
Vundo on my Computer -HELP!


12 replies to this topic

#1 davetz

Posted 25 October 2008 - 06:48 PM

Recently got a virus on my Dell Latitude D400 running XP. I think part of it may be Vundo. A few details:

INITIAL SYMPTOMS:
-initial symptoms were deletions of icons on desktop, deletions from start menu and text "VIRUS ALERT!" next to Windows Clock-- I ran a smitfraudfix.exe and it fixed these problems (as far as I can tell)

PROBLEMS STILL REMAINING:
-any time I open Internet Explorer, several popups to legitimate-looking ad sites are opened, sometimes many pages at once. When I use Opera browser, no problems noted--this problem may have subsided since I ran Spybot S&D.

-most egregious: occasionally, like when I try to run a virus scan (running eEye Blink Personal), Windows gives me an error message about "stopping lsass.exe" because something is trying to access it and the system shuts down.



Did all prerequisite steps including doing a scan with eEye Blink Personal and AVG (now uninstalled since it could not remove Vundo), Spybot S&D, AdAware, Stinger, and HijackThis log (below).


Tried removing Vundo with "Vundmundobegone" but still get popups and attacks on lsass.exe.
eEye Blink Personal still says it finds Malware called "W32/Vundo.FBF" and "Vundo.FPH" but while it claims to disinfect my system, it keeps popping up in Blink Personal and the lsass.exe attack still occurs.

THANKS FOR YOUR HELP!!!
Dave



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:06 PM, on 10/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\eEye Digital Security\Blink\blinksvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\eEye Digital Security\Blink\blink.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://crewtrac.flypinnacle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 76.176.120.172:3128
O2 - BHO: {72437242-e81f-1b18-b794-3fe5bfc25c91} - {19c52cfb-5ef3-497b-81b1-f18e24273427} - C:\WINDOWS\system32\svtjgp.dll
O2 - BHO: (no name) - {4D2FDB7A-2B7F-4D49-BA64-676B86F7BF0D} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {AF9B00A9-DFA6-4925-9252-3316B5B69832} - C:\WINDOWS\system32\ljJDUnol.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunOnce: [SpybotDeletingA741] command /c del "C:\WINDOWS\system32\sobybiae.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7543] cmd /c del "C:\WINDOWS\system32\sobybiae.dll_old"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB194] command /c del "C:\WINDOWS\system32\sobybiae.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5183] cmd /c del "C:\WINDOWS\system32\sobybiae.dll_old"
O4 - Global Startup: Blink.lnk = C:\Program Files\eEye Digital Security\Blink\blink.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O18 - Filter hijack: text/html - {72D50253-BE71-4c85-9B38-6331E5AD1499} - C:\Program Files\eEye Digital Security\Blink\IEMimeFilter.dll
O20 - AppInit_DLLs: svtjgp.dll
O21 - SSODL: ngwstxfd - {12349E4B-D50D-4AD6-BA5C-0D8BC2AA2657} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: eEye Blink Engine (blinksvc) - eEye Digital Security - C:\Program Files\eEye Digital Security\Blink\blinksvc.exe
O23 - Service: eEye Application Bus (eeyeevnt) - eEye Digital Security - C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6293 bytes
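To show what a log reviewer looks for in a HijackThis log like the one above, here is an added Python example (not part of this thread, HijackThis, or any tool named in it) that runs a few triage heuristics over lines copied from that log. The heuristics are the example author's own assumptions, not HijackThis rules: an IE proxy pointing at a public address, BHOs with no name or a GUID as their name, any AppInit_DLLs value, SSODL entries whose file is gone, and a DLL that appears both as a BHO and in AppInit_DLLs.

```python
import ipaddress
import re

# Constructed sample: a handful of lines copied from the HijackThis log in the
# first post, plus two benign lines (Spybot BHO, hkcmd Run entry) for contrast.
SAMPLE_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 76.176.120.172:3128",
    r"O2 - BHO: {72437242-e81f-1b18-b794-3fe5bfc25c91} - {19c52cfb-5ef3-497b-81b1-f18e24273427} - C:\WINDOWS\system32\svtjgp.dll",
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O2 - BHO: (no name) - {AF9B00A9-DFA6-4925-9252-3316B5B69832} - C:\WINDOWS\system32\ljJDUnol.dll",
    r"O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe",
    r"O20 - AppInit_DLLs: svtjgp.dll",
    r"O21 - SSODL: ngwstxfd - {12349E4B-D50D-4AD6-BA5C-0D8BC2AA2657} - (no file)",
])

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def parse_entries(text):
    """Split a HijackThis log into (section code, body) pairs, skipping the
    header and the 'Running processes' block, which have no 'Rn - ' / 'On - ' prefix."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def proxy_is_external(value):
    """True when an IE ProxyServer value names a public IP address.
    Hostnames are left undecided (False) because this runs offline."""
    host = value.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(text):
    """Apply the heuristics described in the lead-in (assumptions of this
    example, not HijackThis rules) and return (section, message) findings."""
    findings = []
    bho_dlls = set()
    appinit_dlls = set()
    for code, body in parse_entries(text):
        if code == "R1" and "ProxyServer" in body:
            value = body.split("=", 1)[1].strip()
            if proxy_is_external(value):
                findings.append((code, "IE proxy set to a public address: " + value))
        elif code == "O2":
            # Layout of an O2 line: BHO: <name> - <CLSID> - <path>
            name, _clsid, path = [p.strip() for p in body[len("BHO:"):].split(" - ", 2)]
            if name == "(no name)" or GUID_RE.match(name):
                findings.append((code, "BHO with no real name loading " + path))
            if path != "(no file)":
                bho_dlls.add(basename(path))
        elif code == "O20":
            # AppInit_DLLs are injected into every process that loads user32.dll;
            # legitimate use on a home PC is rare, so any value is worth a look.
            for dll in body.split(":", 1)[1].split():
                findings.append((code, "AppInit_DLLs injects " + dll))
                appinit_dlls.add(dll.lower())
        elif code == "O21" and body.endswith("(no file)"):
            findings.append((code, "SSODL entry whose DLL is already gone: " + body))
    # A DLL registered as a BHO and pushed via AppInit_DLLs is a stronger signal
    # than either entry alone.
    for dll in sorted(bho_dlls & appinit_dlls):
        findings.append(("O2+O20", dll + " is loaded both as a BHO and via AppInit_DLLs"))
    return findings


if __name__ == "__main__":
    for section, message in triage(SAMPLE_LOG):
        print(f"[{section}] {message}")
```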


#2 Rodav

Posted 26 October 2008 - 05:42 PM

Hello davetz, and welcome to the Bleeping Computer forums.
I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research so please be patient while I work on your log and I will post back here with any recommendations.
  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.


#3 Rodav

Posted 26 October 2008 - 05:49 PM

You do indeed have Vundo; it can often be quite stubborn to remove.

Step 1:
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools, this is very important.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Step 2:
Run HijackThis, do a system scan and in your next reply please post:
  • The ComboFix report (C:\ComboFix.txt)
  • The new HijackThis log


#4 davetz

Posted 27 October 2008 - 12:51 PM

Ran ComboFix and HJT again as instructed.
Thank you so much for the help!
dave

CF and HJT logs below:



ComboFix 08-10-26.01 - David 2008-10-27 10:58:07.1 - NTFSx86
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\aehfgrsd.dll
C:\WINDOWS\system32\eaibybos.ini
C:\WINDOWS\system32\fbaegduj.ini
C:\WINDOWS\system32\gxnovacy.dll
C:\WINDOWS\system32\ibaevtuf.ini
C:\WINDOWS\system32\jeriov.dll
C:\WINDOWS\system32\kqxtgrhl.ini
C:\WINDOWS\system32\ljJDUnol.dll
C:\WINDOWS\system32\lonUDJjl.ini
C:\WINDOWS\system32\lonUDJjl.ini2
C:\WINDOWS\system32\lpblubud.ini
C:\WINDOWS\system32\svtjgp.dll
C:\WINDOWS\system32\vqlcolyo.ini
C:\WINDOWS\system32\winsusrm.dll
C:\WINDOWS\system32\wpyxiujo.dll
C:\WINDOWS\system32\xaipoh.dll
C:\WINDOWS\system32\ycavonxg.ini

.
((((((((((((((((((((((((( Files Created from 2008-09-27 to 2008-10-27 )))))))))))))))))))))))))))))))
.

2008-10-24 17:31 . 2008-10-24 17:31 95 --a------ C:\WINDOWS\wininit.ini
2008-10-24 15:03 . 2008-10-24 15:03 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-24 15:03 . 2008-10-24 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-24 09:07 . 2008-10-24 09:07 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-24 09:07 . 2008-10-24 09:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-24 09:06 . 2008-10-24 09:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-23 23:07 . 2008-10-23 23:07 <DIR> d-------- C:\VundoFix Backups
2008-10-23 22:43 . 2008-10-23 22:43 <DIR> d-------- C:\Program Files\eEye Digital Security
2008-10-23 22:43 . 2008-10-23 22:44 <DIR> d-------- C:\Program Files\Common Files\eEye Digital Security
2008-10-23 22:39 . 2008-10-23 22:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-10-23 21:42 . 2008-10-23 21:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Applications
2008-10-23 18:02 . 2008-10-23 18:01 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-10-23 18:01 . 2008-10-23 21:09 <DIR> d-------- C:\Documents and Settings\David\.housecall6.6
2008-10-20 14:20 . 2008-10-20 14:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-10-20 14:10 . 2008-10-20 14:10 92,016 --a------ C:\WINDOWS\system32\drivers\eeyeh.sys
2008-10-20 14:10 . 2008-10-20 14:10 70,000 --a------ C:\WINDOWS\system32\drivers\eeyet.sys
2008-10-20 14:10 . 2008-10-20 14:10 52,592 --a------ C:\WINDOWS\system32\drivers\eeyen.sys
2008-10-20 13:50 . 2008-10-20 13:50 20,448 --a------ C:\WINDOWS\system32\drivers\Ndiskio.sys
2008-10-20 10:01 . 2008-10-20 10:01 <DIR> d-------- C:\Documents and Settings\David\Application Data\Home Designer Suite 8.0
2008-10-20 10:00 . 2006-04-30 21:10 102,400 --a------ C:\WINDOWS\system32\tsccvid.dll
2008-10-20 09:23 . 2008-10-22 22:22 <DIR> d-------- C:\Program Files\Chief Architect Inc
2008-10-18 15:25 . 2008-10-18 15:25 <DIR> d-------- C:\Program Files\WMP Codecs
2008-10-18 03:57 . 2008-10-18 03:57 <DIR> d-------- C:\Program Files\Rainbow Technologies
2008-10-18 03:55 . 1996-01-11 23:00 722,192 -ra------ C:\WINDOWS\system32\VB40032.DLL
2008-10-18 03:55 . 1998-06-17 18:08 57,344 --a------ C:\WINDOWS\system32\Mfc42loc.dll
2008-10-18 03:54 . 2008-10-18 04:11 <DIR> d-------- C:\Program Files\autokitchen
2008-10-17 15:53 . 2008-10-17 15:53 <DIR> d-------- C:\Documents and Settings\David\Application Data\DivX
2008-10-17 15:45 . 2008-10-17 15:45 <DIR> d-------- C:\Program Files\DivX
2008-10-17 09:34 . 2008-10-17 09:34 1,049,968 --a------ C:\WINDOWS\system32\elic.dll
2008-10-09 14:21 . 2008-10-09 14:21 284,016 --a------ C:\WINDOWS\system32\DebugRpt.dll
2008-10-09 14:21 . 2008-10-09 14:21 193,904 --a------ C:\WINDOWS\system32\LocalStorage.dll
2008-10-09 14:19 . 2008-10-09 14:19 119,296 --a------ C:\WINDOWS\system32\zlibwapi.dll
2008-10-09 14:19 . 2008-10-09 14:19 119,296 --a------ C:\WINDOWS\system32\zlib.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-27 16:07 1,893 ----a-w C:\WINDOWS\bcmwltrytmp.reg
2008-10-23 03:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-22 13:03 --------- d-----w C:\Program Files\Steam
2008-10-22 12:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\TrackMania
2008-10-20 19:03 2,634 ----a-w C:\WINDOWS\system32\tmp.reg
2008-10-20 15:52 --------- d-----w C:\Documents and Settings\David\Application Data\Azureus
2008-10-20 12:55 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-10-18 19:37 --------- d-----w C:\Program Files\The Rosetta Stone
2008-10-16 13:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-10-10 13:58 82,944 ----a-w C:\WINDOWS\system32\o4Patch.exe
2008-10-10 13:58 82,944 ----a-w C:\WINDOWS\system32\IEDFix.C.exe
2008-10-01 20:51 87,552 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-09-16 00:14 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-09-16 00:14 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-09-16 00:12 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-09-16 00:12 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-09-16 00:12 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-09-16 00:12 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-09-16 00:12 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-09-16 00:12 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-09-16 00:12 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-09-16 00:12 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-09-16 00:12 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-09-16 00:12 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-09-16 00:11 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-09-16 00:11 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-09-16 00:11 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-09-16 00:11 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-09-16 00:11 683,520 ----a-w C:\WINDOWS\system32\DivX.dll
2008-09-16 00:11 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-09-16 00:11 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-09 04:38 88,576 ----a-w C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-09-05 01:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\PictureMover
2008-08-29 01:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-26 23:26 99,728 ----a-w C:\WINDOWS\system32\seccommutil.dll
2008-08-26 23:26 333,240 ----a-w C:\WINDOWS\system32\seccomm.dll
2008-08-26 23:26 308,696 ----a-w C:\WINDOWS\system32\EMSAgent.dll
2008-08-26 23:26 251,328 ----a-w C:\WINDOWS\system32\FileStore.dll
2008-08-26 23:26 210,320 ----a-w C:\WINDOWS\system32\eEyePKI.dll
2008-08-26 23:26 202,136 ----a-w C:\WINDOWS\system32\eevtc.dll
2008-08-26 23:26 181,632 ----a-w C:\WINDOWS\system32\DeploySupport.dll
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-18 17:19 82,432 ----a-w C:\WINDOWS\system32\404Fix.exe
2008-08-14 10:00 2,180,352 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:22 2,057,728 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-02-25 118784]
"ZCfgSvc.exe"="C:\WINDOWS\system32\ZCfgSvc.exe" [2005-07-05 639040]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-06-27 135168]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 1347584]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 176128]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Blink.lnk - C:\Program Files\eEye Digital Security\Blink\blink.exe [2008-10-20 578968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2005-07-05 04:33 188482 C:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=xaipoh.dll jeriov.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PictureMover.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PictureMover.lnk
backup=C:\WINDOWS\pss\PictureMover.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a--c--- 2004-02-25 18:42 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j2 4.2]
--a------ 2006-07-14 15:03 107008 C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-14 07:22 1410296 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Microsoft Office 2007\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office 2007\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=
"C:\\Program Files\\Common Files\\eEye Digital Security\\Application Bus\\eeyeevnt.exe"=

R0 eeyen;eEye NDIS driver;C:\WINDOWS\system32\Drivers\eeyen.sys [2008-10-20 52592]
R1 eeyeh;eEye API driver;C:\WINDOWS\system32\Drivers\eeyeh.sys [2008-10-20 92016]
R1 eeyet;eEye TDI driver;C:\WINDOWS\system32\Drivers\eeyet.sys [2008-10-20 70000]
R2 blinksvc;eEye Blink Engine;C:\Program Files\eEye Digital Security\Blink\blinksvc.exe [2008-10-20 169416]
R2 ndiskio;eEye DirectDisk Access Driver;C:\WINDOWS\system32\Drivers\ndiskio.sys [2008-10-20 20448]
R3 GTICARD;GTICARD;C:\WINDOWS\system32\DRIVERS\gticard.sys [2003-10-23 76160]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2002-11-22 20096]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6ce34df-d19e-11dc-9609-009096c46ba3}]
\shell\play\command - C:\Program Files\VideoLAN\vlc.exe --started-from-file dvd:%1
.
- - - - ORPHANS REMOVED - - - -

BHO-{4D2FDB7A-2B7F-4D49-BA64-676B86F7BF0D} - (no file)
BHO-{AF9B00A9-DFA6-4925-9252-3316B5B69832} - (no file)
BHO-{E9E98F8B-7F57-4B6D-829A-5430CC9CF658} - C:\WINDOWS\system32\ljJDUnol.dll
ShellExecuteHooks-{A54E6E01-88D4-4F38-9EFF-7DA7CDAD2C2D} - (no file)
SSODL-ngwstxfd-{12349E4B-D50D-4AD6-BA5C-0D8BC2AA2657} - (no file)
MSConfigStartUp-DAEMON Tools Lite - C:\Program Files\DAEMON Tools Lite\daemon.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://crewtrac.flypinnacle.com/
R1 -: HKCU-Internet Settings,ProxyServer = 76.176.120.172:3128
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O18 -: Filter: text/html - {72D50253-BE71-4c85-9B38-6331E5AD1499} - C:\Program Files\eEye Digital Security\Blink\IEMimeFilter.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-27 11:07:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\eEye Digital Security\Blink\blinkrm.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Apoint\hidfind.exe
.
**************************************************************************
.
Completion time: 2008-10-27 11:14:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-27 16:14:32

Pre-Run: 7,889,743,872 bytes free
Post-Run: 8,180,596,736 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

221 --- E O F --- 2008-10-16 13:33:06






Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:54 AM, on 10/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://crewtrac.flypinnacle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 76.176.120.172:3128
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunOnce: [SpybotDeletingA741] command /c del "C:\WINDOWS\system32\sobybiae.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7543] cmd /c del "C:\WINDOWS\system32\sobybiae.dll_old"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB194] command /c del "C:\WINDOWS\system32\sobybiae.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5183] cmd /c del "C:\WINDOWS\system32\sobybiae.dll_old"
O4 - Global Startup: Blink.lnk = C:\Program Files\eEye Digital Security\Blink\blink.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: xaipoh.dll jeriov.dll
O21 - SSODL: ngwstxfd - {12349E4B-D50D-4AD6-BA5C-0D8BC2AA2657} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: eEye Blink Engine (blinksvc) - eEye Digital Security - C:\Program Files\eEye Digital Security\Blink\blinksvc.exe
O23 - Service: eEye Application Bus (eeyeevnt) - eEye Digital Security - C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5559 bytes

#5 Rodav

Posted 27 October 2008 - 04:16 PM

Hello Dave,

You seem to have posted to other forums looking for help: http://forums.techguy.org/malware-removal-...exe-attack.html

Please have this and any other topic you have open closed as it only wastes time for the helpers and can cause damage for you if you follow 2 different sets of instructions.


Step 1:
Spybot S&D's TeaTimer normally provides real-time protection from spyware; however, it may interfere with what we need to do. We will disable it until the machine is clean, when it can be re-enabled.

First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in the left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Don't forget to re-enable it, when your computer is clean.


Step 2:
Make sure all your security programs are disabled including your AV before doing the following:
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    C:\WINDOWS\bcmwltrytmp.reg
    C:\WINDOWS\system32\404Fix.exe
    C:\WINDOWS\system32\o4Patch.exe
    C:\WINDOWS\system32\VACFix.exe
    C:\WINDOWS\system32\IEDFix.C.exe
    
    Folder::
    C:\VundoFix Backups
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Step 3:
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 76.176.120.172:3128<<<<<<If you haven't purposely set this proxy
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O18 - Filter hijack: text/html - (no CLSID) - (no file)
    O20 - AppInit_DLLs: xaipoh.dll jeriov.dll
    O21 - SSODL: ngwstxfd - {12349E4B-D50D-4AD6-BA5C-0D8BC2AA2657} - (no file)


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application and Restart your computer.
Step 4:
Run HijackThis, do a system scan and in your next reply please post:
  • The ComboFix report (C:\ComboFix.txt)
  • The new HijackThis log
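The four HijackThis entries singled out for "Fix Checked" above share recognisable shapes: a proxy set in Internet Settings, a MIME filter with no file behind it, a populated AppInit_DLLs value, and an SSODL entry pointing at a missing file. The following Python script is an added example (not part of this thread and not a HijackThis feature) that parses lines in HijackThis log format and flags exactly those shapes; the sample lines are constructed from the log posted in this thread, and the rules are review heuristics, not a verdict.

```python
import re

# Constructed sample in HijackThis log format. The entries come from the
# log posted in this thread: the first, fourth, fifth and sixth are the ones
# the helper asked to be fixed; the others are ordinary benign entries.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 76.176.120.172:3128
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: xaipoh.dll jeriov.dll
O21 - SSODL: ngwstxfd - {12349E4B-D50D-4AD6-BA5C-0D8BC2AA2657} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
"""

# Every HijackThis entry starts with a section code (R0/R1, F0/F1, O1-O24)
# followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")


def parse_entry(line):
    """Split one log line into (section, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def triage_entry(line):
    """Return a reason string if the entry matches a review rule, else None.

    The rules encode what the helper singled out in this thread; they are a
    starting point for a human review, not an automatic fix list.
    """
    parsed = parse_entry(line)
    if parsed is None:
        return None
    section, body = parsed

    # R1 with a ProxyServer value: IE traffic is routed through that host.
    # Legitimate if the user set it on purpose, otherwise a classic hijack.
    if section == "R1" and ",ProxyServer =" in body:
        proxy = body.split("=", 1)[1].strip()
        return "proxy configured (%s); confirm it was set deliberately" % proxy

    # O18 MIME filter with no backing file: a leftover registration that
    # serves no purpose and is typically the remnant of a hijacker.
    if section == "O18" and body.startswith("Filter hijack:") and "(no file)" in body:
        mime = body.split(":", 1)[1].split(" - ")[0].strip()
        return "MIME filter registered for %s with no file behind it" % mime

    # O20 AppInit_DLLs: anything listed here is loaded into every process
    # that loads user32.dll. The value is normally empty on a clean XP box.
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body.split(":", 1)[1].split()
        if dlls:
            return "AppInit_DLLs populated: %s" % ", ".join(dlls)

    # O21 ShellServiceObjectDelayLoad pointing at a missing file: Explorer
    # tries to load it at logon; random-looking names like this one are
    # typical of Virtumonde/Vundo leftovers.
    if section == "O21" and body.startswith("SSODL:") and "(no file)" in body:
        name = body.split(":", 1)[1].split(" - ")[0].strip()
        return "SSODL entry %s points to a missing file" % name

    return None


def triage_log(text):
    """Return [(section, reason)] for every entry that triggered a rule."""
    flagged = []
    for line in text.splitlines():
        reason = triage_entry(line)
        if reason is not None:
            flagged.append((parse_entry(line)[0], reason))
    return flagged


if __name__ == "__main__":
    for section, reason in triage_log(SAMPLE_HJT_LOG):
        print(section, "-", reason)
```

Run against the sample, the script flags the R1, O18, O20 and O21 lines and leaves the BHO, Run and Service entries alone; an `O20 - AppInit_DLLs:` line with nothing after the colon is not flagged, which is the expected clean state.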


#6 davetz

davetz
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:47 PM

Posted 27 October 2008 - 10:53 PM

Rodav-Thanks again. How can I repay you?
I will not use any instructions other than yours, I was just looking for a response initially but I am only using yours since you have responded so promptly. Thanks!

Did as instructed, here are new CF and HJT logs: (as of 10-28-08, 2300hrs cst)


ComboFix 08-10-27.02 - David 2008-10-27 22:22:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.513 [GMT -5:00]
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\bcmwltrytmp.reg
C:\WINDOWS\system32\404Fix.exe
C:\WINDOWS\system32\IEDFix.C.exe
C:\WINDOWS\system32\o4Patch.exe
C:\WINDOWS\system32\VACFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\system32\404Fix.exe
C:\WINDOWS\system32\IEDFix.C.exe
C:\WINDOWS\system32\o4Patch.exe
C:\WINDOWS\system32\VACFix.exe
C:\WINDOWS\system32\winsusrm.dll

.
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-28 )))))))))))))))))))))))))))))))
.

2008-10-24 17:31 . 2008-10-24 17:31 95 --a------ C:\WINDOWS\wininit.ini
2008-10-24 15:03 . 2008-10-24 15:03 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-24 15:03 . 2008-10-24 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-24 09:07 . 2008-10-24 09:07 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-24 09:07 . 2008-10-24 09:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-24 09:06 . 2008-10-24 09:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-23 22:43 . 2008-10-23 22:43 <DIR> d-------- C:\Program Files\eEye Digital Security
2008-10-23 22:43 . 2008-10-23 22:44 <DIR> d-------- C:\Program Files\Common Files\eEye Digital Security
2008-10-23 22:39 . 2008-10-23 22:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-10-23 21:42 . 2008-10-23 21:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Applications
2008-10-23 18:02 . 2008-10-23 18:01 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-10-23 18:01 . 2008-10-23 21:09 <DIR> d-------- C:\Documents and Settings\David\.housecall6.6
2008-10-20 14:20 . 2008-10-20 14:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-10-20 14:10 . 2008-10-20 14:10 92,016 --a------ C:\WINDOWS\system32\drivers\eeyeh.sys
2008-10-20 14:10 . 2008-10-20 14:10 70,000 --a------ C:\WINDOWS\system32\drivers\eeyet.sys
2008-10-20 14:10 . 2008-10-20 14:10 52,592 --a------ C:\WINDOWS\system32\drivers\eeyen.sys
2008-10-20 14:00 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-10-20 14:00 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-10-20 14:00 . 2008-09-08 23:38 88,576 --a------ C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-10-20 14:00 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-10-20 14:00 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-10-20 14:00 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-10-20 14:00 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-10-20 14:00 . 2008-10-20 14:03 2,634 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-20 13:50 . 2008-10-20 13:50 20,448 --a------ C:\WINDOWS\system32\drivers\Ndiskio.sys
2008-10-20 10:01 . 2008-10-20 10:01 <DIR> d-------- C:\Documents and Settings\David\Application Data\Home Designer Suite 8.0
2008-10-20 10:00 . 2006-04-30 21:10 102,400 --a------ C:\WINDOWS\system32\tsccvid.dll
2008-10-20 09:23 . 2008-10-22 22:22 <DIR> d-------- C:\Program Files\Chief Architect Inc
2008-10-18 15:25 . 2008-10-18 15:25 <DIR> d-------- C:\Program Files\WMP Codecs
2008-10-18 03:57 . 2008-10-18 03:57 <DIR> d-------- C:\Program Files\Rainbow Technologies
2008-10-18 03:55 . 1996-01-11 23:00 722,192 -ra------ C:\WINDOWS\system32\VB40032.DLL
2008-10-18 03:55 . 1998-06-17 18:08 57,344 --a------ C:\WINDOWS\system32\Mfc42loc.dll
2008-10-18 03:54 . 2008-10-18 04:11 <DIR> d-------- C:\Program Files\autokitchen
2008-10-17 15:53 . 2008-10-17 15:53 <DIR> d-------- C:\Documents and Settings\David\Application Data\DivX
2008-10-17 15:45 . 2008-10-17 15:45 <DIR> d-------- C:\Program Files\DivX
2008-10-17 09:34 . 2008-10-17 09:34 1,049,968 --a------ C:\WINDOWS\system32\elic.dll
2008-10-09 14:21 . 2008-10-09 14:21 284,016 --a------ C:\WINDOWS\system32\DebugRpt.dll
2008-10-09 14:21 . 2008-10-09 14:21 193,904 --a------ C:\WINDOWS\system32\LocalStorage.dll
2008-10-09 14:19 . 2008-10-09 14:19 119,296 --a------ C:\WINDOWS\system32\zlibwapi.dll
2008-10-09 14:19 . 2008-10-09 14:19 119,296 --a------ C:\WINDOWS\system32\zlib.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-23 03:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-22 13:03 --------- d-----w C:\Program Files\Steam
2008-10-22 12:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\TrackMania
2008-10-20 15:52 --------- d-----w C:\Documents and Settings\David\Application Data\Azureus
2008-10-20 12:55 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-10-18 19:37 --------- d-----w C:\Program Files\The Rosetta Stone
2008-10-16 13:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-16 00:14 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-09-16 00:14 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-09-16 00:12 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-09-16 00:12 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-09-16 00:12 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-09-16 00:12 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-09-16 00:12 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-09-16 00:12 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-09-16 00:12 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-09-16 00:12 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-09-16 00:12 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-09-16 00:12 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-09-16 00:11 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-09-16 00:11 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-09-16 00:11 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-09-16 00:11 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-09-16 00:11 683,520 ----a-w C:\WINDOWS\system32\DivX.dll
2008-09-16 00:11 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-09-16 00:11 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-05 01:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\PictureMover
2008-08-29 01:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-26 23:26 99,728 ----a-w C:\WINDOWS\system32\seccommutil.dll
2008-08-26 23:26 333,240 ----a-w C:\WINDOWS\system32\seccomm.dll
2008-08-26 23:26 308,696 ----a-w C:\WINDOWS\system32\EMSAgent.dll
2008-08-26 23:26 251,328 ----a-w C:\WINDOWS\system32\FileStore.dll
2008-08-26 23:26 210,320 ----a-w C:\WINDOWS\system32\eEyePKI.dll
2008-08-26 23:26 202,136 ----a-w C:\WINDOWS\system32\eevtc.dll
2008-08-26 23:26 181,632 ----a-w C:\WINDOWS\system32\DeploySupport.dll
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:00 2,180,352 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:22 2,057,728 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((( snapshot@2008-10-27_11.14.03.29 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-02-25 118784]
"ZCfgSvc.exe"="C:\WINDOWS\system32\ZCfgSvc.exe" [2005-07-05 639040]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-06-27 135168]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 1347584]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 176128]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Blink.lnk - C:\Program Files\eEye Digital Security\Blink\blink.exe [2008-10-20 578968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2005-07-05 04:33 188482 C:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=xaipoh.dll jeriov.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PictureMover.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PictureMover.lnk
backup=C:\WINDOWS\pss\PictureMover.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a--c--- 2004-02-25 18:42 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j2 4.2]
--a------ 2006-07-14 15:03 107008 C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-14 07:22 1410296 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Microsoft Office 2007\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office 2007\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=
"C:\\Program Files\\Common Files\\eEye Digital Security\\Application Bus\\eeyeevnt.exe"=

R0 eeyen;eEye NDIS driver;C:\WINDOWS\system32\Drivers\eeyen.sys [2008-10-20 52592]
R1 eeyeh;eEye API driver;C:\WINDOWS\system32\Drivers\eeyeh.sys [2008-10-20 92016]
R1 eeyet;eEye TDI driver;C:\WINDOWS\system32\Drivers\eeyet.sys [2008-10-20 70000]
R2 ndiskio;eEye DirectDisk Access Driver;C:\WINDOWS\system32\Drivers\ndiskio.sys [2008-10-20 20448]
R3 GTICARD;GTICARD;C:\WINDOWS\system32\DRIVERS\gticard.sys [2003-10-23 76160]
S2 blinksvc;eEye Blink Engine;C:\Program Files\eEye Digital Security\Blink\blinksvc.exe [2008-10-20 169416]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2002-11-22 20096]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6ce34df-d19e-11dc-9609-009096c46ba3}]
\shell\play\command - C:\Program Files\VideoLAN\vlc.exe --started-from-file dvd:%1
.
- - - - ORPHANS REMOVED - - - -

SSODL-ngwstxfd-{12349E4B-D50D-4AD6-BA5C-0D8BC2AA2657} - (no file)



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-27 22:27:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-27 22:28:50
ComboFix-quarantined-files.txt 2008-10-28 03:28:46
ComboFix2.txt 2008-10-27 16:14:39

Pre-Run: 8,233,902,080 bytes free
Post-Run: 8,221,151,232 bytes free

184 --- E O F --- 2008-10-16 13:33:06







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:24 PM, on 10/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://crewtrac.flypinnacle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Blink.lnk = C:\Program Files\eEye Digital Security\Blink\blink.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: eEye Blink Engine (blinksvc) - eEye Digital Security - C:\Program Files\eEye Digital Security\Blink\blinksvc.exe
O23 - Service: eEye Application Bus (eeyeevnt) - eEye Digital Security - C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4669 bytes

#7 Rodav

Rodav

  • Members
  • 388 posts
  • OFFLINE
  •  
  • Local time:03:47 AM

Posted 28 October 2008 - 03:04 PM

No need to repay me, a simple thank you is more than enough. :thumbsup:
You may like to offer a donation to the site where I was trained to remove malware, but again there's no obligation.
http://www.malwareremoval.com/donations.php

Things are looking good, how is the computer running?

Step 1:
Older versions of Java have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components.
  • Close any programs you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel > Add/Remove Programs.
  • Check any item with Java Runtime Environment, JRE, J2SE, or Java Webstart in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove all installed versions of Java.
  • Reboot your computer once all Java components are removed.
Then download the latest version of Java Runtime Environment(JRE) and install it to your computer.


Step 2:
Run Eset NOD32 Online AntiVirus
http://www.eset.eu/online-scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post along with a new HijackThis log.


#8 davetz

davetz
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:47 PM

Posted 29 October 2008 - 08:16 AM

Thanks again Rodav-
I will gladly contribute. You are a volunteer, not an employee, right? What does the money go towards?
Two other quick questions: any recommendations on best AV software? Free or not, just something that will not slow my computer too much when running but will provide good security? Also, is there a forum you know of or some software or other resource which will analyze the processes running on my computer? It seems since we've tackled this virus, the machine is running much better, but I am still thinking it might have way too much stuff running at startup/in the background. Thanks again!
dave

ESET and HJT logs follow:



ESET logfile:
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3564 (20081028)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=86f32dc860e20f40a3087403d87c1052
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-10-29 04:50:31
# local_time=2008-10-28 11:50:31 (-0600, Central Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=187058
# found=21
# scan_time=4665
C:\Program Files\Common Files\eEye Digital Security\SyncIt\SyncItSvc.exe probably unknown NewHeur_PE virus 00000000000000000000000000000000
C:\Program Files\eEye Digital Security\Blink\blink.exe probably unknown NewHeur_PE virus 00000000000000000000000000000000
C:\Program Files\eEye Digital Security\Blink\BlinkAVScan.exe probably unknown NewHeur_PE virus 00000000000000000000000000000000
C:\Program Files\eEye Digital Security\Blink\blinkrm.exe probably unknown NewHeur_PE virus 00000000000000000000000000000000
C:\Program Files\eEye Digital Security\Blink\blinksvc.exe probably unknown NewHeur_PE virus 00000000000000000000000000000000
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C93592-87F5CEC0-0-Vundo%2Egen253.QRN Win32/Adware.Virtumonde application 46B8BF44833A691EE67A4B2E38FC7427
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C93592-87F5CEC0-0-Vundo%2Egen253.QRN »ZIP »files/C/System Volume Information/_restore{AE80271B-4BB0-4D63-AF2D-44A50D024F5F}/RP99/A0017454%2Edll Win32/Adware.Virtumonde application 00000000000000000000000000000000
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C93616-0506D530-0-Vundo%2Egen253.BAK Win32/Adware.Virtumonde application 7D7B340CAABB91F25C41CFD11721CCE3
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C93616-0506D530-0-Vundo%2Egen253.BAK »ZIP »files/C/System Volume Information/_restore{AE80271B-4BB0-4D63-AF2D-44A50D024F5F}/RP99/A0017455%2Edll Win32/Adware.Virtumonde application 00000000000000000000000000000000
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C9362C-77EC29E0-0-Vundo%2Egen253.BAK Win32/Adware.Virtumonde application CA0F7D690BB521241F893EE915582139
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C9362C-77EC29E0-0-Vundo%2Egen253.BAK »ZIP »files/C/System Volume Information/_restore{AE80271B-4BB0-4D63-AF2D-44A50D024F5F}/RP99/A0017456%2Edll Win32/Adware.Virtumonde application 00000000000000000000000000000000
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C93638-DF794570-0-Vundo%2Egen253.BAK Win32/Adware.Virtumonde application C46F31D7F7C7DA1B50F0D15101ABD290
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C93638-DF794570-0-Vundo%2Egen253.BAK »ZIP »files/C/System Volume Information/_restore{AE80271B-4BB0-4D63-AF2D-44A50D024F5F}/RP99/A0017473%2Edll Win32/Adware.Virtumonde application 00000000000000000000000000000000
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C9384C-CF8DF4D0-0-EICAR_Test_file_not_a_virus!.BAK Eicar test file D2C40F42CC22789F487BB611B97F2EA7
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C9384C-CF8DF4D0-0-EICAR_Test_file_not_a_virus!.BAK »ZIP »files/C/DOCUME~1/David/LOCALS~1/Temp/Av-test%2Etxt Eicar test file 00000000000000000000000000000000
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C9386B-B137F070-0-W32%2FVirtumonde%2EABKW.BAK Win32/Adware.Vapsup.AP application 102F9AD79A1ED2964F6A5FE15BEDAA60
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C9386B-B137F070-0-W32%2FVirtumonde%2EABKW.BAK »ZIP »files/C/System Volume Information/_restore{AE80271B-4BB0-4D63-AF2D-44A50D024F5F}/RP97/A0016328%2Edll Win32/Adware.Vapsup.AP application 00000000000000000000000000000000
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C9386B-B1DCF8B0-0-W32%2FVirtumonde%2EABKX.BAK Win32/Adware.Vapsup application 16D76713CC9F7120E6E3EA91211F1B53
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C9386B-B1DCF8B0-0-W32%2FVirtumonde%2EABKX.BAK »ZIP »files/C/System Volume Information/_restore{AE80271B-4BB0-4D63-AF2D-44A50D024F5F}/RP97/A0016329%2Edll Win32/Adware.Vapsup application 00000000000000000000000000000000
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C9386B-B2774EA0-0-W32%2FVirtumonde%2EABKX.BAK Win32/Adware.Vapsup application B11094A3D90A49FB9E516EB58BB4AF9C
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C9386B-B2774EA0-0-W32%2FVirtumonde%2EABKX.BAK »ZIP »files/C/System Volume Information/_restore{AE80271B-4BB0-4D63-AF2D-44A50D024F5F}/RP97/A0016330%2Edll Win32/Adware.Vapsup application 00000000000000000000000000000000






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:29 PM, on 10/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://crewtrac.flypinnacle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Blink.lnk = C:\Program Files\eEye Digital Security\Blink\blink.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: eEye Blink Engine (blinksvc) - eEye Digital Security - C:\Program Files\eEye Digital Security\Blink\blinksvc.exe
O23 - Service: eEye Application Bus (eeyeevnt) - eEye Digital Security - C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4528 bytes

#9 Rodav

Rodav

  • Members
  • 388 posts
  • OFFLINE
  • Local time:03:47 AM

Posted 29 October 2008 - 03:08 PM

Hi Dave,

Yes, I am a volunteer, as is everybody else at that site. Nobody is employed or earns a penny from it. Any money made through donations goes solely to the hosting costs for the site; if there is any excess money made in a month beyond what covers the hosting costs (I'm fairly certain this has never happened), then the money will be distributed among the people who develop the specialist freeware tools that remove infections that we use in these forums.

NOD32 is a good AV which is quite light on resources although it seems to have wrongly flagged your version of eEye. It doesn't have a free version. A good free AV which is reasonably light is Antivir. Both have excellent detection rates. I will leave some other recommendations later on in this post.

You can use http://www.processlibrary.com/ to check your running processes and http://www.bleepingcomputer.com/startups/ to check your startups. You can always ask at the forums here at BC if you are unsure of any process or with any other questions. You might like to uninstall Ad-Aware as it has a service running constantly that is of no benefit at all. This is a good resource if your PC is slow: http://users.telenet.be/bluepatchy/miekiem...owcomputer.html


Step 1:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK.
  • Note the space between the X and the U, it needs to be there.
You can also delete any logs we have produced, and empty your Recycle bin. You can also empty the quarantine from eEye.


Your logs are now clean. :thumbsup:
If you still feel you are having any issues please let me know now, otherwise read through the following:


Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints. You need to be registered to post, as unfortunately we were hit with too many spam postings to allow guest posting to continue. Just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
  • Download and install an antivirus program, and make sure that you keep it updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software
    Two good antivirus programs free for non-commercial home use are Avast and Antivir
    Two good paid for antivirus programs are NOD32 and Kaspersky
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection level. It may also impair the performance of your PC.
  • Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • Install a Hosts File
    I recommend MVPS Hosts File
    Every version of Windows includes a hosts file. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human-friendly name of a website. This feature can be used to block malicious websites
    On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here
  • Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program. If you want to help the developer of the program and get more information about the programs that you see in WinPatrol, please check out WinPatrol Plus. It does not need a new download.
  • Install Malwarebytes & update and scan with it regularly
    Malwarebytes is a free for personal use on demand scanner which is developed by active members of the Malware Removal community. It detects and removes many modern infections. The paid version offers realtime protection.
  • The last and most important thing I can tell you is UPDATE, UPDATE, UPDATE.
    If you don't update your security programs (Antivirus, Antispyware, even Windows) then you are at risk.
    Malware changes on a day to day basis. You should update every week at the very least.
Miekiemoes, an expert in malware removal, has a fantastic article on how to prevent malware with further tips; it's well worth a read. http://users.telenet.be/bluepatchy/miekiem...prevention.html

Please reply to this topic one more time so I know you have read through it or with any questions you may have.
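The hosts-file mechanism described in the post above, as an added example that is not part of the original thread: a small Python parser for the hosts-file format that checks whether a name would be sinkholed locally before DNS is ever consulted. The sample file contents and hostnames are constructed for illustration, not taken from the MVPS list.

```python
"""Parse a Windows hosts file and show how its entries pre-empt DNS.

Added example, not from the forum thread. The hosts file is consulted
before DNS, so mapping a name to 0.0.0.0 (the MVPS convention) or
127.0.0.1 prevents the browser from ever reaching that site.
"""
import ipaddress

# Constructed sample in hosts-file syntax: "<address> <name> [more names]"
# with '#' starting a comment. The hostnames below are hypothetical.
SAMPLE_HOSTS = """\
# constructed comment line
127.0.0.1       localhost
::1             localhost

0.0.0.0  ads.example.invalid
0.0.0.0  tracker.example.invalid   www.tracker.example.invalid  # trailing comment
127.0.0.1 popups.example.invalid
this is not a valid line
127.0.0.1 localhost.localdomain  # duplicate name later in file is ignored
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain"}  # legitimately loopback


def parse_hosts(text):
    """Return {hostname_lowercase: address_string} from hosts-file text.

    Windows matches names case-insensitively and the first entry for a
    name wins, so later duplicates are left untouched.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: skip it rather than abort the parse
        for name in fields[1:]:
            mapping.setdefault(name.lower().rstrip("."), str(addr))
    return mapping


def is_blocked(hostname, mapping):
    """True if the hosts file sinkholes this name (loopback/unspecified)."""
    name = hostname.lower().rstrip(".")
    if name in LOCAL_NAMES or name not in mapping:
        return False
    addr = ipaddress.ip_address(mapping[name])
    return addr.is_loopback or addr.is_unspecified


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.invalid", "WWW.Tracker.example.invalid", "bleepingcomputer.com"):
        verdict = "blocked by hosts file" if is_blocked(name, hosts) else "resolved via DNS"
        print(f"{name}: {verdict}")
```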

#10 davetz

davetz
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:11:47 PM

Posted 29 October 2008 - 08:01 PM

Thanks again Rodav--
I really appreciate the help. I do have two more questions.. is there any way I can get in touch with you directly via email--specifically if I have a question about another machine that may be infected?
Also, my eEye Blink Personal AV software says it still detects an "FKWP" trojan on the system. Is that possible? Is this a real virus or just legit spyware software? Can we remove it?
Thanks again for all the help.. I am in the process of implementing the final changes you suggest.
dave

#11 Rodav

Rodav

  • Members
  • 388 posts
  • OFFLINE
  • Local time:03:47 AM

Posted 30 October 2008 - 02:43 PM

The best way to get help if you have another computer that may be infected is to start another topic and somebody will pick it up. I only take on logs when I have a bit of free time and I have been really busy with work recently so it would be pointless emailing me, I hope you can understand.

I'm hoping the FKWP infection eEye is flagging is a false positive; it certainly hasn't shown up so far. What is the path of the file? e.g. C:\WINDOWS\system32\something.exe

#12 davetz

davetz
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:11:47 PM

Posted 01 November 2008 - 08:34 PM

Rodav-
Thanks again. I think the last virus eEye was detecting was just something in a quarantine folder. All my best,
dave

#13 Rodav

Rodav

  • Members
  • 388 posts
  • OFFLINE
  • Local time:03:47 AM

Posted 02 November 2008 - 05:47 PM

Glad we could be of some assistance. :thumbsup:

Since this issue appears resolved ... this Topic is now closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
