Page 3 of 9 FirstFirst 123456 ... LastLast
Results 33 to 48 of 129

Thread: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

  1. #33
    Senior Member watercooled's Avatar
    Join Date
    Jan 2009
    Posts
    11,478
    Thanks
    1,541
    Thanked
    1,029 times in 872 posts

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    To check it's not a virus blocking DNS lookups try pinging an IP address on the Internet.

  2. #34
    Senior Member
    Join Date
    Feb 2008
    Posts
    925
    Thanks
    4
    Thanked
    161 times in 148 posts
    • smargh's system
      • Motherboard:
      • Gigabyte GA-EP45-UD3P
      • CPU:
      • Xeon E5450 with 775-to-771 Mod
      • Memory:
      • 16GB Crucial
      • Storage:
      • Intel X25-M G2 80GB/Adaptec 3405 4x 2TB Ultrastar RAID1 / 1x 6TB Hitachi He6 / Dying 2TB Samsung
      • Graphics card(s):
      • GTX 750 Ti
      • PSU:
      • Seasonic X-560
      • Case:
      • Lian-Li PC-A71
      • Operating System:
      • Windows 7 Ultimate 64bit
      • Monitor(s):
      • BenQ G2400WD
      • Internet:
      • Really Crap ADSL2 <3Mbit

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    If the OP would like someone to remote on for an IT bod to do some manual checks with the usual applications*, feel free to PM me and give a date & time - TeamViewer is my personal preference.



    * my standard kit = gmer,procexp,procmon,autoruns,smsniff,rootrepeal,rootalyzer,tcpview,hijackthis,lspfix,everything,etc

  3. #35
    Registered+
    Join Date
    Jul 2009
    Location
    Calcutta,India
    Posts
    86
    Thanks
    7
    Thanked
    1 time in 1 post
    • Amitava83's system
      • Motherboard:
      • ASUS P5Q-E
      • CPU:
      • C2D E7300@stock speed
      • Memory:
      • 2X2 GB 800MHz Corsair
      • Storage:
      • 500.1 GB @7200.11 Seagate
      • Graphics card(s):
      • Palit Radeon HD 4870 1 GB DDR5 Sonic Dual Edition
      • PSU:
      • Corsair TX 650W
      • Case:
      • Corsair CM 690
      • Operating System:
      • XP SP2,Vista SP1
      • Monitor(s):
      • Dell 1909W
      • Internet:
      • 128kbps DSL unlimited

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Quote Originally Posted by watercooled View Post
    To check it's not a virus blocking DNS lookups try pinging an IP address on the Internet.
    I pinged my DNS server on XP and it is showing "Destination Host Unreachable"!!!!

    On Win 7 it's working fine...

  4. #36
    Senior Member watercooled's Avatar
    Join Date
    Jan 2009
    Posts
    11,478
    Thanks
    1,541
    Thanked
    1,029 times in 872 posts

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Does it say limited connectivity for the adapter in adapter settings in control panel? Try running network diagnostics - press F1 on desktop, click "Use Tools to view your computer information and diagnose problems", click network diagnostics then scan your system.

  5. #37
    Senior Member
    Join Date
    Feb 2008
    Posts
    925
    Thanks
    4
    Thanked
    161 times in 148 posts

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Try this. Note that it will completely reset your network adapter settings, but they are broken anyway...

    start->run:
    Code:
    cmd /c netsh int ip reset c:\resetlog.txt && start notepad c:\resetlog.txt

  6. #38
    Registered+
    Join Date
    Jul 2009
    Location
    Calcutta,India
    Posts
    86
    Thanks
    7
    Thanked
    1 time in 1 post

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    I haven't been able to sort out the connectivity issue yet. But I'd like to personally thank each and every one of you for the truly wonderful guidance you've given me to remove this dangerous worm from my system. A format would have left me totally crippled.

    You guys are truly great.

    Thank you so much.
    Regards
    AD

  7. #39
    Senior Member
    Join Date
    Mar 2007
    Posts
    591
    Thanks
    0
    Thanked
    28 times in 26 posts

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Yup, suggesting a format is pretty stupid. I've had the toughest ones throughout the years, including that .wmf one a few years back; it takes time and patience to remove, but it's possible.

    Unless something totally corrupts the Registry beyond repair, then do a Windows repair.

  8. #40
    Ex-MSFT Paul Adams's Avatar
    Join Date
    Jul 2003
    Location
    %systemroot%
    Posts
    1,926
    Thanks
    29
    Thanked
    77 times in 59 posts
    • Paul Adams's system
      • Motherboard:
      • Asus Maximus VIII
      • CPU:
      • Intel Core i7-6700K
      • Memory:
      • 16GB
      • Storage:
      • 2x250GB SSD / 500GB SSD / 2TB HDD
      • Graphics card(s):
      • nVidia GeForce GTX1080
      • Operating System:
      • Windows 10 x64 Pro
      • Monitor(s):
      • Philips 40" 4K
      • Internet:
      • 500Mbps fiber

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Quote Originally Posted by Amitava83 View Post
    A format would have left me totally crippled.
    You should take the opportunity now to back up all your data (not programs), and ensure you have all the serials, product keys, activation codes, etc. for your programs.
    Then you should reinstall that OS, ideally formatting the partition it is on if it's not shared.

    When you know a system has been compromised, it's very difficult to know it has been sufficiently "cleaned", and impossible to know that access control lists and user accounts have not been tampered with (leaving other backdoors to be later exploited, though not through infected executables).

    Basic rule of thumb for systems that get compromised, or unstable after changes have been made - restore from a full backup if available, otherwise reinstall.
    And after installing, use a non-admin user account.
    ~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
    PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
    Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3


  10. #41
    Registered+
    Join Date
    Jul 2009
    Location
    Calcutta,India
    Posts
    86
    Thanks
    7
    Thanked
    1 time in 1 post

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Hi friends, I'm unable to access the Internet, as I said before in this thread. I have posted a detailed description of the problem on this thread http://forums.hexus.net/networking-b...ml#post1912134

    Please help me out to solve this...
    Regards

  11. #42
    Late Night Ninja! CrazyMonkey's Avatar
    Join Date
    Oct 2006
    Location
    Bristol
    Posts
    1,510
    Thanks
    29
    Thanked
    44 times in 43 posts
    • CrazyMonkey's system
      • Motherboard:
      • Asus M4N98TD Evo
      • CPU:
      • Phenom II X6 1055T @ 4.1ghz
      • Memory:
      • 8GB DDR3 Dominator @ 1700mhz
      • Storage:
      • 120GB OCZ Vertex 2E - 1TB Hitatchi
      • Graphics card(s):
      • 2x 460 1GB
      • PSU:
      • 850W
      • Case:
      • Silverstone Fortress FT02R-WRI Ltd.Edition
      • Operating System:
      • Win 7, XP, Server2008 RC1, Gentoo
      • Monitor(s):
      • 24" Acer LED - 22" Belinea - 19" Samsung - 19" IIyama
      • Internet:
      • 50 MB Virgin Media Cable

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Sorry I haven't replied, I was out last night.

    You are not clean yet; there are still a few entries that need fixing in HijackThis. Run HijackThis again on the XP system, check the entries below and click Fix.

    Code:
    C:\WINDOWS\system32\nlssrv32.exe
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O1 - Hosts: 66.98.148.65 auto.search.msn.com
    O1 - Hosts: 66.98.148.65 auto.search.msn.es
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 4.2.2.2,202.54.1.63,202.54.1.64,172.16.0.1
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
    O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
    Next navigate to the below and delete them (if found) (tell me if you cannot delete them)
    Code:
    C:\WINDOWS\system32\runsrv32.exe
    C:\WINDOWS\system32\susp.exe
    Then reboot.
    Download http://majorgeeks.com/WinSock_XP_Fix_d4372.html and run it, (hopefully will fix your internet issues).
    Reboot.

    Run hijackthis again and post a fresh log.

    You may also wish to run another MBAM scan (although everything found was removed successfully) and/or a scan with your resident virus scanner.

    Also, it seems you are getting help on chip.in. If someone else qualified is helping you, please say so; I do not want my removal steps conflicting with theirs, as this could spell trouble.

    Feel free to PM me when you have replied, as I will then be notified by email.

    Cheers.
    Last edited by CrazyMonkey; 24-04-2010 at 01:46 PM.

  12. #43
    Registered+
    Join Date
    Jul 2009
    Location
    Calcutta,India
    Posts
    86
    Thanks
    7
    Thanked
    1 time in 1 post

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Quote Originally Posted by CrazyMonkey View Post
    Sorry I haven't replied, I was out last night.

    You are not clean yet; there are still a few entries that need fixing in HijackThis. Run HijackThis again on the XP system, check the entries below and click Fix.

    Code:
    C:\WINDOWS\system32\nlssrv32.exe
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O1 - Hosts: 66.98.148.65 auto.search.msn.com
    O1 - Hosts: 66.98.148.65 auto.search.msn.es
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 4.2.2.2,202.54.1.63,202.54.1.64,172.16.0.1
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
    O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
    Next navigate to the below and delete them (if found) (tell me if you cannot delete them)
    Code:
    C:\WINDOWS\system32\runsrv32.exe
    C:\WINDOWS\system32\susp.exe
    Then reboot.
    Download http://majorgeeks.com/WinSock_XP_Fix_d4372.html and run it, (hopefully will fix your internet issues).
    Reboot.

    Run hijackthis again and post a fresh log.

    You may also wish to run another MBAM scan (although everything found was removed successfully) and/or a scan with your resident virus scanner.

    Also, it seems you are getting help on chip.in. If someone else qualified is helping you, please say so; I do not want my removal steps conflicting with theirs, as this could spell trouble.

    Feel free to PM me when you have replied, as I will then be notified by email.

    Cheers.


    Thanks a LOT. I'll be carrying out all the steps and update ASAP.

  13. #44
    Registered+
    Join Date
    Jul 2009
    Location
    Calcutta,India
    Posts
    86
    Thanks
    7
    Thanked
    1 time in 1 post

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    I'm following your steps only sir....

  14. #45
    Late Night Ninja! CrazyMonkey's Avatar
    Join Date
    Oct 2006
    Location
    Bristol
    Posts
    1,510
    Thanks
    29
    Thanked
    44 times in 43 posts

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Quote Originally Posted by Amitava83 View Post
    I'm following your steps only sir....
    Oh. I don't mind you following other people's steps posted here, because I can see what they are saying and build on what they have suggested.

    Post back when you have completed all the steps.

    Cheers.

  15. #46
    Registered+
    Join Date
    Jul 2009
    Location
    Calcutta,India
    Posts
    86
    Thanks
    7
    Thanked
    1 time in 1 post

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    @ CrazyMonkey

    My hat's off to you! You are nothing short of a bloody genius!!!

    My Internet Connection issue is resolved....!

    This is my present situation:

    1. I ran HijackThis:
    However, the following entries could not be removed in spite of fixing them. They are reappearing when I run HijackThis again:

    O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

    O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe

    This entry was not found in the Logfile:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 4.2.2.2,202.54.1.63,202.54.1.64,172.16.0.1

    All the others have been fixed. However, I'll recheck this again.


    2. Both of these two files
    (C:\WINDOWS\system32\runsrv32.exe
    C:\WINDOWS\system32\susp.exe) were not found.

    However, I found syre32.exe in the same folder and impudently deleted it. I know I should have confirmed this before. Did I do something very wrong here??


    3. The WinSock XP Fix worked fine and I'm writing this post on XP only! (Just a quick question: I installed Kaspersky Internet Security 2010 this morning and it has been running a scan forever, which I am not able to stop. What is this???)


    4. This is the latest HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:38:27 PM, on 4/24/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\SYSTEM32\astsrv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nlssrv32.exe
    J:\amitdb\bin\nmesrvc.exe
    J:\amitdb\bin\isqlplussvc.exe
    J:\amitdb\BIN\TNSLSNR.exe
    J:\amitdb\jdk\bin\java.exe
    j:\amitdb\bin\ORACLE.EXE
    C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
    C:\WINDOWS\system32\cmd.exe
    J:\amitdb\perl\5.8.3\bin\MSWin32-x86-multi-thread\perl.exe
    J:\amitdb\jdk\bin\java.exe
    C:\WINDOWS\system32\ping.exe
    J:\amitdb\bin\emagent.exe
    F:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
    O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [MDS_Menu] "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso\MUITransfer\MUIStartMenu.exe" "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso" UpdateWithCreateOnce "Software\CyberLink\MediaShow Espresso\5.5"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
    O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1259424836671
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
    O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: HDD & SSD access service - Unknown owner - C:\Program Files\Common Files\BinarySense\disksvc.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: mysql - Unknown owner - F:\xampp\mysql\bin\mysqld.exe (file missing)
    O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
    O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
    O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
    O23 - Service: OracleDBConsoleamitdb - Oracle Corporation - J:\amitdb\bin\nmesrvc.exe
    O23 - Service: OracleOraDb10g_home2iSQL*Plus - Oracle - J:\amitdb\bin\isqlplussvc.exe
    O23 - Service: OracleOraDb10g_home2TNSListener - Unknown owner - J:\amitdb\BIN\TNSLSNR.exe
    O23 - Service: OracleServiceAMITDB - Oracle Corporation - j:\amitdb\bin\ORACLE.EXE
    O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
    O23 - Service: PrTgressep - Unknown owner - C:\WINDOWS\system32\srvany.exe

    --
    End of file - 7604 bytes

    5. I'm yet to run an MBAM scan. I'll run it now and post the logs...

    PS:Sorry for the bold fonts in some places....had to give them since its a long post...

  16. #47
    Senior Member watercooled's Avatar
    Join Date
    Jan 2009
    Posts
    11,478
    Thanks
    1,541
    Thanked
    1,029 times in 872 posts

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Quote Originally Posted by SammEl View Post
    Yup, suggesting a format is pretty stupid, I've had the toughest ones throughout the years, including that .wmf one a few years back, it takes time and paitence to remove, but it's possible.

    Unless something totally currupts the Registry beyond repair, then do a Windows repair.
    Without meaning to start an argument or anything, suggesting a reformat on a compromised system isn't stupid at all; you can't really be sure it's completely clean once malware has dug its heels in, as Paul Adams explains in the post following yours. I wouldn't trust a system that had been badly infected without wiping it, TBH, and even if the malware is gone it usually causes all sorts of damage to the OS itself. It's usually just not worth the effort trying to sort it all out, and far less painful and time consuming to simply reformat, which will sort it all out. Which is why backups are important...

    Quote Originally Posted by Amitava83 View Post
    I haven't been able to sort out the connectivity issue yet.But I'd like to personally thank each and everyone of you for the truly wonderful guidance you've given me to remove this dangerous worm from my system.A format would have left me totally crippled.
    Did you run that network diagnostics tool I recommended? Where did it fail?

  17. #48
    Late Night Ninja! CrazyMonkey's Avatar
    Join Date
    Oct 2006
    Location
    Bristol
    Posts
    1,510
    Thanks
    29
    Thanked
    44 times in 43 posts

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Quote Originally Posted by Amitava83 View Post
    @ CrazyMonkey

    My hats off to you!You are nothing short of a bloody genius!!!

    My Internet Connection issue is resolved....!

    This is my present situation:

    1.I ran Hijack This:
    However,the following entries could not be removed in spite of Fixing them..They are reappearing when I run Hijack This again:

    O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

    O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
    OK, the svchost entry isn't too worrying, as it's a service trying to load an exe that has been deleted (which was malware).

    Could you navigate to http://virusscan.jotti.org/en-GB and upload C:\Program Files\1239710008\Amitava1239710008L.exe for analysis please (if the file isn't too large)?
    Then post the results URL.

    Quote Originally Posted by Amitava83 View Post
    This entry was not found in the Logfile:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 4.2.2.2,202.54.1.63,202.54.1.64,172.16.0.1
    That's OK; this was lending itself to the problem of you not being able to gain Internet access. It's a good thing that it's no longer there.

    Quote Originally Posted by Amitava83 View Post
    All the others have been fixed.However,I'll recheck this again.


    2.Both of these two files
    (C:\WINDOWS\system32\runsrv32.exe
    C:\WINDOWS\system32\susp.exe) were not found.
    That's OK, I thought they might not be, but it was worth checking.

    Quote Originally Posted by Amitava83 View Post
    However I found syre32.exe in the same folder and impudently deleted it.i know I should have confirmed this before.Did I do something very wrong here??
    No, good thinking. I'd search your entire drive for 'syre32.exe' (via Windows Search, ensuring hidden files and system files are checked in the advanced search options), removing any it finds.

    Quote Originally Posted by Amitava83 View Post
    3.The WinSock XP Fix worked fine and I'm writing this post on XP only!(Just a quick question--I installed Kaspersky Internet Security 2010 this morning and its forever since running a scan which I am not able to stop.What is this???)



    5.I'm yet to run MBAM Scan..I'll run it now and post the Logs...

    PS:Sorry for the bold fonts in some places....had to give them since its a long post...
    Good, that should have restored your Internet connectivity.

    To answer that question, it's most likely performing a first-time scan. Is it still scanning, or has it hung/frozen? Also, on that note, has it found anything so far?

    As for your HijackThis log, there are still a few entries that I am concerned with.

    Code:
    C:\WINDOWS\system32\nlssrv32.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
    O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
    O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
    O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
    Can you please upload C:\WINDOWS\system32\nlssrv32.exe to virusscan.jotti.org as you did before (and post the results URL).

    Try checking the entries below in HijackThis and clicking 'Fix' as before. Leave the other entries until Jotti has analysed them.

    Code:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
    O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
    Reboot, repost a HijackThis log and the Jotti results URLs.

    Also, do you run NetWare? If not, we can remove the O10 entry, which will need to be done via another program.

    Quote Originally Posted by watercooled View Post
    Did you run that network diagnostics tool I recommended? Where did it fail?
    I believe his Internet connectivity issues are fixed now? The Winsock API was corrupt, AFAIK.

    Cheers.
    Last edited by CrazyMonkey; 24-04-2010 at 04:41 PM.
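The checks CrazyMonkey applies by eye in posts #42 and #48 (hosts-file redirects in O1 lines, the O17 NameServer override, O23 services whose binary is missing or is a "svchost.exe" living outside system32, and the service with an all-digit name and no vendor) can be written down as rules. The script below is an added example for this thread, not code from the thread or from HijackThis. It parses HijackThis-style log lines and reports what a first-pass triage would flag. The sample log is a constructed subset of the lines posted above plus two benign lines (the loopback hosts entry and the Bonjour service) so the rules have something to leave alone; the system32 path and the "all-digit service name" heuristic are assumptions, not HijackThis behaviour.

```python
"""Heuristic triage of HijackThis log lines (added example, not HijackThis code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample: a subset of the lines posted in the thread, plus one
# benign hosts line and one benign service that the rules should ignore.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 4.2.2.2,202.54.1.63,202.54.1.64,172.16.0.1
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# The genuine copies of these live in %SystemRoot%\system32; the same file name
# anywhere else is a classic masquerade. Default XP install path assumed.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "csrss.exe", "smss.exe"}
SYSTEM32 = r"c:\windows\system32"

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
DNS_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+?)( \(file missing\))?$")
PROXY_RE = re.compile(r"^R1 - .*ProxyOverride = (.+)$")


@dataclass
class Finding:
    line: str
    severity: str  # "fix": safe to remove; "review": needs a human decision
    reason: str


def _split_path(path: str) -> tuple[str, str]:
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.lower()


def _is_public(ip_str: str) -> bool:
    try:
        return not ip_address(ip_str).is_private
    except ValueError:          # not an address at all: treat as worth a look
        return True


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            ip_str, host = m.groups()
            try:
                addr = ip_address(ip_str)
            except ValueError:
                findings.append(Finding(line, "review", f"hosts entry with unparseable address {ip_str!r}"))
                continue
            # 127.0.0.1 / 0.0.0.0 entries block a host; any other address redirects it.
            if not (addr.is_loopback or addr.is_unspecified):
                findings.append(Finding(line, "fix", f"hosts file redirects {host} to {ip_str}"))
        elif m := DNS_RE.match(line):
            servers = [s.strip() for s in m.group(1).split(",")]
            public = [s for s in servers if _is_public(s)]
            # An override is not proof of malice (ISP resolvers are public too), so report, don't fix.
            findings.append(Finding(line, "review",
                f"adapter DNS set to {len(servers)} servers, {len(public)} of them public: {', '.join(public)}"))
        elif m := SERVICE_RE.match(line):
            display, owner, path, missing = m.groups()
            directory, binary = _split_path(path)
            if missing:
                findings.append(Finding(line, "fix", f"service '{display}' points at a binary that no longer exists"))
            if binary in SYSTEM_BINARIES and directory != SYSTEM32:
                findings.append(Finding(line, "fix", f"{binary} outside {SYSTEM32} is not the Windows binary"))
            # Heuristic: a service with no vendor string and a purely numeric name.
            if owner == "Unknown owner" and re.fullmatch(r"\d+", display.split(" (")[0]):
                findings.append(Finding(line, "review", "no vendor and an all-digit service name; submit the binary for analysis"))
        elif m := PROXY_RE.match(line):
            findings.append(Finding(line, "review", f"proxy bypass list {m.group(1)!r} set; confirm no proxy is configured"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it against a saved HijackThis log by passing the file contents to triage(). The "fix" findings are the ones a helper would tick in HijackThis without a second thought; the "review" findings are the ones the thread handles by uploading the binary to a multi-engine scanner first, and the DNS override is reported rather than auto-fixed because a public resolver in the list (4.2.2.2 here) may be the ISP's or the user's own choice.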

