
malware/spybot won't run, IEXPLORE.exe opening at random and undeletable files.


  • This topic is locked
4 replies to this topic

#1 omgitswill (Members, 4 posts)

Posted 19 February 2009 - 07:02 PM

I've gotten an infection today, and although I was able to remove most of it (crypts.dll, reader_s were two of the files, along with a whole mess of random filename dlls and tmps) by just going into safe mode and deleting those new files and regediting the appropriate entries. Runscanner helped a lot with that. I sorted by modified date and compared to a machine next to me (and just used good judgment). I also had to re-enable task manager, folder options and regedit. Just trying to give a little background in case it's useful. On to the problems!

1) Some programs won't open (HJT runs, runscanner runs, CCleaner runs, Malwarebytes won't install, spyware won't install, tried running ComboFix but it wouldn't run either). Firefox will open but I'm hesitant to open it for very long (I'm typing this on the second PC). That is my first problem. I don't know if changing the file names on spybot will help or not, but I didn't try.

2) IExplore.exe keeps opening at random intervals. I can kill the process, but it's obviously running on its own.

3) userinit.exe is a different filesize and has a new modified date (119kb and right when the infection happened). I checked it vs the second PC to notice the problem but I'm very hesitant to start messing with system files so I came to you guys to hopefully get some advice.

4) There is a file with the name __c00F3D91.dat which is undeletable and identifies as a winlogon notify issue in HJT. It is also undeletable in safe mode on the administrator account.

5) ntdll64.dll located in doc&settings/user/local settings/temp along with a .tmp file. Neither could be deleted in safe mode on a separate account.

6) Windows firewall says it is being controlled by group settings and refuses to turn on. I had it off when the infection occurred and read in one of your many readme/FAQ stickies that I should turn it on.

I'm running Windows XP Pro SP2 but I'm certain the problem is that I haven't updated in ages, so that's a new priority for me (like most in my position, I assume). I'm not sure what to do right now, but I hope somebody here does =) Thanks for reading!

Edit: oh, and thanks for the great site! Very great thing you're doing here.

Edited by omgitswill, 19 February 2009 - 07:03 PM.


#2 boopme (Global Moderator, 73,489 posts, NJ USA)

Posted 19 February 2009 - 07:14 PM

Hi, if Spybot's TeaTimer is running, it should be disabled for most of these scans. I suspect a TDSS infection at work here.

Some types of malware will disable Malwarebytes (MBAM) and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.

***
Another workaround is not using the mouse to install it; just use the arrow keys, Tab, and Enter keys.


If you cannot use the Internet, you will need access to another computer that has a connection.
From there save mbam-setup.exe to a flash/USB/jump drive or CD. Now transfer it to the infected machine, then install and run the program.
If you cannot transfer to or install on the infected machine, try running the setup (installation) file directly from the flash drive or CD by double-clicking on mbam-setup.exe so it will install on the hard drive.

Manually Downloading Updates:
Manually download them from HERE and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 omgitswill (Topic Starter, Members, 4 posts)

Posted 19 February 2009 - 07:33 PM

None of that worked =( Teatimer is not running.

Alright, new problem. I restarted and basically everything went to hell. I assume I did something wrong, but I've many times since doing any major "fixing" and I'm reasonably sure I was safe to begin with. All I tried to do the last time I loaded up was run programs and scan around looking for things. New things I've found using runscanner:


ntdll64 located at C:\DocumentsandSettings\MyUsername\LocalSettings\Temp\ntdll64.dll has 2 registry entries in winsock2.

Background Intelligent Transfer Service has some issues. Basically the registry key at HKLM/ BITS has an image path. I'm making an assumption here so correct me if I'm wrong, but its current value is %fystemRoot%\system32\svchost.exe -k netsvcs. Shouldn't that read %systemRoot%? Upon attempting to change the value I receive the following error: Cannot edit ImagePath: Error writing the value's new contents.


Second edit: I loaded up the administrator account, and most of everything came back. IEXPLORE.EXE was open 4 or 5 times, and an Internet Explorer window even opened when I went to open My Computer (or some other folder opening I did). None of the renaming has worked in here or in safe mode. reader_s is back. So I'm a little sad now, and I anxiously await your (or anybody nice enough to read of my plight) advice =)

Edited by omgitswill, 19 February 2009 - 07:59 PM.
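The findings in the two posts above (the altered BITS ImagePath, the Winlogon Notify entry, the Winsock2 entries pointing at a DLL in Temp, the changed userinit.exe, and the firewall "controlled by group settings" symptom) can be checked read-only from the registry. This is an added example, not code from the thread; the key paths and stock default values are assumptions based on standard Windows XP and it modifies nothing.

```powershell
# Added example (not from the thread): read-only registry triage for the indicators described above.
# Assumption: standard Windows XP key paths and stock default values; nothing is modified.
function Get-ThreadTriageFindings {
    $findings = @()
    $sys32 = "$env:SystemRoot\system32"

    # 1) BITS ImagePath: the thread saw "%fystemRoot%". Read the raw REG_EXPAND_SZ so the typo survives expansion.
    $bitsKey = Get-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\BITS' -ErrorAction SilentlyContinue
    if ($bitsKey) {
        $img = $bitsKey.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
        if ($img -ne '%SystemRoot%\system32\svchost.exe -k netsvcs') { $findings += "BITS ImagePath altered: $img" }
    }

    # 2) Winlogon Userinit, plus every Notify subkey (where HJT reported the thread's __c00F3D91.dat entry)
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $wl -ErrorAction SilentlyContinue).Userinit
    if ($userinit -and $userinit -ne "$sys32\userinit.exe,") { $findings += "Winlogon Userinit altered: $userinit" }
    foreach ($sub in @(Get-ChildItem -Path "$wl\Notify" -ErrorAction SilentlyContinue)) {
        $dll = (Get-ItemProperty -Path $sub.PSPath).DLLName
        if (-not $dll) { continue }
        $full = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $sys32 $dll }
        # Notify packages are DLLs in system32; a .dat file or a path elsewhere is what the thread describes
        if ($full -notmatch '\.dll$' -or $full -notlike "$sys32\*") {
            $findings += "Winlogon Notify '$($sub.PSChildName)' loads: $full"
        }
    }

    # 3) Winsock2 namespace providers whose LibraryPath points into a Temp folder (the thread's ntdll64.dll case)
    $ns = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries'
    foreach ($e in @(Get-ChildItem -Path $ns -ErrorAction SilentlyContinue)) {
        $lib = (Get-ItemProperty -Path $e.PSPath).LibraryPath
        if ($lib -match '\\Temp\\') { $findings += "Winsock2 namespace provider in Temp: $lib" }
    }

    # 4) Policy values behind "firewall controlled by group settings" and a disabled Task Manager / regedit
    $fw = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile' -ErrorAction SilentlyContinue
    if ($fw -and $fw.EnableFirewall -eq 0) { $findings += 'Policy forces Windows Firewall off (EnableFirewall=0)' }
    $pol = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    foreach ($v in 'DisableTaskMgr', 'DisableRegistryTools') {
        if ($pol -and $pol.$v -eq 1) { $findings += "Policy sets $v=1" }
    }
    return $findings
}

# Usage: print findings; an empty result means none of the thread's indicators were seen
Get-ThreadTriageFindings | ForEach-Object { Write-Output "FINDING: $_" }
```

Run it from an elevated prompt; a hit on any check is a reason to capture the value for the log rather than to edit it by hand, which is exactly the advice the moderator gives below.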


#4 boopme (Global Moderator, 73,489 posts, NJ USA)

Posted 19 February 2009 - 08:26 PM

Hi, judging from what you cannot do and the files in the PM (were malware)...
We need to run HJT.
Please follow this guide, go and do steps 6 and 7: Preparation Guide For Use Before Using Hijackthis. Then

go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and

post that complete log.

Let me know if it went OK!

#5 boopme (Global Moderator, 73,489 posts, NJ USA)

Posted 19 February 2009 - 09:30 PM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Post in this thread when you haven't received an answer in five days.".

To avoid confusion, I am closing this topic.