Greetings,
I will be very happy and grateful if anyone can help me get rid of this thing…
Info, as accurate as I can make it:
I recently (a few days ago) reformatted my hard drive (let’s call it D since I have another partition called C which I did not make any changes to.) So this means I reinstalled WinXP Pro on it; the reason why I reformatted was because I was having severe issues with booting my PC.
The next day I installed avast Home Edition, 3 hours later it tells me I have a trojan horse associated with the lsass.exe file.
The day after, it tells me of another Trojan.
Today, yet another.
Now I do not remember the names it gave me and they do not seem to be in the avast log even though I didn’t erase it. All times it recommended me to ‘move to chest’ and so that’s what I did in all cases.
Yesterday while I was browsing the net with my beloved MSIE v.6 I started getting random browser windows opening to various sites: some porn, some dating sites, etc. So I did some research and found out some stuff about BHOs which I did find running as processes, so I disabled them in IE. Upgrading to IE7 did not solve the problems. So I installed Firefox. The windows do not pop up in Firefox browsing windows. But, they still popped up in IE windows even when I did not have any IE windows running. I haven’t yet discerned a pattern to when they do appear.
This still happened today. However, the big problem of today is that all of a sudden I started getting stuff that you see in the screenshot. Obviously, these messages are fake and not alerts from my OS but are caused by the virus/trojan/worm/whatever that I have. The messages that they bring up are persistent and varied and involve notifying me of infection and the need to download software to fix it (software which undoubtedly leads to more infection. No I have not downloaded any of it.) Also, I see I have two new icons on my desktop as you see.
So I ran avast virus cleaner and made sure I closed programs, disabled on-access protection. It found nothing.
Er…also the problem I had prior to reformatting about not being able to boot up Windows with any amount of ease persists though it is definitely better than before. However, I do not know if this is related to this virus/trojan/worm/whatever or just some hardware issue.
Help, please. I have tried to be as detailed as I can. Yes it is messing up some of my programs.
Welcome to the forum.
The virus cleaning tool is for certain specific viruses, and is not intended for general scanning purposes.
Schedule a boottime scan. Open the avast interface and from the menu select schedule boottime scan. Move anything found to the chest.
You can also run these: AVG Anti-Spyware http://www.ewido.net/en/ , and SUPERAntiSpyware http://www.superantispyware.com/
And
Click here to download HJTsetup.exe
Save HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
The hjt log will probably have to be broken into multiple posts.
Click here to download HJTsetup.exe
There is no link in the click ‘here’ to download.
Here you go.
Hello, thanks for the quick responses.
I cannot find an option for a boottime scan for avast.
AVG tells me I have a bunch of Tracking cookies.
The SUPERAntiSpyware tells me it found 42 Tracking cookie adware items and 6 items called Trojan.WinFixer (4 of which are in my registry keys, and one of these is a BHO). It gives me the option to quarantine, should I do this? This is the log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 10/18/2007 at 05:13 PM
Application Version : 3.9.1008
Core Rules Database Version : 3259
Trace Rules Database Version: 1270
Scan type : Quick Scan
Total Scan Time : 00:09:50
Memory items scanned : 523
Memory threats detected : 1
Registry items scanned : 620
Registry threats detected : 4
File items scanned : 8450
File threats detected : 43
Trojan.WinFixer
D:\WINDOWS\SYSTEM32\JKHHH.DLL
D:\WINDOWS\SYSTEM32\JKHHH.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3286B9A3-A792-463A-A3F2-7CE38B878BEB}
HKCR\CLSID\{3286B9A3-A792-463A-A3F2-7CE38B878BEB}
HKCR\CLSID\{3286B9A3-A792-463A-A3F2-7CE38B878BEB}\InprocServer32
HKCR\CLSID\{3286B9A3-A792-463A-A3F2-7CE38B878BEB}\InprocServer32#ThreadingModel
Adware.Tracking Cookie
D:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
D:\Documents and Settings\Administrator\Cookies\administrator@clicksor[2].txt
D:\Documents and Settings\Administrator\Cookies\administrator@apmebf[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@tradedoubler[2].txt
D:\Documents and Settings\Administrator\Cookies\administrator@ads.mytelus[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@adbrite[2].txt
D:\Documents and Settings\Administrator\Cookies\administrator@revsci[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@perf.overture[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@ad.zanox[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt
D:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@ads1.nsamedia[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@ads.adbrite[2].txt
D:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[2].txt
D:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@network-ca.247realmedia[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@microsoftwlmessengermkt.112.2o7[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@atwola[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@interclick[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@statcounter[2].txt
D:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@www.popundersupply[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@ehg-mybc.hitbox[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@adcentriconline[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@adserver.adreactor[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@tremor.adbureau[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@advertising[3].txt
D:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@media.adrevolver[2].txt
D:\Documents and Settings\Administrator\Cookies\administrator@zedo[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@toplist[2].txt
D:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@247realmedia[1].txt
D:\Documents and Settings\Administrator\Cookies\administrator@hitbox[2].txt
D:\Documents and Settings\Administrator\Cookies\administrator@tacoda[2].txt
D:\Documents and Settings\Administrator\Cookies\administrator@3.adbrite[2].txt
D:\Documents and Settings\Administrator\Cookies\administrator@realmedia[2].txt
D:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[2].txt
Thanks guys.
This is the log file after running the Hijack program:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:24:43 PM, on 18/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
D:\WINDOWS\system32\devldr32.exe
D:\WINDOWS\system32\wuauclt.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\vopijige.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MimBoot] D:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "D:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "D:\WINDOWS\system32\skthcmav.dll",sitypnow
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TELUS eCare.lnk = D:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
--
End of file - 6297 bytes
@ alex1234
This likely to be scum/scam/rogueware and Should be caught by the rogue malware removal tool.
Try this tool, RogueRemover, available here http://www.malwarebytes.org/rogueremover.php
Re your HJT log.
First you don’t appear to have an active firewall, what is your firewall ?
Upload both of the files below, vopijige.dll and skthcmav.dll, to VirusTotal (VirusTotal - Multi engine on-line virus scanner) and report the results. If, as suspected, multiple scanners report infection, send the samples to avast, see below. A google search on the above filenames returns zero hits, which in itself is suspicious.
This one appears to be Vundo/Virtumonde
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\vopijige.dll
See VundoFix below.
This one is suspect.
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "D:\WINDOWS\system32\skthcmav.dll",sitypnow
If the above items are confirmed as infected at VirusTotal, then run HJT again and fix both the entries.
Send the sample to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
VundoFix
Here are the cleansing instructions for Virtumonde: http://www.bleepingcomputer.com/forums/topic18610.html
Download VundoFix.exe to your desktop.
Sorry about that, I’ll have to fix that. :-[ Thanks mauserme.
This likely to be scum/scam/rogueware and Should be caught by the rogue malware removal tool. Try this tool, RogueRemover, available here http://www.malwarebytes.org/rogueremover.php
Ran it and all it found was one of the icon .lnk files that's been created on my desktop by this thing.
Also as far as I know I have the Windows Firewall on (just checked it), though I have exceptions enabled for Windows Live Messenger, µtorrent and Remote Assistance.
VirusTotal returned this on my vopijige.dll file:
File vopijige.dll received on 10.19.2007 02:34:22 (CET)
Current status: Loading … queued waiting scanning finished NOT FOUND STOPPED
Result: 11/31 (35.49%)
Antivirus Version Last Update Result
AhnLab-V3 2007.10.19.0 2007.10.18 -
AntiVir 7.6.0.27 2007.10.18 ADSPY/SecToolBar.F.1
Authentium 4.93.8 2007.10.18 -
Avast 4.7.1051.0 2007.10.18 -
AVG 7.5.0.488 2007.10.18 Adware Generic2.TWW
BitDefender 7.2 2007.10.19 -
CAT-QuickHeal 9.00 2007.10.18 AdWare.SecToolBar.f (Not a Virus)
ClamAV 0.91.2 2007.10.17 -
DrWeb 4.44.0.09170 2007.10.18 Trojan.Hammer
eSafe 7.0.15.0 2007.10.15 -
eTrust-Vet 31.2.5220 2007.10.18 -
Ewido 4.0 2007.10.18 -
FileAdvisor 1 2007.10.19 -
Fortinet 3.11.0.0 2007.10.19 W32/Agent.ADAG!tr
F-Prot 4.3.2.48 2007.10.18 -
F-Secure 6.70.13030.0 2007.10.19 -
Ikarus T3.1.1.12 2007.10.19 -
Kaspersky 7.0.0.125 2007.10.19 not-a-virus:AdWare.Win32.SecToolBar.f
McAfee 5144 2007.10.18 -
Microsoft 1.2908 2007.10.19 -
NOD32v2 2601 2007.10.18 Win32/Adware.SecToolbar
Norman 5.80.02 2007.10.18 -
Panda 9.0.0.4 2007.10.18 Adware/SecurityToolbar
Prevx1 V2 2007.10.19 Heuristic: Suspicious File With Bad Parent Associations
Rising 19.45.32.00 2007.10.18 -
Sophos 4.22.0 2007.10.18 Mal/Behav-010
Sunbelt 2.2.907.0 2007.10.18 -
Symantec 10 2007.10.19 -
TheHacker 6.2.9.097 2007.10.18 -
VBA32 3.12.2.4 2007.10.19 AdWare.Win32.SecToolBar.f
VirusBuster 4.3.26:9 2007.10.18 -
And on the skthcmav.dll file:
File skthcmav.dll received on 10.19.2007 02:44:12 (CET)
Current status: Loading … queued waiting scanning finished
Result: 11/32 (34.38%)
Antivirus Version Last Update Result
AhnLab-V3 2007.10.19.0 2007.10.18 -
AntiVir 7.6.0.27 2007.10.18 TR/Dldr.ConHook.Gen
Authentium 4.93.8 2007.10.18 -
Avast 4.7.1051.0 2007.10.18 -
AVG 7.5.0.488 2007.10.18 Lop
BitDefender 7.2 2007.10.19 Trojan.Vundo.DNR
CAT-QuickHeal 9.00 2007.10.18 -
ClamAV 0.91.2 2007.10.17 -
DrWeb 4.44.0.09170 2007.10.18 -
eSafe 7.0.15.0 2007.10.15 -
eTrust-Vet 31.2.5220 2007.10.18 -
Ewido 4.0 2007.10.18 -
FileAdvisor 1 2007.10.19 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.18 -
F-Secure 6.70.13030.0 2007.10.19 Vundo.gen41
Ikarus T3.1.1.12 2007.10.19 -
Kaspersky 7.0.0.125 2007.10.19 -
McAfee 5144 2007.10.18 Vundo
Microsoft 1.2908 2007.10.19 Trojan:Win32/Vundo.K
NOD32v2 2601 2007.10.18 -
Norman 5.80.02 2007.10.18 Vundo.gen41
Panda 9.0.0.4 2007.10.18 Suspicious file
Prevx1 V2 2007.10.19 Trojan.Vundo
Rising 19.45.32.00 2007.10.18 -
Sophos 4.22.0 2007.10.18 Virtumundo
Sunbelt 2.2.907.0 2007.10.18 -
Symantec 10 2007.10.19 -
TheHacker 6.2.9.097 2007.10.18 -
VBA32 3.12.2.4 2007.10.19 -
VirusBuster 4.3.26:9 2007.10.18 -
Webwasher-Gateway 6.6.1 2007.10.19 Trojan.Dldr.ConHook.Gen
I’m going to wait to hear your opinions on the results before I take any action. The second file seems to be that Vundo thing you mentioned.
Windows XP’s firewall is better than no firewall, but it lulls you into a false sense of protection: it doesn’t provide outbound protection. Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection and you should consider a third party firewall.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
Send samples of both the files to avast (I would suggest you add them to the user files section of the avast chest and send from there). Before you download it, read and print the VundoFix instructions so you can follow them, and then run VundoFix.
Once you have done that run HJT and check if these entries that I mentioned before have gone, if not, tick the fix box to the left of the entry and click the Fix button.
The first file would seem to be a toolbar also related to vundo so hopefully that too will be picked up when you run vundofix.
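The two VirusTotal tables above are read the way DavidR reads them: count how many engines flag the file, then look past each vendor's own naming to see whether they agree on a family. The script below is an added example written for this thread, not part of the original posts and not a VirusTotal or avast tool; it parses rows in the plain-text "Engine Version Date Result" layout pasted above, normalizes the vendor names seen in the thread (Vundo / Virtumundo / Virtumonde, ConHook, SecToolBar) to one label, and reports a consensus family only when a named family accounts for at least half of the hits. The `VT_EXCERPT` is a constructed excerpt of ten rows copied from the skthcmav.dll table; the alias map and the half-of-hits threshold are my assumptions.

```python
import re
from collections import Counter

# Constructed excerpt: ten of the 32 engine rows from the skthcmav.dll table
# posted in this thread, in the plain-text layout the poster pasted.
VT_EXCERPT = """\
Antivirus Version Last Update Result
AhnLab-V3 2007.10.19.0 2007.10.18 -
AntiVir 7.6.0.27 2007.10.18 TR/Dldr.ConHook.Gen
BitDefender 7.2 2007.10.19 Trojan.Vundo.DNR
F-Secure 6.70.13030.0 2007.10.19 Vundo.gen41
Kaspersky 7.0.0.125 2007.10.19 -
McAfee 5144 2007.10.18 Vundo
Microsoft 1.2908 2007.10.19 Trojan:Win32/Vundo.K
Panda 9.0.0.4 2007.10.18 Suspicious file
Prevx1 V2 2007.10.19 Trojan.Vundo
Sophos 4.22.0 2007.10.18 Virtumundo
"""

# engine, version, YYYY.MM.DD update date, then the verdict (or "-" for clean).
ROW_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<date>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+?)\s*$"
)

# Assumed alias map: vendor-specific names seen in this thread -> one family label.
FAMILY_ALIASES = {
    "Vundo": ("vundo", "virtumundo", "virtumonde"),
    "ConHook": ("conhook",),
    "SecToolBar": ("sectoolbar", "securitytoolbar"),
}
# Verdicts that flag the file without naming a family.
GENERIC_MARKERS = ("suspicious", "heuristic", "generic", "mal/behav")


def normalize_family(result: str):
    """Map one engine's verdict string to a family label, or None if clean."""
    if result.strip() == "-":
        return None
    low = result.lower()
    for family, aliases in FAMILY_ALIASES.items():
        if any(alias in low for alias in aliases):
            return family
    if any(marker in low for marker in GENERIC_MARKERS):
        return "generic/heuristic"
    return "other"


def parse_rows(text: str):
    """Return (engine, result) pairs; header and status lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m["engine"], m["result"]))
    return rows


def summarize(text: str) -> dict:
    """Detection count, per-family tally and a consensus family (if any)."""
    rows = parse_rows(text)
    families = Counter()
    hits = 0
    for _engine, result in rows:
        family = normalize_family(result)
        if family is not None:
            hits += 1
            families[family] += 1
    consensus = None
    named = [(f, n) for f, n in families.most_common()
             if f not in ("generic/heuristic", "other")]
    if named and named[0][1] * 2 >= hits:  # a named family from >= half the hits
        consensus = named[0][0]
    return {"engines": len(rows), "detections": hits,
            "families": dict(families), "consensus": consensus}


if __name__ == "__main__":
    report = summarize(VT_EXCERPT)
    print(f"{report['detections']}/{report['engines']} engines flagged the file")
    print("families:", report["families"])
    print("consensus:", report["consensus"])
```

Run against the excerpt it reports 8 of 10 engines with a Vundo consensus; generic labels such as Panda's "Suspicious file" count toward the hit total but never toward the consensus, which is why a file that only collects heuristic and "Generic" verdicts stays at "no consensus" and deserves a second look rather than an automatic fix.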
Okay, is there a good firewall you recommend?
I ran VundoFix.exe and the alerts are now gone! WOoot! I still got a few pop up ads in IE but then I found yet another BHO add-on, disabled it and so far it seems to be alright. I think I’ve just been converted to Firefox.
As well, I suppose I should have sent the two files to avast before I ran the fix, now I don’t think I can send them so sorry about that.
Also I ran Hijack and did not find these two entries:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:23 PM, on 18/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\system32\devldr32.exe
D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
D:\Program Files\D-Tools\daemon.exe
D:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
D:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe
D:\Program Files\uTorrent\uTorrent.exe
D:\WINDOWS\system32\spider.exe
D:\Program Files\MSN Messenger\usnsvc.exe
D:\WINDOWS\system32\wuauclt.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MimBoot] D:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "D:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [hpfsched] D:\WINDOWS\hpfsched.exe
O4 - HKLM\..\RunOnce: [RunOnceEx] rundll32.exe D:\WINDOWS\system32\iernonce.dll,RunOnceExProcess
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Reminder-hpc41001.lnk = D:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe
O4 - Global Startup: TELUS eCare.lnk = D:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
--
End of file - 6440 bytes
Hopefully it is gone, thanks to all of you for your help, especially DavidR. And hopefully I won’t have the misfortune to come back for more help…you guys were very quick and efficient, nice to know some people give their time and skills to help people they don’t even know, especially considering that others only use their time and skills to screw over people they also don’t even know.
Comodo firewall 8)
@ alex1234
This needs to be fixed as it is a remnant of having cleaned out Vundo.
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
This isn’t really needed to run on boot, but also see my comments below.
O4 - HKLM\..\RunOnce: [RunOnceEx] rundll32.exe D:\WINDOWS\system32\iernonce.dll,RunOnceExProcess
I’m assuming that IE opens automatically after boot (?). For me I don’t feel this is a good idea, especially if you’re considering Firefox as your default browser. I hate things loading automatically on or after boot unless they are absolutely essential.
The strange thing about this is it is supposed to be related to IE 5.5; the other strange thing is it wasn’t on your first HJT log and, being a suspicious sod, I would suggest you upload iernonce.dll to VirusTotal for checking also, though this file should be legit in that system32 folder.
Other than that I don’t see anything else obvious in your HJT log.
It is a shame that you didn’t send the files to avast to help improve detections, but it is hard to think logically when your a** is in the fire.
Comodo firewall as Tech mentions works well with avast.
In my view firefox is much less susceptible to these pop-ups, etc. as for one it doesn’t have BHOs that can blight IE. There are also many, many, extensions that can improve your browser experience and make you more secure, NoScript should be a mandatory pick for an extension.
We’re glad that we could help, welcome to the forums.
Stick around and browse the forums, especially the sticky topics at the top of each of the forums, not to mention the avast help file. They provide a wealth of information to help you get the best from avast.
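The HJT triage in this thread follows a small set of rules: an entry whose target is "(no file)" is a remnant that is safe to fix (the point made two posts up about the orphaned O3 toolbar), a DLL with a random-looking name sitting in system32 and loaded as a toolbar or through rundll32 gets uploaded to VirusTotal before anything is fixed (DavidR's first reading of vopijige.dll and skthcmav.dll), and a known system DLL that trips the same heuristic, such as iernonce.dll, is verified rather than fixed. The script below is an added example written for this thread, not part of the original posts and not code from Trend Micro or avast; it applies those rules to O3/O4 lines in the plain-text HijackThis layout. The `SAMPLE_LOG` is a constructed excerpt of lines copied from the logs above, and `KNOWN_SYSTEM_DLLS` (an allowlist seeded only with iernonce.dll) and the "exactly eight lowercase letters" name heuristic are my assumptions drawn from the names that appear in this thread.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of O3/O4 lines copied from the HijackThis logs posted in
# this thread (paths and CLSIDs are the thread's own).
SAMPLE_LOG = r"""
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\vopijige.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "D:\WINDOWS\system32\skthcmav.dll",sitypnow
O4 - HKLM\..\RunOnce: [RunOnceEx] rundll32.exe D:\WINDOWS\system32\iernonce.dll,RunOnceExProcess
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
"""

# Assumed allowlist of legitimate Windows DLLs whose 8-letter names would
# otherwise trip the heuristic. Seed it from a clean reference install.
KNOWN_SYSTEM_DLLS = {"iernonce.dll"}

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# A drive-letter path ending in .dll/.exe; stops at quotes and commas.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:dll|exe)', re.I)
# The export name rundll32 is told to call after the DLL path.
EXPORT_RE = re.compile(r'\.dll"?,(?P<export>\w+)', re.I)
# Assumed heuristic: the Vundo-style names in this thread are 8 lowercase letters.
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")


@dataclass
class Finding:
    section: str
    verdict: str  # "remnant" | "suspicious" | "verify"
    path: str
    note: str


def _parent_and_name(path: str):
    parts = path.replace("/", "\\").lower().split("\\")
    parent = parts[-2] if len(parts) > 1 else ""
    return parent, parts[-1]


def triage_hjt(log_text: str) -> list:
    """Apply the thread's O3/O4 rules to each log line and return findings."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["section"] not in ("O3", "O4"):
            continue
        section, body = m["section"], m["body"]
        if "(no file)" in body:
            findings.append(Finding(section, "remnant", "(no file)",
                                    "orphaned entry for a deleted file; fix it in HJT"))
            continue
        export = EXPORT_RE.search(body)
        via = ""
        if export and "rundll32" in body.lower():
            via = f" via rundll32 export '{export['export']}'"
        for path in PATH_RE.findall(body):
            parent, filename = _parent_and_name(path)
            stem = filename.rsplit(".", 1)[0]
            if parent != "system32" or not RANDOM_STEM_RE.match(stem):
                continue  # only random-looking names in system32 interest us here
            if filename in KNOWN_SYSTEM_DLLS:
                findings.append(Finding(section, "verify", path,
                                        f"known system DLL{via}; confirm at VirusTotal, do not fix"))
            else:
                findings.append(Finding(section, "suspicious", path,
                                        f"random-looking name in system32{via}; upload to VirusTotal before fixing"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.section} {f.verdict:10s} {f.path}  {f.note}")
```

On the excerpt this yields four findings: vopijige.dll and skthcmav.dll as suspicious (the latter with its rundll32 export `sitypnow`), the no-name toolbar as a remnant, and iernonce.dll as verify, which is the same split the thread arrived at by hand. The Yahoo toolbar, avast and ctfmon entries produce nothing because their names do not fit the pattern or do not live in system32; when extending the allowlist, take names from a clean install rather than from the infected machine, since a fixed-up system32 is exactly where Vundo drops its files.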
This needs fixed as it is a remnant of having cleaned out Vundo. O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
Done.
I'm assuming that IE opens automatically after boot (?)
It doesn't.
I would suggest you upload iernonce.dll to VirusTotal for checking also
Done and it came out clear.
Er, just as I typed the above, I started to get the fake alerts that appear in the taskbar again. I can almost laugh. Never mind, I am laughing. Ah well, at least I can send the files to avast this time. I believe that this started at about the same time of day as yesterday. Coincidence?
Well, I ran Hijack This again and found another suspicious file that VirusTotal tells me is bad (O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\ixnnajpv.dll) so I guess I’ll run VundoFix again; if that doesn’t work there’s always the VirtumundoBeGone.
hello guys… i’m collecting undetected Virtumonde variants now, so you can expect a detection to be done soon…
If you didn’t fix that
O4 - HKLM\..\RunOnce: [RunOnceEx] rundll32.exe D:\WINDOWS\system32\iernonce.dll,RunOnceExProcess
I don’t know what it does, I wrongly thought it started IE, but from some google hits it doesn’t seem to be a required start/run item. I would check if it is in the startup tab of msconfig (windows start, run, type msconfig); if there is an entry there uncheck it (don’t delete the entry) and see if there is any negative impact. If so it can always be checked again, which is why I said not to delete the entry.
I would also upload the new probable Vundo file to VT and send to avast if confirmed infected.
If you haven’t downloaded the new firewall I would suggest you get on it with urgency as it is often difficult to get your system clean without an effective firewall.
Since this is back there may be something hidden that is restoring this.
Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm. Try these as they are some of the more efficient and user friendly anti-rootkit tools.
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip.
- AVG Anti-Rootkit http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5.
Good to hear - lots of tough ones out there right now.
yep… vundo and autorun are current points of pain for many users… we’ll target on them in next few days…
If you didn't fix that O4 - HKLM\..\RunOnce: [RunOnceEx] rundll32.exe D:\WINDOWS\system32\iernonce.dll,RunOnceExProcess
I don’t know what it does I thought wrongly it start,
Actually you might not be wrong, I just installed Comodo and it told me that iexplorer.exe was trying to make a connection right after I restarted and without me running anything that wasn’t already running with the bootup. Out of curiosity I allowed it but no IE windows opened, i.e. nothing that I could see happened.
Then I ran msconfig as you said and looked at the Startup Tab and found something that’s obviously related to the problem (screenshot provided as attachment - edit - sorry my PC is starting to mess up now and I can’t attach anything, will do it with next post after restart). Should I uncheck that box then? I can see it spawning itself again regardless. *sigh
The Panda Rootkit Cleaner found nothing. AVG Anti-Rootkit does not seem to want to run.
And yes I have sent the ixnnajpv.dll file to avast.