Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Problem With Trojan.duntek


  • Please log in to reply
7 replies to this topic

#1 fsupilam

fsupilam

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:09 AM

Posted 28 March 2007 - 08:16 AM

I am constantly getting popups from registrydefener, laughnetwork and many others. I followed all of the steps in the preperation guide. When I run my anti virus scanner Trojan.Duntek always shows up in the jkkjihg.dll file under system32. I have cleaned and deleted the problem, but it keeps coming back. I also deleted all cookies, but after a couple minutes many come back automatically. media fasclick is the most prominent. Thanks for any help. Here is the hijack this log file

Logfile of HijackThis v1.99.1
Scan saved at 9:02:33 AM, on 3/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ACT\SideACT.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\WINDOWS\system32\Explorer.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {182543c6-50a3-44b6-9c5b-14779566d920} - C:\WINDOWS\system32\lnkess.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp14A.tmp.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NwCplMonitor] C:\WINDOWS\system32\redistributor.exe
O4 - HKLM\..\Run: [naqudw] C:\WINDOWS\system32\oimdey.exe reg_run
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Wtss] "C:\WINDOWS\PPPATC~1\arpa.exe" -vt yazr
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kwxvf] C:\WINDOWS\system32\oimdey.exe reg_run
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://video.manheim.com/lib/LiveSound.dll
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O20 - AppInit_DLLs: c:\windows\system32\jkkjihg.dll
O20 - Winlogon Notify: lnkess - C:\WINDOWS\SYSTEM32\lnkess.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

BC AdBot (Login to Remove)

 


m

#2 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:09 AM

Posted 31 March 2007 - 06:37 AM

  • Go to Start > My Computer
  • Go to Tools > Folder Options
  • Click on the View tab
  • Untick the following:
    • Hide extensions for known file types
    • Hide protected operating system files (Recommended)
  • You will get a message warning you about showing protected operating system files, click Yes
  • Make sure this option is selected:
    • Show hidden files and folders
  • Click Apply and then click OK
Then please upload this file:

c:\windows\system32\jkkjihg.dll

To either jotti or virustotal

Repeat for this file:

C:\WINDOWS\System32\alg.exe

Please download Qoofix by RubbeR DuckY from one of the following locations:

http://www.malwarebytes.org/Qoofix.zip or
http://www.besttechie.net/tools/Qoofix.zip
  • Unzip all files to a convenient location such as C:\Qoofix.
  • Go to the folder you unzipped all files and run Qoofix.exe.
  • Click Begin Removal and wait for the scan to finish.
  • If an infection has been found, select yes to restart your computer.
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt, the qoofix log, the jotti/virustotal results and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

#3 fsupilam

fsupilam
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:09 AM

Posted 02 April 2007 - 10:33 AM

I ran the panda software before you were able to get back to me. That was able to remove the problems with the Trojan.Duntek in the jkkjihg.dll file in system 32. It also appears to have gotten rid of alg.exe as neither file is there any more. I still have problems with pop ups thought. Also, when I start my computer I get an error that C://Windows/jkkjihg.dll cannot run because the module is not found. Not sure what this is.
. Symantec blocks two downloaders that are new. One in C://windows/system32/explorer.exe the other is 070327[1].exe
Attached is the new Hijack this log and vundo log. Qoofix found nothing wrong.

Logfile of HijackThis v1.99.1
Scan saved at 11:27:34 AM, on 4/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NwCplMonitor] C:\WINDOWS\system32\redistributor.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\jkhigg.dll",setvm
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Wtss] "C:\WINDOWS\PPPATC~1\arpa.exe" -vt yazr
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://video.manheim.com/lib/LiveSound.dll
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O20 - AppInit_DLLs: c:\windows\system32\jkkjihg.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



VundoFix V6.3.19

Checking Java version...

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Scan started at 11:13:01 AM 4/2/2007

Listing files found while scanning....

C:\WINDOWS\system32\lnkess.dll
C:\WINDOWS\system32\tmp12.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\lnkess.dll
C:\WINDOWS\system32\lnkess.dll Has been deleted!

Performing Repairs to the registry.
Done!

#4 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:09 AM

Posted 03 April 2007 - 05:33 AM

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines(if still present)


O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\jkhigg.dll",setvm
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Wtss] "C:\WINDOWS\PPPATC~1\arpa.exe" -vt yazr
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O20 - AppInit_DLLs: c:\windows\system32\jkkjihg.dll

Then close all windows except HijackThis and click Fix Checked

Restart

Use windows explorer to find and delete these files:

C:\WINDOWS\jkhigg.dll
c:\windows\system32\IExplorer.dll
c:\windows\system32\jkkjihg.dll

And this folder:

C:\WINDOWS\PPPATC~1\ <<The first six letters in the folder name will be PPPATC

Then please upload this file:

C:\WINDOWS\system32\redistributor.exe

To either jotti or virustotal

Post back with the jotti/virustotal results and a new HijackThis log

#5 fsupilam

fsupilam
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:09 AM

Posted 03 April 2007 - 07:45 AM

When I tried to delete the items from Hijackthis I got the following error:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: c:\windows\system32\jkkjihg.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

Of the files and folders you said to delete the only one left was System32/Iexplorer.dll

I could not find the file you wanted me to upload to jotti.

Logfile of HijackThis v1.99.1
Scan saved at 8:39:02 AM, on 4/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ACT\SideACT.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NwCplMonitor] C:\WINDOWS\system32\redistributor.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://video.manheim.com/lib/LiveSound.dll
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#6 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:09 AM

Posted 03 April 2007 - 08:48 AM

Hows it running now?

#7 fsupilam

fsupilam
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:09 AM

Posted 03 April 2007 - 08:51 AM

Seems to be running fine. I have had no popups.

Should I leave Qoofix and Vunundo on my computer?

Thanks for your help

#8 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:09 AM

Posted 03 April 2007 - 09:39 AM

You can delete qoofix and vundofix, they're both only used for specific infections

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 .
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
You now appear to be clean. Congratulations!

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints, you need to be registered to post as unfortunately we were hit with too many spam posting to allow guest posting to continue just find your country room and register your complaint.
The infection you had was vundo

Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
  • Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Reboot.

    Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.
    NOTE: only do this ONCE,NOT on a regular basis
  • Keep your antivirus and firewall updated
  • Keep windows up to date with the latest patches


    IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

    If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
  • Install spywareblaster
    Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
    kill bits
    in the registry, so that certain activex controls can't install.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster here here
    Make sure to update it on a regular basis
  • Install IE-SPYAD
    Dowload and instructions located here
    Make sure to update it on a regular basis
  • Use a HOSTS file
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    • Click the start button (at the lower left hand corner of your screen)
    • Click run
    • In the dialog box, type services.msc
    • hit enter, then locate dns client
    • Highlight it, then double-click it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click ok
  • Install and use Ad-aware & Spybot search & destroy
    Instructions are located here
    Make sure to update them on a regular basis
  • Most exploits are aimed at internet explorer, so I recommend you switch to an altenative browser
    Two good alternative browsers are
    Firefox
    Opera
    It is essential to update to the latest version of your browser, as the updates fix known security holes
  • Even if you do decide to switch to another browser, it is still a good idea to lock down Internet explorer
    This can be done by following these simple instructions:
    From within Internet Explorer click on the Tools menu and then click on Options.
    Click once on the Security tab
    Click once on the Internet icon so it becomes highlighted.
    Click once on the Custom Level button.
    Change the Download signed ActiveX controls to Prompt
    Change the Download unsigned ActiveX controls to Disable
    Change the Initialize and script ActiveX controls not marked as safe to Disable
    Change the Installation of desktop items to Prompt
    Change the Launching programs and files in an IFRAME to Prompt
    Change the Navigate sub-frames across different domains to Prompt
    Change the allow paste operations via script to Disable
    When all these settings have been made, click on the OK button.
    If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.
  • Clean out you temp file on a regular basis
    I use and recommend ATF Cleaner by Attribune
    To use it, follow these instructions
    • Double-click ATF-Cleaner.exe to run the program.
    • Click Main at the top and choose Select All from the list.
    • Click the Empty Selected button.
    If you use Firefox browser:
    • Click Firefox at the top and choose Select All from the list.
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser:
    • Click Opera at the top and choose Select All from the list.
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
  • Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users