Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Packed.win32.Morp...

  1. #1
    hoyt Guest

    Default Packed.win32.Morp...

    Can someone please help me get rid of this nasty????
    ZA says it's there and that it will delete on re-boot, but when I click dome I get an error...
    Thanks,

    Operating System:Windows XP Home Edition
    Product Name:ZoneAlarm Pro

  2. #2
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Packed.win32.Morp...

    Where is the file located? You have tried a scan in the safe mode? Tried other scanners such as superantispyware (freeware version) or a squared free or ewido (online scan, and free)?

    Oldsod
    Best regards.
    oldsod

  3. #3
    hoyt Guest

    Default Re: Packed.win32.Morp...

    ZA scan results, which come up every time I turn on the computer says:Packed.win32.Morp...C:\WINDOWS\system 32\unblh/dllAfter a while more show up, a few more Packed. win32 ones, different dll files but same system folderAlso a couple Trojan.win32.delf.cj ones in the same folder alsoThe first one always says delete on reboot and I always get a red ERROR when I click done.
    All the others that show up get Quarantined and no error shows up for them.
    Yes, I tried a scan in safe mode, nothing.
    I tried SpybotSD14, nothing.
    I tried to online scan with Trend Housecall, it locked up and wouldn't finish.
    I had hoped to find a patch or something to get rid of this bug, but haven't had any luck.
    I'm not exactly a computer guru, so my knowledge is limited.
    I also hoped that ZA would get onboard with a fix for this one and after a scan I could delete it.
    Unfortunately that hasn't happened either.
    A while back, when you could actually email ZA support for help, I did so and the person was awesome and fixed me right up completley.
    It looks like the email for help option has since been removed...
    Thank you very much for the help, it is greatly appreciated...:8}

  4. #4
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Packed.win32.Morp...

    unblh/dll is not read - is this what the scanner shows or just a typo?

    First do this>

    to enable the viewing of Hidden files follow these steps:
    Close all programs so that you are at your desktop.
    Double-click on the My Computer icon.
    Select the Tools menu and click Folder Options.
    After the new window appears select the View tab.
    Put a checkmark in the checkbox labeled Display the contents of system folders.
    Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
    Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
    Remove the checkmark from the checkbox labeled Hide protected operating system files.
    Press the Apply button and then the OK button and shutdown My Computer.
    Now your computer is configured to show all hidden files.

    (quoted from)

    http://www.bleepingcomputer.com/tuto...utorial62.html




    Open the system32 folder of the WINDOWS folder do the search (with all options enabled) for the item or just look manually. Right click it and open the Properties.Dates. tims, vendor, version, and other information is available. Other than time and dates, these can be googled- including the correct name of the dll. Specifically google it using the correct dll name and liutilities.com, and the correct dll name and neuber.com, and the correct dll name and processlibrary.com.

    If the item is declared rogue, then delete it.

    Googling the trojan/malware found with "remove" often yields removal instructions. Often the AV vendors such as CA or Symantec have complete removal instructions for many infections.

    NOW DO THIS>

    Run freeware CCleaner after (clean all files and uncheck the 48hr limit), download from here>

    http://www.majorgeeks.com/CCleaner_S...ish_d4191.html


    Use the IE for these free online scans (they use Active X) and turn off the antivirus of the PC off for these scans. Be sure to either Allow all web content from the secuirty sites involved or disable the Privacy completely. The resident antivirus MUST BE DISABLED for the online scanner installs and scan/removal or they do not work.


    http://www.bitdefender.com/scan8/ie.html

    http://www.ewido.net/en/onlinescan/


    These detect and remove (for free).

    Download, install and update then run these freeware scanners>

    http://www.emsisoft.com/en/software/free/

    http://www.lavasoftusa.com/products/...e_personal.php

    http://www.superantispyware.com/


    After running the online scans, the downloaded applications scans and the first run after using the removal utility, run the CCleaner again.

    Cheers.

    Oldsod

    Message Edited by Oldsod on 05-18-2007 11:45 PM
    Best regards.
    oldsod

  5. #5
    hoyt Guest

    Default Re: Packed.win32.Morp...

    Oops, sorry it's unblh.dll
    Well, I did as you said.
    I followed your instructions to the T and my system was apparently full of junk.
    Each scan found new stuff to remove.

    **bleep** was actually the only one that found the Packed.win32.Morp...

    Unfortunately, it couldn't do anything with it.
    It tried to repair, failed.
    Tried to delete, failed.

    It is still there, same as always, every time I turn on the computer I get the same ZA message.
    Every time I click on the apply button I get ERROR.....
    It's too bad that ZA can only find the thing and not delete it.

    I'm open for suggestions???
    Thank you again,


  6. #6
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Packed.win32.Morp...

    okay, time for some work.

    First locate where this dll is placed in the PC. The scanners should have listed a location.

    Second, open the Search and select all files and folder, then in the first bar enter the unblh.dll, then in the more advanced options check all items listed and then begin the search. The locations should match.

    Locate the item in the Explorer and right click it, open the properties, and see about the date/time vendor and version. I have searched the web for unblh.dll and came up with no results. The information could be valuable.

    If the file is located in system information, it is lodged in the system restore.

    Third download the Dellater (freeware) from diamondcs>

    http://www.diamondcs.com.au/index.php?page=dellater


    Disable the system restore, if the file is located in the system information and then scan again in the safe mode. The scanner should be able to clean the system restore once it is turned off.

    If the file is not in the system restore, then use the dekkater tool to remove. In other words, no scanner is being used to remove the malware, you are going to do it yourself instead.

    It requires the file name and probably the location and the PC must be restarted again. The dellater tool may be able to remove this file in the boot time.

    Then rescan again.

    Oldsod

    Message Edited by Oldsod on 05-20-2007 03:15 AM
    Best regards.
    oldsod

  7. #7
    hoyt Guest

    Default Re: Packed.win32.Morp...

    Oldsod,Okay, I downloaded dellater from the website you gave me.
    I un-zipped it and clicked on the file.
    It says in the pop-up box, usage: dellater.exe<filename>
    I'm a bit lost, I was actually expecting something to run.
    I know where the file is located, it's in the system32 folder.
    There are two dll's with this unblh extension.
    One is (unblh.dll) and the other is (unblh.dll.bak)They both are protected in some way that won't let me delete them.
    The properties only say "unknown file type"
    dellater sounds like it will help me delete these files, but I'm not sure how to run it.

    Thanks for your help, :8}

  8. #8
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Packed.win32.Morp...

    First , move/copy the dellater.exe to windows\system32 folder.

    Second,
    Click Start of the taskbar and open the Run, then type dellater.exe +path to file

    example

    dellater.exe c:\windows\system32\unblh.dll)


    then press enter. Now reboot.

    Do the same for the second file.

    Yes it does not seem that straight forward to people who do not know the trick.

    Oldsod
    Best regards.
    oldsod

  9. #9
    hoyt Guest

    Default Re: Packed.win32.Morp...

    Unable to mark this file for deletion.
    That's the popup message I get.

    Persistent little bug this one is!!!
    I'm going to re-boot anyway I guess....We'll see...
    Thanks,

  10. #10
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Packed.win32.Morp...

    Do two things.

    Download Killbox..

    http://www.downloads.subratam.org/KillBox.exe

    Double-click Killbox.exe to run it.
    Then Select: "Delete on Reboot"
    then click on the All Files button.
    Then type in the c:wiomdows\system32\unblh.dll

    Click the red-and-white Delete File button. Click Yes at the Delete on Reboot. Click OK at PendingFileRenameOperations. Reboot.

    Do the same for the unblh.dll.bak



    Download HJT or Hijack This..

    http://www.majorgeeks.com/download3155.html

    Run it. And do not delete or remove anything at all.

    Just let it make a "system scan and save" for a hijackthis.log. Then open the config and the Misc Tools and check both next to the generate startup log and this will make a startuplist.txt.

    Now go to castlecops.com and registrer as a member. Now go to the HJT Forum and post the HJT log and the Startuplist text. I do suspect there is more involved than just these two items. The experts there will efficently and effectively clean your PC. They may even want you to use more tools and the advice tbey give is excellent!

    http://www.castlecops.com/f67-Hijack...ans_Oh_My.html

    Oldsod

    Message Edited by Oldsod on 05-20-2007 09:22 PM
    Best regards.
    oldsod

Page 1 of 2 12 LastLast

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •