
View Full Version : stubborn infection



Ledders
2006-07-24, 11:31
I've got a nasty little infection on one of my machines that refuses to go away. I've tried several times now to run my full de-funking routine, and it seems within a day or so all the crap is back. It's been 2 days since I last tried to get rid of everything, and here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:21:49 AM, on 7/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\applications\DAEMON Tools\daemon.exe
C:\PROGRA~1\APPLIC~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Applications\RivaTuner v2.0 RC 16\RivaTuner.exe
C:\Program Files\Applications\Gaim\gaim.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Applications\Logitech\SetPoint\SetPoint.exe
C:\Documents and Settings\User\My Documents\icons\tclock2\tclock2.exe
C:\Documents and Settings\User\My Documents\icons\yz shadow\YzShadow.exe
C:\Documents and Settings\User\My Documents\icons\yz toolbar\YzToolBar.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\PROGRA~1\APPLIC~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\APPLIC~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\applications\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Applications\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\Tweaks & Maintenance\Hijack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\applications\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DB5AB74-E2F7-4897-9150-6A681B9FB73B} - C:\WINDOWS\system32\geede.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\applications\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\applications\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\APPLIC~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\Applications\RivaTuner v2.0 RC 16\RivaTuner.exe" /S
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\Applications\RivaTuner v2.0 RC 16\RivaTuner.exe" /T
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\applications\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\applications\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKCU\..\Run: [Gaim] C:\Program Files\Applications\Gaim\gaim.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - Startup: TClock2.lnk = C:\Documents and Settings\User\My Documents\icons\tclock2\tclock2.exe
O4 - Startup: YzShadow.lnk = C:\Documents and Settings\User\My Documents\icons\yz shadow\YzShadow.exe
O4 - Startup: YzToolBar.lnk = C:\Documents and Settings\User\My Documents\icons\yz toolbar\YzToolBar.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Applications\Logitech\SetPoint\SetPoint.exe
O20 - Winlogon Notify: geede - C:\WINDOWS\system32\geede.dll
O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\APPLIC~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\APPLIC~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\applications\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\applications\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\applications\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe

tashi
2006-07-28, 16:59
Hello, sorry for the wait.

If you are still in need of assistance we have this sticky topic:

If you have waited four days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

pskelley
2006-07-31, 21:06
Hello and welcome to the forum. I would like to help you but:
"a nasty little infection on one of my machines that refuses to go away" is just not enough information for me to proceed. It looks like a Vundo trojan infection, so I will try that. You need to describe problems to the best of your ability, post error messages "word for word", and keep in mind you are in front of the computer and I am in Clearwater, Florida, thanks.

Your Java program needs an update: http://forums.spybot.info/showpost.php?p=12880&postcount=2

This stuff: do you know what it is, and that it is safe? If not, use the scans I provide to find out and post the information for me.
C:\Documents and Settings\User\My Documents\icons\tclock2\tclock2.exe
C:\Documents and Settings\User\My Documents\icons\yz shadow\YzShadow.exe
C:\Documents and Settings\User\My Documents\icons\yz toolbar\YzToolBar.exe
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.


Thanks
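
The pattern pskelley spotted in the log above is worth being able to recognise mechanically: an O2 BHO with "(no name)" whose DLL (geede.dll) is also registered as an O20 Winlogon Notify package, plus a second O20 entry whose DLL is missing. A Winlogon Notify DLL is loaded into winlogon.exe at logon, so it survives a cleanup done from an ordinary desktop session and can put the BHO back, which is exactly the "everything is back within a day" symptom. Below is an added example, not code from the original thread or from HijackThis, that parses the O2 and O20 lines of a HijackThis v1.99 log and flags those three indicators. The log excerpt is constructed from the lines in the original post; the rule names and the `Finding` structure are this example's own.

```python
"""Parse HijackThis (v1.99-style) O2/O20 lines and flag the Vundo persistence
pattern: a nameless BHO whose DLL is also a Winlogon Notify package.

Added example; not part of the original thread or of HijackThis.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed excerpt of the log posted in the thread (O2/O20 lines are the
# ones the rules below look at; the other lines are kept for realism).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 5:21:49 AM, on 7/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\applications\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DB5AB74-E2F7-4897-9150-6A681B9FB73B} - C:\WINDOWS\system32\geede.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\APPLIC~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: geede - C:\WINDOWS\system32\geede.dll
O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\APPLIC~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

MISSING = "(file missing)"  # tag HijackThis appends when the file is not on disk

# O2 - BHO: <name> - {<CLSID>} - <path>
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
# O20 - Winlogon Notify: <subkey> - <path>
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


@dataclass
class Entry:
    section: str  # "O2" or "O20"
    name: str     # BHO display name or Winlogon Notify subkey
    path: str     # path as printed by HJT (may carry the "(file missing)" tag)


@dataclass
class Finding:
    rule: str     # rule identifier (names are this example's own)
    dll: str      # lower-cased DLL file name
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, with HJT's missing-file tag removed."""
    clean = path.replace(MISSING, "").strip()
    return clean.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse(log_text: str) -> Tuple[List[Entry], List[Entry]]:
    """Return (BHO entries, Winlogon Notify entries) found in the log text."""
    bhos: List[Entry] = []
    notify: List[Entry] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append(Entry("O2", m["name"], m["path"]))
            continue
        m = O20_RE.match(line)
        if m:
            notify.append(Entry("O20", m["name"], m["path"]))
    return bhos, notify


def analyze(log_text: str) -> List[Finding]:
    """Apply the three indicator rules and return the findings in log order."""
    bhos, notify = parse(log_text)
    findings: List[Finding] = []
    bho_dlls = {basename(b.path): b for b in bhos}

    # Rule 1: a BHO that registers no display name is almost never legitimate.
    for b in bhos:
        if b.name.lower() == "(no name)":
            findings.append(Finding("no_name_bho", basename(b.path),
                                    f"BHO {{{b.name}}} at {b.path} has no name"))

    for n in notify:
        dll = basename(n.path)
        # Rule 2: a Winlogon Notify entry pointing at a DLL that is no longer on
        # disk is a leftover registration and should be removed.
        if MISSING in n.path:
            findings.append(Finding("missing_notify_dll", dll,
                                    f"Winlogon Notify '{n.name}' references missing {dll}"))
        # Rule 3: the same DLL registered as both a BHO and a Winlogon Notify
        # package is the persistence pairing that keeps re-creating the infection.
        if dll in bho_dlls:
            findings.append(Finding("bho_also_winlogon_notify", dll,
                                    f"{dll} is both BHO {bho_dlls[dll].name} and Winlogon Notify '{n.name}'"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.rule}] {f.dll}: {f.detail}")
```

Run it against a saved log with `analyze(open("hijackthis.log").read())`. The rules only cover what the posted log shows; a real triage would also check each flagged DLL's hash at the scanners pskelley lists and look for the same DLL in other sections (O4 entries, services) before deciding what to remove.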

tashi
2006-08-05, 18:37
This topic is closed.

If you need it re-opened please send me a pm and provide a link to the thread.
Applies only to the original topic starter.

Thank you Phil.