procoach Posted May 5, 2008 ID:17674 Share Posted May 5, 2008 I was experiencing a large number of pop-ups when I run IE, some of the sites appearing werehttp://winanonymous.comwww.ZABASEARCH.comSeaDream Yacht ClubAfer a period of time I also got a window:MICROSOFT Visual C++ Runtime LibraryBuffer overrun detected!Program: C:\WINDOWS\Explorer.EXEAdaware Pro didn't find anything, neither did McAfee, Rogue Remover, AVG Anti-Spyware. However Spybot Search & Destroy found 11 instances of the Virtumondo trojan. I removed them and rebooted but now it keeps opening a windowError loading C:\WINDOWS\system32\kdxfural.dllThe specified module could not be foundI have found a reference in the registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe "C:\WINDOWS\system32\kdxfural.dll",bbut I haven't touched it as my knowledge of the registry is non existentMBAM found a coupleof things so I've deleted and rescanned. The new log is below, as are the PandaActive Scan and HiJack This logsMBAM LOGMalwarebytes' Anti-Malware 1.11Database version: 710Scan type: Full Scan (C:\|)Objects scanned: 185414Time elapsed: 5 hour(s), 4 minute(s), 38 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)PandaActive Scan ;***********************************************************************************************************************************************************************************ANALYSIS: 2008-05-05 19:39:11PROTECTIONS: 1MALWARE: 12SUSPECTS: 0;***********************************************************************************************************************************************************************************PROTECTIONSDescription Version Active Updated;===================================================================================================================================================================================McAfee VirusScan Yes Yes;===================================================================================================================================================================================MALWAREId Description Type Active Severity Disinfectable Disinfected Location;===================================================================================================================================================================================00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\Mark Drummond\Desktop\VirtumundoBeGone.exe[ Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted May 5, 2008 Root Admin ID:17676 Share Posted May 5, 2008 Please run HiJackThis and do a scan only and place a check mark on these itemsO2 - BHO: (no name) - {893A1889-B5B3-4B94-A0BB-E2C3ABF49DA7} - C:\WINDOWS\system32\opnolMGy.dll (file missing) O4 - HKLM\..\Run: [80bf1682] rundll32.exe "C:\WINDOWS\system32\kdxfural.dll",b O20 - Winlogon Notify: jkkKcYQj - jkkKcYQj.dll (file missing)Then click on Fix checkedFollow these instructions carefully.Download ATF-Cleaner from Snapfiles.com to remove un-needed temporary files from your computer that may contain malware.You can also download it from Majorgeeks.comWhen you run ATF-Cleaner, check the items as shown below for Main.For FireFox, be sure to click on the FireFox tab on top and check the items as shown below for FireFoxNOTE: If you don't have FireFox or Opera installed then they will be grayed out and can be ignoredThen click on "Empty Selected". . Restart your computer and post back a new HJT log Link to post Share on other sites More sharing options...
procoach Posted May 5, 2008 Author ID:17677 Share Posted May 5, 2008 Thanks for getting back so quickly. I did as you said.This is the log, but I'm a bit worried that there may be stuff still in the system restore area C:\System Volume Information\_restoreThanks for your helpLogfile of Trend Micro HijackThis v2.0.2Scan saved at 21:22:44, on 05/05/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16640)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\LEXPPS.EXEC:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\WINDOWS\system32\crypserv.exeC:\PROGRA~1\McAfee\MSC\mcmscsvc.exec:\program files\common files\mcafee\mna\mcnasvc.exec:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeC:\Program Files\McAfee\MPF\MPFSrv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\McAfee\MSK\MskSrver.exeC:\Program Files\SiteAdvisor\6253\SAService.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\SiteAdvisor\6253\SiteAdv.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Canon\CAL\CALMAIN.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exec:\PROGRA~1\mcafee.com\agent\mcagent.exeC:\WINDOWS\System32\svchost.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dllO3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dllO3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dllO4 - HKLM\..\Run: [siteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exeO4 - HKLM\..\RunServices: [schedulingAgent] C:\WINDOWS\system32\mstask.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9O4 - HKLM\..\Policies\Explorer\Run: [updateManager] C:\Program Files\Common Files\Microsoft Shared\Web Components\LicenseMan32.exeO4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.htmlO8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.htmlO8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.htmlO8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.htmlO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLLO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exeO9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO14 - IERESET.INF: START_PAGE_URL=http://www.tesco.netO15 - Trusted Zone: http://register-tesco.qa.business.ntl.comO15 - Trusted Zone: http://memberservices.tesco.netO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...96/mcinsctl.cabO16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cabO23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeO23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exeO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exeO23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXEO23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exeO23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exeO23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exeO23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeO23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeO23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeO23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeO23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exeO23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exeO23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exeO23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exeO23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exeO23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exeO23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe--End of file - 8871 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted May 5, 2008 Root Admin ID:17678 Share Posted May 5, 2008 Yes, we just don't want to remove your Restore Points too early in case some repair breaks the systemWith an infected restore we could still maybe get the system back to where it was. We wait until the system is clean and then we reset the System Restore Points.I would go into Internet Explorer and go to Tools - Internet Options then the Advanced tab.Then click on the RESET button. This will remove most settings that have been tampered with and reset them back to their defaults.You then launch IE again and it will ask you to confirm your current settings and then say yes and click OK then go to your home page.Then quit IE and then relaunch it again and it should go back to your normal home page.Please delete your old System Restore Points and create a new one.How to turn off and turn on System Restore in Windows XPCurrently I do not see anything in the log to indicate that you still have an infection from Malware. If you see or think there is still an issue please let me know. We will leave this thread open for a couple of daysand if you've not had an issue we'll close it at that time.Thank you.. Link to post Share on other sites More sharing options...
procoach Posted May 5, 2008 Author ID:17681 Share Posted May 5, 2008 Thanks for this, I've done everything that you suggested so I'm just going to run Panda again (as this was the only thing that found the Vundo stuff) and I'll let you know Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted May 5, 2008 Root Admin ID:17683 Share Posted May 5, 2008 If you think there may be something else on the system and would feel more comfortable running another scan please try this one and let us know the results.Run an online scan with ESET from Free Virus Scan: Use ESET's Online Antivirus ScannerYou must use Internet Explorer for this online scan. FireFox, Opera, etc will not work for this scan.Accept the terms and click "Start".Once the scanner is ready, check "Remove found threats" AND "Scan unwanted applications".Click "Start" to begin the scan.When completed restart your computer Link to post Share on other sites More sharing options...
procoach Posted May 6, 2008 Author ID:17720 Share Posted May 6, 2008 I'm running the ESET scan now but It look like all the other logs are clear. The only thing I was worried about was the connection. When I first turn on my machine, the internet connection item in the system tray flashes and sends a few bytes of data. Is there anyway of finding out what program is sending the data, I only ask as I'm worried that it way be a keyloggerThe final logs are below (except for the ESET one).MBAMMalwarebytes' Anti-Malware 1.11Database version: 710Scan type: Full Scan (C:\|)Objects scanned: 177668Time elapsed: 2 hour(s), 28 minute(s), 34 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Panda Active Scan;***********************************************************************************************************************************************************************************ANALYSIS: 2008-05-06 01:07:52PROTECTIONS: 1MALWARE: 2SUSPECTS: 0;***********************************************************************************************************************************************************************************PROTECTIONSDescription Version Active Updated;===================================================================================================================================================================================McAfee VirusScan Yes Yes;===================================================================================================================================================================================MALWAREId Description Type Active Severity Disinfectable Disinfected Location;===================================================================================================================================================================================00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\Mark Drummond\Desktop\VirtumundoBeGone.exe[ Link to post Share on other sites More sharing options...
procoach Posted May 6, 2008 Author ID:17726 Share Posted May 6, 2008 ESET found nothing so it looks like the problem has been solved. I can't tell you how much I appreciate your help.Although I'm still a little curious about what is sending the data. Is there any way of finding out?Thanks Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted May 6, 2008 Root Admin ID:17757 Share Posted May 6, 2008 ESET found nothing so it looks like the problem has been solved. I can't tell you how much I appreciate your help.Although I'm still a little curious about what is sending the data. Is there any way of finding out?ThanksYou're quite welcome. The sending of data could be very normal. When the system starts up it does a lot of network broadcasting for items such as DNS and NetBIOS looking for systems around it and talking with your Internet Service Providers network as well.Using a firewall that can monitor and block both incoming and outgoing traffic can provide more information but often the underlying information being sent is a bit cryptic for most users.Please delete your old System Restore Points and create a new one once again.How to turn off and turn on System Restore in Windows XPMany of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. You will also need at least one other scanning program AVG is good and there are several other excellent programs with free and paid versions.Read the overviews of what each program below does so you have an understanding of their importance and how to use.Keep Spybot Search & Destroy and always immunize when you update. A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.Preform Windows Updates at least monthly, setting it to Automatic will take care of it for youUse your scanners weekly at the least. Always update before you scan.SpywareBlaster from Javacool SoftwareWinPatrol by BillPStudios SiteHound by FireTrustRogueRemoverhpHostsThe windows firewall is not sufficient to protect. It doesn't monitor outgoing traffic and this is a must. A recommended one is Online Armor Free Also the full protection of MBAM is offered at a very low price which works to help prevent or catch many before they can infect your systemThe fixes in this topic are for this machine only. Applying them to another can cause severe damage. Should you need assistance read the post at the top of this page for Pre-HighJack This log posting and begin your own topic. Someone will be happy to help you. Link to post Share on other sites More sharing options...
procoach Posted May 6, 2008 Author ID:17761 Share Posted May 6, 2008 thanks again. Feel free to close the thread. Link to post Share on other sites More sharing options...
JeanInMontana Posted May 7, 2008 ID:17818 Share Posted May 7, 2008 Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you.Many thanks to AdvancedSetup for the excellent help. Link to post Share on other sites More sharing options...
Recommended Posts