Malwarebytes

Nasty one - MBAM, HJT, Combofix will not run

7 replies to this topic

#1
Mike42
New Member

Got a nasty one here, seems similar to some others but is very off.

I've found and removed a "titobigi.dll" and associated registry entries from the PC. Yanked the H/D and put it in a USB cage, did an external (MBAM) scan on it, that caught titobigi.dll but nothing else. I scanned the registry afterwards and removed all reference keys to it.

MBAM.exe is still being "auto-deleted" under the system. It cannot be run to completion.
Attempting to run Combofix gives a "Some installation files are corrupt. Please download a fresh copy and retry the installation" error.
HJT closes immediately on attempting to open.
Windows Automatic Updates service is being disabled ~60 seconds after enabling and starting it.

Any suggestions? I am guessing that something is loading up attached to either explorer.exe, winlogon.exe, or lsass.exe but am not sure how to go about checking for it.

#2
Mike42
New Member

Followup:

I've also been able to identify one registry bit that keeps coming back:

HKLM\Software\Microsoft\Windows\dofasaga

Two binary keys labeled "bayofula" and "lisuvuli".

#3
Mike42
New Member

Third pass:

"beperuka.dll" attached to LSA as a load process under all three controlsets in the registry. Not deletable.

"nukanaji.dll" attached to explorer.exe as a load process according to the registry.

Also found a pananini.dll and sidomuri.dll in the windows/system32 folder that were "hidden" files. Those are the only four that fit this thing's known profile (random-looking 8-character DLL name, "hidden", in windows/system32) if this is a new Vundo variant.

Fair warning, MBAM (running off of a clean laptop and scanning the H/D in a USB SATA bay) is not seeing beperuka.dll and nukanaji.dll as threats... looks like there's a brand-new variant out there.

#4
Mike42
New Member

Fourth pass:

Deleted each DLL manually, with the drive hooked up to an uninfected laptop via USB/SATA cage.

Reloaded PC in safe mode, cleared registry of all references to each DLL, restarted.

Post-manual cleaning, MBAM ran correctly under safe mode and announced the finding of nothing untoward. Next step is to see if MBAM runs in normal Windows mode and see if automatic updates can be turned back on permanently. Will check back in.

#5
Mike42
New Member

Final update:

MBAM is running fine in normal mode, cleared out the registry entries suppressing Windows' little "oops you don't have a firewall" warnings and so forth. It appears the manual cleaning has worked. Man, this was a pain.
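
To check whether a manual cleanup like the one described in posts #1 to #5 actually got everything, the following PowerShell script audits, read-only, the load points the posts name: the LSA package lists under every ControlSet, the Winlogon/Explorer load points, hidden 8-letter DLLs in System32, the Automatic Updates service, the Security Center warning-suppression values, and any registry key or value still mentioning the suspect names. This is an added example, not code from the thread or from Malwarebytes; it assumes an elevated PowerShell prompt on the affected machine, the suspect-name list is taken from the posts as a placeholder to edit, and the function name Find-RegistryReferences is this example's own. It reports and deletes nothing.

```powershell
# Read-only audit of the persistence points described in this thread.
# Added example; not code from the original posts or from Malwarebytes.
# Run from an elevated PowerShell prompt on the affected machine. It only
# reports findings; nothing is deleted.

# Names reported in the thread (placeholder list; edit it for your own case).
$SuspectNames = @('beperuka', 'nukanaji', 'pananini', 'sidomuri', 'titobigi', 'dofasaga')

# 1. LSA load points, checked under every ControlSet (post #3 found the DLL in all three).
#    On a clean system these lists are short: Notification Packages is typically just
#    scecli and Authentication Packages just msv1_0; any extra entry deserves a look.
Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet*' } | ForEach-Object {
    $lsa = Get-ItemProperty -Path ($_.PSPath + '\Control\Lsa') -ErrorAction SilentlyContinue
    foreach ($v in 'Notification Packages', 'Authentication Packages') {
        if ($lsa.$v) { "{0}\Control\Lsa [{1}] = {2}" -f $_.PSChildName, $v, ($lsa.$v -join ', ') }
    }
}

# 2. Winlogon / Explorer load points (post #3: a DLL "attached to explorer.exe").
#    Expected on a clean box: AppInit_DLLs empty, Shell = Explorer.exe,
#    Userinit = <SystemRoot>\system32\userinit.exe,
$nt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
foreach ($lp in @(@{ Path = "$nt\Windows";  Name = 'AppInit_DLLs' },
                  @{ Path = "$nt\Winlogon"; Name = 'Shell' },
                  @{ Path = "$nt\Winlogon"; Name = 'Userinit' })) {
    $val = (Get-ItemProperty -Path $lp.Path -Name $lp.Name -ErrorAction SilentlyContinue).($lp.Name)
    "{0} [{1}] = {2}" -f $lp.Path, $lp.Name, $val
}
# Each subkey under Winlogon\Notify and each value under ShellExecuteHooks is a DLL or
# COM object that winlogon.exe or explorer.exe will load at logon.
Get-ChildItem "$nt\Winlogon\Notify" -ErrorAction SilentlyContinue |
    ForEach-Object { "Winlogon\Notify\{0} -> {1}" -f $_.PSChildName, $_.GetValue('DLLName') }
$seh = Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks' -ErrorAction SilentlyContinue
if ($seh) { $seh.GetValueNames() | ForEach-Object { "ShellExecuteHooks -> $_" } }

# 3. Hidden DLLs in System32 with a random-looking 8-letter name (post #3's profile).
#    Legitimate files can carry the Hidden attribute too, so the Authenticode status
#    is shown alongside each hit rather than treating the name pattern as proof.
Get-ChildItem (Join-Path $env:SystemRoot 'System32') -Filter '*.dll' -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and
                   ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                   $_.BaseName -match '^[a-z]{8}$' } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        "{0}  {1} bytes  modified {2}  signature: {3}" -f $_.Name, $_.Length, $_.LastWriteTime, $sig.Status
    }

# 4. What the infection tampered with (posts #1 and #5): the Automatic Updates
#    service and the Security Center warning-suppression values.
$wu = Get-WmiObject Win32_Service -Filter "Name='wuauserv'"
"wuauserv: state={0} startmode={1}" -f $wu.State, $wu.StartMode
$sc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
foreach ($v in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    if ($sc.$v) { "Security Center [{0}] = {1}  (non-zero suppresses the warning)" -f $v, $sc.$v }
}

# 5. Every key or value that still mentions one of the suspect names (post #1's
#    "scanned the registry afterwards"). Recursing HKLM\SOFTWARE takes a few minutes.
function Find-RegistryReferences {
    param([string[]]$Names, [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM'))
    $pattern = ($Names | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName -match $pattern) { "KEY   $($key.Name)" }
            foreach ($vn in $key.GetValueNames()) {
                $data = $key.GetValue($vn)
                # REG_BINARY values (post #2's "bayofula"/"lisuvuli") may hold UTF-16 text.
                if ($data -is [byte[]]) { $data = [Text.Encoding]::Unicode.GetString($data) }
                if ($vn -match $pattern -or "$data" -match $pattern) { "VALUE $($key.Name) [$vn] = $data" }
            }
        }
    }
}
Find-RegistryReferences -Names $SuspectNames
```

Running the audit once before and once after the offline cleanup gives a direct diff of what was removed and what came back; an entry that reappears after a reboot, as the dofasaga key did in post #2, points at a load point that is still live rather than at a missed file.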

#6
AdvancedSetup
Forum Deity, Administrators

Hi Mike,

Please run the following and we'll check and see if anything appears to be left over or not.

Download DDS and save it to your desktop:
http://download.bleepingcomputer.com/sUBs/dds.scr

  • Disable any script blocker if your Anti-Virus/Anti-Malware has it.
  • Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
  • Then double click dds.scr to run the tool.
  • When done, the DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • When done, DDS will open two (2) logs:
      • DDS.txt
      • Attach.txt
  • Save both reports to your desktop.
  • Please include the following logs in your next reply: DDS.txt and Attach.txt
Ron Lewis
Manager, Online Support

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#7
AdvancedSetup
Forum Deity, Administrators

Just checking to see if you want us to check any further for you or not. If I don't hear back soon I'll go ahead and close the post.

Thanks.

#8
AdvancedSetup
Forum Deity, Administrators

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.




