repitall Posted October 21, 2011 ID:487693 Share Posted October 21, 2011 Hope this is in the right forum.Just updated and ran quick scan. Found 2 entries for a backdoor virus listed as urlmon.dll with 2 entries in the registry. Selected remove and was prompted to restart to finish cleaning. When restarting get "explorer.exe - unable to locate" message and "application failed to start because urlmon.dll not found".Can not boot in safe mode or run repair from the XP Pro disk without getting the same failed to load message. Have no access to the c: drive using other tools ie. UBCDTrying to figure out what happened here. Was it a false positive or was there really a backdoor trojan/virus? Please...any help would be appreciated Link to post Share on other sites More sharing options...
repitall Posted October 21, 2011 Author ID:487699 Share Posted October 21, 2011 Hope this is in the right forum.Just updated and ran quick scan. Found 2 entries for a backdoor virus listed as urlmon.dll with 2 entries in the registry. Selected remove and was prompted to restart to finish cleaning. When restarting get "explorer.exe - unable to locate" message and "application failed to start because urlmon.dll not found".Can not boot in safe mode without getting the same failed to load message. Run repair from XP Pro CD and when I run chkdsk I get " volume appears to contain one or more unrecoverable problems". Have no access to the c: drive using other tools ie. UBCDTrying to figure out what happened here. Was it a false positive or was there really a backdoor trojan/virus? Please...any help would be appreciated Link to post Share on other sites More sharing options...
repitall Posted October 22, 2011 Author ID:487832 Share Posted October 22, 2011 Here is a copy of the log.Malwarebytes' Anti-Malware 1.51.2.1300www.malwarebytes.orgDatabase version: 7994Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.1870210/21/2011 2:41:15 PMmbam-log-2011-10-21 (14-41-15).txtScan type: Quick scanObjects scanned: 47348Time elapsed: 5 minute(s), 39 second(s)Memory Processes Infected: 0Memory Modules Infected: 1Registry Keys Infected: 2Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:c:\WINDOWS\system32\urlmon.dll (Backdoor.Bot) -> Delete on reboot.Registry Keys Infected:HKEY_CLASSES_ROOT\CLSID\{484DC9B4-484D-C9B4-484D-C9B4484DC9B4} (Backdoor.Bot) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{0968e258-16c7-4dba-aa86-462dd61e31a3} (Backdoor.Bot) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:c:\WINDOWS\system32\urlmon.dll (Backdoor.Bot) -> Delete on reboot. Link to post Share on other sites More sharing options...
Staff shadowwar Posted October 22, 2011 Staff ID:487866 Share Posted October 22, 2011 Can you boot and run mbam to restore the entries from quaritine? Then reboot and let me know what happens. need more specific error messages to see what may be going on. If the restore from quaritine works can you please zip and upload this file?c:\WINDOWS\system32\urlmon.dll Link to post Share on other sites More sharing options...
repitall Posted October 22, 2011 Author ID:487874 Share Posted October 22, 2011 Can you boot and run mbam to restore the entries from quaritine? Then reboot and let me know what happens. need more specific error messages to see what may be going on. If the restore from quaritine works can you please zip and upload this file?c:\WINDOWS\system32\urlmon.dllI cannot restore from quarantine because I cannot boot the drive to safe mode or any other option without getting the errors mentioned. I have pulled the drive and can read it connected to my laptop. Have run MSE and Superantispyware and now am running MB again to see what it finds. Link to post Share on other sites More sharing options...
Staff shadowwar Posted October 22, 2011 Staff ID:487885 Share Posted October 22, 2011 The error mentioned prevents you from booting? Removing this if it was a valid file should not cause a total non boot problem. Can you please provide the exact error?Can u search for a urlmon.dll file on the drive and see if any are located here:c:\WINDOWS\system32\urlmon.dll Link to post Share on other sites More sharing options...
Staff shadowwar Posted October 22, 2011 Staff ID:487889 Share Posted October 22, 2011 Also after you see these errors what happens next? Does it freeze? Does it continue booting?Also if you are 100% booting of cd then this shouldnt be possible.. run repair from the XP Pro disk without getting the same failed to load message. Link to post Share on other sites More sharing options...
repitall Posted October 22, 2011 Author ID:487894 Share Posted October 22, 2011 The error mentioned prevents you from booting? Removing this if it was a valid file should not cause a total non boot problem. Can you please provide the exact error?Can u search for a urlmon.dll file on the drive and see if any are located here:c:\WINDOWS\system32\urlmon.dllThe exact error is "explorer.exe - unable to locate" window and "application failed to start because urlmon.dll not found message".No, urlmon.dll is not in c:\WINDOWS\system32When I say prevents me from booting, I mean that windows starts to load, then I get the message and just desktop with nothing on it.Thanks for the help Link to post Share on other sites More sharing options...
Staff shadowwar Posted October 22, 2011 Staff ID:487896 Share Posted October 22, 2011 Ok with the drive connected to the laptop please do a file search for urlmon.dllIf one is found here:c:\windows\system32\dllcache\urlmon.dllThen copy it to here:c:\windows\system32\urlmon.dllBoot off the drive. If you still get to desktop without any icons or start bar then ctrl alt del to get to taskmanager. Click on the applications tab of taskmanager.click the new task button at bottomin the create new task window typecmdthen hit enter.In the black dos window type the following.regsvr32 urlmon.dllYou should get registering urlmon.dll succeeded.Reboot and see what happens. Did you run any other tools besides mbam during the booted session when this happened? Link to post Share on other sites More sharing options...
repitall Posted October 22, 2011 Author ID:487898 Share Posted October 22, 2011 Ok with the drive connected to the laptop please do a file search for urlmon.dllIf one is found here:c:\windows\system32\dllcache\urlmon.dllThen copy it to here:c:\windows\system32\urlmon.dllBoot off the drive. If you still get to desktop without any icons or start bar then ctrl alt del to get to taskmanager. I do not have dllcache folder in windows\system32 on the laptop, but I have urlmon.dll in windows\system 32 folder and also have the urlmon.dl_ file from the i386 folder. Does it matter?Click on the applications tab of taskmanager.click the new task button at bottomin the create new task window typecmdthen hit enter.In the black dos window type the following.regsvr32 urlmon.dllYou should get registering urlmon.dll succeeded.Reboot and see what happens. Did you run any other tools besides mbam during the booted session when this happened? Link to post Share on other sites More sharing options...
repitall Posted October 22, 2011 Author ID:487899 Share Posted October 22, 2011 sorry reply got posted in the middle of your reply..I do not have dllcache folder in windows\system32 on the laptop, but I have urlmon.dll in windows\system 32 folder and also have the urlmon.dl_ file from the i386 folder. Does it matter? Link to post Share on other sites More sharing options...
Staff shadowwar Posted October 22, 2011 Staff ID:487911 Share Posted October 22, 2011 Meant do it from the laptop and search on the drive that has the problem. Do not take the files from the laptop.copying files from problem drive to problem drive. Link to post Share on other sites More sharing options...
repitall Posted October 22, 2011 Author ID:487913 Share Posted October 22, 2011 Forgot to answer your other question. I ran ccleaner before MB and then when it asked to reboot is when the problem started. Link to post Share on other sites More sharing options...
repitall Posted October 22, 2011 Author ID:487918 Share Posted October 22, 2011 Meant do it from the laptop and search on the drive that has the problem. Do not take the files from the laptop.copying files from problem drive to problem drive.Do not have windows\system32\dllcache folder on the affected drive. Link to post Share on other sites More sharing options...
Staff shadowwar Posted October 22, 2011 Staff ID:487922 Share Posted October 22, 2011 IT should be there. http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/Please follow the link above for xp. Link to post Share on other sites More sharing options...
Staff shadowwar Posted October 22, 2011 Staff ID:487923 Share Posted October 22, 2011 If you can still find it. please do this:Boot off the drive.If you still get to desktop without any icons or start bar then ctrl alt del to get to taskmanager.click the new task button at bottomin the create new task window typeC:\Program Files\Malwarebytes' Anti-Malware\mbam.exeMalwarebytes should launch. Go to the quaritine tab and restore the entries shown in the above log. Reboot and see if desktop came back. Link to post Share on other sites More sharing options...
repitall Posted October 22, 2011 Author ID:487934 Share Posted October 22, 2011 Ok, you were right, I wasn't showing all folders. So copied urlmon.dll to system32 rebooted and desktop came up with no errors. Ran resvr32 urlmon.dll and it succeeded. Rebooted and appears to be normal.So now should I restore quaratine from MB?Should I run MB again to see if it finds backdoor.bot in urlmon.dll?Still don't know if I had an infection or this was a False Positive.Thanks so much for your help Link to post Share on other sites More sharing options...
Staff shadowwar Posted October 22, 2011 Staff ID:487936 Share Posted October 22, 2011 Please stick with me here. Getting help at multiple sites can cause a lot more problems. Do not restore from quarintine as we repaired the stuff manually. Please Do not delete the quarantine section at this time.Ok now that this is repaired. Please run mbam and update. Then re-run the scan. Save the log and post it here. DO NOT remove anything if its detected. Link to post Share on other sites More sharing options...
repitall Posted October 22, 2011 Author ID:487939 Share Posted October 22, 2011 Quick scan ran, should I do a full scan also?Malwarebytes' Anti-Malware 1.51.2.1300www.malwarebytes.orgDatabase version: 8000Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.1870210/22/2011 1:39:12 PMmbam-log-2011-10-22 (13-39-12).txtScan type: Quick scanObjects scanned: 47134Time elapsed: 4 minute(s), 53 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
Staff shadowwar Posted October 22, 2011 Staff ID:487942 Share Posted October 22, 2011 No not necessary at this time. Trying to figure out the cause of the detections. Ok now please go into quarantine tab and restore only this one line:(Backdoor.Bot) HKEY_CLASSES_ROOT\CLSID\{484DC9B4-484D-C9B4-484D-C9B4484DC9B4} Please leave the others in there at this time.Then please run regedit from the run command off the start menu.please navigate to here:HKEY_CLASSES_ROOT\CLSID\{484DC9B4-484D-C9B4-484D-C9B4484DC9B4}Right click on this part {484DC9B4-484D-C9B4-484D-C9B4484DC9B4}and hit export. Save the file to desktop or wherever you will find it.Open the file with notepad and paste the contents here. After that is done please rerun a quick scan again and see if the detections are back. DO NOT remove them if they are. Just paste the log again.Thanks for helping us troubleshoot this! Link to post Share on other sites More sharing options...
repitall Posted October 22, 2011 Author ID:487949 Share Posted October 22, 2011 Windows Registry Editor Version 5.00[HKEY_CLASSES_ROOT\CLSID\{484DC9B4-484D-C9B4-484D-C9B4484DC9B4}]@="PersistentZoneIdentifier"[HKEY_CLASSES_ROOT\CLSID\{484DC9B4-484D-C9B4-484D-C9B4484DC9B4}\InProcServer32]@="C:\\WINDOWS\\system32\\urlmon.dll""ThreadingModel"="Apartment"running scan now Link to post Share on other sites More sharing options...
repitall Posted October 22, 2011 Author ID:487952 Share Posted October 22, 2011 They are backMalwarebytes' Anti-Malware 1.51.2.1300www.malwarebytes.orgDatabase version: 8000Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.1870210/22/2011 2:13:52 PMmbam-log-2011-10-22 (14-13-38).txtScan type: Quick scanObjects scanned: 47386Time elapsed: 2 minute(s), 51 second(s)Memory Processes Infected: 0Memory Modules Infected: 1Registry Keys Infected: 2Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:c:\WINDOWS\system32\urlmon.dll (Backdoor.Bot) -> No action taken.Registry Keys Infected:HKEY_CLASSES_ROOT\CLSID\{484DC9B4-484D-C9B4-484D-C9B4484DC9B4} (Backdoor.Bot) -> No action taken.HKEY_CLASSES_ROOT\CLSID\{0968e258-16c7-4dba-aa86-462dd61e31a3} (Backdoor.Bot) -> No action taken.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:c:\WINDOWS\system32\urlmon.dll (Backdoor.Bot) -> No action taken. Link to post Share on other sites More sharing options...
Staff shadowwar Posted October 22, 2011 Staff ID:487958 Share Posted October 22, 2011 Ok re run the quick scan and check only THIS line to removeHKEY_CLASSES_ROOT\CLSID\{484DC9B4-484D-C9B4-484D-C9B4484DC9B4} (Backdoor.Bot) -> No action Please uncheck the other lines. You should be fine after that. You can verify by running another quick scan. We now have enough information that we can investigate this. Thanks for all your help. Link to post Share on other sites More sharing options...
repitall Posted October 22, 2011 Author ID:487963 Share Posted October 22, 2011 Removed that 1 registry entry and quick scan was clean.I know you need some time to determine if it was a false positive or not, but do you think it is safe to do a full backup at this time? I would hate for this possible backdoor.bot to spread across my network and backups.Also will you let me know what the conclusion is? Link to post Share on other sites More sharing options...
Staff shadowwar Posted October 22, 2011 Staff ID:487971 Share Posted October 22, 2011 Well that one line was bad but it was just a registry entry. Some infection dropped it but was probably partially cleaned by one of the other tools or programs you ran. You had no file infection so all should be fine now and clean. Its safe to run a backup.One other question. When did this first appear? Were any of the other programs you have detect anything about the same time? If so do you have those logs?Thanks. Link to post Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now