
Trojan.Vundo.h keeps coming back



I have a computer that got infected with the Vundo trojan, and MBAM does not seem to be detecting the infected file, nor does HijackThis refer to it. The file is named dofewisu.dll. NAV keeps popping up warnings that it contains Trojan.Vundo. The file is actively loaded both in normal and safe mode, and programs do not seem to be able to remove it. NAV consistently finds it but is not able to clean or quarantine the file, as it is actively loaded.

Here is the MBAM logfile before scan:

Malwarebytes' Anti-Malware 1.35

Database version: 1904

Windows 5.1.2600 Service Pack 2

3/29/2009 9:38:01 PM

mbam-log-2009-03-29 (21-37-56).txt

Scan type: Quick Scan

Objects scanned: 74508

Time elapsed: 3 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8a7a2145-b749-403f-9408-ee920300be6a} (Trojan.Vundo.H) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{8a7a2145-b749-403f-9408-ee920300be6a} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jalajomope (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Here is the MBAM post scan:

Malwarebytes' Anti-Malware 1.35

Database version: 1904

Windows 5.1.2600 Service Pack 2

3/29/2009 9:38:13 PM

mbam-log-2009-03-29 (21-38-13).txt

Scan type: Quick Scan

Objects scanned: 74508

Time elapsed: 3 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8a7a2145-b749-403f-9408-ee920300be6a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{8a7a2145-b749-403f-9408-ee920300be6a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jalajomope (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Reboot and run HijackThis and I get:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:44:26 PM, on 3/29/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Symantec\SAV8\DefWatch.exe

C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\PROGRA~1\Symantec\SAV8\Rtvscan.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe

C:\WINDOWS\RTHDCPL.EXE

C:\PROGRA~1\Symantec\SAV8\vptray.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

D:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\explorer.exe

K:\spyware cleaning\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ncsu.edu/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

O1 - Hosts: 82.98.235.133 browser-security.microsoft.com

O1 - Hosts: 82.98.235.133 url.adtrgt.com

O1 - Hosts: 82.98.235.133 best-click-scanner.info

O1 - Hosts: 82.98.235.133 antivirus-xp-pro-2009.com

O1 - Hosts: 82.98.235.133 microsoft.infosecuritycenter.com

O1 - Hosts: 82.98.235.133 microsoft.softwaresecurityhelp.com

O1 - Hosts: 82.98.235.133 onlinenotifyq.net

O1 - Hosts: 82.98.235.133 antivirusxp-pro-2009.com

O1 - Hosts: 82.98.235.133 microsoft.browser-security-center.com

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: (no name) - {8a7a2145-b749-403f-9408-ee920300be6a} - C:\WINDOWS\system32\mubakuni.dll (file missing)

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Symantec\SAV8\vptray.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [jalajomope] Rundll32.exe "C:\WINDOWS\system32\sosohipi.dll",s

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1165980627242

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1167188091718

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - AppInit_DLLs: C:\WINDOWS\system32\dofewisu.dll uitibf.dll c:\windows\system32\mimebiyo.dll

O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Symantec\SAV8\DefWatch.exe

O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Symantec\SAV8\Rtvscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\Win32\RpcDataSrv.exe

O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\RpcSandraSrv.exe

O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--

End of file - 8274 bytes

I have cleaned/rebooted several times both in normal and safe mode, but can't get rid of the file. There is a command prompt window opening for a split second that I did not notice before, but I can't see what it is doing before it closes. If I try to run regedit manually it closes immediately, both in normal and safe mode.

Any help would be appreciated. My next move was going to be to remove the drive and scan it (attached to a USB enclosure) from another computer, but I don't want to infect my only other working computer.

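The log above shows the persistence points this thread keeps circling: hosts-file entries that pin several names to one outside address (O1), a BHO CLSID whose DLL is gone (O2), a Run value that uses Rundll32 to load a DLL with a one-letter entry point (O4), and the AppInit_DLLs value that gets the DLL mapped into every process that loads user32.dll (O20). As an added example, not part of the original thread, here is a Python triage script that parses HijackThis-format lines and flags those patterns. The sample input is a constructed excerpt modelled on the posted log, the SINKHOLE_IPS set and the Rundll32 entry-point test are the author's heuristics rather than anything HijackThis itself does, and the output is a list of findings for a human to review, not a verdict.

```python
"""Triage a HijackThis log for the persistence points discussed in this thread."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the HijackThis log posted above (not the complete log).
SAMPLE_LOG = r"""
O1 - Hosts: 82.98.235.133 browser-security.microsoft.com
O1 - Hosts: 82.98.235.133 antivirus-xp-pro-2009.com
O1 - Hosts: 82.98.235.133 microsoft.browser-security-center.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8a7a2145-b749-403f-9408-ee920300be6a} - C:\WINDOWS\system32\mubakuni.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Symantec\SAV8\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [jalajomope] Rundll32.exe "C:\WINDOWS\system32\sosohipi.dll",s
O20 - AppInit_DLLs: C:\WINDOWS\system32\dofewisu.dll uitibf.dll c:\windows\system32\mimebiyo.dll
"""

# Addresses a hosts file legitimately uses to sinkhole names (ad/malware blocklists).
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RUN_RE = re.compile(r"^O4 - (\S+?): \[(.*?)\] (.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+?)"?(?:,(\S*))?\s*$', re.IGNORECASE)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$")


def triage(log_text):
    """Return a list of findings; each is a dict with source (HJT section), item and reason."""
    findings = []
    hosts_by_ip = defaultdict(list)

    for raw in log_text.strip().splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            ip, name = m.groups()
            hosts_by_ip[ip].append(name)
            if ip not in SINKHOLE_IPS:
                findings.append({"source": "O1", "item": name,
                                 "reason": f"hosts file sends this name to {ip}, not to a sinkhole address"})
        elif m := BHO_RE.match(line):
            name, clsid, path = m.groups()
            if name == "(no name)" or path.endswith("(file missing)"):
                findings.append({"source": "O2", "item": clsid,
                                 "reason": f"unnamed or orphaned BHO registration -> {path}"})
        elif m := RUN_RE.match(line):
            hive, value_name, command = m.groups()
            if r := RUNDLL_RE.match(command):
                dll, entry = r.groups()
                # Heuristic: legitimate rundll32 autoruns name a real export (NvStartup);
                # a missing or one-letter entry point is typical of a DLL written as a loader.
                if not entry or len(entry) <= 2:
                    findings.append({"source": "O4", "item": f"{hive}\\{value_name}",
                                     "reason": f"rundll32 loads {dll} with entry point {entry!r} (heuristic)"})
        elif m := APPINIT_RE.match(line):
            # The value is space- or comma-delimited; every DLL listed is mapped into each
            # process that loads user32.dll, which is why the file is "always in use".
            for dll in filter(None, re.split(r"[\s,]+", m.group(1))):
                note = "" if "\\" in dll else " (bare name, resolved via the loader search path)"
                findings.append({"source": "O20", "item": dll,
                                 "reason": "AppInit_DLLs injection" + note})

    # Several hostnames pinned to one non-sinkhole IP is the redirect pattern, not a blocklist.
    for ip, names in hosts_by_ip.items():
        if ip not in SINKHOLE_IPS and len(names) >= 2:
            findings.append({"source": "O1", "item": ip,
                             "reason": f"{len(names)} hostnames redirected to one address"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['source']}] {f['item']}: {f['reason']}")
```

Run it against a saved HijackThis log by passing the file contents to triage(). Note that the script deliberately does not score names such as "jalajomope" or "sosohipi" as random; it keys on the registration shape instead, so the same checks still apply when a sample picks pronounceable or vendor-like names.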

  • Staff

Hi,

First of all, please update Malwarebytes, because the database version is outdated.

  • Start MalwareBytes and click the Update tab. There click "Check for updates"
  • Once the updates are downloaded, perform a full scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  • Staff

Hi,

Ok, no worries.... Do next please..

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O1 - Hosts: 82.98.235.133 browser-security.microsoft.com

O1 - Hosts: 82.98.235.133 url.adtrgt.com

O1 - Hosts: 82.98.235.133 best-click-scanner.info

O1 - Hosts: 82.98.235.133 antivirus-xp-pro-2009.com

O1 - Hosts: 82.98.235.133 microsoft.infosecuritycenter.com

O1 - Hosts: 82.98.235.133 microsoft.softwaresecurityhelp.com

O1 - Hosts: 82.98.235.133 onlinenotifyq.net

O1 - Hosts: 82.98.235.133 antivirusxp-pro-2009.com

O1 - Hosts: 82.98.235.133 microsoft.browser-security-center.com

O2 - BHO: (no name) - {8a7a2145-b749-403f-9408-ee920300be6a} - C:\WINDOWS\system32\mubakuni.dll (file missing)

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [jalajomope] Rundll32.exe "C:\WINDOWS\system32\sosohipi.dll",s

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE <== this is a resource hog

O20 - AppInit_DLLs: C:\WINDOWS\system32\dofewisu.dll uitibf.dll c:\windows\system32\mimebiyo.dll

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

* Then, please visit this webpage for instructions on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Tried to remove the entries with HijackThis, but keep getting 3 of them coming back no matter what I do. Can't run ComboFix, as the trojan kills it right off.

Here are the 3 that keep coming back:

O2 - BHO: (no name) - {8a7a2145-b749-403f-9408-ee920300be6a} - C:\WINDOWS\system32\mubakuni.dll (file missing)

O4 - HKLM\..\Run: [jalajomope] Rundll32.exe "C:\WINDOWS\system32\sosohipi.dll",s

O20 - AppInit_DLLs: C:\WINDOWS\system32\dofewisu.dll uitibf.dll c:\windows\system32\mimebiyo.dll

NAV keeps detecting the dofewisu.dll as Vundo but cant clean or quarantine it.


  • Staff

Hi,

Yes, I know they will come back.. that's why we need Combofix.

Did you disable your Antivirus? Please try to run Combofix again. If that doesn't work, try to run Combofix from Windows safe mode or rename Combofix.

Also make sure Combofix was launched from your desktop and not from anywhere else.


I did disable the NAV realtime monitor as per the instructions in the thread, and Windows Firewall. I tried renaming it to comb-fix before copying it to the machine, but it still got killed almost instantly. I have not tried in safe mode yet, but I'm not hopeful. It killed MBAM updates in both normal and safe mode.

I have the install CD and I was thinking of booting into recovery mode and manually pulling the virus files. Will that work, or is it embedded somewhere else that I can't get to? Is it possible to edit the registry files offline and replace them before bootup? Just throwing ideas out, as the @#$@# trojan seems to have read the help manual.

Thanks,


  • Staff

Hi,

How would you be able to delete the malware if you don't know what to delete? :)

That's why those logs (combofix) are needed. It's not needed to remove this malware from Windows Recovery console anyway, since it can be deleted easily manually. Problem here is not deleting, but knowing what to delete. What HijackThis shows is only a small part :blink:

Anyway, Can you try Combofix from Windows safe mode?

If that still doesn't work, then, Please download DDS and save it to your desktop.

  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.

---------------------------------------------------

Copy and paste the contents of DDS.txt in your next reply. Do not copy and paste the contents of Attach.txt, but attach it to your reply instead.


I'll try safe mode and DDS when I get home. I was referring to the 3 dll files that keep getting put back into the registry every time I remove them with HijackThis. Not sure if they are the only infected files or if there are more. All the other stuff stayed removed from the registry after I removed it. I'll post the logs tonight when I get back home.

Thanks,


  • Staff

No, because I need to know what malware is there first. I can't write a script if I don't know what needs to be removed. Also, that script would be only to use with Combofix. So if Combofix won't run, then there's no point in writing a script for it either. We'll have to deal with everything manual then.

You're dealing with several different malware though..

Anyway, please run DDS. :blink:


dofewisu.dll is the one that seems to be running all the time; every time I start an app, NAV realtime scan goes nuts complaining about it being active. It will rack up 400 counts of seeing dofewisu.dll during one session of running MBAM. Not sure about the others, but they seem to be coming back also.


  • Staff

Yes, DDS is a .scr file, that's why your AV or other scanner should be disabled, since it may see this as suspicious.

The reason why DDS is a scr file is in case malware messes with exe and com extensions :blink:

Yes, I also know about the dll running all the time; that's because another dll is reloading it every time, and in case you delete it, it will reinstall it again.

That's why we need the logs to see what other dlls are reloading it + I also have the feeling that the Sentinel Rootkit is present here as well, but we can deal with that manually too :huh:

The advantage is that you appear to know how to work with computers, so manual removal (even when it's a bit more advanced) shouldn't be any problem then.

Combofix in combination with the script is just an easier way to deal with it, but if combofix won't run, then we'll use other methods :)


Its official Malware owns my computer. The DDS .scr file is killed as soon as it opens, and combofix gets killed as soon as it opens. Nothing will run in either normal or safe mode. For the love of god what got on my machine.....

What are the next steps? I do have an external enclosure.... will any of these programs run against a slaved drive?


  • Staff
What are the next steps? I do have an external enclosure.... will any of these programs run against a slaved drive?
No, I'm pretty sure that would fail as well; however, if you don't try, you won't know :)

Looks like the malware is targeting certain tools. However, if there's NOTHING that you can run, not even other tools which are not scanners or security tools, then it means that it's already a lost case and the malware has already compromised too much (when a file infector is present).

Anyway, try next:

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the Avira AntiVir Rescue System from here
  • Place a blank CD in your burner and double-click on the downloaded file.
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Screen resolution problems

Please see the post here if you're unable to view the entire screen of Avira.

When done, try Combofix again. If still no luck with running combofix,

Download OTListIt2 to your desktop. http://oldtimer.geekstogo.com/OTListIt2.exe

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

1. When the window appears, underneath Output at the top change it to Minimal Output.

2. Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

3. When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.

4. Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your topic.


Avira AntiVir disk is made. It ran into problems on boot when it was trying to mount fd0. I don't think it's the trojan this time, at least :) Will probably need to turn off the floppy controller and maybe remove the internal combo flash drive to make it happy.

I did come across a few other interesting things when trying to figure out how to get it to boot:

1) Will Windows 2000 compatibility mode make a difference for ComboFix? I saw several posts recommending this to get around trojans shutting down MBAM.

2) Is the trojan loaded as a driver? I looked at the non-PnP (hidden) system files; there are only 20 or so. If I come across something that is for hardware I don't have, will disabling the hardware help things?

3) Finally, is there a way to update MBAM offline on another computer and copy over the updated database? What files do I copy?

Still working on getting the linux boot disk to work (once upon a time I knew how to maintain my own linux box for a programming class but memories fade)

Thanks for all your patience


Finally! I am getting somewhere

Avira boot disk is quite cool. Took a little bit of fiddling (it is linux after all) but I got it working

Here is what it found so far:

/sda1 3278rXXXXwfwx contains APPL/PsExec.E Same error as combofix

/sda1/mark/local settings/diphohp.xiy TR/Spy.Agent.frt

/sda1/.../mydoc/classes/duane AGASetup0609.exe DR/Gator.3102 I think this is the instal file from something I killed a while back

/sda1/windows/system32/dabuloje.exe TR/Dldr.FLoad.vnjg

rest were warnings for encrypted files or too large to scan completely (all were things that have been there for years)

The thing that worries me is that it did not seem to care about the dofewisu.dll that Norton was going nuts about. I shut down the system as I'm not sure if I should rename that file manually from the Linux prompt. (I think I remember how to navigate Linux.) Pretty sure that one will boot right back up from the load init in the registry.

Whats next?


  • Staff

Hi,

Please reboot to Windows and try Combofix again.

If that still doesn't work, run the scan I talked about earlier:

Download OTListIt2 to your desktop. http://oldtimer.geekstogo.com/OTListIt2.exe

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

1. When the window appears, underneath Output at the top change it to Minimal Output.

2. Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

3. When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.

4. Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your topic.

Edited. See posts below :)


  • Staff

Extra addition...

It *could* be possible that you're also dealing with the newest Daonol variant, because that may explain why most tools don't work either (except for Malwarebytes).

If you were dealing with the CLB rootkit, then you wouldn't even be able to run MalwareBytes either, so since you can use malwarebytes, it may be something else. And the other malware present shouldn't block tools like combofix and DDS either.

I know the Daonol trojan does, so let's check for it as well..

To do this... Open your regedit via start > run..

There, browse to the following key:

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

You'll see on the left that you can expand the keys (they will look like folders). So expand them until you get to drivers32.

Right-click the drivers32 key (folder) and select to export:

[screenshot: drivers32b.gif]

(sorry, my regedit is in Dutch, but I'm sure you understand)

Give it a name and export it as a txtfile on your desktop.

Then copy and paste the contents of it in your next reply.

If confused, please ask first.

In case you can't run regedit, use reglite instead: http://www.resplendence.com/download/rrtri.exe

Edit:I'm pretty sure now you're dealing with Daonol as well. Regedit won't work either, so you'll have to use reglite instead to get that export.

Once we deal with the Daonol trojan, then we can deal with the rest as well (since tools will work again) :)

Edited by miekiemoes
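The staff member wants a plain-text export of the Drivers32 key rather than a screenshot, because the export can be read offline and compared against what a clean install carries. As an added example, not from the original thread, this Python script parses a regedit export (.reg) and lists Drivers32 values that break the bare-module-name form a default install uses. The sample export is constructed; "hypothetical.dll" and the ".xyz" entry are invented placeholders, not real malware file names, and the checks are review heuristics, not a Daonol signature.

```python
"""Parse a regedit export and review the Drivers32 key for values that merit a closer look."""
import re

# Constructed example of a regedit export of the Drivers32 key. The first five values have
# the shape a default install has; the last two are hypothetical placeholders for the kind
# of entry the export is meant to surface (they are not real malware file names).
SAMPLE_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"vidc.cvid"="iccvid.dll"
"wavemapper"="msacm32.drv"
"aux"="C:\\WINDOWS\\system32\\hypothetical.dll"
"msacm.example"="C:\\Documents and Settings\\mark\\Local Settings\\hypothetical.xyz"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
STRING_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')
# Extensions the multimedia driver entries in Drivers32 normally use.
DRIVER_EXTS = {".dll", ".drv", ".acm"}


def unescape(s):
    # Undo .reg string escaping (doubled backslash, escaped double quote).
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' or REGEDIT4 export into
    {key_path: {value_name: data}}. String data is decoded; hex(...) data is kept
    as its raw token, and continuation lines of long hex values are not joined."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        if m := VALUE_RE.match(line):
            name_tok, data = m.groups()
            name = "(Default)" if name_tok == "@" else unescape(name_tok[1:-1])
            if s := STRING_RE.match(data):
                data = unescape(s.group(1))
            keys[current][name] = data
    return keys


def suspicious_drivers32(keys):
    """Heuristic review of Drivers32. On a default install its values are bare module names
    that live in system32 and carry driver extensions; a full path, a file outside system32
    or an odd extension is what to look at first. Returns [(value_name, data, reason)]."""
    hits = []
    for key, values in keys.items():
        if not key.lower().endswith("\\drivers32"):
            continue
        for name, data in values.items():
            d = data.lower()
            base = d.rsplit("\\", 1)[-1]
            ext = base[base.rfind("."):] if "." in base else ""
            reasons = []
            if "\\" in d:
                reasons.append("full path instead of bare module name")
                if "\\system32\\" not in d:
                    reasons.append("file lives outside system32")
            if ext not in DRIVER_EXTS:
                reasons.append(f"unusual extension {ext or '(none)'}")
            if reasons:
                hits.append((name, data, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    import sys
    # regedit writes Version 5.00 exports as UTF-16 (REGEDIT4 exports are ANSI).
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for name, data, why in suspicious_drivers32(parse_reg(text)):
        print(f"{name} = {data}  <-- {why}")
```

The parser is deliberately permissive: it tolerates comments and blank lines and keeps any hex-encoded value as an opaque token, so a value that was rewritten as REG_BINARY or REG_EXPAND_SZ still shows up in the key dump even though it is not decoded. If regedit itself is being killed, the same export can be produced with another registry viewer and fed to the script unchanged.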

Are you sure there is no harm in using the Linux shell from Avira and renaming the 3 dll files that I know are in the registry? I have the computer disconnected from the internet so it will have a hard time recreating the files from scratch. Take that, Darth Vader! Anyway, I'm getting tired of the dll files and NAV fighting it out and slowing down the computer. Otherwise, I'll get the system booted and pull the registry. If worst comes to worst, I can pull the raw hive and look at it from another computer.

Will you be around over the weekend?


  • Staff

Hi,

Skip that step with Avira etc etc and boot to Windows and perform the instructions I posted the last :)

Then we'll deal with the rest. There will be no need to use Avira anyway, since I'm pretty sure now what the cause is. Once we've dealt with the main cause, tools like ComboFix will run, so we can deal with the rest very easily.
