
Request solution to clean infected computer including: wvuvsrq.dll and iiiii.dll

  #1  
Old 02-25-2008
Newcomer, in training
 
Location: The Promised Land
Member since: Feb 2008, 26 posts
System specs
Request solution to clean infected computer including: wvuvsrq.dll and iiiii.dll

I'm not really strong in security, but I run antivirus and a firewall, and stay away from dangerous places online. I accidentally downloaded something that appears to be attacking and infecting my computer. What I've found so far using TeaTimer are the following 2 new files: wvuvsrq.dll and iiiii.dll. I have downloaded the VundoFix from online. But I have no reason to believe a rootkit wasn't installed, or other backdoor trojans.

I was impressed by this site and how many people it has helped, so I signed up. I noticed many people being asked to run HiJackThis and share the log file. So I did that. Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:39 PM, on 2/25/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINNT\CTHELPER.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\AnalogX\NetStat Live\nsl.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\taskmgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINNT\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\freeCommander2006\FreeCommander.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Download\VundoFix.exe
D:\Download\HiJackThis_v202(3).exe

O1 - Hosts: 169.254.140.213 HP000D9D198CD5
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8C25665A-11E3-4B3E-A8C0-6B83A9179366} - C:\WINNT\system32\iiiii.dll
O2 - BHO: (no name) - {BA6C6CB6-676C-4DEA-9BDA-3BC4AB075F7C} - C:\WINNT\system32\wvuvsrq.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [NetStat Live] C:\Program Files\AnalogX\NetStat Live\nsl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-21-789336058-746137067-1343024091-1000\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 (User '?')
O4 - HKUS\S-1-5-21-789336058-746137067-1343024091-1000\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-789336058-746137067-1343024091-1000\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart (User '?')
O4 - HKUS\S-1-5-21-789336058-746137067-1343024091-1000\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020 (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Device Detector 3.lnk.disabled
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk.disabled
O4 - Global Startup: NCProTray.lnk.disabled
O4 - Global Startup: SnagIt 8.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - https://ra.qwest.com/sdccommon/download/tgctlins.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/...?1188052524374
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1160624034873
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1182649791054
O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} (Gif89 Lite Class) - http://63.146.72.174/xplugLite.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O20 - Winlogon Notify: wvuvsrq - C:\WINNT\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional Business XI.SP1\RpcSandraSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8445 bytes

Thanks for any help that you can provide tonight.

- Aric

Windows 2000
  #2  
Old 02-25-2008
Blind Dragon's Avatar
TechSpot Evangelist
 
Location: Tampa FL
Member since: Oct 2007, 4,040 posts
System specs
ConHook aka Chisyne trojan variant of VirtuMonde/Vundo adware downloader

Please follow through these preliminary removal instructions and post back in this thread with 3 logs:

1) HijackThis
2) ComboFix
3) AVG log

*Also, can you please post the logs as attachments by using the icon above your reply that looks like a paperclip.

This thread is for the use of AricCougar only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
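The HijackThis log in post #1 lists two nameless BHOs loading DLLs from C:\WINNT\system32, and one of them shares its name with the O20 Winlogon Notify entry. The sketch below is an added example, not part of the original thread or of any tool mentioned in it; the two flagging rules and all function names are assumptions chosen for triage, and a hit is a lead to investigate, not a verdict.

```python
import ntpath
import re

# Lines copied from the HijackThis log in post #1 (an excerpt, not the full log).
SAMPLE_LOG = r"""
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8C25665A-11E3-4B3E-A8C0-6B83A9179366} - C:\WINNT\system32\iiiii.dll
O2 - BHO: (no name) - {BA6C6CB6-676C-4DEA-9BDA-3BC4AB075F7C} - C:\WINNT\system32\wvuvsrq.dll
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O20 - Winlogon Notify: wvuvsrq - C:\WINNT\
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# O2 lines: "O2 - BHO: <name> - {CLSID} - <path to DLL>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"
)
# O20 notify lines: "O20 - Winlogon Notify: <package name> - <path>"
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.*)$")


def parse_entries(log_text):
    """Return (bhos, notify) lists of dicts parsed from O2 and O20 notify lines."""
    bhos, notify = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = BHO_RE.match(line)
        if match:
            bhos.append(match.groupdict())
            continue
        match = NOTIFY_RE.match(line)
        if match:
            notify.append(match.groupdict())
    return bhos, notify


def in_system32(path):
    """True when the file sits directly in a directory named system32."""
    parent = ntpath.dirname(path)
    return ntpath.basename(parent).lower() == "system32"


def triage(log_text):
    """Flag BHOs that match either assumed rule; keep the reasons per entry."""
    bhos, notify = parse_entries(log_text)
    notify_names = {entry["name"].lower() for entry in notify}
    findings = []
    for bho in bhos:
        reasons = []
        stem = ntpath.splitext(ntpath.basename(bho["path"]))[0].lower()
        # Rule 1 (assumption): a BHO with no display name loaded from system32.
        if bho["name"] == "(no name)" and in_system32(bho["path"]):
            reasons.append("nameless BHO loading a DLL from system32")
        # Rule 2 (assumption): the same module name is also a Winlogon Notify
        # package, i.e. it is registered to load at logon as well as in IE.
        if stem in notify_names:
            reasons.append("DLL name also registered under Winlogon Notify")
        if reasons:
            findings.append(
                {"clsid": bho["clsid"], "path": bho["path"], "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["path"], finding["clsid"])
        for reason in finding["reasons"]:
            print("   -", reason)
```
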
  #3  
Old 02-27-2008
Newcomer, in training
 
Location: The Promised Land
Member since: Feb 2008, 26 posts
System specs
Judging from this rapport.txt should I run this option 2 to clean in safe mode?

Judging from this rapport.txt should I run this option 2 to clean in safe mode?
Attached Files
File Type: txt rapport.txt (4.2 KB, 3 views)
  #4  
Old 02-27-2008
Blind Dragon's Avatar
TechSpot Evangelist
 
Location: Tampa FL
Member since: Oct 2007, 4,040 posts
System specs
Yes, you should.

Run SmitfraudFix
  • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
  • Double-click SmitfraudFix.exe
  • Select 2 and hit Enter to delete infected files.
  • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
  • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Attach C:\rapport.txt when you attach the other logs.
  #5  
Old 02-27-2008
Newcomer, in training
 
Location: The Promised Land
Member since: Feb 2008, 26 posts
System specs
Errors and Issues in following instructions

I've followed instructions up through step 10 so far.

However, a few comments to mention. (I hope something here is helpful for either someone to help me, or for this site owner to improve the instructions. I hope nothing here comes off rude, because I am very grateful to have found this site, so hopefully nothing is taken the wrong way below. Thanks.)

The online scanner in step 3 clearly states on its website that you can use Firefox, even version 1.5, however don't worry, I followed the instructions and used my IE 6. Unfortunately, after 10 hours of work to find everything, shortly after it began to remove things, the IE browser crashed and lost everything. I started it again, but it didn't save any data so I did not start it over. Besides the time, it mentioned that the step was not required in the instructions.

The downloads and config settings all went fine, however:

Step 8: It says to download Ad-Aware SE Personal, but it actually downloads Ad-Aware 2007... and isn't there a new Ad-Aware 2008 out now anyway?

Step 9: CCleaner does not appear to have the option any longer that we are told not to click, or has changed the label to it. Perhaps the instructions should be updated.

Step 10: My antivirus NOD had a fit with these, I had to turn it off in order to download them and run them. Also after booting into Safe Mode, and running the Tool#1, it gave this error in the blue screen: File not found - c:\......temp\*.* And then after clicking Y to clean registry, it gave a popup screen with a RED X and OK button with the text: "Cannot import cleanup.reg: Error accessing the registry."

So anyway, Tool#2 and Tool#3 luckily stated that there was no infection (however Tool#3 I had run prior to beginning these instructions and it DID find and clean an infection, with problems, and errors even after rebooting, but I used Runscanner.exe to finish cleaning the garbage out, and that is probably why Tool#3 didn't find any error this time through.)

Well, I can continue on to Step 11 now. But it's taking me so long since I only have an hour or two a night to work on this, and I've had all these problems above, that I thought you might not mind if I share my experience to this point. If you have additional recommendations, I'd be happy to hear them. Thanks. I'll go do step 11 now.
  #6  
Old 02-27-2008
Blind Dragon's Avatar
TechSpot Evangelist
 
Location: Tampa FL
Member since: Oct 2007, 4,040 posts
System specs
First of all the instructions are in the process of being updated.

Quote:
Step 8: It says to download Ad-Aware SE Personal, but it actually downloads Ad-Aware 2007... and isn't there a new Ad-Aware 2008 out now anyway?
This is obviously being updated but the link is to the correct version.

Quote:
Step 9: CCleaner does not appear to have the option any longer that we are told not to click, or has changed the label to it. Perhaps the instructions should be updated.
It appears after you check the advanced box, and is automatically checked.

Quote:
Step 10: My antivirus NOD had a fit with these, I had to turn it off in order to download them and run them. Also after booting into Safe Mode, and running the Tool#1, it gave this error in the blue screen: File not found - c:\......temp\*.* And then after clicking Y to clean registry, it gave a popup screen with a RED X and OK button with the text: "Cannot import cleanup.reg: Error accessing the registry."
You were supposed to disable real time protection at the very beginning. That includes your anti-virus and TeaTimer on Spybot. If you need further instruction on how to do this please just ask.


Quote:
Well, I can continue on to Step 11 now. But it's taking me so long since I only have an hour or two a night to work on this, and I've had all these problems above, that I thought you might not mind if I share my experience to this point. If you have additional recommendations, I'd be happy to hear them. Thanks. I'll go do step 11 now.
Outside of here I work my *** off to support a family of 4. I come here for free and DONATE my time to help victims of malware. I also try to have a life around cleaning up people's crap that they become infected with. I know how you feel not having much free time. After you are clean you should try to be more careful. But it is worth the time to ensure that you are clean. Even after cleaning there are no 100% guarantees.
  #7  
Old 03-01-2008
Newcomer, in training
 
Location: The Promised Land
Member since: Feb 2008, 26 posts
System specs
Understanding

Thanks for the message. I definitely feel like you understand what it's taking to follow through with everything after I read how you are here donating your personal free time to help others out of their malware problems. Thank you for that. I hope people express gratitude enough to you for it.

Step 8: Understood. I did use only the link provided. It sounds like you already have plans for updates and didn't need my observations.

Step 9: I see it right now, just where you said it should be. I have no idea why I didn't spot it before. Either way, it's clearly the only one that is unchecked. So I believe it was unchecked when I ran it as well.

Step 10: I did disable realtime, but after rebooting in many of the steps, I forgot this once to disable the antivirus. You are right. That was the issue. I fixed it and continued.

--

Okay I've finished!! Yea~ So attaching the 3 logs requested now. (Oh, and since you don't want the VundoFix log, I'll just state that I was definitely infected with that and it cleaned it.)

I uploaded 2 logs. The third log will not upload. Report-Scan-20080229-081504.txt is 16,330KB which is more than the 100KB limit. I think I can explain the reason for this. Even though I ran CCleaner to remove all cookies, that went for the C drive only. I have many many backups on various drives, and AVG checked them all, and reported all those tracking cookies. Should I rerun it, only on the C drive? Or should I rerun it ignoring all cookies? Or do you have another way to upload the full 16 MB actual file? Thanks for any help.
Attached Files
File Type: txt ComboFix.txt (22.8 KB, 3 views)
File Type: log hijackthis.log (7.6 KB, 3 views)
  #8  
Old 03-02-2008
Newcomer, in training
 
Location: The Promised Land
Member since: Feb 2008, 26 posts
System specs
About Antiroot Kit Report

Oh, I just remembered that I was supposed to mention what was found in the anti-rootkit report.

Tons of unknown rootkits were listed. A whole lot, more than I could count. However, not one of them was recognized with a label. So I'm not sure if that's good or bad. Let me know if there are any specific things you want me to look for.

I saved it as a CSV, but unfortunately my Excel won't open it. So I suppose I'd just have to run it again to get a new log if you need it.
  #9  
Old 03-03-2008
Blind Dragon's Avatar
TechSpot Evangelist
 
Location: Tampa FL
Member since: Oct 2007, 4,040 posts
System specs
This isn't your major infection but let's give this a try. I am going to message somebody else to have a look at your logs.

1) Uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove.

Netpumper
BitRoll
Browser Enhancer
CiD Help
CiD Manager
Download Plugin for Internet Explorer
Lop.com
LOP SEARCH
Messenger Plus
Ultimate Browser Enhance
Window Search
Window Searching
Zone Media


2) Setup" is now displayed. Click on the Uninstall button. Note: options displayed on the first screen are not related to the sponsor program.

3) The sponsor screen is now displayed (if you don't see it, search for it in your Task Bar). To prove that someone is currently reading the screen, you have to type the code that is displayed. Once you enter the code, press Uninstall.

4) If you entered the code properly, the program will ask you to confirm that you want to uninstall. You must answer "Yes" to this question, else, you won't have another chance of uninstalling.

5) Reboot your computer

6) Run another scan with HijackThis and attach a new log
  #10  
Old 03-03-2008
momok's Avatar
TS Special Forces
 
Location: Singapore
Member since: Mar 2007, 2,204 posts
Hi,

In addition to his instructions, please do the following for ComboFix.
  1. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    Quote:
    File::
    C:\WINNT\system32\kmd.exe
    C:\WINNT\{00000000-00000000-0000000F-00001102-00000004-20021102}.BAK
    C:\WINNT\system32\sssru.ini
    C:\WINNT\system32\yxxyb.ini
    C:\WINNT\system32\abefe.ini
    C:\WINNT\system32\442E4E
    C:\WINNT\system32\1E37.tmp
  2. Save this as CFScript on the desktop.
  3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.

  4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

Thereafter, please post fresh HJT and AVG Antispyware logs and the resultant ComboFix log from the above instructions as attachments into this thread.

Blind Dragon: You're doing fine. Continue from here.


Regards,
momok =)

This thread is for the use of AricCougar only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.

Last edited by momok; 03-03-2008 at 09:01 PM.
  #11  
Old 03-03-2008
Newcomer, in training
 
Location: The Promised Land
Member since: Feb 2008, 26 posts
System specs
None here but maybe 1

Quote:
Originally Posted by Blind Dragon
This isn't your major infection but let's give this a try. I am going to message somebody else to have a look at your logs.

1) Uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove.

Netpumper
BitRoll
Browser Enhancer
CiD Help
CiD Manager
Download Plugin for Internet Explorer
Lop.com
LOP SEARCH
Messenger Plus
Ultimate Browser Enhance
Window Search
Window Searching
Zone Media


2) Setup" is now displayed. Click on the Uninstall button. Note: options displayed on the first screen are not related to the sponsor program.

3) The sponsor screen is now displayed (if you don't see it, search for it in your Task Bar). To prove that someone is currently reading the screen, you have to type the code that is displayed. Once you enter the code, press Uninstall.

4) If you entered the code properly, the program will ask you to confirm that you want to uninstall. You must answer "Yes" to this question, else, you won't have another chance of uninstalling.

5) Reboot your computer

6) Run another scan with HijackThis and attach a new log
I checked my installed programs, and I don't have any of the above except Messenger Plus 3. I use that daily, it's not really spyware or a virus, and I chose to install it without the ads (option). Why is Messenger Plus on the list? Is it ok to keep this one? Thanks.
  #12  
Old 03-03-2008
Blind Dragon's Avatar
TechSpot Evangelist
 
Location: Tampa FL
Member since: Oct 2007, 4,040 posts
System specs
It is ok to keep unless you have problems with pop-ups or redirects. If you don't have problems with that, and you have none of the other programs you are okay to keep it.

Please follow Momok's post and get the requested logs
  #13  
Old 03-04-2008
Newcomer, in training
 
Location: The Promised Land
Member since: Feb 2008, 26 posts
System specs
Quote:
Originally Posted by Blind Dragon
It is ok to keep unless you have problems with pop-ups or redirects. If you don't have problems with that, and you have none of the other programs you are okay to keep it.

Please follow Momok's post and get the requested logs
Thank you. I have no popups at all, and no redirects. I will do Momok's instructions now. Thanks.
  #14  
Old 03-04-2008
Newcomer, in training
 
Location: The Promised Land
Member since: Feb 2008, 26 posts
System specs
I've done it. Here it is.

Quote:
Originally Posted by momok
Hi,

In addition to his instructions, please do the following for ComboFix.
  1. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):


  2. Save this as CFScript on the desktop.
  3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.

  4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

Thereafter, please post fresh HJT and AVG Antispyware logs and the resultant ComboFix log from the above instructions as attachments into this thread.

Blind Dragon: You're doing fine. Continue from here.


Regards,
momok =)

This thread is for the use of AricCougar only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
I've done it. Here it is. However, I want to mention that the program did not put my clock back correctly. I'll have to go reset it in Control Panel along with the other regional settings.
Attached Files
File Type: txt ComboFix.txt (674 Bytes, 4 views)
  #15  
Old 03-04-2008
Blind Dragon's Avatar
TechSpot Evangelist
 
Location: Tampa FL
Member since: Oct 2007, 4,040 posts
System specs
For the clock, try right-clicking it and check the time zone.

Please run HijackThis again and attach the log here.
  #16  
Old 03-04-2008
Newcomer, in training
 
Location: The Promised Land
Member since: Feb 2008, 26 posts
System specs
System clock stuff

Quote:
Originally Posted by Blind Dragon
For the clock, try right-clicking it and check the time zone.

Please run HijackThis again and attach the log here.
Yes, that worked. Thank you. I still had to fix the date format though in regional settings in Control Panel back to normal. Metric had to be changed to US measurement setting too.

Sorry, I just realized that I need to now run the other programs and post all the logs together. I'll go do that now.
  #17  
Old 03-05-2008
momok's Avatar
TS Special Forces
 
Location: Singapore
Member since: Mar 2007, 2,204 posts
That ComboFix log is not complete. Could you post a fresh one?
  #18  
Old 03-05-2008
Newcomer, in training
 
Location: The Promised Land
Member since: Feb 2008, 26 posts
System specs
How to get it complete...

Quote:
Originally Posted by momok
That ComboFix log is not complete. Could you post a fresh one?
That is not good. I followed instructions. And the blue window disappeared after a few minutes in the deleting files/folders process. I waited about 20 minutes. There was no hard drive activity for all that time, and my screen was blank, so I ctrl-shift-esc and ran a new explorer.exe and everything came back correct. I found the log and submitted.

I guess it's not just the log that was the problem. The ComboFix seems to have not functioned properly. I will run it again when I get home tonight. But if you have any other advice, I'd be happy to hear it. Thanks.
  #19  
Old 03-05-2008
Blind Dragon's Avatar
TechSpot Evangelist
 
Location: Tampa FL
Member since: Oct 2007, 4,040 posts
System specs
Go to the attach icon (paperclip icon) above your reply and navigate to C:\combofix.txt and attach it
  #20  
Old 03-05-2008
Newcomer, in training
 
Location: The Promised Land
Member since: Feb 2008, 26 posts
System specs
It won't work

The file last time probably matches this one. It does not appear to be an upload problem. The ComboFix.exe fails to work. It gets to the same point every time and then the process just quits with no warning and no errors.

I always have to restart my explorer.exe to see the desktop again, and I have to reset all my regional settings. The log file always appears where it should, but always ends in the same place, as you can see in this new upload. I have repeated it 3 more times tonight, creating the CFScript.txt each time. No change. It won't work.

Any other ideas?

Oh also, it might be good to note that every time I reboot I'm hammered by svchost.exe which runs me up to over 120MB of RAM, and 99% CPU for 10 to 20 minutes before releasing control to me to start any programs except the mouse. That's definitely not right. I've got 3 of them in the process window, but now after 20 minutes since the last reboot, the heaviest one only is using 18MB RAM. The other two are 9 and 4. Is this a problem? Thanks.
Attached Files
File Type: txt ComboFix.txt (671 Bytes, 3 views)