this virus attacked my system32…can someone help me to delete this virus please!!!
KMON.OCX (VIRUS name: Win32:VIB_EIH[trj])
I suggest:
Sorry for being late…I had a problem with my network system…I am now posting the hijack log file…I will be waiting for your answer…thanks for your advice…Rapslayer
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:49 AM, on 8/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\ashChest.exe
C:\Documents and Settings\Auto Domanik\My Documents\Download\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe activexdebugger32.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11E532DE-04D4-494D-AD0F-67B991496D1D}: NameServer = 80.80.160.8,80.80.160.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{11E532DE-04D4-494D-AD0F-67B991496D1D}: NameServer = 80.80.160.8,80.80.160.9
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
--
End of file - 6023 bytes
slayer
Did you do numbers 1-5 above posted by Tech?
Are you on high speed or dial up?
What is your hardware configuration?
Someone else will look at your hjt.
After you finish 1-5 above, or some of them if on dial up, post a new hjt.
If on dial up, try Malwarebytes RogueRemover first and the boot time avast scan.
From your hjt log, F2 - REG:system.ini: Shell=Explorer.exe activexdebugger32.exe,
we have to conclude you are infected by an Autorun virus, e.g. a worm.
Do not panic, we give you the instructions to clean your system and restore it to
an uninfected state; follow the instructions meticulously and better print
everything on a piece of paper to work from.
As soon as this virus is activated, the worm creates these files:
• %Temp%\NESNELER.EXE
• %System%\PAC.EXE
• %System%\[ORIGINAL FILE NAME]
• %System%\lil11.dll
• %System%\MSWINSCK.OCX
• %System%\scrrntr.dll
• %System%\KMON.OCX
• %System%\KTKBDHK3.DLL
• %System%\ACD.CMD
• %System%\ACD2.CMD *
The worm will change this registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe [ORIGINAL FILE NAME]"
Then the worm starts trying to spread through shared networks where weak passwords are applied.
The worm will further spread through pendrives like USB sticks and will create the following file and change settings to hide it:
[DRIVE LETTER]\activexdebugger32.exe
The worm creates the next file when the pendrive is added to another computer:
[DRIVE LETTER]\Autorun.inf
The worm opens a backdoor on the victim computer and gives remote control to a third party.
The virus tries to send data to the attacker. It will send collected data through email to the cyber criminal.
Then the worm is going to download a file from the FTP site to the following location:
%System%\RNSR.EXE
Removal instructions:
There is a free removal tool for this virus, Symantec's free online scanner:
http://www.virusalert.nl/?show=link&id=symsec (IE only)
Manual removal for Windows 9x, 2000, NT and XP
A general description for all Windows systems.
Users of Windows XP can use System Restore to put the configuration back to a point before infection.
You can start your system in three different ways with the virus infection configuration!
N.B. The virus files are there but the installation has been undone
(Check your system next with DrWeb's CureIt.)
-. See Windows for information on System Restore
-. Then check your system for virus files and registry rules and manually delete them.
Registry adaptations?
Do this only if you have the expertise to do so. If not, get advice from an expert
from the forum, ASAP qualified.
Manually adapt the registry
3.A. - Start your PC in Safe Mode, but first close all windows and programs and
shut down your PC.
Take the power off and wait for 30 secs (This is ESSENTIAL!).
Restart your PC and keep down the CTRL and F8 keys and a menu will pop up.
Select start up in Safe Mode (sometimes you first have to wait for the BIOS to load
to be able to do this).
3.B. Click Start, then click Programs and MS-DOS Prompt.
A DOS screen will open up and show you c:\windows> .
If there is something behind c:\windows> , in that case type cd… and press enter.
- Now type "regedit"
Note for users of XP
It is important to open the registry of the local machine, and not that
of the individual user. Then change the folder via the instruction cd.
You should then land in the folder C:\Windows
3.C. The registry editor will now open up, and you are strictly advised
to make a copy of the registry before you alter things.
The registry is the heart of your computer and when things go wrong
you cannot resuscitate your PC; yes, things can come to a halt permanently.
You can make a copy by clicking at the top in the registry editor on
Computer and then on Registry, and then export the registry file to
your desktop, to set it back if things go wrong.
3.D. Changes to make.
Go for the following key and search:
You can find that by clicking the plus before HKEY_LOCAL_MACHINE.
Clicking the key, you then see on the right of the screen
what values it has. Select as long as you get the right key and
see it fully in the left screen. Then right mouse click the end value
and choose "delete".
3.E. Now close this window.
3.F. Shut down the PC, wait another 30 secs, then start up normally.
3.G. Now scan again with a full boot scan; make sure it is updated.
3.I. Newly install the security software the virus removed through an original installation procedure.
Good luck,
polonus.
P.S. Another removal instruction:
What the virus does:
* Shares your drives to the world as PATRON1, PATRON2, etc...
* Copies itself to any writeable devices around you. USB sticks are great examples.
* On a USB drive, it generates an autorun.inf file and a copy of itself. Each time you connect your USB drive it infects your computer again...
* It uses the CPU at least to 70%... Noisy infector as hell...
How do you know that you are infected:
* Press the CTRL+Shift+Esc buttons. You'll see the activexdebugger32.exe process running.
* You can see a copy of the executable (activexdebugger32.exe) on your USB drives if you enabled Windows to show you hidden files.
How to remove it?
* Plug in your USB stick (if you have one)
* Kill the process activexdebugger32.exe
* Delete the activexdebugger32.exe binary. It usually lives under c:\windows\system32 (or c:\winnt\system32 depending on your Windows installation)
* Open regedit. Go to the top of the tree in the left pane. Hit F3 (or CTRL+L) to open the search dialog. Type, yes you know it, activexdebugger32.exe, and REMOVE these registry entries wherever they are found. (Search until the end)
* Go to the root folder of your USB stick and delete, yes you're right again, activexdebugger32.exe and autorun.inf
* Remove the other traces as given above, e.g. NESNELER.EXE (meaning objects.exe in Turkish) under c:\Documents and Settings\Local Settings\Temp\
* Update: Delete all the files under C:\windows\system32\ named as given above *
* Now you are done.
Give a sigh of relief and get educated about security, that is update and patch, use AV and a FW…
Damian
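The check polonus applies to the F2 line (anything started alongside Explorer.exe in the Winlogon/system.ini Shell value is suspect), written out as an added example that is not part of the thread or of HijackThis. It parses a constructed HijackThis excerpt modelled on the log posted above and also flags an O2 BHO entry whose DLL is missing; the function names and sample lines are assumptions of this example.

```python
"""Triage a HijackThis log for the Winlogon Shell hijack discussed above (added example)."""
import re

# Constructed excerpt modelled on the log posted in the thread (not the full log).
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
F2 - REG:system.ini: Shell=Explorer.exe activexdebugger32.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""


def shell_extras(shell_value):
    """Return every program in a Shell value other than explorer.exe.

    A clean Windows XP system has Shell=Explorer.exe and nothing else; the worm
    appends its own file name so it is started again at every logon.
    """
    # Accept quoted paths containing spaces as well as the bare form in the log.
    tokens = re.findall(r'"[^"]+"|\S+', shell_value.strip())
    extras = []
    for token in tokens:
        name = token.strip('"').replace('/', '\\').rsplit('\\', 1)[-1]
        if name.lower() != 'explorer.exe':
            extras.append(name)
    return extras


def triage_hjt(log_text):
    """Scan HijackThis lines; return (section, detail) findings worth a look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = re.match(r'F2 - REG:system\.ini:\s*Shell=(.*)$', line, re.IGNORECASE)
        if m:
            for extra in shell_extras(m.group(1)):
                findings.append(('F2', 'extra program in Shell value: ' + extra))
        elif line.startswith('O2 - BHO:') and line.endswith('(no file)'):
            # HijackThis marks a BHO whose DLL no longer exists with "(no file)".
            findings.append(('O2', 'BHO entry with missing file: ' + line))
    return findings


if __name__ == '__main__':
    for section, detail in triage_hjt(SAMPLE_LOG):
        print(section, detail)
```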
polonus, thank you very much for these instructions!!! You helped me to get rid of the boring message when I start up my Windows [I searched how to get rid of the ActiveX virus and I deleted files but that message appeared again, and I made it with your instructions. I think I managed it with this HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe [ORIGINAL FILE NAME]"; in winlogon there was something shell and I deleted that (because below data was written acitvexdeb…) and the message disappeared]…
I registered on this site only to say thank you… ;D ;D ;D
THANK YOU AGAIN !!!