Virus Central Support - messages #156522

Virus Central Support

Messages

Prospero Blocks

Hot Searches

NASA

Chat Center

Get smart...
Topic: about computer security.

Board Folders

	Virus Questions 4914 msgs in 671 dscns Latest: Nov-16
	Alerts & News 1630 msgs in 255 dscns Latest: Nov-13
	Anti-Malware S... 2295 msgs in 259 dscns Latest: Nov-20
	Spyware & Adware 2479 msgs in 333 dscns Latest: Nov-16
	Member Experie... 1434 msgs in 193 dscns Latest: Nov-13
	Hoaxes & Myths 113 msgs in 17 dscns Latest: Nov-13
	McAfee 436 msgs in 80 dscns Latest: Aug-31
	Security ... 1951 msgs in 218 dscns Latest: Sep-3
	Wandering Thou... 1056 msgs in 124 dscns Latest: Aug-24
	Norton / Symantec 5386 msgs in 587 dscns Latest: Nov-11

Message Area

To list

New

Virus Questions

think I'm infected

Create Poll

Print Discussion

#1 of 18 Posted Nov-3 11:37 AM

From Nick Posts 323 Last Nov-13
To All [Msg # 156522.1 ]

Think I got hit last night. On boot up i get this:

vbAccelerator SGrid II Control
run-time error "0"

MalwareBytes Anti-Malware
run-time error '440'
automation error

and when running add/remove I get the following:

rundll32.exe is trying to run set 1c.tmp

set 1c.tmp is trying to access IKernel.exe

set 1c.tmp is trying to access the Service Control Manager

Sounds like at the ver least, rundll32.exe has been compromised.

I attach hijackthislog.txt

P.S. A few hours later, got Malware Bytes to run again (had to reinstall and NOT connect to the internet, so it was a May version of the program). It found backdoor.bot in c:\windows\rundll32.exe. Comodo said that rundll32.exe was redirecting (my word) to TMP files with various names. Which means to me that I can't just delete rundll32.exe and expect the infection to be over. I would think that this program is rewriting executables as needed from some file buried deep in the guts of my hard drive.

N

Attachments
	Name: hijackthislog.txt	Size: 15 K

Edited Nov-3 by Nick

Options

#2 of 18 Posted Nov-4 2:37 AM

From Iain Noble Posts 8 Last Nov-21
To Nick [Msg # 156522.2 156522.1 ]

http://ezinearticles.com/?How-to-Fix-Rundll32.exe?&id=913723

Options

#3 of 18 Posted Nov-4 1:26 PM

From Nick Posts 323 Last Nov-13
To Iain Noble [Msg # 156522.3 156522.2 ]

Ian,

That was helpful, but I think I need an online malware detector. Think worm/trojan. Changed firewalls and in expert mode (Outpost) found, among other things, a keylogger. So I think I'm totally screwed here.

N

Options

#4 of 18 Posted Nov-4 6:10 PM

From Irwin Posts 1139 Last Nov-20
To Nick [Msg # 156522.4 156522.1 ]

Nick,

Sorry you got hit.

I don't have enough hands on experience with current malware to help you quickly remove it over the web, so unless others are willing to spend the time, you're basically down to throwing cleaners at it -- MBAM, Super AntiSpyware, free cleaners from AV vendors such as McAfee, TrendMicro and Sunbelt, etc.

With MBAM, you can try downloading the latest def files and install it manually (if having the system not connected to the internet is the only way you could get MBAM to run).

Other options would be to send the system to someone who cleans them, or nuke and reinstall.

iK© Without OzWin v2.33

Options

#5 of 18 Posted Nov-4 7:18 PM

From Steven Stern / Sysop Posts 30 Last Nov-21
To Irwin [Msg # 156522.5 156522.4 ]

Save data, format, and reinstall is probably a lot faster than attempting to clean this system.

Steve

Options

#6 of 18 Posted Nov-5 1:19 AM

From Nick Posts 323 Last Nov-13
To Irwin [Msg # 156522.6 156522.4 ]

Irwin,

Thanks... I think (make that hope) I've cleaned it out. MBAM was ineffective as it was hijaacked too. I solved that issue by uninstalling it and reinstalling from a backup while offline. Removed the dirty rundll32 and replaced it (There were redirects all over the place for all kinds of stuff... lots of backdoors in or rather through the firewall. Had to uninstall the firewall (and while at it, changed firewalls) and start from scratch there. Ran Housecall, MS Security Essentials, a program called 10bit Security 360... some manual deletes... files calling others, a keylogger too.

Just finished complete scan with MBAM, MS Security Essentials, 10Bit Security360 and my everyday anti-virus, antivir and I think I'm good.

Fearful though after going through this, but Gibson says there are NOW no backdoor ports... hope so, as that is the main fear.

Thought I was going to have to wipe it and start from scratch (never fun with a Thinkpad).

N

Options

#7 of 18 Posted Nov-5 1:23 AM

From Nick Posts 323 Last Nov-13
To Steven Stern / Sysop [Msg # 156522.7 156522.5 ]

Steve,

That was my last stand option... think I'm ok now, but who knows?

Is there one online program that works properly. Couldn't get panda or sophos to work (in the midst of the mess, as ActiveX at that time wouldn't initialize... This thing did a good job of hijaacking programs and system files.

Prefetch??? What does that folder do? As one of the baddies was hiding out in there and I wondered if it also rewrote some of the PF files to do the redirecting stuff?

N

Edited Nov-5 by Nick

Options

#8 of 18 Posted Nov-5 9:19 AM

From John Crea - WUGNET Posts 39 Last Nov-20
To Nick [Msg # 156522.8 156522.6 ]

Nick

If you had used something like Acronis or Ghost to image the harddrive back when it was uninfected, wipe and restore (even on a ThinkPad) should take less than 1hr - had to do that a while back with my wife's ThinkPad and it really was a breeze and it retained all her installed software/settings/etc/ms updates from the day the image was created

John

Options

#9 of 18 Posted Nov-5 12:16 PM

From Hugh Wyn Griffith WUGNET Posts 140 Last Nov-20
To John Crea - WUGNET [Msg # 156522.9 156522.8 ]

AMOI -- does the Thinkpad have the hidden recovery partition like so many PC's these days? If so can you make an image that includes it too?

Hugh

Options

#10 of 18 Posted Nov-5 4:37 PM

From John Crea - WUGNET Posts 39 Last Nov-20
To Hugh Wyn Griffith WUGNET [Msg # 156522.10 156522.9 ]

Hugh

As I recall, yes, TIHome image of the entire harddrive also included that 'hidden' recovery partition

John - WUGNET

Options

#11 of 18 Posted Nov-5 5:40 PM

From Hugh Wyn Griffith WUGNET Posts 140 Last Nov-20
To John Crea - WUGNET [Msg # 156522.11 156522.10 ]