Sign in to follow this  
Skiegh

Difficulty removing some trojans.

Recommended Posts

I've had a hell of a time trying to remove these three trojans but despite deleting them manually, through hijack this, bitdefender and malwarebytes, none of them have worked. They are always there. Though bit defender didn't even detect them on a full scan.

Very soon after even starting firefox I start getting pop ups and after running another quick scan through Malwarebytes I find that I have a lot more than just 3 but they all seem to be deleted fairly easily.

Anyways, I would greatly appreciate help on this as I hate virus related issues. (I am much more competent with hardware issues or uhh, no issues at all)

Malwarebytes log:

Malwarebytes' Anti-Malware 1.31

Database version: 1516

Windows 5.1.2600 Service Pack 2

12/18/2008 3:30:57 PM

mbam-log-2008-12-18 (15-30-57).txt

Scan type: Quick Scan

Objects scanned: 46106

Time elapsed: 5 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1bde1112-9e2d-48a5-b85c-3f2a1f3ef3d2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{1bde1112-9e2d-48a5-b85c-3f2a1f3ef3d2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hojirudeni (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\urqPghhg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

HiJack This log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:31:37 PM, on 12/18/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\dlcgcoms.exe

C:\Program Files\PCI Latency Tool 3\LtcyCfgSvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O1 - Hosts: 75.125.96.162 nprotect.lineage2.com

O1 - Hosts: 75.125.96.162 l2testauthd.lineage2.com

O1 - Hosts: 75.125.96.162 l2authd.lineage2.com

O1 - Hosts: 216.107.250.194 nprotect.lineage2.com

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1bde1112-9e2d-48a5-b85c-3f2a1f3ef3d2} - C:\WINDOWS\system32\yovinumo.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe

O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"

O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"

O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [hojirudeni] Rundll32.exe "C:\WINDOWS\system32\pikekise.dll",s

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork

O4 - HKUS\S-1-5-19\..\Run: [hojirudeni] Rundll32.exe "C:\WINDOWS\system32\pikekise.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [hojirudeni] Rundll32.exe "C:\WINDOWS\system32\pikekise.dll",s (User 'NETWORK SERVICE')

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.amaena.com

O15 - Trusted Zone: *.antimalwareguard.com

O15 - Trusted Zone: *.antispyexpert.com

O15 - Trusted Zone: *.avsystemcare.com

O15 - Trusted Zone: *.gomyhit.com

O15 - Trusted Zone: *.imageservr.com

O15 - Trusted Zone: *.imagesrvr.com

O15 - Trusted Zone: *.onerateld.com

O15 - Trusted Zone: *.safetydownload.com

O15 - Trusted Zone: *.spyguardpro.com

O15 - Trusted Zone: *.storageguardsoft.com

O15 - Trusted Zone: *.trustedantivirus.com

O15 - Trusted Zone: *.virusremover2008.com

O15 - Trusted Zone: *.virusschlacht.com

O15 - Trusted Zone: *.amaena.com (HKLM)

O15 - Trusted Zone: *.antimalwareguard.com (HKLM)

O15 - Trusted Zone: *.antispyexpert.com (HKLM)

O15 - Trusted Zone: *.avsystemcare.com (HKLM)

O15 - Trusted Zone: *.gomyhit.com (HKLM)

O15 - Trusted Zone: *.imageservr.com (HKLM)

O15 - Trusted Zone: *.imagesrvr.com (HKLM)

O15 - Trusted Zone: *.onerateld.com (HKLM)

O15 - Trusted Zone: *.safetydownload.com (HKLM)

O15 - Trusted Zone: *.spyguardpro.com (HKLM)

O15 - Trusted Zone: *.storageguardsoft.com (HKLM)

O15 - Trusted Zone: *.trustedantivirus.com (HKLM)

O15 - Trusted Zone: *.virusremover2008.com (HKLM)

O15 - Trusted Zone: *.virusschlacht.com (HKLM)

O17 - HKLM\System\CCS\Services\Tcpip\..\{D109365A-DB63-44F6-A541-A6C066FFF379}: NameServer = 71.243.0.12,71.250.0.12

O20 - AppInit_DLLs: C:\WINDOWS\system32\kobizube.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

O23 - Service: PCI Latency Tool Service (LtcyCfgSvc) - Unknown owner - C:\Program Files\PCI Latency Tool 3\LtcyCfgSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--

End of file - 7865 bytes

Any help on this would be greatly appreciated, thanks in advance.

Share this post


Link to post
Share on other sites

I am getting some instructions ready for you , once we start the system must not be shut down or rebooted until I have said that it is OK .

Share this post


Link to post
Share on other sites

Ran both, one of which (Find I believe) seemed to get an error somewhat but it still created some files. If I need to try and get it to work I can but if what it provided is enough then here it is.

malware.zip

malware.zip

Share this post


Link to post
Share on other sites

never mind , looks like I have what I need

I will be back in less than 15 minutes with one more thing to do

Share this post


Link to post
Share on other sites

OK , update MBAM and then scan , remove and reboot .

Let me know if a scan after reboot is clean or not .

Share this post


Link to post
Share on other sites

Did as you said (Using quick scan, if you'd like I can do full) but the problem still persists.

I was expecting Bytes to prompt me for a removal upon reboot but it was never given but never the less I did reboot anyways.

This is most likely a given just from the information in the logs but I am continually given an error for a missing "pikekise.dll" which I imagine one of the trojans is trying to run. Still, they recreate themselves instantaneously after being deleted. (Or I assume so as the quarantine list shows them as quarantined-- yes I have deleted the list on numerous accounts)

Thanks for your speedy replies and assistance, by the way.

Share this post


Link to post
Share on other sites

While I check something try this . Open internet explorer first , minimize it and then do a scan .

You are right about asking for a reboot , it should be . We are looking into making changes in 1.32 to force this more often . Opening IE first might force load one of those dlls into a spot we are looking and force the reboot .

Either way I need a fresh HJT log and MBAM scan after you try this .

Share this post


Link to post
Share on other sites

I'm a firefox person myself but I used IE as you said and ran a scan.

MalwareBytes:

Malwarebytes' Anti-Malware 1.31

Database version: 1518

Windows 5.1.2600 Service Pack 2

12/18/2008 8:34:04 PM

mbam-log-2008-12-18 (20-34-04).txt

Scan type: Quick Scan

Objects scanned: 46324

Time elapsed: 1 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1bde1112-9e2d-48a5-b85c-3f2a1f3ef3d2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{1bde1112-9e2d-48a5-b85c-3f2a1f3ef3d2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hojirudeni (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HiJack This:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:34:40 PM, on 12/18/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\dlcgcoms.exe

C:\Program Files\PCI Latency Tool 3\LtcyCfgSvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O1 - Hosts: 75.125.96.162 nprotect.lineage2.com

O1 - Hosts: 75.125.96.162 l2testauthd.lineage2.com

O1 - Hosts: 75.125.96.162 l2authd.lineage2.com

O1 - Hosts: 216.107.250.194 nprotect.lineage2.com

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1bde1112-9e2d-48a5-b85c-3f2a1f3ef3d2} - C:\WINDOWS\system32\yovinumo.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe

O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"

O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"

O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [hojirudeni] Rundll32.exe "C:\WINDOWS\system32\pikekise.dll",s

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork

O4 - HKUS\S-1-5-19\..\Run: [hojirudeni] Rundll32.exe "C:\WINDOWS\system32\pikekise.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [hojirudeni] Rundll32.exe "C:\WINDOWS\system32\pikekise.dll",s (User 'NETWORK SERVICE')

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.amaena.com

O15 - Trusted Zone: *.antimalwareguard.com

O15 - Trusted Zone: *.antispyexpert.com

O15 - Trusted Zone: *.avsystemcare.com

O15 - Trusted Zone: *.gomyhit.com

O15 - Trusted Zone: *.imageservr.com

O15 - Trusted Zone: *.imagesrvr.com

O15 - Trusted Zone: *.onerateld.com

O15 - Trusted Zone: *.safetydownload.com

O15 - Trusted Zone: *.spyguardpro.com

O15 - Trusted Zone: *.storageguardsoft.com

O15 - Trusted Zone: *.trustedantivirus.com

O15 - Trusted Zone: *.virusremover2008.com

O15 - Trusted Zone: *.virusschlacht.com

O15 - Trusted Zone: *.amaena.com (HKLM)

O15 - Trusted Zone: *.antimalwareguard.com (HKLM)

O15 - Trusted Zone: *.antispyexpert.com (HKLM)

O15 - Trusted Zone: *.avsystemcare.com (HKLM)

O15 - Trusted Zone: *.gomyhit.com (HKLM)

O15 - Trusted Zone: *.imageservr.com (HKLM)

O15 - Trusted Zone: *.imagesrvr.com (HKLM)

O15 - Trusted Zone: *.onerateld.com (HKLM)

O15 - Trusted Zone: *.safetydownload.com (HKLM)

O15 - Trusted Zone: *.spyguardpro.com (HKLM)

O15 - Trusted Zone: *.storageguardsoft.com (HKLM)

O15 - Trusted Zone: *.trustedantivirus.com (HKLM)

O15 - Trusted Zone: *.virusremover2008.com (HKLM)

O15 - Trusted Zone: *.virusschlacht.com (HKLM)

O17 - HKLM\System\CCS\Services\Tcpip\..\{D109365A-DB63-44F6-A541-A6C066FFF379}: NameServer = 71.243.0.12,71.250.0.12

O20 - AppInit_DLLs: C:\WINDOWS\system32\kobizube.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

O23 - Service: PCI Latency Tool Service (LtcyCfgSvc) - Unknown owner - C:\Program Files\PCI Latency Tool 3\LtcyCfgSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--

End of file - 7949 bytes

Same as before it would seem. Those trojans sure like to respawn themselves after every deletion. Been awhile since I've seen any activity from them (Outside of this random error noise I get every now and again for some reason) but never the less, I am sure they will act up eventually and would prefer them gone. (For normal trojans they sure are a nuisance to get rid of)

Share this post


Link to post
Share on other sites

You have something hiding in protected memory and its using pending file rename to recreate itself after reboot .

I tried to capture the files to be renamed but the first try showed no files set to rename . It is also loading from a point you cant see in HijackThis (that find file confirmed that) .

Run the two files I had you run a minute ago again , I need to check something and I hope see the paths to the file being renamed .

Share this post


Link to post
Share on other sites

Ok , update MBAM but dont scan yet .

Run HijackThis without saving a log and up a check in front of the following lines :

O2 - BHO: (no name) - {1bde1112-9e2d-48a5-b85c-3f2a1f3ef3d2} - C:\WINDOWS\system32\yovinumo.dll (file missing)

O4 - HKLM\..\Run: [hojirudeni] Rundll32.exe "C:\WINDOWS\system32\pikekise.dll",s

O4 - HKUS\S-1-5-19\..\Run: [hojirudeni] Rundll32.exe "C:\WINDOWS\system32\pikekise.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [hojirudeni] Rundll32.exe "C:\WINDOWS\system32\pikekise.dll",s (User 'NETWORK SERVICE')

O15 - Trusted Zone: * <- all of these lines

O20 - AppInit_DLLs: C:\WINDOWS\system32\kobizube.dll

and then use the fix checked button .

Now do a MBAM quick scn and reboot , I think it will ask for a reboot this time .

Either way I need a new HijackThis log and MBAM scan log .

Share this post


Link to post
Share on other sites

Ah, nice. This one seemed to help a lot. No warning about a missing .dll on startup and my windows security alert is actually in my toolbar which it hasn't been since this started.

Here is the HiJackThis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:31:58 PM, on 12/18/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\dlcgcoms.exe

C:\Program Files\PCI Latency Tool 3\LtcyCfgSvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O1 - Hosts: 75.125.96.162 nprotect.lineage2.com

O1 - Hosts: 75.125.96.162 l2testauthd.lineage2.com

O1 - Hosts: 75.125.96.162 l2authd.lineage2.com

O1 - Hosts: 216.107.250.194 nprotect.lineage2.com

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe

O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"

O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"

O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork

O4 - HKUS\S-1-5-19\..\Run: [hojirudeni] Rundll32.exe "C:\WINDOWS\system32\pikekise.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [hojirudeni] Rundll32.exe "C:\WINDOWS\system32\pikekise.dll",s (User 'NETWORK SERVICE')

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{D109365A-DB63-44F6-A541-A6C066FFF379}: NameServer = 71.243.0.12,71.250.0.12

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

O23 - Service: PCI Latency Tool Service (LtcyCfgSvc) - Unknown owner - C:\Program Files\PCI Latency Tool 3\LtcyCfgSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--

End of file - 6511 bytes

MalwareBytes: (This is from before I restarted, during the scan)

Malwarebytes' Anti-Malware 1.31

Database version: 1519

Windows 5.1.2600 Service Pack 2

12/18/2008 9:21:45 PM

mbam-log-2008-12-18 (21-21-45).txt

Scan type: Quick Scan

Objects scanned: 46265

Time elapsed: 1 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 2

Registry Values Infected: 1

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\kobizube.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1bde1112-9e2d-48a5-b85c-3f2a1f3ef3d2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{1bde1112-9e2d-48a5-b85c-3f2a1f3ef3d2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hojirudeni (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\kobizube.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\kobizube.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\kobizube.dll -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\kobizube.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\pabuzili.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-2052111302-152049171-682003330-1004\Dc11\kobizube.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-2052111302-152049171-682003330-1004\Dc14\kobizube.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-2052111302-152049171-682003330-1004\Dc15\kobizube.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-2052111302-152049171-682003330-1004\Dc3\kobizube.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

MalwareBytes: (This was taken right a few seconds ago)

Malwarebytes' Anti-Malware 1.31

Database version: 1519

Windows 5.1.2600 Service Pack 2

12/18/2008 9:31:30 PM

mbam-log-2008-12-18 (21-31-30).txt

Scan type: Quick Scan

Objects scanned: 46187

Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Seems to have cleaned up what has been harassing me for awhile. I've been getting viruses a lot this month, yet somehow went 2 years with no protection at all without a single virus.

If something else comes up I'll be sure to post, thank you very much your help, this program and support is phenomenal. If there is something you want me to do before I go on my way, feel free to toss it out there. (I'll probably do a full scan later. One on bit defender as well before I delete it for being bloat ware.)

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.