# Still having problems - brdr, zenosearch among others

Oct 23, 2007
1. Help!
This weekend I started having weird problems with the old home computer. I've got Norton, but no firewall that I know of. I'll go download one of the free ones asap.
I was reading other posts with similar problems like brdr error when shutting down, and I think I saw something about a midgetlink.php, not exactly sure if I want to know what that is. But it seems to be trying to become my new home page and ever since I am being directed to odd web pages. I guess it's a pop up, but it sends me to ebay with weird search results and other sites, most I'm not familiar with.

Some other symptoms are general slowishness and also new this week are Microsoft mouse errors.

I printed out the malware removal instructions and tried to follow all the directions, and found a lot of stuff on my machine that I had no idea was on there.

While I was typing this in, another pop up opened up with ebay search results with "new" in search parameters. So whatever was there, is still there. I must have missed a step.

Anyway, as I said at the beginning... help! and thanks for such a handy and lifesaving service.

Attached are the logs that I made running all these scans today and last night.

Joe

2. ### howard_hopkinso TS Rookie Posts: 24,177   +19

hello and welcome to Techspot.

Your system is a mess and we've got quite a lot of work to do in order to try and get it clean again.

You must follow all instructions in full.

Zonealarm, Kerio or Comodo free firewall programmes.

Go to add remove programmes in your control panel and uninstall anything to do with (if there).

WinUpdater
mywebsearch

Close control panel.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon, which will open a new window titled "Open Script File".
Navigate to the file you have just downloaded, click on it and press Open.
Now click on the Green Light to begin execution of the script.

4. The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT and Combofix log.

Also, let me know the results of the Panda Antirootkit scan as per step 11 of these instructions.

Regards Howard :wave: :wave:

3. ### dancinhomer TS Rookie Topic Starter

re:

installed comodo
did not find the WinUpdater or mywebsearch in the control panel add/remove programs

ran avenger, but something didn't take. I noticed an error when it was rebooting but couldn't read it. When it came back up, the avenger.txt was blank. When the black dialog box ran the first thing it said was, "system cannot find file specified" something about c:avenger\*.reg, I thought it wasn't working but then it started doing something and when it was done it said that it couldn't find the text file, do you want to create one anyway. I said yes and it was just a blank file.

Also, the panda antirootkit scan I did last night was uneventful, if I remember, it was the only one that said there was no problems found. Did it create a log file like all the others?

Should I re-run the avenger? Haven't run any other fresh HJT or combofix scans.
Sorry I've got a crying baby that needs my attention.
Joe

4. ### howard_hopkinso TS Rookie Posts: 24,177   +19

No, just post a fresh HJT and Combofix log.

Regards Howard

This thread is for the use of dancinhomer only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

5. ### dancinhomer TS Rookie Topic Starter

posting new combofix and hjt scan results

Here are the new combofix and hjt scan logs
I kept getting pop ups from Comodo firewall during the combofix scan, and seem to remember something about not touching the mouse during the scan, but of course I didn't remember this until midway through the scan. So I was clicking away.

Was I supposed to click on anything in the hjt menu to fix anything yet? Or is this just digging to find a culprit(s)?
Thanks again and Sorry if I'm taking too much of your time,
Joe

6. ### howard_hopkinso TS Rookie Posts: 24,177   +19

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to add remove programmes in your control panel and uninstall anything to do with (if there).

UltimateBet
PartyGaming
PartyPoker

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

m3SrchMn.exe
krdsrngm.exe
RunApp.exe
UltimateBet.exe

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O2 - BHO: (no name) - {232D2677-68EE-4FA1-B988-279EBC8969ED} - (no file)

O2 - BHO: (no name) - {48FFC542-616C-4A00-B0A1-1C6B76FEA276} - (no file)

O2 - BHO: (no name) - {762D7F4A-148D-4DA8-A7BE-035D8E06327F} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {AF4D6F5D-DDE2-41F3-B88B-8D00AD663842} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [7c1397d7] rundll32.exe "C:\WINDOWS\system32\gjofjqyi.dll",b

O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w

O4 - HKLM\..\Run: [{39-97-77-78-ZN}] C:\windows\system32\krdsrngm.exe CHD003

O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\WinUpdater\update.exe" /background

O8 - Extra context menu item: &Search - ?p=zuzed004MLUS_ZZzer000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe

O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or folders (if there).

C:\Program Files\PartyGaming
C:\Program Files\UltimateBet
C:\Program Files\WinUpdater

C:\PROGRA~1\MYWEBS~1
C:\windows\system32\krdsrngm.exe
C:\WINDOWS\SYSTEM32\gjofjqyi.dll

C:\WINDOWS\SYSTEM32\jjkmp.bak1
C:\WINDOWS\SYSTEM32\jjkmp.bak2
C:\WINDOWS\SYSTEM32\jjkmp.ini2

Reboot into normal mode and rehide your protected OS files.

Post fresh HJT and Combofix logs.

Regards Howard

7. ### dancinhomer TS Rookie Topic Starter

okay, done with next step

Howard
upon startup SS&D detected an important registry entry that has been changed.
should I be allowing these?

this latest one is weird because I couldn't find this file in safe mode.

category: system startup global entry
Change value detected
entry: {39-97-77-78-ZN}
Old data C:\windows\system32\krdsrngm.exe CHD003
allow change or deny change

also before I could access your latest instructions, Comodo had an error and was trying to email an error log back to Comodo.
not sure if its relevant

What is shellconhidden? that is another of the error windows that come up when I shut down. It needs help ending or something, kinda like the brdr box that I was getting right after I think I got suspicious something was up
same with ccapp.exe

I'm also getting an error pop up from Norton that says Symantec email proxy
symantec email proxy cannot scan your email messages because your network is not properly configured.
Cl

8. ### howard_hopkinso TS Rookie Posts: 24,177   +19

Deny the reg change as krdsrngm.exe is nasty.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

krdsrngm.exe

We're going to have to manually delete some registry entries.

Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to wherever you want.

Now, navigate to the following reg keys and delete the bold entries.

HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{232D2677-68EE-4FA1-B988-279EBC8969ED}

HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48FFC542-616C-4A00-B0A1-1C6B76FEA276}

HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{762D7F4A-148D-4DA8-A7BE-035D8E06327F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nrbycmqn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7c1397d7

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My Web Search Bar Search Scope Monitor

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{39-97-77-78-ZN}

Close regedit.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O4 - HKLM\..\Run: [nrbycmqn] C:\swixhova.bat

O4 - HKLM\..\Run: [7c1397d7] rundll32.exe "C:\WINDOWS\system32\gjofjqyi.dll

O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w

O4 - HKLM\..\Run: [{39-97-77-78-ZN}] C:\windows\system32\krdsrngm.exe CHD003

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or folders (if there).

C:\PROGRA~1\MYWEBS~1 <Delete the entire folder.
C:\windows\system32\krdsrngm.exe
C:\swixhova.bat

Reboot into normal mode and rehide your protected OS files.

Post fresh HJT and Combofix logs.

Regards Howard
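
Posts 6 and 8 above work from HJT entry lines and map the O4 Run lines to full registry paths by hand. As an added example (not part of the original thread and not HijackThis's own code), this Python script parses such lines, lists the entries marked "(no file)" or "(file missing)", and expands HJT's abbreviated `HKLM\..\Run` form into the path seen in regedit; the function names and `SAMPLE_LOG` are hypothetical.

```python
import re

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
# HJT abbreviates this part of the path as ".." in O4 lines.
CURRENT_VERSION = r"SOFTWARE\Microsoft\Windows\CurrentVersion"
ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)\s*$", re.IGNORECASE)

# Sample input: entry lines copied from the posts above; the header line is constructed.
SAMPLE_LOG = r'''
Running processes:
O2 - BHO: (no name) - {232D2677-68EE-4FA1-B988-279EBC8969ED} - (no file)
O4 - HKLM\..\Run: [7c1397d7] rundll32.exe "C:\WINDOWS\system32\gjofjqyi.dll",b
O4 - HKLM\..\Run: [{39-97-77-78-ZN}] C:\windows\system32\krdsrngm.exe CHD003
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
'''

def parse_hjt_line(line):
    """Return a dict describing one HJT entry, or None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    entry = {"section": section, "orphaned": bool(ORPHAN_RE.search(body)),
             "clsid": None, "reg_value": None, "command": None}
    clsid = CLSID_RE.search(body)
    if clsid:
        entry["clsid"] = clsid.group(0).upper()
    run = RUN_RE.match(body) if section == "O4" else None
    if run:
        hive, subkey, name, command = run.groups()
        # Unknown hive abbreviations are kept as written rather than guessed.
        entry["reg_value"] = "\\".join(
            [HIVES.get(hive, hive), CURRENT_VERSION, subkey, name])
        entry["command"] = command
    return entry

def triage(log_text):
    """Return (CLSIDs of orphaned entries, {autostart registry value: command})."""
    entries = [e for e in map(parse_hjt_line, log_text.splitlines()) if e]
    orphans = [e["clsid"] for e in entries if e["orphaned"]]
    autostarts = {e["reg_value"]: e["command"] for e in entries if e["reg_value"]}
    return orphans, autostarts

if __name__ == "__main__":
    orphans, autostarts = triage(SAMPLE_LOG)
    print("Orphaned entries:", *orphans, sep="\n  ")
    for value, command in autostarts.items():
        print(f"{value}\n  -> {command}")
```

The script only reads a saved log; it does not touch the registry, so the output is a checklist to compare against regedit and the next scan.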

9. ### dancinhomer TS Rookie Topic Starter

quick question
when I came back to normal mode SS&D detected an important registry entry changed. I denied the first one which was
category: system startup global entry
change: value detected
entry: nrbycmqn
old data: C:\swixhova.bat

then I realized that maybe these changes were supposed to be allowed

the second one I still have up and it was for 7c1397d7
rundll32.exe

should I allow or deny this?

I was able to delete the first 4 on the list in regedit
but could not find the last 4 under the path indicated. I did do a find and was able to locate the files in reg edit, but did not delete them
I was able to see the progra~1 file in the reg edit but cannot see it in MyComputer/Windows explorer

should I have?

fresh logs will be uploaded shortly
Thanks

10. ### howard_hopkinso TS Rookie Posts: 24,177   +19

Temporarily uninstall SS&D as it's interfering with the fixes we're trying to run.

Then follow the instructions in my post above.

Regards Howard


11. ### dancinhomer TS Rookie Topic Starter

okay uninstalled spybot rebooted and voila

here are the two fresh logs

In HJT I saw some of the entries were still there, but did not delete on the second scan.

awaiting further instructions

12. ### howard_hopkinso TS Rookie Posts: 24,177   +19

Very well done, we've got rid of the bugger and your log files are clean.

Have HJT fix all O2 - BHO: (no name) entries that say (No File) at the end.

Turn off system restore.(XP/ME only) See how HERE.

You can now reinstall SS&D

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard


13. ### dancinhomer TS Rookie Topic Starter

How do I login as admin? This is probably something I should know, but I've never done that that I can remember.
The only place I saw it as an option was in safe mode

Oh
and thanks again for all your help, and patience, and positive attitude!

14. ### howard_hopkinso TS Rookie Posts: 24,177   +19

Your normal login account should have admin privileges. That's assuming you're the admin of the system?

Regards Howard

15. ### dancinhomer TS Rookie Topic Starter

just couldn't remember seeing an admin login, but I am the main user and the one who set it all up years ago, so I should have admin rights.
thanks

16. ### howard_hopkinso TS Rookie Posts: 24,177   +19

Yes, you should have admin rights.

In fact, you wouldn't have been able to do all that we've done without admin rights lol.

Regards Howard