As soon as I got a break I closed Firefox. I tried to reopen it so I could flush its cache, but was told it was already running, so I ended task on it, then restarted it and flushed the cache. Later I also flushed IE's cache and the Java cache (my Java version is 5.0 U12).
Checking the McAfee firewall application rules to see what new programs I'd blocked, I found one for D1E.tmp and one for qdrmodule10.exe. I ran a full system scan with McAfee, which deleted a file named D1C.tmp from my temp folder, labeling it a "Generic Downloader." I then manually deleted everything else in the temp folder, including the D1E.tmp and some files with similar names.
Looking up qdrmodule online, I found out that it was a trojan dropper, so I ended task on it, then deleted the folders associated with it, C:\Program Files\qdrmodule and C:\Program Files\qdrdrive, along with all the files inside them (qdrmodule10.exe, qdrdrive8.dll and qdrloader.exe).
My research had indicated that qdrmodule was often associated with something called Internet Speed Monitor. I found an entry for that in Add/Remove programs and uninstalled it.
While I was in Add/Remove I looked for anything else unexpected and found an entry for Outerinfo, which turned out to be adware. When I tried to uninstall that, though, I got an error message saying that it may have already been uninstalled.
My next step was to update and run the antispyware programs I have on board, starting with Ad-Aware SE 1.06r1. It found 10 components of what it called WIN32.TROJANDOWNLOADER.SMALL - three running processes of C:\WINDOWS\system32\hggfccd.dll and some registry entries. I told it to quarantine these. I saw the word "Deleting" briefly, then Windows crashed fatally with the message, "The Windows Logon process system process terminated unexpectedly with a status of 0xc0000005 (0x00000000 0x00000000). The system has been shut down."
When I got back on I looked up hggfccd.dll and learned that it's connected with the Virtumonde trojan. The file was still present on my system, but further scans with Ad-Aware did not detect it again. Here's the quarantine log that Ad-Aware made before the crash:
WIN32.TROJANDOWNLOADER.SMALL
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Process : C:\WINDOWS\system32\hggfccd.dll
obj[1]=Process : C:\WINDOWS\system32\hggfccd.dll
obj[2]=Process : C:\WINDOWS\system32\hggfccd.dll
obj[3]=Regkey : software\microsoft\tracing\fwcfg
obj[4]=RegValue : software\microsoft\tracing\fwcfg "EnableConsoleTracing"
obj[5]=RegValue : software\microsoft\tracing\fwcfg "FileTracingMask"
obj[6]=RegValue : software\microsoft\tracing\fwcfg "ConsoleTracingMask"
obj[7]=RegValue : software\microsoft\tracing\fwcfg "MaxFileSize"
obj[8]=RegValue : software\microsoft\tracing\fwcfg "FileDirectory"
obj[9]=RegData : system\currentcontrolset\services\bits "Start"
Next I ran Spybot S&D 1.4. The only thing it found was the Add/Remove entry for Outerinfo, which it flagged as a Virtumonde component. The entry pointed to a non-existent uninstall file, C:\Program Files\Common Files\Yazzle15520inUnistaller.exe. I let Spybot S&D delete the useless entry.
That was as much of the cleaning effort as I could handle for one night. The next day (Monday) I installed AVG Anti-Spyware 7.5. It immediately noticed both the hggfccd.dll (which it called Not-a-Virus.Adware.Virtumonde) and another trojan resident in memory, C:\Windows\System32\msmsgsrv.dll (which it called zapchast.bd). I told it to clean and quarantine the files, but evidently it couldn't delete them because they were in use. Every time I restarted they were still on the system and it pointed them out all over again.
After a bit more research online I discovered HijackThis 2.0, which showed that both of those files were loading at startup through Winlogon Notify. The hggfccd.dll was listed as a BHO on Internet Explorer as well, as was the qdrdrive8.dll that I had deleted earlier. I went into Internet Explorer's options and disabled those two BHOs.
Next I tried the Panda Security online AV scan in Internet Explorer. It didn't catch the hggfccd.dll at all, but it did find and delete the msmsgsrv.dll. As a followup I used HijackThis to delete the Winlogon Notify registry entry for msmsgsrv.dll. I also let HijackThis remove whatever remained of the qdrdrive8.dll BHO.
Now the only trojan left that I knew about was the hggfccd.dll. My plan was to go into Safe Mode and see if it could be deleted. But in the evening, McAfee updated itself and started detecting the file. Unfortunately, it could neither delete nor quarantine it, just incessantly send up popups about it. After a Windows Explorer crash, I felt impelled to do something to deal with this quickly, so I told HijackThis to delete the Winlogon Notify entry for hggfccd.dll. When I ran it again I saw that the BHO entry was missing too, even though I hadn't told it to deal with that.
I tried to restart the computer, hoping that now hggfccd.dll wouldn't load at startup anymore and McAfee would finally be able to delete it. Now the system crashed with another of those fatal system errors due to Winlogon.exe unexpectedly terminating. But when I powered up again, both the hggfccd.dll and all its registry entries were finally gone.
So now of course I'm wondering if the computer is clean of all the malware, and what I can do to prevent more getting installed. Do I need later versions of Firefox and Java? My McAfee 10 is an old version at this point, but when I tried their version 11 last year it caused me and other customers a lot of problems. From what I've read at their forums, their new version 12 is also giving people headaches.
What security software would you recommend? And are there any other programs I should run right now to check for other malware and clean up traces of the trojans that I know were involved? I still have some references to qdrdrive8.dll and Outerinfo in the registry, and those fwcfg lines mentioned in the Ad-Aware log still appear to be there as well.
Thanks for any help/advice you can offer. Here is a current HijackThis log for your reference. (The work I did yesterday was done with Version 2.0 Beta, but your forum wouldn't let me post that so I made a new log with version 1.99.1.)
Logfile of HijackThis v1.99.1
Scan saved at 1:44:39 PM, on 12/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJackThis_old\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.n...mp;bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.verizon.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://mvt.mcafee.co...3,0,0,0/mvt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
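The persistence points the post works through by hand (O2 browser helper objects, O9 extra buttons, O20 Winlogon Notify DLLs, O23 services) can be triaged mechanically from a HijackThis log. The script below is an added example for readers, not part of the original post and not HijackThis's own code. Its sample lines are constructed: most are copied from the log above, and the two hggfccd entries are hypothetical (the CLSID is a placeholder, since the post's final log no longer contains that BHO). The allowlist of Winlogon Notify DLLs and the flagging rules are the example's own assumptions, not a published signature set.

```python
"""Triage HijackThis (v1.99 / 2.0) log lines for the persistence points
discussed in the post: O2 BHOs, O9 extra buttons, O20 Winlogon Notify
DLLs and O23 services.  Added example; not HijackThis code."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample.  Lines marked (from log) are copied from the post's
# HijackThis log; the hggfccd lines are hypothetical with a placeholder CLSID.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\hggfccd.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: hggfccd - C:\WINDOWS\system32\hggfccd.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Winlogon Notify DLLs accepted without comment (assumption: reviewer's own
# allowlist).  WgaLogon.dll is the Windows Genuine Advantage package seen in
# the post's log; HijackThis 1.99.1 already hides the stock Microsoft ones.
KNOWN_NOTIFY_DLLS = {"wgalogon.dll"}

ENTRY_RE = re.compile(r"^(?P<sect>[A-Z]\d+) - (?P<body>.*)$")
COM_RE = re.compile(
    r"^(?:BHO|Extra button|Extra 'Tools' menuitem): "
    r"(?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _directly_in_system32(path: str) -> bool:
    """True when the file sits directly in system32, not in a subfolder."""
    parts = path.replace("/", "\\").lower().split("\\")
    return len(parts) >= 2 and parts[-2] == "system32"


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that deserves a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sect, body = m.group("sect"), m.group("body")
        reasons: List[str] = []
        if sect in ("O2", "O9"):
            cm = COM_RE.match(body)
            if cm:
                if cm.group("path") == "(no file)":
                    reasons.append("orphaned CLSID, registered but file missing")
                else:
                    if sect == "O2" and cm.group("name") == "(no name)":
                        reasons.append("BHO with no display name")
                    if sect == "O2" and _directly_in_system32(cm.group("path")):
                        reasons.append("BHO loaded straight from system32")
        elif sect == "O20":
            nm = NOTIFY_RE.match(body)
            if nm and _basename(nm.group("path")) not in KNOWN_NOTIFY_DLLS:
                reasons.append("Winlogon Notify DLL not on allowlist")
        elif sect == "O23":
            sm = SERVICE_RE.match(body)
            if sm and sm.group("owner") == "Unknown owner":
                reasons.append("service with no vendor information")
        if reasons:
            findings.append(Finding(sect, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {'; '.join(f.reasons)}\n    {f.line}")
```

Run it as-is to see the four flagged lines; feed it a real log via `triage(open(path).read())`. The rules are deliberately narrow so that ordinary third-party BHOs in Program Files, or system32 subfolders such as the DriveLetterAccess entry, pass without noise, while an unnamed BHO sitting directly in system32 or an unlisted Winlogon Notify DLL is surfaced for review rather than auto-removed.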