Had Virus once thought it was gone..wrong?

10 replies to this topic

#1 V Martyr

Posted 29 March 2009 - 02:30 AM

Early this year, 1/1/09, I had the help of another forum (Internet Inspiration - they were great) and I thought I was clean, but I had a few indications that maybe I still had a remnant.
- When I open Word docs I get a warning that the file is already in use by another user (I did set up another user at one point but have since deleted it).
- I hear that Windows "thud" every so often (a search on this site led to that exact thread: http://www.bleepingcomputer.com/forums/index.php?showtopic=212192&hl=background%20processes&st=45), which led me to register and ask your help. I am trying to attach a .bmp of my task manager as there are 2 tasks that do not belong.

One is related to a user profile that has been deleted and the other is linked to "owner"

I still have several of the programs from my previous battle loaded on the computer. MBAM, Combofix, Killbox, and am using the f-secure product for protection from my Cable ISP.

I ran adaware and removed a piece of malware it found, but It will likely be back. I ran simple scans for malware after that using f-secure, as well as a rootkit scan and at that time both came up with nothing.

Thanks for reading this.
PS - I'll need a brief lesson in attaching images. I tried to link to my Picasa album but that was a no go. If the thread I added a link for was followed, you would see the same 2 tasks (different letters, hvvxvijy for example) as that person had.

Again, thank you.

#2 Guest_superbird_*

Posted 29 March 2009 - 11:25 AM

Hi,

First, delete ComboFix and Killbox immediately.
This is because those tools can damage your computer when you don't use them the right way (with a supervising person from the HJT group).

After this, do the following:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#3 V Martyr (Topic Starter)

Posted 29 March 2009 - 12:03 PM

Thanks SB. Since my original post I updated MBAM and ran it. I messed up a bit because my F-Secure through my cable ISP was still active, but here is the log:

Malwarebytes' Anti-Malware 1.35
Database version: 1915
Windows 5.1.2600 Service Pack 3

3/29/2009 10:26:56 AM
mbam-log-2009-03-29 (10-26-56).txt

Scan type: Full Scan (C:\|)
Objects scanned: 147639
Time elapsed: 41 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\senekavhkwbpfu.dll.0ir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\senekawjeyxety.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\senekawwqjnkvp.dll.0ir (Trojan.Seneka) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\seneka.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekajrwwaiyb.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{96439F1C-62BE-4598-89D2-C57363B204EC}\RP349\A0030838.dll (Trojan.Agent) -> Quarantined and deleted successfully.


I restarted and ran the full scan for F-secure (found one rootkit), rebooted, turned f-secure off, and ran MBAM again. Here is the second log:

Malwarebytes' Anti-Malware 1.35
Database version: 1915
Windows 5.1.2600 Service Pack 3

3/29/2009 12:28:29 PM
mbam-log-2009-03-29 (12-28-29).txt

Scan type: Full Scan (C:\|)
Objects scanned: 147422
Time elapsed: 23 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{96439F1C-62BE-4598-89D2-C57363B204EC}\RP349\A0030835.0ys (Rootkit.Agent) -> Quarantined and deleted successfully.

This second time I didn't reboot right away and tried to check email; things ran slow, but I was hoping for a notification that my post at Bleep had been replied to. It took so long I gave up and rebooted. Before it would shut down I got a "The following program is not responding: ()" message; I ended it and rebooted. On power up I downloaded the email notification from Bleep, came here and found your instructions.

I have deleted Killbox and combofix as instructed.

I may still need to figure out how to attach a screen shot because the 2 tasks in scheduler are still there. ddcdcCTM.dll and opnnkhfv.dll if you need to see them.

I will be patient and look forward to your next instructions, thank you!
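A note on reading the two MBAM logs above: every file entry in them sits either in ComboFix's quarantine folder (C:\Qoobox) or in a System Restore snapshot, i.e. stored copies rather than running malware, so the summary counts alone can overstate an active infection. The parser below is an added example (not part of this thread and not Malwarebytes' code) for this log layout: it cross-checks the summary counts against the detail entries and separates live file hits from inert copies. The sample log is constructed, and "example-live.dll" is an invented entry.

```python
import re
from collections import Counter

# Constructed sample in the MBAM 1.35 log layout quoted above; "example-live.dll" is invented.
SAMPLE_LOG = r"""Registry Keys Infected: 2
Files Infected: 3

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\seneka.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{GUID}\RP349\A0030838.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\example-live.dll (Trojan.Vundo) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Paths holding stored copies rather than running malware: ComboFix's
# quarantine folder (C:\Qoobox) and System Restore snapshots.
INERT_PREFIXES = ("c:\\qoobox\\", "c:\\system volume information\\")


def parse_mbam_log(text):
    """Return (summary counts by section, list of detection entries)."""
    summary, entries, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SUMMARY_RE.match(line):
            summary[m[1]] = int(m[2])          # e.g. "Files Infected: 3"
        elif m := HEADER_RE.match(line):
            section = m[1]                     # start of a detail section
        elif section and (m := ENTRY_RE.match(line)):
            entries.append({"section": section, **m.groupdict()})
    return summary, entries


def triage(text):
    """Cross-check summary counts against entries; split live file hits from inert copies."""
    summary, entries = parse_mbam_log(text)
    seen = Counter(e["section"] for e in entries)
    mismatch = {s: (n, seen[s]) for s, n in summary.items() if n != seen[s]}
    live = [e["path"] for e in entries if e["section"] == "Files Infected"
            and not e["path"].lower().startswith(INERT_PREFIXES)]
    return {"mismatch": mismatch, "live_files": live,
            "families": sorted({e["family"] for e in entries})}
```

Running `triage(SAMPLE_LOG)` on the constructed log reports no count mismatch and exactly one live file, the invented system32 DLL; the Qoobox and restore-point entries are filtered out as inert.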

#4 Guest_superbird_*

Posted 29 March 2009 - 12:06 PM

Hi,

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.

#5 V Martyr (Topic Starter)

Posted 29 March 2009 - 12:44 PM

SB, I ran it and it didn't find anything.



VundoFix V7.0.6

Scan started at 1:25:44 PM 3/29/2009

Listing files found while scanning....

No infected files were found.


I went to the properties of the task running with a mess of letters (snytjbky); this is below:


C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\ddcdcCTM.dll",ShellPath

#6 Guest_superbird_*

Posted 29 March 2009 - 12:50 PM

Hi,

Please use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database: Extended
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

#7 V Martyr (Topic Starter)

Posted 29 March 2009 - 01:10 PM

I never use IE, so I will do it through Firefox, but I don't know what IETab is. How do I find that in firefox?

#8 Guest_superbird_*

Posted 29 March 2009 - 01:15 PM

IETab is an Add-on for FireFox. But you can use IE too. It's just for one time.. :thumbsup:

#9 V Martyr (Topic Starter)

Posted 29 March 2009 - 03:13 PM

Rats, I hope I have done it right. I went through Firefox and ran Kasper through there; I don't know anything about the IE add-on. I first did "critical areas" (accidentally) and I am now scanning "My Computer". Is that ok? Or should I start over? It is 71% done and has found one threat name and one suspicious object.

#10 V Martyr (Topic Starter)

Posted 29 March 2009 - 03:24 PM

It finished, and it looks as though I didn't completely erase KillBox. I will have to go and check that again.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, March 29, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, March 29, 2009 18:18:29
Records in database: 1984838
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 66755
Threat name: 1
Infected objects: 0
Suspicious objects: 1
Duration of the scan: 00:51:00


File name / Threat name / Threats count
C:\!KillBox\Dc1.exe Suspicious: Trojan-Downloader.JS.gen 1

The selected area was scanned.

#11 Guest_superbird_*

Posted 30 March 2009 - 12:25 AM

Hi,

Indeed, delete this folder:
C:\!KillBox
Then, reboot your system.

Do you still have problems? :thumbsup:
