
MS Juan/MS Track System: Help!


14 replies to this topic

#1 jorge8907

jorge8907

  • Members
  • 26 posts
  • Gender:Male
  • Location:New Mexico

Posted 12 January 2009 - 02:38 PM

Hello!

I've been having problems removing the MS Juan/Trojan.Vundo combination. I ran the free version of AVG Anti-Virus and it was able to remove several threats on my computer system. I also ran Malwarebytes' Anti-Malware and it was able to remove most of the problematic threats also.

But when I keep doing a scan using Malwarebytes' program, I keep seeing two of the same infected files.


#2 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 12 January 2009 - 03:31 PM

ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Now SAS, may need an hour
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • Gender:Male
  • Location:NJ USA

Posted 12 January 2009 - 03:59 PM

Hello, could you also post the MBAM log, so we can see what those entries are.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear... Become a BleepingComputer fan: Facebook

#4 jorge8907

jorge8907
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Male
  • Location:New Mexico

Posted 12 January 2009 - 10:34 PM

Hello garmanma and boopme,

I would like to thank you for responding to my topic concerning the MS Juan/MS Track system infection.

Below I will attach the MBAM log that boopme asked for; I will also post the SuperAntiSpyware log that I received after running it in safe mode with the instructions given to me.

Thank you for all the help and I hope this is all better.




Malwarebytes' Anti-Malware 1.32
Database version: 1638
Windows 5.1.2600 Service Pack 1

1/10/2009 9:13:07 PM
mbam-log-2009-01-10 (21-13-07).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 143573
Time elapsed: 53 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\pjsnme.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{783165c5-08aa-4e87-ad10-2f5e80a5b3d3} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\pjsnme.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\feyhetok.dll (Trojan.Vundo) -> Quarantined and deleted successfully.



---------------------------------------



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/12/2009 at 08:23 PM

Application Version : 4.24.1004

Core Rules Database Version : 3706
Trace Rules Database Version: 1681

Scan type : Complete Scan
Total Scan Time : 02:20:21

Memory items scanned : 144
Memory threats detected : 0
Registry items scanned : 5385
Registry threats detected : 15
File items scanned : 75238
File threats detected : 8

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{D5BF4552-94F1-42BD-F434-3604812C807D}
HKCR\CLSID\{D5BF4552-94F1-42BD-F434-3604812C807D}
HKCR\CLSID\{D5BF4552-94F1-42BD-F434-3604812C807D}
HKCR\CLSID\{D5BF4552-94F1-42BD-F434-3604812C807D}#ThreadingModel
HKCR\CLSID\{D5BF4552-94F1-42BD-F434-3604812C807D}\InProcServer32
HKCR\CLSID\{D5BF4552-94F1-42BD-F434-3604812C807D}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\RAKMDLKD83INDFGNBU.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D5BF4552-94F1-42BD-F434-3604812C807D}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{D5BF4552-94F1-42BD-F434-3604812C807D}
C:\WINDOWS\SYSTEM32\FFKUZ.DLL

Adware.IST/YourSiteBar
C:\WINDOWS\Downloaded Program Files\ysbactivex.inf

Trojan.Unknown Origin
C:\Documents and Settings\Owner.YOUR-RVLNHR6V8D.005\Local Settings\Temporary Internet Files\CPV.stt

Rogue.Component/Trace
HKLM\Software\Microsoft\A8E1D8CA
HKLM\Software\Microsoft\A8E1D8CA#a8e1d8ca
HKLM\Software\Microsoft\A8E1D8CA#Version
HKLM\Software\Microsoft\A8E1D8CA#a8e1754a
HKLM\Software\Microsoft\A8E1D8CA#a8e11caf
HKU\S-1-5-21-2430854337-3498511485-1881300864-1003\Software\Microsoft\CS41275
HKU\S-1-5-21-2430854337-3498511485-1881300864-1003\Software\Microsoft\FIAS4018

Trojan.Fake-Alert/Trace
C:\Documents and Settings\Owner.YOUR-RVLNHR6V8D.005\Local Settings\Temporary Internet Files\fbk.sts

Trojan.Dropper/Packed
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\U8XQXAUP\PROTECTOR[1].EXE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\U8XQXAUP\PROTECTOR[2].EXE

Trojan.Gen
C:\WINDOWS\UNIFISH3.EXE
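The first MBAM log above shows why the same two items keep coming back: pjsnme.dll is listed under both Memory Modules and Files with the action "Delete on reboot", meaning the DLL was loaded in a running process and could only be staged for removal. As an added example (not from this thread and not Malwarebytes' own tooling), here is a Python parser for the MBAM 1.32 log format posted above. It pulls out every detection, cross-checks the summary counters against the listed entries, lists the items deferred to reboot, and reports items that recur between two scans. SAMPLE_LOG is a constructed excerpt of the log posted in this thread; the function names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the Malwarebytes' Anti-Malware 1.32 log posted
# in this thread, kept in the exact line format MBAM writes.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.32
Database version: 1638
Windows 5.1.2600 Service Pack 1

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 143573

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\pjsnme.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{783165c5-08aa-4e87-ad10-2f5e80a5b3d3} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\pjsnme.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\feyhetok.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# "Memory Modules Infected: 1"  -> summary counter
COUNT_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<n>\d+)$")
# "Memory Modules Infected:"    -> start of a detail section
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# "<item> (<threat name>) -> <action>."  -> one detection line
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass(frozen=True)
class Detection:
    section: str   # e.g. "Files Infected"
    item: str      # file path or registry key
    threat: str    # MBAM threat name, e.g. "Trojan.Vundo"
    action: str    # what MBAM did, e.g. "Delete on reboot"


def parse_mbam_log(text):
    """Return (header fields, summary counters, list of Detection) from an MBAM log."""
    header, counts, detections = {}, {}, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m["name"]] = int(m["n"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["name"]
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            detections.append(Detection(section, m["item"], m["threat"], m["action"]))
            continue
        if section is None and ":" in line:
            key, _, value = line.partition(":")   # "Database version: 1638" etc.
            header[key.strip()] = value.strip()
    return header, counts, detections


def count_mismatches(counts, detections):
    """Sections whose summary counter disagrees with the entries actually listed."""
    seen = {}
    for d in detections:
        seen[d.section] = seen.get(d.section, 0) + 1
    return sorted(name for name, n in counts.items() if n != seen.get(name, 0))


def pending_reboot(detections):
    """Items MBAM could not remove while Windows was running; they are removed at reboot."""
    return sorted({d.item for d in detections if d.action.lower().startswith("delete on reboot")})


def recurring(first, second):
    """Items present in both scans: the component is in use or is being re-dropped."""
    return sorted({d.item for d in first} & {d.item for d in second})


if __name__ == "__main__":
    header, counts, dets = parse_mbam_log(SAMPLE_LOG)
    print("database version:", header.get("Database version"))
    for d in dets:
        print(f"[{d.section}] {d.threat}: {d.item} -> {d.action}")
    print("deferred to reboot:", pending_reboot(dets))
    print("counter mismatches:", count_mismatches(counts, dets))
```

Run over two consecutive logs, recurring() returns the items that survived a reboot and a rescan, which is exactly the question boopme's follow-up quick scan answers: the second log in this thread is clean, so that set is empty.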

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • Gender:Male
  • Location:NJ USA

Posted 13 January 2009 - 11:31 AM

Hello, it wasn't my intention to take this thread away. I was just looking to see a similarity in the MBAM log to something else. Anyway, I've a few questions. Are you running Internet Explorer 5? Any particular reason? I see you also have XP Service Pack 1. These older versions contain vulnerabilities to infection.

Please check another item...
Go to Start>Control Panel. Add/Remove programs
Look up Java(if there). Highlight it and tell me what version it is.

You will need to run another MBAM scan.
Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick Scan and scan.
After the scan, click Remove Selected, post the new scan log and reboot.

#6 jorge8907

jorge8907
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Male
  • Location:New Mexico

Posted 13 January 2009 - 02:05 PM

Hello boopme,

Thank you for responding. Well, I wasn't sure if I am using Internet Explorer 5 but under the "About Internet Explorer" link, I found this: Version 6.0.2800.1106.xpsp2.050301-1526. I'm not sure if that's correct though. I understand that Internet Explorer is rumored to be the browser that is the most prone to infections, but I really can't install any other browsers due to SP1. I've installed Firefox but I don't like the way it works and it scrolls very oddly. I now see in MBAM where it might say that I have Internet Explorer 5, but I don't know which of the newer versions will install correctly due to SP1.

I've wanted to install one of the newer service packs but it says that you need to save all your files in a safe place. Of that I'm not sure.

As for the Java Version, I see Java™ SE Runtime Environment 6 Update 1 along with Java 6 update 7 and Java 6 update 10.

---------------

I have a question. After running all the programs I was instructed to do, I keep hearing the error sound such as the one you hear when the computer could not locate a file and shows a box on the screen. I hear the sound but I see no box, which has me wondering what it could be.


Finally, here is the updated MBAM log you asked for.




Malwarebytes' Anti-Malware 1.32
Database version: 1648
Windows 5.1.2600 Service Pack 1

1/13/2009 11:48:41 AM
mbam-log-2009-01-13 (11-48-41).txt

Scan type: Quick Scan
Objects scanned: 67766
Time elapsed: 10 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)






Thank you :]!

Edited by jorge8907, 13 January 2009 - 02:06 PM.


#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • Gender:Male
  • Location:NJ USA

Posted 13 January 2009 - 07:55 PM

Ok, you're not the first now with that ding sound. I've been looking at this. I don't have your answer yet.
You clicked on Help and About and it said IE 6, so I believe you have 6. Perhaps the malware just found some old version files to hide in. Besides, the tool took it out.
Your Java is one version back and you have vulnerable old ones on your machine, so here's how to fix that.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
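The uninstall step above asks for every JRE/J2SE entry older than 6 Update 11 to be removed. As an added example (not from this thread, and not Sun's or BleepingComputer's tooling), here is a Python helper that parses Add/Remove Programs display names into (major, update) version tuples and reports which entries are stale. The INSTALLED list is constructed from the versions jorge8907 reported plus two non-Java entries to show what gets ignored; on a live XP machine such names come from the DisplayName values under the Uninstall registry key named in the comment, but this example takes a plain list so it runs anywhere. The function names are this example's own.

```python
import re

# Constructed sample of Add/Remove Programs display names. On a live XP machine these
# are the DisplayName values under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<key>.
INSTALLED = [
    "Java(TM) SE Runtime Environment 6 Update 1",
    "Java(TM) 6 Update 7",
    "Java(TM) 6 Update 10",
    "J2SE Runtime Environment 5.0 Update 6",
    "Java Web Start",            # not a JRE entry; ignored
    "Mozilla Firefox (3.0.5)",   # unrelated product; ignored
]

# The version the thread recommends: JRE 6 Update 11.
LATEST = (6, 11)

# Matches the naming Sun used for JRE 5 and 6 entries:
#   "Java(TM) 6 Update 10", "Java(TM) SE Runtime Environment 6 Update 1",
#   "Java(tm) SE Runtime Environment 6 Update 1", "J2SE Runtime Environment 5.0 Update 6"
JRE_RE = re.compile(
    r"^(?:Java(?:\(TM\)|\u2122)?|J2SE)\s*"    # 'Java', 'Java(TM)', 'Java(tm)' or 'J2SE'
    r"(?:SE\s+)?(?:Runtime Environment\s+)?"
    r"(?P<major>\d+)(?:\.\d+)?"                # '6' or '5.0'
    r"(?:\s+Update\s+(?P<update>\d+))?",       # optional 'Update N'
    re.IGNORECASE,
)


def parse_jre_version(display_name):
    """Return (major, update) for a JRE/J2SE display name, or None if it is not one."""
    m = JRE_RE.match(display_name)
    if not m:
        return None
    return (int(m["major"]), int(m["update"] or 0))


def audit(display_names, latest=LATEST):
    """Split entries into (current, outdated, not_java) relative to `latest`."""
    current, outdated, not_java = [], [], []
    for name in display_names:
        version = parse_jre_version(name)
        if version is None:
            not_java.append(name)
        elif version < latest:          # tuple comparison: (6, 1) < (6, 11) < (7, 0)
            outdated.append(name)
        else:
            current.append(name)
    return current, outdated, not_java


def removal_list(display_names, latest=LATEST):
    """Names to uninstall before installing `latest`: every stale JRE/J2SE entry."""
    return audit(display_names, latest)[1]


if __name__ == "__main__":
    current, outdated, not_java = audit(INSTALLED)
    print("current :", current)
    print("outdated:", outdated)
    print("ignored :", not_java)
    print("uninstall these, then install 6 Update 11:", removal_list(INSTALLED))
```

With the sample list every Java entry is older than 6 Update 11, so removal_list() returns all four JRE/J2SE names and nothing else; after the uninstall and reinstall, rerunning the audit should show a single entry in the current list.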


#8 jorge8907

jorge8907
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Male
  • Location:New Mexico

Posted 13 January 2009 - 08:28 PM

Hello boopme,

I'd like to thank you again for replying to my topic. I deleted the older versions of Java and installed the new version that you asked me to. So that's squared away.

The error ding still keeps appearing because I heard it not too long ago. I thank you for your efforts in trying to figure out what this is because it just appears randomly out of nowhere.

And I'd like to say I'm glad that the MBAM log came out clean because I was sick of running the MBAM quick scan and those two items showing up time and time again.

Thank you.

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,421 posts
  • Gender:Male
  • Location:NJ USA

Posted 13 January 2009 - 08:49 PM

You're welcome, jorge. Please read this article from Microsoft, as I feel you should at least try to get to Service Pack 2.

Detailed installation walkthrough for Windows XP Service Pack 2

#10 jorge8907

jorge8907
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Male
  • Location:New Mexico

Posted 13 January 2009 - 11:50 PM

Hello boopme,

Sorry to get off-topic here but the thing that concerns me is the installation of SP2 is the backing up of files. I'm not sure how to do that exactly nor do I have some sort of external memory to back up the files. I have all my music files on this computer and it would be bad if I lost them.

So if I were to install SP2, would I need to get some sort of external memory to make a backup of all my files? And I understand that you can make a CD backup, but my CD burner died a long time ago; I never took the time to buy a new one since I use MP3s.

But thank you again for all the help and I hope the error ding gets fixed soon.

:D

#11 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 14 January 2009 - 04:22 PM

Depending on what you mean by "a lot of music files", it might pay for you to invest in an external hard drive, instead of burning a large number of CDs.
You can keep the cost down by buying the drive and the enclosure separately. Just be sure to get an enclosure that comes with a power module, not a USB power cord.
Mark

#12 jorge8907

jorge8907
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Male
  • Location:New Mexico

Posted 16 January 2009 - 02:27 AM

Hello,

What I meant by all my music files is about 5 GB worth of music files. So that may not be a lot, but that's all I have :D. So I don't know what would be the best method to approach for the installation of SP2.

Jorge

#13 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 16 January 2009 - 06:05 PM

Option 1 - buy a burner $$30 +
Option 2 - buy an external enclosure $30-$45 and a hard drive $50-??
Mark

#14 jorge8907

jorge8907
  • Topic Starter

  • Members
  • 26 posts
  • Gender:Male
  • Location:New Mexico

Posted 18 January 2009 - 06:30 PM

Hello,

I will think about those options. What is an external enclosure? I notice you said not to buy an external hard drive with a USB connection but with an external enclosure.

I was online the other day and the same rogue program that was giving me trouble last week was trying to install itself again. Luckily this time I was able to stop it and get rid of it fairly quickly, thanks to the instructions you guys had given me to deal with it.

Sometimes, I'd rather buy a new computer since this one is almost six years old (since we bought it). But I don't know how things are going to turn out.

-Jorge

#15 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 18 January 2009 - 07:44 PM

You can buy a prebuilt external hard drive or put your own together with an external enclosure:
http://www.newegg.com/Product/Product.aspx...N82E16817145656
I like this one because it has a fan

And a compatible IDE hard drive
Mark



