[Trojan] HJT Log: Having trouble with virus/spyware in Security Cleanup

[Trojan] HJT Log: Having trouble with virus/spyware in Security Cleanup http://www.dslreports.com/forum/r20337393 en Tue, 02 Dec 2008 05:12:15 EDT Tue, 02 Dec 2008 05:12:15 EDT Re: [Trojan] HJT Log: Having trouble with virus/spyware http://www.dslreports.com/forum/remark,20338386 LoPhatPhuud : First:
Please download ATF Cleaner

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
[u]If you use Firefox browser[/u]Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
[u]If you use Opera browser[/u]Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Second:
Please download MalwareBytes and save it to your Desktop
[*]Make sure you are connected to the Internet.
[*]Double-click on Download_mbam-setup.exe to install the application. (If using Windows Vista, be sure to
»windowshelp.microsoft.com/Window···mspx]Run As Administrator
[*]When the installation begins, follow the prompts and do not make any changes to default settings.
[*]When installation has finished, make sure you leave both of these checked:[list]
[*]Update Malwarebytes' Anti-Malware
[*]Launch Malwarebytes' Anti-Malware
[*]Then click Finish.
[*]MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
[*][i][color=green]If you encounter any problems while downloading the updates, manually download them from[/color] [COLOR=blue]here[/COLOR] and just double-click on mbam-rules.exe to install.
[*]On the Scanner tab:
[*]Make sure the "Perform Quick Acan" option is selected.
[*]Then click on the Scan button.
[*]The next screen will ask you to select the drives to scan. Leave [u]all the drives[/u] selected and click on the Start Scan button.
[*]The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
[*]When the scan is finished, a message box will say "[color=green]The scan completed successfully. Click 'Show Results' to display all objects found[/color]".
[*]Click OK to close the message box and continue with the removal process.
[*]Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
[*]The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
[*]Copy and paste the contents of that report in your next reply and exit MBAM.[/list]Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Third:
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: »www.bleepingcomputer.com/combofi···combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
[*]Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

[color=blue]Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall[/color]

--
When angry count four; when very angry, swear.

Microsoft MVP Consumer Security

Gladiator Security Forum]]> http://www.dslreports.com/forum/remark,20338386 Tue, 15 Apr 2008 14:49:20 EDT [Trojan] HJT Log: Having trouble with virus/spyware http://www.dslreports.com/forum/remark,20337393 oofgeg : I've been having trouble with this computer. It seems like it has spyware and/or a virus because the symantec antivirus is warning me, plus there are pop ups from spybot. I am currently running both of those scans, but no results so far. This spyware/virus also has changed the background on the computer and added suspicious exe files around the computer that I have tried my best to find and delete. Do you think you can help me from this log?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:24 AM, on 4/15/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP1 (5.51.4807.2300)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\drivers\spools.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Symantec AntiVirus\VPC32.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\MsiExec.exe
C:\WINNT\explorer.exe
C:\Program Files\HiJack.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
F2 - REG:system.ini: Shell=Explorer.exe "C:\d.exe"
O2 - BHO: (no name) - {53523F59-DDD0-4A81-B85A-F7C2FFBA0DCD} - C:\WINNT\system32\pmnkLbAS.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll (file missing)
O2 - BHO: (no name) - {8E1BFC0E-8AD2-424D-AC8A-06038481516E} - C:\WINNT\system32\tuvVNDwt.dll
O2 - BHO: 403445 helper - {9E654A16-4765-4EAA-94EC-D5A6578053A4} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\dmanning\cftmon.exe
O4 - HKLM\..\Run: [684fa9ee] rundll32.exe "C:\WINNT\system32\lgqgipsk.dll",b
O4 - HKLM\..\Run: [ntuser] C:\WINNT\system32\drivers\spools.exe
O4 - HKCU\..\Run: [invimthu] C:\WINNT\system32\bgxovizw.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ntuser] C:\WINNT\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\dmanning\cftmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [FVQUAEwWDY] C:\Documents and Settings\All Users\Application Data\adevwvsx\wneruvsr.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\outlook2k\Office\OSA9.EXE
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - »www.ieservicegate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - »www.ieservicegate.com/redirect.php (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {15905893-E335-4597-AAA6-406A02886ED6} - »www.bookingplus.com/ishield/Down···etup.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - »scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {29EF91B9-7120-477C-A5CB-2D67F2FD088C} (TeleControl Class) - »https://raritan/wrc.cab
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - »208.254.39.208/viewer9/activeXVi···ewer.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1540.g.akamai.net/7/1540/52/200···ller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - »software-dl.real.com/20e9ade6431···E601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - »a1540.g.akamai.net/7/1540/52/200···ller.exe
O16 - DPF: {7B2D3FF7-6016-4041-B71B-B0F25EE3EE60} - »208.254.39.202/installshield_sta···etup.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - »installs.spamblockerutility.com/···lity.cab
O16 - DPF: {95AEAF20-6005-43A3-BEBC-5CF85776C5BC} - »www.bookingplus.com/Downloads/setup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mac.ad
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mac.ad
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mac.ad
O20 - Winlogon Notify: tuvVNDwt - C:\WINNT\SYSTEM32\tuvVNDwt.dll
O22 - SharedTaskScheduler: hemimorphite - {12a31567-9883-4cc0-a684-ad5804394d69} - C:\WINNT\system32\vualf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINNT\system32\drivers\spools.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7804 bytes]]> http://www.dslreports.com/forum/remark,20337393 Tue, 15 Apr 2008 12:03:10 EDT