win32 malware gen

Help! like many others I have fallen victim to this win32 malware gen. It has taken over my pc and although I have tried to rid myself of it, being just a novice I must declare defeat.
I subscribe to Avast 5 which seems to be working properly but unable to defeat this Malware. I am running a boot time scan at this moment which I expect as ever will only reveal the afore said Virus. I will direct it to the chest which works but it doesn’t go away. prior to this current scan I was being blocked from accessing all programmes and the virus was trying to open what I assume to be bogus security software.
I have followed previous forum strings and tried to adapt the advice to cure my own problems, but being a novice user I am wary of doing more damage when descriptions don’t exactly fit what I see on my own pc.
Current symptoms are: can’t access Microsoft Update; when connected to the net the pc opens random sites; when searching it will open alternate search engines without prompting; it will not let me access any programmes.
Driving me mad.
I hope someone can take time to help.

If a virus is replicant (coming and coming again), you could follow the general cleaning procedure:

  1. Clean your temporary files. You can use CleanUp, CCleaner or a deep one called Temp File Cleaner for that.

  2. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).
    If avast does not detect it, you can try DrWeb CureIT! instead.

  3. It will be good if you download, install, update and run MBAM (or SUPERantispyware or even SpywareTerminator).
    If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest), rather than simply deleting them.

  4. If you are still detecting any strange behavior, or you’re not sure you’re clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster for XP/Vista. For XP only: Panda.

  5. Also, if you are still detecting strange behaviors or you want to be sure you’re clean, maybe make a HijackThis log to post here or at this analysis site, or even submit the RunScanner log to on-line analysis.

  6. Browser hijacking and problems with antivirus update could be managed in some scenarios by cleaning the hosts file (in the C:\windows\system32\drivers\etc folder). The file does not have an extension, it’s simply hosts.
    The default file consists of a number of example lines preceded with #. The only required line is:
    127.0.0.1 localhost
    You can get a good replacement with HostsMan, which keeps it clean (avoids infections) and updated: http://www.abelhadigital.com

  7. After you’re clean, disable System Restore on Windows ME, XP or Vista. System Restore is not available in Windows 9x and 2k. After disabling you can enable it again.

  8. Use the immunization of SpywareBlaster.

  9. Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.
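Step 6 above describes the hosts file check by hand. The following is an added example (not from the original post) that audits a hosts file for the two hijack patterns that cause the symptoms in this thread (vendor update sites pinned to loopback, search sites pinned to a foreign address) and rebuilds it down to the one required line; the sample hosts content is constructed for illustration.

```python
"""Audit and reset a Windows hosts file (added example, not part of the forum post)."""
import ipaddress

# Constructed sample: the Microsoft header comments, the required localhost
# line, then two entries of the kind a hijacker adds (example domains only).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
# constructed hijack entries follow
127.0.0.1       update.example-antivirus.test
203.0.113.7     www.example-search.test
"""

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping blank lines and # comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:                  # one line may list several names
            yield fields[0], name.lower()


def audit_hosts(text):
    """Return (name, ip, reason) for every mapping other than plain localhost."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip, "malformed address"))
            continue
        if addr.is_loopback and name in LOOPBACK_NAMES:
            continue                             # the one expected line
        if addr.is_loopback:
            findings.append((name, ip, "blocked: resolves to loopback"))
        else:
            findings.append((name, ip, "redirected: pinned to " + ip))
    return findings


def reset_hosts(text):
    """Rebuild the file keeping comments and only the required localhost line."""
    comments = [l for l in text.splitlines() if l.lstrip().startswith("#")]
    return "\n".join(comments + ["127.0.0.1 localhost"]) + "\n"
```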

Nothing is possible at this point. After the boot time scan the virus will not let me access anything. Every action is met with this message: “The file rundll32exe is infected do you want to activate your anti virus software now”.

Hi, let’s try this first; if it fails go to Plan B.

Note: If using Firefox right-click on any download links and choose Save As

Please download OTH to your desktop
Please download OTL to your desktop
Please download the attached file Scan.txt to your desktop

Double click the OTH file to run it and click Kill All Processes, your desktop will go blank.

http://oldtimer.geekstogo.com/OTH/OTH_Main.gif

Then select Start OTL. OTL will now run.

  • Double-click on the Custom Scans box and a message box will pop up asking if you want to load a custom scan from a file. Select Scan.txt that you downloaded.

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.

  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

  • Click the Internet Explorer button, post these logs in your Virus Removal topic.

Plan B

Download Rkill from here: there are several flavours to choose from; if one does not work then try the next.

Once it is downloaded, double-click on rkill in order to automatically attempt to stop any processes associated with Security Central and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Security Central when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate Security Central. So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of my instructions.

Do not reboot your computer after running rkill as the malware programs will start again.

Then run OTL as above

This will not be possible from the pc because as I stated the virus blocks every action I take. I am using my laptop to connect here. Even if I download via the laptop and try to install to the pc I will be blocked.

What you have is almost certainly a rogue program. I was reading posts in other forums from people having the same message about RunDLL32.exe being infected. One solution was to install and run Malwarebytes while in safe mode. If you can boot the affected machine into safe mode with networking, do that. You will need the networking to make sure MBAM is up to date. Then I would download Malwarebytes with the laptop, burn it onto a disc, and then use that disc in the affected machine to install MBAM. Hope it works.

If you have System restore enabled on the desktop then you could try to run it in Safe Mode (with command line)

  • here is the step by step

http://support.microsoft.com/kb/304449

If this is possible, then see if there is a Restore option to take you back to before the problems started.

It is a difficult situation that you have, but it likely can be turned around.

The two programmes are not exe files but apparent screensavers so they should bypass the malware

@Memphis T.

If you can, try to bring recovery options back to essexboy’s hands - you can do this by replying to his post.

This may save your operating system and you may be able to return your computer to normal running.

Essex boy
hi

The file “scan text” can’t load from here! Should I be able to? I’m going to try and download your suggestions to a memory stick and load it on the pc in safe mode. Should that work?

Forget that just seen the attachment.

12.32am. Done as instructed but can’t post results cos the virus won’t let me access the net. Tried rkill in safe mode but something terminates it!
Hitting the sack now, got an early start at work in the morning, but anyhow thanks for the help so far.

If you could copy the log to a USB and post from the other system I will devise a fix for you

Hi Essex Boy
From another Essex Boy, the current state of play is that I’ve managed to regain a lot of control over the machine (Virus Update, Windows Update and Web access) and I am indeed working from the machine here, but I’m not confident I’ve beaten the thing! So I’ve been working with your instructions and the logs are posted here.

Once these are removed we will search for orphans. On completion of these runs, can you let me know what problems remain?

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [cnisopst] C:\Documents and Settings\chris\Local Settings\Application Data\yiiyawmkx\uhwtfnatssd.exe File not found
O4 - HKCU..\Run: [{E0FF2C2E-CC14-5DD7-3171-98E333C97875}] C:\Documents and Settings\chris\Application Data\Visy\izpa.exe File not found
O4 - HKCU..\Run: [cnisopst] C:\Documents and Settings\chris\Local Settings\Application Data\yiiyawmkx\uhwtfnatssd.exe File not found
O4 - HKCU..\Run: [sxhcnfcx] C:\Documents and Settings\chris\Local Settings\Application Data\cqihmvcxv\ajrrbnptssd.exe File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
O27 - HKLM IFEO\ctfmon.exe: Debugger - C:\WINDOWS\system32\ctfmon_wz.exe File not found
[2010/07/11 12:58:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chris\Local Settings\Application Data\cqihmvcxv
[2010/06/20 00:40:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chris\Local Settings\Application Data\yiiyawmkx
[2010/05/15 15:56:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\lowsec
[2010/06/06 23:15:39 | 000,000,156 | ---- | M] () -- C:\WINDOWS\Twunk001.MTX
[2010/06/06 23:15:39 | 000,000,006 | ---- | M] () -- C:\WINDOWS\Twain001.Mtx
[2008/10/23 19:41:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\lkrkvifm
[2010/07/07 05:44:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\chris\Application Data\Visy
[2010/07/06 22:39:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\chris\Application Data\Ygba

:Files
C:\WINDOWS\tasks\At*.job

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select “Perform Quick Scan”, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
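The OTL fix above is built from four kinds of indicator: a proxy forced onto a local port, Run entries for random-named executables under the user profile (mostly already deleted, hence “File not found”), IE policy restrictions, and an IFEO Debugger hijack of ctfmon.exe. As an added example (not from the original post and not part of OTL), the following triages OTL-style log lines with heuristics of my own for those four patterns; the sample input reuses lines from the fix above plus one constructed clean Run entry.

```python
"""Triage OTL-style log lines (added example; the rules are this example's own)."""
import re

# Sample input: lines copied from the fix above, plus a constructed clean O4 entry.
SAMPLE_LOG = r"""
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577
O4 - HKCU..\Run: [cnisopst] C:\Documents and Settings\chris\Local Settings\Application Data\yiiyawmkx\uhwtfnatssd.exe File not found
O4 - HKLM..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O27 - HKLM IFEO\ctfmon.exe: Debugger - C:\WINDOWS\system32\ctfmon_wz.exe File not found
"""

PROXY_RE = re.compile(r'"ProxyServer"\s*=\s*(?:\w+=)?(?P<host>[\w.\-]+):(?P<port>\d+)')
RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+?)(?P<missing> File not found)?$')
IFEO_RE = re.compile(r'^O27 - \w+ IFEO\\(?P<target>[^:]+): Debugger - (?P<path>.+?)( File not found)?$')
POLICY_RE = re.compile(r'^O[67] - .*Internet Explorer\\(restrictions|control panel) present')


def triage(text):
    """Return (category, detail) for each suspicious line; clean lines yield nothing."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if m := PROXY_RE.search(line):
            # A proxy pointed at the machine itself means something local is
            # intercepting browser traffic (the 127.0.0.1:5577 entry above).
            if m["host"] in ("127.0.0.1", "localhost"):
                findings.append(("local proxy hijack", f"{m['host']}:{m['port']}"))
        elif m := RUN_RE.match(line):
            # Autoruns living under the user profile, or whose file is gone,
            # are the orphaned entries the fix removes.
            in_profile = "\\application data\\" in m["path"].lower()
            if m["missing"] or in_profile:
                tag = " (file missing)" if m["missing"] else ""
                findings.append(("autorun entry", m["name"] + tag))
        elif m := IFEO_RE.match(line):
            # IFEO Debugger runs the named path instead of the real program.
            findings.append(("IFEO debugger hijack", f"{m['target']} -> {m['path']}"))
        elif POLICY_RE.match(line):
            findings.append(("IE policy lockdown", line.split(" - ", 1)[1]))
    return findings
```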

HI Essex Boy
Thanks for all your help here. Posted is the latest OTL log.

Looks much better now - could you run MBAM please and let me know of any remaining problems

Hello again
Ran Malwarebytes, see posted log. Amazed at what it’s picked up; some of it I’ve obviously unwittingly invited in!

Could not get Update for MBAM due to error message; Updating 12007,0,winhttp send request

Some of them have been on your system for a while

Try this and then let me know if MBAM still gives the error

Go to Control Panel and select Internet Options
Select the Connections TAB
Select LAN settings button
Ensure there is no tick in the Proxy Server box
Select OK and restart Internet explorer

And for Firefox there are instructions on this page and you want the setting to be no proxy

Hi

only box checked is auto select, tried to update again but got the same error message.

I’m trying to see why I have no sound anymore also. I’ve made the normal checks, systems are enabled and it shows drivers installed, but as yet I can’t see why the pc’s gone silent. If my memory serves me right I lost it about the time I tried what turned out to be a bogus registry cleaner.

Let’s reset your internet settings.

@ECHO OFF
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v GlobalUserOffline /t REG_DWORD /d 0 /f
netsh int ip reset resetlog.txt

Next you will need to create the batch fix. To do that, copy and paste ALL of the above in the quote box to a Notepad file. Then in the text file go to FILE > SAVE AS, in the dropdown box set SAVE AS TYPE to ALL FILES, then in the FILE NAME box type fix.bat.

This will create a batch file
http://img524.imageshack.us/img524/9383/batmp6.jpg

Then run fix.bat by double clicking it; you may see a black box appear, this is normal.

Once done, retry MBAM. If that should fail, uninstall your current copy and re-download a fresh copy. If you still get a failure:

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Im trying to see why I have no sound anymore also. I've made the normal checks, systems are enabled and shows drivers installed but as yet can't see why pc's gone silent. If my memory serves me right I lost it about the time I tried what turned out to be a bogus registry cleaner.
Ouch, that could have taken anything out.

Hi
I was hoping that we had this thing sorted but not so. The pc has been running ok for about a week now, then Thursday evening while on the net it blocked a virus, then Friday after a virus scan and restart I get the message on a blue screen that a problem is detected and Windows has been shut down to prevent damage.
Tech info; Stop 0x0000007E (0xc0000005, 0x8A86C963, 0xF78D68B4,0xF78D65B0)

Is this virus related or do I have another problem? Tried restart in safe mode but it does not work.