-
VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
My XP (SP2) has been infected with umdmgr.exe. Windows 7 is fine.
XP hangs within seconds after logging in and around 300 processes start in the background... I have to force restart the system then.
I'm writing this post from Windows 7.
Please suggest a solution immediately guys... please
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Disinfect the computer using your anti-virus program?
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
kalniel
Disinfect the computer using your anti-virus program?
Obviously my antivirus (AVG 9) is not working!!! I tried that!
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Download Malwarebyte's AntiMalware on your Windows 7 PC.
Copy it to a USB drive you don't care about/have anything useful on.
Safe mode on XP.
Run MBAM install from USB key on infected machine.
^Something like that is what I'd probably try....
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
AVG have a ready made boot CD/USB you can use as well now:
http://www.avg.com/ww-en/avg-rescue-cd
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
pollaxe
Download Malwarebyte's AntiMalware on your Windows 7 PC.
Copy it to a USB drive you don't care about/have anything useful on.
Safe mode on XP.
Run MBAM install from USB key on infected machine.
^Something like that is what I'd probably try....
Hi,
Do you mean to say that I copy the installer only to the USB drive and install it from there on my infected Windows XP?? Please could you clarify??
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Yes, that's what I'd try as MBAM is an executable and needs to be installed. So copy the mbam.exe from your Win 7 PC and try to install it on the affected XP PC from the USB key.
Not sure if that's possible in your situation, though..
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
For such a badly infected machine I'd recommend reformatting really, but if that's not an option then I'd go with what kalniel said and use an AV recovery CD like that AVG one, or there are a few others listed in this post. Clean up what you can with that, which should hopefully make the system usable, then run Malwarebytes, which is usually very good for cleaning infected systems. It wouldn't hurt to run ESET's online scanner too as their detection engine is very good. After that maybe you should consider using something other than AVG as your antivirus if it let your system get that bad. ESET and Kaspersky are about the best paid options.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
watercooled
For such a badly infected machine I'd recommend reformatting really, but if that's not an option then I'd go with what kalniel said and use an AV recovery CD like that AVG one, or there are a few others listed in this post. Clean up what you can with that, which should hopefully make the system usable, then run Malwarebytes, which is usually very good for cleaning infected systems. It wouldn't hurt to run ESET's online scanner too as their detection engine is very good. After that maybe you should consider using something other than AVG as your antivirus if it let your system get that bad. ESET and Kaspersky are about the best paid options.
I tried installing Malwarebytes' Anti-Malware in XP. But the trojan is not even allowing me to do that. I'm going crazy! I installed it on Windows 7 and ran it, and it detected 31 infections on my XP partition. Even after cleaning them (from Win 7), XP is having the same problems.
Is the AVG boot CD the only option left now??
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
The boot CD may be your only option if you can't get the PC stable enough to work with - give it a try, it should help you..
I've had some success with MBAM without having to resort to rescue disks but it's mostly been with Vista machines. Some Trojans are actively aware of MBAM so another thing to try is renaming the executable to something completely different before installing like 1234.exe - sounds stupid, I know, but it's worked on a couple of machines I had to disinfect in the past...
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Wouldn't it be easier to just recover everything from the drive and install a fresh copy of XP?
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Download a copy of HijackThis (http://free.antivirus.com/hijackthis/)
Run it, and click "Scan and save a log file" or something along those lines.
When the scan has finished and Notepad pops up with the logfile, copy its contents and post it here - I'll analyse it for you and then we can move from there.
A format is a pretty hefty decision, and rushing it due to malware can often lead to mistakes.
Running Malwarebytes Anti-Malware is also a good idea (as suggested): try just installing normally in Windows and scanning, see if it detects anything. If it does, attempt to remove it; if it doesn't remove it successfully, repeat the scan in safe mode (tap F8 on booting the system) and post the contents of any log files that Malwarebytes Anti-Malware produces.
99.99% of malware can successfully and effectively be removed from a computer.
EDIT - seeing as you are unable to get into Windows without it hanging, try all the above steps straight from safe mode. The HijackThis log is the vital part in me being able to help you.
Also does AVG offer any name for the infection? Knowing what classification of malware it is will greatly help in its removal.
Also check the directories -
C:\Documents and Settings\Administrator\Local Settings\Temp\umdmgr.ini
C:\WINDOWS\system32\umdmgr.exe
C:\sand-box\13a04f20a93c84b6bd1f3b77e3ef68e4.exe
Do these directories contain the above files? If so you can attempt to delete these from outside the XP partition (ie, in Windows 7). I expect it will have some registry keys associated with it for startup runtime. I'm not sure if you can browse and edit the registry from outside of the partition as of yet, but pending your reply I will look into it.
Feel free to PM me too as I'm working on two separate machines at the moment.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Have you tried going into safe mode, installing malwarebytes there and then running it?
Or, take out hard drive and connect to another PC and scan it that way?
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
CrazyMonkey
Download a copy of HijackThis (http://free.antivirus.com/hijackthis/)
Run it, and click "Scan and save a log file" or something along those lines.
When the scan has finished and Notepad pops up with the logfile, copy its contents and post it here - I'll analyse it for you and then we can move from there.
A format is a pretty hefty decision, and rushing it due to malware can often lead to mistakes.
Running Malwarebytes Anti-Malware is also a good idea (as suggested): try just installing normally in Windows and scanning, see if it detects anything. If it does, attempt to remove it; if it doesn't remove it successfully, repeat the scan in safe mode (tap F8 on booting the system) and post the contents of any log files that Malwarebytes Anti-Malware produces.
99.99% of malware can successfully and effectively be removed from a computer.
EDIT - seeing as you are unable to get into Windows without it hanging, try all the above steps straight from safe mode. The HijackThis log is the vital part in me being able to help you.
Also does AVG offer any name for the infection? Knowing what classification of malware it is will greatly help in its removal.
Also check the directories -
C:\Documents and Settings\Administrator\Local Settings\Temp\umdmgr.ini
C:\WINDOWS\system32\umdmgr.exe
C:\sand-box\13a04f20a93c84b6bd1f3b77e3ef68e4.exe
Do these directories contain the above files? If so you can attempt to delete these from outside the XP partition (ie, in Windows 7). I expect it will have some registry keys associated with it for startup runtime. I'm not sure if you can browse and edit the registry from outside of the partition as of yet, but pending your reply I will look into it.
Feel free to PM me too as I'm working on two separate machines at the moment.
First of all, thanks a lot!
Secondly, I cannot log in to XP Safe Mode (XP and Win 7 in dual boot.. Safe Mode option not coming for XP).
Do you want me to run HijackThis from Windows 7??
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Trojan Horse Crypt.txj
Virus Worm/Downadup
Virus Win32/Polipos
These are coming up on the Resident Shield Alert of AVG on Win 7.. All are in the 'D' partition (ie XP). AVG is unable to remove them or move them to the Vault.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Finally managed to run HijackThis from XP:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:59 AM, on 4/23/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\syre32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\nlssrv32.exe
J:\amitdb\bin\nmesrvc.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
J:\amitdb\bin\isqlplussvc.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
J:\amitdb\BIN\TNSLSNR.exe
C:\WINDOWS\system32\syre32.exe
J:\amitdb\jdk\bin\java.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
j:\amitdb\bin\ORACLE.EXE
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
J:\amitdb\bin\oradim.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\cmd.exe
J:\amitdb\perl\5.8.3\bin\MSWin32-x86-multi-thread\perl.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
J:\amitdb\jdk\bin\java.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\msvmcls64.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ping.exe
C:\WINDOWS\system32\msvmcls64.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Administrator\trpo.exe \s
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [MDS_Menu] "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso\MUITransfer\MUIStartMenu.exe" "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso" UpdateWithCreateOnce "Software\CyberLink\MediaShow Espresso\5.5"
O4 - HKLM\..\Run: [conime.exe] conime.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\system32\spoolsvc.exe
O4 - HKLM\..\Run: [Microsoft Driver Setup] C:\WINDOWS\cidrive32.exe
O4 - HKLM\..\Run: [oo] C:\WINDOWS\ndll.exe
O4 - HKLM\..\Run: [MS Virtual CLS] C:\WINDOWS\system32\msvmcls64.exe
O4 - HKLM\..\Run: [544] C:\WINDOWS\system32\umdmgr.exe
O4 - HKLM\..\Run: [syre32] C:\WINDOWS\system32\syre32.exe
O4 - HKLM\..\Run: [753] C:\WINDOWS\system32\umdmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [12CFG214-K641-12SF-N85P] C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\cidrive32.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1259424836671
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 4.2.2.2,202.54.1.63,202.54.1.64,172.16.0.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - F:\Program Files\AVG\AVG9\avgpp.dll (file missing)
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HDD & SSD access service - Unknown owner - C:\Program Files\Common Files\BinarySense\disksvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mysql - Unknown owner - F:\xampp\mysql\bin\mysqld.exe (file missing)
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: OracleDBConsoleamitdb - Oracle Corporation - J:\amitdb\bin\nmesrvc.exe
O23 - Service: OracleOraDb10g_home2iSQL*Plus - Oracle - J:\amitdb\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home2TNSListener - Unknown owner - J:\amitdb\BIN\TNSLSNR.exe
O23 - Service: OracleServiceAMITDB - Oracle Corporation - j:\amitdb\bin\ORACLE.EXE
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: PrTgressep - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
--
End of file - 12934 bytes
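Reading a HijackThis log by eye is how the helpers in this thread spotted the problem entries; the same checks can be scripted. What follows is an added example, not code from the thread or from HijackThis itself: it parses the log format shown above and flags the classes of entry the thread's fix list was built from (the syre32.exe process flood, a second program on the UserInit line, hosts-file overrides, Run values with numeric names, RECYCLER paths or no directory at all, services with no owner whose file is missing or whose svchost.exe sits outside system32, and name servers outside the private ranges). The sample log is a constructed excerpt of the first log in the thread with the run of duplicate process lines shortened; the thresholds and heuristics are the example's own assumptions, and a hit is something to verify, not a verdict (the public resolvers in the NameServer entry, for instance, may simply be the ISP's).

```python
"""Triage a HijackThis v2 log for the signs seen in this thread: a process
flood, a UserInit hijack, hosts overrides, odd autorun values, unexpected
name servers and services that do not look like installed software.
Heuristics only: every finding is something to check, not a verdict."""
import ipaddress
import re
from collections import Counter

# Constructed sample: lines trimmed from the first log in the thread, with the
# long run of duplicate syre32.exe process lines cut down to four.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\msvmcls64.exe
C:\WINDOWS\system32\ping.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Administrator\trpo.exe \s
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [conime.exe] conime.exe
O4 - HKLM\..\Run: [544] C:\WINDOWS\system32\umdmgr.exe
O4 - HKCU\..\Run: [12CFG214-K641-12SF-N85P] C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 4.2.2.2,202.54.1.63,202.54.1.64,172.16.0.1
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
"""

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(.+?): \[(.*?)\] (.*)$")
SVC_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
NS_RE = re.compile(r"NameServer = (.*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse(text):
    """Split the log into the running-process list and the lettered entries."""
    procs, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and PATH_RE.match(line):
            procs.append(line)
        else:
            in_procs = False
            if re.match(r"^[RFO]\d+ - ", line):
                entries.append(line)
    return procs, entries


def image_path(cmd):
    """First token of a Run value: the quoted path, or the text up to the first space."""
    m = re.match(r'^"([^"]+)"|^(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def triage(text, flood_threshold=3):
    """Return (kind, detail) findings; thresholds are this example's assumptions."""
    procs, entries = parse(text)
    findings = []
    for image, n in Counter(p.lower() for p in procs).items():
        if n >= flood_threshold:  # the thread's log carried ~200 copies of syre32.exe
            findings.append(("process-flood", f"{image} x{n}"))
    for e in entries:
        if e.startswith("F2 - REG:system.ini: UserInit="):
            parts = [p.strip() for p in e.split("UserInit=", 1)[1].split(",") if p.strip()]
            if len(parts) > 1:  # everything after userinit.exe is launched at each logon
                findings.append(("userinit-hijack", ", ".join(parts[1:])))
        elif e.startswith("O1 - Hosts:"):  # any O1 line is a local name override
            findings.append(("hosts-override", e.split(": ", 1)[1]))
        elif (m := RUN_RE.match(e)):
            hive, key, name, cmd = m.groups()
            path = image_path(cmd)
            reason = None
            if re.fullmatch(r"\d+", name):
                reason = "numeric value name"
            elif "\\recycler\\" in path.lower():
                reason = "runs from RECYCLER"
            elif "\\" not in path:
                reason = "bare file name, resolved through PATH"
            if reason:
                findings.append(("autorun", f"{hive}\\{key} [{name}] -> {path} ({reason})"))
        elif (m := SVC_RE.match(e)):
            name, owner, path = m.groups()
            low = path.lower()
            missing = "(file missing)" in low
            low = low.replace("(file missing)", "").strip()
            reasons = []
            if owner == "Unknown owner" and missing:
                reasons.append("unknown owner and file missing")
            if low.endswith("svchost.exe") and "\\system32\\" not in low:
                reasons.append("svchost.exe outside system32")  # the real one lives in system32
            if re.search(r"\\\d{6,}\\", low):
                reasons.append("numeric directory name")
            if reasons:
                findings.append(("service", f"{name} -> {path} ({'; '.join(reasons)})"))
        elif e.startswith("O17") and (m := NS_RE.search(e)):
            for ip in m.group(1).split(","):
                addr = ipaddress.ip_address(ip.strip())
                if not any(addr in net for net in PRIVATE_NETS):
                    findings.append(("dns-review", str(addr)))  # confirm against the ISP's resolvers
    return findings


def summarize(text):
    """Finding counts by class, e.g. {'process-flood': 1, 'autorun': 3, ...}."""
    return dict(Counter(kind for kind, _ in triage(text)))


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:16} {detail}")
```

Against a saved log, `triage(open(path).read())` gives the list to work through; the "dns-review" and "service" classes in particular need a human to decide, since a leftover service from an uninstalled program and a forged "Power Manager" pointing at a svchost.exe in the wrong directory both show up as unknown owner with a missing file.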
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
I've had two amazing infections lately.
The first one would not let certain programs open, i.e. MalwareBytes / Avira - I did manage to get MB to run, it finds the problem, but when you click Fix, it shuts down, very clever.
But it did let Spybot S&D run - and a few searches from MalwareBytes and it fixed it.
The second one blocked any .exe files from opening, and even if they were already running, and you tried to look at them, it would close it down (even Task Manager). I rebooted and before it started up stopped the process and that worked quite easily.
I'd recommend everything except a format, because there are ways round it; even if it takes you two hours, it's better than a format.
If you have access to the XP account - open up Run and type in msconfig - go to Startup and stop that process from booting up - the majority of the time that will give you some time to sort things out.
Spybot S&D has a feature where you can let it scan straight after boot, and that's the first thing your PC does on reboot; you won't even be able to get into Windows before the scan finishes.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
removal tools:
http://www.symantec.com/security_res...011316-0247-99
http://www.bitdefender.com/VIRUS-100...2.Polip.A.html
The viruses are mostly exploiting known and already fixed vulnerabilities. Your XP version (SP2) is really out of date and probably why you got these. When you get it back make sure to update it to SP3 and run Windows Update afterwards.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Sometimes a format is the only and probably best solution though
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
SammEl
If you have access to the XP account - open up Run and type in msconfig - go to Startup and stop that process from booting up - the majority of the time that will give you some time to sort things out.
I can log in to XP, but as soon as I do so, this Trojan/virus starts one process after another and within one minute my system freezes.
Quote:
Originally Posted by
SammEl
Spybot S&D has a feature where you can let it scan straight after boot, and that's the first thing your PC does on reboot; you won't even be able to get into Windows before the scan finishes.
At the moment, I cannot even open My Computer in XP. It freezes.
Please help me out guys. Formatting is the very last option I'd go for.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
Amitava83
Please help me out guys. Formatting is the very last option I'd go for.
What happened when you logged into windows 7 and ran those removal tools I linked to?
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
I haven't yet... I'm in the office right now.. The moment I get on my home PC, I'll run those....
Thanks
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
As well as others you have the infamous Conficker worm which, as kalniel said, is because your system is far from up-to-date with security patches. No antivirus is a substitute for keeping Windows up-to-date with Windows Update; whether you run it manually or leave it on auto is up to you, but it's very important you keep Windows patched! Conficker tries to protect itself by limiting the websites you can visit, i.e. it blocks Symantec, Kaspersky, McAfee and loads more. I think it also stops Windows Update from functioning, disables safe mode and does its best to stop AV running. Note also that Conficker spreads itself over networks and USB flash drives, so I'd recommend checking other PCs on your network as well as any flash drives for it (you could do that in a Linux LiveCD to be safe).
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
watercooled
As well as others you have the infamous Conficker worm which, as kalniel said, is because your system is far from up-to-date with security patches. No antivirus is a substitute for keeping Windows up-to-date with Windows Update; whether you run it manually or leave it on auto is up to you, but it's very important you keep Windows patched! Conficker tries to protect itself by limiting the websites you can visit, i.e. it blocks Symantec, Kaspersky, McAfee and loads more. I think it also stops Windows Update from functioning, disables safe mode and does its best to stop AV running. Note also that Conficker spreads itself over networks and USB flash drives, so I'd recommend checking other PCs on your network as well as any flash drives for it (you could do that in a Linux LiveCD to be safe).
Oh holy ****!!! Yes, all you say is true.. my XP Safe Mode is disabled, no AV is running.... no antispyware or antimalware is executing.. It's a standstill... Will the two links that kalniel kindly provided help me remove this thing if I run them from Windows 7???? That's the vital question....
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Yes, the first link I gave you is the anti-Conficker tool. Follow the instructions on that page carefully, especially the points about making sure your machine isn't on a network.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
After you deleted the files I mentioned, did they return after rebooting into XP?
How about trying to enter safe mode via msconfig? Start > Run > msconfig, boot.ini tab and select /SAFEBOOT. Restart and see if you have any success. If you do, run HijackThis and remove the below, then run MBAM.
Also post logs of any MBAM scans you may have performed (from Win7 or XP).
If you can get HijackThis to run again - select all these for removal (check them and click Fix):
Code:
C:\WINDOWS\system32\syre32.exe (all entries of this one, and anything with the same filename)
C:\WINDOWS\system32\msvmcls64.exe (all entries of this one, and anything with the same filename)
C:\WINDOWS\system32\cmd.exe (all entries of this one, and anything with the same filename)
C:\WINDOWS\system32\ping.exe (all entries of this one, and anything with the same filename)
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O4 - HKLM\..\Run: [conime.exe] conime.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\system32\spoolsvc.exe
O4 - HKLM\..\Run: [Microsoft Driver Setup] C:\WINDOWS\cidrive32.exe
O4 - HKLM\..\Run: [oo] C:\WINDOWS\ndll.exe
O4 - HKLM\..\Run: [MS Virtual CLS] C:\WINDOWS\system32\msvmcls64.exe
O4 - HKLM\..\Run: [544] C:\WINDOWS\system32\umdmgr.exe
O4 - HKLM\..\Run: [syre32] C:\WINDOWS\system32\syre32.exe
O4 - HKLM\..\Run: [753] C:\WINDOWS\system32\umdmgr.exe
O4 - HKCU\..\Run: [12CFG214-K641-12SF-N85P] C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\cidrive32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 4.2.2.2,202.54.1.63,202.54.1.64,172.16.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - F:\Program Files\AVG\AVG9\avgpp.dll (file missing)
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
O23 - Service: mysql - Unknown owner - F:\xampp\mysql\bin\mysqld.exe (file missing)
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
You also seem to have entries for both Norton and AVG products; I'd advise against having more than one active.
Also try running SilentRunners from http://www.silentrunners.org/ and post the results of the log file.
Another method could be installing Process Explorer and then freezing the processes -
C:\WINDOWS\system32\syre32.exe
C:\WINDOWS\system32\msvmcls64.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ping.exe
which will then allow you to attempt to remove their startup registry keys and any associated DLLs, but first try the above.
Quote:
Originally Posted by
kalniel
Please note that simply running this tool will not remove the infection, it will restart itself on next reboot. However if your antivirus programs detect the Win32.Polip virus but fails to remove it, scan with the above tool then scan with your antivirus solution. Hopefully this will remove the actual files (not just simply terminate it from memory.)
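HijackThis can only apply the fix list above once XP stays up long enough to run it; the file-backed half of that list can be dealt with from the Windows 7 side first, with the XP volume mounted as an ordinary drive. The following is an added example and not the thread's or any tool's own code: it quarantines the executables named in the list (moved, hashed and recorded rather than deleted, so a sample survives for the AV vendor and a false positive can be put back) and strips the two hosts-file overrides. It assumes the XP volume is passed in as a path (the `D:` drive in the thread's layout) with the directory names cased as written; the fixture it runs on here is constructed for the demo. Run values and the O17 NameServer entry live in the offline SOFTWARE and SYSTEM hives and are not touched.

```python
"""Clean the file-backed items from the fix list against an XP volume mounted
from another OS: quarantine the listed executables instead of deleting them and
strip the hosts-file overrides.  Registry values are not handled here."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

HOSTS_REL = Path("WINDOWS/system32/drivers/etc/hosts")
# The file-backed entries from the thread's fix list, relative to the XP volume root.
SUSPECT_FILES = [
    "WINDOWS/system32/syre32.exe",
    "WINDOWS/system32/msvmcls64.exe",
    "WINDOWS/system32/umdmgr.exe",
    "WINDOWS/system32/spoolsvc.exe",
    "WINDOWS/cidrive32.exe",
    "WINDOWS/ndll.exe",
    "RECYCLER/S-1-5-21-0243936033-3052116371-381863308-1811/vsbntlo.exe",
    "Documents and Settings/Administrator/trpo.exe",
]
HIJACKED_HOSTS = {"auto.search.msn.com", "auto.search.msn.es"}


def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(volume, qdir, rel_paths):
    """Move each suspect file that exists into qdir under a hash-prefixed name
    and record where it came from.  Nothing is deleted."""
    qdir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for rel in rel_paths:
        src = volume / rel
        if not src.is_file():
            continue
        digest = sha256(src)
        dest = qdir / f"{digest[:16]}_{src.name}.quarantined"
        shutil.move(str(src), str(dest))
        manifest.append({"original": str(src), "quarantined": str(dest), "sha256": digest})
    (qdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def clean_hosts(volume, hijacked):
    """Drop hosts lines that map any hijacked name; keep every other byte
    (line endings included) and leave a hosts.bak copy next to the file."""
    hosts = volume / HOSTS_REL
    raw = hosts.read_bytes().decode("latin-1")
    kept, removed = [], []
    for line in raw.splitlines(keepends=True):
        fields = line.split("#", 1)[0].split()  # ignore comments; fields = ip, name, ...
        if len(fields) >= 2 and any(n.lower() in hijacked for n in fields[1:]):
            removed.append(line.rstrip("\r\n"))
        else:
            kept.append(line)
    if removed:
        shutil.copy2(hosts, hosts.with_name("hosts.bak"))
        hosts.write_bytes("".join(kept).encode("latin-1"))
    return removed


def build_fixture(root):
    """Constructed stand-in for the XP volume: three of the suspect files and a
    hosts file carrying the two overrides from the log."""
    for rel, body in [
        ("WINDOWS/system32/syre32.exe", b"MZ-syre32"),
        ("WINDOWS/system32/umdmgr.exe", b"MZ-umdmgr"),
        ("RECYCLER/S-1-5-21-0243936033-3052116371-381863308-1811/vsbntlo.exe", b"MZ-vsbntlo"),
    ]:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
    hosts = root / HOSTS_REL
    hosts.parent.mkdir(parents=True, exist_ok=True)
    hosts.write_bytes(
        b"# Copyright (c) 1993-1999 Microsoft Corp.\r\n"
        b"127.0.0.1       localhost\r\n"
        b"66.98.148.65 auto.search.msn.com\r\n"
        b"66.98.148.65 auto.search.msn.es\r\n"
    )
    return root


def demo():
    """Run both steps against the fixture and return what changed."""
    volume = build_fixture(Path(tempfile.mkdtemp()) / "xp")
    manifest = quarantine(volume, volume.parent / "quarantine", SUSPECT_FILES)
    removed = clean_hosts(volume, HIJACKED_HOSTS)
    remaining = (volume / HOSTS_REL).read_bytes().decode("latin-1")
    left_behind = [rel for rel in SUSPECT_FILES if (volume / rel).exists()]
    return manifest, removed, remaining, left_behind


if __name__ == "__main__":
    manifest, removed, remaining, left_behind = demo()
    print(json.dumps(manifest, indent=2))
    print("removed hosts lines:", removed)
    print("hosts now:\n" + remaining)
```

For the real volume, call `quarantine()` and `clean_hosts()` with `Path("D:/")` (or wherever the XP partition is mounted) instead of the fixture, from an elevated prompt so system32 is writable. The hosts step is worth doing even after a HijackThis fix: the second log later in this thread still lists both O1 entries.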
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
kalniel
Yes, the first link I gave you is the anti-conflicker tool. Follow the instructions on that page carefully, especially the points about making sure your machine isn't on a network.
Hi ,
I ran the tool from Win7. After scanning completely, it gave a message saying that the virus has not been found!
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
I think the removal tool might look for it in memory, not on the HDD, and as 7 isn't infected (correct?) it won't detect it. I think you'd need to run it from the infected OS for it to work.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
watercooled
I think the removal tool might look for it in memory, not on the HDD, and as 7 isn't infected (correct?) it won't detect it. I think you'd need to run it from the infected OS for it to work.
Hello friends,
First of all, huge thanks to all of you for helping me out on this.. I ran the Symantec removal tool from XP. It detected nothing. Then I ran Malwarebytes Anti-Malware. It detected 15 infections which were subsequently quarantined.
Finally I ran HijackThis and removed the entries which CrazyMonkey asked me to remove.
Now XP seems stable enough.
This is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:51 PM, on 4/23/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nlssrv32.exe
J:\amitdb\bin\isqlplussvc.exe
C:\WINDOWS\Explorer.EXE
J:\amitdb\BIN\TNSLSNR.exe
J:\amitdb\jdk\bin\java.exe
j:\amitdb\bin\ORACLE.EXE
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [MDS_Menu] "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso\MUITransfer\MUIStartMenu.exe" "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso" UpdateWithCreateOnce "Software\CyberLink\MediaShow Espresso\5.5"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1259424836671
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 4.2.2.2,202.54.1.63,202.54.1.64,172.16.0.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HDD & SSD access service - Unknown owner - C:\Program Files\Common Files\BinarySense\disksvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: mysql - Unknown owner - F:\xampp\mysql\bin\mysqld.exe (file missing)
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: OracleDBConsoleamitdb - Oracle Corporation - J:\amitdb\bin\nmesrvc.exe
O23 - Service: OracleOraDb10g_home2iSQL*Plus - Oracle - J:\amitdb\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home2TNSListener - Unknown owner - J:\amitdb\BIN\TNSLSNR.exe
O23 - Service: OracleServiceAMITDB - Oracle Corporation - j:\amitdb\bin\ORACLE.EXE
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: PrTgressep - Unknown owner - C:\WINDOWS\system32\srvany.exe
--
End of file - 6774 bytes
-----------------------------
And this is MBAM Log after First Run:
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
4/23/2010 10:00:49 PM
mbam-log-2010-04-23 (22-00-49).txt
Scan type: Full Scan (C:\|)
Objects scanned: 169399
Time elapsed: 14 minute(s), 41 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 4
Memory Processes Infected:
C:\WINDOWS\system32\msvmcls64.exe (Net.Worm) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\passthru (Rootkit.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\microsoft driver setup (Worm.Palevo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\RECYCLER\S-1-5-21-7643446107-3389995720-031469612-9168\syscr.exe,explorer.exe,C:\RECYCLER\S-1-5-21-0738854091-9530544505-321780871-1690\wmfcgr.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Administrator\trpo.exe \s) Good: (Userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811 (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msvmcls64.exe (Net.Worm) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\ndisvvan.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\secupdat.dat (Backdoor.Bot) -> Quarantined and deleted successfully.
----------------------
MBAM Log after Second Run:
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
4/23/2010 10:19:31 PM
mbam-log-2010-04-23 (22-19-31).txt
Scan type: Full Scan (C:\|)
Objects scanned: 169196
Time elapsed: 13 minute(s), 50 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\msvmcls64.exe (Net.Worm) -> Quarantined and deleted successfully.
Is my system clean now??
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Try running Windows Update to get critical security patches and I'd recommend running this too, it may not be entirely necessary but like I said before it can't hurt.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
watercooled
Try running Windows Update to get critical security patches and I'd recommend running this too, it may not be entirely necessary but like I said before it can't hurt.
For some odd reason whatsoever, I'm not able to connect to the Internet now from Windows XP. I have a DSL cable connection and I log in through Firefox to my ISP. Firefox says Page Cannot Be Displayed. Could it be that this virus has corrupted some TCP/IP settings?
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
To check it's not a virus blocking DNS lookups try pinging an IP address on the Internet.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
If the OP would like someone to remote on for an IT bod to do some manual checks with the usual applications*, feel free to PM me and give a date & time - TeamViewer is my personal preference.
* my standard kit = gmer,procexp,procmon,autoruns,smsniff,rootrepeal,rootalyzer,tcpview,hijackthis,lspfix,everything,etc
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
watercooled
To check it's not a virus blocking DNS lookups try pinging an IP address on the Internet.
I pinged my DNS server on XP and it is showing "Destination Host Unreachable"!!!!
On Win 7 it's working fine....
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Does it say limited connectivity for the adapter in adapter settings in control panel? Try running network diagnostics - press F1 on desktop, click "Use Tools to view your computer information and diagnose problems", click network diagnostics then scan your system.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Try this. Note that it will completely reset your network adapter settings, but it is broken anyway...
start->run:
Code:
cmd /c netsh int ip reset c:\resetlog.txt && start notepad c:\resetlog.txt
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
I haven't been able to sort out the connectivity issue yet. But I'd like to personally thank each and every one of you for the truly wonderful guidance you've given me to remove this dangerous worm from my system. A format would have left me totally crippled.
You guys are truly great.
Thank you so much.
Regards
AD
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Yup, suggesting a format is pretty stupid, I've had the toughest ones throughout the years, including that .wmf one a few years back, it takes time and patience to remove, but it's possible.
Unless something totally corrupts the Registry beyond repair, then do a Windows repair.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
Amitava83
A format would have left me totally crippled.
You should take the opportunity now to back up all your data (not programs), and ensure you have all the serials, product keys, activation codes, etc. for your programs.
Then you should reinstall that OS, ideally formatting the partition it is on if it's not shared.
When you know a system has been compromised, it's very difficult to know it has been sufficiently "cleaned", and impossible to know that access control lists and user accounts have not been tampered with (leaving other backdoors to be later exploited, though not through infected executables).
Basic rule of thumb for systems that get compromised, or unstable after changes have been made - restore from a full backup if available, otherwise reinstall.
And after installing, use a non-admin user account ;)
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Hi friends, I'm unable to access the Internet, as I said before on this post. I have posted a detailed description of the problem on this thread http://forums.hexus.net/networking-b...ml#post1912134
Please help me out to solve this...
Regards
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Sorry I haven't replied, I was out last night.
You are not clean yet, there are still a few entries that need fixing in HijackThis. Run HijackThis again on the XP system, check the below entries and click fix.
Code:
C:\WINDOWS\system32\nlssrv32.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 4.2.2.2,202.54.1.63,202.54.1.64,172.16.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
Next navigate to the below and delete them (if found) (tell me if you cannot delete them)
Code:
C:\WINDOWS\system32\runsrv32.exe
C:\WINDOWS\system32\susp.exe
Then reboot.
Download http://majorgeeks.com/WinSock_XP_Fix_d4372.html and run it, (hopefully will fix your internet issues).
Reboot.
Run hijackthis again and post a fresh log.
You may also wish to run another MBAM scan (although everything found was removed successfully) and/or a scan with your resident virus scanner.
Also it seems you are getting help on chip.in; if someone else qualified is helping you please say so - I do not want my removal steps conflicting with theirs as this could spell trouble.
Feel free to PM me when you have replied as I will then be notified by email.
Cheers.
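As an added example (not code from the thread, nor from HijackThis or any other tool named in it), here is a small Python triage pass over HijackThis-style log lines that flags the entry classes CrazyMonkey picks out above: O1 hosts redirects to public addresses, O17 NameServer lists containing resolvers not on an operator-supplied trusted list, O18 handlers with no file, and O23 services with an unknown owner living in an all-numeric folder or carrying a system binary name outside system32. The sample log and the trusted-DNS set are constructed for the example from entries quoted in the thread.

```python
import ntpath
import re
from ipaddress import ip_address

# Constructed sample log for this example, assembled from the entry types the
# thread discusses (a benign localhost and Bonjour line are added for contrast).
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 4.2.2.2,202.54.1.63,202.54.1.64,172.16.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
NS_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
PROTO_RE = re.compile(r"^O18 - Protocol: (.+?) - \{[0-9A-Fa-f-]+\} - (.+)$")
SVC_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

# Windows binaries that belong only in system32; the same file name elsewhere
# (C:\WINDOWS\svchost.exe in this thread) is a classic masquerade.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}


def _is_local(ip):
    """True for loopback, unspecified (0.0.0.0 ad-block style) or private addresses."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified or addr.is_private


def triage_line(line, trusted_dns=frozenset()):
    """Return {"severity", "line", "reason"} for a suspicious entry, else None."""
    line = line.strip()

    m = HOSTS_RE.match(line)
    if m:
        ip, host = m.groups()
        if _is_local(ip):
            return None
        return {"severity": "high", "line": line,
                "reason": f"hosts file redirects {host} to public address {ip}"}

    m = NS_RE.match(line)
    if m:
        servers = [s.strip() for s in m.group(1).split(",") if s.strip()]
        unknown = [s for s in servers if not _is_local(s) and s not in trusted_dns]
        if not unknown:
            return None
        return {"severity": "medium", "line": line,
                "reason": "NameServer list has resolvers not on the trusted list: " + ", ".join(unknown)}

    m = PROTO_RE.match(line)
    if m and m.group(2) == "(no file)":
        return {"severity": "low", "line": line,
                "reason": f"orphaned protocol handler '{m.group(1)}' (no file)"}

    m = SVC_RE.match(line)
    if m:
        name, owner, path = m.groups()
        missing = path.endswith("(file missing)")
        path = path.replace("(file missing)", "").strip()
        reasons = []
        if (ntpath.basename(path).lower() in SYSTEM32_ONLY
                and ntpath.basename(ntpath.dirname(path)).lower() != "system32"):
            reasons.append("system binary name outside system32: " + path)
        if owner == "Unknown owner" and any(p.isdigit() for p in ntpath.dirname(path).split("\\")):
            reasons.append("unknown-owner service in an all-numeric folder: " + path)
        if reasons:
            suffix = " (binary already missing)" if missing else ""
            return {"severity": "high", "line": line, "reason": "; ".join(reasons) + suffix}
        if missing and owner == "Unknown owner":
            return {"severity": "low", "line": line,
                    "reason": f"orphaned service '{name}' whose binary is gone"}
    return None


def triage_log(text, trusted_dns=frozenset()):
    """Run triage_line over every line of a HijackThis log and collect the findings."""
    findings = []
    for raw in text.splitlines():
        finding = triage_line(raw, trusted_dns)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    # The two 202.54.x resolvers are treated as the ISP's for this constructed run.
    for f in triage_log(SAMPLE_LOG, trusted_dns={"202.54.1.63", "202.54.1.64"}):
        print(f"[{f['severity']}] {f['reason']}")
```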
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
CrazyMonkey
Sorry I haven't replied, I was out last night.
You are not clean yet, there are still a few entries that need fixing in HijackThis. Run HijackThis again on the XP system, check the below entries and click fix.
Code:
C:\WINDOWS\system32\nlssrv32.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 4.2.2.2,202.54.1.63,202.54.1.64,172.16.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
Next navigate to the below and delete them (if found) (tell me if you cannot delete them)
Code:
C:\WINDOWS\system32\runsrv32.exe
C:\WINDOWS\system32\susp.exe
Then reboot.
Download http://majorgeeks.com/WinSock_XP_Fix_d4372.html and run it, (hopefully will fix your internet issues).
Reboot.
Run hijackthis again and post a fresh log.
You may also wish to run another MBAM scan (although everything found was removed successfully) and/or a scan with your resident virus scanner.
Also it seems you are getting help on chip.in; if someone else qualified is helping you please say so - I do not want my removal steps conflicting with theirs as this could spell trouble.
Feel free to PM me when you have replied as I will then be notified by email.
Cheers.
Thanks a LOT.. I'll be carrying out all the steps and update ASAP
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
I'm following your steps only sir....
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
Amitava83
I'm following your steps only sir....
Oh. I don't mind you following other people's steps posted here because I can see what they are saying and build on what they have suggested.
Post back when you have completed all the steps.
Cheers.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
@ CrazyMonkey
My hat's off to you! You are nothing short of a bloody genius!!!
My Internet connection issue is resolved....!
This is my present situation:
1. I ran Hijack This:
However, the following entries could not be removed in spite of fixing them.. They are reappearing when I run Hijack This again:
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
This entry was not found in the Logfile:
17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 4.2.2.2,202.54.1.63,202.54.1.64,172.16.0.1
All the others have been fixed. However, I'll recheck this again.
2. Both of these two files
(C:\WINDOWS\system32\runsrv32.exe
C:\WINDOWS\system32\susp.exe) were not found.
However, I found syre32.exe in the same folder and impudently deleted it. I know I should have confirmed this before. Did I do something very wrong here??
3. The WinSock XP Fix worked fine and I'm writing this post on XP only! (Just a quick question: I installed Kaspersky Internet Security 2010 this morning and it's been running a scan forever which I am not able to stop. What is this???)
4. This is the latest Hijack This log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:27 PM, on 4/24/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nlssrv32.exe
J:\amitdb\bin\nmesrvc.exe
J:\amitdb\bin\isqlplussvc.exe
J:\amitdb\BIN\TNSLSNR.exe
J:\amitdb\jdk\bin\java.exe
j:\amitdb\bin\ORACLE.EXE
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\system32\cmd.exe
J:\amitdb\perl\5.8.3\bin\MSWin32-x86-multi-thread\perl.exe
J:\amitdb\jdk\bin\java.exe
C:\WINDOWS\system32\ping.exe
J:\amitdb\bin\emagent.exe
F:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [MDS_Menu] "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso\MUITransfer\MUIStartMenu.exe" "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso" UpdateWithCreateOnce "Software\CyberLink\MediaShow Espresso\5.5"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1259424836671
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPE R~1\KASPER~1\kloehk.dll
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HDD & SSD access service - Unknown owner - C:\Program Files\Common Files\BinarySense\disksvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mysql - Unknown owner - F:\xampp\mysql\bin\mysqld.exe (file missing)
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: OracleDBConsoleamitdb - Oracle Corporation - J:\amitdb\bin\nmesrvc.exe
O23 - Service: OracleOraDb10g_home2iSQL*Plus - Oracle - J:\amitdb\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home2TNSListener - Unknown owner - J:\amitdb\BIN\TNSLSNR.exe
O23 - Service: OracleServiceAMITDB - Oracle Corporation - j:\amitdb\bin\ORACLE.EXE
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: PrTgressep - Unknown owner - C:\WINDOWS\system32\srvany.exe
--
End of file - 7604 bytes
5. I'm yet to run an MBAM scan.. I'll run it now and post the logs...
PS: Sorry for the bold fonts in some places.... had to give them since it's a long post...
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
SammEl
Yup, suggesting a format is pretty stupid, I've had the toughest ones throughout the years, including that .wmf one a few years back, it takes time and patience to remove, but it's possible.
Unless something totally corrupts the Registry beyond repair, then do a Windows repair.
Without meaning to start an argument or anything, suggesting a reformat on a compromised system isn't stupid at all - you can't really be sure it's completely clean once malware has dug its heels in, like Paul Adams explains in the post following yours. I wouldn't trust a system that had been badly infected without wiping it TBH, and even if the malware was gone they usually cause all sorts of damage to the OS itself and it's usually just not worth the effort trying to sort it all out; it's far less painful and time consuming to simply reformat, which will sort it all out. Which is why backups are important...
Quote:
Originally Posted by
Amitava83
I haven't been able to sort out the connectivity issue yet. But I'd like to personally thank each and every one of you for the truly wonderful guidance you've given me to remove this dangerous worm from my system. A format would have left me totally crippled.
Did you run that network diagnostics tool I recommended? Where did it fail?
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
Amitava83
@ CrazyMonkey
My hat's off to you! You are nothing short of a bloody genius!!!
My Internet connection issue is resolved....!
This is my present situation:
1. I ran Hijack This:
However, the following entries could not be removed in spite of fixing them.. They are reappearing when I run Hijack This again:
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
OK, the svchost entry isn't too worrying as it's a service trying to load an exe that has been deleted (was malware).
Could you navigate to http://virusscan.jotti.org/en-GB and upload C:\Program Files\1239710008\Amitava1239710008L.exe for analysis please (if the file isn't too large).
Then post the results URL.
Quote:
Originally Posted by
Amitava83
This entry was not found in the Logfile:
17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 4.2.2.2,202.54.1.63,202.54.1.64,172.16.0.1
That's OK, this was lending itself to the problem of you not being able to gain Internet access; it's a good thing that it's no longer there.
Quote:
Originally Posted by
Amitava83
All the others have been fixed. However, I'll recheck this again.
2. Both of these two files
(C:\WINDOWS\system32\runsrv32.exe
C:\WINDOWS\system32\susp.exe) were not found.
That's OK, I thought they might not be, but it was worth checking.
Quote:
Originally Posted by
Amitava83
However, I found syre32.exe in the same folder and impudently deleted it. I know I should have confirmed this before. Did I do something very wrong here??
No, good thinking. I'd search your entire drive for 'syre32.exe' (via Windows search, ensuring hidden files and system files are checked in advanced search options), removing any it finds.
Quote:
Originally Posted by
Amitava83
3. The WinSock XP Fix worked fine and I'm writing this post on XP only! (Just a quick question: I installed Kaspersky Internet Security 2010 this morning and it's been running a scan forever which I am not able to stop. What is this???)
5. I'm yet to run an MBAM scan.. I'll run it now and post the logs...
PS: Sorry for the bold fonts in some places.... had to give them since it's a long post...
Good, that should have restored your Internet connectivity.
To answer that question, it's most likely performing a first-time scan. Is it still scanning, or has it hung/frozen? Also, on that note, has it found anything so far?
As for your HijackThis log, there are still a few entries that I am concerned with.
Code:
C:\WINDOWS\system32\nlssrv32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
Can you please upload C:\WINDOWS\system32\nlssrv32.exe to virusscan.jotti.org as you did before (and post the results URL).
Try checking the below in HijackThis and clicking 'fix' as before. Leave the other entries until Jotti has analysed them.
Code:
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
Reboot, repost a HijackThis log and the Jotti results URLs.
Also, do you run NetWare?? If not we can remove the O10 entry, which will need to be done via another program.
Quote:
Originally Posted by
watercooled
Did you run that network diagnostics tool I recommended? Where did it fail?
I believe his internet connectivity issues are fixed now? The winsock api was corrupt afaik.
Cheers.
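The kind of triage CrazyMonkey is doing by eye above, as an added example that is not from this thread or from HijackThis itself: a small Python script that pulls the O10, O17 and O23 lines out of a HijackThis log and lists the reasons each one deserves a second look (unknown publisher, orphaned service, a core Windows binary name outside system32, a bare-number service name, a public DNS server set on the interface). The sample log text is constructed from the entries quoted in this thread plus one known-good service for contrast.

```python
import re
from ipaddress import ip_address

# Names of core Windows binaries that malware likes to borrow. The genuine
# copies live in %SystemRoot%\system32, so the same name elsewhere is suspect.
CORE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
              "services.exe", "smss.exe"}

# Patterns for the three HijackThis line types this triage looks at. A display
# name containing " - " would confuse the O23 pattern; none in this log do.
O10_RE = re.compile(r"^O10 - (?P<text>.+?):\s*(?P<path>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")


def split_win_path(path):
    """Split a Windows path into (directory, filename), both lower-cased."""
    p = path.strip().strip('"').lower()
    directory, _, filename = p.rpartition("\\")
    return directory, filename


def triage_service(m):
    """Reasons an O23 service entry deserves a closer look (may be empty)."""
    reasons = []
    directory, filename = split_win_path(m["path"])
    if m["owner"].lower() == "unknown owner":
        reasons.append("no publisher recorded for the service binary")
    if m["missing"]:
        reasons.append("service still registered but its binary is gone")
    if filename in CORE_NAMES and not directory.endswith("\\system32"):
        reasons.append(f"{filename} outside system32 (impersonation pattern)")
    short_name = m["display"].split(" (")[0]
    if short_name.isdigit():
        reasons.append("service name is a bare number")
    return reasons


def triage_nameservers(m):
    """Flag DNS servers set on the interface that are not on a private range."""
    reasons = []
    for server in m["servers"].split(","):
        server = server.strip()
        try:
            ip = ip_address(server)
        except ValueError:
            reasons.append(f"{server!r} is not a valid IP address")
            continue
        if not ip.is_private:
            reasons.append(f"{server} is a public resolver; confirm it is "
                           "the one your ISP assigns")
    return reasons


def triage(log_text):
    """Return [(line_type, subject, reasons)] for entries worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := O23_RE.match(line):
            reasons = triage_service(m)
            if reasons:
                findings.append(("O23", m["display"], reasons))
        elif m := O17_RE.match(line):
            reasons = triage_nameservers(m)
            if reasons:
                findings.append(("O17", m["key"], reasons))
        elif m := O10_RE.match(line):
            # HijackThis itself could not identify this LSP; find the owner
            # before removing it, since a broken LSP chain kills networking.
            findings.append(("O10", m["path"],
                             ["Winsock LSP not recognised; confirm which "
                              "installed product owns it before removing"]))
    return findings


# Constructed sample in the shape HijackThis writes, using entries from the
# log discussed in this thread plus one known-good service for contrast.
SAMPLE_LOG = r"""
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
"""

if __name__ == "__main__":
    for line_type, subject, reasons in triage(SAMPLE_LOG):
        print(f"{line_type}  {subject}")
        for reason in reasons:
            print(f"      - {reason}")
```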
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
watercooled
Without meaning to start an argument or anything, suggesting a reformat on a compromised system isn't stupid at all - you can't really be sure it's completely clean once malware has dug its heels in, like Paul Adams explains in the post following yours. I wouldn't trust a system that had been badly infected without wiping it TBH, and even if the malware was gone they usually cause all sorts of damage to the OS itself; it's usually just not worth the effort trying to sort it all out, and far less painful and time consuming to simply reformat, which will sort it all out. Which is why backups are important...
You know, if that was the case for all infections, Anti-Virus and Anti-Malware products wouldn't exist.
The worst infection I've had was on an old PC 5 years ago, and I had that for 3 or so years after the infection. I cleaned everything within 2 hours, and it was as good as new, if not better.
Like I said, if an infection has damaged the Registry then a reinstall IS NEEDED. I had a small desktop PC which did get damaged completely and I had to format it - I clearly stated that reinstalling is a must if that is the case in my original post. New software is pretty damn good at detections; even the free programs are better than Norton Anti Crapware.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
CrazyMonkey
I believe his internet connectivity issues are fixed now? The winsock api was corrupt afaik.
Oh right didn't see that bit. :)
Quote:
Originally Posted by
SammEl
You know, if that was the case for all infections, Anti-Virus and Anti-Malware products wouldn't exist.
Not strictly true. I believe the main purpose of AV today is as a shield against malware - to detect and block it before it executes and causes any damage. Once it's in there's no telling what sort of damage it can cause, and it's not uncommon for advanced malware to kill AV processes, like Conficker does. Another important role is that it lets you know when something's up; without it malware could be running in the background without you even knowing. And aside from that, how many average computer users would want to go through the process of taking the PC to PC World or something every time a bit of malware found its way onto their system?
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
@CrazyMonkey:
I'll perform each and every instruction of yours now and post the results ASAP.
In the meantime, two new complications on XP.
1. Ctrl-Alt-Del is not working. I cannot bring up my Task Manager.
2. When I tried to reinstall my SoundMAX audio driver, XP froze. When I rebooted, a ping showed 'Destination Host Unreachable' (incredible as it sounds, it happened)... and I had to rerun the WinSock XP program again to fix my Internet connection.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
Amitava83
@CrazyMonkey:
I'll perform each and every instruction of yours now and post the results ASAP.
In the meantime, two new complications on XP.
1. Ctrl-Alt-Del is not working. I cannot bring up my Task Manager.
2. When I tried to reinstall my SoundMAX audio driver, XP froze. When I rebooted, a ping showed 'Destination Host Unreachable' (incredible as it sounds, it happened)... and I had to rerun the WinSock XP program again to fix my Internet connection.
Ok, let's tackle the Ctrl-Alt-Del problem first - are you able to access Task Manager by Start > Run > taskmgr.exe?
Cheers.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
Amitava83
@CrazyMonkey:
I'll perform each and every instruction of yours now and post the results ASAP.
In the meantime, two new complications on XP.
1. Ctrl-Alt-Del is not working. I cannot bring up my Task Manager.
2. When I tried to reinstall my SoundMAX audio driver, XP froze. When I rebooted, a ping showed 'Destination Host Unreachable' (incredible as it sounds, it happened)... and I had to rerun the WinSock XP program again to fix my Internet connection.
What programs are installed on your XP?
Download the following programs and run them:
MalwareBytes
Spybot Search and Destroy
Avira Free Anti Virus
These three programs SHOULD fix most or all of the mess. If Task Manager is not opening then it's possibly something blocking you from opening it (the whole point of most infections).
Run Spybot and Malwarebytes together: clean with Spybot first, then Malwarebytes, and reboot.
Then load up Avira and do a full scan. If anything tries to open up during the scan, Avira will pick it up and ask you to Deny Access or Quarantine it - I'd do the latter.
Don't worry about any sound drivers yet, they are not important.
I'll be very surprised if doing the above doesn't get your PC working to how it was before.
Do that, and update us.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
watercooled
Not strictly true. I believe the main purpose of AV today is as a shield against malware - to detect and block it before it executes and causes any damage. Once it's in there's no telling what sort of damage it can cause, and it's not uncommon for advanced malware to kill AV processes, like Conficker does. Another important role is that it lets you know when something's up; without it malware could be running in the background without you even knowing. And aside from that, how many average computer users would want to go through the process of taking the PC to PC World or something every time a bit of malware found its way onto their system?
A mate of mine did that last week, because AVG picked up some trojan; he paid £90 for a reinstall.
You can format, but I don't, and won't, unless I know that I have an infection that's not going anywhere, or my PC has been totally screwed. I've had a few of the worst, and I've successfully got rid of them every single time, and not needed a reinstall once. I've never had any future problems, even with the .WMF virus.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
CrazyMonkey
Ok, let's tackle the Ctrl-Alt-Del problem first - are you able to access Task Manager by Start > Run > taskmgr.exe?
Cheers.
Hi pal,
No, I'm not able to access it by Start --> Run. Windows says it "cannot find taskmgr.exe. Make sure you typed the name correctly... blah blah blah..."
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
SammEl
What programs are installed on your XP?
Download the following programs and run them:
MalwareBytes
Spybot Search and Destroy
Avira Free Anti Virus
These three programs SHOULD fix most or all of the mess. If Task Manager is not opening then it's possibly something blocking you from opening it (the whole point of most infections).
Run Spybot and Malwarebytes together: clean with Spybot first, then Malwarebytes, and reboot.
Then load up Avira and do a full scan. If anything tries to open up during the scan, Avira will pick it up and ask you to Deny Access or Quarantine it - I'd do the latter.
Don't worry about any sound drivers yet, they are not important.
I'll be very surprised if doing the above doesn't get your PC working to how it was before.
Do that, and update us.
Hi SammEl,
I have the first two programs. I'll download Avira... and perform full scans with all three and update you.
PS: This is my third night without sleep..... :P
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Ok -
Open Notepad and paste this:
Code:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
Save the file as fix.reg (note the .reg extension, not .txt; you may have to select 'All Files' when saving from Notepad).
Double-click fix.reg and allow it to import into the registry.
Reboot, then try Task Manager now.
Also post the results of my steps in the last post when and if you have them.
Quote:
Originally Posted by
Amitava83
I have the first two programs. I'll download Avira... and perform full scans with all three and update you.
If you do choose to do all 3 scans, make sure you do them one after the other, not 2 'together' as has been suggested.
Cheers.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Malwarebytes should've brought back task manager. I've not heard of malware deleting the .exe for it before. Hmmmmm. If the exe is there then perhaps %path% is buggered.
Run this and paste the output, perhaps checking that it doesn't contain anything confidential beforehand - your username etc:
Code:
cmd /c set > c:\set.txt && start notepad c:\set.txt
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
CrazyMonkey
Ok, the svchost entry isn't too worrying as it's a service trying to load an exe that has been deleted (was malware).
Could you navigate to
http://virusscan.jotti.org/en-GB and upload C:\Program Files\1239710008\Amitava1239710008L.exe for analysis please (if the file isn't too large).
Then post the results URL.
here it is:
http://virusscan.jotti.org/en-GB/sca...1771e04d4d1c31
Quote:
Originally Posted by
CrazyMonkey
No, good thinking. I'd search your entire drive for 'syre32.exe' (via windows search, ensuring hidden files and system files are checked in advanced search options.) Removing any it finds.
syre32.exe not found in the entire system.
But I found the following suspicious files in C:\WINDOWS\system32\:
31.exe
57.exe
65.exe
73.exe
85.scr
alg.exe
arp.exe
Quote:
Originally Posted by
CrazyMonkey
Good, that should have restored your internet connectivity.
Unfortunately not... Every time I'm restarting XP, ping shows Destination Host Unreachable. And every time I've to run winsockxpfix.exe to fix this....
Quote:
Originally Posted by
CrazyMonkey
To answer that question, it's most likely performing a first-time scan. Is it still scanning, or has it hung/frozen? Also, on that note, has it found anything so far?
Kaspersky is still continuing its scan since morning, uninterrupted... No matter how many times I shut down XP, it continues its scan as before...
At the time of writing this post, it has scanned 75,100 files and detected three viruses and two riskware threats.
Quote:
Originally Posted by
CrazyMonkey
Can you please upload C:\WINDOWS\system32\nlssrv32.exe to virusscan.jotti.org as you did before (and post the results URL).
here it is:
http://virusscan.jotti.org/en-GB/sca...25e7f8bf204a54
Quote:
Originally Posted by
CrazyMonkey
Try checking the below in HijackThis and clicking 'fix' as before. Leave the other entries until Jotti has analysed them.
Code:
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
Reboot, repost a HijackThis log and the Jotti results URLs.
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing) ----- This entry is not getting fixed by HijackThis.
I rebooted, reran HijackThis and here is the latest log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:00 PM, on 4/24/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nlssrv32.exe
J:\amitdb\bin\nmesrvc.exe
J:\amitdb\bin\isqlplussvc.exe
J:\amitdb\BIN\TNSLSNR.exe
J:\amitdb\jdk\bin\java.exe
j:\amitdb\bin\ORACLE.EXE
C:\WINDOWS\system32\cmd.exe
J:\amitdb\perl\5.8.3\bin\MSWin32-x86-multi-thread\perl.exe
J:\amitdb\jdk\bin\java.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
J:\amitdb\bin\emagent.exe
F:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [MDS_Menu] "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso\MUITransfer\MUIStartMenu.exe" "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso" UpdateWithCreateOnce "Software\CyberLink\MediaShow Espresso\5.5"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1259424836671
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HDD & SSD access service - Unknown owner - C:\Program Files\Common Files\BinarySense\disksvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: mysql - Unknown owner - F:\xampp\mysql\bin\mysqld.exe (file missing)
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: OracleDBConsoleamitdb - Oracle Corporation - J:\amitdb\bin\nmesrvc.exe
O23 - Service: OracleOraDb10g_home2iSQL*Plus - Oracle - J:\amitdb\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home2TNSListener - Unknown owner - J:\amitdb\BIN\TNSLSNR.exe
O23 - Service: OracleServiceAMITDB - Oracle Corporation - j:\amitdb\bin\ORACLE.EXE
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: PrTgressep - Unknown owner - C:\WINDOWS\system32\srvany.exe
--
End of file - 7687 bytes
Quote:
Originally Posted by
CrazyMonkey
Also, do you run NetWare?? If not we can remove the O10 entry, which will need to be done via another program.
No, I do not run NetWare.
PS: Once again, I truly appreciate all the help you've been providing me so far.
Regards
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Ok thanks, I'm sure that took quite some time.
Are you able to manually delete the file - C:\Program Files\1239710008\Amitava1239710008L.exe ?
As for these files -
31.exe
57.exe
65.exe
73.exe
85.scr
alg.exe
arp.exe
I would upload these to Jotti and delete them pending the results of the analysis. However some of these may well be legit programs (I know alg.exe is a legit Windows file, however perhaps not in that directory).
Download LSPFix - http://www.cexx.org/lspfix.htm
Run it and check 'I know what I am doing...'
On the 'Keep' side, move nwprovau.dll to the 'Remove' side and click Finish.
Post a fresh HijackThis log after doing the above.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
CrazyMonkey
Ok thanks, I'm sure that took quite some time.
Are you able to manually delete the file - C:\Program Files\1239710008\Amitava1239710008L.exe ?
Yes I have manually deleted it.
Quote:
Originally Posted by
CrazyMonkey
As for these files -
31.exe
57.exe
65.exe
73.exe
85.scr
alg.exe
arp.exe
I would upload these to Jotti and delete them pending the results of the analysis. However some of these may well be legit programs (I know alg.exe is a legit Windows file, however perhaps not in that directory).
Ok I'm starting with this.
Quote:
Originally Posted by
CrazyMonkey
Download LSPFix - http://www.cexx.org/lspfix.htm
Run it and check 'I know what I am doing...'
On the 'Keep' side, move nwprovau.dll to the 'Remove' side and click Finish.
Post a fresh HijackThis log after doing the above.
I did exactly as you said and here is the latest HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:36 AM, on 4/25/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nlssrv32.exe
J:\amitdb\bin\nmesrvc.exe
J:\amitdb\bin\isqlplussvc.exe
J:\amitdb\BIN\TNSLSNR.exe
J:\amitdb\jdk\bin\java.exe
j:\amitdb\bin\ORACLE.EXE
C:\WINDOWS\system32\cmd.exe
J:\amitdb\perl\5.8.3\bin\MSWin32-x86-multi-thread\perl.exe
J:\amitdb\jdk\bin\java.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
J:\amitdb\bin\emagent.exe
F:\Program Files\Irfanview\i_view32.exe
F:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco...tp://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [MDS_Menu] "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso\MUITransfer\MUIStartMenu.exe" "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso" UpdateWithCreateOnce "Software\CyberLink\MediaShow Espresso\5.5"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu.../en/x86/client/wuweb_site.cab?1259424836671
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HDD & SSD access service - Unknown owner - C:\Program Files\Common Files\BinarySense\disksvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: mysql - Unknown owner - F:\xampp\mysql\bin\mysqld.exe (file missing)
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: OracleDBConsoleamitdb - Oracle Corporation - J:\amitdb\bin\nmesrvc.exe
O23 - Service: OracleOraDb10g_home2iSQL*Plus - Oracle - J:\amitdb\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home2TNSListener - Unknown owner - J:\amitdb\BIN\TNSLSNR.exe
O23 - Service: OracleServiceAMITDB - Oracle Corporation - j:\amitdb\bin\ORACLE.EXE
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: PrTgressep - Unknown owner - C:\WINDOWS\system32\srvany.exe
--
End of file - 7707 bytes
Thanks & regards
AD
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
smargh
Malwarebytes should've brought back task manager. I've not heard of malware deleting the .exe for it before. Hmmmmm. If the exe is there then perhaps %path% is buggered.
Run this and paste the output, perhaps checking that it doesn't contain anything confidential beforehand - your username etc:
Code:
cmd /c set > c:\set.txt && start notepad c:\set.txt
I did this and here is the output:
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
CLIENTNAME=Console
com.adobe.versioncue.client.applocale=en_US
com.adobe.versioncue.client.appname=AdobeDrive
com.adobe.versioncue.client.appversion=1.0.0
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=AMITAVA-46ACD47
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\AMITAVA-46ACD47
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=J:\amitdb\bin;J:\oracle\product\10.2.0\db_1\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\Syste m32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Autodesk Shared\;C:\Program Files\backburner 2\;F:\Program Files\ATI Technologies\ATI.ACE\Core-Static
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PERL5LIB=J:\amitdb\perl\5.8.3\lib\MSWin32-x86;J:\amitdb\perl\5.8.3\lib;J:\amitdb\perl\5.8.3\lib\MSWin32-x86;J:\amitdb\perl\site\5.8.3;J:\amitdb\perl\site\5.8.3\lib;J:\amitdb\sysman\admin\scripts;J:\oracle\product\10.2.0\db_1\perl\5.8.3\lib\MSWin32-x86;J:\oracle\product\10.2.0\db_1\perl\5.8.3\lib;J:\oracle\product\10.2.0\db_1\perl\5.8.3\lib\MSWin32-x86;J:\oracle\product\10.2.0\db_1\perl\site\5.8.3;J:\oracle\product\10.2.0\db_1\perl\site\5.8.3\lib;J:\oracle\product\10.2.0\db_1\sysman\admin\scripts;
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 23 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=1706
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=AMITAVA-46ACD47
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS
Thanks
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
CrazyMonkey
Ok -
Open Notepad and paste this:
Code:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
Save the file as fix.reg (note the .reg extension, not .txt; you may have to select 'All Files' when saving from Notepad).
Double-click fix.reg and allow it to import into the registry.
Reboot, then try Task Manager now.
I did as you said, but Task Manager is still not coming up...
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Ok thanks,
Navigate to C:\Windows\System32 - is taskmgr.exe present?
This may be why - C:\WINDOWS\Syste m32, the space? If you navigate to Control Panel, System, Environment, System/User Variables, are you able to remove the space in Syste m32?
Can you please repost a new HijackThis log (making sure it doesn't display funny when posting).
You can also try the steps manually:
1. Click Start
2. Click Run
3. Type REGEDIT
4. Click OK. The Registry Editor will now open.
5. Browse to the following key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system
6. In the right pane, look for the value: DisableTaskMgr
7. Right-click DisableTaskMgr and select Delete. (When prompted with "Are you sure you want to delete this value", select Yes.)
8. Now browse to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
9. In the right pane, look for the value: DisableTaskMgr
10. Right-click DisableTaskMgr and select Delete. (When prompted with "Are you sure you want to delete this value", select Yes.)
11. Close the Registry Editor by choosing File, Exit.
12. You should now be able to access Task Manager. If not, reboot into Safe Mode and repeat the steps outlined above.
Cheers.
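As an added illustration (not code from anyone in this thread), the script below audits a .reg export for the lockout policy values the steps above remove by hand, and for Image File Execution Options "Debugger" entries, which are the mechanism behind the Security.Hijack detection on conime.exe that MBAM reports later in the thread. It then writes a corrective .reg file. The sample export is constructed; the Debugger path in it is invented, modelled on the bogus C:\WINDOWS\svchost.exe service path in the posted log. On the affected machine the input would come from `reg export` of those keys (note that reg.exe writes UTF-16 text, so decode it before passing it in).

```python
"""Audit a Windows .reg export for policy values that lock the user out of
Task Manager / regedit and for Image File Execution Options (IFEO) "Debugger"
hijacks, then emit a corrective .reg file.

Added example for this thread, not code from any poster. The sample export
below is constructed; the Debugger path in it is invented.
"""
import re

# Policy values that malware sets to 1 to keep the user out of admin tools.
LOCKOUT_VALUES = {"DisableTaskMgr", "DisableRegistryTools", "DisableCMD"}
POLICY_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
)
# A "Debugger" value under IFEO\<exe> makes Windows launch that "debugger"
# instead of <exe>; malware uses it to neuter tools or to gain persistence.
IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options" + "\\")

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from REGEDIT5-format text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def lookup(keys, path):
    """Case-insensitive key lookup: registry paths are case-insensitive."""
    for key, values in keys.items():
        if key.lower() == path.lower():
            return key, values
    return path, {}


def dword(raw):
    """Decode 'dword:00000001' -> 1; None for non-DWORD data."""
    return int(raw[6:], 16) if raw.lower().startswith("dword:") else None


def find_lockouts(keys):
    """(key, value_name, data) for lockout policies set to a non-zero DWORD."""
    hits = []
    for path in POLICY_KEYS:
        key, values = lookup(keys, path)
        for name, raw in values.items():
            if name in LOCKOUT_VALUES and (dword(raw) or 0) != 0:
                hits.append((key, name, dword(raw)))
    return hits


def find_ifeo_debuggers(keys):
    """(key, exe, debugger_data) for every IFEO entry carrying a Debugger value."""
    hits = []
    for key, values in keys.items():
        if key.lower().startswith(IFEO_PREFIX.lower()) and "Debugger" in values:
            hits.append((key, key.rsplit("\\", 1)[1], values["Debugger"]))
    return hits


def build_fix(lockouts, ifeo_hits):
    """Corrective .reg text: zero the policy values, delete the Debugger values."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name, _ in lockouts:
        lines += [f"[{key}]", f'"{name}"=dword:00000000', ""]
    for key, _, _ in ifeo_hits:
        lines += [f"[{key}]", '"Debugger"=-', ""]  # "=-" deletes the value on import
    return "\n".join(lines)


# Constructed sample export (what `reg export` of those keys might look like).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe]
"Debugger"="C:\\WINDOWS\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000
"""

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_EXPORT)
    print(build_fix(find_lockouts(parsed), find_ifeo_debuggers(parsed)))
```

The fix file zeroes the policy values rather than deleting them, which is equivalent for Task Manager; the IFEO entries get their Debugger value removed with the `"Debugger"=-` syntax so that other values under the key (GlobalFlag and friends, used by legitimate debugging tools) are left alone. Import it with a double click as the post describes, or with `regedit /s fix.reg`.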
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
SammEl
What programs are installed on your XP?
Download these following programs and run them.
MalwareBytes
Spybot Search and Destroy
Avira Free Anti Virus
These three programs SHOULD fix most or all of the mess, if Task Manager is not opening then it's possibly something blocking you from opening it (the whole point of most infections).
Run Spybot and Malwarebytes together, clean Spybot first, then Malware, and reboot.
Then load up Avira and do a full scan. If anything tries to open up during the scan, Avira will pick it up and ask you to Deny Access or Quarantine it - I'd do the latter.
Don't worry about any sound drivers yet, they are not important.
I'll be very surprised if doing the above doesn't get your PC working to how it was before.
Do that, and update us.
Since I already have Kaspersky Internet Security 2010 installed, would it be a good thing to install Avira as well? Or should I uninstall Kaspersky first?
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
Amitava83
Since I already have Kaspersky Internet Security 2010 installed, would it be a good thing to install Avira as well? Or should I uninstall Kaspersky first?
Let Kaspersky complete its scan. Don't worry about installing Avira; you can do this after Kaspersky has completed its scan (however, remove Kaspersky).
I need a new complete HijackThis log before I can continue (your last one didn't post correctly).
Cheers.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
CrazyMonkey
Ok thanks,
Navigate to C:\Windows\System32. Is taskmgr.exe present?
This may be why - C:\WINDOWS\Syste m32, the space? If you navigate to Control Panel, System, Environment, System/User Variables, are you able to remove the space in "syste m32"?
Can you please repost a new HijackThis log (making sure it doesn't display funny when posting)?
You can also try the steps manually -
1. Click Start
2. Click Run
3. Type REGEDIT
4. Click OK. The Registry Editor will now open.
5. Browse to the following key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system
6. In the right pane, look for the value: DisableTaskMgr
7. Right click DisableTaskMgr and select Delete. (When prompted with "Are you sure you want to delete this value", select Yes.)
Done.
Quote:
Originally Posted by
CrazyMonkey
8. Now browse to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
9. In the right pane, look for the value: DisableTaskMgr
10. Right click DisableTaskMgr and select Delete. (When prompted with "Are you sure you want to delete this value", select Yes.)
Could not find DisableTaskMgr entry here.
Quote:
Originally Posted by
CrazyMonkey
11. Close the Registry by choosing File, Exit
12. You should now be able to access Task Manager. If not, reboot into Safe Mode and repeat the steps outlined above.
Cheers.
Still Task Manager is not coming up. Will try this in Safe Mode (don't know whether it's possible to log in to XP Safe Mode now; it wasn't possible till yesterday)...
Thanks
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
CrazyMonkey
Let kaspersky complete its scan. Dont worry about installing Avira, you can do this after kaspersky has completed its scan (however remove kaspersky.)
I need a new complete hijackthis log before i can continue (your last one didnt post correctly).
Cheers.
Sorry, don't know what had happened. Please find the HijackThis log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:04:01 AM, on 4/25/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nlssrv32.exe
J:\amitdb\bin\nmesrvc.exe
J:\amitdb\bin\isqlplussvc.exe
J:\amitdb\BIN\TNSLSNR.exe
J:\amitdb\jdk\bin\java.exe
j:\amitdb\bin\ORACLE.EXE
C:\WINDOWS\system32\cmd.exe
J:\amitdb\perl\5.8.3\bin\MSWin32-x86-multi-thread\perl.exe
J:\amitdb\jdk\bin\java.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
J:\amitdb\bin\emagent.exe
F:\Program Files\Irfanview\i_view32.exe
F:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [MDS_Menu] "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso\MUITransfer\MUIStartMenu.exe" "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso" UpdateWithCreateOnce "Software\CyberLink\MediaShow Espresso\5.5"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1259424836671
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HDD & SSD access service - Unknown owner - C:\Program Files\Common Files\BinarySense\disksvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: mysql - Unknown owner - F:\xampp\mysql\bin\mysqld.exe (file missing)
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: OracleDBConsoleamitdb - Oracle Corporation - J:\amitdb\bin\nmesrvc.exe
O23 - Service: OracleOraDb10g_home2iSQL*Plus - Oracle - J:\amitdb\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home2TNSListener - Unknown owner - J:\amitdb\BIN\TNSLSNR.exe
O23 - Service: OracleServiceAMITDB - Oracle Corporation - j:\amitdb\bin\ORACLE.EXE
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: PrTgressep - Unknown owner - C:\WINDOWS\system32\srvany.exe
--
End of file - 7772 bytes
Thanks
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Kaspersky obviously isn't working very well in this instance. Do manual scans from your Windows 7 installation. Uninstalling it wouldn't do any harm - you can put it back on when it's cleaned up.
Malwarebytes, Spybot & avira are decent programs, but it's not often that *everything* is found with them. You need to do manual checks with rootkit finders, autoruns to disable everything which isn't required, and a few other things to find "odd"-looking stuff.
This thread could go on for a few days yet, unless someone remotes on to the PC.
Combofix could potentially be the last resort - sometimes it can delete files it shouldn't, for example I've seen one person not be able to use AutoCAD after using Combofix.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
OK, in C:\Windows\System32, is taskmgr.exe present?
Go to Start > Run > cmd
Type the following, each followed by Enter -
Code:
sc stop ".1239710008"
sc delete ".1239710008"
sc stop "PowerManager"
sc delete "PowerManager"
Hopefully it will say SUCCESS after each.
Next select these in HijackThis and click Fix -
Code:
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: HDD & SSD access service - Unknown owner - C:\Program Files\Common Files\BinarySense\disksvc.exe (file missing)
O23 - Service: mysql - Unknown owner - F:\xampp\mysql\bin\mysqld.exe (file missing)
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
Reboot. Post a fresh copy of hijackthis.
Quote:
Originally Posted by
smargh
This thread could go on for a few days yet, unless someone remotes on to the PC.
Combofix could potentially be the last resort - sometimes it can delete files it shouldn't, for example I've seen one person not be able to use AutoCAD after using Combofix.
Trying ComboFix or SDFix would be a good idea. You can remote to his PC if you/he like, though I usually don't do this myself.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
CrazyMonkey
Ok is C:\Windows\System32 is taskmgr.exe present?
Oops, forgot to mention: no, taskmgr.exe is not present in C:\Windows\System32. Taskman.exe is present (don't know what that is).
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
Amitava83
Oops, forgot to mention: no, taskmgr.exe is not present in C:\Windows\System32. Taskman.exe is present (don't know what that is).
OK, also, do the name servers 172.16.0.1,202.54.1.63 mean anything to you? They seem to keep returning in the HijackThis log. Are you making sure to check
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
when running HijackThis? Or are these nameservers indeed legit?
Is C:\Windows\System32.Taskman.exe the correct path, or do you mean C:\Windows\System32\Taskman.exe?
Try uploading this file to jotti and post the results.
Are you able to find taskmgr.exe when running a search on the computer?
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
This is me if Amitava83 wants someone to go on to do a quicker cleanup: http://www.crossloop.com/smargh
I get far too fed up trying to guide people through checking these things - it's easier to just remote on and get it over with.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
CrazyMonkey
OK, also, do the name servers 172.16.0.1,202.54.1.63 mean anything to you? They seem to keep returning in the HijackThis log. Are you making sure to check
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
when running HijackThis? Or are these nameservers indeed legit?
Is C:\Windows\System32.Taskman.exe the correct path, or do you mean C:\Windows\System32\Taskman.exe?
Try uploading this file to jotti and post the results.
Are you able to find taskmgr.exe when running a search on the computer?
The first nameserver looks like a legit India ISP DNS server; the second is non-routable, though, but maybe it's only visible inside the ISP's network (or they're doing NAT). Is the OP using a router, or is the PC connected directly to the Internet?
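Two of the posts above lend themselves to a small triage script: CrazyMonkey's O23 clean-up (sc stop / sc delete of orphaned services, then fixing the entries in HijackThis) and the question of whether the O17 nameservers are legitimate. The script below is an added example, not part of the thread and not how HijackThis itself works. It parses the O23 and O17 lines, tags the service entries a responder would look at, classifies each nameserver as private (RFC 1918) or public using the standard library, and prints the sc commands for orphaned registrations. The sample lines are copied from the log posted above; the SYSTEM_BINARIES set and the tag names are my own choices.

```python
"""Triage the O23 (services) and O17 (DNS) lines of a HijackThis log.

Added example for this thread, not HijackThis's own logic. The sample lines
are copied from the log posted above; the suspicion heuristics are mine.
"""
import ipaddress
import ntpath
import re

# O23 - Service: <display> (<service name>) - <owner> - <path> [(file missing)]
_O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
_O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")

# Names of core Windows binaries; the real ones live only in %SystemRoot%\system32.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "csrss.exe", "smss.exe"}


def parse_o23(line):
    m = _O23_RE.match(line)
    if not m:
        return None
    return {
        "service": m.group("name") or m.group("display"),  # the name sc.exe expects
        "owner": m.group("owner"),
        "path": m.group("path"),
        "missing": m.group("missing") is not None,
    }


def classify_service(svc):
    """Tags explaining why a service entry deserves attention."""
    tags = []
    exe = ntpath.basename(svc["path"]).lower()
    folder = ntpath.dirname(svc["path"]).lower()
    if svc["missing"]:
        tags.append("orphan")           # binary gone: dead leftover or removed malware
    if svc["owner"] == "Unknown owner":
        tags.append("unknown-owner")    # no company/version info in the binary
    if exe in SYSTEM_BINARIES and not folder.endswith("\\system32"):
        tags.append("masquerade")       # system binary name outside system32
    if exe == "srvany.exe":
        tags.append("srvany-wrapper")   # real program is in Parameters\Application
    return tags


def parse_o17(line):
    m = _O17_RE.match(line)
    return [ip.strip() for ip in m.group("servers").split(",")] if m else []


def classify_dns(servers):
    """(ip, is_private): RFC 1918 = LAN router or ISP-internal resolver;
    a public address should be matched against the ISP's published resolvers."""
    return [(ip, ipaddress.ip_address(ip).is_private) for ip in servers]


def triage(log_text):
    services, dns = [], []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc:
            svc["tags"] = classify_service(svc)
            services.append(svc)
        elif line.startswith("O17 - "):
            dns.extend(classify_dns(parse_o17(line)))
    return {"services": services, "dns": dns}


def sc_commands(services):
    """cmd.exe lines that remove orphaned registrations, as the post above does by hand."""
    cmds = []
    for svc in services:
        if "orphan" in svc["tags"]:
            cmds += [f'sc stop "{svc["service"]}"', f'sc delete "{svc["service"]}"']
    return cmds


# Lines copied from the HijackThis log posted earlier in the thread.
SAMPLE_LOG = r"""O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe (file missing)
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: mysql - Unknown owner - F:\xampp\mysql\bin\mysqld.exe (file missing)
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: PrTgressep - Unknown owner - C:\WINDOWS\system32\srvany.exe
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for svc in result["services"]:
        print(svc["service"], svc["tags"])
    print(result["dns"])
    print("\n".join(sc_commands(result["services"])))
```

Two points the output makes concrete. The "PowerManager" entry points at C:\WINDOWS\svchost.exe: the genuine svchost.exe lives in system32, so a copy one directory up is a classic dropper name, and sc.exe needs the short service name in the parentheses (".1239710008", "PowerManager"), not the display name. An "orphan" tag only means the binary is gone, so the leftover XAMPP mysql registration lands in the same list as the malware entries; deleting it is harmless either way. On the DNS side, 172.16.0.1 sits in the private 172.16.0.0/12 range (typically the home router or modem relaying the ISP's resolvers), while 202.54.1.63 is a public address that should be checked against the ISP's published DNS servers. The "srvany-wrapper" tag flags PrTgressep: srvany.exe runs an arbitrary program as a service, so the thing to inspect is the Parameters\Application value under that service's registry key, which HijackThis does not show.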
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
smargh
This is me if Amitava83 wants someone to go on to do a quicker cleanup:
http://www.crossloop.com/smargh
I get far too fed up trying to guide people through checking these things - it's easier to just remote on and get it over with.
Can both you and CrazyMonkey come on remote with me, at your convenient time, and get this over with???
I'm a photographer by profession and all my Photoshop CS4 plugins, which I painstakingly acquired over the past couple of years, work ONLY on XP but not on Win7 Ultimate. I do not even have backups of all the other editing software I use regularly on XP.
Otherwise I wouldn't have hesitated a sec to reformat XP.
But as the situation is now, reformatting would mean I'd be out of work for quite some time, and I have a family to support.
Help me out guys, that's all I can say.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
I am available to remote tonight for the next hour or so. I presume TeamViewer would be easiest?
Update me on whether or not you want to take this route.
Would be easiest if you PM me your TeamViewer ID and password, if that's what you want to do.
Cheers.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
CrazyMonkey
OK, also, do the name servers 172.16.0.1,202.54.1.63 mean anything to you? They seem to keep returning in the HijackThis log. Are you making sure to check
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
when running HijackThis? Or are these nameservers indeed legit?
172.16.0.1--my Preferreed DNS Server
202.54.1.63--Alternate DNS Server
Quote:
Originally Posted by
CrazyMonkey
Is C:\Windows\System32.Taskman.exe the correct path, or do you mean C:\Windows\System32\Taskman.exe?
Its C:\WINDOWS\system32\Taskman.exe
Quote:
Originally Posted by
CrazyMonkey
Try uploading this file to jotti and post the results.
Here it is:
http://virusscan.jotti.org/en-GB/sca...040243d844f07c
And here is the latest Log from MBAM:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 3930
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
4/25/2010 1:54:58 AM
mbam-log-2010-04-25 (01-54-58).txt
Scan type: Full scan (C:\|)
Objects scanned: 153960
Time elapsed: 20 minute(s), 58 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe (Security.Hijack) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Quote:
Originally Posted by
CrazyMonkey
Are you able to find taskmgr.exe when running a search on the computer?
When I do a search for taskmgr.exe, Windows finds TASKMGR.EXE-118158DD.pf in C:\WINDOWS\Prefetch. In the D drive (for Win 7), it finds an actual taskmgr.exe.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
CrazyMonkey
I am available to remote tonight for the next hour or so. I presume teamviewer would be easiest?
Update me on whether or not you want to take this route.
Would be easiest if you PM me your teamviewer ID and password if thats is what you want to do.
Cheers.
Yes, that would be great. Just let me download and install TeamViewer.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
OK, do you want me to remote you or continue working on here? Your choice, I don't mind.
EDIT - OK, just PM me the details when you are ready, or we can discuss over MSN if you prefer?
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
CrazyMonkey
OK, do you want me to remote you or continue working on here? Your choice, I don't mind.
EDIT - OK, just PM me the details when you are ready, or we can discuss over MSN if you prefer?
Hello,
I have pinged you the TeamViewer details through private message... I'm ready for the session.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
My machine had crashed!!:(
I have replied to your PMs....Please check.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Your machine appears to have crashed again (due to TeamViewer and Kaspersky). The TeamViewer sessions are incredibly slow too... far too slow for me to do any real work on it. I can try again, but I'll soon have to be going - work tomorrow and I've got a paper to write :(
I'll leave you with some links - combofix http://www.bleepingcomputer.com/comb...o-use-combofix
sdfix http://www.bleepingcomputer.com/files/sdfix.php
Your HijackThis log is looking clean from the glimpse I got on the TeamViewer session; however, feel free to post another.
Also feel free to post the situation with the internet on reboot and the Task Manager issue. If taskmgr.exe is indeed missing and you do not have a Windows XP disc to restore it from, here is a copy of taskmgr.exe I just pulled off my XP machine.
http://rapidshare.com/files/379761843/taskmgr.zip
You could always put that file back in C:\Windows\system32 - bearing in mind that is from a SP3 machine. I assure you the file is clean and an original, however feel free to scan it on jotti.
I'll be online for another 30 mins should you wish to try teamviewer again.
Cheers.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
I've always found Teamviewer very slow when I've had to use it at work. Feel free to try me - I'll be online for another few hours. http://www.crossloop.com/smargh
Note that the first thing I'd do is uninstall Kaspersky and disable all things from autostart which aren't essential to get Windows running normally.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
smargh
I've always found Teamviewer very slow when I've had to use it at work. Feel free to try me - I'll be online for another few hours.
http://www.crossloop.com/smargh
Note that the first thing I'd do is uninstall Kaspersky and disable all things from autostart which aren't essential to get Windows running normally.
You might have to get him to uninstall Kaspersky before you TeamViewer - as soon as you touch it (whether it be in the system tray or the UI itself) it crashes TeamViewer.
If you continue tonight, good luck; there isn't much that needs doing, I don't think, bar resurrecting a few of the Windows problems. I've now got to continue writing my paper on malware mitigation techniques :)
Cheers.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
CrazyMonkey
You might have to get him to uninstall Kaspersky before you TeamViewer - as soon as you touch it (whether it be in the system tray or the UI itself) it crashes TeamViewer.
If you continue tonight, good luck; there isn't much that needs doing, I don't think, bar resurrecting a few of the Windows problems. I've now got to continue writing my paper on malware mitigation techniques :)
Cheers.
Hey guys, last night my system had crashed for the second time and it was almost 4:30 am, so I had to catch some sleep.
My Internet connectivity is getting corrupted (Destination Host Unreachable) every time I restart XP. I've had to run WinSock XP every time to get this fixed... :(
Please advise how you guys can connect to my system other than using TeamViewer (as it is so slow). Just tell me what to do and I'll do it.
More updates coming up.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
CrazyMonkey
Your machine appears to have crashed again (due to TeamViewer and Kaspersky). The TeamViewer sessions are incredibly slow too... far too slow for me to do any real work on it. I can try again, but I'll soon have to be going - work tomorrow and I've got a paper to write :(
I'll leave you with some links - combofix
http://www.bleepingcomputer.com/comb...o-use-combofix
I prefer that you guys execute ComboFix on my machine through remote login rather than myself... I'm not an expert and I've heard this tool is quite tricky.
Quote:
Originally Posted by
CrazyMonkey
Your HijackThis log is looking clean from the glimpse I got on the TeamViewer session; however, feel free to post another.
Here it is:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:35 AM, on 4/25/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nlssrv32.exe
J:\amitdb\bin\nmesrvc.exe
J:\amitdb\bin\isqlplussvc.exe
J:\amitdb\BIN\TNSLSNR.exe
J:\amitdb\jdk\bin\java.exe
j:\amitdb\bin\ORACLE.EXE
C:\WINDOWS\system32\cmd.exe
J:\amitdb\perl\5.8.3\bin\MSWin32-x86-multi-thread\perl.exe
J:\amitdb\jdk\bin\java.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
J:\amitdb\bin\emagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
F:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
F:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco...tp://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [MDS_Menu] "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso\MUITransfer\MUIStartMenu.exe" "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso" UpdateWithCreateOnce "Software\CyberLink\MediaShow Espresso\5.5"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu.../en/x86/client/wuweb_site.cab?1259424836671
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HDD & SSD access service - Unknown owner - C:\Program Files\Common Files\BinarySense\disksvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: mysql - Unknown owner - F:\xampp\mysql\bin\mysqld.exe (file missing)
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: OracleDBConsoleamitdb - Oracle Corporation - J:\amitdb\bin\nmesrvc.exe
O23 - Service: OracleOraDb10g_home2iSQL*Plus - Oracle - J:\amitdb\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home2TNSListener - Unknown owner - J:\amitdb\BIN\TNSLSNR.exe
O23 - Service: OracleServiceAMITDB - Oracle Corporation - j:\amitdb\bin\ORACLE.EXE
O23 - Service: PrTgressep - Unknown owner - C:\WINDOWS\system32\srvany.exe
--
End of file - 7548 bytes
Quote:
Originally Posted by
CrazyMonkey
Also feel free to post the situation with the internet on reboot and the task manager issue. If taskmgr.exe is indeed missing and you do not have a Windows XP disc to restore it from, here is a copy of taskmgr.exe I just pulled off my XP machine.
http://rapidshare.com/files/379761843/taskmgr.zip
Yes, I have restored Task Manager. Thanks a LOT friend. I took your file only.
However, the Internet problem (Destination Host Unreachable) is recurring. I've had to run WinSockXP to repair the settings every time I restart XP. :(
Also, Kaspersky is now at the 235458th file and it has detected 21 threats till now. I cannot simply stop the scan.
And as you saw yourself last night, the system is sluggish and freezes randomly.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
I really hate Kaspersky, it didn't work as well as Avira, and it slows down the PC.
If it's found 21 infections, let it run, and then clean it.
I forgot to mention this.
Disable your internet connection while scanning and removing malware - you don't need it enabled - and as the infection looks quite serious, you have no idea what an internet connection is doing.
After Kaspersky has finished, uninstall that piece of crap and install the free Avira Antivirus.
And why is everyone going against each other here? We are helping a guy solve a problem; if someone suggests something first, don't unsuggest it and make it more difficult for the guy.
Running two malware scans at the same time is fine, one might pick up another - and if both find the same infections, whichever one you fix it with first will solve it; the second one will simply think it's fixed it as it no longer exists.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
SammEl
And why is everyone going against each other here? We are helping a guy solve a problem, if someone suggests something first, don't unsuggest and make it more difficult for the guy.
? We're not - it ended up as a tag team kind of thing when he had to go to finish writing his thing.
Sometimes tactics change when dealing with annoying malware.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
@SammEl: I have PMed you my Hotmail ID. I'm currently logged in there. I have never used it, so please guide me as to how to allow you to remotely access my machine. And I may add that I have only a 256kbps Internet speed... :(
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Update.
Connected to his PC. Kaspersky is crippling it big time; I couldn't even select it, so I asked him to.
When he tried to uninstall it, his PC crashed as mentioned above; will sort this.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
OK guys, here is the latest update.
After a marathon 5 hour session with Sammy on TeamViewer, it looks as if my system is now finally rid of all evil things.
I have absolutely no words to say thanks to him.....!!!
One problem is still left though:
The Winsock XP fix is not working. That is, it works when I run it and reset it. But as soon as I restart XP and ping my DNS (172.16.0.1), I get "Destination Host Unreachable" and I cannot access the Internet.
It is somewhat similar to the problem here: http://www.techsupportforum.com/netw...-not-work.html
I'm not a techie guy, so please, guys, I look upon you to help me root out this last bit.
Thanks and Regards
AD
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Here is the latest HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:42 PM, on 4/25/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nlssrv32.exe
J:\amitdb\bin\nmesrvc.exe
J:\amitdb\bin\isqlplussvc.exe
J:\amitdb\BIN\TNSLSNR.exe
J:\amitdb\jdk\bin\java.exe
j:\amitdb\bin\ORACLE.EXE
C:\WINDOWS\system32\cmd.exe
J:\amitdb\perl\5.8.3\bin\MSWin32-x86-multi-thread\perl.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
J:\amitdb\jdk\bin\java.exe
J:\amitdb\bin\emagent.exe
F:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [MDS_Menu] "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso\MUITransfer\MUIStartMenu.exe" "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso" UpdateWithCreateOnce "Software\CyberLink\MediaShow Espresso\5.5"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1259424836671
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HDD & SSD access service - Unknown owner - C:\Program Files\Common Files\BinarySense\disksvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: mysql - Unknown owner - F:\xampp\mysql\bin\mysqld.exe (file missing)
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: OracleDBConsoleamitdb - Oracle Corporation - J:\amitdb\bin\nmesrvc.exe
O23 - Service: OracleOraDb10g_home2iSQL*Plus - Oracle - J:\amitdb\bin\isqlplussvc.exe
O23 - Service: OracleOraDb10g_home2TNSListener - Unknown owner - J:\amitdb\BIN\TNSLSNR.exe
O23 - Service: OracleServiceAMITDB - Oracle Corporation - j:\amitdb\bin\ORACLE.EXE
O23 - Service: PrTgressep - Unknown owner - C:\WINDOWS\system32\srvany.exe
--
End of file - 7358 bytes
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
O23 - Service: PrTgressep - Unknown owner - C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
In HijackThis, go to "Misc Tools" - it has an option to delete files after a reboot. Do it on those two files and see how it goes.
If SammEl already did these two (or similar) things before, then there's probably something else hidden in the background.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
What's wrong with the second one smargh?
EDIT
Was thinking, these are all old infections.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
smargh
In HijackThis, go to "Misc Tools" - it has an option to delete files after a reboot. Do it on those two files and see how it goes.
If SammEl already did these two (or similar) things before, then there's probably something else hidden in the background.
I'll be doing this today and update you guys.....
Thanks
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Hi guys,
My Internet problem is still not fixed. When I run Winsock XP and configure my LAN, it works fine... But the moment I restart XP, the settings somehow get corrupt and all I get is "Destination Host Unreachable" when I ping my DNS (172.16.0.1)... When I run WinSock XP, it gets fixed!!
Please help me out.
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Please fix entries
Code:
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O23 - Service: PrTgressep - Unknown owner - C:\WINDOWS\system32\srvany.exe
Then browse to C:\WINDOWS\system32\srvany.exe and delete that file.
C:\WINDOWS\system32\drivers\CDAC11BA.EXE appears to be associated with anti-piracy software; however, I'd run it through Jotti and remove it pending the results of the analysis.
Post a new HijackThis log when done. You're looking as clean as previously.
As for the Internet issue, I'm a little clueless at the moment. I have no idea why you have to rebuild your Winsock API on each restart; my only instinct is that something is corrupting it each time. But I'll dig deeper.
It may be beneficial to restart the computer (do not run WinsockFix), go to Start > Run > cmd, type ipconfig /all and copy the contents here.
After that, try
netsh int ip reset reset.log
netsh winsock reset catalog
Reboot and see if the changes continue to take effect.
Failing that, this link has some interesting information and steps: http://networking.nitecruzr.net/2005...-layer-in.html
I'd try running through the steps they outline.
Also remove all programs that you do not use, have no purpose or are simply junk. Try to get your installation as clean as possible and remove most things that are not essential; this also limits the number of items that could be interfering. Oh, and another note: be careful when downloading torrents and 'not quite legal' files, and be very cautious when running cracks/keygens; these are some of the best ways to spread malware. I'd advise employing something like Sandboxie to test such files before properly running them.
Quote:
Originally Posted by
SammEl
And why is everyone going against each other here? We are helping a guy solve a problem, if someone suggests something first, don't unsuggest and make it more difficult for the guy.
Running two malware scans at the same time is fine, one might pick up another - and if both find the same infections, whichever one you fix it with first will solve it; the second one will simply think it's fixed it as it no longer exists.
I believe this statement is a little exaggerated. I have had pretty much most of the input on this thread, and smargh's input has been valid, correct and appreciated, and at no point have I 'gone against him'.
As for your second assertion, if you can't understand why running two simultaneously is a bad idea, I do not think you should be helping others remove malware. There can be many complications from running multiple software at the same time, and the risk simply does not outweigh the time 'saved'.
I do not wish to enter into an argument; however, rest assured that I have extensive knowledge in this field that reaches far past home user infections. My field is malware: removing, analysing and creating it.
Cheers.
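The posts above pick entries out of the HijackThis log by hand: a service with an unknown owner, a binary that is no longer on disk, a srvany.exe wrapper, a Winsock LSP HijackThis cannot identify, and the NameServer line behind the DNS trouble. The script below is an added example (Python, written for this page; it is not code from the thread, from any poster, or from Trend Micro's HijackThis) that parses O2, O10, O17 and O23 lines and applies those same checks so a log can be skimmed before deciding what to fix. The sample lines are copied from the log posted in this thread; treating 172.16.0.1 as the only expected DNS server is an assumption taken from the poster's own ping test, and the Finding class and triage() function are names chosen here.

```python
"""Triage helper for HijackThis-style logs (added example, not code from the
thread or from Trend Micro). Flags the kinds of O2/O10/O17/O23 entries that
the helpers in the thread singled out so a log can be skimmed quickly."""
import re
from dataclasses import dataclass, field
from typing import FrozenSet, List

# Constructed sample: a handful of lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: PrTgressep - Unknown owner - C:\WINDOWS\system32\srvany.exe
"""

SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")

# Assumption for the demo: the poster pings 172.16.0.1 as "my DNS", so treat
# that as the only expected resolver; adjust to the real router/ISP settings.
EXPECTED_DNS = frozenset({"172.16.0.1"})


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    """Last path component, lower-cased, so 'C:\\X\\srvany.exe' -> 'srvany.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def triage(log_text: str, expected_dns: FrozenSet[str] = EXPECTED_DNS) -> List[Finding]:
    """Return one Finding per suspicious line; clean lines produce nothing."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons: List[str] = []

        m = SERVICE_RE.match(line)
        if m:
            path = m.group("path")
            if path.endswith("(file missing)"):
                reasons.append("service binary missing on disk (orphaned entry)")
                path = path[: -len("(file missing)")].strip()
            if m.group("owner") == "Unknown owner":
                reasons.append("service binary carries no publisher information")
            if _basename(path) == "srvany.exe":
                reasons.append("srvany.exe wrapper: runs whatever program the registry points it at")

        m = BHO_RE.match(line)
        if m and m.group("path") == "(no file)":
            reasons.append("BHO CLSID registered but its file is gone (leftover registration)")

        if LSP_RE.match(line):
            reasons.append("Winsock LSP that HijackThis cannot identify; verify before rebuilding the catalog")

        m = DNS_RE.match(line)
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            unexpected = [s for s in servers if s not in expected_dns]
            if unexpected:
                reasons.append("DNS server(s) not on the expected list: " + ", ".join(unexpected))

        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

On the sample above the script flags five of the seven lines and leaves the Avira service and the Windows Live BHO alone; the second DNS address is reported only because it is not on the expected list, which is a prompt to check it against the router or ISP configuration rather than a verdict that it is hostile.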
-
Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!
Quote:
Originally Posted by
crazymonkey
As for your second assertion, if you can't understand why running two simultaneously is a bad idea, I do not think you should be helping others remove malware. There can be many complications from running multiple software at the same time, and the risk simply does not outweigh the time 'saved'
:) :) :)