win32.joleee.k



DigiK
2008-10-04, 22:18
Hello! Just wanted to let you know that I had 2 positive matches yesterday:

Virtumonde

and

win32.joleee.k

Both were 'fixed', but I'm afraid the win32.joleee.k found a trick to stay resident somewhere, because Search and Destroy finds the trojan again each time I run the check, even without rebooting or launching the internet again. I also have McAfee Security Center running in the background, but it is not aware of any problems at all. Since I raised my firewall protection level, I had requests from services.exe to go to the internet.

Yesterday, before downloading Spybot, I noticed 281 processes running in the Task Manager, of which services, svchost and cmd were present more than once. I'm not sure anymore of the integrity of these Windows system files, but I don't really know how to check if they are still OK.

After running Spybot, the number of processes was reduced to 4 services, and 6 or 7 svchost instances. I also had visual contact on the desktop with an alien file, probably dropped there by malignant software, as it had a German title, had a text file icon, but WAS an exe file. I did not execute the file. It had autostartoffice.exe in (at the end of) the filename, but McAfee Security Center did not think anything was wrong.

Today, Spybot kept on telling that win32.joleee.k was still present. Ad-aware did not find anything similar though. McAfee Security site just mentioned a minute ago that it found and removed something called generic.dx, a process initialized from the lavasoft folder (ad-aware).

I also note that 2 changes have been made recently: On October the 2nd, services.exe has been added to the startup in the reg on HKEY LOCAL MACHINE... current version. Today something tried to alter my iexplorer bar. That may be OK or not. Not sure.

If anyone has hints or tips to get rid of win32.joleee.k or know what is cruising around on my system, feel free to tell me so :-)

Thanks!

Koen

DigiK
2008-10-05, 00:28
Using HijackThis, I removed the run key that launched C://windows/services.exe. I killed the process. Removed the key again :-)

Then I was able to remove the services.exe file from my windows folder. However, Spybot is still convinced that the trojan is present. There might be another file involved, or some part of the cleaning went wrong. In case this is important: Spybot did not ask me at any time to reboot.

Also good to know: during the first scan after download it did not provide any info on the 'Joleee.k' result, but after the update, it referred to the services file. Either a new generation of the trojan, or removal not yet fully implemented?

In the early days of wwwcoolsearch, I had a similar problem, but then Merijn's Coolshredder saved me from having to buy a wig after pulling my hair several days... :-)

I'm not sure if any log may help you now that I have been altering the system manually, but if you need more info, just let me know.

Koen
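
A copy of `services.exe` sitting directly in the Windows folder, as in the post above, uses a system binary's name outside the folder where the genuine file lives (`System32`). The following PowerShell is an added example, not part of the original thread; the name-to-folder map and the `Get-LocationVerdict` helper are assumptions for illustration. It flags running processes whose name matches one of the three names mentioned in the thread but whose path is not in the expected folder, and reports their Authenticode signature status.

```powershell
# Added example, not from the thread. Expected folders (relative to
# %SystemRoot%) for the process names the thread mentions; this map is an
# illustrative assumption, not a complete inventory of system binaries.
$ExpectedDirs = @{
    'services.exe' = @('System32')
    'svchost.exe'  = @('System32', 'SysWOW64')
    'cmd.exe'      = @('System32', 'SysWOW64')
}

# Hypothetical helper: classify one (process name, image path) pair.
function Get-LocationVerdict {
    param([string]$Name, [string]$Path, [string]$SystemRoot = $env:SystemRoot)
    $key = $Name.ToLowerInvariant()
    if (-not $ExpectedDirs.ContainsKey($key)) { return 'not-checked' }
    # The path is empty when the caller lacks rights to query the process.
    if ([string]::IsNullOrEmpty($Path)) { return 'path-unavailable' }
    $dir = [System.IO.Path]::GetDirectoryName($Path)
    foreach ($sub in $ExpectedDirs[$key]) {
        $expected = [System.IO.Path]::Combine($SystemRoot, $sub)
        if ($dir -ieq $expected) { return 'expected' }
    }
    return 'unexpected-location'
}

# Constructed sample: the location reported in the thread, then the normal one.
Get-LocationVerdict 'services.exe' 'C:\Windows\services.exe' 'C:\Windows'
Get-LocationVerdict 'services.exe' 'C:\Windows\System32\services.exe' 'C:\Windows'

# Live check: list every process that fails the location test, with the
# signature status of its image file where the path can be read.
Get-CimInstance Win32_Process | ForEach-Object {
    $verdict = Get-LocationVerdict $_.Name $_.ExecutablePath
    if ($verdict -in 'unexpected-location', 'path-unavailable') {
        $sig = $null
        if ($_.ExecutablePath) {
            $sig = (Get-AuthenticodeSignature -FilePath $_.ExecutablePath `
                        -ErrorAction SilentlyContinue).Status
        }
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Name      = $_.Name
            Path      = $_.ExecutablePath
            Verdict   = $verdict
            Signature = $sig
        }
    }
} | Format-Table -AutoSize
```

Run it from an elevated prompt so that fewer processes report `path-unavailable`.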

drragostea
2008-10-05, 04:46
Consider posting in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum and having someone take a look at your system.

If you decide to have an experienced malware removal specialist assist you, please follow the procedure in this link to run scans and produce a HijackThis log: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288).
-

Dave500
2008-10-06, 02:17
I have had a similar problem with this trojan. If you run a complete scan with your up-to-date McAfee VirusScan software (takes a lo-o-ong time), power down machine, switch back on and check with Spybot. This has so far seemed to work for me. :present:

Dave500
2008-10-06, 19:39
:oops: Not a trojan but a worm!:oops:

DigiK
2008-10-06, 20:57
Thanks for the comments. I will first try Dave500's remark, and if it does not work, I might post a log in the appropriate forum. I did upload to an auto Hijack log analyzer (just as a first opinion). It did find a key and the services.exe to be quite obvious malware, and after I removed these parts, for the moment, the system seems to be stable again. I suppose there's one (inactive) trace left somewhere, as Spybot still finds traces, but I can't get other software to confirm its presence. Anyway. Thanks for your hints and tips!

DigiK
2008-10-06, 21:08
The procedure as described by Dave500 worked. Joleee has gone now.

And I decided to make a small donation. Not rich, so the stress is on small, but this is the second time Spybot helps me out in 3 years. That's worth something!

Geezee
2008-12-06, 12:42
Hello,

This is my first visit here and my first request. Thanks to all for being here and for your help.

I use Spybot. After 1 year without any problem, I had one attack yesterday. When I run Spybot, I now have:

1. Microsoft.WindowSecurityCenter.FirewallOverride

2. Win32.Joleee.k

Win32.Joleee.k added an icon at the bottom right corner as if I had 2 internet connections working simultaneously. If I go to "Parameter" and the "Network connection" I have a new connection there that I did not create. If I erase it, my normal connection to the internet is down. If I restart the machine the "new" one or parasite one comes back. This is basically how it appears.

I checked throughout the forum to find some help and used the manual removal here:

http://forums.spybot.info/showthread.php?t=38962&highlight=win32.joleee.k

I applied these instructions and also ran "Rootalyzer" which did not find anything wrong. In spite of these 2 procedures, the 2 "worms" or malware are still present on the computer. (The 2nd internet connection icon is still there and Spybot detects both malwares when scanning.) Therefore I make this post hoping it is at the right place!

Thanks to all who may bring some light to solve this problem

Geezee

drragostea
2008-12-06, 17:11
Hello. If the thread created by PepiMK does not resolve your problem, you can always feel free to start your thread in the Malware Removal Forum, where a specialist will assist you to purge the threats.
-
Regarding the Firewall override entry, it is just a heads-up to tell you that the notification of the monitoring of your Firewall in the Security Center has been disabled. So if your firewall should be turned off purposely or accidentally, Security Center will tell you that it's off. However, in this case it is not monitored. It could be caused by an Internet Security Suite like Norton for example, which purposely disables Windows Firewall and its monitoring because it has its own.

I believe that fixing that entry should bring everything back to normal, so Windows will monitor your firewall again. It'll reset the value to default.

Geezee
2008-12-06, 17:37
Hi Drragostea,

Thanks for the advice. Actually win32.joleee.k disabled the internet security suite (I don't have Norton and it never happened before) but I could put it back. As far as the worm win32.joleee.k is concerned, no change yet. I suspect the manual procedure is not complete and some files may be still there hidden. I'll place this post as advised in the main section if no reply.

Geezee

drragostea
2008-12-06, 17:43
Well, I would suggest you start your post in the Malware Removal Forums as soon as possible. I mean with an Internet Connection, this worm can download more junk and malware components. A worm's main goal is to leech and destroy files.

On the infected machine I would suggest you do as little surfing as possible. :oreo:
-
Is your Norton still able to update and scan normally?