
Thread: New Thread: What's yrndlcit.exe?

  1. #1
    Member
    Join Date
    Jan 2008
    Posts
    36


    New Thread: What's yrndlcit.exe?

    I posted the original of this yesterday. No, I didn't post logs, because I wasn't sure if this was the right place or not, and right this instant, I'm not sure how to go about GETting logs (keep reading, I'll explain).

    I searched for yrndlcit and yrndlcit.exe and found zero references... kinda surprising - is it "the" problem or something totally off the wall?

    Anyway, this "yrndlcit.exe" was popping up several times a minute - I'd put it on the blacklist - but either I accidentally put it on the white list too or it managed to add itself - I was getting multiple boxes on the screen announcing that yrndlcit.exe was running because it was white listed followed by boxes announcing that it was terminated because it was blacklisted... somehow I got into the lists - don't recall what I did - and deleted the white list entry, so at least I don't see the *(&#$@ boxes anymore. But something's up - still... my desktop icons are all highlighted all the time, and the computer is slow, and it keeps kicking off IE (I use FF) and complaining about being offline (I have no intention of putting it online on my little home LAN until something is resolved - only one other computer is Windows, but...).

    I saw the stickies about the procedure - S&D is running right now [ NOTE: WAS when I wrote the original - keep reading for results ] on the infected computer, so when it's done I'll d/l the other progs, CD them and copy onto El Sicko and run, if there's any point to it...

    Here's what happened next: I went back to edit my original, and provide some more information... but, of course, you can't edit your posts here, so I replied to it (is there some other alternative?), and I got a response, which was basically "RTFM" - which I think I had indicated (see above) that I had done already - and asked to start a new thread, which I am doing right now.

    The result of the S&D scan was that it found 3 instances of virtumonde in the registry and said they were fixed (which I took to mean erased). When I rebooted it, intending to hook the computer directly to the DSL and avoid infecting others on my LAN, it came up with nothing but a desktop wallpaper - no icons, no taskbar. Ctrl-Alt-Del does bring up the Task Manager, but I'm not sure where to go next. I can get it up in safe mode (although on this Dell notebook, the screen in this mode is about half the size of the full screen and a little hard to work with).

    I understand that this post, like the previous one, is in violation of the requirement to post logs from Kaspersky Online, as well as some of the following ones, but I can't GET online, which makes it a bit of a problem.

    Perhaps I should start somewhere else???

    Anyway, if someone can help me get past this point, I promise I'll do my best to keep to the requirements the rest of the way.

    Thanks!

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,959


    Quote Originally Posted by itsleo View Post
    New Thread: What's yrndlcit.exe?
    Probably a random name in the infection.
    Quote Originally Posted by itsleo View Post

    The result of the S&D scan was that it found 3 instances of virtumonde in the registry and said they were fixed (which I took to mean erased). When I rebooted it, intending to hook the computer directly to the DSL and avoid infecting others on my LAN, it came up with nothing but a desktop wallpaper - no icons, no taskbar. Ctrl-Alt-Del does bring up the Task Manager, but I'm not sure where to go next. I can get it up in safe mode (although on this Dell notebook, the screen in this mode is about half the size of the full screen and a little hard to work with).
    I will leave a note for our helpers to see if they have any ideas.

    Best wishes.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    In Memoriam -Always in our heart CalamityJane's Avatar
    Join Date
    Oct 2005
    Location
    Central Florida, USA
    Posts
    651


    It's very confusing with all the posts going on here but I'll help if I can get some logs from you. We can't tell anything from descriptions. I saw the other log on the "good computer" and didn't see any problems, so let's just concentrate on the one you know is infected here. It probably IS Vundo and some of the new variants come with other multiple infections as well, so there are many scenarios for the behavior you describe. There is not a one-fix step so we need to try to find out some info on the infected machine (i.e.: logs specifically).

    Are you able to get online in SAFE MODE with Networking?
    If so, try that for the KAV scan.

    Meanwhile let's get a report from this free tool.
    Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
    1. Close all applications and windows.
    2. Double-click on dss.exe to run it, and follow the prompts.
    3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
    4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt into your reply.


    That will give me something to start with.
    Microsoft MVP 2003-2009
    Windows-Security

  4. #4
    In Memoriam -Always in our heart CalamityJane's Avatar
    Join Date
    Oct 2005
    Location
    Central Florida, USA
    Posts
    651


    Also, if you can attach the scan log from Spybot that might help too to see that report. When you go to post a reply, scroll down a bit and you'll see an area to "attach files" in *Additional Options*. That is how you can attach a report, but the DSS logs I want you to just paste that in as it shouldn't be too long and is easier to read that way.
    Microsoft MVP 2003-2009
    Windows-Security

  5. #5
    Member
    Join Date
    Jan 2008
    Posts
    36


    Hello, Jane - I finally got this #(@*&$ notebook to show icons and desktop and got online. Here are the Deckard results you asked for (the machine's name is SHIRLEY WILLIAMS - it came from a county auction and I believe she was a JP). I will go find the S&D log and attach to another post.

    Damn - the Deckard is too long, so I'm attaching IT as well.
    pos
    Aw, hell! As I was typing that, S&D popped up a notice about ZQest.K8L and it caught my keypresses... no telling what happened then... also pls excuse typos, it's a notebook and I usually have a "real" keyboard... plus that (*&#$@ ZQest (or something) keeps running and stealing keypresses and moving the cursor.

    Well - no go on the attachment. It's about 36K and the "Manage attachments" refused it. I'll zip it and attach that................

    Thanks for responding!

  6. #6
    Member
    Join Date
    Jan 2008
    Posts
    36


    ... and while I was doing that, the desktop icons and taskbar disappeared again....

  7. #7
    In Memoriam -Always in our heart CalamityJane's Avatar
    Join Date
    Oct 2005
    Location
    Central Florida, USA
    Posts
    651


    That's a mess alright. When did you acquire the computer? Do you have any of the install or recovery disks?

    I'm asking because this computer only has SP1 and is dead meat if you can't get SP2. From the error logs:
    Event Record #/Type3307 / Error
    Event Submitted/Written: 01/11/2008 01:10:07 PM
    Event ID/Source: 1010 / Windows Product Activation
    Event Description:
    The Windows license was restored due to a system error. You might need to reactivate your Windows product.
    ................
    It looks like you got the KAV scan on this one? Did you save the log?
    Microsoft MVP 2003-2009
    Windows-Security

  8. #8
    In Memoriam -Always in our heart CalamityJane's Avatar
    Join Date
    Oct 2005
    Location
    Central Florida, USA
    Posts
    651


    You've got a remote control program installed. Did you install that?
    Microsoft MVP 2003-2009
    Windows-Security

  9. #9
    In Memoriam -Always in our heart CalamityJane's Avatar
    Join Date
    Oct 2005
    Location
    Central Florida, USA
    Posts
    651


    Hello, Leo? Where did you go?

    I think maybe your idea to reformat and reinstall is probably a good one since the software on here isn't yours and you don't have anything important on it - that is going to be your easiest bet because this infection is really messy.

    You are still going to need to validate windows to get SP2 installed which is really needed here but not until after you either get it cleaned up or reinstalled.

    IF you want to try this tool, we can see how it does but this computer has been infected quite a while (at least a month) and maybe done some damage we can't see in these.

    Download ComboFix and save it to your desktop.

    **Note: It is important that it is saved directly to your desktop**

    1. Close any open browsers.

    2. Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.


    Note:
    Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Microsoft MVP 2003-2009
    Windows-Security

  10. #10
    Member
    Join Date
    Jan 2008
    Posts
    36


    Quote Originally Posted by CalamityJane View Post
    Hello, Leo? Where did you go?

    I think maybe your idea to reformat and reinstall is probably a good one since the software on here isn't yours and you don't have anything important on it - that is going to be your easiest bet because this infection is really messy.

    You are still going to need to validate windows to get SP2 installed which is really needed here but not until after you either get it cleaned up or reinstalled.

    IF you want to try this tool, we can see how it does but this computer has been infected quite a while (at least a month) and maybe done some damage we can't see in these.

    Download ComboFix and save it to your desktop.

    **Note: It is important that it is saved directly to your desktop**

    1. Close any open browsers.

    2. Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.


    Note:
    Do not mouseclick combofix's window while it's running. That may cause it to stall.

    I had to take my favorite wife to lunch... when I rebooted this computer, it started popping up S&D messages about virtumonde.ddc and asking about registry changes on a couple of others so fast I couldn't get anything done for the next 15 minutes...

    If I do have to burn this down, I am very doubtful about installing Windows again. Most of my computers are various flavors of Linux, and I have yet to see even a hint of all this viruspam BS on those. My XP Pro box has had its share of spyspam, but (I think you said you looked at the HJT log for it) nothing bothersome.

    Anyway, I will go ahead with the combofix and see if we can make anything GOOD happen.

    Jane, thanks again!
