rundll32.exe not found error. Cannot run dds or GMER

[anu1]

Hello,

My computer is infected with this virus/spyware System Security Version 4.52. I am unable to open a browser to get the logs files mentioned in the instruction on how to remove the malware. I tried using my laptop to download dds.scr and gamer.exe and copied to the infected PC. But the program wont run or do anything. It seems that the whole computer is hijacked. Please help.
Thanks
Anu

[anu1]

Here is the latest update. When I logon now, I get the popup saying cannot find rundll32.exe Application not found. After I click ok, nothing works. I cannot open any application.

[anu1]

I am unable to run GMER or DDS on the computer because of the rundll32.exe not found error. When I opened browwer, It prompted to open with popup. I clicked firefox again and it opened the broswer. I did a free online scan from Kaspersky and found I have numerous trojans. The log is attached here. Please help.
Thanks

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, August 1, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, August 01, 2009 19:42:06
Records in database: 2570735
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 128914
Threat name: 10
Infected objects: 17
Suspicious objects: 1
Duration of the scan: 02:44:44


File name / Threat name / Threats count
c:\windows\system32\iasex.dll/c:\windows\system32\iasex.dll Infected: Trojan-Spy.Win32.Agent.aytn 1
c:\windows\system32\evdoserver.dll/c:\windows\system32\evdoserver.dll Infected: Trojan.Win32.Koblu.ang 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IOLDCW4Y\w[1].bin Infected: Trojan-Downloader.Win32.DlfBfkg.ry 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IOLDCW4Y\w[2].bin Infected: Trojan-Downloader.Win32.DlfBfkg.ry 1
C:\SW\Microsoft Money 2007 Home & Business.iso Infected: not-a-virus:Monitor.Win32.Ardamax.k 1
C:\WINDOWS\Fonts\cooecp.tlb Infected: Trojan-Dropper.Win32.Agent.aven 1
C:\WINDOWS\Fonts\logcde.dll Infected: Trojan-Dropper.Win32.Agent.aven 1
C:\WINDOWS\Fonts\services.exe Infected: Trojan-Spy.Win32.VB.bvw 1
C:\WINDOWS\Fonts\windef.dll Infected: Trojan-Dropper.Win32.Agent.aven 1
C:\WINDOWS\Fonts\windef.Log Infected: Trojan-Dropper.Win32.Agent.aven 1
C:\WINDOWS\Fonts\winpaged.ocx Infected: Trojan-Dropper.Win32.Agent.aven 1
C:\WINDOWS\system32\EvdoServer.dll Infected: Trojan.Win32.Koblu.ang 1
C:\WINDOWS\system32\ghaf8jkdfd.dll1 Infected: Trojan-Downloader.Win32.Agent.ckkp 1
C:\WINDOWS\system32\Iasex.dll Infected: Trojan-Spy.Win32.Agent.aytn 1
C:\WINDOWS\system32\LA37A.tmp.exe Infected: Trojan-Downloader.Win32.PepperPaper.ja 1
C:\WINDOWS\system32\net.net Suspicious: Packed.Win32.PECompact 1
C:\WINDOWS\system32\vhosts.exe Infected: Trojan-Downloader.Win32.Agent.azg 1
C:\WINDOWS\Temp\xtva1jk.exe Infected: Trojan-Downloader.Win32.Agent.ckkp 1

The selected area was scanned.

[thewall]

Hello, and welcome to TSF.

I am currently reviewing your log. I will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.

[thewall]

Hello again anu1,

One or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.


How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall



For the time being I will proceed on the assumption you wish to clean up your computer and have provided some more things I would like you to try and do. Note the GMER scan I have for you is different than the one in our initial instructions. If you do not wish to continue and would rather reformat or reinstall let me know in your next reply.




Download GMER Rootkit Scanner from here to your desktop.

• Double click the exe file.
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  
  
  
  Click the image to enlarge it
  
  
  
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  
• Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries





If no success with GMER give this one a try:

• Download RootRepeal from the following location and save it to your desktop.
  
• Extract the contents of RootRepeal.zip, to your desktop.
  
• Double click on your desktop.
  
• Click on the report tab, then click scan
  
• Check all seven boxes:
  Drivers
  Files
  Processes
  SSDT
  Stealth Objects
  Hidden Services
  Shadow SSDT
• Click Ok
  
• Check the box for your main system drive (Usually C:), and press Ok.
  
• Allow RootRepeal to run a scan of your system. This may take some time.
  
• Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.

Also please run the following:

• Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
• Double click on RSIT.exe to run RSIT.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
  

In your next reply please provide either the GMER or RootRepeal log if successful with running one of them and the two logs from RSIT


Thank you,



thewall

[anu1]

Hello,

Thanks for helping me out. I am unable to run any of the exe's you mentioned. When I double click the exe, it prompts me with a window saying Choose the program you want to open this file with? and gives all programs installed in the computer?

Please advice.
Thanks

[thewall]

Is System Security Version 4.52 still present on your machine and if it is will it open?

[anu1]

System Security is no more there. I found the directory where the files were there and deleted it. Since then atleast I can use explorer and my desktop does not have that blue screen saying my computer is infected and asking me to buy some software.

[thewall]

Here's what I want you to try first:

Navigate to this directory using Windows Explorer -> C:\Documents and Settings\All Users\Application Data
Look for a folder named like this - 12365489 (all numbers)
Drag that folder over to Desktop while you are still in Explorer and drop it there.

Now reboot the machine.

If you can find the folder and complete the instruction try to run the tools I gave you in post #5.

[anu1]

Hello,

There is no folder called Application Data under C:\Documents and Settings\All Users
If its hidden, I dont have the folder option under tool menu to select show hidden files. It seems everything in my computer is messed up.

[thewall]

Try this next:

Download This file to your Desktop and double click on it.

After doing so see if you can get the tools to run.



It's getting late so it will probably be tomorrow before I am back to work on this but don't despair we'll keep trying to straighten it out.

[anu1]

I am getting the same window Choose the program to open with.
I really appreciate all your help. Have a great evening

[thewall]

Hi anu1, I'm back.

Let's try running what we did in post #11 but this is a different file:




Download This file to your Desktop and double click on it.

After doing so see if you can get the tools to run.

.................................................


If you can't I need for you to go to Start>>Control Panel>>Folder Options and click on File Types. There should be quite a few entries showing up in there. Let me know if there are, you don't have to be all that specific I just need to know if they are there.

[anu1]

Hello,

I had to leave out of state this morning for work. I will be back home on Saturday. I will test this file once I reach home. Thanks for all your help and this site.

[thewall]

OK, let me know when you get back.

[anu1]

Hello,

I followed the steps you mentioned and I am getting the same popup window. Choose the program you want to use to open the file.
Also there is no folder option under control panel. I guess its hijacked by this virus

[thewall]

I might as well be straight up with you here and let you know things are not looking real good right now. You may need to start thinking about a reformat due to the damage that has been done to your computer. Some of these new rogues are really tearing machines up bad. It seems that is you don't want to buy their nefarious products then they will do their best to just screw up your whole computer.

We are going to try ComboFix. Let's just hope it will run.


Please download ComboFix from this location:

HERE

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  
• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

[anu1]

Hello,

I ran the combofix but it did not create a log file. I did not get any prompt for windows recovery console either. Thanks for all your help.

[thewall]

Did it appear to be running at all? Also is your system an XP?

[anu1]

Yes, It did run. The command window popped for a sec and I was able to read some pv.com was running before it disappeared. I have XP with SP3