Win32:vndrop virus


patdi_1

I found a virus on one of the PCs when Avast was running a full scan. The Win32:vndrop virus was detected and removed and was associated with mousehook.dll. Once Windows fully loaded, the virus was reloaded, changing the background to say I have a virus, and an icon in the lower right-hand corner also showed up noting a virus, with a link to a website. I started with the standard 8-step procedure (https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/), but got stuck and could not load Malwarebytes' Anti-Malware. I am running Windows XP Home SP3.
 
hi patdi_1

Why could you not load Malwarebytes? Did it give you an error message of some sort? Did your screen freeze up? Any other information you might have could be helpful.

Spyder_1386 :)
 
Go here and download to Desktop: http://www.adrive.com/public/97c4357781f45c7e443061094b8cfaff3836f57446eb242ab2ee0b6cd68a0107.html

Double click Fixer.exe to run it. This will extract a Fixer folder to the desktop.

Now, before running it, boot to Safe Mode with Networking.

Then double click to enter the Fixer folder.

To run it, first double click Daft, then click Scan, check any found items, click Fix and then exit.

Next, double click Fixit.cmd to run it.

When it completes, try again to install MBAM, SAS and HJT, and post the logs for Spyder to continue!

Mike
 
Loaded the Fixer folder to the PC. In Safe Mode with Networking, I opened the folder and double clicked Daft and got no response; nothing ran. This is the same for the Malwarebytes' Anti-Malware install: double clicking on setup does nothing, with no message. Tried downloading the Fixer file in Safe Mode with Networking with the same result of no execution.
 
Left-drag the mouse to select, then copy for pasting, all the text in the box below. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.

Then paste it into the black screen of an open command prompt. Not all of it may apply, so ignore errors.

Code:
@echo off
cd\
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile

sc stop TDSSserv.sys
sc delete TDSSserv.sys

sc stop Service_TDSSserv.sys
sc delete Service_TDSSserv.sys

sc stop Legacy_TDSSSERV.SYS
sc delete Legacy_TDSSSERV.SYS

Attrib -h -s -r /s c:\tdss*.*
del /f /q /s c:\tdss*.*

Attrib -h -s -r /s "c:\Legacy_*.*"
del /f /q /s "c:\Legacy_*.*"

reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f

attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
del /f /q c:\WINDOWS\system32\ieupdates.exe

attrib -h -s -r c:\WINDOWS\system32\scui.cpl
del /f /q c:\WINDOWS\system32\scui.cpl

attrib -h -s -r c:\WINDOWS\system32\winsrc.dll
del /f /q c:\WINDOWS\system32\winsrc.dll

attrib -h -s -r /s c:\xwdxqu.txt
del /f /q /s c:\xwdxqu.txt

attrib -h -s -r c:\windows\x
del /f /q c:\windows\x

attrib -h -s -r /s "c:\SxsCaPendDel*.*"
del /f /q /s "c:\SxsCaPendDel*.*"

attrib -h -s -r /s c:\h3s.sys
del /f /q /s c:\qh3s.sys

attrib -h -s -r /s c:\jsdpp32.sys
del /f /q /s c:\jsdpp32.sys

attrib -h -s -r /s c:\oxauau96.sys
del /f /q /s c:\oxauau96.sys

reg delete HKLM\SOFTWARE\swearware /f
reg delete HKCU\Software\Wget /f
reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f

sc stop gaopdxserv.sys
sc delete gaopdxserv.sys

attrib -h -s -r /s c:\gaopdx*.*
del /f /q /s c:\gaopdx*.*

reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f

sc stop Service_UACd.sys
sc delete Service_UACd.sys
attrib -h -s -r /s "c:\Service_UACd*.*"
del /f /q /s "c:\Service_UACd*.*"

attrib -h -s -r "c:\program files\Common Files\System\Uninstall*.*"
del /f /q "c:\program files\Common Files\System\Uninstall*.*"
rd /s /q "c:\program files\Common Files\System\Uninstall"

attrib -h -s -r /s "c:\PlayMP3z*.*"
del /f /q /s  "c:\PlayMP3z*.*"
rd /s /q "c:\program files\PlayMP3z"

sc stop UACkdqxyyms.sys
sc delete UACkdqxyyms.sys

attrib -h -s -r /s "c:\UAC????????.sys"
del /f /q /s "c:\UAC????????.sys"

attrib -h -s -r /s "c:\uacinit.dll"
del /f /q /s "c:\uacinit.dll"

attrib -h -s -r "c:\documents and settings\NetworkService\Application Data\.rdr.ini"
del /f /q "c:\documents and settings\NetworkService\Application Data\.rdr.ini"

attrib -h -s -r "c:\documents and settings\NetworkService\Application Data\install.dat"
del /f /q "c:\documents and settings\NetworkService\Application Data\install.dat"

attrib -h -s -r "c:\windows\system32\f06WtR"
del /f /q "c:\windows\system32\f06WtR"

attrib -h -s -r c:\windows\system32\ntnet.drv
del /f /q c:\windows\system32\ntnet.drv

attrib -h -s -r "c:\windows\system32\W70MLRES.DLL"
del /f /q "c:\windows\system32\W70MLRES.DLL"

attrib -h -s -r "c:\windows\system32\dumphive.exe"
del /f /q "c:\windows\system32\dumphive.exe"

attrib -h -s -r "c:\windows\system32\IEDFix.exe"
del /f /q "c:\windows\system32\IEDFix.exe"

attrib -h -s -r "c:\windows\system32\Process.exe"
del /f /q "c:\windows\system32\Process.exe"

attrib -h -s -r "c:\windows\system32\SrchSTS.exe"
del /f /q "c:\windows\system32\SrchSTS.exe"

attrib -h -s -r "c:\windows\system32\VACFix.exe"
del /f /q "c:\windows\system32\VACFix.exe"

attrib -h -s -r "c:\windows\system32\VCCLSID.exe"
del /f /q "c:\windows\system32\VCCLSID.exe"

attrib -h -s -r "c:\windows\system32\WS2Fix.exe"
del /f /q "c:\windows\system32\WS2Fix.exe"

attrib -h -s -r "c:\windows\patch.exe"
del /f /q "c:\windows\patch.exe"

attrib -h -s -r "c:\windows\Readme.txt"
del /f /q "c:\windows\Readme.txt"

attrib -h -s -r "c:\windows\system32\apiri32.dll"
del /f /q "c:\windows\system32\apiri32.dll"

attrib -h -s -r "c:\windows\system32\crrh32.exe"
del /f /q "c:\windows\system32\crrh32.exe"

attrib -h -s -r "c:\windows\system32\d3im32.exe"
del /f /q "c:\windows\system32\d3im32.exe"

attrib -h -s -r "c:\windows\system32\deuau.dll"
del /f /q "c:\windows\system32\deuau.dll"

attrib -h -s -r "c:\windows\system32\fsszd.dll"
del /f /q "c:\windows\system32\fsszd.dll"

attrib -h -s -r "c:\windows\system32\iecw.exe"
del /f /q "c:\windows\system32\iecw.exe"

attrib -h -s -r "c:\windows\system32\ievd32.dll"
del /f /q "c:\windows\system32\ievd32.dll"

attrib -h -s -r "c:\windows\system32\iezj.exe"
del /f /q "c:\windows\system32\iezj.exe"

attrib -h -s -r "c:\windows\system32\ipiz.exe"
del /f /q "c:\windows\system32\ipiz.exe"

attrib -h -s -r "c:\windows\system32\javach.exe"
del /f /q "c:\windows\system32\javach.exe"

attrib -h -s -r "c:\windows\system32\jzimv.dll"
del /f /q "c:\windows\system32\jzimv.dll"

attrib -h -s -r "c:\windows\system32\klieq.dll"
del /f /q "c:\windows\system32\klieq.dll"

attrib -h -s -r "c:\windows\system32\mfcib32.exe"
del /f /q "c:\windows\system32\mfcib32.exe"

attrib -h -s -r "c:\windows\system32\nths.dll"
del /f /q "c:\windows\system32\nths.dll"

attrib -h -s -r "c:\windows\system32\ntzy32.exe"
del /f /q "c:\windows\system32\ntzy32.exe"

attrib -h -s -r "c:\windows\system32\sdkhq.exe"
del /f /q "c:\windows\system32\sdkhq.exe"

attrib -h -s -r "c:\windows\system32\sdkqw32.exe"
del /f /q "c:\windows\system32\sdkqw32.exe"

attrib -h -s -r "c:\windows\system32\sdkxu.exe"
del /f /q "c:\windows\system32\sdkxu.exe"

attrib -h -s -r "c:\windows\system32\sysgr.exe"
del /f /q "c:\windows\system32\sysgr.exe"

attrib -h -s -r "c:\windows\system32\windows.scr"
del /f /q "c:\windows\system32\windows.scr"


sc stop WinSvchostManager
sc delete WinSvchostManager

attrib -h -s -r /s "C:\WinSvcHostmanager*.*"
del /f /q /s "C:\WinSvcHostmanager*.*"

sc stop ntndis
sc delete ntndis

attrib -h -s -r /s C:\ntndis.*
del /f /q /s C:\ntndis.*

sc stop u_lehj
sc delete u_lehj

attrib -h -s -r /s "c:\u_lehj32*.*"
del /f /q /s "c:\u_lehj32*.*"

net stop Legacy_SECURITY
attrib -h -s -r /s "c:\Legacy_SECURITY*.*"
del /f /q /s "c:\Legacy_SECURITY*.*"

sc stop Service_SECURITY
sc delete Service_SECURITY

attrib -h -s -r /s "c:\Service_SECURITY*.*"
del /f /q /s "c:\Service_SECURITY*.*"

attrib -h -s -r /s c:\svcprs32.exe
del /f /q /s c:\svcprs32.exe

attrib -h -s -r /s c:\wmdrtc32.dll
del /f /q /s c:\wmdrtc32.dll

attrib -h -s -r "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
del /f /q "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"

attrib -h -s -r "C:\WINDOWS\system32\mdmcls32.exe"
del /f /q "C:\WINDOWS\system32\mdmcls32.exe"

attrib -h -s -r /s c:\ebkp*.*
del /f /q  /s c:\ebkp*.*

:: AV2009
attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"

del /f /q "%UserProfile%\Desktop\Antivirus 2009.lnk"
del /f /q  "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
del /f /q "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
del /f /q "%UserProfile%\Start Menu\Antivirus 2009\*.*"

rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"
attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
rd /s/q "c:\Program Files\Antivirus 2009"

reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "75319611769193918898704537500611" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "ieupdate" /f
echo Finished AV2008-9

:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile
exit
exit

This should run and exit!

It is a coverall and you may see a few errors related to it addressing something you do not need. This is normal; ignore them.

When the above has finished, continue below.

Run both MBAM and SAS again (Quick scan), as they had found/removed items and could find more. We need a clean log.

Post both new logs and a new HJT log.

Mike
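As an added check, not from the thread or any of the tools it names: a small Python audit that parses captured `assoc` and `ftype` output and flags any shell association that differs from the known-good values the ftype/assoc lines in Mike's script put back, which is the kind of hijack that leaves double clicking an installer doing nothing. The sample output is constructed; `secfile`, `hijack.exe` and its path are placeholders.

```python
"""Audit shell associations against the known-good values the thread's fix
script restores (added example, not from the thread or its tools)."""
# Known-good values taken from the thread's ftype/assoc lines.
GOOD_ASSOCS = {".exe": "exefile", ".bat": "batfile", ".cmd": "cmdfile", ".reg": "regfile"}
GOOD_FTYPES = {"exefile": '"%1" %*', "batfile": '"%1" %*', "cmdfile": '"%1" %*',
               "regfile": '"regedit.exe" "%1"'}

# Constructed sample `assoc` / `ftype` output (not captured from the poster's PC);
# `secfile` and `hijack.exe` are placeholder names for a hijacked handler.
SAMPLE_ASSOC = """\
.bat=batfile
.cmd=cmdfile
.exe=secfile
.reg=regfile
"""
SAMPLE_FTYPE = r"""
batfile="%1" %*
cmdfile="%1" %*
exefile="C:\Documents and Settings\pat\Application Data\hijack.exe" "%1" %*
regfile=regedit.exe "%1"
"""

def parse_kv(output):
    """Parse NAME=VALUE lines as printed by `assoc` and `ftype`, keys lowercased."""
    result = {}
    for line in output.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep:
            result[name.strip().lower()] = value.strip()
    return result

def normalise(command):
    """Drop quotes, extra spaces and case so quoted and unquoted regedit.exe match."""
    return " ".join(command.replace('"', "").split()).lower()

def audit(assoc_output, ftype_output):
    """Return (kind, key, observed, expected) for each association that deviates."""
    assocs, ftypes = parse_kv(assoc_output), parse_kv(ftype_output)
    findings = []
    for ext, expected in GOOD_ASSOCS.items():
        observed = assocs.get(ext)
        if observed is None or observed.lower() != expected:
            findings.append(("assoc", ext, observed, expected))
    for handler, expected in GOOD_FTYPES.items():
        observed = ftypes.get(handler)
        if observed is None or normalise(observed) != normalise(expected):
            findings.append(("ftype", handler, observed, expected))
    return findings
```

Capture `assoc > assoc.txt` and `ftype > ftype.txt` on the affected PC and pass the two texts to `audit`; every entry it returns is one the script's ftype/assoc lines would have reset.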
 
OK, the above post is too big for me to add to it, so this is the continuation.

After the copy/paste above completes, reboot again to Safe Mode with Networking and now try Fixer again, beginning with Daft! It will look similar but will do more!

Mike
 
OK, let's take another shot.

Please do not skip steps, and do them in the order presented below. It is CRITICAL that you boot to Safe Mode with Networking and do not allow normal mode until directed at the bottom of this post!

Download the file below:

http://www.adrive.com/public/f678dd54d3ceed310ff637f01b529f0bc04391dcdf90140488ebfda62189f1c8.html

Then boot to Safe Mode with Networking.

Execute it. It will make a ZIPS folder. Enter the folder and double click RepairAssoc.reg; approve it to run.

When it finishes, run RatsCheddar and enable all.

Without doing anything else, close everything and reboot again to Safe Mode with Networking (do not allow a normal boot) before moving on to the below.

1. Try Daft again! Whether or not it works, continue below.

2. Download MBAM, which uses a different name: http://malwarebytes.gt500.org/mbam-rules.exe
Try to install it; if it installs, try to update. Whether it will update or not, if it will run, then run it, select and clean all found, and post its log.

Then run it again to confirm it now finds nothing, and post this log also. If it finds more, then run it yet again and post this log.

3. Download SAS, which uses a different name: http://downloads.superantispyware.com/downloads/SAS_FREE.EXE
Try to install it; if it installs, try to update. Whether it will update or not, if it will run, then run it, select and clean all found, and post its log.

Then run it again to confirm it now finds nothing, and post this log also. If it finds more, then run it yet again and post this log.

If these run, then boot back to normal mode, go to the 8 Steps and do the CCleaner (clean temps and registry twice or more until no more are found).

Then post a HJT log!

Mike
 
Things have gone from bad to worse. Now I get to select a user in Safe Mode with Networking, pick Administrator, it tries to log on and automatically logs me off, back to select user again.
 
Normal mode does the same thing. I get to user selection, select Admin, it attempts to log on, says it is logging off and returns to select users again.
 
OK, you have a nasty one.

Boot to the Advanced Boot menu (where you boot Safe Mode) and choose Last Known Good.

If you get on, run the steps in Post 8 immediately!

Do you have your Windows install CD?

Mike
 
OK Pat, do not do anything drastic like a format before consulting with me. We will get this.

Do you feel you can make a UBCD4Win CD? http://ubcd4win.com/

Do you have a DVD burner on the pc you are now using?

Mike
 
Ok I hope all is going well building the CD!

While I have time, here are the steps for after you can boot the UBCD4Win.

Once at the desktop, click Start-Programs-Registry Tools-Registry Restore Wizard.

It will display a window asking you to specify your Windows. C:\WINDOWS should be selected, so click Next.

The next window will have a dot (selected) on "Fix the system registry to that of a previous state"; click Next.

NOTE: If you had System Restore off or SR had issues, then we will need to do something else!

It will show you restore points by date. You need to choose one that is a day or two before you had these problems.

Complete the process and reboot. When back up, jump directly to the 8 Steps, run MBAM and SAS, clean, and post logs!

Mike
 
I have built the CD and booted the UBCD4Win. I am working on the next steps.

Tried to use the Registry Restore Wizard. There are no restore points to select.
 
Now is a good time to back up using the UBCD4Win CD.
I believe that disc has a virus scanner as well (somewhere in the Programs menu); are you able to scan for viruses on your main drive?

Also try running a CheckDisk as well (after backing up).

If all options fail to help, then back up and re-install clean.
The UBCD4Win link I posted (just above) will help you in that process.
 
OK, typical! When you really need it, SR is not there for you most times!

So since you only have a factory recovery CD, you cannot do a proper repair install.

So do this.

Make sure you enable the network when you first boot up.

Start-Programs-AntiSpyware tools; update and run all but EZPCfix.

Then do the same with the Anti-Virus tools. Update and do all of these and hope they clean enough to let you boot normally.

Mike
 
I am in the middle of trying to run all of the antispyware tools but can't select/run some due to the default monitor resolution provided. I cannot change from the default monitor; no higher resolution can be picked. Any help?
 
Pat, run all of the virus and malware scanners that you can and try to boot normally.

We may still have some work to do if you can do that.

How many have you gotten through?

And are you trying to boot normally between these cleanings?

Mike
 
I haven't tried to boot normally yet. I've just finished all of the spyware scans I can perform from the boot CD and was going to head to the antivirus scans. Should I try a normal boot before the antivirus scans?
 
Tried the normal boot; I get to the list of users, select any of the users, it tries to log in and logs out immediately without opening Windows. Maybe a critical Windows file was nicked somewhere during the process?
 