Hi there,

Thanks for providing this forum!

History:

A few weeks ago I downloaded a program which came with some nasty malware. I have a software firewall installed which alerted me to the program trying to access the internet (which was unexpected, so I denied it and removed the offending program).

The program had however, installed some nasty stuff before attempting to access the internet. In particular, I noticed:
- "mlljh.dll" (which I tracked down to be the Vundo virus - very nasty).
- Bar888.

I got rid of vundo by using VundoFix as described in another thread on this forum. Bar888 was dealt with by one of the anti-spyware packages (likely spybot, but can't remember exactly).

I didn't realise at the time, but it had also given me a downloader trojan. I noticed that my firewall was blocking a file called "Update.exe" which was trying to access the internet every so often. As I couldn't find out much info about this file, I decided (:oops:) to let it through once, and it brought down a bunch of malware including Smitfraud). These I was able to fix with anti-spyware, but now I knew I needed to get rid of the Update.exe.

The obvious thing was to kill the process, and remove the file. Tried that, and it came back again when I restarted (obviously some other process restoring it).

Noticed the following thread with similar problem:
http://forums.spybot.info/showthread.php?t=9816

- Found svchosts.exe running.
- Ran svchosts.exe throught http://www.virustotal.com/ and found a lot of problems with it.

Result of virus total as follows:

Complete scanning result of "svchosts.exe", received in VirusTotal at 02.02.2007, 13:19:34 (CET).

Antivirus Version Update Result
AntiVir 7.3.1.34 02.02.2007 TR/Dldr.Agent.bca.10
Authentium 4.93.8 02.01.2007 W32/Downloader.AVUF
Avast 4.7.936.0 02.01.2007 Win32:Agent-DXT
AVG 386 02.01.2007 Generic2.MHF
BitDefender 7.2 02.02.2007 Trojan.Downloader.Agent.BCA
CAT-QuickHeal 9.00 02.01.2007 TrojanDownloader.Agent.bca
ClamAV devel-20060426 02.02.2007 no virus found
DrWeb 4.33 02.02.2007 no virus found
eSafe 7.0.14.0 02.01.2007 Win32.Agent.bca
eTrust-InoculateIT 30.4.3364 02.02.2007 Win32/Matcash.0qg!Dropper
eTrust-Vet 30.4.3364 02.02.2007 no virus found
Ewido 4.0 02.01.2007 Downloader.Agent.bca
Fortinet 2.85.0.0 02.02.2007 W32/Agent.BCA!tr.dldr
F-Prot 4.2.1.29 02.01.2007 W32/Downloader.AVUF
Ikarus T3.1.0.31 02.02.2007 Trojan-Downloader.Win32.Agent.bca
Kaspersky 4.0.2.24 02.02.2007 Trojan-Downloader.Win32.Agent.bca
McAfee 4954 02.01.2007 Matcash
Microsoft 1.2101 02.02.2007 Caishow (threat-c)
NOD32v2 2030 02.02.2007 Win32/TrojanDropper.Agent.BCA
Norman 5.80.02 02.02.2007 W32/Agent.AVHP
Panda 9.0.0.4 02.02.2007 Adware/Maxifiles
Prevx1 V2 02.02.2007 Trojan.SystemPoser
Sophos 4.13.0 01.31.2007 CommAd
Sunbelt 2.2.907.0 02.01.2007 Trojan-Downloader.Win32.Agent.bca
Symantec 10 02.02.2007 Adware.MaxSearch
TheHacker 6.0.3.162 02.02.2007 Trojan/Downloader.Agent.bca
UNA 1.83 02.01.2007 TrojanDownloader.Win32.Agent.0A3B
VBA32 3.11.2 02.02.2007 Trojan.Win32.TrojanDropper.Agent.BCA
VirusBuster 4.3.19:9 02.01.2007 Trojan.DL.Agent.FXL

Aditional Information
File size: 36864 bytes
MD5: 4b0d96f34c6a82b255474263d8e9095e
SHA1: eecb9ff3e97ba583678acc85ba43d5e86de030e5
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=6f6365112879


Results of panda online scan:


Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Steam\Application Data\Mozilla\Firefox\Profiles\uod6ayc9.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Steam\Application Data\Mozilla\Firefox\Profiles\uod6ayc9.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Steam\Application Data\Mozilla\Firefox\Profiles\uod6ayc9.default\cookies.txt[.2o7.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Steam\Application Data\Mozilla\Firefox\Profiles\uod6ayc9.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Steam\Application Data\Mozilla\Firefox\Profiles\uod6ayc9.default\cookies.txt[.atwola.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Steam\Application Data\Mozilla\Firefox\Profiles\uod6ayc9.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Steam\Application Data\Mozilla\Firefox\Profiles\uod6ayc9.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Steam\Application Data\Mozilla\Firefox\Profiles\uod6ayc9.default\cookies.txt[.com.com/]
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Steam\Application Data\Mozilla\Firefox\Profiles\uod6ayc9.default\cookies.txt[.ct.360i.com/]
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Steam\Application Data\Mozilla\Firefox\Profiles\uod6ayc9.default\cookies.txt[.hotlog.ru/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Steam\Application Data\Mozilla\Firefox\Profiles\uod6ayc9.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Steam\Application Data\Mozilla\Firefox\Profiles\uod6ayc9.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Steam\Application Data\Mozilla\Firefox\Profiles\uod6ayc9.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Steam\Application Data\Mozilla\Firefox\Profiles\uod6ayc9.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Steam\Application Data\Mozilla\Firefox\Profiles\uod6ayc9.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Steam\Application Data\Mozilla\Firefox\Profiles\uod6ayc9.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Steam\Application Data\Mozilla\Firefox\Profiles\uod6ayc9.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Steam\Application Data\Mozilla\Firefox\Profiles\uod6ayc9.default\cookies.txt[ad.sensismediasmart.com.au/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Steam\Application Data\Mozilla\Firefox\Profiles\uod6ayc9.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Steam\Application Data\Mozilla\Firefox\Profiles\uod6ayc9.default\cookies.txt[stat.onestat.com/]
Adware:Adware/SuperSpider Not disinfected C:\Documents and Settings\Steam\Local Settings\Temporary Internet Files\Content.IE5\YJ2B85UV\antzom[1].exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{8CAD4A76-08A3-1033-0909-05081305003d}\system.dll
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{8CAD4A76-08A3-1033-0909-05081305003d}\Update.exe
Adware:Adware/Maxifiles Not disinfected C:\RECYCLER\S-1-5-18\Dc1\system.dll
Adware:Adware/Maxifiles Not disinfected C:\RECYCLER\S-1-5-18\Dc1\Update.exe
Adware:Adware/Maxifiles Not disinfected C:\RECYCLER\S-1-5-18\Dc2\system.dll
Adware:Adware/Maxifiles Not disinfected C:\RECYCLER\S-1-5-18\Dc2\Update.exe
Adware:Adware/Maxifiles Not disinfected C:\RECYCLER\S-1-5-18\Dc3\system.dll
Adware:Adware/Maxifiles Not disinfected C:\RECYCLER\S-1-5-18\Dc3\Update.exe
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\system32\svchosts.exe

steam: Update.exe and svchosts.exe found...


I would like some help to make sure I don't miss anything this time...

I'll put the hi-jack log in a separate post.

Thanks,
Steam.

HijackThis log as follows (highlighting added by me):

The "mlljh.dll" looks like a remnant from vundo which I should remove - please confirm.

Thanks,
Steam.


Logfile of HijackThis v1.99.1
Scan saved at 1:49:35 PM, on 3/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\svchosts.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfaem.exe
C:\Program Files\Common Files\{8CAD4A76-08A3-1033-0909-05081305003d}\Update.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\WINDOWS\system32\wuauclt.exe
C:\antivirus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.apple.com/support/ipod
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {47DAEE58-A362-4F13-9186-04A56DDF24A1} - C:\WINDOWS\system32\mlljh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfaem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfaem.exe
O4 - HKLM\..\Run: [{8CAD4A76-08A3-1033-0909-05081305003d}] "C:\Program Files\Common Files\{8CAD4A76-08A3-1033-0909-05081305003d}\Update.exe" mc-110-12-0000272
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

Hi steam and welcome to the Forums :)

I must warn that one or more of the identified infections is a backdoor trojan :sick:

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

I can help you in the cleaning if you don't want to reformat but there is a possibility that we can't get you 100% clean.

Please let us know what you have decided to do in your next post:bigthumb:

Hi Mr Jak3,

Given your advise, I'll do the format and reinstall.

For my own interest, did you spot any problems other than the svchosts infection - or is this the main problem as you see it.

Is there somewhere where I can read more details on the way this virus works (what data it tries to send, what programs/malware it tries to download).

Thanks again for your help and advice,
Steam.

Hi again :)

I'll respect your decision to do a clean install.

Well you have a SDbot (http://www.symantec.com/security_response/writeup.jsp?docid=2002-051312-3628-99)family backdoor. So the attacker can take whatever he/she wants...

Please make sure that you know what to do before beginning the operation.

Here are a few links that propably help.

Reformatting Windows XP by wng_z3r0 (http://spyware-free.us/tutorials/reformat/mainnopics.html)
When should I re-format? How should I reinstall? (http://www.dslreports.com/faq/10063)
Windows XP Clean install (http://windowsxp.mvps.org/XPClean.htm)

Then there are a couple of things you should do immediately after installing Windows and before surfing the net... Install an antivirus and firewall (you should download and have those on a CD or USB drive, all ready to be installed).

These are good (free) firewalls: Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)
Comodo (http://www.personalfirewall.comodo.com)

These are good (free) antiviruses: AVG (http://free.grisoft.com)
Antivir (http://www.free-av.com)
Avast (http://www.avast.com)


Get all Windows updates installed!

Then here are a few things that you can do in order to make your fresh computer more secure:
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use Ewido (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is faster, safer and better browser than Internet Explorer.

Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.

Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

Read this article by TonyKlein (http://castlecops.com/postlite7736-.html)
So how did I get infected in the first place?

Hi again Mr Jak3,

Thanks for the information.

I have another query...

Over the last week or so, I've noticed that sometimes when I search for files on the computer, windows explorer starts using up all the CPU and gets stuck on one file (quite often a zip file) for quite a while. I kill explorer, and re-run it and it's ok as long as I don't search...

I suspect that this is related to the trojan in some way.

Some of the zip files (and other files) contain reasonably important info, so I've backed them up. After I've finished the format and reinstall, what should I do to ensure that none of my backups have the virus (apart from the obvious of running a virus scanner).

Thanks,
Steam.

Hi again :)

That problem might be related to the trojan, it can slow downs the pc.

Well if you have created the zipp files before the infection they should be ok. You should avoid backing up Exe and Dll files as they might be infected. Pics, text, music should be safe to backup. Yes, it would be good to scan the files before opening them....

:bigthumb:

Hi Mr Jak3,

Have formatted, reinstalled and scanned PC.

No viruses found. :bigthumb:

Thanks for your time,
Steam.

Hi and sorry for the delay, I was out of town.

That's great news and you're very welcome :D:

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: