Adware.viruemonde

  1. 27-11-2007  #1
    opilonies
    opilonies is offline Newbie

    Question Adware.viruemonde

    Hello, I have a problem with some adware that I can not remove.
    Symantec has a removal tool but when I run the tool it is not found on the computer. I have ran norton and spybot S&D neither can remove it.
    the file name is Pmnlifc.dll I am not sure what all information I need to provide for some one to help but I have seen the HJT files posted so I ran one and am pasting it on here.
    Thank you in advance for helping/.

    The RED txt in the HJT list is where the file is located says norton and SB S&D

    Logfile of HijackThis v1.99.1
    Scan saved at 927 AM, on 11/27/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    A:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: (no name) - {247BF543-4F4E-4CE5-896E-7C701736FCB7} - C:\WINDOWS\System32\vtutt.dll (file missing)
    O2 - BHO: C:\WINDOWS\System32\sder4gh.dll - {25AD49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\sder4gh.dll (file missing)
    O2 - BHO: (no name) - {39C6B6C8-E01E-3175-B583-04FDA1EE088B} - C:\Program Files\Mevhqush\bjugobld.dll (file missing)
    O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\l3acdb2.dll (file missing)
    O2 - BHO: (no name) - {984544AB-5FA6-46AF-BE1D-E21804DAD281} - C:\WINDOWS\System32\pmnlifc.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [{E9-9D-D0-07-ZN}] C:\RECYCLER\NPROTECT\00004230.EXE CHD003
    O4 - HKLM\..\Run: [eopegtpA] C:\WINDOWS\eopegtpA.exe
    O4 - HKLM\..\Run: [ERS_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe"
    O4 - HKLM\..\Run: [DC6_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\dc6_startupmon.exe"
    O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
    O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\wwxtnogp.dll",forkonce
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [bantool] C:\Documents and Settings\Order 3\sdadlrow-t2.exe
    O4 - HKLM\..\Run: [{ZN}] C:\Documents and Settings\Order 3\TISKY008.exe SKY008
    O4 - HKLM\..\Run: [Winmplayer] "C:\WINDOWS\System32\KB_963491.exe"
    O4 - HKLM\..\Run: [lanmanwrk.exe] C:\WINDOWS\System32\lanmanwrk.exe
    O4 - HKLM\..\Run: [MeetGate] C:\WINDOWS\twain.exe
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win2F7.tmp.exe
    O4 - HKLM\..\Run: [smgr] mgrs.exe
    O4 - HKLM\..\Run: [ms] C:\DOCUME~1\ORDER3~1\LOCALS~1\Temp\24438\gm.exe
    O4 - HKLM\..\Run: [ghkrebel] rundll32.exe "C:\Program Files\bcbifuhs\bqpovwbq.dll",Init
    O4 - HKLM\..\Run: [efwvupkx] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\efwvupkx.dll"
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O10 - Broken Internet access because of LSP provider 'c:\windows\system32\goxfn.dll' missing
    O17 - HKLM\System\CCS\Services\Tcpip\..\{600E3627-ACF7-4284-8F3F-05464B2613E9}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O20 - AppInit_DLLs: C:\WINDOWS\System32\svch8.dll
    O20 - Winlogon Notify: awvtr - C:\WINDOWS\System32\awvtr.dll (file missing)
    O20 - Winlogon Notify: opnonmm - opnonmm.dll (file missing)
    O20 - Winlogon Notify: pmnlifc - C:\WINDOWS\SYSTEM32\pmnlifc.dll
    O20 - Winlogon Notify: winjjq32 - C:\WINDOWS\SYSTEM32\winjjq32.dll
    O21 - SSODL: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINDOWS\System32\kkndo.dll (file missing)
    O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Phoipkpk.dll (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

  3. 28-11-2007  #2
    Neal
    Neal is offline Dedicated Member
    Welcome, that sure is an very infected computer.


    1.) Download WinSockFix. (by: Option^Explicit)
    2.) UnZip WinsockFix.zip (Pay close attention to where the file is extracted to.)
    3.) Run WinsockFix.exe.
    4.) Click the Fix button.

    Reboot your computer




    Please delete the version of HiJackThis.exe you have installed, then download the new version from here:

    HIJACKTHIS

    Make sure hijackthis is in it's own folder like this:

    Program Files\hijackthis\hijackthis.exe




    Please go to hijackthis.exe and right click on it and then click on rename and rename it to foolyou.exe, press enter
    and post a new log from the newly renamed hijackthis.exe. Sometimes malware hides from hijackthis.exe.




    Download SDFIX and save it to your Desktop.

    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
    • Open the extracted folder and double click RunThis.bat to start the script.
    • Type Y to begin the script.
    • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • Your system will take longer that normal to restart as the fixtool will be running and removing files.
    • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
    • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
  4. 28-11-2007  #3
    opilonies
    opilonies is offline Newbie
    Ok here is the new log but I don't know if changing the name did anything because it still says HJT.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:58:16 PM, on 11/27/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HijackThis\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: (no name) - {247BF543-4F4E-4CE5-896E-7C701736FCB7} - C:\WINDOWS\System32\vtutt.dll (file missing)
    O2 - BHO: C:\WINDOWS\System32\sder4gh.dll - {25AD49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\sder4gh.dll (file missing)
    O2 - BHO: (no name) - {39C6B6C8-E01E-3175-B583-04FDA1EE088B} - C:\Program Files\Mevhqush\bjugobld.dll (file missing)
    O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\l3acdb2.dll (file missing)
    O2 - BHO: (no name) - {984544AB-5FA6-46AF-BE1D-E21804DAD281} - C:\WINDOWS\System32\pmnlifc.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [{E9-9D-D0-07-ZN}] C:\RECYCLER\NPROTECT\00004230.EXE CHD003
    O4 - HKLM\..\Run: [eopegtpA] C:\WINDOWS\eopegtpA.exe
    O4 - HKLM\..\Run: [ERS_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe"
    O4 - HKLM\..\Run: [DC6_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\dc6_startupmon.exe"
    O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
    O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\wwxtnogp.dll",forkonce
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [bantool] C:\Documents and Settings\Order 3\sdadlrow-t2.exe
    O4 - HKLM\..\Run: [{ZN}] C:\Documents and Settings\Order 3\TISKY008.exe SKY008
    O4 - HKLM\..\Run: [Winmplayer] "C:\WINDOWS\System32\KB_963491.exe"
    O4 - HKLM\..\Run: [lanmanwrk.exe] C:\WINDOWS\System32\lanmanwrk.exe
    O4 - HKLM\..\Run: [MeetGate] C:\WINDOWS\twain.exe
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win2F7.tmp.exe
    O4 - HKLM\..\Run: [smgr] mgrs.exe
    O4 - HKLM\..\Run: [ms] C:\DOCUME~1\ORDER3~1\LOCALS~1\Temp\24438\gm.exe
    O4 - HKLM\..\Run: [ghkrebel] rundll32.exe "C:\Program Files\bcbifuhs\bqpovwbq.dll",Init
    O4 - HKLM\..\Run: [efwvupkx] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\efwvupkx.dll"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\ORDER3~1\APPLIC~1\RACLE~1\mshta.e xe" -vt ndrv
    O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.1\webbuying.exe
    O4 - HKCU\..\Run: [Xiteiv] "C:\Program Files\Common Files\??mantec\w?nlogon.exe"
    O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
    O4 - HKCU\..\Run: [autoload] C:\WINDOWS\System32\drivers\smss.exe
    O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Order 3\smss.exe
    O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKCU\..\Run: [Hjsdf9ui9jkeftdf] C:\DOCUME~1\ORDER3~1\LOCALS~1\Temp\svchots.exe
    O4 - HKCU\..\Run: [XP restart system] C:\DOCUME~1\ORDER3~1\LOCALS~1\Temp\wnset.exe
    O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Order 3\TISKY008.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O20 - AppInit_DLLs: C:\WINDOWS\System32\svch8.dll
    O20 - Winlogon Notify: awvtr - C:\WINDOWS\System32\awvtr.dll (file missing)
    O20 - Winlogon Notify: opnonmm - opnonmm.dll (file missing)
    O20 - Winlogon Notify: pmnlifc - C:\WINDOWS\SYSTEM32\pmnlifc.dll
    O20 - Winlogon Notify: winjjq32 - C:\WINDOWS\SYSTEM32\winjjq32.dll
    O21 - SSODL: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINDOWS\System32\kkndo.dll (file missing)
    O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Phoipkpk.dll (file missing)
    O22 - SharedTaskScheduler: COM+ Service - {2BDEC973-B5AC-4e5b-8AB3-5A0500880DA2} - C:\WINDOWS\System32\winload.dll (file missing)
    O22 - SharedTaskScheduler: sdgfdgdgdtj - {25AD49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\sder4gh.dll (file missing)
    O22 - SharedTaskScheduler: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINDOWS\System32\kkndo.dll (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\profsyrtymyk.html

    --
    End of file - 8101 bytes
  5. 28-11-2007  #4
    opilonies
    opilonies is offline Newbie
    Ok here are the 2 logs after running SDfix
    I am not sure that it worked


    SDfix


    SDFix: Version 1.115

    Run by Order 3 on Thu 11/27/2003 at 06:23 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    lanmandrv
    ldrsvc

    Path:
    \??\C:\WINDOWS\System32\lanmandrv.sys
    %SystemRoot%\System32\svchost.exe -k netsvcs

    lanmandrv - Deleted
    ldrsvc - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...

    Service asc355 - Deleted after Reboot

    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\WINDOWS\SYSTEM32\KERNEL32.EXE - Deleted
    C:\PROGRA~1\COMPLU~1\PROFSY~1.HTM - Deleted
    C:\PROGRA~1\COMPLU~1\LAVUGA~1 - Deleted
    C:\PROGRA~1\COMPLU~1\LAVUGA~2 - Deleted
    C:\WINDOWS\system32\system\msxml4.dll - Deleted
    C:\WINDOWS\system32\system\msxml4r.dll - Deleted
    C:\Documents and Settings\Order 3\Start Menu\Programs\Startup\TA_Start.lnk - Deleted
    C:\Temp\1cb\syscheck.log - Deleted
    C:\wintemp.log - Deleted
    C:\WINDOWS\Casino.ico - Deleted
    C:\WINDOWS\Free Online Dating.ico - Deleted
    C:\WINDOWS\System32KBRunOnce2.tm_ - Deleted
    C:\WINDOWS\System32KBRunOnce2.t__ - Deleted
    C:\WINDOWS\system32\7_exception.nls - Deleted
    C:\WINDOWS\system32\KBRunOnce2.t__ - Deleted
    C:\WINDOWS\system32\Kernel32.exe - Deleted
    C:\WINDOWS\system32\mt_32.dll - Deleted
    C:\WINDOWS\system32\qmopt.dll - Deleted
    C:\WINDOWS\system32\totour.exe - Deleted
    C:\WINDOWS\tcb.pmw - Deleted
    C:\WINDOWS\wr.txt - Deleted



    Folder C:\Documents and Settings\All Users\Documents\Settings - Removed
    Folder C:\Program Files\WinPop - Removed
    Folder C:\Temp\1cb - Removed
    Folder C:\Temp\fse - Removed
    Folder C:\WINDOWS\system32\system - Removed

    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2003-11-27 18:27:00
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services:
    ------------------



    Authorized Application Key Export:

    Remaining Files:
    ---------------

    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    Fri 10 Aug 2007 8,357 A.SH. --- "C:\WINDOWS\system32\rtvwa.tmp"
    Thu 16 Aug 2007 1,714,923 A.SH. --- "C:\WINDOWS\system32\rtvwa.bak1"
    Fri 17 Aug 2007 1,690,901 A.SH. --- "C:\WINDOWS\system32\rtvwa.bak2"
    Fri 14 Nov 2003 2,039,508 A.SH. --- "C:\WINDOWS\system32\ttutv.tmp"
    Fri 5 Sep 2003 6,448 A.SH. --- "C:\WINDOWS\system32\ttutv.bak1"
    Fri 14 Nov 2003 2,039,508 A.SH. --- "C:\WINDOWS\system32\ttutv.tmp2"
    Sat 6 Sep 2003 2,016,586 A.SH. --- "C:\WINDOWS\system32\ttutv.bak2"

    Finished!
    __________________________________________________ _____________________________
    __________________________________________________ _____________________________
    __________________________________________________ _____________________________


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:43:30 PM, on 11/27/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\Program Files\HijackThis\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: (no name) - {247BF543-4F4E-4CE5-896E-7C701736FCB7} - C:\WINDOWS\System32\vtutt.dll (file missing)
    O2 - BHO: C:\WINDOWS\System32\sder4gh.dll - {25AD49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\sder4gh.dll (file missing)
    O2 - BHO: (no name) - {39C6B6C8-E01E-3175-B583-04FDA1EE088B} - C:\Program Files\Mevhqush\bjugobld.dll (file missing)
    O2 - BHO: (no name) - {984544AB-5FA6-46AF-BE1D-E21804DAD281} - C:\WINDOWS\System32\pmnlifc.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [{E9-9D-D0-07-ZN}] C:\RECYCLER\NPROTECT\00004230.EXE CHD003
    O4 - HKLM\..\Run: [eopegtpA] C:\WINDOWS\eopegtpA.exe
    O4 - HKLM\..\Run: [ERS_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe"
    O4 - HKLM\..\Run: [DC6_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\dc6_startupmon.exe"
    O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\wwxtnogp.dll",forkonce
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [{ZN}] C:\Documents and Settings\Order 3\TISKY008.exe SKY008
    O4 - HKLM\..\Run: [MeetGate] C:\WINDOWS\twain.exe
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win2F7.tmp.exe
    O4 - HKLM\..\Run: [ghkrebel] rundll32.exe "C:\Program Files\bcbifuhs\bqpovwbq.dll",Init
    O4 - HKLM\..\Run: [efwvupkx] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\efwvupkx.dll"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\ORDER3~1\APPLIC~1\RACLE~1\mshta.e xe" -vt ndrv
    O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.1\webbuying.exe
    O4 - HKCU\..\Run: [Xiteiv] "C:\Program Files\Common Files\??mantec\w?nlogon.exe"
    O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKCU\..\Run: [Hjsdf9ui9jkeftdf] C:\DOCUME~1\ORDER3~1\LOCALS~1\Temp\svchots.exe
    O4 - HKCU\..\Run: [XP restart system] C:\DOCUME~1\ORDER3~1\LOCALS~1\Temp\wnset.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O20 - AppInit_DLLs: C:\WINDOWS\System32\svch8.dll
    O20 - Winlogon Notify: awvtr - C:\WINDOWS\System32\awvtr.dll (file missing)
    O20 - Winlogon Notify: opnonmm - opnonmm.dll (file missing)
    O20 - Winlogon Notify: pmnlifc - C:\WINDOWS\SYSTEM32\pmnlifc.dll
    O20 - Winlogon Notify: winjjq32 - C:\WINDOWS\SYSTEM32\winjjq32.dll
    O21 - SSODL: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINDOWS\System32\kkndo.dll (file missing)
    O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Phoipkpk.dll (file missing)
    O22 - SharedTaskScheduler: COM+ Service - {2BDEC973-B5AC-4e5b-8AB3-5A0500880DA2} - C:\WINDOWS\System32\winload.dll (file missing)
    O22 - SharedTaskScheduler: sdgfdgdgdtj - {25AD49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\sder4gh.dll (file missing)
    O22 - SharedTaskScheduler: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINDOWS\System32\kkndo.dll (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\profsyrtymyk.html

    --
    End of file - 7237 bytes






    Thank you for the help!!!
  6. 28-11-2007  #5
    Neal
    Neal is offline Dedicated Member
    Of course it worked. Look at all the trojan files deleted, lots more to do.


    Be Advised



    You have been infected by several Trojan horses with rootkit abilities that download and execute remote files and sends confidential computer information to a remote attacker. The Trojans also allow a remote attacker to perform various unauthorized actions on the compromised computer.

    Its very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing other rootkits. While we can attempt to clean what we see in your logs, we can't guarantee that your computer will be completely in the clear since we have no way of knowing that has been done to the computer. Your computer could be completely compromised at this moment. The best advice we can give you is to backup your information, reformat, and reinstall.

    I also recommend that you disconnect this machine from the internet NOW! Except to come here!!!

    1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.

    2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

    3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

    Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.



    If you wish to continue:



    Please download and install SUPERAntiSpyware Trial Pro Edition http://www.superantispyware.com/superantispyware.html

    * Load SUPERAntiSpyware and click the Check for Updates button.
    * Once the update has finished, exit SUPERAntiSpyware. Please do NOT run a scan yet!


    IMPORTANT: Do NOT open any other windows or programs while SUPERAntiSpyware is scanning, it may interfere with the scanning process.

    * Open SUPERAntiSpyware and click the Scan your Computer button.
    * Check Perform Complete Scan and then click Next.
    * SUPERAntiSpyware will now scan your computer and when it’s finished it will list all the infections it has found.
    * Make sure that they all have a check next to them, and then click Next.
    * Click Finish and you will be taken back to the main interface.
    * It could be possible that it will ask you to reboot your computer in order to delete some files after reboot.
    * I'll need a log afterwards of what has been found.
    * To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.
    * Please post the results of the SUPERAntiSpyware log in your next reply.


    New hijackthis log also if you continue.
  7. 28-11-2007  #6
    opilonies
    opilonies is offline Newbie
    Thank you for your help.
    I will take your first advice and Re-Format.
    there is nothing on there I had already wiped the important off.
    Do you have any advice other than Norton and SB S&D that I should install and ways to further control this from happening again?
    Thanks again
  8. 29-11-2007  #7
    Neal
    Neal is offline Dedicated Member
    Save 20% on AVG Internet Security 2012 Suite!
    Here are some good programs:


    Here are some tips to reduce the potential for spyware infection in the future:

    Make sure you keep your Windows OS current by visiting Windows update
    regularly to download and install any critical updates and service packs. With out these you are leaving the backdoor open.

    I strongly recommend installing the following applications:
    • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
    • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
    • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
    To protect yourself further:
    • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
    • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
    And also see TonyKlein's good advice
    So how did I get infected in the first place? (My Favorite)


    Free anti virus programs:

    AVG
    Avast
    Antivir


    Free firewall:

    Comodo firewall


    Just google the names and read about them.


    Good luck
+ Reply to Thread
« Win32.P2P-Worm.Alcan.a HELP PLEASE!(RESOLVED) | After trojan is removed(RESOLVED) »