
Unknown Malware [RESOLVED]


This topic is locked

#1
evil joe (Member, 13 posts)
I downloaded a keygen yesterday and it must have had a virus on it. That's the last time I download a keygen. Anyways, now I'm getting some pop-ups once in a while and it turned my Automatic Updates off and I can't seem to turn them back on. I've done a few different scans and found some virtumonde files. I downloaded the virtumonde deleter program that was in one of the stickies on this forum. Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:48 PM, on 11/9/2002
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Razer\razerhid.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Computer Alarm Clock\cac.exe
C:\Program Files\Linksys\WUSB54GSC\WLService.exe
C:\Program Files\Linksys\WUSB54GSC\WUSB54GSC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dropbox\dropbox.exe
C:\Program Files\Razer\razertra.exe
C:\Program Files\Razer\razerofa.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {C0AD4BB5-A3BB-4638-93E8-C8F218FDC66F} - C:\WINDOWS\system32\rqRLBSLB.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [Computer Alarm Clock] C:\Program Files\Computer Alarm Clock\cac.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\dropbox.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3421C473-681B-4320-9AAE-9EC4363F3A89}: NameServer = 192.168.0.1,192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{3421C473-681B-4320-9AAE-9EC4363F3A89}: NameServer = 192.168.0.1,192.168.1.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: ,C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: WUSB54GSC - GEMTEKS - C:\Program Files\Linksys\WUSB54GSC\WLService.exe

--
End of file - 5777 bytes


Any help would be greatly appreciated.
  • 0
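The entries the helper keys on in a log like this are the nameless O2 BHO pointing at a randomly named DLL in system32, the O20 AppInit_DLLs and Winlogon Notify hooks, and O23 services with no publisher string. The Python triage script below is an added example (not HijackThis, OTScanIt2 or anything posted in the thread) that runs those review rules over a constructed excerpt of the log above; the random-name heuristic and the severity labels are my own assumptions.

```python
"""HijackThis v2 log triage for the persistence types seen in this thread.

Added example, not a tool from the thread. Rules applied:
  * O2 BHO with "(no name)" backed by a DLL in system32  -> high
  * O2 BHO whose DLL stem looks machine-generated        -> high
  * O20 AppInit_DLLs / Winlogon Notify hooks             -> review
  * O23 service reported with "Unknown owner"            -> review
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt: a few lines copied from the log posted above, with
# benign entries included so the rules have something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {C0AD4BB5-A3BB-4638-93E8-C8F218FDC66F} - C:\WINDOWS\system32\rqRLBSLB.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O20 - AppInit_DLLs: ,C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high": act on it; "review": confirm publisher and purpose
    reason: str
    line: str


BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.*)$")
WINLOGON_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def file_stem(path: str) -> str:
    """Return the file name without directory or extension (rqRLBSLB for ...\\rqRLBSLB.dll)."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def looks_random(stem: str) -> bool:
    """Heuristic (mine, not HijackThis's): 6-10 letters, no digits, and either
    almost no vowels (rthhuvdf) or a jumbled case pattern (rqRLBSLB, vtUoLFWP).
    Product DLL names such as SDHelper or SASWINLO pass both checks."""
    if not stem.isalpha() or not 6 <= len(stem) <= 10:
        return False
    vowels = sum(ch in "aeiouAEIOU" for ch in stem)
    case_switches = sum(a.islower() != b.islower() for a, b in zip(stem, stem[1:]))
    return vowels < 2 or case_switches >= 3


def triage(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and return the lines a reviewer should act on or confirm."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := BHO_RE.match(line):
            stem = file_stem(m["path"])
            in_system32 = "\\system32\\" in m["path"].lower()
            if m["name"] == "(no name)" and in_system32:
                findings.append(Finding("high", "nameless BHO loading a DLL from system32 (Vundo/Virtumonde pattern)", line))
            elif looks_random(stem):
                findings.append(Finding("high", f"BHO DLL name '{stem}' looks machine-generated", line))
        elif m := APPINIT_RE.match(line):
            dlls = [d.strip() for d in m["value"].split(",") if d.strip()]
            if dlls:
                findings.append(Finding("review", "AppInit_DLLs loads into every user-mode process: " + ", ".join(dlls), line))
        elif m := WINLOGON_RE.match(line):
            findings.append(Finding("review", f"Winlogon Notify hook '{m['name']}' runs at every logon", line))
        elif m := SERVICE_RE.match(line):
            if m["owner"] == "Unknown owner":
                findings.append(Finding("review", f"service '{m['name']}' has no publisher string", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'high': 1, 'review': 3} for SAMPLE_LOG."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(results))
```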



#2
OldTimer (Global Moderator, 3,273 posts)
Hello evil joe and welcome to GeeksToGo. Yup, keygens, P2P downloads, cracked software, it's all loaded with malware. Let's see what we can find.

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Do not change any settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
Use the Add Reply button and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt2 folder and named OTScanIt.txt.

I will review it when it comes in.

Cheers.

OT
  • 0

#3
evil joe (Topic Starter, Member, 13 posts)
For some reason, it won't let me upload it. It says it's too big. I pasted the log here: http://www.eviljoe.com/log.html.
  • 0

#4
OldTimer (Global Moderator, 3,273 posts)
Hi evil joe. This system must have been just installed. That many operating system files is not normal lol.

The file cannot be read from an html page. Upload it here:

http://www.bleepingc....php?channel=43

Cheers.

OT
  • 0

#5
evil joe (Topic Starter, Member, 13 posts)
Alright, I uploaded it.
  • 0

#6
OldTimer (Global Moderator, 3,273 posts)
Hi evil joe. The log was so large because the system clock is incorrect, so go in and fix that first. Set the clock to the correct date/time. Next, follow the steps below in order:

Step #1

Start OTScanIt2. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {4967FCF6-0AE7-4774-BDB0-F2CC20005AC7} [HKLM] -> %SystemRoot%\system32\rqRLBSLB.dll [Reg Error: Value  does not exist or could not be read.]
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
YN -> \\"NoActiveDesktopChanges" -> [0]
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
YN -> \\"DisableTaskMgr" -> [0]
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
YN -> \\"NoActiveDesktop" -> [0]
YN -> \\"NoSaveSettings" -> [0]
YN -> \\"ClassicShell" -> [0]
YN -> \\"NoThemesTab" -> [0]
YN -> \\"ForceActiveDesktopOn" -> [0]
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
YN -> \\"DisableTaskMgr" -> [0]
YN -> \\"NoDispAppearancePage" -> [0]
YN -> \\"NoColorChoice" -> [0]
YN -> \\"NoSizeChoice" -> [0]
YN -> \\"NoDispBackgroundPage" -> [0]
YN -> \\"NoDispScrSavPage" -> [0]
YN -> \\"NoDispCPL" -> [0]
YN -> \\"NoVisualStyleChoice" -> [0]
YN -> \\"NoDispSettingsPage" -> [0]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{e2e2dd38-d088-4134-82b7-f2ba38496583}" [HKLM] -> [Reg Error: Key does not exist or could not be opened.]
< LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
*LSA Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YY -> C:\WINDOWS\system32\rqRLBSLB -> %SystemRoot%\system32\rqRLBSLB.dll
< LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
[Files/Folders - Created Within 30 Days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> vtUoLFWP.dll -> %SystemRoot%\System32\vtUoLFWP.dll
NY -> qoMfecYs.dll -> %SystemRoot%\System32\qoMfecYs.dll
NY -> pmnkKaAR.dll -> %SystemRoot%\System32\pmnkKaAR.dll
NY -> dugiwo.dll -> %SystemRoot%\System32\dugiwo.dll
NY -> sdfdvwqi.dll -> %SystemRoot%\System32\sdfdvwqi.dll
NY -> FNooqtwa.ini -> %SystemRoot%\System32\FNooqtwa.ini
NY -> anvfaawc.jgs -> %SystemRoot%\System32\anvfaawc.jgs
NY -> iifddeBr.dll.vir -> %SystemRoot%\System32\iifddeBr.dll.vir
NY -> qrrnjdhy.ini -> %SystemRoot%\System32\qrrnjdhy.ini
NY -> GgQrCJjl.ini -> %SystemRoot%\System32\GgQrCJjl.ini
NY -> oaoesbko.ini -> %SystemRoot%\System32\oaoesbko.ini
NY -> icppoqtw.ini -> %SystemRoot%\System32\icppoqtw.ini
NY -> gxopyhin.ini -> %SystemRoot%\System32\gxopyhin.ini
NY -> nihypoxg.dll -> %SystemRoot%\System32\nihypoxg.dll
NY -> ptezgs.dll -> %SystemRoot%\System32\ptezgs.dll
NY -> frywvedv.dll -> %SystemRoot%\System32\frywvedv.dll
NY -> BLSBLRqr.ini -> %SystemRoot%\System32\BLSBLRqr.ini
NY -> BLSBLRqr.ini2 -> %SystemRoot%\System32\BLSBLRqr.ini2
NY -> rqRLBSLB.dll -> %SystemRoot%\System32\rqRLBSLB.dll
NY -> ieohjf.dll -> %SystemRoot%\System32\ieohjf.dll
NY -> hmlplnoo.dll -> %SystemRoot%\System32\hmlplnoo.dll
NY -> nuqxbukn.dll -> %SystemRoot%\System32\nuqxbukn.dll
NY -> bkisrojs.dll -> %SystemRoot%\System32\bkisrojs.dll
NY -> sswahv.dll -> %SystemRoot%\System32\sswahv.dll
NY -> nhykewko.dll -> %SystemRoot%\System32\nhykewko.dll
[Files/Folders - Modified Within 30 Days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
NY -> vtUoLFWP.dll -> %SystemRoot%\System32\vtUoLFWP.dll
NY -> qoMfecYs.dll -> %SystemRoot%\System32\qoMfecYs.dll
NY -> pmnkKaAR.dll -> %SystemRoot%\System32\pmnkKaAR.dll
NY -> sdfdvwqi.dll -> %SystemRoot%\System32\sdfdvwqi.dll
NY -> dugiwo.dll -> %SystemRoot%\System32\dugiwo.dll
NY -> anvfaawc.jgs -> %SystemRoot%\System32\anvfaawc.jgs
NY -> iifddeBr.dll.vir -> %SystemRoot%\System32\iifddeBr.dll.vir
NY -> qrrnjdhy.ini -> %SystemRoot%\System32\qrrnjdhy.ini
NY -> GgQrCJjl.ini -> %SystemRoot%\System32\GgQrCJjl.ini
NY -> oaoesbko.ini -> %SystemRoot%\System32\oaoesbko.ini
NY -> icppoqtw.ini -> %SystemRoot%\System32\icppoqtw.ini
NY -> BLSBLRqr.ini -> %SystemRoot%\System32\BLSBLRqr.ini
NY -> BLSBLRqr.ini2 -> %SystemRoot%\System32\BLSBLRqr.ini2
NY -> gxopyhin.ini -> %SystemRoot%\System32\gxopyhin.ini
NY -> nihypoxg.dll -> %SystemRoot%\System32\nihypoxg.dll
NY -> ptezgs.dll -> %SystemRoot%\System32\ptezgs.dll
NY -> frywvedv.dll -> %SystemRoot%\System32\frywvedv.dll
NY -> rqRLBSLB.dll -> %SystemRoot%\System32\rqRLBSLB.dll
NY -> ieohjf.dll -> %SystemRoot%\System32\ieohjf.dll
NY -> hmlplnoo.dll -> %SystemRoot%\System32\hmlplnoo.dll
NY -> nuqxbukn.dll -> %SystemRoot%\System32\nuqxbukn.dll
NY -> FNooqtwa.ini -> %SystemRoot%\System32\FNooqtwa.ini
NY -> bkisrojs.dll -> %SystemRoot%\System32\bkisrojs.dll
NY -> sswahv.dll -> %SystemRoot%\System32\sswahv.dll
NY -> nhykewko.dll -> %SystemRoot%\System32\nhykewko.dll
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #2

Now let's run an online virus scan. Both of these require Internet Explorer. Try F-Secure first. Sometimes it doesn't play nice with other system components so if it cannot complete then try the Kaspersky scan. You only need to complete one of the two.

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
If the F-Secure scan did not work then try an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #3

Run a new OTScanIt2 scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program.
  • Just use the default settings.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it and close Notepad (save changes if necessary).
  • Close OTScanIt2 and locate the OTScanIt.txt file in the folder where OTScanIt2.exe is located.
  • Attach that file back here in your next reply.
Step #4

Copy/paste the following back here in your next reply:
  • The latest OTScanIt2 fix log (look in the OTScanIt2 folder for a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. )
  • The online virus scan report (whichever one you ran)
Attach the following back here in your next reply:
  • The new OTScanIt2 scan log
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
  • 0

#7
evil joe (Topic Starter, Member, 13 posts)
The first OTScanIt2 log is attached. It wouldn't let me upload it as a .log file, so I changed it to .txt. Hopefully that doesn't matter.

Here's the F-Secure report:

Scanning Report
Monday, November 10, 2008 15:55:23 - 17:33:53

Computer name: HAL
Scanning type: Scan system for malware, rootkits
Target: C:\
Result: 17 malware found
AdWare.Win32.SuperJuan (spyware)

* System

Trojan.Win32.Agent (virus)

* System

Trojan.Win32.Agent.amng (virus)

* C:\WINDOWS\SYSTEM32\RTHHUVDF.DLL

Vundo.FBW (virus)

* C:\_OTSCANIT\MOVEDFILES\11102008_150101\C_WINDOWS\SYSTEM32\GGQRCJJL.INI (Submitted)
* C:\_OTSCANIT\MOVEDFILES\11102008_150101\C_WINDOWS\SYSTEM32\GXOPYHIN.INI (Submitted)
* C:\_OTSCANIT\MOVEDFILES\11102008_150101\C_WINDOWS\SYSTEM32\ICPPOQTW.INI (Submitted)
* C:\_OTSCANIT\MOVEDFILES\11102008_150101\C_WINDOWS\SYSTEM32\OAOESBKO.INI (Submitted)
* C:\_OTSCANIT\MOVEDFILES\11102008_150101\C_WINDOWS\SYSTEM32\QRRNJDHY.INI (Submitted)
* C:\WINDOWS\SYSTEM32\FDVUHHTR.INI (Submitted)
* C:\WINDOWS\SYSTEM32\QESTLACQ.INI (Submitted)
* C:\WINDOWS\SYSTEM32\VJRNGENJ.INI (Submitted)

W32/Packed_FSG.D (virus)

* C:\DOCUMENTS AND SETTINGS\USER1\MY DOCUMENTS\DOWNLOADS\MACROMEDIA DREAMWEAVER CS3 + PLUGINS AND CRACK\PLUGINS\LAB_PLUGS_IN\PLUGINLAB COMBO BOX MENU V1.4.0 FOR ADOBE DREAMWEAVER\KEYGEN\KEYGEN.EXE (Submitted)

W32/Vundo.ESD (virus)

* C:\_OTSCANIT\MOVEDFILES\11102008_150101\C_WINDOWS\SYSTEM32\PMNKKAAR.DLL (Submitted)
* C:\_OTSCANIT\MOVEDFILES\11102008_150101\C_WINDOWS\SYSTEM32\QOMFECYS.DLL (Submitted)
* C:\_OTSCANIT\MOVEDFILES\11102008_150101\C_WINDOWS\SYSTEM32\VTUOLFWP.DLL (Submitted)
* C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20021108-133437-609.DLL (Submitted)
* C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20021108-133514-839.DLL (Submitted)

Statistics
Scanned:

* Files: 71945
* System: 3130
* Not scanned: 6

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 17
* Submitted: 14

Files not scanned:

* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\DOCUMENTS AND SETTINGS\USER1\LOCAL SETTINGS\TEMP\ETILQS_RA7TDCSR76E3BYGVQZKJ

Options
Scanning engines:

* F-Secure USS: 2.40.0
* F-Secure Hydra: 2.8.8110, 2008-11-10
* F-Secure AVP: 7.0.171, 2008-11-10
* F-Secure Pegasus: 1.20.0, 2008-10-09
* F-Secure Blacklight: 2.4.1093

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics



And the OTScanIt txt file is uploaded.

Everything went fine during the scans.

Thanks.

Attached Files


Edited by evil joe, 10 November 2008 - 08:42 PM.

  • 0

#8
OldTimer (Global Moderator, 3,273 posts)
Hi evil joe. That looks pretty good. There are just a couple of left-over items to take care of. Follow the steps below in order:

Start OTScanIt2. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {E0BCC603-3693-4063-AA8A-41615CCCB7C3} [HKLM] -> %SystemRoot%\system32\rqRLBSLB.dll [Reg Error: Value  does not exist or could not be read.]
[Files/Folders - Created Within 30 Days]
NY -> vjrngenj.ini -> %SystemRoot%\System32\vjrngenj.ini
NY -> jnegnrjv.dll -> %SystemRoot%\System32\jnegnrjv.dll
NY -> fdvuhhtr.ini -> %SystemRoot%\System32\fdvuhhtr.ini
[Files/Folders - Modified Within 30 Days]
NY -> vjrngenj.ini -> %SystemRoot%\System32\vjrngenj.ini
NY -> jnegnrjv.dll -> %SystemRoot%\System32\jnegnrjv.dll
NY -> fdvuhhtr.ini -> %SystemRoot%\System32\fdvuhhtr.ini
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time.

Post that information back here.

Cheers.

OT
  • 0

#9
evil joe (Topic Starter, Member, 13 posts)
Well, I did what you said, but when the scan was over, it asked me to reboot. I said OK and it didn't do anything. I tried the scan again and the same thing happened. OTScanIt2 was the only thing on the screen, so I restarted the computer. When it came back, it wouldn't start up. It froze at the Windows XP logo. I used the Windows XP installation disk to repair it and when I came back to my desktop, there was an error message that said something like, "ERROR: Could not find jnegnrjv.dll".

I use WinPatrol and when I did the scan the first time, something came up saying that OTScanIt2 was trying to do something, so I allowed it. I thought that may have had something to do with why it didn't work. So I retried the scan without WinPatrol running and it did the same thing.

I've attached the two logs from the first attempt and the log from the second attempt.

Thanks.

Attached Files


  • 0

#10
OldTimer (Global Moderator, 3,273 posts)
Hi evil joe. Most likely WinPatrol is causing some interference. I saw it in the startups but did not see it in the running processes. Applications like that attempt to block changes to the registry, which would prevent the removal of the infected registry items.

It appears that the infection was gone after the second run but was back when the third run was done. Let's see if it is still there. Run a new OTScanIt2 scan and attach that back here. If it's back, we'll disable WinPatrol to make sure that it won't interfere and run a new fix.

Cheers.

OT
  • 0



#11
evil joe (Topic Starter, Member, 13 posts)
New scan is attached.

After using the repair feature on the Windows XP installation disc, I did a system restore. That may be why the files are back. Here's what I did: http://everything2.c...0...%20fix%20it

I'm thinking that if I didn't use system restore, the error message that said, "ERROR: Could not find jnegnrjv.dll" may come up every time I start my computer.

And when I did the second OTScanIt fix, I right clicked the WinPatrol icon in the taskbar and exited out of it. After doing that, the process WinPatrol.exe didn't show up in the Task Manager anymore.

I just checked and it's letting me turn on Automatic Updates again.

If the files are back, maybe I should just run the fix on all of them except for jnegnrjv.dll, because I really don't want to go through the whole start-up-not-working thing again.

Thanks.

Attached Files


  • 0

#12
OldTimer (Global Moderator, 3,273 posts)
Hi evil joe. Well, the system restore brought back those and more. So the options are: remove them or leave them. It depends on if the machine should be clean or infected.

To begin with, permanently turn off WinPatrol (don't just exit out and have it start again on reboot). If it doesn't have that option then uninstall it for now.

Now let's try this again. Follow the steps below in order:

Step #1

Start OTScanIt2. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {E0BCC603-3693-4063-AA8A-41615CCCB7C3} [HKLM] -> %SystemRoot%\system32\rqRLBSLB.dll [Reg Error: Value  does not exist or could not be read.]
< LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
*LSA Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YN -> C:\WINDOWS\system32\rqRLBSLB -> 
< LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
[Files/Folders - Created Within 30 Days]
NY -> ~$ice's Restaurant Tab.docx -> %UserProfile%\My Documents\~$ice's Restaurant Tab.docx
NY -> vjrngenj.ini -> %SystemRoot%\System32\vjrngenj.ini
NY -> jnegnrjv.dll -> %SystemRoot%\System32\jnegnrjv.dll
NY -> yntcpg.dll -> %SystemRoot%\System32\yntcpg.dll
NY -> xurmalrj.dll -> %SystemRoot%\System32\xurmalrj.dll
NY -> fdvuhhtr.ini -> %SystemRoot%\System32\fdvuhhtr.ini
NY -> rthhuvdf.dll -> %SystemRoot%\System32\rthhuvdf.dll
[Files/Folders - Modified Within 30 Days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
NY -> ~$ice's Restaurant Tab.docx -> %UserProfile%\My Documents\~$ice's Restaurant Tab.docx
NY -> vjrngenj.ini -> %SystemRoot%\System32\vjrngenj.ini
NY -> jnegnrjv.dll -> %SystemRoot%\System32\jnegnrjv.dll
NY -> yntcpg.dll -> %SystemRoot%\System32\yntcpg.dll
NY -> xurmalrj.dll -> %SystemRoot%\System32\xurmalrj.dll
NY -> fdvuhhtr.ini -> %SystemRoot%\System32\fdvuhhtr.ini
NY -> rthhuvdf.dll -> %SystemRoot%\System32\rthhuvdf.dll
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #2

Now let's run an online virus scan. Both of these require Internet Explorer. Try F-Secure first. Sometimes it doesn't play nice with other system components so if it cannot complete then try the Kaspersky scan. You only need to complete one of the two.

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
If the F-Secure scan did not work then try an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #3

Run a new OTScanIt2 scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program.
  • Just use the default settings.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it and close Notepad (save changes if necessary).
  • Close OTScanIt2 and locate the OTScanIt.txt file in the folder where OTScanIt2.exe is located.
  • Attach that file back here in your next reply.
Step #4

Copy/paste the following back here in your next reply:
  • The latest OTScanIt2 fix log (look in the OTScanIt2 folder for a file with a name in the form of mmddyyyy_hhmmss.log, for the month, day, year, hours, minutes, and seconds that the scan was run)
  • The online virus scan report (whichever one you ran)
Attach the following back here in your next reply:
  • The new OTScanIt2 scan log
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT

#13 evil joe (Member, Topic Starter, 13 posts)
STEP 1
I turned off WinPatrol and set it so it won't run on startup, but my computer did the same thing. This time I didn't do the system recovery, though. But now every time I log on, an error comes up that says,
"Error loading c:\WINDOWS\system32\jnegnrjv.dll

The specified module could not be found."

I attached the log.

STEP 2
Here's the F-Secure report:

Scanning Report
Wednesday, November 12, 2008 15:11:56 - 16:37:53

Computer name: HAL
Scanning type: Scan system for malware, rootkits
Target: C:\
Result: 17 malware found
AdWare.Win32.SuperJuan (spyware)

* System

Trojan.Win32.Agent.amng (virus)

* C:\_OTSCANIT\MOVEDFILES\11122008_144725\C_WINDOWS\SYSTEM32\RTHHUVDF.DLL (Renamed & Submitted)

Trojan:W32/Vundo.BK (virus)

* C:\_OTSCANIT\MOVEDFILES\11122008_144725\C_WINDOWS\SYSTEM32\JNEGNRJV.DLL (Submitted)

Vundo.FBW (virus)

* C:\_OTSCANIT\MOVEDFILES\11122008_144725\C_WINDOWS\SYSTEM32\FDVUHHTR.INI (Submitted)
* C:\_OTSCANIT\MOVEDFILES\11122008_144725\C_WINDOWS\SYSTEM32\VJRNGENJ.INI (Submitted)
* C:\_OTSCANIT\MOVEDFILES\11102008_150101\C_WINDOWS\SYSTEM32\GGQRCJJL.INI (Submitted)
* C:\_OTSCANIT\MOVEDFILES\11102008_150101\C_WINDOWS\SYSTEM32\GXOPYHIN.INI (Submitted)
* C:\_OTSCANIT\MOVEDFILES\11102008_150101\C_WINDOWS\SYSTEM32\ICPPOQTW.INI (Submitted)
* C:\_OTSCANIT\MOVEDFILES\11102008_150101\C_WINDOWS\SYSTEM32\OAOESBKO.INI (Submitted)
* C:\_OTSCANIT\MOVEDFILES\11102008_150101\C_WINDOWS\SYSTEM32\QRRNJDHY.INI (Submitted)
* C:\WINDOWS\SYSTEM32\QESTLACQ.INI (Submitted)

W32/Packed_FSG.D (virus)

* C:\DOCUMENTS AND SETTINGS\USER1\MY DOCUMENTS\DOWNLOADS\MACROMEDIA DREAMWEAVER CS3 + PLUGINS AND CRACK\PLUGINS\LAB_PLUGS_IN\PLUGINLAB COMBO BOX MENU V1.4.0 FOR ADOBE DREAMWEAVER\KEYGEN\KEYGEN.EXE (Submitted)

W32/Vundo.ESD (virus)

* C:\_OTSCANIT\MOVEDFILES\11102008_150101\C_WINDOWS\SYSTEM32\PMNKKAAR.DLL (Submitted)
* C:\_OTSCANIT\MOVEDFILES\11102008_150101\C_WINDOWS\SYSTEM32\QOMFECYS.DLL (Submitted)
* C:\_OTSCANIT\MOVEDFILES\11102008_150101\C_WINDOWS\SYSTEM32\VTUOLFWP.DLL (Submitted)
* C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20021108-133437-609.DLL (Submitted)
* C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20021108-133514-839.DLL (Submitted)

Statistics
Scanned:

* Files: 71679
* System: 3095
* Not scanned: 6

Actions:

* Disinfected: 0
* Renamed: 1
* Deleted: 0
* None: 16
* Submitted: 16

Files not scanned:

* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\DOCUMENTS AND SETTINGS\USER1\LOCAL SETTINGS\TEMP\ETILQS_EQTFNLIADEVRFTJWUDT1

Options
Scanning engines:

* F-Secure USS: 2.40.0
* F-Secure Hydra: 2.8.8110, 2008-11-12
* F-Secure AVP: 7.0.171, 2008-11-12
* F-Secure Pegasus: 1.20.0, 2008-10-09
* F-Secure Blacklight: 2.4.1093

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics


STEP 3
The log is uploaded.

Edited by evil joe, 12 November 2008 - 06:54 PM.


#14 OldTimer (Global Moderator, 3,273 posts)
=====OTScanIt2 Short Fix

Hi evil joe. That looks pretty good. The startup message would be expected if the infected file was removed. Windows cannot find it anymore so that is what we wanted. There are just a couple of left-over items to take care of. Follow the steps below in order:

Start OTScanIt2. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {E0BCC603-3693-4063-AA8A-41615CCCB7C3} [HKLM] -> %SystemRoot%\system32\rqRLBSLB.dll [Reg Error: Value  does not exist or could not be read.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "2c0b4e63" -> %SystemRoot%\system32\jnegnrjv.DLL [rundll32.exe "C:\WINDOWS\system32\jnegnrjv.dll",b]
< LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
*LSA Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YN -> C:\WINDOWS\system32\rqRLBSLB -> 
< LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time.

Post the results back here.

Cheers.

OT
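The three persistence locations in the fix above (a Browser Helper Object CLSID, a Run value that launches a DLL through rundll32.exe, and an LSA Authentication Packages entry) are exactly the places a defender checks when triaging a Vundo-style infection. The Python script below is an added example, not OTScanIt2's own code and not anything posted in this thread: it parses the fix text above (copied in as a constructed sample), pulls out the file each entry points at, and flags the traits the fix targets. The "random-looking 8-letter file name" heuristic and the use of msv1_0 as the stock Windows XP authentication package are assumptions added here, not statements from the thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the OTScanIt2 "Registry - Safe List" fix text posted above,
# copied verbatim so the parser runs on the thread's own entries.
SAMPLE_FIX = r"""[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {E0BCC603-3693-4063-AA8A-41615CCCB7C3} [HKLM] -> %SystemRoot%\system32\rqRLBSLB.dll [Reg Error: Value  does not exist or could not be read.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "2c0b4e63" -> %SystemRoot%\system32\jnegnrjv.DLL [rundll32.exe "C:\WINDOWS\system32\jnegnrjv.dll",b]
< LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
*LSA Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YN -> C:\WINDOWS\system32\rqRLBSLB ->
< LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
"""

# Section header:  < name [hive] > -> registry key
SECTION_RE = re.compile(r"^<\s*(?P<name>.+?)\s*\[(?P<hive>[^\]]*)\]\s*>\s*->\s*(?P<key>.*)$")
# Entry line:      YN -> value -> target [optional annotation]
ENTRY_RE = re.compile(r"^YN\s*->\s*(?P<value>.*?)\s*->\s*(?P<target>.*)$")
# A field that is a file path (drive letter or %SystemRoot%)
PATH_RE = re.compile(r"^(?:%SystemRoot%|[A-Za-z]:)\\.+$")
# Heuristic (assumption): Vundo-style droppers use 8 random letters as file names
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{8}$")
# Assumption: the only LSA authentication package on a stock Windows XP box
DEFAULT_LSA_PACKAGES = {"msv1_0"}


@dataclass
class Entry:
    section: str          # e.g. "Run", "BHO's", "LSA Authentication Packages"
    key: str              # registry key the section maps to
    value: str            # value name, CLSID or package name as OTScanIt2 printed it
    target: str           # data/command column, including any [...] annotation
    path: Optional[str]   # file the entry points at, if one could be extracted
    findings: List[str] = field(default_factory=list)


def extract_path(field_text: str) -> Optional[str]:
    """Return the file path in an OTScanIt2 field, dropping a trailing [...] annotation."""
    text = re.sub(r"\s*\[.*\]\s*$", "", field_text).strip()
    return text if PATH_RE.match(text) else None


def base_name(path: str) -> str:
    """File name without directory and without extension."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def parse_fix(text: str) -> List[Entry]:
    """Parse OTScanIt2 fix/scan lines into Entry records, tracking the current section."""
    entries: List[Entry] = []
    section, key = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):      # blank or the [Registry - ...] banner
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group("name"), m.group("key")
            continue
        m = ENTRY_RE.match(line)
        if m:
            value, target = m.group("value"), m.group("target")
            # The path sits in the target column, except for LSA entries where it is the value
            path = extract_path(target) or extract_path(value)
            entries.append(Entry(section, key, value, target, path))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Apply defender heuristics; returns only entries with at least one finding."""
    for e in entries:
        e.findings = []                           # idempotent on repeated calls
        sect = e.section.lower()
        base = base_name(e.path) if e.path else ""
        in_system32 = bool(e.path) and "\\system32\\" in e.path.lower()
        if in_system32 and RANDOM_NAME_RE.match(base):
            e.findings.append("random-looking 8-letter file name in system32")
        if sect == "run" and "rundll32" in e.target.lower():
            e.findings.append("Run value starts a DLL via rundll32.exe")
        if sect.startswith("lsa authentication packages") and base.lower() not in DEFAULT_LSA_PACKAGES:
            e.findings.append("non-default LSA authentication package (XP default is msv1_0)")
        if "bho" in sect and "reg error" in e.target.lower():
            e.findings.append("BHO whose registration could not be read (orphaned CLSID)")
    return [e for e in entries if e.findings]


def report(entries: List[Entry]) -> List[str]:
    """One human-readable line per flagged entry."""
    return [f"[{e.section}] {e.value} -> {e.path}: " + "; ".join(e.findings)
            for e in triage(entries)]


if __name__ == "__main__":
    for line in report(parse_fix(SAMPLE_FIX)):
        print(line)
```

Each of the three entries in the sample trips at least two heuristics, which is why all three appear in the fix; a legitimate Run value such as a program under Program Files with a normal name produces no finding. The LSA check is the one worth remembering: an Authentication Packages entry that is not msv1_0 loads a DLL into lsass.exe at every boot, which is why Vundo used it.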

#15 evil joe (Member, Topic Starter, 13 posts)
New log uploaded.
