MS Juan & MS Tracking System in Registry
Jim F
Hello All!

I am new here, so I hope I do this right. I have a PC that belongs to a customer of mine. It appears as though he decided to download Pro Antispyware 2009, which was a costly mistake to begin with. Anyway... I seem to have removed everything I could find using Malwarebytes, but I still seem to have an issue.

The PC has 2 users on it. When I scan under one user with Malwarebytes, it comes up clean. When I scan while logged in under the other user, it keeps telling me about MS Juan and MS Tracking System being infected in the registry. No matter how many times I tell Malwarebytes to remove the items, they keep coming back. Here are the Malwarebytes, Panda ActiveScan, and HijackThis logs. I hope someone can help me get rid of what's left that's indicated by these logs.

Please get back to me as soon as you can.

Thanx!

Jim

Malwarebytes' Anti-Malware 1.30
Database version: 1368
Windows 5.1.2600 Service Pack 3

11/6/2008 8:49:20 AM
mbam-log-2008-11-06 (08-49-20).txt

Scan type: Quick Scan
Objects scanned: 48063
Time elapsed: 4 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Panda Active Scan
;*******************************************************************************
ANALYSIS: 2008-11-06 11:08:28
PROTECTIONS: 1
MALWARE: 30
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
AVG Anti-Virus Free 8.0 Yes Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@trafficmp[2].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@casalemedia[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@doubleclick[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@atdmt[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@atdmt[1].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@247realmedia[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@fastclick[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@fastclick[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@tribalfusion[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@tribalfusion[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@mediaplex[1].txt
00147806 Cookie/7search TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@7search[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@com[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@statcounter[1].txt
00167760 Cookie/Hitslink TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@counter.hitslink[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@ad.yieldmanager[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@apmebf[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@apmebf[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@serving-sys[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@bs.serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@bs.serving-sys[1].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@server.iad.liveperson[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@advertising[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@advertising[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@ads.pointroll[1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@overture[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@realmedia[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@questionmarket[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@questionmarket[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@zedo[2].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@adrevolver[2].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@target[1].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@ads.addynamix[1].txt
00442549 Spyware/Virtumonde Spyware Yes 2 Yes No C:\WINDOWS\System32\pdxdnl.dll
00442549 Spyware/Virtumonde Spyware No 1 Yes No C:\RECYCLER\S-1-5-21-220523388-1292428093-839522115-1004\Dc1.dll
01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-220523388-1292428093-839522115-1004\Dc2.txt
01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-220523388-1292428093-839522115-1004\Dc3.txt
03967136 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\System32\lmxpbb.dll
03967136 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\lmxpbb.dll
03967136 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\nyubxsuw.dll
03967136 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\lmxpbb.dll
;===============================================================================
SUSPECTS
Sent Location =a
;===============================================================================
;===============================================================================
VULNERABILITIES
Id Severity Description =a
;===============================================================================
;===============================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:57 AM, on 11/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\sistray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?f5a9241209154da698a18e18943860c5
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?f5a9241209154da698a18e18943860c5
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll dbzggn.dll crjqyz.dll tqvqxc.dll bunpjm.dll hoznmb.dll zguqkt.dll lmxpbb.dll qjeiar.dll pdxdnl.dll
O20 - Winlogon Notify: qoMgeFYs - qoMgeFYs.dll (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4644 bytes
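The logs above contain the two facts a responder would want to line up: the HijackThis O20 line lists a set of six-letter DLLs loaded into every process through AppInit_DLLs, and the Panda scan names some of those same files as Virtumonde. The script below is an added triage example (not the poster's, not Malwarebytes', not Panda's code) that parses the HijackThis persistence entries and the Malwarebytes registry-key lines, then cross-references the AppInit_DLLs entries against the scanner's file detections. The sample log lines are copied from this thread; the allowlist KNOWN_APPINIT and all function names are assumptions for the example.

```python
"""Triage helper for HijackThis / Malwarebytes / Panda logs (added example).
Cross-references AppInit_DLLs persistence entries with scanner file detections
so that the DLLs worth submitting for analysis stand out."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the HijackThis log posted in this thread.
HJT_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: avgrsstx.dll dbzggn.dll crjqyz.dll tqvqxc.dll bunpjm.dll hoznmb.dll zguqkt.dll lmxpbb.dll qjeiar.dll pdxdnl.dll
O20 - Winlogon Notify: qoMgeFYs - qoMgeFYs.dll (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Constructed sample: one cookie row plus the Virtumonde rows from the Panda log above.
PANDA_LOG = r"""
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\user\Cookies\user@trafficmp[2].txt
00442549 Spyware/Virtumonde Spyware Yes 2 Yes No C:\WINDOWS\System32\pdxdnl.dll
00442549 Spyware/Virtumonde Spyware No 1 Yes No C:\RECYCLER\S-1-5-21-220523388-1292428093-839522115-1004\Dc1.dll
03967136 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\System32\lmxpbb.dll
03967136 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\nyubxsuw.dll
"""

# Constructed sample: the registry section of the Malwarebytes log above.
MBAM_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# Assumed allowlist: AppInit_DLLs entries that belong to software known to be installed.
KNOWN_APPINIT = {"avgrsstx.dll"}


def parse_appinit_dlls(hjt_text: str) -> List[str]:
    """Return the DLL names from the O20 AppInit_DLLs line (empty if absent)."""
    for line in hjt_text.splitlines():
        m = re.match(r"O20 - AppInit_DLLs:\s*(.*)", line)
        if m:
            return m.group(1).split()
    return []


def missing_winlogon_notify(hjt_text: str) -> List[str]:
    """Winlogon Notify entries whose DLL HijackThis could not find on disk."""
    pat = re.compile(r"O20 - Winlogon Notify: (\S+) - (\S+) \(file missing\)")
    return [m.group(2) for line in hjt_text.splitlines() if (m := pat.match(line))]


def panda_detected_files(panda_text: str) -> Dict[str, str]:
    """Map lowercase file basename -> detection name for non-cookie rows."""
    # Columns: Id Description Type Active Severity Disinfectable Disinfected Location
    pat = re.compile(r"^\d{8}\s+(.+?)\s+(\S+)\s+(Yes|No)\s+(\d)\s+(Yes|No)\s+(Yes|No)\s+(.+)$")
    found: Dict[str, str] = {}
    for line in panda_text.splitlines():
        m = pat.match(line)
        if not m or m.group(2) == "TrackingCookie":
            continue
        basename = m.group(7).strip().rsplit("\\", 1)[-1].lower()
        found[basename] = m.group(1)
    return found


def parse_mbam_registry_keys(mbam_text: str) -> List[Tuple[str, str]]:
    """(registry key, detection name) pairs from the Malwarebytes log."""
    pat = re.compile(r"^(HKEY_\S.*?) \(([^)]+)\) -> ")
    return [(m.group(1), m.group(2)) for line in mbam_text.splitlines() if (m := pat.match(line))]


def triage(hjt_text: str, panda_text: str, mbam_text: str) -> Dict[str, object]:
    """Correlate persistence entries with scanner detections."""
    appinit = parse_appinit_dlls(hjt_text)
    unknown = [d for d in appinit if d.lower() not in KNOWN_APPINIT]
    detected = panda_detected_files(panda_text)
    return {
        # AppInit_DLLs entries not on the allowlist: loaded into every GUI process.
        "appinit_unknown": unknown,
        # Of those, the ones a scanner already names: highest confidence.
        "appinit_confirmed_by_scanner": sorted(d for d in unknown if d.lower() in detected),
        # Scanner hits that are not in AppInit_DLLs: other persistence or leftovers.
        "scanner_only": sorted(set(detected) - {d.lower() for d in appinit}),
        # Dangling Winlogon Notify entries: harmless now, but evidence of the same family.
        "winlogon_notify_missing": missing_winlogon_notify(hjt_text),
        "mbam_registry_keys": parse_mbam_registry_keys(mbam_text),
    }


if __name__ == "__main__":
    for k, v in triage(HJT_LOG, PANDA_LOG, MBAM_LOG).items():
        print(f"{k}: {v}")
```

On this thread's data the AppInit_DLLs list has nine entries outside the allowlist, two of which (lmxpbb.dll and pdxdnl.dll) the Panda scan already calls Virtumonde; the others share the same naming pattern and sit in the same load point, which is why the forum volunteers asked for the files rather than for another registry scan. The registry keys Malwarebytes keeps quarantining are re-created by the DLLs that are still loading, so the file list, not the key list, is what to chase.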
Tigger93
Hi there. smile.gif

Please find these files:
C:\WINDOWS\System32\lmxpbb.dll
C:\WINDOWS\system32\nyubxsuw.dll


Zip them up and attach that zipped file here in a new topic with a link to this thread. I will get back to you once they have been analyzed.
Raid
Same file, Trojan.Vundo Variant

Will be added to defs, thanks!
Jim F
QUOTE (Raid @ Nov 6 2008, 06:50 PM)
Same file, Trojan.Vundo Variant

Will be added to defs, thanks!


Any idea how long until I find out how to get rid of this problem? I'm not trying to push, I just don't know what your reply means to me.

Thanx!

Jim
Tigger93
Update Malwarebytes and scan again please and post the log.
Tigger93
Sorry, we cannot continue to help because this is a customer's PC.