VUNDO now inqwire and other redirects

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Rob Beaux, Apr 27, 2005.

  1. Rob Beaux

    Rob Beaux Private E-2

    I have already performed the steps outlined in MajorGeeks' "first steps" article.

    My firewall and virus scan have detected "Virtual Bouncer", Vundo, and I am getting redirected back to other pages such as inqwire, redzip and upspiral. The nasty keeps putting internet shortcuts on my desktop and occasionally pops up pages for poker and music downloads. I have been fighting this for about 6 hours and could use some help.

    I am not certain what to do with the HijackThis log and could use some advice.
     
  2. SGC_Geek

    SGC_Geek Private First Class

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  4. Rob Beaux

    Rob Beaux Private E-2

    OK, the VUNDO tool you suggested did not find the trojan. However, I had run that tool before, had it not find it, and then had McAfee find it after reboot.

    Attached is my log from HijackThis. I followed the HijackThis instructions according to the sticky post. Just from a casual glance I can see that I have "Virtual Bouncer".

    Thanks for the help.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you know what these lines with the Upromise_RemindU stuff are for? I would bet it is not needed.
    O4 - HKLM\..\Run: [Upromise0] "C:\Program Files\Upromise_RemindU\Upromise0.exe"
    O8 - Extra context menu item: RemindU - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm
    O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm (file missing) (HKCU)
    O9 - Extra button: RemindU - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (file missing) (HKCU)

    You have a bunch of problems! This is going to take a few messages to work on. First answer my question above and then do the following:

    - Click Start > Run and type: cmd and then click OK! This brings up a command prompt window.
    - When the command prompt opens, type the below command and then hit the enter key:

    nail.exe /FullRemove

    Close the command prompt window and reboot your PC then continue with the below.

    Now download the following tool: L2MeFix Tool

    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    Get a new HijackThis log.
    Now come back here and post the l2mfix log and the new HJT log as attachments.

    Please DO NOT REBOOT after scanning for these logs!! Otherwise problems may mutate and spread. Wait for me to get back to you with the next steps.

     
  6. Rob Beaux

    Rob Beaux Private E-2

    The Upromise stuff is OK, but let's remove it. We don't use that service any more. I will do the next steps then post the logs.

    Yeah, I know it's going to take a while. Thanks for your help.
     
  7. Rob Beaux

    Rob Beaux Private E-2

    OK, here are the 2 new logs. The l2mfix did not run long. It had some sort of error that stated it was not a 16-bit program.
     

    Attached Files:

  8. Rob Beaux

    Rob Beaux Private E-2

    My computer froze then blue screened after I posted. Let me know if I should re-run the steps and post new logs.
     
  9. Rob Beaux

    Rob Beaux Private E-2

    bump...any more help?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Rob, Bumping will only make it take longer to get an answer. We work oldest threads first. Bumping makes your thread newer. Remember this is a free service. We don't live here or work here. Please just wait patiently and we will get to your place in the queue eventually.

    Print or save these instructions locally now because you will have to be disconnected with no browsers open in the next step.

    Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable.

    Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go bazonkers (now there's a great technical term!) for a bit, but just let it run. It should eventually spit out another log in Notepad. Please attach that log later when the remaining steps are completed.

    Again, don't run any other files in the L2MFix folder.

    Note: When you get an error message please provide the exact word for word message.
     
  11. Rob Beaux

    Rob Beaux Private E-2

    Sorry about that. I understand better why it took so long.

    Ran your steps as outlined with the cable pulled. Here is the log. Just to let you know I am still getting popups.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your last HijackThis log (in message # 7) still showed nail.exe. Did you do what I asked in message # 5:

    This has fixed the nail.exe problem every time I have used it.

    After doing that, post a new HJT log attachment.
     
  13. Rob Beaux

    Rob Beaux Private E-2

    Yes, I did do the nail remove step. Maybe the computer crash after the removal caused the problem.

    Oh, and by the way, something must have worked because my computer hasn't had any icons placed on the desktop, and except for 2 popups when typing my last message I haven't had a single one.

    Here is the new HJT log.
     
  14. Rob Beaux

    Rob Beaux Private E-2

    Disregard the previous HJT log; that was before Nail.exe removal was run for the second time. This is a HJT log from right after reboot. I am getting some popups.

    Is there a way to edit posts???
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We need to stop, disable and remove a few bad services. They show in your HijackThis log as:

    O23 - Service: jjlghhrnjwqfa - Unknown owner - C:\WINDOWS\System32\jwqfa\jjlghhrn.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
    O23 - Service: ymlugskkljaagy - Unknown owner - C:\WINDOWS\System32\ljaagy\ymlugskk.exe

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to System Startup Service or SvcProc ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above for the below two services:

    jjlghhrnjwqfa
    ymlugskkljaagy


    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    System Startup Service or use the short name if the long name does not work: SvcProc

    Now repeat the HijackThis step to delete the other NT services
    jjlghhrnjwqfa
    ymlugskkljaagy

    After doing the above move on to my next message.
     
    Last edited: Apr 29, 2005
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    For some reason the fix for nail is not working. I don't understand why. As I said before, it has worked every time thus far. Let's fix a bunch of other problems you have first and come back to it.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\psoft1.exe
    C:\WINDOWS\System32\usrv42a.exe
    C:\WINDOWS\System32\ljaagy\ymlugskk.exe


    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O1 - Hosts: 216.39.69.102 view.atdmt.com
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll
    O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
    O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
    O4 - HKLM\..\Run: [PSoft1] C:\WINDOWS\System32\psoft1.exe
    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
    O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
    O4 - HKLM\..\Run: [yojboe] c:\windows\system32\yojboe.exe
    O4 - HKLM\..\Run: [s77k3pT] esea2405.exe
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteker32.exe
    O4 - HKLM\..\Run: [jjlghhrn] C:\WINDOWS\System32\jwqfa\jjlghhrn.exe
    O4 - HKLM\..\Run: [disxdu] c:\windows\system32\ifkoyxk.exe
    O4 - HKLM\..\Run: [ymlugskk] C:\WINDOWS\System32\ljaagy\ymlugskk.exe
    O4 - HKCU\..\Run: [usrv42a] C:\WINDOWS\System32\usrv42a.exe
    O4 - Startup: PowerReg Scheduler.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm (file missing) (HKCU)
    O9 - Extra button: RemindU - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (file missing) (HKCU)
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c8.cab
    O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia.com/install/pcs_0026.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09bc204106686a0d6715/netzip/RdxIE601.cab
    O23 - Service: jjlghhrnjwqfa - Unknown owner - C:\WINDOWS\System32\jwqfa\jjlghhrn.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
    O23 - Service: ymlugskkljaagy - Unknown owner - C:\WINDOWS\System32\ljaagy\ymlugskk.exe

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\VBouncer <--- the whole folder
    C:\WINDOWS\cfgmgr51.dll
    C:\WINDOWS\Bolger.dll
    C:\WINDOWS\system32\n20050308.EXE
    C:\WINDOWS\System32\psoft1.exe
    C:\WINDOWS\System32\exp.exe
    C:\WINDOWS\System32\wintask.exe
    c:\windows\system32\yojboe.exe
    c:\windows\system32\esea2405.exe
    C:\WINDOWS\System32\usrv42a.exe
    C:\WINDOWS\System32\ljaagy <--- the whole folder
    C:\WINDOWS\System32\jwqfa <--- the whole folder
    C:\WINDOWS\System32\ljaagy <--- the whole folder
    c:\windows\system32\ifkoyxk.exe
    C:\windows\system32\eliteker32.exe <-- also delete any other filenames beginning with elite and ending with exe. There could be up to 10 more.

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.


    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
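    The two messages above work by reading HijackThis lines by eye: services with an "Unknown owner", Run entries launching random-looking names out of a private System32 subfolder, a modified Shell= line in system.ini, and orphaned entries whose target file is missing. The script below is an added example (not part of this thread and not HijackThis itself) that applies those same signals mechanically to any log in the "<section> - <body>" format HJT uses. The sample log is constructed from lines quoted in this thread plus one benign NvCpl entry; the vowel-ratio rule for "random-looking" names and the 0.2 threshold are assumptions of the example, and the Bolger BHO line is deliberately left in to show that these heuristics miss things an analyst catches from context.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: HJT-style lines quoted in this thread, plus one benign
# line (the NvCpl entry, constructed) so the triage shows a negative case.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [jjlghhrn] C:\WINDOWS\System32\jwqfa\jjlghhrn.exe
O4 - HKLM\..\Run: [s77k3pT] esea2405.exe
O4 - HKLM\..\Run: [Upromise0] "C:\Program Files\Upromise_RemindU\Upromise0.exe"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: jjlghhrnjwqfa - Unknown owner - C:\WINDOWS\System32\jwqfa\jjlghhrn.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# Assumed log format: "<section code> - <body>", e.g. "O23 - Service: ...".
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First absolute Windows path in a line, quoted (may contain spaces) or bare.
WIN_PATH = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)')
# O4 entries look like "[name] command line".
RUN_ENTRY = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
VOWELS = set("aeiou")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def first_path(body: str):
    """Return the first Windows path in the line, minus any rundll32 ',Entry' suffix."""
    m = WIN_PATH.search(body)
    if not m:
        return None
    return (m.group(1) or m.group(2)).split(",")[0]


def looks_random(name: str) -> bool:
    """Assumed heuristic: 6+ letters with under 20% vowels (jjlghhrn, ymlugskk)."""
    stem = name.rsplit(".", 1)[0]
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.2


def path_reasons(path: str) -> list:
    reasons = []
    parts = path.replace("/", "\\").split("\\")
    if looks_random(parts[-1]):
        reasons.append("random-looking filename")
    lowered = [p.lower() for p in parts]
    if "system32" in lowered:
        idx = lowered.index("system32")
        # Legitimate autoruns sit directly in System32; a private subfolder is unusual.
        if len(parts) - idx > 2:
            reasons.append(f"runs from a System32 subfolder ({parts[idx + 1]})")
    return reasons


def triage(log_text: str) -> list:
    """Return one Finding per HJT line that trips at least one signal."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reasons = []
        if section == "F2" and "Shell=" in body:
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":  # anything appended to the shell is a hijack
                reasons.append(f"Shell= hijacked: {shell}")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service with unknown owner")
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("orphaned entry (target file missing)")
        path = first_path(body)
        if path:
            reasons.extend(path_reasons(path))
        elif section == "O4":
            entry = RUN_ENTRY.search(body)
            if entry and entry.group("cmd"):
                # A bare filename with no directory cannot be located for inspection.
                reasons.append(f"unqualified command, no directory: {entry.group('cmd')}")
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

Run it on a saved log with `triage(open("hijackthis.log").read())`. The output is a worklist, not a verdict: every flagged line still needs the owner lookup the thread does by asking the poster, and a line the heuristics leave alone (the Bolger BHO here) can still be the infection.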
     
  17. Rob Beaux

    Rob Beaux Private E-2

    OK, things seem OK so far. Here are the details of your last 2 messages.

    OK, the 'ymlugskkljaagy' ('ymlu...' from now on in this message) service could not be stopped or disabled. I even tried to kill the process and it would not let me. I got this error: Could not stop 'ymlu...' service on local computer. The service did not return an error. This could be an internal Windows error or an internal service error. If the problem persists, contact your systems administrator.

    I continued on and went to the MISC tools as you requested. When I got to 'ymlu...' service it responded with this error. "The service 'ymlu...' is enabled and/or running. Disable it first using HJT itself (from scan results) or from service.msc window."

    I moved on to your next message.

    I killed the first 2 processes but that 'ymlu...' process was not able to be killed. I received this error: "The selected process could not be killed. It may have already closed, or protected by windows. This process might be a service, which you can stop from the services applet in admin tools." I tried to kill it again in the services.msc but it didn't kill it. So I continued on.

    I was able to fix all of the fixes you suggested in the HJT log except for 2 that were not there.

    O23 Service jjlghhrnjwqfa and O23 System Startup Service were both not present.

    I rebooted in safe mode as per your instructions. I deleted all the files that were present. I did not find:

    C:\Program Files\VBouncer <--- the whole folder Found a zip folder in my documents..so I deleted that one
    C:\WINDOWS\cfgmgr51.dll
    C:\WINDOWS\system32\n20050308.EXE
    C:\WINDOWS\System32\exp.exe
    C:\WINDOWS\System32\wintask.exe
    c:\windows\system32\yojboe.exe
    c:\windows\system32\esea2405.exe
    c:\windows\system32\ifkoyxk.exe

    C:\WINDOWS\System32\ljaagy <--- the whole folder -- you had this listed twice; was it supposed to be something different?

    C:\windows\system32\eliteker32.exe -- deleted it; only found this file, no others.

    I ran CCleaner and it deleted 2.88MB of things. I have that log if you need it.


    While I was deleting files I ran across something called Euplyc.exe (listed as a redirect in its properties). It also had about 8 other similarly named files that all had .xml extensions. I left it since I was not certain of it.

    When I started IE for the first time I got a pop up on the task bar only with Aurora in it. It lasted about 20 seconds then disappeared. I also noticed on the HJT log that nail is still there as well as 'ymlu...'. After I post this I will try the removal for Nail as per your earlier instructions. As for the removal of 'ymlu...', I will try the procedure again that I tried this morning.

    The log here is of my current situation. I will post again with a new log after I try to remove Nail and 'ymlu...' another time.

    Thanks for the help..things seem to be improving.
     

    Attached Files:

  18. Rob Beaux

    Rob Beaux Private E-2

    OK, after that last post I did another nail remove and reboot and then continued on to remove the 'ymlu...'. I was able to disable it and stop it in the services.msc window. I opened HJT and was able to delete the NT service. I opened the process manager and 'ymlu...' was not there. So I scanned with HJT and fixed the following:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
    O4 - HKLM\..\Run: [ymlugskk] C:\WINDOWS\System32\ljaagy\ymlugskk.exe

    I then rebooted in safe mode and deleted bolger.dll (again) and then ran CCleaner and deleted prefetch. I then restarted in normal mode. I ran HJT and posted this message with the new log.

    Things are better. I can search without redirects. However when starting IE I get a brief window on the task bar in addition to the IE window it stays less than a second or so.
    I see that Nail is still there in the HJT log as well as bolger, but at least that says file missing. Also I seem to have killed the 'ymlu...' thing.

    I also noticed a bunch of files with the same date and approximate time stamp as when I was infected (I think anyway). One I mentioned below, Euplyc.exe. In addition another one is 246765-ventura-hot.exe; these just look suspicious but I will await your response.
     

    Attached Files:

  19. Rob Beaux

    Rob Beaux Private E-2

    I think I fixed it...

    OK, here is what I did. A friend suggested Ewido security suite. I downloaded and ran it. Then I did a Trend Micro scan again, then I ran Ad-Aware and Spybot. Then I searched for and physically deleted every instance of nail.exe that I could find. The only one I couldn't was in a folder windows/recycler/ that I could not delete. It said the file was protected or in use. So I ran HJT, fixed the 02 line with nail and the line with bolger. Ran CCleaner and rebooted. Then I ran the HJT and there is no sight of nail or bolger.

    If any of my previous messages indicate something else to delete let me know. Here's the log. I await your reply to give me a clean bill of health. :) Thanks for your help.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your last log is clean! I would delete those files you mentioned before:
    Euplyc.exe and 246765-ventura-hot.exe

    Is everything still working OK?
     
  21. Rob Beaux

    Rob Beaux Private E-2

    Working good. Going to delete those files right now. Thanks for your help. I will post again if anything else shows up over the next few days.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

