
virus / trojan / malware / ?


Original Message
Name: mangelo
Date: February 29, 2008 at 07:02:04 Pacific
Subject: virus / trojan / malware / ?
OS: Windows XP Pro SP2
CPU/Ram: P IV 3.2GHz / 1 gig
Model/Manufacturer: Dell Optiplex GX270
Comment:

After cleaning with eTrust, Spybot & Adaware I still have an intermittent pop-up and startup lag on my work computer. IT just says run the scanners and shrugs their shoulders. Spybot is repeatedly reporting Virtumonde. I have VundoFix which returns nothing and VirtumundoBeGone returns a bunch of I don't know what. I also put AVG on and it's got 70 files in the vault including a repeating trojan in
C:\Windown\System32\xyguyyf.dll (hope I wrote that correct)
AVG has recorded viruses and malware, I can only hope it's really fixed some of what it's found. I know enough not to trust myself to just dump the vault, nor simply follow help you provided someone else (...or should I?)




Response Number 1
Name: jabuck
Date: February 29, 2008 at 14:08:14 Pacific
Subject: virus / trojan / malware / ?

Run the following scans in order and post the results.

Go to the this link:

Disable Realtime Protection

Follow their directions to disable any realtime protection that you have as it will interfere with the fix by reinstalling the corrupt files.

Please download Atribune's VundoFix.exe from the following site to your desktop:

Vundofix.exe

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files,
click "yes".

Once you click yes, your desktop will go blank as it starts removing
Vundo.

When completed, it will prompt that it will reboot your computer,
click "ok".

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.



Response Number 2
Name: plrpro
Date: March 1, 2008 at 10:59:23 Pacific
Subject: virus / trojan / malware / ?

Man I have seen this adware program for years. It still bugs me when I run into it. Just go to http://www.virtumonde.net

They have like 5 different guides on how to remove this thing. The guides are actually well written. Just be sure to follow what they say without missing a step.



Response Number 3
Name: mangelo
Date: March 3, 2008 at 07:18:49 Pacific
Subject: virus / trojan / malware / ?

I may be flaunting my ignorance here, I ran ComboFix and didn't see any results or log file. Feel free to point out my mistakes if I made any. Here's what HJT produced. VundoFix came up empty.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:00 AM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Lotus\Notes\ntmulti.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\Asset Services Management\ASMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\dpmw32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Symantec\Ghost\ngtray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MP4 Player\mp4Player.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\TimeTracking\TIMETRAK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Alpine\View750\CRP32002.NGN
C:\Alpine\Ais\AlOutput.exe
C:\Lotus\Notes\NLNOTES.EXE
C:\alpine\view750\shared\AlpineCommonInfo.exe
C:\Lotus\Notes\ntaskldr.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Electronic Office\PlotEdit.Exe
c:\progra~1\msgcntr\MSGCNTR.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.defaulthomepage.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_16_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {22DB6ECA-BCA3-412B-A56D-BE37546CD5EA} - \
O2 - BHO: (no name) - {23746B40-0738-4E2B-ACB8-271A7FC8BF3C} - \
O2 - BHO: {bd2e5ffa-de43-8b89-38a4-1cb4bbac2b82} - {28b2cabb-4bc1-4a83-98b8-34edaff5e2db} - C:\WINDOWS\system32\oibqwjox.dll (file missing)
O2 - BHO: (no name) - {2DDEF4CB-16C3-4062-86A2-340D7CEAFCC8} - \
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {3AAEC48E-DE35-46A9-9973-3B4BB62CDBEE} - C:\WINDOWS\system32\gebcc.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {97189509-1b4e-4b78-b86e-f374000ef6ad} - C:\WINDOWS\system32\yvlyqgw.dll (file missing)
O2 - BHO: (no name) - {C66E91A8-320C-463D-ADE5-044F09F90802} - C:\WINDOWS\system32\ddaby.dll (file missing)
O2 - BHO: (no name) - {D19A5B04-982E-49A8-90DA-D97C668E334D} - C:\WINDOWS\system32\ssttu.dll (file missing)
O2 - BHO: (no name) - {FBDE72B7-E5CF-4EF8-9D4B-D03C6795131E} - C:\WINDOWS\system32\vtutu.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [uwas7cw] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NGTray] "C:\Program Files\Symantec\Ghost\ngtray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [MP4 Player] "C:\Program Files\MP4 Player\mp4Player.exe" hmw
O4 - HKCU\..\Run: [RegistryCleanFixMFC] C:\Program Files\RegistryCleanFix2008\RegistryCleaner2008.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TISKY009.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HB 7.50.lnk = C:\Alpine\View750\ASF\ASF.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Service Manager.LNK = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Shortcut to TIMETRAK.EXE.lnk = C:\Program Files\TimeTracking\TIMETRAK.EXE
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.13\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.13\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.com...
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: ASMAgent - ASAP Software, Inc. - C:\Program Files\Asset Services Management\ASMAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Ghost Client Agent (NGCLIENT) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe

--
End of file - 10290 bytes



Response Number 4
Name: jabuck
Date: March 3, 2008 at 14:48:19 Pacific
Subject: virus / trojan / malware / ?

Go to start> run> type in combofix /u (there must be a space after combofix) then press ok. Download combofix and run it again it may take up to twenty minutes but usually much less for it to finish. The log is the last item produced.



Response Number 5
Name: mangelo
Date: March 4, 2008 at 07:03:24 Pacific
Subject: virus / trojan / malware / ?

I loaded and ran ComboFix again and I get the same thing as before. I hit the icon and a progress bar appears and finishes. The screen flashes for a second and then nothing. I see no new files created to my knowledge. That run command doesn't work, windows doesn't find it.
I searched C: and my desktop for ComboFix files and got 1. the ComboFix.exe,

2. a ndis_combofix.dat which had this

findstr.exe -mi "update_load" %systemdrive%\cp*.nls >ndis00 2>nul

for /f "tokens=*" %%g in ( ndis00 ) do @(
del /a/f/q "%%~g" >nul 2>&1
if not exist "%%~g" echo."%%~g">>drev.dat
if exist "%%~g" echo.%%~g . . . . failed to delete>>drev.dat
)

del ndis00 2>nul

3. and last a COMBOFIX.EXE-1D776EAF.pf which has some indecipherable computer garble.

Is any of this telling you anything?




Response Number 6
Name: jabuck
Date: March 5, 2008 at 03:15:29 Pacific
Subject: virus / trojan / malware / ?

Go to start> run> control panel> add/remove programs and uninstall this rogue program

WinAntiSpyware 2007

Then search for combofix.exe and rename it to fixme.exe and try to run it again.


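Added example, not code from the thread or from HijackThis, ComboFix or any other tool named in it: a small Python triage script that does the first-pass reading of a HijackThis log that jabuck's Response 1 asks the poster to leave to a human ("Do NOT have HijackThis fix anything yet"). It parses R0/R1, O2 and O4 lines, flags BHO entries whose DLL is missing or blank, autorun entries for the rogue program jabuck names in Response 6, a start page that differs from the same hive's Default_Page_URL, and a startup shortcut that launches an executable straight from the Windows directory. The line formats, the regular expressions and the heuristics are assumptions inferred from the log in Response 3; the constructed sample below is a subset of that log with benign neighbours kept so there is something for the rules to leave alone. A flagged line is a candidate for review, not a verdict.

```python
"""Triage a HijackThis log: flag lines worth a second look, never auto-fix."""
import re
from typing import Dict, List, Tuple

# Rogue program name as identified by jabuck in Response 6 of the thread.
KNOWN_ROGUE_PROGRAMS = ("WinAntiSpyware 2007",)

# Line formats are assumptions inferred from the log posted in Response 3.
R_RE = re.compile(
    r"^R[01] - (?P<hive>HK\w+)\\Software\\Microsoft\\Internet Explorer\\Main,"
    r"(?P<key>[\w ]+) = (?P<url>\S+)$"
)
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$"
)
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+|Startup|Global Startup)[^:]*: (?P<rest>.*)$")
# Heuristic (assumption): installed software rarely launches an .exe that sits
# directly in C:\WINDOWS rather than in system32 or Program Files.
WINROOT_EXE_RE = re.compile(r"=\s*C:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)

# Constructed sample: a subset of the log in Response 3, benign lines included.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.defaulthomepage.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {22DB6ECA-BCA3-412B-A56D-BE37546CD5EA} - \
O2 - BHO: {bd2e5ffa-de43-8b89-38a4-1cb4bbac2b82} - {28b2cabb-4bc1-4a83-98b8-34edaff5e2db} - C:\WINDOWS\system32\oibqwjox.dll (file missing)
O2 - BHO: (no name) - {3AAEC48E-DE35-46A9-9973-3B4BB62CDBEE} - C:\WINDOWS\system32\gebcc.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [uwas7cw] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TISKY009.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe
"""

Finding = Tuple[str, str, str]  # (section, reason, log line)


def triage(log_text: str) -> List[Finding]:
    """Return the log lines a reviewer should look at first, with a reason each."""
    findings: List[Finding] = []
    defaults: Dict[str, str] = {}                  # hive -> Default_Page_URL
    start_pages: Dict[str, Tuple[str, str]] = {}   # hive -> (Start Page URL, line)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = R_RE.match(line)
        if m:
            if m["key"] == "Default_Page_URL":
                defaults[m["hive"]] = m["url"]
            elif m["key"] == "Start Page":
                start_pages[m["hive"]] = (m["url"], line)
            continue
        m = BHO_RE.match(line)
        if m:
            path = m["path"].strip()
            # The CLSID is still registered but the DLL is gone or blank: an orphaned
            # BHO. On this machine the random-named system32 DLLs fit Spybot's
            # Virtumonde report. A legitimate no-name BHO with its file present
            # (SDHelper.dll in the sample) is deliberately left alone.
            if path == "\\" or path.endswith("(file missing)"):
                findings.append(("O2", "BHO registered but DLL missing or path blank", line))
            continue
        m = RUN_RE.match(line)
        if m:
            rest = m["rest"]
            if any(r.lower() in rest.lower() for r in KNOWN_ROGUE_PROGRAMS):
                findings.append(("O4", "autorun entry for rogue program named in thread", line))
            elif WINROOT_EXE_RE.search(rest):
                findings.append(("O4", "startup entry runs an exe from the Windows directory (review)", line))
            continue
    # A start page that disagrees with the same hive's default page is a hijack candidate.
    for hive, (url, line) in start_pages.items():
        default = defaults.get(hive)
        if default and url.lower() != default.lower():
            findings.append(("R0", f"start page differs from {hive} Default_Page_URL {default}", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

On the sample the script reports three orphaned BHOs, the WinAntiSpyware 2007 autorun, the TA_Start.lnk shortcut and the HKCU start page pointing at defaulthomepage.info, and says nothing about the Adobe, AVG, Spybot or VNC lines. Extending KNOWN_ROGUE_PROGRAMS or the default-page comparison is where a reviewer would add knowledge about a specific machine; the output stays a reading aid for the log the poster was asked to paste, not a list of things to delete.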