natcon, posted March 13, 2009 (ID:64172):

Even after Malwarebytes identifies and deletes the 2 registry keys, they keep reappearing.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

I have run the HijackThis tool; please see the log file below. Any help will be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:31 PM, on 3/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dpmw32.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2080131
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gcsd.k12.sc.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2080131
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by - Default User's XP Policy
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 207.232.227.246 ETV
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [sigmatelsystrayapp] stsystra.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ndps] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe
miekiemoes (Staff), posted March 14, 2009 (ID:64371):

Hi,

Did you already update MalwareBytes? Click tab "Update" and click "Check for updates".
Then post the complete log in your next reply.
natcon (Author), posted March 16, 2009 (ID:64779):

> Hi, Did you already update MalwareBytes? ...

Malwarebytes' Anti-Malware 1.34
Database version: 1826
Windows 5.1.2600 Service Pack 3

3/13/2009 11:55:51 AM
mbam-log-2009-03-13 (11-55-51).txt

Scan type: Quick Scan
Objects scanned: 89076
Time elapsed: 9 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

If I do not connect to the internet after scanning and rebooting, the quick scan returns no infected files. Shortly after rebooting, I get a notification that antivirus protection has been disabled. The next event that occurs is a notification that the desktop has been activated. A scan performed after that event shows the 1 registry data item infected. After connecting to the internet with either IE or Firefox, the 2 registry keys reappear on a scan.
miekiemoes (Staff), posted March 16, 2009 (ID:64805):

Hi,

I asked you if you already updated malwarebytes. The database version shows it's outdated.
So, please open MalwareBytes Antimalware > update tab > check for updates.
Then, after the update, perform a scan again and post the log in your next reply.
natcon (Author), posted March 17, 2009 (ID:65157):

> Hi, I asked you if you already updated malwarebytes. The database version shows it's outdated...

Sorry, I am unable to download the updates directly, so I went to the site to download the current database, and the outdated database was the only one listed.

Here is the log file:

Malwarebytes' Anti-Malware 1.34
Database version: 1853
Windows 5.1.2600 Service Pack 3

3/17/2009 12:54:39 PM
mbam-log-2009-03-17 (12-54-39).txt

Scan type: Quick Scan
Objects scanned: 90355
Time elapsed: 11 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
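Added example, not code from the thread or from Malwarebytes: a small parser for the Malwarebytes' Anti-Malware 1.x log format posted above, which compares two scans and lists the detections that were "Quarantined and deleted" once yet are back in the next log, which is exactly the recurring-key symptom the original poster describes. The embedded sample logs are abbreviated copies of the 3/13 and 3/17 logs from this thread.

```python
# Added example, not code from the thread: parse Malwarebytes' Anti-Malware 1.x
# scan logs and report detections that recur between two scans.
import re
# Detail sections are headed "<Name> Infected:" with nothing after the colon;
# the summary lines near the top ("Registry Keys Infected: 2") do not match.
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
# Detection lines: "<path> (<Family>) [-> Bad: (x) Good: (y)] -> <action>."
ITEM_RE = re.compile(
    r"^(?P<path>.+?) \((?P<family>[^()]+)\)"
    r"(?: -> Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\))?"
    r" -> (?P<action>.+)\.$"
)

def parse_mbam_log(text):
    """Return one dict per detection (path, family, action, bad, good, section)."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = SECTION_RE.match(line)
        if head:
            section = head.group("section")
            continue
        item = ITEM_RE.match(line) if section else None
        if item:
            found.append(dict(item.groupdict(), section=section))
    return found

def recurring(log_before, log_after):
    """Detections present in both logs: removed once, yet back on the next scan."""
    seen = {(d["section"], d["path"]) for d in parse_mbam_log(log_before)}
    return [d for d in parse_mbam_log(log_after) if (d["section"], d["path"]) in seen]

# Abbreviated copies of the 3/13 and 3/17 logs posted in this thread.
LOG_0313 = r"""Malwarebytes' Anti-Malware 1.34
Registry Keys Infected: 2
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully."""
LOG_0317 = r"""Malwarebytes' Anti-Malware 1.34
Registry Keys Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully."""

if __name__ == "__main__":
    for d in recurring(LOG_0313, LOG_0317):
        print("back after cleaning:", d["section"], "|", d["path"], "|", d["family"])
```

A detection that keeps coming back after a successful quarantine is the signal that something still running (or restored at reboot or on network access) is rewriting it, so the recurring list, not the per-scan count, is what to hand to the helper.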
miekiemoes (Staff), posted March 17, 2009 (ID:65163):

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
natcon (Author), posted March 18, 2009 (ID:65450):

> Hi, * Please visit this webpage for instructions for downloading and running ComboFix: ...

Because this is my work computer which runs under Novell, I was unable to directly disable the Symantec Antivirus except by stopping all of the processes associated with it.

ComboFix log file attached: log.txt
miekiemoes (Staff), posted March 18, 2009 (ID:65512):

Hi,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\system32\casujnil.dll
c:\windows\system32\gnpsxewp.dll
c:\windows\system32\mcrxsuiv.dll
c:\program files\rojgxujo.tmp

Collect::
[8]
C:\Windows\System32\drivers\82973728.sys
c:\windows\system32\vlkjywqo.dll

Driver::
82973728

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Yagryq"=-

Save this as a txtfile named CFScript. Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again.

Then, please visit this site:
http://www.bleepingcomputer.com/submit-malware.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file:
C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
natcon (Author), posted March 19, 2009 (ID:65854):

> Hi, CFScript... [...] post the contents of Combofix.txt in your next reply.

ComboFix.txt attached.
miekiemoes (Staff), posted March 19, 2009 (ID:65858):

Hi,

Navigate to and delete the following file:
c:\windows\system32\jwhqmxjv.dll

Then,
* Go to start > run and copy and paste the next command in the field:
ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
natcon (Author), posted March 19, 2009 (ID:65864):

> Hi, Let me know in your next reply how things are now.

Thank you so very much for all your time and effort helping me with this problem.

A.B.
miekiemoes (Staff), posted March 19, 2009 (ID:65865):

Glad I could help. Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
miekiemoes (Staff), posted March 23, 2009 (ID:66907):

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.