
Ernel32.dll infection, ran Dr. Web twice but it stops halfway


This topic is locked
12 replies to this topic

#1 1pinkbutterfly

Posted 17 July 2010 - 10:53 AM

I started noticing that all my Google searches were taking me to totally different places two days ago. Before that it was just getting slower and slower. My boys play on Roblox a lot. They also, unbeknownst to me, like to search for video game cheats. Then when I tried opening MS Word or Excel it gave me a EULA agreement to use the program. These are licensed programs!

So I came here and read everything I could about what to do thinking I could fix this without bothering anybody. Ha! Yeah, I know, silly end user.

I read about Dr. Web's CureItAll program and saved that to my desktop. I restarted my laptop (Compaq Presario C700, 32 bit, Vista) in safe mode and then ran the Dr. Web program.

The first express scan and it found three Trojans, one of them was named ernel32.dll. Then when it was finished I unchecked the "Heuristic analysis" and did the complete scan. The first three hours it ran pretty quickly, I checked it about 8'ish last night. It wasn't done so I went to bed about 12. When I woke in the morning (3am) it was still running, sort of. I sat and watched it and it looked like it had totally stopped. I read that it would take a long time but really? Oh, the topic I was reading is topic 331775 if that helps at all.

I closed everything, restarted the computer, and redid the scan. Same thing, it would do the easy scan quickly and then get hung up on the complete scan.
So, then, I went and found rkill and tried running that. It would not open. I then tried downloading the program to my desktop. Nothing happened. But I tried and tried and after several tries got it to download.

I restarted my laptop in the safemode. I instantly ran all the versions of rkill. Each time the log didn't have any processes that it started. I started Dr. Web's program and the same thing happened. But this time it went quickly through the express scan and only found the ernel32.dll but not the other two. Then I did the complete scan and it only got halfway through and just hung there, for two hours! I redid the whole thing, restart then rkill then Dr. Web. Same thing happened, it gets stuck.

Any suggestions? I need this computer to plan lessons for my students and to write my books. I am stuck in the water and the summer is halfway through. Yes, that is panic you hear in my words. I can't afford to get this fixed at Best Buy or some place right now. Can anybody help me out? If it means anything my birthday is coming up soon. Thought I'd try the pity card. Thank you for any advice, suggestions, etc. you can provide.

Jackie

#2 boopme

Posted 17 July 2010 - 03:36 PM

Hi Jackie.. Let's see if we can get these logs.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop.
Before you save it rename it to say zztoy.exe


alternate download link 1
alternate download link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
Next run ATF and SAS: If you cannot access Safe Mode, run in normal, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

#3 dkaod7

Posted 17 July 2010 - 04:34 PM

Hi 1pinkbutterfly,

I had the exact same ernel32.dll trojan click hijacker problem today. To resolve I downloaded Combofix and ran it after booting in safe mode.

I needed to drag and drop the following (from a text file called CFScript.txt) onto the ComboFix.exe before running it.
Rootkit::
C:\WINDOWS\SYSTEM32\ERNEL32.DLL


Here's the link for the download:
http://www.bleepingcomputer.com/download/anti-virus/combofix


Here's the link on how to use it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Hope this helps.

Note: I tried, to no avail, to fix it with Malwarebytes, but somehow ernel32.dll kept coming back. In fact initially Malwarebytes (mbam.exe) was not being recognized when trying to run it. After renaming mbam.exe it ran and found the ernel32.exe, but somehow the trojan hijacker kept coming back after the reboot. Fortunately ComboFix did the job.

Let me know if this works.

Thanks, Dan

Edited by dkaod7, 17 July 2010 - 05:14 PM.


#4 1pinkbutterfly

Posted 17 July 2010 - 06:52 PM

Boopme, this thing is persnickety! I tried downloading Malware Bytes from the first link but the Yahoo page opened. Same thing happened when I tried to download from the second page. Now I did try downloading Malware Bytes to my desktop earlier, and renamed it zztoy.exe before hitting save. I did download it twice now and both times the program won't open. I even tried right clicking and running as the admin to no avail. I am smart enough to run rkill every time I reboot now though. I saved the results, too.

If I can't download/run Malware what else can I do? Thank you!

Edited by 1pinkbutterfly, 17 July 2010 - 06:58 PM.


#5 1pinkbutterfly

Posted 17 July 2010 - 07:08 PM

Oops, so sorry. Windows Defender was on. I didn't even know such a program exists. I will try downloading Malware again now.

#6 dkaod7

Posted 17 July 2010 - 07:12 PM

Jackie,

I would restart your PC in safe mode. To do this keep pressing F8 during boot, then select safe mode when the option is shown. Then try running Malwarebytes. Again, Malwarebytes did not get rid of ernel32.dll; still had the Trojan click hijacker even though Malware found it and said it supposedly removed it.

ComboFix worked after running it in safe mode. ComboFix was new to me and I'm glad it was smart enough to remove it. The quickest way to tell if the Trojan has been removed is to look in the Windows\system32 folder; if Ernel32.dll is still there, you still have the virus.

Hope this helps.
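The check Dan describes above, carried a step further as an added example (this is not code from the thread or from any tool it names): rather than looking only for Ernel32.dll, it compares every name in a System32 listing against a short list of genuine system DLL names and flags anything that differs by a single character, which is exactly how ernel32.dll imitates kernel32.dll. The directory path, the known-DLL list and the sample listing are assumptions made for the example.

```python
"""Look-alike DLL check for a Windows system directory listing (added example)."""
import os

# Assumed short list of genuine system DLL names to compare against.
KNOWN_DLLS = ("kernel32.dll", "user32.dll", "ntdll.dll", "advapi32.dll", "shell32.dll")


def edit_distance_one(a: str, b: str) -> bool:
    """True when a and b differ by exactly one dropped, added or swapped character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):      # a has an extra character: skip it
            i += 1
        elif len(b) > len(a):    # a is missing a character (ernel32 vs kernel32)
            j += 1
        else:                    # same length: one substituted character
            i += 1
            j += 1
    edits += (len(a) - i) + (len(b) - j)  # a trailing leftover is one more edit
    return edits == 1


def find_suspicious(filenames, known=KNOWN_DLLS):
    """Return (suspect, mimicked) pairs for names that nearly match a known DLL."""
    hits = []
    for name in filenames:
        lower = name.lower()
        if lower in known:       # the genuine file itself is not a hit
            continue
        for legit in known:
            if edit_distance_one(lower, legit):
                hits.append((name, legit))
    return hits


def scan_directory(path=r"C:\Windows\System32"):
    """Run the check over a real directory (path is an assumption)."""
    return find_suspicious(os.listdir(path))


# Constructed sample listing standing in for a System32 directory.
SAMPLE_LISTING = ["kernel32.dll", "ERNEL32.DLL", "user32.dll", "ntdll.dll", "msvcrt.dll"]

if __name__ == "__main__":
    for suspect, legit in find_suspicious(SAMPLE_LISTING):
        print(f"{suspect} closely resembles {legit}")
```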

#7 1pinkbutterfly

Posted 17 July 2010 - 07:14 PM

Well, even after turning off Windows Defender I still can't get Malware to turn on after downloading. It looks likes it open and then something stops it and shuts it down. I even downloaded the program without changing the name and that didn't work either.

Thank you!

#8 1pinkbutterfly

Posted 17 July 2010 - 07:16 PM

dkaod7, thank you for trying to help. Are you aware that all over this site it says not to run Combo fix unless a moderator tells you to? It shows that you are a new member and boopme is a moderator. Could you please clarify your position on this board?

#9 dkaod7

Posted 17 July 2010 - 07:55 PM

Jackie,

I just became a member, since I thought I could help someone with the same virus. Just trying to help. Was not aware that this msg board was stating not to run ComboFix.... yikes.

But for whatever reason, ComboFix appears to have gotten rid of Ernel32.dll.

Have you tried renaming mbam.exe (malwarebytes pgm) or tried rebooting in safe mode and then try running Malwarebytes?

Let me know how things are going. This is the worst virus I've ever seen.

Dan

Edited by dkaod7, 17 July 2010 - 07:56 PM.


#10 boopme

Posted 17 July 2010 - 08:28 PM

Hello, there is most likely a rootkit infection here. We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
We may very well run ComboFix, but it will be with supervision, as is forum policy.
Let me know if that went well.


@dkaod7
While, as mentioned by 1pinkbutterfly, we appreciate that you were trying to help and that you are new here, we do not allow the use of ComboFix unattended; note the blue text above this forum. While it may have worked for you, and we are pleased it did, it has the potential to completely shut down a PC.
Please read these topics for future reference.

Rootkit Removal, Please read before proceeding!

How do I get help? Who is helping me?, What advice can be given in this forum

Edited by boopme, 17 July 2010 - 08:34 PM.


#11 1pinkbutterfly

Posted 18 July 2010 - 01:19 PM

Boopme,

I finally was able to get Malwarebytes to run after downloading it to my husband's computer, along with updates, saving to a pen drive and then installing on my laptop. It found 9 Trojans and 5 viruses! We immediately rebooted.

Then I came back here to see what to do next.

I downloaded ATF Cleaner to my desktop. I tried several times to download SuperAntiSpyware. Each time it starts to download, opens another IE window that says it cannot display the webpage. Seems like I'm not completely free and clear of this thing. I will now go to the rootkit infection link you sent me and do steps 6 - 9. I will post here when I've finished posting the DDS log in the new topic to let you know I've completed that step.

Do you stick with me or do I get a new person? If I get a new person, thank you so much for your help getting me this far!

#12 1pinkbutterfly

Posted 18 July 2010 - 04:18 PM

Uploaded all three GMER files and created new post at 5:12pm EST. Thank you!

#13 Orange Blossom

Posted 18 July 2010 - 04:44 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/332724/ernel32-9-trojans-and-5-viruses/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom