
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:55:00, on 09.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
C:\Programfiler\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programfiler\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe
C:\Programfiler\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe
C:\Programfiler\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Programfiler\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\FELLES~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programfiler\Fellesfiler\PCSuite\Services\ServiceLayer.exe
C:\Programfiler\Skype\Plugin Manager\skypePM.exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jarle Lystad\Skrivebord\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\JARLEL~1\LOKALE~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programfiler\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programfiler\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programfiler\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Programfiler\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BM0f7886b3] Rundll32.exe "C:\WINDOWS\system32\dxvwnean.dll",s
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programfiler\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programfiler\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [PcSync] C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} (CU LiveUpdate Control) - http://nettdaten.meetheworld.no/nettdaten/runtime/pic/inner_pic/packages/liveupdate.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp04.photoprintit.de/microsite/5026/defaults/activex/ImageUploader3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programfiler\Fellesfiler\PCSuite\Services\ServiceLayer.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7446 bytes

SDFix:


SDFix: Version 1.168
Run by Jarle Lystad on 09.04.2008 at 16:25

Microsoft Windows XP [Versjon 5.1.2600]
Running From: C:\DOCUME~1\JARLEL~1\SKRIVE~1\SDFix\SDFix

Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files:

Trojan Files Found:

C:\WINDOWS\xpupdate.exe  - Deleted





Removing Temp Files

ADS Check:
 


Final Check:

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 16:42:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000f3d058367]
"00180fd1b0fc"=hex:01,e7,11,c4,ed,cf,ed,86,02,64,4f,13,46,bd,9b,f6
"00174b654abe"=hex:74,d4,6b,6e,c4,99,df,5d,9f,8c,9d,a3,56,c5,4f,93
"0018af9d46cc"=hex:50,53,fa,29,45,86,13,0f,05,89,f8,e2,1e,4c,12,3e
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000f3d058367]
"00180fd1b0fc"=hex:01,e7,11,c4,ed,cf,ed,86,02,64,4f,13,46,bd,9b,f6
"00174b654abe"=hex:74,d4,6b,6e,c4,99,df,5d,9f,8c,9d,a3,56,c5,4f,93
"0018af9d46cc"=hex:50,53,fa,29,45,86,13,0f,05,89,f8,e2,1e,4c,12,3e

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programfiler\\Azureus\\Azureus.exe"="C:\\Programfiler\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Programfiler\\Fellesfiler\\First Virtual Communications\\CUCore.exe"="C:\\Programfiler\\Fellesfiler\\First Virtual Communications\\CUCore.exe:*:Enabled:Conferencing Engine Server"
"C:\\Programfiler\\MSN Messenger\\msncall.exe"="C:\\Programfiler\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"="C:\\Programfiler\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programfiler\\MSN Messenger\\livecall.exe"="C:\\Programfiler\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Programfiler\\iTunes\\iTunes.exe"="C:\\Programfiler\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Programfiler\\Skype\\Phone\\Skype.exe"="C:\\Programfiler\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programfiler\\MSN Messenger\\msncall.exe"="C:\\Programfiler\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"="C:\\Programfiler\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programfiler\\MSN Messenger\\livecall.exe"="C:\\Programfiler\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:


File Backups: - C:\DOCUME~1\JARLEL~1\SKRIVE~1\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 10 Aug 2006         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Finished!

I appreciate all the help.
JaY


Hi,

Forgot to add to my thread... I have some problems with popups when starting IE; they send me to a lot of sites. The reason: I downloaded MapSource for a Garmin GPS.
I think I have got some nasties that control my computer...

I appreciate all the help I can get. I tried some programs to clean it, but the problem is still there, so therefore I posted an HJT log.

JaY


Hello, Jay, start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\JARLEL~1\LOKALE~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [BM0f7886b3] Rundll32.exe "C:\WINDOWS\system32\dxvwnean.dll",s

Good, now delete these 2 files:
C:\DOCUME~1\JARLEL~1\LOKALE~1\Temp\UIUCU.EXE
C:\WINDOWS\system32\dxvwnean.dll
.
Clean:
==Get CCleaner from http://www.ccleaner.com/ and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin right-click menu using its default settings [if you set up CCleaner as I suggested, right-clicking the bin icon should give you the Open CCleaner option...].
If you have Firefox, open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]

Scan:
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.


Hi, when I reboot my computer I get a message: can't find C:\WINDOWS\system32\dxvwnean.dll.

and here is the log from AVG:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:38:11 12.04.2008

+ Scan result:

C:\System Volume Information\_restore{2DE4DD7A-95AD-4DF3-B8BF-6094F5DD25AF}\RP384\A0036142.dll -> Adware.Agent : Cleaned.
C:\System Volume Information\_restore{2DE4DD7A-95AD-4DF3-B8BF-6094F5DD25AF}\RP384\A0036165.exe -> Adware.Agent : Cleaned.
C:\System Volume Information\_restore{2DE4DD7A-95AD-4DF3-B8BF-6094F5DD25AF}\RP387\A0036657.exe -> Adware.Agent : Cleaned.
C:\System Volume Information\_restore{2DE4DD7A-95AD-4DF3-B8BF-6094F5DD25AF}\RP387\A0036719.dll -> Adware.BraveSentry : Cleaned.
C:\System Volume Information\_restore{2DE4DD7A-95AD-4DF3-B8BF-6094F5DD25AF}\RP387\A0036720.dll -> Adware.BraveSentry : Cleaned.
C:\System Volume Information\_restore{2DE4DD7A-95AD-4DF3-B8BF-6094F5DD25AF}\RP387\A0036721.dll -> Adware.BraveSentry : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Programdata\Adverts\uninst.exe -> Adware.Lop : Cleaned.
C:\System Volume Information\_restore{2DE4DD7A-95AD-4DF3-B8BF-6094F5DD25AF}\RP387\A0036656.exe -> Not-A-Virus.Adware.Agent : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\Cookies\liv lystad@msnportal.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\Documents and Settings\Jarle Lystad\Programdata\Mozilla\Firefox\Profiles\772uy5ao.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.16:C:\Documents and Settings\Jarle Lystad\Programdata\Mozilla\Firefox\Profiles\772uy5ao.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.19:C:\Documents and Settings\Jarle Lystad\Programdata\Mozilla\Firefox\Profiles\772uy5ao.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Cookies\liv lystad@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.25:C:\Documents and Settings\Jarle Lystad\Programdata\Mozilla\Firefox\Profiles\772uy5ao.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Cookies\liv lystad@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\Cookies\liv lystad@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.796:C:\Documents and Settings\Liv Lystad.DELL\Programdata\Mozilla\Firefox\Profiles\gvsv1z4v.default\cookies.txt -> TrackingCookie.Cqcounter : Cleaned.
:mozilla.20:C:\Documents and Settings\Jarle Lystad\Programdata\Mozilla\Firefox\Profiles\772uy5ao.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.74:C:\Documents and Settings\Liv Lystad.DELL\Programdata\Mozilla\Firefox\Profiles\gvsv1z4v.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.75:C:\Documents and Settings\Liv Lystad.DELL\Programdata\Mozilla\Firefox\Profiles\gvsv1z4v.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\Cookies\liv lystad@auto.search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
:mozilla.353:C:\Documents and Settings\Liv Lystad.DELL\Programdata\Mozilla\Firefox\Profiles\gvsv1z4v.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Cookies\liv lystad@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Cookies\liv lystad@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\Cookies\liv lystad@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\Cookies\liv lystad@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.21:C:\Documents and Settings\Liv Lystad.DELL\Programdata\Mozilla\Firefox\Profiles\gvsv1z4v.default\cookies.txt -> TrackingCookie.Statistik-gallup : Cleaned.
:mozilla.23:C:\Documents and Settings\Jarle Lystad\Programdata\Mozilla\Firefox\Profiles\772uy5ao.default\cookies.txt -> TrackingCookie.Statistik-gallup : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Cookies\liv lystad@statistik-gallup[1].txt -> TrackingCookie.Statistik-gallup : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\Cookies\liv lystad@statistik-gallup[2].txt -> TrackingCookie.Statistik-gallup : Cleaned.
C:\Documents and Settings\Liv Lystad.DELL\Cookies\liv lystad@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.6:C:\Documents and Settings\Jarle Lystad\Programdata\Mozilla\Firefox\Profiles\772uy5ao.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\System Volume Information\_restore{2DE4DD7A-95AD-4DF3-B8BF-6094F5DD25AF}\RP384\A0036143.exe -> Trojan.Agent : Cleaned.


::Report end


AVG should have solved your popup problem; you had a LOP infection.
Now, that missing file warning... that is the file we deleted. Did you also fix this hijackthis entry as I mentioned? It is the one that is calling that file.

O4 - HKLM\..\Run: [BM0f7886b3] Rundll32.exe "C:\WINDOWS\system32\dxvwnean.dll",s

Run hijackthis again and check for its presence, FIX it if it exists.
If it is not there and you are still getting the warning then please post the scan log.
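As an added example (not code from HijackThis, SDFix, AVG or any poster in this thread), the Python script below applies the reading gerbil did by hand to the O4 lines of a HijackThis log: it flags rundll32 loaders of random-named DLLs, value names that are bare hex digits, and autostarts launched from user-writable folders, and it lists which Run entries are new in a later log, which is the "check for its presence" step asked for above. The sample lines are copied from the logs posted in this thread; the three rule names and thresholds are my own heuristics, not anything HijackThis itself implements, and they only propose candidates for a person to confirm.

```python
"""Triage the O4 (autorun) entries of a HijackThis log.

Added example for this thread; not code from HijackThis, SDFix, AVG or the
posters.  The sample lines are copied from the logs posted above.  The three
rules are heuristics chosen to reproduce what gerbil picked out by eye; they
flag candidates for a human to confirm, nothing more.
"""
import re

# HijackThis O4 line:  O4 - <hive>\..\Run: [<name>] <command> (User '<account>')
O4_RUN = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_SUFFIX = re.compile(r" \(User '(?P<user>[^']*)'\)$")
# rundll32[.exe] "<path>.dll",<export>   (quotes optional, case-insensitive)
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?,(?P<export>\w*)', re.I)
# Value names that are nothing but hex digits, optionally two letters in front (BM0f7886b3)
HEX_NAME = re.compile(r"[A-Za-z]{0,2}[0-9a-f]{8,}")
# Folders a normal installer does not put an autostart binary in (8.3 and long forms)
WRITABLE_DIRS = ("\\docume~1\\", "\\documents and settings\\", "\\temp\\")


def parse_o4(log_text):
    """Return one dict per O4 Run/RunOnce line: hive, key, name, cmd, user."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue                      # Global Startup .lnk lines and non-O4 lines are skipped
        e = m.groupdict()
        e["user"] = None
        u = USER_SUFFIX.search(e["cmd"])
        if u:                             # HKUS entries carry the account name at the end
            e["user"] = u.group("user")
            e["cmd"] = e["cmd"][: u.start()]
        entries.append(e)
    return entries


def reasons_for(entry):
    """Return the heuristic rule names an entry trips (empty list = looks normal)."""
    reasons = []
    cmd = entry["cmd"]
    r = RUNDLL.match(cmd)
    if r:
        stem = r.group("dll").replace("/", "\\").rsplit("\\", 1)[-1][:-4]
        export = r.group("export")
        # Loader pattern seen in this thread: 6-12 random lowercase letters, 1-letter or 'run' export
        if re.fullmatch(r"[a-z]{6,12}", stem) and (len(export) <= 3 or export.lower() == "run"):
            reasons.append("random-dll-via-rundll32")
    if HEX_NAME.fullmatch(entry["name"]):
        reasons.append("hex-value-name")
    if any(d in cmd.lower() for d in WRITABLE_DIRS):
        reasons.append("starts-from-user-writable-folder")
    return reasons


def triage(log_text):
    """Map 'hive\\..\\key: [name]' -> reasons, for every flagged entry in the log."""
    flagged = {}
    for e in parse_o4(log_text):
        why = reasons_for(e)
        if why:
            flagged[f"{e['hive']}\\..\\{e['key']}: [{e['name']}]"] = why
    return flagged


def new_entries(before_text, after_text):
    """(hive, name) pairs present in the later log but not the earlier one."""
    seen = {(e["hive"], e["name"]) for e in parse_o4(before_text)}
    later = {(e["hive"], e["name"]) for e in parse_o4(after_text)}
    return sorted(f"{h}: [{n}]" for h, n in later - seen)


# Constructed samples: a handful of O4 lines copied from the first and third logs in this thread.
FIRST_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\JARLEL~1\LOKALE~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BM0f7886b3] Rundll32.exe "C:\WINDOWS\system32\dxvwnean.dll",s
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""
THIRD_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\RunOnce: [MessengerPlusUninstall] C:\WINDOWS\system32\cmd.exe /C "C:\DOCUME~1\JARLEL~1\LOKALE~1\Temp\MsgPlusUninst.bat"
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [BaseAbout] C:\DOCUME~1\LIVLYS~1.DEL\PROGRA~1\EGGSAU~1\BALMSKIPERROR.exe (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [MS Juan] rundll32 "C:\DOCUME~1\LIVLYS~1.DEL\LOKALE~1\Temp\nudxexdt.dll",run (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [0c4bb52f] rundll32.exe "C:\DOCUME~1\LIVLYS~1.DEL\LOKALE~1\Temp\uekxvetc.dll",b (User 'Liv Lystad')
"""

if __name__ == "__main__":
    for key, why in triage(THIRD_LOG).items():
        print(key, "->", ", ".join(why))
    print("new since first log:", new_entries(FIRST_LOG, THIRD_LOG))
```

Two things worth noticing when reading the output. The RunOnce entry for the Messenger Plus uninstaller is flagged because its batch file sits in Temp; that is the false positive a human resolves, and the script is written to over-report rather than miss a loader. And the per-user HKUS lines show why a fix made from one account did not end the popups: the same `0c4bb52f` name reappears under the other user's hive pointing at a fresh DLL in that user's Temp, which `new_entries` surfaces directly.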


Hmmm, it's strange. I am really sure that I deleted
O4 - HKLM\..\Run: [BM0f7886b3] Rundll32.exe "C:\WINDOWS\system32\dxvwnean.dll",s

the first time, but now it's deleted again. Looks like the computer works fine again.
I don't get the message about the missing file.

Thank you for all help.

JaY


Hi

This is really strange. I thought that I should post a last log from HJT. After scanning and saving the file, I opened my browser "firefox", and when I just hit enter to log on to daniweb, a popup window arrived, a poker site or something...

Can you see anything in this HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:45, on 13.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
C:\Programfiler\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programfiler\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe
C:\Programfiler\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programfiler\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\Musicmatch\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\FELLES~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programfiler\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Programfiler\Fellesfiler\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Logitech\Video\FxSvr2.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Programfiler\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Jarle Lystad\Skrivebord\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programfiler\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programfiler\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programfiler\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Programfiler\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [0c4bb52f] rundll32.exe "C:\WINDOWS\system32\oyhhojsk.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programfiler\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programfiler\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [PcSync] C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} (CU LiveUpdate Control) - http://nettdaten.meetheworld.no/nettdaten/runtime/pic/inner_pic/packages/liveupdate.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp04.photoprintit.de/microsite/5026/defaults/activex/ImageUploader3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programfiler\Fellesfiler\PCSuite\Services\ServiceLayer.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7676 bytes


JaY


Uninstall Messenger Plus as it comes bundled with LOP, the infection you were enjoying :). You can reinstall Messenger Plus without the sponsor.
Gerbil will fix up the other for you :)


Thanks Crunchie.

I scanned a new log; is the computer clean, gerbil?


JaY

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:56:39, on 13.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\Fellesfiler\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programfiler\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe
C:\Programfiler\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programfiler\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programfiler\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\FELLES~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programfiler\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Jarle Lystad\Skrivebord\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programfiler\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programfiler\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Programfiler\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [LexPPS.exe] C:\WINDOWS\system32\lexpps.exe
O4 - HKLM\..\RunOnce: [MessengerPlusUninstall] C:\WINDOWS\system32\cmd.exe /C "C:\DOCUME~1\JARLEL~1\LOKALE~1\Temp\MsgPlusUninst.bat"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programfiler\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PcSync] C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [BaseAbout] C:\DOCUME~1\LIVLYS~1.DEL\PROGRA~1\EGGSAU~1\BALMSKIPERROR.exe (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [ActiveOwnsCampEach] C:\Documents and Settings\All Users\Programdata\Site Balm Active Owns\BIN META.exe (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe" (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [QuickTime Task] "C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [MS Juan] rundll32 "C:\DOCUME~1\LIVLYS~1.DEL\LOKALE~1\Temp\nudxexdt.dll",run (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [0c4bb52f] rundll32.exe "C:\DOCUME~1\LIVLYS~1.DEL\LOKALE~1\Temp\uekxvetc.dll",b (User 'Liv Lystad')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} (CU LiveUpdate Control) - http://nettdaten.meetheworld.no/nettdaten/runtime/pic/inner_pic/packages/liveupdate.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp04.photoprintit.de/microsite/5026/defaults/activex/ImageUploader3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programfiler\Fellesfiler\PCSuite\Services\ServiceLayer.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8446 bytes

No.. you seem to have a trojan downloader, and it is working.
Livly, what is the name of this folder.. C:\DOCUME~1\LIVLYS~1.DEL
It is C:\Documents and Settings\Livlys...what? My Swedish ain't so good. Anyway, the stuff in it is rubbish, so let's get rid of it.
Every time you restart your system the trojan renames itself. It was dxvwnean.dll starting under this key:
O4 - HKLM\..\Run: [BM0f7886b3] Rundll32.exe "C:\WINDOWS\system32\dxvwnean.dll",s
It is now C:\WINDOWS\system32\oyhhojsk.dll starting under this key:
O4 - HKLM\..\Run: [0c4bb52f] rundll32.exe "C:\WINDOWS\system32\oyhhojsk.dll",b
So use HijackThis to fix these entries...
O4 - HKLM\..\Run: [0c4bb52f] rundll32.exe "C:\WINDOWS\system32\oyhhojsk.dll",b
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [BaseAbout] C:\DOCUME~1\LIVLYS~1.DEL\PROGRA~1\EGGSAU~1\BALMSKIPERROR.exe (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [ActiveOwnsCampEach] C:\Documents and Settings\All Users\Programdata\Site Balm Active Owns\BIN META.exe (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [MS Juan] rundll32 "C:\DOCUME~1\LIVLYS~1.DEL\LOKALE~1\Temp\nudxexdt.dll",run (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [0c4bb52f] rundll32.exe "C:\DOCUME~1\LIVLYS~1.DEL\LOKALE~1\Temp\uekxvetc.dll",b (User 'Liv Lystad')

Delete these files:
C:\DOCUME~1\LIVLYS~1.DEL\PROGRA~1\EGGSAU~1\BALMSKIPERROR.exe
C:\DOCUME~1\LIVLYS~1.DEL\LOKALE~1\Temp\nudxexdt.dll
C:\DOCUME~1\LIVLYS~1.DEL\LOKALE~1\Temp\uekxvetc.dll
C:\Documents and Settings\All Users\Programdata\Site Balm Active Owns\BIN META.exe
C:\WINDOWS\system32\oyhhojsk.dll

...and, I suspect, delete this folder also:
C:\DOCUME~1\LIVLYS~1.DEL\

I think that some of that stuff is a LOP infection still present, but I can't be sure, so download NoLop from the link on this page; follow the instructions given. Post the report C:\NoLop.log.
http://www.thespykiller.co.uk/index.php?action=tpmod;dl=item16
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Double-click that file to install the application and ensure that it is set to update and start; otherwise start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything is checked, and click Remove Selected.
Post the Notepad log [it is also saved under Logs tab in MBAM].

Now to find what is regenerating the trojan. Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it, double-click ComboFix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
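The reasoning in the post above (a rundll32 loader pointing at a five-to-eight-letter all-lowercase DLL in system32 or a user's Temp folder, an export name that is a single letter, a value name that is eight hex digits, and a fresh file name after every reboot) can be turned into a first-pass triage of the O4 section. The script below is an added example for this thread, not code from the original post, from HijackThis or from any of the tools named here; it runs those heuristics over O4 lines copied from the logs posted in this thread. The allowlist of well-known Windows rundll32 targets and the score threshold are assumptions to adjust.

```python
import re

# O4 lines copied from the HijackThis logs posted in this thread: three
# ordinary autoruns and the three rundll32 loaders the helper singled out.
SAMPLE_O4_LINES = [
    r'''O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe''',
    r'''O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup''',
    r'''O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent''',
    r'''O4 - HKLM\..\Run: [BM0f7886b3] Rundll32.exe "C:\WINDOWS\system32\dxvwnean.dll",s''',
    r'''O4 - HKLM\..\Run: [0c4bb52f] rundll32.exe "C:\WINDOWS\system32\oyhhojsk.dll",b''',
    r'''O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [MS Juan] rundll32 "C:\DOCUME~1\LIVLYS~1.DEL\LOKALE~1\Temp\nudxexdt.dll",run (User 'Liv Lystad')''',
]

# O4 - <hive>\..\Run[Once]: [<value name>] <command> [(User '<name>')]
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# rundll32[.exe] ["]<dll>["],<export> ...
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>[^,\s]*)',
    re.IGNORECASE,
)
# Assumed allowlist: legitimate Windows rundll32 targets whose short lowercase
# names would otherwise trip the random-name check. Extend it for your estate
# rather than loosening the heuristics.
KNOWN_DLLS = {"bthprops.cpl", "nvcpl.dll", "shell32.dll", "advpack.dll", "setupapi.dll"}

SUSPICIOUS_THRESHOLD = 2  # assumed cut-off; two independent signals


def parse_o4(line):
    """Split one O4 line into hive, key, value name, command and user; None if not O4."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def score_entry(entry):
    """Return (score, reasons) for a parsed O4 entry using the thread's heuristics."""
    score, reasons = 0, []
    cmd = entry["cmd"]

    # Nothing legitimate should autostart out of a user's Temp directory.
    if re.search(r"\\temp\\", cmd, re.IGNORECASE):
        score += 2
        reasons.append("runs from a Temp directory")

    # Vundo-style value names: eight hex digits, optionally prefixed with BM.
    if re.fullmatch(r"(?:BM)?[0-9a-f]{8}", entry["name"]):
        score += 1
        reasons.append("value name is a random hex tag")

    rm = RUNDLL_RE.match(cmd)
    if rm:
        dll = rm.group("dll").replace("/", "\\").rsplit("\\", 1)[-1]
        stem = dll.rsplit(".", 1)[0]
        # A 5-8 letter, all-lowercase DLL name is the renamed-each-boot pattern
        # described in the post above.
        if dll.lower() not in KNOWN_DLLS and re.fullmatch(r"[a-z]{5,8}", stem):
            score += 1
            reasons.append("rundll32 loads a DLL with a random-looking name: " + dll)
        # Real entry points have descriptive names; these loaders export b, s, run.
        if re.fullmatch(r"[a-z]{1,3}", rm.group("export")):
            score += 1
            reasons.append("rundll32 export name is a throwaway: " + rm.group("export"))
    return score, reasons


def triage_o4(lines):
    """Parse and score every O4 line; lines that are not O4 entries are skipped."""
    results = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        score, reasons = score_entry(entry)
        entry["score"] = score
        entry["reasons"] = reasons
        entry["suspicious"] = score >= SUSPICIOUS_THRESHOLD
        results.append(entry)
    return results


def suspicious_names(lines):
    """Value names of the entries a human should look at first, in log order."""
    return [e["name"] for e in triage_o4(lines) if e["suspicious"]]


if __name__ == "__main__":
    for e in triage_o4(SAMPLE_O4_LINES):
        flag = "FIX " if e["suspicious"] else "    "
        print(flag, e["hive"], e["key"], "[%s]" % e["name"], "; ".join(e["reasons"]))
```

The three loaders score because several weak signals coincide; a single signal (the NvCpl entry is a rundll32 call too) is not enough on its own. The Lop-style entries from the same log (BaseAbout, ActiveOwnsCampEach) score nothing here because their names are ordinary English words and their paths are not in Temp, which is exactly why the helper still asks for NoLop rather than relying on pattern matching.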

Hi,
I couldn't find these entries:
O4 - HKLM\..\Run: [0c4bb52f] rundll32.exe "C:\WINDOWS\system32\oyhhojsk.dll",b
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [MS Juan] rundll32 "C:\DOCUME~1\LIVLYS~1.DEL\LOKALE~1\Temp\nudxexdt.dll",run (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [0c4bb52f] rundll32.exe "C:\DOCUME~1\LIVLYS~1.DEL\LOKALE~1\Temp\uekxvetc.dll",b (User 'Liv Lystad')

And here are those logs:


NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Jarle Lystad\Skrivebord
[14.04.2008]
[22:41:25]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\AC3EFD75912D6E71.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\All Users\Application Data\Npf


_______________________________________________________


Malwarebytes' Anti-Malware 1.11
Database version: 629

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 76466
Time elapsed: 32 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 17
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 39

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\geebb.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\ddcyxyy.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a1502ad2-93ce-459d-8a0e-68022c272ec3} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a1502ad2-93ce-459d-8a0e-68022c272ec3} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e9383002-fc55-4330-b9c9-67e03bc5c840} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e9383002-fc55-4330-b9c9-67e03bc5c840} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcyxyy (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e9383002-fc55-4330-b9c9-67e03bc5c840} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ADP (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\geebb.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\geebb.dll -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\geebb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\bbeeg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bbeeg.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hhltmggm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mggmtlhh.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iytccjku.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ukjcctyi.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mljjk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kjjlm.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kjjlm.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uhmniimj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jmiinmhu.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ddcyxyy.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\bloqkdew.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\bygxpwnw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\eckklrkn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\fdftskhn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\fhkmruve.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\fqdgqoji.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\ftilymfa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\mjikiska.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\mtkdmjbp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\pcmoijfi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\qqjbseah.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\skexgeps.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\stqxoebc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\vbfrrono.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Liv Lystad.DELL\Lokale innstillinger\Temp\vwwveegq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2DE4DD7A-95AD-4DF3-B8BF-6094F5DD25AF}\RP387\A0036666.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2DE4DD7A-95AD-4DF3-B8BF-6094F5DD25AF}\RP387\A0036672.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2DE4DD7A-95AD-4DF3-B8BF-6094F5DD25AF}\RP387\A0036718.exe (Rogue.MalwareAlarm) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2DE4DD7A-95AD-4DF3-B8BF-6094F5DD25AF}\RP388\A0036784.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2DE4DD7A-95AD-4DF3-B8BF-6094F5DD25AF}\RP388\A0037835.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mmpxsoey.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqqnki.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iifffec.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\byxyxuv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuvwxwu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\byxvvwx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

_________________________________________________________________________

ComboFix 08-04-13.3 - Jarle Lystad 2008-04-14 23:33:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.239 [GMT 2:00]
Running from: C:\Documents and Settings\Jarle Lystad\Skrivebord\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM0f7886b3.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bbeeg.ini
C:\WINDOWS\system32\bqocqpyt.dll
C:\WINDOWS\system32\ddcyxyy.dll
C:\WINDOWS\system32\geebb.dll
C:\WINDOWS\system32\guircrlk.dll
C:\WINDOWS\system32\gvpqoibb.dll
C:\WINDOWS\system32\ksjohhyo.ini
C:\WINDOWS\system32\liqpmmnb.dll
C:\WINDOWS\system32\xdtvbjoy.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
.

2008-04-14 22:51 . 2008-04-14 22:51 <DIR> d-------- C:\Documents and Settings\Jarle Lystad\Programdata\Malwarebytes
2008-04-14 22:50 . 2008-04-14 22:50 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware
2008-04-14 22:50 . 2008-04-14 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes
2008-04-14 22:42 . 2008-04-14 22:44 <DIR> d-------- C:\NoLopBackups
2008-04-14 20:48 . 2008-04-14 20:48 3,648 --a------ C:\WINDOWS\system32\indfkyky.dll
2008-04-13 10:31 . 2008-04-13 10:31 3,648 --a------ C:\WINDOWS\system32\gfkbxycw.dll
2008-04-13 10:22 . 2008-04-13 10:22 <DIR> dr-h----- C:\Documents and Settings\Jarle Lystad\Siste
2008-04-12 20:27 . 2008-04-12 20:27 <DIR> d-------- C:\Documents and Settings\Liv Lystad.DELL\Programdata\Grisoft
2008-04-12 10:54 . 2008-04-12 10:54 <DIR> d-------- C:\Documents and Settings\Jarle Lystad\Programdata\Grisoft
2008-04-12 10:54 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-12 10:53 . 2008-04-12 10:53 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Grisoft
2008-04-12 10:37 . 2008-04-12 10:37 <DIR> d-------- C:\Programfiler\CCleaner
2008-04-12 10:27 . 2008-04-12 10:27 3,648 --a------ C:\WINDOWS\system32\avflsjjd.dll
2008-04-09 16:19 . 2008-04-09 16:19 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-09 16:01 . 2008-04-09 16:01 <DIR> d-------- C:\Documents and Settings\Jarle Lystad\Download
2008-04-09 15:32 . 2008-04-09 15:32 25,992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe
2008-04-09 15:08 . 2006-02-24 20:36 <DIR> dr------- C:\Documents and Settings\Administrator\Start-meny
2008-04-09 15:08 . 2006-02-24 20:36 <DIR> d--h----- C:\Documents and Settings\Administrator\Skrivere
2008-04-09 15:08 . 2006-02-24 20:36 <DIR> d-------- C:\Documents and Settings\Administrator\Skrivebord
2008-04-09 15:08 . 2006-02-24 20:36 <DIR> d--h----- C:\Documents and Settings\Administrator\Siste
2008-04-09 15:08 . 2006-02-24 20:36 <DIR> dr-h----- C:\Documents and Settings\Administrator\Programdata
2008-04-09 15:08 . 2006-02-24 20:36 <DIR> d-------- C:\Documents and Settings\Administrator\Mine dokumenter
2008-04-09 15:08 . 2006-02-24 19:57 <DIR> d--h----- C:\Documents and Settings\Administrator\Maler
2008-04-09 15:08 . 2006-02-24 20:36 <DIR> d--h----- C:\Documents and Settings\Administrator\Lokale innstillinger
2008-04-09 15:08 . 2006-02-24 20:36 <DIR> d-------- C:\Documents and Settings\Administrator\Favoritter
2008-04-09 15:08 . 2006-02-24 20:36 <DIR> d--h----- C:\Documents and Settings\Administrator\AndrMask
2008-04-09 15:08 . 2008-04-09 15:08 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-09 14:28 . 2008-04-09 14:28 3,648 --a------ C:\WINDOWS\system32\pfwaoppg.dll
2008-04-09 14:05 . 2008-04-09 14:05 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-04-09 14:05 . 2008-04-09 14:05 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-04-09 14:04 . 2004-05-04 11:53 1,645,320 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-04-09 14:04 . 2002-07-24 22:43 667,648 --a------ C:\WINDOWS\system32\FreeImage.dll
2008-04-09 14:04 . 2004-03-09 10:00 662,288 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2008-04-09 14:04 . 2001-05-30 10:00 352,256 --a------ C:\WINDOWS\system32\ijl15.dll
2008-04-09 14:04 . 2000-12-06 10:00 209,608 --a------ C:\WINDOWS\system32\TABCTL32.OCX
2008-04-09 14:04 . 2000-05-22 10:00 203,976 --a------ C:\WINDOWS\system32\RICHTX32.OCX
2008-04-09 14:04 . 2000-05-22 10:00 140,488 --a------ C:\WINDOWS\system32\COMDLG32.OCX
2008-04-09 14:04 . 2005-02-28 23:52 102,400 --a------ C:\WINDOWS\system32\unzip3252.dll
2008-04-09 14:04 . 1998-06-18 00:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2008-04-09 14:04 . 1998-08-29 13:50 40,448 --a------ C:\WINDOWS\system32\UNACE.DLL
2008-04-09 13:51 . 2008-04-09 13:51 <DIR> d-------- C:\Programfiler\Lavasoft
2008-04-09 13:51 . 2008-04-09 13:52 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft
2008-04-09 13:49 . 2008-04-09 14:30 1,563,684 ---hs---- C:\WINDOWS\system32\vfwktotm.ini
2008-04-09 13:40 . 2008-04-09 13:40 3,648 --a------ C:\WINDOWS\system32\gtphcpxi.dll
2008-03-28 19:32 . 2008-04-09 13:32 1,584,019 ---hs---- C:\WINDOWS\system32\yxmvxtip.ini
2008-03-23 11:34 . 2008-03-23 14:44 <DIR> d-------- C:\Documents and Settings\Jarle Lystad\Programdata\GARMIN
2008-03-23 01:46 . 2008-02-18 18:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-03-22 22:04 . 2008-04-09 14:40 <DIR> d-------- C:\Garmin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 21:30 --------- d-----w C:\Documents and Settings\Jarle Lystad\Programdata\Skype
2008-04-14 20:09 --------- d-----w C:\Documents and Settings\All Users\Programdata\Site Balm Active Owns
2008-04-14 19:08 --------- d-----w C:\Programfiler\Mozilla Thunderbird
2008-04-13 18:08 --------- d-----w C:\Programfiler\IKEA HomePlanner
2008-04-13 18:08 --------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-04-13 17:56 --------- d-----w C:\Documents and Settings\All Users\Programdata\Messenger Plus!
2008-04-12 09:38 --------- d-----w C:\Documents and Settings\Liv Lystad.DELL\Programdata\Adverts
2008-04-09 12:45 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2008-04-09 12:45 --------- d-----w C:\Programfiler\Hewlett-Packard
2008-03-23 10:01 --------- d-----w C:\Documents and Settings\Jarle Lystad\Programdata\Azureus
2007-05-06 08:08 18,224 ----a-w C:\Documents and Settings\Liv Lystad.DELL\Programdata\GDIPFONTCACHEV1.DAT
2006-12-22 20:51 18,224 ----a-w C:\Documents and Settings\Jarle Lystad\Programdata\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe" [2006-02-01 17:45 98304]
"LogitechSoftwareUpdate"="C:\Programfiler\Logitech\Video\ManifestEngine.exe" [2005-06-08 15:44 196608]
"Skype"="C:\Programfiler\Skype\Phone\Skype.exe" [2007-03-30 13:34 25263144]
"PcSync"="C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 17:21 1449984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-02-24 19:34 122880 C:\WINDOWS\BCMSMMSG.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-26 13:01 4632576]
"nwiz"="nwiz.exe" [2004-10-26 13:01 921600 C:\WINDOWS\system32\nwiz.exe]
"SynTPLpr"="C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 20:23 98304]
"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 10:35 536576]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40 155648]
"bcmwltry"="bcmwltry.exe" [2005-12-19 10:08 1200128 C:\WINDOWS\system32\BCMWLTRY.EXE]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 18:32 221184]
"LogitechVideoRepair"="C:\Programfiler\Logitech\Video\ISStart.exe" [2005-06-08 16:24 458752]
"LogitechVideoTray"="C:\Programfiler\Logitech\Video\LogiTray.exe" [2005-06-08 16:14 217088]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 10:08 1347584]
"RemoteControl"="C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2005-05-10 17:04 11776]
"MMTray"="C:\Programfiler\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-05-10 17:04 110592]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:03 110592 C:\WINDOWS\system32\bthprops.cpl]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 13:36 229376]
"QuickTime Task"="C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"iTunesHelper"="C:\Programfiler\iTunes\iTunesHelper.exe" [2007-04-27 11:25 257088]
"!AVG Anti-Spyware"="C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:03 15360]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Adobe Reader Speed Launch.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Belkin 802.11g Wireless Card Utility.lnk - C:\Programfiler\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe [2006-02-26 19:16:02 630872]
InterVideo WinCinema Manager.lnk - C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-03-25 13:23:48 278528]
Microsoft Office.lnk - C:\Programfiler\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
NoLop.exe [2008-04-14 22:40:48 40448]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\Azureus\\Azureus.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\MSN Messenger\\livecall.exe"=
"C:\\Programfiler\\iTunes\\iTunes.exe"=
"C:\\Programfiler\\Skype\\Phone\\Skype.exe"=

R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [2003-07-24 13:10]
S3 OMNUSB;Omnikey AG CardMan 2020 USB-smartkortleser;C:\WINDOWS\system32\DRIVERS\sccmusbm.sys [2001-08-17 22:51]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-27 07:11:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programfiler\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 23:38:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\scardsvr.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\PROGRA~1\FELLES~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programfiler\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Programfiler\Fellesfiler\PCSuite\Services\ServiceLayer.exe
C:\Programfiler\Logitech\Video\FxSvr2.exe
C:\Programfiler\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-04-14 23:42:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-14 21:42:33

Pre-Run: 16,755,183,616 byte ledig
Post-Run: 16,691,212,288 byte ledig
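The Malwarebytes log above is worth reading for where the Vundo components were hooked in, not just how many files were removed: a BHO, a Winlogon notify package, a ShellExecuteHook and an LSA authentication package are all loaded into long-lived system processes, which is why those entries and the two DLLs listed under "Memory Modules Infected" could only be marked "Delete on reboot". The script below is an added example for this thread, not code from the original post or from Malwarebytes; it parses a subset of the posted log lines, labels each detection with the load mechanism it lives under (labels are my gloss), and cross-references the deferred file deletions against the in-memory module list.

```python
import re

# Registry and file lines copied from the Malwarebytes log posted above
# (a representative subset, not the whole log).
SAMPLE_MBAM_LINES = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a1502ad2-93ce-459d-8a0e-68022c272ec3} (Trojan.Vundo) -> Delete on reboot.",
    r"HKEY_CLASSES_ROOT\CLSID\{a1502ad2-93ce-459d-8a0e-68022c272ec3} (Trojan.Vundo) -> Delete on reboot.",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcyxyy (Trojan.Vundo) -> Delete on reboot.",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e9383002-fc55-4330-b9c9-67e03bc5c840} (Trojan.Vundo) -> Delete on reboot.",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\geebb.dll -> Delete on reboot.",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.",
    r"C:\WINDOWS\system32\geebb.dll (Trojan.Vundo) -> Delete on reboot.",
    r"C:\WINDOWS\system32\ddcyxyy.dll (Trojan.Vundo) -> Delete on reboot.",
    r"C:\WINDOWS\system32\mljjk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.",
]
# The "Memory Modules Infected" section of the same log.
SAMPLE_LOADED_MODULES = [r"C:\WINDOWS\system32\geebb.dll", r"C:\WINDOWS\system32\ddcyxyy.dll"]

# <item> (<family>) -> [Data: <data> -> ]<action>
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
DATA_RE = re.compile(r"^(?:Data: (?P<data>.+?) -> )?(?P<action>.+)$")

# Which Windows component loads each kind of entry. First match wins, so the
# specific persistence keys come before the generic registry/file fallbacks.
MECHANISMS = [
    (r"\\Explorer\\Browser Helper Objects\\", "BHO: loaded by Internet Explorer and Explorer"),
    (r"\\Winlogon\\Notify\\", "Winlogon notify package: loaded by winlogon.exe at boot"),
    (r"\\Explorer\\ShellExecuteHooks\\", "ShellExecuteHook: loaded when the shell launches programs"),
    (r"\\Control\\Lsa\\Authentication Packages", "LSA authentication package: loaded by lsass.exe"),
    (r"^HKEY_CLASSES_ROOT\\CLSID\\\{", "COM class registration backing a BHO or hook"),
    (r"^HK", "registry trace"),
    (r"^[A-Za-z]:\\", "file on disk"),
]


def classify(line):
    """Parse one MBAM result line into item, family, mechanism, data and action."""
    m = ITEM_RE.match(line.strip())
    if not m:
        return None
    item, family, rest = m.group("item", "family", "rest")
    d = DATA_RE.match(rest)
    mechanism = next(
        (label for pat, label in MECHANISMS if re.search(pat, item, re.IGNORECASE)),
        "other",
    )
    return {
        "item": item,
        "family": family,
        "mechanism": mechanism,
        "data": d.group("data"),
        "action": d.group("action"),
        # MBAM defers deletion when the file or key is in use by a running process.
        "deferred": d.group("action").startswith("Delete on reboot"),
    }


def summarize(lines, loaded_modules=()):
    """Count detections per load mechanism and tie deferred deletions to loaded DLLs."""
    loaded = {p.lower() for p in loaded_modules}
    by_mechanism, deferred, in_memory = {}, [], set()
    for line in lines:
        c = classify(line)
        if c is None:
            continue
        by_mechanism[c["mechanism"]] = by_mechanism.get(c["mechanism"], 0) + 1
        if c["deferred"]:
            deferred.append(c["item"])
            # A file line names the DLL directly; the LSA value names it in Data.
            target = (c["data"] or c["item"]).lower()
            if target in loaded:
                in_memory.add(target)
    return {
        "by_mechanism": by_mechanism,
        "deferred": deferred,
        "deferred_files_in_memory": sorted(in_memory),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_MBAM_LINES, SAMPLE_LOADED_MODULES)
    for mech, n in s["by_mechanism"].items():
        print("%2d  %s" % (n, mech))
    print("deferred until reboot:", len(s["deferred"]))
    print("deferred DLLs that were loaded in memory:", s["deferred_files_in_memory"])
```

Run against the subset, every deferred DLL turns out to be one of the two modules MBAM had to unload from memory, and the deferred registry entries are exactly the keys that reference them. That is the practical reason the helper asks for a second scan after reboot: until the machine restarts, neither the files nor the keys are actually gone.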

Jay, you are really getting hit here. Did you run MBAM before ComboFix? Because if so, ComboFix found again some files MBAM deleted... It appears that you have a Vundo infection, or traces of one, so please rename hijackthis.exe to imabunny.exe - this is important.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were NOT DELETED - if present rerun Vundofix !!!
Post the contents of C:\vundofix.txt plus a new HijackThis log run in normal mode.

Hi gerbil

I downloaded VundoFix and renamed HijackThis, rebooted in Safe Mode and ran VundoFix...
No files found and the log is empty!

Anything else I should do?

Jay

And here is a new HJT log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:05:53, on 17.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Fellesfiler\PCSuite\Services\ServiceLayer.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programfiler\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe
C:\Programfiler\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\WINDOWS\system32\lexpps.exe
C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programfiler\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programfiler\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Programfiler\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\FELLES~1\Nokia\MPAPI\MPAPI3s.exe
C:\Documents and Settings\Jarle Lystad\Skrivebord\imabunny.exe
C:\PROGRA~1\MUSICM~1\Common\COMPON~1\MMCOMP~1.EXE
C:\Programfiler\Skype\Plugin Manager\skypePM.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programfiler\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programfiler\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Programfiler\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programfiler\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PcSync] C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe" (User 'Liv Lystad')
O4 - HKUS\S-1-5-21-436374069-602162358-682003330-1004\..\Run: [QuickTime Task] "C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime (User 'Liv Lystad')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NoLop.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} (CU LiveUpdate Control) - http://nettdaten.meetheworld.no/nettdaten/runtime/pic/inner_pic/packages/liveupdate.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp04.photoprintit.de/microsite/5026/defaults/activex/ImageUploader3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programfiler\Fellesfiler\PCSuite\Services\ServiceLayer.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8309 bytes


Jay, I was just checking to see that ComboFix did its job with Vundo - it seems so. ComboFix did throw up the 8 malware files below as once being created... you should check that they no longer exist; if they do not, then you are clean. Use HijackThis to remove this entry:
O4 - Global Startup: NoLop.exe ...by performing a scan [no log required], checking that entry and pressing Fix Checked.

C:\WINDOWS\system32\indfkyky.dll
C:\WINDOWS\system32\gfkbxycw.dll
C:\WINDOWS\system32\avflsjjd.dll
C:\WINDOWS\system32\pgdfgsvc.exe
C:\WINDOWS\system32\pfwaoppg.dll
C:\WINDOWS\system32\vfwktotm.ini
C:\WINDOWS\system32\gtphcpxi.dll
C:\WINDOWS\system32\yxmvxtip.ini

And that is it. Good luck out there.


Hi gerbil

6 of the 8 files listed were found, and I deleted them.

Here is a new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:33:15, on 18.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programfiler\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe
C:\Programfiler\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programfiler\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Programfiler\Logitech\Video\FxSvr2.exe
C:\Programfiler\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\FELLES~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programfiler\Fellesfiler\PCSuite\Services\ServiceLayer.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programfiler\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jarle Lystad\Skrivebord\imabunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programfiler\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programfiler\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Programfiler\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programfiler\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PcSync] C:\Programfiler\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} (CU LiveUpdate Control) - http://nettdaten.meetheworld.no/nettdaten/runtime/pic/inner_pic/packages/liveupdate.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp04.photoprintit.de/microsite/5026/defaults/activex/ImageUploader3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programfiler\Fellesfiler\PCSuite\Services\ServiceLayer.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7729 bytes


Hello, Jay... I guess I just missed your post... sorry about that. Around that time Opera failed with this site and so I just did not come in so often to check. Firefox has its faults with the site also... s'pose I could use IE, but I tend not to. Anyway, your log... nicely matured with age... you could fix this one entry:
O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} (CU LiveUpdate Control) - http://nettdaten.meetheworld.no/nett...liveupdate.cab

Right, those file deletions... a couple of the files are hidden. It is convenient to use this tool:
==Download Killbox from here: http://www.downloads.subratam.org/KillBox.zip - unzip it onto your desktop.
Double-click Killbox to start it.
>Highlight the pathnames in the following block and copy them to the clipboard [press Ctrl+C] [or right-click, Copy...]:

C:\WINDOWS\system32\indfkyky.dll
C:\WINDOWS\system32\gfkbxycw.dll
C:\WINDOWS\system32\avflsjjd.dll
C:\WINDOWS\system32\pgdfgsvc.exe
C:\WINDOWS\system32\pfwaoppg.dll
C:\WINDOWS\system32\vfwktotm.ini
C:\WINDOWS\system32\gtphcpxi.dll
C:\WINDOWS\system32\yxmvxtip.ini

-In Killbox, go to the File menu and choose Paste from clipboard.

Select "Delete on reboot" and "Unregister dll before deleting" if available, then click the "all files" button.
Click the red and white X button, click Yes on the reboot prompt, and click OK if a PendingFileRenameOperations box opens. [Do not be concerned if it says it cannot find a file...]
If your computer does not reboot, please restart it manually.
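As an added example (not part of the thread, and not HijackThis, ComboFix or Killbox code), the following Python script does the bookkeeping gerbil asks for across his two replies: it parses the entry lines of an HJT log, flags the kinds of entries he points at (NoLop.exe dropped straight into Global Startup, the NipSvc service whose binary is missing, the LiveUpdate DPF control pulled from a non-Microsoft host, and randomly named files in system32 like the eight ComboFix reported), diffs a before and after log to confirm a "Fix checked" actually removed the entry, and reports which of the eight pathnames still exist. The sample log text is constructed from entries visible in the thread; the DPF host allowlist is an assumption to adjust for your own environment.

```python
"""HijackThis log triage.

Added example, not part of the original thread and not HijackThis code. The
sample logs below are constructed from entries visible in the thread; the
allowlist of DPF hosts is an assumption.
"""
import os
import re

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# Droppers in this thread: eight random lowercase letters in system32.
RANDOM_NAME_RE = re.compile(r"\\system32\\[a-z]{8}\.(?:dll|exe|ini)\b", re.I)
# Assumption: hosts you are willing to let install ActiveX controls (O16 DPF).
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")

# Constructed sample: the relevant lines of the 09.04.2008 log, before the fix.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NoLop.exe
O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} (CU LiveUpdate Control) - http://nettdaten.meetheworld.no/nettdaten/runtime/pic/inner_pic/packages/liveupdate.cab
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""
# Constructed sample: the same entries after "Fix checked" on the NoLop line.
LOG_AFTER = "\n".join(l for l in LOG_BEFORE.splitlines() if "NoLop" not in l)

# The eight files ComboFix reported, as listed in the thread.
VUNDO_FILES = [
    r"C:\WINDOWS\system32\indfkyky.dll", r"C:\WINDOWS\system32\gfkbxycw.dll",
    r"C:\WINDOWS\system32\avflsjjd.dll", r"C:\WINDOWS\system32\pgdfgsvc.exe",
    r"C:\WINDOWS\system32\pfwaoppg.dll", r"C:\WINDOWS\system32\vfwktotm.ini",
    r"C:\WINDOWS\system32\gtphcpxi.dll", r"C:\WINDOWS\system32\yxmvxtip.ini",
]


def parse_log(text):
    """Return [(section, body)] for every entry line; process list and headers are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("section"), m.group("body")))
    return out


def flag_entry(section, body):
    """Reason an entry deserves a look, or None if none of these checks fires."""
    if RANDOM_NAME_RE.search(body):
        return "randomly named file in system32 (Vundo-style dropper)"
    if section == "O4" and body.startswith("Global Startup:"):
        item = body.split(":", 1)[1].strip()
        # A shortcut shows as "name.lnk = target"; a bare .exe here was dropped into the folder.
        if " = " not in item and item.lower().endswith((".exe", ".com", ".bat", ".scr", ".pif")):
            return "executable placed directly in the all-users Startup folder"
    if section == "O23" and body.endswith("(file missing)"):
        return "service entry whose binary is gone (orphan; remove or investigate)"
    if section == "O16":
        m = re.search(r"https?://([^/\s]+)", body)
        host = m.group(1).lower() if m else ""
        if not any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS):
            return "ActiveX control installed from an unlisted host: " + host
    return None


def triage(text):
    """All flagged entries of a log as [(section, body, reason)]."""
    flagged = []
    for section, body in parse_log(text):
        reason = flag_entry(section, body)
        if reason:
            flagged.append((section, body, reason))
    return flagged


def diff_logs(before, after):
    """(removed, added) entry lists between two logs, ignoring order."""
    b, a = set(parse_log(before)), set(parse_log(after))
    return sorted(b - a), sorted(a - b)


def check_paths(paths, exists=os.path.exists):
    """Split pathnames into (present, absent). os.path.exists sees files carrying the
    hidden attribute, unlike Explorer's default view; `exists` is injectable so the
    check can be exercised on a machine that does not have these paths."""
    present = [p for p in paths if exists(p)]
    return present, [p for p in paths if p not in present]


if __name__ == "__main__":
    for section, body, reason in triage(LOG_BEFORE):
        print(f"{section}: {reason}\n    {body}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed by fix:", removed, "\nnew since fix:", added)
    print("still on disk:", check_paths(VUNDO_FILES)[0])
```

Two caveats when using it on a real log. The eight-letter name check is a pattern specific to this infection and will also fire on legitimate names of the same shape (winlogon.exe is one), so treat every flag as a prompt to verify the file's origin and signature, not as a verdict. And os.path.exists reports files that Explorer hides by default, which is consistent with gerbil's note that a couple of the eight files are hidden; a file that "is not there" in Explorer may still be on disk and still need the delete-on-reboot step.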
