Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

Sheara

3 Posts

2865

December 25th, 2008 18:00

Vundo (MS JUAN and MS TRACK SYSTEM) Regenerating at Reboot – Help please!

Normal 0

Hi. I was alerted to a malware infection the other night by AVG and Zone Alarm as well as by the fraudulent “scan your computer” pop ups and other IE pop ups (even though I use Firefox) and the fact that I couldn’t run Windows automatic updates.

 

Using Spybot and Malwarebytes Anit-malware (MBAM), I was able to reduce a big infection (including lots of Virtumonde/Vundo bugs and a few Smitfraud-C and MyWay.MyWebSearch bugs) and recover my access to Windows Updates. But two bugs remain, regenerating every time I reboot. They are:

 

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MS JUAN (Malware.Trace)

and

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MS TRACK SYSTEM (Trojan.Vundo)

 

When I quarantine/remove these with MBAM, the next scan shows zero infections until I reboot. Then the same two registry key infections show up, just to disappear again until reboot… I’m doing this all in safe mode, and my wireless internet radio is disabled. Also, I’ve tried scanning with Trojan Remove, AVG, VundoFix, and Spybot again and they all reveal nothing. I also uninstalled Java and manually removed remaining files (though I can see there are still files remaining in regedit that I’m afraid to mess with). And I’ve been repeatedly running RegSeeker and cleaning stuff out of some temp folders (though I’m not sure which ones matter and whether I should delete all files including desktop.ini files, etc.).

 

I keep reading about HijackThis, Super Antispyware, and ComboFix, and haven’t tried these yet. I’ve also read about using Avenger to remove certain targeted files. I don’t really understand which to choose and in what sequence or how to use them. I was hoping some kind soul with experience with this particular pattern (I’m seeing that it’s ubiquitous for folks right now) would walk me through what to do at this stage. Thanks in advance.

 

Bugbatter

20.5K Posts

December 26th, 2008 07:00

Welcome :emotion-1:

Avenger and ComboFix should be used only under supervision of someone trained in their use.  Sometimes the type of files in temp folders can be a clue to help analysts in diagnosing the specific malware, so it is not always good to remove them before an analyst works with you.

The volunteer analysts listed in the announcement at the top of the Malware Removal Forum have been having a problem posting. Until Dell fixes the new software issues, I cannot get into a long fix. I can offer a suggestion to run a couple of general scans. If that does not fix the problem, click on the link in my signature and post at SpywareHammer for a follow-up review. Include your logs from the scans along with a fresh HijackThis log and a description of your problem.

Try scans with these two programs in the following order:

Please update your MBAM.

  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checkedPhotobucket
    Click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Extra Notes:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer, please do so immediately.
* If you are unable to download or install MBAM on your computer, see if you can use a friend's or family member's computer to download MBAM. Use this update link here to manually download the update. Once downloaded, rename the program installer "mbam-setup.exe" file to something else like "catchjunk.exe". Copy the installer file and the update file to a CD or flash drive. Transfer the file to the infected computer. Install the "catchjunk.exe" file, then run the update so that you will have the current definitions. After that, run a full system scan and select to have the program REMOVE whatever it finds.

-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes.

Download and scan with Super Anti-Spyware Free for Home Users. It is available HERE:
*Double-click SUPERAntiSypware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):

Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.

* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".

 

Sheara

3 Posts

December 26th, 2008 08:00

Hi Bugbatter,

Thanks for your reply. Hope you had a nice holiday.

I've done what you said, and I've listed the results (first the fresh HJT log and then the MBAM and SAS logs) and the current description of my problem below.

Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:08 AM, on 12/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\DOCUME~1\me\LOCALS~1\Temp\clclean.0001
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Trojan Remover\Trjscan.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\Acrobat_sl.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {932FCE39-8F5E-42C8-A9FA-FB1251727A58} - (no file)
O2 - BHO: {a7218cfa-b438-c1e9-0824-7751a3de230a} - {a032ed3a-1577-4280-9e1c-834bafc8127a} - C:\WINDOWS\system32\gzfyll.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [KeyAccess] C:\WINDOWS\keyacc32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Seagate Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: KATRACK.DLL gzfyll.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) -  - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Seagate Scheduler2 Service (SgtSch2Svc) - Seagate - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12948 bytes

 

Now for the MBAM log:

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 2

12/26/2008 11:10:44 AM
mbam-log-2008-12-26 (11-10-44).txt

Scan type: Quick Scan
Objects scanned: 54773
Time elapsed: 11 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

Now for the SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/26/2008 at 05:10 AM

Application Version : 4.23.1006

Core Rules Database Version : 3685
Trace Rules Database Version: 1662

Scan type       : Complete Scan
Total Scan Time : 04:07:23

Memory items scanned      : 152
Memory threats detected   : 0
Registry items scanned    : 5543
Registry threats detected : 37
File items scanned        : 100747
File threats detected     : 7

Adware.Vundo Variant/Rel
    HKLM\SOFTWARE\Microsoft\MS Juan
    HKLM\SOFTWARE\Microsoft\MS Juan#RID
    HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
    HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM
    HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY
    HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT
    HKLM\SOFTWARE\Microsoft\MS Juan\JKWL
    HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\malware
    HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\malware#LU
    HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\malware#CT
    HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\malware#LT
    HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
    HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM
    HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CDY
    HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CNT
    HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LBL
    HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#MN
    HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
    HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#LTM
    HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CDY
    HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CNT
    HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
    HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#LTM
    HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CDY
    HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CNT
    HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
    HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#LTM
    HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CDY
    HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CNT
    HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
    HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM
    HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY
    HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT
    HKLM\SOFTWARE\Microsoft\MS Track System
    HKLM\SOFTWARE\Microsoft\MS Track System#Uid

Rogue.Component/Trace
    HKU\S-1-5-21-2115761505-1487292949-1136168534-1005\Software\Microsoft\CS41275
    HKU\S-1-5-21-2115761505-1487292949-1136168534-1005\Software\Microsoft\FIAS4018

Adware.Tracking Cookie
    C:\Documents and Settings\me\Cookies\me@adlegend[1].txt
    C:\Documents and Settings\me\Cookies\me@atdmt[2].txt
    C:\Documents and Settings\me\Cookies\me@collective-media[2].txt
    C:\Documents and Settings\me\Cookies\me@media.adrevolver[2].txt
    C:\Documents and Settings\me\Cookies\me@nextag[2].txt
    C:\Documents and Settings\me\Cookies\me@specificclick[1].txt
    C:\Documents and Settings\me\Cookies\me@zedo[2].txt

 

A couple notes:

I ran the SAS scan exactly as you instructed.

I was unable to get an MBAM updates (nothing happened when i asked the program to update and when i went to run the update manually, it was going to reinstall the whole program...). Is this because mine is fully updated? It's database version 1456. Also, I renamed my MBAM exe file and program folder MaByAM -- hope that works.

Also, the MBAM scan log I posted was from a scan done AFTER I ran the SAS complete scan (it was done upon the SAS recommended reboot). I have a million other logs from before identical to this one. They go back and forth between the same two registry key infections and 0 infections. It's always 0 after I removed and quarantined the 2 infections. And then upon reboot or internet exposure, it goes back to 2.

I did all of this in safe mode with the wireless internet radio disabled.

Thanks for the note about not deleting stuff from temp folders. I won't do it anymore until we are done...

My first post pretty well described the problem. Basically, in spite of doing all these things, the bug returns upon reboot or upon internet exposure, as evidenced by: 1) The MS Juan and MS Track System registry key infections shown by MBAM, and 2) pop up ads (though fewer of them than before).

I will also post this on your Spyhammer page. Thanks again.

sheara

 

Bugbatter

20.5K Posts

December 26th, 2008 10:00

Okay, thank you for letting me know.  Until Dell gets the posting problems resolved for members having difficulty, it will be easier for us to post over at SpywareHammer.

View More

View All

No Events found!

Top