Help with Anti-Virus pop-up Malware

BullGuard Antivirus Forum > Virus > Virus Questions > Help with Anti-Virus pop-up Malware

Forum Quick Jump

[ << Previous Thread | Next Thread >> ]

Rudi
New Member

Date Joined Jun 2008
Total Posts : 11

Posted 7-26-2008 4:01 (GMT +2)

Hello team,

I have seen people get help with their virus and spywar issues when they recruit your help so here it goes:

This is the HijackThis log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:10:01, on 7/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
I:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
i:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
I:\WINDOWS\system32\LEXBCES.EXE
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
I:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
I:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
I:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
I:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
I:\Program Files\CyberLink\Shared Files\RichVideo.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Panda Software\Panda Internet Security 2007\apvxdwin.exe
I:\WINDOWS\system32\wscntfy.exe
I:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
i:\program files\panda software\panda internet security 2007\WebProxy.exe
I:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
I:\WINDOWS\system32\ctfmon.exe
I:\WINDOWS\ALCXMNTR.EXE
I:\WINDOWS\system32\VTTimer.exe
I:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
I:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
I:\Program Files\QuickTime\qttask.exe
I:\Program Files\iTunes\iTunesHelper.exe
I:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
I:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
I:\WINDOWS\system32\rundll32.exe
I:\Program Files\MSN Messenger\msnmsgr.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
I:\Program Files\Panda Software\Panda Internet Security 2007\psimreal.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Sympatico
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - i:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - I:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [RemoteControl] "I:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "I:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] I:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [APVXDWIN] "I:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "I:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKLM\..\Run: [PrinTray] I:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] I:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] I:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] I:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [789:;<=>?@ABCDEFGHIJexe] ,-./0123456789:;<=>?@ABCDEFGHIJexe
O4 - HKLM\..\Run: [3456789:;<=>?@ABCDEFexe] ()*+,-./0123456789:;<=>?@ABCDEFexe
O4 - HKLM\..\Run: [+,-./0123456789:;<exe] !"#$%&'()*+,-./0123456789:;<exe
O4 - HKLM\..\Run: [3456789:;<=>?@ABCDEFGexe] ()*+,-./0123456789:;<=>?@ABCDEFGexe
O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "I:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [000000af] rundll32.exe "I:\WINDOWS\system32\pgifdjtu.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "I:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [789:;<=>?@ABCDEFGHIJexe] ,-./0123456789:;<=>?@ABCDEFGHIJexe
O4 - HKCU\..\Run: [3456789:;<=>?@ABCDEFexe] ()*+,-./0123456789:;<=>?@ABCDEFexe
O4 - HKCU\..\Run: [+,-./0123456789:;<exe] !"#$%&'()*+,-./0123456789:;<exe
O4 - HKCU\..\Run: [3456789:;<=>?@ABCDEFGexe] ()*+,-./0123456789:;<=>?@ABCDEFGexe
O4 - Global Startup: Microsoft Office.lnk = I:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177343156734
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - I:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - I:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - I:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - I:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - I:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - I:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - I:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - i:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - I:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - I:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Unknown owner - I:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 9483 bytes

What is next for me on my path of virus-free life?

thanks in advance

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 13154

Posted 7-26-2008 7:40 (GMT +2)

Hello

Next step is - take a deep breath smilewinkgrin

Then, remove one of your antivirus programs from add/remove programs in controlpanel.

Reboot.

Please download Malwarebytes' Anti-Malware:

http://www.besttechie.net/tools/mbam-setup.exe

to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch

Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform full scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.

When completed, a log will open in Notepad. Please save it to a convenient location.

Copy and Paste that log into your next reply, along with new hijackthis log.

NB: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals
Please do NOT PM me any logs. They will be deleted

Rudi
New Member

Date Joined Jun 2008
Total Posts : 11

Posted 7-26-2008 9:15 (GMT +2)

I did as you asked. Getting most of the control back on my computer. Just a couple of annoying pop-ups are still around. I finally got access to my control panel back from the Start menu.

Here are the log files:

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:10:01, on 7/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

--
End of file - 9483 bytes

Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.23
Database version: 995
Windows 5.1.2600 Service Pack 2

3:05:13 PM 7/26/2008
mbam-log-7-26-2008 (15-05-13).txt

Scan type: Full Scan (I:\|J:\|)
Objects scanned: 86265
Time elapsed: 30 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 9
Folders Infected: 0
Files Infected: 30

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
I:\WINDOWS\system32\opnommLf.dll (Trojan.Vundo) -> Delete on reboot.
I:\WINDOWS\system32\pgifdjtu.dll (Trojan.Vundo) -> Delete on reboot.
I:\WINDOWS\system32\yrjihg.dll (Trojan.Vundo) -> Delete on reboot.
I:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{254e2986-b506-4462-a693-bd1edc020da9} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{254e2986-b506-4462-a693-bd1edc020da9} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f08a58c4-2487-4028-81fe-c1e5c4ce4a22} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f08a58c4-2487-4028-81fe-c1e5c4ce4a22} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\000000af (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: i:\windows\system32\opnommlf -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: i:\windows\system32\opnommlf -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
I:\WINDOWS\system32\opnommLf.dll (Trojan.Vundo) -> Delete on reboot.
I:\WINDOWS\system32\fLmmonpo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\WINDOWS\system32\fLmmonpo.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\WINDOWS\system32\yrjihg.dll (Trojan.Vundo) -> Delete on reboot.
I:\WINDOWS\system32\pgifdjtu.dll (Trojan.Vundo) -> Delete on reboot.
I:\WINDOWS\system32\utjdfigp.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{136681D3-35CB-47F2-B3C5-7FB8B41D36B4}\RP484\A0110793.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{136681D3-35CB-47F2-B3C5-7FB8B41D36B4}\RP484\A0110794.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{136681D3-35CB-47F2-B3C5-7FB8B41D36B4}\RP484\A0110797.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{136681D3-35CB-47F2-B3C5-7FB8B41D36B4}\RP484\A0110798.exe (Trojan.Agent) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{136681D3-35CB-47F2-B3C5-7FB8B41D36B4}\RP484\A0110799.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{136681D3-35CB-47F2-B3C5-7FB8B41D36B4}\RP484\A0110800.exe (Trojan.Agent) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{136681D3-35CB-47F2-B3C5-7FB8B41D36B4}\RP484\A0110801.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{136681D3-35CB-47F2-B3C5-7FB8B41D36B4}\RP484\A0110802.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{136681D3-35CB-47F2-B3C5-7FB8B41D36B4}\RP484\A0110796.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{136681D3-35CB-47F2-B3C5-7FB8B41D36B4}\RP485\A0111824.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{136681D3-35CB-47F2-B3C5-7FB8B41D36B4}\RP485\A0111901.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{136681D3-35CB-47F2-B3C5-7FB8B41D36B4}\RP485\A0111927.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{136681D3-35CB-47F2-B3C5-7FB8B41D36B4}\RP485\A0111952.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
I:\System Volume Information\_restore{136681D3-35CB-47F2-B3C5-7FB8B41D36B4}\RP486\A0112886.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
I:\WINDOWS\system32\bicrvncm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\WINDOWS\system32\khfDSLdE.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\WINDOWS\system32\drivers\Wineh46.sys (Rootkit.Agent) -> Delete on reboot.
I:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
I:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
I:\WINDOWS\system32\WinCtrl32.dl_ (Trojan.Agent) -> Quarantined and deleted successfully.
I:\WINDOWS\system32\clbdll.dll (Trojan.Agent) -> Quarantined and deleted successfully.
I:\WINDOWS\system32\yjfhkvnu.dll (Trojan.Vundo) -> Delete on reboot.
I:\WINDOWS\system32\clbinit.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
I:\WINDOWS\system32\drivers\clbdriver.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

And thanks again for the help so far!

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 13154

Posted 7-27-2008 2:44 (GMT +2)

Sounds good smile

Go to Start - Control Panel - Add-Remove Programs

Remove the following if found or any variation:

One of Your antivirus programs

"Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and will typically cause your computer to crash, and will provide less protection.
Not more."

Reboot, post new hijackthis log

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals
Please do NOT PM me any logs. They will be deleted

Rudi
New Member

Date Joined Jun 2008
Total Posts : 11

Posted 7-27-2008 5:02 (GMT +2)

I had Panda Internet Security on my computer. As per your instructions above, I have uninstalled it on my computer.

Here is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:18, on 7/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\SYSTEM32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
i:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
I:\WINDOWS\system32\LEXBCES.EXE
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
I:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
I:\Program Files\CyberLink\Shared Files\RichVideo.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\wscntfy.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\ALCXMNTR.EXE
I:\WINDOWS\system32\VTTimer.exe
I:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
I:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
I:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
I:\Program Files\QuickTime\qttask.exe
I:\Program Files\iTunes\iTunesHelper.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
I:\Program Files\iPod\bin\iPodService.exe
I:\Program Files\MSN Messenger\usnsvc.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\WINDOWS\system32\msiexec.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liverpoolfc.tv/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Sympatico
O2 - BHO: {901e96db-5f65-3ecb-0244-6886d4e9e4a4} - {4a4e9e4d-6886-4420-bce3-56f5bd69e109} - I:\WINDOWS\system32\ppftrc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - i:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - i:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [RemoteControl] "I:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "I:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] I:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PrinTray] I:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] I:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] I:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] I:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [789:;<=>?@ABCDEFGHIJexe] ,-./0123456789:;<=>?@ABCDEFGHIJexe
O4 - HKLM\..\Run: [3456789:;<=>?@ABCDEFexe] ()*+,-./0123456789:;<=>?@ABCDEFexe
O4 - HKLM\..\Run: [+,-./0123456789:;<exe] !"#$%&'()*+,-./0123456789:;<exe
O4 - HKLM\..\Run: [3456789:;<=>?@ABCDEFGexe] ()*+,-./0123456789:;<=>?@ABCDEFGexe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "I:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [789:;<=>?@ABCDEFGHIJexe] ,-./0123456789:;<=>?@ABCDEFGHIJexe
O4 - HKCU\..\Run: [3456789:;<=>?@ABCDEFexe] ()*+,-./0123456789:;<=>?@ABCDEFexe
O4 - HKCU\..\Run: [+,-./0123456789:;<exe] !"#$%&'()*+,-./0123456789:;<exe
O4 - HKCU\..\Run: [3456789:;<=>?@ABCDEFGexe] ()*+,-./0123456789:;<=>?@ABCDEFGexe
O4 - Global Startup: Microsoft Office.lnk = I:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177343156734
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - I:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - I:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - I:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 6648 bytes

What's next for me?

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 13154

Posted 7-28-2008 8:29 (GMT +2)

In this log - Posted 7-26-2008 8:15 - have you two antivirus programs running - Norton an Panda.

You were not supposed to remove both ;-)

Install one one of them again.

Please download Combofix:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

And save to the desktop.

Close all other browser windows.

Important-> Temporarily disable your anti-virus, real-time protection before performing a scan. They can interfere with combofix or remove some of its embedded files which may cause "unpredictable results".

Go to Start->Run and copy/paste: ComboFix /snapshot and hit OK. It should run Combofix.

Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.

Post the contents of that log in your next reply with a new hijackthis log.

NB. If you are using any P2P (file sharing) programs, please remove them before we clean your computer.. We do not clean logs that have P2P applications installed as this can cause reinfection during your cleaning.

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals
Please do NOT PM me any logs. They will be deleted

Rudi
New Member

Date Joined Jun 2008
Total Posts : 11

Posted 7-30-2008 1:53 (GMT +2)

Sorry this took so long. Had a out of town emergency. Now back to putting out this fire!

Here is the Hijack log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:40:06, on 7/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\LEXBCES.EXE
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\Program Files\CyberLink\Shared Files\RichVideo.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\ALCXMNTR.EXE
I:\WINDOWS\system32\VTTimer.exe
I:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
I:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
I:\Program Files\QuickTime\qttask.exe
I:\Program Files\iTunes\iTunesHelper.exe
I:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
I:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\MSN Messenger\msnmsgr.exe
I:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
I:\WINDOWS\system32\wscntfy.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\WINDOWS\system32\wuauclt.exe
I:\WINDOWS\system32\wuauclt.exe
I:\WINDOWS\explorer.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liverpoolfc.tv/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - i:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - i:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [RemoteControl] "I:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "I:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] I:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PrinTray] I:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] I:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] I:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] I:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [789:;<=>?@ABCDEFGHIJexe] ,-./0123456789:;<=>?@ABCDEFGHIJexe
O4 - HKLM\..\Run: [3456789:;<=>?@ABCDEFexe] ()*+,-./0123456789:;<=>?@ABCDEFexe
O4 - HKLM\..\Run: [+,-./0123456789:;<exe] !"#$%&'()*+,-./0123456789:;<exe
O4 - HKLM\..\Run: [3456789:;<=>?@ABCDEFGexe] ()*+,-./0123456789:;<=>?@ABCDEFGexe
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "I:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [789:;<=>?@ABCDEFGHIJexe] ,-./0123456789:;<=>?@ABCDEFGHIJexe
O4 - HKCU\..\Run: [3456789:;<=>?@ABCDEFexe] ()*+,-./0123456789:;<=>?@ABCDEFexe
O4 - HKCU\..\Run: [+,-./0123456789:;<exe] !"#$%&'()*+,-./0123456789:;<exe
O4 - HKCU\..\Run: [3456789:;<=>?@ABCDEFGexe] ()*+,-./0123456789:;<=>?@ABCDEFGexe
O4 - Global Startup: Microsoft Office.lnk = I:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177343156734
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - I:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - I:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 5893 bytes

Here is the ComboFix Log:

ComboFix 08-07-29.1 - User 2008-07-29 19:27:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.185 [GMT -4:00]
Running from: I:\Documents and Settings\User\Desktop\ComboFix.exe
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

I:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
I:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
I:\Documents and Settings\User\Application Data\macromedia\Flash Player\#SharedObjects\2CK77YJE\iforex.com
I:\Documents and Settings\User\Application Data\macromedia\Flash Player\#SharedObjects\2CK77YJE\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
I:\Documents and Settings\User\Application Data\macromedia\Flash Player\#SharedObjects\2CK77YJE\interclick.com
I:\Documents and Settings\User\Application Data\macromedia\Flash Player\#SharedObjects\2CK77YJE\interclick.com\pep3.sol
I:\Documents and Settings\User\Application Data\macromedia\Flash Player\#SharedObjects\2CK77YJE\interclick.com\ud.sol
I:\Documents and Settings\User\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
I:\Documents and Settings\User\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
I:\Documents and Settings\User\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
I:\Documents and Settings\User\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
I:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
I:\WINDOWS\system32\mcrh.tmp
I:\WINDOWS\system32\mwmgbdbp.dll
I:\WINDOWS\system32\nrvxxeni.ini
I:\WINDOWS\system32\ppftrc.dll
I:\WINDOWS\system32\ttbuauop.dll
I:\WINDOWS\system32\unvkhfjy.ini
I:\WINDOWS\system32\xgeusg.dll

----- BITS: Possible infected sites -----

http://acs.pandasoftware.com:80
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER

((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-29 )))))))))))))))))))))))))))))))
.

2100-02-23 14:35 . 2001-02-22 09:54 768 --a------ I:\WINDOWS\x73_lut.dat
2100-02-08 15:53 . 2008-04-21 08:54 1,438 --a------ I:\WINDOWS\GtX73.ini
2008-07-26 14:33 . 2008-07-26 14:33 <DIR> d-------- I:\Program Files\Malwarebytes' Anti-Malware
2008-07-26 14:33 . 2008-07-26 14:33 <DIR> d-------- I:\Documents and Settings\User\Application Data\Malwarebytes
2008-07-26 14:33 . 2008-07-26 14:33 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-26 14:33 . 2008-07-23 20:09 38,472 --a------ I:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-26 14:33 . 2008-07-23 20:09 17,144 --a------ I:\WINDOWS\system32\drivers\mbam.sys
2008-07-25 21:15 . 2008-07-26 15:27 <DIR> d-------- I:\Program Files\SUPERAntiSpyware
2008-07-25 21:15 . 2008-07-26 15:27 <DIR> d-------- I:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2008-07-25 21:15 . 2008-07-25 21:15 <DIR> d-------- I:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-25 21:09 . 2008-07-25 21:09 <DIR> d-------- I:\Program Files\Trend Micro
2008-07-25 20:32 . 2008-07-25 20:32 <DIR> d-------- I:\VundoFix Backups
2008-07-25 18:38 . 2008-07-25 18:39 <DIR> d-------- I:\WINDOWS\ERUNT
2008-07-25 01:39 . 2008-07-25 01:48 <DIR> d-------- I:\Documents and Settings\User\Application Data\Symantec
2008-07-25 01:33 . 2008-07-26 14:30 <DIR> d-------- I:\Program Files\Norton 360
2008-07-25 01:24 . 2008-07-26 14:31 <DIR> d-------- I:\Program Files\Common Files\Symantec Shared
2008-07-24 23:20 . 2008-07-24 23:20 <DIR> d-------- I:\Documents and Settings\Administrator
2008-07-24 22:57 . 2003-03-31 15:00 4,224 --a------ I:\WINDOWS\system32\beep.sys
2008-07-24 22:45 . 2008-07-24 22:45 <DIR> d-------- I:\Documents and Settings\User\Application Data\Pegasys Inc
2008-07-24 21:26 . 2008-07-24 21:39 26 --a------ I:\WINDOWS\dvdSanta.INI
2008-07-24 21:23 . 2008-07-24 21:34 <DIR> d-------- I:\Program Files\dvdSanta
2008-07-24 21:23 . 2007-04-22 22:11 1,216,512 --a------ I:\WINDOWS\system32\xvidcore.dll
2008-07-24 21:23 . 2006-10-28 11:11 516,096 --a------ I:\WINDOWS\system32\ac3filter.ax
2008-07-24 21:23 . 2004-01-10 18:02 258,048 --a------ I:\WINDOWS\system32\GplMpgDec.ax
2008-07-24 21:23 . 2007-04-22 22:11 237,568 --a------ I:\WINDOWS\system32\xvidvfw.dll
2008-07-24 21:23 . 2004-03-26 16:32 116,224 --a------ I:\WINDOWS\system32\rmalt.ax
2008-07-24 21:23 . 2007-04-22 22:11 61,440 --a------ I:\WINDOWS\system32\xvid.ax
2008-07-24 21:23 . 2004-04-30 21:46 28,672 --a------ I:\WINDOWS\system32\qtalt.ax
2008-07-04 23:32 . 2008-07-04 23:32 <DIR> d-------- I:\Program Files\Adobe Media Player
2008-07-04 23:31 . 2008-07-04 23:31 <DIR> d-------- I:\Program Files\Common Files\Adobe AIR
2008-07-02 23:42 . 2008-07-02 23:41 145,504 --a------ I:\WINDOWS\system32\bgsvcgen.exe
2008-07-02 23:42 . 2008-07-02 23:41 59,488 --a------ I:\WINDOWS\system32\GenSvcInst.exe
2008-07-02 23:42 . 2008-07-02 23:41 33,408 --a------ I:\WINDOWS\system32\drivers\CDRBSDRV.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-28 12:11 --------- d--h--w I:\Program Files\InstallShield Installation Information
2008-07-28 12:11 --------- d-----w I:\Program Files\Common Files\Panda Software
2008-07-27 15:00 --------- d-----w I:\Program Files\Common Files\InstallShield
2008-07-27 14:47 --------- d-----w I:\Program Files\Winamp
2008-07-27 14:47 --------- d-----w I:\Program Files\QuickTime
2008-07-27 14:47 --------- d-----w I:\Program Files\MSN Messenger
2008-07-27 14:47 --------- d-----w I:\Program Files\iTunes
2008-07-27 14:47 --------- d-----w I:\Program Files\Google
2008-07-26 20:16 --------- d-----w I:\Program Files\LexmarkX73
2008-07-26 20:15 133,915 ----a-w I:\PAVVTS.DAT
2008-07-26 20:15 10,160 ----a-w I:\PAVPROT.BIN
2008-07-25 02:58 --------- d-----w I:\Documents and Settings\User\Application Data\LimeWire
2008-07-23 16:42 --------- d-----w I:\Program Files\PokerStars
2008-07-19 17:22 --------- d-----w I:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-07-12 15:17 --------- d-----w I:\Documents and Settings\User\Application Data\Vso
2008-07-12 15:15 --------- d-----w I:\Documents and Settings\User\Application Data\DVD Flick
2008-07-06 15:47 --------- d-----w I:\Program Files\DVD Flick
2008-07-03 03:33 --------- d---a-w I:\Documents and Settings\All Users\Application Data\TEMP
2008-07-03 03:33 --------- d-----w I:\Documents and Settings\User\Application Data\VideoReDoPlus
2008-06-20 10:45 360,320 ----a-w I:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w I:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w I:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w I:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 14:15 --------- d-----w I:\Documents and Settings\User\Application Data\Hamachi
2008-06-11 02:48 --------- d-----w I:\Program Files\Solveig Multimedia
2008-06-11 02:48 --------- d-----w I:\Program Files\Common Files\Solveig Multimedia
2008-05-15 02:31 21,808 ----a-w I:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2007-05-15 15:21 81,920 ----a-w I:\Documents and Settings\User\Application Data\ezpinst.exe
2007-05-15 15:21 47,360 ----a-w I:\Documents and Settings\User\Application Data\pcouffin.sys
2007-05-13 23:17 40 ----a-w I:\Documents and Settings\User\language.dat
2001-07-26 20:58 47 ----a-w I:\Program Files\ACMonitor_X73.ini
2001-07-05 16:46 8,116 ----a-w I:\Program Files\OSLO3071b2.USB
2001-05-11 15:39 53,248 ----a-w I:\Program Files\ACMonitor_X73.exe
2001-05-08 20:36 114,688 ----a-w I:\Program Files\lxarscan.dll
2001-04-23 18:22 1,437 ----a-w I:\Program Files\gtx73.ini
2001-02-22 13:54 768 ----a-w I:\Program Files\x73_lut.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"789:;<=>?@ABCDEFGHIJexe"="" [?]
"3456789:;<=>?@ABCDEFexe"="()*+" [?]
"3456789:;<=>?@ABCDEFGexe"="()*+" [?]
"ctfmon.exe"="I:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"msnmsgr"="I:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"789:;<=>?@ABCDEFGHIJexe"="" [?]
"3456789:;<=>?@ABCDEFexe"="()*+" [?]
"3456789:;<=>?@ABCDEFGexe"="()*+" [?]
"RemoteControl"="I:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 15:10 56928]
"LanguageShortcut"="I:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
"NeroFilterCheck"="I:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"PrinTray"="I:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-12 03:42 36864]
"SunJavaUpdateSched"="I:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48 36975]
"QuickTime Task"="I:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="I:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"Lexmark X73 Button Monitor"="I:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe" [2001-10-08 16:21 53248]
"Lexmark X73 Button Manager"="I:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe" [2001-07-11 12:08 53248]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 I:\WINDOWS\ALCXMNTR.EXE]
"VTTimer"="VTTimer.exe" [2005-03-08 04:33 53248 I:\WINDOWS\system32\VTTimer.exe]

I:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - I:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wineh46.sys]
@="Driver"

[HKLM\~\startupfolder\I:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=I:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=I:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\I:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=I:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=I:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\I:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=I:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=I:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-06-19 10:07 2321600 I:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-27 16:19 4670704 I:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"I:\\Program Files\\Messenger\\msmsgs.exe"=
"I:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"I:\\Program Files\\MSN Messenger\\livecall.exe"=
"I:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"I:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"I:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"I:\\Program Files\\uTorrent\\uTorrent.exe"=
"I:\\Program Files\\iTunes\\iTunes.exe"=

R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;I:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-02-27 08:14]
S0 Wineh46;Wineh46;I:\WINDOWS\system32\Drivers\Wineh46.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{292062a0-5a98-11dd-a924-000ea6a7bea5}]
\Shell\AutoRun\command - K:\CDGO.exe
.
Contents of the 'Scheduled Tasks' folder

2008-07-28 I:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- I:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-07-26 I:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
- I:\Program Files\Uniblue\SpyEraser\SpyEraser.exe []

2008-07-25 I:\WINDOWS\Tasks\Uniblue SpyEraser.job
- I:\Program Files\Uniblue\SpyEraser\SpyEraser.exe []
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.liverpoolfc.tv/
O8 -: E&xport to Microsoft Excel - I:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-29 19:31:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
I:\WINDOWS\system32\LEXBCES.EXE
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\Program Files\CyberLink\Shared Files\RichVideo.exe
I:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
I:\WINDOWS\system32\wscntfy.exe
I:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-07-29 19:36:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-29 23:36:24

Pre-Run: 7,659,851,776 bytes free
Post-Run: 8,114,688,000 bytes free

211 --- E O F --- 2008-07-09 07:01:42

What do I do next sir?

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 13154

Posted 7-30-2008 8:47 (GMT +2)

No problem smile

Open notepad and copy/paste the text in the quote box below into it:

Quote:

-----------------------------------------------------

KILLALL::

Snapshot::

File::

I:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"789:;<=>?@ABCDEFGHIJexe"=-
"3456789:;<=>?@ABCDEFexe"=-
"3456789:;<=>?@ABCDEFGexe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"789:;<=>?@ABCDEFGHIJexe"=-
"3456789:;<=>?@ABCDEFexe"=-
"3456789:;<=>?@ABCDEFGexe"=-

----------------------------------------------

Save this as CFScript.txt

http://www.fromsej.saknet.dk/billeder/cfscript.gif

At this point, You MUST EXIT ALL BROWSERS NOW before continuing!

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system.

It may reboot your system when it finishes. This is normal.

Post new hijackthis log along with fresh combofix log

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals
Please do NOT PM me any logs. They will be deleted

Rudi
New Member

Date Joined Jun 2008
Total Posts : 11

Posted 7-31-2008 1:47 (GMT +2)

Here are the 2 logs:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:45:20, on 7/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\LEXBCES.EXE
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\ALCXMNTR.EXE
I:\WINDOWS\system32\VTTimer.exe
I:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
I:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
I:\Program Files\QuickTime\qttask.exe
I:\Program Files\iTunes\iTunesHelper.exe
I:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
I:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\MSN Messenger\msnmsgr.exe
I:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\Program Files\CyberLink\Shared Files\RichVideo.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\WINDOWS\system32\wscntfy.exe
I:\WINDOWS\system32\wuauclt.exe
I:\WINDOWS\system32\wuauclt.exe
I:\WINDOWS\explorer.exe
I:\WINDOWS\system32\notepad.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe