TechSpot

Win32:vndrop virus

By patdi_1
Apr 3, 2009
  1. I found a virus on one of my PCs when avast was running a full scan. The win32:vndrop virus was detected and removed and was associated with mousehook.dll. Once Windows fully loaded, the virus was reloaded, changing the background to say I have a virus, and an icon in the lower right hand corner showed up also noting a virus, with a link to a website. I started with the standard 8 step procedure (http://www.techspot.com/vb/topic58138.html), but got stuck and could not load Malwarebytes' Anti-Malware. I am running Windows XP Home SP3.
     
  2. Spyder_1386

    Spyder_1386 TS Rookie Posts: 498

    hi patdi_1

    Why could you not load Malwarebytes? Did it give you an error message of some sort? Did your screen freeze up? Any other information you might have could be helpful.

    Spyder_1386 :)
     
  3. mflynn

    mflynn TS Rookie Posts: 2,655

    Go here and download to Desktop: http://www.adrive.com/public/97c4357781f45c7e443061094b8cfaff3836f57446eb242ab2ee0b6cd68a0107.html

    Double click Fixer.exe to run it. This will extract a Fixer folder to the desktop.

    Now, before running it, boot to Safe Mode Networking.

    Then Dbl Clk to enter the Fixer folder.

    To run it 1st double click Daft, then click scan and check any found items and click fix and then exit.

    Next dbl click Fixit.cmd to run it.

    When it completes try again to install MBAM and SAS and HJT and post logs for Spyder to continue!

    Mike
     
  4. patdi_1

    patdi_1 TS Rookie Topic Starter Posts: 36

    Loaded fixer folder to PC. In Safe Network mode, I opened the folder and double clicked daft and got no response, nothing ran. This is the same for Malwarebytes' Anti-Malware install, double clicking on setup does nothing with no message. Tried download of fixer file in Safe Network mode with same results of no execution.
     
  5. mflynn

    mflynn TS Rookie Posts: 2,655

    Left-drag the mouse and copy all the text in the box below for pasting. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.

    Then paste it into the black screen of an open command prompt. All may not apply, so ignore errors.

    Code:
    @echo off
    cd\
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    
    sc stop TDSSserv.sys
    sc delete TDSSserv.sys
    
    sc stop Service_TDSSserv.sys
    sc delete Service_TDSSserv.sys
    
    sc stop Legacy_TDSSSERV.SYS
    sc delete Legacy_TDSSSERV.SYS
    
    Attrib -h -s -r /s c:\tdss*.*
    del /f /q /s c:\tdss*.*
    
    Attrib -h -s -r /s "c:\Legacy_*.*"
    del /f /q /s tdss*.* "c:\Legacy_*.*"
    
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
    
    attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
    del /f /q c:\WINDOWS\system32\ieupdates.exe
    
    attrib -h -s -r c:\WINDOWS\system32\scui.cpl
    del /f /q c:\WINDOWS\system32\scui.cpl
    
    attrib -h -s -r c:\WINDOWS\system32\winsrc.dll
    del /f /q c:\WINDOWS\system32\winsrc.dll
    
    attrib -h -s -r /s c:\xwdxqu.txt
    del /f /q /s c:\xwdxqu.txt
    
    attrib -h -s -r c:\windows\x
    del /f /q c:\windows\x
    
    attrib -h -s -r /s "c:\SxsCaPendDel*.*"
    del /f /q /s "c:\SxsCaPendDel*.*"
    
    attrib -h -s -r /s c:\h3s.sys
    del /f /q /s c:\qh3s.sys
    
    attrib -h -s -r /s c:\jsdpp32.sys
    del /f /q /s c:\jsdpp32.sys
    
    attrib -h -s -r /s c:\oxauau96.sys
    del /f /q /s c:\oxauau96.sys
    
    reg delete HKLM\SOFTWARE\swearware /f
    reg delete HKCU\Software\Wget /f
    reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f
    
    sc stop gaopdxserv.sys
    sc delete gaopdxserv.sys
    
    attrib -h -s -r /s c:\gaopdx*.*
    del /f /q /s c:\gaopdx*.*
    
    reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
    reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f
    
    sc stop Service_UACd.sys
    sc delete Service_UACd.sys
    attrib -h -s -r /s "c:\Service_UACd*.*"
    del /f /q /s "c:\Service_UACd*.*"
    
    attrib -h -s -r "c:\program files\Common Files\System\Uninstall*.*"
    del /f /q "c:\program files\Common Files\System\Uninstall*.*"
    rd /s /q "c:\program files\Common Files\System\Uninstall"
    
    attrib -h -s -r /s "c:\PlayMP3z*.*"
    del /f /q /s  "c:\PlayMP3z*.*"
    rd /s /q "c:\program files\PlayMP3z"
    
    sc stop UACkdqxyyms.sys
    sc delete UACkdqxyyms.sys
    
    attrib -h -s -r /s "c:\UAC????????.sys"
    del /f /q /s "c:\UAC????????.sys"
    
    attrib -h -s -r /s "c:\uacinit.dll"
    del /f /q /s "c:\uacinit.dll"
    
    attrib -h -s -r "c:\documents and settings\NetworkService\Application Data\.rdr.ini"
    del /f /q "c:\documents and settings\NetworkService\Application Data\.rdr.ini"
    
    attrib -h -s -r "c:\documents and settings\NetworkService\Application Data\install.dat"
    del /f /q "c:\documents and settings\NetworkService\Application Data\install.dat"
    
    attrib -h -s -r "c:\windows\system32\f06WtR"
    del /f /q "c:\windows\system32\f06WtR"
    
    attrib -h -s -r c:\windows\system32\ntnet.drv
    del /f /q c:\windows\system32\ntnet.drv
    
    attrib -h -s -r "c:\windows\system32\W70MLRES.DLL"
    del /f /q "c:\windows\system32\W70MLRES.DLL"
    
    attrib -h -s -r "c:\windows\system32\dumphive.exe"
    del /f /q "c:\windows\system32\dumphive.exe"
    
    attrib -h -s -r "c:\windows\system32\IEDFix.exe"
    del /f /q "c:\windows\system32\IEDFix.exe"
    
    attrib -h -s -r "c:\windows\system32\Process.exe"
    del /f /q "c:\windows\system32\Process.exe"
    
    attrib -h -s -r "c:\windows\system32\SrchSTS.exe"
    del /f /q "c:\windows\system32\SrchSTS.exe"
    
    attrib -h -s -r "c:\windows\system32\VACFix.exe"
    del /f /q "c:\windows\system32\VACFix.exe"
    
    attrib -h -s -r "c:\windows\system32\VCCLSID.exe"
    del /f /q "c:\windows\system32\VCCLSID.exe"
    
    attrib -h -s -r "c:\windows\system32\WS2Fix.exe"
    del /f /q "c:\windows\system32\WS2Fix.exe"
    
    attrib -h -s -r "c:\windows\patch.exe"
    del /f /q "c:\windows\patch.exe"
    
    attrib -h -s -r "c:\windows\Readme.txt"
    del /f /q "c:\windows\Readme.txt"
    
    attrib -h -s -r "c:\windows\system32\apiri32.dll"
    del /f /q "c:\windows\system32\apiri32.dll"
    
    attrib -h -s -r "c:\windows\system32\crrh32.exe"
    del /f /q "c:\windows\system32\crrh32.exe"
    
    attrib -h -s -r "c:\windows\system32\d3im32.exe"
    del /f /q "c:\windows\system32\d3im32.exe"
    
    attrib -h -s -r "c:\windows\system32\deuau.dll"
    del /f /q "c:\windows\system32\deuau.dll"
    
    attrib -h -s -r "c:\windows\system32\fsszd.dll"
    del /f /q "c:\windows\system32\fsszd.dll"
    
    attrib -h -s -r "c:\windows\system32\iecw.exe"
    del /f /q "c:\windows\system32\iecw.exe"
    
    attrib -h -s -r "c:\windows\system32\ievd32.dll"
    del /f /q "c:\windows\system32\ievd32.dll"
    
    attrib -h -s -r "c:\windows\system32\iezj.exe"
    del /f /q "c:\windows\system32\iezj.exe"
    
    attrib -h -s -r "c:\windows\system32\ipiz.exe"
    del /f /q "c:\windows\system32\ipiz.exe"
    
    attrib -h -s -r "c:\windows\system32\javach.exe"
    del /f /q "c:\windows\system32\javach.exe"
    
    attrib -h -s -r "c:\windows\system32\jzimv.dll"
    del /f /q "c:\windows\system32\jzimv.dll"
    
    attrib -h -s -r "c:\windows\system32\klieq.dll"
    del /f /q "c:\windows\system32\klieq.dll"
    
    attrib -h -s -r "c:\windows\system32\mfcib32.exe"
    del /f /q "c:\windows\system32\mfcib32.exe"
    
    attrib -h -s -r "c:\windows\system32\nths.dll"
    del /f /q "c:\windows\system32\nths.dll"
    
    attrib -h -s -r "c:\windows\system32\ntzy32.exe"
    del /f /q "c:\windows\system32\ntzy32.exe"
    
    attrib -h -s -r "c:\windows\system32\sdkhq.exe"
    del /f /q "c:\windows\system32\sdkhq.exe"
    
    attrib -h -s -r "c:\windows\system32\sdkqw32.exe"
    del /f /q "c:\windows\system32\sdkqw32.exe"
    
    attrib -h -s -r "c:\windows\system32\sdkxu.exe"
    del /f /q "c:\windows\system32\sdkxu.exe"
    
    attrib -h -s -r "c:\windows\system32\sysgr.exe"
    del /f /q "c:\windows\system32\sysgr.exe"
    
    attrib -h -s -r "c:\windows\system32\windows.scr"
    del /f /q "c:\windows\system32\windows.scr"
    
    
    sc stop WinSvchostManager
    sc delete WinSvchostManager
    
    attrib -h -s -r /s "C:\WinSvcHostmanager*.*"
    del /f /q /s "C:\WinSvcHostmanager*.*"
    
    sc stop ntndis
    sc delete ntndis
    
    attrib -h -s -r /s C:\ntndis.*
    del /f /q /s C:\ntndis.*
    
    sc stop u_lehj
    sc delete u_lehj
    
    attrib -h -s -r /s "c:\u_lehj32*.*"
    del /f /q /s "c:\u_lehj32*.*"
    
    net stop Legacy_SECURITY
    attrib -h -s -r /s "c:\Legacy_SECURITY*.*"
    del /f /q /s "c:\Legacy_SECURITY*.*"
    
    sc stop Service_SECURITY
    sc delete Service_SECURITY
    
    attrib -h -s -r /s "c:\Service_SECURITY*.*"
    del /f /q /s "c:\Service_SECURITY*.*"
    
    attrib -h -s -r /s c:\svcprs32.exe
    del /f /q /s c:\svcprs32.exe
    
    attrib -h -s -r /s c:\wmdrtc32.dll
    del /f /q /s c:\wmdrtc32.dll
    
    attrib -h -s -r "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
    del /f /q "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
    
    attrib -h -s -r "C:\WINDOWS\system32\mdmcls32.exe"
    del /f /q "C:\WINDOWS\system32\mdmcls32.exe"
    
    attrib -h -s -r /s c:\ebkp*.*
    del /f /q  /s c:\ebkp*.*
    
    :: AV2009
    attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
    attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"
    
    del /f /q "%UserProfile%\Desktop\Antivirus 2009.lnk"
    del /f /q  "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
    del /f /q "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
    del /f /q "%UserProfile%\Start Menu\Antivirus 2009\*.*"
    
    rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"
    attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
    rd /s/q "c:\Program Files\Antivirus 2009"
    
    reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
    reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "75319611769193918898704537500611" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "ieupdate" /f
    echo Finished AV2008-9
    
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    exit
    exit
    This should run and exit!

    It is a coverall and you may see a few errors related to it addressing something you do not need. This is normal; ignore them.

    When the above is finished, continue below.

    Run both MBAM and SAS again Quick scan, as they had found/removed items and could find more. We need a clean log.

    Post both new logs and a new HJT log.

    Mike
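    Before running a copy/paste block like the one above, a defender normally wants to know which of its targets are actually present on the machine. The following read-only PowerShell audit is an added example (not mflynn's script or anything posted in this thread): it checks the same file associations the script resets and looks for the service names the script deletes, reporting deviations without changing anything. It assumes PowerShell 2.0 or later and read access to HKCR and HKLM.

```powershell
# Added example, not from the thread: read-only audit of what mflynn's
# script repairs or removes. Nothing is modified; deviations are reported
# so you know which parts of the fix actually apply before running it.

# Default shell\open\command values for the types the script resets with ftype.
$expectedFtype = @{
    'exefile' = '"%1" %*'
    'batfile' = '"%1" %*'
    'cmdfile' = '"%1" %*'
    'comfile' = '"%1" %*'
    'scrfile' = '"%1" /S'
    'piffile' = '"%1" %*'
}
# Extension -> file type mappings the script resets with assoc.
$expectedAssoc = @{
    '.exe' = 'exefile'; '.bat' = 'batfile'; '.cmd' = 'cmdfile'
    '.com' = 'comfile'; '.scr' = 'scrfile'; '.pif' = 'piffile'
}
# Service names the script stops and deletes (taken from the thread's script).
$suspectServices = 'TDSSserv.sys', 'Service_TDSSserv.sys', 'gaopdxserv.sys',
                   'Service_UACd.sys', 'UACkdqxyyms.sys', 'WinSvchostManager',
                   'ntndis', 'u_lehj', 'Service_SECURITY'

$findings = @()

# An executable that "does nothing" on double-click is often an association
# hijack: the default value of HKCR\.exe or HKCR\exefile\shell\open\command
# no longer points at the file itself.
foreach ($ext in $expectedAssoc.Keys) {
    $actual = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" `
               -ErrorAction SilentlyContinue).'(default)'
    if ($actual -ne $expectedAssoc[$ext]) {
        $findings += "ASSOC   $ext -> '$actual' (expected '$($expectedAssoc[$ext])')"
    }
}
foreach ($type in $expectedFtype.Keys) {
    $key = "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command"
    $actual = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($actual -ne $expectedFtype[$type]) {
        $findings += "FTYPE   $type -> '$actual' (expected '$($expectedFtype[$type])')"
    }
}

# Report any of the rootkit service names that still have a Services key,
# together with the driver/binary they load.
foreach ($svc in $suspectServices) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $key) {
        $image = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
        $findings += "SERVICE $svc present, ImagePath='$image'"
    }
}

if ($findings.Count -eq 0) { 'No deviations found.' } else { $findings }
```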
     
  6. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, the above post is too big for me to add to it, so this is the continuation.

    After the copy/paste above completes, reboot again to Safe Mode Networking and now try Fixer again, beginning with Daft! It will look similar but will do more!

    Mike
     
  7. patdi_1

    patdi_1 TS Rookie Topic Starter Posts: 36

    Did as shown in the above thread but, sorry to say, the daft executable does not run.
     
  8. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, let's take another shot.

    Please do not skip steps and do them in the order presented below, and it is CRITICAL that you boot to Safe Mode Networking and do not allow normal mode until directed at the bottom of this post!

    Download the below file

    http://www.adrive.com/public/f678dd54d3ceed310ff637f01b529f0bc04391dcdf90140488ebfda62189f1c8.html

    Then boot to Safe Mode Networking.

    Execute it. It will make a ZIPS folder. Enter the folder and Dbl Clik the RepairAssoc.reg and approve it to run.

    When it finishes run the RatsCheddar and enable all.

    Without doing anything else, close everything and reboot again to Safe Mode Networking (do not allow normal boot) before moving on to the below.

    1. Try the Daft again! Whether or not it works, continue below.

    2. Download MBAM that uses a different name: http://malwarebytes.gt500.org/mbam-rules.exe
    Try to install; if it installs, try to update. Whether or not it will update, if it will run, then run it, select and clean all found, and post its log.

    Then run it again to confirm it now finds nothing; post this log also. If it finds more, then run it yet again and post this log.

    3. Download SAS that uses a different name: http://downloads.superantispyware.com/downloads/SAS_FREE.EXE
    Try to install; if it installs, try to update. Whether or not it will update, if it will run, then run it, select and clean all found, and post its log.

    Then run it again to confirm it now finds nothing; post this log also. If it finds more, then run it yet again and post this log.

    If these run then boot back to normal mode and go to the 8 Steps and do the CCleaner (clean temps and registry twice or more until no more found).

    Then post a HJT log!

    Mike
     
  9. patdi_1

    patdi_1 TS Rookie Topic Starter Posts: 36

    Things are going from bad to worse. Now I get to select a user in Safe Mode Networking, pick Administrator, it tries to log on and automatically logs me off back to select user again.
     
  10. mflynn

    mflynn TS Rookie Posts: 2,655

    OK then do all in normal mode!

    Mike
     
  11. patdi_1

    patdi_1 TS Rookie Topic Starter Posts: 36

    Normal mode does the same thing. I get to user selection, select Admin, it attempts to logon, says it is logging off and returns to select users again.
     
  12. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, you have a Nastie.

    Boot the Advanced Boot menu (where you boot Safe Mode) and choose Last Known Good.

    If you get on run the steps in Post 8 immediately!

    Do you have your Windows install CD?

    Mike
     
  13. patdi_1

    patdi_1 TS Rookie Topic Starter Posts: 36

    Trying from last known good was no good. I have the restore CD that came with the PC.
     
  14. mflynn

    mflynn TS Rookie Posts: 2,655

    Ok Pat, do not do anything drastic like format before consulting with me. We will get this.

    Do you feel you can make a UBCD4Win CD? http://ubcd4win.com/

    Do you have a DVD burner on the pc you are now using?

    Mike
     
  15. patdi_1

    patdi_1 TS Rookie Topic Starter Posts: 36

    Yes I can do it
     
  16. mflynn

    mflynn TS Rookie Posts: 2,655

    Ok I hope all is going well building the CD!

    While I have time here are the steps for after you can boot the UBCD4Win.

    After reaching the desktop, click Start-Programs-Registry Tools-Registry Restore Wizard.

    It will display a window asking to Specify your Windows. C:\WINDOWS should be selected, so click next.

    The next window will have a dot (selected) on "Fix the system registry to that of a previous state"; click next.

    NOTE: If you had System Restore off or SR had issues, then we will need to do something else!

    It will show you restore points by dates. You need to choose one that is a day or 2 before you had these problems.

    Complete the process and reboot. When back up, jump directly to the 8 Steps and run MBAM and SAS, clean, and post logs!

    Mike
     
  17. patdi_1

    patdi_1 TS Rookie Topic Starter Posts: 36

    I have built the CD and booted the UBCD4Win. I am working on the next steps.

    Tried to use the Registry Restore Wizard. There are no restore points to select.
     
  18. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Now is a good time to backup using the UBCD4Win CD
    I believe that disc has a Virus scanner as well, (somewhere in the programs menu) are you able to scan for Viruses on your main drive?

    Also try running a CheckDisk as well (after backing up)

    If all options fail to help, then backup and re-install clean
    The UBCD4Win link I posted (just above) will help you in that process
     
  19. mflynn

    mflynn TS Rookie Posts: 2,655

    Ok typical! When you really need it SR is not there for you most times!

    So since you only have a factory recovery CD, you can not do a proper repair install.

    So do this.

    Make sure you enable the network when you first boot up.

    Start-Programs-AntiSpyware tools and update and run all but EZPCfix.

    Then do the same with Anti-Virus tools. Update and do all of these and hope they clean enough to let you boot normally.

    Mike
     
  20. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    "SR" is probably infected anyway ;)
    Best to backup
     
  21. patdi_1

    patdi_1 TS Rookie Topic Starter Posts: 36

    I am in the middle of trying to run all of antispywares but can't select / run some due to default monitor resolution provided. I cannot change from the default monitor; no higher resolution can be picked. Any help?
     
  22. mflynn

    mflynn TS Rookie Posts: 2,655

    Pat, run all of the virus and malware scanners that you can and try to boot normally.

    We may still have some work to do if you can do that.

    How many have you gotten through?

    And are you trying to boot normally between these cleanings?

    Mike
     
  23. patdi_1

    patdi_1 TS Rookie Topic Starter Posts: 36

    I haven't tried to boot normally yet. I've just finished all of the spyware scans I can perform from the boot CD and was going to head to the antivirus scans. Should I try a normal boot before the antivirus scans?
     
  24. mflynn

    mflynn TS Rookie Posts: 2,655

    Should be OK to try a Boot!

    Mike
     
  25. patdi_1

    patdi_1 TS Rookie Topic Starter Posts: 36

    Tried the normal boot, get to the list of users, select any of the users, it tries to log in and logs out immediately without opening Windows. Maybe a critical Windows file was nicked somewhere during the process?
     
Topic Status:
Not open for further replies.
