0

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:37:48 PM 5/31/2007

+ Scan result:

C:\WINDOWS\system32\mljkigf.dll -> Adware.Virtumonde : Cleaned.
[2928] C:\WINDOWS\system32\mljkigf.dll -> Adware.Virtumonde : Cleaned.
[624] C:\WINDOWS\system32\mljkigf.dll -> Adware.Virtumonde : Cleaned.
C:\WINDOWS\system32\nso12k.sys -> Downloader.Agent.bnz : Cleaned.


::Report end

ALSO,
I uninstalled and reinstalled firefox because everytime that I would try to browse it would change the Proxy configuration under Options/Network/settings to localhost port 8182. Still, I have the same issue and everytime I have launched firefox I have to manually go into the settings and change it to direct connection to the internet.

Another thing, iexplorer launches on its own with popups, eventhough it is not in use. And when I shut it down from the taskmanager the popups sometimes start in firefox, i think, as I can no longer see iexplorer running but there is a new popup on the screen.
Any help would be greatly appreciated as I have been trying to deal with this on my for 4 days.
Thanks,
--Fuega24

4
Contributors
10
Replies
11
Views
10 Years
Discussion Span
Last Post by ajojddy
0

whot spy-ware have you got? do you get pop ups all the time? if you have remore or Uninstall some thing some of it will be on your pc still. Spybot - Search & Destroy is a good program it get ito your register on you pc and it will find whot ever on your pc whot shod not be thay

0

I originally used S&D but it was not able to delete many things. So, I began using AVG instead and there were two that it was not able to get rid of even after 3 restarts. I went in to the registry and deleted entries related to this dll --> mljkigf because I can not delete it in the system32 folder. There are also a few other irrelevant .dll 's that don't belong that I am not able to delete. Now I am running AVG again after I deleted the registry entries and one key, however there are now more tracker cookies than before. I will post a new entry when this scan is complete. NOTE: though the post says that AVG "cleaned" those, Adware.Virtumonde still remains.

The pop ups have become intermittent, I would say about every 15 minutes, rather than before where they were there constantly. I believe it is because of those that the new tracker cookies have showed up in this scan. (will post as soon as scan is complete)
Thanks for the help, will be waiting.
--rk

0

ok. have you got Norton Internet Security? or mcafee them 2 are good packages thay stop all the pop ups but mcafee is cheaper

0

I have Mcafee. But it was not able to detect most of the problems. However, it detects that iexplorer is trying to take up all the memory, so it stops it with buffer underun protection. But it doesn't stop the pop ups from appearing. Thus far, on the AVG scan, two new exploits have shown up. One is notavirus.exploit.win32 and the other is notavirus.exploit.html.ieslice.i

0

Get ATF Cleaner:
===Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
[If you wish, save ATF Cleaner to your desktop or a cleaning folder somewhere as it is a fairly useful tool for occasional use.]
Now run AVG AS in safe mode.
Get HiJackThis, and be sure to run it in Normal mode:
===download hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files and then rename the Hijackthis.exe to imabunny.exe.
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here along with the AVG log. Then we may be able to help.

0

Here are both the AVG and HJT logs:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:19:54 PM 6/1/2007

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : No action taken.
HKU\S-1-5-21-1292428093-1965331169-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C95FE080-8F5D-11D2-A20B-00AA003C157A} -> Adware.Generic : No action taken.
C:\System Volume Information\_restore{FAA220B7-F795-490F-BC05-06B9E1726475}\RP522\A0091762.dll -> Adware.Virtumonde : No action taken.
[228] C:\WINDOWS\system32\pmkhe.dll -> Adware.Virtumonde : No action taken.
C:\WINDOWS\system32\drivers\core.sys -> Rootkit.Agent.eq : No action taken.


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 1:08:52 PM, on 6/2/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\HijackThis\SillyRabbit.exe

O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINDOWS\system32\mljkigf.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\eponfetp.dll
O2 - BHO: (no name) - {78DE6F19-A78C-4ADF-B0B9-796C0DE3FB7F} - C:\WINDOWS\system32\pmkhe.dll
O2 - BHO: (no name) - {8A06A1A7-9E64-4359-8556-B6EA03D69814} - C:\WINDOWS\system32\boott3g.dll (file missing)
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\xfpbmdmu.dll
O2 - BHO: (no name) - {f0d4931b-365c-4f6f-981f-f5fbd5f7fd9c} - C:\WINDOWS\system32\boott3g.dll (file missing)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINDOWS\system32\cssrss.exe
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\yflpclwl.dll",realset
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mljkigf - mljkigf.dll (file missing)
O20 - Winlogon Notify: pmkhe - C:\WINDOWS\system32\pmkhe.dll
O20 - Winlogon Notify: PRISMAPI.DLL - C:\WINDOWS\SYSTEM32\PRISMAPI.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)

Would appreciate the help.
Thanks.

0

Ah! A nice, shiny rootkit to play with.
==Download Avenger from http://swandog46.geekstogo.com/avenger.zip
You must be in an Administrator-privileged account to run this procedure...
-unzip it to your desktop and leave it for the moment.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINDOWS\system32\cssrss.exe
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\yflpclwl.dll",realset


Good, now start Avenger, select “Input script manually” and then click the magnifying glass icon. Paste into the box as one block all the text between the lines:-
_____________________________________
Files to delete:
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\cssrss.exe
C:\WINDOWS\system32\yflpclwl.dll
_____________________________________
...and click Done, and finally the green light.
Follow promps to reboot your machine.
[The files, etc., that you asked Avenger to delete are zipped to C:\avenger\backup.zip.]
Avenger creates a log file that should open with the results of its actions. This file is located at C:\avenger.txt
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the
Scan for Vundo button." when VundoFix appears at reboot.

F-Secure Blacklight Beta:
==Download the latest trial version of Blacklight beta from http://www.f-secure.com/blacklight/
Dclick the .exe [they change the name occasionally when they update it so I am not giving it here...], click Run, agree to the terms and Scan. Post the results if positive.
Post the contents of C:\vundofix.txt, C:\avenger.txt plus a new HijackThis log.

0

Here are the logs for Vundo, Avenger and HJT:


VundoFix V6.4.1

Checking Java version...

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 11:01:54 AM 6/3/2007

Listing files found while scanning....

C:\WINDOWS\system32\boott3g.dll
C:\WINDOWS\system32\ehkmp.bak1
C:\WINDOWS\system32\ehkmp.bak2
C:\WINDOWS\system32\ehkmp.ini
C:\WINDOWS\system32\ehkmp.ini2
C:\WINDOWS\system32\ehkmp.tmp
C:\WINDOWS\system32\kgewtdpf.dll
C:\WINDOWS\system32\pmkhe.dll
C:\WINDOWS\system32\vxqessxv.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ehkmp.bak1
C:\WINDOWS\system32\ehkmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ehkmp.bak2
C:\WINDOWS\system32\ehkmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ehkmp.ini
C:\WINDOWS\system32\ehkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ehkmp.ini2
C:\WINDOWS\system32\ehkmp.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ehkmp.tmp
C:\WINDOWS\system32\ehkmp.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\kgewtdpf.dll
C:\WINDOWS\system32\kgewtdpf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkhe.dll
C:\WINDOWS\system32\pmkhe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vxqessxv.dll
C:\WINDOWS\system32\vxqessxv.dll Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ssxjicxi

*******************

Script file located at: \??\C:\ycxpumwq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\drivers\core.sys deleted successfully.
File C:\WINDOWS\system32\cssrss.exe deleted successfully.
File C:\WINDOWS\system32\yflpclwl.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 11:28:06 AM, on 6/3/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\HijackThis\SillyRabbit.exe

O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINDOWS\system32\mljkigf.dll (file missing)
O2 - BHO: (no name) - {41296711-6B37-413E-8417-CF1FB0AEFB33} - C:\WINDOWS\system32\pmkhe.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\eponfetp.dll
O2 - BHO: (no name) - {B1C23631-67FE-4DCD-9A53-10E75D2EC349} - C:\WINDOWS\system32\xixpifqy.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\xfpbmdmu.dll
O2 - BHO: (no name) - {f0d4931b-365c-4f6f-981f-f5fbd5f7fd9c} - C:\WINDOWS\system32\boott3g.dll (file missing)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\ycoiohch.dll",realset
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mljkigf - mljkigf.dll (file missing)
O20 - Winlogon Notify: PRISMAPI.DLL - C:\WINDOWS\SYSTEM32\PRISMAPI.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)

fsbl came up clean.

However, another note: Firefox (the browser I always use), sets itself to a manual proxy configuration HTTP proxy: localhost port 8182 and doesn't allow me to connect when I open. I must go into settings everytime and erase this and then reload all the pages that I am looking at. I don't know what this is associated with.
Thank you for your help.

0

A decent start - AVG pointed out the rootkit, avenger removed it.
Download this file: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Restart your pc in safe mode -
To restart your computer in Safe Mode: press F8 several times while POST is running and before IDE detection completes, press Yes to bypass System Restore.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using your account if an administrator, otherwise use the Administrator account and password. NOTE: The password is blank by default unless you set a password.
Start hijackthis, do a Scan Only, and place checkmarks against the following for fixing:

O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINDOWS\system32\mljkigf.dll (file missing)
O2 - BHO: (no name) - {41296711-6B37-413E-8417-CF1FB0AEFB33} - C:\WINDOWS\system32\pmkhe.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\eponfetp.dll
O2 - BHO: (no name) - {B1C23631-67FE-4DCD-9A53-10E75D2EC349} - C:\WINDOWS\system32\xixpifqy.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\xfpbmdmu.dll
O2 - BHO: (no name) - {f0d4931b-365c-4f6f-981f-f5fbd5f7fd9c} - C:\WINDOWS\system32\boott3g.dll (file missing)
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\ycoiohch.dll",realset
O20 - Winlogon Notify: mljkigf - mljkigf.dll (file missing)

Next start Vundofix again, and click the Scan for Vundo button.
When the scan completes rclick inside the white text box, lclick the Addmore files? line, paste into the new window these two pathnames [one per line]:

C:\WINDOWS\system32\eponfetp.dll
C:\WINDOWS\system32\ptefnope.*

Click the Add Files button, and next the Remove Vundo button.

You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the
Scan for Vundo button." when VundoFix appears at reboot.
Start Avenger as before and paste into the box as one block all the text between the lines:

_____________________________________
Files to delete:
C:\WINDOWS\system32\xixpifqy.dll
C:\WINDOWS\system32\xfpbmdmu.dll
C:\WINDOWS\system32\ycoiohch.dll
_____________________________________

and follow through as before to remove them.
click combofix.exe and follow the prompts to start it. When finished, it will produce a log - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Post also the contents of C:\vundofix.txt, C:\avenger.txt plus a new HijackThis log along with any comments on performance please.

Edited by mike_2000_17: Fixed formatting

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.