iceman
2010-06-08 07:09:11 UTC
After the quick and deep scan using Vipre, I assumed the registry was still damaged, as various things didn't work as they should (e.g. minimizing windows). I then decided to restore my PC to an earlier date before the infection. That seemed to work for a few hours. Then they spontaneously returned on one occasion when I opened IE8. I learned that the trojans/viruses may have had their links to the system broken and they were most likely lurking.
This time I downloaded Malwarebytes and scanned my PC. It pulled up a huge laundry list and quarantined the malware. Thinking there was more, I turned off restore points (the trojans deleted them the 2nd time around anyways), put my PC in safe mode, and deep scanned with Malwarebytes. I'll post my logs from these scans below.
Stuff from Vipre...
- Explorer.32.Hijacker - HKEY_USERS\S-1-5-21-343818398-1532298954-725345543-1004\Software\XML -1
- Packed.Win32.Tdss.s(v) - C:\DOCUMENTS AND SETTINGS\SHANE\APPLICATION DATA\7112cc4b.exe - C:\DOCUMENTS AND SETTINGS\SHANE\LOCAL SETTINGS\TEMP\Vwj.exe - C:\WINDOWS\SYSTEM32\ernel32.dll (clean failed)
- VirTool.Win32.Obfuscator.hg!b(v) - C:\DOCUMENTS AND SETTINGS\SHANE\LOCAL SETTINGS\TEMP\Ucfo.exe
I did a scan today with Vipre and it found... "Trojan.Win32.Generic.pak!cobra" - C:\DOCUMENTS AND SETTINGS\Shane\LOCAL SETTINGS\Temp\gkxk.exe
Many of the trojans that I've gotten since my first scan are repeat offenders, especially the Explorer32.Hijacker. What follows is one that I've seen many times... "Trojan.Win32.Generic!BT" - C:\DOCUMENTS AND SETTINGS\Shane\LOCAL SETTINGS\Temp\sucvdadx.exe
The only symptom I'm seeing now is memory leaking. I'm very sure there is malware still on my PC that neither McAfee, Vipre, nor Malwarebytes is picking up. Nearly every process steadily gains memory usage over time, whether it's all of the svchost.exe processes running, Yahoo Messenger, or iTunesHelper; it doesn't matter.
If any more details are needed, let me know please!
I know I made a bunch of mistakes on the way, but this is the first time I've had to deal with this. I'm pretty careful with my PC, as I built it myself back in '08, yet I'm learning as I go along with this. Any help is most appreciated.
Logs from Malwarebytes...
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4174
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
6/7/2010 12:28:00 AM
mbam-log-2010-06-07 (00-28-00).txt
Scan type: Quick scan
Objects scanned: 145267
Time elapsed: 13 minute(s), 16 second(s)
Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 8
Memory Processes Infected:
C:\WINDOWS\Vpisaa.exe (Trojan.Fraudpack) -> Unloaded process successfully.
C:\Documents and Settings\Shane\Local Settings\Temp\Vwl.exe (Trojan.Fraudpack) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3ba4271e-5c1e-48e2-b432-d8bf420dd31d} (Rogue.DeusCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\M5T8QL3YW3 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\m5t8ql3yw3 (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rsgyrgmw (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rsgyrgmw (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security C