Author Topic: win32:mal0b-x [cryp]  (Read 15775 times)

JoeMcLaughlin

  • Guest
win32:mal0b-x [cryp]
« on: October 25, 2009, 09:49:30 PM »
  I have a virus on a desktop. Thanks to free on-line games and children that do not know any better for this virus. A friend suggested Avast so I am giving it a try. So far Avast is not doing very well to kill the virus I have. Avast finds it and I tell it to delete, but it comes back after every re-boot. I am about 2 seconds away from nuking the hard drive and re-installing the POS Microsoft operating system, but I thought I would throw a post up in the forum first to see if there is any hope.
Joe......

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37548
  • Not a avast user
Re: win32:mal0b-x [cryp]
« Reply #1 on: October 25, 2009, 10:00:30 PM »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33921
  • malware fighter
Re: win32:mal0b-x [cryp]
« Reply #2 on: October 25, 2009, 10:12:55 PM »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

JoeMcLaughlin

  • Guest
Re: win32:mal0b-x [cryp]
« Reply #3 on: October 25, 2009, 10:17:54 PM »
See if this will help
http://www.digitalred.com/avast-boot-time.php
I tried that. It looks like it works but when it finds the virus and gives me an option to delete, the PC locks up and will not respond.
Joe.......

JoeMcLaughlin

  • Guest
Re: win32:mal0b-x [cryp]
« Reply #4 on: October 25, 2009, 10:18:34 PM »
Hi JoeMcLaughlin,

Try this removal tool: http://www.virusexperts.org/wp-content/uploads/2009/09/Magania.bzmw_Trojan_Removal_virusexperts.org_.zip

polonus

Downloaded, unzipped and ran both. Re-booting now to see how it worked;)
Joe.......

JoeMcLaughlin

  • Guest
Re: win32:mal0b-x [cryp]
« Reply #5 on: October 25, 2009, 10:24:03 PM »
Avast popped up a warning after the re-boot, it is still there.
Joe.......

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33921
  • malware fighter
Re: win32:mal0b-x [cryp]
« Reply #6 on: October 25, 2009, 10:35:12 PM »
Hi JoeMcLaughlin,

Someone will dive into your problem soon and propose a malware removal scheme,

polonus

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: win32:mal0b-x [cryp]
« Reply #7 on: October 25, 2009, 10:46:13 PM »
Hi, let's see what you have first.

To ensure that I get all the information, this log will need to be uploaded to Mediafire; then post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Check the box that says 64 bit
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under custom scans copy and paste the following:
    • %systemroot%\*. /s /r
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

JoeMcLaughlin

  • Guest
Re: win32:mal0b-x [cryp]
« Reply #8 on: October 25, 2009, 10:55:39 PM »
Got it downloaded and just about ready to run. I do not see a 64 bit option.
Joe.......

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: win32:mal0b-x [cryp]
« Reply #9 on: October 25, 2009, 10:59:05 PM »
That will only appear if you have a 64 bit system.

JoeMcLaughlin

  • Guest
Re: win32:mal0b-x [cryp]
« Reply #10 on: October 25, 2009, 11:13:19 PM »
Done: http://www.tripleateam.com/dirt/d/85555-1/OTS.Txt

Let me know if that format is right. I still have it open and can change it easily.
Joe........

JoeMcLaughlin

  • Guest
Re: win32:mal0b-x [cryp]
« Reply #11 on: October 25, 2009, 11:17:06 PM »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: win32:mal0b-x [cryp]
« Reply #12 on: October 25, 2009, 11:28:06 PM »
Did you install a key logger on your system?

Start OTS. Copy/paste the information in the quote box below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Processes - Safe List]
YY -> restorer64_a.exe -> C:\WINDOWS\System32\restorer64_a.exe
[Modules - Safe List]
YY -> ijejaxakuqejako.dll -> C:\WINDOWS\ijejaxakuqejako.dll
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {3b6e57bf-f6b9-4bc9-948b-c7ae92c29edd} [HKLM] -> C:\WINDOWS\System32\c_1ext.dll [Reg Error: Value error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Jdiqohovojamaze" -> C:\WINDOWS\ijejaxakuqejako.DLL [rundll32.exe "C:\WINDOWS\ijejaxakuqejako.dll",Startup]
YY -> "restorer64_a" -> C:\WINDOWS\System32\restorer64_a.exe [C:\WINDOWS\system32\restorer64_a.exe]
[Registry - Additional Scans - Safe List]
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command
YN -> regfile [merge] -> Reg Error: Key error.
YN -> txtfile [edit] -> Reg Error: Key error.
[Files/Folders - Created Within 30 Days]
NY -> AntivirusPro_2010 -> C:\AntivirusPro_2010
NY -> AntivirusPro_2010 -> C:\Program Files\AntivirusPro_2010
NY -> rundll22.exe -> C:\WINDOWS\rundll22.exe
[Files/Folders - Modified Within 30 Days]
NY -> oashdihasidhasuidhiasdhiashdiuasdhasd -> C:\Documents and Settings\Owner\oashdihasidhasuidhiasdhiashdiuasdhasd
NY -> Ojicomucetuhese.dat -> C:\WINDOWS\Ojicomucetuhese.dat
NY -> Ogazisohahoze.bin -> C:\WINDOWS\Ogazisohahoze.bin
NY -> umysilyz._dl -> C:\Program Files\Common Files\umysilyz._dl
NY -> ehaho._sy -> C:\WINDOWS\System32\ehaho._sy
NY -> opevykoq.db -> C:\Program Files\Common Files\opevykoq.db
NY -> idepaxi.vbs -> C:\WINDOWS\System32\idepaxi.vbs
NY -> ojyxul.dll -> C:\Program Files\Common Files\ojyxul.dll
NY -> ebilyq.scr -> C:\WINDOWS\ebilyq.scr
NY -> nyhuby.inf -> C:\Program Files\Common Files\nyhuby.inf
NY -> ocagovugyj.com -> C:\Documents and Settings\All Users\Application Data\ocagovugyj.com
NY -> ajiqadab.com -> C:\Documents and Settings\All Users\Application Data\ajiqadab.com
NY -> nuhugutyr.vbs -> C:\Program Files\Common Files\nuhugutyr.vbs
NY -> quhepahor.lib -> C:\WINDOWS\System32\quhepahor.lib
NY -> isabik.reg -> C:\Program Files\Common Files\isabik.reg
NY -> wapypum.com -> C:\WINDOWS\System32\wapypum.com
NY -> caxum.pif -> C:\Documents and Settings\All Users\Documents\caxum.pif
NY -> jupikuzavi.reg -> C:\WINDOWS\jupikuzavi.reg
NY -> xudipopiwo.bin -> C:\Documents and Settings\All Users\Application Data\xudipopiwo.bin
NY -> ugupako.bat -> C:\WINDOWS\ugupako.bat
NY -> meqybeno._dl -> C:\Program Files\Common Files\meqybeno._dl
NY -> edydanene.reg -> C:\Program Files\Common Files\edydanene.reg
NY -> hygipato.vbs -> C:\WINDOWS\hygipato.vbs
NY -> wirulekoga.reg -> C:\WINDOWS\wirulekoga.reg
NY -> mubegyp.lib -> C:\WINDOWS\System32\mubegyp.lib
NY -> aryzery.exe -> C:\Program Files\Common Files\aryzery.exe
NY -> jalyviku.sys -> C:\WINDOWS\System32\jalyviku.sys
NY -> qykady.com -> C:\WINDOWS\System32\qykady.com
NY -> apuzu.scr -> C:\Program Files\Common Files\apuzu.scr
NY -> fuzove.sys -> C:\Documents and Settings\All Users\Application Data\fuzove.sys
NY -> ruleqen.bat -> C:\WINDOWS\System32\ruleqen.bat
NY -> unumut.sys -> C:\WINDOWS\unumut.sys
NY -> yfepucolaf.dl -> C:\Program Files\Common Files\yfepucolaf.dl
NY -> ohasyfyr.ban -> C:\Documents and Settings\All Users\Application Data\ohasyfyr.ban
NY -> inojo.vbs -> C:\WINDOWS\System32\inojo.vbs
NY -> ewavoliz.pif -> C:\Documents and Settings\All Users\Application Data\ewavoliz.pif
NY -> wefehijyq.dll -> C:\WINDOWS\wefehijyq.dll
NY -> jugimotopi.inf -> C:\WINDOWS\jugimotopi.inf
NY -> uqudyxa.scr -> C:\WINDOWS\System32\uqudyxa.scr
NY -> ujehisum.bin -> C:\Documents and Settings\All Users\Application Data\ujehisum.bin
NY -> yvujihaqej.bat -> C:\Documents and Settings\All Users\Application Data\yvujihaqej.bat
NY -> restorer64_a.exe -> C:\WINDOWS\System32\restorer64_a.exe
NY -> rundll22.exe -> C:\WINDOWS\rundll22.exe
NY -> vpg_bcsb.ini -> C:\WINDOWS\vpg_bcsb.ini
[Files - No Company Name]
NY -> oashdihasidhasuidhiasdhiashdiuasdhasd -> C:\Documents and Settings\Owner\oashdihasidhasuidhiasdhiashdiuasdhasd
NY -> umysilyz._dl -> C:\Program Files\Common Files\umysilyz._dl
NY -> opevykoq.db -> C:\Program Files\Common Files\opevykoq.db
NY -> idepaxi.vbs -> C:\WINDOWS\System32\idepaxi.vbs
NY -> ojyxul.dll -> C:\Program Files\Common Files\ojyxul.dll
NY -> ebilyq.scr -> C:\WINDOWS\ebilyq.scr
NY -> nyhuby.inf -> C:\Program Files\Common Files\nyhuby.inf
NY -> ocagovugyj.com -> C:\Documents and Settings\All Users\Application Data\ocagovugyj.com
NY -> ajiqadab.com -> C:\Documents and Settings\All Users\Application Data\ajiqadab.com
NY -> nuhugutyr.vbs -> C:\Program Files\Common Files\nuhugutyr.vbs
NY -> quhepahor.lib -> C:\WINDOWS\System32\quhepahor.lib
NY -> isabik.reg -> C:\Program Files\Common Files\isabik.reg
NY -> wapypum.com -> C:\WINDOWS\System32\wapypum.com
NY -> caxum.pif -> C:\Documents and Settings\All Users\Documents\caxum.pif
NY -> ehaho._sy -> C:\WINDOWS\System32\ehaho._sy
NY -> xudipopiwo.bin -> C:\Documents and Settings\All Users\Application Data\xudipopiwo.bin
NY -> ugupako.bat -> C:\WINDOWS\ugupako.bat
NY -> meqybeno._dl -> C:\Program Files\Common Files\meqybeno._dl
NY -> edydanene.reg -> C:\Program Files\Common Files\edydanene.reg
NY -> jupikuzavi.reg -> C:\WINDOWS\jupikuzavi.reg
NY -> hygipato.vbs -> C:\WINDOWS\hygipato.vbs
NY -> wirulekoga.reg -> C:\WINDOWS\wirulekoga.reg
NY -> Security Tool.lnk -> C:\Documents and Settings\Owner\Desktop\Security Tool.lnk
NY -> mubegyp.lib -> C:\WINDOWS\System32\mubegyp.lib
NY -> jalyviku.sys -> C:\WINDOWS\System32\jalyviku.sys
NY -> qykady.com -> C:\WINDOWS\System32\qykady.com
NY -> apuzu.scr -> C:\Program Files\Common Files\apuzu.scr
NY -> fuzove.sys -> C:\Documents and Settings\All Users\Application Data\fuzove.sys
NY -> ruleqen.bat -> C:\WINDOWS\System32\ruleqen.bat
NY -> unumut.sys -> C:\WINDOWS\unumut.sys
NY -> yfepucolaf.dl -> C:\Program Files\Common Files\yfepucolaf.dl
NY -> ohasyfyr.ban -> C:\Documents and Settings\All Users\Application Data\ohasyfyr.ban
NY -> inojo.vbs -> C:\WINDOWS\System32\inojo.vbs
NY -> ewavoliz.pif -> C:\Documents and Settings\All Users\Application Data\ewavoliz.pif
NY -> wefehijyq.dll -> C:\WINDOWS\wefehijyq.dll
NY -> jugimotopi.inf -> C:\WINDOWS\jugimotopi.inf
NY -> aryzery.exe -> C:\Program Files\Common Files\aryzery.exe
NY -> uqudyxa.scr -> C:\WINDOWS\System32\uqudyxa.scr
NY -> ujehisum.bin -> C:\Documents and Settings\All Users\Application Data\ujehisum.bin
NY -> yvujihaqej.bat -> C:\Documents and Settings\All Users\Application Data\yvujihaqej.bat
NY -> Ogazisohahoze.bin -> C:\WINDOWS\Ogazisohahoze.bin
NY -> Ojicomucetuhese.dat -> C:\WINDOWS\Ojicomucetuhese.dat
NY -> restorer64_a.exe -> C:\WINDOWS\System32\restorer64_a.exe
NY -> vpg_bcsb.ini -> C:\WINDOWS\vpg_bcsb.ini
NY -> ijejaxakuqejako.dll -> C:\WINDOWS\ijejaxakuqejako.dll
[File - Lop Check]
NY -> 79964237 -> C:\Documents and Settings\All Users\Application Data\79964237
NY -> FunWebProducts -> C:\Documents and Settings\Edie\Application Data\FunWebProducts
[Empty Temp Folders]


The fix should only take a very short time; during this you will lose your taskbar and it will ask for a reboot. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

THEN

Please download Malwarebytes' Anti-Malware from Here.

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
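The OTS scan in Reply #7 and the fix in Reply #12 above target three persistence points: Run-key entries (one of them a DLL started through rundll32 with an export name), a Browser Helper Object whose CLSID points at a DLL, and the "shell spawning" commands for regfile and txtfile that decide what runs when a .reg or .txt file is opened. The script below is an added example written for this page; it is not OTS, not essexboy's fix, and not anything the thread posted. It reads those same locations on a live machine and reports anything worth a second look, and it goes a little beyond the fix by also checking HKCU\...\Run and the exefile association. The "stock" command values, the signature check and the "unusual location" rule are this example's own assumptions, so a hit means "look closer", not "this is malware".

```powershell
# Added example (not OTS output and not the fix posted above): read-only audit
# of the autostart and file-association locations the OTS fix cleans up.
# Run from an elevated PowerShell prompt. Stock values and flagging rules are
# assumptions made for this example.

$findings = @()

function Resolve-ImagePath([string]$CommandLine) {
    # Pull the executable or DLL path out of a Run-key command line. Handles
    #   rundll32.exe "C:\path\x.dll",Export      (the "Jdiqohovojamaze" entry above)
    #   "C:\path with spaces\x.exe" /args
    #   C:\path\x.exe /args
    if ($CommandLine -match '(?i)rundll32(\.exe)?\s+"?([^",]+\.dll)') { return $Matches[2] }
    if ($CommandLine -match '^"([^"]+)"')                              { return $Matches[1] }
    if ($CommandLine -match '(?i)^(\S+\.(exe|com|scr|pif|bat))')       { return $Matches[1] }
    return $CommandLine
}

function Test-ImageTrust([string]$Path) {
    # Returns zero or more reasons to look closer at an autostarted image:
    # missing file (dangling entry), no valid Authenticode signature, or an
    # image sitting directly in %SystemRoot% or under Common Files, which is
    # where the files in the fix above lived. (Heuristic, assumed here.)
    $p = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $p)) { return @('file not found') }
    $reasons = @()
    $sig = Get-AuthenticodeSignature -FilePath $p
    if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    $dir = Split-Path -Parent $p
    if ($dir -eq $env:SystemRoot -or $dir -like '*\Common Files*') { $reasons += "unusual location: $dir" }
    return $reasons
}

# 1. Run keys (HKCU added here; the fix above only touched HKLM).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        $why = @(Test-ImageTrust (Resolve-ImagePath $cmd))
        if ($cmd -match '(?i)rundll32') { $why += 'DLL started through rundll32' }
        if ($why.Count -gt 0) {
            $findings += New-Object PSObject -Property @{ Where = "$key\$name"; What = $cmd; Why = ($why -join '; ') }
        }
    }
}

# 2. Browser Helper Objects: each subkey is a CLSID; the DLL is in its InprocServer32.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path -LiteralPath $bhoRoot) {
    foreach ($bho in Get-ChildItem -LiteralPath $bhoRoot) {
        $clsid  = $bho.PSChildName
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll    = if (Test-Path -LiteralPath $server) { [string](Get-Item -LiteralPath $server).GetValue('') } else { '' }
        $why    = @(if ($dll) { Test-ImageTrust $dll } else { 'no InprocServer32 for this CLSID (orphaned or broken BHO)' })
        if ($why.Count -gt 0) {
            $findings += New-Object PSObject -Property @{ Where = "BHO $clsid"; What = $dll; Why = ($why -join '; ') }
        }
    }
}

# 3. Shell spawning: the "open" command for these types, compared with the
#    stock Windows values (exefile added here; the fix above repaired regfile and txtfile).
$stock = @{
    exefile = '"%1" %*'
    regfile = 'regedit.exe "%1"'
    txtfile = '%SystemRoot%\system32\NOTEPAD.EXE %1'
}
$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
foreach ($type in $stock.Keys) {
    $cmdKey = "HKLM:\SOFTWARE\Classes\$type\shell\open\command"
    $actual = if (Test-Path -LiteralPath $cmdKey) { [string](Get-Item -LiteralPath $cmdKey).GetValue('', '', $noExpand) } else { '<key missing>' }
    if ($actual -ne $stock[$type]) {
        $findings += New-Object PSObject -Property @{ Where = $cmdKey; What = $actual; Why = "differs from stock '$($stock[$type])'" }
    }
}

$findings | Format-Table -AutoSize -Wrap Where, What, Why
```

Two caveats that matter on a box like the one in this thread. First, the script reads the registry and the file system through the running OS, so anything that hooks those calls can hide from it; that is why the helpers here ask for a log from a dedicated scanner and why a boot-time scan was tried first. Second, legitimate software trips the same rules: many vendors ship unsigned executables, and a text editor that registers itself for .txt will change the txtfile command, so each line of output is a lead to check against what is supposed to be installed, not a verdict.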


JoeMcLaughlin

  • Guest
Re: win32:mal0b-x [cryp]
« Reply #13 on: October 25, 2009, 11:36:39 PM »
I never use this PC; it is a general PC that the family uses. You know, myspace, gaming etc. My wife is a little irritated because she uses this PC to do her college work on ;) Executing your fix now.
Joe.........

JoeMcLaughlin

  • Guest
Re: win32:mal0b-x [cryp]
« Reply #14 on: October 25, 2009, 11:50:00 PM »
OTS has been parsing the registry list for a long time now; it looks like it is hung up?
Joe.......