Hi !

I'd like help to remove a very persistent virus that have been on my sons computer since early this summer and I just can't find how to remove it.

I found on the Internet the it is called W32/Sdbot-ZN as I found this wdfmrg.exe in WINNT/system32 folder

You can't find the process in Task-manager and you can't remove the file, not even in fail safe mode.

also When I check with Security Task manager I find it running two instances of Explorer.exe both in the winnt directory.

One is named Explorer.EXE and the other explorer.exe as you can see there is some difference in lower case nothing else.

When I looked in the WINNT directory I can only see one "explorer.exe" and then something called only "Explorer" that in type says "Windows explorer command" could that be something ?
I wouldn't want to remove it without knowing what I'm doing. :o

Also when I look in task manager - processes I find a CMD.exe running and you get a "access denied" if you try to end it.

The thing is that some virus makes this computer cuts off all network connections to our other computers on out LAN after a few minutes.

But the Internet connection ok stays though. Still it's also makes the computer very slack and everything opens very slow.

Serious help is appreciated :o

Recommended Answers

All 8 Replies

The best way that I've found to take care of malware that just won't go away is by following this guide. Starting from Step 1 and moving all the way through Step 2 will remove just about any annoying program. After you run through those steps, let me know if it has been removed or not. I can guide you through more thorough steps to take if it hasn't been fully removed.

(*sigh* here we go again*)

Cough, well, no that will not help.

For the first I don't run XP, I have Windows 2000 pro + SP4 and I have done almost all of those both programs and steps that says there.

Normally I remove a spy-ware in 5 minutes flat, even less if its the second time around and I have had loooooooooooaaaaaaads of them,
and have normally always been very successful in removing them, either manually or partially with a help with a ad-aware or hijack-this or other application and then manually from the registry etc ... etc ...

This is a very particularly nasty bug that I just don't seem to find how to remove. :rolleyes:

Sorry if I underestimated your skills. Most people think running just one remover is all they need to do.

While I look for additional information, load up regedit and navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Check for a value named "shell". The data for this value should be "explorer.exe" and nothing else. I have often seen tough malware put itself in there so it loads before everything else. If you have anything in there, delete it, and just leave "explorer.exe". Hopefully, after you reboot, your system won't be running the processes anymore and you can clean them out.

I found that "wdfmrg.exe" usually places itself in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Have you searched the registry and removed all references to this file while in safe mode?

Hm. that was a new directory I hadn't looked in normally.

How ever, there was only one file there and that was this one Explorer.exe (with a big "E" though, not that I think it matters)

anyway, this was the other things I found in that directory.

A kind of suspicious file "userinit.exe" for example, and other things.

As your are familiar with this directory, perhaps you can see if there is something there that shouldn't be there ? :eek:

I normally only check in the "run" / "run once" / "run services" to search for viruses manually, if I don't find any other references from internet, that is. :confused:

[IMG]http://hem.bredband.net/b360565/temp/sep/16.gif[/IMG]

Userinit is a normal value. The "userinit.exe" program handles different startup routines for different users.

There is something I haven't tried yet, but it might be worth a try. Get the Ultimate Boot CD. This CD will boot and give you access to numerous tools, including a number of different anti-virus programs and even access to your drive. This should allow you to remove the offending file, reboot, and have a clean system. If you give it a try, let me know how it goes.

Download HijackThis self-extracting zip version from here. Once downloaded, double click on the file & it will install into it's own, permanent folder.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

==

Go here and download then run Silent Runners.vbs. It generates a log, please post the information back in this thread.
If you have a script blocking program, please allow the file to run. It is not malicious.

Hi !

Sorry, I've been very busy lately but now I have time again.

I've also found other virus files on the computer that I can't remove, not even in fail safe mode.

Like devmks32.exe that seem to be a WIN32.RBOT worm.
Norton antivirus don't find it, or any other spy ware that I tried.
I can't find it in the registry either.


I still have the problem other problem left also.

This is my Hijackthis file.

BTW, all SETI and BOINC applications are ok, I choose them my self.
Also
Logfile of HijackThis v1.99.1
Scan saved at 14:10:04, on 2005-09-19
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\Program Files\Sygate\SPF\smc.exe
D:\WINNT\system32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\Program Files\Common Files\Symantec

Shared\SPBBC\SPBBCSvc.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
D:\WINNT\system32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\Program Files\Speed Disk\nopdb.exe
D:\Program Files\Common Files\Symantec

Shared\CCPD-LC\symlcsvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
D:\Program Files\D-Tools\daemon.exe
C:\marias\regprot\regprot.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINNT\system32\RUNDLL32.EXE
D:\Program Files\BoincLogX\boinclogx.exe
D:\Program Files\Ares Lite Edition\AresLite.exe
D:\Program Files\BOINC\boinc_gui.exe
D:\Program Files\GetRight\getright.exe
D:\Program Files\GetRight\getright.exe
D:\Program Files\BOINC\Spy++\spy++.exe
D:\Program Files\BOINC\Spy++\SETISPY.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program

Files\BOINC\projects\setiathome.berkeley.edu\setiathome_4.11_

windows_intelx86.exe
D:\WINNT\explorer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\PROGRA~1\ACCELE~1\ANTI-V~1\STOPSI~1.EXE
D:\Program Files\Acceleration

Software\Anti-Virus\stopsignav.exe
C:\Marias\HijackThis.exe

F2 - REG:system.ini: UserInit=D:\WINNT\system32\Userinit.exe
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8}

- (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F}

- D:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872}

- D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus -

{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program

Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program

Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program

Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe

/logon
O4 - HKLM\..\Run: [RegProt] c:\marias\regprot\regprot.exe

/start
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe

-startgui
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common

Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common

Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]

D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE

D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [webscan] "D:\Program Files\Acceleration

Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [eanth_critical_update_alert]

D:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN

Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BoincLogX] "D:\Program

Files\BoincLogX\boinclogx.exe"
O4 - HKCU\..\Run: [areslite] "D:\Program Files\Ares Lite

Edition\AresLite.exe" -h
O4 - Startup: S_spy++.exe.lnk = D:\Program

Files\BOINC\Spy++\spy++.exe
O4 - Global Startup: BOINC.lnk = D:\Program

Files\BOINC\boinc_gui.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = D:\Program

Files\GetRight\getright.exe
O8 - Extra context menu item: &ieSpell Options -

res://D:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling -

res://D:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download with GetRight -

D:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser -

D:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program

Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program

Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}

(WUWebControl Class) -

http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x8

6/client/wuweb_site.cab?1122566911468
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall

Control) -

http://a840.g.akamai.net/7/840/537/2004061001/housecall.trend

micro.com/housecall/xscan53.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec

Corporation - D:\Program Files\Common Files\Symantec

Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) -

Symantec Corporation - D:\Program Files\Common Files\Symantec

Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) -

Symantec Corporation - D:\Program Files\Common Files\Symantec

Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service

(dmadmin) - VERITAS Software Corp. -

D:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto-Protect Service

(navapsvc) - Symantec Corporation - D:\Program Files\Norton

AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service

(NPFMntor) - Symantec Corporation - D:\Program Files\Norton

AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA

Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program

Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec

Corporation -

D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate

Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) -

Symantec Corporation - D:\Program Files\Common Files\Symantec

Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec

Corporation - D:\Program Files\Common Files\Symantec

Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation -

D:\Program Files\Speed Disk\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation -

D:\Program Files\Common Files\Symantec

Shared\CCPD-LC\symlcsvc.exe

Please visit at least two of the following sites for an online virus scan:

BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
Make sure you tick AutoClean under Scan Options.

Panda ActiveScan
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Make sure you tick Disinfect automatically under Scan Options.

Housecall at TrendMicro
http://housecall.trendmicro.com/housecall/start_corp.asp
Make sure you tick Auto Clean.

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

==

Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.

Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

This one too if Win2K or XP.
C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

==

Please post a new log from hijackthis, but this time please make sure that it is formatted correctly. It is near on impossible to read your first log :).

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.