Jump to content

Cannot Get Rid Of MS Juan


Recommended Posts

I had suspisions yesterday evening that my laptop had been invaded by some virus since I kept getting error messages from Windows Security Center that my windows automatic updates was off. The service was disabled and would not start. Through researching the problem in forums such as this one, I downloaded MBAM which found Vundo and other problems. Here is the log from that 1st scan and fix yesterday.

Malwarebytes' Anti-Malware 1.20

Database version: 950

Windows 5.1.2600 Service Pack 2

9:58:19 PM 7/14/2008

mbam-log-7-14-2008 (21-58-19).txt

Scan type: Quick Scan

Objects scanned: 64449

Time elapsed: 35 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 3

Registry Keys Infected: 16

Registry Values Infected: 3

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 14

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\iifCSKCr.dll (Trojan.Vundo) -> Unloaded module successfully.

C:\WINDOWS\system32\sepeyxcv.dll (Trojan.Vundo) -> Unloaded module successfully.

C:\WINDOWS\system32\mlJDtrOh.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9387dd6b-f289-4837-bce7-2945b5a57074} (Trojan.Vundo) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{9387dd6b-f289-4837-bce7-2945b5a57074} (Trojan.Vundo) -> Delete on reboot.

HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{03e3d45b-681c-481c-b6a3-0d08b12c4ab9} (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03e3d45b-681c-481c-b6a3-0d08b12c4ab9} (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljdtroh (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f0d7a68f (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmf3e49513 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{03e3d45b-681c-481c-b6a3-0d08b12c4ab9} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifcskcr -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifcskcr -> Delete on reboot.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\iifCSKCr.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\rCKSCfii.ini (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\rCKSCfii.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sepeyxcv.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\vcxyepes.ini (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\CouponPrinter.ocx (Adware.Coupons) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\weprjbab.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\Wanda\Local Settings\Temporary Internet Files\Content.IE5\R2170J1R\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\xloulqat.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\pmnoMcAp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mlJDtrOh.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\BMf3e49513.xml (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\BMf3e49513.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

After the fixes, I was able to start the Windows Automated Update service and resolve the Windows Security Off alert messages. I however still kept getting random pop-up windows so I knew the job was not totally finished. Throught the rest of the evening and night, I have run Kapersky Online Scanner, LavaSoft Ad-Ware and Spybot Search & Destroy quick and full scans which has slowly chipped away at other items found. I have not seen a Vundo error listed recently but still have occasional pop-up windows. Things are better but I cannot get the MS Juan virus to stay deleted.

This morning I ran another Spybot scan and it did not find any infections. I performed another quick scan with Malwarebytes' Anti-Malware. The log report is as follows:

Malwarebytes' Anti-Malware 1.20

Database version: 952

Windows 5.1.2600 Service Pack 2

10:20:23 AM 7/15/2008

mbam-log-7-15-2008 (10-20-23).txt

Scan type: Quick Scan

Objects scanned: 44345

Time elapsed: 4 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I am in the process of running a PandaActive Scan and will be back with that log and HiJack This soon. Thank you for your help in getting MS Juan and anything else you see left of Vundo and company out of my computer. If you need any more information before Panda is done scanning, please let me know. This is the first time I have posted any virus problem so I hope I am doing it correctly.

Link to post
Share on other sites

Here is the Panda ActiveScan Log:

;*******************************************************************************

********************************************************************************

*

*******************

ANALYSIS: 2008-07-15 12:19:50

PROTECTIONS: 2

MALWARE: 12

SUSPECTS: 0

;*******************************************************************************

********************************************************************************

*

*******************

PROTECTIONS

Description Version Active Updated

;===============================================================================

================================================================================

=

===================

McAfee Internet Security Suite 2007 8.1 No Yes

McAfee VirusScan Plus 12.1 No No

;===============================================================================

================================================================================

=

===================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

================================================================================

=

===================

00065327 adware/coolsavings Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{549f957e-2f89-11d6-8cfe-00c04f52b225}

00065327 adware/coolsavings Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/cpnmgr.dll

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@doubleclick[1].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@atdmt[2].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@tribalfusion[1].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@tribalfusion[2].txt

00160284 Cookie/Findwhat TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@findwhat[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@com[1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@ad.yieldmanager[2].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@ad.yieldmanager[1].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@advertising[1].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@ads.pointroll[1].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@realmedia[1].txt

00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@adrevolver[2].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@atwola[1].txt

;===============================================================================

================================================================================

=

===================

SUSPECTS

Sent Location +

;===============================================================================

================================================================================

=

===================

;===============================================================================

================================================================================

=

===================

VULNERABILITIES

Id Severity Description +

;===============================================================================

================================================================================

=

===================

120815 HIGH MS06-022 +

;===============================================================================

================================================================================

=

===================

Link to post
Share on other sites

Here is the HiJack This log:

Logfile of HijackThis v1.99.1

Scan saved at 12:29:07 PM, on 7/15/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Macrium\Reflect\ReflectService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\PROGRA~1\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Corel\Corel MediaOne\CorelIOMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DNA\btdna.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://*.mcafee.com

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab

O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195923650390

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196028046968

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe

O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE

O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe

That should be the 3 requested logs. Any help in resolving the problem is apprepriated.

Link to post
Share on other sites

Hi Wanda and welcome to Malwarebytes. Please get the current version of HJT http://www.trendsecure.com/portal/en-US/th.../HJTInstall.exe

The HJT log is always posted last after the removal scans.

C:\Program Files\DNA\btdna.exe <====This program is most likely why your infected, it has little use for legal activities, please uninstall.

Make sure you have your system set to show hidden files and folders.

Please set your system to show

all files; Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

Please find the file below and attach it in a zipped folder in your reply.

C:\WINDOWS\system32\qfosfj.dll

Update MBAM, do a quick scan post that log and a new HJT with the correct version of that program please.

Link to post
Share on other sites

Jean,

Thank you for your help. I have updated my HiJack This program. I did not know that I had an old version...sorry. I had deleted Bittorrent awhile ago but did not realize a background process was still running. btdna.exe service has been stopped and deleted.

I open my hidden files as directed and looked for C:\Windows\system32\qfosfj.dll. It was not in this directory. I did a search of my computer files and did not find it anywhere else.

Here is my updated MBAM log:

Malwarebytes' Anti-Malware 1.20

Database version: 958

Windows 5.1.2600 Service Pack 2

10:19:27 AM 7/16/2008

mbam-log-7-16-2008 (10-19-27).txt

Scan type: Quick Scan

Objects scanned: 41377

Time elapsed: 6 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Here is my correct version HiJack This log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:35:18 AM, on 7/16/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Macrium\Reflect\ReflectService.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Corel\Corel MediaOne\CorelIOMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://*.mcafee.com

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab

O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195923650390

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196028046968

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE

O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe

--

End of file - 7676 bytes

Also Mcafee has found 2 Vundo trojans today and deleted them so I don't have it completely clear either.

Thank you for your time and assistance.

Link to post
Share on other sites

This new version of Vundo is extra nasty, we are struggling to get all of it into MBAM. It hides very well. Posslibly why you couldn't find it is McAfee took it before you looked? Are you able to access the quarantine files for McAfee and upload them? If you save the logs I would like to see the portion showing what was found, not the whole log just a copy paste of that part please.

You don't have the latest definition version for MBAM, you have to update it every time you scan, often it updates 4 or more times a day. Let's get a new scan with it. Your log is looking good how are symptoms?

Link to post
Share on other sites

Jean,

MBAM was up to date when I ran it this morning but I have updated it again and here is the new log:

Malwarebytes' Anti-Malware 1.20

Database version: 960

Windows 5.1.2600 Service Pack 2

3:09:50 PM 7/16/2008

mbam-log-7-16-2008 (15-09-50).txt

Scan type: Quick Scan

Objects scanned: 42172

Time elapsed: 6 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Yeah, nothing was found!!! Symptoms appear to be gone in the short time I have been on the computer this afternoon.

The Vundo trojan files were alerts from the McAfee Real-Time so the files were deleted and not quarantined. I am currently doing a full file scan with McAfee which I do every Wednesday so will send you files if it finds any. Here are the logs from the 2 McAfee Real-Time Vundo detection events:

One or more items were detected on your computer.

Detection name: Vundo (Trojan), Vundo (Trojan)

File: C:\WINDOWS\system32\bcchxego.dll

Process: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

Process description: Malwarebytes' Anti-Malware

One or more items were detected on your computer.

Detection name: Vundo (Trojan), Vundo (Trojan), Vundo (Trojan), Vundo (Trojan), Vundo (Trojan), Vundo (Trojan)

File: C:\WINDOWS\SYSTEM32\QFOSFJ.DLL

Process: **\IEXPLORE.EXE

Process description: **\IEXPLORE.EXE

So McAfee did get the qfosfj.dll file you asked me to send you.

Well, it looks like I am virus clear at this moment so that you for your help. I will post another reply if McAfee search find any affected Vundo files that I can quarantine.

Thank you for all you quick assistance.

Link to post
Share on other sites

McAfee identified MBAM as Vundo. Not the best detection. :)

File: C:\WINDOWS\system32\bcchxego.dll

Process: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

Process description: Malwarebytes' Anti-Malware

I saw that MBAM had updated since your scan is why I asked for a new one. Your not having any symptoms? One more HJT log please.

Link to post
Share on other sites

Yes, I am having no symptoms after the last fixes. McAfee full scan was clear yesterday. MBAM is still clear today. No pop-up symptoms at all. Here is a last HJT log that you requested.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:19:53 PM, on 7/17/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Macrium\Reflect\ReflectService.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Corel\Corel MediaOne\CorelIOMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://*.mcafee.com

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab

O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195923650390

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196028046968

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE

O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe

--

End of file - 7901 bytes

Thank you for all your help.

Link to post
Share on other sites

Oops you have TeaTimer on we don't want that on yet.

Open SB S&D

Make sure you are in Advanced Mode. Click on the Mode link at the top of the program and then Advanced Mode.

Click on the Tools section and then Resident.

You will see two items.

1. Resident "SD helper" (Internet Explorer bad download blocker.) active

2. Resident "Tea Timer" (Protection of over-all system settings.) active.

Uncheck number 2..

Leave number 1 checked always.

You can enable Tea Timer again if you wish once all special fixes have been done.

Now close all programs and run a scan only with HJT pur a check next to these items and click fix. Exit the program and reboot.

O2 - BHO: (no name) - {30120342-2a52-45c0-86d2-8ca0d0e4d75d} - (no file)

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

Now update MBAB again and scan post that log and a new HJT please.

Link to post
Share on other sites

Jean,

I thought we were done with fixes since there was no symptoms so I turned TeaTimer back on. It is now off again.

Here is the latest no errors MBAM log:

Malwarebytes' Anti-Malware 1.20

Database version: 963

Windows 5.1.2600 Service Pack 2

9:21:32 AM 7/18/2008

mbam-log-7-18-2008 (09-21-32).txt

Scan type: Quick Scan

Objects scanned: 44044

Time elapsed: 7 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Recommended HiJack This fixes were made. Here is a new HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:22:11 AM, on 7/18/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Macrium\Reflect\ReflectService.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\PROGRA~1\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Corel\Corel MediaOne\CorelIOMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://*.mcafee.com

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab

O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195923650390

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196028046968

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE

O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe

--

End of file - 7660 bytes

Thank you for you help. Is there any other fixes that need to be done?

Link to post
Share on other sites

We have some final things to take care of and Tea Timer can interfere.

Your log looks clean. We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK.

Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on what ever will open the System Restore box. You will see two options, Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it.

Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep MBAM and Spybot Search & Destroy and always immunize SBS&D when you update. You will also need at least one other scanning program Asquared or SuperAntiSpyware are good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use.

A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.

Preform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.

Keep other software known for vulnerabilities updated also. Use the Secunia Inspector free scan to identify risks in outdated versions.

SpywareBlaster from Javacool Software

WinPatrol by BillPStudios

SiteHound by FireTrust

RogueRemover

hpHosts

The windows firewall is not sufficient to protect. It doesn't monitor outgoing traffic and this is a must. I use and recommend Online Armor Free

Also the full protection of MBAM is offered at a very low price. Give it a trial using the link in my signature.

Link to post
Share on other sites

I have created a new clean system restore point. I planned on keeping Spybot and MBAM. I have Windows Update on automatic and make sure it runs on a regular basis. Since I have McAfee firewall, I have Windows Firewall turned off. I have McAfee viruscan always turned on and updated automatically. I scan the entire system every Wednesday. I will add the other scanners to my Wednesday routine. I will look at the other recommended programs to see what additional layers of protection I want to add. My McAfee subscription renewal is coming up in September so I will look at your firewall recommendation also.

Thank you for your help and advice on preventing potention future virus problems.

Link to post
Share on other sites

Wanda you probably don't need another scanner. Your best move IMO is get rid of McAfee [huge resource hog and not on the cutting edge of protection] go for a free AV and the OA firewall when the subscription runs out. Avira and Avast are very good free. NOD32 from Eset is top notch but you must pay. the other programs I mention are either block lists for bad sites or give an alert when a change is made to the system. All are free and low on resources or use none at all.

From what you describe you have everything set up great. Surf safe/ :)

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.