
Infected with jwgkvsq.vmx Win32:Confi [Wrm](avast)


4 replies to this topic

#1 div_dib

  • Members
  • 12 posts

Posted 08 January 2009 - 05:54 AM

Whenever I insert a USB drive in the computer, a file named autorun.inf and RECYCLER\5....\jwgkvsq.vmx are created automatically on all USB drives. I used avast but it is not able to solve the problem: it can detect jwgkvsq.vmx as Win32:Confi [Wrm] and also successfully removes it, but when I remove the USB drive and insert it again, it creates both files again. So please help as soon as possible. I used Malwarebytes Anti-Malware, Trend Micro Total Security, avast, USB virus scan, ComboFix, SmitFraudFix and other tools but was not able to solve this problem.

This blocks all antivirus sites, like www.avast.com, www.trendsecure.com, www.quickheal.com etc.

I have attached both files which were created automatically on the USB drive and also the DDS log Attach.txt.

DDS (Ver_09-01-07.01) - NTFSx86
Run by omkar at 15:45:57.20 on 2009-01-08
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.578 [GMT 5.5:30]

AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\USBScan\USBScan.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\WINDOWS\system32\calc.exe
C:\WINDOWS\dds.scr
C:\WINDOWS\dds.scr
C:\DOCUME~1\omkar\LOCALS~1\Temp\RarSFX1\ETPATHS.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [USBScan.exe] c:\program files\usbscan\USBScan.exe -Hide
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
dRunOnce: [RunNarrator] Narrator.exe
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 7.0\ie_banner_deny.htm
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\omkar\applic~1\mozilla\firefox\profiles\pv0twibq.default\
FF - component: c:\program files\trend micro\trendsecure\tisprotoolbar\firefoxextension\components\FFTMUFEHelper.dll
FF - component: c:\program files\trend micro\trendsecure\tisprotoolbar\firefoxextension\components\FFToolbarComm.dll

============= SERVICES / DRIVERS ===============

R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;c:\windows\system32\drivers\m4cxw2k3.sys [2008-6-9 227584]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-1-7 334352]
R4 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
R4 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R4 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\trend micro\trendsecure\securityactivitydashboard\tmarsvc.exe [2009-1-7 181584]
R4 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-1-7 49680]
R4 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-1-7 492888]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-1-7 36368]
R4 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-1-7 677128]
S4 jxxseclud;Helper Windows;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S4 MyDNS;Window Net Dns;c:\program files\internet explorer\svchost.exe --> c:\program files\internet explorer\svchost.exe [?]

=============== Created Last 30 ================

2009-01-08 15:45 368,831 a------- c:\windows\dds.scr
2009-01-08 14:18 192,512 a------- c:\windows\system32\kdfvmgr.exe
2009-01-08 14:18 77,824 a------- c:\windows\system32\kdfapi.dll
2009-01-08 14:18 53,248 a------- c:\windows\system32\Kdfhok.dll
2009-01-08 14:18 846,336 a------- c:\windows\system32\kdfinj.dll
2009-01-08 14:18 722,472 a------- c:\windows\system32\kdfmgr.exe
2009-01-08 14:18 <DIR> --d----- c:\windows\kdefense
2009-01-08 10:17 <DIR> --d----- C:\!KillBox
2009-01-08 09:26 <DIR> --d-h--- c:\windows\PIF
2009-01-07 17:50 <DIR> --d----- c:\windows\LocalSSL
2009-01-07 17:49 144,912 a------- c:\windows\system32\drivers\tmcomm.sys
2009-01-07 17:49 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-01-07 17:49 49,680 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-01-07 17:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trend Micro
2009-01-07 17:48 <DIR> --d----- c:\program files\Trend Micro
2009-01-07 17:47 661,808 a------- c:\windows\system32\UfWSC.cpl
2009-01-07 17:47 1,195,448 a------- c:\windows\system32\drivers\vsapint.sys
2009-01-07 17:47 334,352 a------- c:\windows\system32\drivers\TM_CFW.sys
2009-01-07 17:47 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2009-01-07 17:47 80,400 a------- c:\windows\system32\drivers\tmtdi.sys
2009-01-07 17:47 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2009-01-07 17:02 161,792 a------- c:\windows\SWREG.exe
2009-01-07 17:02 98,816 a------- c:\windows\sed.exe
2009-01-07 17:02 388,608 a------- c:\windows\system32\CF5010.exe
2009-01-07 17:02 <DIR> --d----- C:\ComboFix
2009-01-07 17:01 2,911,625 a----r-- c:\windows\ComboFix.exe
2009-01-07 16:52 <DIR> --d-h--- C:\wallpaper
2009-01-07 08:52 380,928 a------- c:\windows\system32\act3.tmp
2009-01-07 08:52 4,096 a------- c:\windows\system32\02.tmp
2009-01-07 08:47 380,928 a------- c:\windows\system32\act2.tmp
2009-01-07 08:46 4,096 a------- c:\windows\system32\01.tmp
2009-01-06 17:01 <DIR> --d----- c:\docume~1\omkar\applic~1\Malwarebytes
2009-01-06 17:01 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 17:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2008-10-23 09:46 53,248 a------- c:\windows\system32\hklspl.dll
2008-08-07 14:48 39 a------- c:\docume~1\omkar\applic~1\svighost.dll
2004-08-04 04:26 165,025 a--shr-- c:\windows\system32\pwvsgtnw.dll

============= FINISH: 15:46:34.12 ===============

So I need help.

Waiting for positive reply.

Regards
Divyesh Bardoliwala.



Edited by div_dib, 08 January 2009 - 06:00 AM.
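The DDS log above is what a helper reads first. As an added example, not part of this thread and not code from the DDS tool, the script below applies three triage heuristics to DDS service and file lines: a service whose binary DDS could not resolve (rendered with --> and [?]), svchost.exe started from a directory other than system32, and a file under system32 carrying both the hidden and system attributes. The sample lines are copied from the log in this post (with two clean entries kept for contrast); the regular expressions, severities and the Finding type are my own and not part of DDS.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape DDS prints; lines copied from the post's log.
SAMPLE_LOG = """\
============= SERVICES / DRIVERS ===============

R4 NwSapAgent;SAP Agent;c:\\windows\\system32\\svchost.exe -k netsvcs [2004-8-4 14336]
R4 TmProxy;Trend Micro Proxy Service;c:\\program files\\trend micro\\internet security\\TmProxy.exe [2009-1-7 677128]
S4 jxxseclud;Helper Windows;c:\\windows\\system32\\svchost.exe -k netsvcs [2004-8-4 14336]
S4 MyDNS;Window Net Dns;c:\\program files\\internet explorer\\svchost.exe --> c:\\program files\\internet explorer\\svchost.exe [?]

==================== Find3M ====================

2008-10-23 09:46 53,248 a------- c:\\windows\\system32\\hklspl.dll
2004-08-04 04:26 165,025 a--shr-- c:\\windows\\system32\\pwvsgtnw.dll
"""

SYSTEM32 = "c:\\windows\\system32\\"

# "R4 name;display name;image path [date size]" is DDS's service/driver line.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# "YYYY-MM-DD HH:MM size flags path" is DDS's file line (Created Last 30 / Find3M).
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:[\d,]+|<DIR>)\s+(\S{8})\s+(.+)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    item: str      # service short name or file path
    reason: str


def _service_findings(name: str, rest: str) -> list:
    findings = []
    image = rest.split(" [", 1)[0]  # drop the trailing "[date size]" or "[?]"
    if "-->" in image:
        findings.append(Finding("high", name,
                                "DDS could not resolve the service binary (shown with --> and [?])"))
    first = image.split("-->", 1)[0].strip().lower()
    idx = first.find(".exe")
    if idx == -1:
        return findings  # kernel drivers (.sys) are not examined by this heuristic
    exe_path, args = first[:idx + 4], first[idx + 4:]
    if exe_path.endswith("\\svchost.exe"):
        if not exe_path.startswith(SYSTEM32):
            findings.append(Finding("high", name,
                                    f"svchost.exe started from outside system32: {exe_path}"))
        elif "-k" in args:
            findings.append(Finding("info", name,
                                    "hosted in svchost.exe; the code that runs is the ServiceDll "
                                    "named in the service's registry key, which DDS does not show"))
    return findings


def triage(log_text: str) -> list:
    """Run the heuristics over every line; lines matching neither pattern are ignored."""
    findings = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            findings.extend(_service_findings(m.group(2), m.group(4)))
            continue
        m = FILE_RE.match(line)
        if m:
            flags, path = m.group(1), m.group(2).strip()
            # DDS's attribute column: 's' = system, 'h' = hidden, 'r' = read-only.
            if "s" in flags and "h" in flags and path.lower().startswith(SYSTEM32):
                findings.append(Finding("medium", path,
                                        "hidden+system attributes on a file in system32"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.item}: {f.reason}")
```

The "info" findings are deliberately not verdicts: an svchost-hosted service is normal on XP, and the only way to tell a legitimate one from a planted one is to look at the DLL its ServiceDll value names, which this log format does not include.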



#2 div_dib

  • Topic Starter
  • Members
  • 12 posts

Posted 09 January 2009 - 02:20 AM

Can anyone help, please?

#3 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location: Mikado Michigan

Posted 22 January 2009 - 12:20 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma. I apologize for the delay in getting you help.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer:

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

First, please perform a scan with Panda ActiveScan. ActiveScan does not remove adware/spyware but will auto-clean viruses and worms.
http://www.pandasoftware.com/products/activescan.htm

1. Click "Scan Your PC".
2. A new window will open. Click "Check Now!".
3. Fill in your registration and click "Scan Now!".
4. You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.
5. A new window will appear asking "Do you want to install this software?" Name: asinst.cab.
6. Select "Install" to download the ActiveX controls that allows ActiveScan to run.
7. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow".
8. Select a device to scan: Click on "Local Disks" [allow it to Auto Clean].
9. When the scan completes, if anything malicious is detected, click the "See Report button", then "Save Report" to your desktop.
10. Post back the results of your scan and any infected files that are found but not deleted.

Then turn off autoplay for your thumb drives: http://www.howtogeek.com/howto/windows/dis...and-usb-drives/
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families
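The symptom in this thread, autorun.inf plus a file under RECYCLER reappearing on every USB drive, can be checked for on a drive root before the drive is opened, which is the reason behind the advice to turn autoplay off. The Python below is an added example, not code from this thread or from any of the tools mentioned in it. It builds a temporary directory imitating that layout (the RECYCLER subfolder name is a placeholder, since the post shows it only as 5...., and the open= directive tying autorun.inf to the .vmx file is an assumption for the demo), parses the autorun.inf tolerantly, and reports the pattern.

```python
import os
import shutil
import tempfile

# autorun.inf keys that launch or point at a file; these are standard
# autorun.inf directive names, not specific to this worm.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\")
VMX_SUFFIX = ".vmx"  # the extension seen in the post (RECYCLER\...\jwgkvsq.vmx)


def parse_autorun(text: str) -> dict:
    """Collect key=value directives from autorun.inf, skipping section headers,
    comments and junk lines that carry no '='."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "[;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        directives[key.strip().lower()] = value.strip()
    return directives


def inspect_drive_root(root: str) -> list:
    """Return (severity, detail) findings for one removable-volume root."""
    findings = []
    referenced = set()  # file names that autorun.inf directives point at
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        findings.append(("medium", "autorun.inf present on the volume root"))
        with open(autorun, "r", errors="replace") as fh:
            directives = parse_autorun(fh.read())
        for key, value in directives.items():
            if key.startswith(LAUNCH_KEYS):
                target = value.strip('"').lower()
                referenced.add(target.replace("\\", "/").rsplit("/", 1)[-1])
                if "recycler" in target:
                    findings.append(("high", f"autorun.inf {key}= launches a file under RECYCLER: {value}"))
    recycler = os.path.join(root, "RECYCLER")
    if os.path.isdir(recycler):
        for dirpath, _dirs, files in os.walk(recycler):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                # A recycle-bin folder should not hold a file that autorun.inf launches.
                if name.lower().endswith(VMX_SUFFIX) or name.lower() in referenced:
                    findings.append(("high", f"payload-like file in the recycle-bin folder: {rel}"))
    return findings


def build_demo_volume() -> str:
    """Construct a temp directory imitating the infected USB drive from the post.
    The subfolder name is a placeholder: the post only shows it as '5....'."""
    root = tempfile.mkdtemp(prefix="usbdemo_")
    payload_dir = os.path.join(root, "RECYCLER", "5-PLACEHOLDER")
    os.makedirs(payload_dir)
    with open(os.path.join(payload_dir, "jwgkvsq.vmx"), "wb") as fh:
        fh.write(b"\x00constructed placeholder bytes, not the real file\x00")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        # The open= line tying autorun.inf to the .vmx file is an assumption for the demo.
        fh.write("[autorun]\n;comment\nlabel=USB DISK\nopen=RECYCLER\\5-PLACEHOLDER\\jwgkvsq.vmx\n")
    return root


if __name__ == "__main__":
    demo = build_demo_volume()
    try:
        for severity, detail in inspect_drive_root(demo):
            print(f"[{severity}] {detail}")
    finally:
        shutil.rmtree(demo)
```

Running the check against a drive letter (for example inspect_drive_root("E:\\") on Windows) only reads the drive; it does not change anything, so it is safe to use as a first look before deciding whether a drive needs cleaning.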


#4 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location: Mikado Michigan

Posted 27 January 2009 - 12:45 PM

If you still need help, please post something here to let me know you are still interested. If I don't hear anything in the next couple of days, this thread will be closed.

#5 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location: Mikado Michigan

Posted 03 February 2009 - 10:46 PM

This thread is closed due to inactivity.
If you need this topic reopened, please send me or another moderator a PM. This applies to the thread originator only; all others should start a new thread.