Author Topic: No idea what to do...  (Read 4303 times)


Tom Delfry

  • Guest
No idea what to do...
« on: November 15, 2008, 12:34:54 AM »
Hello all,

I really don't know a thing about computers much less viruses.  I do know, however, that my avast! siren has been going off like mad over the last few days and I'm pretty sure the malware is affecting my computer's performance.

Here are the "warnings" as noted in my event viewer.  (Unfortunately, I have already deleted some of these files from my chest without realizing that that might not have been a smart move.  Avast! found them again.)

Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\88YG1EFK\KB908955[1].exe" file.

Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\user\Local Settings\Temp\wJQs.exe" file.

Sign of "JS:Agent-DE [trj]" has been found in "proffesionalscan.com/2009/1/en/_freescan.php?nu=770522168440" file.

Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\efcASklL.dll" file. 

Thank you for your help.  I tip my hat to those of you who understand this stuff.  If at all possible, can you render your advice in laymen's terms?

-Tom Dalfry

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89166
  • No support PMs thanks
Re: No idea what to do...
« Reply #1 on: November 15, 2008, 12:55:14 AM »
You have done the right thing, 'first do no harm' don't delete, send virus to the chest and investigate.

Unfortunately before you got to the investigation bit you deleted some of them, effectively choosing delete as a first option. Deletion isn't really a good first option (you have none left), 'first do no harm' don't delete, send virus to the chest and investigate.

Based entirely on the file names and their location (not entirely 100% satisfactory but with no other evidence) I believe these to be good detections.

The first looks like a fake KB as they aren't normally installed by fi
The second is also associated with malware.
The third one you list prompts this question: recently, have you been getting any pop-ups that your system is infected or vulnerable from anything other than avast?
The last one efcASklL.dll is associated with a fake alert rogue program hence the above question.

Google is your friend and you can get a lot of information by googling the file name reported as infected.

So these may also have some travelling companions, so I would also suggest these applications.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

1. SUPERantispyware On-Demand only in free version. Don't worry about reported cookies they aren't a security problem, clear them out anyway.

2. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Tom Delfry

  • Guest
Re: No idea what to do...
« Reply #2 on: November 15, 2008, 01:01:20 AM »
Thanks for the quick reply.

As for the pop-ups - you're right on the mark.  I get a "You need to download this antivirus software 2008" pop-up when I use Internet Explorer (but not Google Chrome).  Also, Explorer has been opening to random pages such as the Yellow Pages.  I closed the pop-ups as soon as I could.

Just ran a search again.  Here are some new ones - all are in the chest.  Should I do anything with them?

Sign of "Win32:Crypt-DDH [trj]" has been found in "C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP139\A0039601.dll" file.

Sign of "Win32:Crypt-DDH [trj]" has been found in "C:\WINDOWS\system32\hbwovjvy.dll" file. 

Sign of "Win32:Crypt-DDH [trj]" has been found in "C:\WINDOWS\system32\huxfml.dll" file. 

Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP140\A0039731.dll" file. 

Thank you.  I'll go ahead and download those programs you recommended.


Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89166
  • No support PMs thanks
Re: No idea what to do...
« Reply #3 on: November 15, 2008, 01:11:36 AM »
The ones from C:\System Volume Information\ _restore points are hard to do any checking about but personally if there is any doubt I wouldn't want it in the C:\System Volume Information folder to possibly bite me in the rear if I use system restore in the future.

The other two look like they are randomly generated file names (zero hits on google is a clue) probably associated with vundo, which may also have friends, so given this and my previous post, what are you still doing here ;D

Get downloading those two applications, run one and report the findings and then run and report the second.

What is your firewall ?

Tom Delfry

  • Guest
Re: No idea what to do...
« Reply #4 on: November 15, 2008, 02:53:36 PM »
Thanks again.  I realized I had a copy of Spybot on my computer.  I updated it and ran it instead of SuperSpywear.  Is that an ok move?  It revealed Vundo, Zedo, and a few other generic pieces of spyware that seemed relatively harmless after a quick google search.  In my haste, I already removed them.

As for my firewall, the XP control panel says it's on with few exceptions.  As for my cookie settings, I just noticed that it was set to "accept all cookies."  I had no idea that was the case; I thought it was at least set to medium.  Do you think that's how this mess got started?

Just ran Malwarebytes.  Here's what it revealed.


Memory Modules Infected:
C:\WINDOWS\system32\avpchbqd.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\mlJDwXrQ.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{82f304f4-0d81-4b73-988e-7ce168bd8328} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{82f304f4-0d81-4b73-988e-7ce168bd8328} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6c8ec7fa (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Security Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\mljdwxrq -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\mljdwxrq  -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: msansspc.dll -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\mlJDwXrQ.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\QrXwDJlm.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\QrXwDJlm.ini2 (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\avpchbqd.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\dqbhcpva.ini (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\MWAO1U6O\kb600179[1] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\WHQL7U6L\upd[1] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\ZGU8VQC3\nd82m0[1] (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP140\A0039712.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP141\A0039803.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\fxwddmqp.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\nhbspl.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\rxrzdo.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\igpruuhk.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\hewowukt.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\msansspc.dll (Trojan.Agent) -> No action taken.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89166
  • No support PMs thanks
Re: No idea what to do...
« Reply #5 on: November 15, 2008, 03:29:50 PM »
Personally I feel S&D is in a different league to SuperAntiSpyware.
SAS would, I'm sure, also have revealed some of these vundo files, though S&D doesn't seem to have been a washout.

Run MBAM again (as the No action taken means you didn't elect to do anything) and when it completes all the above entries should be selected (a check mark against them), if not check them all and click the Remove selected, see image.

Allowing all cookies: whilst ideally you should only allow cookies for the site you are visiting (no third party cookies), they are a minor privacy issue and aren't responsible for this.

####
Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

- There are many freeware firewalls such as Comodo, PCTools Firewall Plus, Jetico, etc. - Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trialware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider will only go as far as Medium protection; if you want more you have to buy the Pro version.

See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0
See http://www.matousec.com/projects/firewall-challenge/results.php.
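
To see what the MBAM log in Reply #4 is actually telling you, and why the "No action taken" entries DavidR points out in Reply #5 matter, here is an added Python example; it is not from this thread and is not Malwarebytes' own code. It parses lines in that log layout and groups each hit by where it lives and whether that location starts code automatically (the Run key, the IE Browser Helper Object, and the LSA "Security Packages" / "Authentication Packages" and "SecurityProviders" values are all load points that Windows reads at logon or boot). The embedded sample log is constructed from the entries quoted above plus one constructed "Quarantined and deleted" line so the pending/removed split is visible; the rule table and the wording of the categories are my own assumptions.

```python
"""Parse a MalwareBytes (MBAM) scan log and classify each hit by persistence location.

Added example for this forum thread; not Malwarebytes' own tooling.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the 2008 MBAM log layout: "<item> (<family>) -> [Data: <x> -> ]<action>."
# Entries mirror the ones quoted in the thread; the final line is a constructed
# "already removed" entry so the pending/removed distinction shows up.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{82f304f4-0d81-4b73-988e-7ce168bd8328} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6c8ec7fa (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Security Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\mljdwxrq -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: msansspc.dll -> No action taken.

Files Infected:
C:\WINDOWS\system32\mlJDwXrQ.dll (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\WHQL7U6L\upd[1] (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP140\A0039712.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\msansspc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# One detection per line: item, (family), optional "Data: value ->", then the action taken.
LINE_RE = re.compile(
    r"^(?P<item>.+) \((?P<family>[^()]+)\)\s+->\s+"
    r"(?:Data:\s+(?P<data>.+?)\s+->\s+)?(?P<action>.+?)\.?$"
)

# (regex over the lower-cased item, human-readable kind, does Windows auto-load code from here?)
# First matching rule wins; these categories are this example's own assumptions.
PERSISTENCE_RULES = [
    (r"\\currentversion\\run\\", "Run key (runs at logon)", True),
    (r"browser helper objects", "IE Browser Helper Object (loads in every IE process)", True),
    (r"\\control\\lsa\\(security|authentication) packages", "LSA package (loaded into lsass.exe at boot)", True),
    (r"\\securityproviders\\securityproviders", "SSPI security provider (loaded at boot)", True),
    (r"system volume information\\_restore", "System Restore snapshot copy", False),
    (r"temporary internet files", "browser cache (downloaded dropper)", False),
    (r"\\system32\\", "payload file in system32", False),
    (r"^hkey_", "other registry key/value", False),
]


@dataclass
class Detection:
    item: str
    family: str
    data: Optional[str]   # the module named in a "Data:" entry, if any
    action: str
    kind: str
    autostart: bool

    @property
    def pending(self) -> bool:
        # MBAM writes "No action taken" when the scan ran without "Remove selected".
        return self.action.lower().startswith("no action taken")


def classify(item: str) -> tuple:
    """Map a file path or registry path to a (kind, autostart) pair."""
    low = item.lower()
    for pattern, kind, autostart in PERSISTENCE_RULES:
        if re.search(pattern, low):
            return kind, autostart
    return "unclassified", False


def parse_mbam_log(text: str) -> list:
    """Return one Detection per log line that describes a hit; headers are skipped."""
    found = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section headers, blank lines, "(No malicious items detected)"
        kind, autostart = classify(m["item"])
        found.append(Detection(m["item"], m["family"], m["data"], m["action"], kind, autostart))
    return found


def summarize(text: str) -> dict:
    """Counts by persistence kind, plus the auto-start entries still awaiting removal."""
    hits = parse_mbam_log(text)
    return {
        "total": len(hits),
        "pending": sum(h.pending for h in hits),
        "autostart_pending": [h.item for h in hits if h.autostart and h.pending],
        "by_kind": dict(Counter(h.kind for h in hits)),
        "loaded_modules": [h.data for h in hits if h.data],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} detections, {s['pending']} still pending removal")
    for kind, n in s["by_kind"].items():
        print(f"  {n}x {kind}")
    print("auto-start entries still pending (clean these before rebooting):")
    for item in s["autostart_pending"]:
        print("  ", item)
```

Running it on the sample shows the practical point of this thread: four of the pending entries are load points that re-launch the DLLs at the next boot or logon, so a log full of "No action taken" means nothing has been cleaned yet, and the registry entries and the files they point at have to go together.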

Tom Delfry

  • Guest
Re: No idea what to do...
« Reply #6 on: November 15, 2008, 03:37:13 PM »
Thanks David.  I really appreciate your help.  I'll get a third party firewall pronto.

I have removed the malware running MBAM.  Running one more quick S&D search, it looks like I still have one virtumonde trojan.  Bleepingcomputer.com has a faq about the trojan with two fixes - vundofix and virtumondobegone.  Do you think these programs are safe to download and try?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89166
  • No support PMs thanks
Re: No idea what to do...
« Reply #7 on: November 15, 2008, 04:21:31 PM »
You're welcome.

Both are safe to download if the source is good and bleeping is good, the normal route is to use vundofix first and if that doesn't do it use virtumondobegone.

I believe there is a list of instructions on how to use vundofix on bleeping computers, cleansing instructions for Virtumonde: http://www.bleepingcomputer.com/forums/topic18610.html .