Continuous pop ups - Win32:Agent LVW(Trj) + CVE-2007-0038 found by AVAST

[Axo]

Ok, here Kaspersky log:
It still found VNC as an infection but it is voluntarily installed.
updwmaph.exe seem to be still there and locked... and also the jkevny.job!

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, January 31, 2008 8:39:08 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/01/2008
Kaspersky Anti-Virus database records: 538462
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
V:\
Z:\

Scan Statistics:
Total number of scanned objects: 132564
Number of viruses found: 1
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 06:44:13

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Alessio Zanibelli\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Google\Google Desktop\e8a5e39440c9\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Google\Google Desktop\e8a5e39440c9\dbdam Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Google\Google Desktop\e8a5e39440c9\dbdao Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Google\Google Desktop\e8a5e39440c9\dbeam Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Google\Google Desktop\e8a5e39440c9\dbeao Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Google\Google Desktop\e8a5e39440c9\dbm Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Google\Google Desktop\e8a5e39440c9\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Google\Google Desktop\e8a5e39440c9\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Google\Google Desktop\e8a5e39440c9\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Google\Google Desktop\e8a5e39440c9\fii.cf1 Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Google\Google Desktop\e8a5e39440c9\fiih.ht1 Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Google\Google Desktop\e8a5e39440c9\hp Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Google\Google Desktop\e8a5e39440c9\hpt2i.ht1 Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Google\Google Desktop\e8a5e39440c9\rpm.cf1 Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Google\Google Desktop\e8a5e39440c9\rpm1m.cf1 Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Google\Google Desktop\e8a5e39440c9\rpm1mh.ht1 Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Google\Google Desktop\e8a5e39440c9\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Google\Google Desktop\e8a5e39440c9\safeweb\goog-black-enchashm.cf1 Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Google\Google Desktop\e8a5e39440c9\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Google\Google Desktop\e8a5e39440c9\safeweb\goog-black-urlm.cf1 Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Google\Google Desktop\e8a5e39440c9\safeweb\goog-black-urlmh.ht1 Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Google\Google Desktop\e8a5e39440c9\safeweb\goog-malware-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Google\Google Desktop\e8a5e39440c9\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Google\Google Desktop\e8a5e39440c9\safeweb\goog-white-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Google\Google Desktop\e8a5e39440c9\safeweb\goog-white-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Dati applicazioni\Microsoft\Windows Defender\FileTracker\{BB810C75-FC8C-4DDE-B89F-172C4D5C3FF3} Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Temp\~DF769D.tmp Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Temp\~DF96A7.tmp Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Temp\~DFA497.tmp Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Temp\~DFA862.tmp Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Alessio Zanibelli\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows Defender\Support\MPLog-04172007-102748.log Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\temp\MpCmdRun-30-421CFC91-A93E-42AB-A35C-F06F127FCC44.lock Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\temp\MpCmdRun.log Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Programmi\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Programmi\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Programmi\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\updwmaph.exe Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Tasks\jkevny.job Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_2b4.dat Object is locked skipped
C:\WINDOWS\Temp\TMP0000010614AD2DC451107159 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Z:\Lettere\VPN\vnc-4_1_2-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
Z:\Lettere\VPN\vnc-4_1_2-x86_win32.exe/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
Z:\Lettere\VPN\vnc-4_1_2-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
Z:\Lettere\VPN\vnc-4_1_2-x86_win32.exe/file5 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
Z:\Lettere\VPN\vnc-4_1_2-x86_win32.exe Inno: infected - 4 skipped
Z:\Virtual private network\vnc-4_1_2-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
Z:\Virtual private network\vnc-4_1_2-x86_win32.exe/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
Z:\Virtual private network\vnc-4_1_2-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
Z:\Virtual private network\vnc-4_1_2-x86_win32.exe/file5 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
Z:\Virtual private network\vnc-4_1_2-x86_win32.exe Inno: infected - 4 skipped

Scan process completed.

[tetonbob]

VNC gets reported due to it's potential. As long as you've intentionally installed it, the report is not a concern.

Open NOTEPAD.exe and copy/paste the text in the codebox below into it:

Code:

@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

C:\WINDOWS\system32\updwmaph.exe
C:\WINDOWS\Tasks\jkevny.job

) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)

for %%g in (

%systemdrive%\Deckard

) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
del %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says

[Axo]

The aspect of the fix.bat was nothing concerning "photobucket go Pro" but a normal .bat icon like the attached one.

I clicked it and saied to me "Deleted Succesfully !!"
Hit a key to continue

[tetonbob]

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and use the following free programs:

• Microsoft Windows Update - http://www.windowsupdate.com
  Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    
  • Once updated you should see another prompt that the task was completed.
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
  
  Do not install more than one AntiVirus program because they will conflict with each other.
  
  
• FIREWALL
  Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here
  
  Do not install more than one firewall program because they will conflict with each other.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.

• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• MAKING INTERNET EXPLORER SAFER

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

[Axo]

Dear tetontob,
thank you very much for your help.

It tooked me much time in understanding all the procedures in your last post... although the work to do was poor!

Thanks to your suggestions, I will read all the proposed articles and will surf much more safely in the future!!

Going back to the beginning, I think I get stupidly infected opening a P2P file before scanning it with AVAST

If you come to Italy mail me a message !!

[tetonbob]

You're quite welcome for the help, Axo.

Surf Safely!