Have virus. Ran scans with 3 AVs. Nothing.

#1 afunyun

Posted 12 July 2009 - 06:36 PM

Ok, 15 hours spent at the computer trying to remove this godforsaken virus is long enough.

Soo... Hi all. I know I have a virus. It's exceedingly obvious. But what isn't exceedingly obvious is how to kick it out of my computer. I've run McAfee, AVG, and avast, and nothing can do anything. I've also run a registry scan through AVG and cleaned with a registry cleaner.

AVG is the only thing to pick anything up, on its command-line scan through Safe Mode. It has snagged Trojans Generic13.ATPH and generic14.FD, as well as something called Downloader.Zlob_r.FF and something else called Crypt.FKY.

I'm also positive that there is another virus/malware that isn't being detected running things from behind the scenes and was the one that downloaded these other ones. It is a browser hijacker.

Whenever I start up Windows (I have XP Home, btw), I look into my running processes, and there have been anywhere in the range of 1-5 iexplore.exe processes running right on login, even though there aren't any windows for them. I can also hear the little clicks, like a link being clicked in IE, in the background through my speakers. The funny thing is that I don't use IE; I use Chrome.

There isn't any process I can see that is virus related, though a while ago A.exe, B.exe, and C.exe were running before McAfee took them down.

I also shut down the explorer.exe process before I do anything, because otherwise the comp freezes. I cannot use any icons or the start bar even when it's running, either.

I have tried everything within my limited knowledge on this subject to get rid of this and have so far failed. Can someone help me?

PS: When I search on Google in ANY browser, if I click a link it first goes to some random ad site and I have to go back and click it again to get to the actual site.

PPS: I cannot run HijackThis, Malwarebytes, or anything anti-spyware related, it seems. I click, see the hourglass, and then can see the process in Task Manager, but the window does not open.

PPPS: VIRUSES. :thumbsup: :flowers:

Edited by afunyun, 12 July 2009 - 06:40 PM.


#2 Budapest

Posted 12 July 2009 - 06:40 PM

Please download RootRepeal Rootkit Detector and save it to your Desktop.

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.
* Create a new folder on your hard drive called RootRepeal (C:\RootRepeal) and extract (unzip) RootRepeal.zip. (click here if you're not sure how to do this. Vista users refer to this link.)
* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the Files tab, then click the Scan button.
* In the Select Drives dialog (Please select drives to scan:), select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 afunyun

Posted 12 July 2009 - 06:44 PM

Alright, I cannot open a window to extract or even see that file in its folder. Explorer crashes.

I will be trying in safe mode one moment.

#4 afunyun

Posted 12 July 2009 - 07:01 PM

I got pwned into a blue screen with the following message:

I can't let you run that program, John...

...

Not really, the blue screen gave me


DRIVER_IRQL_NOT_LESS_OR_EQUAL


It's never done that before....

#5 Budapest

Posted 12 July 2009 - 07:04 PM

Rename this file:

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

to this:

winlogon.exe

Then double-click the file and see if Malwarebytes will run. If it does, run a quick scan and post the log.

#6 afunyun

Posted 12 July 2009 - 07:30 PM

Thank you, it runs now...

Here:


Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

7/12/2009 8:28:50 PM
mbam-log-2009-07-12 (20-28-45).txt

Scan type: Quick Scan
Objects scanned: 121837
Time elapsed: 12 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 11
Registry Values Infected: 4
Registry Data Items Infected: 10
Folders Infected: 2
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\jaduguyu.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\SYSTEM32\kiyuwalu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\lehebofi.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{da828750-b2dc-44b2-927c-760508f3b320} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{da828750-b2dc-44b2-927c-760508f3b320} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{da828750-b2dc-44b2-927c-760508f3b320} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\DVDTool (Trojan.DNSChanger) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DVDTool (Trojan.DNSChanger) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm7f1a895d (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nujotabese (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\jaduguyu.dll -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\jaduguyu.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\kiyuwalu.dll -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.175,85.255.112.179 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.175,85.255.112.179 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.175,85.255.112.179 -> No action taken.

Folders Infected:
c:\documents and settings\Admin 0\Start Menu\Programs\DVDTool (Trojan.DNSChanger) -> No action taken.
C:\Program Files\DVDTool (Trojan.DNSChanger) -> No action taken.

Files Infected:
c:\WINDOWS\SYSTEM32\kiyuwalu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\lehebofi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\gurabimi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\jaduguyu.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\SYSTEM32\bozuneyi.dll (Trojan.Vundo.H) -> No action taken.
c:\documents and settings\Admin 0\start menu\Programs\DVDTool\Uninstall.lnk (Trojan.DNSChanger) -> No action taken.
c:\program files\DVDTool\Uninstall.exe (Trojan.DNSChanger) -> No action taken.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\SYSTEM32\h@tkeysh@@k.dll (Trojan.Agent) -> No action taken.
c:\documents and settings\Admin 0\My Documents\My Music\My Music.url (Trojan.Zlob) -> No action taken.
c:\documents and settings\Admin 0\My Documents\My Videos\My Video.url (Trojan.Zlob) -> No action taken.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> No action taken.
c:\documents and settings\all users\start menu\Antivirus Scan.url (Trojan.Zlob) -> No action taken.
c:\documents and settings\all users\start menu\Online Spyware Test.url (Trojan.Zlob) -> No action taken.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> No action taken.


I didn't tell it to remove... should I?
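The log above records not just the Vundo DLLs but the load points they use (AppInit_DLLs, an LSA notification package, a Run value) and the replaced DNS servers, all still marked "No action taken". As an added example (not from this thread, Malwarebytes, or BleepingComputer), this Python parser reads lines in that log format, splits each detection into item, family, data and action, and lists the persistence vectors that remain in place while no action has been taken. The vector descriptions are my own labels, and the sample input is a handful of lines copied from the log above.

```python
import re
from dataclasses import dataclass

# Sample input: a few lines copied from the Malwarebytes log posted above.
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\SYSTEM32\jaduguyu.dll (Trojan.Vundo.H) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nujotabese (Trojan.Vundo.H) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\jaduguyu.dll -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\jaduguyu.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.175,85.255.112.179 -> No action taken.
"""

# Locations that give the malware a foothold, keyed by a lower-case substring of the item path.
PERSISTENCE_VECTORS = {
    "\\appinit_dlls": "AppInit_DLLs: DLL loaded into every process that links user32.dll",
    "\\lsa\\notification packages": "LSA notification package: DLL loaded by lsass.exe at boot",
    "\\currentversion\\run\\": "Run key autostart",
    "\\tcpip\\parameters\\nameserver": "DNS servers replaced, so every lookup goes to attacker resolvers",
    "\\security center\\": "Security Center alerts silenced",
}
ITEM_RE = re.compile(r"^(?P<item>.+) \((?P<family>[\w.]+)\)$")  # "<item> (<family>)" before the first " -> "

@dataclass
class Finding:
    item: str     # file path or registry location
    family: str   # Malwarebytes detection name, e.g. "Trojan.Vundo.H"
    data: str     # middle fields joined ("Data: ..." / "Bad: (1) Good: (0)"), may be empty
    action: str   # last field, e.g. "No action taken"
    vector: str   # recognised persistence mechanism, or "" if none

def parse_mbam_log(text):
    findings = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(" -> ")]
        m = ITEM_RE.match(parts[0])
        if len(parts) < 2 or not m:       # section headers, blanks, "(No malicious items detected)"
            continue
        low = m["item"].lower()
        vector = next((v for k, v in PERSISTENCE_VECTORS.items() if k in low), "")
        findings.append(Finding(m["item"], m["family"], "; ".join(parts[1:-1]),
                                parts[-1].rstrip("."), vector))
    return findings

def pending_vectors(findings):
    # Persistence mechanisms still in place because the user chose "No action taken".
    return sorted({f.vector for f in findings if f.vector and f.action == "No action taken"})
```

Running `pending_vectors(parse_mbam_log(SAMPLE_LOG))` on the sample returns five distinct vectors, which is why the reply below says to remove everything and rescan after a reboot: a Run value or AppInit_DLLs entry left behind reloads the DLLs on next login.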

#7 Budapest

Posted 12 July 2009 - 07:34 PM

Remove everything found. Then reboot, run the Malwarebytes scan again and remove everything found. Then try to run RootRepeal again.

#8 afunyun

Posted 14 July 2009 - 02:52 PM

OH noes!

Ok, sorry for waiting so long, but... I did everything you said and I STILL can't run RootRepeal!! :|

It gives me a blue screen of death EVERY time; I've tried renaming, redownloading, everything I can think of. So I think this has resulted in the fact that everything is gone, except 3 things. 1: Some nasty virus that's hiding, 2: A trojan that is always re-installed by said nasty hiding virus, called Trojan.Agent by Malwarebytes, and 3: A rootkit that is ALSO being replaced every time it is killed, either being replaced by Agent or the hidden thing; it is called Rootkit.Tracer by Malwarebytes.

I have also figured out the original source of this, and it goes by the name of MS Antivirus, the trojan scam one. (Tells you you have lots of infected things, but you really don't, and if you don't buy the "cure" it infects you to bloody hell.) :|

If you must know, the Blue Screen error it gives me is as written:

DRIVER_IRQL_NOT_LESS_OR_EQUAL

Edited by afunyun, 14 July 2009 - 02:54 PM.


#9 afunyun

Posted 14 July 2009 - 03:35 PM

Also, I just looked and this was running:

Posted Image


Then, see that iexplore.exe? That randomly appears, running some audio. Many times there are as many as 15 of them running.

Posted Image

On top of that, I also get a random "Google installer has encountered a problem and needs to close" error window popup every so often :|

#10 Budapest

Posted 14 July 2009 - 04:41 PM

Try using Process Explorer to kill the process and then scan with Malwarebytes as described here:

http://www.malwarebytes.org/forums/index.php?showtopic=17583

#11 afunyun

Posted 15 July 2009 - 01:30 AM

But see, that's the problem.

Whenever I kill it and scan with anything, including mbam, it detects a few things, tells me, I say remove, it says reboot, and then I do, and it pops up later... Hence why I said something nasty is running the show from the background, which isn't being detected.

#12 Budapest

Posted 15 July 2009 - 02:11 AM

Have you tried running RootRepeal in Safe Mode?