Multiple Malwares

Discussion in 'Malware Help (A Specialist Will Reply)' started by Sublimity, Apr 11, 2009.

  1. Sublimity

    Sublimity Private E-2

    Thanks in advance for any help! Because of an error somewhere along the way, I was only allowed to run SAS and MGtools. After running SAS, creating the log file and restarting, I get the same three error messages every time a program opens. For example, when I try to open Malwarebytes Anti-Malware it says:

    mbam.exe - Bad Image (this is the title of the error box)
    "The application or DLL globalroot\systemroot\system32\UACulyrjbib.dll is not a valid Windows image. Please check this against your installation diskette."

    Following this, two more error boxes with the same title say the same thing except UACulryjbib.dll is replaced with UACqyinpfhw.dll and UACvkdpcobl.dll. I am able to open all other programs with no problem after the three error boxes pop up; however, I was unable to run either MBAM or ComboFix.

    Problems from the malware started about three weeks ago. The first sign of any infection was music playing in the background even though no media player was open. After doing some research I found this was caused by the iexplore.exe trojan. I ran every suggested antivirus with no luck. I would find iexplore.exe running in Task Manager; once I stopped it, it would show right back up within ten minutes. About a week after this I started to randomly hear the sound that plays when a link is clicked online, and when my screen saver came on it would turn off after about ten minutes as if the mouse or a button had been pressed. Finally, as of about four days ago, a LOT of pop-ups would randomly occur. I don't know if this was initiated by going to certain websites or if it was random, but the pop-ups would open through Internet Explorer even though I use Opera.

    I was unable to follow the step that allows hidden files to be shown. The "Folder Options" choice was not under the Tools menu, nor could I find it by going through Control Panel.

    Now after running SAS and MGtools, I have not found iexplore.exe in task manager. However like I said before, any time the computer is restarted or after any program is opened the three error boxes mentioned above come up.
     

    Attached Files:

    Last edited: Apr 11, 2009
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I've never seen anything like this.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now you must use windows explorer to find and delete:
    C:\windows\system32\niteriyu.dll
    C:\WINDOWS\system32\fijuzuku.dll
    C:\WINDOWS\system32\rupolefa.dll
    C:\WINDOWS\omosokupugebudax.dll
    C:\DOCUME~1\Derrick\LOCALS~1\Temp\winlognn.exe
    C:\WINDOWS\Blonilab.dll

    And most important, you need to clean out both of these folders ( they are full of malware exe files)
    C:\WINDOWS\Temp\
    C:\Documents and Settings\Derrick\Local Settings\Temp\

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
     
  3. Sublimity

    Sublimity Private E-2

    Wow, I had no idea it was this bad off. Thanks for your help!

    I did get the success message. When I tried to delete the files listed at the end, none of them could be found except omosokupugebudax.dll. When I tried to delete it, both in safe mode and normal mode, it would not let me because it was "protected or being used by another program." Also, and I'm not sure if this was supposed to be fixed just yet, but the same three error messages previously stated still pop up anytime any program on the computer is opened.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Still more to do:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    You didn't mention whether or not you could run ComboFix. We may need to use it, so please tell me if it runs or not.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run CCleaner.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  5. Sublimity

    Sublimity Private E-2

    Unfortunately, ComboFix will not run.

    I did receive a success message.

    I have no idea how, but the malware has gotten worse. I can now only use my computer when it is in safe mode. When I try to use it normally, it either freezes up altogether at the login screen or will log in and work for a little while, then a blue screen will flash and the computer will restart. The few times it actually worked, I noticed I now have a file named "Derrick.exe" as well as one other file that consists of random letters that runs in the background when the computer is not in safe mode.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Definitely not worse...but still present.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * Avenger
    * C:\MGlogs.zip
     
  7. Sublimity

    Sublimity Private E-2

    Thanks again for your help so far!
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We are getting there.

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Please reboot into normal mode.

    Now see if you can run ComboFIx and attach the log if you can.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  9. Sublimity

    Sublimity Private E-2

    Well, it worked great at first. I was able to reboot in normal mode, and none of the error boxes popped up. I tried running ComboFix, which was working; however, I had forgotten to close BitDefender. I tried bringing up Task Manager so I could close BitDefender and the blue screen came up and restarted the computer. Now every time I try to start in normal mode it will work for a few minutes and the blue screen comes up again.

    So, is it ok to run combofix in safe mode?
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to right click My Computer / properties / advanced / startup and recovery and uncheck the box to auto restart. Then when you get a BSOD, you can tell us exactly what the error message is....all of it.

    And I suggest that you uninstall BitDefender until we resolve these issues.
     
  11. Sublimity

    Sublimity Private E-2

    OK, I got ComboFix to work after a few tries of restarting Windows. I had to start it in safe mode, then restart in normal mode for it to work. Otherwise it would go straight to the blue screen while trying to log in, go to the blue screen a few minutes after Windows started, or Windows would start and freeze up altogether. I only got the blue screen a few times after ComboFix ran, which read:

    "A problem has been detected and windows has been shutdown to prevent damage to your computer.

    If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:

    Check to be sure you have adequate disk space. If a driver is identified in the stop message, disable the driver or check for updates. Try changing video adapter.

    Check for any BIOS updates. Disable BIOS memory options such as caching or shadowing. (Then it went on to tell me how to restart in safe mode if needed)

    Technical Information:
    ***STOP: 0x0000008E (0x0000005, 0x805A385E, 0xA8237CAC, 0x00000000)

    Beginning dump of physical memory
    Physical memory dump complete"

    So now after running everything and creating all logs, Windows logs in very slow. Everything seems to run normal until I input my password to login, then it stays on the login screen for about five minutes then loads windows. Sometimes the sound will not work, sometimes it will. Windows seems to run fine after logging in.
     

    Attached Files:

  12. Sublimity

    Sublimity Private E-2

    I spoke too soon, I get the blue screen every time now. Sometimes it comes up as soon as I log onto windows, sometimes it takes a few minutes.

    It seems like the third set of numbers/letters inside the parentheses changes with every blue screen. I only remembered to write it down once, however (sorry), so the 0xA8237CAC was replaced with 0xA00A1CAC.
     
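The STOP screen transcribed in the two posts above, decoded. This is an added example for this page, not code from the thread or from MajorGeeks: it parses a transcribed STOP line, names the bug check and interprets its four parameters using the documented layout for 0x8E (exception code, faulting address, trap frame, reserved), and reports which parameter moves between crashes. The two sample lines are constructed from the poster's transcriptions; the NTSTATUS table is a small hand-picked subset, and the 0x80000000 kernel boundary is the default 32-bit XP split.

```python
"""Decode a transcribed 32-bit Windows STOP 0x8E line and compare crashes.

Added example for this thread, not code from the original posts.  The
parameter layout for bug check 0x8E is the documented one
(KERNEL_MODE_EXCEPTION_NOT_HANDLED: exception code, faulting address,
trap frame, reserved); the STOP lines are constructed from the poster's
transcriptions above.
"""
import re

STOP_RE = re.compile(r"STOP:\s*0x([0-9A-Fa-f]+)\s*\(([^)]*)\)")

BUGCHECK_NAMES = {0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED"}
NTSTATUS_NAMES = {  # hand-picked subset
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0x80000003: "STATUS_BREAKPOINT",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
}
# 32-bit XP, default 2 GB split: addresses >= 0x80000000 are kernel space.
KERNEL_BASE_X86 = 0x80000000

# Constructed from the two screens reported in this thread, as transcribed.
STOP_LINES = [
    "***STOP: 0x0000008E (0x0000005, 0x805A385E, 0xA8237CAC, 0x00000000)",
    "***STOP: 0x0000008E (0x0000005, 0x805A385E, 0xA00A1CAC, 0x00000000)",
]


def parse_stop_line(line):
    """Return (bugcheck_code, [param1..param4]) as integers."""
    m = STOP_RE.search(line)
    if not m:
        raise ValueError("no STOP code in %r" % line)
    code = int(m.group(1), 16)
    params = [int(p.strip(), 16) for p in m.group(2).split(",") if p.strip()]
    return code, params


def describe(code, params):
    """Name the bug check and, for 0x8E, interpret its four parameters."""
    info = {"bugcheck": BUGCHECK_NAMES.get(code, "0x%08X" % code)}
    if code == 0x8E and len(params) == 4:
        exc, addr, frame, _reserved = params
        info["exception"] = NTSTATUS_NAMES.get(exc, "0x%08X" % exc)
        # NTSTATUS severity is the top two bits: 0 = success, 1 = info,
        # 2 = warning, 3 = error.  A success code cannot be an unhandled
        # exception, so a value like 0x0000005 is flagged as a bad transcription.
        info["exception_plausible"] = (exc >> 30) in (2, 3)
        info["fault_address"] = addr
        info["fault_in_kernel"] = addr >= KERNEL_BASE_X86
        info["trap_frame"] = frame
    return info


def varying_params(lines):
    """Indexes of parameters that change between repeated crashes."""
    parsed = [parse_stop_line(l) for l in lines]
    if len({code for code, _ in parsed}) != 1:
        raise ValueError("mixed bug check codes; compare one STOP code at a time")
    width = min(len(p) for _, p in parsed)
    return [i for i in range(width) if len({p[i] for _, p in parsed}) > 1]


if __name__ == "__main__":
    for line in STOP_LINES:
        code, params = parse_stop_line(line)
        print(describe(code, params))
    print("parameters that vary between crashes:", varying_params(STOP_LINES))
```

Run on the two transcribed screens, the decoder shows that only the third parameter, the trap frame, changes. That is expected: the trap frame is a stack address and says nothing about which driver faulted, so the stable second parameter (0x805A385E, a kernel-space address) is the value worth looking up. It also flags the first parameter: 0x0000005 has NTSTATUS success severity, whereas the exception 0x8E normally carries for a bad kernel pointer is 0xC0000005 (STATUS_ACCESS_VIOLATION), so a character was most likely dropped when the screen was copied down.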
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You will need to get your system stable before we can continue with the malware removal. I suggest you post in the software forum. We can resume this once you are back up and running normally.
     
  14. Sublimity

    Sublimity Private E-2

    Alright, everything seems to be working fine now. What's our next step?
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you are back to a stable system, then you need to re-run the scans and attach the logs.
     
  16. Sublimity

    Sublimity Private E-2

    When running the GetLogs.bat file, towards the end a HijackThis error message came up and said "out of memory", so I am unsure if the logs will be 100%.
     

    Attached Files:

  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Serious infections. Please get me the MBAM and ComboFix logs.
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now I am going to give you a fix.....which you need to do:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now let's use ComboFix to remove a bunch of malware files.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::

    Driver::
    31908b8a
    protect

    File::
    C:\WINDOWS\system32\11.tmp
    C:\WINDOWS\system32\12.tmp
    C:\WINDOWS\system32\17.tmp
    C:\WINDOWS\system32\2.tmp
    C:\WINDOWS\system32\22.tmp
    C:\WINDOWS\system32\24.tmp
    C:\WINDOWS\system32\26.tmp
    C:\WINDOWS\system32\2b.tmp
    C:\WINDOWS\system32\5.tmp
    C:\WINDOWS\system32\6.tmp
    C:\WINDOWS\system32\7.tmp
    C:\WINDOWS\system32\83.tmp
    C:\WINDOWS\system32\85.tmp
    C:\WINDOWS\system32\a.tmp
    C:\WINDOWS\system32\c.tmp
    C:\WINDOWS\system32\d.tmp
    C:\WINDOWS\system32\f.tmp
    C:\WINDOWS\system32\drivers\31908b8a.sys
    C:\WINDOWS\system32\drivers\protect.sys
    C:\Documents and Settings\Derrick\reader_s.exe
    C:\DOCUME~1\Derrick\LOCALS~1\Temp\b.exe
    C:\-1080011078
    C:\fdvjfx.exe
    C:\gklrwl.exe
    C:\tcburi.exe
    C:\WINDOWS\sysguard.exe
    C:\DOCUME~1\Derrick\LOCALS~1\Temp\_A00F73ACF490.exe
    C:\WINDOWS\010112010146118114.dat
    C:\WINDOWS\0101120101464849.dat
    C:\WINDOWS\934fdfg34fgjf23
    C:\DOCUME~1\Derrick\LOCALS~1\Temp\z7uzb.exe
    C:\WINDOWS\system32\12.tmp.exe
    C:\WINDOWS\system32\resdll.dll
    C:\WINDOWS\system32\txwyrnbs.dll
    C:\WINDOWS\system32\wiawow32.sys
    C:\WINDOWS\System32\reader_s.exe
    C:\WINDOWS\services.exe

    Folder::
    C:\Program Files\Protection System

    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner to clean out only temp files and nothing else!

    Then make sure these folders are empty:
    C:\WINDOWS\Temp\
    C:\Documents and Settings\Derrick\Local Settings\Temp\

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
    * MBAM
    Make sure you tell me how things are working now!
     
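The CFScript in the post above is the scripted form of a ComboFix cleanup: a section name ending in "::" followed by one entry per line. The script below is an added example for this page, not ComboFix's code and not from the thread. It parses that layout and sanity-checks the File:: list before anyone drags it onto ComboFix.exe: it refuses to delete a core Windows binary in its genuine system32 location, notes same-named copies elsewhere (such as the C:\WINDOWS\services.exe in this script) as decoys, and points out hex-named .tmp files in system32. The embedded script is an abbreviated copy of the one posted; the core-binary list and the checks are this example's own, and the Driver::/File:: pairing check is its own convention, not a ComboFix rule.

```python
"""Parse a ComboFix CFScript and sanity-check its File:: delete list.

Added example for this thread, not ComboFix's own code.  Only the layout
visible in the script above is assumed: a "Name::" header line starts a
section and every non-blank line under it is one item.  The core-binary
list and the checks are this example's own.
"""
import re
from collections import OrderedDict

# Constructed: an abbreviated copy of the CFScript posted in this thread.
SAMPLE_CFSCRIPT = r"""
KILLALL::

Driver::
31908b8a
protect

File::
C:\WINDOWS\system32\11.tmp
C:\WINDOWS\system32\drivers\31908b8a.sys
C:\WINDOWS\system32\drivers\protect.sys
C:\Documents and Settings\Derrick\reader_s.exe
C:\WINDOWS\sysguard.exe
C:\WINDOWS\system32\resdll.dll
C:\WINDOWS\services.exe

Folder::
C:\Program Files\Protection System
"""

# Core Windows binaries whose genuine copy lives directly in system32.
# Deleting the genuine file leaves an unbootable system; a same-named file
# anywhere else is a decoy and is exactly what a cleanup script targets.
CORE_BINARIES = {
    "services.exe", "winlogon.exe", "lsass.exe", "csrss.exe",
    "smss.exe", "svchost.exe", "explorer.exe", "userinit.exe",
}

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
HEX_TMP_RE = re.compile(r"^[0-9a-f]+\.tmp$")


def parse_cfscript(text):
    """Return OrderedDict(section -> [items]) in the order written."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("item before any section header: %r" % line)
        else:
            sections[current].append(line)
    return sections


def _split(path):
    """Lower-cased (parent, basename) of a Windows path."""
    parent, _, name = path.lower().replace("/", "\\").rpartition("\\")
    return parent, name


def check_script(sections):
    """Return (blocked, notes): blocked paths must never be deleted."""
    blocked, notes = [], []
    for path in sections.get("File", []):
        parent, name = _split(path)
        if name in CORE_BINARIES:
            if parent.endswith("\\system32"):
                blocked.append(path)  # the genuine binary
            else:
                notes.append("%s: core-binary name outside system32 (decoy)" % path)
        elif parent.endswith("\\system32") and HEX_TMP_RE.match(name):
            notes.append("%s: hex-named .tmp in system32 (dropped-payload pattern)" % path)
    # Cross-check (this example's own convention): every Driver:: name
    # should also have its .sys listed under File::.
    listed = {_split(p)[1] for p in sections.get("File", [])}
    for drv in sections.get("Driver", []):
        if drv.lower() + ".sys" not in listed:
            notes.append("driver %s: no matching .sys in File::" % drv)
    return blocked, notes


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for section, items in parsed.items():
        print("%s: %d item(s)" % (section, len(items)))
    blocked, notes = check_script(parsed)
    for note in notes:
        print("NOTE", note)
    for path in blocked:
        print("REFUSE", path)
```

On the posted script the checker blocks nothing and leaves two notes: the hex-named .tmp in system32 and the services.exe outside system32. Feed it a script that lists C:\WINDOWS\system32\services.exe instead and that path comes back in the blocked list, which is the one mistake a hand-written delete list must never make.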
  19. Sublimity

    Sublimity Private E-2

    I received a success message after making the fixME.reg file; however, I can't use ComboFix...

    After dropping the file I made into combofix.exe, nothing happens. I've tried restarting Windows and it will start combofix, but an error message pops up saying it is not safe to use, combofix has been tampered with, download a fresh copy of the program. It then deletes combofix for me. I tried downloading a fresh copy and it gives me the same problem as before. I've even tried deleting combofix, restarting windows, then downloaded a fresh copy and it still does not work.
     
  20. Sublimity

    Sublimity Private E-2

    I just tried downloading combofix again but named it CF.exe

    Doing this allowed combofix to start, but I received the same error message saying combofix had been compromised. At the bottom it said I may be infected with a patch virus called "Virut"

    Also, when trying to use safe mode, it freezes when it tries to load MUP.sys

    MBAM also does not work
     
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    IMPORTANT NOTE: Some, if not many, of your Windows system files are infected. And many other non-Windows files could also be infected. Even if we attempt to fix these problems (which may not be easy to do unless you have an original Windows XP SP3 bootable CD), your system may be unreliable and untrustworthy. You may need to reinstall this system.

    Your logs show that your Windows operating system files have become infected and there is no known reliable fix for this. In addition there are many, many other infected files. We could spend a lot of time trying to remove this infection, but odds are that it will not work, because the nature of the infection has so many executable system files infected that as soon as we fix one file, other files that are infected will almost immediately, or upon the next reboot, just reinfect the files. In addition, your PC would still basically be unreliable/untrustworthy even if we manage to fix the infected files that we can see, since there could be many more that we are not seeing.

    The safest thing for you to do is back up your personal data immediately, since your PC could possibly become unbootable at any point in time. Do not back up any executable files. This includes programs that you have downloaded, since any of them could be infected.

    Once you backup, you need to perform a total reinstall of Windows and all other necessary software. DO NOT reinstall from any executable files you backed up because they are most likely infected.
     
  22. Sublimity

    Sublimity Private E-2

    Alright, I reformatted everything and ran all the software that was posted in the sticky. I didn't find anything, but just to make sure I'm gonna post the logs here for peace of mind.

    Also, if I really am infection free, what do you suggest to be the best anti-virus program out there? I've done my research but it seems to come down to personal opinion, and since you've helped me out a lot so far I'm just going to download what you suggest.

    Thanks again!
     

    Attached Files:

  23. Sublimity

    Sublimity Private E-2

    Annndd ComboFix log...
     

    Attached Files:

  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, you are clean....as to AV programs...it is more what suits your system and that you keep all of your protection updated.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
