Author Topic: win32 malware gen  (Read 32101 times)


Memphis.T

  • Guest
win32 malware gen
« on: July 11, 2010, 07:05:52 PM »
Help! Like many others I have fallen victim to this win32 malware gen. It has taken over my PC and although I have tried to rid myself of it, being just a novice I must declare defeat.
I subscribe to Avast 5, which seems to be working properly but is unable to defeat this malware. I am running a boot-time scan at this moment, which I expect, as ever, will only reveal the aforesaid virus. I will direct it to the chest, which works, but it doesn't go away. Prior to this current scan I was being blocked from accessing all programmes and the virus was trying to open what I assume to be bogus security software.
I have followed previous forum threads and tried to adapt the advice to cure my own problems, but being a novice user I am wary of doing more damage when descriptions don't exactly fit what I see on my own PC.
Current symptoms are: can't access Microsoft Update; when connected to the net the PC opens random sites; when searching it will open alternate search engines without prompting; it will not let me access any programmes.
Driving me mad.
I hope someone can take time to help.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67185
Re: win32 malware gen
« Reply #1 on: July 11, 2010, 07:37:25 PM »
If a virus is replicating (coming back again and again), you could follow the general cleaning procedure:

1. Clean your temporary files. You can use CleanUp or CCleaner, or a deeper one called Temp File Cleaner, for that.

2. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).
If avast does not detect it, you can try DrWeb CureIT! instead.

3. It will be good if you download, install, update and run MBAM (or SUPERantispyware or even SpywareTerminator).
If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest), rather than simply deleting them.

4. If you are still detecting any strange behavior, or even if you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster for XP/Vista. For XP only: Panda.

5. Also, if you are still detecting strange behaviors or you want to be sure you're clean, maybe make a HijackThis log to post here or at this analysis site. Or even submit the RunScanner log to on-line analysis.

6. Browser hijacking and problems with antivirus updates can be managed in some scenarios by cleaning the hosts file (in the C:\windows\system32\drivers\etc folder). The file does not have an extension; it's simply hosts.
The default file consists of a number of example lines preceded with # The only required line is
127.0.0.1       localhost
You can get a good replacement with HostsMan, which keeps it clean (avoiding infections) and updated: http://www.abelhadigital.com

7. After you're clean, disable System Restore on Windows ME, XP or Vista. System Restore is not available in Windows 9x and 2k. After disabling you can enable it again.

8. Use the immunization of SpywareBlaster.

9. Finally, when you're clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.
The best things in life are free.
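Step 6 above says to check the hosts file for entries that block antivirus or update servers or redirect traffic. The script below is an added example (not part of the post or of HostsMan) that audits a hosts file the way a responder would: it parses the active mappings, flags security/update domains pointed anywhere, flags any name mapped to a remote address (a redirect), and treats loopback or 0.0.0.0 mappings of other names as ordinary blocklist entries. The sample hosts content, the watched-domain list and the function names are constructed for the example.

```python
"""Audit a Windows hosts file for entries that block AV/update servers or
redirect traffic. Added example; the sample hosts content below is
constructed, not taken from any real machine."""
import ipaddress

# Domains a hijack typically points at loopback (to block updates) or at a
# rogue host. Matched as exact name or as a parent of the name, so
# update.microsoft.com is covered by microsoft.com. Assumed list.
WATCHED_DOMAINS = ("microsoft.com", "windowsupdate.com", "avast.com",
                   "malwarebytes.org", "symantec.com", "kaspersky.com")

# The only line a default Windows hosts file actually needs.
DEFAULT_HOSTS = "127.0.0.1\tlocalhost\n"

# Constructed sample: a default header, the required line, two update
# blocks, one ordinary blocklist entry and one search-engine redirect.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       update.microsoft.com     # blocks Windows Update
127.0.0.1       www.avast.com
0.0.0.0         ads.example.net          # ordinary blocklist entry
198.51.100.7    www.google.com           # search hijack to a remote host
"""


def parse_hosts(text):
    """Yield (line_no, ip, [names]) for each active (non-comment) mapping."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                     # malformed line, skip
            continue
        yield no, parts[0], parts[1:]


def _is_watched(name):
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text):
    """Return a list of (line_no, reason, ip, name) findings."""
    findings = []
    for no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((no, "unparseable address", ip, " ".join(names)))
            continue
        for name in names:
            if name.lower() == "localhost":
                if not addr.is_loopback:
                    findings.append((no, "localhost not loopback", ip, name))
            elif _is_watched(name):
                # Any mapping of an AV/update domain, even to loopback,
                # blocks or diverts that vendor; always report it.
                findings.append((no, "security/update domain mapped", ip, name))
            elif not (addr.is_loopback or addr.is_unspecified):
                # Loopback/0.0.0.0 mappings are how blocklists sink ad hosts;
                # anything else sends the name to a specific remote host.
                findings.append((no, "redirect to remote address", ip, name))
    return findings


if __name__ == "__main__":
    for line_no, reason, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {reason}: {ip} {name}")
```

On the sample this reports the two update blocks on lines 4 and 5 and the redirect on line 7, and leaves the 0.0.0.0 blocklist line alone; the unmodified default file produces no findings. On a real machine, point it at C:\Windows\System32\drivers\etc\hosts and, if anything is flagged, replacing the whole file with the one required line (or a clean HostsMan list) is the simplest repair.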

Memphis.T

  • Guest
Re: win32 malware gen
« Reply #2 on: July 11, 2010, 11:45:34 PM »
Nothing is possible at this point. After the boot-time scan the virus will not let me access anything. Every action is met with this message: "The file rundll32.exe is infected. Do you want to activate your anti-virus software now?"

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: win32 malware gen
« Reply #3 on: July 11, 2010, 11:50:51 PM »
Hi, let's try this first; if it fails, go to Plan B.

 Note: If using Firefox right-click on any download links and choose Save As

Please download OTH to your desktop
Please download OTL  to your desktop
Please download the attached file Scan.txt to your desktop

Double click the OTH file to run it and click Kill All Processes, your desktop will go blank.



Then select Start OTL. OTL will now run

  • Double-click on the Custom Scans box and a message box will popup asking if you want to load a custom scan from a file
    Select Scan.txt that you downloaded

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Click the Internet Explorer button, post these logs in your Virus Removal topic.
Plan B

Download Rkill from here : there are several flavours to choose from, if one does not work then try the next

* rkill.com http://download.bleepingcomputer.com/grinler/rkill.com
* rkill.scr http://download.bleepingcomputer.com/grinler/rkill.scr
* rkill.pif http://download.bleepingcomputer.com/grinler/rkill.pif

Once it is downloaded, double-click on rkill in order to automatically attempt to stop any processes associated with Security Central and other rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Security Central when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate Security Central. So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of my instructions.

Do not reboot your computer after running rkill as the malware programs will start again.

Then run OTL as above

Memphis.T

  • Guest
Re: win32 malware gen
« Reply #4 on: July 12, 2010, 12:05:24 AM »
This will not be possible from the PC because, as I stated, the virus blocks every action I take. I am using my laptop to connect here. Even if I download via the laptop and try to install to the PC I will be blocked.

Dch48

  • Guest
Re: win32 malware gen
« Reply #5 on: July 12, 2010, 12:15:32 AM »
What you have is almost certainly a rogue program. I was reading posts in other forums from people having the same message about RunDLL32.exe being infected. One solution was to install and run Malwarebytes while in safe mode. If you can boot the affected machine into safe mode with networking, do that. You will need the networking to make sure MBAM is up to date. Then I would download Malwarebytes with the laptop, burn it onto a disc, and then use that disc in the affected machine to install MBAM. Hope it works.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: win32 malware gen
« Reply #6 on: July 12, 2010, 01:15:09 AM »
If you have System Restore enabled on the desktop then you could try to run it in Safe Mode (with command prompt)
- here is the step by step

http://support.microsoft.com/kb/304449

If this is possible, then see if there is a Restore option to take you back to before the problems started.

It's a difficult situation that you have, but it likely can be turned around
- have you tried the Dr Web Live CD to boot into a safe environment? http://www.freedrweb.com/livecd/
« Last Edit: July 12, 2010, 01:16:47 AM by mkis »
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline essexboy

Re: win32 malware gen
« Reply #7 on: July 12, 2010, 08:59:00 PM »
The two programmes are not exe files but apparent screensavers, so they should bypass the malware.

Offline mkis

Re: win32 malware gen
« Reply #8 on: July 12, 2010, 11:25:01 PM »
@Memphis T.

If you can, try to bring recovery options back into essexboy's hands - you can do this by replying to his post.

This may save your operating system and you may be able to return your computer to normal running.

Memphis.T

  • Guest
Re: win32 malware gen
« Reply #9 on: July 16, 2010, 12:04:01 AM »
Essex boy
hi

The file "Scan.txt": I can't load it from here! Should I be able to? I'm going to try and download your suggestions to a memory stick and load them on the PC in safe mode. Should that work?

Forget that just seen the attachment.

12.32am. Done as instructed, but I can't post the results because the virus won't let me access the net. Tried rkill in safe mode but something terminates it!
Hitting the sack now, got an early start at work in the morning, but anyhow thanks for the help so far.
« Last Edit: July 16, 2010, 01:38:09 AM by Memphis.T »

Offline essexboy

Re: win32 malware gen
« Reply #10 on: July 16, 2010, 09:09:56 PM »
If you could copy the log to a USB stick and post it from the other system, I will devise a fix for you.

Memphis.T

  • Guest
Re: win32 malware gen
« Reply #11 on: July 18, 2010, 01:58:45 PM »
Hi Essex Boy
From another Essex boy: the current state of play is that I've managed to regain a lot of control over the machine (virus update, Windows Update and web access) and I am indeed working from the machine here, but I'm not confident I've beaten the thing! So I've been working with your instructions and the logs are posted here.

Offline essexboy

Re: win32 malware gen
« Reply #12 on: July 18, 2010, 02:35:28 PM »
Once these are removed we will search for orphans. On completion of these runs, can you let me know what problems remain?

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:
:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [cnisopst] C:\Documents and Settings\chris\Local Settings\Application Data\yiiyawmkx\uhwtfnatssd.exe File not found
O4 - HKCU..\Run: [{E0FF2C2E-CC14-5DD7-3171-98E333C97875}] C:\Documents and Settings\chris\Application Data\Visy\izpa.exe File not found
O4 - HKCU..\Run: [cnisopst] C:\Documents and Settings\chris\Local Settings\Application Data\yiiyawmkx\uhwtfnatssd.exe File not found
O4 - HKCU..\Run: [sxhcnfcx] C:\Documents and Settings\chris\Local Settings\Application Data\cqihmvcxv\ajrrbnptssd.exe File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
O27 - HKLM IFEO\ctfmon.exe: Debugger - C:\WINDOWS\system32\ctfmon_wz.exe File not found
[2010/07/11 12:58:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chris\Local Settings\Application Data\cqihmvcxv
[2010/06/20 00:40:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chris\Local Settings\Application Data\yiiyawmkx
[2010/05/15 15:56:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\lowsec
[2010/06/06 23:15:39 | 000,000,156 | ---- | M] () -- C:\WINDOWS\Twunk001.MTX
[2010/06/06 23:15:39 | 000,000,006 | ---- | M] () -- C:\WINDOWS\Twain001.Mtx
[2008/10/23 19:41:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\lkrkvifm
[2010/07/07 05:44:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\chris\Application Data\Visy
[2010/07/06 22:39:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\chris\Application Data\Ygba

:Files
C:\WINDOWS\tasks\At*.job

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
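The OTL fix above removes four classes of entry that are worth recognising on sight in any such log: an Internet Explorer ProxyServer pointing at 127.0.0.1 (the rogue runs a local proxy and can rewrite searches and block update sites), Run keys whose target no longer exists, Internet Explorer policy restrictions that lock the user out of settings, and an Image File Execution Options Debugger on ctfmon.exe (Windows then launches the named "debugger" instead of ctfmon.exe every time it starts, a persistence trick). The script below is an added example, not OTL's code or essexboy's, that triages OTL-style lines for exactly those four patterns. The sample log lines, severity labels and kind names are constructed for the example; the file and key names in it are invented, not the ones from this thread.

```python
"""Triage OTL-style log lines for the hijack/persistence patterns seen in
the fix above. Added example; line formats follow the OTL output on the
page, sample lines and names are constructed."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity kind line")

# One regex per line class, matching the OTL layouts quoted in the fix.
PROXY_RE = re.compile(r'^IE - .*"ProxyServer" = (?P<value>.+)$')
RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+)$')
POLICY_RE = re.compile(r'^O[67] - HK\w+\\Software\\Policies\\Microsoft\\Internet Explorer\\'
                       r'(?P<key>restrictions|control panel) present$')
IFEO_RE = re.compile(r'^O27 - HK\w+ IFEO\\(?P<exe>[^:]+): Debugger - (?P<debugger>.+)$')

# Run targets under these user-writable profile dirs get a second look.
USER_PROFILE_DIRS = ("\\local settings\\application data\\",
                     "\\application data\\", "\\appdata\\")

# Constructed sample (invented names/paths) mirroring the entry types above.
SAMPLE_LOG = r"""IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577
O4 - HKLM..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [qwzrtlk] C:\Documents and Settings\user\Local Settings\Application Data\qwzrtlk\abcdefg.exe File not found
O4 - HKCU..\Run: [Updater] C:\Documents and Settings\user\Application Data\Updater\upd.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O27 - HKLM IFEO\ctfmon.exe: Debugger - C:\WINDOWS\system32\ctfmon_wz.exe File not found
"""


def triage_line(line):
    """Classify one OTL line; return a Finding or None if nothing to report."""
    line = line.rstrip()
    m = PROXY_RE.match(line)
    if m:
        # Value looks like "http=127.0.0.1:5577" or "proxy.example:8080".
        host = m.group("value").split("=")[-1].split(":")[0].strip().lower()
        if host.startswith("127.") or host == "localhost":
            return Finding("high", "local-proxy-hijack", line)
        return Finding("review", "proxy-configured", line)
    m = RUN_RE.match(line)
    if m:
        target = m.group("target")
        if target.endswith("File not found"):
            # Orphan: the launcher survives but the payload is gone; remove it.
            return Finding("medium", "orphaned-run-entry", line)
        if any(d in target.lower() for d in USER_PROFILE_DIRS):
            return Finding("review", "run-entry-in-user-profile", line)
        return None
    if POLICY_RE.match(line):
        return Finding("high", "ie-policy-lockdown", line)
    if IFEO_RE.match(line):
        # Any IFEO Debugger on a non-developer box is suspect; the named
        # program replaces the real one at every launch.
        return Finding("high", "ifeo-debugger-hijack", line)
    return None


def triage(log_text):
    """Return all Findings for a block of OTL log text, in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.kind}: {f.line}")
```

On the sample, the legitimate HKLM ctfmon.exe entry is passed over and the other six lines are reported; the two "high" IE policy lines and the IFEO line are the ones that explain why the user was locked out of programs and settings. The heuristics only cover the line classes quoted in this fix; a full OTL log has many other sections (services, drivers, BHOs) that need the same kind of rule.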

Memphis.T

  • Guest
Re: win32 malware gen
« Reply #13 on: July 18, 2010, 11:35:08 PM »
HI Essex Boy
Thanks for all your help here. Posted is the latest OTL log.

Offline essexboy

Re: win32 malware gen
« Reply #14 on: July 19, 2010, 12:02:44 AM »
Looks much better now. Could you run MBAM please and let me know of any remaining problems?