IE Exception Errors, Mirka4.exe, & umc.dll


1 reply to this topic

#1 BigBooch (Helper Trainee, 80 posts)
    Dispensing Poison To All Evil-Ware

Posted 26 June 2004 - 07:34 PM

After two weeks of clearing out a massive number of files downloaded from some extremely malicious pop-up, using McAfee, Spybot, Windows Add/Remove, and manual searches, I was still left with a file that kept regenerating itself. It caused Windows to take forever to load and then caused IE to go belly up every time I opened a desktop folder; even My Computer took 10 to 20 seconds to load its icons, while the Windows status bar in the lower right corner showed an "Unknown Zone" message instead of "My Computer". I followed the Browser Hijacking instructions at TomCoyote.com and downloaded and ran HJT, and found four registry items that I could fix without seeking expert advice, which appears to have stopped the Mirka4.exe file from reappearing for the moment. I also used Spybot to toggle off the umc.dll BHO file that was accompanying many of the IE exception error messages, as follows:

EXPLORER caused an exception eedfadeH in module UMC.DLL at 0167:03ef3db9.
Registers:
EAX=03f33dec CS=0167 EIP=03ef3db9 EFLGS=00000202
EBX=03f33a00 SS=016f ESP=0407fb84 EBP=0407fbcc
ECX=00000002 DS=016f ESI=00000000 FS=35a7
EDX=03ef3db9 ES=016f EDI=0000007d GS=2e16
Bytes at CS:EIP:
eb 3c 8b 45 fc e8 e9 fc fe ff 8b 45 08 8b 40 fc
Stack dump:
03ef3db9 03f33dec 03f33a00 00000000 0000007d 0407fbcc 0407fba0 0407fbac
03ec3af0 0407fbcc 0407fbd8 03ec3af0 0407fbcc 00000050 0000ea60 03f33aa8

My remaining problem appears to be that I have 270 *.js files and 990 *.tmp files, 62 of which I have safely deleted so far, but many of them are in the 90 to 100 MB range and some of them are actually .tmp folders which themselves contain tens of MB of executable and dll files. Some of these tmp files are hidden and appear to be Windows system folders, msdownld.tmp for example.

Is it safe to disturb or delete any of these large tmp files and/or tmp folders, and what should I do about the 270 .js files?

If You Don't Know Where You're Going,
You Can Only Be Half-Way There . . .


SWI support site. Donation link and discounted software deals, daily security-related news and much more.

#2 BigBooch (Helper Trainee, 80 posts)
    Dispensing Poison To All Evil-Ware

Posted 03 July 2004 - 09:14 PM

Update on my situation:
1) System still appears to be stable, and Spybot and AV scans are clean.
2) Still no *.hta files, but my *.js files have grown from 270 to 288.
3) Deleted most of my *.tmp files except for the ones dated yesterday or today.
4) My latest HJT scan results are as follows:

Logfile of HijackThis v1.97.7
Scan saved at 9:52:20 PM, on 7/3/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 SP1 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\PROGRAM FILES\SETI@HOME\SETI@HOME.EXE
C:\PROGRAM FILES\QUICKEN ONLINE BACKUP\OLLAUNCH.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE
C:\PROGRAM FILES\QUICKEN ONLINE BACKUP\OLSYSTRAY.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0A\WAOL.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0A\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.sma...t/7search/?hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
O1 - Hosts: 147.129.30.35 icwebmail.ithaca.edu
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRAM FILES\LYCOS\IEAGENT\CSIE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {FA040B34-FBE9-4BEF-9D85-F90BECAACA99} - C:\WINDOWS\SYSTEM\umc.dll__SpybotSDDisabled (file missing)
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: (no name) - {72A58725-2635-4725-8C53-676DFD1FEB8D} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKLM\..\Run: [Quicken Online BackupOnlineBackup] "C:\Program Files\Quicken Online Backup\OLlaunch.exe"
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RuLaunch.exe" /STARTMONITOR
O4 - Startup: Quicken Online Backup TaskBar Icon.LNK = C:\Program Files\Quicken Online Backup\OLSysTray.exe
O4 - User Startup: Quicken Online Backup TaskBar Icon.LNK = C:\Program Files\Quicken Online Backup\OLSysTray.exe
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\SYSTEM\ZPHP.DLL/MENUSEARCH.HTM
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O12 - Plugin for .hcvm: C:\PROGRA~1\INTERN~1\PLUGINS\NPAXHyp.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: Serome Web2Phone - http://www.dialpad.com/applet/vscp.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {E98B87EE-3FCB-11D3-8A62-00C0F03C3792} (FTWL Class) - http://download1.fir...WebLauncher.cab
O16 - DPF: {0C98419E-324F-11D3-9A23-00C04FF40D52} (McAfee Clinic AV Installer Control) - http://download.mcaf...an/mgavinst.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.102...etzip/RdxIE.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://aol.ea.com/do...py/iesnoopy.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.bright...bin/actxcab.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...AB?38095.330625
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: Mah Jong Garden by pogo - http://mahjong2.pogo...g-ob-assets.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

Please advise as to any further actions I should take - Thanks.


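A small triage pass over the log format above, as an added example (my own code, not HijackThis output and not anything from the forum thread). It parses HijackThis 1.97-style lines and applies a few heuristics that are my assumptions, not HijackThis logic: R0/R1 values outside a (deliberately tiny) allowlist, any O1 hosts override, O2/O3 entries marked (no file) or (file missing) or that are unnamed and load from C:\WINDOWS\SYSTEM, O8 context-menu items backed by a DLL in the system directory, and O16 ActiveX downloads served from a bare IP address. The sample input is a dozen lines copied from the posted log, with the forum's URL truncation left exactly as it appears.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis 1.97 log posted above.
# The "..." inside URLs is the forum's own truncation and is kept as-is.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.sma...t/7search/?hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: 147.129.30.35 icwebmail.ithaca.edu
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {FA040B34-FBE9-4BEF-9D85-F90BECAACA99} - C:\WINDOWS\SYSTEM\umc.dll__SpybotSDDisabled (file missing)
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\SYSTEM\ZPHP.DLL/MENUSEARCH.HTM
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.102...etzip/RdxIE.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C04D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
"""

# The rules below are my own triage heuristics (assumptions), not HijackThis logic.
KNOWN_GOOD_IE_VALUES = {"", "about:blank"}      # assumption: extend for your own site
SYSTEM_DIR = "C:\\WINDOWS\\SYSTEM\\"            # Win9x system directory
SECTION_RE = re.compile(r"^(?P<sec>R\d|O\d+) - (?P<rest>.*)$")
DOTTED_QUAD_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?!\d)")


def triage_line(line):
    """Return a list of (severity, reason) findings for one HJT log line."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return []                                # header, process list, blank line
    sec, rest = m.group("sec"), m.group("rest")
    findings = []
    if sec in ("R0", "R1"):
        # IE start/search values: anything outside the allowlist is a hijack candidate
        # (the 7search Search Bar entry in the post is the textbook case).
        value = rest.partition(" = ")[2].strip()
        if value.lower() not in KNOWN_GOOD_IE_VALUES:
            findings.append(("hijack", f"IE start/search value set to {value!r}"))
    elif sec == "O1":
        # Any hosts-file override deserves a look, even a benign-looking one.
        findings.append(("review", "hosts-file override: " + rest.partition(": ")[2]))
    elif sec in ("O2", "O3"):
        # Format is "kind: name - {CLSID} - path"; the path may be a placeholder.
        path = rest.rsplit(" - ", 1)[-1]
        if "(no file)" in path or "(file missing)" in path:
            findings.append(("orphan", "entry whose file is gone; fixing it only removes the dangling key"))
        elif "(no name)" in rest and path.upper().startswith(SYSTEM_DIR):
            findings.append(("suspect", f"unnamed BHO/toolbar loading from the system directory: {path}"))
    elif sec == "O8":
        # Context-menu items are HTML resources inside a DLL; one dropped straight
        # into the system directory (with a misspelled label) is a classic adware sign.
        if SYSTEM_DIR.lower() in rest.lower():
            findings.append(("suspect", "context-menu item backed by a DLL in the system directory"))
    elif sec == "O16":
        # Downloaded Program Files (ActiveX): a bare-IP origin is a red flag. Only the
        # leading dotted quad is checked because the forum truncated the hostnames.
        url = rest.rsplit(" - ", 1)[-1]
        host = urlparse(url).hostname or ""
        if DOTTED_QUAD_RE.match(host):
            findings.append(("suspect", f"ActiveX control downloaded from a bare IP address ({host})"))
    return findings


def triage_log(text):
    """Run triage over a whole log; returns [(section, severity, reason, line), ...]."""
    report = []
    for raw in text.splitlines():
        line = raw.strip()
        for severity, reason in triage_line(line):
            report.append((line.split(" - ", 1)[0], severity, reason, line))
    return report


if __name__ == "__main__":
    for sec, sev, reason, _ in triage_log(SAMPLE_LOG):
        print(f"[{sev:7}] {sec}: {reason}")
```

On the sample above this flags seven lines: the 7search Search Bar value, the hosts override, the three entries whose files are gone, the ZPHP.DLL context-menu item and the RdxIE control fetched from a bare IP; SDHELPER.DLL, the AOL toolbar and the iPIX control pass. The umc.dll line lands in the orphan class because its path carries Spybot's __SpybotSDDisabled suffix, which is what makes HijackThis report the file as missing; had the original path still been present, the same unnamed-BHO-in-the-system-directory rule would have flagged it as suspect.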
