it's baaaack. Downloader.exe back with friends.

I believe that one came pre-installed. I have it for the other one

Ah.
Well do the instructions I left on the first page of this topic.

not looking so good. everything taking a long time.

nothing will open. I noticed you locked the other chain. We got PMP 2 working again but you said the first log I sent looked clean. It ran after ATF.

PMP2, this chain, has nothing working in normal mode

And of course now, neither computer is working. PMP2 has stopped now and I'm on the wireless UPDATE: I got PMP2 back up by renewing the IP address...somehow it was lost

Internet stopped working on that too?
Tried winsock fix?

Can you do this? Follow this path:
C:\WINDOWS\erdnt\Hiv-backup\ERDNT.exe <-- run that.

I was able to get PMP2 on by going to the LAN and hitting repair. It said there was no IP address assigned...(again, PMP2 never showed a virus today, just been acting weird)

Was the last command for the one we've been working on , PMP1?

I'm not hopeful on this, but worth a shot.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log with a fresh copy of HijackThis log.

will this work in safe mode? I can't even get 'my computer' open in normal mode

Yeah, MBAM will work in safe mode.

While that is running, now PMP2 has stopped again. I ran combo fix and it says it 'detected root kit activity'...what is that? My LAn says connected and I've run WinsockFix

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.
This tools works in safe mode. Other rootkitrevealers don't.

ok, i'm downloading it now. CF did reboot and finish after saying that and the log is here http://rapidshare.com/files/162586815/pmp2cflog11.10630.txt.html

Okay, will wait for gmer's log.

PMP1 - malware detected no problems. O's across the board. I"m tryng now to restart it in normal mode and it's basically frozen still.

PMP2 - has just come back up and online after running combo fix again and winsockfix with a reboot.

Did GMER run?

I'm sick of this rootkit now, this should blow it away. Run this on PMP2.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE.

• Click on Avenger.zip to open the file
  
• Extract avenger.exe to your desktop
  

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\f49f4daa.dat

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Input script here:", paste in the script from the quote box above.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Don't tick the box below.
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log.

PMP1 - the internet loads fine in safe mode freezes in normal

PMP2 -gmer running now but it's working and online

Which do you want the new instructions run on?

On PMP2 please, that's what CF is showing it on.

PMP1 - still running fine, online, in safe mode. Stalling in normal.

PMP2- getting ready to run avenger. gmer log:

http://rapidshare.com/files/162593995/gmerpmp2.log.html

PMP1 - same

PMP2 - rootkit scan is active, no rootkits found! (do you want me to still send everything for that?...I wasn't sure what a new HJT log was)

Sigh. Yes, I need a new Hijack This log and the avengers log.

PMP2 - was working fine and now will no longer connect to the internet. LAN says connected, I"ll get the logs.

PMP1 says HP Boot OPtimizer has encountered a problem and needs to close - in normal mode

PMP2 avenger log :

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\TEMP\logishrd\LVPrcInj01.dll" deleted successfully.

Error: file "c:\windows\f49f4daa.dat" not found!
Deletion of file "c:\windows\f49f4daa.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

PMP2 HIjack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:46 PM, on 11/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\IPSBHO.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - https://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 6490 bytes

Yay, the file CF couldn't delete is gone.
Can't see anything wrong with the new Hijack This log.

RUN THIS NEXT FIX ON PMP1.
This will stop the HP boot error.

• Now open a new notepad file.
  
• Input this into the notepad file:
  

  
  Windows Registry Editor Version 5.00
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "HPBootOp"=-
  
  

  
  
• Save this as fix.reg, save it to your desktop.
  
• Double click fix.reg to run it.
  
• Select yes to the registry merge prompt.
  

PMP2 back up and online fast!

OMG. Holy crap.
Run the reg fix on machine PMP1.


How's machine 1 and 2 now?

PMP1 - ran reg fix in safe mode. Still barely starting in normal mode...should I try avenger on PMP1 or something?

PMP1 won't get past the login screen in normal mode after reg fix but will open internet in safe mode

Last edited by raif on 11th November 2008, 12:47 am; edited 1 time in total

No. Don't run the avenger on PMP1.
I'm looking through a CF log of PMP1.
Don't touch PMP2 for now, we've fixed that.

Can you submit this file below
c:\windows\system32\spmsg2.dll
to here for a scan.
http://virusscan.jotti.org/

Press the browse button to find the file, then double click it and hit the submit button to upload it.

PMP1

Scanner Malware name
A-Squared Trojan-Spy.Win32.Banker.JU!IK
AntiVir SPR/Tool.HideProc.O.1
ArcaVir X
Avast Win32:Trojan-gen {Other}
AVG Antivirus X
BitDefender X
ClamAV X
CPsecure X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus X
G DATA X
Ikarus Trojan-Spy.Win32.Banker.JU
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control X
Panda Antivirus X
Sophos Antivirus X
VirusBuster X
VBA32 X

Okay, it's come back as showing malware.

Delete this file.
c:\windows\system32\spmsg2.dll

Any better?

sorry, hung up for a sec personally, i'll know soon!

I'll hope for the best.
Going offline, won't be back till tomorrow night, so we can continue this then.

ok, thanks man. I'll be here PMP1 started in normal mode, seemingly quick, but it did not want to connect to the internet and timed out

Hello.
At college and I can logon here, usually can't.

Glad to here it booted, an adware banker variant stopped the boot? Wow, I think someone is out to get me.
Try winsock fix to repaid net connection?

PMP 1 - I ran WinsockFix on it and let it open it normal mode. It opened but seemed to not want to connect to the internet. I just left it alone and about a half hour later the page finally loaded. Then, same thing for a page change. So...it's connecting, just running at a snails pace!

PMP 2- keeps running fine, with good speed, on the internet. Then all of a sudden it will just stop and nothing will load. As soon as I run Winsock Fix and reboot, it starts up great, with Internet, and then the same thing happens, I run Winsock......this happens over and over again. WInsock Fixes it, goes down alone.

PMP1 - I ran something called VundoFix that I saw on another blog and it found 8 corrupted files. I removed those, did a winsock fix, rebooted and Windows loads still but hasn't connected to Internet after 20 mins...finally connected but same thing with a page change.

I don't know why Vundofix found files, there was no presence of vundo in either of your logs.
From my point, it sounds like just your net connection is unstable.
I will talk to colleague and see what he thinks.

they were audio files or something

Hello.
I've asked Digitalocksmith to take a look, because I don't know what the next step is.
No matter what we do, things get worse. =/

Please stand by.

Thank you, I'm getting pretty nervous here also. Not looking good for me! I will be here for another half hour, if we need to try something quick, (10am US Eastern) then I have some shoots today and will be back at 5:00 US E

ok I'm back here...any luck?

Nope, no PM back from digital yet.
To tell you the truth, i'm thinking format.

k

when i run combo fix it says there is a newer version...but I can't get it w/o internet. Should I try to run it again in safe mode and get the newer version if I have internet in safe mode?

You can try, but I doubt a new version will do anything.

what are your thoughts on PMP2 - it's working fine, on the internet with good speed, works for a bit, stops suddenly, I run WinsockFix, reboot, it works great for a short time, over and over....(that is exactly what PMP1 does in safe mode...in normal mode internet loads in about 30 mins)

Lets not run combofix on PMP2. I don't want it to change anything.
Do this instead.

Download OTViewIt to your desktop.

• Close all windows and open it
  
• Click Run Scan and let the program run uninterrupted
  
• It will produce two logs for you, one will pop up called OTViewIt.txt, the other will be saved on your desktop and called Extras. Post both those logs here.
  
• You may need to use two posts to get it all on the forum