W32/Vundo.gen7 persistant

Did you purchase and knowingly install SpywareBot? Uninstall it now if it is in your Add/Remove programs list.

Also do the below while I work thru all of your logs in detail.

Uninstall CounterSpy since you did not attach a log from it anyway and it is only a trial and you have too many antispyware blockers installed.

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 9
Viewpoint Media Player (Remove Only) <-- should have been uninstalled in step 0 of the READ ME

Make sure you reboot after uninstalling the above!

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

 

Okay I just noticed that you are using VERY OLD versions of GetRunKey and ShowNew. You must always work from the current online copy of the READ ME. Please download the current version and use them to get new logs. Attach the logs. I need these before I can continue.

Also I hope you have your Windows XP boot CD because you are going to new it to remove your infection. The only way to remove part of what you have is by booting to the recovery console.

 

Okay let's just try something first to see if we can find an easier way to remove this.

Click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands in the command prompt window and ignore any message about any process jlgajlg or jlgajlg.dll not being found. If taskkill is not found please tell me. There are space inbetween the -r and the -s and the -h

taskkill jlgajlg
attrib -r -s -h C:\WINDOWS\system32\jlgajlg.dll
del C:\WINDOWS\system32\jlgajlg.dll
exit

The exit command will close the command prompt window.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Attach this log to your next reply

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now!

 

Okay I guess you do not have Windows XP Pro. Continue with the other steps and then we will probably have to resort to using your XP CD.

 

As I said in my previous message

This means all steps! Sorry if that was not clear.

 

It does not matter whether it is found or not. It is there. Yes it may be best to uninstall Norman since it really is not protecting you from or stopping any of this from infecting you. All it is doing is getting in the way of cleanup.

Why? Are you saying you have an XP Pro disk? It should be in the i386 folder and will be named TASKKILL.EX_

The underscore at the end means the file is compressed and needs to be expanded to become taskkill.exe. You would use a command like the below from a command prompt:

expand d:\i386\taskkill.ex_ c:\windows\system32\taskkill.exe

where d: should be replace by your CD ROM drive letter.

 

Just in case you don't have the taskkill.exe file or in case it does not work (and I would not bet on it), here is what you will need to do next.



Now read thru the below to familiarize yourself with it and print it so you can refer to it while offline since you will not be able to browser once starting the below.

1. Put the Windows XP CD into the CD ROM tray and close the tray. You may get a popup window asking about installing Windows XP. If you do, just close that window.
2. Then restart your computer
3. This should cause your computer to boot from the CD instead of the hard drive..(if not your you'll need to enter the BIOS and set the boot order so the CD ROM is first in the list.)
4. You should get a "Press any key to boot from CD" message! Press a key to do that otherwise it will by pass the CD boot.
5. After it boots up, you will see it load a bunch of files (be patient it can take a little while) and eventually you will see a menu where you can select the "Recovery Console" by pressing R It is normally the middle item in the list. Press R
6. You will see a list of possible Windows partitions with numbers next to them. Select your Windows Installation (which is C:\Windows) by typing the number next to it (which should be 1) and press enter.
7. It will ask you for the Administrator password is next (so make sure you know it). It you never gave it a password it is probably blank. If it is blank, just press enter. If you have set one then type it in and hit enter. It will tell you if you enter the wrong password.
8. When you enter the correct password you will get a prompt that looks like this: C:\WINDOWS>

Now from this command prompt window, here are some things I want you to do. Enter the below commands (the commands are in bold black) in the order given. I will add comments in purple.

cd system32\drivers <-- the prompt should change to C:\WINDOWS\SYSTEM32\DRIVERS>

del houdxrue.sys
del nvcw32mf.sys

If you get any error mesages while running the del command which should delete those two file then run the below two commands which will attempt to rename the files.

ren houdxrue.sys
ren nvcw32mf.sys


If the del and the ren do not work just type exit to leave the Recovery Console and boot into Windows and just come back here and tell me exactly what happened. Do not do any of the below!

If the above worked then continue with the below.

cd C:\WINDOWS\system32
del jlgajlg.dll
del ltgkoosz.dll
del wcmcpooj.dll
del jlgajlg.dll.bak
del ltgkoosz.dll.bak

exit <--- this will exit the Recovery Console and boot to Windows

After booting into Windows, run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {2BEDF8C4-7C34-426D-93AA-26BB65BA4715} - c:\windows\system32\jlgajlg.dll
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O20 - Winlogon Notify: rnulhpwn - C:\WINDOWS\SYSTEM32\jlgajlg.dll

Now exit HJT


Now attach the below new logs and tell me how the above steps went.

1. ShowNew
2. HJT

 

Looks like combofix along with the Recovery Console (I assume you ran that) fixed the main problem.

Did you forget to have HJT fix the below? Fix them now.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

Also you missed a few files to delete. Delete the below:
C:\WINDOWS\SYSTEM32\ltgkoosz.dll
C:\WINDOWS\SYSTEM32\wcmcpooj.dll
C:\WINDOWS\SYSTEM32\ltgkoosz.dll.bak

Then reboot and after reboot, run CCleaner

Then attach new logs from ShowNew and HJT.

How are things running now?

 

Okay that looks much better.

Delete the below files:
C:\Documents and Settings\Karen Croft\Local Settings\Application Data\2BEDF8C4-7C34-426D-93AA-26BB65BA4715.dat
C:\Documents and Settings\Karen Croft\Local Settings\Application Data\2BEDF8C4-7C34-426D-93AA-26BB65BA4715.ini
C:\Documents and Settings\Karen Croft\Local Settings\Application Data\2BEDF8C4-7C34-426D-93AA-26BB65BA4715.txt

Now reboot!

Do you still see the window you mentioned with junk in it?
Can you get a snapshot of it (probably not if you cannot boot until passing it)?
If it does still happen, does it happen when booting in safe mode?
Also does it happen if you login to a different user account in normal boot mode.
If you do see this Window, attach a new GetRunKey log along with a new ShowNew log.

Reinstall your Norman Software now too and let me know if it is complaining.

 

Not true! Including the Administrator account which can only be used in safe mode, I see an account for Daniel and also for Karen.


First let's fix another problem you have with a missing registry key.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now please download ProcessExplorer in preparation for later steps.

• Unzip it to its own folder somewhere you can locate it later

When that Window appears, leave it there and can you do the two things below?

1. Get a HijackThis log
2. Now run procexp.exe by double clicking on it.
   • Let's configure some options first:
     • Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked.
     • Now click on explorer.exe.
     • Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
   • Now click on File and then Save As. And save the process list.
   • Post it back here as an attachment.

If you can do the above while the window is present, then attach the two logs.

 

If this runs before Windows Even truly starts, it will be difficult to find what it is since we cannot peak into what's running until after Windows loads. I'm also not sure if it is malware or not. Let's try something.


Download Registry Search (see the link titled RegSearch Download Link )
Extract the files from Regsearch.zip into a folder.
Doubleclick regsearch.exe to start the program.
Copy & paste the following string bdjbxxft in the top area of the form and then click "Ok".
Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.


Then repeat the above for this string: dyzrmlrx

Also tell me if you know what the below folder is for. If not, what is in this folder?
C:\WINDOWS\SxsCaPendDel

Also you show two Tasks that are scheduled to run:
2007-03-28 10:07:42 C:\WINDOWS\tasks\McAfee Cleanup.job
2007-06-20 15:55:00 C:\WINDOWS\tasks\MP Scheduled Scan.job

The first makes not sense since you don't have McAfee. The second is related to Microsoft Windows Defender which I assume you setup to run at certain times. You should delete the McAfee task.

Scheduled scans are cretaed via the Windows Scheduled tasks facility. Go to Control Panel, Performance and Maintenance, Scheduled tasks.

In the menu at the top, choose Advanced, View hidden tasks

 

Please download and install Registrar Lite Make sure you select a Majorgeeks download link and not the Authors!

• Run Registrar Lite
• Copy & Paste the below registry key into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost

• In the right side window pane, you will see two instances of something titled netsvcs. The first should be a folder (notice the yellow folder icon). The second is the item we want which is a registry value. Double click on this second instance of netsvcs (it probably has an icon with a b in it ).
• This will bring up another window titled Data Editor. In this window in the bottom section of the forim which is titled Test: you will see a long list of words.
• Locate the word dyzrmlrx and highlight it using your mouse.
• Then hit backspace to delete the text
• Then hit backspace once more to delete the blank line created by the erase
• Then click the Apply button
• Then Okay your way out of this window and close Registrar Lite.
• Reboot your PC.

After reboot are you still getting this popup at startup? If so, this may not be malware.

Also re-run the RegSearch command looking for the dyzrmlrx string and attach a new log.

 

You're welcome.

Let's try something with MSconfig. Run MSconfig and select Diagnostic Startup then reboot and tell me if that window still appears. You can return to Normal Startup after you get this answered.

 

Based on what I read in the below link (which was never properly answered/addressed by Lavasoft), your problem may have been cause by Ad-Aware.

http://www.lavasoftsupport.com/index.php?showtopic=4841

Sounds exactly like your problem especially post # 3.

 

There can be many reasons for losing file associations. I was more concerned with the fact that that link at Lavasoft was talking about the early popup windows. At this point I will have to declare your system free for malware. This problem (whatever it is) is due to something that is loading very early in the boot stage. It could be due to the fact that something needed is even missing. You may be better off discussing this in the Software Forum or with Norman since it could still be Ad-Aware relalated.

If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you run Avenger, you can delete all files related to Avenger now.
7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
9. If you are running Windows XP or Windows ME, do the below:
   • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!