Malwarebytes Anti-Malware crashes when scanning wlandlg.dll in System32

[KNedyalkov]

Hello, 

Before a few days I connected my hard drives to my mother's computer. After I connected them again to my computer I found a folder named $Recycle.Bin. Then I downloaded Malwarebytes, updated it and start a scan. I check what is the situation after an hour and the whole computer was not responding. So I restarted it and try to scan it again, but... same situation. After a few tries I went to Safe mode but Malwarebytes crashed every time when start scanning C:/Windows/System32/wlandlg.dll . 

I'll be glad if you have idea why is this happening and is it possible to finish the scan and remove the founded malware. 

 

Thank you in advance.

[kevinf80]

That file you quote causing the crash is a legitimate Windows system file, are you sure that is causing the issue you mention..

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Double-click to run it. When the tool opens click Yes to disclaimer.
  
• Press Scan button.
  
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
  

 

Kevin...

[KNedyalkov]

My first scan with Farbar: 

 

And sadly Yes, I am sure that this dll file is the problem.

 

 

FRST.txt

[KNedyalkov]

Here is the Addition.txt file 

Addition.txt

[kevinf80]

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Next,

 

Run Malwarebytes,  Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Full scan

Make sure that everything is checked, and click Remove Selected on any found items.

 

Post the produced log...

 

Next,

 

Download AdwCleaner by Xplode from here: http://www.bleepingcomputer.com/download/adwcleaner/ and save to your Desktop.

 

• Double click on AdwCleaner.exe to run the tool.
  
• Vista/Windows 7/8 users right-click and select Run As Administrator
  
• Click on the Scan button.
  
• AdwCleaner will begin...be patient as the scan may take some time to complete.
  
• When it's done you'll see: Pending: Uncheck any elements you don't want removed.
  
• Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  
• Look over the log especially under Files/Folders for any program you want to save.
  
• If there's a program you want to save, just uncheck it from AdwCleaner.
  
• If you're not sure, post the log for review.
  
• If you're ready to clean it all up.....click the Clean button.
  
• After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  
• Copy and paste the contents of that logfile in your next reply.
  
• A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  
• Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  
• To restore an item that has been deleted (if necessary):
  
• Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
  

 

Next,

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop. (If your security alerts either accept the alert, or turn the security off while Secuirity Check runs)

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

Let me see those logs, also zip up and attach the following file:

 

C:\Windows\Minidump\112813-35069-01.dmp

 

Thanks,

 

Kevin

 

fixlist.txt

[KNedyalkov]

First will post FRST Log:

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 20-12-2013 02

Ran by Kiril at 2013-12-21 23:23:22 Run:2

Running from C:\Users\Kiril\Desktop

Boot Mode: Normal

 

==============================================

 

Content of fixlist:

*****************

Start

MountPoints2: I - I:\AutoRun.exe

MountPoints2: {00c64b4f-4e3e-11e3-b9e7-f04da2d32cbf} - H:\_AUTORUN\AUTORUN.EXE

MountPoints2: {00c64b52-4e3e-11e3-b9e7-f04da2d32cbf} - J:\_AUTORUN\AUTORUN.EXE

MountPoints2: {00c64c33-4e3e-11e3-b9e7-f04da2d32cbf} - I:\AutoRun.exe

MountPoints2: {00c64c58-4e3e-11e3-b9e7-002268defd87} - I:\AutoRun.exe

MountPoints2: {81581599-1b93-11e2-9323-002268defd87} - G:\_AUTORUN\AUTORUN.EXE

MountPoints2: {8587b800-06d9-11e3-8d18-f04da2d32cbf} - F:\Windows\AutoRun.exe

HKU\Mcx1-LAPTOP\...\Winlogon: [shell] C:\Windows\eHome\McrMgr.exe [ 2009-07-14] (Microsoft Corporation) <==== ATTENTION 

URLSearchHook: HKLM - uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files\uTorrentControl_v2\prxtbuTor.dll (Conduit Ltd.)

URLSearchHook: HKCU - uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files\uTorrentControl_v2\prxtbuTor.dll (Conduit Ltd.)

SearchScopes: HKCU - DefaultScope {1BC142EF-4C3A-4E7B-8F78-042BA0E7F974} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468

SearchScopes: HKCU - {1BC142EF-4C3A-4E7B-8F78-042BA0E7F974} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468

BHO: uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files\uTorrentControl_v2\prxtbuTor.dll (Conduit Ltd.)

Toolbar: HKLM - uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files\uTorrentControl_v2\prxtbuTor.dll (Conduit Ltd.)

Toolbar: HKCU - uTorrentControl_v2 Toolbar - {7473B6BD-4691-4744-A82B-7854EB3D70B6} - C:\Program Files\uTorrentControl_v2\prxtbuTor.dll (Conduit Ltd.)

C:\Program Files\uTorrentControl_v2

C:\Users\Kiril\AppData\Local\Temp\avguidx.dll

C:\Users\Kiril\AppData\Local\Temp\DTLite4481-0347.exe

C:\Users\Kiril\AppData\Local\Temp\GenericWndApi.dll

C:\Users\Kiril\AppData\Local\Temp\GomEncDnInstaller.exe

C:\Users\Kiril\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe

C:\Users\Kiril\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe

C:\Users\Kiril\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe

C:\Users\Kiril\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe

C:\Users\Kiril\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe

C:\Users\Kiril\AppData\Local\Temp\MachineIdCreator.exe

C:\Users\Kiril\AppData\Local\Temp\mirc727.exe

C:\Users\Kiril\AppData\Local\Temp\oi_{32FF9F70-3304-4F97-9EA6-3D5853A19366}.exe

C:\Users\Kiril\AppData\Local\Temp\ose00000.exe

C:\Users\Kiril\AppData\Local\Temp\SkypeSetup.exe

C:\Users\Kiril\AppData\Local\Temp\SRLDetectionLibrary290113829818175543.dll

C:\Users\Kiril\AppData\Local\Temp\swt-win32-3349.dll

C:\Users\Kiril\AppData\Local\Temp\tbedrs.dll

C:\Users\Kiril\AppData\Local\Temp\UNINSTALL.EXE

AlternateDataStreams: C:\ProgramData\TEMP:1CE11B51

C:\Users\Kiril\AppData\Local\Temp\utt3BAB.tmp.exe

End

 

 

 

*****************

 

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\I => Key not found.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00c64b4f-4e3e-11e3-b9e7-f04da2d32cbf} => Key not found.

HKCR\CLSID\{00c64b4f-4e3e-11e3-b9e7-f04da2d32cbf} => Key not found.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00c64b52-4e3e-11e3-b9e7-f04da2d32cbf} => Key not found.

HKCR\CLSID\{00c64b52-4e3e-11e3-b9e7-f04da2d32cbf} => Key not found.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00c64c33-4e3e-11e3-b9e7-f04da2d32cbf} => Key not found.

HKCR\CLSID\{00c64c33-4e3e-11e3-b9e7-f04da2d32cbf} => Key not found.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00c64c58-4e3e-11e3-b9e7-002268defd87} => Key not found.

HKCR\CLSID\{00c64c58-4e3e-11e3-b9e7-002268defd87} => Key not found.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{81581599-1b93-11e2-9323-002268defd87} => Key not found.

HKCR\CLSID\{81581599-1b93-11e2-9323-002268defd87} => Key not found.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8587b800-06d9-11e3-8d18-f04da2d32cbf} => Key not found.

HKCR\CLSID\{8587b800-06d9-11e3-8d18-f04da2d32cbf} => Key not found.

HKU\Mcx1-LAPTOP\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value not found.

HKLM\Software\Microsoft\Internet Explorer\URLSearchHooks\\{7473b6bd-4691-4744-a82b-7854eb3d70b6} => Value not found.

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{7473b6bd-4691-4744-a82b-7854eb3d70b6} => Value not found.

HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value deleted successfully.

HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{1BC142EF-4C3A-4E7B-8F78-042BA0E7F974} => Key not found.

HKCR\Wow6432Node\CLSID\{1BC142EF-4C3A-4E7B-8F78-042BA0E7F974} => Key not found.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7473b6bd-4691-4744-a82b-7854eb3d70b6} => Key not found.

HKCR\CLSID\{7473b6bd-4691-4744-a82b-7854eb3d70b6} => Key not found.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{7473b6bd-4691-4744-a82b-7854eb3d70b6} => Value not found.

HKCR\CLSID\{7473b6bd-4691-4744-a82b-7854eb3d70b6} => Key not found.

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7473B6BD-4691-4744-A82B-7854EB3D70B6} => Value not found.

HKCR\CLSID\{7473B6BD-4691-4744-A82B-7854EB3D70B6} => Key not found.

"C:\Program Files\uTorrentControl_v2" => File/Directory not found.

"C:\Users\Kiril\AppData\Local\Temp\avguidx.dll" => File/Directory not found.

"C:\Users\Kiril\AppData\Local\Temp\DTLite4481-0347.exe" => File/Directory not found.

"C:\Users\Kiril\AppData\Local\Temp\GenericWndApi.dll" => File/Directory not found.

"C:\Users\Kiril\AppData\Local\Temp\GomEncDnInstaller.exe" => File/Directory not found.

"C:\Users\Kiril\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe" => File/Directory not found.

"C:\Users\Kiril\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe" => File/Directory not found.

"C:\Users\Kiril\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe" => File/Directory not found.

"C:\Users\Kiril\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe" => File/Directory not found.

"C:\Users\Kiril\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe" => File/Directory not found.

"C:\Users\Kiril\AppData\Local\Temp\MachineIdCreator.exe" => File/Directory not found.

"C:\Users\Kiril\AppData\Local\Temp\mirc727.exe" => File/Directory not found.

"C:\Users\Kiril\AppData\Local\Temp\oi_{32FF9F70-3304-4F97-9EA6-3D5853A19366}.exe" => File/Directory not found.

"C:\Users\Kiril\AppData\Local\Temp\ose00000.exe" => File/Directory not found.

"C:\Users\Kiril\AppData\Local\Temp\SkypeSetup.exe" => File/Directory not found.

"C:\Users\Kiril\AppData\Local\Temp\SRLDetectionLibrary290113829818175543.dll" => File/Directory not found.

"C:\Users\Kiril\AppData\Local\Temp\swt-win32-3349.dll" => File/Directory not found.

"C:\Users\Kiril\AppData\Local\Temp\tbedrs.dll" => File/Directory not found.

"C:\Users\Kiril\AppData\Local\Temp\UNINSTALL.EXE" => File/Directory not found.

C:\ProgramData\TEMP => ":1CE11B51" ADS removed successfully.

"C:\Users\Kiril\AppData\Local\Temp\utt3BAB.tmp.exe" => File/Directory not found.

 

==== End of Fixlog ====

 

If I finish the scan with Malwarebyte I'll post it in next post.

[kevinf80]

OK thanks, very strange FRST fix only find/fix two entries from fix script.....Post other logs when ready..

[KNedyalkov]

Good morning, 

First I want to apologize for the FRST report. I contact another forum a week ago and they start with some of these procedures, but now no one is responding anymore :S.

 

Here is fresh FRST log and Addition.txt 

 

 

Addition.txt

FRST.txt

[kevinf80]

If you are already receiving help elsewhere you should be patient and stick with that helper or you will only cause confusion....

[KNedyalkov]

Ok and sorry again, but if the other forum will not reply me in next few days I'll come back here. Thank you again for the help. 

[kevinf80]

Thats ok, I understand you want a fix as quick as possible. We will close out now, stick with your other helper until you get a conclusion.

 

Take care,

 

Kevin.....

[AdvancedSetup]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.