Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT log for Vundo infection (MS JUAN/MS TRACK SYSTEM) regenerating on reboot


  • Please log in to reply
2 replies to this topic

#1 sheara

sheara

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:07 AM

Posted 25 December 2008 - 11:52 PM

Hi. Below the row of astericks I have attached my Hijack This log. (Note: I ran this log after running MBAM and quarantining my two stubborn bugs. So I don't know if the problem will show up in my log. Once I reboot, the problem will be back, and maybe I should run this log again then? further explanation is below).

And here is a description of the status of my problem... I was alerted to a malware infection the other night by AVG and Zone Alarm as well as by the fraudulent "scan your computer" pop ups and other IE pop ups (even though I use Firefox) and the fact that I couldn't run Windows automatic updates.

Using Spybot and Malwarebytes Anit-malware (MBAM), I was able to reduce a big infection (including lots of Virtumonde/Vundo bugs and a few Smitfraud-C and MyWay.MyWebSearch bugs) and recover my access to Windows Updates. But two bugs remain, regenerating every time I reboot. They are:

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MS JUAN (Malware.Trace)
and
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MS TRACK SYSTEM (Trojan.Vundo)

When I quarantine/remove these with MBAM, the next scan shows zero infections until I reboot. Then the same two registry key infections show up, just to disappear again until reboot… I'm doing this all in safe mode, and my wireless internet radio is disabled. Also, I've tried scanning with Trojan Remove, AVG, VundoFix, and Spybot again and they all reveal nothing. I also uninstalled Java and manually removed remaining files (though I can see there are still files remaining in regedit that I'm afraid to mess with). And I've been repeatedly running RegSeeker and cleaning stuff out of some temp folders (though I'm not sure which ones matter and whether I should delete all files including desktop.ini files, etc.).

I have downloaded SuperAntiSpyware but haven't used it yet (and it was not able to get updates from the web for some reason; actually i wasn't able to get them for MBAM either), and I've heard about ComboFix but don't know if I need that. I've also read about using Avenger to remove certain targeted files. I don't really understand which to choose and in what sequence or how to use them. I was hoping some kind soul with experience with this particular pattern would walk me through what to do at this stage. Thanks in advance.



***********************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:36 PM, on 12/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Creative Labs

Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Adobe Version Cue

CS2\ControlPanel\VersionCueCS2Tray.exe
C:\DOCUME~1\me\LOCALS~1\Temp\clclean.0001
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {932FCE39-8F5E-42C8-A9FA-FB1251727A58} - (no file)
O2 - BHO: {a7218cfa-b438-c1e9-0824-7751a3de230a} -

{a032ed3a-1577-4280-9e1c-834bafc8127a} - C:\WINDOWS\system32\gzfyll.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program

Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround

Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common

Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common

Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe

Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe

Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program

Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program

Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [KeyAccess] C:\WINDOWS\keyacc32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe"

-atboottime
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media

Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support

Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program

Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program

Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support

Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone

Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program

Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program

Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Seagate Scheduler2 Service] "C:\Program Files\Common

Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe

/boot
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program

Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe"

/startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support

Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &

Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe

/RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe

/RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe

/RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe

/RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco

Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF -

res://C:\Program Files\Adobe\Adobe Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF -

res://C:\Program Files\Adobe\Adobe Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF -

res://C:\Program Files\Adobe\Adobe Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF -

res://C:\Program Files\Adobe\Adobe Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF -

res://C:\Program Files\Adobe\Adobe Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF -

res://C:\Program Files\Adobe\Adobe Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program

Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program

Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no

file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: KATRACK.DLL gzfyll.dll
O20 - Winlogon Notify: GoToAssist - C:\Program

Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common

Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated -

C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common

Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program

Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program

Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -

C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc.

- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program

Files\DellSupport\brkrsvc.exe
O23 - Service: IntelŪ PROSet/Wireless Event Log (EvtEng) - Intel

Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc.

- C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel

32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program

Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: IntelŪ PROSet/Wireless Registry Service (RegSrvc) - Intel

Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: IntelŪ PROSet/Wireless Service (S24EventMonitor) - Intel

Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Seagate Scheduler2 Service (SgtSch2Svc) - Seagate - C:\Program

Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter)

(sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell

Support Center\bin\sprtsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -

C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: IntelŪ PROSet/Wireless SSO Service (WLANKEEPER) - IntelŪ

Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12754 bytes

Edited by sheara, 26 December 2008 - 12:05 AM.


BC AdBot (Login to Remove)

 


#2 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:10:07 AM

Posted 06 January 2009 - 03:56 PM

Hello sheara

Welcome to the Bleeping Computer Malware Removal Forum, sorry about the delay, but the amount of people posting with infected computers is through the roof and sometimes we can't get to logs as fast as we would like to. If you have not resolved your issue and still need assistance, post a new HJT log please as your system may have changed since your original post.

Please post your HJT log this way as its unreadable the way you posted it
  • Open HJT Scan and Save a Log File, it will open in Notepad
  • Go to Format and make sure Wordwrap is Unchecked
  • Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Post Reply and not start a New Thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014



donate.gif Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days


#3 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:10:07 AM

Posted 12 January 2009 - 04:31 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.

mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014



donate.gif Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users