Trojan.vundo

Lenton

By Lenton,
in Malware Removal

 Share Followers 0

Recommended Posts

Lenton

Lenton

Posted
Posted

Hey guys, I've got a nasty little infection going on and haven't been able to fight it off on my own. At the moment I have a Symantic AntiVirus Notification just counting up informing me that I have Trojan.Vundo that is infecting C:\WINDOWS\system32\iifdbxv.dll, this notification will continue to count forever apparently (accidently left the computer on for two days to come back to 70,000 notifications). Symantic can't do anything to get rid of it apparently and restarting in safemode and running their VundoFix tool didn't do anything, in fact it didn't find any infected files even though right beside it the notification window was still counting... I also found a few troubleshooting guides reguarding removing some registry entries but none of the ones mentioned were in my registery.

So all and all... HELP! :)

Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:10:40 PM, on 7/16/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\D-Tools\daemon.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\DAP\DAP.EXE

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe

C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Power DVD Player\PowerDVDPlayer.exe

C:\WINDOWS\ATKKBService.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: ATLAS Toolbar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V13\ATLIECP.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\ksmpvkrt.dll",forkonce

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Power DVD Player] "C:\Program Files\Power DVD Player\PowerDVDPlayer.exe" hmw

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm

O8 - Extra context menu item: &Translate with ATLAS - C:\Program Files\ATLAS V13\Atlscript.html

O8 - Extra context menu item: ATLAS Translation &Editor - C:\Program Files\ATLAS V13\AtlscriptEdit.html

O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: ATLAS Translation - {B7707A72-4355-11D4-82BD-00000EBBEF8D} - C:\Program Files\ATLAS V13\Atlscript.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe

O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--

End of file - 6494 bytes

Thanks in advance,

-Lenton

Link to post
Share on other sites
jwbirdsong

jwbirdsong

Posted
Posted (edited)

Go to the folder C:\Program Files\Trend Micro\HijackThis\ and Right click on HijackThis.exe then choose Rename. Change it to newhj.exe (If you have a short cut on your desktop for HijackThis it will no longer work.) You can just run the file from here when needed or right click the newly renamed file and create a new shortcut and place it on your desktop.

Please download VundoFix.exe (by Atribune) to your Desktop

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting. Run the Vudnofix at LEAST 2 times OR until you get a "No vundo found message"

Download Combofix to your desktop.

Doubleclick combofix.exe

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

Post this log in your next reply. Please post the contents of C:\vundofix.txt.

Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Edited by jwbirdsong
Link to post
Share on other sites
Lenton

Lenton

Posted
  • Author
Posted

Alrighty, when running VundoFix it errors on removal (Error 75: Path/File access error) and then says it can't remove iifdbxv.dll and pmkjh.dll and will run on reboot. The first time it did run on reboot but it gave the same errors. Farther reboots explorer seems to hang and there are at least 10 Symantec AntiVirus Notifications before VundoFix even comes up (if it comes up at all). Just wondering if Symantec is causing problems with these other tools?

Here's the VundoFix Log:

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.6

Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9

Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 9:23:23 PM 7/16/2007

Listing files found while scanning....

C:\windows\system32\ccytdmyy.dll

C:\windows\system32\dhtbpjeu.dll

C:\WINDOWS\system32\hjkmp.bak1

C:\WINDOWS\system32\hjkmp.bak2

C:\WINDOWS\system32\hjkmp.ini

C:\WINDOWS\system32\hjkmp.ini2

C:\WINDOWS\system32\hjkmp.tmp

C:\WINDOWS\system32\hsxeunjb.dll

C:\WINDOWS\system32\iifdbxv.dll

C:\WINDOWS\system32\jhxbxhln.dll

C:\windows\system32\kkfjmvpa.dll

C:\windows\system32\ksmpvkrt.dll

C:\windows\system32\mivxevsl.dll

C:\windows\system32\pjswronc.dll

C:\WINDOWS\system32\pmkjh.dll

C:\windows\system32\trkvpmsk.ini

C:\windows\system32\uejpbthd.ini

C:\windows\system32\yymdtycc.ini

Beginning removal...

Attempting to delete C:\windows\system32\ccytdmyy.dll

C:\windows\system32\ccytdmyy.dll Could not be deleted.

Attempting to delete C:\windows\system32\dhtbpjeu.dll

C:\windows\system32\dhtbpjeu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjkmp.bak1

C:\WINDOWS\system32\hjkmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjkmp.bak2

C:\WINDOWS\system32\hjkmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjkmp.ini

C:\WINDOWS\system32\hjkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjkmp.ini2

C:\WINDOWS\system32\hjkmp.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjkmp.tmp

C:\WINDOWS\system32\hjkmp.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\hsxeunjb.dll

C:\WINDOWS\system32\hsxeunjb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifdbxv.dll

C:\WINDOWS\system32\iifdbxv.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jhxbxhln.dll

C:\WINDOWS\system32\jhxbxhln.dll Has been deleted!

Attempting to delete C:\windows\system32\kkfjmvpa.dll

C:\windows\system32\kkfjmvpa.dll Has been deleted!

Attempting to delete C:\windows\system32\ksmpvkrt.dll

C:\windows\system32\ksmpvkrt.dll Has been deleted!

Attempting to delete C:\windows\system32\mivxevsl.dll

C:\windows\system32\mivxevsl.dll Could not be deleted.

Attempting to delete C:\windows\system32\pjswronc.dll

C:\windows\system32\pjswronc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkjh.dll

C:\WINDOWS\system32\pmkjh.dll Could not be deleted.

Attempting to delete C:\windows\system32\trkvpmsk.ini

C:\windows\system32\trkvpmsk.ini Has been deleted!

Attempting to delete C:\windows\system32\uejpbthd.ini

C:\windows\system32\uejpbthd.ini Has been deleted!

Attempting to delete C:\windows\system32\yymdtycc.ini

C:\windows\system32\yymdtycc.ini Has been deleted!

Performing Repairs to the registry.

Done!

Beginning removal...

Attempting to delete C:\windows\system32\ccytdmyy.dll

C:\windows\system32\ccytdmyy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjkmp.ini

C:\WINDOWS\system32\hjkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjkmp.ini2

C:\WINDOWS\system32\hjkmp.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifdbxv.dll

C:\WINDOWS\system32\iifdbxv.dll Could not be deleted.

Attempting to delete C:\windows\system32\mivxevsl.dll

C:\windows\system32\mivxevsl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkjh.dll

C:\WINDOWS\system32\pmkjh.dll Could not be deleted.

Performing Repairs to the registry.

Done!

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.6

Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9

Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 10:13:35 PM 7/16/2007

Listing files found while scanning....

C:\windows\system32\hjkmp.ini

C:\WINDOWS\system32\iifdbxv.dll

C:\WINDOWS\system32\pmkjh.dll

Beginning removal...

Attempting to delete C:\windows\system32\hjkmp.ini

C:\windows\system32\hjkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifdbxv.dll

C:\WINDOWS\system32\iifdbxv.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\pmkjh.dll

C:\WINDOWS\system32\pmkjh.dll Could not be deleted.

Performing Repairs to the registry.

Done!

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.6

Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9

Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 10:22:09 PM 7/16/2007

Listing files found while scanning....

C:\windows\system32\hjkmp.ini

C:\WINDOWS\system32\iifdbxv.dll

C:\WINDOWS\system32\pmkjh.dll

Beginning removal...

Attempting to delete C:\windows\system32\hjkmp.ini

C:\windows\system32\hjkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifdbxv.dll

C:\WINDOWS\system32\iifdbxv.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\pmkjh.dll

C:\WINDOWS\system32\pmkjh.dll Could not be deleted.

Performing Repairs to the registry.

Done!

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.6

Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9

Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 10:26:42 PM 7/16/2007

Listing files found while scanning....

C:\windows\system32\hjkmp.ini

C:\WINDOWS\system32\iifdbxv.dll

C:\WINDOWS\system32\pmkjh.dll

Beginning removal...

Attempting to delete C:\windows\system32\hjkmp.ini

C:\windows\system32\hjkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifdbxv.dll

C:\WINDOWS\system32\iifdbxv.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\pmkjh.dll

C:\WINDOWS\system32\pmkjh.dll Could not be deleted.

Performing Repairs to the registry.

Done!

Alrighty, Here's the ComboFix Log:

"Adari" - 2007-07-16 22:33:07 - ComboFix 07-07-14.6 - Service Pack 2 NTFS

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\hjkmp.ini

C:\WINDOWS\system32\pmkjh.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\bfchyjrh.exe

C:\WINDOWS\system32\dfnoqerv.exe

C:\WINDOWS\system32\drivers\npf.sys

C:\WINDOWS\system32\gkwiflvf.exe

C:\WINDOWS\system32\mwopvsqv.exe

C:\WINDOWS\system32\Packet.dll

C:\WINDOWS\system32\pthreadVC.dll

C:\WINDOWS\system32\swgbqneg.exe

C:\WINDOWS\system32\WanPacket.dll

C:\WINDOWS\system32\wpcap.dll

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_NPF

-------\NPF

((((((((((((((((((((((((( Files Created from 2007-06-17 to 2007-07-17 )))))))))))))))))))))))))))))))

2007-07-16 22:32 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-07-16 21:23 <DIR> d-------- C:\VundoFix Backups

2007-07-16 21:08 <DIR> d-------- C:\Program Files\Trend Micro

2007-07-04 13:50 <DIR> d-------- C:\Program Files\FileZilla

2007-07-04 13:47 31,254 --a------ C:\WINDOWS\system32\iifdbxv.dll

2007-06-30 20:34 <DIR> d-------- C:\WINDOWS\system32\appmgmt

2007-06-26 18:51 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll

2007-06-25 18:44 <DIR> d-------- C:\Program Files\Plantronics

2007-06-25 18:44 <DIR> d-------- C:\Program Files\Common Files\Plantronics

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-26 22:51:27 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-06-02 22:11:44 -------- d-----w C:\Program Files\Google

2007-06-01 03:15:18 392,320 ----a-w C:\WINDOWS\system32\drivers\timntr.sys

2007-06-01 03:15:18 32,768 ----a-w C:\WINDOWS\system32\drivers\tifsfilt.sys

2007-06-01 03:15:16 120,992 ----a-w C:\WINDOWS\system32\drivers\snapman.sys

2007-06-01 03:15:07 -------- d-----w C:\Program Files\Common Files\Seagate

2007-06-01 03:14:55 -------- d-----w C:\Program Files\Seagate

2007-05-31 18:00:03 -------- d-----w C:\Program Files\Silicon Image

2007-05-21 02:49:02 -------- d-----w C:\DOCUME~1\Adari\APPLIC~1\Uniblue

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-05-03 21:20:37 99,904 ----a-w C:\WINDOWS\system32\PnkBstrB.exe

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-20 01:30:10 14,368 ----a-w C:\WINDOWS\system32\relog_ap.dll

2007-04-20 00:07:20 17,440 ----a-w C:\WINDOWS\system32\acrotls.dll

2007-04-19 22:49:14 210,464 ----a-w C:\WINDOWS\system32\snapapi.dll

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-17 23:44:33 63,040 ----a-w C:\WINDOWS\system32\PnkBstrA.exe

2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll

2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll

2007-04-14 02:55:24 26,336 ----a-w C:\DOCUME~1\Adari\APPLIC~1\GDIPFONTCACHEV1.DAT

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C6301ED-0F78-4AF2-8150-D9C052361A8E}]

2006-07-13 03:05 241664 --a------ C:\Program Files\ATLAS V13\ATLIECP.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634C7583-74C6-4FEF-BD06-9721761A6815}]

2007-07-04 13:47 31254 --a------ C:\WINDOWS\system32\iifdbxv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

2007-06-01 20:19 2554944 -ra------ c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]

2007-06-01 20:19 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]

"SoundMan"="SOUNDMAN.EXE" [2005-04-14 23:01 C:\WINDOWS\SOUNDMAN.EXE]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]

"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]

"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21]

"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-12 20:50]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-04 00:05]

"DownloadAccelerator"="C:\Program Files\DAP\DAP.exe" [2006-10-19 14:06]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"DiscWizardMonitor.exe"="C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 21:24]

"AcronisTimounterMonitor"="C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-04-19 21:38]

"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 21:29]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-10 18:37]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]

"Power DVD Player"="C:\Program Files\Power DVD Player\PowerDVDPlayer.exe" [2007-03-23 04:40]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{634C7583-74C6-4FEF-BD06-9721761A6815}"="C:\WINDOWS\system32\iifdbxv.dll" [2007-07-04 13:47]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdbxv]

iifdbxv.dll --a------ 2007-07-04 13:47 31254 C:\WINDOWS\system32\iifdbxv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages msv1_0 relog_ap

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

AutoRun\command- F:\NullAutorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

AutoRun\command- G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]

AutoRun\command- I:\UFOExtraterrestrials-SetupRelease-DVD.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25f60001-538b-11db-aa48-806d6172696f}]

AutoRun\command- D:\ASUSACPI.exe

Contents of the 'Scheduled Tasks' folder

2007-07-11 00:51:20 C:\WINDOWS\tasks\Uniblue SpyEraser Nag.job

2007-05-28 01:31:55 C:\WINDOWS\tasks\Uniblue SpyEraser.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-16 22:36:36

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Completion time: 2007-07-16 22:37:19 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-07-16 22:37

--- E O F ---

And Last, but not Least. HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:39:09 PM, on 7/16/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

C:\WINDOWS\ATKKBService.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\D-Tools\daemon.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\DAP\DAP.EXE

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Power DVD Player\PowerDVDPlayer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\hjnew.exe.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: ATLAS Toolbar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V13\ATLIECP.DLL

O2 - BHO: (no name) - {634C7583-74C6-4FEF-BD06-9721761A6815} - C:\WINDOWS\system32\iifdbxv.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: ATLAS Toolbar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V13\ATLIECP.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Power DVD Player] "C:\Program Files\Power DVD Player\PowerDVDPlayer.exe" hmw

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm

O8 - Extra context menu item: &Translate with ATLAS - C:\Program Files\ATLAS V13\Atlscript.html

O8 - Extra context menu item: ATLAS Translation &Editor - C:\Program Files\ATLAS V13\AtlscriptEdit.html

O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: ATLAS Translation - {B7707A72-4355-11D4-82BD-00000EBBEF8D} - C:\Program Files\ATLAS V13\Atlscript.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O20 - Winlogon Notify: iifdbxv - C:\WINDOWS\SYSTEM32\iifdbxv.dll

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe

O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--

End of file - 6761 bytes

Still have the Symantic AntiVirus Notification error coming up at startup with the counter slowly counting up, if that helps any.

Thanks again,

Lenton

Link to post
Share on other sites
jwbirdsong

jwbirdsong

Posted
Posted (edited)

Sorry connection problems last two days..

Just wondering if Symantec is causing problems with these other tools?

Yeah iot seems to as often as not.

Copy the following to Notepad and save to your desktop as combofix-do.txt

Files::
C:\WINDOWS\SYSTEM32\iifdbxv.dll

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdbxv] 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634C7583-74C6-4FEF-BD06-9721761A6815=-

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634C7583-74C6-4FEF-BD06-9721761A6815}]

Now drag the file you just made on top of ComboFix and drop it..It will start combofix running by it's self

Combo-Do.gif

After reboot

Clean your Cache and Cookies in IE:

Go to Control Panel > Internet Options > General tab.

Click the "Delete Cookies" button and then the "Delete Files" button next to it.

When prompted, place a check in: "Delete all offline content",

(You will have to re-enter passwords at websites that require them.)

Click OK

Clean other Temporary files + Recycle bin:

Go to start > run and type: cleanmgr and click ok.

Let it scan your system for files to remove.

Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.

Press OK to remove them.

Please go HERE to run Panda's ActiveScan

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report and a fresh HijackThis log AND the combofix log ...geez what a pain I am huh??

Edited by jwbirdsong
Link to post
Share on other sites
Lenton

Lenton

Posted
  • Author
Posted

No worries man, I really appreciate the assistance. If you guys can help me get rid of this sucker without a format I'd more than happy to run circles around the computer if thats what your instructing me to do ;)

Here's the ComboFix Log:

"Adari" - 2007-07-19 9:14:17 - ComboFix 07-07-14.6 - Service Pack 2 NTFS

Command switches used :: C:\Documents and Settings\Adari\Desktop\combofix-do.txt

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\VundoFix Backups

C:\VundoFix Backups\addmorefiles.txt

C:\VundoFix Backups\ccytdmyy.dll.bad

C:\VundoFix Backups\dhtbpjeu.dll.bad

C:\VundoFix Backups\hjkmp.bak1.bad

C:\VundoFix Backups\hjkmp.bak2.bad

C:\VundoFix Backups\hjkmp.ini.bad

C:\VundoFix Backups\hjkmp.ini2.bad

C:\VundoFix Backups\hjkmp.tmp.bad

C:\VundoFix Backups\hsxeunjb.dll.bad

C:\VundoFix Backups\jhxbxhln.dll.bad

C:\VundoFix Backups\kkfjmvpa.dll.bad

C:\VundoFix Backups\ksmpvkrt.dll.bad

C:\VundoFix Backups\mivxevsl.dll.bad

C:\VundoFix Backups\pjswronc.dll.bad

C:\VundoFix Backups\pmkjh.dll.bad

C:\VundoFix Backups\trkvpmsk.ini.bad

C:\VundoFix Backups\uejpbthd.ini.bad

C:\VundoFix Backups\yymdtycc.ini.bad

((((((((((((((((((((((((( Files Created from 2007-06-19 to 2007-07-19 )))))))))))))))))))))))))))))))

2007-07-16 22:32 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-07-16 21:08 <DIR> d-------- C:\Program Files\Trend Micro

2007-07-04 13:50 <DIR> d-------- C:\Program Files\FileZilla

2007-07-04 13:47 31,254 --a------ C:\WINDOWS\system32\iifdbxv.dll

2007-06-30 20:34 <DIR> d-------- C:\WINDOWS\system32\appmgmt

2007-06-26 18:51 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll

2007-06-25 18:44 <DIR> d-------- C:\Program Files\Plantronics

2007-06-25 18:44 <DIR> d-------- C:\Program Files\Common Files\Plantronics

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-26 22:51:27 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-06-02 22:11:44 -------- d-----w C:\Program Files\Google

2007-06-01 03:15:18 392,320 ----a-w C:\WINDOWS\system32\drivers\timntr.sys

2007-06-01 03:15:18 32,768 ----a-w C:\WINDOWS\system32\drivers\tifsfilt.sys

2007-06-01 03:15:16 120,992 ----a-w C:\WINDOWS\system32\drivers\snapman.sys

2007-06-01 03:15:07 -------- d-----w C:\Program Files\Common Files\Seagate

2007-06-01 03:14:55 -------- d-----w C:\Program Files\Seagate

2007-05-31 18:00:03 -------- d-----w C:\Program Files\Silicon Image

2007-05-21 02:49:02 -------- d-----w C:\DOCUME~1\Adari\APPLIC~1\Uniblue

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-05-03 21:20:37 99,904 ----a-w C:\WINDOWS\system32\PnkBstrB.exe

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-20 01:30:10 14,368 ----a-w C:\WINDOWS\system32\relog_ap.dll

2007-04-20 00:07:20 17,440 ----a-w C:\WINDOWS\system32\acrotls.dll

2007-04-19 22:49:14 210,464 ----a-w C:\WINDOWS\system32\snapapi.dll

2007-04-14 02:55:24 26,336 ----a-w C:\DOCUME~1\Adari\APPLIC~1\GDIPFONTCACHEV1.DAT

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C6301ED-0F78-4AF2-8150-D9C052361A8E}]

2006-07-13 03:05 241664 --a------ C:\Program Files\ATLAS V13\ATLIECP.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634C7583-74C6-4FEF-BD06-9721761A6815}]

2007-07-04 13:47 31254 --a------ C:\WINDOWS\system32\iifdbxv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

2007-06-01 20:19 2554944 -ra------ c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]

2007-06-01 20:19 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]

"SoundMan"="SOUNDMAN.EXE" [2005-04-14 23:01 C:\WINDOWS\SOUNDMAN.EXE]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]

"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]

"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21]

"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-12 20:50]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-04 00:05]

"DownloadAccelerator"="C:\Program Files\DAP\DAP.exe" [2006-10-19 14:06]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"DiscWizardMonitor.exe"="C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 21:24]

"AcronisTimounterMonitor"="C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-04-19 21:38]

"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 21:29]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-10 18:37]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]

"Power DVD Player"="C:\Program Files\Power DVD Player\PowerDVDPlayer.exe" [2007-03-23 04:40]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{634C7583-74C6-4FEF-BD06-9721761A6815}"="C:\WINDOWS\system32\iifdbxv.dll" [2007-07-04 13:47]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdbxv]

iifdbxv.dll --a------ 2007-07-04 13:47 31254 C:\WINDOWS\system32\iifdbxv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages msv1_0 relog_ap

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

AutoRun\command- F:\NullAutorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

AutoRun\command- G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]

AutoRun\command- I:\UFOExtraterrestrials-SetupRelease-DVD.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25f60001-538b-11db-aa48-806d6172696f}]

AutoRun\command- D:\ASUSACPI.exe

Contents of the 'Scheduled Tasks' folder

2007-07-11 00:51:20 C:\WINDOWS\tasks\Uniblue SpyEraser Nag.job

2007-05-28 01:31:55 C:\WINDOWS\tasks\Uniblue SpyEraser.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-19 09:15:50

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Completion time: 2007-07-19 9:16:08

C:\ComboFix-quarantined-files.txt ... 2007-07-19 09:16

C:\ComboFix2.txt ... 2007-07-16 22:37

--- E O F ---

And here's the Active Scan Log:

Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\iifdbxv.dll

Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Adari\Cookies\adari@burstnet[2].txt

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Adari\Cookies\adari@statcounter[1].txt

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Adari\Desktop\ComboFix.exe[nircmd.exe]

Virus:Trj/Downloader.OZB Disinfected C:\QooBox\Quarantine\C\VundoFix Backups\hsxeunjb.dll.bad.vir

Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\VundoFix Backups\kkfjmvpa.dll.bad.vir

Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\VundoFix Backups\pjswronc.dll.bad.vir

Virus:Trj/Downloader.OZB Disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\bfchyjrh.exe.vir

Virus:Trj/Downloader.OZB Disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\dfnoqerv.exe.vir

Virus:Trj/Downloader.OZB Disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\gkwiflvf.exe.vir

Virus:Trj/Downloader.OZB Disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\mwopvsqv.exe.vir

Virus:Trj/Downloader.OZB Disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\swgbqneg.exe.vir

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe

Dialer:Dialer.Gen Not disinfected D:\Game Files\Patches and Cracks\Battle Realms CRACK.exe[GO.exe]

Virus:W32/Klez.I Disinfected J:\My Files\Backup\download\normal.zip[normal.mim][normal.exe]

And now the latest HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:43:45 AM, on 7/19/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

C:\WINDOWS\ATKKBService.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\D-Tools\daemon.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\DAP\DAP.EXE

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Power DVD Player\PowerDVDPlayer.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\hjnew.exe.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: ATLAS Toolbar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V13\ATLIECP.DLL

O2 - BHO: (no name) - {634C7583-74C6-4FEF-BD06-9721761A6815} - C:\WINDOWS\system32\iifdbxv.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: ATLAS Toolbar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V13\ATLIECP.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Power DVD Player] "C:\Program Files\Power DVD Player\PowerDVDPlayer.exe" hmw

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm

O8 - Extra context menu item: &Translate with ATLAS - C:\Program Files\ATLAS V13\Atlscript.html

O8 - Extra context menu item: ATLAS Translation &Editor - C:\Program Files\ATLAS V13\AtlscriptEdit.html

O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: ATLAS Translation - {B7707A72-4355-11D4-82BD-00000EBBEF8D} - C:\Program Files\ATLAS V13\Atlscript.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O20 - Winlogon Notify: iifdbxv - C:\WINDOWS\SYSTEM32\iifdbxv.dll

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe

O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--

End of file - 7020 bytes

This'n is a stubborn bastard, still have the notification counting up even after the Activescan :-/

Link to post
Share on other sites
jwbirdsong

jwbirdsong

Posted
Posted (edited)

Let me have a look at this son-of-a-gun before we getr rid of it.

Please go here to upload a suspicious file for analysis.

  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\WINDOWS\system32\iifdbxv.dll
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File

Please download the OTMoveIt by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\WINDOWS\system32\iifdbxv.dll
    C:\QooBox\
    J:\My Files\Backup\download\normal.zip
    D:\Game Files\Patches and Cracks\Battle Realms CRACK.exe

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Reboot if OTMoveIt didn't boot for you..(I'm betting it did)

Then redo the last step where you drug combofix-do.txt over Combofix and let it run..

(IF you get any popups about changes to the registry make sure to ALLOW them)

Post the latest Combofix log please.

Edited by jwbirdsong
Link to post
Share on other sites
Lenton

Lenton

Posted
  • Author
Posted (edited)

Two things, when I went to upload the file I got a page can not be displayed message. Tried again and it seemed like it worked but I didn't get any sort of confirmation to it working or not. Second thing was when I first ran OTMoveIt and it asked to reboot I didn't act quick enough to copy the log file for you before it rebooted, but even so OTMoveIt never loaded on startup. I tried again (getting the log file this time) and it still didn't boot on startup.

NOTE: I did turn off Symantic and try to upload the file, I then got a confirmation that the file was uploaded.

MoveIt Log:

DllUnregisterServer procedure not found in C:\WINDOWS\system32\iifdbxv.dll

C:\WINDOWS\system32\iifdbxv.dll NOT unregistered.

File move failed. C:\WINDOWS\system32\iifdbxv.dll scheduled to be moved on reboot.

Folder C:\QooBox\ not found.

File/Folder J:\My Files\Backup\download\normal.zip not found.

File/Folder D:\Game Files\Patches and Cracks\Battle Realms CRACK.exe not found.

Created on 07/20/2007 08:43:25

ComboFix Log:

"Adari" - 2007-07-20 8:46:01 - ComboFix 07-07-14.6 - Service Pack 2 NTFS

Command switches used :: C:\Documents and Settings\Adari\Desktop\combofix-do.txt.txt

((((((((((((((((((((((((( Files Created from 2007-06-20 to 2007-07-20 )))))))))))))))))))))))))))))))

2007-07-19 09:29 8,576 --a------ C:\WINDOWS\system32\drivers\lteskkxsifka.sys

2007-07-19 09:22 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2007-07-16 22:32 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-07-16 21:08 <DIR> d-------- C:\Program Files\Trend Micro

2007-07-04 13:50 <DIR> d-------- C:\Program Files\FileZilla

2007-07-04 13:47 31,254 --------- C:\WINDOWS\system32\iifdbxv.dll

2007-06-30 20:34 <DIR> d-------- C:\WINDOWS\system32\appmgmt

2007-06-26 18:51 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll

2007-06-25 18:44 <DIR> d-------- C:\Program Files\Plantronics

2007-06-25 18:44 <DIR> d-------- C:\Program Files\Common Files\Plantronics

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-19 13:54:08 -------- d-----w C:\Program Files\Winamp

2007-07-19 13:53:47 -------- d-----w C:\Program Files\QuickTime

2007-07-19 13:53:47 -------- d-----w C:\Program Files\Power DVD Player

2007-07-19 13:52:34 -------- d-----w C:\Program Files\Messenger

2007-07-19 13:51:09 -------- d-----w C:\Program Files\Google

2007-07-19 13:50:57 -------- d-----w C:\Program Files\DAP

2007-07-19 13:50:51 -------- d-----w C:\Program Files\D-Tools

2007-07-19 13:49:29 -------- d-----w C:\Program Files\ATLAS V13

2007-06-26 22:51:27 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-06-01 03:15:18 392,320 ----a-w C:\WINDOWS\system32\drivers\timntr.sys

2007-06-01 03:15:18 32,768 ----a-w C:\WINDOWS\system32\drivers\tifsfilt.sys

2007-06-01 03:15:16 120,992 ----a-w C:\WINDOWS\system32\drivers\snapman.sys

2007-06-01 03:15:07 -------- d-----w C:\Program Files\Common Files\Seagate

2007-06-01 03:14:55 -------- d-----w C:\Program Files\Seagate

2007-05-31 18:00:03 -------- d-----w C:\Program Files\Silicon Image

2007-05-21 02:49:02 -------- d-----w C:\DOCUME~1\Adari\APPLIC~1\Uniblue

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-05-03 21:20:37 99,904 ----a-w C:\WINDOWS\system32\PnkBstrB.exe

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-20 01:30:10 14,368 ----a-w C:\WINDOWS\system32\relog_ap.dll

2007-04-20 00:07:20 17,440 ----a-w C:\WINDOWS\system32\acrotls.dll

2007-04-14 02:55:24 26,336 ----a-w C:\DOCUME~1\Adari\APPLIC~1\GDIPFONTCACHEV1.DAT

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C6301ED-0F78-4AF2-8150-D9C052361A8E}]

2006-07-13 03:05 241664 --a------ C:\Program Files\ATLAS V13\ATLIECP.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634C7583-74C6-4FEF-BD06-9721761A6815}]

2007-07-04 13:47 31254 --a------ C:\WINDOWS\system32\iifdbxv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

2007-06-01 20:19 2554944 -ra------ c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]

2007-06-01 20:19 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]

"SoundMan"="SOUNDMAN.EXE" [2005-04-14 23:01 C:\WINDOWS\SOUNDMAN.EXE]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]

"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]

"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21]

"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-12 20:50]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-04 00:05]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"DiscWizardMonitor.exe"="C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 21:24]

"AcronisTimounterMonitor"="C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-04-19 21:38]

"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 21:29]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-10 18:37]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]

"Power DVD Player"="C:\Program Files\Power DVD Player\PowerDVDPlayer.exe" [2007-03-23 04:40]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{634C7583-74C6-4FEF-BD06-9721761A6815}"="C:\WINDOWS\system32\iifdbxv.dll" [2007-07-04 13:47]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdbxv]

iifdbxv.dll --a------ 2007-07-04 13:47 31254 C:\WINDOWS\system32\iifdbxv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages msv1_0 relog_ap

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

AutoRun\command- F:\NullAutorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

AutoRun\command- G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]

AutoRun\command- I:\UFOExtraterrestrials-SetupRelease-DVD.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25f60001-538b-11db-aa48-806d6172696f}]

AutoRun\command- D:\ASUSACPI.exe

Contents of the 'Scheduled Tasks' folder

2007-07-11 00:51:20 C:\WINDOWS\tasks\Uniblue SpyEraser Nag.job

2007-05-28 01:31:55 C:\WINDOWS\tasks\Uniblue SpyEraser.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-20 08:47:36

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Completion time: 2007-07-20 8:48:08

C:\ComboFix-quarantined-files.txt ... 2007-07-19 09:16

C:\ComboFix2.txt ... 2007-07-19 09:16

C:\ComboFix3.txt ... 2007-07-16 22:37

--- E O F ---

And he's still kicking :-/

Edited by Lenton
Link to post
Share on other sites
jwbirdsong

jwbirdsong

Posted
Posted

Would you repeat the OEMoveIt instructions from above except start your computer to SafeMode first.

(The only file you really need to copy/paste into the box is C:\WINDOWS\system32\iifdbxv.dll. You don't need to do the rest of the list.

That should get rid of it.

Post a fresh Combofix log plz.

Also post a Panda log (below)

Please go HERE to run Panda's ActiveScan

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

Link to post
Share on other sites
Lenton

Lenton

Posted
  • Author
Posted

I found a tool (VirtumondeBeGone) via another forum and had gotten impacient (sorry) and it seemed to do the trick (iidbvx.dll is gone now without using the OEMoveIT). I don't have the Symantic Virus Notifications anymore. Here's the rest of the scans you requested:

Here's the ComboFix Log:

"Adari" - 2007-07-23 20:20:15 - ComboFix 07-07-14.6 - Service Pack 2 NTFS

((((((((((((((((((((((((( Files Created from 2007-06-24 to 2007-07-24 )))))))))))))))))))))))))))))))

2007-07-19 09:29 8,576 --a------ C:\WINDOWS\system32\drivers\lteskkxsifka.sys

2007-07-19 09:22 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2007-07-16 22:32 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-07-16 21:08 <DIR> d-------- C:\Program Files\Trend Micro

2007-07-04 13:50 <DIR> d-------- C:\Program Files\FileZilla

2007-06-30 20:34 <DIR> d-------- C:\WINDOWS\system32\appmgmt

2007-06-26 18:51 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll

2007-06-25 18:44 <DIR> d-------- C:\Program Files\Plantronics

2007-06-25 18:44 <DIR> d-------- C:\Program Files\Common Files\Plantronics

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-22 22:21:36 -------- d-----w C:\Program Files\Winamp

2007-07-22 22:21:16 -------- d-----w C:\Program Files\QuickTime

2007-07-22 22:21:15 -------- d-----w C:\Program Files\Power DVD Player

2007-07-22 22:20:15 -------- d-----w C:\Program Files\Messenger

2007-07-22 22:18:58 -------- d-----w C:\Program Files\Google

2007-07-22 22:18:41 -------- d-----w C:\Program Files\D-Tools

2007-07-22 22:17:30 -------- d-----w C:\Program Files\ATLAS V13

2007-07-19 13:50:57 -------- d-----w C:\Program Files\DAP

2007-06-26 22:51:27 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-06-01 03:15:18 392,320 ----a-w C:\WINDOWS\system32\drivers\timntr.sys

2007-06-01 03:15:18 32,768 ----a-w C:\WINDOWS\system32\drivers\tifsfilt.sys

2007-06-01 03:15:16 120,992 ----a-w C:\WINDOWS\system32\drivers\snapman.sys

2007-06-01 03:15:07 -------- d-----w C:\Program Files\Common Files\Seagate

2007-06-01 03:14:55 -------- d-----w C:\Program Files\Seagate

2007-05-31 18:00:03 -------- d-----w C:\Program Files\Silicon Image

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-05-03 21:20:37 99,904 ----a-w C:\WINDOWS\system32\PnkBstrB.exe

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-14 02:55:24 26,336 ----a-w C:\DOCUME~1\Adari\APPLIC~1\GDIPFONTCACHEV1.DAT

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C6301ED-0F78-4AF2-8150-D9C052361A8E}]

2006-07-13 03:05 241664 --a------ C:\Program Files\ATLAS V13\ATLIECP.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

2007-06-01 20:19 2554944 -ra------ c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]

2007-06-01 20:19 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]

"SoundMan"="SOUNDMAN.EXE" [2005-04-14 23:01 C:\WINDOWS\SOUNDMAN.EXE]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]

"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]

"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21]

"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-12 20:50]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-04 00:05]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"DiscWizardMonitor.exe"="C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 21:24]

"AcronisTimounterMonitor"="C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-04-19 21:38]

"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 21:29]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]

"Power DVD Player"="C:\Program Files\Power DVD Player\PowerDVDPlayer.exe" [2007-03-23 04:40]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages msv1_0 relog_ap

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

AutoRun\command- F:\NullAutorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

AutoRun\command- G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]

AutoRun\command- I:\UFOExtraterrestrials-SetupRelease-DVD.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25f60001-538b-11db-aa48-806d6172696f}]

AutoRun\command- D:\ASUSACPI.exe

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-23 20:21:27

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Completion time: 2007-07-23 20:21:50

C:\ComboFix-quarantined-files.txt ... 2007-07-19 09:16

C:\ComboFix2.txt ... 2007-07-21 22:44

C:\ComboFix3.txt ... 2007-07-20 08:48

--- E O F ---

Here's the ActiveScan Log:

Incident Status Location

Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Adari\Cookies\adari@adrevolver[2].txt

Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Adari\Cookies\adari@adrevolver[3].txt

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Adari\Cookies\adari@atdmt[2].txt

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Adari\Cookies\[email protected][1].txt

Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Adari\Cookies\adari@burstnet[2].txt

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Adari\Cookies\adari@doubleclick[1].txt

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Adari\Cookies\adari@serving-sys[2].txt

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Adari\Cookies\adari@statcounter[1].txt

Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Adari\Cookies\adari@tribalfusion[2].txt

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Adari\Desktop\ComboFix.exe[nircmd.exe]

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Adari\Desktop\VirtumundoBeGone.exe

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe

Dialer:Dialer.Gen Not disinfected C:\_OTMoveIt\MovedFiles\Game Files\Patches and Cracks\Battle Realms CRACK.exe[GO.exe]

Spyware:Spyware/Virtumonde Not disinfected C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\VundoFix Backups\kkfjmvpa.dll.bad.vir

Spyware:Spyware/Virtumonde Not disinfected

And even though you didn't ask for it figure'd you might want it:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:23:16 PM, on 7/23/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

C:\WINDOWS\ATKKBService.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\D-Tools\daemon.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Power DVD Player\PowerDVDPlayer.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Trend Micro\HijackThis\hjnew.exe.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: ATLAS Toolbar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V13\ATLIECP.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: ATLAS Toolbar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Program Files\ATLAS V13\ATLIECP.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Power DVD Player] "C:\Program Files\Power DVD Player\PowerDVDPlayer.exe" hmw

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm

O8 - Extra context menu item: &Translate with ATLAS - C:\Program Files\ATLAS V13\Atlscript.html

O8 - Extra context menu item: ATLAS Translation &Editor - C:\Program Files\ATLAS V13\AtlscriptEdit.html

O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: ATLAS Translation - {B7707A72-4355-11D4-82BD-00000EBBEF8D} - C:\Program Files\ATLAS V13\Atlscript.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe

O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--

End of file - 6550 bytes

I did run an AdAware Scan, and it found the Virtumonde and was able to remove it (along with 11 other tracking cookies)

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
 Share
Followers 0
Go to topic listing