Virtumonde/ Downloader Newjuan Reinfecting


#1 chip_pan_fire

Posted 12 November 2007 - 04:30 AM

Hi.
I have some issues with malware on my PC, which is not being successfully removed by any of my anti-spyware/virus programs. The problems it is causing seem to be:
  • Firefox generates errors and is closed (message: Firefox has generated errors and will be closed etc) any time I need to use the IE tab or the WMP plugin
  • Maxthon (the default browser, the one my boyfriend - the owner of the computer - uses by choice) launches itself every ten minutes or so, and after a pause will try to open an unwanted site (so far Sky Poker, adplex.mediaclick and various sites that only show the IP address rather than a name)
  • The desktop wallpaper keeps reverting to the previous choice

I have blocked Maxthon from accessing the internet in ZoneAlarm for the moment

I have run all the recommended programs, and Spybot S&D and SUPERAntiSpyware have 'fixed' Virtumonde and "Trojan Downloader NewJuan", but I am sure they will be found again if I run these again in a few minutes. My HJT log is below. I am having trouble generating it, as when I try to open HJT I get the 'has generated errors and will be closed' message.

I am running Windows 2000 on a no-brand PC.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:12:26, on 12/11/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\Ati2evxx.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
D:\Program Files\AVPersonal\AVWUPSRV.EXE
D:\Program Files\Executive Software\DiskeeperServer\DKService.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\Ati2evxx.exe
D:\WINNT\Explorer.EXE
D:\Program Files\AVPersonal\AVGNT.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\NetMeter\NetMeter.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\WINNT\system32\ZoneLabs\vsmon.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Administrator\Desktop\stinger.exe
D:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Windows Compliant] nonqtm.exe
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [Tweak UI] "RUNDLL32.EXE" TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] "D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [AVGCtrl] "D:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\RunServices: [Windows Compliant] nonqtm.exe
O4 - HKCU\..\Run: [Windows Compliant] nonqtm.exe
O4 - HKCU\..\Run: [D:\Program Files\NetMeter\NetMeter.exe] "D:\Program Files\NetMeter\NetMeter.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] "D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Compliant] nonqtm.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] D:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] D:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: D:\WINNT\system32\__c006B1A5.dat
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - D:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINNT\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - D:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\DiskeeperServer\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5073 bytes
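The O4 and O20 lines in the log above are what a helper reads first when a cleaner keeps "fixing" the same infection: one bare filename registered under HKLM\Run, HKLM\RunServices, HKCU\Run and HKUS\.DEFAULT\Run, plus a non-.dll file in AppInit_DLLs, which Windows loads into every process that loads user32.dll. The script below is an added example for this thread, not HijackThis code and not anything the posters ran; it parses registry O4 lines and O20 lines in HijackThis format and lists entries worth a second look using three generic heuristics (no path, same image in several locations, anything in AppInit_DLLs). The sample lines are copied from the log above; the line formats, function names and heuristics are this example's own assumptions. It does not decide what is malicious, it only ranks what to check.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the O4/O20 lines copied from the HijackThis log
# above (Global Startup and O23 lines are included to show that they are ignored).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Compliant] nonqtm.exe
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [Tweak UI] "RUNDLL32.EXE" TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Windows Compliant] nonqtm.exe
O4 - HKCU\..\Run: [Windows Compliant] nonqtm.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Compliant] nonqtm.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] D:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O20 - AppInit_DLLs: D:\WINNT\system32\__c006B1A5.dat
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# Registry O4 line: O4 - <hive>\..\<key>: [<name>] <command> [(User '<user>')]
# (assumed format, matching the lines in the log above)
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '[^']*'\))?$"
)
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+)$")
# First token of an unquoted command line, allowing paths with spaces up to the extension.
IMAGE_RE = re.compile(r"(.+?\.(?:exe|dll|cpl|scr|com|bat|vbs|dat))(?:\s|$)", re.I)


def image_from_command(cmd):
    """Pull the executable (or path) out of a Run-key command line, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # "C:\path with spaces\x.exe" args
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = IMAGE_RE.match(cmd)                       # unquoted path, possibly with spaces
    return m.group(1) if m else (cmd.split() or [""])[0]


def parse_autoruns(log_text):
    """Return ([(location, name, image), ...], [appinit_entry, ...]) from O4/O20 lines."""
    runs, appinit = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            runs.append((m["hive"] + "\\" + m["key"], m["name"], image_from_command(m["cmd"])))
            continue
        m = O20_RE.match(line)
        if m:
            # AppInit_DLLs is space- or comma-delimited; every entry is loaded into
            # every process that loads user32.dll, whatever its file extension.
            appinit.extend(v for v in re.split(r"[,; ]+", m["value"]) if v)
    return runs, appinit


def triage(log_text, min_locations=3):
    """Group autorun images and return only those with at least one review reason."""
    runs, appinit = parse_autoruns(log_text)
    findings = defaultdict(lambda: {"locations": set(), "reasons": set()})
    for location, _name, image in runs:
        f = findings[image.lower()]
        f["locations"].add(location)
        if "\\" not in image and not image.startswith("%"):
            # Bare filename: resolved by PATH search at logon, so the log alone
            # does not say which file on disk actually runs.
            f["reasons"].add("no_path")
    for f in findings.values():
        if len(f["locations"]) >= min_locations:
            # One image under several hives/keys: removing one entry leaves the
            # others to restart it, which is how "fixed" infections come back.
            f["reasons"].add("multi_location")
    for entry in appinit:
        f = findings[entry.lower()]
        f["locations"].add("AppInit_DLLs")
        f["reasons"].add("appinit")
        if not entry.lower().endswith(".dll"):
            f["reasons"].add("appinit_not_dll")  # loaded as a DLL regardless of the name
    return {img: f for img, f in findings.items() if f["reasons"]}


if __name__ == "__main__":
    for image, f in sorted(triage(SAMPLE_LOG).items()):
        print(f"{image:45} {', '.join(sorted(f['reasons'])):28} {sorted(f['locations'])}")
```

Bare names of Windows binaries (mobsync.exe, internat.exe, rundll32.exe) surface with no_path too; what separates them from the nonqtm.exe entry is multi_location, and the analyst then confirms each bare name resolves to the expected file under the system directory and nowhere earlier on the PATH. The AppInit_DLLs entry deserves the first look, because a library loaded into every GUI process survives anything a per-process cleaner does.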


#2 Demon Cleaner

Posted 15 November 2007 - 09:39 AM

Hi

I will be helping you with your problems.

Before we go any further: you are running HijackThis from your desktop. This is not advised, as any backups that HijackThis makes will not be safe.

So delete any existing copies of HijackThis you have and go here and download a fresh copy to your desktop. Double-click HJTinstall.exe and then click on Install. This will automatically give you a shortcut on your desktop for future use.

With HJT running choose "Do a system scan and save a logfile" and post the resultant log in a reply to this thread.

Regards

Demon Cleaner


