Kaushik

Please help me clean Trojan.Vundo.H (VirtuMonde)

Dear Experts,

My machine is infected by Trojan Vundo. I cleaned it up, but it appears there are still some traces left, as it comes up after 10 mins or whenever I reboot it comes up again.

Could you please help me to clean this mess?

Thanks,

EMAIL REMOVED

Following are the logs:

------------------------------------------------------------

Log from MBAM (12/29)

------------------------------------------------------------

Malwarebytes' Anti-Malware 1.31

Database version: 1475

Windows 5.1.2600 Service Pack 2

12/29/2008 1:53:41 AM

mbam-log-2008-12-29 (01-53-41).txt

Scan type: Quick Scan

Objects scanned: 60619

Time elapsed: 6 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 9

Registry Values Infected: 11

Registry Data Items Infected: 3

Folders Infected: 1

Files Infected: 15

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\foponiga.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\nivedusa.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5f1b7689-8f6d-4d72-8bde-8a7c9ff81ac4} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{5f1b7689-8f6d-4d72-8bde-8a7c9ff81ac4} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5f1b7689-8f6d-4d72-8bde-8a7c9ff81ac4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm636ddce9 (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jalumeteka (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb6369 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd5273 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga1918 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc4453 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\foponiga.dll -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\foponiga.dll -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\foponiga.dll -> Delete on reboot.

Folders Infected:

D:\Documents and Settings\Kaushik Patra\Application Data\gadcom (Trojan.Agent) -> Delete on reboot.

Files Infected:

C:\WINDOWS\system32\kuvusabu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ubasuvuk.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\pofusido.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\odisufop.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\vativise.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\esivitav.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\nivedusa.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\foponiga.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\loguteyu.dll_old (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\nukizota.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

D:\Documents and Settings\Kaushik Patra\Application Data\gadcom\gadcom.exe (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\prunnet.exe (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\ieupdates.exe (Trojan.Agent) -> Quarantined and deleted successfully.

D:\Documents and Settings\Kaushik Patra\Local Settings\Temp\xpre.tmp (Trojan.Downloader) -> Delete on reboot.

D:\Documents and Settings\Kaushik Patra\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> Quarantined and deleted successfully.

------------------------------------------------------------------------------------------------------------

Log from Panda Security

-------------------------------------------------------------------------------------------------------------

;********************************************************************************

ANALYSIS: 2008-12-29 10:01:15

PROTECTIONS: 1

MALWARE: 12

SUSPECTS: 5

;********************************************************************************

PROTECTIONS

Description Version Active Updated

;================================================================================

Symantec Antivirus Corporate Edition 10.1 No Yes

;================================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;================================================================================

00029434 spyware/virtumonde Spyware No 1 Yes No hkey_local_machine\software\microsoft\ms juan

00029434 spyware/virtumonde Spyware No 1 Yes No hkey_local_machine\software\microsoft\ms track system

00147824 Cookie/Clickbank TrackingCookie No 0 Yes No D:\Documents and Settings\Kaushik Patra\Cookies\kaushik patra@clickbank[1].txt

00366244 Application/NirCmd.A HackTools No 0 Yes No C:\Program Files\Altiris\Altiris Agent\Software Delivery\{B2364212-315F-46B6-BA1E-44F16976E535}\cache\Connected V8 Uninstall 1.0\nircmd.exe

00366244 Application/NirCmd.A HackTools No 0 Yes No C:\Program Files\Altiris\Altiris Agent\Software Delivery\{B2364212-315F-46B6-BA1E-44F16976E535}\cache\Connected V8 Restore Account 1.0\nircmd.exe

00456116 Adware/Antivirus2009 Adware No 0 Yes No D:\Documents and Settings\Kaushik Patra\Local Settings\Temp\Temporary Internet Files\Content.IE5\9IJD21RC\freescan[1].htm

00530899 Application/NirCmd.A HackTools No 0 Yes No C:\Program Files\Altiris\Altiris Agent\Software Delivery\{B2D160D2-1505-4B9C-BC8D-73CBEF1010B6}\cache\nircmd.exe

00530899 Application/NirCmd.A HackTools No 0 Yes No C:\Compaq\tools\screen\nircmd.exe

01174115 Trj/Downloader.OXI Virus/Trojan No 0 Yes No C:\Program Files\Altiris\Altiris Agent\Software Delivery\{B2364212-315F-46B6-BA1E-44F16976E535}\cache\Connected V8 Restore Account 1.0\check_win.exe

01262593 Application/NirCmd.A HackTools No 0 Yes No C:\Compaq\tools\nircmd.exe

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\tuvTJYOG.dll

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\System32\shhkde.dll

03074964 Trj/CI.A Virus/Trojan No 0 Yes No D:\Documents and Settings\All Users\Application Data\SecTaskMan\shhkde.dll.q_8041202_q.old

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\shhkde.dll

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\tuvTJYOG.dll

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\jgpfmwgx.dll

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\shhkde.dll

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\wvUMEWpP.dll

03074964 Trj/CI.A Virus/Trojan No 0 Yes No D:\Documents and Settings\All Users\Application Data\SecTaskMan\shhkde.dll.q_8041202_q

04098656 Adware/SaveNow Adware No 0 Yes No D:\Documents and Settings\Kaushik Patra\Local Settings\TempImages\si1setup-142-SI1PRT1-silent.exe

04098656 Adware/SaveNow Adware No 0 No No D:\Documents and Settings\Kaushik Patra\Desktop\software\OneClickBlackBerryVideoConverterSetup.exe[si1setup-142-SI1PRT1-silent.exe]

04454968 Generic Trojan Virus/Trojan No 0 Yes No d:\documents and settings\kaushik patra\application data\gadcom\gadcom.exe

04454968 Generic Trojan Virus/Trojan No 0 Yes No D:\Avenger\gadcom-ren-144\gadcom.exea

04476628 Generic Trojan Virus/Trojan No 0 Yes No D:\Documents and Settings\Kaushik Patra\Local Settings\Temp\winvsnet.tmp

04477037 Generic Trojan Virus/Trojan No 0 Yes No C:\WINDOWS\system32\urqRKaAq.dll

04477037 Generic Trojan Virus/Trojan No 0 Yes No C:\WINDOWS\system32\urqRKaAq.dll

;================================================================================

SUSPECTS

Sent Location y

;================================================================================

No C:\Compaq\tools\CPAU.exe y

No C:\WINDOWS\I386\fi\Altiris\SW Portal\Cpau.exe y

No C:\WINDOWS\system32\CPAU.exe y

No D:\Documents and Settings\All Users\Application Data\SecTaskMan\prunnet.exe.q_8048A00_q y

No D:\Documents and Settings\Kaushik Patra\Local Settings\Temp\prun.tmp y

;================================================================================

VULNERABILITIES

Id Severity Description y

;================================================================================

;================================================================================

--------------------------------------------------------------------------------------------------------------

Log from HijackThis (12/29)

--------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:16:47 AM, on 12/29/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nslsvice.exe

C:\WINDOWS\system32\nsl.exe

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Lenovo\TrackPoint\TP4SERVINST.EXE

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

D:\Connected\AgentService.exe

C:\Program Files\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe

C:\Program Files\ISS\Proventia Desktop\blackd.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe

C:\Program Files\ISS\Proventia Desktop\RapApp.exe

C:\WINDOWS\SYSTEM32\WISPTIS.EXE

C:\WINDOWS\System32\tabbtnu.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe

C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\ThinkPad\Tablet Shortcut\TSMRESIDENT.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\TpShocks.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\LogiTray.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe

C:\Program Files\Google\Google Talk\googletalk.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\SavRoam.exe

D:\Documents and Settings\Kaushik Patra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe

C:\Program Files\ThinkPad\Tablet Shortcut\TSMService.exe

C:\WINDOWS\System32\TPHDEXLG.exe

C:\Program Files\Logitech\Video\FxSvr2.exe

C:\Program Files\UPHClean\uphclean.exe

C:\Program Files\ISS\Proventia Desktop\vpatch.exe

C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe

C:\Program Files\Lenovo\TrackPoint\tp4serv.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe

D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

D:\DOCUME~1\KAUSHI~1\LOCALS~1\Temp\stf97.tmp

C:\WINDOWS\system32\NOTEPAD.EXE

D:\Program Files\Mozilla Firefox\firefox.exe

D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer 03.18.04

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://iedownload.intranet.mckinsey.com/ie6sp1/install.ins

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = amc-proxy01:8080

O1 - Hosts: # Copyright

ActiveScan.txt

mbam_Hijackthislogs.txt



Your defs are nearly 100 versions out of date. While you wait for help, please update MBAM, scan again and post fresh MBAM and HJT logs.

Your defs are nearly 100 versions out of date. While you wait for help, please update MBAM, scan again and post fresh MBAM and HJT logs.

Thanks.

Attaching the files and screenshot after running them.

1. Spybot screenshot (before cleaning)

2. Malware logs before and after cleanup

3. Panda scan logs

4. HijackThis

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:47:35 PM, on 12/29/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nslsvice.exe

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Lenovo\TrackPoint\TP4SERVINST.EXE

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

D:\Connected\AgentService.exe

C:\Program Files\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe

C:\Program Files\ISS\Proventia Desktop\blackd.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe

C:\Program Files\ISS\Proventia Desktop\RapApp.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\SavRoam.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\ThinkPad\Tablet Shortcut\TSMService.exe

C:\WINDOWS\System32\TPHDEXLG.exe

C:\Program Files\UPHClean\uphclean.exe

C:\Program Files\ISS\Proventia Desktop\vpatch.exe

C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe

C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\SYSTEM32\WISPTIS.EXE

C:\Program Files\Lenovo\TrackPoint\tp4serv.exe

C:\WINDOWS\System32\tabbtnu.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

D:\Documents and Settings\Kaushik Patra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\ThinkPad\Tablet Shortcut\TSMRESIDENT.EXE

C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\TpShocks.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\LogiTray.exe

C:\Program Files\Google\Google Talk\googletalk.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe

C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe

C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\Logitech\Video\FxSvr2.exe

D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

D:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\regedit.exe

D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer 03.18.04

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://*.209.172.180.115

O15 - Trusted Zone: *.adobe.com

O15 - Trusted Zone: *.antimalwareguard.com

O15 - Trusted Zone: *.apple.com

O15 - Trusted Zone: *.ariba.com

O15 - Trusted Zone: http://*.ariba.com

O15 - Trusted Zone: *.bcop.com

O15 - Trusted Zone: http://*.bcop.com

O15 - Trusted Zone: *.bmitools.net

O15 - Trusted Zone: *.bymckinsey.com

O15 - Trusted Zone: *.cdw.com

O15 - Trusted Zone: http://*.cdw.com

O15 - Trusted Zone: *.compaq.com

O15 - Trusted Zone: http://*.compaq.com

O15 - Trusted Zone: http://*.gib.dealogic.com

O15 - Trusted Zone: http://*.dealogic.com

O15 - Trusted Zone: *.easybank.at

O15 - Trusted Zone: *.mckinsey.edtlearning.com

O15 - Trusted Zone: http://*.mckinsey.edtlearning.com

O15 - Trusted Zone: *.edtlearning.com

O15 - Trusted Zone: http://*.edtlearning.com

O15 - Trusted Zone: *.elementk.com

O15 - Trusted Zone: http://*.elementk.com

O15 - Trusted Zone: *.factiva.com

O15 - Trusted Zone: *.four51.com

O15 - Trusted Zone: http://*.four51.com

O15 - Trusted Zone: *.globalprofitpools.com

O15 - Trusted Zone: *.gomyhit.com

O15 - Trusted Zone: *.grandandtoy.com

O15 - Trusted Zone: http://*.grandandtoy.com

O15 - Trusted Zone: *.hallmark.com

O15 - Trusted Zone: *.hbsinteractive.hbs.edu

O15 - Trusted Zone: http://*.hbsinteractive.hbs.edu

O15 - Trusted Zone: *.hbs.edu

O15 - Trusted Zone: http://*.hbs.edu

O15 - Trusted Zone: *.hbsinteractive.hbs.edu

O15 - Trusted Zone: http://*.hbsinteractive.hbs.edu

O15 - Trusted Zone: *.hoovers.com

O15 - Trusted Zone: *.hp.com

O15 - Trusted Zone: http://*.hp.com

O15 - Trusted Zone: *.icp

O15 - Trusted Zone: *.infotriever.com

O15 - Trusted Zone: *.interride.com

O15 - Trusted Zone: http://*.interride.com

O15 - Trusted Zone: http://*.knowledgenet.com

O15 - Trusted Zone: *.gps.mckinsey.com

O15 - Trusted Zone: http://*.gps.mckinsey.com

O15 - Trusted Zone: icp.intranet.mckinsey.com

O15 - Trusted Zone: mb2.mckinsey.com

O15 - Trusted Zone: http://*.mckinsey.com

O15 - Trusted Zone: *.mckinsey.de

O15 - Trusted Zone: http://*.mckinsey.de

O15 - Trusted Zone: *.mckinseygiftofhope.com

O15 - Trusted Zone: *.mckinseygiftofhope.org

O15 - Trusted Zone: www.mckinseyquarterly.com

O15 - Trusted Zone: *.mckinseyquarterly.com

O15 - Trusted Zone: *.onex.com

O15 - Trusted Zone: http://*.onex.com

O15 - Trusted Zone: *.setup

O15 - Trusted Zone: *.shi.com

O15 - Trusted Zone: http://*.shi.com

O15 - Trusted Zone: *.webex.com

O15 - Trusted Zone: http://*.webex.com

O15 - Trusted Zone: *.workplace.com

O15 - Trusted Zone: http://*.workplace.com

O15 - Trusted Zone: *.wwworkplace.com

O15 - Trusted Zone: http://*.wwworkplace.com

O15 - Trusted Zone: *.209.172.180.115 (HKLM)

O15 - Trusted Zone: http://*.209.172.180.115 (HKLM)

O15 - Trusted Zone: *.adobe.com (HKLM)

O15 - Trusted Zone: *.antimalwareguard.com (HKLM)

O15 - Trusted Zone: *.apple.com (HKLM)

O15 - Trusted Zone: *.ariba.com (HKLM)

O15 - Trusted Zone: *.bcop.com (HKLM)

O15 - Trusted Zone: *.bmitools.net (HKLM)

O15 - Trusted Zone: *.bymckinsey.com (HKLM)

O15 - Trusted Zone: *.compaq.com (HKLM)

O15 - Trusted Zone: *.mckinsey.edtlearning.com (HKLM)

O15 - Trusted Zone: *.edtlearning.com (HKLM)

O15 - Trusted Zone: *.elementk.com (HKLM)

O15 - Trusted Zone: *.factiva.com (HKLM)

O15 - Trusted Zone: *.four51.com (HKLM)

O15 - Trusted Zone: *.globalprofitpools.com (HKLM)

O15 - Trusted Zone: *.gomyhit.com (HKLM)

O15 - Trusted Zone: *.hallmark.com (HKLM)

O15 - Trusted Zone: *.hbs.edu (HKLM)

O15 - Trusted Zone: *.hbsinteractive.hbs.edu (HKLM)

O15 - Trusted Zone: http://*.hbsinteractive.hbs.edu (HKLM)

O15 - Trusted Zone: *.hoovers.com (HKLM)

O15 - Trusted Zone: *.hp.com (HKLM)

O15 - Trusted Zone: *.icp (HKLM)

O15 - Trusted Zone: *.infotriever.com (HKLM)

O15 - Trusted Zone: *.interride.com (HKLM)

O15 - Trusted Zone: *.knowledgenet.com (HKLM)

O15 - Trusted Zone: *.mckinsey.com (HKLM)

O15 - Trusted Zone: *.mckinsey.de (HKLM)

O15 - Trusted Zone: *.mckinseygiftofhope.com (HKLM)

O15 - Trusted Zone: *.mckinseygiftofhope.org (HKLM)

O15 - Trusted Zone: *.mckinseyquarterly.com (HKLM)

O15 - Trusted Zone: *.setup (HKLM)

O15 - Trusted Zone: *.shi.com (HKLM)

O15 - Trusted Zone: *.webex.com (HKLM)

O15 - Trusted Zone: *.workplace.com (HKLM)

O15 - Trusted Zone: *.wwworkplace.com (HKLM)

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ads.mckinsey.com

O17 - HKLM\Software\..\Telephony: DomainName = ads.mckinsey.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ads.mckinsey.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ads.mckinsey.com,firny.mckinsey.com,notes.mckinsey.com,intranet.mckinsey.com,tivoli.mckinsey.com,mckinsey.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ads.mckinsey.com,firny.mckinsey.com,notes.mckinsey.com,intranet.mckinsey.com,tivoli.mckinsey.com,mckinsey.com

O20 - AppInit_DLLs: AMINIT.dll amzvbn.dll dyprvc.dll zjxmli.dll pqhvxx.dll yjzlau.dll shhkde.dll c:\windows\system32\ c:\windows\system32\fiyifine.dll c:\windows\system32\ c:\windows\system32\ c:\windows\system32\ c:\windows\system32\heyayoli.dll

O20 - Winlogon Notify: awtusstr - awtusstr.dll (file missing)

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

O23 - Service: AgentService - Iron Mountain Incorporated - D:\Connected\AgentService.exe

O23 - Service: ASR Service (ASRSVC) - Lenovo Group Limited - C:\Program Files\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe

O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe

O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: TABLET Service (TabletSVC) - Lenovo Group Limited - C:\Program Files\ThinkPad\Tablet Shortcut\TSMService.exe

O23 - Service: tp4serv - Lenovo Group Limited - C:\Program Files\Lenovo\TrackPoint\TP4SERVINST.EXE

O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe

O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe

O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe

O23 - Service: WebrootSpySweeperService - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe

--

End of file - 18792 bytes

post-7242-1230587783_thumb.jpg

mbam_log_2008_12_29__13_47_23__beforeclean.txt

mbam_log_2008_12_29__13_47_44_afterclean.txt

ActiveScan_panda.txt


Please run the following.

Reconfigure Windows XP to show hidden files:

To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.

* Double-click on the My Computer icon.

* Select the Tools menu and click Folder Options.

* After the new window appears select the View tab.

* Put a checkmark in the checkbox labeled Display the contents of system folders.

* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.

* Remove the checkmark from the checkbox labeled Hide protected operating system files.

* Press the Apply button and then the OK button and exit My Computer.

* Now your computer is configured to show all hidden files.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

Then run HJT and do a Scan Only and place a check mark on the following entries.

O20 - AppInit_DLLs: AMINIT.dll amzvbn.dll dyprvc.dll zjxmli.dll pqhvxx.dll yjzlau.dll shhkde.dll c:\windows\system32\ c:\windows\system32\fiyifine.dll c:\windows\system32\ c:\windows\system32\ c:\windows\system32\ c:\windows\system32\heyayoli.dll

O20 - Winlogon Notify: awtusstr - awtusstr.dll (file missing)

Then click on "Fix checked"

Please upload the following files for review to uploads.malwarebytes.org

c:\windows\system32\AMINIT.dll

c:\windows\system32\amzvbn.dll

c:\windows\system32\dyprvc.dll

C:\WINDOWS\system32\zjxmli.dll

C:\WINDOWS\system32\pqhvxx.dll

C:\WINDOWS\system32\yjzlau.dll

C:\WINDOWS\system32\shhkde.dll

C:\WINDOWS\system32\fiyifine.dll

C:\WINDOWS\system32\heyayoli.dll

C:\WINDOWS\system32\awtusstr.dll

Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware
  • Update Malwarebytes' Anti-Malware:
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and AFTER the restart run HJT scan and save log.

Post back fresh MBAM and HJT logs.
