Posts posted by Fatdcuk
-
Any ideas?
My logfile is attached.
Thanks!
Looking at your logfile and the range of objects detected and their listings, then I believe that you are not infected and something is causing MBAM not to operate correctly on your PC.
Possibly some form of software conflict or corrupted install, but the net result is the gremlins you are experiencing :(
To rule out the latter please uninstall MBAM from your computer, reboot and then download a fresh copy of MBAM to install (save this file to your desktop).
Next disconnect yourself from the web and close any other applications you have running.
Install MBAM and decline to update the database when offered.
Reboot and allow all applications that would normally be running to continue running.
Connect to the web, then allow MBAM to update and then rescan your computer.
Post back the scan log generated.
-
MBAM and AntiVir make for an extremely good dynamic duo.
So another +1 for AntiVir/Avira
-
Hi and welcome to MBAM support forums,
It sounds like the AV software you used has probably deleted a vital system operating file as part of its cleanup routine (quite possibly userinit.exe), which is currently being attacked by recent fake alert infections.
If you have the OS install disk to hand then a repair install of the operating system is the best way forward to restore OS operations.
If you get it sorted I would recommend you look at changing AV for one that doesn't delete vital OS files if infected but disinfects/replaces them instead.
-
If you can check your IE add-ons, do you have a new toolbar and/or BHO added?
-
Hi,
Adware.SearchIt99 was caught being distributed with ad-bundled Flash game installs openly shared on the Gnutella network (P2P). The file that is being flagged is a temporary install file which drops in <temps> but is then deleted after the install is complete.
Has blocking this file prevented you from getting your free games, or just blocked the installation of the SearchIt99 BHO?
-
Hi,
Can you please start a topic in the following HJT help forum>>>
http://www.malwarebytes.org/forums/index.php?showforum=7
Follow the instructions at the top of the page there and, if possible, post a HiJackThis log to your new topic there.
Also check MBAM for updates before scanning, as many times a day new defs are put out on the wire.
-
Hi elorei,
If you locate the driver being flagged as Pakes and upload it to VirusTotal for 39 second opinions.
I believe the one I encountered 2 days ago was taking 9/39 flags @VT.
If it is being confirmed then I know it is safe to have that malware driver removed.
-
Download IceSword>>>
http://majorgeeks.com/Icesword_d5199.html
When you have extracted and run IceSword.exe, you will see a Registry button/option in the lower left of the software's main GUI.
Use this option to navigate to the offending keys and when you're there, right-click and select delete.
-
Ok, use RootRepeal to delete the hidden service file by right-clicking on its line and selecting delete.
Reboot the system and see if AVG updates & the PC can get onto this forum.
Also can you run a fresh scan with RootRepeal and post the output (Report) log generated.
-
As suspected you have a new variant of the CLB driver.
Name: gaopdxcfqxblak.sys
Image Path: C:\WINDOWS\system32\drivers\gaopdxcfqxblak.sys
Address: 0xB6F50000 Size: 163840 File Visible: -
Status: Hidden from Windows API!
If possible I would like to see the infection files for further analysis.
So please can you use the file scan of RootRepeal this time. We are looking for all files with the same or similar name to the above driver.
If you highlight each line and then right-click (Copy file) and save to a holding folder. Zip the folder and upload to a new topic here>>>
http://www.malwarebytes.org/forums/index.php?showforum=55
Please also can I see the output logs from RootRepeal for Files, Processes/Stealth Objects and Hidden Services.
Thanks:)
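As an added example (not from the post or from RootRepeal itself), a small Python parser for driver records in the format quoted above: it picks out records marked hidden from the Windows API and then, over a constructed file listing, gathers names sharing a prefix with the hidden driver, which is the "same or similar name" collection the post asks for; the second sample record, the file listing and the 6-character prefix threshold are assumptions.

```python
import os.path
import re

# Constructed sample: the hidden driver record quoted above, plus a visible one (constructed values).
ROOTREPEAL_SAMPLE = r"""
Name: gaopdxcfqxblak.sys
Image Path: C:\WINDOWS\system32\drivers\gaopdxcfqxblak.sys
Address: 0xB6F50000 Size: 163840 File Visible: -
Status: Hidden from Windows API!

Name: ntfs.sys
Address: 0xB9C00000 Size: 577536 File Visible: -
Status: -
"""

# "Key: value" pairs; several may share one line (Address / Size / File Visible).
KV_RE = re.compile(r'([A-Z][A-Za-z ]*?): (.*?)(?=\s+[A-Z][A-Za-z ]*: |$)')

def parse_records(text):
    """Split RootRepeal driver output into one dict per 'Name:' record."""
    records, current = [], None
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith('Name:'):
            current = {}
            records.append(current)
        if current is not None:
            current.update(KV_RE.findall(line))
    return records

def hidden_drivers(records):
    """Records that RootRepeal marks as hidden from the Windows API."""
    return [r for r in records if r.get('Status', '').startswith('Hidden')]

def related_names(driver_name, candidates, min_prefix=6):
    """Paths whose basename shares >= min_prefix leading chars (assumed threshold) with the driver stem."""
    stem = driver_name.lower().rsplit('.', 1)[0]
    hits = []
    for path in candidates:
        base = path.replace('/', '\\').split('\\')[-1].lower()
        if len(os.path.commonprefix([stem, base])) >= min_prefix:
            hits.append(path)
    return hits

# Constructed directory listing standing in for RootRepeal's file scan output.
FILE_SCAN_SAMPLE = [
    r'C:\WINDOWS\system32\drivers\gaopdxcfqxblak.sys',
    r'C:\WINDOWS\system32\gaopdxserv.dll',   # constructed companion name
    r'C:\WINDOWS\system32\drivers\ntfs.sys',
]
```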
-
Hi spt,
It is quite possibly a CLB driver-related infection from the information you have supplied, but just to check for sure:
Can you download Rootrepeal>>>
http://rootrepeal.googlepages.com/
Run a scan and post back the output log generated.
-
Ah so I am doing something wrong.... well that explains the low detection rate of SuperAntiSpyware and MalwareBytes that are somewhat similar in terms of what they actually do.
Both are making their mark for rapid updating and abilities to rip out infections that traditional AV/AT/ASW are sucking at.
I just don't understand why a-squared had such a high detection rate... IIRC a2 have incorporated the Ikarus AV engine into their engine recently.
In any case thanks for the clarification, however I'm still a little bit concerned with the low detection rate... Oh well, seems I will just have to make a mess of my virtual machine and see how it goes then.
That's the best way to test this software in a real-life infection scenario if you have the capabilities to do so.
May I suggest you go grab yourself some Vundo, Z-lob or fake alert trash current infections and then put MBAM head to head with a2 or any other software you care to throw into the equation.
I already know the outcome and you will find out for yourself why MBAM is held in such high regard by a lot of professionals as the star player in their toolkits for ripping current infections off PCs.
-
Hi, now I see what's going on.
KASP PDM doing its job.... pity KAV doesn't know this particular Vundo signature.
Ok the following is going to seem a little strange but go with me on it :)
Disable KASP PDM (Realtime) and next reboot.
This is going to let the Vundo file load into memory unhindered.
Next run a scan with MBAM again.
If it detects more Vundo files then allow it to delete and reboot the system. Now activate PDM again.
or
If MBAM finds no more Vundo files then start KASP PDM (realtime) again, reboot and post back your findings please.
-
Which AV are you using and what files are they flagging as infected ?
-
Hi DS7477 and welcome to the MBAM help forums.
Please disable SpyBot TeaTimer as it has a realtime guard for parts of the registry and will undo any attempted changes made by MBAM.
Rescan with MBAM and post a fresh log.
-
Hi ya Tom you are most welcome:)
No, RKU didn't get a chance to work its magic for us on this occasion. It was called for in order to wipe the inside of the file on disk in case it was being watched over by its loaded module for self-protection.
FWIW looking back through the logs now I'm thinking that maybe MBAM had this infection covered from the off but a combination of events prevented it from making a successful cleanup in the first sitting.
It is quite possible your first MBAM scan had it all detected but by booting back into safe mode it was unable to run its cleanup script for the then detected Vundo loaded memory modules >>> O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript would not run under safe mode ops.
This caused the infection to persist and as soon as you went back into regular mode the infection restored itself to its former state, but finally it all fell into place and MBAM came good.
As far as testing the system to see if all is purged, there are more advanced tools that can be utilized to examine various parts of system operations in more detail such as Autoruns, Process Explorer and RKU, but for now if HJT shows clear and the PC is behaving it tends to be accepted that the system has been purged.
If you would like a walkthrough then LMK and I will happily prepare information and do analysis with you :)
-
Hi Tom,
Your HJT log is looking clean of Vundo entries now, so that should be the errors sorted out :)
How is the computer behaving now?
-
Ok, let's clear up the log a bit to see what is left active.
Use HijackThis to fixcheck the following>
O2 - BHO: (no name) - {1452bc6e-5d8a-4552-974a-60c372b7e665} - C:\WINDOWS\system32\sidikeyu.dll (file missing)
O4 - HKLM\..\Run: [CPMff729ced] Rundll32.exe "c:\windows\system32\bubopoyu.dll",a
O4 - HKLM\..\Run: [papopemipu] Rundll32.exe "C:\WINDOWS\system32\jakejoki.dll",s
O20 - AppInit_DLLs: jocutc.dll, c:\windows\system32\bubopoyu.dll,C:\WINDOWS\system32\visoboja.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bubopoyu.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bubopoyu.dll (file missing)
Reboot then generate a fresh HJT log for review.
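As an added example (not from the post or from HijackThis), a Python triage pass over the HJT lines quoted above: it parses O2/O4/O20/O21/O22 entries, extracts the DLLs they load, and reports why each deserves attention, such as a load point for a file already missing from disk, AppInit_DLLs injection, Rundll32 calling a one-letter export, or one DLL wired into several autostart locations; these heuristics are assumptions, not HJT's own logic.

```python
import re
from collections import defaultdict

# Constructed sample: the HijackThis entries quoted in the post above.
HJT_SAMPLE = [
    r'O2 - BHO: (no name) - {1452bc6e-5d8a-4552-974a-60c372b7e665} - C:\WINDOWS\system32\sidikeyu.dll (file missing)',
    r'O4 - HKLM\..\Run: [CPMff729ced] Rundll32.exe "c:\windows\system32\bubopoyu.dll",a',
    r'O4 - HKLM\..\Run: [papopemipu] Rundll32.exe "C:\WINDOWS\system32\jakejoki.dll",s',
    r'O20 - AppInit_DLLs: jocutc.dll, c:\windows\system32\bubopoyu.dll,C:\WINDOWS\system32\visoboja.dll',
    r'O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bubopoyu.dll (file missing)',
    r'O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bubopoyu.dll (file missing)',
]

LINE_RE = re.compile(r'^([ORF]\d+) - (.*)$')
DLL_RE = re.compile(r'[\w:\\.-]+\.dll', re.IGNORECASE)  # full path or bare name; also splits O20's comma list
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"[^"]+",(\w+)', re.IGNORECASE)  # export named after the DLL

def parse_hjt(lines):
    """One dict per HJT line: section, DLL basenames (lowercase) and flags."""
    entries = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        export = RUNDLL_RE.search(body)
        entries.append({
            'section': section,
            'dlls': [d.replace('/', '\\').split('\\')[-1].lower() for d in DLL_RE.findall(body)],
            'file_missing': '(file missing)' in body or '(no file)' in body,
            'export': export.group(1) if export else None,
        })
    return entries

def triage(entries):
    """Map each DLL to the reasons it deserves a look (assumed heuristics, not HJT's own)."""
    reasons, loadpoints = defaultdict(list), defaultdict(set)
    for e in entries:
        for dll in e['dlls']:
            loadpoints[dll].add(e['section'])
            if e['file_missing']:
                reasons[dll].append(f"{e['section']}: load point for a file no longer on disk")
            if e['section'] == 'O20':
                reasons[dll].append('O20: AppInit_DLLs injects it into every process that loads user32.dll')
            if e['export'] and len(e['export']) == 1:
                reasons[dll].append(f"{e['section']}: Rundll32 calling one-letter export '{e['export']}'")
    for dll, secs in loadpoints.items():
        if len(secs) > 1:  # same DLL wired into several autostart locations
            reasons[dll].append(f"registered at {len(secs)} load points: {', '.join(sorted(secs))}")
    return dict(reasons)
```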
-
Ok Tom, first off thanks for the file upload; closer inspection confirms it as a Vundo trojan variant.
Next up, when you are running in regular mode the active infection can also connect out and bring in new components (update), but at least we know what is behind the infection now. Just reviewing your HJT log amo :)
Any chance of also posting the most recent MBAM log as well.
-
Hi again,
I've just tried to upload the file through attachments and have been presented with the message: "Upload failed. You are not permitted to upload this type of file"
Thank you so much for your help, it is much appreciated.
Regards,
Tom
Ok Tom, you will need to zip muyipigu.dll up to upload it.
Next up we need to nuke it, so we will need to use a more powerful tool for the task.
Ok here goes: only use the following tool as directed, as it is a very powerful tool capable of some real neat tricks but also, if misused, capable of causing destruction too.
http://www.rootkit.com/vault/DiabloNova/RkU3.8.342.554.rar
Extract and install RKU. On opening the software go to the "Tools" tab and select the wipe/copy file option.
Check "wipe file" and use the browse function to locate muyipigu.dll.
Once located use the "Do operation" function.
This is going to overwrite the file on disk with 0's.
Reboot the PC; there will be errors generated as the load entry will still exist but it will be loading a corrupted file, but this is easily fixed once the PC is up and running.
Use HijackThis to now fixcheck the following entries
O4 - HKLM\..\Run: [papopemipu] Rundll32.exe "C:\WINDOWS\system32\wuholove.dll",s
O20 - AppInit_DLLs: C:\WINDOWS\system32\muyipigu.dll
Reboot and rescan with HiJackThis. Post a copy of the new log in your next post:)
Going to be popping out for an hour now but will brb to assist:)
-
Ok Tom, well that certainly is our culprit that is causing most of the issues. It is loaded into memory every time new software loads, hence why things are crawling. The fact that it has already been uploaded to VT under a different name is also a clear indicator that it is a dubious file.
First off I would like a sample of it, so if you can upload it to a new topic over at this part of the forum>>>
http://www.malwarebytes.org/forums/index.php?showforum=55
Next up we need to nuke it, so we will need to use a more powerful tool for the task.
Just preparing instructions so will brb and edit post to update.
-
Ok, that's great Tom; the "error" message is because the file no longer exists on disk but the load entry remains in the registry.
Have HiJackThis remove (FixCheck) the following entries only by placing a check (tick) in the box next to them.
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {1452bc6e-5d8a-4552-974a-60c372b7e665} - C:\WINDOWS\system32\nugedoka.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [papopemipu] Rundll32.exe "C:\WINDOWS\system32\wuholove.dll",s
However there remains 1 more suspicious entry that certainly needs further investigation.
O20 - AppInit_DLLs: C:\WINDOWS\system32\muyipigu.dll
Please locate this file and upload it to VirusTotal for malware checking.
If it is flagged by any databases there, please give me a link to the VT-generated report.
Also if possible I would like you to copy the file to a holding folder for now.
-
Hi and welcome to the Malwarebytes forums:)
If the key is being restored then the system has an active infection in process. First point of call is to start the ball rolling by doing the following>>>
http://www.malwarebytes.org/forums/index.php?showtopic=9573
Additional diagnostic tools & fixes might be required, but if you can bear with us we will assist you in cleaning up the active infection on your PC and R&R should not be required.
In topic: MalWare Finding Files in Directories that Aren't There (Malwarebytes for Windows Support Forum)
Ok then something is conflicting along the way in order to cause MBAM to generate these f/p detections.
For now if you add them to the ignore list are they still detected when you rescan?