Vundo and Worm.Win32.Zlob disaster

Discussion in 'Malware Help (A Specialist Will Reply)' started by down_loaded, Jul 13, 2008.

  1. down_loaded

    down_loaded Private E-2

    All help is welcome and needed!!! I've read and done what I could of the READ ME FIRST, i.e. made files visible, startup normal, deleted malware etc. in Add/Remove Programs (none found) and run CCleaner. I've downloaded SUPERAntiSpyware, Spybot - Search & Destroy, Malwarebytes Anti-Malware, combofix.exe and MGTools, all on my healthy computer, and installed them on the infected laptop. I've only managed to run SUPERAntiSpyware (free edition), SmitfraudFix, and FixVundo. All other scanning programs don't run from the desktop of the infected computer. In fact they are visible but won't load or run. The user accounts have also been changed. When I try to log onto the servers for any spyware/antivirus website I'm redirected to some popup, so I can't get the correct updates. SUPERAntiSpyware did give me back the Task Manager (which was disabled), and the home page of IE. To clarify: Spybot, Malwarebytes, combofix, sdfix, mbam-setup & sdsetup will not load or run in normal or safe mode. Once I got my Task Manager back I was able to identify at least one of the problems....Worm.Win32.Zlob, and SASW found the Vundo. Please point me in the right direction, I'm ready to reformat!!!
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you saying that exe files will not run? What happens with ComboFix....did you rename it? MGTools.exe -> what happens when trying to run it?

    Did you try a system restore? What happens with that? Without logs we can not tell what is happening.
     
  3. down_loaded

    down_loaded Private E-2

    Tim,
    thanx for getting back to me!! I only have the logs for the SmitfraudFix. I wasn't able to run ComboFix or MGTools. I downloaded them to a clean computer, then to a jump drive, then to the corrupted computer's desktop. They are on the desktop but not loaded and will not run. It will run other .exe files, just not anti-spyware etc. SASW ran but I didn't get a log. I have tried to update/download from the corrupted computer but am always redirected to another website/popup. I don't know where to get the HijackThis log. Do you want me to rename the above files and try them? ????thanx again for the help!!!
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, I want you to rename combofix as instructed in the Read and Run First....I also want you to put MGTools on the C: drive ...not the desktop.-> C:\MGTools.exe and try running it again. Try doing all this in safe mode.
     
  5. down_loaded

    down_loaded Private E-2

    Tim,
    I know it's been a while; however, I've got two other jobs and this one isn't paying anything now. Anyway, I've run the MGTools program and attached the HijackThis file. I also changed the name of the ComboFix program and ran it, and attached the file (combofix) also. I think I'm "clean" but I would very much appreciate a second look. Should I now go back and reset, and toggle System Restore? Before I forget, thank you!!
     
    Last edited: Sep 9, 2008
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to attach the entire MGLogs.zip ....

    In the mean time, you have gotten more infected. :(

    Let's start with this:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Drivers::
    clbdriver
    
    File::
    C:\WINDOWS\system32\drivers\clbdriver.sys
    C:\WINDOWS\eswa.exe
    C:\WINDOWS\Sys91.exe
    C:\WINDOWS\system32\uuynrc.dll
    C:\WINDOWS\system32\brmnpukf.dll
    
    Folder::
    C:\WINDOWS\system32\mlJAtTkj
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1add0b9a-44fd-46ed-800e-e70957be5af9}]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "0c324ab2"=-
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combo.
     
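The CFScript above is a small declarative format: `Section::` headers followed by one target per line, with the `Registry::` section in .reg syntax (`[-KEY]` deletes a key, `"name"=-` deletes a value under the most recently named key). After ComboFix runs, the natural follow-up check is whether any of those targets survived. The script below is an added example, not code from the thread or from ComboFix: it parses a CFScript into its sections, expands the registry actions, and reports which files, folders, driver services and registry entries are still present. Assumptions are labelled in the code: the `~` in `HKEY_LOCAL_MACHINE\~\Browser Helper Objects` is taken to be ComboFix's log shorthand for `SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer`, a driver named under `Drivers::` is looked up as a service under `HKLM\SYSTEM\CurrentControlSet\Services`, and the live registry probe (`winreg`) only works when run on Windows; the sample input is a constructed copy of the script posted above.

```python
"""Parse a ComboFix CFScript and report which of its targets still exist.

Added example (not from the MajorGeeks thread or ComboFix). The live
registry check needs Windows; the parser and the injectable probes run
anywhere, which is how the assertions below exercise it.
"""
import os
import re
import sys

# Constructed copy of the CFScript posted in the thread, used as sample input.
SAMPLE_CFSCRIPT = r"""KILLALL::

Drivers::
clbdriver

File::
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\eswa.exe
C:\WINDOWS\Sys91.exe
C:\WINDOWS\system32\uuynrc.dll
C:\WINDOWS\system32\brmnpukf.dll

Folder::
C:\WINDOWS\system32\mlJAtTkj

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1add0b9a-44fd-46ed-800e-e70957be5af9}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"0c324ab2"=-
"""

# Assumption: ComboFix abbreviates this Explorer key as '~' inside HKLM paths.
TILDE = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
# Kernel drivers are registered as services under this key.
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

HEADER_RE = re.compile(r"^([A-Za-z]+)::\s*$")   # e.g. "File::"
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")          # "[KEY]" or "[-KEY]" (delete)
VALUE_RE = re.compile(r'^"(.+)"=-$')            # '"name"=-' (delete value)


def parse_cfscript(text):
    """Split a CFScript into {section: [non-empty lines]} in header order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def expand_key(key):
    """Replace the '\\~\\' shorthand with the full Explorer key path (assumed)."""
    return key.replace("\\~\\", "\\" + TILDE + "\\", 1)


def parse_registry(lines):
    """Turn .reg-style lines into ('key', k) / ('value', k, name) delete actions."""
    actions, key = [], None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            key = expand_key(m.group(2))
            if m.group(1) == "-":
                actions.append(("key", key))
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            actions.append(("value", key, m.group(1)))
    return actions


def winreg_probe(key, name=None):
    """Live check: does the key (and optionally the value) exist? Windows only."""
    import winreg  # ImportError off Windows; inject a fake probe there instead
    hive_name, _, subkey = key.partition("\\")
    try:
        with winreg.OpenKey(getattr(winreg, hive_name), subkey) as h:
            if name is None:
                return True
            winreg.QueryValueEx(h, name)
            return True
    except OSError:
        return False


def remaining_targets(text, file_exists=os.path.exists, reg_probe=winreg_probe):
    """Return the CFScript targets that are still present on the machine."""
    s = parse_cfscript(text)
    left = []
    for path in s.get("File", []) + s.get("Folder", []):
        if file_exists(path):
            left.append(("path", path))
    for drv in s.get("Drivers", []):
        svc = SERVICES + "\\" + drv
        if reg_probe(svc):
            left.append(("driver", svc))
    for action in parse_registry(s.get("Registry", [])):
        if reg_probe(*action[1:]):
            left.append(action)
    return left


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFSCRIPT
    for item in remaining_targets(text):
        print("STILL PRESENT:", *item)
```

Run it on the infected machine with the saved `CFScript.txt` as the argument after ComboFix finishes; anything printed is a target ComboFix did not remove (or that was recreated, which is the usual sign a dropper is still active) and belongs in the next CFScript or in the logs you post back.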