win32:malware-gen unable to run exe files

Hi all, this happened a few days ago and suddenly I am being greeted with popups from all over the place (I don’t know how I was infected, I only stream music on my laptop is all) from the likes of NexPlore and a host of others. I am now unable to run any exe files, as evidenced by trying to download and install Malwarebytes, and am having the exact same symptoms as the person in this thread here posted: http://forum.avast.com/index.php?topic=49940.0

Avast! did find win32:malware-gen and moved it to the chest, however the popups and problem with the exe files still persist. A complete system scan using Avast! showed nothing unusual at all.

This is really frustrating…

Thanks all!

Step 1: Windows Disk Cleanup Utility ============

1 Press Windows Key + R
2 Type in: cleanmgr
3 Put a check beside: Temporary Internet Files and Temporary Files. Optionally, you may check other options too
4 Click OK

Step 2: avast! Boot Time Scan ============

1 Double click avast! antivirus desktop icon and wait for memory test to complete
2 avast GUI will appear. Right click anywhere on avast!'s window and select Schedule Boot Time Scan…
3 Click Advanced options and select Move infected file to Chest on the first dropdown list and leave the other one as it was. Click Schedule
4 You will be asked for a system restart. Click Yes to do it now or No to let avast wait for you to manually restart your PC
NOTE: Optionally, you may enable scanning of archive files. If it is enabled, scanning would be more thorough but would take more time

Step 3: Malwarebytes Antimalware (MBAM) ============

1 Download Malwarebytes’ Antimalware here
2 Proceed to installing MBAM after downloading
3 On the last dialog box, do not forget to leave Update Malwarebytes’ Antimalware and Run Malwarebytes’ Antimalware checked
4 Malwarebytes’ Antimalware GUI would appear, from there select Perform Quick Scan and click Scan
5 When scan is completed, click Show Results
6 Click Remove Selected and then, a notepad file will appear.
7 On the notepad window, click File > Save As and save it on your desktop. You may now close MBAM.

Step 4: Root Repeal (RR) ============

1 Download RootRepeal here
2 Double click RootRepeal.exe to open RootRepeal GUI
3 Click on the Report tab at the bottom then click the Scan button
4 A dialog box will appear. Put a check beside:
[*]Drivers
[*]Processes
[*]SSDT
[*]Hidden Services

5 Click the OK button. A dialog box may appear, select all drives showing
6 Click OK to start the scan
7 A notepad text will appear. On the notepad window, click File>Save as… and save it on your desktop.
8 Go back here on your topic and start a reply. On the Reply window, click Additional Options
9 Attach the two .txt files that we created and saved on your desktop (click more attachments to have more slots for attaching files)

Ok did as stated above, ran in to a few problems.

I am unable to download and install Malwarebytes (tried again after Avast boot scan and same error as before) I am attaching a screen cap of the error message. http://img340.imageshack.us/img340/773/malwarebytesscreencap.jpg

On the scan using RootRepeal I got an error saying “Error: Invalid PE Image Found!”, whatever that means, after install (screen cap http://img189.imageshack.us/i/rootrepealscreencap.jpg/). I went ahead and was able to scan though, and have attached that text file from RootRepeal.

Avast scan had no issues at scanning it seemed.

Rootrepeal log is scrambled. Try renaming mbam.exe, e.g. to kkart.exe (the file is found at C:\program files\malwarebytes antimalware\mbam.exe), then double click on the renamed file.

It’s possible this file has been deleted by malware. Download it here and place it in the above location: http://www.malwarebytes.org/forums/index.php?showtopic=29028

Malwarebytes log attached.
It asked for a reboot and I did so. Upon reboot Windows is going crazy with all sorts of errors saying “c:\WINDOWS\system32\bigohima.dll is not a valid .dll file”

Windows XP Service Pack 3 has been available for over a year and provides many Critical Updates plus performance improvements.

You need to start Internet Explorer then go to Tools then Windows Update and download all of the available updates.

Also you should enable Automatic Updates or at least be notified that Updates are available.

Go to Control Panel then Automatic Updates then select Automatic (recommended) or at least Notify me but don’t automatically download or install them.

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

Automatic updates were set to download automatically; that being said, I didn’t go with SP3 when it was released.
When I click on Windows Updates I right away get a warning dialog that says:

“The application or DLL c:\WINDOWS\system32\bigohima.dll is not a valid Windows image. Please check this against your Windows installation diskette”

When I go to the Windows Update site it is unable to download or tell what updates are available, and suggests I change settings so it can. I have changed the settings twice now and still the same outcome. (Would having what I have have changed my Windows settings?) Screen cap here of what I am seeing at the Win Update site; I have followed as it said, but it is an endless circle of the same: http://img39.imageshack.us/img39/4628/windowsscreencapupdate.jpg

Secunia Online Software Inspector shows that Adobe Reader needs to be updated, I followed and downloaded the patch and it is unable to install.

You need to have the 3 services enabled:

Event Log Service:
http://www.theeldergeek.com/event_log.htm

Background Intelligent Transfer Service (BITS):
http://en.wikipedia.org/wiki/Background_Intelligent_Transfer_Service

How to configure and use Automatic Updates in Windows XP:
http://support.microsoft.com/kb/306525

Event Log: Enabled.
BITS: Enabled.

Automatic Updates:

When I click on Automatic Updates I am getting a dialog that says “wupdamgr.exe - Bad Image” and then “The application or DLL c:\WINDOWS\system32\bigohima.dll is not a valid Windows image. Please check this against your Windows installation diskette”

I don’t know what is going on here. I followed as you said and enabled it and was greeted by the same screen no less than 5x. I happened to pull up Windows Security Center and found that they were checked as “off” there, so I chose “On” inside Windows Security Center. Then I went ahead and did a Windows Update; it starts to scan, but then all of a sudden cuts over and tells me that I need to have Win Updates, BITS and Event Log enabled. Checking, all are, including Windows Update in Control Panel. However, I have found that inside Windows Security Center, it is not. And when I turn them back on, they are turned off automatically it seems. Does that make sense? (As if something is turning it off inside Security Center.)

It isn’t allowing me to install any updates at all.

Hi

Installing a Service Pack on a heavily infected machine may be asking for trouble.

Do this instead, we’ll see what lurks beneath the surface.

Download OTL to your desktop.

[*]Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]When the window appears, underneath Output at the top change it to Minimal Output
[*]Check the boxes beside LOP Check and Purity Check.
[*]Copy and paste the following bold text into the box under Custom Scan

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
/md5stop
CREATERESTOREPOINT

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

I am attaching the text files as it exceeds 3 posts for just one log file and there are 2.

Hi

Double click on OTL.exe
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
[*]Do Not copy the word CODE
[*]please note the fix starts with the :

:OTL
O4 - HKLM..\Run: [demeveyoy] C:\WINDOWS\System32\godisida.DLL ()
O20 - AppInit_DLLs: (c:\windows\system32\bigohima.dll) - C:\WINDOWS\system32\bigohima.dll ()
O20 - AppInit_DLLs: (c:\windows\system32\godisida.dll) - C:\WINDOWS\system32\godisida.dll ()
O21 - SSODL: kopowinos - {6429bb03-4934-4d1d-a1eb-080edc598413} - C:\WINDOWS\system32\bigohima.dll ()
O21 - SSODL: zulekehuh - {fd4bd20f-647b-427e-a6df-8ac99e0097a3} - C:\WINDOWS\system32\godisida.dll ()
O22 - SharedTaskScheduler: {6429bb03-4934-4d1d-a1eb-080edc598413} - jugezatag - C:\WINDOWS\system32\bigohima.dll ()
O22 - SharedTaskScheduler: {fd4bd20f-647b-427e-a6df-8ac99e0097a3} - kupuhivus - C:\WINDOWS\system32\godisida.dll ()
[2009/11/30 20:43:52 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\nihukote
[2009/11/30 20:00:00 | 00,000,296 | ---- | M] () -- C:\WINDOWS\tasks\gvcxgroq.job
[2009/08/31 17:24:54 | 00,061,952 | -HS- | C] () -- C:\WINDOWS\System32\kedohugu.dll
[2009/08/31 17:24:54 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\tizuluke.dll
[2009/08/29 20:14:51 | 00,052,736 | -HS- | C] () -- C:\WINDOWS\System32\wakemoza.dll
[2009/08/29 20:14:51 | 00,052,736 | -HS- | C] () -- C:\WINDOWS\System32\jofagowo.dll
[2009/08/29 20:14:51 | 00,052,736 | ---- | C] () -- C:\WINDOWS\System32\zizesabo.dll
[2009/08/29 20:14:17 | 00,093,696 | ---- | C] () -- C:\WINDOWS\System32\bigohima.dll
[2009/08/29 20:14:17 | 00,052,736 | -HS- | C] () -- C:\WINDOWS\System32\sovaroda.dll
:Services

:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
""=-
:Files
 
:Commands
[emptytemp]
[Reboot]

Then click the Run Fix button at the top

[*]Let the program run unhindered
[*]Please save the resulting log to be posted in your next reply.

Next,

Please read through these instructions to familiarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making IE the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with
[*]OTL fix log
[*]ComboFix log
How’s the computer?

Thanks
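The OTL fix above keys on a handful of line shapes: the O4/O20/O21/O22 hook lines, whose trailing parentheses carry the file's company name, and the bracketed file-listing lines with their attribute field. As an added example that is not part of this thread or of OTL itself, here is a small Python triage that parses those two formats and flags the traits the helper acted on: DLLs hooked through AppInit_DLLs, SSODL or SharedTaskScheduler, unsigned files in System32, and hidden+system attributes. The 8-letter-name rule is a heuristic assumed from this infection's file names, and the sample lines are constructed copies of the shapes above.

```python
import re
from collections import defaultdict

# Constructed sample lines, copied in shape from the OTL fix script in this thread.
SAMPLE = r"""
O4 - HKLM..\Run: [demeveyoy] C:\WINDOWS\System32\godisida.DLL ()
O20 - AppInit_DLLs: (c:\windows\system32\bigohima.dll) - C:\WINDOWS\system32\bigohima.dll ()
O21 - SSODL: kopowinos - {6429bb03-4934-4d1d-a1eb-080edc598413} - C:\WINDOWS\system32\bigohima.dll ()
O22 - SharedTaskScheduler: {6429bb03-4934-4d1d-a1eb-080edc598413} - jugezatag - C:\WINDOWS\system32\bigohima.dll ()
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\Dj6MNtMp0.exe (Malwarebytes Corporation)
[2009/08/31 17:24:54 | 00,061,952 | -HS- | C] () -- C:\WINDOWS\System32\kedohugu.dll
[2009/08/29 20:14:17 | 00,093,696 | ---- | C] () -- C:\WINDOWS\System32\bigohima.dll
[2009/11/30 20:00:00 | 00,000,296 | ---- | M] () -- C:\WINDOWS\tasks\gvcxgroq.job
""".strip().splitlines()

# "Oxx - Category: ... <path> (company)": OTL prints "()" when the binary has no version info.
O_LINE = re.compile(r"^(O\d+) - ([^:]+): (.*) \(([^()]*)\)$")
# "[date time | size | attrs | M/C] (company) -- <path>"  (M = modified, C = created)
FILE_LINE = re.compile(r"^\[[\d/]+ [\d:]+ \| [\d,]+ \| ([-A-Z]{4}) \| [MC]\] \(([^()]*)\) -- (.+)$")
LAST_PATH = re.compile(r"[A-Za-z]:\\[^()]*?\s*$")   # drive-letter path at the end of the middle field

# Hooks the fix above removed; anything listed here is loaded into every GUI process.
AUTOLOAD = {"AppInit_DLLs", "SSODL", "SharedTaskScheduler"}
SYSTEM32 = "c:\\windows\\system32\\"

def reasons_for(path, company, category=None, attrs=""):
    """Checks mirroring what the helper keyed on in this thread."""
    stem = path.rsplit("\\", 1)[-1].split(".")[0]
    r = []
    if category in AUTOLOAD:
        r.append(f"loaded via {category}")
    if "H" in attrs and "S" in attrs:
        r.append("hidden+system attributes")
    if path.lower().startswith(SYSTEM32) and not company:
        r.append("no company name, lives in System32")
    if re.fullmatch(r"[a-z]{8}", stem):          # assumed heuristic: bigohima, godisida, ...
        r.append("random-looking 8-letter name")
    return r

def triage(lines):
    """Return [(path, reasons)] for every line that trips at least one check."""
    out = []
    for line in lines:
        if m := O_LINE.match(line):
            _, category, middle, company = m.groups()
            if p := LAST_PATH.search(middle):
                path = p.group(0).strip()
                r = reasons_for(path, company.strip(), category)
                if r:
                    out.append((path, r))
        elif m := FILE_LINE.match(line):
            attrs, company, path = m.groups()
            r = reasons_for(path.strip(), company.strip(), attrs=attrs)
            if r:
                out.append((path.strip(), r))
    return out

def by_file(findings):
    """Merge per file (case-insensitive) so a DLL hooked from several places stands out."""
    merged = defaultdict(set)
    for path, r in findings:
        merged[path.lower()].update(r)
    return dict(merged)
```

Running `by_file(triage(SAMPLE))` groups bigohima.dll's three hook lines and its file entry under one key, while the signed Malwarebytes entry trips nothing.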

Here is the log from OTL below, will post ComboFix as soon as it is done

========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\demeveyoy deleted successfully.
C:\WINDOWS\system32\godisida.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls:c:\windows\system32\bigohima.dll deleted successfully.
C:\WINDOWS\system32\bigohima.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls:c:\windows\system32\godisida.dll deleted successfully.
File C:\WINDOWS\system32\godisida.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kopowinos deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{6429bb03-4934-4d1d-a1eb-080edc598413}\ deleted successfully.
File C:\WINDOWS\system32\bigohima.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\zulekehuh not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{fd4bd20f-647b-427e-a6df-8ac99e0097a3}\ not found.
File C:\WINDOWS\system32\godisida.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{6429bb03-4934-4d1d-a1eb-080edc598413} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{6429bb03-4934-4d1d-a1eb-080edc598413}\ not found.
File C:\WINDOWS\system32\bigohima.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{fd4bd20f-647b-427e-a6df-8ac99e0097a3} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{fd4bd20f-647b-427e-a6df-8ac99e0097a3}\ not found.
File C:\WINDOWS\system32\godisida.dll not found.
C:\WINDOWS\system32\nihukote moved successfully.
File C:\WINDOWS\tasks\gvcxgroq.job not found.
File C:\WINDOWS\System32\kedohugu.dll not found.
C:\WINDOWS\system32\tizuluke.dll moved successfully.
C:\WINDOWS\system32\wakemoza.dll moved successfully.
C:\WINDOWS\system32\jofagowo.dll moved successfully.
C:\WINDOWS\system32\zizesabo.dll moved successfully.
File C:\WINDOWS\System32\bigohima.dll not found.
C:\WINDOWS\system32\sovaroda.dll moved successfully.
========== SERVICES/DRIVERS ==========

OTL by OldTimer - Version 3.1.11.4 log created on 12012009_062658

Combo Fix log attached
Thank you very much it seems to be running a lot better now. One thing I did notice is after the reboot that the exe from Malwarebytes kept trying to download for some odd reason. Log attached below.

Hi kkart,

Did you rename MBAM to Dj6MNtMp0.exe?

The MBAM behavior might be the one registry line related to MBAM. We can remove it and see if that problem ceases.

Next, Double click on OTL.exe
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
[*]Do Not copy the word CODE
[*]please note the fix starts with the :

:OTL
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\Dj6MNtMp0.exe (Malwarebytes Corporation)


Then click the Run Fix button at the top.

Next

You have some old Java installed, please go to Start > Control Panel > Add/Remove Programs and uninstall this version only

Java 2 Runtime Environment, SE v1.4.2_03

I see evidence of P2P programs, Azureus/Vuze, but I don’t see them installed. Have you uninstalled them?

We have a bit more to do but I would like to know the status of the P2P program and if you renamed MBAM to the name noted above.

Thanks

Here is the log from OTL:

========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Malwarebytes Anti-Malware (reboot) deleted successfully.
C:\Program Files\Malwarebytes’ Anti-Malware\Dj6MNtMp0.exe moved successfully.

OTL by OldTimer - Version 3.1.11.4 log created on 12022009_081053

Old Java removed from add/remove programs. Yes Vuze is installed as I use to watch Indy TV shows.

Oldman, because he had an error saying MBAM.exe was missing, I told him to download it from mbam and replace it. The file is given a random name, so I think that’s how it came to be renamed.

http://www.malwarebytes.org/forums/index.php?showtopic=29028

correct :)

Hi kkart,

Sorry for the delay. I wasn’t on the forum yesterday.

Thanks for the answers guys. As long as you are aware of the perils of P2P programs. It’s not the programs but what can be downloaded with them, usually from an unknown source.

We have a wee little oops.

Open Windows Explorer (right click your Start button and click Explore).

Navigate to this folder C:\_OTL\Moved Files\12022009_081053\Program Files\Malwarebytes’ Anti-Malware
[*]In the right hand panel, locate this file Dj6MNtMp0.exe
[*]Right click it and select copy
[*]Next, navigate to this folder C:\Program Files\Malwarebytes’ Anti-Malware
[*]Right click the folder and select paste

Open MBAM

[*]Click the Update tab
[*]Click Check for Updates
[*]If an update is found, it will download and install the latest version.
[*]The program will close to update and reopen.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next

Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don’t go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

Please go to Kaspersky website and perform an online antivirus scan.

[*]Read through the requirements and privacy statement and click on Accept button.
[*]It will start downloading and installing the scanner and virus definitions.
[*]You will be prompted to install an application from Kaspersky. Click Run.
[*]When the downloads have finished, click on Settings.
[*]Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button

[*]Spyware, Adware, Dialers, and other potentially dangerous programs
[*]Archives
[*]Mail databases

[*]Click on My Computer under Scan.
[*]Once the scan is complete, it will display the results. Click on View Scan Report.
[*]You will see a list of infected items there. Click on Save Report As
[*]Change the Files of type to Text file (.txt)
[*]Set the Save In to Desktop
[*]Click the Save button.
[*]Please post this log in your next reply.

Please post back with the MBAM log and the Kaspersky log.

Thanks

Malwarebytes log below, starting KAV scan now…

Malwarebytes’ Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

12/4/2009 9:43:18 AM
mbam-log-2009-12-04 (09-43-18).txt

Scan type: Quick Scan
Objects scanned: 109376
Time elapsed: 15 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\vasamuwi.dll (Trojan.Vundo.H) → Quarantined and deleted successfully.