I have a machine I'm trying to rid of a nasty

Discussion in 'malware problems & news' started by Littlemutt, Jan 1, 2008.

Thread Status:
Not open for further replies.
  1. Littlemutt

    Littlemutt Guest

    I have a machine I'm trying to rid of a nasty and so far not having any luck. There is something called 'gebyw.exe' and gebyw.dll in my System32 folder. Machine takes forever to boot - and has killed eTrust AV from starting, along with Windows Defender, a time-sync program, and a program for the HP combo printer/fax/copy machine.

    I have done a re-install of Windows and reupdated all the updates. I have run Vundo fix programs, as what I found on the net led me to believe that the file was related to that, but the scanners/fix programs say it's not on my system.

    I tried to run CureIT and got an instant reboot of the system. I had just downloaded the program, so I'm pretty sure it's not relevant to the initial issues with crashes, but does anyone have any hints?

    I'll be going to work around 2PM, and will have access to the machine to work on it some more.

    Thanks

    PS: I have run KAV online scanner and it says it found 2 files infected, but didn't offer to clean them?
     
  2. Malcontent

    Malcontent Registered Member

    Joined:
    Dec 30, 2005
    Posts:
    451
    Location:
    Cleveland, Ohio USA
    Have you tried booting the computer from a boot disk and then running CureIt?
     
  3. risl

    risl Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    581
    Or a reboot to safe mode
     
  4. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
  5. Cretemonster

    Cretemonster Registered Member

    Joined:
    Mar 31, 2005
    Posts:
    79
    Go to the techsupportforum.com help forum and start where it says "Having problems with spyware and pop-ups? First Steps"

    Run through and follow the steps and do the DSS scan for them, then get into the HijackThis section and hope someone sees your logs and can help. Sounds a lot like the Vundo file infector that's making the rounds, and that's why I suggest this forum first.

    The author of vundofix also has a forum at atribune.org
     
  6. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Unlucky, friend, you have more than likely been infected with the latest strain of Vundo (mass file infector), which can be a royal PITA to nuke.

    The trojan in <WinDir> will have been patching/renaming executables that load at system startup in order to reinfect upon reboot. This is probably why those softwares that load at startup are borking :thumb: and the trojan keeps reappearing in the system32 folder.

    You will need expert help at a HiJackThis/malware removal forum in order to sort this one out.
    http://www.castlecops.com/f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html

    All the best!
     
  7. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi C :cool:

    Can Vundofix take down this particular evo? As when I had the infection loaded earlier I didn't test any one-fix solutions :oops:

    Do you know what the canned fix is, if any, yet?

    Ade
     
  8. Littlemutt

    Littlemutt Guest

    Thanks for the suggestions guys. I got CureIT to run, in fact it's still running, and so far it has found a couple of things, but I'm not at all sure that will fix the issues.

    Thanks for the heads-up that I'm in for a long battle - sigh :oops:

    EDIT: CureIT found a trojan dropper - trojan.muldrip.9785 and a hacker tool: tool.prockill - both were deleted, and the startup error I was seeing is now gone. Currently running a scan with NOD32.

    I removed eTrust from the system - (no confidence at this point)
     
    Last edited by a moderator: Jan 1, 2008
  9. flimbag

    flimbag Registered Member

    Joined:
    Mar 23, 2005
    Posts:
    48
    I had a recent Vundo infection, and none of the single-fix tools came close. Vundofix didn't even see it. A combination of Trojan Remover and SuperAntiSpyware eventually sorted it, but only after a day or two (when they'd presumably updated).
     
  10. Littlemutt

    Littlemutt Guest

    Well, I thought I was making progress when NOD32 found a couple of items, and put those in quarantine.

    Then I downloaded SuperAntiSpyware and it found 42 more items, including several items of Vundo, and Vundo smart-a? (left the list at work)
    All those items were supposedly removed or quarantined, and I thought all was getting well.

    Rebooted the system and both NOD32 and SAS and Windows Defender were once again rendered unable to start up... Sigh - will continue more later in a couple of days when I go back to work.

    I did neglect to try running SAS and NOD32 in Safe Mode - will try that next, I guess.

    Thanks all for the ideas.
     
  11. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    That will make no difference on this occasion... unless your defenders (AV/AT/ASW) can effect a cleanup of all the infection (principal .exe + .dll) and all the patched software load exes in one logon session, the infection will respawn at the next reboot :ouch:

    As advised earlier, visit an expert help forum to get assistance with this one, because even savvy tech guys are finding this one a nightmare to manually disinfect ;)

    http://www.dslreports.com/forum/r19702820-Virtumonde-would-someone-please-shoot-these-guys
    http://forums.superantispyware.com/viewtopic.php?t=1076

    All the best!
     
  12. Cretemonster

    Cretemonster Registered Member

    Joined:
    Mar 31, 2005
    Posts:
    79
    Best hopes at the moment lie at techsupportforum; that's where subs calls home, and so far CF + the RenV switch he built are the only tools working.
     
  13. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Thanks MJ, so a one-stop fix is out there for assistance by the malware removal experts :D

    FYI I allowed myself my first full-blown infection from the new strain last Sunday; up until now I was allowing the system32 trojan to drop and deploy but blocked any patching activities via HIPS ;)

    So I finally bit the bullet and took one for the home team... curious, y'know!

    Surprisingly it was quite easy to manually remove, as it only affected all my O4's in a HJT log. Inspection of the relevant programme folders revealed a tainted load exe (larger file) and the renamed original with a " " gap in the file name (smaller exe) present. So using IceSword (file delete) on the system32 Vundo (DLL + exe) and the nobbled exes, followed by renaming of the original executables in one session, said goodnight to this bad boy and restored software integrity on reboot :D
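    The tell-tale layout described in this post and in post 6 (a patched, larger startup exe sitting next to the renamed original whose name differs only by an inserted space) can be checked for mechanically. The script below is an added example, not code from the thread or from any of the tools named in it; the pairing rule (names identical once spaces are removed) and the "loader is the larger file" heuristic are assumptions taken from the post, and the sample folder it scans is constructed.

    ```python
    """Scan a program folder for Vundo-style patched startup executables.

    Added example. Assumed pairing rule: two .exe files whose names become
    identical once spaces are removed; the unspaced name is what Windows
    loads at startup, the spaced one is the renamed original."""
    import tempfile
    from pathlib import Path


    def find_suspect_pairs(folder):
        """Return a list of dicts, one per (loaded, renamed) candidate pair."""
        by_key = {}
        for p in Path(folder).iterdir():
            if p.is_file() and p.suffix.lower() == ".exe":
                # Group names that collapse to the same string without spaces.
                by_key.setdefault(p.name.replace(" ", "").lower(), []).append(p)
        findings = []
        for paths in by_key.values():
            loaded = [p for p in paths if " " not in p.name]
            renamed = [p for p in paths if " " in p.name]
            if not loaded or not renamed:
                continue  # a single file, or only spaced variants: no pair
            l, r = loaded[0], renamed[0]
            ls, rs = l.stat().st_size, r.stat().st_size
            findings.append({
                "loaded": l.name, "loaded_size": ls,
                "renamed": r.name, "renamed_size": rs,
                # The post reports the patched loader as the larger file.
                "loader_is_larger": ls > rs,
            })
        return findings


    def demo():
        """Build a constructed folder mimicking the described layout and scan it."""
        with tempfile.TemporaryDirectory() as d:
            # Constructed samples (placeholder names, not real program files).
            Path(d, "startupapp.exe").write_bytes(b"MZ" + b"\x90" * 4000)   # patched loader
            Path(d, "startupapp .exe").write_bytes(b"MZ" + b"\x90" * 3000)  # renamed original
            Path(d, "clean.exe").write_bytes(b"MZ" + b"\x90" * 100)         # no sibling
            return find_suspect_pairs(d)


    if __name__ == "__main__":
        for hit in demo():
            print(hit)
    ```

    Running the scan over each folder that an O4 startup entry points into, and renaming the originals back only after every hit has been dealt with in the same session, matches the cleanup order the post describes.
    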
     