[Leonius]

Hello,

I recently opened an unsafe executable file, and was hit with a barrage of viruses/malware/trojans, etc. I attempted to remove them through Ad-Aware SE, and it detected them, but it took too long to delete them, and I replaced the program with Ad Aware 2007. Upon attempting to run an Ad Aware 2007 I get the infamous Blue Screen of Death, with the message IRQL_LESS THAN_EQUAL TO, or something like that, with the full error code submitted to Windows as:
BCCode : 1000000a BCP1 : 006900A8 BCP2 : 000000FF BCP3 : 00000001
BCP4 : 80543425 OSVer : 5_1_2600 SP : 2_0 Product : 256_1

Further, I believe the the viruses were Virtuemonde and a Win32.Trojan.zlob or something along those lines. I have followed the instructions for fixing those programs, but they still seem to persist. The log for those is:

IEDefender:

Operating System : Microsoft Windows XP Professional
Service Pack Level: Service Pack 2
System Langauge : English
Processor : X86
Boot State : Normal boot

--------------------------------------------------------------------------------

!!! Files that have been deleted !!!

C:\Program Files\helper\1207589134.dll
C:\WINDOWS\system32\actskn45.ocx

--------------------------------------------------------------------------------

!!! Directories that have been removed !!!

C:\Program Files\Helper

--------------------------------------------------------------------------------

!!! Registry entries that have been removed !!!

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\E404.e404mgr
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\E404.e404mgr.1



Virtufix:
VundoFix V7.0.3

Scan started at 5:03:36 PM 4/8/2008

Listing files found while scanning....

C:\WINDOWS\system32\jnaojmwp.ini
C:\WINDOWS\system32\pwmjoanj.dll
C:\WINDOWS\system32\wvUMfefc.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jnaojmwp.ini
C:\WINDOWS\system32\jnaojmwp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pwmjoanj.dll
C:\WINDOWS\system32\pwmjoanj.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\wvUMfefc.dll
C:\WINDOWS\system32\wvUMfefc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pwmjoanj.dll
C:\WINDOWS\system32\pwmjoanj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvUMfefc.dll
C:\WINDOWS\system32\wvUMfefc.dll Has been deleted!

Performing Repairs to the registry.
Done!



My Hijackthis log is as follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:54 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\McGill NetConnect 2.0\ArubaService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\PrevxCSI\PrevxCSI.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\McGill NetConnect 2.0\NetConnect.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Leonid\Desktop\HiJackThis.exe
c:\dell\E-center\gtb2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ShowLOMControl]

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ECenter] "c:\dell\E-Center\gtb.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [c0d84ad1] rundll32.exe "C:\WINDOWS\system32\pwmjoanj.dll",b
O4 - HKLM\..\Run: [BMc3eb794d] Rundll32.exe "C:\WINDOWS\system32\bkiwbkue.dll",s
O4 - HKCU\..\Run: [WintelUpdate] c:\flciijjq.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{73A31463-05BD-4403-A56B-F0A3975E972C}: NameServer = 132.206.44.21 132.216.44.21
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Aruba VPN Service - Unknown owner - C:\Program Files\McGill NetConnect 2.0\ArubaService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner (csiscanner) - Prevx - C:\Program Files\PrevxCSI\\PrevxCSI.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Prevx Agent (prevxagent) - Prevx - C:\Program Files\Prevx1\PXAgent.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6975 bytes



I cannot access my hotmail account, the sign in page simply will not work. When I use the internet in Internet Explorer, I receive multiple pop-ups. I am not sure specifically what problems I am having, I cannot run an Ad-Aware scan, and I have followed all the other instructions for posting previously as well. My internet is quite slow in general.

Please help me, I am desperate, I am a University student with numerous papers due very soon that I cannot work on until this is resolved.

Thank you,
Leonius

[Advertisements]

Hi Leonius and welcome to GTG.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O4 - HKLM\..\Run: [c0d84ad1] rundll32.exe "C:\WINDOWS\system32\pwmjoanj.dll",b
O4 - HKLM\..\Run: [BMc3eb794d] Rundll32.exe "C:\WINDOWS\system32\bkiwbkue.dll",s
O4 - HKCU\..\Run: [WintelUpdate] c:\flciijjq.exe

Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\pwmjoanj.dll
C:\WINDOWS\system32\bkiwbkue.dll
c:\flciijjq.exe

Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.

[greyknight17]

Hi Leonius and welcome to GTG.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O4 - HKLM\..\Run: [c0d84ad1] rundll32.exe "C:\WINDOWS\system32\pwmjoanj.dll",b
O4 - HKLM\..\Run: [BMc3eb794d] Rundll32.exe "C:\WINDOWS\system32\bkiwbkue.dll",s
O4 - HKCU\..\Run: [WintelUpdate] c:\flciijjq.exe

Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\pwmjoanj.dll
C:\WINDOWS\system32\bkiwbkue.dll
c:\flciijjq.exe

Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.

[greyknight17]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.