TechSpot

Still having problems - brdr, zenosearch among others

By dancinhomer
Oct 23, 2007
  1. Help!
    This weekend I started having weird problems with the old home computer. I've got Norton, but no firewall that I know of. I'll go download one of the free ones asap.
    I was reading other posts with similar problems like the brdr error when shutting down, and I think I saw something about a midgetlink.php, not exactly sure if I want to know what that is. But it seems to be trying to become my new home page and ever since I am being directed to odd web pages. I guess it's a pop up, but it sends me to ebay with weird search results and other sites, most I'm not familiar with.

    Some other symptoms are general slowishness and also new this week are Microsoft mouse errors.

    I printed out the malware removal instructions and tried to follow all the directions, and found a lot of stuff on my machine that I had no idea was on there.

    While I was typing this in, another pop up opened up with ebay search results with "new" in the search parameters. So whatever was there, is still there. I must have missed a step.

    Anyway, as I said at the beginning... help! and thanks for such a handy and lifesaving service.

    Attached are the logs that I made running all these scans today and last night.

    again, thanks for your help
    Joe
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    hello and welcome to Techspot.

    Your system is a mess and we`ve got quite a lot of work to do in order to try and get it clean again.

    You must follow all instructions in full.

    Download and install one of the free firewall programmes below.

    Zonealarm, Kerio or Comodo free firewall programmes.

    Reboot your computer.

    Go to add/remove programmes in your control panel and uninstall anything to do with (if there):

    WinUpdater
    mywebsearch

    Close control panel.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT and Combofix log.

    Also, let me know the results of the Panda Antirootkit scan as per step 11 of these instructions.

    Regards Howard :wave: :wave:

    This thread is for the use of dancinhomer only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. dancinhomer

    dancinhomer TS Rookie Topic Starter

    re:

    installed Comodo
    did not find the WinUpdater or mywebsearch in the control panel add/remove programs

    ran avenger, but something didn't take. I noticed an error when it was rebooting but couldn't read it. When it came back up, the avenger.txt was blank. When the black dialog box ran the first thing it said was, "system cannot find file specified" something about c:avenger\*.reg. I thought it wasn't working but then it started doing something and when it was done it said that it couldn't find the text file, do you want to create one anyway. I said yes and it was just a blank file.

    Also, the panda antirootkit scan I did last night was uneventful, if I remember, it was the only one that said there was no problems found. Did it create a log file like all the others?

    Should I re-run the avenger? Haven't run any other fresh HJT or combofix scans.
    Sorry I've got a crying baby that needs my attention.
    Thanks for all your help.
    Joe
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No, just post a fresh HJT and Combofix log.

    Regards Howard :)

     
  5. dancinhomer

    dancinhomer TS Rookie Topic Starter

    posting new combofix and hjt scan results

    Here are the new combofix and hjt scan logs
    I kept getting pop ups from Comodo firewall during the combofix scan, and seem to remember something about not touching the mouse during the scan, but of course I didn't remember this until midway through the scan. So I was clicking away.

    Was I supposed to click on anything in the hjt menu to fix anything yet? Or is this just digging to find a culprit(s)?
    Thanks again and sorry if I'm taking too much of your time,
    Joe
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to add/remove programmes in your control panel and uninstall anything to do with (if there):

    UltimateBet
    PartyGaming
    PartyPoker

    Close control panel.
    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    m3SrchMn.exe
    krdsrngm.exe
    RunApp.exe
    UltimateBet.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O2 - BHO: (no name) - {232D2677-68EE-4FA1-B988-279EBC8969ED} - (no file)

    O2 - BHO: (no name) - {48FFC542-616C-4A00-B0A1-1C6B76FEA276} - (no file)

    O2 - BHO: (no name) - {762D7F4A-148D-4DA8-A7BE-035D8E06327F} - (no file)

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O2 - BHO: (no name) - {AF4D6F5D-DDE2-41F3-B88B-8D00AD663842} - (no file)

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKLM\..\Run: [7c1397d7] rundll32.exe "C:\WINDOWS\system32\gjofjqyi.dll",b

    O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w

    O4 - HKLM\..\Run: [{39-97-77-78-ZN}] C:\windows\system32\krdsrngm.exe CHD003

    O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\WinUpdater\update.exe" /background

    O8 - Extra context menu item: &Search - ?p=zuzed004MLUS_ZZzer000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

    O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe

    O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe

    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab

    O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downloads/gamemanager/DIGGameManager.cab

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or folders (if there):

    C:\Program Files\PartyGaming
    C:\Program Files\UltimateBet
    C:\Program Files\WinUpdater

    C:\PROGRA~1\MYWEBS~1
    C:\windows\system32\krdsrngm.exe
    C:\WINDOWS\SYSTEM32\gjofjqyi.dll

    C:\WINDOWS\SYSTEM32\jjkmp.bak1
    C:\WINDOWS\SYSTEM32\jjkmp.bak2
    C:\WINDOWS\SYSTEM32\jjkmp.ini2

    Reboot into normal mode and rehide your protected OS files.

    Post fresh HJT and Combofix logs.

    Regards Howard :)

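    A defender-side way to triage the kind of HijackThis output Howard is working from above, as an added example in Python that is not part of this thread or of HijackThis itself: it parses the O2/O4/O9/O16 line formats, flags the random-looking autorun names and binaries seen in these logs, and runs over sample lines constructed from the entries quoted in this thread (the ExampleAV control line and the KNOWN_UNWANTED list are assumptions for illustration).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: HijackThis-style lines quoted in this thread, plus one
# constructed benign Run entry (ExampleAV, path assumed) as a control.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {232D2677-68EE-4FA1-B988-279EBC8969ED} - (no file)
O4 - HKLM\\..\\Run: [7c1397d7] rundll32.exe "C:\\WINDOWS\\system32\\gjofjqyi.dll",b
O4 - HKLM\\..\\Run: [{39-97-77-78-ZN}] C:\\windows\\system32\\krdsrngm.exe CHD003
O4 - HKLM\\..\\Run: [nrbycmqn] C:\\swixhova.bat
O4 - HKCU\\..\\Run: [WinUpdater] "C:\\Program Files\\WinUpdater\\update.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\\WINDOWS\\System32\\msjava.dll (file missing)
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O4 - HKLM\\..\\Run: [ExampleAV] "C:\\Program Files\\ExampleAV\\tray.exe"
"""

RUN_RE = re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
RANDOM8 = re.compile(r'^[a-z0-9]{8}$')  # 8 lowercase alphanumerics: 7c1397d7, nrbycmqn, gjofjqyi
FILENAME_RE = re.compile(r'([^\\/"]+?)\.(exe|dll|bat)\b', re.IGNORECASE)
# Names the helper in this thread told the user to remove (assumed heuristic list, not a signature database).
KNOWN_UNWANTED = ("winupdater", "my web search", "mywebs~1")

def triage_line(line: str) -> Tuple[str, str]:
    """Classify one HijackThis log line as (severity, reason)."""
    low = line.lower()
    if line.startswith(("O2 ", "O9 ")) and ("(no file)" in low or "(file missing)" in low):
        return "low", "orphaned entry: registered component has no file on disk"
    m = RUN_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        stems = [stem.lower() for stem, _ext in FILENAME_RE.findall(cmd)]
        if RANDOM8.match(name.lower()) or any(RANDOM8.match(s) for s in stems):
            return "high", "autorun with random-looking name or binary"
        if ".bat" in low:
            return "high", "autorun launches a batch file"
        if any(k in low for k in KNOWN_UNWANTED):
            return "medium", "autorun matches a name flagged as unwanted in this thread"
        if "rundll32" in low:
            return "medium", "rundll32 loading a DLL at logon; verify the DLL"
        return "info", "autorun entry, review manually"
    if line.startswith("O16 "):
        return "medium", "ActiveX control downloaded (DPF) from an external site"
    return "info", "no rule matched"

def triage_log(text: str) -> List[Tuple[str, str, str]]:
    """Run triage over every non-empty line; returns (severity, reason, line)."""
    return [(*triage_line(l), l) for l in text.splitlines() if l.strip()]

def count_by_severity(text: str) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for sev, _reason, _line in triage_log(text):
        counts[sev] = counts.get(sev, 0) + 1
    return counts

if __name__ == "__main__":
    for sev, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{sev:6}] {reason}\n         {line}")
```

    The heuristics only prioritise what a human should look at first; an orphaned O2 entry is clutter to clean up, while an autorun named with eight random characters is the kind of entry Howard singles out for removal.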
     
  7. dancinhomer

    dancinhomer TS Rookie Topic Starter

    okay, done with next step

    Howard
    upon startup S&D detected an important registry entry that has been changed.
    should I be allowing these?

    this latest one is weird because I couldn't find this file in safe mode.

    category: system startup global entry
    Change value detected
    entry: {39-97-77-78-ZN}
    Old data C:\windows\system32\krdsrngm.exe CHD003
    allow change or deny change

    also before I could access your latest instructions, Comodo had an error and was trying to email an error log back to Comodo.
    not sure if it's relevant

    What is shellconhidden? That is another of the error windows that come up when I shut down. It needs help ending or something, kinda like the brdr box that I was getting right after I think I got suspicious something was up.
    same with ccapp.exe

    I'm also getting an error pop up from Norton that says Symantec email proxy
    symantec email proxy cannot scan your email messages because your network is not properly configured.
    Cl
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Deny the reg change as krdsrngm.exe is nasty.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    krdsrngm.exe

    Close task manager.


    We're going to have to manually delete some registry entries.

    Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to wherever you want.

    Now, navigate to the following reg keys and delete the entries listed:

    HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{232D2677-68EE-4FA1-B988-279EBC8969ED}

    HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48FFC542-616C-4A00-B0A1-1C6B76FEA276}

    HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{762D7F4A-148D-4DA8-A7BE-035D8E06327F}

    HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF4D6F5D-DDE2-41F3-B88B-8D00AD663842}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nrbycmqn

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7c1397d7

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My Web Search Bar Search Scope Monitor

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{39-97-77-78-ZN}

    Close regedit.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O4 - HKLM\..\Run: [nrbycmqn] C:\swixhova.bat

    O4 - HKLM\..\Run: [7c1397d7] rundll32.exe "C:\WINDOWS\system32\gjofjqyi.dll

    O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w

    O4 - HKLM\..\Run: [{39-97-77-78-ZN}] C:\windows\system32\krdsrngm.exe CHD003

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or folders (if there):

    C:\PROGRA~1\MYWEBS~1 (delete the entire folder)
    C:\windows\system32\krdsrngm.exe
    C:\swixhova.bat

    Reboot into normal mode and rehide your protected OS files.

    Post fresh HJT and Combofix logs.

    Regards Howard :)

     
  9. dancinhomer

    dancinhomer TS Rookie Topic Starter

    quick question
    when I came back to normal mode SS&D detected an important registry entry changed. I denied the first one which was
    category: system startup global entry
    change: value detected
    entry: nrbycmqn
    old data: C:\swixhova.bat

    then I realized that maybe these changes were supposed to be allowed

    the second one I still have up and it was for 7c1397d7
    rundll32.exe

    should I allow or deny this?

    I was able to delete the first 4 on the list in regedit
    but could not find the last 4 under the path indicated. I did do a find and was able to locate the files in reg edit, but did not delete them
    I was able to see the progra~1 file in the reg edit but cannot see it in MyComputer/Windows explorer

    should I have?

    fresh logs will be uploaded shortly
    Thanks
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Temporarily uninstall SS&D as it's interfering with the fixes we're trying to run.

    Then follow the instructions in my post above.

    Regards Howard :)

     
  11. dancinhomer

    dancinhomer TS Rookie Topic Starter

    okay uninstalled spybot rebooted and voila

    here are the two fresh logs

    In HJT I saw some of the entries were still there, but did not delete on the second scan.

    awaiting further instructions
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Very well done, we've got rid of the bugger and your log files are clean.

    Have HJT fix all O2 - BHO: (no name) entries that say (No File) at the end.

    Turn off system restore (XP/ME only). See how HERE.

    You can now reinstall SS&D

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  13. dancinhomer

    dancinhomer TS Rookie Topic Starter

    How do I login as admin? This is probably something I should know, but I've
    never done that that I can remember.
    The only place I saw it as an option was in safe mode

    Oh
    and thanks again for all your help, and patience, and positive attitude!
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your normal login account should have admin privileges. That's assuming you're the admin of the system?

    Why do you ask?

    Regards Howard :)

     
  15. dancinhomer

    dancinhomer TS Rookie Topic Starter

    just couldn't remember seeing an admin login, but I am the main user and the one who set it all up years ago, so I should have admin rights.
    thanks
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, you should have admin rights.

    In fact, you wouldn't have been able to do all that we've done without admin rights lol.

    Regards Howard :)

     
Topic Status:
Not open for further replies.
