Application cannot be executed. The file *.* is infected.
61 replies to this topic

#1 Kopf


Posted 27 May 2010 - 12:26 PM

I tried to follow the prep guide, but both dds.scr and gmer.exe are being blocked by this malware.
Please assist!

#2 m0le (Malware Response Team)

Posted 28 May 2010 - 07:46 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please run the following programs

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.


Then Combofix


Please download ComboFix from one of these locations.

IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#3 Kopf (Topic Starter)

Posted 29 May 2010 - 05:11 AM

Thank you very much for the assist! I realize that it's still important to check to make sure all Malware is gone, so I'm still here for further instructions.

RKill

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Michael Schwartz on 05/29/2010 at 6:02:23.


Processes terminated by Rkill or while it was running:


C:\Users\Michael Schwartz\AppData\Local\yebhyqcrc\gcanugutssd.exe


Rkill completed on 05/29/2010 at 6:02:27.


comfix

I'm using Vista, so I got:
"Incompatible OS. ComboFix only works for workstations with Windows 2000 and XP"
and several language variations thereof.


#4 m0le (Malware Response Team)

Posted 29 May 2010 - 06:22 AM

Vista is compatible with Combofix so malware has messed with the running of the tool.

We need to go in a different way.

In order to resolve your problem we will need to download a program called OTLPE. This program is quite large, at 292MB, so it will take a while to download. In order to get this program set up properly, please print out these instructions so you can follow them when you are at the computer we will be working on.

First

Please download ISOBurner; this will allow you to burn the OTLPE ISO to a CD and make it bootable. Just install the program; from there on in it is fairly automatic. Instructions

Second
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
  • When downloaded, double-click it and this will open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.

    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Use Safelist
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

m0le is a proud member of UNITE

#5 Kopf (Topic Starter)

Posted 29 May 2010 - 07:02 AM

Downloading the OTLPE iso now.

Also, I checked the folder C:\...\yebhyqcrc and the file gcanugutssd.exe is still there. Did RKill do anything? When that computer was attacked, I unplugged it from the internet, and am currently using an older laptop for internet. So either it was reinstalled from something still on the computer, or Rkill didn't do anything, because it couldn't have redownloaded itself.
Never mind, misread the log. Only terminated the process, not the file.

However,
There are also two rundll32.exe processes active. One under SYSTEM and one under my user name.


Edited by Kopf, 29 May 2010 - 07:05 AM.


#6 Kopf (Topic Starter)

Posted 29 May 2010 - 08:44 PM

So the OTLPE.iso download is not working - it stops around 66%, and there's nothing wrong with my internet. I've attempted the download a few times today and it stops at the same spot each time...

#7 m0le (Malware Response Team)

Posted 30 May 2010 - 04:27 AM

The malware may be blocking the download. Can you download this on a clean computer?
m0le is a proud member of UNITE

#8 Kopf (Topic Starter)

Posted 30 May 2010 - 08:20 AM

My attempts have been from a clean computer, and it stopped at ~66% again just now. Maybe I can substitute with combofix or gmer? The initial rogue malware that was preventing me from opening any executables has been silenced with rkill...

#9 m0le (Malware Response Team)

Posted 30 May 2010 - 11:21 AM

Okay, attempt to download Combofix and run it. I did think you'd said that you couldn't run it before though...
m0le is a proud member of UNITE

#10 Kopf (Topic Starter)

Posted 30 May 2010 - 02:12 PM

Oops sorry, you're right, I completely forgot I tried it already and about that "incompatible message." And yeah the OTLPE.iso downloading is still stuck. I tried looking online for other otlpe download sites but all references are pointing to the geekstogo link...

#11 m0le (Malware Response Team)

Posted 30 May 2010 - 02:37 PM

Try this one.
m0le is a proud member of UNITE

#12 Kopf (Topic Starter)

Posted 31 May 2010 - 09:41 PM

That link doesn't work either. I've tried both links several times on both laptops, and even had my roommate try the links on his. We both get to 182 MB / 65% and it stops downloading. If you already have the iso, could you upload it to a rapidshare/megaupload?

#13 m0le (Malware Response Team)

Posted 02 June 2010 - 08:33 AM

Hi kopf,

New instructions for OTLPE just out.

Please do this:
  • Download OTLPE Network from either location and save it to your desktop:

    http://oldtimer.geekstogo.com/OTLPENet.exe
    http://ottools.noahdfear.net/OTLPENet.exe

  • Double click the OTLPENet icon on your desktop
  • "Do you want to burn the CD?" choose Yes
  • ImgBurn will automatically extract and load the OTLPENet ISO to be burned to CD
  • Place a blank CD in your CD-Rom
  • Click to start the burn process
  • You will see a dialog "Operation successfully completed"
  • Boot the non-working computer using the boot CD you just created
  • In order to do so, the computer must be set to boot from the CD first

    Note : For information click here

  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start
  • Copy and Paste the following code into the textbox. Do not include the word "Code"

    Please note: Double click the Firefox Icon on the desktop to connect to this thread if you have a Wired connection otherwise you can use a flash drive and copy this script into a txt file from a clean computer to transfer to this computer.

    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  • Push
  • When finished, the file will be saved in drive C:\OTL.txt
  • Please post the contents of the C:\OTL.txt file in your next reply.
  • Copy this file to your USB drive if you do not have an internet connection.

m0le is a proud member of UNITE
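The /md5start ... /md5stop block in the script above tells OTL to compute MD5 hashes of the listed system files, so that a patched driver or DLL (a common rootkit technique at the time) shows up as a hash that no longer matches a known-good copy. The following Python is an added illustration of that check, not OTL's code or anything posted in this thread: it parses the hash list out of a short excerpt of the script, then compares each file in a throwaway directory (a constructed stand-in for system32) against a constructed baseline; the altered atapi.sys and the missing netlogon.dll are sample conditions set up by the code itself.

```python
import hashlib
import os
import tempfile
# Excerpt of the OTL script posted above; only the /md5start block is used here.
OTL_SCRIPT = """/md5start
userinit.exe
netlogon.dll
atapi.sys
/md5stop
CREATERESTOREPOINT
"""

def parse_md5_targets(script):
    """Collect the file names listed between /md5start and /md5stop."""
    targets, inside = [], False
    for line in script.splitlines():
        line = line.strip()
        if line.lower() == "/md5start":
            inside = True
        elif line.lower() == "/md5stop":
            inside = False
        elif inside and line:
            targets.append(line)
    return targets

def check_baseline(root, targets, baseline):
    """Per-file status: 'ok' (hash matches), 'MODIFIED' (differs) or 'missing'."""
    status = {}
    for name in targets:
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            status[name] = "missing"
            continue
        with open(path, "rb") as f:
            digest = hashlib.md5(f.read()).hexdigest()
        status[name] = "ok" if digest == baseline.get(name) else "MODIFIED"
    return status

def demo():
    targets = parse_md5_targets(OTL_SCRIPT)
    root, baseline = tempfile.mkdtemp(), {}  # constructed stand-in for system32
    for name in targets:
        data = b"clean-" + name.encode()  # constructed 'known good' contents
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
        baseline[name] = hashlib.md5(data).hexdigest()
    with open(os.path.join(root, "atapi.sys"), "ab") as f:  # simulate a patched driver
        f.write(b"\x90")
    os.remove(os.path.join(root, "netlogon.dll"))  # simulate a deleted/missing file
    return check_baseline(root, targets, baseline)
```

In real use the baseline would come from hashes of the same files taken from clean installation media of the same Windows version and service pack, not from the suspect machine.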

#14 Kopf (Topic Starter)

Posted 02 June 2010 - 12:24 PM

Got the reatogo-x-pe desktop.
So now when I double-click the OTLPE icon on the desktop, a "Browse for Folder" window pops up. What am I looking for?

#15 m0le (Malware Response Team)

Posted 02 June 2010 - 02:33 PM

Browse for the WINDOWS folder and select it. That should set it to run.
m0le is a proud member of UNITE
