Suspected Malware


6 replies to this topic

#1 _Silk_

_Silk_

  • Members
  • 6 posts

Posted 21 December 2008 - 08:27 PM

Had this problem first appear yesterday and have been working ever since to get rid of it.

When the virus first appeared the first thing that happened was I got a screen VERY similar to the infamous 'Antivirus 2008' malware. So I killed that screen as quickly as possible but naturally that wasn't enough.
My next step was to go and download Malwarebytes anti-malware program but I soon found that all useful sites that I would try to go to (such as here etc, nb/ on a different comp now) were redirected to your typical 'download this anti-virus!!!' site.

So I restarted (supposedly in safe mode but I missed my F8 timing :thumbsup:) and after logging in got a 'userinit.exe failed to initialize' error and explorer wouldn't load. I got it up through the Task Manager>New task, but then just went back to safe mode anyway. Meanwhile, got out my external HDD with a copy of mbam setup on it.

Logging in in safe mode got the same userinit.exe error, and once I got explorer back I got the same error but instead of userinit it was rundll32 that failed to initialize.

Starting to worry I tried to install mbam. Nothing. Double clicked the install icon, got the 'loading in background' cursor for about a second, then nothing.



After some vigorous searching on the web for a solution I'm still stumped. Tried and failed is VundoFix and ATF cleaner. Even tried Ad-aware but to no avail. The most useful thing I've found is that renaming the mbam install file I was able to install it. However the same 'nothingness' occurs when trying to run it (and the renaming trick didn't work a second time).

Never have I been so stumped by a virus and frustratingly I'm about 90% sure that mbam will get it - if only I could run the damn thing!!

Oh, and the newest symptom is that the system locks up on the login screen (unless I'm in safe mode). :flowers:


#2 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 21 December 2008 - 09:49 PM

If mbam won't install

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.

Edited by garmanma, 21 December 2008 - 09:51 PM.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 _Silk_

_Silk_
  • Topic Starter

  • Members
  • 6 posts

Posted 22 December 2008 - 01:54 AM

I tried that to no avail but at your suggestion I optimistically tried again and this time it worked. A few scans and a couple of hours later the problem was gone! (or at least it looks that way - I'm always suspicious after these things...)

So thank you very much!

#4 _Silk_

_Silk_
  • Topic Starter

  • Members
  • 6 posts

Posted 23 December 2008 - 03:05 AM

Actually, no I was wrong. All is not fine.

Malwarebytes did pick up the bulk of my problems but I am still getting consistent pop-up ads, and lockups at the login screen.
Running scans like Ad-aware, AVG, and mbam all pick up some results, but it never seems to stick on restart. Either that or they're simply not picking up the source.

This thing is driving me nuts!!

#5 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 23 December 2008 - 09:40 AM

Please reboot your computer and update Malwarebytes. This time do a FULL scan and post the new log here for us to look at.
Mark

#6 _Silk_

_Silk_
  • Topic Starter

  • Members
  • 6 posts

Posted 24 December 2008 - 08:16 AM

The update kept failing (no connection or firewall error - both of which I checked) so I found a manual update, which didn't work cause - lo and behold - my core app wasn't the latest version.
So fixed that, updated the databases, ran a scan. It picked up a few more things than before and a few things to delete on reboot (which failed cause I had to rename the mbam.exe and it couldn't find it :thumbsup:. However it did seem to get rid of enough stuff to allow it to work when I changed the name back, so I ran it again.)

So far it seems to have gotten rid of the lot. However I've been fooled once already, so here's the log as requested (this is of the second scan):

Malwarebytes' Anti-Malware 1.31
Database version: 1526
Windows 5.1.2600 Service Pack 2

25/12/2008 12:01:31 AM
mbam-log-2008-12-25 (00-01-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 160987
Time elapsed: 19 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ms antispyware 2009 5.7 (Rogue.MSAntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\TDSSkfkl.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSovba.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSStnyh.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSurkv.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSrydc.sys (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\TDSS533f.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS6835.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS6cc9.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS70e0.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS7554.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS7bcd.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSqrdd.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSxnpr.dll (Rootkit.Agent) -> Delete on reboot.



Like I say, it appears to have gone, and also, it's Christmas - so no rush on this one! Enjoy your Christmas and thanks a lot!

Edited by _Silk_, 24 December 2008 - 08:17 AM.
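The log above lists several TDSS entries marked "Delete on reboot", which is why the next reply asks for a reboot before the re-scan. The following script is an added example, not code from the thread or from Malwarebytes: it parses the plain-text layout of a Malwarebytes' Anti-Malware 1.x log (header lines, per-section summary counts, then per-section detection lines of the form `item (Family) -> action.`), reports detections grouped by family, lists the items still pending a reboot, and cross-checks the per-line detections against the summary counts so a truncated or hand-edited log is noticed. The embedded `SAMPLE_LOG` is a constructed excerpt in the same layout as the posted log; the function and regex names are this example's own.

```python
"""Summarise a Malwarebytes' Anti-Malware 1.x text log (added example)."""
import re
from collections import Counter

# Constructed sample in the same layout as the log posted in the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.31
Database version: 1526
Windows 5.1.2600 Service Pack 2

Scan type: Full Scan (C:\|)
Objects scanned: 160987

Memory Processes Infected: 0
Registry Keys Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\TDSSkfkl.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSrydc.sys (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\TDSS533f.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSxnpr.dll (Rootkit.Agent) -> Delete on reboot.
"""

# "Registry Keys Infected: 7" is a summary count; "Registry Keys Infected:" opens a section.
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")
# item (Family) -> action.   The item may contain spaces; families never contain parentheses.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_log(text):
    """Return {'header': {...}, 'summary': {section: count}, 'detections': [...]}"""
    header, summary, detections = {}, {}, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("section")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None:
            # Still in the header block: "Database version: 1526", timestamps, etc.
            m = HEADER_RE.match(line)
            if m:
                header[m.group("key")] = m.group("value")
            else:
                header.setdefault("notes", []).append(line)  # product, OS, date, file name
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append({"section": section, **m.groupdict()})
    return {"header": header, "summary": summary, "detections": detections}


def pending_reboot(parsed):
    """Items the scanner could not remove in-session; they stay until the machine restarts."""
    return [d["item"] for d in parsed["detections"]
            if d["action"].lower().startswith("delete on reboot")]


def family_counts(parsed):
    """Detections grouped by the scanner's family label (Trojan.TDSS, Rootkit.Agent, ...)."""
    return Counter(d["family"] for d in parsed["detections"])


def count_mismatches(parsed):
    """Sections whose listed detections disagree with the summary counts -> {section: (summary, seen)}."""
    seen = Counter(d["section"] for d in parsed["detections"])
    return {s: (n, seen.get(s, 0)) for s, n in parsed["summary"].items() if seen.get(s, 0) != n}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("Database version:", parsed["header"].get("Database version"))
    for family, n in family_counts(parsed).most_common():
        print(f"{n:3d}  {family}")
    for item in pending_reboot(parsed):
        print("PENDING REBOOT:", item)
    if count_mismatches(parsed):
        print("WARNING: summary counts do not match listed items:", count_mismatches(parsed))
```

Run it against a saved `mbam-log-*.txt` by reading the file into `parse_log` instead of `SAMPLE_LOG`; a non-empty `pending_reboot` list means the cleanup is not finished until the next restart, and a non-empty `count_mismatches` result means the pasted log is incomplete and should be re-posted whole.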


#7 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 24 December 2008 - 01:23 PM

You need to REBOOT the computer for Mbam to finish
Then update Malwarebytes. This time do a FULL scan and post the new log here
Mark