Worst Virus I've Ever Seen

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

jsmitchell54 (Thread Starter; joined Feb 19, 2009; 3 messages)
The first symptom was being unable to display pictures in IE7. The "display images" checkbox was unchecked, so I figured that would do it. Could then refresh and see pictures. Could even exit IE and get back in and see pictures. But upon reboot it didn't stay checked. Upgraded to IE8. Same problem. Made sure I had all Windows updates installed. Ran Malwarebytes several times. The software would reboot my computer randomly, rendering it useless, and things began getting even crazier.

All along the CPU was/is buzzing at 100%. The hourglass is constant. Task Manager shows all these crazy randomly named files. Media Center won't work. Updated video driver. Didn't help. Firefox wouldn't work until a while later. Shows images but, unless in safe mode, pops up ads even with a popup blocker installed. At some point the DEP files (Userinit, Windows logon, Task Manager) were being thwarted, forcing reboots.

Spybot found lots of stuff but didn't delete it. Booted in safe mode. Malwarebytes hung every time. Spybot took hours, gave a nice list, but upon reboot I could see in Task Manager all these files respawning. Downloaded the latest version of HijackThis (2.02). Tried to create a log. Got this error each time:

An unexplained error has occurred at procedure: modMain_CheckOther4Item()
Error #6 - Overflow
Windows version: 7.0.5730.13
MSIE version: 7.0.5730.13
HijackThis version 2.02

HJT chugs through it (past the error), creates a massive number of entries, but I can't save them. Can't even cut and paste the text. The "save log" button never shows. I thought about saving everything to the Ignore list, which I could edit, but I couldn't copy anything there. I tried an earlier version of HJT but it hung. Now what?

- Jeff
 

jsmitchell54 (Thread Starter; joined Feb 19, 2009; 3 messages)
I can't even run HJT in safe mode, so maybe the error is not related to the virus? I reinstalled it and it still failed. Then I ran the older version again. Zip. I tried running DDS, and that just hung forever. Below is the log I got from Spybot. Best I can do for now.

--- Report generated: 2009-02-19 15:58 ---
Zango: [SBI $97CF1A76] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\HostOL.MailAnim
Win32.Agent.pz: [SBI $8980C6CD] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network\UID
MyWay.MyWebSearch: [SBI $205CC8F2] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-332015932-3086523362-698477518-1010\Software\FunWebProducts
Microsoft.Windows.Explorer: [SBI $DA080EA7] User settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-332015932-3086523362-698477518-1010\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
Microsoft.WindowsSecurityCenter.FirewallBypass: [SBI $D80580B5] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe
Microsoft.WindowsSecurityCenter.FirewallBypass: [SBI $B067B5B7] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe
Microsoft.WindowsSecurityCenter.FirewallOverride: [SBI $0C94D702] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride
Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start
Microsoft.WindowsSecurityCenter.RegistryTools: [SBI $D60CD1E3] Settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-332015932-3086523362-698477518-1010\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools
ISearchTechnology.WinButler: [SBI $E7C36CB1] Executable (File, fixed)
C:\Documents and Settings\Dudeeli\Local Settings\Temp\removalfile.bat
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
PWS.LDPinchIE: [SBI $32D83D62] User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-332015932-3086523362-698477518-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\idstrf
Refpron: [SBI $F531BF62] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\m
Refpron: [SBI $CAF76633] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udno
Refpron: [SBI $CAF76633] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udws
Refpron: [SBI $CAF76633] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udaf
Refpron: [SBI $CAF76633] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udro
Refpron: [SBI $CAF76633] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udtd
Refpron: [SBI $CAF76633] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udma
Refpron: [SBI $CAF76633] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso
Win32.Delf.uc: [SBI $88B8013A] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe
Win32.Delf.uc: [SBI $14B30E85] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe
Win32.Joleee.K: [SBI $39C82568] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\services\del
Win32.TDSS.rtk: [SBI $1C88479D] Settings (Directory, fixed)
C:\Documents and Settings\NetworkService\Application Data\twain_32\
Virtumonde: [SBI $FD08B4B7] Configuration file (File, fixed)
C:\WINDOWS\system32\WvuCbccf.ini2
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Virtumonde: [SBI $2A2DCEAC] Configuration file (File, fixed)
C:\WINDOWS\system32\WvuCbccf.ini
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Virtumonde: [SBI $D510A69C] Configuration file (File, fixed)
C:\WINDOWS\system32\yolnroby.ini
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Virtumonde: [SBI $1E12D746] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-332015932-3086523362-698477518-1010\Software\Microsoft\fias4013
Virtumonde: [SBI $1D86E0B2] Configuration file (File, fixed)
C:\WINDOWS\Tasks\maftvunm.job
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
LinkSynergy: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
Clickbank: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
WebTrends live: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
DoubleClick: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
Right Media: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
Statcounter: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
MediaPlex: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
CasaleMedia: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
BurstMedia: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
FastClick: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
AdRevolver: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
Zedo: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
MediaPlex: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
AdRevolver: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
DoubleClick: Tracking cookie (Firefox: Dudeeli (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Dudeeli (default)) (Cookie, fixed)
MediaPlex: Tracking cookie (Firefox: Dudeeli (default)) (Cookie, fixed)
FastClick: Tracking cookie (Firefox: Dudeeli (default)) (Cookie, fixed)
FastClick: Tracking cookie (Firefox: Dudeeli (default)) (Cookie, fixed)
MediaPlex: Tracking cookie (Firefox: Dudeeli (default)) (Cookie, fixed)
FastClick: Tracking cookie (Firefox: Dudeeli (default)) (Cookie, fixed)
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
 
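The Spybot report above is worth reading as more than a list of things that were "fixed": the entries that add explorer.exe and winlogon.exe to the firewall's AuthorizedApplications list, change the Security Center service Start value, set FirewallOverride, and switch on DisableRegistryTools and NoFolderOptions are defence-evasion settings, and a scanner rewriting the registry value does not remove whatever process wrote it (which is consistent with the respawning files the poster describes). The script below is an added example, not part of the original thread and not Spybot's own code. It parses the report format shown in the post, separates tracking cookies from real findings, flags the lockout/persistence entries with rule names of my own choosing, and notes files whose MD5 is that of zero bytes (name present, no payload recovered). The sample report is constructed from a subset of the entries the poster listed.

```python
"""Triage a Spybot - Search & Destroy 1.6 report (added example).

Parses the report format shown in the thread and flags entries that
indicate defence evasion or persistence rather than plain adware.
The rule names and SYSTEM_BINARIES list are this example's own.
"""
import hashlib
import re
from collections import Counter
from dataclasses import dataclass, field

# Header line: "<family>: [SBI $<id>] <description> (<kind>, <status>)"
FINDING_RE = re.compile(
    r"^(?P<family>[^:]+): \[SBI \$(?P<sbi>[0-9A-F]{8})\] "
    r"(?P<desc>.+?) \((?P<kind>[^,]+), (?P<status>[^)]+)\)$"
)
# Cookie line has no SBI id: "<site>: Tracking cookie (<browser>: <profile>) (Cookie, <status>)"
COOKIE_RE = re.compile(
    r"^(?P<site>[^:]+): Tracking cookie \((?P<where>.+)\) \(Cookie, (?P<status>[^)]+)\)$"
)
PROP_RE = re.compile(r"^Properties\.(?P<key>\w+)=(?P<value>.*)$")
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # MD5 of zero bytes, as seen in the report
SYSTEM_BINARIES = ("explorer.exe", "winlogon.exe", "userinit.exe", "svchost.exe")


@dataclass
class Finding:
    family: str
    kind: str
    status: str
    target: str = ""                      # registry key/value, path, or browser profile
    props: dict = field(default_factory=dict)


def parse_report(text):
    """A finding header is followed by its target line and optional
    Properties.* lines; cookie entries are single lines."""
    findings = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("---"):
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append(Finding(m["family"], m["kind"], m["status"]))
            continue
        m = COOKIE_RE.match(line)
        if m:
            findings.append(Finding(m["site"], "Cookie", m["status"], m["where"]))
            continue
        m = PROP_RE.match(line)
        if m and findings:
            findings[-1].props[m["key"]] = m["value"]
            continue
        if findings and not findings[-1].target:
            findings[-1].target = line   # the key/value/path the header refers to
    return findings


def evasion_rules(f):
    """Rules separating lockout/persistence entries from ordinary adware."""
    t = f.target.lower().replace("\\", "/")
    hits = []
    if "/authorizedapplications/list/" in t and t.endswith(SYSTEM_BINARIES):
        hits.append("firewall_exception_for_system_binary")  # system process talking out
    if t.endswith("/security center/firewalloverride"):
        hits.append("security_center_firewall_override")
    if t.endswith("/services/wscsvc/start"):
        hits.append("security_center_service_disabled")
    if t.endswith("/disableregistrytools"):
        hits.append("registry_tools_disabled")
    if t.endswith("/nofolderoptions"):
        hits.append("folder_options_hidden")
    if "/tasks/" in t and t.endswith(".job"):
        hits.append("scheduled_task_persistence")
    if "tdss" in f.family.lower():
        hits.append("rootkit_family_present")  # live-system scans are then unreliable
    return hits


def triage(findings):
    evasion, empty_files = [], []
    for f in findings:
        for rule in evasion_rules(f):
            evasion.append((rule, f.family, f.target))
        if f.props.get("size") == "0" or f.props.get("md5", "").lower() == EMPTY_MD5:
            empty_files.append(f.target)  # presence proven, payload not recovered
    return {
        "total": len(findings),
        "by_kind": Counter(f.kind for f in findings),
        "by_status": Counter(f.status for f in findings),
        "cookies": sum(1 for f in findings if f.kind == "Cookie"),
        "evasion": evasion,
        "empty_files": empty_files,
    }


# Constructed sample: a subset of the entries from the poster's report.
SAMPLE_REPORT = r"""--- Report generated: 2009-02-19 15:58 ---
Microsoft.Windows.Explorer: [SBI $DA080EA7] User settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-332015932-3086523362-698477518-1010\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
Microsoft.WindowsSecurityCenter.FirewallBypass: [SBI $D80580B5] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe
Microsoft.WindowsSecurityCenter.FirewallOverride: [SBI $0C94D702] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride
Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start
Microsoft.WindowsSecurityCenter.RegistryTools: [SBI $D60CD1E3] Settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-332015932-3086523362-698477518-1010\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools
Win32.Delf.uc: [SBI $88B8013A] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe
Win32.TDSS.rtk: [SBI $1C88479D] Settings (Directory, fixed)
C:\Documents and Settings\NetworkService\Application Data\twain_32\
Virtumonde: [SBI $FD08B4B7] Configuration file (File, fixed)
C:\WINDOWS\system32\WvuCbccf.ini2
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Virtumonde: [SBI $1D86E0B2] Configuration file (File, fixed)
C:\WINDOWS\Tasks\maftvunm.job
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
DoubleClick: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
DoubleClick: Tracking cookie (Firefox: Dudeeli (default)) (Cookie, fixed)
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
"""

if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    print(summary["total"], "findings,", summary["cookies"], "cookies")
    for rule, family, target in summary["evasion"]:
        print(f"{rule:40} {family:45} {target}")
    print("zero-byte files:", summary["empty_files"])
```

Running it on the full report from the post gives the same picture: the cookies are noise, the "fixed" registry values are symptoms, and the firewall exceptions for explorer.exe and winlogon.exe plus the disabled Security Center are the entries that explain why the scanners on the live system kept hanging and why the ISP later saw spam from the address.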

jsmitchell54 (Thread Starter; joined Feb 19, 2009; 3 messages)
I just got a call from Cablevision, my ISP, that complaints of spam were arising from my IP address. Obviously there's a spambot infection. I've since killed the net connection there and switched to another (really old) computer in the meantime.

I neglected to mention that the first suspicious error was for a file called hpqthb08.exe which is part of HP's Image Zone software. HP has since replaced that software so I uninstalled Image Zone early on and that didn't solve anything.
 
