
ebubaraxonug.dll

  1. #1
    anneR, Junior Member
    Registered: 25.07.2010
    Posts: 6
    Reputation weight: 51

    ebubaraxonug.dll

    hi there

    my Kaspersky Internet Security 2010 has now a number of critical high risk files in quarantine
    system (Windows 7) seems now compromised
    and, since 24/7 every time at start up this appears:

    bubaraxonug.dll - HEUR: trojan.win.32.generic
    RunDll redcirclewhitecross wee window:
    "There was a problem starting
    C:\Users\Anneruth\AppData\Local\ebubaraxonug.dll
    The specific module could not be found
    attached one file I managed to create via Kaspersky Virus Removal Tool

    tried running tool in normal mode
    does not finish, even after 6 hours running

    don't know how to start laptop here in safe mode
    have downloaded the other tools
    but am not sure now whether there is any point in me running them
    as I feel totally intimidated by your 'before you post' guidelines


    have already spent 12 hours trying to do the above

    apart from feeling overwhelmed with the many tools you ask me to run, I don't know what you mean with unload antivirus (uninstall?) and then my Internet Explorer is not working anyway, and Firefox is compromised (links in Google search do not work) and everything is endlessly slow loading, especially in startup, with system running mysteriously at 100% CPU

    with my former anti virus software on another PC when I had a problem all I needed to do was go into chat and a technician cleared my PC via remote control

    to do these processes is beyond me and the little time and little skill I have;

    however, my work right now is dependent on this laptop, so, please help me...

    anneR


    ps: tried to post, some Russian message coming up
    what's the point of this for me

    Added 18 minutes later

    can also not find where to find the quarantined files to send you

    nor how to convert the text logs from quarantine into zip files for you to accept them

    pps:
    found a way to convert long log txt to doc to zip!
    hope this helps
    still don't know where to locate quarantined files
    Last edited by anneR; 26.07.2010 at 03:00. Reason: Added

  2. #2
    olejah, Administrator
    Registered: 08.03.2010
    Location: Russia, Krasnodar
    Posts: 11,760
    Reputation weight: 1296
    Quote: Originally posted by anneR
    tried running tool in normal mode
    does not finish, even after 6 hours running
    What tool have you used? Neither AVZ nor Kaspersky Virus Removal Tool can finish running in normal mode, right? Or you tried only one of those two?

  3. #3
    anneR, Junior Member
    Registered: 25.07.2010
    Posts: 6
    Reputation weight: 51
    So far tried only Kaspersky anti virus tool.

    AVZ still unzipping - takes ages..
    need to work here and all is held up!

    would like to know whether to close the little window

    RunDll redcirclewhitecross window:
    "There was a problem starting
    C:\Users\Anneruth\AppData\Local\ebubaraxonug.dll
    The specific module could not be found
    please advise

    causes something of the trojan/worm to get executed? Should I close it or leave it open?
    an ebubaraxonug file is in Kaspersky's quarantine, along with numerous others..

    5 minutes later:
    AVZ is scanning now in normal mode; auto removal mode is selected;
    lots of red scripts coming up in log file window...

    Just see that it tells me to update database
    I have no idea how to do this :-(
    please instruct
    Last edited by anneR; 26.07.2010 at 14:24. Reason: updating

  4. #4
    olejah, Administrator
    Registered: 08.03.2010
    Location: Russia, Krasnodar
    Posts: 11,760
    Reputation weight: 1296
    C:\Users\Anneruth\AppData\Local\ebubaraxonug.dll - I guess it is part of some malware. So, let's make it clear, is there any way to make at least one log or maybe scan your PC by any of the instruments described here?

    Added 14 minutes later

    Quote: Originally posted by anneR
    I have no idea how to do this :-(
    please instruct
    - AVZ - Файл => Обновление баз => Пуск (File => Database update => Start).
    Last edited by olejah; 26.07.2010 at 14:34. Reason: Added

  5. #5
    anneR, Junior Member
    Registered: 25.07.2010
    Posts: 6
    Reputation weight: 51

    files /logs

    I had attached my Kaspersky main log (from my K. Internet Security) already with my first post after I managed to get it into zip via convert to doc - can you not see it?
    please - why are your last line instructions in Russian? No good for me as you know :-(

    had also attached the report the extra Kaspersky Virus Removal Tool did, but I can't see it anymore here - what happened? It still shows on my uploaded file window?

    I am just trying it again to upload it again
    Last edited by anneR; 26.07.2010 at 16:10.

  6. #6
    anneR, Junior Member
    Registered: 25.07.2010
    Posts: 6
    Reputation weight: 51

    AVZ log partly

    just tried to make a zip file out of the start of the AVZ scan (running right now still), but God knows why I can't find out again how to make it into a zip file!

    here a few entries from beginning and middle

    do they help?

    colour seems to have been lost (some came in red for the hijackfiles) and symbols gone into smileys!

    I am having to leave with the laptop into town, so I might have to pause the scan. Hope I can pause and don't have to start again when I get back!

    Attention !!! Database was last updated 08/07/2010 it is necessary to update the database (via File - Database update)
    AVZ Antiviral Toolkit log; AVZ version is 4.34
    Scanning started at 26/07/2010 11:11:31
    Database loaded: signatures - 275419, NN profile(s) - 2, malware removal microprograms - 56, signature database released 08.07.2010 09:40
    Heuristic microprograms loaded: 383
    PVS microprograms loaded: 9
    Digital signatures of system files loaded: 213048
    Heuristic analyzer mode: Medium heuristics mode
    Malware removal mode: enabled
    Windows version is: 6.1.7600, ; AVZ is run with administrator rights
    System Restore: enabled
    1. Searching for Rootkits and other software intercepting API functions
    1.1 Searching for user-mode API hooks
    Analysis: kernel32.dll, export table found in section .text
    Analysis: ntdll.dll, export table found in section .text
    Analysis: user32.dll, export table found in section .text
    Function user32.dll:DefDlgProcA (1657) intercepted, method - ProcAddressHijack.GetProcAddress ->76C65F5A->776B8944
    Function user32.dll:DefDlgProcW (1658) intercepted, method - ProcAddressHijack.GetProcAddress ->76C65F75->776A3F54
    Function user32.dll:DefWindowProcA (1664) intercepted, method - ProcAddressHijack.GetProcAddress ->76C65F90->77682893
    Function user32.dll:DefWindowProcW (1665) intercepted, method - ProcAddressHijack.GetProcAddress ->76C65FAB->7767247D
    Analysis: advapi32.dll, export table found in section .text
    Function advapi32.dll:AddMandatoryAce (1029) intercepted, method - ProcAddressHijack.GetProcAddress ->769C24B5->752BC334
    Function advapi32.dll:I_QueryTagInformation (1361) intercepted, method - ProcAddressHijack.GetProcAddress ->769C2655->765B72D8


    and then it goes for pages like this (my guess - it hit the 'HijackThis' file I downloaded on my poor attempts here following your sophisticated instructions...


    ProcAddressHijack.GetProcAddress ->7370551B->74A35D67
    Function netapi32.dll:NlBindingSetAuthInfo (304) intercepted, method - ProcAddressHijack.GetProcAddress ->73705543->74A36198
    1.2 Searching for kernel-mode API hooks
    Error loading driver - operation interrupted [C000036B]
    1.4 Searching for masking processes and drivers
    Checking not performed: extended monitoring driver (AVZPM) is not installed
    1.5 Checking IRP handlers
    Error loading driver - operation interrupted [C000036B]
    2. Scanning RAM
    Number of processes found: 37

  7. #7
    olejah, Administrator
    Registered: 08.03.2010
    Location: Russia, Krasnodar
    Posts: 11,760
    Reputation weight: 1296
    Quote: Originally posted by anneR
    please - why are your last line instructions in Russian? No good for me as you know :-(
    Sorry, you asked me how to update data base and I thought your AVZ version is Russian.

    Ok, now we're gonna check some files -

    Close/unload all the programs

    Switch off:
    - Antivirus and, if you have - Firewall.

    - Execute following script in Manual Healing

    Code:
    begin
     SearchRootkit(true, true);
     SetAVZGuardStatus(true);
     QuarantineFile('C:\Windows\system32\msdtckrm.dll','');
     QuarantineFile('C:\Windows\system32\lsm.exe','');
     QuarantineFile('C:\Windows\system32\dwm.exe','');
     QuarantineFile('C:\Windows\system32\drivers\fvevol.sys','');
     QuarantineFile('C:\Windows\system32\drivers\fltmgr.sys','');
     QuarantineFile('C:\Windows\system32\dfdts.dll','');
     QuarantineFile('C:\Windows\System32\win32k.sys','');
     QuarantineFile('C:\Windows\System32\snmptrap.exe','');
     QuarantineFile('C:\Windows\System32\mdsched.exe','');
     QuarantineFile('C:\Windows\System32\mctadmin.exe','');
     QuarantineFile('C:\Users\Anneruth\AppData\Local\ebubaraxonug.dll','');
     BC_ImportAll;
     BC_Activate;
     RebootWindows(true);
    end.
    After reboot:
    - Execute following script in Manual Healing

    Code:
    begin
    CreateQurantineArchive('C:\quarantine.zip');
    end.
    - Upload the C:\quarantine.zip here: upload_virus_eng.

  8. #8
    anneR, Junior Member
    Registered: 25.07.2010
    Posts: 6
    Reputation weight: 51

    clearing viruses in manual healing

    hi Olejah

    thank you for reply, and instructions...

    Went to a friend yesterday afternoon as her husband offered to have a look at this infected laptop for me. He spent 4 - 5 hours on it and now at least the ebubaraxonug.dll beastie seems gone. There are still some problems - all browsers very slow in start up, Firefox redirecting to a nclk.gif image 1x1 with blank page in Google searches, are the worst. He recommended that I uninstall and re-install Firefox which I will do today.

    the whole shebang here has thrown my workschedule - which is making a blog and online photo albums and videos for a craft project - totally off kilter. I must focus on this right now to fulfill my commitment to the project and its people, and hope that what my friend's husband did here will enable me for now to keep my head cool and my laptop free when busy.

    I will get back here as soon as possible to do what you asked me here.

    When you say "manual healing" - are you referring to the second tab in the Kaspersky Virus Removal Tool programme I had downloaded?

    kind regards
    anneR

  9. #9
    olejah, Administrator
    Registered: 08.03.2010
    Location: Russia, Krasnodar
    Posts: 11,760
    Reputation weight: 1296
    Exactly, I think this instruction could help.

  10. #10
    anneR, Junior Member
    Registered: 25.07.2010
    Posts: 6
    Reputation weight: 51

    nclk + Kaspersky anti-banner

    thanks again

    some news here re nclk redirect in firefox:
    when preparing to uninstall my Firefox I realised that not only would I need to save my bookmarks, I also would have to reset numerous passwords the browser remembers for me!
    So I did another search on the nclk problem and found on
    http://h**p://support.mozilla.com/ti...2993&forumId=1
    that disabling Kaspersky's anti-banner was doing the trick. Tried it out just now, and right enough - no more blank nclk windows in my Firefox when doing Google searches!

    What do you think about the anti-banner function of Kaspersky?
    How needed is it?

    on http://h**p://74.125.127.189/support...0949a690&hl=en
    someone who had tried lots of ways to find and delete malware found in the end that the ordinary Kaspersky virus scan found and cleared those two for him
    1. trojan-downloader.Win32 Mufanom.hpx

    2. trojan.JS.Gord.a
    So, is nclk now a problem with a trojan or is it a conflict in antibanner?

    since I had anti-banner on all the time, and had no probs with any nclk redirect, I am puzzled doubly..

    if you advise me with a good reason to activate Kaspersky anti-banner again, I will do so and do my Google searches with Google Chrome browser, which is fine just now (= doing the right redirects)
    Last edited by Rene-gad; 27.07.2010 at 20:36.

  11. #11
    Senior Member
    Registered: 03.04.2006
    Posts: 21,100
    Reputation weight: 3023
    Quote: Originally posted by anneR
    .............
    Such questions you might discuss in any other forum, e.g. http://forum.kaspersky.com/
    Pls. let you read the manual for your antivirus
    This topic is closed

  12. #12
    Cybernetic Helper
    Registered: 29.12.2008
    Posts: 48,233
    Reputation weight: 977

    Treatment summary

    Statistics of the treatment performed:
    • Quarantines received: 1
    • Files processed: 2
    • No malware was found in the quarantines during treatment

