A Few Stubborn Trojans And Such. . . .


9 replies to this topic

#1 peacock1


Posted 21 February 2008 - 03:18 PM

Well, let me start by saying what I have done. I have run Ad-Aware, Spy Sweeper and a few fixes I got from this site, both Virtumonde fixes and also the SmitFraudFix.exe. All of this I did in safe mode and none seems to work, with the exception of the SmitFraudFix, which I think got rid of the Zlob trojan.
The things that are still on there after all this are:
Security Toolbar
Trojan.Virtumonde
Trojan.gen

Those are the things that Spy Sweeper and Ad-Aware keep coming up with. I have been trying to get all this off for a week and I'm hoping someone has some ideas for me. Thanks

#2 boopme

  • Global Moderator

Posted 21 February 2008 - 05:01 PM

Hi, welcome to the forum.
I'm not certain what tool you have run, so I'll give you the full instructions.
There are 2 fixes inside. If you have run those, including VirtumundoBegone, run the next one anyway.

NOTE: all blue wording is a link to instructions.
First you will need to follow the instructions in our Tutorial
How To Remove Vundo/Winfixer Infection

NEXT:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions, post the log and let us know how the PC is running now.

#3 peacock1

  • Topic Starter

Posted 22 February 2008 - 12:57 AM

Well, it's better than it was, but as soon as I started Internet Explorer I got a pop-up for some anti-spyware program that can save my computer's life.
Below is my log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/22/2007 at 00:32 AM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 00:59:27

Memory items scanned : 172
Memory threats detected : 0
Registry items scanned : 5787
Registry threats detected : 9
File items scanned : 23854
File threats detected : 0

Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc

Should I run HijackThis and post that log as well? Thanks for all of your help, there's no way I could do this myself.

#4 boopme

  • Global Moderator

Posted 22 February 2008 - 01:08 AM

You're very welcome.

No, we don't want the HJT log yet.
Can you please post the contents of C:\vundofix.txt?
This is the result of the VundoFix scan or the SmitFraud scan, whichever was run last.

"i got a pop up for some anti spyware program"

The name of this would be helpful.

#5 peacock1

  • Topic Starter

Posted 22 February 2008 - 01:36 AM

This time it is not an anti-spyware program; here is the address: http://www.fubar.com/join_lp1a.php
vundofix.txt:

VundoFix V6.7.8

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 10:07:14 AM 7/17/2007

Listing files found while scanning....

C:\windows\system32\hqoqdmzq.dllbox

Beginning removal...

Attempting to delete C:\windows\system32\hqoqdmzq.dllbox
C:\windows\system32\hqoqdmzq.dllbox Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.8

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 9:48:08 PM 7/21/2007

Listing files found while scanning....

C:\WINDOWS\system32\dfsjpqgv.dll
C:\windows\system32\fkfdrjck.dllbox
C:\windows\system32\vhoxmjbk.dllbox
C:\WINDOWS\system32\wqlcngfk.dll
C:\windows\system32\wqlcngfk.dllbox
C:\windows\system32\zwvakbhd.dllbox

Beginning removal...

Attempting to delete C:\WINDOWS\system32\dfsjpqgv.dll
C:\WINDOWS\system32\dfsjpqgv.dll Has been deleted!

Attempting to delete C:\windows\system32\fkfdrjck.dllbox
C:\windows\system32\fkfdrjck.dllbox Has been deleted!

Attempting to delete C:\windows\system32\vhoxmjbk.dllbox
C:\windows\system32\vhoxmjbk.dllbox Has been deleted!

Attempting to delete C:\WINDOWS\system32\wqlcngfk.dll
C:\WINDOWS\system32\wqlcngfk.dll Has been deleted!

Attempting to delete C:\windows\system32\wqlcngfk.dllbox
C:\windows\system32\wqlcngfk.dllbox Has been deleted!

Attempting to delete C:\windows\system32\zwvakbhd.dllbox
C:\windows\system32\zwvakbhd.dllbox Has been deleted!

Performing Repairs to the registry.
Done!

Edited by boopme, 22 February 2008 - 02:49 PM.


#6 boopme

  • Global Moderator

Posted 22 February 2008 - 02:57 PM

Hi, a couple of questions and comments.
Why is your PC clock set to July 2007 (notice the scan dates)?
Set the clock to today and run Post 2 again after updating SAS.
Post the new logs and tell me how it's running now.
Your Java is outdated.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 4...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "English".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.

Edited by boopme, 22 February 2008 - 02:58 PM.

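The moderator's clock check above (a scan log stamped July 2007 posted in February 2008) can be automated. The Python parser below is an added example, not code from the thread or from SUPERAntiSpyware; it reads the scan-log layout shown in this thread, collects the summary counts, groups detections by category and reports how far the log's own timestamp is from the posting date. The sample log is constructed from the header values in post #3, with a shortened detection list.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the SUPERAntiSpyware logs posted in this
# thread (header values copied from post #3; the detection list is shortened).
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/22/2007 at 00:32 AM

Memory items scanned : 172
Memory threats detected : 0
Registry items scanned : 5787
Registry threats detected : 9
File items scanned : 23854
File threats detected : 0

Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service

Adware.Tracking Cookie
C:\Documents and Settings\chris\Cookies\chris@doubleclick[1].txt
"""

COUNT_RE = re.compile(r"^(Memory|Registry|File) (items scanned|threats detected)\s*:\s*(\d+)$")
GEN_RE = re.compile(r"^Generated (\d{2})/(\d{2})/(\d{4}) at (\d{1,2}):(\d{2}) (AM|PM)$")

def parse_generated(line):
    """Parse a 'Generated' line. SAS writes '00:32 AM' for half past midnight,
    which strptime's %I rejects, so the 12-hour conversion is done by hand."""
    month, day, year, hour, minute, period = GEN_RE.match(line).groups()
    hour = int(hour) % 12 + (12 if period == "PM" else 0)
    return datetime(int(year), int(month), int(day), hour, int(minute))

def parse_sas_log(text):
    """Return (generated datetime, per-area counts, {category: [items]})."""
    generated, counts, detections, current = None, {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            current = None              # a blank line closes a detection group
        elif GEN_RE.match(line):
            generated = parse_generated(line)
        elif (m := COUNT_RE.match(line)):
            counts[m.group(1).lower() + "_" + m.group(2).split()[0]] = int(m.group(3))
        elif "file_threats" in counts:  # detection groups follow the last summary line
            if current is None:
                current = line          # first line after a blank is the category name
                detections.setdefault(current, [])
            else:
                detections[current].append(line)
    return generated, counts, detections

def clock_skew_days(generated, posted):
    """Days between the log's own timestamp and when it was posted. A large gap
    means the PC clock was wrong, so definition updates may have been skipped."""
    return abs((posted - generated).days)
```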

#7 peacock1

  • Topic Starter

Posted 22 February 2008 - 11:12 PM

I had no idea that my date was wrong. I set my date back and updated Java and ran the SAS and it appears to me to be fine.

Here is my SAS Log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/22/2008 at 10:35 PM

Application Version : 3.9.1008

Core Rules Database Version : 3408
Trace Rules Database Version: 1400

Scan type : Quick Scan
Total Scan Time : 00:34:25

Memory items scanned : 368
Memory threats detected : 3
Registry items scanned : 691
Registry threats detected : 19
File items scanned : 10778
File threats detected : 39

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\TUVSQ.DLL
C:\WINDOWS\SYSTEM32\TUVSQ.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\JNRGUSDI.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE955D35-F5C7-40FD-86C8-533E34604814}
HKCR\CLSID\{DE955D35-F5C7-40FD-86C8-533E34604814}
HKCR\CLSID\{DE955D35-F5C7-40FD-86C8-533E34604814}\InprocServer32
HKCR\CLSID\{DE955D35-F5C7-40FD-86C8-533E34604814}\InprocServer32#ThreadingModel
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}

Adware.Vundo-Variant/Small-A
C:\WINDOWS\SYSTEM32\JPQUWFBR.DLL
C:\WINDOWS\SYSTEM32\JPQUWFBR.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a179bd5d-e726-4a06-ab71-0187424407e2}
HKCR\CLSID\{A179BD5D-E726-4A06-AB71-0187424407E2}
HKCR\CLSID\{A179BD5D-E726-4A06-AB71-0187424407E2}\InprocServer32
HKCR\CLSID\{A179BD5D-E726-4A06-AB71-0187424407E2}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\FCFSSALJ.DLL
C:\WINDOWS\SYSTEM32\GBNDLDNM.DLL
C:\WINDOWS\SYSTEM32\HBOUKPIR.DLL
C:\WINDOWS\SYSTEM32\HEGLSHCQ.DLL
C:\WINDOWS\SYSTEM32\HXSMIPOU.DLL
C:\WINDOWS\SYSTEM32\IPGUKELO.DLL
C:\WINDOWS\SYSTEM32\JLEQVLQJ.DLL
C:\WINDOWS\SYSTEM32\JVUGCBNL.DLL
C:\WINDOWS\SYSTEM32\MJSIFOSR.DLL
C:\WINDOWS\SYSTEM32\MQYMOXSQ.DLL
C:\WINDOWS\SYSTEM32\NGSESWBO.DLL
C:\WINDOWS\SYSTEM32\PGRVUTUG.DLL
C:\WINDOWS\SYSTEM32\SVCUQWAD.DLL

Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\NGLVDSKW.DLL
C:\WINDOWS\SYSTEM32\NGLVDSKW.DLL

Trojan.Downloader-Gen/FotoMoto
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{733716E1-76D2-4003-AC39-845281C0EF85}

Adware.Tracking Cookie
C:\Documents and Settings\chris\Cookies\chris@bestsellerantivirus[1].txt
C:\Documents and Settings\chris\Cookies\chris@ad.yieldmanager[1].txt
C:\Documents and Settings\chris\Cookies\chris@msnportal.112.2o7[1].txt
C:\Documents and Settings\chris\Cookies\chris@sale.antispywaresuite[1].txt
C:\Documents and Settings\chris\Cookies\chris@doubleclick[1].txt
C:\Documents and Settings\chris\Cookies\chris@specificclick[2].txt
C:\Documents and Settings\chris\Cookies\chris@antispywaresuite[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt
C:\Documents and Settings\kim\Cookies\kim@ad.yieldmanager[2].txt
C:\Documents and Settings\kim\Cookies\kim@ads.pointroll[1].txt
C:\Documents and Settings\kim\Cookies\kim@atdmt[1].txt
C:\Documents and Settings\kim\Cookies\kim@doubleclick[1].txt
C:\Documents and Settings\kim\Cookies\kim@msnportal.112.2o7[1].txt
C:\Documents and Settings\kim\Cookies\kim@richmedia.yahoo[1].txt
C:\Documents and Settings\kim\Cookies\kim@specificclick[1].txt
C:\Documents and Settings\kim\Cookies\kim@statsgod[1].txt

Unclassified.Unknown Origin
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32#ThreadingModel

Malware.LocusSoftware Inc/PCPrivacyTool
HKLM\Software\Purchased Products

Rogue.SysCleaner
HKU\S-1-5-21-1645522239-813497703-1202660629-1004\Software\WinTouch

Adware.WinTouch/XInside
C:\Documents and Settings\chris\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\chris\Application Data\WinTouch

Trojan.Downloader-Gen/Bundle Installer
C:\WINDOWS\B153.EXE

Trojan.Downloader-Gen/FotoMoto-A
C:\WINDOWS\SYSTEM32\NSA1288.DLL
C:\WINDOWS\SYSTEM32\NSR8.DLL

Adware.Rabio Search Enhancer
C:\WINDOWS\SYSTEM32\W11\HIBA3133.EXE

Well, I hope I'm all clear, doc, let me know what you see. Thanks

EDIT: I just realized that this was a quick scan and I am currently performing a complete scan, sorry.

Edited by peacock1, 22 February 2008 - 11:29 PM.


#8 boopme

  • Global Moderator

Posted 22 February 2008 - 11:34 PM

Yeah, what happened is none of the tools were updating to the proper date, so it had old malware files. And you needed to close the possible exploits in Java.
Well, I think you're clean so..
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


#9 peacock1

  • Topic Starter

Posted 23 February 2008 - 08:35 AM

That's great, but I just did the complete scan and I came up with a few items, so hopefully I'm still clean. Here is the log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/23/2008 at 00:30 AM

Application Version : 3.9.1008

Core Rules Database Version : 3408
Trace Rules Database Version: 1400

Scan type : Complete Scan
Total Scan Time : 01:03:11

Memory items scanned : 366
Memory threats detected : 0
Registry items scanned : 6045
Registry threats detected : 9
File items scanned : 24816
File threats detected : 5

Adware.SprtAds/AdRotator
HKLM\Software\Classes\CLSID\{4AD44D3E-7316-4251-B754-9B10EC96AF92}
HKCR\CLSID\{4AD44D3E-7316-4251-B754-9B10EC96AF92}
HKCR\CLSID\{4AD44D3E-7316-4251-B754-9B10EC96AF92}
HKCR\CLSID\{4AD44D3E-7316-4251-B754-9B10EC96AF92}\InprocServer32
HKCR\CLSID\{4AD44D3E-7316-4251-B754-9B10EC96AF92}\InprocServer32#ThreadingModel
HKCR\CLSID\{4AD44D3E-7316-4251-B754-9B10EC96AF92}\ProgID
HKCR\CLSID\{4AD44D3E-7316-4251-B754-9B10EC96AF92}\Programmable
HKCR\CLSID\{4AD44D3E-7316-4251-B754-9B10EC96AF92}\TypeLib
HKCR\CLSID\{4AD44D3E-7316-4251-B754-9B10EC96AF92}\VersionIndependentProgID
C:\WINDOWS\SYSTEM32\SPRT_ADS.DLL

Adware.Tracking Cookie
C:\Documents and Settings\chris\Cookies\chris@msnportal.112.2o7[1].txt
C:\Documents and Settings\chris\Cookies\chris@specificclick[1].txt
C:\Documents and Settings\kim\Cookies\kim@advertising[2].txt

Rogue.LocusSoftware-Installer
C:\DOCUMENTS AND SETTINGS\CHRIS\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\99K70XJ6\ANTIVIRUSINSTALLFREENM_EN[1].CAB

I will set a restore point after I get the all clear from you, and thanks again for all of your help, you're a life saver!

#10 boopme

  • Global Moderator

Posted 23 February 2008 - 08:59 PM

Sorry to take so long, had a really busy day today. You may want to update and run the SAS scan a time or 2 more before the reset. Also scan your PC with this please: RogueRemover FREE
Also you should perhaps try installing SpywareBlaster 3.5.1; update it weekly. It helps prevent spyware from ever installing, and is free.

Just for the record, what are your AV, spyware and firewall?