Virtumonde, Vundo, Trojan, Win32.Sality.X and tons of cookies...:-)



IFKSJOLD
2007-07-16, 16:04
Hi, my cpu is badly infected. Avast prompts me with trojans all the time and the browser gets hijacked all the time too...

When running XoftSpySE it finds two Vundo trojans and three Win32.Sality.X and a lot of cookies, among them ErrorSafe and DriveCleaner.

When running Spybot it finds Virtumonde and an ocean of tracking cookies.

Fixed the stuff successfully with the programs and returned to the "before you post" thread...

Did the eTrust Antivirus Web Scanner

with this result:


Scan Results: Scan Completed. 50463 files scanned. No viruses found.

File Infection Status Path
- No Infections

The Trend Micro Online Scan found a Troj_Vundo.AWC and a spyware_keyl_astlog and some other stuff. Couldn't fix it though.

Rebooted into safe mode and ran Spybot. Got rid of those where possible; the Virtumonde kept coming back together with something else.

Rebooted to normal mode. Ran Hijackthis and here is the log:


Logfile of HijackThis v1.99.1
Scan saved at 15:02:57, on 16-07-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Antamedia\Caffe\ICHelper.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Antamedia\Caffe\ICHelper.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ifkskjold.dk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ifkskjold.dk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ifkskjold.dk
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7DEAC811-5F0A-4631-8A42-EE2E225B016C} - C:\WINDOWS\system32\jkhfc.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\awttrpp.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\diayyblo.dll",realset
O4 - HKCU\..\Run: [Caffe-Client] C:\Antamedia\Caffe\Client.exe
O4 - HKCU\..\Run: [Caffe-ICHelper] C:\Antamedia\Caffe\ICHelper.exe
O4 - HKCU\..\Run: [InternetCaffeHelper] ICHelper.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146059828736
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awttrpp - awttrpp.dll (file missing)
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe

shelf life
2007-07-17, 01:58
hi IFKSJOLD,

1)download and run vundofix.exe:

http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

2)F-secure scan:
http://support.f-secure.com/enu/home/ols.shtml

click on the "start scanning button" near bottom of page.
click to accept/install the ActiveX applet,Click Full System Scan
Once the download completes (may take awhile),the scan will begin automatically.
The scan will take some time to finish.
When the scan completes, click the Automatic cleaning (recommended) button.

Click the Show Report button and Copy&Paste the entire report in your next reply along with a current HijackThis log.

shelf life

IFKSJOLD
2007-07-17, 12:17
Ran VundoFix; when trying to fix, it prompts me with this error message:


Error: 75. Path/File access error

It seems that it took care of it anyway, though :) (still, VundoFix found 10 files but deleted 8???)

here is the C:\vundofix.txt:


VundoFix V6.5.6

Checking Java version...

Sun Java not detected
Scan started at 10:14:32 17-07-2007

Listing files found while scanning....

C:\WINDOWS\system32\awttrpp.dll
C:\WINDOWS\system32\cfhkj.bak1
C:\WINDOWS\system32\cfhkj.bak2
C:\WINDOWS\system32\cfhkj.ini
C:\WINDOWS\system32\diayyblo.dll
C:\windows\system32\dtqtlbkp.dll
C:\WINDOWS\system32\jkhfc.dll
C:\WINDOWS\system32\nuguetix.dll
C:\windows\system32\olbyyaid.ini
C:\windows\system32\qnfrvxsw.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cfhkj.bak1
C:\WINDOWS\system32\cfhkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\cfhkj.bak2
C:\WINDOWS\system32\cfhkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\cfhkj.ini
C:\WINDOWS\system32\cfhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\diayyblo.dll
C:\WINDOWS\system32\diayyblo.dll Has been deleted!

Attempting to delete C:\windows\system32\dtqtlbkp.dll
C:\windows\system32\dtqtlbkp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkhfc.dll
C:\WINDOWS\system32\jkhfc.dll Has been deleted!

Attempting to delete C:\windows\system32\olbyyaid.ini
C:\windows\system32\olbyyaid.ini Has been deleted!

Attempting to delete C:\windows\system32\qnfrvxsw.exe
C:\windows\system32\qnfrvxsw.exe Has been deleted!

Performing Repairs to the registry.


Did the F-Secure scan and here is the report:


Scanning Report
Tuesday, July 17, 2007 10:28:50 - 11:15:08
Computer name: SKJOLD2
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 21 malware found
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
Trojan.Win32.KillAV.ka (virus)
C:\WINDOWS\SYSTEM32\DRIVERS\LRHKMN.SYS (Renamed & Submitted)
Vundo.gen30 (virus)
C:\DOCUMENTS AND SETTINGS\ODENSEGADE KØKKEN\LOKALE INDSTILLINGER\TEMP\HKVSESND.DLL (Submitted)
Vundo.gen38 (virus)
C:\WINDOWS\SYSTEM32\DLXDENOO.INI (Submitted)
C:\WINDOWS\SYSTEM32\VYFMHVSH.INI (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 23442
System: 3184
Not scanned: 2
Actions:
Disinfected: 1
Renamed: 1
Deleted: 0
None: 19
Submitted: 4
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-07-16
F-Secure AVP: 7.0.171, 2007-07-17
F-Secure Orion: 1.2.37, 2007-07-17
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0260-23-12
F-Secure Pegasus: 1.19.0, 2007-06-12
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics

--------------------------------------------------------------------------------





Done!

IFKSJOLD
2007-07-17, 12:19
And here is a fresh HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 11:19:51, on 17-07-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Antamedia\Caffe\ICHelper.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\Antamedia\Caffe\ICHelper.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\svchost.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ifkskjold.dk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ifkskjold.dk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ifkskjold.dk
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6DE05A1F-5ACC-41B8-81B0-C45C8FD5E15C} - C:\WINDOWS\system32\jkhfc.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Caffe-Client] C:\Antamedia\Caffe\Client.exe
O4 - HKCU\..\Run: [Caffe-ICHelper] C:\Antamedia\Caffe\ICHelper.exe
O4 - HKCU\..\Run: [InternetCaffeHelper] ICHelper.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146059828736
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awttrpp - awttrpp.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe

shelf life
2007-07-17, 16:39
hi IFKSJOLD,

ok thanks for the info.
Please rerun VundoFix again and post the results. Also rename your hijackthis.exe icon to something else like scanner.exe. Then rescan and post a new HJT log.

shelf life

IFKSJOLD
2007-07-18, 11:12
Hi, the VundoFix couldn't find anything this time:



VundoFix V6.5.6

Checking Java version...

Sun Java not detected
Scan started at 10:09:55 18-07-2007

Listing files found while scanning....

No infected files were found.

And here is the HijackThis/scanner log:


Logfile of HijackThis v1.99.1
Scan saved at 10:12:44, on 18-07-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Antamedia\Caffe\ICHelper.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Antamedia\Caffe\ICHelper.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\hijackthis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ifkskjold.dk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ifkskjold.dk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ifkskjold.dk
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6DE05A1F-5ACC-41B8-81B0-C45C8FD5E15C} - C:\WINDOWS\system32\jkhfc.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Caffe-Client] C:\Antamedia\Caffe\Client.exe
O4 - HKCU\..\Run: [Caffe-ICHelper] C:\Antamedia\Caffe\ICHelper.exe
O4 - HKCU\..\Run: [InternetCaffeHelper] ICHelper.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146059828736
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awttrpp - awttrpp.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe

shelf life
2007-07-18, 21:25
hi IFKSJOLD,

scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

O2 - BHO: (no name) - {6DE05A1F-5ACC-41B8-81B0-C45C8FD5E15C} - C:\WINDOWS\system32\jkhfc.dll (file missing)

O20 - Winlogon Notify: awttrpp - awttrpp.dll (file missing)

other than that log looks ok.

shelf life
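Added example, not from the thread or the HijackThis project: a small Python triage of HJT 1.99 O2/O4/O20 lines, using lines from the first log in this thread as sample input, that flags the leftover patterns shelf life points at (entries marked "(file missing)", an unnamed BHO or Winlogon Notify DLL loading from system32, and a Run key that loads a DLL through rundll32). The allowlist of stock Winlogon Notify DLLs is a partial assumption and anything not on it is only marked for review.

```python
"""Triage a HijackThis 1.99 log for Vundo-style persistence leftovers (added example)."""
import re
from dataclasses import dataclass, field

FILE_MISSING = " (file missing)"

# Partial allowlist of stock Windows XP Winlogon Notify DLLs (assumption; extend
# for your build). A DLL not listed here is flagged for review, not declared bad.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}

# Line shapes as HJT 1.99.1 prints them.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-F-]+)\} - (?P<path>.*)$", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\w+)', re.I)

# Sample input: lines copied from the first HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7DEAC811-5F0A-4631-8A42-EE2E225B016C} - C:\WINDOWS\system32\jkhfc.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\awttrpp.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\diayyblo.dll",realset
O20 - Winlogon Notify: awttrpp - awttrpp.dll (file missing)
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
"""


@dataclass
class Finding:
    section: str
    path: str
    reasons: list = field(default_factory=list)


def _split_missing(path):
    """Return (clean_path, missing) for an HJT path that may end in '(file missing)'."""
    if path.endswith(FILE_MISSING):
        return path[: -len(FILE_MISSING)], True
    return path, False


def _in_system32(path):
    return re.search(r"\\system32\\", path, re.I) is not None


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return a Finding for every O2/O4/O20 line matching a leftover or persistence pattern."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            path, missing = _split_missing(m["path"])
            reasons = []
            if missing:
                reasons.append("orphaned BHO registration (file missing)")
            if m["name"] == "(no name)" and _in_system32(path):
                reasons.append("unnamed BHO loading from system32")
            if reasons:
                findings.append(Finding("O2", path, reasons))
            continue
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m["cmd"])
            if r:  # a Run entry that loads a DLL export via rundll32, as Vundo did here
                findings.append(Finding("O4", r["dll"],
                                        [f"Run key [{m['name']}] loads a DLL via rundll32 (export {r['export']})"]))
            continue
        m = O20_RE.match(line)
        if m:
            path, missing = _split_missing(m["path"])
            reasons = []
            if missing:
                reasons.append("orphaned Winlogon Notify entry (file missing)")
            if _basename(path) not in KNOWN_NOTIFY_DLLS:
                reasons.append("Winlogon Notify DLL not on the stock-XP allowlist; review")
            if reasons:
                findings.append(Finding("O20", path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.path}")
        for reason in f.reasons:
            print(f"      - {reason}")
```

Run against the sample it reports the two jkhfc entries, both awttrpp entries and the rundll32-loaded diayyblo.dll, and leaves the Spybot SDHelper BHO and the avast! entries alone.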

IFKSJOLD
2007-07-19, 12:29
Did as told and here is a fresh HJT log, just to be sure:


Logfile of HijackThis v1.99.1
Scan saved at 10:34:04, on 19-07-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Antamedia\Caffe\ICHelper.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Antamedia\Caffe\ICHelper.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\hijackthis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ifkskjold.dk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ifkskjold.dk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ifkskjold.dk
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Caffe-Client] C:\Antamedia\Caffe\Client.exe
O4 - HKCU\..\Run: [Caffe-ICHelper] C:\Antamedia\Caffe\ICHelper.exe
O4 - HKCU\..\Run: [InternetCaffeHelper] ICHelper.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146059828736
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe


Did a Spybot scan to check if all was good, and it found only some tracking cookies.

Then used True Sword 4.0 to finally test the cpu, and it found:


Malicious component in file c:\windows\system32\hidphone.tsp which is part of "win32.trojandownloader.zlob" malware * 2

Malicious component in file c:\windows\servicepackfiles\i386\hidphone.tsp which is part of "win32.trojandownloader.zlob" malware

If you expect error messages at startup like "procedure entry GetProcessImageFileNameW could not be located in the dynamic link library", choose to solve this problem

Non-malicious problemware SunJavaUpdateSched in startup list.

Malicious registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C)-11DA-8BDE-F66BAD1E3F3A}\Iexplore which is part of "WinFixer" adware

Malicious registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C)-11DA-8BDE-F66BAD1E3F3A}\iexplore which is a part of "WinFixer" Adware

Malicious registry key HKEY_LOCAL_MACHINE\Software\Microsoft\UniqData which is part of "Vundo Trojan" spyware/trojan

Malicious regsitry value "NextInstance" at key HKEY_LOCAL_MACHINE\System\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32 which is part of "Win32.sality.x" spyware/trojan

Malicious regsitry value "service" at key HKEY_LOCAL_MACHINE\System\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000 which is part of "Win32.sality.x" spyware/trojan

Malicious regsitry value "legacy" at key HKEY_LOCAL_MACHINE\System\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000 which is part of "Win32.sality.x" spyware/trojan

Malicious regsitry value "Class" at key HKEY_LOCAL_MACHINE\System\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000 which is part of "Win32.sality.x" spyware/trojan

Malicious regsitry value "ClassGUID" at key HKEY_LOCAL_MACHINE\System\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000 which is part of "Win32.sality.x" spyware/trojan

Malicious regsitry value "Devicedesc" at key HKEY_LOCAL_MACHINE\System\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000 which is part of "Win32.sality.x" spyware/trojan

Malicious regsitry value "0" at key HKEY_LOCAL_MACHINE\System\CURRENTCONTROLSET\services\NDISFILESERVICES32\Enum which is part of "Win32.sality.x" spyware/trojan

Malicious regsitry value "count" at key HKEY_LOCAL_MACHINE\System\CURRENTCONTROLSET\services\NDISFILESERVICES32\Enum which is part of "Win32.sality.x" spyware/trojan

Malicious regsitry value "NextInstance" at key HKEY_LOCAL_MACHINE\System\CURRENTCONTROLSET\services\NDISFILESERVICES32\Enum which is part of "Win32.sality.x" spyware/trojan

Tracking coockie named odensegade køkken@hit.gemius[1].txt

After this I ran XoftSpySE to see if it could find the same, and it came out with a Vundo trojan registry key and 3 Win32.sality.x registry values, all severe risks, which fits the True Sword check.
XoftSpySE also found this file:

A Better Internet in location c:\WINDOWS\eSellerateEngine.dll

So I believe that I'm still infected in some way :sad: weird.

shelf life
2007-07-20, 00:38
hi IFKSJOLD,

Those are leftover harmless registry entries. I am not familiar with True Sword. At one point it was listed here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

but has been removed from the list recently.

shelf life