Nasty, nasty kokemabo.dll infection


84 replies to this topic

#1 im4kingdom

Posted 30 September 2011 - 10:55 PM

Hello,

A box keeps coming up and if you hit any key it goes to another box and has kept moving through our .exe files. It all relates to a kokemabo.dll file. We cannot even get into a blue screen on safe mode now. Just the box keeps coming up before anything else. I have to unplug the computer to turn it off. Our CD-ROM has gradually stopped working and I wonder if it might be related. I thought this problem was quarantined in the past. I used the Trend Micro Rescue Disk on USB to boot into the system from USB and when it scanned it said there were no infections. Yet, when it boots up after the scan the infection is still there. I know some things about a computer but not enough. If you could help it would be greatly appreciated! Thank you in advance for your consideration.

Sincerely,
im4kingdom


#2 HelpBot

Posted 05 October 2011 - 11:00 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/421347 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 im4kingdom

Posted 05 October 2011 - 11:52 PM

To my first post (to perhaps further clarify the problem and actions taken) I will add that the problem started about two years ago when doing research on the internet. I clicked on a site that downloaded a serious virus that took over our antivirus - which at the time was AVGfree. So a computer friend of ours took it and tried to fix it. He used the (at the time) new antivirus from Microsoft that I can't remember the name of. It helped. After we got the computer back I reinstalled AVG and it picked up the rest (or so I thought) and quarantined it. Fast forward, we had AVG on it again. Suddenly, and we don't know how this happened, we just rebooted and here the problem was (as I recall). A box appeared that looked genuine that I had to exit out of. Well, ever since the other virus (I had to quarantine the kokemabo.dll) a box always popped up when the Windows screen booted up (Windows XP Pro, 32 bit, service pack 3, I think) that said it couldn't find kokemabo.dll and so I just exited out of the box. Thus, I thought this was the same box. Turns out it wasn't and any key you hit on the keyboard just caused it to go into another file, but each file ended with .exe which is why I believe it has infected our operating system. The only way to turn off the computer is to literally pull the plug. That and the fact that no windows show up anymore - even in safe mode - just a black screen with the words SAFE MODE in the usual places and that stinkin' box (virus). I cannot seem to get it to pull up anything anymore. We have another friend who is the IT manager at a huge law firm and she wants us to replace the CD drive, I believe because we need to reinstall the Operating System so she can run MalwareBytes. I'm nervous about that as I read of others who lost the use of their CD drive when infected with the kokemabo.dll virus and we have lost ours during this too. So, I am afraid that purchasing a new one will be for naught.
I recently discovered that Trend Micro has a Rescue Disk that has its own operating system that you can get the computer to boot up from a USB drive first. I tried that and it came up clean!!! It didn't even catch the virus at all!!! (Oh, by the way, when the AVG was running scans in the past there were always some files that it said were locked and it never checked into. Just in case that matters. Perhaps that is why the program isn't catching this one.) At any rate, is there something else we can try? Because of the circumstances I don't know of any way to run the DDS or Gmer scans on it. Thank you in advance for your consideration of our horrible problem. I don't mind waiting. We have no other choice at this point, although I keep looking for one. : )

#4 m0le

Posted 09 October 2011 - 08:08 AM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

I can't promise anything at this stage as the infection seems to be advanced.

We can try and boot the system using a Linux system which bypasses Windows. This can give us some options.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Download http://noahdfear.net/downloads/rst.sh to the USB drive
  • Insert the USB drive and CD in the Sick computer and boot the computer from the CD
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see rst.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished a report will be located at sdb1 named enum.log
  • Plug that USB back into the clean computer and open it
Please note: If you have an ethernet connection you can access the internet by way of xPUD (Firefox). You can perform all these steps on your sick computer. When you download the download will reside in the Download folder. It can be found under the File tab also. You can similarly access our thread by way of this OS too so you can send the logs that way.

Please also note - all text entries are case sensitive

Copy and paste the enum.log for my review
m0le is a proud member of UNITE

#5 im4kingdom

Posted 09 October 2011 - 09:37 AM

Thank you so much for a reply, m0le. The only problem is that, as I mentioned earlier, the CD has slowly become inoperable. It tries to open but won't and now won't even play the disc that is still in it. I believe that this is due to the virus as another person mentioned that the same thing happened to their computer. Can we do this strictly with a USB drive? I know that the computer will boot from the USB drive. Thank you again for your time and attention.

#6 m0le

Posted 09 October 2011 - 04:50 PM

It can be done. It often fails. I'm sorry I didn't realise the CD drive was so damaged.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net/downloads/rst.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see rst.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished a report will be located at sdb1 named enum.log
  • Plug that USB back into the clean computer and open it

Please note: If you have an ethernet connection you can access the internet by way of xPUD (Firefox). You can perform all these steps on your sick computer. When you download the download will reside in the Download folder. It can be found under the File tab also. You can similarly access our thread by way of this OS too so you can send the logs that way.

Please also note - all text entries are case sensitive

Copy and paste the enum.log for my review
m0le is a proud member of UNITE

#7 im4kingdom

Posted 10 October 2011 - 07:37 PM

I will try this if not tonight then tomorrow. Thank you sooooooooooo Much!!!!

#8 im4kingdom

Posted 10 October 2011 - 09:55 PM

I was able to follow the instructions up until I had to open the sdb1. It just wasn't there. Only files that say sda1, sda2, sda3 were there when I expanded the mnt. Fortunately, because you had given me instructions that I could use from the ethernet connection I was able to download the rst.sh and still get the log. I hope that it is attached... Please let me know if I need to do something else.

Attached file: enum.log (6.68 KB)

Thank you so very, very, very much!

Im4kingdom

#9 m0le

Posted 11 October 2011 - 07:45 PM

Nice work. We have a lifeline.

Let's see if there is an available registry backup we can use to help get your computer booting properly
  • Boot the Sick computer with the USB drive again
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh -r then press Enter
  • Type 1951
  • Press Enter
  • After it has finished a report will be located at sdb1 named restore.log
  • Please try to boot into normal Windows now and indicate if you were successful

Please note - all text entries are case sensitive

Copy and paste the restore.log from your USB drive for my review
m0le is a proud member of UNITE
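An added example, not noahdfear's rst.sh (whose internals this thread does not show), of what the enumerate step in post #6 and the restore step above do on a Windows XP volume: list the System Restore points under System Volume Information and copy a chosen point's registry hive snapshots over the live hives in WINDOWS\system32\config, keeping a backup of each live hive. It assumes the XP on-disk layout named in the comments and runs against a constructed directory tree rather than a real mount.

```shell
#!/bin/sh
# Added example, not noahdfear's rst.sh. Enumerate Windows XP System Restore
# points on a mounted volume and restore one point's registry hives.
# Assumed XP layout (MOUNT is the root of the Windows volume):
#   MOUNT/System Volume Information/_restore{GUID}/RP<n>/snapshot/_REGISTRY_MACHINE_<HIVE>
#   MOUNT/WINDOWS/system32/config/<hive>   (the live hives Windows boots from)

# Print "<RP number> <number of machine hive snapshots>" per restore point, oldest first.
enum_restore_points() {
  root=$1
  for rp in "$root"/System\ Volume\ Information/_restore*/RP*; do
    [ -d "$rp/snapshot" ] || continue
    n=${rp##*/RP}
    count=$(find "$rp/snapshot" -maxdepth 1 -name '_REGISTRY_MACHINE_*' | wc -l | tr -d ' ')
    echo "$n $count"
  done | sort -n
}

# Replace the live SYSTEM/SOFTWARE/SAM/SECURITY hives with the snapshots from RP<$2>,
# keeping a .bak copy of each live hive. Prints how many hives were replaced;
# returns 1 if the restore point or the config directory does not exist.
restore_point() {
  root=$1; num=$2
  cfg="$root/WINDOWS/system32/config"
  snap=
  for d in "$root"/System\ Volume\ Information/_restore*/RP"$num"/snapshot; do
    if [ -d "$d" ]; then snap=$d; break; fi
  done
  if [ -z "$snap" ] || [ ! -d "$cfg" ]; then return 1; fi
  restored=0
  for hive in SYSTEM SOFTWARE SAM SECURITY; do
    src="$snap/_REGISTRY_MACHINE_$hive"
    [ -f "$src" ] || continue
    # Live hive names differ in case from the snapshot names (system, software,
    # SAM, SECURITY), so look the target up case-insensitively.
    dst=$(find "$cfg" -maxdepth 1 -iname "$hive" | head -n 1)
    [ -n "$dst" ] || dst="$cfg/$hive"
    if [ -f "$dst" ]; then cp -p "$dst" "$dst.bak"; fi
    cp -p "$src" "$dst"
    restored=$((restored + 1))
  done
  echo "$restored"
}

# Constructed fixture: a fake XP volume with three restore points (numbered like
# the ones in this thread) and two damaged live hives. Prints the mount root.
make_fixture() {
  root=$(mktemp -d)
  svi="$root/System Volume Information/_restore{CONSTRUCTED-GUID}"
  mkdir -p "$root/WINDOWS/system32/config"
  for n in 1936 1940 1951; do
    mkdir -p "$svi/RP$n/snapshot"
    for hive in SYSTEM SOFTWARE; do
      printf 'hive %s from RP%s\n' "$hive" "$n" > "$svi/RP$n/snapshot/_REGISTRY_MACHINE_$hive"
    done
  done
  printf 'damaged live system hive\n' > "$root/WINDOWS/system32/config/system"
  printf 'damaged live software hive\n' > "$root/WINDOWS/system32/config/software"
  echo "$root"
}
```

Run `enum_restore_points /mnt/sda1` first and pick the newest point that predates the problem, as the thread does with 1951, 1940 and 1936 in turn.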

#10 im4kingdom

Posted 11 October 2011 - 09:32 PM

Thank you again!

When I expanded the mnt, the sdb1 wasn't there so I went online from the sick computer again (through the new OS) and downloaded the rst.sh again. So, before I try to boot up to windows I am adding the restore.log now and will add another reply after I check to see if windows boots.

Attached file: restore.log (133 bytes)

#11 im4kingdom

Posted 11 October 2011 - 09:43 PM

Well the bad news is that it still has the same problem. A completely black screen (when booting to normal windows) with a box in it. But, now I can tell you exactly what the box says before I unplug the computer.

In the box, the upper blue line says "services.exe - Bad Image", Then in the grey part of the box it has a red circle with an "x" in it. The wording in the grey box says, "The application or DLL c:\windows\system32\kokemabo.dll is not a valid Windows image. Please check this against your installation diskette." Then a button that says "OK" and in the far right of the blue bar button with an "x" on it.

It looks legit until you press a button or any key on the keyboard and it goes to another box that affects another part of the .exe files.

Hope this helps...


P.S. This reply was typed from the good computer. The reply above was typed from the sick computer through the USB's OS.

Edited by im4kingdom, 11 October 2011 - 09:45 PM.


#12 m0le

Posted 12 October 2011 - 04:02 PM

Let's try again with an earlier restore point

Let's see if there is an available registry backup we can use to help get your computer booting properly
  • Boot the Sick computer with the USB drive again
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh -r then press Enter
  • Type 1940
  • Press Enter
  • After it has finished a report will be located at sdb1 named restore.log
  • Please try to boot into normal Windows now and indicate if you were successful

Please note - all text entries are case sensitive

Copy and paste the restore.log from your USB drive for my review
m0le is a proud member of UNITE

#13 im4kingdom

Posted 12 October 2011 - 06:43 PM

Thank you for your help!

Following are the logs that were generated. (It generated an enum log for some reason so I had to do it again.)

Attached file: enum.log (6.68 KB)


Attached file: restore.log (133 bytes)

Next I will try to boot from Windows.

#14 im4kingdom

Posted 12 October 2011 - 06:58 PM

When loading Windows a blue screen appeared that had the Windows XP insignia in the upper right corner. In the lighter blue screen underneath that it said:

"Checking file system on C:
The type of the file system is NTFS.
The volume is dirty.

CHKDSK is verifying files (stage 1 of 3)...
file verification completed.
CHKDSK is verifying indexes (stage 2 of 3)...
Deleting index entry avgcchff.dat in index $I30 of file 149055.
Deleting index entry avgcchmf.dat in index $I30 of file 149055."

There was a lot more but it loaded so quickly that I lost it from there because it started rebooting again.

Then, guess what? Oh yes it did. It loaded up the same black screen and box as it did before.

So close.

Please direct me as to the next move.

Thank you so much for your extreme patience!!

Sincerely,
im4kingdom



P.S. Query: Will we be able to get our files back? Would it help to download malwarebytes or some other serious virus remover and run it from xpud?

#15 m0le

Posted 13 October 2011 - 07:57 PM

Will we be able to get our files back?


We can do that from xPUD

Would it help to download malwarebytes or some other serious virus remover and run it from xpud?


MBAM won't run on Linux. Almost nothing will, so if we can't find the problem we are stuck.


We will try one more time to restore to an earlier time before we try something different.

Let's see if there is an available registry backup we can use to help get your computer booting properly
  • Boot the Sick computer with the USB drive again
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh -r then press Enter
  • Type 1936
  • Press Enter
  • After it has finished a report will be located at sdb1 named restore.log
  • Please try to boot into normal Windows now and indicate if you were successful

Please note - all text entries are case sensitive

Copy and paste the restore.log from your USB drive for my review
m0le is a proud member of UNITE
