I’m 80% sure my PC is infected with some virus or worm: the PC spontaneously comes out of stand-by (I’ve turned off all wake-on-X I could find, and it never did this in the past); when I run shutdown I’m now told rundll32.exe is not responding and I have to kill it; Process Explorer tells me rundll32.exe has a rundll target of weird DLLs like ctqicwjx.dll or yayWQIaa.dll; finally, I have LOTS of weirdly named files in system32:
Avast does not find any virus in the memory scan.
However, it has found several different viruses on my disk.
Win32:Trojan-gen {Other}
Win32:Obfuscated-FVB [trj]
I can’t seem to clean this infection.
Microsoft’s malware removal tool (windows-kb890830-v2.8.exe) seems to not want to run on my system.
I have Win2000 SP5.1 (an unofficial SP on top of SP4) which had worked flawlessly for years.
Scan taken on 01 Apr 2009 07:46:15 (GMT)
A-Squared: Found Trojan.Win32.Vundo!IK
AntiVir: Found TR/Crypt.XPACK.Gen
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found W32/Virtumonde.AR.gen!Eldorado
F-Secure Anti-Virus: Found nothing
Ikarus: Found Trojan.Win32.Vundo
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Quick Heal: Found nothing
Sophos Antivirus: Found Troj/Virtum-Gen
VirusBuster: Found Trojan.Vundo.Gen!Pac.31
VBA32: Found nothing
Avast devs: do you want me to send some sample files?
Yes the weird file names are very Vundo/Virtumonde like.
If you can, zip and password protect those files into one archive and send it to virus@avast.com, with the password in the email body, a link to this topic (it might help), and "false positive/undetected malware" in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
This will help avast detections - Once you have done that, try these two applications.
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
1. SUPERantispyware, On-Demand only in free version.
2. MalwareBytes Anti-Malware, On-Demand only in free version: http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe. Right click on the link and select Save As or Save File As (depending on your browser), and save it to a location where you can find it easily later.
You can actually install MBAM from safe mode (but not SAS, without registry changes), running from safe mode makes these more effective at cleaning up and the reason I wanted you to send the samples to avast first.
The virus drops several files (of different size) in system32 (and makes multiple copies of each file, with random names).
I renamed them VIRUSi and stripped their extension (.dll, .ini, .tmp)
By the way, I’ve tried many things to clean up my mess.
Avast, AVG, a-squared, Spybot, VundoFix.
None of them worked so far. The problem is that the virus attaches itself several times with several names to all the major OS processes (LSASS, explorer, rundll32, …) and when the antivirus tries to clean the mess, it just hoses Windows, and I’m back to square one.
I’ll try what David suggested this evening.
Does Avast scan the registry? Because AFAIU, this virus adds several entries to RunOnce (or such) to reinfect the system on start-up. Spybot did find some suspicious registry entries but could not remove the virus from memory.
- Disable any script blocking protection.
- Double click dds.scr to run the tool.
- When done, DDS.txt will open.
- Click Yes at the next prompt for Optional Scan.
- Save both reports to your desktop.
Please include the contents of the following in your next reply:
It looks like SUPERAntiSpyware was able to save the day.
As far as I can tell, all traces of Vundo are gone.
SAS left a few non-executable files (.ini, .ini2) in system32. I removed them manually.
I wouldn’t have removed anything as I would suggest you leave SAS installed and periodically run it (after updating signatures).
I would also suggest that you do as oldman suggests and run DDS; the fact that it is named as a screen saver seems to get it past some malware on the hunt for things like SAS and MBAM. It is a legit analysis tool. As the initials DDS state, it Doesn’t Do Squat: it is an analysis tool only, and the output requires manual analysis.
It’s a scan tool. It will produce a log far more detailed than HJT and similar to a combofix log. It will not remove anything. The .scr is to enable it to run almost undetected by malware. It’s not a screensaver. It’s perfectly safe.
“Local Security Authentication Server” generates the process responsible for authenticating users for the Winlogon service.
At System startup, the LSA will load the authentication package DLLs referenced in the following registry value:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
“Authentication Packages”
I don’t see any bad files in the log so if you are not experiencing any other problems, this can be cleared up with a reg fix.
First, back up your registry with ERUNT:
- Download ERUNT from Here and save it to your desktop.
- Double click erunt-setup.exe to install the program.
- Follow the prompts, and then uncheck Create NTREGOPT desktop icon at the Additional Tasks screen.
- Click No when you are prompted about creating an ERUNT entry in the startup folder.
- At the next screen, uncheck Show documentation and check Launch ERUNT.
- If ERUNT doesn’t start by itself, launch it from the desktop shortcut.
- At the configuration screen, make sure all 3 checkboxes are checked.
- Click Ok to run the backup process.
The program should notify you when it’s finished.
Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box into a Notepad file. Ensure there is no space above the REGEDIT4.
Then in Notepad go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
Then in the FILE NAME box type fix.reg.
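As an added example (not code from anyone in this thread), here is a small Python check for the LSA "Authentication Packages" value mentioned earlier in this reply: it flags any entry that is not a known package, since Vundo-style infections register their random-named system32 DLL there to get loaded at logon. On Windows it reads the live value with winreg; elsewhere it runs against a constructed sample. The allow-list containing only msv1_0 is an assumption for a stock Windows 2000/XP system.

```python
import re
import sys

# Assumption: on a stock Windows 2000/XP system this REG_MULTI_SZ value lists
# only the default package msv1_0. Anything else deserves a closer look.
KNOWN_AUTH_PACKAGES = {"msv1_0"}

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
LSA_VALUE = "Authentication Packages"


def suspicious_auth_packages(entries):
    """Return the entries of the value that are not in the allow-list.

    Comparison is case-insensitive and ignores any directory path and a
    trailing .dll, because LSA loads each entry as a DLL module name.
    """
    flagged = []
    for raw in entries:
        name = raw.strip()
        if not name:
            continue
        base = name.split("\\")[-1]
        base = re.sub(r"\.dll$", "", base, flags=re.IGNORECASE)
        if base.lower() not in KNOWN_AUTH_PACKAGES:
            flagged.append(name)
    return flagged


def read_live_value():
    """Read the value from the registry (Windows only)."""
    import winreg  # imported here so the module still loads on other platforms
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        value, kind = winreg.QueryValueEx(key, LSA_VALUE)
    if kind != winreg.REG_MULTI_SZ:
        raise ValueError("unexpected registry value type %d" % kind)
    return value


# Constructed sample: a hijacked value that adds one of the random-named
# DLLs from this thread next to the default package.
SAMPLE_HIJACKED = ["msv1_0", "C:\\WINNT\\system32\\yayWQIaa.dll"]

if __name__ == "__main__":
    entries = read_live_value() if sys.platform == "win32" else SAMPLE_HIJACKED
    bad = suspicious_auth_packages(entries)
    if bad:
        print("Unexpected LSA authentication packages:", ", ".join(bad))
    else:
        print("Only known authentication packages are registered.")
```

Back the key up with ERUNT as described above before changing anything the check flags.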
Would anything have to be done with the c:\winnt\system32\yayWQIaa folder and any contents found in it, as the folder name looks somewhat strange for a sub-folder of system32?
The reason I ask, is I have no sub-folder names so remotely obscure in the system32 folder.