Weird problem resurfaces after cleaning

[momok]

Hi,

lately I was surfing on the internet when a random dialog from my SpyBot SSD and Ad aware popped up to ask for permission to allow the addition of the entry 'rundl132.exe' and 'load'. My ZL firewall asked me for internet access permission for a program 'logo1_.exe'. I found this extremely disturbing and denied all access. Thereafter I conducted a series of checks on processes and system scans using all my programs (Ad aware, SpyBot, HijackThis, AVG Anti-Spyware 7.

The scans on Ad aware and spybot did not turn up anything, except for 1 or 2 random tracking cookies on ad aware which I removed. The scan on AVG revealed a series of malware:

Worm.Viking.ix
Trojan.WOW.qa
Trojan.OnLineGames.lc
byetmr.exe -> Trojan.WOW.ec
TrackingCookie.Burstnet
Worm.Viking.jr

I promptly cleaned them all up. I fixed the suspicious entries on my HijackThis too.
I did a forum search here for these files, and thereafter found Logo1_.exe, rundl132.exe in C:\windows and C:\windows\uninstall respectively. I deleted both files and the 'uninstall' folder.
I did another scan on AVG and nothing turned up. I thought that was the end of my problems and nothing else happened for the rest of the night. However, the next day when I reboot my laptop, the same programs came up again requesting to add registry values.

I have no idea what is going on, been running AVG a few times and repeating this whole process 3 or 4 times already. Apparently the problems only resurface after sometime from the last cleaning when I think they're gone and I go on about my business.

I have posted the following files.

AVG:
"AVG 1st Scan.txt" - the first time I scanned after discovering the weird problems
"AVG latest scan.txt" - the scan that I just did after discovering for the 3rd/4th? time the problem is still there
"AVG latest rescan after cleaning.txt" - a rescan I did right after "AVG latest scan.txt" and cleaning. The last scan I've done so far.

"HijackThis.log" latest scan on hijack this.

Sorry if this seems a little paranoid. I don't know when the problems will resurface again, so I decided to post these logs when I've just finished my own round of cleaning to ask for help to see if there was anything I left out.

Thanks guys!

PS im going to do one more rescan on AVG after this to see if anything comes up.

<edit>
ar har. something came up in AVG.
I've replaced the first hijackthis.log because I've hit the 5 file limit =p
Also added the latest AVG log together. "AVG latest scan.txt"

 

[momok]

please help

I have encountered the same problems again. This time on running Hijackthis I found the rund132.exe again and it seems there is a mutation or something. I found a new 'dcoh.exe' trying to run on startup.

Somebody please help me.. Thanks.

<edit> I also discovered a file richdll.dll which I highly suspect is linked to all this. Would someone advise me on this thanks.

 

[howard_hopkinso]

I have removed your old log files as they are no longer required. Your running an outdated version of hijackThis. See HERE for the latest version.

Please do the following.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Delete all files in AVG Antispyware quarantine.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

Logo1_.exe
rundl132.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKLM\..\Run: [load] C:\WINDOWS\uninstall\rundl132.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\uninstall<Delete the entire folder.
C:\WINDOWS\Logo1_.exe

Reboot into normal mode and rehide your protected OS files.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan. Instructions HERE.

Regards Howard

This thread is for the use of momok only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[momok]

oh no....

It appears the problem is still there.
I've followed ur instructions to the word, except for the part on logging in using my usual username. I'm not sure why, I'm using a Fujitsu tablet, and on safe mode somehow it didnt allow me to log in using my usual username and password. So I had to log in with the administrator password.

Apparently, while in safe mode, HJT did not show 'rundl132.exe', although I did find logo1_.exe and the 'uninstall' folder, which I promptly deleted. My processes did not reveal anything.

AVG picked up the same problems after I had deleted those files and rebooted. HJT does not show anything. I dont know how to read Combofix logs, but there's a quarantine log. Anyways, I've attached all 4 logs for your perusal. Thanks for helping me again. =)

AVG rootkit revealed no hidden objects too.

PS. When I tried logging in to post this reply, I was prevented from doing so. The page repeatedly brought me back to the log in prompt page, but does not state explicitly that I had entered a wrong username/password. I tried several times and restarted IE before I finally logged back in. This is the 2nd time I've experienced this; could it be due to the infection?

 

[howard_hopkinso]

Your HJT log is clean.

Delete all files in AVG and Combofix quarantine and empty your recycle bin.

Run the Ccleaner programme as per step9 of the instructions HERE.

As far as I can tell, your system looks clean.

I`m not sure what caused your Techspot login problem, hopefully, it was just a glitch.

I suggest you start using Firefox and only use IE for windows updates. It`s a lost more secure.

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of momok only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[momok]

I'm terribly sorry to bother you once again, but it appears that the problem is still there.

I had run my AVG scan once more (I'm paranoid)before following your instructions to delete the quarantined files and off system restore. The AVG scan revealed nothing. However, when I opened CCleaner, the dreaded popup dialog appeared again requesting for permission to add the rundl132.exe registry key to start up! I immediately went to check my windows folder and found the logo1_.exe and the uninstall folder with rundl132.exe in it back there. They were previously not there. I quickly deleted them, before running AVG antispyware once more. It was clean.

Based on this, I suspect that the bug does not run actively in the background, but rather infects my files with some coding of some sort to run it. I suspect many of my exe files were such infected.

I then set out to open random programs one at a time to see what happened. I noted that when I opened Microsoft programs or windows default programs such as word, excel, IE, windows journal, Freecell, etc, nothing happened. However when I opened other types of programs like spybot, winzip, AVG, Adwatch, bittorrent, emule, teatimer etc, my registry monitoring program (either ad watch or spybot teatimer) would prompt me with the permission dialog stating that the registry key rundl132.exe was being added. Each time I would discover the damned files in my windows folder again, after which I would delete them from my computer but on opening the next program they would appear once more. Another thing I noted was that this did not happen the 2nd time I opened the program.

I have no idea if all these problems would return again if I rebooted my laptop. I did a google search for rundl132.exe, and logo1_.exe. It appears that richdll.dll is also related to it, so I deleted it. I’m going to reboot my laptop to see what happens next. HJT does not reveal anything new so far.

PS: the login thing is really a glitch. I can only successfully login when I check the ‘remember me’ tick box. Otherwise I would just be repeatedly returned to the ‘welcome guest’ page.

 

[howard_hopkinso]

I`m sorry to hear you`re still having problems. Please do the following.

Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

Attach the Autoruns log here.

Regards Howard

This thread is for the use of momok only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[momok]

woah! this is a really cool program. anyways heres my log =)

 

[howard_hopkinso]

I`d like you to have the following files checked over at Jotti`s.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Please visit this link http://virusscan.jotti.org/
* Click the Browse... button
* Navigate to the following file c:\windows\system32\drivers\u3shlpdr200.sys
* Click Open
Then, do the same for these files.

c:\windows\system32\drivers\smcirda.sys
c:\windows\system32\drivers\ozscr.sys

Please let me know the results.

Search your system for this file kdnsb.exe and let me know it`s full filepath.

Rehide your protected OS files.

Regards Howard

This thread is for the use of momok only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[momok]

Hi..
I've scanned the 3 files, and all of them appear to be clean.
The search for kdnsb.exe showed nothing apparently.

 

[howard_hopkinso]

In that case, your Autoruns log looks clean.

See HERE for info on the Logo1_.exe file.

Please post a fresh HJT log.

Regards Howard

This thread is for the use of momok only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[momok]

Here it is. I read the site, but I don't have symantec or norton antivirus. =(
I doubt HJT would detect much? I suspect most of it has been killed, just that I don't know how to 'cure' my infected exe's.

 

[howard_hopkinso]

You`re right, that HJT log is clean.

The only way to clean an infection that has infected lots of different .exe files is to reformat and reinstall from scratch.

However, before resorting to that, please search your system for this file and delete it if found. rundl132.exe

If you have problems deleting it, please let me know the full filepath.

Regards Howard

This thread is for the use of momok only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[momok]

I rebooted my laptop and tried running various programs again. Right now, nothing has cropped up so far! =D
rundl132.exe used to be found in 'C:\Windows\uninstall', but now its gone (for good I hope)

Thanks for the help =)
(I'm now running AVG for a final round of scanning before I go to sleep. Probably will turn out fine now.)

 

[howard_hopkinso]

I`ll keep my fingers crossed for you.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of momok only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[momok]

not again!

oh no...

this turned up in AVG after i rebooted. (see log)
the rundl132.exe and logo1_.exe came back when I opened an exe that I did not open before rebooting. Apparently all the previous exe's worked fine until I opened that one. =(
I also discovered dangerous files like upxdnd.dll, upxdnd.exe in "C:\Documents and Settings\zhiwei.low.2005\Local Settings\Temp"

I tried deleting them, and only the exe could be deleted. I couldnt find a way to kill the dll. I couldnt even locate the process on HJT or the autoruns program you recommended. The best I could do is set HJT to delete the file on reboot. gah!!!

I cant believe its back. I need to do my work and can't afford to format my system now. I really need my sleep its 530 am.. be back later.. ~.~

 

[howard_hopkinso]

C:\Documents and Settings\zhiwei.low.2005\Cookies\zhiwei.low.2005@burstnet[1].txt is just a tracking cookie and is nothing to be alarmed about.

The C:\WINDOWS\system32\cmdtbcs.dll and C:\WINDOWS\system32\wstddtshrs.dll are nasty, but AVG Antispyware has cleaned them with backups. Delete all files in AVG Antispyware quarantine.

Which .exe file did you open, when the infections came back?

Regards Howard

This thread is for the use of momok only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[howard_hopkinso]

C:\Documents and Settings\zhiwei.low.2005\Cookies\zhiwei.low.2005@burstnet[1].txt is just a tracking cookie and is nothing to be alarmed about.

The C:\WINDOWS\system32\cmdtbcs.dll and C:\WINDOWS\system32\wstddtshrs.dll are nasty, but AVG Antispyware has cleaned them with backups. Delete all files in AVG Antispyware quarantine.

Which .exe file did you open, when the infections came back?

Download and install one of the free antivirus programmes below.

AVG free or Avast antivirus programmes.

Once installed, run the antivirus updates, then do the following.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Run whichever antivirus programme you chose and delete whatever it finds, including anything in it`s virus vaults/quarantine.

Reboot into normal mode and rehide your protected OS files.

let me know the results.

Regards Howard

This thread is for the use of momok only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[momok]

omg. I ran the AVG anti virus in safe mode and it detected 397 .exe files which were infected, thereafter promptly 'healing' them. When I rebooted my laptop i found myself unable to execute winword and adobe reader, amongst other important programs that I need to use for my school report which is due in a few days! AVG had deleted them all =(

May I enquire where I can get the exe files, especially winword and adobe reader?
I checked my computer and its clean so far. The program which I opened was a very old game I used to play but I have since deleted the entire folder.

 

[howard_hopkinso]

I suggest you uninstall and reinstall Winword and adobe Reader, as they have obviously been damaged by whatever infection you had.

I`m pleased to hear your system looks clean. However, don`t be surprised if you come across other programmes that don`t work properly. I don`t exactly know what malware you had on your system, but it looks like AVG has taken care of it.

At your earliest opportunity, I advise you to backup your important data and reformat. Unless of course, you have no further problems, in which case, you can carry on as normal.

Regards Howard

This thread is for the use of momok only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[momok]

The main problem here is although I'm using original XP and office, they are all under my school's licence, ie, they were preinstalled into my laptop and I do not have the CD. =(
Do you have any advice on where to get an exe file for word and excel online?

 

[howard_hopkinso]

You can download the free Adobe reader from HERE.

Not too sure about the winword files. I suggest you ask your school to reinstall it for you.

Regards Howard

This thread is for the use of momok only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[momok]

Thanks for all the help =)

 

[howard_hopkinso]

No worries mate.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of momok only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.