Virus/trojan problem

  • 23-08-2010 9:49am #1


    Hello,

    Last Friday I left my desk for about 15 minutes and when I came back, out of nowhere some "malware doctors" appeared, installed itself, and about 10 trojans with it. I have no idea where it came from. The last thing I did before I left was updating the CS4 suite, but I don't think that has anything to do with it.

    Now, I got rid of this "doctor" thing, but I can't seem to delete the trojans: they're creating themselves in c:\documents and settings\username\local settings\temp, and their names are random numbers, like 878.exe or 9692468.exe, etc.
    After deleting them, a minute later they're back! I found the registry keys responsible for running them, but the same thing happens: after deleting them, they just come back! Autostart from msconfig, same thing: after disabling them, they're back on again...

    Another one is "winlogon.exe", which obviously I can't delete or clean (I was thinking about swapping it for a clean one, but I can't get into DOS).

    What can I do?? I'm using Sophos, and there is a SonicWall firewall at the server. How come anything managed to come in through that?? Seems like they're just useless antiviruses...

    I tried to run MS-DOS and do some work there, but unfortunately there is no possibility of running MS-DOS at all; I can't believe Microsoft didn't make it possible to run it, so lame.

    I'm on WinXP SP3, all Windows updates up to date, Sophos always up to date, Firefox v3.6.8.

    Help please!


Comments

  • aidan_walsh


    Have you tried running these tools? If not, try them and post the resulting logs.


  • majnus


    Yeah, I do have the Malwarebytes one, but I didn't save the log last time, so I'm scanning again now and will post the log in a while; I'm posting the screenshot from Sophos below.

    1. The memory: I have no clue what that is, can't get rid of it.
    2. Winlogon: don't know how to fix it.
    3 & 4. The number at the end of the file: after deleting those, new random-number-named files are created...

    [attached screenshot: 53256224.jpg]


  • majnus


    This is the log from the "quick scan":

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    23/08/2010 11:22:15
    mbam-log-2010-08-23 (11-22-15).txt

    Scan type: Quick scan
    Objects scanned: 22491
    Time elapsed: 4 minute(s), 18 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12cfg214-k641-12sf-n85p (Worm.Autorun.B) -> No action taken.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe (Worm.Autorun.B) -> No action taken.


  • majnus


    OK, so here's what I did:

    Deleted all the viruses' registry keys (HKLM\Software\Microsoft\Windows\CurrentVersion\Run), disabled them from the msconfig autorun, then "killed" the trojan processes from Task Manager, then cleared c:\documents and settings\username\local settings\temp.

    Then I copied a clean "winlogon.exe", and since I have no access to MS-DOS, I downloaded Ubuntu, installed it on my USB flash drive for one-time use (no installation on the HD required), ran Ubuntu, swapped "winlogon.exe", rebooted, went into Windows, and VOILA! :)

    So far it seems OK, except for one thing: Firefox suddenly opened a new tab with some strange website. I guess that's how it all started, so the root of all evil is still here; I just need to find it now, somehow...


  • ASJ112


    Whatever USB key you used on the PC in the first place was infected. You need to format that.

    The fact that Firefox is still opening up a random website shows you are still infected too.


  • majnus


    Yeah, it was still infected... I updated Malwarebytes and then it suddenly found over 80 threats, so I deleted them all, except two of them which wouldn't delete:

    C:\WINDOWS\system32\Drivers\ntndis.sys
    and
    C:\WINDOWS\system32\ntdll.dll

    so I copied clean ones from a different PC and replaced them under Ubuntu, and it's perfect now: neither Sophos nor Malwarebytes can find anything anymore!

    And the reason was, as ASJ112 said, an infected USB key.

    Thanks!
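An added example, not code from this thread or from Sophos or Malwarebytes, that automates the checks majnus did by hand from the Ubuntu live USB (the winlogon.exe swap earlier in the thread and the ntdll.dll / ntndis.sys replacement in the post above). With the Windows disk mounted read-only, it looks for the indicators the thread describes (numeric-named executables in a Temp folder, executables under a RECYCLER\S-1-5-21-... directory, an autorun.inf on the USB root that launches a program) and compares the three system files that were replaced against SHA-256 hashes recorded on a clean machine. The mount points, the demo directory trees and the "clean" byte strings the hashes are derived from are all constructed for the example; on a real disk the hashes must come from a PC with the same Windows build and patch level, since system binaries differ between service packs and hotfixes.

```python
"""Offline triage of a mounted Windows XP volume, run from a live Linux USB.

Added example for this thread, not code from it or from Sophos/Malwarebytes.
Assumes the infected disk is mounted read-only (say /mnt/win), the USB key is
mounted too, and KNOWN_GOOD holds SHA-256 hashes taken from a clean PC of the
same build. Everything under build_demo_*() is constructed for the demo.
"""
import hashlib
import os
import re
import tempfile

# Indicators from the thread: numeric-named droppers in a Temp folder (878.exe,
# 9692468.exe), a worm copy under C:\RECYCLER\<SID>\ and an autorun.inf on the
# USB key that launches it.
NUMERIC_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)
SID_DIR = re.compile(r"^s-1-5-21-\d+-\d+-\d+-\d+$")
AUTORUN_EXEC = re.compile(
    r"^\s*(open|shellexecute|shell\\\w+\\command)\s*=\s*(.+)$",
    re.IGNORECASE | re.MULTILINE,
)

# Hashes a practitioner would record on a clean PC of the same build; here they
# are derived from the constructed "clean" demo bytes.
KNOWN_GOOD = {
    "WINDOWS/system32/winlogon.exe": hashlib.sha256(b"MZ clean winlogon").hexdigest(),
    "WINDOWS/system32/ntdll.dll": hashlib.sha256(b"MZ clean ntdll").hexdigest(),
    "WINDOWS/system32/drivers/ntndis.sys": hashlib.sha256(b"MZ clean ntndis").hexdigest(),
}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_dropped_executables(volume):
    """Relative '/'-separated paths of files matching the dropper patterns."""
    hits = []
    for root, _dirs, files in os.walk(volume):
        rel_root = os.path.relpath(root, volume)
        parts = [] if rel_root == "." else rel_root.lower().split(os.sep)
        in_temp = "temp" in parts  # any ...\Temp\ folder, not only the user's
        in_recycler_sid = (len(parts) >= 2 and parts[0] == "recycler"
                           and SID_DIR.match(parts[1]) is not None)
        for name in files:
            if ((in_temp and NUMERIC_EXE.match(name))
                    or (in_recycler_sid and name.lower().endswith(".exe"))):
                rel = name if rel_root == "." else os.path.join(rel_root, name)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def verify_system_files(volume, known_good):
    """Map each protected file to 'ok', 'MODIFIED' or 'MISSING' by SHA-256."""
    status = {}
    for rel, expected in known_good.items():
        path = os.path.join(volume, *rel.split("/"))
        if not os.path.isfile(path):
            status[rel] = "MISSING"
        else:
            status[rel] = "ok" if sha256_of(path) == expected else "MODIFIED"
    return status


def autorun_targets(usb_root):
    """Programs an autorun.inf at the root of a removable drive would launch."""
    inf = os.path.join(usb_root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, encoding="latin-1", errors="replace") as f:
        return [m.group(2).strip() for m in AUTORUN_EXEC.finditer(f.read())]


def triage(volume, usb_root, known_good=KNOWN_GOOD):
    return {
        "dropped": find_dropped_executables(volume),
        "system_files": verify_system_files(volume, known_good),
        "autorun": autorun_targets(usb_root),
    }


def _put(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def build_demo_volume():
    """Constructed stand-in for the mounted disk, mirroring the thread's findings."""
    vol = tempfile.mkdtemp(prefix="winxp_")
    _put(vol, "WINDOWS/system32/winlogon.exe", b"MZ clean winlogon")  # already swapped
    _put(vol, "WINDOWS/system32/ntdll.dll", b"MZ patched ntdll")      # still trojanised
    _put(vol, "Documents and Settings/user/Local Settings/Temp/878.exe", b"MZ dropper")
    _put(vol, "Documents and Settings/user/Local Settings/Temp/setup.log", b"benign")
    sid = "RECYCLER/S-1-5-21-0243936033-3052116371-381863308-1811"
    _put(vol, sid + "/vsbntlo.exe", b"MZ worm")
    _put(vol, sid + "/desktop.ini", b"[.ShellClassInfo]")
    return vol


def build_demo_usb():
    """Constructed USB root whose autorun.inf points at the worm copy."""
    usb = tempfile.mkdtemp(prefix="usb_")
    _put(usb, "autorun.inf",
         b"[autorun]\r\nopen=RECYCLER\\S-1-5-21-1-2-3-4\\vsbntlo.exe\r\n"
         b"shell\\open\\command=RECYCLER\\S-1-5-21-1-2-3-4\\vsbntlo.exe\r\n")
    return usb


if __name__ == "__main__":
    for key, value in triage(build_demo_volume(), build_demo_usb()).items():
        print(key, value)
```

Running this from the live system rather than from inside Windows is the point of the exercise: a patched ntdll.dll is loaded into every process, the antivirus included, and can hide files and Run values from it, whereas reading the raw volume from another OS bypasses anything the infected Windows has hooked. The temp-folder rule is deliberately wider than the thread's single path so it also catches droppers under C:\WINDOWS\Temp.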

