MR - bleachlizard

Unread postby agrarianmonk » March 26th, 2006, 4:45 am

http://www.malwareremoval.com/forum/viewtop ... 0431#60431



i've identified this line as the culprit:

O20 - Winlogon Notify: winmfu32 - C:\WINCORP\SYSTEM32\winmfu32.dll

but i'm thinking there might be something else...



Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please download ewido anti-malware; it is a free version of the program.
  1. Install ewido anti-malware
  2. When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  3. Launch ewido, there should be an icon on your desktop, double-click it.
  4. The program will now open to the main screen.
  5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  6. You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  7. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

Reboot

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

In your next post, please include:

  • Ewido log
  • Panda Log
  • Fresh HJT



*Please include the entire HJT log (including the header) in your next post.
agrarianmonk
MRU Teacher Emeritus
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby LDTate » March 26th, 2006, 9:00 am

O20 - Winlogon Notify: (random DLL)

Can you tell me what infection this indicates?
LDTate
WTT Teacher
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA

Unread postby agrarianmonk » March 26th, 2006, 1:31 pm

doh,

i think they're mediatickets malware:

http://castlecops.com/o20list-167.html


running ewido would probably be enough;


but i'd still like to see a new hjt log b/c i don't see the header in the first one.
agrarianmonk
MRU Teacher Emeritus
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby LDTate » March 26th, 2006, 1:43 pm

Looks like Vundo to me, but we'll see.

Post away ;)
LDTate
WTT Teacher
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA

Unread postby agrarianmonk » March 26th, 2006, 1:50 pm

Hi LDTate,

Was hoping for a clarification before I posted.

So I can post Ewido + ask for new HJT? or just ask for a new HJT?

I did consider Vundo, but I didn't see the corresponding O2 entry, and also, the file isn't running from a random folder in the Windows directory, but directly from system32.

thanks for checking this for me :)
agrarianmonk
MRU Teacher Emeritus
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby LDTate » March 26th, 2006, 1:58 pm

So I can post Ewido + ask for new HJT? or just ask for a new HJT?
Yes ;)
LDTate
WTT Teacher
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA

Unread postby agrarianmonk » March 29th, 2006, 1:33 pm

http://www.malwareremoval.com/forum/viewtop ... 1273#61273

PS: Is there any way to rid myself of this manually? I mean, I want to do it without extra software.


Hi LDTate. I suppose we could scan w/ kaspersky and nuke everything Kaspersky finds, but using ewido is a lot easier b/c it has pattern detection right? I'm not entirely sure how to respond to a question like this from the user.
agrarianmonk
MRU Teacher Emeritus
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby LDTate » March 29th, 2006, 2:04 pm

O20 - Winlogon Notify: winmfu32 - C:\WINCORP\SYSTEM32\winmfu32.dll
That's Vundo.

To answer the victim's question:
No, we need to run some fixes that make registry changes.

Run the vundofix.
LDTate
WTT Teacher
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA

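Added example, not code from this thread or from HijackThis: a Python triage of the O20 lines in an HJT log against an assumed baseline of the Winlogon Notify subkeys that Windows XP ships with, flagging unknown handlers, missing DLLs, and DLLs loaded from outside system32. The sample log is constructed around the winmfu32 line quoted above; the baseline set and the vtuuv entry are assumptions.

```python
import re

# Winlogon Notify subkeys that ship with Windows XP (assumed baseline for this
# example; extend it with vendor handlers legitimately present on your fleet).
XP_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
               "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# HijackThis prints each Notify subkey and its DllName value as an O20 line.
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


def assess_o20(line):
    """Return (subkey, dll, reasons) for an O20 line, or None for any other line."""
    m = O20_RE.match(line.strip())
    if not m:
        return None
    name, dll = m.group("name"), m.group("path").strip()
    reasons = []
    if name.lower() not in XP_BASELINE:
        reasons.append("subkey not in the Winlogon Notify baseline")
    if dll.lower().endswith("(file missing)"):
        reasons.append("DLL named by the Notify key is missing")
    elif "\\" in dll and "\\system32\\" not in dll.lower():
        reasons.append("DLL loaded from outside system32")
    return name, dll, reasons


def triage_log(text):
    """Return the O20 entries in an HJT log that carry at least one reason."""
    hits = []
    for line in text.splitlines():
        entry = assess_o20(line)
        if entry and entry[2]:
            hits.append(entry)
    return hits


# Constructed sample log; the winmfu32 line is the one discussed in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: cscdll - C:\WINDOWS\SYSTEM32\cscdll.dll
O20 - Winlogon Notify: winmfu32 - C:\WINCORP\SYSTEM32\winmfu32.dll
O20 - Winlogon Notify: vtuuv - C:\WINDOWS\vtuuv.dll (file missing)
"""

if __name__ == "__main__":
    for name, dll, reasons in triage_log(SAMPLE_LOG):
        print(f"{name:<14} {dll}\n    " + "; ".join(reasons))
```

Note that the winmfu32 entry is flagged only because its subkey is unknown: as the thread points out, the DLL sits directly in a system32 directory, so a path heuristic alone would miss it.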
Unread postby agrarianmonk » March 29th, 2006, 2:49 pm

Okay.
agrarianmonk
MRU Teacher Emeritus
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby agrarianmonk » April 11th, 2006, 10:09 pm

dead, please archive.
agrarianmonk
MRU Teacher Emeritus
Posts: 5439
Joined: December 24th, 2005, 3:11 am