Jump to content

Help with Trojan.Vundo


Recommended Posts

Hello all (and thanks in advance for any help)

So, I got this Trojan.Vundo virus and I can't get rid of it. I have pop-ups and such going on.

I had Norton AV running and it said it cleaned it up, but to no luck.

I ran the SpyBot S&D - it got rid of some things, but still not completely clean.

Here are some of the reports that the "how to" asks for:

Here's the mbam log:

****************************************************************

Malwarebytes' Anti-Malware 1.18

Database version: 895

11:23:29 PM 6/28/2008

mbam-log-6-28-2008 (23-23-29).txt

Scan type: Full Scan (C:\|)

Objects scanned: 126570

Time elapsed: 37 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

****************************************************************

From Pandasecurity.com I got this info:

Suspicious files (1)

C:\WINDOWS\SYSTEM32\LKNCSFUR.DLL

****************************************************************

And finally the hijackthis report is as follows:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:24:16 PM, on 6/28/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\drivers\trcboot.exe

C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE

C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\UPHClean\uphclean.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\Drivers\ldlcserv.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\Program Files\Apoint\ApMsgFwd.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe

c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

c:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe

c:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\admin\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.cybershift.net

O15 - Trusted Zone: http://*.nycboe.net

O15 - Trusted Zone: http://*.nycenet.edu

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205880193718

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205879976296

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab

O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Intel

Link to post
Share on other sites

  • Root Admin

Hello John and Welcome to Malewarebytes.

Before I help you, let me ask you a question.

Reviewing the information provided, this appears to be a Corporate work computer and not a personal home computer.

Normally most Companies have policies about working on computers and often have their own support people or an outside contractor that provides such help.

Now I can help you to fix this but just want to ensure that you're not going to be in trouble with work by you working on the computer doing this.

Link to post
Share on other sites

Hello John and Welcome to Malewarebytes.

Before I help you, let me ask you a question.

Reviewing the information provided, this appears to be a Corporate work computer and not a personal home computer.

Normally most Companies have policies about working on computers and often have their own support people or an outside contractor that provides such help.

Now I can help you to fix this but just want to ensure that you're not going to be in trouble with work by you working on the computer doing this.

Yes, the computer was provided by a company, but through a grant program. We have no real affiliation with the company (and can get no support through them), so no I can not/will not get in any trouble.

Thanks!

Link to post
Share on other sites

  • Root Admin

Please upload the file below to JOTTI Online malware scan

C:\WINDOWS\SYSTEM32\LKNCSFUR.DLL

If Jotti lists it as any type of Virus or Trojan Malware then delete that file.

If the system is now yours and you do not connect to New York City Department of Education then you should probably remove this entry which is designed to setup configuration options for Internet Explorer while on their Network.

http://proxy.nycboe.org/proxy.pac

You alos have these Trusted Sites which are okay but if not used anymore can be removed as well

O15 - Trusted Zone: http://*.cybershift.net

O15 - Trusted Zone: http://*.nycboe.net

O15 - Trusted Zone: http://*.nycenet.edu

To remove any you can start HJT and do a Scan Only and place a check mark on those you want to remove.

Start your Malwarebytes program and go to the UPDATE tab and update to the new version of MB and then do a Quick Scan

If anything is found let MB remove and quarantine it.

Then run another HJT scan and post back those 2 logs as well as what was found from the JOTTI site above.

Link to post
Share on other sites

Start your Malwarebytes program and go to the UPDATE tab and update to the new version of MB and then do a Quick Scan

If anything is found let MB remove and quarantine it.

Then run another HJT scan and post back those 2 logs as well as what was found from the JOTTI site above.

Okay, uploaded the file to JOTTI ... it had a virus, so I deleted it. Updated MB and ran it, it found 2 things which I deleted.

Here are the logs:

***************************************************************

JOTTI Log:

File: lkncsfur.dll

Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

MD5: 452e744c536910287550622a84bba2a2

Packers detected: -

Scanner results

Scan taken on 29 Jun 2008 20:45:07 (GMT)

A-Squared Found nothing

AntiVir Found TR/Monder.WF.1

ArcaVir Found nothing

Avast Found Win32:Trojan-gen {Other}

AVG Antivirus Found Generic10.ATLS

BitDefender Found Trojan.Vundo.EWZ

ClamAV Found nothing

CPsecure Found nothing

Dr.Web Found Trojan.Virtumod.based.16

F-Prot Antivirus Found nothing

F-Secure Anti-Virus Found Trojan.Win32.Monder.wf

Fortinet Found Virtum!tr

Ikarus Found Trojan.Win32.Vundo.N

Kaspersky Anti-Virus Found Trojan.Win32.Monder.wf

NOD32 Found nothing

Norman Virus Control Found Vundo.gen192

Panda Antivirus Found nothing

Sophos Antivirus Found Troj/Virtum-Gen

VirusBuster Found nothing

VBA32 Found nothing

***************************************************************

***************************************************************

MB Log:

Malwarebytes' Anti-Malware 1.19

Database version: 904

Windows 5.1.2600 Service Pack 3

5:00:34 PM 6/29/2008

mbam-log-6-29-2008 (17-00-34).txt

Scan type: Quick Scan

Objects scanned: 49586

Time elapsed: 9 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\DBMO5ZG2\p[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.

***************************************************************

***************************************************************

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:01:11 PM, on 6/29/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\drivers\trcboot.exe

C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE

C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\UPHClean\uphclean.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\WINDOWS\system32\Drivers\ldlcserv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\Program Files\Apoint\ApMsgFwd.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe

c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

c:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe

c:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe

C:\Documents and Settings\admin\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: {48f72a07-8a76-c3cb-9134-9fa4b5816476} - {6746185b-4af9-4319-bc3c-67a870a27f84} - C:\WINDOWS\system32\lkncsfur.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')

O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')

O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')

O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')

O4 - .DEFAULT User Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')

O4 - .DEFAULT User Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')

O4 - Global Startup: Bluetooth Manager.lnk = ?

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll

O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205880193718

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205879976296

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab

O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: ldlcserv - IBM Corporation - C:\WINDOWS\system32\Drivers\ldlcserv.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe

O23 - Service: SMART Mirror Driver Monitor Service - SMART Technologies Inc. - C:\Documents and Settings\admin\Application Data\SMART Technologies Inc\Bridgit\monitorservice.exe

O23 - Service: SMART Web Server - Unknown owner - C:\Program Files\SMART Technologies Inc\SMART Board Software\WebServer.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: TrcBoot - IBM Corporation - C:\WINDOWS\system32\drivers\trcboot.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--

End of file - 11832 bytes

***************************************************************

Thanks again for the help.

Link to post
Share on other sites

FWIW, the problems seem to be gone. No pop-ups, MB scan showed nothing. I am going to run full scans and SpyBot and then Norton scans to see if they find anything else. I'll let you know if I have any more problems.

Thanks again so much for the help in fixing this!

Link to post
Share on other sites

  • Root Admin

Sounds good.

Please run this tool to clean out unneeded temporary files on your system.

Download
CCleaner
from
here
to clean temp files from your computer.

  • Double click on the ccsetup.exe file to start the installation of the program.
  • Select your language and click
    OK
    , then
    next
    .

  • Read the license agreement and click
    I Agree
    .

  • Click
    next
    to use the default install location.

  • Under Install Options, choose all the default settings except
    I would recommend that you unclick/untick install the Yahoo! Toolbar, unless you want it. You can also Uncheck the 'Automatically check for updates' box.

  • Click
    Install
    then
    finish
    to complete installation.

  • Double click the
    CCleaner
    shortcut on the desktop to start the program.

  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).

  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.

  • Click on the "Options" icon at the left side of the window, then click on "Advanced."

    deselect
    "Only delete files in Windows Temp folders older than 48 hours."

  • Caution:
    It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
    Click on Issues and make sure Registry Integrity is UNchecked!

  • Click on the "Cleaner" icon on the left side of the window, then click
    Run Cleaner
    to run the program.

  • After
    CCleaner
    has completed its process, click
    Exit.

Then update MB and do another Quick Scan again and post back those results please.

Link to post
Share on other sites

I ran CCleaner --- cleaned out about a gig of stuff....

ran MB again, no malware found, here's the log:

Thanks again!!!

Malwarebytes' Anti-Malware 1.19

Database version: 904

Windows 5.1.2600 Service Pack 3

6:59:21 PM 6/29/2008

mbam-log-6-29-2008 (18-59-21).txt

Scan type: Quick Scan

Objects scanned: 45901

Time elapsed: 4 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

  • Root Admin

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.

  • Click the System Restore tab.

  • Check Turn off System Restore.

  • Click Apply, and then click OK.

  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.

  • Click the System Restore tab.

  • UN-Check *Turn off System Restore*.

  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy 1.5.2

Download it from
here
. Just choose a mirror and off you go.

Find here the tutorial on how to use Spybot properly
here

Install SpyWare Blaster 4.1

Download it from
here

Find here the tutorial on how to use Spyware Blaster
here

Install WinPatrol

Download it from
here

Here you can find information about how WinPatrol works
here

Install FireTrust SiteHound

You can find information and download it from
here

Install MVPS Hosts File

from here

The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.

You can find a tutorial here :
http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Visit Microsoft often to get the latest updates for your computer.

The windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must. If you're not running one from Symantec already I recommend
Online Armor Free

A little outdated but good reading on

how to prevent Malware

Keep safe online and happy surfing.

Since this issue is resolved I will soon close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you
Fully Understand

how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting
Pre- HJT Post Instructions

Also don't forget that we offer
FREE
assistance with General PC questions and repair here
PC Help

If you're pleased with the product
Malwarebytes
and the service provided you, please let your friends, family, and co-workers know.
http://www.malwarebytes.org

.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.