009-08-07 18:27 . 2009-08-07 18:28 -------- d-----w- C:\~ErdUserProfile.$$$
    Did you knowingly install the below?
    Radmin Server 3.3
    Radmin Viewer 3.1
     
    chaslang, Aug 13, 2009
    #7
  8. jwnewsom

    jwnewsom Private E-2

    >Rootkit.Agent/Gen-Rustock on a driver file in system32.
    >Please attach the log that shows this.

    I have attached that log. I removed the driver file referenced.

    >2009-08-07 18:27 . 2009-08-07 18:28 -------- d-----w- > >C:\~ErdUserProfile.$$$

    I'm not familiar with it. It appears to contain a few folders of user profile info, like favorites and an application data folder with nothing in them. I can remove it.

    Did you knowingly install the below?
    Radmin Server 3.3
    Radmin Viewer 3.1

    Yes, I use this product for remote administration. I run them on non-standard ports.
     
    jwnewsom, Aug 14, 2009
    #8
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach anything, but are you saying it is gone now anyway.


    >2009-08-07 18:27 . 2009-08-07 18:28 -------- d-----w- > >C:\~ErdUserProfile.$$$

    It is probably from Microsoft Diagnostics and Recovery Toolset, Formerly ERD Commmander 2005. See this: http://www.911cd.net/forums//index.php?showtopic=19676&st=27

    The only potention issue I see is in your RootRepeal log which showed the below locked file:

    Path: C:\WINDOWS\system32\drivers\ajt97d4.sys

    Are you still having problems? If so, exactly what are they.
     
    chaslang, Aug 16, 2009
    #9
  10. jwnewsom

    jwnewsom Private E-2

    >2009-08-07 18:27 . 2009-08-07 18:28 -------- d-----w- > >C:\~ErdUserProfile.$$$

    It is probably from Microsoft Diagnostics and Recovery Toolset, Formerly ERD Commmander 2005. See this: http://www.911cd.net/forums//index.php?showtopic=19676&st=27

    I recognize this now. I have the 2005 version of Winternals Admin Pack which includes this.


    The only potention issue I see is in your RootRepeal log which showed the below locked file:

    Path: C:\WINDOWS\system32\drivers\ajt97d4.sys

    Are you still having problems? If so, exactly what are they.[/QUOTE]

    I am not having trouble now, it seems to be clean. I'll try to locate and remove that driver file. Thank you for your help.
     
    jwnewsom, Aug 18, 2009
    #10
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
    chaslang, Aug 21, 2009
    #11

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds