Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unidentified Malware


  • This topic is locked This topic is locked
6 replies to this topic

#1 Joawpa

Joawpa

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:29 AM

Posted 23 April 2008 - 11:33 AM

This malware shuts down explorer.exe 5 to 10 seconds after I open file explorer or any related process. I can't seem to install a virus scanner. Kaspersky Online reported no infections, while Bitdefender Online reported multiple, and is unable to delete some. Explorer.exe can be reinitialized anytime via Task Manager => New Task.

Right now Spybot's Teatimer has the culprit dlls on an endless denied loop, but no difference. The dlls run through a startup process called MSServer, which masks itself as a rundll32 function. The dlls cannot be deleted through explorer and anytime the service is disabled, it's immediately restored.

Attached are the main.txt, extra.txt, AVG8 failed install log, and kaspersky log.

Help appreciated.

Attached Files


Edited by Joawpa, 23 April 2008 - 11:36 AM.


BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:29 AM

Posted 25 April 2008 - 12:48 PM

Hello Joawpa,

Welcome to Bleeping Computer :blink:

This is going to sound strange to you, as it's doing its job, but I need for you to turn Tea Timer OFF for these fixes. As much as it stops the bad things from happening, it also stops us from making the required changes to fix it. :thumbsup:

So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can reenable TeaTimer once your system is clean.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {084BD04A-F0A9-4A07-B78B-63E0E48A551A} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {4C3FB66F-4409-44A1-92C0-05D52932D229} - C:\Windows\system32\ljJBtsQK.dll
O2 - BHO: (no name) - {580EFEA8-0640-4DF5-9318-2E57AEFE7D46} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E36F99B0-E19D-461F-92F8-B7E72B32F261} - (no file)
O2 - BHO: (no name) - {E5D50C7B-AB52-48B4-A0A0-4E2A9F990A9F} - (no file)
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\opnonmmM.dll,#1


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 Joawpa

Joawpa
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:29 AM

Posted 25 April 2008 - 04:02 PM

Hi tea,

Thanks for the help. I believe the infection was cleared, but that's for you to decide. Logs attached.

The three R0 selections you asked me to delete, what were they needed for?

A number of files and folders were created on my C:\ drive as a result of running combo, dss, and hijack. Can I remove them if all's clear?

O, and which malware was this exactly, and why was I unable to remove it through the typical means? What preventative measures can I take in the future (esp. with regard to Teatimer and Kaspersky Proactive Scan/RegGuard)?

Thanks so much again,
Joawpa

Attached Files



#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:29 AM

Posted 26 April 2008 - 12:12 AM

Hello,

Just a little bitty second please.....one more trace to remove:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\Windows\system32\opnonmmM.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Still running well? :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 Joawpa

Joawpa
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:29 AM

Posted 26 April 2008 - 12:30 AM

Everything's running superb. I see it did miss that one last trace, but the logs show it's gone now.

Both are attached.

Attached Files



#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:29 AM

Posted 26 April 2008 - 12:48 AM

Hello,

Tres magnifique!! :thumbsup:

combo, dss, and hijack. Can I remove them if all's clear?

Yes you can, and please include the dolder ComboFix created, C:\Qoobox as well.

You had an infection we lovingly ( :blink: ) call Vundo, short for Virtumonde. This stuff is pretty nasty these days and refuses to go quietly when told to. Add to that you were running Tea Timer, which does not like change whether good or bad, and you get a stubborn bunch of files. Don't forget to re enable it, if you haven't already. :wacko:

Now on to the stuff I gotta tell you............

If there are no further problems:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

You should definitely maintain a firewall. Some good free firewalls are Kerio, or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.


In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Take care!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:29 AM

Posted 29 April 2008 - 12:19 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users