
Virtumonde Infection


  • This topic is locked
7 replies to this topic

#1 KMS

KMS

  • Members
  • 19 posts
  • OFFLINE
  • Local time:05:54 PM

Posted 02 August 2008 - 03:55 PM

Hello:
I have been pestered with "popup" ads for scamware for various antivirus products. A SpySweeper scan revealed "virtumonde" but it is proving difficult to remove.
I have tried: SpySweeper, ZoneAlarm, Kaspersky, ThreatFire, VundoFix, and Symantec Virtumonde Removal Tool without success. These programs seem to detect it, but do not remove it. Kaspersky identified:
G:\WINDOWS\SYSTEM32\gqxjrinv.dll
but will not allow me to remove it after performing a search function. I assume I have some sort of pervasive variant of this trojan. Any help is greatly appreciated!

Results of HijackThis:

Deckard's System Scanner v20071014.68
Run by Tom and Carol on 2008-08-02 16:37:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Tom and Carol.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:30 PM, on 8/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\csrss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\ActivIdentity\ActivClient\acevents.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\WLTRYSVC.EXE
G:\WINDOWS\System32\bcmwltry.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\System32\SCardSvr.exe
G:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
G:\Program Files\ActivIdentity\ActivClient\acautoup.exe
G:\Program Files\ActivIdentity\ActivClient\accoca.exe
G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
G:\Program Files\Common Files\LightScribe\LSSrvc.exe
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
G:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
G:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\svchost.exe
G:\Program Files\ThreatFire\TFService.exe
G:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
G:\WINDOWS\system32\Rundll32.exe
G:\WINDOWS\system32\RUNDLL32.EXE
G:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
G:\Program Files\Roxio\Media Experience\DMXLauncher.exe
G:\WINDOWS\system32\WLTRAY.exe
G:\WINDOWS\shicoxp.exe
G:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
G:\WINDOWS\system32\rundll32.exe
G:\Program Files\ThreatFire\TFTray.exe
G:\WINDOWS\System32\alg.exe
G:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
G:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
G:\Program Files\Microsoft ActiveSync\wcescomm.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\ActivIdentity\ActivClient\acevents.exe
G:\Program Files\Picasa2\PicasaMediaDetector.exe
G:\Program Files\Messenger\msmsgs.exe
G:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
G:\PROGRA~1\MI3AA1~1\rapimgr.exe
G:\Program Files\ActivIdentity\ActivClient\acsagent.exe
G:\Program Files\Webroot\Spy Sweeper\SSU.EXE
G:\Program Files\Mozilla Firefox\firefox.exe
G:\WINDOWS\system32\wbem\wmiprvse.exe
G:\WINDOWS\system32\wscntfy.exe
G:\WINDOWS\system32\wbem\wmiprvse.exe
G:\WINDOWS\System32\svchost.exe
G:\Documents and Settings\Tom and Carol.HOME\Desktop\dss.exe
G:\PROGRA~1\TRENDM~1\HIJACK~1\Tom and Carol.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {1CA0D1CE-DBAB-4EF1-8DFF-6960EC7890C0} - G:\WINDOWS\system32\mlJBRijk.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UserFaultCheck] G:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Launch Ai Booster] "G:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [DMXLauncher] "G:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [U.S. Robotics Wireless Manager UI] G:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [shicoxp] G:\WINDOWS\shicoxp.exe
O4 - HKLM\..\Run: [accrdsub] "G:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] G:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [000000af] "rundll32.exe" "G:\WINDOWS\system32\gqxjrinv.dll",b
O4 - HKLM\..\Run: [ThreatFire] "G:\Program Files\ThreatFire\TFTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] G:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [H/PC Connection Agent] "G:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Picasa Media Detector] G:\Program Files\Picasa2\PicasaMediaDetector
O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Global Startup: ActivClient Agent.lnk = G:\Program Files\ActivIdentity\ActivClient\acsagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1217542857531
O16 - DPF: {E7DA7F8D-27AB-4EE9-8FC0-3FEC9ECFE758} (DynamicWebTwain Class) - https://apps.mods.army.mil/SRExchangeConfig...micWebTWAIN.cab
O20 - Winlogon Notify: ackpbsc - G:\WINDOWS\system32\ackpbsc.dll
O20 - Winlogon Notify: acunlock - G:\Program Files\ActivIdentity\ActivClient\acunlock.dll
O20 - Winlogon Notify: xxyabaxW - xxyabaxW.dll (file missing)
O23 - Service: ActivClient Authentication Service (acachsrv) - ActivIdentity - G:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
O23 - Service: ActivClient Auto-Update Service (acautoup) - ActivIdentity - G:\Program Files\ActivIdentity\ActivClient\acautoup.exe
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - G:\Program Files\ActivIdentity\ActivClient\accoca.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - G:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Google Updater Service (gusvc) - Google - G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - G:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - G:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - G:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - G:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - G:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - G:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - G:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - G:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - G:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: ThreatFire - PC Tools - G:\Program Files\ThreatFire\TFService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - G:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - G:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9416 bytes

-- Files created between 2008-07-02 and 2008-08-02 -----------------------------

2008-08-02 16:37:44 0 d-------- G:\Program Files\Trend Micro
2008-08-02 09:03:08 0 d-------- G:\VundoFix Backups
2008-08-01 18:33:53 0 d-------- G:\Program Files\AVM
2008-08-01 14:42:02 0 d-------- G:\Program Files\Windows Live Safety Center
2008-07-31 19:39:39 0 d-a------ G:\Documents and Settings\All Users\Application Data\TEMP
2008-07-31 19:38:45 0 d-------- G:\Program Files\ThreatFire
2008-07-31 19:38:45 0 d-------- G:\Documents and Settings\All Users\Application Data\PC Tools
2008-07-31 17:32:32 262144 --a------ G:\Documents and Settings\Tom and Carol\NTUSER.DAT
2008-07-31 17:32:32 262144 --a------ G:\Documents and Settings\Carol and Tom\NTUSER.DAT
2008-07-31 16:26:02 0 d-------- G:\Documents and Settings\All Users\Application Data\McAfee
2008-07-31 16:13:36 99712 --a------ G:\WINDOWS\system32\gqxjrinv.dll
2008-07-31 16:05:22 0 d-------- G:\Program Files\Kaspersky Lab
2008-07-30 17:09:47 0 d-------- G:\Documents and Settings\Tom and Carol.HOME\Application Data\MailFrontier
2008-07-30 17:07:05 9420576 --ahs---- G:\WINDOWS\system32\drivers\fidbox.dat
2008-07-30 17:02:03 0 d-------- G:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-30 17:01:57 4212 ---h----- G:\WINDOWS\system32\zllictbl.dat
2008-07-30 17:01:11 0 d-------- G:\WINDOWS\system32\ZoneLabs
2008-07-30 17:00:31 0 d-------- G:\WINDOWS\Internet Logs
2008-07-30 09:43:00 782469 --ahs---- G:\WINDOWS\system32\kjiRBJlm.ini2
2008-07-30 09:42:56 323840 --a------ G:\WINDOWS\system32\mlJBRijk.dll
2008-07-30 09:37:53 34176 --a------ G:\WINDOWS\system32\cbXNHxyX.dll
2008-07-09 13:17:45 0 d-------- G:\spoolerlogs


-- Find3M Report ---------------------------------------------------------------

2008-08-02 09:47:32 0 d-------- G:\Program Files\Java
2008-08-01 07:26:31 0 d-------- G:\Documents and Settings\Tom and Carol.HOME\Application Data\Mozilla
2008-07-31 17:37:08 0 d-------- G:\Program Files\Common Files
2008-07-31 16:50:26 164 --a------ G:\install.dat
2008-07-22 13:50:04 0 d-------- G:\Documents and Settings\Tom and Carol.HOME\Application Data\Canon
2008-07-05 13:30:54 0 d-------- G:\Program Files\Dvd-cloner
2008-05-02 16:18:47 32768 -------c- G:\WINDOWS\SHUTPC.EXE


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1CA0D1CE-DBAB-4EF1-8DFF-6960EC7890C0}]
07/30/2008 09:42 AM 323840 --a------ G:\WINDOWS\system32\mlJBRijk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [05/03/2005 07:38 AM G:\WINDOWS\system32\P17.dll]
"UserFaultCheck"="G:\WINDOWS\system32\dumprep 0 -u" []
"QuickTime Task"="G:\Program Files\QuickTime\qttask.exe" [11/15/2007 12:43 AM]
"NvMediaCenter"="RUNDLL32.exe" [02/28/2006 08:00 AM G:\WINDOWS\system32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [02/28/2006 08:00 AM G:\WINDOWS\system32\rundll32.exe]
"Launch Ai Booster"="G:\Program Files\ASUS\Ai Booster\OverClk.exe" [12/21/2005 05:50 PM]
"DMXLauncher"="G:\Program Files\Roxio\Media Experience\DMXLauncher.exe" [11/14/2006 01:07 AM]
"Adobe Reader Speed Launcher"="G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"U.S. Robotics Wireless Manager UI"="G:\WINDOWS\system32\WLTRAY" []
"shicoxp"="G:\WINDOWS\shicoxp.exe" [05/14/2003 10:40 AM]
"@"="" []
"accrdsub"="G:\Program Files\ActivIdentity\ActivClient\accrdsub.exe" [11/10/2006 12:28 PM]
"KernelFaultCheck"="G:\WINDOWS\system32\dumprep 0 -k" []
"000000af"="rundll32.exe" [02/28/2006 08:00 AM G:\WINDOWS\system32\rundll32.exe]
"ThreatFire"="G:\Program Files\ThreatFire\TFTray.exe" [04/24/2008 04:52 PM]
"SunJavaUpdateSched"="G:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"SpySweeper"="G:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 08:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="G:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/13/2006 02:39 PM]
"ctfmon.exe"="G:\WINDOWS\system32\ctfmon.exe" [02/28/2006 08:00 AM]
"Picasa Media Detector"="G:\Program Files\Picasa2\PicasaMediaDetector" []
"MSMSGS"="G:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"Windows update loader"="C:\Windows\xpupdate.exe" []

G:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ActivClient Agent.lnk - G:\Program Files\ActivIdentity\ActivClient\acsagent.exe [11/10/2006 12:27:58 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Wallpaper"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceActiveDesktopOn"=1 (0x1)
"NoActiveDesktop"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
G:\WINDOWS\system32\ackpbsc.dll 01/30/2007 08:57 AM 101888 G:\WINDOWS\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
G:\Program Files\ActivIdentity\ActivClient\acunlock.dll 01/30/2007 02:57 PM 260096 G:\Program Files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyabaxW]
xxyabaxW.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 G:\WINDOWS\system32\mlJBRijk

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\G:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus Organizer EasyClip.lnk]
backup=G:\WINDOWS\pss\Lotus Organizer EasyClip.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"G:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"nwiz.exe" /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"G:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
"G:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE




-- End of Deckard's System Scanner: finished at 2008-08-02 16:39:20 ------------
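The entries the helpers home in on in a log like the one above are structural rather than name-based: a Run value named with hex digits that hands a system32 DLL to rundll32 through a one-letter export (the `000000af` / `gqxjrinv.dll,b` line), a BHO registered with no name (`mlJBRijk.dll`), a Winlogon Notify hook whose DLL is missing (`xxyabaxW`), an LSA "Authentication Packages" list that contains more than `msv1_0`, and a Run entry pointing at a drive other than the one Windows is installed on (`C:\Windows\xpupdate.exe` on a machine whose system root is `G:\WINDOWS`). The script below is an added example, not part of this thread and not part of HijackThis or Deckard's System Scanner; it encodes those heuristics over a handful of lines copied from the log above, and the heuristics themselves are my own triage rules, not an official rule set.

```python
"""Triage heuristics for HijackThis-style log lines (added example).

The rules below are the editor's own; they flag the structural clues
Vundo/Virtumonde persistence leaves behind rather than matching on
file names, so they also catch the next random eight-letter DLL.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Lines copied from the HijackThis log and registry dump posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {1CA0D1CE-DBAB-4EF1-8DFF-6960EC7890C0} - G:\WINDOWS\system32\mlJBRijk.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [000000af] "rundll32.exe" "G:\WINDOWS\system32\gqxjrinv.dll",b
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O20 - Winlogon Notify: acunlock - G:\Program Files\ActivIdentity\ActivClient\acunlock.dll
O20 - Winlogon Notify: xxyabaxW - xxyabaxW.dll (file missing)
"Authentication Packages"= msv1_0 G:\WINDOWS\system32\mlJBRijk
"""

O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$')
O4_RE = re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')
LSA_RE = re.compile(r'^"Authentication Packages"=\s*(?P<pkgs>.*)$')
# rundll32 invocations: optional quotes around the exe and the DLL path, then ",export"
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S+)', re.I)
DRIVE_RE = re.compile(r'\b([A-Za-z]:)\\')
SYSROOT_RE = re.compile(r'\b([A-Za-z]:)\\WINDOWS\\', re.I)


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def detect_system_drive(text):
    """Most common drive letter in front of \\WINDOWS\\ (G: in this log)."""
    hits = Counter(m.group(1).upper() for m in SYSROOT_RE.finditer(text))
    return hits.most_common(1)[0][0] if hits else None


def triage(text, system_drive=None):
    """Return one Finding per suspicious line, with every rule it tripped."""
    system_drive = (system_drive or detect_system_drive(text) or "C:").upper()
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        reasons = []
        if m := O2_RE.match(line):
            if m.group("name") == "(no name)":
                reasons.append("BHO registered without a name")
        elif m := O4_RE.match(line):
            name, cmd = m.group("name"), m.group("cmd")
            if re.fullmatch(r"[0-9a-fA-F]{6,}", name):
                reasons.append("Run value named with hex digits rather than a product name")
            if (r := RUNDLL_RE.search(cmd)) and len(r.group("export")) <= 2:
                reasons.append(f"rundll32 loads {r.group('dll')} through a "
                               f"{len(r.group('export'))}-character export")
            if (d := DRIVE_RE.search(cmd)) and d.group(1).upper() != system_drive:
                reasons.append(f"points at drive {d.group(1)} while Windows lives on {system_drive}")
        elif m := O20_RE.match(line):
            if "(file missing)" in m.group("path") or "\\" not in m.group("path"):
                reasons.append("Winlogon Notify hook whose DLL is missing or has no full path")
        elif m := LSA_RE.match(line):
            extra = [p for p in m.group("pkgs").split() if p.lower() != "msv1_0"]
            if extra:
                reasons.append("LSA Authentication Packages lists more than msv1_0: " + ", ".join(extra))
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for why in f.reasons:
            print("   ->", why)
```

Run against the sample it reports five lines; the legitimate NVIDIA rundll32 entry and the Adobe BHO with a missing file are left alone, because a named export and a missing BHO file are ordinary on a home machine, whereas an extra LSA authentication package or a nameless BHO almost never are. Extend `SAMPLE_LOG` with the full log from the post to see the same rules run over the complete set.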


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:11:54 PM

Posted 03 August 2008 - 03:25 PM

Hello KMS and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3. Restart your computer.

4. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users!).
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#3 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:11:54 PM

Posted 04 August 2008 - 04:54 AM

Thunder:
Thanks for your help and advice. Attached are the logs:
Malwarebytes:
Malwarebytes' Anti-Malware 1.24
Database version: 1020
Windows 5.1.2600 Service Pack 2

7:05:37 PM 8/3/2008
mbam-log-8-3-2008 (19-05-37).txt

Scan type: Quick Scan
Objects scanned: 45172
Time elapsed: 3 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
G:\WINDOWS\system32\mlJBRijk.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cd064095-2db7-45d0-8e3b-6e0de2a69432} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cd064095-2db7-45d0-8e3b-6e0de2a69432} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{28030fa8-2428-4de6-b0f3-ce9494e1a412} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows update loader (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ADP (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: g:\windows\system32\mljbrijk -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: g:\windows\system32\mljbrijk -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (2) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
G:\Program Files\AVM (Rogue.AntivirusMaster) -> Quarantined and deleted successfully.

Files Infected:
G:\WINDOWS\system32\mlJBRijk.dll (Trojan.Vundo) -> Delete on reboot.
G:\WINDOWS\system32\kjiRBJlm.ini (Trojan.Vundo) -> Delete on reboot.
G:\WINDOWS\system32\kjiRBJlm.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
G:\WINDOWS\system32\cbXNHxyX.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
G:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.


And ComboFix:
ComboFix 08-08-03.01 - Tom and Carol 2008-08-03 19:19:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1486 [GMT -4:00]
Running from: G:\Documents and Settings\Tom and Carol.HOME\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

G:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
G:\Documents and Settings\Tom and Carol.HOME\Application Data\macromedia\Flash Player\#SharedObjects\GP9W4QFZ\interclick.com
G:\Documents and Settings\Tom and Carol.HOME\Application Data\macromedia\Flash Player\#SharedObjects\GP9W4QFZ\interclick.com\ud.sol
G:\Documents and Settings\Tom and Carol.HOME\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
G:\Documents and Settings\Tom and Carol.HOME\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
G:\Documents and Settings\Tom and Carol.HOME\Favorites\.url
G:\Documents and Settings\Tom and Carol.HOME\g2mdlhlpx.exe
G:\VundoFix.txt
G:\WINDOWS\install.exe
G:\WINDOWS\system32\mcrh.tmp
G:\WINDOWS\system32\vnirjxqg.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-03 to 2008-08-03 )))))))))))))))))))))))))))))))
.

2008-08-03 18:55 . 2008-08-03 18:55 <DIR> d-------- G:\Program Files\Malwarebytes' Anti-Malware
2008-08-03 18:55 . 2008-08-03 18:55 <DIR> d-------- G:\Documents and Settings\Tom and Carol.HOME\Application Data\Malwarebytes
2008-08-03 18:55 . 2008-08-03 18:55 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-03 18:55 . 2008-07-30 20:07 38,472 --a------ G:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-03 18:55 . 2008-07-30 20:07 17,144 --a------ G:\WINDOWS\system32\drivers\mbam.sys
2008-08-03 12:59 . 2008-08-03 19:22 4,652,064 --ahs---- G:\WINDOWS\system32\drivers\fidbox.dat
2008-08-03 12:59 . 2008-08-03 12:59 91,700 --a------ G:\WINDOWS\system32\drivers\klin.dat
2008-08-03 12:59 . 2008-08-03 12:59 85,860 --a------ G:\WINDOWS\system32\drivers\klick.dat
2008-08-03 12:59 . 2008-08-03 19:06 59,372 --ahs---- G:\WINDOWS\system32\drivers\fidbox.idx
2008-08-03 12:58 . 2008-08-03 12:58 <DIR> d-------- G:\Program Files\Kaspersky Lab
2008-08-03 12:58 . 2008-08-03 19:21 13,344 --ahs---- G:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-03 12:58 . 2008-08-03 19:06 1,940 --ahs---- G:\WINDOWS\system32\drivers\fidbox2.idx
2008-08-02 19:38 . 2008-08-02 19:38 <DIR> d-------- G:\kaspersky
2008-08-02 16:37 . 2008-08-02 16:37 <DIR> d-------- G:\Program Files\Trend Micro
2008-08-02 16:30 . 2008-08-02 16:30 <DIR> d-------- G:\Deckard
2008-08-02 09:49 . 2008-06-10 02:32 73,728 --a------ G:\WINDOWS\system32\javacpl.cpl
2008-08-02 09:03 . 2008-08-02 09:03 <DIR> d-------- G:\VundoFix Backups
2008-08-01 14:42 . 2008-08-01 14:42 <DIR> d-------- G:\Program Files\Windows Live Safety Center
2008-07-31 19:39 . 2008-08-02 19:39 <DIR> d-a------ G:\Documents and Settings\All Users\Application Data\TEMP
2008-07-31 16:26 . 2008-07-31 17:37 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\McAfee
2008-07-30 17:09 . 2008-07-31 16:05 <DIR> d-------- G:\Documents and Settings\Tom and Carol.HOME\Application Data\MailFrontier
2008-07-30 17:02 . 2008-07-30 17:51 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-30 17:01 . 2008-07-30 17:01 <DIR> d-------- G:\Program Files\Zone Labs
2008-07-30 17:00 . 2008-07-31 16:06 <DIR> d-------- G:\WINDOWS\Internet Logs
2008-07-29 18:29 . 2008-07-30 09:22 54,156 --ah----- G:\WINDOWS\QTFont.qfn
2008-07-29 18:29 . 2008-07-29 18:29 1,409 --a------ G:\WINDOWS\QTFont.for
2008-07-09 13:17 . 2008-07-09 13:17 <DIR> d-------- G:\spoolerlogs
2008-07-07 19:58 . 2008-08-03 08:32 3,370 --a------ G:\WINDOWS\JIFPClient.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-03 23:08 --------- d-----w G:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-02 13:47 --------- d-----w G:\Program Files\Java
2008-07-31 20:50 164 ----a-w G:\install.dat
2008-07-31 19:57 1,877,504 ----a-w G:\WINDOWS\Internet Logs\xDB4.tmp
2008-07-31 10:14 91,136 ----a-w G:\WINDOWS\Internet Logs\xDB3.tmp
2008-07-30 22:29 1,860,096 ----a-w G:\WINDOWS\Internet Logs\xDB2.tmp
2008-07-30 21:48 134,144 ----a-w G:\WINDOWS\Internet Logs\xDB1.tmp
2008-07-30 20:03 --------- d-----w G:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-22 17:50 --------- d-----w G:\Documents and Settings\Tom and Carol.HOME\Application Data\Canon
2008-07-09 13:05 1,086,952 ----a-w G:\WINDOWS\system32\zpeng24.dll
2008-07-05 17:30 --------- d-----w G:\Program Files\Dvd-cloner
2008-06-20 17:41 245,248 ----a-w G:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w G:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w G:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w G:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w G:\WINDOWS\system32\drivers\bthport.sys
2008-05-07 05:18 1,287,680 ----a-w G:\WINDOWS\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="G:\Program Files\Picasa2\PicasaMediaDetector" [X]
"H/PC Connection Agent"="G:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"ctfmon.exe"="G:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"MSMSGS"="G:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="G:\WINDOWS\system32\dumprep 0 -u" [X]
"U.S. Robotics Wireless Manager UI"="G:\WINDOWS\system32\WLTRAY" [X]
"QuickTime Task"="G:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"NvMediaCenter"="G:\WINDOWS\system32\NvMcTray.dll" [2006-12-21 11:29 81920]
"NvCplDaemon"="G:\WINDOWS\system32\NvCpl.dll" [2006-12-21 11:29 7774208]
"Launch Ai Booster"="G:\Program Files\ASUS\Ai Booster\OverClk.exe" [2005-12-21 17:50 3627520]
"DMXLauncher"="G:\Program Files\Roxio\Media Experience\DMXLauncher.exe" [2006-11-14 01:07 102400]
"Adobe Reader Speed Launcher"="G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"shicoxp"="G:\WINDOWS\shicoxp.exe" [2003-05-14 10:40 40960]
"accrdsub"="G:\Program Files\ActivIdentity\ActivClient\accrdsub.exe" [2006-11-10 12:28 275968]
"SunJavaUpdateSched"="G:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SpySweeper"="G:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]
"P17Helper"="P17.dll" [2005-05-03 07:38 64512 G:\WINDOWS\system32\P17.dll]

G:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ActivClient Agent.lnk - G:\Program Files\ActivIdentity\ActivClient\acsagent.exe [2006-11-10 12:27:58 77312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2007-01-30 08:57 101888 G:\WINDOWS\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2007-01-30 14:57 260096 G:\Program Files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\G:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus Organizer EasyClip.lnk]
backup=G:\WINDOWS\pss\Lotus Organizer EasyClip.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 14:11 267048 G:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-11-15 09:05 1121016 G:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2006-11-27 20:58 221184 G:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-12-21 11:29 1622016 G:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-08-17 18:39 90112 G:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"G:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"G:\Program Files\Microsoft ActiveSync\rapimgr.exe"= G:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"G:\Program Files\Microsoft ActiveSync\wcescomm.exe"= G:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"G:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= G:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"G:\\Program Files\\iTunes\\iTunes.exe"=
"G:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=
"G:\\kaspersky\\setup.exe"=
"G:\\KAV\\kav7\\setup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Si3132r5;SiI-3132 SoftRaid 5 Controller;G:\WINDOWS\system32\DRIVERS\Si3132r5.sys [2007-01-25 23:57]
R1 DLARTL_M;DLARTL_M;G:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-09-15 09:45]
R2 acachsrv;ActivClient Authentication Service;G:\Program Files\ActivIdentity\ActivClient\acachsrv.exe [2006-11-10 12:29]
R2 acautoup;ActivClient Auto-Update Service;G:\Program Files\ActivIdentity\ActivClient\acautoup.exe [2006-11-10 12:29]
R2 accoca;ActivClient Middleware Service;G:\Program Files\ActivIdentity\ActivClient\accoca.exe [2006-11-10 12:29]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;G:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 Wibukey2;Wibukey2;G:\WINDOWS\system32\drivers\wibukey2.sys [2001-04-09 23:01]
S3 PCASp50;PCASp50 NDIS Protocol Driver;G:\WINDOWS\system32\Drivers\PCASp50.sys [2004-09-07 17:42]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;G:\WINDOWS\system32\DRIVERS\SCR3XX2K.sys [2007-10-17 23:11]
S3 SCRx31 USB Smart Card Reader;SCRx31 USB Smart Card Reader;G:\WINDOWS\system32\DRIVERS\scrccid.sys []
S3 Usblink;Usblink Driver;G:\WINDOWS\system32\Drivers\ulink.sys [2003-04-18 09:19]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-07-24 G:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- G:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-08-02 G:\WINDOWS\Tasks\wrSpySweeper_LA4991F547E834D608FED534C47625E5E.job
- G:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 20:56]

2008-08-02 G:\WINDOWS\Tasks\wrSpySweeper_LA4991F547E834D608FED534C47625E5E.job
- G:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 20:56]

2008-08-02 G:\WINDOWS\Tasks\wrSpySweeper_LA4991F547E834D608FED534C47625E5E.job
- A:\","C:\","D:\","E:\","F:\","G:\","H:\" []
.
- - - - ORPHANS REMOVED - - - -

Notify-xxyabaxW - xxyabaxW.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - G:\Documents and Settings\Tom and Carol.HOME\Application Data\Mozilla\Firefox\Profiles\2oq6ldxu.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.comcast.net
FF -: plugin - G:\Program Files\iTunes\Mozilla Plugins\npitunes.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-03 19:21:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-03 19:24:37
ComboFix-quarantined-files.txt 2008-08-03 23:24:34

Pre-Run: 454,943,215,616 bytes free
Post-Run: 455,071,633,408 bytes free

179 --- E O F --- 2008-07-09 12:36:47

Thanks for your help - Glad there are folks like you who understand this stuff.
KMS
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#4 Thunder

Posted 04 August 2008 - 04:56 AM

Hello KMS,

Looks good now. :thumbsup:

Can I see a fresh HijackThis log please?

Any more problems?

Greetings,
Thunder

#5 Thunder

Posted 05 August 2008 - 04:18 AM

Thunder:
Latest HijackThis log:
Since your recommended fix I have had no further popups. Interestingly I had also been having a problem with Windows Automatic Updates turning itself off - this has resolved!
Thanks so much . . .

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:41, on 2008-08-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\System32\WLTRYSVC.EXE
G:\WINDOWS\System32\bcmwltry.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
G:\Program Files\ActivIdentity\ActivClient\acautoup.exe
G:\Program Files\ActivIdentity\ActivClient\accoca.exe
G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
G:\Program Files\Common Files\LightScribe\LSSrvc.exe
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
G:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
G:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
G:\WINDOWS\system32\Rundll32.exe
G:\WINDOWS\system32\RUNDLL32.EXE
G:\Program Files\Roxio\Media Experience\DMXLauncher.exe
G:\WINDOWS\system32\WLTRAY.exe
G:\WINDOWS\shicoxp.exe
G:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
G:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
G:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
G:\Program Files\Microsoft ActiveSync\wcescomm.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Picasa2\PicasaMediaDetector.exe
G:\Program Files\Messenger\msmsgs.exe
G:\Program Files\ActivIdentity\ActivClient\acsagent.exe
G:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
G:\Program Files\ActivIdentity\ActivClient\acevents.exe
G:\PROGRA~1\MI3AA1~1\rapimgr.exe
G:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
G:\Program Files\Webroot\Spy Sweeper\SSU.EXE
G:\Program Files\Mozilla Firefox\firefox.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UserFaultCheck] G:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Launch Ai Booster] "G:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [DMXLauncher] "G:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [U.S. Robotics Wireless Manager UI] G:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [shicoxp] G:\WINDOWS\shicoxp.exe
O4 - HKLM\..\Run: [accrdsub] "G:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [SpySweeper] G:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [H/PC Connection Agent] "G:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Picasa Media Detector] G:\Program Files\Picasa2\PicasaMediaDetector
O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: ActivClient Agent.lnk = G:\Program Files\ActivIdentity\ActivClient\acsagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1217542857531
O16 - DPF: {E7DA7F8D-27AB-4EE9-8FC0-3FEC9ECFE758} (DynamicWebTwain Class) - https://apps.mods.army.mil/SRExchangeConfig...micWebTWAIN.cab
O20 - Winlogon Notify: ackpbsc - G:\WINDOWS\system32\ackpbsc.dll
O20 - Winlogon Notify: acunlock - G:\Program Files\ActivIdentity\ActivClient\acunlock.dll
O23 - Service: ActivClient Authentication Service (acachsrv) - ActivIdentity - G:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
O23 - Service: ActivClient Auto-Update Service (acautoup) - ActivIdentity - G:\Program Files\ActivIdentity\ActivClient\acautoup.exe
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - G:\Program Files\ActivIdentity\ActivClient\accoca.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - G:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Google Updater Service (gusvc) - Google - G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - G:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - G:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - G:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - G:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - G:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - G:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - G:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - G:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - G:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - G:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - G:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8662 bytes

#6 Thunder

Posted 05 August 2008 - 04:22 AM

Hello KMS,

You seem to have a problem replying in this topic? :thumbsup:

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following, if still present:

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O4 - HKLM\..\Run: [UserFaultCheck] G:\WINDOWS\system32\dumprep 0 -u

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

You can remove all used tools and folders created in the process.
To remove ComboFix:
Go to Start > Run, and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

No more problems ?

Greetings,
Thunder
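The triage Thunder does by eye in the post above (pick the BHO that HijackThis marks "(file missing)" and the Run entry whose target ComboFix listed with "[X]" earlier in the thread, leave the legitimate ActivClient and NVIDIA entries alone) can be scripted as a first pass over a log. The script below is an added example and is not a tool from this thread or from the HijackThis or ComboFix projects. It parses the "O" lines of a HijackThis log and flags four things a helper would look at: entries whose target is reported missing, Run targets given without a file extension (the two entries ComboFix printed with "[X]" above are exactly this shape), Winlogon Notify DLLs that are not an absolute path (the orphaned xxyabaxW.dll ComboFix removed), and services with no publisher. The sample log is constructed from lines in this thread, and the flag reasons and heuristics are mine, not HijackThis output; they are pointers for a human review, not verdicts.

```python
"""Triage helper for HijackThis 'O' lines (added example, not part of the thread)."""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample, modelled on the HijackThis log posted in this thread plus
# the orphaned Winlogon Notify entry (xxyabaxW.dll) that ComboFix reported.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O4 - HKLM\..\Run: [UserFaultCheck] G:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [U.S. Robotics Wireless Manager UI] G:\WINDOWS\system32\WLTRAY
O20 - Winlogon Notify: ackpbsc - G:\WINDOWS\system32\ackpbsc.dll
O20 - Winlogon Notify: xxyabaxW - xxyabaxW.dll
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - G:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section, e.g. "O2", "O4", "O20", "O23"
    label: str    # the entry name as HijackThis prints it
    reason: str   # why a human should look at it (heuristic, not a verdict)


LINE_RE = re.compile(r"^(O\d+) - (.*)$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# How to pull the display name out of each section's body.
LABEL_RES = {
    "O2": re.compile(r"^BHO: (.+?) - \{"),
    "O4": re.compile(r"^HK\w+\\\.\.\\Run: \[(.+?)\]"),
    "O20": re.compile(r"^Winlogon Notify: (\S+) - "),
    "O23": re.compile(r"^Service: (.+?) - "),
}


def parse_lines(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, body) for every 'On - ...' line; other lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def entry_label(section: str, body: str) -> str:
    rx = LABEL_RES.get(section)
    m = rx.match(body) if rx else None
    return m.group(1) if m else body[:40]


def run_target(command: str) -> str:
    """First token of an O4 command: a quoted path, or the text up to the first space."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def check(section: str, body: str) -> Optional[str]:
    """Return a reason string if the entry deserves a look, else None."""
    if body.endswith("(file missing)"):
        return "target no longer exists on disk; stale entry that can be removed"
    if section == "O4":
        m = LABEL_RES["O4"].match(body)
        if m:
            target = run_target(body[m.end():].lstrip())
            # ntpath so the Windows path is split correctly on any host OS.
            if ntpath.splitext(target)[1] == "":
                return "target given without a file extension; confirm the file exists before keeping it"
    if section == "O20":
        m = re.match(r"^Winlogon Notify: \S+ - (.+)$", body)
        if m and not ABS_PATH_RE.match(m.group(1)):
            return "Winlogon Notify DLL is not an absolute path; check what actually loads at logon"
    if section == "O23" and " - Unknown owner - " in body:
        return "service binary carries no publisher; verify it before trusting"
    return None


def triage(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for section, body in parse_lines(text):
        reason = check(section, body)
        if reason:
            findings.append(Finding(section, entry_label(section, body), reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4} {f.label!r}: {f.reason}")
```

Run against the constructed sample it reports the Adobe BHO and the UserFaultCheck entry that Thunder asked to be fixed, plus the WLTRAY entry, the unresolved xxyabaxW.dll and the NVIDIA service with no publisher as items to verify; the ackpbsc Notify DLL and the Kaspersky service pass. The point of the extension and absolute-path checks is that a Run or Notify value which cannot be resolved to a file on disk is either dead (safe to clean) or is being resolved through the search path, which is worth a second look either way.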

#7 KMS

Posted 05 August 2008 - 05:16 AM

Thunder:
Those two files were still present in HijackThis, were checked and fixed.
No more problems.
Thanks

#8 Thunder

Posted 05 August 2008 - 06:25 AM

Glad we could help, KMS :thumbsup:

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.