Slyck.com
 

Help with corrupted programs

Postby borisborkem » Mon Jun 16, 2008 6:40 pm

Hi, I was wondering if anyone had some tips on how I could fix some of my programs that seem to be corrupted.

I acquired Virtumonde the other day, but have gotten rid of it. That may be the cause of my problems, maybe not.

Basically, the programs I was using when I got the virus seem to have been corrupted: Acrobat Pro, Office 2007, Endnote, and Corel. All of these programs still function perfectly, but some bad stuff is going on behind the scenes. I first noticed because there are no longer icons for any of these programs in the start menu, just the generic white ones. Their file associations are still intact, but individual Word and PDF files are just generic white files. When I look at the shortcuts for the files, the "Target" is just the name of the program, the "Start in" is empty, and "Find Target" and "Change Icon" are greyed out. Uninstalling the programs is not possible; I get errors. The Office uninstall gives a critical error, and when I looked at the uninstall report it said that I had a MsiAPICallFailure.

I haven't done much to fix it. I have reinstalled Windows Installer 4.5, and I'm not sure what else to do but try to remove it with Windows Install Clean Up.

I'm running XP SP3, and the problem started long after I upgraded to SP3.

Thanks
borisborkem
 
Posts: 23
Joined: Tue Mar 11, 2008 1:34 pm

Re: Help with corrupted programs

Postby Paladwyn » Mon Jun 16, 2008 6:44 pm

Sounds like it took a chunk out of the registry.

Sadly, unless you have a really good registry cleaner or can manually edit it without messing it up... there might not be a lot of hope left.

You could try the MSI uninstaller you mentioned, I've used it before and it helped.

I'd get a good registry cleaner first, and be careful there as there are a lot of infected programs. I like Norton Systemworks, because it's more or less trusted.
Don't roll your chair backwards, you might run over my foot.
Paladwyn
 
Posts: 3991
Joined: Thu Sep 27, 2007 4:55 pm
Location: Saskatchewan, Canada

Re: Help with corrupted programs

Postby borisborkem » Mon Jun 16, 2008 7:05 pm

Sigh, it appears that Virtumonde is back. Whoever made this ****ing thing should be shot. That's probably what is still causing the problem.
borisborkem
 
Posts: 23
Joined: Tue Mar 11, 2008 1:34 pm

Re: Help with corrupted programs

Postby Paladwyn » Mon Jun 16, 2008 7:13 pm

Virtumonde is a nasty critter... it hides itself as a Windows system file; with HijackThis you can see it as a bunch of random characters, and you can't delete the DLL file.

You can use programs to remove Virtumonde and Vundo: use an array of spyware removal programs (Adaware, Spybot S&S, Grisoft Antispyware) and run them in safe mode for best results. Use HijackThis to remove specific files. I've even had to take the drive to another computer to delete troublesome files.

Once you locate the file, it's just a matter of getting to delete it... SOMETIMES. Every version has its 'thing'. And after a reboot, if it comes back... then it's still hanging around. I've had to remove this damn piece of spyware a few times.
Don't roll your chair backwards, you might run over my foot.
Paladwyn
 
Posts: 3991
Joined: Thu Sep 27, 2007 4:55 pm
Location: Saskatchewan, Canada

Re: Help with corrupted programs

Postby ejonesss » Mon Jun 16, 2008 11:07 pm

it looks like ransomware

viewtopic.php?t=43058 Ransomware Encrypts Victim Files With 1,024-Bit Key
…-..-..-..-..-.-----.-…-..-…-..-…-...
ejonesss
 
Posts: 2973
Joined: Thu Feb 06, 2003 5:43 pm

Re: Help with corrupted programs

Postby Lee1001 » Tue Jun 17, 2008 2:16 am

Virtumonde is password protected, therefore if you use Spybot to remove it you must do a search afterwards and delete to the recycle bin. I had the same thing last week and eventually got it removed by using a combination of 4 programs: BD, Spybot, Ad-aware and Windows Defender. Virtumonde is part of the Vundo family; it has many different names including Media2.media, filehost, etc. On Bitdefender I got an after-scan report that told me they were unable to remove Virtumonde due to it being password protected. Windows Defender got 2 really bad ones, Trojan:win32/vundo.gen!H and Trojan:win32/conhook.D; Spybot got about 4 per scan; Ad-aware got 1 critical. Now my computer is OK; I still get some, but they are easier to remove now.
Lee1001
 
Posts: 671
Joined: Tue Mar 07, 2006 6:12 am

Re: Help with corrupted programs

Postby HouseCrowd » Tue Jun 17, 2008 6:03 am

If I remember correctly, the last time I fixed a PC with a Virtumonde infection, most of the issues you describe went away once it was properly removed. Although I think I had to manually repair a few registry entries, such as key entries used to disable Task Manager, etc.

I could be thinking of another virus but... I seem to remember that removing Virtumonde was a little tricky, since the DLLs it used had randomly generated file names, which would return (with a different name) when attempts were made to delete them. I think in the end, I used HijackThis to identify the names currently in use, then abruptly switched off the PC (by pressing and holding the power button, so that it had no chance to rename them again), then I connected the HDD up to another PC and removed the files. Once they were removed, I rebooted and went through the registry to remove any remaining traces of it.
There are 10 types of people in the World; those who understand binary, and those who do not.
HouseCrowd
 
Posts: 33862
Joined: Mon Oct 13, 2003 4:18 am
Location: UK
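Both Paladwyn and HouseCrowd above point out that the DLLs show up as "a bunch of random characters" and that the first step is identifying which names are currently in use. As an added example that is not from any poster in this thread, here is a small offline triage helper an analyst could run over a directory listing taken from the drive (for instance after connecting it to a clean PC, as HouseCrowd describes): it flags file names that look machine-generated and are not in a known-good baseline. The listing and the baseline below are constructed for the example, and the thresholds are assumptions, so treat the output as candidates for review, not as a verdict.

```python
"""Flag DLL names that look randomly generated (added example, not from the thread).

The heuristic is deliberately simple: long runs of consonants or a very low
vowel ratio are typical of generated names and rare in human-chosen ones.
Legitimate names that trip it (e.g. msvcrt.dll) are handled by a known-good
baseline; a real baseline would be a full name/hash set from a clean install.
"""

VOWELS = set("aeiouy")

# Constructed, tiny stand-in for a known-good baseline of Windows DLL names.
KNOWN_GOOD = {
    "kernel32.dll", "ntdll.dll", "msvcrt.dll", "advapi32.dll",
    "shlwapi.dll", "user32.dll", "setupapi.dll",
}

# Constructed sample listing (not a real capture); two names mimic the
# random-looking DLLs described in the thread.
SAMPLE_LISTING = [
    "kernel32.dll", "msvcrt.dll", "dskagljgddg.dll", "shlwapi.dll",
    "khfgqzdy.dll", "user32.dll", "setupapi.dll",
]


def letters_of_stem(name: str) -> str:
    """Return only the lowercase letters of the file name without its extension."""
    stem = name.lower().rsplit(".", 1)[0]
    return "".join(ch for ch in stem if ch.isalpha())


def longest_consonant_run(stem: str) -> int:
    """Length of the longest run of consecutive consonants in the stem."""
    run = best = 0
    for ch in stem:
        if ch in VOWELS:
            run = 0
        else:
            run += 1
            best = max(best, run)
    return best


def looks_random(name: str) -> bool:
    """Heuristic: True if the name looks generated rather than human-chosen.

    Thresholds (assumed): a consonant run of 5 or more, or fewer than 15%
    vowels, in a stem of at least 6 letters. Short stems are skipped because
    the heuristic is unreliable on them.
    """
    stem = letters_of_stem(name)
    if len(stem) < 6:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in stem) / len(stem)
    return longest_consonant_run(stem) >= 5 or vowel_ratio < 0.15


def triage(listing):
    """Return names, in listing order, that look random and are not baselined."""
    return [n for n in listing
            if n.lower() not in KNOWN_GOOD and looks_random(n)]


if __name__ == "__main__":
    for name in triage(SAMPLE_LISTING):
        print("review:", name)
```

Running it prints the two constructed names (`dskagljgddg.dll`, `khfgqzdy.dll`) while `msvcrt.dll`, which the heuristic alone would flag, is suppressed by the baseline. That is the point of combining the two: the name heuristic narrows the list, and the baseline keeps legitimate system files from being removed by mistake.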

Re: Help with corrupted programs

Postby thejynxed » Fri Jun 20, 2008 10:04 pm

Not only that, but Virtumonde/Vundo tends to have files that list their external filenames as one thing, but the internal file name that the system "sees" is actually the same file name in reverse, so trying to delete file "dskagljgddg.dll" gets you nowhere but an error message, so you need special tools to delete it, because the internal file name is actually "gddgjlgaksd.dll" and Windows Explorer can't handle that properly.

Some proper help for our fellow member:

http://www.bleepingcomputer.com/forums/topic18610.html
http://www.dslreports.com/faq/13619
http://forums.maddoktor2.com/index.php?showtopic=7154

Virtumonde/Vundo is most commonly installed via the Zlob family of Trojan Horse malware programs.
"FlickR is supposed to be weird, fun, experimental, way out-there -- oh no, wait, now that it's so close to being part of Microsoft, FlickR's supposed to bore people to death and empty their pockets while pretending to innovate." - Bruce Sterling
thejynxed
 
Posts: 1953
Joined: Mon Sep 06, 2004 12:22 pm
Location: In a Galaxy Far, Far Away....

Re: Help with corrupted programs

Postby Lee1001 » Sat Jun 21, 2008 5:11 am

Mine seems to have been removed successfully. MS did an urgent update a couple of days ago re this pest; it seems to have worked. Another point worth noting is that in the Live toolbar there are a couple of Search_glowbugs; I just removed the toolbar. I've also found several java.cvd and java.xmd which I can't send to the recycle bin.
Lee1001
 
Posts: 671
Joined: Tue Mar 07, 2006 6:12 am

Re: Help with corrupted programs

Postby thejynxed » Sat Jun 21, 2008 7:46 am

Use either Pocket Killbox or Unlocker to get rid of those pesky no-delete files. Teracopy also works: if you select the files using Teracopy and use the delete function, it will kill them dead; it ignores open handles to the files...
"FlickR is supposed to be weird, fun, experimental, way out-there -- oh no, wait, now that it's so close to being part of Microsoft, FlickR's supposed to bore people to death and empty their pockets while pretending to innovate." - Bruce Sterling
thejynxed
 
Posts: 1953
Joined: Mon Sep 06, 2004 12:22 pm
Location: In a Galaxy Far, Far Away....

© 2001-2008 Slyck.com