Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Finally managed to run HijackThis from XP:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:59 AM, on 4/23/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\syre32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\nlssrv32.exe
J:\amitdb\bin\nmesrvc.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
J:\amitdb\bin\isqlplussvc.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
J:\amitdb\BIN\TNSLSNR.exe
C:\WINDOWS\system32\syre32.exe
J:\amitdb\jdk\bin\java.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
j:\amitdb\bin\ORACLE.EXE
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
J:\amitdb\bin\oradim.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\cmd.exe
J:\amitdb\perl\5.8.3\bin\MSWin32-x86-multi-thread\perl.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
J:\amitdb\jdk\bin\java.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\msvmcls64.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ping.exe
C:\WINDOWS\system32\msvmcls64.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Administrator\trpo.exe \s
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [MDS_Menu] "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso\MUITransfer\MUIStartMenu.exe" "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso" UpdateWithCreateOnce "Software\CyberLink\MediaShow Espresso\5.5"
O4 - HKLM\..\Run: [conime.exe] conime.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\system32\spoolsvc.exe
O4 - HKLM\..\Run: [Microsoft Driver Setup] C:\WINDOWS\cidrive32.exe
O4 - HKLM\..\Run: [oo] C:\WINDOWS\ndll.exe
O4 - HKLM\..\Run: [MS Virtual CLS] C:\WINDOWS\system32\msvmcls64.exe
O4 - HKLM\..\Run: [544] C:\WINDOWS\system32\umdmgr.exe
O4 - HKLM\..\Run: [syre32] C:\WINDOWS\system32\syre32.exe
O4 - HKLM\..\Run: [753] C:\WINDOWS\system32\umdmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [12CFG214-K641-12SF-N85P] C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\cidrive32.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1259424836671
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 4.2.2.2,202.54.1.63,202.54.1.64,172.16.0.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - F:\Program Files\AVG\AVG9\avgpp.dll (file missing)
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HDD & SSD access service - Unknown owner - C:\Program Files\Common Files\BinarySense\disksvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mysql - Unknown owner - F:\xampp\mysql\bin\mysqld.exe (file missing)
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: OracleDBConsoleamitdb - Oracle Corporation - J:\amitdb\bin\nmesrvc.exe
O23 - Service: OracleOraDb10g_home2iSQL*Plus - Oracle - J:\amitdb\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home2TNSListener - Unknown owner - J:\amitdb\BIN\TNSLSNR.exe
O23 - Service: OracleServiceAMITDB - Oracle Corporation - j:\amitdb\bin\ORACLE.EXE
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: PrTgressep - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
--
End of file - 12934 bytes
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
I've had two amazing infections lately.
The first one would not let certain programs open, i.e. MalwareBytes / Avira. I did manage to get MB to run; it finds the problem, but when you click Fix it shuts down. Very clever.
But it did let Spybot S&D run, and with a few searches from MalwareBytes it fixed it.
The second one blocked any .exe files from opening, and even if they were already running and you tried to look at them, it would close them down (even Task Manager). I rebooted and, before it started up, stopped the process, and that worked quite easily.
I'd recommend everything except a format, because there are ways round it; even if it takes you two hours, it's better than a format.
If you have access to the XP account, open up Run and type in msconfig, go to Startup and stop that process from booting up. The majority of the time that will give you some time to sort things out.
Spybot S&D has a feature where you can let it scan straight after boot, and that's the first thing your PC does on reboot; you won't even be able to get into Windows before the scan finishes.
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
removal tools:
http://www.symantec.com/security_res...011316-0247-99
http://www.bitdefender.com/VIRUS-100...2.Polip.A.html
The viruses are mostly exploiting known and already fixed vulnerabilities. Your XP version (SP2) is really out of date, and that is probably why you got these. When you get it back, make sure to update it to SP3 and run Windows Update afterwards.
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Sometimes a format is the only, and probably the best, solution though.
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote: Originally Posted by SammEl
If you have access to the XP account, open up Run and type in msconfig, go to Startup and stop that process from booting up. The majority of the time that will give you some time to sort things out.
I can log in to XP, but as soon as I do so, this Trojan/virus starts one process after another and within one minute my system freezes.
Quote: Originally Posted by SammEl
Spybot S&D has a feature where you can let it scan straight after boot, and that's the first thing your PC does on reboot; you won't even be able to get into Windows before the scan finishes.
At the moment, I cannot even open My Computer in XP. It freezes.
Please help me out, guys. Formatting is the very last option I'd go for.
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote: Originally Posted by Amitava83
Please help me out, guys. Formatting is the very last option I'd go for.
What happened when you logged into Windows 7 and ran those removal tools I linked to?
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
I haven't yet... I'm in the office right now. The moment I get on my home PC, I'll run those.
Thanks
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
As well as others, you have the infamous Conficker worm which, as kalniel said, is because your system is far from up-to-date with security patches. No antivirus is a substitute for keeping Windows up-to-date with Windows Update; whether you run it manually or leave it on auto is up to you, but it's very important you keep Windows patched! Conficker tries to protect itself by limiting the websites you can visit, i.e. it blocks Symantec, Kaspersky, McAfee and loads more. I think it also stops Windows Update from functioning, disables Safe Mode and does its best to stop AV running. Note also that Conficker spreads itself over networks and USB flash drives, so I'd recommend checking other PCs on your network as well as any flash drives for it (you could do that in a Linux LiveCD to be safe).
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote: Originally Posted by watercooled
As well as others, you have the infamous Conficker worm which, as kalniel said, is because your system is far from up-to-date with security patches. No antivirus is a substitute for keeping Windows up-to-date with Windows Update; whether you run it manually or leave it on auto is up to you, but it's very important you keep Windows patched! Conficker tries to protect itself by limiting the websites you can visit, i.e. it blocks Symantec, Kaspersky, McAfee and loads more. I think it also stops Windows Update from functioning, disables Safe Mode and does its best to stop AV running. Note also that Conficker spreads itself over networks and USB flash drives, so I'd recommend checking other PCs on your network as well as any flash drives for it (you could do that in a Linux LiveCD to be safe).
Oh Holy ****!!! Yes, all you say is true. My XP Safe Mode is disabled, no AV is running, no antispyware or antimalware is executing. It's a standstill. Will the two links that Kalniel kindly provided help me remove this thing if I run it from Windows 7???? That's the vital question.
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Yes, the first link I gave you is the anti-Conficker tool. Follow the instructions on that page carefully, especially the points about making sure your machine isn't on a network.
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
After you deleted the files I mentioned, did they return after rebooting into XP?
How about trying to enter Safe Mode via msconfig? Start > Run > msconfig, boot.ini tab, and select /SAFEBOOT. Restart and see if you have any success. If you do, run HijackThis and remove the below, then run MBAM.
Also post logs of any MBAM scans you may have performed (from Win7 or XP).
If you can get HijackThis to run again, select all these for removal (check them and click Fix):
Code:
C:\WINDOWS\system32\syre32.exe (all entries of this one, and anything with the same filename)
C:\WINDOWS\system32\msvmcls64.exe (all entries of this one, and anything with the same filename)
C:\WINDOWS\system32\cmd.exe (all entries of this one, and anything with the same filename)
C:\WINDOWS\system32\ping.exe (all entries of this one, and anything with the same filename)
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O4 - HKLM\..\Run: [conime.exe] conime.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\system32\spoolsvc.exe
O4 - HKLM\..\Run: [Microsoft Driver Setup] C:\WINDOWS\cidrive32.exe
O4 - HKLM\..\Run: [oo] C:\WINDOWS\ndll.exe
O4 - HKLM\..\Run: [MS Virtual CLS] C:\WINDOWS\system32\msvmcls64.exe
O4 - HKLM\..\Run: [544] C:\WINDOWS\system32\umdmgr.exe
O4 - HKLM\..\Run: [syre32] C:\WINDOWS\system32\syre32.exe
O4 - HKLM\..\Run: [753] C:\WINDOWS\system32\umdmgr.exe
O4 - HKCU\..\Run: [12CFG214-K641-12SF-N85P] C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\cidrive32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 4.2.2.2,202.54.1.63,202.54.1.64,172.16.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - F:\Program Files\AVG\AVG9\avgpp.dll (file missing)
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
O23 - Service: mysql - Unknown owner - F:\xampp\mysql\bin\mysqld.exe (file missing)
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
You also seem to have entries for both Norton and AVG products; I'd advise against having more than one active.
Also try running SilentRunners from http://www.silentrunners.org/ and post the results of the log file.
Another method could be installing Process Explorer and then freezing the processes:
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\msvmcls64.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ping.exe
which will then allow you to attempt to remove their startup registry keys and any associated DLLs, but first try the above.
Quote: Originally Posted by kalniel
Please note that simply running this tool will not remove the infection, it will restart itself on next reboot. However if your antivirus programs detect the Win32.Polip virus but fails to remove it, scan with the above tool then scan with your antivirus solution. Hopefully this will remove the actual files (not just simply terminate it from memory.)
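The removal list above is essentially a set of rules: hosts-file entries, anything chained onto UserInit, Run values pointing at RECYCLER folders or at files dropped in the Windows root, bare filenames resolved through PATH, a DNS override, services with no owner and a missing binary, and one executable running dozens of times. As an added example (not part of this thread, and not code from HijackThis or any of the posters), the Python script below applies those rules to a HijackThis v2 log. The sample input is a constructed subset of the first log posted in the thread; the heuristics and thresholds are this example's own assumptions, meant for triage rather than as a verdict.

```python
"""Triage a HijackThis v2 log: flag hosts-file edits, UserInit chaining, odd Run
entries, DNS overrides, orphan services, and one executable running many times."""
import re
from collections import Counter

# Constructed sample: a subset of the first HijackThis log posted in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\msvmcls64.exe
C:\WINDOWS\system32\ping.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Administrator\trpo.exe \s
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [conime.exe] conime.exe
O4 - HKLM\..\Run: [Microsoft Driver Setup] C:\WINDOWS\cidrive32.exe
O4 - HKLM\..\Run: [544] C:\WINDOWS\system32\umdmgr.exe
O4 - HKCU\..\Run: [12CFG214-K641-12SF-N85P] C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 4.2.2.2,202.54.1.63
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
"""

WINDOWS_ROOT = "c:\\windows"  # assumption: a default XP install drive


def _exe_path(target):
    """Pull the executable path out of an O4 target: quoted or not, with or without arguments."""
    m = re.match(r'"?(.*?\.exe)', target, re.IGNORECASE)
    return m.group(1) if m else target.strip('"')


def _check_run_entry(label, target):
    """Return a reason if a Run-style entry looks suspicious, else None (heuristics are this example's own)."""
    path = _exe_path(target).lower()
    if "\\" not in path:
        return "bare filename, resolved through PATH at logon"
    parent = path.rsplit("\\", 1)[0]
    if path.startswith("c:\\recycler\\"):
        return "autorun from a RECYCLER (Recycle Bin) folder"
    if parent == WINDOWS_ROOT:
        return "executable dropped directly in the Windows root"
    if label.isdigit():
        return "numeric, non-descriptive Run value name"
    return None


def triage(log_text, max_copies=3):
    """Return a list of (code, reason, line) findings for one HijackThis log."""
    findings = []
    processes = Counter()
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and re.match(r"[A-Z]\d* - ", line):  # first HJT entry ends the process list
            in_processes = False
        if in_processes:
            processes[line.lower()] += 1
            continue
        code = line.split(" - ", 1)[0]
        if code == "F2" and "UserInit=" in line:
            chained = line.split("UserInit=", 1)[1].split(",")
            if len(chained) > 1:  # anything beyond userinit.exe runs at every logon
                findings.append((code, "extra program chained onto UserInit", line))
        elif code == "O1":
            findings.append((code, "hosts file redirect", line))
        elif code == "O4":
            m = re.match(r"O4 - (.*?): \[(.*?)\] (.*)$", line)
            if m:
                reason = _check_run_entry(m.group(2), m.group(3))
                if reason:
                    findings.append((code, reason, line))
        elif code == "O17":
            findings.append((code, "DNS NameServer override, confirm it matches the ISP/router", line))
        elif code == "O23" and "Unknown owner" in line:
            binary = line.rsplit(" - ", 1)[1]
            if "(file missing)" in binary or binary.lower().rsplit("\\", 1)[0] == WINDOWS_ROOT:
                findings.append((code, "service with unknown owner and missing or misplaced binary", line))
    for proc, n in processes.items():
        if n > max_copies:
            findings.append(("PROC", f"{n} concurrent copies of the same executable", proc))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

Run against the sample, it flags the same entries CrazyMonkey listed and leaves the Java updater and Bonjour service alone; a real log would be pasted into `SAMPLE_LOG` or read from a file in place of it.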
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote: Originally Posted by kalniel
Yes, the first link I gave you is the anti-Conficker tool. Follow the instructions on that page carefully, especially the points about making sure your machine isn't on a network.
Hi,
I ran the tool from Win7. After scanning completely, it gave a message saying that the virus has not been found!
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
I think the removal tool might look for it in memory, not the HDD, and as 7 isn't infected (correct?) it won't detect it. I think you'd need to run it from the infected OS for it to work.
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote: Originally Posted by watercooled
I think the removal tool might look for it in memory, not the HDD, and as 7 isn't infected (correct?) it won't detect it. I think you'd need to run it from the infected OS for it to work.
Hello friends,
First of all, huge thanks to all of you for helping me out on this. I ran the Symantec Removal tool from XP. It detected nothing. Then I ran Malwarebytes Anti-Malware. It detected 15 infections, which were subsequently quarantined.
Finally I ran HijackThis and removed the entries which CrazyMonkey asked me to remove.
Now XP seems stable enough.
This is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:51 PM, on 4/23/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nlssrv32.exe
J:\amitdb\bin\isqlplussvc.exe
C:\WINDOWS\Explorer.EXE
J:\amitdb\BIN\TNSLSNR.exe
J:\amitdb\jdk\bin\java.exe
j:\amitdb\bin\ORACLE.EXE
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [MDS_Menu] "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso\MUITransfer\MUIStartMenu.exe" "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso" UpdateWithCreateOnce "Software\CyberLink\MediaShow Espresso\5.5"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1259424836671
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 4.2.2.2,202.54.1.63,202.54.1.64,172.16.0.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HDD & SSD access service - Unknown owner - C:\Program Files\Common Files\BinarySense\disksvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: mysql - Unknown owner - F:\xampp\mysql\bin\mysqld.exe (file missing)
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: OracleDBConsoleamitdb - Oracle Corporation - J:\amitdb\bin\nmesrvc.exe
O23 - Service: OracleOraDb10g_home2iSQL*Plus - Oracle - J:\amitdb\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home2TNSListener - Unknown owner - J:\amitdb\BIN\TNSLSNR.exe
O23 - Service: OracleServiceAMITDB - Oracle Corporation - j:\amitdb\bin\ORACLE.EXE
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: PrTgressep - Unknown owner - C:\WINDOWS\system32\srvany.exe
--
End of file - 6774 bytes
-----------------------------
And this is the MBAM log after the first run:
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
4/23/2010 10:00:49 PM
mbam-log-2010-04-23 (22-00-49).txt
Scan type: Full Scan (C:\|)
Objects scanned: 169399
Time elapsed: 14 minute(s), 41 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 4
Memory Processes Infected:
C:\WINDOWS\system32\msvmcls64.exe (Net.Worm) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\passthru (Rootkit.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\microsoft driver setup (Worm.Palevo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\RECYCLER\S-1-5-21-7643446107-3389995720-031469612-9168\syscr.exe,explorer.exe,C:\RECYCLER\S-1-5-21-0738854091-9530544505-321780871-1690\wmfcgr.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Administrator\trpo.exe \s) Good: (Userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811 (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msvmcls64.exe (Net.Worm) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\ndisvvan.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\secupdat.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
----------------------
MBAM log after the second run:
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
4/23/2010 10:19:31 PM
mbam-log-2010-04-23 (22-19-31).txt
Scan type: Full Scan (C:\|)
Objects scanned: 169196
Time elapsed: 13 minute(s), 50 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\msvmcls64.exe (Net.Worm) -> Quarantined and deleted successfully.
Is my system clean now??
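Whether a system is clean after consecutive scans is partly answerable from the logs themselves: an item that the first scan quarantined and the second scan finds again was re-created in between, so whatever dropped it is still running, and anything marked "Delete on reboot" is not gone until the reboot has happened. As an added example (not part of this thread and not Malwarebytes' own code), the Python script below parses two MBAM 1.x logs and reports items that recurred, items that are new in the second run, and items still pending deletion. Both sample logs are constructed subsets of the two logs posted above.

```python
"""Compare two consecutive Malwarebytes' Anti-Malware (1.x) logs to spot
detections that came back after clean-up and detections still pending reboot."""
import re

# Constructed samples: subsets of the first- and second-run logs posted in the thread.
FIRST_RUN = r"""
Malwarebytes' Anti-Malware 1.44
Files Infected: 4
Memory Processes Infected:
C:\WINDOWS\system32\msvmcls64.exe (Net.Worm) -> Unloaded process successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\microsoft driver setup (Worm.Palevo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\RECYCLER\S-1-5-21-7643446107-3389995720-031469612-9168\syscr.exe,explorer.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\msvmcls64.exe (Net.Worm) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\ndisvvan.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

SECOND_RUN = r"""
Malwarebytes' Anti-Malware 1.44
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.
Files Infected:
C:\WINDOWS\system32\msvmcls64.exe (Net.Worm) -> Quarantined and deleted successfully.
"""

# Section headers end with a bare colon; the summary lines ("Files Infected: 4") do not.
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# "<item> (<detection name>) -> <action>", where the action part may itself contain " -> ".
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[\w.]+)\) -> (?P<rest>.+)$")


def parse_mbam(text):
    """Map (section, item) -> (detection name, final action) for every detected item."""
    items = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        m = ITEM_RE.match(line)
        if section and m:
            action = m.group("rest").rsplit(" -> ", 1)[-1]  # last arrow carries the outcome
            items[(section, m.group("item").lower())] = (m.group("name"), action)
    return items


def compare_runs(first_text, second_text):
    """Classify the second run's detections relative to the first run."""
    first, second = parse_mbam(first_text), parse_mbam(second_text)
    recurred = sorted(f"{sec}: {item}" for (sec, item) in second if (sec, item) in first)
    new_in_second = sorted(f"{sec}: {item}" for (sec, item) in second if (sec, item) not in first)
    pending = sorted(f"{sec}: {item}" for (sec, item), (_, action) in second.items()
                     if action.startswith("Delete on reboot"))
    return {"recurred": recurred, "new_in_second": new_in_second, "pending": pending}


if __name__ == "__main__":
    for kind, entries in compare_runs(FIRST_RUN, SECOND_RUN).items():
        print(kind, *entries, sep="\n  ")
```

On these two logs the file msvmcls64.exe shows up under "Files Infected" in both runs, which is the signal that something re-dropped it between scans, and the System Restore policy value is still pending deletion, so a reboot and a third scan are the natural next check.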
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Try running Windows Update to get critical security patches, and I'd recommend running this too; it may not be entirely necessary, but like I said before, it can't hurt.
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote: Originally Posted by watercooled
Try running Windows Update to get critical security patches, and I'd recommend running this too; it may not be entirely necessary, but like I said before, it can't hurt.
For some odd reason, I'm not able to connect to the Internet now from Windows XP. I have a DSL cable connection and I log in through Firefox to my ISP. Firefox says Page Cannot Be Displayed. Could it be that this virus has corrupted some TCP/IP settings?