
IerMeramkel Antibibus


8 replies to this topic

#1 John H Nolen


Posted 06 February 2014 - 04:49 PM

I am trying to help a friend with a Win Vista laptop infected with IerMeramkel Antibibus. I found where it is on her computer and deleted it. I have run scans with Spy Bot, Malware Bites and Sophos. When the computer was started the next day, IerMeramkel Antibibus had returned with an exe file, roupybl.exe. I cannot find much about this malware on the internet. Has anyone had a problem like this? If you did, how did you fix it?

Edit: Moved topic from Windows XP to the more appropriate forum.~ Animal



#2 noknojon


Posted 06 February 2014 - 07:55 PM

Hello -

ESET notes it as a version of a variant of Win32/Kryptik.BUHQ.

 

I'd like you to scan your machine with ESET OnlineScan
1. Hold down Control and click HERE to open ESET OnlineScan in a new window.

Check "YES, I accept the Terms of Use." and read How to Temporarily Disable your Firewall
2. Click the ESET Online Scanner button.

3. NOTE: For alternate browsers only (Microsoft Internet Explorer users can skip these steps):

3 - 1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
5 - 2. Double click on the ESET Online Scanner icon on your desktop.

4. Check "YES, I accept the Terms of Use."
5. Click the Start button.
6. Accept any security warnings from your browser.
7. Under scan settings, check "Scan Archives" and "Remove found threats"
8. Click Advanced settings and select the following:

* Scan potentially unwanted applications
* Scan for potentially unsafe applications
* Enable Anti-Stealth technology

9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this will take some time to download the program for a first time, and then download the updated database (3 hours is not unusual).
10. When the scan completes, click List Threats
11. Click Export, and save the file to your desktop using a unique name, such as ESETScan.
- Include the contents of this report in your next reply.
12. Click the Back button.
13. Click the Finish button

NOTE: Sometimes if ESET finds no infections it will not create a log.
* If you lose the log it can be found at C:\Program Files\ESET\EsetOnlineScanner\log.txt
* If no infections are found then just tell me -

 

Now -

Please download and run RKill by Grinler.
A black DOS box will briefly flash and then disappear.
This is normal and indicates the tool ran successfully.

 

Important: Do not reboot your computer until you complete the next step.

 

This is to clean up:

Please download AdwCleaner by Xplode and save to your Desktop.
NOTE: Please close or save all work, as the computer will be rebooted.
Double-click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
Click on the Scan button. (only once)
AdwCleaner will begin...be patient as the scan may take some time to complete.
After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
If you see any which you do not want removed, remove the check mark next to it.
Next: Click on the Clean button (only once) to remove the selected items.
You will receive a message telling you that all programs will be closed so that the infections can be removed.
Click on OK, and then OK again to confirm the Auto reboot.
When the cleaning process is complete, a log (AdwCleaner[S0].txt) of what was removed will be on your desktop.
Please copy and then paste this log in your next post.

A copy of all logfiles is also saved in the C:\AdwCleaner folder which was created when running the tool.



#3 John H Nolen


Posted 07 February 2014 - 11:45 AM

This computer belongs to a travel agent. The only way we can get it to work is to shut it down and start it in safe mode. Can I use the steps you have listed in safe mode?



#4 noknojon


Posted 07 February 2014 - 03:37 PM

Hi -

First - This will run in Safe or Normal Modes.

 

Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

* Double-click on the Rkill desktop icon to run the tool.
* If using Vista or Windows 7 right-click on it and choose Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
* If the tool does not run from any of the links provided, please let me know.

NOTE - If normal mode still doesn't work, you can run the tool from safe mode.

When the scan is done Notepad will open with RKill log.
Post it in your next reply.
NOTE. RKill.txt log will also be present on your desktop.

 

 

We hope this will halt the infection long enough for a Normal Mode scan with RKill.

So now reboot and try RKill again, and try the directions for ESET Online Scanner (in Normal Mode).



#5 John H Nolen


Posted 10 February 2014 - 06:08 AM

Thank you very much for the info. Because of the bad weather in Atlanta, I have been unable to go to my friend's house. When I get a chance, I will run the scans you have recommended.

 

JN



#6 John H Nolen


Posted 10 February 2014 - 04:43 PM

I have located the malware by looking in the startup section of (msconfig). It was in hidden files, App data/roaming. I have deleted all of the files twice. When I ran RKILL, it did not show the IerMeramkel Antibibus exe files. When I tried to download and install AdwCleaner, I had 4 programs installed that I did not recognize. I never saw AdwCleaner. I have uninstalled all of the programs that were installed. What did I do wrong? Her computer is up and running again.

 

JN
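
The thread describes files under AppData\Roaming that come back after deletion and are listed in msconfig's startup section. As an added example (not part of any poster's reply), this read-only PowerShell check lists entries in the standard Run/RunOnce keys and Startup folders whose command points into AppData or a Temp folder; it assumes PowerShell 2.0 or later is installed on the machine.

```powershell
# Added example: read-only audit of the standard autorun locations.
# Assumes PowerShell 2.0 or later; it deletes and changes nothing.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
$entries = @()

# Registry autoruns: one value per program; the value data is the command line.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item $key
    foreach ($name in $regKey.GetValueNames()) {
        $entries += New-Object PSObject -Property @{
            Location = $key; Name = $name; Command = [string]$regKey.GetValue($name)
        }
    }
}

# Startup folders: resolve .lnk shortcuts to the program they launch.
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($file in @(Get-ChildItem $dir -Force)) {
        if ($file.PSIsContainer -or $file.Name -eq 'desktop.ini') { continue }
        $target = $file.FullName
        if ($file.Extension -eq '.lnk') {
            $target = $shell.CreateShortcut($file.FullName).TargetPath
        }
        $entries += New-Object PSObject -Property @{
            Location = $dir; Name = $file.Name; Command = $target
        }
    }
}

# A match is a lead to review, not a verdict: some legitimate updaters
# also start from AppData.
$pattern = '\\AppData\\(Roaming|Local|LocalLow)\\|\\Temp\\'
$entries | Where-Object { $_.Command -match $pattern } |
    Format-List Location, Name, Command
```

Run it from the affected user's account, since the HKCU keys and the per-user Startup folder are specific to whoever is logged in.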



#7 noknojon


Posted 11 February 2014 - 04:01 AM

"Her computer is up and running again."

From this quote it seems you did nothing wrong.

RKill may not show the actual infection, but it may show other actions.

 

Are you able to Copy and Paste any logs yet?

 

Can you run this program so I can see any progress -

 

Download Security Check by Screen317 from HERE
* Save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: If any security program requests permission to access the Internet, allow it to do so.



#8 John H Nolen


Posted 11 February 2014 - 02:55 PM

We are having an ice storm in Atlanta and I am unable to go to my friend's house. When I do, I will try what you have recommended. Thank you.

 

JN



#9 noknojon


Posted 11 February 2014 - 04:18 PM

Hi -

Sorry for your weather, but we do not get those problems here.

 

The last few weeks here, it has been around 30°C to 40°C most days.

 

Just tell us when you can continue - -





