Jump to content


Multiple problems "zdubg"

  • This topic is locked This topic is locked
3 replies to this topic

#1 JhonnyBench



  • Full Member
  • Pip
  • 5 posts

Posted 02 July 2004 - 07:22 AM

I have followed the "How to Remove...." from these boards including running SpyBot, Norton CE, AdAware etc.

All of the 6 programs I've run have detected multiple viruses, trojans, and spyware on my system and tell me that they have been removed. However, I have SpyBot running resisdent, anytime I use an executable file for any program it detects several (up to 6) attempts to write more malware entries to my resgistry. I used HJT to remove several obviously bad entries in the registry and they are still there, they just keep coming back.

I even went so far as to shut off system restore and manually delete registry entries that I knew were bad, but on startup they just come back. Some of the recurring and persistent file names it keeps trying to put there contain "zdubg" and "apich.exe"

AdAware detects CWS hijackers but CWShredder does not find them.

As stated before, anytime any program (including IE Explorer) is run there are multiple attempts to edit the registry by some unknown entity.

My IE explorer hompage is hijacked taking me to some site with "zdubg" in the URL. This is accompanied by a pop up that never loads and has "php" in the URL. I can not load any other web page effectively cutting me off from the internet at home.

Somehow it appears that a malware program is installing new trojans/spyware at will.

Any help would be appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 7:27:24 AM, on 7/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Protection Programs\SpyBot\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Protection Programs\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zdugb.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JOEMOO~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JOEMOO~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JOEMOO~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JOEMOO~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {7C515B49-818B-CFF6-A2BF-BB7DD6353EB9} - C:\WINDOWS\system32\mfcrg.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [winar32.exe] C:\WINDOWS\system32\winar32.exe
O4 - HKLM\..\Run: [SpyBlocs] C:\PROGRA~1\SpyBlocs\SpyBlocs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Protection Programs\SpyBot\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

This is one of the ones I see frequently as well:
But everytime I delete from the registry it just comes back as well.

Edited by JhonnyBench, 02 July 2004 - 07:36 AM.

#2 Daemon


    Security Expert

  • Retired Staff
  • PipPipPipPipPip
  • 3,350 posts

Posted 02 July 2004 - 02:55 PM

Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

Click here or here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.
Posted Image

#3 JhonnyBench



  • Full Member
  • Pip
  • 5 posts

Posted 04 July 2004 - 10:46 AM

Problem resolved. What a major PITA! Be aware guys that you may have multiple issues. For example I successfully removed the res// jacker but also had the about:blank one and a few others.

Follow all the suggestions in the stickied topics regarding your problem. This site ROCKS, thanks for all your help! I AM FREE!

#4 Daemon


    Security Expert

  • Retired Staff
  • PipPipPipPipPip
  • 3,350 posts

Posted 04 July 2004 - 12:43 PM

Glad we could help :D

To help keep you clean follow the recommendations in Tony's article here:

So how did I get infected in the first place?

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of

Support SpywareInfo Forum - click the button
PayPal - The safer, easier way to pay online!