Infection that prevents running of utils and normal startup


7 replies to this topic

#1 mikthefish

mikthefish

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:48 PM

Posted 28 August 2009 - 11:17 PM

Hello all. I'm a newbie here and came across this site after hours of troubleshooting an infection.

Hoping that one of you kind folks can help me clean this off so as to preclude a lengthy rebuild. I have a good amount of computer experience and have all my data backed up on a now-disconnected USB drive.

I have an XP SP3 computer that apparently got infected at 9am this morning. My Symantec AntiVirus Corporate Edition v10 seemed to catch some of it (I can see that the quarantine was updated at that time), but the computer started to misbehave and then BSODed at 9:15am. I booted into safe mode and started poking around and tried to remediate via a combo of SAV, AdAware and manual effort, as I have done during other virus infections on other PCs.

- searched and found all files created between 9-9:15am
- moved all the obvious files to a separate folder and set with list-only NTFS rights
~.exe
blyuwrjl.exe
fyblb.exe
jukazena.dll
kayujada.dll
melusume.dll
osps.exe
pvewnn.exe
sawopuyu.dll
tepidike.dll
- saw that my previous System Restore point had probably been infected, removed those files as well
- removed references to jukazena.dll and tepidike.dll in HKLM\software\microsoft\windows\currentversion\run

When I booted into normal mode, I was unable to login and quickly got a message about SERVICES.EXE terminating unexpectedly with error -1073741819 and a countdown to restart. So back to Safe Mode....

When I went to run SAV and AdAware in Safe Mode, both exhibited the same behavior: the scans would start and then disappear, the processes disappearing from Task Manager as well. In addition, the NTFS permissions on the .exes for SAV and AdAware were modified to prevent subsequent running. I know enough to reset the permissions, but this trend of killing the scan and resetting the NTFS permissions happened as I tried other utilities such as Malwarebytes' Anti-Malware, HijackThis and SDFix.

Digging deeper, I found that while in Safe Mode, I only had base OS processes running (I even disabled WMI and the Crypt services) but that the reference to jukazena.dll in the \Run regkey came back 5 sec after deletion. So figuring the virus had its hooks in Explorer, I dug through the Explorer extensions and Browser Helper Objects and deleted a suspicious entry, but to no avail, the \Run entry kept getting reinstated after deletion.

So I went surfing and found my way here. I tried to run both DDS.SCR and RootRepeal, but they were both killed within 10sec of starting their scans. I killed explorer and same results, so now I fear this infection is deep inside XP.

I would appreciate any help anyone can provide, as a full rebuild is never enjoyable and I don't want to let the bastards win!

thanx,
MikTheFish
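The two manual steps the poster describes (listing files created in the 9:00 to 9:15 window, and watching the Run value that came back five seconds after deletion) as an added PowerShell example. This is not code from the thread or from any tool named in it; it assumes PowerShell 2.0 or later and an elevated prompt, and the time window, folder list and watch duration are constructed from the post and can be changed.

```powershell
# Added example (not from the thread): triage helpers for the two manual steps
# described in the post, written from a responder's point of view.
# Assumptions: PowerShell 2.0+, elevated prompt; window and folders are constructed.

param(
    [datetime]$Start = (Get-Date '2009-08-28 09:00'),   # constructed from the post
    [datetime]$End   = (Get-Date '2009-08-28 09:15'),
    [string[]]$Roots = @("$env:SystemRoot\System32", "$env:SystemRoot", "$env:TEMP"),
    [string]$RunKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    [int]$WatchSeconds = 60
)

# 1. Files created inside the window. Creation time is easy to forge, so the
#    listing also shows LastWriteTime and size for a sanity check.
Write-Host "Files created between $Start and $End"
Get-ChildItem -Path $Roots -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and
                   $_.CreationTime -ge $Start -and $_.CreationTime -le $End } |
    Sort-Object CreationTime -Descending |
    Select-Object FullName, CreationTime, LastWriteTime, Length |
    Format-Table -AutoSize

# 2. Snapshot the Run key, then report every value that is added, changed or
#    removed while we watch. A value that reappears seconds after deletion is
#    being rewritten by a live process or injected thread, which is exactly the
#    behaviour the poster saw with jukazena.dll.
function Get-RunSnapshot {
    param([string]$Key)
    $snap = @{}
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($p in $item.PSObject.Properties) {
            # Skip the PS* metadata properties Get-ItemProperty adds
            if ($p.Name -notmatch '^PS') { $snap[$p.Name] = [string]$p.Value }
        }
    }
    return $snap
}

$baseline = Get-RunSnapshot -Key $RunKey
Write-Host "Baseline Run values: $($baseline.Keys -join ', ')"
$deadline = (Get-Date).AddSeconds($WatchSeconds)
while ((Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 1
    $now = Get-RunSnapshot -Key $RunKey
    foreach ($name in $now.Keys) {
        if (-not $baseline.ContainsKey($name)) {
            Write-Warning "New Run value '$name' = $($now[$name]) at $(Get-Date -Format T)"
        } elseif ($baseline[$name] -ne $now[$name]) {
            Write-Warning "Changed Run value '$name': '$($baseline[$name])' -> '$($now[$name])'"
        }
    }
    foreach ($name in $baseline.Keys) {
        if (-not $now.ContainsKey($name)) { Write-Warning "Run value '$name' removed" }
    }
    $baseline = $now
}
```

Delete the suspicious value in another window while the watcher runs; if a warning for the same name appears within a few seconds, the persistence is being enforced by something still running, and the next question is which process holds the file or registry handle (Process Explorer's handle search is one way to answer that), not whether the value can be deleted again.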



#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:02:48 PM

Posted 29 August 2009 - 10:36 AM

If you cannot get DDS to work, please try this instead.

Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop down box set to default: "List/folders created or modified in the last 1 month (30 days)".
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Save the log file to your desktop and copy/paste the contents into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.
If RSIT did not work, then reply back here.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 mikthefish

mikthefish
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:48 PM

Posted 29 August 2009 - 10:57 AM

Thanx garmanma for replying and putting this in the right forum.

RSIT started to run but then got killed before completing and the .exe NTFS permissions were reset, just as with all the other utils I have been trying to use. I set NTFS Deny permissions for SYSTEM to prevent resetting, but no good.


mikthefish

#4 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:02:48 PM

Posted 29 August 2009 - 05:51 PM

Please download runscanner.zip and save to your desktop.
  • Create a new folder on your hard drive called Runscanner (C:\Runscanner) and extract (unzip) the file there.
    (click here if you're not sure how to do this.)
  • Double-click Runscanner.exe to launch.
  • Select Beginner mode and click Ok.
  • Select Do a full scan and save a log file (default is Full Scan) to start.
  • Please be patient and do not use your computer during the scan.
  • When the scan is complete, a window will open asking you to save runscanner.run. Click Cancel.
  • Another window will open asking you to save runscanner.log.
  • Save it to your desktop and "Save as type: Runscanner log file [*.log]".
  • The log file will automatically open in Notepad.
  • Go to the top menu, click on "Format" and uncheck "Word Wrap" if checked.
  • Copy and paste the contents of the log file into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
  • Exit Runscanner when done.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run. If Runscanner did not work, then reply back here.

Edited by garmanma, 29 August 2009 - 05:58 PM.

Mark

#5 guitrman1

guitrman1

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:48 PM

Posted 30 August 2009 - 02:36 AM

I'm having the same problem. Runscanner didn't work. Nothing works. Looks like format time, ladies and gents. I bid thee farewell...

:thumbsup: :flowers:

#6 mikthefish

mikthefish
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:48 PM

Posted 30 August 2009 - 07:20 AM

Runscanner got killed during step 4 and the permissions on the .exe were reset.

arrrrgh

#7 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:02:48 PM

Posted 30 August 2009 - 06:42 PM

Give OTListit a try:
http://oldtimer.geekstogo.com/OTL.exe
Mark

#8 mikthefish

mikthefish
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:48 PM

Posted 09 September 2009 - 07:35 PM

no success

I have run Sysinternals' Process Explorer and found some suspicious handles attached to the Winlogon and Explorer processes; they are listed as Mutant BaseNamedObjects and called "ligvyomatemevah" and "pegenuhuhe". I searched the registry but didn't find any values/fields related.

Do you know of a way to find rootkits manually, as all the scanners seem to be getting killed when looking for this bastard?

thanx,
mikthefish
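The mutant handles the poster found in Process Explorer can be checked for directly: malware often creates a named mutex as its "already running" marker, so testing whether that name still exists is a quick infection check, and its disappearance after cleanup (or in Safe Mode, where the poster reports only base OS processes) is one signal that the process holding it is gone. Added PowerShell example, not code from the thread or from Process Explorer; it assumes PowerShell 2.0 or later, takes the two names from the post, and tries the standard Local\ and Global\ namespaces (Process Explorer's \BaseNamedObjects corresponds to Global\, the per-session directory to Local\).

```powershell
# Added example (not from the thread): test whether named mutants seen in
# Process Explorer still exist, without running a scanner that can be killed.
# Assumptions: PowerShell 2.0+; names below are taken from the post.

$names = @('ligvyomatemevah', 'pegenuhuhe')   # from the post; add others as found

function Test-NamedMutex {
    param([string]$Name)
    # An unprefixed name resolves to the session-local namespace; Global\
    # covers objects created in \BaseNamedObjects by any session.
    foreach ($prefix in @('', 'Local\', 'Global\')) {
        $full = $prefix + $Name
        try {
            $m = [System.Threading.Mutex]::OpenExisting($full)
            $m.Close()
            return $full                      # exists and we could open it
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # not present under this prefix, try the next one
        } catch [System.UnauthorizedAccessException] {
            return "$full (exists, access denied)"
        }
    }
    return $null
}

foreach ($n in $names) {
    $result = Test-NamedMutex -Name $n
    if ($result) { Write-Warning "Mutant present: $result" }
    else         { Write-Host    "Not found: $n" }
}
```

Run it before and after each cleanup attempt and keep the output with the rest of the triage notes; a name that is present in normal mode but absent in Safe Mode tells you the owner is something loaded only in a normal boot, which narrows where to look next. Opening a mutex only takes a handle, it does not signal or release it, so the check has no side effect on whatever created it.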
