Malware Issues



wfigure
2006-07-29, 18:36
Hi!
My daughter's computer is dying from malware. I can't even run applications to detect it, as they crash the system. I was able to run HiJack This, and here is what I got. Please help!
Thanks in Advance

Logfile of HijackThis v1.99.1
Scan saved at 11:32:25 AM, on 7/29/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\77f5a4f4.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\11253\explorer.exe
C:\WINDOWS\system32\spoolsvv.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\PROGRA~1\COMMON~1\ICROSO~1\RNDLL3~1.EXE
C:\Windows\xpupdate.exe
D:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\RACLE~1\nopdb.exe
D:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O2 - BHO: (no name) - {1d662d41-02e4-423f-b182-14d0afbb453e} - C:\WINDOWS\system32\mrgeng.dll
O2 - BHO: (no name) - {38DD246F-B4DA-C207-A141-E82B56BB8490} - C:\WINDOWS\system32\qrfneaun.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: (no name) - {F77B350A-ABB2-D768-CD49-F8BAAF144AC0} - C:\WINDOWS\system32\larmk.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [amCoA] C:\docume~1\admini~1\locals~1\temp\amCoA.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Vl6] C:\documents and settings\administrator\local settings\temp\Vl6.exe
O4 - HKLM\..\Run: [KQtu4] C:\documents and settings\administrator\local settings\temp\KQtu4.exe
O4 - HKLM\..\Run: [pqVvF] C:\documents and settings\administrator\local settings\temp\pqVvF.exe
O4 - HKLM\..\Run: [d3m] C:\documents and settings\administrator\local settings\temp\d3m.exe
O4 - HKLM\..\Run: [lZsz3Hll] C:\documents and settings\administrator\local settings\temp\lZsz3Hll.exe
O4 - HKLM\..\Run: [uaDdud2Zb] C:\documents and settings\administrator\local settings\temp\uaDdud2Zb.exe
O4 - HKLM\..\Run: [d3m.exe] C:\documents and settings\administrator\local settings\temp\d3m.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ÿ_zsk][BLPA] C:\WINDOWS\system32\_zskwrkni05KWQDXET^Z\APLB[].exe
O4 - HKLM\..\Run: [77f5a4f4.exe] C:\WINDOWS\system32\77f5a4f4.exe
O4 - HKLM\..\Run: [Explorer 2238] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\11253\explorer.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\owinmrez.exe TST001
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Creative Detector] E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Ifc] C:\DOCUME~1\ADMINI~1\MYDOCU~1\SEMBLY~1\POOLSV~1.EXE
O4 - HKCU\..\Run: [Nrou] "C:\PROGRA~1\RACLE~1\nopdb.exe" -vt yazr
O4 - HKCU\..\Run: [Rpe] C:\PROGRA~1\COMMON~1\ICROSO~1\RNDLL3~1.EXE
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [ÿ_zsk][BLPA] C:\WINDOWS\system32\_zskwrkni05KWQDXET^Z\APLB[].exe
O4 - HKCU\..\Run: [77f5a4f4.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\77f5a4f4.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\101.tmp3072.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\System32\owinmrez.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft\Office\OSA9.EXE
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-p3.htm
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\aim.exe
O13 - WWW. Prefix: http://
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O20 - AppInit_DLLs: iniwin32.dll c:\windows\system32\dexplore.dll wuauboot.dll C:\WINDOWS\system32\rundll32.dll C:\WINDOWS\system32\wuauboot.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: mrgeng - C:\WINDOWS\SYSTEM32\mrgeng.dll
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\11253\explorer.exe
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\2236_28.dll
O21 - SSODL: cpdBJuT - {9848497C-32E2-E3D6-E687-3FB895BA2790} - C:\WINDOWS\system32\he.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe

LonnyRJones
2006-08-02, 10:08
Hello

Please disable SpybotSD TeaTimer for now
To disable SpybotSD TeaTimer:
Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon and Uncheck the box next to Teatimer.
("Resident "TeaTimer" (Protection of over-all system settings) active")
Close SpyBot.
We will remind you to turn it on later



Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


REGEDIT4
;
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"[ÿ_zsk][BLPA]"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"[ÿ_zsk][BLPA]"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"[ÿ_zsk][BLPA]"=-

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.






Run HijackThis, click "Config", then "Misc Tools" > "Delete file on reboot".
(Exact spelling counts!!! So don't browse to the files.)
Copy/paste the line below into the File name box, then click Open:
C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

Answer yes to the prompt to reboot the PC

Once windows has restarted


Start HijackThis and place a check next to these items, if there.
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O2 - BHO: (no name) - {1d662d41-02e4-423f-b182-14d0afbb453e} - C:\WINDOWS\system32\mrgeng.dll
O2 - BHO: (no name) - {38DD246F-B4DA-C207-A141-E82B56BB8490} - C:\WINDOWS\system32\qrfneaun.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: (no name) - {F77B350A-ABB2-D768-CD49-F8BAAF144AC0} - C:\WINDOWS\system32\larmk.dll
O4 - HKLM\..\Run: [amCoA] C:\docume~1\admini~1\locals~1\temp\amCoA.exe
O4 - HKLM\..\Run: [Vl6] C:\documents and settings\administrator\local settings\temp\Vl6.exe
O4 - HKLM\..\Run: [KQtu4] C:\documents and settings\administrator\local settings\temp\KQtu4.exe
O4 - HKLM\..\Run: [pqVvF] C:\documents and settings\administrator\local settings\temp\pqVvF.exe
O4 - HKLM\..\Run: [d3m] C:\documents and settings\administrator\local settings\temp\d3m.exe
O4 - HKLM\..\Run: [lZsz3Hll] C:\documents and settings\administrator\local settings\temp\lZsz3Hll.exe
O4 - HKLM\..\Run: [uaDdud2Zb] C:\documents and settings\administrator\local settings\temp\uaDdud2Zb.exe
O4 - HKLM\..\Run: [d3m.exe] C:\documents and settings\administrator\local settings\temp\d3m.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [ÿ_zsk] C:\WINDOWS\system32\_zskwrkni05KWQDXET^Z\APLB[].exe
O4 - HKLM\..\Run: [77f5a4f4.exe] C:\WINDOWS\system32\77f5a4f4.exe
O4 - HKLM\..\Run: [Explorer 2238] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\11253\explorer.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\owinmrez.exe TST001
O4 - HKLM\..\RunServices: [ÿ_zsk][BLPA] C:\WINDOWS\system32\_zskwrkni05KWQDXET^Z\APLB[].exe
O4 - HKCU\..\Run: [Ifc] C:\DOCUME~1\ADMINI~1\MYDOCU~1\SEMBLY~1\POOLSV~1.EXE
O4 - HKCU\..\Run: [Nrou] "C:\PROGRA~1\RACLE~1\nopdb.exe" -vt yazr
O4 - HKCU\..\Run: [Rpe] C:\PROGRA~1\COMMON~1\ICROSO~1\RNDLL3~1.EXE
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [ÿ_zsk][BLPA] C:\WINDOWS\system32\_zskwrkni05KWQDXET^Z\APLB[].exe
O4 - HKCU\..\Run: [77f5a4f4.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\77f5a4f4.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\101.tmp3072.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\System32\owinmrez.exe
O4 - Global Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O13 - WWW. Prefix: http://
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O20 - AppInit_DLLs: iniwin32.dll c:\windows\system32\dexplore.dll wuauboot.dll C:\WINDOWS\system32\rundll32.dll C:\WINDOWS\system32\wuauboot.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: mrgeng - C:\WINDOWS\SYSTEM32\mrgeng.dll
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\11253\explorer.exe
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\2236_28.dll
O21 - SSODL: cpdBJuT - {9848497C-32E2-E3D6-E687-3FB895BA2790} - C:\WINDOWS\system32\he.dll (file missing)

====================================
Hit Fix checked and close HijackThis (not to worry about the error).
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
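
The fix list above is built by hand from the log. The script below is an added example, not a HijackThis feature and not anything posted in this thread; it shows the same triage as code. It parses HijackThis O4/O2/O20/O21/R1 lines and flags entries by the traits visible in this log: autostarts in Temp or profile-data folders, 8.3 folder names that do not belong to a real vendor folder (RACLE~1, ICROSO~1), hex-named executables, near-misses of system binary names (spoolsvv.exe next to the real spoolsv.exe), an IE proxy pointing at 127.0.0.1, and load points (AppInit_DLLs, Winlogon Notify, SSODL) that HijackThis 1.99 lists only when they are not Windows defaults. It then emits a REGEDIT4 deletion file in the same "name"=- form as fixme.reg above. The sample log lines are constructed from the posted log; the heuristics and the names Finding, triage, path_reasons and reg_delete_script are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines modelled on the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O2 - BHO: (no name) - {1d662d41-02e4-423f-b182-14d0afbb453e} - C:\WINDOWS\system32\mrgeng.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [amCoA] C:\docume~1\admini~1\locals~1\temp\amCoA.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKCU\..\Run: [Nrou] "C:\PROGRA~1\RACLE~1\nopdb.exe" -vt yazr
O4 - HKCU\..\Run: [77f5a4f4.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\77f5a4f4.exe
O20 - AppInit_DLLs: iniwin32.dll c:\windows\system32\dexplore.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\11253\explorer.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
""".strip()

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce|RunServices): \[(.*?)\] (.*)$")
# Scratch folders under the user profile: installers unpack there, autostarts should not live there.
PROFILE_SCRATCH = re.compile(r"\\(temp|locals~1|local settings\\application data|documents\\settings)\\", re.I)
# 8.3 names Windows generates for common folders; anything else (RACLE~1, ICROSO~1 above,
# i.e. "Oracle" and "Microsoft" minus their first letters) is a decoy dressed up as a vendor folder.
KNOWN_SHORT = {"PROGRA~1", "DOCUME~1", "ADMINI~1", "LOCALS~1", "COMMON~1", "MICROS~1", "SYMANT~1", "MYDOCU~1", "APPLIC~1"}
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "spoolsv.exe", "winlogon.exe", "lsass.exe", "services.exe", "smss.exe", "rundll32.exe"}
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


@dataclass
class Finding:
    section: str      # HijackThis section code, e.g. "O4"
    where: str        # load point, e.g. "HKLM\Run"
    name: str         # registry value name ("" where not applicable)
    target: str       # file or setting the entry points at
    reasons: list = field(default_factory=list)


def extract_path(cmd: str) -> str:
    """Executable path from a Run value's command line (quoted, or the first .exe/.dll token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|dll|com|scr|bat|pif))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd


def one_edit_away(a: str, b: str) -> bool:
    """True if one deletion or substitution turns a into b (spoolsvv.exe -> spoolsv.exe)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) < len(b):
        a, b = b, a
    return any(a[:i] + a[i + 1:] == b or (len(a) == len(b) and a[:i] + b[i] + a[i + 1:] == b)
               for i in range(len(a)))


def path_reasons(path: str) -> list:
    reasons, low = [], path.lower()
    base = low.rsplit("\\", 1)[-1]
    if PROFILE_SCRATCH.search(path):
        reasons.append("runs from a temp or profile-data folder")
    reasons += [f"unusual 8.3 folder name {c}" for c in re.findall(r"[^\\]+~\d+", path)
                if c.upper() not in KNOWN_SHORT]
    if re.fullmatch(r"[0-9a-f]{8}\.exe", base):
        reasons.append("random hex file name")
    if base in SYSTEM_BINARIES and not low.startswith("c:\\windows\\"):
        reasons.append("Windows binary name outside the Windows folder")
    reasons += [f"{base} mimics {real}" for real in SYSTEM_BINARIES if one_edit_away(base, real)]
    return reasons


def triage(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            hive, key, name, cmd = m.groups()
            path = extract_path(cmd)
            if reasons := path_reasons(path):
                findings.append(Finding("O4", f"{hive}\\{key}", name, path, reasons))
        elif line.startswith("R1 - ") and "ProxyServer" in line and "127.0.0.1" in line:
            findings.append(Finding("R1", "ProxyServer", "", line.split("=", 1)[1].strip(),
                                    ["IE proxied through a local port: a resident program sits in the browsing path"]))
        elif line.startswith("O2 - BHO: (no name)"):
            findings.append(Finding("O2", "BHO", "", line.rsplit(" - ", 1)[1],
                                    ["unnamed Browser Helper Object: identify the DLL"]))
        elif line.startswith(("O20 - ", "O21 - ")):
            kind, rest = line[6:].split(": ", 1)
            findings.append(Finding(line[:3], kind, "", rest,
                                    [f"{kind}: HijackThis lists only non-default entries here; check each one"]))
    return findings


def reg_delete_script(findings: list) -> str:
    """REGEDIT4 text removing the flagged O4 Run values; "name"=- deletes a value."""
    lines = ["REGEDIT4", ""]
    for f in findings:
        if f.section == "O4":
            hive, key = f.where.split("\\", 1)
            name = f.name.replace("\\", "\\\\").replace('"', '\\"')   # .reg escaping rules
            lines += [f"[{HIVES[hive]}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\{key}]", f'"{name}"=-', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section} {f.where} [{f.name}] {f.target}\n    " + "; ".join(f.reasons))
    print(reg_delete_script(found))
```

Run as-is, it flags nine of the eleven sample lines (QuickTime and the Creative service pass) and prints a .reg that deletes only the four flagged Run values. The heuristics are a first pass for a human to review, not a verdict: the Vundo DLL in this log sits in system32 under a plausible name and is caught only because it registers as an unnamed BHO and a Winlogon Notify package.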

wfigure
2006-08-06, 19:11
Did what was asked. Here is the new HiJack This log. Appears that a couple of the items did not get deleted. Should I keep running and fixing until these are gone?
Thanks
Wayne

Logfile of HijackThis v1.99.1
Scan saved at 12:11:21 PM, on 8/6/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1d662d41-02e4-423f-b182-14d0afbb453e} - C:\WINDOWS\system32\mrgeng.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ÿ_zsk][BLPA] C:\WINDOWS\system32\_zskwrkni05KWQDXET^Z\APLB[].exe
O4 - HKCU\..\Run: [Creative Detector] E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ÿ_zsk][BLPA] C:\WINDOWS\system32\_zskwrkni05KWQDXET^Z\APLB[].exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-p3.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\aim.exe
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O20 - Winlogon Notify: mrgeng - C:\WINDOWS\SYSTEM32\mrgeng.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe

LonnyRJones
2006-08-06, 22:04
Hi

Was there any problem creating that registry file (fixme.reg) ?
Make and run it once more please.

Please download VundoFix.exe (http://www.atribune.org/content/view/24/2/)
to the root drive, eg: Local Disk C: or the partition where your operating system is installed.
Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying VundoFix will close and re-open in a minute or less (up to five).
Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Wait two minutes then Turn your computer back on.
Please post the contents of C:\vundofix.txt

wfigure
2006-08-08, 00:34
Hi!
Reran registry file and it gave no errors.
Ran Vundofix.exe and it found no infected files see below:

VundoFix V4.2.22
Scan started at 5:28:02 PM 8/7/2006
Listing files found while scanning....
No infected files were found.


ALSO: I am having trouble getting into my C:\WINDOWS directory. Every time I try to access it, it fails and dumps out of File Explorer.

Reran Hijackthis and here is the report. What is next?


Logfile of HijackThis v1.99.1
Scan saved at 5:29:34 PM, on 8/7/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1d662d41-02e4-423f-b182-14d0afbb453e} - C:\WINDOWS\system32\mrgeng.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ÿ_zsk][BLPA] C:\WINDOWS\system32\_zskwrkni05KWQDXET^Z\APLB[].exe
O4 - HKCU\..\Run: [Creative Detector] E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ÿ_zsk][BLPA] C:\WINDOWS\system32\_zskwrkni05KWQDXET^Z\APLB[].exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-p3.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\aim.exe
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O20 - Winlogon Notify: mrgeng - C:\WINDOWS\SYSTEM32\mrgeng.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe

LonnyRJones
2006-08-08, 03:36
Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less.
Click OK.
When VundoFix re-opens, click Scan for Vundo. When it is finished scanning,
right-click the list box, then select Add files and add
C:\WINDOWS\system32\mrgeng.dll
Do the same for this line:
c:\windows\system32\gnegrm.*
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Wait two minutes then turn your computer back on.
Please post the contents of C:\vundofix.txt

Go to Start > Run, then copy and paste in this command:
regedit /a c:\runkey.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Now post this text file: c:\runkey.txt
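
A check worth running on the exported c:\runkey.txt before re-merging a deletion file, as an added example that is not part of the thread or of any tool used in it. HijackThis prints a value name inside square brackets, so a name that itself contains brackets (the O4 line shown as [ÿ_zsk][BLPA] in the logs above reads, by that format, as the value name ÿ_zsk][BLPA) is easy to transcribe wrongly, and regedit reports a successful merge whether or not a "name"=- line named a value that existed. The script parses the REGEDIT4 export, lists deletion entries that match nothing in it, shows the exact code points of any value name with non-ASCII characters, and writes a deletion file from the stored names with .reg escaping applied. The export below is constructed from the Run values in the logs and assumes that odd name exports as text (real `regedit /a` output is ANSI-encoded, which the thread does not show); the fixme.reg is the one from the earlier reply, verbatim.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed stand-in for c:\runkey.txt, modelled on the Run values in the logs above.
RUNKEY_EXPORT = r'''
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"vptray"="D:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"ÿ_zsk][BLPA"="C:\\WINDOWS\\system32\\_zskwrkni05KWQDXET^Z\\APLB[].exe"
"SunJavaUpdateSched"="D:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
'''

# The deletion file from the earlier reply, verbatim.
FIXME_REG = r'''
REGEDIT4
;
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"[ÿ_zsk][BLPA]"=-
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')   # "name"=data or @=data


def unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)          # .reg strings escape only \ and "


def parse_reg(text: str) -> dict:
    """{key: {value_name: data}}; data is None for a "name"=- deletion entry."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper() == "REGEDIT4":
            continue
        if m := KEY_RE.match(line):
            current = keys.setdefault(m.group(1), {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            name = "@" if m.group(1) is None else unescape(m.group(1))
            data = m.group(3)
            if data == "-":
                current[name] = None
            elif data.startswith('"'):
                current[name] = unescape(data[1:-1])
            else:
                current[name] = data               # dword:/hex: values kept raw
    return keys


def unmatched_deletions(export_text: str, deletion_text: str) -> list:
    """Deletion entries whose key/name (compared case-insensitively, as the registry does)
    do not exist in the export: merging them changes nothing."""
    have = {k.lower(): {n.lower() for n in v} for k, v in parse_reg(export_text).items()}
    missing = []
    for key, values in parse_reg(deletion_text).items():
        present = have.get(key.lower(), set())
        missing += [(key, n) for n, d in values.items() if d is None and n.lower() not in present]
    return missing


def odd_names(export_text: str, key: str) -> list:
    """Value names with non-ASCII or unprintable characters, paired with their exact code
    points, so a fix is typed from the stored name rather than from how a tool displays it."""
    return [(n, n.encode("unicode_escape").decode("ascii"))
            for n in parse_reg(export_text).get(key, {}) if not n.isascii() or not n.isprintable()]


def deletion_reg(key: str, names: list) -> str:
    """REGEDIT4 text deleting the given values, with .reg escaping applied to the names."""
    esc = lambda s: s.replace("\\", "\\\\").replace('"', '\\"')
    return "REGEDIT4\n\n[%s]\n%s\n" % (key, "\n".join('"%s"=-' % esc(n) for n in names))


if __name__ == "__main__":
    for key, name in unmatched_deletions(RUNKEY_EXPORT, FIXME_REG):
        print(f"no such value under {key}: {name!r}")
    for name, shown in odd_names(RUNKEY_EXPORT, RUN_KEY):
        print(f"stored name: {shown}")
    print(deletion_reg(RUN_KEY, [n for n, _ in odd_names(RUNKEY_EXPORT, RUN_KEY)]))
```

On the constructed export the fixme.reg entry matches nothing, and the regenerated file targets the stored name. A .reg file saved from Notepad must be plain ANSI text for REGEDIT4; a name whose bytes cannot be typed at all is the case where a registry editor or a tool that deletes by handle, not a text file, is needed.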

wfigure
2006-08-08, 04:04
Hi!

Ran Vundofix.exe and it found no infected files!!

I am having trouble getting into my C:\WINDOWS directory. Every time I try to access it, it fails and dumps out of File Explorer.

Here is the contents of vundofix.txt:

VundoFix V4.2.22
Scan started at 9:02:04 PM 8/7/2006
Listing files found while scanning....
No infected files were found.


Didn't do the last instruction since this one didn't do what you said.

LonnyRJones
2006-08-08, 04:18
Hi. re-read the last instructions, we are going to use the add files option in vundofix.

tashi
2006-08-12, 20:18
wfigure, still with us?

tashi
2006-08-16, 08:43
:scratch:

Archived.

LonnyRJones
2006-08-20, 06:43
Re-opened.

You will need to repeat your comments from the pm.

wfigure
2006-08-20, 17:28
Hi!
Remember me?
I was having trouble with Vundo malware on my daughter's computer.
I had to go out of town and they closed my thread.
here is the link to my thread's history.

http://forums.spybot.info/showthread.php?t=6197

I did what you asked in your last thread
Quote:
Hi. re-read the last instructions, we are going to use the add files option in vundofix.

End Quote.

I cannot get the add files option in vundofix to come up. I can't right click in the list box after it is done scanning.

Please open my thread and reply.

Thanks in advance
Wayne

LonnyRJones
2006-08-21, 02:19
The author updated VundoFix; delete yours and try this one.

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

wfigure
2006-08-26, 20:59
I did what was asked:
I downloaded VundoFix.exe to my desktop.
I double-clicked VundoFix.exe to run it.
I clicked the Scan for Vundo button.

It never comes back... Here are the results from running...
NOTE: I STILL CAN'T get into my C:\Windows directory.
Wayne

VundoFix V6.1.2

Checking Java version...

Sun Java not detected
Scan started at 1:00:32 PM 8/26/2006

Listing files found while scanning....

wfigure
2006-08-26, 21:14
BTW, here is the new Hijack log.....
STILL CAN'T GET INTO C:\WINDOWS...

Logfile of HijackThis v1.99.1
Scan saved at 2:16:10 PM, on 8/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
D:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1d662d41-02e4-423f-b182-14d0afbb453e} - C:\WINDOWS\system32\mrgeng.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ÿ_zsk][BLPA] C:\WINDOWS\system32\_zskwrkni05KWQDXET^Z\APLB[].exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Creative Detector] E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ÿ_zsk][BLPA] C:\WINDOWS\system32\_zskwrkni05KWQDXET^Z\APLB[].exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-p3.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\aim.exe
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe

LonnyRJones
2006-08-27, 15:05
I assume the popups have stopped?

Start HijackThis and place a check next to these items, if there.
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1d662d41-02e4-423f-b182-14d0afbb453e} - C:\WINDOWS\system32\mrgeng.dll (file missing)

====================================
Hit Fix checked and close HijackThis.
Right-click on your D:\Program Files\HijackThis.exe, choose Rename, and rename it to hjt.exe.
Run it, scan, save the log and post another please.

wfigure
2006-08-27, 16:28
Did what was asked. Here is the latest hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 9:30:02 AM, on 8/27/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
D:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\explorer.exe
D:\Program Files\aim.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\hjt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
R3 - Default URLSearchHook is missing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ÿ_zsk][BLPA] C:\WINDOWS\system32\_zskwrkni05KWQDXET^Z\APLB[].exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Creative Detector] E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ÿ_zsk][BLPA] C:\WINDOWS\system32\_zskwrkni05KWQDXET^Z\APLB[].exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-p3.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\aim.exe
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe

LonnyRJones
2006-08-27, 17:40
Good, no sign of Vundo.

Please download, install, and update Ewido anti-spyware (http://www.ewido.net/en/download/)

Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
After the update finishes (the status bar at the bottom will display "Update successful")
Close ewido. Do not run it yet.

Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.

In Safe Mode, load Ewido and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Restart back into Normal Mode.

Please perform another scan with HijackThis, and then post back with a copy of the Ewido log.

tashi
2006-09-02, 21:50
wfigure?

If you wish to keep this topic open please respond, thank you.

tashi
2006-09-05, 02:11
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.