Virus not going away

I’m having trouble with this one virus. I was watching a video in Firefox 3.1beta when all of a sudden popups started showing up (I’m also running Adblock Plus) and my start menu was in the process of disappearing when I hit the power button. I used a bootup CD to get rid of the first round of viruses, but they just keep sticking around.

The popups that show up in Firefox first hit an IP address beginning with 84.???.???.???. (Not seeing the popups at this moment, though.)

At first it looked like WinHancer, but it appears to be changing all the time.

I have run VundoFix, MalwareBytes, SuperAntispyware, Spybot, Avast, and HijackThis. Depending on the program it seems to find something different. Spybot kept finding WinHancer, but it was unable to delete the registry keys. I have run the Sysinternals tool to remove the null characters in the registry, but that didn’t seem to affect it much.

I keep deleting BHOs from IE, but they keep coming back. Is there any way to totally disable BHOs in IE?

Does anyone have any suggestions on what I should do next?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:13 PM, on 12/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Common Files\Microsoft Shared\DirectX Extensions\DXDebugService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\MagicKey\MagicKey.exe
C:\Program Files\NNsquad\nnma.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MagicKey\OSD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Versato] C:\Program Files\MagicKey\MagicKey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NNma] C:\Program Files\NNsquad\nnma.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://members.harmonyremote.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191768637703
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.beta.instantaction.com/download/iaplayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FAF96FE-4362-4BF3-891B-1DC3A1147511}: NameServer = 204.101.251.1,204.101.251.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\jswpsapi.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max Design 2009 32-bit 32-bit (mi-raysat_3dsMax2009_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe


End of file - 9815 bytes

Try a boot time scan with avast! Right click the scanner screen, select ‘schedule a boot time scan’ and reboot when requested. (Or open the tab at the top left of the scanner screen and select the boot time option from there.)

I can’t see anything obvious in the log: I’d recommend you update MalwareBytes, SuperAntispyware and Spybot and run scans in Safe Mode.

IE has an option in one of its menus for disabling unwanted BHOs.

If you’re still having problems, try some rootkit scanners:

Panda Antirootkit
Blacklight
Trend Micro Rootkit Buster
McAfee Rootkit Detective
Sophos Anti-Rootkit

What I can see in the log is why you were infected: out of date and vulnerable software.

http://sunsolve.sun.com/search/document.do?assetkey=1-66-238905-1

Scan for out-of-date and insecure software using Secunia Online Software Inspector (OSI) and update any vulnerable software: this will help to prevent future infections.

You don’t appear to have a firewall that monitors outbound traffic.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass on your personal data (sensitive or otherwise: user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

What is your firewall?

Ad-Aware doesn’t really cut it now and is more of a passenger than an active participant; SUPERAntiSpyware and Malwarebytes Anti-Malware are much better options.
SUPERAntiSpyware is on-demand only in the free version.
Malwarebytes Anti-Malware is also on-demand only in the free version: http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe (right-click the link and select Save As or Save File As, depending on your browser, and save it to a location where you can find it easily later).

Could be there is a hardware firewall, David.

Yes it could, the problem being that unless a hardware firewall specifically states it, the majority don’t check outbound connections.

Spybot has asked for a boot time scan, so I’ll do that first, and then an avast one (That’ll be 5+ hours)

I have uninstalled Java to eliminate that as a possible attack… hopefully. Unfortunately I removed Java before trying to analyze for out of date software… which uses Java. D’oh.

As for the firewall situation: XP says that its firewall is running, and I have a D-Link router as a hardware firewall. I am now running PeerGuardian 2 to block some IPs, but I have no idea if it will work.

Mirar is in my Add/Remove Programs. I think that’s the software launching the popups, but nothing has uninstalled it yet. Is there a tool to specifically remove this?

I have also noticed Vundo on the machine.

Malwarebytes latest log:

Malwarebytes’ Anti-Malware 1.30
Database version: 1454
Windows 5.1.2600 Service Pack 3

12/3/2008 1:35:28 PM
mbam-log-2008-12-03 (13-35-28).txt

Scan type: Quick Scan
Objects scanned: 60041
Time elapsed: 5 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f77bbe3b-9c38-47f6-99d7-b79b453d0f50} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{371ee1ef-f177-1390-7807-08525dc0e55c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{55fcbb52-741c-489d-9931-94cc4c4dabc8} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instbndlkeyldr (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\fbxrqtwn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tlprbo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iidwiqnq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Neil\Application Data\TmpRecentIcons\Micro Antivirus 2009.lnk (Rogue.Link) -> Quarantined and deleted successfully.

Panda AntiRootKit didn’t find anything.

Well, since MBAM found malware in the system32 folder, and since they were likely to have been running, I would have hoped they would have featured in the HJT log, so it is possible they might be hidden by a rootkit. Which is why FWF gave so many different ones, so I would work my way through them all; yes, it takes time, but it is time well spent.

The same goes for the Trojan.FakeAlert, which on occasion has a partner to try to keep it hidden.

You only did a Quick Scan in MBAM; I would do a full scan.

I would also move on to an SAS scan and see if that reveals anything also, though MBAM seems to have done a reasonable job so far.

For your Java issue, the current version is now JRE version 6 update 11, so the one you removed was well out of date. Get the latest update from here: http://java.sun.com/javase/downloads/index.jsp
Or JRE version 6 update 11 from http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html
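The cross-check in the reply above (files MBAM quarantined that never showed up anywhere in the HJT log) can be scripted rather than eyeballed across two long logs. This is an added example, not code from the thread or from either tool; it assumes the log layouts as posted, and its sample logs are constructed from a few of the thread's lines plus one made-up BHO (sample_bho.dll, placeholder CLSID) that is present in both logs:

```python
import re

# Constructed sample logs in the shape of the HijackThis and Malwarebytes logs posted
# in this thread: a few lines from them plus one made-up BHO (sample_bho.dll) that appears
# in BOTH logs, so one MBAM detection counts as "seen" by HJT and two do not.
HJT_SAMPLE = r"""
Running processes:
C:\Program Files\Alwil Software\Avast4\ashServ.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\sample_bho.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""
MBAM_SAMPLE = r"""
Files Infected:
C:\WINDOWS\fbxrqtwn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tlprbo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sample_bho.dll (Constructed.Sample) -> Quarantined and deleted successfully.
"""

HJT_ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")          # e.g. "O2 - BHO: ..."
HJT_PATH_RE = re.compile(r'[A-Za-z]:\\[^\r\n"]*?\.(?:exe|dll)', re.IGNORECASE)
MBAM_FILE_RE = re.compile(r"^([A-Za-z]:\\.+?) \(([^)]+)\) (?:->|→) ")  # path (Detection) -> ...

def _norm(path):
    # Case-fold and expand the 8.3 short name HJT prints for Program Files so both logs compare alike.
    return path.lower().replace("progra~1", "program files")

def parse_hjt(log):
    """Split a HijackThis log into 'processes' plus its R/F/N/O entries keyed by code."""
    entries, in_procs = {"processes": []}, False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            entries["processes"].append(line)
        elif in_procs:
            in_procs = False  # the process list ends at the first blank line
        elif (m := HJT_ENTRY_RE.match(line)):
            entries.setdefault(m.group(1), []).append(m.group(2))
    return entries

def mbam_infected_files(log):
    """(path, detection) pairs from the detailed 'Files Infected:' section of an MBAM log."""
    found, in_files = [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Files Infected:":  # exact match skips the "Files Infected: N" summary line
            in_files = True
        elif in_files and (m := MBAM_FILE_RE.match(line)):
            found.append((m.group(1), m.group(2)))
    return found

def unseen_by_hjt(hjt_log, mbam_log):
    """MBAM detections whose path appears nowhere in the HJT log (not running, no O2/O4/O20/O23 line).
    That is the hint the reply treats as possible rootkit hiding; it can also just mean the file was
    never registered anywhere HJT looks, so treat each hit as a lead to check, not as proof."""
    seen = {_norm(p) for p in HJT_PATH_RE.findall(hjt_log)}
    return [(p, d) for p, d in mbam_infected_files(mbam_log) if _norm(p) not in seen]
```

On the two sample logs, unseen_by_hjt reports fbxrqtwn.exe and tlprbo.dll and not sample_bho.dll, because only the latter has an O2 line.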

MBAM finds nothing at the moment.
Spybot finds:
WinHancer (unable to remove it, and it asks for a reboot every time; on reboot it never finds it).
Virtumonde: Spybot says that it’s hard to get rid of and to remove the computer from the internet. I’ve just removed the antenna from my card and I’m running Spybot again.
Avast finds nothing. I did a system boot scan and it didn’t find a thing.
I can’t remember what SAS said at the moment. As far as I remember it didn’t find anything.

SAS keeps logs, check the Preferences, Statistics/Logs tab.

Are you running MBAM and SAS from Safe Mode?

Run ComboFix and post the log here.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Still trying to install ComboFix (it’s taking a very long time for some reason, 30+ minutes now).

MBAM in Safe Mode: no viruses.
SAS in Safe Mode: got rid of something the first time (don’t have the log handy at the moment); detected nothing the second time.
Spybot after those: still detects Virtumonde and WinHancer.

I hate to intrude, but I have a Win32 dialer trojan. The problem is I have tried to start a thread, but every time I do the window closes.

Can you say what the infected file name is and where it was found (C:\windows\system32\infected-file-name.xxx)?
What avast! version and virus database are you using? (See the About dialog of avast!.)
Also, what actions did you take with the trojan?

I did a boot scan and tried to move it to the chest. It wouldn’t let me. I am using Avast home. I will look into the other info you asked for.

Very strange… The file couldn’t be blocked at boot time… Hope someone with more “cleaning” knowledge jumps in here.

OK, I just did a regular scan so I could get the name of the infected file, but it advised me to do a boot scan because I had more viruses. I did that, and there was no mention of the Win32 dialer, but there were two different Rootkit-gen, Win32:Monder-HO and a Trojan-gen. I was able to put all the new viruses in the chest, but my CPU is having the same problems as far as what the Win32 dialer was causing.

If I may jump in, I would like a deeper look at your system. When you run this programme please disconnect from the internet, right-click the Avast icon and select Stop On-Access Protection; otherwise Avast will throw a hissy fit and not let part of the programme run.

To ensure that I get all the information, this log will need to be uploaded to Mediafire; then post the sharing link.

Download OTScanit2 to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

- Close ALL OTHER PROGRAMS.
- Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
- Check the box that says Scan All Users.
- Check the radio button for Rootkit check: YES.
- Under Additional Scans check the following:
  - File - Lop Check
  - File - Purity Scan
  - Evnt - EventViewer Errors/Warnings (last 10)
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is, then click on it to uncheck it.