VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

[watercooled]

To check it's not a virus blocking DNS lookups try pinging an IP address on the Internet.

[smargh]

If the OP would like someone to remote on for an IT bod to do some manual checks with the usual applications*, feel free to PM me and give a date & time - TeamViewer is my personal preference.



* my standard kit = gmer,procexp,procmon,autoruns,smsniff,rootrepeal,rootalyzer,tcpview,hijackthis,lspfix,everything,etc

[Amitava83]

To check it's not a virus blocking DNS lookups try pinging an IP address on the Internet.

I pinged my DNS Server on XP and is showing "Destination Host Unreachable"!!!!

on Win 7 its working fine....

[watercooled]

Does it say limited connectivity for the adapter in adapter settings in control panel? Try running network diagnostics - press F1 on desktop, click "Use Tools to view your computer information and diagnose problems", click network diagnostics then scan your system.

[smargh]

Try this. Note that it will completely reset your network adapter settings and, but it is broken anyway...

start->run:

Code:

cmd /c netsh int ip reset c:\resetlog.txt && start notepad c:\resetlog.txt

[Amitava83]

I haven't been able to sort out the connectivity issue yet.But I'd like to personally thank each and everyone of you for the truly wonderful guidance you've given me to remove this dangerous worm from my system.A format would have left me totally crippled.

You guys are truly great.

Thank you so much.
Regards
AD

[SammEl]

Yup, suggesting a format is pretty stupid, I've had the toughest ones throughout the years, including that .wmf one a few years back, it takes time and paitence to remove, but it's possible.

Unless something totally currupts the Registry beyond repair, then do a Windows repair.

[Paul Adams]

A format would have left me totally crippled.

You should take the opportunity now to back up all your data (not programs), and ensure you have all the serials, product keys, activation codes, etc. for your programs.
Then you should reinstall that OS, ideally formatting the partition it is on if it's not shared.

When you know a system has been compromised, it's very difficult to know it has been sufficiently "cleaned", and impossible to know that access control lists and user accounts have not been tampered with (leaving other backdoors to be later exploited, though not through infected executables).

Basic rule of thumb for systems that get compromised, or unstable after changes have been made - restore from a full backup if available, otherwise reinstall.
And after installing, use a non-admin user account

[Amitava83]

Hi friends,I'm anable to access Internet,as I said before on this post.I have posted a detailed description of the problem on this thread http://forums.hexus.net/networking-b...ml#post1912134

Pleas help me out to solve this...
Regards

[CrazyMonkey]

Sorry i havent replied i was out last night.

You are not clean yet there are still a few entries that need fixing in hijackthis. Run hijackthis again on the xp system, check the below entries and click fix.

Code:

C:\WINDOWS\system32\nlssrv32.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 4.2.2.2,202.54.1.63,202.54.1.64,172.16.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

Next navigate to the below and delete them (if found) (tell me if you cannot delete them)

Code:

C:\WINDOWS\system32\runsrv32.exe
C:\WINDOWS\system32\susp.exe

Then reboot.
Download http://majorgeeks.com/WinSock_XP_Fix_d4372.html and run it, (hopefully will fix your internet issues).
Reboot.

Run hijackthis again and post a fresh log.

You may also wish to run another MBAM scan (although everything found was removed successfully) and/or a scan with your resident virus scanner.

Also it seems you are getting help on chip.in, if someone else qualified is helping you please say so - i do not want my removal steps conflicting with theirs as this could spell trouble.

Feel free to pm me when you have replied as i will then be notified by email.

Cheers.

[Amitava83]

Sorry i havent replied i was out last night.

You are not clean yet there are still a few entries that need fixing in hijackthis. Run hijackthis again on the xp system, check the below entries and click fix.

Code:

C:\WINDOWS\system32\nlssrv32.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 4.2.2.2,202.54.1.63,202.54.1.64,172.16.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

Next navigate to the below and delete them (if found) (tell me if you cannot delete them)

Code:

C:\WINDOWS\system32\runsrv32.exe
C:\WINDOWS\system32\susp.exe

Then reboot.
Download http://majorgeeks.com/WinSock_XP_Fix_d4372.html and run it, (hopefully will fix your internet issues).
Reboot.

Run hijackthis again and post a fresh log.

You may also wish to run another MBAM scan (although everything found was removed successfully) and/or a scan with your resident virus scanner.

Also it seems you are getting help on chip.in, if someone else qualified is helping you please say so - i do not want my removal steps conflicting with theirs as this could spell trouble.

Feel free to pm me when you have replied as i will then be notified by email.

Cheers.

Thanks a LOT..I'll be carrying out all the steps and update asap

[Amitava83]

I'm following your steps only sir....

[CrazyMonkey]

I'm following your steps only sir....

Oh. I dont mind you following other peoples steps posted here because i can see what they are saying and build on what they have suggested.

Post back when you have completed all the steps.

Cheers.

[Amitava83]

@ CrazyMonkey

My hats off to you!You are nothing short of a bloody genius!!!

My Internet Connection issue is resolved....!

This is my present situation:

1.I ran Hijack This:
However,the following entries could not be removed in spite of Fixing them..They are reappearing when I run Hijack This again:

O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe

This entry was not found in the Logfile:
17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 4.2.2.2,202.54.1.63,202.54.1.64,172.16.0.1

All the others have been fixed.However,I'll recheck this again.


2.Both of these two files
(C:\WINDOWS\system32\runsrv32.exe
C:\WINDOWS\system32\susp.exe) were not found.

However I found syre32.exe in the same folder and impudently deleted it.i know I should have confirmed this before.Did I do something very wrong here??


3.The WinSock XP Fix worked fine and I'm writing this post on XP only!(Just a quick question--I installed Kaspersky Internet Security 2010 this morning and its forever since running a scan which I am not able to stop.What is this???)


4.This is the latest Hijack This log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:27 PM, on 4/24/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nlssrv32.exe
J:\amitdb\bin\nmesrvc.exe
J:\amitdb\bin\isqlplussvc.exe
J:\amitdb\BIN\TNSLSNR.exe
J:\amitdb\jdk\bin\java.exe
j:\amitdb\bin\ORACLE.EXE
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\system32\cmd.exe
J:\amitdb\perl\5.8.3\bin\MSWin32-x86-multi-thread\perl.exe
J:\amitdb\jdk\bin\java.exe
C:\WINDOWS\system32\ping.exe
J:\amitdb\bin\emagent.exe
F:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [MDS_Menu] "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso\MUITransfer\MUIStartMenu.exe" "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso" UpdateWithCreateOnce "Software\CyberLink\MediaShow Espresso\5.5"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1259424836671
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPE R~1\KASPER~1\kloehk.dll
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HDD & SSD access service - Unknown owner - C:\Program Files\Common Files\BinarySense\disksvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mysql - Unknown owner - F:\xampp\mysql\bin\mysqld.exe (file missing)
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: OracleDBConsoleamitdb - Oracle Corporation - J:\amitdb\bin\nmesrvc.exe
O23 - Service: OracleOraDb10g_home2iSQL*Plus - Oracle - J:\amitdb\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home2TNSListener - Unknown owner - J:\amitdb\BIN\TNSLSNR.exe
O23 - Service: OracleServiceAMITDB - Oracle Corporation - j:\amitdb\bin\ORACLE.EXE
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: PrTgressep - Unknown owner - C:\WINDOWS\system32\srvany.exe

--
End of file - 7604 bytes

5.I'm yet to run MBAM Scan..I'll run it now and post the Logs...

PS:Sorry for the bold fonts in some places....had to give them since its a long post...

[watercooled]

Yup, suggesting a format is pretty stupid, I've had the toughest ones throughout the years, including that .wmf one a few years back, it takes time and paitence to remove, but it's possible.

Unless something totally currupts the Registry beyond repair, then do a Windows repair.

Without meaning to start an argument or anything suggesting a reformat on a compromised system isn't stupid at all - you can't really be sure it's completely clean once malware has dug its heels is like Paul Adams explains in the post following yours. I wouldn't trust a system that had been badly infected without wiping it TBH and even if the malware was gone they usually cause all sorts of damage to the OS itself and it's usually just not worth the effort trying to sort it all out and far less painless and time consuming to simply reformat which will sort it all out. Which is why backups are important...

I haven't been able to sort out the connectivity issue yet.But I'd like to personally thank each and everyone of you for the truly wonderful guidance you've given me to remove this dangerous worm from my system.A format would have left me totally crippled.

Did you run that network diagnostics tool I recommended? Where did it fail?

[CrazyMonkey]

@ CrazyMonkey

My hats off to you!You are nothing short of a bloody genius!!!

My Internet Connection issue is resolved....!

This is my present situation:

1.I ran Hijack This:
However,the following entries could not be removed in spite of Fixing them..They are reappearing when I run Hijack This again:

O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe

Ok, the svchost entry isnt too worrying as its a service trying to load an exe that has been deleted. (was malware)

Could you navigate to http://virusscan.jotti.org/en-GB and upload C:\Program Files\1239710008\Amitava1239710008L.exe for analysis please (if the file isnt too large)
Then post the results URL.

This entry was not found in the Logfile:
17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 4.2.2.2,202.54.1.63,202.54.1.64,172.16.0.1

Thats ok, this was lending itself to the problem of you not being able to gain internet access, it's a good thing that its no longer there.

All the others have been fixed.However,I'll recheck this again.


2.Both of these two files
(C:\WINDOWS\system32\runsrv32.exe
C:\WINDOWS\system32\susp.exe) were not found.

Thats ok i thought they might not be, but was worth checking.

However I found syre32.exe in the same folder and impudently deleted it.i know I should have confirmed this before.Did I do something very wrong here??

No, good thinking. I'd search your entire drive for 'syre32.exe' (via windows search, ensuring hidden files and system files are checked in advanced search options.) Removing any it finds.

3.The WinSock XP Fix worked fine and I'm writing this post on XP only!(Just a quick question--I installed Kaspersky Internet Security 2010 this morning and its forever since running a scan which I am not able to stop.What is this???)



5.I'm yet to run MBAM Scan..I'll run it now and post the Logs...

PS:Sorry for the bold fonts in some places....had to give them since its a long post...

Good, that should have restored your internet connectivity.

To answer that question it's most likely performing a first time scan, is it still scanning? or has it hung/froze? Also on that note has it found anything so far?

As for your hijackthis log there are still a few entries that i am concerned with.

Code:

C:\WINDOWS\system32\nlssrv32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

Can you please upload C:\WINDOWS\system32\nlssrv32.exe to virusscan.jotti.org as you did before (and post the results url).

Try checking the below in hijackthis and clicking 'fix' as before. Leave the other entries until jotti has analysed them.

Code:

O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

Reboot, repost a hijackthis log and the jotti results urls.

Also do you run netware?? If not we can remove the 010 entry, which will need to be done via another program.

Did you run that network diagnostics tool I recommended? Where did it fail?

I believe his internet connectivity issues are fixed now? The winsock api was corrupt afaik.

Cheers.