SAS, windows XP and virtumonde conflict

Darkseid · December 28, 2008

SAS detected 121 problems, including trojans (Virtumonde). I clicked to quarantine/remove them all, then it asked me to reboot. When the system rebooted it could not start up Windows normally at all. It would either tell me or I would get a black blank screen. But safe mode works (but doesn't give me internet access). I cannot access SAS in safemode either. But it kept popping up with system 32 errors when in safe mode. I tried system restores but while they removed SAS the other problems continued, and fixing this is out of my league.

Is there a way to use SAS effectively without causing issues with Windows XP? Is it the removal of Virtumonde that somehow messes with the registy which in turn causes Windows to fail to start. I don't know exactly where the problem lies.

Everything else I have isn't working against Virtumonde and missed things SAS picked up.

Any help is greatly appreciated!

lazark · February 1, 2009

i have the exact same problem. if you've figured out how to solve it , please post.

otherwise, i guess this is just a bump.

thanks

lazark · February 1, 2009

and if it helps you help me, here's the log file:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 01/31/2009 at 07:52 PM

Application Version : 4.25.1012

Core Rules Database Version : 3738

Trace Rules Database Version: 1707

Scan type : Complete Scan

Total Scan Time : 00:51:01

Memory items scanned : 602

Memory threats detected : 3

Registry items scanned : 5498

Registry threats detected : 77

File items scanned : 22838

File threats detected : 18

Adware.Vundo/Variant-AdobeFake

C:\WINDOWS\SYSTEM32\HVUARL.DLL

HKLM\Software\Classes\CLSID\{2858bad6-8c22-4655-a974-921887bd8cb8}

HKCR\CLSID\{2858BAD6-8C22-4655-A974-921887BD8CB8}

HKCR\CLSID\{2858BAD6-8C22-4655-A974-921887BD8CB8}\inprocserver32

HKCR\CLSID\{2858BAD6-8C22-4655-A974-921887BD8CB8}\inprocserver32#ThreadingModel

C:\WINDOWS\SYSTEM32\FOVPFPGR.DLL

C:\WINDOWS\SYSTEM32\OLHKTSTN.DLL

C:\WINDOWS\SYSTEM32\PARGWY.DLL

C:\WINDOWS\SYSTEM32\RPDRKFUG.DLL

C:\WINDOWS\SYSTEM32\UVLJCKRP.DLL

Trojan.Downloader-NewJuan/VM

C:\WINDOWS\SYSTEM32\PPHRFS.DLL

Trojan.Vundo-Variant/Packed-GEN

C:\WINDOWS\SYSTEM32\DDCCRKCY.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{739D8074-E857-4DE0-8064-71115F3A4D3B}

HKCR\CLSID\{739D8074-E857-4DE0-8064-71115F3A4D3B}

HKCR\CLSID\{739D8074-E857-4DE0-8064-71115F3A4D3B}\InprocServer32

HKCR\CLSID\{739D8074-E857-4DE0-8064-71115F3A4D3B}\InprocServer32#ThreadingModel

HKU\S-1-5-21-2515699666-69994545-943733920-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{739D8074-E857-4DE0-8064-71115F3A4D3B}

Unclassified.Unknown Origin

HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}

HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32

HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32#ThreadingModel

C:\WINDOWS\SYSTEM32\PMNKKAQJ.DLL

HKLM\Software\Classes\CLSID\{c9c42510-9b21-41c1-9dcd-8382a2d07c61}

HKCR\CLSID\{C9C42510-9B21-41C1-9DCD-8382A2D07C61}

HKCR\CLSID\{C9C42510-9B21-41C1-9DCD-8382A2D07C61}\inprocserver32

HKCR\CLSID\{C9C42510-9B21-41C1-9DCD-8382A2D07C61}\inprocserver32#ThreadingModel

C:\WINDOWS\SYSTEM32\IEHELPER.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

HKU\S-1-5-21-2515699666-69994545-943733920-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}

HKU\S-1-5-21-2515699666-69994545-943733920-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{933E7167-F302-48C8-A4E9-19C4D4C15B3B}

HKU\S-1-5-21-2515699666-69994545-943733920-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{c9c42510-9b21-41c1-9dcd-8382a2d07c61}

HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}

Malware.LocusSoftware Inc/BestSellerAntivirus

HKU\S-1-5-21-2515699666-69994545-943733920-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7A7F202E-AF91-4889-9DD5-2FE241085CC1}

Adware.Vundo Variant

HKU\S-1-5-21-2515699666-69994545-943733920-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5BF49A2-94F3-42BD-F434-3604812C8955}

C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP4\A0002181.DLL

Adware.Vundo Variant/Rel

HKLM\SOFTWARE\Microsoft\FCOVM

HKLM\SOFTWARE\Microsoft\RemoveRP

HKLM\SOFTWARE\Microsoft\MS Juan

HKLM\SOFTWARE\Microsoft\MS Juan#RID

HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO

HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM

HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY

HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT

HKLM\SOFTWARE\Microsoft\MS Juan\JKWL

HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\trojan-phisher-sinowal

HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\trojan-phisher-sinowal#LU

HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\trojan-phisher-sinowal#CT

HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\trojan-phisher-sinowal#LT

HKLM\SOFTWARE\Microsoft\MS Juan\metajuan

HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM

HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CDY

HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CNT

HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LBL

HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#MN

HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg

HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#LTM

HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CDY

HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CNT

HKLM\SOFTWARE\Microsoft\MS Juan\profiling4

HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#LTM

HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CDY

HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CNT

HKLM\SOFTWARE\Microsoft\MS Juan\superjuan

HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#LTM

HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CDY

HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CNT

HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan

HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM

HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY

HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT

HKLM\SOFTWARE\Microsoft\contim

HKLM\SOFTWARE\Microsoft\contim#SysShell

HKLM\SOFTWARE\Microsoft\MS Track System

HKLM\SOFTWARE\Microsoft\MS Track System#Uid

HKLM\SOFTWARE\Microsoft\MS Track System#Click1

HKLM\SOFTWARE\Microsoft\MS Track System#Uqs

HKLM\SOFTWARE\Microsoft\rdfa

HKLM\SOFTWARE\Microsoft\rdfa#F

HKLM\SOFTWARE\Microsoft\rdfa#N

Rogue.Component/Trace

HKLM\Software\Microsoft\D8DC1437

HKLM\Software\Microsoft\D8DC1437#d8dc1437

HKLM\Software\Microsoft\D8DC1437#Version

HKLM\Software\Microsoft\D8DC1437#d8dcb9b7

HKLM\Software\Microsoft\D8DC1437#d8dcd052

HKU\S-1-5-21-2515699666-69994545-943733920-1006\Software\Microsoft\CS41275

HKU\S-1-5-21-2515699666-69994545-943733920-1006\Software\Microsoft\FIAS4018

Trojan.Unknown Origin

C:\MYWYXNGK.EXE

C:\OKPOMQ.EXE

C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP3\A0000083.EXE

C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP3\A0000084.EXE

Rootkit.TDSServ/Fake

C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP3\A0002052.SYS

Rootkit.TDSServ-Trace

C:\WINDOWS\SYSTEM32\TDSSKKAI.LOG

C:\WINDOWS\SYSTEM32\TDSSMTVD.DAT

Sign In

SAS, windows XP and virtumonde conflict

Recommended Posts

Darkseid

Share this post

Link to post

Share on other sites

lazark

Share this post

Link to post

Share on other sites

lazark

Share this post

Link to post

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Browse

Activity