Multiple viruses detected, error messages, etc.

???

Toshiba Satellite U-305 (notebook) using Vista Home Premium, avast! Home
Antivirus 4.8, Zone Alarm (firewall), Ad-Aware, (IP) Galaxy.net (DSL)

Hello:
It’s hard to wrap my 70 year-old brain around this stuff but I’ve read
Polonus’ “what to do” list and here goes:

My son was using the computer (secondary user “Segundo”), told
me he got a virus alert and moved it to the virus chest.

Yesterday I took a look; when I logged on to his user account, I got two error
messages:
“Run DLL Error loading: C:\Users\Segundo\AppData\Local\Temp\geBurpMC.dll
Access is denied.”
“Run DLL Error loading:
C:\Users\Segundo…\Temp\jkexjaic.dll Access is denied.”

(I don’t get any error messages when I log on to my user account.)

I clicked OK on each of those messages and opened avast!. During the “Test
of Memory and Startup”, I got four more virus alerts. I put them all in
the virus chest. At the end of the Memory Test there was a brief message
about scheduling a 'boot start-up or scan' (?) or something like that; it
went by quickly. Then a message…'start (or schedule?) boot scan'…I
clicked on that and got a message, something like 'unable to do boot
"whatever"', so I went offline.

Here is what I find in Virus Chest:

A number of old infections from Jan/Feb 2008: JS FEEBS family, and JS
ADODB-V

Those files are:

6b27 (Feebs)
_0000_1 (ADODB-V)
adult-toons.org[1] (Feebs)
cb74 (Feebs)
d972 ADODB-V
extrime-list_com[1] (Feebs)
MEMORY.DMP (2/22/2008) Win32: VD-EIW
picshunter_info[1].h ADODB-V

Recent (current) infected files: the last four came up as virus alerts
while avast! was testing memory:

5/15/08 geburpmc.dll Win32:Vundo
5/15/08 jkexjaic.dll Win32:Vundo
5/20/08 ddcAsrQI.dll Win32:Vundo
5/20/08 fccawuVO.dll Win32:Vundo
5/20/08 opnkLLKA.dll Win32:Vundo
5/20/08 xxyaxxXQ.dll Win32:Vundo

While I was online typing out this list, I got another virus alert.
I put it in the chest and went offline. Looking in the chest, I didn’t
find a new entry related to that alert.

Performing item 6 on Polonus’ list, re-scanning those files, I got two
more alerts, which I put in the virus chest. These are:
“C:\Users\Segundo\AppData\Local\Temp…\vbksrofa.dll Infection:
Win32A… File was successfully moved to chest.” …and
“C:Users.…same as above… …\fvowketqonp.dll Infection: Win32V
Error occurred during moving file to chest.”

I looked around my avast! program and didn’t find a Virus Cleaner tool.
Since I was getting virus alerts online, I DID NOT GO BACK ONLINE to do an
online scan or jotti.

I thought maybe what I’ve written so far is enough to get some help to get
me started on this problem.

To complicate things, for the next week I will be at a house where there is
a business network which I can’t log on to. I will be using a computer on
that network to communicate with this forum; when I need to go online with
this computer which I’m having the problem with, I will have to go to the
public WiFi spot at the local library.

This has me feeling a bit on overload. Needless to say, any and all assistance and suggestions will be greatly appreciated!!

:slight_smile: Hi Ron :

The “Feebs” family of “Infections” is very serious; it appears your son is
engaging in highly risky internet activity. Probably using Peer-to-peer
(P2P) programs. The most qualified one on these forums to help you
with “Feebs” would be “Oldman”.

As to “Vundo”, I recommend you use “VundoFix”, available from
http://vundofix.atribune.org/ ; make sure you follow the
“Normal Usage for Removal:” instructions.

By the way, Ad-Aware is no longer a top antiSPYWARE/antiTROJAN program;
it would be wise to use the FREE version of “SUPERAntiSpyware” from
www.superantispyware.com ; it MAY even help with your Feebs “infection” !?

Run a boot time scan with avast! Right click the scanner screen, select ‘schedule a boot time scan’ and reboot when requested.

Update Ad-Aware and run a full scan.

When you have finished, post a HijackThis! log.

:o

Thanks folks. I’ll take suggestions and get back to you.

Am posting HijackThis log, having done an avast! boot time scan, updated Ad-Aware and done a full scan, followed by a HijackThis scan. Thanks in advance for looking it over…

Here is log: (posting it in two parts since it exceeds the maximum length per post)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:36 PM, on 5/21/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Windows\System32\ThpSrv.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

Part two of HijackThis scan:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.att.net/ie4/search/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/news?ned=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.att.net/ie4/search/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldnet.att.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM..\Run: [Camera Assistant Software] “C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe”
O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM..\Run: [ThpSrv] C:\Windows\system32\thpsrv /logon
O4 - HKLM..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM..\Run: [Google Desktop Search] “C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” /startup
O4 - HKLM..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM..\Run: [RoxWatchTray] “C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe”
O4 - HKLM..\Run: [DMXLauncher] “C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [advap32] C:\Users\Segundo\AppData\Local\Temp\stdcons.exe/r
O4 - HKCU..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
O4 - HKCU..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-19..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User ‘Default user’)
O4 - Global Startup: Post-it(R) Digital Notes.lnk = C:\Program Files\3M\PDNotes\PDNotes.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://upload.smugmug.com/photos/activex/ImageUploader4-082807.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip..{8801AB5B-E60A-464B-A16E-E38AAAF37F22}: NameServer = 192.168.1.1,4.2.2.2
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\Users\Ron\AppData\Local\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\Windows\system32\ThpSrv.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe


End of file - 11096 bytes

I couldn’t find any information on this file:

C:\Users\Segundo\AppData\Local\Temp\stdcons.exe

Could you enable view hidden files and folders and send it to VirusTotal for analysis please?

http://www.xtra.co.nz/help/0,,4155-1916458,00.html#vista

http://www.virustotal.com/

Post the result here if you would.

Your Sun Java application is out of date: this can lead to drive-by infections. Run the Secunia Software Inspector- it will tell you about this and other programs that need updating and give you a download link.

http://secunia.com/software_inspector/

Ad-Aware 2008 is available now:

http://lavasoft.com/products/ad_aware_free.php

Update and run a fresh scan as the new version claims better detection.

I couldn’t see anything really sinister in the log? Do you still have symptoms- pop-up ads etc?

:slight_smile:
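The by-eye triage done in the reply above (an autostart entry running from a user's Temp folder, a service with no vendor string or with its file missing), written out as an added example that is not from the thread or from HijackThis itself: a small Python parser over O4 and O23 lines taken from the posted log. The rules and the reason strings are my own assumptions, not HijackThis output.

```python
import re

# O4 (Run-key autostart) and O23 (service) lines copied from the HijackThis log
# posted above; the two Temp-folder entries are the ones the helper asked about.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [advap32] C:\Users\Segundo\AppData\Local\Temp\stdcons.exe/r
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: SessionLauncher - Unknown owner - C:\Users\Ron\AppData\Local\Temp\DX9\SessionLauncher.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - [^\[]+\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-letter path ending in an executable extension; trailing args (e.g. "/r") are dropped.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|com|scr|bat))', re.I)
TEMP_RE = re.compile(r"\\Temp\\", re.I)
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\", re.I)


def suspicion_reasons(path, owner=None, missing=False):
    # The checks a triager applies by eye (assumed rules): code started at logon from a
    # temp or per-user folder, a service with no vendor string, or an entry whose file is gone.
    reasons = []
    if TEMP_RE.search(path):
        reasons.append("runs from a Temp folder")
    elif USER_PROFILE_RE.search(path):
        reasons.append("runs from a user profile, not Program Files/Windows")
    if owner is not None and owner.lower() == "unknown owner":
        reasons.append("service has no vendor string")
    if missing:
        reasons.append("binary is missing on disk (orphaned entry)")
    return reasons


def triage(log_text):
    # Returns (kind, name, path, reasons) for every O4/O23 line worth a second look.
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = O4_RE.match(line)
        if m:
            p = PATH_RE.search(m.group("cmd"))
            path = p.group("path") if p else m.group("cmd")  # bare names like NDSTray.exe stay as-is
            reasons = suspicion_reasons(path)
            if reasons:
                findings.append(("O4", m.group("name"), path, reasons))
        elif line.startswith("O23 - Service: ") and line.count(" - ") >= 3:
            head, owner, path = line.rsplit(" - ", 2)
            missing = path.endswith("(file missing)")
            path = path.replace("(file missing)", "").strip()
            reasons = suspicion_reasons(path, owner, missing)
            if reasons:
                findings.append(("O23", head[len("O23 - Service: "):], path, reasons))
    return findings
```

A hit only means "look closer": the Temp-folder entry is exactly the file the helper asked to have checked on VirusTotal, while a missing vendor string on an OEM tool like pinger.exe is usually benign.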

Thanks again for the guidance. Will follow suggestions and post again. (It won’t be till later in the day when I’ll be able to get to WiFi access for my notebook which needs the scans etc.)

:smiley:

I enabled ‘view hidden files and folders’, sent C:\Users\Segundo\AppData\Local\Temp\stdcons.exe to www.virustotal.com, had it analyzed (twice) and got this message:

“0 bytes size received / Se ha recibido un archivo vacio”

That would be consistent with your saying “I couldn’t find any information on this file”…maybe.

I haven’t been online very long but the only malfunction I’ve found so far is that Windows Media Center froze up on me when I tried to play a commercial DVD.

I will run Secunia Software Inspector, and update my anti-spyware.

Should I do anything like delete old System Restore points? or anything like that…

I’m wondering if I should have my Processes analyzed; also would it be advisable to check the Registry? I don’t go into the Registry myself but I notice there is Registry Scan freeware available, with guided support available.

Ref. all the virus data in my avast! Virus Chest, shall I just leave it there? Are there things I should watch for? Is there anything else I should do now?

Or maybe I’m OK now. That would be nice. (I’ve already advised my son to go to the public library if he wants to use a computer!)

Sincere thanks for suggestions and help…and God bless the forums!!

I enabled 'view hidden files and folders', sent C:\Users\Segundo\AppData\Local\Temp\stdcons.exe to www.virustotal.com, had it analyzed (twice) and got this message:

“0 bytes size received / Se ha recibido un archivo vacio”

That would be consistent with your saying “I couldn’t find any information on this file”…maybe.

Not really. It sometimes means something is blocking the upload. Can you copy and paste the file to the desktop and upload from there?

I will run Secunia Software Inspector, and update my anti-spyware.

Updating your computer is a priority because at the moment you are vulnerable to drive-by downloads- more infections just by visiting the wrong site.

Should I do anything like delete old System Restore points? or anything like that....

You can delete System Restore points by turning System Restore off and on again.

http://www.bleepingcomputer.com/tutorials/tutorial143.html#manual

As far as I’m aware, viruses are not active in System Restore, so you can ignore detections in System Restore, and viruses will eventually get flushed out as older System Restore points are deleted- possibly the safer option.

I'm wondering if I should have my Processes analyzed; also would it be advisable to check the Registry? I don't go into the Registry myself but I notice there is Registry Scan freeware available, with guided support available.

HijackThis analyses both active processes and the registry. Be careful- there’s a lot of scam ‘registry cleaners’ around. The only one I’d recommend is the registry scanner in CCleaner:

http://www.ccleaner.com/

Ref. all the virus data in my avast! Virus Chest, shall I just leave it there?

Leave it for a few weeks just to make sure it wasn’t a false positive then you can delete it. Malware in the chest is inactive and doesn’t take up much room. There’s always the remote possibility that any AV program can identify a legitimate program as malware, so it’s better to be safe than sorry and leave it in the chest where you have the possibility of restoring any falsely identified files.

Are there things I should watch for? Is there anything else I should do now?

Run the Secunia scan and update all vulnerable software- that’s critical. After that, run scans every few weeks- it’s surprising how often software vulnerabilities appear.

Secunia also do a program you can install which will run regular scans. Worth considering:

https://psi.secunia.com/

:slight_smile:

Thanks, F-W Frank…

I’ll get to follow up on your latest recommendations this afternoon. This seems not to be turning out to be the horror show I thought it was.

You’ve been great and I’ve learned a lot.

I’ll post when I’ve updated everything and tried to get that C://Users/Segundo/ line run through VirusTotal.