Help with Malware/Virus - Blocking Programs from Opening

Status
Not open for further replies.

JHibb

Posts: 19   +0
Hello!

I've attempted to follow protocol and follow the 8 steps. So far I have been able to install Avira, Comodo, CCleaner, HijackThis. For some reason or another I have been unsuccessful with Malwarebytes and SUPERAntiSpyware. Malwarebytes is installed but won't run. I haven't been able to install SUPERAntiSpyware...

Once I boot up my computer it pretty much locks up on me. Whatever is infecting my computer is forced on me through notifications, websites, antispyware programs.

Once this goes into effect I am unable to open Task Manager, the programs I just installed (from the 8 steps), or a web browser.

I am only able to access some functionality if I immediately open my Task Manager and begin deleting processes. It appears I can get some of the programs to run if I get them opened immediately after I boot up. After a minute or two, I am unable to do anything.

Avira, however, seems to work regardless and I get flooded with alerts.

So far the only step of the 8 I have been successful with is HiJackThis. I have attached my log.

I will be running CCleaner and Avira overnight - everything seems to be moving at a snail's pace. Avira did complete a scan today and found all sorts of stuff, then when I tried to quarantine the files... it stopped working. I've been at this all day and I am very frustrated.

Please help.

Thank you,
Jamie
 
Yep 60 Windows Startups can cause that :D
I have 1 if that helps ;)

Start your Computer in Safe Mode With Networking (F8 before Windows starts up)
Then update Avira and run another scan (a few things were missed ;))
And also run updated Malwarebytes scan (although in Safe Mode Malwarebytes does not find them all)

Restart

Then run another updated Malwarebytes scan
 
Thank you!
I tried to start in Safe Mode with Networking and was unable. The computer kept shutting off when it was trying to load.

However, I was able to run the 8 steps. I have attached my logs.

Now, for whatever reason, I can no longer access the internet from that computer. My connection doesn't even show up.

Thank you, again for your help.
 
Ok, well, still lots of issues, I think compounded by lack of Internet connection and not being able to do updates

Start Hijackthis Scan Only
Tick all of the following entry boxes
Before selecting FIX, close all Internet browsers (and close Spybot S&D)
Then select FIX
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: (no name) - {C5B24B16-23F2-41AD-F4E4-00ABC39C0004} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O4 - HKLM\..\Run: [oseckt] RUNDLL32.EXE C:\WINDOWS\system32\msronhte.dll,w
O4 - HKLM\..\Run: [e0a2q5a8] C:\Documents and Settings\All Users\Application Data\e0a2q5a8\e0a2q5a8.exe
O4 - HKLM\..\Run: [Myuzapojuyibo] rundll32.exe "C:\WINDOWS\ayimiforawumi.dll",Startup
O4 - HKCU\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\DOCUME~1\jhibbard\LOCALS~1\Temp\qeo6a.exe
O4 - HKCU\..\Run: [NeoChronos] C:\DOCUME~1\jhibbard\LOCALS~1\Temp\y.exe
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\jhibbard\LOCALS~1\Temp\mdm.exe
O4 - HKUS\S-1-5-21-2326956574-3100943105-2500339100-1128\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\DOCUME~1\jhibbard\LOCALS~1\Temp\qeo6a.exe (User '?')
O4 - HKUS\S-1-5-21-2326956574-3100943105-2500339100-1128\..\Run: [NeoChronos] C:\DOCUME~1\jhibbard\LOCALS~1\Temp\y.exe (User '?')
O4 - HKUS\S-1-5-21-2326956574-3100943105-2500339100-1128\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\jhibbard\LOCALS~1\Temp\mdm.exe (User '?')

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O16 - DPF: {0D062C61-F69C-11D6-A718-00C0F02CC8EE} (FISERV FIPSCO Report Viewer) - https://lpss.amerus.com/amu/reports/control/amurptview.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://nfp.webex.com/client/T25L/webex/ieatgpc.cab
O20 - AppInit_DLLs: c:\windows\system32\zufusosa.dll rusogebu.dll C:\WINDOWS\system32\guard32.dll

O20 - Winlogon Notify: kbupdate - C:\WINDOWS\SYSTEM32\kbupdate.dll
O21 - SSODL: rimudakub - {0f275c84-6e48-4c6c-a81f-ba7059128c82} - c:\windows\system32\pirabumo.dll (file missing)
O21 - SSODL: bayuranov - {766654b0-d92e-4e32-bc7b-878a88256bf1} - c:\windows\system32\pirabumo.dll (file missing)
O21 - SSODL: jokanegeh - {8cee4343-62e7-4a4f-a7e1-dac2757f2d53} - c:\windows\system32\pirabumo.dll (file missing)
O21 - SSODL: dumagihiy - {8429491a-f90e-4330-a37e-2876d0f89cf4} - c:\windows\system32\pirabumo.dll (file missing)
O21 - SSODL: mirefajay - {d0b66102-c9d0-492d-9895-e7f7fbfd9dd3} - c:\windows\system32\zufusosa.dll (file missing)
O21 - SSODL: hugolodop - {01ba4c23-4d9c-4145-8f8e-1d914c4437c4} - (no file)
O22 - SharedTaskScheduler: Apartment - ThreadingModel - (no file)
O22 - SharedTaskScheduler: gahurihor - {0f275c84-6e48-4c6c-a81f-ba7059128c82} - c:\windows\system32\pirabumo.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {766654b0-d92e-4e32-bc7b-878a88256bf1} - c:\windows\system32\pirabumo.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {8cee4343-62e7-4a4f-a7e1-dac2757f2d53} - c:\windows\system32\pirabumo.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {8429491a-f90e-4330-a37e-2876d0f89cf4} - c:\windows\system32\pirabumo.dll (file missing)
O22 - SharedTaskScheduler: gahurihor - {d0b66102-c9d0-492d-9895-e7f7fbfd9dd3} - c:\windows\system32\zufusosa.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {01ba4c23-4d9c-4145-8f8e-1d914c4437c4} - (no file)
Close HJT

Restart

Try to update Malwarebytes and Avira Antivirus, and run another scan (still issues there that both of these tools will remove)

Also, you can uninstall Spybot S&D and SUPERAntispyware

Give that a go :)
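To show how the entries ticked above are picked out of a HijackThis log, here is an added triage script that is not part of this thread and not a TechSpot or HijackThis tool. It parses lines in HJT's `Oxx - ...` format and flags the patterns the fix list relies on: Run keys launching from a Temp directory or via rundll32, an AppInit_DLLs value loading DLLs into every process, SSODL/SharedTaskScheduler/BHO components whose file is missing, and the O7 policy that disables Registry Editor. The sample lines are copied from the log posted above, except the Avira line, which is constructed to show an entry that should not be flagged; the scoring rules are this example's own heuristics, not HijackThis logic.

```python
"""Triage a HijackThis-style log and list the entries worth reviewing.

Added example for this thread (not HijackThis code). The rules below are
heuristics that mirror what the helper ticked in the fix list; a flagged
entry still needs a human to confirm it before it is fixed.
"""
import re
from dataclasses import dataclass, field

# Sample lines copied from the log in the thread; the [Avira] line is a
# constructed, benign autostart used as a negative control.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: (no name) - {C5B24B16-23F2-41AD-F4E4-00ABC39C0004} - (no file)
O4 - HKLM\..\Run: [oseckt] RUNDLL32.EXE C:\WINDOWS\system32\msronhte.dll,w
O4 - HKCU\..\Run: [NeoChronos] C:\DOCUME~1\jhibbard\LOCALS~1\Temp\y.exe
O4 - HKLM\..\Run: [Avira] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://nfp.webex.com/client/T25L/webex/ieatgpc.cab
O20 - AppInit_DLLs: c:\windows\system32\zufusosa.dll rusogebu.dll C:\WINDOWS\system32\guard32.dll
O21 - SSODL: rimudakub - {0f275c84-6e48-4c6c-a81f-ba7059128c82} - c:\windows\system32\pirabumo.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {01ba4c23-4d9c-4145-8f8e-1d914c4437c4} - (no file)
"""

# "O4 - HKLM\..\Run: ..." -> code "O4", body "HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^(?P<code>[FORN]\d+) - (?P<body>.+)$")


@dataclass
class Finding:
    code: str
    line: str
    reasons: list = field(default_factory=list)


def parse_log(text):
    """Return (code, body, original_line) for every recognised HJT entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body"), line))
    return entries


def _reasons_for(code, body):
    """Heuristic reasons an entry deserves review; empty list means leave it."""
    reasons = []
    low = body.lower()
    if code == "O4":
        # Autostarts living in a per-user Temp directory are rarely legitimate.
        if "\\temp\\" in low:
            reasons.append("Run entry launches from a Temp directory")
        # rundll32 autostarts hide the real payload inside a DLL; verify it.
        if "rundll32" in low:
            reasons.append("rundll32 autostart; confirm the DLL is a known component")
    elif code == "O7" and "disableregedit=1" in low:
        reasons.append("policy disables Registry Editor (blocks HJT fixes too)")
    elif code == "O20" and low.startswith("appinit_dlls:"):
        dlls = body.split(":", 1)[1].split()
        if dlls:
            reasons.append(f"AppInit_DLLs loads {len(dlls)} DLL(s) into every GUI process")
    elif code in ("O2", "O3", "O21", "O22"):
        # A registered component whose file is gone is dead weight or a leftover.
        if "(file missing)" in low or "(no file)" in low:
            reasons.append("registered component's file is missing")
    return reasons


def triage(text):
    """Return a Finding for each entry that matched at least one rule."""
    findings = []
    for code, body, line in parse_log(text):
        reasons = _reasons_for(code, body)
        if reasons:
            findings.append(Finding(code, line, reasons))
    return findings


def fix_list(text):
    """The flagged lines, in the form you would tick in HJT's Scan Only view."""
    return [f.line for f in triage(text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run against the sample, the script flags seven of the ten lines and leaves the `F2` shell entry, the constructed Avira autostart and the WebEx `O16` download control alone; the rules are deliberately conservative, so an unflagged rundll32 or Program Files entry is not a clean bill of health, only a lower priority for manual review.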
 
Thanks for the quick response.

When I try to Fix on HJT, I get an error message:

"Registry Editor:
Registry Editing has been disabled by your administrator"


And it pops up approx. 20 times. That means it's not working, right? Any suggestions?

I'm going to try restarting anyway.
 
Yes it refers to this one:
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
But as long as you are an Administrator account holder (check in Users in Control Panel) then you should be able to run the lot
As that entry just stops the program running
 
You are right, it says I am an admin.

How come I get this error message when I try to fix? :confused:

Is it working despite the messages?
 
You will need to Restart and test
Or better yet, Restart to Safe Mode (F8 before Windows starts to load) run HJT Scan Only, and remove all the entries I stated above
Then Restart again to Normal mode.
 
So, I hit F8 during start up. The prompt of "safe mode", "safe mode with networking", etc. screen shows. If I choose anything other than "run windows normally" it begins to load, running through the system32/drivers until it gets to system32/drivers/mup.sys - my computer then shuts off.

start windows normally and run test?
 
If I understand correctly, only Normal Mode will load up?

If this is true then we can fix Safe Mode (well try whilst malware is present) by running >> Safeboot Repair (obviously in Normal Mode)

You may also need to run CheckDisk (before you restart again, as it scans after restarting)
Start > Run > chkdsk /r > ok > Y > Restart
(Note: one space after chkdsk, in that run command)
 
Yep, only normal mode.

I'll do the safeboot repair and the chkdsk /r.

Since my last post, I ran another set of scans. I was able to get rid of the
"O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1"
from HijackThis. I have attached the new scans.

A few notes:
My ethernet connection is still not showing up in my system tray.
My wireless connection shows up in system tray and recognizes the router but has limited or no connectivity.
When I restart, it looks like there is a little DOS window (minimized) in the bottom left hand corner of my screen. It only pops up momentarily, but what I can see is it says something about my "S" drive, which is the shared drive in my office. I also think it says something about the system32/cmd.dll on that drive.
 
Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
 
Update: Kimsland - Able to boot up in safe mode after following your directions.

I ran Combofix, however since this incident I have been unable to connect to the internet. I have no idea why (I have been working from another comp). I have attached the report.

I uninstalled Comodo in order to get ComboFix to work - I'm not sure if I needed to do this, but after I did, ComboFix worked. It looks like Comodo had been suppressing the malware because on the next boot up, everything went back to going crazy. ComboFix was still able to run though - which is pretty cool :approve:

Right now the computer is just sitting there in safemode, hanging out.

Thanks again,
Jamie
 
Is it a wireless or wired connection?

Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

KB310994.gif



Download the file & save it as it's originally named.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

RC1-4.gif



  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


    whatnext.png



  • At the next prompt, click 'No' to exit.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\umvoku.exe
c:\windows\system32\winsts.sys

Folder::
c:\documents and settings\jhibbard\Local Settings\Application Data\amljvu
c:\documents and settings\All Users\Application Data\e0a2q5a8

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"e0a2q5a8"=-

Driver::
winsts

KILLALL::

Save this as CFScript.txt, in the same location as ComboFix.exe


CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
 
Ok, steps completed.

To answer your last question, it is a wired connection. Still not showing up in my system tray.

Log attached.

Thank you!
 

Attachments

  • ComboFixLog.txt
    14.3 KB · Views: 5
Whilst waiting for kritius to check the logs, can you disable (or uninstall) Spybot Search & Destroy
Then startup Malwarebytes again, and update it (this is found in the program itself)
Then run a quick scan. At the end of the scan you must remove all found infections yourself
Ideally submit the log as an attachment
 
Hi Kimsland,

Thanks for the response.

I already had uninstalled Spybot, I did this from Control Panel Add/Remove Programs. Is there something I should do further?

Also, I am still blocked off from the internet... is there another way i can update?

Thank you, you all are very helpful.
 
*Sorry for the Double Post!!*
 
Oh, you still cannot connect to the Internet

Hmm, let's try a few resets:

Run IE Reset Fixit Tool:

Or manually from here https://www.techspot.com/vb/post682762-2.html
Then restart Internet Explorer

Uninstall COMODO free personal firewall

Restart

Start > Run > CMD > ok
Run (copy/paste) each command below followed by enter key (note: some commands may not work)
ipconfig /release

ipconfig /flushdns

ipconfig /registerdns

ipconfig /renew

netsh winsock reset catalog

netsh int ip reset reset.log

netsh winsock reset
Restart again

Test Internet/Network
 
Ok! I'm on the internet from the virus-addled comp.

I can connect, but a few notes:

1. My ethernet connection still does not show up in my system tray

2. My wireless connection does, however it still shows a "!" on it and when I mouse over it says there is "limited or no connectivity".

3. When I was running the commands, not sure which one it was, the "!" came off the wireless connection symbol.

I have updated and quick scanned with Malwarebytes as requested, logs attached.

thank you!
 

Attachments

  • hijackthis.log
    8.6 KB · Views: 6
  • mbam-log-2009-12-11 (10-51-38).txt
    868 bytes · Views: 6
Wireless Setup Wizard:

Start > Run > %SystemRoot%\system32\rundll32.exe shell32.dll,Control_RunDLL NetSetup.cpl,@0,WNSW
 
JHibb, kritius is the best there is. Please follow what he is setting up for you and don't run any other programs in between.
 
DDS by sUBs
Please download DDS by sUBs from HERE or HERE and save it to your Desktop.

Vista users. Right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

  • Double click on dds to run it.
  • When done, DDS.txt will open.
  • You will receive another prompt after a while. Click Yes at the prompt. It will take another few minutes to scan.
  • When done, Attach.txt will open.
  • Please zip and attach the contents of DDS.txt and Attach.txt in your next reply.
 