
Fatdcuk

Staff
  • Content Count: 20,723

Posts posted by Fatdcuk


  1. Any ideas?

    My logfile is attached.

    Thanks!

    Looking at your logfile, the range of objects detected and their listings, I believe that you are not infected and that something is causing MBAM not to operate correctly on your PC.

    Possibly some form of software conflict or corrupted install, but the net result is the gremlins you are experiencing :(

    To rule out the latter, please uninstall MBAM from your computer, reboot and then download a fresh copy of MBAM to install (save this file to your desktop).

    Next, disconnect yourself from the web and close any other applications you have running.

    Install MBAM and decline to update the database when offered.

    Reboot and allow all applications that would normally be running to continue running.

    Connect to the web, then allow MBAM to update and then rescan your computer.

    Post back the scan log generated.


  2. Hi and welcome to the MBAM support forums,

    It sounds like the AV software you used has probably deleted a vital system operating file as part of its cleanup routine (quite possibly userinit.exe), which is currently being attacked by recent fake alert infections.

    If you have the OS install disk to hand, then a repair install of the operating system is the best way forward to restore OS operations.

    If you get it sorted, I would recommend you look at changing AV for one that doesn't delete vital OS files if infected but disinfects/replaces them instead.


  3. Hi,

    Adware.SearchIt99 was caught being distributed with ad-bundled Flash games installs openly shared on the Gnutella network (P2P). The file that is being flagged is a temporary install file which drops in <temps> but is then deleted after the install is complete.

    Has blocking this file prevented you from getting your free games, or has it just blocked the installation of the SearchIt99 BHO?


  4. Ok, use Rootrepeal to delete the hidden service file by right-clicking on its line and selecting delete.

    Reboot the system and see if AVG updates & the PC can get onto this forum.

    Also, can you run a fresh scan with Rootrepeal and post the output (Report) log generated.


  5. As suspected, you have a new variant of the CLB driver.

    • Name: gaopdxcfqxblak.sys
      Image Path: C:\WINDOWS\system32\drivers\gaopdxcfqxblak.sys
      Address: 0xB6F50000 Size: 163840 File Visible: -
      Status: Hidden from Windows API!

    If possible, I would like to see the infection files for further analysis.

    So please can you use the file scan of RootRepeal this time. We are looking for all files with the same or a similar name to the above driver.

    Highlight each line, then right-click (Copy file) and save to a holding folder. Zip the folder and upload to a new topic here>>>

    http://www.malwarebytes.org/forums/index.php?showforum=55

    Please also can I see the output logs from RootRepeal for Files, Processes/Stealth Objects and Hidden Services.

    Thanks :)


  6. Ah, so I am doing something wrong.... well, that explains the low detection rate of SuperAntiSpyware and MalwareBytes, which are somewhat similar in terms of what they actually do.

    Both are making their mark for rapid updating and abilities to rip out infections that traditional AV/AT/ASW are sucking at ;)

    I just don't understand why a-squared had such a high detection rate...

    IIRC a2 have incorporated the Ikarus AV engine into their engine recently.

    In any case, thanks for the clarification, however I'm still a little bit concerned with the low detection rate...

    Oh well, seems I will just have to make a mess of my virtual machine and see how it goes then :)

    That's the best way to test this software in a real-life infection scenario, if you have the capabilities to do so.

    May I suggest you go grab yourself some Vundo, Zlob or fake alert trash current infections and then put MBAM head to head with a2 or any other software you care to throw into the equation.

    I already know the outcome, and you will find out for yourself why MBAM is held in such high regard by a lot of professionals as the star player in their toolkits for ripping current infections off PCs.


  7. Hi, now I see what's going on.

    KASP PDM doing its job.... pity KAV doesn't know this particular Vundo signature.

    Ok, the following is going to seem a little strange, but go with me on it :)

    Disable KASP PDM (Realtime) and then reboot.

    This is going to let the Vundo file load into memory unhindered.

    Next, run a scan with MBAM again.

    If it detects more Vundo files, then allow it to delete and reboot the system. Now activate PDM again.

    or

    If MBAM finds no more Vundo files, then start KASP PDM (realtime) again, reboot and post back your findings please.


  8. Hi ya Tom, you are most welcome :)

    No, RKU didn't get the chance to work its magic for us on this occasion. It was called for in order to wipe the inside of the file on disk in case it was being watched over by its loaded module for self protection.

    FWIW, looking back through the logs now, I'm thinking that maybe MBAM had this infection covered from the off, but a combination of events prevented it from making a successful cleanup in the first sitting.

    It is quite possible your first MBAM scan had it all detected, but by booting back into safe mode it was unable to run its cleanup script for the then detected Vundo loaded memory modules >>> O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript would not run under safe mode ops.

    This caused the infection to persist, and as soon as you went back into regular mode the infection restored itself to its former state, but finally it all fell into place and MBAM came good ;)

    As far as testing the system to see if all is purged, there are more advanced tools that can be utilized to examine various parts of system operations in more detail, such as Autoruns, Process Explorer and RKU, but for now if HJT shows clear and the PC is behaving it tends to be accepted that the system has been purged.

    If you would like a walkthrough then LMK and I will happily prepare information and do the analysis with you :)


  9. Ok, let's clear up the log a bit to see what is left active.

    Use HijackThis to fixcheck the following>

    O2 - BHO: (no name) - {1452bc6e-5d8a-4552-974a-60c372b7e665} - C:\WINDOWS\system32\sidikeyu.dll (file missing)

    O4 - HKLM\..\Run: [CPMff729ced] Rundll32.exe "c:\windows\system32\bubopoyu.dll",a

    O4 - HKLM\..\Run: [papopemipu] Rundll32.exe "C:\WINDOWS\system32\jakejoki.dll",s

    O20 - AppInit_DLLs: jocutc.dll, c:\windows\system32\bubopoyu.dll,C:\WINDOWS\system32\visoboja.dll

    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bubopoyu.dll (file missing)

    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bubopoyu.dll (file missing)

    Reboot then generate a fresh HJT log for review.


  10. Ok Tom, first off thanks for the file upload; closer inspection confirms it as a Vundo trojan variant.

    Next up, when you are running in regular mode the active infection can also connect out and bring in new components (update), but at least we know what is behind the infection now. Just reviewing your HJT log amo :)

    Any chance of also posting the most recent MBAM log as well.


  11. Hi again,

    I've just tried to upload the file through attachments and have been presented with the message: "Upload failed. You are not permitted to upload this type of file"

    Thank you so much for your help, it is much appreciated.

    Regards,

    Tom

    Ok Tom, you will need to zip muyipigu.dll up to upload it.

    Next up we need to nuke it, so we will need to use a more powerful tool for the task.

    Ok, here goes. Only use the following tool as directed, as it is a very powerful tool capable of some real neat tricks, but also, if misused, capable of causing destruction too.

    http://www.rootkit.com/vault/DiabloNova/RkU3.8.342.554.rar

    Extract and install RKU. On opening the software, go to the "Tools" tab and select the wipe/copy file option.

    Check "wipe file" and use the browse function to locate muyipigu.dll

    Once located, use the "Do operation" function.

    This is going to overwrite the file on disk with 0's.

    Reboot the PC. There will be errors generated, as the load entry will still exist but it will be loading a corrupted file; this is easily fixed once the PC is up and running.

    Use HijackThis to now fixcheck the following entries

    O4 - HKLM\..\Run: [papopemipu] Rundll32.exe "C:\WINDOWS\system32\wuholove.dll",s

    O20 - AppInit_DLLs: C:\WINDOWS\system32\muyipigu.dll

    Reboot and rescan with HijackThis. Post a copy of the new log in your next post :)

    Going to be popping out for an hour now, but will brb to assist :)


  12. Ok Tom, well that certainly is our culprit that is causing most of the issues. It is loaded into memory every time a new piece of software loads, hence why things are crawling. The fact that it has already been uploaded to VT under a different name is also a clear indicator that it is a dubious file.

    First off, I would like a sample of it, so if you can upload it to a new topic over at this part of the forum>>>

    http://www.malwarebytes.org/forums/index.php?showforum=55

    Next up we need to nuke it, so we will need to use a more powerful tool for the task.

    Just preparing instructions, so will brb and edit the post to update ;)


  13. Ok, that's great Tom. The "error" message is because the file no longer exists on disk but the load entry remains in the registry.

    Have HijackThis remove (FixCheck) the following entries only, by placing a check (tick) in the box next to them.

    • R3 - Default URLSearchHook is missing
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
      O2 - BHO: (no name) - {1452bc6e-5d8a-4552-974a-60c372b7e665} - C:\WINDOWS\system32\nugedoka.dll (file missing)
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O4 - HKLM\..\Run: [papopemipu] Rundll32.exe "C:\WINDOWS\system32\wuholove.dll",s

    However, there remains 1 more suspicious entry that certainly needs further investigation.

    O20 - AppInit_DLLs: C:\WINDOWS\system32\muyipigu.dll

    Please locate this file and upload it to VirusTotal for malware checking.

    http://www.virustotal.com

    If it is flagged by any databases there, please give me a link to the VT generated report.

    Also, if possible, I would like you to copy the file to a holding folder for now.
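    The HijackThis triage in posts 9, 11 and 13 above follows a repeatable pattern: orphaned entries marked "(file missing)" or "(no file)" are safe to fix straight away, while live AppInit_DLLs and Rundll32 autostarts are sample-collection candidates that need a look before removal. The script below is an added example, not part of the forum posts or of HijackThis itself; it parses the HJT line format (`<code> - <detail>`) as it appears in these posts and applies rules I wrote for this page. The sample log is constructed from the entries quoted in the thread, and the severity labels and rule wording are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: HijackThis-style lines taken from the entries quoted in this thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {1452bc6e-5d8a-4552-974a-60c372b7e665} - C:\WINDOWS\system32\nugedoka.dll (file missing)
O4 - HKLM\..\Run: [papopemipu] Rundll32.exe "C:\WINDOWS\system32\wuholove.dll",s
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O20 - AppInit_DLLs: jocutc.dll, c:\windows\system32\bubopoyu.dll,C:\WINDOWS\system32\visoboja.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bubopoyu.dll (file missing)
""".strip("\n")

LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")        # "O4 - HKLM\..\Run: ..."
QUOTED_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')         # quoted paths may contain spaces
WINPATH_RE = re.compile(r"[A-Za-z]:\\[^\s\",]+")         # bare drive-letter paths
RUNDLL_RE = re.compile(r'Rundll32\.exe\s+"?([^"]+\.dll)"?,(\S+)', re.IGNORECASE)


@dataclass
class Finding:
    code: str
    severity: str            # "info", "orphan" (safe to fix) or "suspect" (investigate first)
    reason: str
    line: str
    paths: list = field(default_factory=list)


def extract_paths(detail):
    """Quoted paths first (they may contain spaces), then any bare ones left over."""
    paths = QUOTED_RE.findall(detail)
    paths += WINPATH_RE.findall(QUOTED_RE.sub("", detail))
    return paths


def triage_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, detail = m.groups()
    low = detail.lower()
    paths = extract_paths(detail)

    # Entry points at a file that is gone: the registry/BHO reference is all that is left.
    if "(file missing)" in low or "(no file)" in low:
        return Finding(code, "orphan", "load entry for a file that no longer exists on disk", line, paths)
    # AppInit_DLLs is loaded by every process that maps user32.dll: collect samples before fixing.
    if code == "O20" and low.startswith("appinit_dlls:"):
        dlls = [d.strip() for d in detail.split(":", 1)[1].split(",") if d.strip()]
        return Finding(code, "suspect", f"AppInit_DLLs injects {len(dlls)} DLL(s) into every process", line, dlls)
    # MBAM's own pending cleanup entry; per post 8 it does not run under Safe Mode.
    if code == "O4" and "/runcleanupscript" in low:
        return Finding(code, "info", "pending MBAM cleanup script; reboot into normal mode to let it run", line, paths)
    rd = RUNDLL_RE.search(detail)
    if code == "O4" and rd:
        dll, export = rd.groups()
        return Finding(code, "suspect", f"Rundll32 autostart loading {dll} via export '{export}'", line, [dll])
    if code in ("O21", "O22"):
        return Finding(code, "suspect", "shell-extension autostart (SSODL / SharedTaskScheduler)", line, paths)
    if code == "R3" and "is missing" in low:
        return Finding(code, "info", "URLSearchHook missing; HJT restores the default", line, paths)
    return Finding(code, "info", "no rule matched", line, paths)


def triage_log(text):
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


def lines_to_fix(findings):
    """Entries to tick for FixCheck: orphans plus suspects (after sampling)."""
    return [f.line for f in findings if f.severity != "info"]


def collect_for_analysis(findings):
    """Files to copy to a holding folder / upload, from suspect entries, deduplicated."""
    seen, out = set(), []
    for f in findings:
        if f.severity != "suspect":
            continue
        for p in f.paths:
            if p.lower() not in seen:
                seen.add(p.lower())
                out.append(p)
    return out


if __name__ == "__main__":
    results = triage_log(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:7}] {f.code}: {f.reason}")
    print("FixCheck:", len(lines_to_fix(results)), "entries")
    print("Collect:", collect_for_analysis(results))
```

    The point of separating "orphan" from "suspect" is the order of operations the posts insist on: a live DLL referenced from AppInit_DLLs or a Rundll32 autostart is still loading into every new process, so it is sampled (copied to a holding folder, checked on VirusTotal) before its load entry is removed, whereas an entry already marked "(file missing)" carries no file to sample and can simply be fixed.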


  14. Hi and welcome to the Malwarebytes forums :)

    If the key is being restored, then the system has an active infection in process. First point of call is to start the ball rolling by doing the following>>>

    http://www.malwarebytes.org/forums/index.php?showtopic=9573

    Additional diagnostic tools & fixes might be required, but if you can bear with us we will assist you in cleaning up the active infection on your PC, and R&R should not be required.
