
Cryp_Vundo-24 and others - Can't run mb scan or HJT


6 replies to this topic

#1 Mike79
  • Members
  • 5 posts

Posted 30 August 2009 - 02:06 AM

On Friday night, Trend Micro OfficeScan detected several viruses on my machine: It "quarantined" TROJ_VIRANTIX.BF, PAK_Generic.001, TROJ_AGENT.AVUI, and Mal_FakeAV-9. It also detected Cryp_Vundo-24, but that "passed a potential security risk."
TROJ_FAKEAVAL.LF, Mal_FakeAV-9 and Cryp_Vundo-24 were still detected several times after the initial incident. Please see the log at the end of this post.

Here are the effects (that I know about):
1.) I was getting a nag to do something with a fake "antivirus or antispyware program." I deleted C:\blyuwrjl.exe (I think) to resolve that issue.
2.) Every time a program is executed, I get the message: "The application or DLL C:/WINDOWS/System32/nizmoyo.dll is not a valid Windows image."
3.) I am unable to scan with Malwarebytes, Spybot, or Ad-aware. The programs exit after a few seconds.
4.) I am redirected to antispyware sites when I try to use Internet Explorer. (I'm temporarily using Firefox.)
5.) An "Iexplore.exe" process is running even though an IE window is not open. I kill it, but it restarts after a while.

Renaming mbam.exe enabled me to get into Malwarebytes. However, it still exits a few seconds after the scan starts. I tried renaming the program to winlogon.exe, but that did not resolve the issue. Safe mode also did not help.

I have been up for almost 24 hours trying to resolve this... Eventually, I gave up trying to run MB from the infected machine. I slaved the drive in another machine and scanned with Malwarebytes. It quarantined Trojan.Dropper (6 cases) and Rogue.Agent (2 cases). I pasted the log at the end of this post.
I put the drive back in the original machine and booted off of it. The machine is apparently still infected. I have all 3 issues listed above, and I am still unable to run an MB scan when I boot off of the drive.

I tried to run HijackThis (nothing happens). Renaming the exe did not help. I would be very grateful if anyone can assist me. I hope I can resolve it instead of formatting.

Malwarebytes scan (when slaving the drive in another machine):
D:\Documents and Settings\troy_b1\Local Settings\Temp\UAC7a25.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
D:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\6XN53SIW\xdqrivm[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
D:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\6XN53SIW\zwjkbb[1].txt (Trojan.Dropper) -> Quarantined and deleted successfully.
D:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\DGGXX6I7\agqqerbspt[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
D:\emxtqjit.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
D:\fyblb.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\UACtappamdibg.dll (Rogue.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\Temp\UAC8f0d.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
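The log above uses the fixed Malwarebytes line format "path (detection) -> action." A small triage script for that format is added here as an example; it is not code from this thread or from Malwarebytes. Its sample input is the eight lines quoted in the post, with the D: drive letter because the disk was slaved into a second machine. The check for filenames beginning with "UAC" is an assumption drawn from the poster's later remark that RootRepeal flagged UAC* entries as hidden from Windows, not a rule from any tool; a cluster of such names surviving a file-level cleanup is the cue that a rootkit component is still hiding them.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample input: the eight detection lines quoted in the post above.
SAMPLE_LOG = r"""
D:\Documents and Settings\troy_b1\Local Settings\Temp\UAC7a25.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
D:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\6XN53SIW\xdqrivm[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
D:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\6XN53SIW\zwjkbb[1].txt (Trojan.Dropper) -> Quarantined and deleted successfully.
D:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\DGGXX6I7\agqqerbspt[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
D:\emxtqjit.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
D:\fyblb.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\UACtappamdibg.dll (Rogue.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\Temp\UAC8f0d.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
"""

# "<path> (<detection>) -> <action>." with an optional trailing full stop.
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")

# Directory names under which the post's findings cluster: browser cache and
# temp folders, where dropped files land before they are executed.
TEMP_DIRS = {"temp", "temporary internet files"}


def parse_mbam_log(text):
    """Return one dict per detection line; non-matching lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        win_path = PureWindowsPath(m["path"])  # works on any host OS
        entries.append({
            "path": m["path"],
            "filename": win_path.name,
            "parts": [p.lower() for p in win_path.parts],
            "detection": m["detection"],
            "action": m["action"],
        })
    return entries


def count_by_detection(entries):
    """Tally detection names, e.g. {'Trojan.Dropper': 6, 'Rogue.Agent': 2}."""
    return Counter(e["detection"] for e in entries)


def uac_prefixed(entries):
    """Filenames starting with 'UAC' (assumed pattern, see lead-in)."""
    return [e["filename"] for e in entries if e["filename"].upper().startswith("UAC")]


def in_temp_location(entry):
    """True if any directory on the path is a temp or browser-cache folder."""
    return any(part in TEMP_DIRS for part in entry["parts"])


def triage(text):
    """Summarise a log: counts per detection, UAC-named files, temp-folder hits,
    and any entry whose action was not a quarantine (needs manual follow-up)."""
    entries = parse_mbam_log(text)
    return {
        "total": len(entries),
        "by_detection": dict(count_by_detection(entries)),
        "uac_named": uac_prefixed(entries),
        "temp_hits": sum(1 for e in entries if in_temp_location(e)),
        "not_quarantined": [e["path"] for e in entries
                            if "quarantined" not in e["action"].lower()],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the post's log, the summary shows six Trojan.Dropper and two Rogue.Agent hits, five of them under temp or cache folders, and three UAC-named files spread across Temp, system32 and WINDOWS\Temp; the `not_quarantined` list is the part worth reading first on a real log, since anything left in place is what the next scan will find again.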


#2 Maurice Naggar
    Eradicator de malware
  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 30 August 2009 - 02:32 AM

Hello Mike79,

Please see this --> http://www.bleepingcomputer.com/forums/ind...st&p=190227

You need to get & run a couple of reports, DDS & a log from RootRepeal and then make a New Topic in the HJT-Malware removal sub-forum
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

and make very clear where you have the infected HD.
If you must, rename DDS & the rootrepeal utilities to unique names, like bravo & tango, for example.
The DDS & RootRepeal logs will be most helpful.
Do not post those here.

The presence of a TDSS/UAC rootkit is preventing MBAM from running, and it must be dealt with first.

Do this to close any rogue (fake alert) window & repeat as needed:
Use ALT+F4 keys to close those rogue pop-up windows. Press and hold the ALT key & then press F4 key.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 Mike79
  • Topic Starter
  • Members
  • 5 posts

Posted 30 August 2009 - 03:52 AM

I ran DDS.scr. I closed many DLL windows when the script was run. I hope these were executed by the script itself. Anyway, after closing all windows and waiting 10 minutes, a log file does not pop up even though the cmd window is still open (running the script). On subsequent attempts to run the script, the cmd window just closes when I am done closing the DLL windows. Unfortunately, renaming the script did not help in this case.

RootRepeal closed during the scan, so I did not get a log file. On subsequent attempts, nothing happens when I execute RootRepeal. I tried to rename it and had the same results.

**I did see several "invisible to Windows" entries for UAC* right before the RootRepeal window closed.

Thank you for your time!

#4 Maurice Naggar
    Eradicator de malware
  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 30 August 2009 - 10:36 AM

What is the Windows version/edition? What antivirus program is installed?
See if you can get to "Safe mode with Networking" and there, do & run the required reports, per my earlier note.

Reboot the system, and start tapping and re-tapping the F8 function key. At Advanced Boot Options, select Safe Mode with Networking.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#5 Mike79
  • Topic Starter
  • Members
  • 5 posts

Posted 30 August 2009 - 12:05 PM

I am using Windows XP Pro (with SP3).
I just tried in safe mode and had the same results (both apps terminate while running even though I renamed them).

#6 Mike79
  • Topic Starter
  • Members
  • 5 posts

Posted 30 August 2009 - 12:38 PM

I have Trend Micro, Malwarebytes, Spybot, Ad-aware, and AVG Anti-Rootkit installed. I originally had Trend only installed. When I encountered this issue, I installed everything else hoping to resolve it.

Your antivirus question got me thinking about what is running when I run these two tools...
I am able to get RootRepeal to run in safe mode without quitting if I do the following: msconfig, selective startup, with no processes and only some critical Microsoft services. I will try DDS after RootRepeal is done and then post logs as you suggested.
However, I am wondering if the logs will not give you all of the info you need when I disable services and processes...

The only services that are running:

DCOM Server Process Launcher
Event Log
Logical Disk Manager
Logical Disk Manager Administrative Service
Plug and Play
Remote Procedure Call (RPC) Locator
Remote Procedure Call (RPC)
Windows Audio
Windows Management Instrumentation
Windows Management Instrumentation Driver Extensions.

#7 Maurice Naggar
    Eradicator de malware
  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 30 August 2009 - 03:44 PM

Comments:
If this already had Trend Micro AV, then adding on AVG is not advised. Having 2 active AV apps will lead to deadly-embrace-type conflicts.
If this is a business PC (as I believe you indicated), a pave/wipe and clean install of Windows is the usual way to go. It is the fastest method of getting the PC back in operation.

Wish you well.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
