First, I apologize for the book you're about to read. I figured in this kind of battle you'd rather have too much information than too little.
Okay, I need help with two seemingly popular friends, Virtumonde and jkhhf.dll. In the last few weeks it's gone from annoying to debilitating and it's time for it to DIE.
Known Infection History:
Infection probably began on August 25. Initial symptoms were hijacking to winfixer.com using the about:blank page. I pinned down the infection date by noting when symptoms began and comparing with hostile files found by Adaware and Spybot S&D. Initial infection appeared to be an sp.html variant, though I see that jkhhf.dll was installed on August 25 as well and has probably been the master all along. sp.html was destroyed in a series of, well... vicious purges involving the above-mentioned spyware removers and a hunt for any file I felt I could safely get rid of with that start date.
Problem abated, except for browser resetting to a now blank about:blank page. Occasionally winfixer or an inappropriate site would try to load, but I blocked all such sites with Internet Explorer. (Tools/Internet Options/Security/Restricted Sites etc.)
Approximately three weeks ago I reinstalled McAfee, which is available free through AOL. (I don't like to use it, as it slows my system down.) McAfee found jkhhf.dll and other hostile programs. Deleted everything. jkhhf, needless to say, refused to die. (Installed in resident memory.) Rebooted system in safe mode. Failure to delete through Windows or via DOS CMD. Used 'regedit' to find hostile registry entries. Deleted successfully, then they reloaded automatically. Used 'TextPad' (an advanced Notepad) to hack into jkhhf.dll. Failed to change file. (Program in use by another program.)
Symptoms suddenly exploded. Now upon booting, the system instantly makes three separate attempts to access the Internet. As I'm on a dialup modem, it fails. It will frequently repeat this attempt in twos or threes. It now redirects the browser to morwillsearch.com, search.lycos.com, and a [bleep] site at random intervals when I attempt to change the page. Attempts to block these sites as with winfixer have failed - possibly because, I suspect, copies of the hostile pages are being stored on the computer.
Infected system is a Compaq DSDT. BIOS version 686P2 v2.11.
Processor is an Intel Pentium III x86 Family 6 Model 8 Stepping 10, 996 MHZ.
It is running Windows v 5.1.2600 HotFix Q8111114, no service packs. (I thought I downloaded some earlier, but they must have been hotfixes. Meh.) as well as Internet Explorer v 6.0.2800.1106.xpclnt_qfe.021108-21071C, 128 bit Cipher. Updated Version SP1.
A regedit search for "jkhhf" prior to taking actions resulted in the following hits:
Software/Microsoft/Windows/Current Version/Explorer/Comsig 32/Open Save Menu/DLL/a (Reg_SZ) (c:/winnt/system32/jkhhf.dll - which is the correct location of the file)
....Windows/Notify/JKHHF (6 entries - reg_szs and reg_dwords.)
No action taken, as I didn't want to compromise the HijackThis log below.
Here are the actions I took in order and their results:
1. Disabled safeguards offered by Spybot S&D/Tools. I didn't want anything interfering with the clean attempt.
2. Downloaded all recommended programs for defeating malware. Installed. AVG and ewido instantly detected hostile programs. I refused cleanup to get a complete HijackThis log. Experiencing major slowdown (probable active programs in background).
3. Disabled McAfee AV - same reason as above.
4. Ran HijackThis. Results follow:
Logfile of HijackThis v1.99.1
Scan saved at 1:44:17 PM, on 12/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\cpqalert.exe
C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
C:\Program Files\Compaq\LCRMS\LCRMS.EXE
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
c:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\cpqdmi.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\CHKADMIN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe
C:\Program Files\TextPad 4\TextPad.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3ce37709-9c80-4208-be1a-fa08c86989db} - C:\WINNT\System32\jjcbebif.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: (no name) - {E7B9E2BE-20BB-4FD2-8B26-4C493B631E4C} - C:\WINNT\System32\njom.dll (disabled by BHODemon)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CHKADMIN] CHKADMIN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 4.2\THGuard.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .mu3: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .mus: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .mut: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .myr: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol....83/mcinsctl.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx...erInstaller.exe
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol....,20/McGDMgr.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitc...allNetscape.exe
O20 - Winlogon Notify: jkhhf - C:\WINNT\System32\jkhhf.dll
O21 - SSODL: Arachnophilia version 4.0_is1 - {A40FD18B-BFB1-4D9C-D9B4-908857372A75} - c:\program files\arachnophilia\wydij32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\WINNT\System32\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Unknown owner - C:\WINNT\CPQDIAG\CPQDFWAG.EXE (file missing)
O23 - Service: CPQDMI - Compaq Computer Corporation - C:\WINNT\System32\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (CpqWebDmi) - Compaq Computer Corporation - C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Program Files\Compaq\LCRMS\LCRMS.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Win32sl - Intel - c:\dmi\win32\bin\Win32sl.exe
5. Noticed through Task Manager that ewido, AVG and McAfee were still running in the background. Disabled manually. Slowdown did not abate.
6. Signed online. Updated all programs that needed one. Signed off. (I heard some malware likes to hide in resident memory when user is online.) Slowdown stopped in middle of updates. (Hmm...I wonder if my jkhhf friend was doing something.)
7. Manually cleaned Temp folders. (Documents and Settings/(User)/Local Settings/Temp) I read on cleanup's page that they are wary of doing that, but I know the only legit entries for my 'puter are the Temporary Internet Files/Cookies/History folders.
Result: 35 files to recycle bin. None failed to be deleted.
8. CleanUp: 18,664 files deleted, 344.9 MB recovered. No problems. (Wow, I really thought I took better care of my system than this. Meh.) Restarted system. Malware problem did not abate. (No surprise) Disabled McAfee, AVG, etc. again. Closed program.
9. Adaware: 2 Hostile Registry Keys. Deleted. Closed program.
A. Virtumonde Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : msevents.msevents
B. Virtumonde Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : msevents.msevents.1
10. CWShredder: System clean. Closed program.
11. ewido:
HKLM\SOFTWARE\Classes\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CLSID -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CurVer -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents.1 -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\ShudderLTD -> Spyware.PSGuard : Error during cleaning
HKLM\SOFTWARE\ShudderLTD\PSGuard -> Spyware.PSGuard : Error during cleaning
HKLM\SOFTWARE\ShudderLTD\PSGuard\PSGuard -> Spyware.PSGuard : Error during cleaning
HKLM\SOFTWARE\ShudderLTD\PSGuard\PSGuard\License -> Spyware.PSGuard : Cleaned with backup
HKU\S-1-5-21-1099856789-88436511-1547775799-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-1099856789-88436511-1547775799-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-1099856789-88436511-1547775799-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Colin\Application Data\Netscape\NSB\Profiles\x2im9gum.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Colin\Application Data\Netscape\NSB\Profiles\x2im9gum.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Colin\Application Data\Netscape\NSB\Profiles\x2im9gum.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Colin\Application Data\Netscape\NSB\Profiles\x2im9gum.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Colin\Application Data\Netscape\NSB\Profiles\x2im9gum.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Colin\Application Data\Netscape\NSB\Profiles\x2im9gum.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Colin\Application Data\Netscape\NSB\Profiles\x2im9gum.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Colin\Application Data\Netscape\NSB\Profiles\x2im9gum.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Colin\Application Data\Netscape\NSB\Profiles\x2im9gum.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Colin\Application Data\Netscape\NSB\Profiles\x2im9gum.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Colin\Application Data\Netscape\NSB\Profiles\x2im9gum.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Colin\Application Data\Netscape\NSB\Profiles\x2im9gum.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Colin\Application Data\Netscape\NSB\Profiles\x2im9gum.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Colin\Application Data\Netscape\NSB\Profiles\x2im9gum.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Colin\Application Data\Netscape\NSB\Profiles\x2im9gum.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Colin\Application Data\Netscape\NSB\Profiles\x2im9gum.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Colin\Application Data\Netscape\NSB\Profiles\x2im9gum.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Colin\Application Data\Netscape\NSB\Profiles\x2im9gum.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Colin\Application Data\Netscape\NSB\Profiles\x2im9gum.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Colin\Application Data\Netscape\NSB\Profiles\x2im9gum.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Colin\Application Data\Netscape\NSB\Profiles\x2im9gum.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Colin\Application Data\Netscape\NSB\Profiles\x2im9gum.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\WINNT\SYSTEM32\DRIVERS\df_kmd.sys -> Trojan.Rootkit.Agent.af : Cleaned without backup
C:\WINNT\SYSTEM32\jkhhf.dll -> Trojan.Crypt.o : Cleaned without backup
Cleaned ewido's quarantine queue. Closed program. ewido is NOT set to act automatically.
12. SpyBot S&D: Malware attempted to activate during scan. ("This page is not available offline. Connect/Stay Offline.") It'd been quiet since Adaware. It might be coincidence, but it didn't seem to like Spybot's search for CoolWWWSearchFeatdll-ware, though as noted previously CWShredder came up negative.
VirtuMonde: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{827DC836-DD9F-4A68-A602-5812EB50A834}
VirtuMonde: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\MSEvents.MSEvents.1
VirtuMonde: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\MSEvents.MSEvents
Files deleted.
VirtuMonde: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{827DC836-DD9F-4A68-A602-5812EB50A834}
Could not delete, may be in resident memory. Restarted computer. Spybot started automatically. Interestingly, malware did not attempt to autolaunch.
VirtuMonde: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{827DC836-DD9F-4A68-A602-5812EB50A834}
VirtuMonde: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\MSEvents.MSEvents.1
VirtuMonde: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\MSEvents.MSEvents
Files deleted.
VirtuMonde: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{827DC836-DD9F-4A68-A602-5812EB50A834}
Could not delete. Did NOT restart computer.
13. Decided NOT to pursue online options (Trend, Panda, etc.) for concern that the files deleted to date might try to reload themselves automatically - and with two separate AVs, one of them just downloaded today, one should be uncorrupted.
14. Ensured McAfee was not active (via Task Manager.) Learned McAfee did not want to restart anyway without verifying subscription online. (Possible link to malware not attempting to start??) Loaded AVG. Three .dlls removed (wcxgg32.dll, wydij32.dll, oleext.dll)
15. TrojanHunter: System clean.
16. Went online to satisfy McAfee's verification and download Windows SP. McAfee site wanted to install something... I reluctantly agreed.
Received error page: pe: text/html Cache-control: private Error: Access is Denied
Theory 1: Cleanup deleted something it shouldn't have. No real loss. I'm thinking of getting rid of AOL anyway, which would have voided my McAfee subscription and is why I d/led AVG.
Theory 2: Malware corrupted McAfee and it's looking for one of the deleted files.
17. From Microsoft site:
Downloaded Microsoft Update
Downloaded Microsoft Publisher - together this loaded the update screen.
Chose Express option (vs. custom). Recommendations All Accepted:
Security Update for Windows XP (KB835732) (2.6 MB)
Multiple security issues have been identified that could allow an attacker to compromise a computer running Windows and gain complete control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer. Addresses a critical security problem
Windows Malicious Software Removal Tool - December 2005 (KB890830) (1.1 MB)
After the download, this tool runs once to check your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove any infection found. If an infection is found, the tool will display a status report the next time you start your computer. A new version of the tool will be offered every month. If you want to manually run the tool on your computer, you can download a copy from the Microsoft Download Center or run an online version from microsoft.com. This tool is not a replacement for an anti-virus product. To help protect your computer, you should use an anti-virus product. Details...
810833: Security Update (Windows XP) (379 KB)
A security issue has been identified that could allow an attacker to compromise a computer running Microsoft® Windows® and gain control over it. This issue is most likely to affect computers used as servers. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer. Details...
Security Update for Windows XP (KB824151) (404 KB)
A security issue has been identified that could allow an attacker to cause a computer running Microsoft Internet Information Services to stop responding. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer. Details...
Cumulative Security Update for Internet Explorer 6 Service Pack 1 (KB834707) (3.1 MB)
A security issue has been identified that could allow an attacker to compromise a computer running Internet Explorer and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer. Details...
Microsoft .NET Framework 1.1 Service Pack 1 (10.2 MB)
Microsoft .NET Framework 1.1 Service Pack 1 resolves various issues found after the initial release of .NET Framework 1.1. These include both security- and non-security-related issues. After you install this item, you may have to restart your computer. Once you have installed this item, it cannot be removed. Details...
823559: Security Update for Microsoft Windows
Restarted system per MS request to complete update. The malware MAY have tried something right at the end. ("This page is not available offline, etc.") but it also seems possible Microsoft's restart protocol disabled AOL (and thus knocked me offline) before it finished with IE.
Upon restart, McAfee tried to reactivate. (No doubt there are starting scripts.) Because of the above I decided I didn't trust it, uninstalled McAfee (Add/Remove Program) and restarted.
Went online, checked Microsoft again as I saw no reference above to SP 1a or SP 2. (While looking through Add/Remove Programs, I did find references to SP2. I wonder if the initial help screen that told me I had no service packs was in error.) Where can I verify this?
Anyway, 18. Ran HijackThis. (Since there had been restarts since the cleanup and loading the Microsoft updates, I assumed we were okay.) Results:
Logfile of HijackThis v1.99.1
Scan saved at 6:55:17 PM, on 12/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\logonui.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\cpqalert.exe
C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Compaq\LCRMS\LCRMS.EXE
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
c:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\cpqdmi.exe
C:\WINNT\System32\CHKADMIN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\America Online 9.0a\aolwbspd.exe
C:\Program Files\TextPad 4\TextPad.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\wbem\wmiprvse.exe
C:\WINNT\Explorer.EXE
C:\HijackThis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3ce37709-9c80-4208-be1a-fa08c86989db} - C:\WINNT\System32\jjcbebif.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: (no name) - {E7B9E2BE-20BB-4FD2-8B26-4C493B631E4C} - C:\WINNT\System32\njom.dll (disabled by BHODemon)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CHKADMIN] CHKADMIN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .mu3: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .mus: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .mut: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .myr: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol....83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1135462529358
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1135462477139
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx...erInstaller.exe
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol....,20/McGDMgr.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitc...allNetscape.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3E953B7-AF2F-4790-AF14-A89DB5896534}: NameServer = 205.188.146.145
O20 - Winlogon Notify: jkhhf - C:\WINNT\System32\jkhhf.dll (file missing)
O21 - SSODL: Arachnophilia version 4.0_is1 - {A40FD18B-BFB1-4D9C-D9B4-908857372A75} - c:\program files\arachnophilia\wydij32.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\WINNT\System32\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Unknown owner - C:\WINNT\CPQDIAG\CPQDFWAG.EXE (file missing)
O23 - Service: CPQDMI - Compaq Computer Corporation - C:\WINNT\System32\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (CpqWebDmi) - Compaq Computer Corporation - C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Program Files\Compaq\LCRMS\LCRMS.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Win32sl - Intel - c:\dmi\win32\bin\Win32sl.exe
So, did I kill it? And if not, what now? I'm worried about those Virtumonde registries that Spybot couldn't take out.
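A triage script for the kind of HijackThis log posted above, added here as an example; it is not part of HijackThis and not the poster's work. It parses the `Onn - ...` item lines and flags the entry types that carried the persistence in this case: O20 Winlogon Notify packages that are not in an assumed allow-list of the packages Windows XP ships with, unnamed O2 BHOs loaded from System32 under a random-looking filename, orphaned O2 registrations, O21 SSODL entries, and O17 NameServer overrides. The sample lines are excerpted from the second log above; the allow-list and the filename pattern are this example's assumptions, not HijackThis rules.

```python
"""Triage of HijackThis item lines: flag the entry types that carry persistence.

Added example for this page; it is not HijackThis code and not the poster's.
"""
import re
from typing import Dict, List, Optional

# A HijackThis item line looks like:
#   O20 - Winlogon Notify: jkhhf - C:\WINNT\System32\jkhhf.dll
HJT_ITEM = re.compile(r"^(O\d+) - (.*)$")

# Assumed allow-list of Winlogon Notify packages that ship with Windows XP.
# Anything else is a DLL loaded into winlogon.exe at logon and deserves a look.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Assumed heuristic: a DLL directly under System32 whose name is a short run
# of lowercase letters with no digits or vendor prefix (jkhhf.dll, jjcbebif.dll).
RANDOM_SYS32_DLL = re.compile(r"\\system32\\[a-z]{4,10}\.dll", re.IGNORECASE)


def parse_item(line: str) -> Optional[Dict[str, str]]:
    """Split 'Onn - body' into type and body; non-item lines return None."""
    m = HJT_ITEM.match(line.strip())
    if not m:
        return None
    otype, body = m.groups()
    return {"type": otype, "body": body, "raw": line.strip()}


def _finding(entry: Dict[str, str], severity: str, why: str) -> Dict[str, str]:
    return {"type": entry["type"], "severity": severity, "why": why, "raw": entry["raw"]}


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per item that should be reviewed, most dangerous first."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        e = parse_item(line)
        if e is None:
            continue
        t, body = e["type"], e["body"]
        if t == "O20" and body.startswith("Winlogon Notify:"):
            # "Winlogon Notify: <package> - <path>"
            pkg = body.split(":", 1)[1].split(" - ", 1)[0].strip()
            if pkg.lower() not in KNOWN_WINLOGON_NOTIFY:
                findings.append(_finding(e, "high",
                    "unknown Winlogon Notify package: loaded by winlogon.exe at logon, "
                    "so the DLL is locked while anyone is logged on"))
        elif t == "O2" and body.startswith("BHO:"):
            if "(no name)" in body and RANDOM_SYS32_DLL.search(body):
                findings.append(_finding(e, "high",
                    "unnamed BHO loaded from System32 with a random-looking filename"))
            elif "(no file)" in body:
                findings.append(_finding(e, "low",
                    "orphaned BHO: CLSID still registered but the DLL is gone"))
        elif t == "O21" and body.startswith("SSODL:"):
            findings.append(_finding(e, "medium",
                "ShellServiceObjectDelayLoad entry: explorer.exe loads it at every logon"))
        elif t == "O17" and "NameServer" in body:
            findings.append(_finding(e, "medium",
                "per-adapter DNS override: confirm the address belongs to your ISP"))
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: order[f["severity"]])
    return findings


# Constructed sample: lines excerpted from the second HijackThis log in the post.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {3ce37709-9c80-4208-be1a-fa08c86989db} - C:\WINNT\System32\jjcbebif.dll",
    r"O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - (no file)",
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{B3E953B7-AF2F-4790-AF14-A89DB5896534}: NameServer = 205.188.146.145",
    r"O20 - Winlogon Notify: jkhhf - C:\WINNT\System32\jkhhf.dll (file missing)",
    r"O21 - SSODL: Arachnophilia version 4.0_is1 - {A40FD18B-BFB1-4D9C-D9B4-908857372A75} - c:\program files\arachnophilia\wydij32.dll (file missing)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['type']}: {f['why']}\n         {f['raw']}")
```

The O20 rule is the one that matters for the post: a Winlogon Notify DLL is mapped into winlogon.exe before the desktop appears, which is why the file reported "in use by another program" and reloaded its registry entries after a manual delete. An O20 line that now reads "(file missing)" is a dead registration, but the key itself should still be removed so nothing can drop a new jkhhf.dll into the path it names.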