Virtumonde or other nasty virus

Motoman

New member
Hi,

I've used Dr. Web Cure It and Vundo Fix, but have not achieved the desired result of ridding my computer of the virus. I am using the beta version of Hijack This.

I keep getting unwanted messenger service pop ups, and it seems that IEXPLORE.EXE keeps opening IE web pages without my consent.

Is there any way possible to identify who created this virus? They should go to jail.

I appreciate your help and look forward to your instructions! Thanks!
 
Hello Motoman,

Welcome to Safer Networking.

Please read Before You Post

I really can't offer you any help until I see a HijackThis log.


  • Open HJT Scan and Save a Log File, it will open in Notepad
  • Go to Format and make sure Wordwrap is Unchecked
  • Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread using Post Reply (do not start a new thread).
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
 
Here you go:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:40:58 PM, on 9/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LVCOMSX.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Alex\Desktop\problems.exe.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {47473506-841B-425E-9399-23C6A0ED4FD4} - C:\WINDOWS\System32\mljjj.dll
O2 - BHO: FCBHOBHO Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} - C:\Program Files\FlashCapture\FCBHO.dll
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\System32\somqjmwr.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\lpqpuhdr.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Save F&lash with FlashCapture - res://C:\Program Files\FlashCapture\FCIEXT.dll/FCIEXT.htm
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\FCIEXT.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\ekjewvhe.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

--
End of file - 3477 bytes
 
You have a pretty lean log.

Combofix will take care of an infection you have.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


I can't see where you have HJT installed.

We need HJT to be in its own folder for backup purposes. I would prefer that you delete HJT from where you have it installed and reinstall it like this:

Download and install Trend Micro's HijackThis

Download the Trend Micro HijackThis installer and follow the defaults; it will install in C:\Program Files\Trendmicro\Hijackthis, which is exactly where we want it to be.



This is important
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right-click on HijackThis.exe (it looks like a man with a spyglass) and rename it to Scanner.exe
 
Here you go:

ComboFix 07-09-14.2 - "Alex" 2007-09-15 15:11:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.297 [GMT -5:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\Alex\MYDOCU~1\ASEMBL~1
C:\DOCUME~1\Alex\MYDOCU~1\ASEMBL~1\a?sembly\
C:\DOCUME~1\Alex\STARTM~1\Programs\Outerinfo
C:\DOCUME~1\Alex\STARTM~1\Programs\Outerinfo\Terms.lnk
C:\DOCUME~1\Alex\STARTM~1\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\WINDOWS\cookies.ini
C:\WINDOWS\dobe~1
C:\WINDOWS\SYSTEM32\avhbdwpb.ini
C:\WINDOWS\system32\bpwdbhva.dll
C:\WINDOWS\system32\fcitclxr.exe
C:\WINDOWS\system32\fmwbrjeh.exe
C:\WINDOWS\SYSTEM32\jjjlm.bak1
C:\WINDOWS\SYSTEM32\jjjlm.bak2
C:\WINDOWS\SYSTEM32\jjjlm.ini
C:\WINDOWS\SYSTEM32\jjjlm.ini2
C:\WINDOWS\SYSTEM32\jjjlm.tmp
C:\WINDOWS\system32\lpqpuhdr.dll
C:\WINDOWS\system32\mljjj.dll
C:\WINDOWS\system32\nfktstfk.exe
C:\WINDOWS\SYSTEM32\rdhupqpl.ini
C:\WINDOWS\system32\somqjmwr.dll
C:\WINDOWS\system32\tsuubbcr.exe
C:\WINDOWS\system32\vpeklxqm.dll
C:\WINDOWS\system32\vpxayemk.dll
C:\WINDOWS\system32\wuikhgwl.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-08-15 to 2007-09-15 )))))))))))))))))))))))))))))))
.

2007-09-15 15:10 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-15 12:17 <DIR> d-------- C:\DOCUME~1\Alex\APPLIC~1\Viewpoint
2007-09-14 00:32 33,792 --a------ C:\WINDOWS\ieuninst.exe
2007-09-13 23:19 <DIR> d-------- C:\VundoFix Backups
2007-09-13 06:03 <DIR> d-------- C:\DOCUME~1\Alex\DoctorWeb
2007-09-09 15:50 <DIR> d-------- C:\Program Files\Google
2007-09-09 15:50 <DIR> d-------- C:\DOCUME~1\Alex\APPLIC~1\Google
2007-09-09 15:49 13,416,432 --a------ C:\Program Files\Google_Earth_BZXD.exe
2007-09-05 23:24 <DIR> d-------- C:\Deserted Seas
2007-09-03 19:57 2,109,802 --ahs---- C:\WINDOWS\SYSTEM32\mlnmp.ini2
2007-09-03 10:27 <DIR> d-------- C:\WINDOWS\backups
2007-09-01 20:51 2,088,520 --ahs---- C:\WINDOWS\SYSTEM32\mlnmp.bak1
2007-08-25 01:49 28,352 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MxlW2k.sys
2007-08-20 22:10 <DIR> d-------- C:\Program Files\Alwil Software
2007-08-20 07:59 1,893,383 --a------ C:\Program Files\stinger.exe
2007-08-18 11:58 <DIR> d-------- C:\WINDOWS\pss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-08 21:25 --------- d-------- C:\Program Files\eMule
2007-09-08 11:31 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
2007-09-04 07:50 --------- d-------- C:\Program Files\MUSICMATCH
2007-09-03 14:06 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-02 22:55 17 --a------ C:\Program Files\stinger.opt
2007-08-25 01:48 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-23 18:25 --------- d-------- C:\Program Files\HP DeskJet 710C Series
2007-08-23 18:24 --------- d-------- C:\Program Files\Dynamics Student Version 6.0
2007-08-23 15:38 --------- d-------- C:\Program Files\Real Alternative
2007-08-23 15:38 --------- d-------- C:\Program Files\Qwest QuickConnect
2007-08-20 22:30 --------- d-------- C:\Program Files\settings part bags
2007-08-01 07:45 --------- d-------- C:\Program Files\Audible
2007-08-01 07:11 --------- d-------- C:\DOCUME~1\Alex\APPLIC~1\AdobeUM
2007-07-31 21:31 --------- d-------- C:\DOCUME~1\Alex\APPLIC~1\eMule
2007-07-30 18:58 --------- d-------- C:\Program Files\MSN Messenger
2007-07-30 14:37 --------- d-------- C:\Program Files\Support.com
2007-07-30 14:15 27917104 --a------ C:\Program Files\downloadable_install_wizard.exe
2007-06-16 10:37 45056 --a--c--- C:\WINDOWS\NCUNINST.EXE
2006-07-01 00:59 3886407 --a------ C:\Program Files\tvc.exe
2006-06-30 23:09 98377 --a------ C:\Program Files\flvplayer_sources.zip
2006-02-05 23:15 1094021 --a------ C:\Program Files\dvdshrink32setup.zip
2005-10-13 17:28 4878136 --a--c--- C:\Program Files\Firefox Setup 1.0.7.exe
2005-08-23 17:59 5213 --a------ C:\Program Files\acttmp.dat
2005-08-23 17:58 1220 --a--c--- C:\Program Files\sonoma.conf
2005-06-13 09:37 173176 --a--c--- C:\Program Files\TSCC.codec.exe
2005-05-20 10:39 174677 --a------ C:\Program Files\GSpot.zip
2005-02-24 23:07 12637989 --a--c--- C:\Program Files\dBpowerAMP.Music.Converter.11.[Most.Used.Codecs.Included].rar
2005-02-06 19:26 107 --a--c--- C:\Program Files\Serial Iso Buster 1.6.txt
2005-02-03 01:49 30399114 --a--c--- C:\Program Files\Ahead.Nero.Burning.ROM.v6.6.0.6.Ultra.Edition.ORION.rar
2005-01-28 03:00 80 --a--c--- C:\Program Files\Boilsoft Rm Converter 2.21 Serial.txt
2005-01-22 18:30 1146750 --a--c--- C:\Program Files\audio.playback.recorder.3.6.crack-rev.rar
2005-01-03 23:57 487544 --a--c--- C:\Program Files\msgr6suite.exe
2004-12-13 20:51 3176857 --a------ C:\Program Files\JOINER.zip
2004-10-31 22:01 9449398 --a--c--- C:\Program Files\DIKOSetup.exe
2004-10-26 22:28 916452 --a--c--- C:\Program Files\DSD.EXE
2004-10-26 03:57 1228 --a--c--- C:\Program Files\INSTALL.LOG
2004-10-26 03:55 323110 --a--c--- C:\Program Files\pclepim1.exe
2004-10-13 23:32 1086226 --a--c--- C:\Program Files\ac3tool10.exe
2004-10-04 02:41 827855 --a--c--- C:\Program Files\SetupDVDDecrypter_3.5.1.0.exe
2004-09-20 23:10 8414880 --a--c--- C:\Program Files\TMPGEnc-2.521.58.169-Plus-EN-Installer-DL.exe
2004-09-18 20:34 344892 --a--c--- C:\Program Files\defs.zip
2004-09-16 17:10 370688 --a--c--- C:\Program Files\befsr-v1.46.02_code.bin
2004-09-16 08:48 67072 --a------ C:\Program Files\NOTEPAD.EXE
2004-09-16 01:18 193152 --a--c--- C:\Program Files\aviwav33.zip
2004-09-16 01:11 7680064 --a--c--- C:\Program Files\DivX521XP2K.exe
2004-09-15 09:32 10135688 --a--c--- C:\Program Files\MPSetupXP.exe
2004-09-14 21:59 2064870 --a--c--- C:\Program Files\ffdshow-20040828.exe
2004-09-14 21:35 1999576 --a--c--- C:\Program Files\ffdshow-20040725.exe
2004-09-12 22:46 614943 --a--c--- C:\Program Files\lame-3.96.1.zip
2004-09-08 02:18 4354084 --a--c--- C:\Program Files\spybotsd13.exe
2004-08-01 18:55 1004712 --a--c--- C:\Program Files\wrar330.exe
2004-05-06 22:43 2374 --a--c--- C:\DOCUME~1\Alex\sysdump.bin
2004-04-11 21:59 1291040 --a--c--- C:\Program Files\WindowsXP-KB823980-x86-ENU.exe
2004-04-04 23:16 1140084 --a--c--- C:\Program Files\Ares 1.81 setup.exe
2004-04-04 19:37 6262872 --a--c--- C:\Program Files\psa2se_us.exe
2004-04-04 19:37 16706160 --a--c--- C:\Program Files\AdbeRdr60_enu_full.exe
2004-03-19 22:26 14975879 --a--c--- C:\Program Files\stcd3setup_sonic.exe
2004-03-03 20:17 4304896 --a--c--- C:\Program Files\all_plugins.exe
2004-03-03 20:02 836608 --a--c--- C:\Program Files\iview385.exe
2004-03-03 18:17 7788331 --a--c--- C:\Program Files\Nimo50Build9Beta1.exe
2004-03-03 18:16 246816 --a--c--- C:\Program Files\DivXLight-511.exe
2004-03-03 04:46 217329 --a--c--- C:\Program Files\gspot221.exe
1998-02-10 18:34 128000 --a--c--- C:\Program Files\UNWISE.EXE
2005-10-23 04:02:09 10,022 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMSX"="C:\WINDOWS\System32\LVCOMSX.EXE" [2004-10-08 11:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-07-16 11:20]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2007-06-20 23:41:44]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 14:36:04]

C:\DOCUME~1\Alex\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 14:36:04]

C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2007-06-20 23:41:44]

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 14:36:04]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\System32\\mljjj

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk.disabled
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnk.disabledCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk.disabled
backup=C:\WINDOWS\pss\Microsoft Office.lnk.disabledCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bihbaw]
C:\WINDOWS\?dobe\??chost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMModule2]
"C:\Program Files\ISM\ISMModule2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
"C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu11.exe 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\System32\ctfmon.exe
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Dumb Roam"=C:\PROGRA~1\SETTIN~1\Copy Seek Bows.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"kdx"=C:\WINDOWS\kdx\KHost.exe
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"DVDSentry"=C:\WINDOWS\System32\DSentry.exe
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
"MCUpdateExe"=C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"Dumb Roam"=C:\PROGRA~1\SETTIN~1\Copy Seek Bows.exe
"MCAgentExe"=c:\PROGRA~1\mcafee.com\agent\McAgent.exe
"McRegWiz"=c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
"DwlClient"=C:\Program Files\Common Files\Dell\EUSW\Support.exe

S2 .NET Connection Service;.NET Framework Service;C:\WINDOWS\svchost.exe
S2 HPFECP13;HPFECP13;C:\WINDOWS\System32\drivers\HPFECP13.SYS
S3 EL90X;3Com EtherLink XL 90X Adapter Driver;C:\WINDOWS\System32\DRIVERS\el90xnd5.sys

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-15 15:15:27
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-15 15:16:00 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-15 15:15
.
--- E O F ---

AND

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:30:14 PM, on 9/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FCBHOBHO Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} - C:\Program Files\FlashCapture\FCBHO.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Save F&lash with FlashCapture - res://C:\Program Files\FlashCapture\FCIEXT.dll/FCIEXT.htm
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\FCIEXT.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

--
End of file - 2770 bytes

Thanks for your help!!!
 
Thanks for your help!!!
No problem

ComboFix removed DOMAINSERVICE, which was a virus.

Svchost.exe resides in the system32 folder; in any other place it's a virus. This is what we need to do.

  • Go to Start> Run and type in services.msc then press Enter
  • Scroll down to .NET Framework Service
  • Double Click that service to open it.
  • Click on Stop Service.
  • Then change the Startup Type to Disabled.
  • OK your way out of the program.


  • Open HJT > Misc Tools > Delete an NT Service
  • Type in .NET Connection Service
  • Then click on OK, it will ask you to reboot, do so.



1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:
Files to Delete:
C:\WINDOWS\svchost.exe 

Folders to delete:
C:\Program Files\WinPop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply


There are still a few things we need to remove, one step at a time; I don't want to overwhelm you.

Let me see the Avenger log and a new HJT log please
 
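The helper's rule above (svchost.exe belongs in the system32 folder and nowhere else) is easy to apply mechanically to a HijackThis log. The following script is an added example, not a tool from this thread or from Trend Micro; it parses the process list and O4/O23 entries, flags any svchost.exe outside <drive>:\Windows\System32, and, as an added heuristic of my own, marks unknown-owner services whose binary is missing for review. The sample log is constructed from entries quoted in this thread.

```python
"""Triage a HijackThis log for the svchost.exe location check used in this thread."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Sample input constructed for this example from entries quoted in the thread's logs.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\ekjewvhe.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# First drive-letter path ending in .exe on a line. HJT writes paths unquoted, so a
# non-greedy match up to the extension keeps "Program Files"-style spaces intact.
EXE_PATH = re.compile(r"([A-Za-z]:\\.*?\.exe)", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high" = act on it, "review" = confirm before touching anything
    reason: str
    line: str


def extract_exe_path(line: str):
    """Return the first <drive>:\...\name.exe path on the line, or None."""
    m = EXE_PATH.search(line)
    return m.group(1) if m else None


def in_system32(path: str) -> bool:
    """True only for <drive>:\Windows\System32 (or WinNT), not any folder named system32."""
    parts = [p.lower() for p in PureWindowsPath(path).parent.parts]
    return len(parts) == 3 and parts[1] in ("windows", "winnt") and parts[2] == "system32"


def svchost_outside_system32(path: str) -> bool:
    """The thread's rule: svchost.exe anywhere but the real System32 folder is suspect."""
    return PureWindowsPath(path).name.lower() == "svchost.exe" and not in_system32(path)


def triage(log_text: str):
    """Walk every log line and collect findings; lines without an .exe path are skipped."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        path = extract_exe_path(line)
        if path is None:
            continue
        if svchost_outside_system32(path):
            findings.append(Finding("high", "svchost.exe outside System32", line))
        # Added heuristic (not a rule stated in the thread): a service whose binary is gone
        # and whose vendor is unknown is a leftover worth confirming, as DomainService was.
        if line.startswith("O23") and "Unknown owner" in line and "(file missing)" in line:
            findings.append(Finding("review", "unknown-owner service with missing binary", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}: {f.line}")
```

On the sample log it reports one high finding, the .NET Connection Service pointing at C:\WINDOWS\svchost.exe, and two services for review.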
After I clicked the green light icon in Avenger, I hit yes once, and when I tried to hit yes a second time, I got this error message:

Error code: 0
Error logged to errorlog.txt. Aborting now!
 
That's a new one on me; try this program instead.

Do this after you disable the service

Please download OTMoveIt by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\svchost.exe
    C:\Program Files\WinPop
  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
 
Hi,

I had a problem with OT Moveit, so I tried Avenger again, and it seemed to work! Below are the text files you requested:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jpsbqadx

*******************

Script file located at: \??\C:\WINDOWS\System32\cxanjoys.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\svchost.exe not found!
Deletion of file C:\WINDOWS\svchost.exe failed!

Could not process line:
C:\WINDOWS\svchost.exe
Status: 0xc0000034



Folder C:\Program Files\WinPop not found!
Deletion of folder C:\Program Files\WinPop failed!

Could not process line:
C:\Program Files\WinPop
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

AND

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:32:50 PM, on 9/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FCBHOBHO Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} - C:\Program Files\FlashCapture\FCBHO.dll
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Save F&lash with FlashCapture - res://C:\Program Files\FlashCapture\FCIEXT.dll/FCIEXT.htm
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\FCIEXT.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

--
End of file - 2603 bytes
 
Let's try looking yourself and make sure they're gone.

We need to make sure all hidden files are showing :
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Once your system is clean, we suggest that you reverse this to keep critical Windows files from accidentally being deleted.

Delete them if present
C:\WINDOWS\svchost.exe Be careful of this one because the one in windows\system32 is legit.
C:\Program Files\WinPop

Quote:
REGEDIT4

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\System32\\mljjj

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Dumb Roam"=C:\PROGRA~1\SETTIN~1\Copy Seek Bows.exe

Copy the entire contents inside the Quote box and paste it into Notepad (this will only work with Notepad). Name the file Regfix.reg and, in the drop-down box, save it as All Files. Save it to your desktop. Then right-click on the Regfix.reg file and click on Merge; when it asks you to merge with the Registry, say yes.


Although your log looks clean, I see a marker in ComboFix for the Lop infection, so let's run this tool and make sure it's not present.

Please Download No Lop to your desktop

  • First close any other programs you have running as this will require a reboot
  • Double click NoLop.exe to run it
  • Now click the button labeled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the "REBOOT" Button.
  • A message should pop up from NoLop. If not, double-click the program again and it will finish. Please post the contents of C:\NoLop.log after completing the next steps.
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.

Post the NoLop log and let me know how your system is running now.
 
 
Hi again. Here's the text file:

NoLop! Log by Skate_Punk_21

Please Note: any existing old logs will have now been renamed to NoLop!OLD.log

Fix running from: C:\Documents and Settings\Alex\Desktop
[9/16/2007]
[1:06:04 AM]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Identities
C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\Administrator\Application Data\Real
C:\Documents and Settings\Administrator\Application Data\Sonic
C:\Documents and Settings\Administrator\Application Data\Sun
C:\Documents and Settings\Alex\Application Data\Adobe
C:\Documents and Settings\Alex\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Alex\Application Data\Ahead
C:\Documents and Settings\Alex\Application Data\Apple Computer
C:\Documents and Settings\Alex\Application Data\Arcsoft
C:\Documents and Settings\Alex\Application Data\Cyberlink
C:\Documents and Settings\Alex\Application Data\Emule
C:\Documents and Settings\Alex\Application Data\Fotowire
C:\Documents and Settings\Alex\Application Data\Google
C:\Documents and Settings\Alex\Application Data\Help
C:\Documents and Settings\Alex\Application Data\Hp
C:\Documents and Settings\Alex\Application Data\Identities
C:\Documents and Settings\Alex\Application Data\Image Zone Express
C:\Documents and Settings\Alex\Application Data\Jasc
C:\Documents and Settings\Alex\Application Data\Jasc Software Inc
C:\Documents and Settings\Alex\Application Data\Lavasoft
C:\Documents and Settings\Alex\Application Data\Macromedia
C:\Documents and Settings\Alex\Application Data\Media Player Classic
C:\Documents and Settings\Alex\Application Data\Microsoft
C:\Documents and Settings\Alex\Application Data\Mozilla
C:\Documents and Settings\Alex\Application Data\Msninstaller
C:\Documents and Settings\Alex\Application Data\Real
C:\Documents and Settings\Alex\Application Data\Sonic
C:\Documents and Settings\Alex\Application Data\Sony Corporation
C:\Documents and Settings\Alex\Application Data\Sun
C:\Documents and Settings\Alex\Application Data\Viewpoint
C:\Documents and Settings\Alex\Application Data\Vlc
C:\Documents and Settings\Alex\Application Data\Yahoo!
C:\Documents and Settings\Alex\Application Data\Yahoo! Messenger
C:\Documents and Settings\Alex.motopimp\Application Data\Microsoft
C:\Documents and Settings\Alex.motopimp\Application Data\Real
C:\Documents and Settings\Alex.motopimp\Application Data\Sonic
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Dell
C:\Documents and Settings\All Users\Application Data\Dvd Shrink
C:\Documents and Settings\All Users\Application Data\Hp
C:\Documents and Settings\All Users\Application Data\Mcafee.com
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Msn6
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Real -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Sbsi
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Jasc Software Inc
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User\Application Data\Real
C:\Documents and Settings\Default User\Application Data\Sonic
C:\Documents and Settings\Default User\Application Data\Sun
C:\Documents and Settings\Localservice\Application Data\Macromedia
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft

My computer seems to be running better now!

I have one concern though about this part that you asked me to perform:


Quote:
REGEDIT4

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\System32\\mljjj

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Dumb Roam"=C:\PROGRA~1\SETTIN~1\Copy Seek Bows.exe
Copy the entire contents inside the Quote box and paste it into Notepad (this will only work with Notepad). Name the file Regfix.reg and, in the drop-down box, save it as All Files. Save it to your desktop. Then right-click on the Regfix.reg file and click on Merge; when it asks you to merge with the Registry, say yes.

We got rid of the WinPop file and the mljjj file, but now according to your instructions, it appears that we are adding them back into my registry? Could you please explain this? Thanks so much for all of your help!!!
 
How to delete keys and values from the registry:
Create a reg file like this, notice the hyphen inside the first bracket

REGEDIT4
[-HKEY_CURRENT_USER\SomeKey]
Notice the - sign inside the bracket. This will remove them, but if you feel uncomfortable with this you can bypass it.

How is everything running now??
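Added example (my code, not from the thread or the forum): a small Python checker for the REGEDIT4 deletion syntax explained above, run over the fix posted earlier and a constructed value-scoped alternative. It assumes an illustrative list of critical keys, and is meant to show the difference between `[-Key]` (remove the whole key) and `"Name"=-` (remove one value) before a .reg file is merged.

```python
# Added example, not from the thread: audit a REGEDIT4 .reg file before merging.
# "[-Key]" deletes the WHOLE key and everything under it; '"Name"=-' deletes one value.
import re

# Keys whose removal breaks boot/logon (illustrative list, upper-cased for comparison).
CRITICAL_KEYS = (r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA",)
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')

def parse_reg(text):
    """Return (op, key, value_name) tuples; op is delete_key, delete_value or set_value.
    Lines that are neither a key header nor a value (e.g. a bare path) are ignored, as regedit does."""
    ops, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            if m.group("delete"):
                ops.append(("delete_key", key, None))
                key = None  # regedit ignores value lines under a deleted key
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            op = "delete_value" if m.group("data").strip() == "-" else "set_value"
            ops.append((op, key, m.group("name")))
    return ops

def audit(text):
    """Warn about whole-key deletions of critical keys."""
    return [f"[-{key}] removes the entire key, not a single value"
            for op, key, _ in parse_reg(text)
            if op == "delete_key" and key.upper().startswith(CRITICAL_KEYS)]

# The fix as posted in the thread: every entry is a whole-key deletion.
POSTED_FIX = r"""REGEDIT4
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\System32\\mljjj
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Dumb Roam"=C:\PROGRA~1\SETTIN~1\Copy Seek Bows.exe
"""
# Value-scoped alternative (constructed): drops only the one Run- entry and leaves the key.
SCOPED_FIX = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Dumb Roam"=-
"""
```

Run over the posted file, `audit` reports one warning, for the Lsa key: that deletion removes required values such as Authentication Packages together with the unwanted entry, which is consistent with the lsass.exe error reported later in the thread.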
 
My computer seems to be running a lot better, thanks!!! Internet Explorer is no longer starting automatically like before, and I am no longer receiving the annoying 'messenger service message pop ups'.

I still have a text file named "check_LSA7", and I noticed in the regfix file we have
Quote:
REGEDIT4

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\System32\\mljjj

I suspected that this text file is associated with the virus. Should I also delete this text file? Also, is this text file responsible for the production of the mljjj file?

Thanks!!!
 
mljjj: this was part of the infection you had; yes, delete them both.

Glad things are better :bigthumb:
 
Red Alert! Code Blue! Emergency! I performed the regedit fix (where I copied and pasted the text you had indicated to a notepad file and named it regfix), and now after I rebooted my computer, I get a stopping error (the red button with the white X) that says, “lsass.exe-system error object not found”. Windows won’t even start now! I tried re-installing windows (which is a valid legal version), and I keep getting this same error message! I am in panic mode right now, and would greatly appreciate any help to resolve this. :oops: Thanks.
 
Restart your computer and immediately tap the F8 key. It will bring up a menu; use your up and down arrow keys to scroll to LAST KNOWN GOOD and hit Enter on your keyboard.
 
I don't know what the configuration is on your computer, but try starting it and look for the setup key (it may be F1 or F2), and try getting into the Recovery Mode and do a Repair.

It looks like you did the regfix and all was well; did this happen after you deleted check_LSA7?
 
Using the F8 key, are you able to get into Safe Mode? Normally if you can get into Safe Mode you can restart your computer and it will boot normally. Once in Windows, try doing a system restore.

Go to Start> Control Panel> (you need to be in Category View) Performance and Maintenance> System Restore> Restore My Computer to an Earlier Time
If not, the best way to go is to do a repair of Windows; this is not a full reinstall, it just repairs your current copy of Windows.

http://www.help2go.com/Tutorials/Windows/How_To_Repair_XP_and_Avoid_a_Full_Reinstall.html
http://www.michaelstevenstech.com/XPrepairinstall.htm

Let me know if this helped
 