Wanda Posted July 15, 2008 ID:22897 Share Posted July 15, 2008 I had suspisions yesterday evening that my laptop had been invaded by some virus since I kept getting error messages from Windows Security Center that my windows automatic updates was off. The service was disabled and would not start. Through researching the problem in forums such as this one, I downloaded MBAM which found Vundo and other problems. Here is the log from that 1st scan and fix yesterday.Malwarebytes' Anti-Malware 1.20Database version: 950Windows 5.1.2600 Service Pack 29:58:19 PM 7/14/2008mbam-log-7-14-2008 (21-58-19).txtScan type: Quick ScanObjects scanned: 64449Time elapsed: 35 minute(s), 49 second(s)Memory Processes Infected: 0Memory Modules Infected: 3Registry Keys Infected: 16Registry Values Infected: 3Registry Data Items Infected: 2Folders Infected: 0Files Infected: 14Memory Processes Infected:(No malicious items detected)Memory Modules Infected:C:\WINDOWS\system32\iifCSKCr.dll (Trojan.Vundo) -> Unloaded module successfully.C:\WINDOWS\system32\sepeyxcv.dll (Trojan.Vundo) -> Unloaded module successfully.C:\WINDOWS\system32\mlJDtrOh.dll (Trojan.Vundo) -> Unloaded module successfully.Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9387dd6b-f289-4837-bce7-2945b5a57074} (Trojan.Vundo) -> Delete on reboot.HKEY_CLASSES_ROOT\CLSID\{9387dd6b-f289-4837-bce7-2945b5a57074} (Trojan.Vundo) -> Delete on reboot.HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\TypeLib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{03e3d45b-681c-481c-b6a3-0d08b12c4ab9} (Trojan.Vundo) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03e3d45b-681c-481c-b6a3-0d08b12c4ab9} (Trojan.Vundo) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljdtroh (Trojan.Vundo) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f0d7a68f (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmf3e49513 (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{03e3d45b-681c-481c-b6a3-0d08b12c4ab9} (Trojan.Vundo) -> Quarantined and deleted successfully.Registry Data Items Infected:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifcskcr -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifcskcr -> Delete on reboot.Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\iifCSKCr.dll (Trojan.Vundo) -> Delete on reboot.C:\WINDOWS\system32\rCKSCfii.ini (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\rCKSCfii.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\sepeyxcv.dll (Trojan.Vundo) -> Delete on reboot.C:\WINDOWS\system32\vcxyepes.ini (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\CouponPrinter.ocx (Adware.Coupons) -> Quarantined and deleted successfully.C:\WINDOWS\system32\weprjbab.dll (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Wanda\Local Settings\Temporary Internet Files\Content.IE5\R2170J1R\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.C:\WINDOWS\system32\xloulqat.dll (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\pmnoMcAp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\mlJDtrOh.dll (Trojan.Vundo) -> Delete on reboot.C:\WINDOWS\BMf3e49513.xml (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\BMf3e49513.txt (Trojan.Vundo) -> Quarantined and deleted successfully.After the fixes, I was able to start the Windows Automated Update service and resolve the Windows Security Off alert messages. I however still kept getting random pop-up windows so I knew the job was not totally finished. Throught the rest of the evening and night, I have run Kapersky Online Scanner, LavaSoft Ad-Ware and Spybot Search & Destroy quick and full scans which has slowly chipped away at other items found. I have not seen a Vundo error listed recently but still have occasional pop-up windows. Things are better but I cannot get the MS Juan virus to stay deleted.This morning I ran another Spybot scan and it did not find any infections. I performed another quick scan with Malwarebytes' Anti-Malware. The log report is as follows:Malwarebytes' Anti-Malware 1.20Database version: 952Windows 5.1.2600 Service Pack 210:20:23 AM 7/15/2008mbam-log-7-15-2008 (10-20-23).txtScan type: Quick ScanObjects scanned: 44345Time elapsed: 4 minute(s), 47 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)I am in the process of running a PandaActive Scan and will be back with that log and HiJack This soon. Thank you for your help in getting MS Juan and anything else you see left of Vundo and company out of my computer. If you need any more information before Panda is done scanning, please let me know. This is the first time I have posted any virus problem so I hope I am doing it correctly. Link to post Share on other sites More sharing options...
Wanda Posted July 15, 2008 Author ID:22909 Share Posted July 15, 2008 Here is the Panda ActiveScan Log:;***********************************************************************************************************************************************************************************ANALYSIS: 2008-07-15 12:19:50PROTECTIONS: 2MALWARE: 12SUSPECTS: 0;***********************************************************************************************************************************************************************************PROTECTIONSDescription Version Active Updated;===================================================================================================================================================================================McAfee Internet Security Suite 2007 8.1 No YesMcAfee VirusScan Plus 12.1 No No;===================================================================================================================================================================================MALWAREId Description Type Active Severity Disinfectable Disinfected Location;===================================================================================================================================================================================00065327 adware/coolsavings Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{549f957e-2f89-11d6-8cfe-00c04f52b225}00065327 adware/coolsavings Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/cpnmgr.dll00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@doubleclick[1].txt00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@atdmt[2].txt00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@tribalfusion[1].txt00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@tribalfusion[2].txt00160284 Cookie/Findwhat TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@findwhat[1].txt00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@com[1].txt00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@ad.yieldmanager[2].txt00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@ad.yieldmanager[1].txt00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@advertising[1].txt00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@ads.pointroll[1].txt00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@realmedia[1].txt00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@adrevolver[2].txt00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Wanda\Cookies\wanda@atwola[1].txt;===================================================================================================================================================================================SUSPECTSSent Location +;===================================================================================================================================================================================;===================================================================================================================================================================================VULNERABILITIESId Severity Description +;=================================================================================================================================================================================== 120815 HIGH MS06-022 +;=================================================================================================================================================================================== Link to post Share on other sites More sharing options...
Wanda Posted July 15, 2008 Author ID:22910 Share Posted July 15, 2008 Here is the HiJack This log:Logfile of HijackThis v1.99.1Scan saved at 12:29:07 PM, on 7/15/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16674)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Cisco Systems\VPN Client\cvpnd.exeC:\PROGRA~1\McAfee\MSC\mcmscsvc.exec:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exec:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeC:\Program Files\McAfee\MPF\MPFSrv.exeC:\WINDOWS\system32\PSIService.exeC:\Program Files\Macrium\Reflect\ReflectService.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\alg.exeC:\WINDOWS\System32\svchost.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeC:\PROGRA~1\McAfee.com\Agent\mcagent.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\AGRSMMSG.exeC:\Program Files\HPQ\Quick Launch Buttons\EabServr.exeC:\Program Files\Java\jre1.6.0_07\bin\jusched.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\Corel\Corel MediaOne\CorelIOMonitor.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\DNA\btdna.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\HJT\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://*.mcafee.comO16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocxO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cabO16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocxO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195923650390O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196028046968O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocxO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exeO20 - Winlogon Notify: dimsntfy - C:\WINDOWS\O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dllO23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exeO23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exeO23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXEO23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXEO23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exeO23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exeO23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeO23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeO23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeO23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeO23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exeO23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exeThat should be the 3 requested logs. Any help in resolving the problem is apprepriated. Link to post Share on other sites More sharing options...
JeanInMontana Posted July 15, 2008 ID:22946 Share Posted July 15, 2008 Hi Wanda and welcome to Malwarebytes. Please get the current version of HJT http://www.trendsecure.com/portal/en-US/th.../HJTInstall.exeThe HJT log is always posted last after the removal scans.C:\Program Files\DNA\btdna.exe <====This program is most likely why your infected, it has little use for legal activities, please uninstall. Make sure you have your system set to show hidden files and folders.Please set your system to show all files; Click Start.Open My Computer.Select the Tools menu and click Folder Options.Select the View Tab.Under the Hidden files and folders heading select Show hidden files and folders.Uncheck the Hide protected operating system files (recommended) option.Click Yes to confirm.Click OK.Please find the file below and attach it in a zipped folder in your reply.C:\WINDOWS\system32\qfosfj.dllUpdate MBAM, do a quick scan post that log and a new HJT with the correct version of that program please. Link to post Share on other sites More sharing options...
Wanda Posted July 16, 2008 Author ID:22997 Share Posted July 16, 2008 Jean,Thank you for your help. I have updated my HiJack This program. I did not know that I had an old version...sorry. I had deleted Bittorrent awhile ago but did not realize a background process was still running. btdna.exe service has been stopped and deleted.I open my hidden files as directed and looked for C:\Windows\system32\qfosfj.dll. It was not in this directory. I did a search of my computer files and did not find it anywhere else.Here is my updated MBAM log:Malwarebytes' Anti-Malware 1.20Database version: 958Windows 5.1.2600 Service Pack 210:19:27 AM 7/16/2008mbam-log-7-16-2008 (10-19-27).txtScan type: Quick ScanObjects scanned: 41377Time elapsed: 6 minute(s), 22 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Here is my correct version HiJack This log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:35:18 AM, on 7/16/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16674)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Cisco Systems\VPN Client\cvpnd.exeC:\PROGRA~1\McAfee\MSC\mcmscsvc.exec:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exec:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeC:\Program Files\McAfee\MPF\MPFSrv.exeC:\WINDOWS\system32\HPZipm12.exeC:\WINDOWS\system32\PSIService.exeC:\Program Files\Macrium\Reflect\ReflectService.exeC:\WINDOWS\System32\svchost.exeC:\PROGRA~1\McAfee.com\Agent\mcagent.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\AGRSMMSG.exeC:\Program Files\HPQ\Quick Launch Buttons\EabServr.exeC:\Program Files\Java\jre1.6.0_07\bin\jusched.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\Corel\Corel MediaOne\CorelIOMonitor.exeC:\WINDOWS\system32\ctfmon.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeC:\HJT\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://*.mcafee.comO16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocxO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cabO16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocxO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195923650390O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196028046968O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocxO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exeO23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exeO23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exeO23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXEO23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXEO23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exeO23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exeO23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeO23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeO23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeO23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeO23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exeO23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe--End of file - 7676 bytesAlso Mcafee has found 2 Vundo trojans today and deleted them so I don't have it completely clear either.Thank you for your time and assistance. Link to post Share on other sites More sharing options...
JeanInMontana Posted July 16, 2008 ID:23009 Share Posted July 16, 2008 This new version of Vundo is extra nasty, we are struggling to get all of it into MBAM. It hides very well. Posslibly why you couldn't find it is McAfee took it before you looked? Are you able to access the quarantine files for McAfee and upload them? If you save the logs I would like to see the portion showing what was found, not the whole log just a copy paste of that part please.You don't have the latest definition version for MBAM, you have to update it every time you scan, often it updates 4 or more times a day. Let's get a new scan with it. Your log is looking good how are symptoms? Link to post Share on other sites More sharing options...
Wanda Posted July 16, 2008 Author ID:23021 Share Posted July 16, 2008 Jean,MBAM was up to date when I ran it this morning but I have updated it again and here is the new log:Malwarebytes' Anti-Malware 1.20Database version: 960Windows 5.1.2600 Service Pack 23:09:50 PM 7/16/2008mbam-log-7-16-2008 (15-09-50).txtScan type: Quick ScanObjects scanned: 42172Time elapsed: 6 minute(s), 20 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Yeah, nothing was found!!! Symptoms appear to be gone in the short time I have been on the computer this afternoon. The Vundo trojan files were alerts from the McAfee Real-Time so the files were deleted and not quarantined. I am currently doing a full file scan with McAfee which I do every Wednesday so will send you files if it finds any. Here are the logs from the 2 McAfee Real-Time Vundo detection events:One or more items were detected on your computer.Detection name: Vundo (Trojan), Vundo (Trojan)File: C:\WINDOWS\system32\bcchxego.dllProcess: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exeProcess description: Malwarebytes' Anti-MalwareOne or more items were detected on your computer.Detection name: Vundo (Trojan), Vundo (Trojan), Vundo (Trojan), Vundo (Trojan), Vundo (Trojan), Vundo (Trojan)File: C:\WINDOWS\SYSTEM32\QFOSFJ.DLLProcess: **\IEXPLORE.EXEProcess description: **\IEXPLORE.EXESo McAfee did get the qfosfj.dll file you asked me to send you.Well, it looks like I am virus clear at this moment so that you for your help. I will post another reply if McAfee search find any affected Vundo files that I can quarantine.Thank you for all you quick assistance. Link to post Share on other sites More sharing options...
JeanInMontana Posted July 16, 2008 ID:23031 Share Posted July 16, 2008 McAfee identified MBAM as Vundo. Not the best detection. File: C:\WINDOWS\system32\bcchxego.dllProcess: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exeProcess description: Malwarebytes' Anti-Malware I saw that MBAM had updated since your scan is why I asked for a new one. Your not having any symptoms? One more HJT log please. Link to post Share on other sites More sharing options...
Wanda Posted July 17, 2008 Author ID:23110 Share Posted July 17, 2008 Yes, I am having no symptoms after the last fixes. McAfee full scan was clear yesterday. MBAM is still clear today. No pop-up symptoms at all. Here is a last HJT log that you requested.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 4:19:53 PM, on 7/17/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16674)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Cisco Systems\VPN Client\cvpnd.exeC:\PROGRA~1\McAfee\MSC\mcmscsvc.exec:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exec:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeC:\Program Files\McAfee\MPF\MPFSrv.exeC:\WINDOWS\system32\HPZipm12.exeC:\WINDOWS\system32\PSIService.exeC:\Program Files\Macrium\Reflect\ReflectService.exeC:\WINDOWS\System32\svchost.exeC:\PROGRA~1\McAfee.com\Agent\mcagent.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\AGRSMMSG.exeC:\Program Files\HPQ\Quick Launch Buttons\EabServr.exeC:\Program Files\Java\jre1.6.0_07\bin\jusched.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\Corel\Corel MediaOne\CorelIOMonitor.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Spybot - Search & Destroy\TeaTimer.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeC:\HJT\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://*.mcafee.comO16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocxO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cabO16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocxO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195923650390O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196028046968O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocxO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exeO23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exeO23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exeO23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXEO23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXEO23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exeO23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exeO23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeO23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeO23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeO23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeO23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exeO23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe--End of file - 7901 bytesThank you for all your help. Link to post Share on other sites More sharing options...
JeanInMontana Posted July 18, 2008 ID:23153 Share Posted July 18, 2008 Oops you have TeaTimer on we don't want that on yet. Open SB S&D Make sure you are in Advanced Mode. Click on the Mode link at the top of the program and then Advanced Mode.Click on the Tools section and then Resident.You will see two items.1. Resident "SD helper" (Internet Explorer bad download blocker.) active2. Resident "Tea Timer" (Protection of over-all system settings.) active.Uncheck number 2..Leave number 1 checked always.You can enable Tea Timer again if you wish once all special fixes have been done. Now close all programs and run a scan only with HJT pur a check next to these items and click fix. Exit the program and reboot.O2 - BHO: (no name) - {30120342-2a52-45c0-86d2-8ca0d0e4d75d} - (no file)O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u Now update MBAB again and scan post that log and a new HJT please. Link to post Share on other sites More sharing options...
Wanda Posted July 18, 2008 Author ID:23164 Share Posted July 18, 2008 Jean,I thought we were done with fixes since there was no symptoms so I turned TeaTimer back on. It is now off again.Here is the latest no errors MBAM log:Malwarebytes' Anti-Malware 1.20Database version: 963Windows 5.1.2600 Service Pack 29:21:32 AM 7/18/2008mbam-log-7-18-2008 (09-21-32).txtScan type: Quick ScanObjects scanned: 44044Time elapsed: 7 minute(s), 18 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Recommended HiJack This fixes were made. Here is a new HJT log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 9:22:11 AM, on 7/18/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16674)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Cisco Systems\VPN Client\cvpnd.exeC:\PROGRA~1\McAfee\MSC\mcmscsvc.exec:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exec:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeC:\Program Files\McAfee\MPF\MPFSrv.exeC:\WINDOWS\system32\HPZipm12.exeC:\WINDOWS\system32\PSIService.exeC:\Program Files\Macrium\Reflect\ReflectService.exeC:\WINDOWS\System32\svchost.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeC:\WINDOWS\system32\Ati2evxx.exeC:\PROGRA~1\McAfee.com\Agent\mcagent.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\AGRSMMSG.exeC:\Program Files\HPQ\Quick Launch Buttons\EabServr.exeC:\Program Files\Java\jre1.6.0_07\bin\jusched.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\Corel\Corel MediaOne\CorelIOMonitor.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXEC:\HJT\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://*.mcafee.comO16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocxO16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cabO16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocxO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195923650390O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1196028046968O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocxO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exeO23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exeO23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exeO23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXEO23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXEO23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exeO23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exeO23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeO23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeO23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeO23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeO23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exeO23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe--End of file - 7660 bytesThank you for you help. Is there any other fixes that need to be done? Link to post Share on other sites More sharing options...
JeanInMontana Posted July 18, 2008 ID:23181 Share Posted July 18, 2008 We have some final things to take care of and Tea Timer can interfere.Your log looks clean. We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK. Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on what ever will open the System Restore box. You will see two options, Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it. Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep MBAM and Spybot Search & Destroy and always immunize SBS&D when you update. You will also need at least one other scanning program Asquared or SuperAntiSpyware are good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use.A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.Preform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.Keep other software known for vulnerabilities updated also. Use the Secunia Inspector free scan to identify risks in outdated versions.SpywareBlaster from Javacool SoftwareWinPatrol by BillPStudios SiteHound by FireTrustRogueRemoverhpHostsThe windows firewall is not sufficient to protect. It doesn't monitor outgoing traffic and this is a must. I use and recommend Online Armor Free Also the full protection of MBAM is offered at a very low price. Give it a trial using the link in my signature. Link to post Share on other sites More sharing options...
Wanda Posted July 18, 2008 Author ID:23191 Share Posted July 18, 2008 I have created a new clean system restore point. I planned on keeping Spybot and MBAM. I have Windows Update on automatic and make sure it runs on a regular basis. Since I have McAfee firewall, I have Windows Firewall turned off. I have McAfee viruscan always turned on and updated automatically. I scan the entire system every Wednesday. I will add the other scanners to my Wednesday routine. I will look at the other recommended programs to see what additional layers of protection I want to add. My McAfee subscription renewal is coming up in September so I will look at your firewall recommendation also.Thank you for your help and advice on preventing potention future virus problems. Link to post Share on other sites More sharing options...
JeanInMontana Posted July 19, 2008 ID:23279 Share Posted July 19, 2008 Wanda you probably don't need another scanner. Your best move IMO is get rid of McAfee [huge resource hog and not on the cutting edge of protection] go for a free AV and the OA firewall when the subscription runs out. Avira and Avast are very good free. NOD32 from Eset is top notch but you must pay. the other programs I mention are either block lists for bad sites or give an alert when a change is made to the system. All are free and low on resources or use none at all.From what you describe you have everything set up great. Surf safe/ Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you. Link to post Share on other sites More sharing options...
Recommended Posts