
tftp.msc / beforegllav infection


3 replies to this topic

#1 Zeromus-X

  • Members
  • 32 posts

Posted 16 September 2009 - 11:51 AM

I'm a new poster here, but I'm a computer tech of 12 years and specialize in malware/spyware removal, and have made that my focus for about the past four years. I was doing some Google searching for a relatively new problem we're seeing and I wasn't coming up with much, until I saw someone helping a user here on the HijackThis forum. I wanted to mention we've seen this infection on three computers that have come in today alone:

The computers have all been running various versions of Windows Vista (one Basic, two Premium). None would boot into normal mode; they continually rebooted. In safe mode, Explorer wouldn't run. No desktop wallpaper. Running Combofix (renamed or not) would give the loading bar and nothing else. HijackThis would get about 80% through a scan and shut down. MBAM won't install, SAS can't install in safe mode. Unsure of what it was, I even ran a scanner for Virut, which rebooted the system.

From the command prompt there were a massive number of hidden .dll and .exe files in the System32 folder that shouldn't have been there, as well as a ton of .exe files in the Users/username/AppData/temp folder.

I made an image of the drive and started toying around. I managed to remove most of the .dll and .exe files in System32, but one of them (which had a random filename) wouldn't delete. I renamed it and rebooted, and deleted the now-renamed file. As soon as it was deleted, the computer rebooted automatically, but it was indeed gone. I then noticed this line in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell REG_SZ Explorer.exe rundll32.exe tftp.msc beforegllav

After removing everything after Explorer.exe, I was able to reboot (into safe mode still) and have Explorer open, but still couldn't run any other spyware-related software except for "rmvirut", which scans clean. Another quirk: after HijackThis automatically closes, the permissions are changed so that I cannot run it or delete it (there's no "as administrator" button, only "Try Again").

HJT's StartupList feature shows the following:

Enumerating ShellServiceObjectDelayLoad items:

webCheck: c:\windows\system32\webcheck.dll
wonibipov: c:\windows\system32\voladeti.dll
katatihuv: c:\windows\system32\bweihafe.dll

None of these files are present in the System32 folder, however. There's nothing else of particular interest in the StartupList file.

I yanked the drive from the system and hooked it up as a slave in another system, and ran MBAM on the drive. Came up with zero infections. There don't appear to be any hidden files that weren't visible from the actual system (due to a rootkit, etc.).

Has anyone had any luck with this or does anyone have any further suggestions beyond a reformat/reinstall or a parallel installation?

UPDATE: XP Protector 2008 folder in Users\username had a single .exe; this was deleted. Cleared out all temp folders and temporary internet file folders previous to all this.

UPDATE: Avira was suggested; this won't install. Installing to a flash drive and trying to run didn't help, either. Closes about halfway through install, and "Error executing program" when running off flash drive.

UPDATE: Booting to a Vista disc and dropping to a command prompt, there are several "ytas*" files. I deleted the five that were there, and rebooted into Safe mode. Still can't load ComboFix / HJT / etc.

UPDATE: CCleaner is about the only thing that will install. I installed it and ran a scan, and deleted any of the crap that came up. Ran a registry scan and it found lots of problems, but nothing of real significance whatsoever. Spybot and Malwarebytes both give the error "Internal error: failed to expand shell folder constant "userappdata"" and drop the installation. I did a Google search for this error, which doesn't return much, but one Microsoft rep did post about removing the Recent key in User Shell Folders (which did nothing for me), and another just said to scan with SREng, which did scan successfully. I'll attach the log from that as soon as I get home.

Edited by Zeromus-X, 16 September 2009 - 05:07 PM.
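The two persistence points the first post walks through (the Winlogon Shell value with commands appended after Explorer.exe, and ShellServiceObjectDelayLoad entries pointing at DLLs that are no longer on disk) can be audited from a clean boot or an attached drive image. This is an added example, not code from the thread; it reads the live registry of the machine it runs on and assumes the standard HKLM paths for Winlogon and SSODL.

```powershell
# Added example, not part of the original post. Audits the two autostart
# locations described in the thread on a Vista/7-era Windows install.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ssodl    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'

function Test-WinlogonShell {
    # A clean system has Shell = "explorer.exe" and nothing else. The post saw
    # "Explorer.exe rundll32.exe tftp.msc beforegllav": every extra token on this
    # line is launched by Winlogon at each logon, which is how the infection returned.
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if (-not $shell) {
        return [pscustomobject]@{ Value = $null; Suspicious = $true; Reason = 'Shell value missing' }
    }
    $ok = ($shell.Trim() -ieq 'explorer.exe')
    [pscustomobject]@{
        Value      = $shell
        Suspicious = -not $ok
        Reason     = if ($ok) { 'expected' } else { 'extra command(s) appended after explorer.exe' }
    }
}

function Get-OrphanedSsodl {
    # SSODL values are CLSIDs; the DLL each one loads is the InProcServer32
    # default value of that CLSID. HijackThis resolves this the same way when it
    # prints entries such as "wonibipov: c:\windows\system32\voladeti.dll".
    $key = Get-Item -Path $ssodl -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        if ([string]::IsNullOrEmpty($name)) { continue }   # skip the key's (default) value
        $clsid  = [string]$key.GetValue($name)
        $server = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32" -ErrorAction SilentlyContinue
        $dll    = if ($server) { [Environment]::ExpandEnvironmentVariables([string]$server.'(default)') } else { $null }
        $onDisk = [bool]($dll -and (Test-Path -LiteralPath $dll))
        # Report entries whose DLL is gone (deleted loader, broken CLSID) or
        # lives outside the Windows directory; both deserve a closer look.
        $inWindows = $dll -and ($dll -ilike "$env:windir\*")
        if (-not $onDisk -or -not $inWindows) {
            [pscustomobject]@{ Entry = $name; CLSID = $clsid; Dll = $dll; OnDisk = $onDisk }
        }
    }
}

Test-WinlogonShell | Format-List
Get-OrphanedSsodl | Format-Table -AutoSize
```

Reading HKLM does not require elevation, so the audit can run from a limited account or from a recovery environment after loading the offline SOFTWARE hive under a different root path.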



#2 Technoid

  • Members
  • 1 post

Posted 16 September 2009 - 01:16 PM

I don't know if it helps, but I had a similar infection with the same registry entry and I used Free Avira to clean it. I had to download it on another computer and transfer it via flash drive along with the updates. Don't give the infected computer internet access. It downloads and installs all sorts of stuff.

#3 Zeromus-X
  • Topic Starter

  • Members
  • 32 posts

Posted 16 September 2009 - 03:01 PM

Nah, no luck there either. I tried copying the archive to the infected computer and it looks like it installs but never does. I then installed it onto another system and attempted to copy the entire installed program over, but no-go on that one either.

Getting desperate, I even tried to run SDfix to see if I could get at least a scan off it, but it closes as soon as the blue command prompt screen appears.

Edited by Zeromus-X, 16 September 2009 - 03:19 PM.


#4 Zeromus-X
  • Topic Starter

  • Members
  • 32 posts

Posted 17 September 2009 - 11:00 AM

No more ideas before I just give up on this?
