Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde.prx/MSServer Infection


  • This topic is locked This topic is locked
19 replies to this topic

#1 lgates

lgates

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 11 January 2009 - 09:58 AM

Hi guys -- Some brief history: At one point I had the Virtumonde virus which I *think* I successfully removed. However, Spybot is reporting that I still have the MSServer startup entry (which I definitely do although it points to a dll I successfully removed). Unfortunately I am unable to remove this startup entry. I've successfully removed it when in safe mode when disconnected from the internet, however, it comes back once I plugin in my ethernet cable.

So if possible I'd like to remove this startup entry and MSServer as well.

Thanks!!

Louis



DDS (Ver_09-01-07.01) - NTFSx86
Run by Louis at 9:48:41.99 on 2009-01-11
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_07
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.1838 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Norton Internet Security *On-access scanning enabled* (Outdated)
FW: Norton Internet Security *disabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Proxure\MCE Tunes Pro\MCETunesExtenderSupport.exe
C:\Program Files\Proxure\MCE Tunes Pro\ProxureQTHost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\System32\jureg.exe
C:\Windows\system32\schtasks.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\ehome\ehmsas.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\regedit.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Users\Louis\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {22B7B5F0-5124-4946-A6BE-0B78599D32C5} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {B1E27642-6F45-4253-A46A-E6261BC67A5A} - No File
BHO: {B3983B5E-1B68-44D8-8D36-D9AD07F4778D} - No File
BHO: {BC3FC01A-E85B-4FC3-89C7-C6A5CC7C31AF} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: js memory leaks detector: {4a4c9351-2729-4715-a85c-7c91f9ba1d22} - c:\program files\microsoft\jsleaksdetector\JSLeaksDetector.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [<NO NAME>]
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [MSServer] rundll32.exe c:\windows\system32\ljJbawxx.dll,#1
mRunOnce: [MCE Tunes Extender Support] "c:\program files\proxure\mce tunes pro\LaunchExtenderSupport.exe"
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
SEH: {B3983B5E-1B68-44D8-8D36-D9AD07F4778D} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\vTlLcyAP

================= FIREFOX ===================

FF - ProfilePath - c:\users\louis\appdata\roaming\mozilla\firefox\profiles\wx0d9mgu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-14 97928]
R3 Pxrmcet;Pxrmcet;c:\windows\system32\drivers\Pxrmcet.sys [2007-11-13 15104]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-14 231704]
R4 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
R4 MSSQL$MYMOVIES;SQL Server (MYMOVIES);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
R4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-11-15 809296]
S3 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2008-1-17 24635]
S4 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]

=============== Created Last 30 ================

2009-01-04 08:25 2,014 a------- c:\windows\wininit.ini
2008-12-28 09:42 <DIR> --d----- c:\users\louis\appdata\roaming\JimbobSoft
2008-12-28 09:42 <DIR> --d----- c:\program files\JimbobSoft
2008-12-21 12:15 <DIR> --d----- c:\users\louis\appdata\roaming\OpenOffice.org
2008-12-21 12:13 <DIR> --d----- c:\users\louis\Logitech
2008-12-21 12:12 <DIR> --d----- c:\program files\common files\Remote Control Software Common

==================== Find3M ====================

2008-12-21 12:12 143,360 a------- c:\windows\inf\infstrng.dat
2008-12-21 12:12 51,200 a------- c:\windows\inf\infpub.dat
2008-12-21 12:12 86,016 a------- c:\windows\inf\infstor.dat
2008-11-24 20:06 318,976 a------- c:\windows\system32\CF5294.exe
2008-11-17 23:50 262,144 a------- C:\ntuser.dat
2008-11-14 22:44 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-11-14 22:44 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2008-10-31 22:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-10-31 22:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-10-31 22:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-10-31 22:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-10-31 22:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-10-31 22:44 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-10-31 20:21 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-10-29 01:29 2,927,104 a------- c:\windows\explorer.exe
2008-10-21 22:57 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-10-21 20:22 2,048 a------- c:\windows\system32\tzres.dll
2008-10-21 00:25 296,960 a------- c:\windows\system32\gdi32.dll
2008-10-21 00:25 1,645,568 a------- c:\windows\system32\connect.dll
2008-10-16 15:56 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-10-16 15:55 83,456 a------- c:\windows\system32\wudriver.dll
2008-10-16 14:08 162,064 a------- c:\windows\system32\wuwebv.dll
2008-10-16 13:56 31,232 a------- c:\windows\system32\wuapp.exe
2008-10-15 23:47 827,392 a------- c:\windows\system32\wininet.dll
2008-07-21 21:49 174 a--sh--- c:\program files\desktop.ini
2008-07-21 21:39 665,600 a------- c:\windows\inf\drvindex.dat
2008-04-27 13:04 794 a------- c:\users\louis\appdata\roaming\wklnhst.dat
2007-12-23 09:26 92,064 a------- c:\users\louis\mqdmmdm.sys
2007-12-23 09:26 79,328 a------- c:\users\louis\mqdmserd.sys
2007-12-23 09:26 66,656 a------- c:\users\louis\mqdmbus.sys
2007-12-23 09:26 25,600 a------- c:\users\louis\usbsermptxp.sys
2007-12-23 09:26 22,768 a------- c:\users\louis\usbsermpt.sys
2007-12-23 09:26 9,232 a------- c:\users\louis\mqdmmdfl.sys
2007-12-23 09:26 6,208 a------- c:\users\louis\mqdmcmnt.sys
2007-12-23 09:26 5,936 a------- c:\users\louis\mqdmwhnt.sys
2007-12-23 09:26 4,048 a------- c:\users\louis\mqdmcr.sys
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-07-17 19:28 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-07-17 19:28 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-07-17 19:28 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-02-19 13:31 22 a--sh--- c:\windows\sminst\HPCD.sys
2007-09-11 16:47 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 9:49:13.72 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:17 PM

Posted 25 January 2009 - 03:10 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma. I appologize for the delay in getting you help.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out thier hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform FULL Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

It has been a while since you posted your log, if you still want help could you please post a new one?
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#3 lgates

lgates
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 27 January 2009 - 06:22 PM

Hi Hoov -- Thanks for the reply! I would still like help figuring out how to remove the startup entry. I have attached recent DDS and Attach log files.

As far as what I have done to fix the problem it was so long ago I honestly can't tell you exactly what I did. At one point I know that I scanned all those DLLs in my system32 folder using kapersky's online file scan. It said several of the DLLs that Virtumonde creates were obviously infected so I booted in safe mode and deleted them all. That actually seemed to fix things however now when I run Spybot it still detects that registry entry for c:\windows\system32\ljJbawxx.dll even though that file no longer exists (it's one of the files that Kapersky said was infected so I deleted it). I'd like to accomplish 2 things - 1) confirm that I no longer have the Virtumonde virus and 2) remove that startup entry from my registry so Spybot no longer reports that I have the Virtumonde virus. I actually was able to remove that file from my registry when I booted in safe mode and was disconnected from the internet, however, it returned as soon as I connected plugged in the ethernet cable and booted in normal mode. This makes me think that I have some residual effects of Virtumonde.

Thanks for the help Hoov!

Here is the output of the Malware scan:

Malwarebytes' Anti-Malware 1.33
Database version: 1697
Windows 6.0.6001 Service Pack 1

2009-01-27 06:21:44 PM
mbam-log-2009-01-27 (18-21-44).txt

Scan type: Full Scan (C:\|D:\|J:\|)
Objects scanned: 363406
Time elapsed: 2 hour(s), 39 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 20
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:17 PM

Posted 27 January 2009 - 08:26 PM

OK, go ahead and update Spybot and run a full scan. Looks like Malwarebytes' Anti-Malware got that registry entry for you, and 3 other tracks of Vundo.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#5 lgates

lgates
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 31 January 2009 - 09:54 AM

Hi Hoov -- Unfortunately that registry entry still exists according to SpyBot. Can you please help me figure out how to remove it?

Thank you.

#6 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:17 PM

Posted 31 January 2009 - 12:27 PM

Can you post up the log from Spybot?
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#7 lgates

lgates
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 31 January 2009 - 01:39 PM

Hi Hoov. The SpyBot report is attached.

Attached Files



#8 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:17 PM

Posted 31 January 2009 - 01:42 PM

copy the lines below and paste them into Notepad.
Save the file as begone.reg, double click it and allow for the registry changes to be made.

REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer]

Now reboot and run the scan again.

Edited by Hoov, 31 January 2009 - 01:43 PM.

Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#9 lgates

lgates
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 31 January 2009 - 02:01 PM

Hi Hoov, that didn't help. The registry entry still exists.

#10 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:17 PM

Posted 31 January 2009 - 02:54 PM

  • Please download VirtumundoBeGone. and save the file to a convenient location, such as your Windows desktop.
  • Close ALL running programs including your Internet Browser.
  • Double-click VirtumundoBeGone.exe to launch it.
  • Read the introductory information, and then click "Continue".
  • Click "Start".
  • When asked if you want to continue, click "Yes" to run the fix.
  • Do not worry if you see a BLUE SCREEN "Fatal Error" Message. It is normal and expected.
  • When finished it will create a log named VBG.TXT on your desktop.
    *]Reboot your PC and post the VBG.TXT along with a fresh hijackthis log in your next reply.

Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#11 lgates

lgates
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 31 January 2009 - 10:33 PM

Hi Hoov - I've attached both logs as requested. When I rebooted I still see the same error message about the missing c:\windows\system32\ljJbawxx.dll which means that registry entry still exists. What keeps adding that entry back to my registry? Is it the Virtumonde virus itself or some other process?

Thank you.

Louis

Attached Files



#12 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:17 PM

Posted 31 January 2009 - 11:02 PM

Got me. Your system scans clean, except for 1 registry entry, and by itself it can't do anything because the file isn't there.

# Open Registry Editor. (Go to the run command and type in regedit)
# On the File menu, click Export.
# In File name, enter a name for the registry file.
# Under Export range, do one of the following:

* To back up the entire registry, click All.
* To back up only a particular branch of the registry tree, click Selected branch and enter the name of the branch you want to export.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer

Then attach the file with your next post.


Is there anything else that you can think of that happens out of the ordinary? No matter how small.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#13 lgates

lgates
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 01 February 2009 - 07:53 AM

Hi Hoov -- Using HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer as the selected branch didn't work because it said it didn't exist. However I was able to use HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and have attached the file.

The only things that I see and consider to be out of the ordinary are the message I get when starting up that says it can't find that DLL and the SpyBot message I get everytime I run SpyBot. Both of those things happen because of that MSServer startup registry entry that I can't permanently get rid of. The thing that concerns me is that registry entry is added back by some process after a reboot even after we successfully deleted it. This makes me think I'm somehow not virus free just yet.

Thanks again.

Louis

Attached Files



#14 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:17 PM

Posted 01 February 2009 - 11:47 AM

Apparently I had it wrong, and you were closer to being right. Go to this key,

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

And delete this entry, "MSServer"="rundll32.exe C:\\Windows\\system32\\ljJbawxx.dll,#1" it will be in the right hand window.

Once you do that, reboot windows and do another scan and lets make sure it doesn't popup again.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#15 lgates

lgates
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 02 February 2009 - 09:52 PM

Hi Hoov - Manually deleting that registry entry doesn't help. After rebooting it shows up in the registry again.

Louis




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users