Avast WEBforum

Other => Viruses and worms => Topic started by: alex1234 on October 18, 2007, 10:56:25 PM

Title: Er......this really sucks. Help, please?
Post by: alex1234 on October 18, 2007, 10:56:25 PM
Greetings,
I will be very happy and grateful if anyone can help me get rid of this thing...
Info, as accurate as I can make it:
I recently (a few days ago) reformatted my hard drive (let's call it D since I have another partition called C which I did not make any changes to.) So this means I reinstalled WinXP Pro on it; the reason why I reformatted was because I was having severe issues with booting my PC.
The next day I installed avast Home Edition, 3 hours later it tells me I have a trojan horse associated with the lsass.exe file.
The day after, it tells me of another Trojan.
Today, yet another.
Now I do not remember the names it gave me and they do not seem to be in the avast log even though I didn't erase it. Each time it recommended 'move to chest', and so that's what I did in all cases.
Yesterday while I was browsing the net with my beloved MSIE v.6 I started getting random browser windows opening to various sites: some porn, some dating sites, etc. So I did some research and found out some stuff about BHOs which I did find running as processes, so I disabled them in IE. Upgrading to IE7 did not solve the problems. So I installed Firefox. The windows do not pop up in Firefox browsing windows. But, they still popped up in IE windows even when I did not have any IE windows running. I haven't yet discerned a pattern to when they do appear.
This still happened today. However, the big problem of today is that all of a sudden I started getting stuff that you see in the screenshot. Obviously, these messages are fake and not alerts from my OS but are caused by the virus/trojan/worm/whatever that I have. The messages that they bring up are persistent and varied and involve notifying me of infection and the need to download software to fix it (software which undoubtedly leads to more infection. No I have not downloaded any of it.) Also, I see I have two new icons on my desktop as you see.
So I ran avast virus cleaner and made sure I closed programs, disabled on-access protection. It found nothing.
Er.......also the problem I had prior to reformatting about not being able to boot up Windows with any amount of ease persists though it is definitely better than before. However, I do not know if this is related to this virus/trojan/worm/whatever or just some hardware issue.
Help, please. I have tried to be as detailed as I can. Yes it is messing up some of my programs.
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 18, 2007, 11:32:24 PM
Welcome to the forum.

The virus cleaning tool is for certain specific viruses, and is not intended for general scanning purposes.

Schedule a boottime scan. Open the avast interface and from the menu select schedule boottime scan. Move anything found to the chest.

You can also run these: AVG Anti-Spyware http://www.ewido.net/en/ , and SUPERAntiSpyware http://www.superantispyware.com/

And

Click here (http://www.thespykiller.co.uk/files/HJTsetup.exe) to download HJTsetup.exe



Save HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.

Put a check by Create a desktop icon then click Next again.

Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.

Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.

Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

The HJT log will probably have to be broken into multiple posts.
Title: Re: Er......this really sucks. Help, please?
Post by: DavidR on October 18, 2007, 11:38:16 PM
Quote from: oldman
Click here to download HJTsetup.exe

There is no link in the click 'here' to download.
Title: Re: Er......this really sucks. Help, please?
Post by: mauserme on October 19, 2007, 01:20:38 AM
Here (http://www.thespykiller.co.uk/files/HJTsetup.exe) you go.
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on October 19, 2007, 01:27:43 AM
Hello, thanks for the quick responses.
I cannot find an option for a boottime scan for avast.
AVG tells me I have a bunch of Tracking cookies.
SUPERAntiSpyware tells me it found 42 Tracking cookie adware items and 6 items called Trojan.WinFixer (4 of which are in my registry keys, and one of these is a BHO). It gives me the option to quarantine; should I do this? This is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/18/2007 at 05:13 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type       : Quick Scan
Total Scan Time : 00:09:50

Memory items scanned      : 523
Memory threats detected   : 1
Registry items scanned    : 620
Registry threats detected : 4
File items scanned        : 8450
File threats detected     : 43

Trojan.WinFixer
   D:\WINDOWS\SYSTEM32\JKHHH.DLL
   D:\WINDOWS\SYSTEM32\JKHHH.DLL
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3286B9A3-A792-463A-A3F2-7CE38B878BEB}
   HKCR\CLSID\{3286B9A3-A792-463A-A3F2-7CE38B878BEB}
   HKCR\CLSID\{3286B9A3-A792-463A-A3F2-7CE38B878BEB}\InprocServer32
   HKCR\CLSID\{3286B9A3-A792-463A-A3F2-7CE38B878BEB}\InprocServer32#ThreadingModel

Adware.Tracking Cookie
   D:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@clicksor[2].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@apmebf[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@tradedoubler[2].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@ads.mytelus[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@adbrite[2].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@revsci[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@perf.overture[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@ad.zanox[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@ads1.nsamedia[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@ads.adbrite[2].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[2].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@network-ca.247realmedia[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@microsoftwlmessengermkt.112.2o7[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@atwola[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@interclick[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@statcounter[2].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@www.popundersupply[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@ehg-mybc.hitbox[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@adcentriconline[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@adserver.adreactor[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@tremor.adbureau[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@advertising[3].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@media.adrevolver[2].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@zedo[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@toplist[2].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@247realmedia[1].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@hitbox[2].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@tacoda[2].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@3.adbrite[2].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@realmedia[2].txt
   D:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[2].txt
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on October 19, 2007, 01:28:52 AM
Thanks guys.
This is the log file after running the Hijack program:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:24:43 PM, on 18/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
D:\WINDOWS\system32\devldr32.exe
D:\WINDOWS\system32\wuauclt.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\vopijige.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MimBoot] D:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "D:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "D:\WINDOWS\system32\skthcmav.dll",sitypnow
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TELUS eCare.lnk = D:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 6297 bytes
Title: Re: Er......this really sucks. Help, please?
Post by: DavidR on October 19, 2007, 01:40:54 AM
@ alex1234
This is likely to be scum/scam/rogueware and should be caught by the rogue malware removal tool.
Try this tool, RogueRemover, available here http://www.malwarebytes.org/rogueremover.php (http://www.malwarebytes.org/rogueremover.php)


Title: Re: Er......this really sucks. Help, please?
Post by: DavidR on October 19, 2007, 01:58:09 AM
Re your HJT log.

First you don't appear to have an active firewall, what is your firewall ?

Upload both of the files below, vopijige.dll and skthcmav.dll, to VirusTotal (VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/)) and report the results. If, as suspected, multiple scanners report infection, send the samples to avast, see below. A google search on the above filenames returns zero hits, which in itself is suspicious.

This one appears to be Vundo/Virtumonde
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\vopijige.dll
See VundoFix below.

This one is suspect.
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "D:\WINDOWS\system32\skthcmav.dll",sitypnow

If the above items are confirmed as infected at VirusTotal, then run HJT again and fix both the entries.

####
Send the sample to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
####

VundoFix
Here are the cleansing instructions for Virtumonde: http://www.bleepingcomputer.com/forums/topic18610.html (http://www.bleepingcomputer.com/forums/topic18610.html)

Download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 19, 2007, 02:19:55 AM
Quote from: oldman
Click here to download HJTsetup.exe

There is no link in the click 'here' to download.

Sorry about that, I'll have to fix that.  :-[  Thanks mauserme.
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on October 19, 2007, 02:51:37 AM
Quote from: DavidR
This likely to be scum/scam/rogueware and Should be caught by the rogue malware removal tool.
Try this tool, RogueRemover, available here http://www.malwarebytes.org/rogueremover.php
Ran it and all it found was one of the icon .lnk files that's been created on my desktop by this thing.

Also as far as I know I have the Windows Firewall on (just checked it), though I have exceptions enabled for Windows Live Messenger, µtorrent and Remote Assistance.

VirusTotal returned this on my vopijige.dll file:
File vopijige.dll received on 10.19.2007 02:34:22 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 11/31 (35.49%)
Antivirus     Version     Last Update     Result
AhnLab-V3   2007.10.19.0   2007.10.18   -
AntiVir   7.6.0.27   2007.10.18   ADSPY/SecToolBar.F.1
Authentium   4.93.8   2007.10.18   -
Avast   4.7.1051.0   2007.10.18   -
AVG   7.5.0.488   2007.10.18   Adware Generic2.TWW
BitDefender   7.2   2007.10.19   -
CAT-QuickHeal   9.00   2007.10.18   AdWare.SecToolBar.f (Not a Virus)
ClamAV   0.91.2   2007.10.17   -
DrWeb   4.44.0.09170   2007.10.18   Trojan.Hammer
eSafe   7.0.15.0   2007.10.15   -
eTrust-Vet   31.2.5220   2007.10.18   -
Ewido   4.0   2007.10.18   -
FileAdvisor   1   2007.10.19   -
Fortinet   3.11.0.0   2007.10.19   W32/Agent.ADAG!tr
F-Prot   4.3.2.48   2007.10.18   -
F-Secure   6.70.13030.0   2007.10.19   -
Ikarus   T3.1.1.12   2007.10.19   -
Kaspersky   7.0.0.125   2007.10.19   not-a-virus:AdWare.Win32.SecToolBar.f
McAfee   5144   2007.10.18   -
Microsoft   1.2908   2007.10.19   -
NOD32v2   2601   2007.10.18   Win32/Adware.SecToolbar
Norman   5.80.02   2007.10.18   -
Panda   9.0.0.4   2007.10.18   Adware/SecurityToolbar
Prevx1   V2   2007.10.19   Heuristic: Suspicious File With Bad Parent Associations
Rising   19.45.32.00   2007.10.18   -
Sophos   4.22.0   2007.10.18   Mal/Behav-010
Sunbelt   2.2.907.0   2007.10.18   -
Symantec   10   2007.10.19   -
TheHacker   6.2.9.097   2007.10.18   -
VBA32   3.12.2.4   2007.10.19   AdWare.Win32.SecToolBar.f
VirusBuster   4.3.26:9   2007.10.18   -

And on the skthcmav.dll file:
File skthcmav.dll received on 10.19.2007 02:44:12 (CET)
Current status: Loading ...  queued  waiting  scanning  finished 
Result: 11/32 (34.38%)
Antivirus     Version     Last Update     Result
AhnLab-V3   2007.10.19.0   2007.10.18   -
AntiVir   7.6.0.27   2007.10.18   TR/Dldr.ConHook.Gen
Authentium   4.93.8   2007.10.18   -
Avast   4.7.1051.0   2007.10.18   -
AVG   7.5.0.488   2007.10.18   Lop
BitDefender   7.2   2007.10.19   Trojan.Vundo.DNR
CAT-QuickHeal   9.00   2007.10.18   -
ClamAV   0.91.2   2007.10.17   -
DrWeb   4.44.0.09170   2007.10.18   -
eSafe   7.0.15.0   2007.10.15   -
eTrust-Vet   31.2.5220   2007.10.18   -
Ewido   4.0   2007.10.18   -
FileAdvisor   1   2007.10.19   -
Fortinet   3.11.0.0   2007.10.19   -
F-Prot   4.3.2.48   2007.10.18   -
F-Secure   6.70.13030.0   2007.10.19   Vundo.gen41
Ikarus   T3.1.1.12   2007.10.19   -
Kaspersky   7.0.0.125   2007.10.19   -
McAfee   5144   2007.10.18   Vundo
Microsoft   1.2908   2007.10.19   Trojan:Win32/Vundo.K
NOD32v2   2601   2007.10.18   -
Norman   5.80.02   2007.10.18   Vundo.gen41
Panda   9.0.0.4   2007.10.18   Suspicious file
Prevx1   V2   2007.10.19   Trojan.Vundo
Rising   19.45.32.00   2007.10.18   -
Sophos   4.22.0   2007.10.18   Virtumundo
Sunbelt   2.2.907.0   2007.10.18   -
Symantec   10   2007.10.19   -
TheHacker   6.2.9.097   2007.10.18   -
VBA32   3.12.2.4   2007.10.19   -
VirusBuster   4.3.26:9   2007.10.18   -
Webwasher-Gateway   6.6.1   2007.10.19   Trojan.Dldr.ConHook.Gen

I'm going to wait to hear your opinions on the results before I take any action. The second file seems to be that Vundo thing you mentioned.
Title: Re: Er......this really sucks. Help, please?
Post by: DavidR on October 19, 2007, 04:37:40 AM
Windows XP's firewall is better than no firewall, but it lulls you into a false sense of protection: it doesn't provide outbound protection. Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection and you should consider a third party firewall.

Any malware that manages to get past your defences will have free reign to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

Send samples of both the files to avast (I would suggest you add them to the user files section of the avast chest and send from there). Before you download, read and print the VundoFix instructions so you can follow them, and then run VundoFix.

Once you have done that run HJT and check if these entries that I mentioned before have gone, if not, tick the fix box to the left of the entry and click the Fix button.

The first file would seem to be a toolbar also related to vundo so hopefully that too will be picked up when you run vundofix.
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on October 19, 2007, 05:52:34 AM
Okay, is there a good firewall you recommend?

I ran VundoFix.exe and the alerts are now gone! WOoot! I still got a few pop up ads in IE but then I found yet another BHO add-on, disabled it and so far it seems to be alright. I think I've just been converted to Firefox.

As well, I suppose I should have sent the two files to avast before I ran the fix, now I don't think I can send them so sorry about that.

Also I ran Hijack and did not find these two entries:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:23 PM, on 18/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\system32\devldr32.exe
D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
D:\Program Files\D-Tools\daemon.exe
D:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
D:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe
D:\Program Files\uTorrent\uTorrent.exe
D:\WINDOWS\system32\spider.exe
D:\Program Files\MSN Messenger\usnsvc.exe
D:\WINDOWS\system32\wuauclt.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MimBoot] D:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "D:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [hpfsched] D:\WINDOWS\hpfsched.exe
O4 - HKLM\..\RunOnce: [RunOnceEx] rundll32.exe D:\WINDOWS\system32\iernonce.dll,RunOnceExProcess
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Reminder-hpc41001.lnk = D:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe
O4 - Global Startup: TELUS eCare.lnk = D:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 6440 bytes

Hopefully it is gone, thanks to all of you for your help, especially DavidR. And hopefully I won't have the misfortune to come back for more help...you guys were very quick and efficient, nice to know some people give their time and skills to help people they don't even know, especially considering that others only use their time and skills to screw over people they also don't even know. ::)
Title: Re: Er......this really sucks. Help, please?
Post by: Lisandro on October 19, 2007, 12:13:43 PM
Okay, is there a good firewall you recommend?
Comodo firewall 8)
Title: Re: Er......this really sucks. Help, please?
Post by: DavidR on October 19, 2007, 03:33:00 PM
@ alex1234

This needs fixed as it is a remnant of having cleaned out Vundo.
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)

This isn't really needed to run on boot, but also see my comments below.
O4 - HKLM\..\RunOnce: [RunOnceEx] rundll32.exe D:\WINDOWS\system32\iernonce.dll,RunOnceExProcess

I'm assuming that IE opens automatically after boot (?). For me I don't feel this is a good idea, especially if you're considering Firefox as your default browser. I hate things loading automatically on or after boot unless they are absolutely essential.

The strange thing about this is it is supposed to be related to IE 5.5; the other strange thing is it wasn't on your first HJT log and, being a suspicious sod, I would suggest you upload iernonce.dll to VirusTotal for checking also, though this file should be legit in that system32 folder.

Other than that I don't see anything else obvious in your HJT log.

It is a shame that you didn't send the files to avast to help improve detections, but it is hard to think logically when your a** is in the fire.

Comodo firewall as Tech mentions works well with avast.

In my view firefox is much less susceptible to these pop-ups, etc. as for one it doesn't have BHOs that can blight IE. There are also many, many, extensions that can improve your browser experience and make you more secure, NoScript should be a mandatory pick for an extension.

We're glad that we could help, welcome to the forums.
Stick around and browse the forums, especially the sticky topics at the top of each of the forums, not to mention the avast help file. They provide a wealth of information to help you get the best from avast.
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on October 19, 2007, 09:21:22 PM
Quote
This needs fixing as it is a remnant of having cleaned out Vundo.
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
Done.

Quote
I'm assuming that IE opens automatically after boot (?)
It doesn't.

Quote
I would suggest you upload iernonce.dll to VirusTotal for checking also
Done and it came out clear.

Er, just as I typed the above, I started to get the fake alerts that appear in the taskbar again. I can almost laugh. Never mind, I am laughing. Ah well, at least I can send the files to avast this time. I believe that this started at about the same time of day as yesterday. Coincidence?

Well, I ran Hijack This again and found another suspicious file that VirusTotal tells me is bad (O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\ixnnajpv.dll) so I guess I'll run VundoFix again; if that doesn't work there's always the VirtumundoBeGone.
Title: Re: Er......this really sucks. Help, please?
Post by: Maxx_original on October 19, 2007, 10:19:29 PM
hello guys.. i'm collecting undetected Virtumonde variants now, so you can expect a detection to be done soon... ;)
Title: Re: Er......this really sucks. Help, please?
Post by: DavidR on October 19, 2007, 10:26:10 PM
If you didn't fix that
O4 - HKLM\..\RunOnce: [RunOnceEx] rundll32.exe D:\WINDOWS\system32\iernonce.dll,RunOnceExProcess

I don't know what it does; I thought, wrongly, that it starts IE, but from some Google hits it doesn't seem to be a required start/run item. I would check if it is in the Startup tab of msconfig (Windows Start, Run, type msconfig); if there is an entry there, uncheck it (don't delete the entry) and see if there is any negative impact. If so it can always be checked again, which is why I said not to delete the entry.

I would also upload the new probable Vundo file to VT and send to avast if confirmed infected.

If you haven't downloaded the new firewall I would suggest you get on it with urgency as it is often difficult to get your system clean without an effective firewall.

Since this is back there may be something hidden that is restoring this.
Also see anti-rootkit detection, removal & protection: http://www.antirootkit.com/software/index.htm. Try these as they are some of the more efficient and user friendly anti-rootkit tools.
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip
- AVG Anti-Rootkit - http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5
Title: Re: Er......this really sucks. Help, please?
Post by: mauserme on October 19, 2007, 11:10:11 PM
Quote
hello guys.. i'm collecting undetected Virtumonde variants now, so you can expect a detection to be done soon... ;)
8)

Good to hear - lots of tough ones out there right now.
Title: Re: Er......this really sucks. Help, please?
Post by: Maxx_original on October 19, 2007, 11:23:07 PM
yep.. vundo and autorun are current points of pain for many users.. we'll target on them in next few days..
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on October 20, 2007, 12:25:56 AM
Quote
If you didn't fix that
O4 - HKLM\..\RunOnce: [RunOnceEx] rundll32.exe D:\WINDOWS\system32\iernonce.dll,RunOnceExProcess

I don't know what it does; I thought, wrongly, that it starts IE,
Actually you might not be wrong. I just installed Comodo and it told me that iexplorer.exe was trying to make a connection right after I restarted and without me running anything that wasn't already running with the bootup. Out of curiosity I allowed it, but no IE windows opened, i.e. nothing that I could see happened.

Then I ran msconfig as you said and looked at the Startup Tab and found something that's obviously related to the problem (screenshot provided as attachment--edit---sorry my PC is starting to mess up now and I can't attach anything, will do it with next post after restart). Should I uncheck that box then? I can see it spawning itself again regardless. *sigh

The Panda Rootkit Cleaner found nothing. AVG Anti-Rootkit does not seem to want to run.

And yes I have sent the ixnnajpv.dll file to avast. :P
Title: Re: Er......this really sucks. Help, please?
Post by: DavidR on October 20, 2007, 12:34:52 AM
Quote
yep.. vundo and autorun are current points of pain for many users.. we'll target on them in next few days..

It is nice to see some guided targeting on issues which are more prevalent to users, as seen in the forums.

I wonder if there is any mileage in checking for autorun.inf on fixed drives; if found, is it possible to check the files listed in the commands within the autorun.inf?
Title: Re: Er......this really sucks. Help, please?
Post by: DavidR on October 20, 2007, 12:42:42 AM
Quote
If you didn't fix that
O4 - HKLM\..\RunOnce: [RunOnceEx] rundll32.exe D:\WINDOWS\system32\iernonce.dll,RunOnceExProcess

I don't know what it does; I thought, wrongly, that it starts IE,
Actually you might not be wrong. I just installed Comodo and it told me that iexplorer.exe was trying to make a connection right after I restarted and without me running anything that wasn't already running with the bootup. Out of curiosity I allowed it, but no IE windows opened, i.e. nothing that I could see happened.

Then I ran msconfig as you said and looked at the Startup Tab and found something that's obviously related to the problem (screenshot provided as attachment--edit---sorry my PC is starting to mess up now and I can't attach anything, will do it with next post after restart). Should I uncheck that box then? I can see it spawning itself again regardless. *sigh

The Panda Rootkit Cleaner found nothing. AVG Anti-Rootkit does not seem to want to run.

And yes I have sent the ixnnajpv.dll file to avast. :P

You could try fixing it in HJT and see if that stops it running and making any connection attempt. When you fix something in HJT the default is to back up the fix, so if need be you can restore it later.

I would also suggest that you find the entry for iexplorer.exe in Comodo that would force the same challenge if it were to do it again. Let's see if that stops it spawning again.
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 20, 2007, 02:28:00 AM
@ DavidR

In the last week or so SuperAntiSpyware has added a bunch of Vundo detections. Might be worth a try with the following settings. Update first.

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked
- Close browsers before scanning
- Scan for tracking cookies
- Terminate memory threats before quarantine.

Leave the others unchecked.

Return to the main page by clicking close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive.
Under Complete Scan, choose Perform Complete Scan.
- Click Next to start the scan.

When the scan is done, quarantine everything found. Reboot if asked.
Title: Re: Er......this really sucks. Help, please?
Post by: DavidR on October 20, 2007, 03:40:41 AM
alex1234 has SuperAntiSpyware and ran it earlier in this topic, reply #4, you suggested it and ewido in reply #2.

The runonce entry is just something that isn't required and may be starting IE.
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on October 20, 2007, 04:58:09 AM
Attached is the screenshot I said I'd post a few posts back.

Quote
You could try fixing it in HJT
Did, ran HJT again and it was still there. Repeated fix, still there.

Also I ran vundofix.exe again and it found two files. It removed one but could not remove the other which was the same ixnnajpv.dll file I sent to avast so you can be sure it's an infected file. After a reboot, it again was not able to remove it.

Quote
alex1234 has SuperAntiSpyware and ran it earlier in this topic,
I did but I only ran a Quick scan. Now I ran a complete scan as oldman suggested and it found 406 threats which I have quarantined, including the ixnnajpv.dll file which was picked up. But I have not restarted yet since I have tremendous difficulty getting Windows to boot up, safemode or normal mode, and I want to report this before I make the 50 or so attempts that are necessary before a successful boot.
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 20, 2007, 11:24:49 AM
I found a lot of cases of this. The dll is a random name and the key to the search was sitypnow. All are vundo with a smitfraud case thrown in.

Could you post the SAS log of the last scan? There may be some clues in it as to what it picked up. At any rate some garbage may be gone.

Rename highjack.exe to highjackalex.exe or whatever you want. Vundo is capable of hiding from HijackThis. Post the log.
Title: Re: Er......this really sucks. Help, please?
Post by: DavidR on October 20, 2007, 02:58:34 PM
Quote from: alex1234
Also I ran vundofix.exe again and it found two files. It removed one but could not remove the other which was the same ixnnajpv.dll file I sent to avast so you can be sure it's an infected file. After a reboot, it again was not able to remove it.

some tools for stubborn file removal.
- MoveOnBoot http://www.snapfiles.com/get/moveonboot.html
- Unlocker http://ccollomb.free.fr/unlocker/ is also good as it also has a few additional features to not only delete the files but stop any process that is stopping you from deleting a file.
Title: Re: Er......this really sucks. Help, please?
Post by: Maxx_original on October 20, 2007, 03:55:36 PM
DavidR: we don't want to check autoruns at fixed drives and flag them as malware or suspicious... ~95% of autorun viruses are written in VB (that's quite lame.. ehm, using VB generally isn't coding in its real sense imho) and sometimes repacked with a supported packer.. there are more ways to catch VB programs effectively (i can't tell you more), so the only thing to do is to make some order between samples from users and samples from other sources and the detection is then a question of a few hours..

about Virtumonde/Vundo.. authors of this spyware/adware are using a batch creation of new variants... that's good for them, because they are able to produce a new variant every five hours, e.g. (the same, but more frequent update technique is used by Tibs/Zhelatin).. fortunately - all the variants have the same basics and could be detected..
Title: Re: Er......this really sucks. Help, please?
Post by: mauserme on October 20, 2007, 04:30:58 PM
Having a look at recent file creations and some additional reg entries might prove useful here.

Download Deckard's System Scanner (DSS) (http://deckard.geekstogo.com/dss.exe) to your Desktop.

Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow Deckard's System Scanner to run and don't let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus.)

Post the main.txt from the C:\Deckard\System Scanner folder into your next reply.
Title: Re: Er......this really sucks. Help, please?
Post by: mauserme on October 20, 2007, 04:59:22 PM
Quote
fortunately - all the variants (of Virtumondo) have the same basics and could be detected..
Is it my imagination or are these recent variants better protected - very good at hiding from the traditional tools and harder to delete when found?
Title: Re: Er......this really sucks. Help, please?
Post by: Maxx_original on October 20, 2007, 05:08:45 PM
the older variants were simple DLLs registered as BHOs.. the newer versions came with a user-mode rootkit, which is hiding the libraries etc..
Title: Re: Er......this really sucks. Help, please?
Post by: DavidR on October 20, 2007, 05:09:17 PM
I can't recall where I read it but I believe some of the Vundo infections are hidden by rootkit.

I must improve my typing skills ;D
Title: Re: Er......this really sucks. Help, please?
Post by: mauserme on October 20, 2007, 05:33:01 PM
Well, many have been rooted (or stealthy, at least) for a while and were able to hide from HijackThis for example (the reason for renaming HJT in some cases). But now VundoFix is less effective and ComboFix doesn't always find it. In the case of ComboFix it's not just that the detection is lacking - they don't show up in the 30 day list of file creations in some cases.

And I had a recent thread in this forum where the file couldn't be deleted with OTMoveIt or in safe mode. A user mode rootkit probably explains the lack of success with OTMoveIt but failure to delete in safe mode surprised me.

But maybe we should let alex1234 have his thread back and continue this in the Cafe.  I would be interested if you would post more there.

Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 20, 2007, 05:50:24 PM
Quote
fortunately - all the variants (of Virtumondo) have the same basics and could be detected..
Is it my imagination or are these recent variants better protected - very good at hiding from the traditional tools and harder to delete when found?

The ones that I was looking at with sitypnow, removal was accomplished with a combination of smitfraud (not sure if that did anything), SAS, ComboFix, VundoFix etc. Nothing that I haven't seen used here.

The common thing was a line similar to "O4 Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\incfejqn.dll",sitypnow", with [xxx] variable, as was xxx.dll. It seems that the xxx.dll can change from one instance of HJT to the next. Of course there was a number of random letter filenames that went along with them.

These threads were in the last 3 weeks.
Title: Re: Er......this really sucks. Help, please?
Post by: mauserme on October 20, 2007, 06:04:19 PM
Quote
The common thing was a line similar to "O4 Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\incfejqn.dll",sitypnow", with [xxx] variable, as was xxx.dll. It seems that the xxx.dll can change from one instance of HJT to the next. Of course there was a number of random letter filenames that went along with them.
I actually worked on one of those just last month

http://forum.avast.com/index.php?topic=30529.msg252635#msg252635

And yes, the file name did change.

But look at the list of WinPFind file deletions on page 4 of that thread after running the tools you mention (well, I don't remember any SmitFraud in that thread, but the rest). It's fine - that's what WinPFind is for. But it wasn't necessary not so long ago.
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 20, 2007, 06:34:14 PM
The post I was referring to came from a Google search. As I said, I'm not sure about SmitfraudFix, as no log was posted and that line was abandoned in favor of ComboFix and SAS.

http://forums.techguy.org/malware-removal-hijackthis-logs/630961-solved-urfwgsq-dll-sitypnow.html

But you're right, should give this thread back to alex.
Title: Re: Er......this really sucks. Help, please?
Post by: essexboy on October 20, 2007, 08:41:50 PM
Quote
fortunately - all the variants (of Virtumondo) have the same basics and could be detected..
Is it my imagination or are these recent variants better protected - very good at hiding from the traditional tools and harder to delete when found?
In a word YES
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on October 21, 2007, 12:20:54 AM
Quote
But you're right, should give this thread back to alex.
No problem, I really don't mind at all. Anyways I'm learning more about these things as I read your comments. :)

I'm happy to say that I updated and ran SuperAntispyware as oldman suggested, in fact I ran it twice. First time it came up with 406 infected but I did not restart immediately as I said. Then some time later I ran it again and it found 135. Both times I quarantined and immediately after the second run I rebooted. Now all signs of infection seem to be gone (no more alerts and pop-ups thus far), and I actually physically shut off my modem as well just in case stuff was coming in after start up.

As oldman requested, I will attach the logs of the two SuperAntispyware runs with this post.

I'll run DSS next as mauserme suggested and post the log in the next post since I need to close this window.

I've renamed the HJT program and ran it just now, this is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:17:33 PM, on 20/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\system32\devldr32.exe
D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
D:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe
D:\WINDOWS\system32\spider.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\uTorrent\uTorrent.exe
D:\Program Files\Trend Micro\HijackThis\HijackThisAlex.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: BHO32 - {717833AD-7A96-11DC-8314-0800200C9A66} - D:\Program Files\BH0\ie-improver.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BB3D133B-253E-4995-B14F-2BA165B591F7} - D:\WINDOWS\system32\jkhhh.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MimBoot] D:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "D:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [hpfsched] D:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Reminder-hpc41001.lnk = D:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe
O4 - Global Startup: TELUS eCare.lnk = D:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 7050 bytes

I see it is still there as
O2 - BHO: (no name) - {BB3D133B-253E-4995-B14F-2BA165B591F7} - D:\WINDOWS\system32\jkhhh.dll
but my symptoms are gone, which is good.
Title: Re: Er......this really sucks. Help, please?
Post by: DavidR on October 21, 2007, 12:45:12 AM
You should Fix this.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

You should Fix these when confirmed as bad.
O2 - BHO: (no name) - {BB3D133B-253E-4995-B14F-2BA165B591F7} - D:\WINDOWS\system32\jkhhh.dll
This would appear to be a Virtumonde entry; it may be that this is just the registry entry, but check if the file is there too (http://www.spywaredata.com/spyware/malware/jkhhh.dll.php), upload to VT and send to avast if detected by multiple scanners.

O2 - BHO: BHO32 - {717833AD-7A96-11DC-8314-0800200C9A66} - D:\Program Files\BH0\ie-improver.dll

See http://www.sophos.com/security/analyses/trojbhodv.html
Quote
When Troj/BHO-DV is installed the following files are created:

<Program Files>\IE bho\ie-improver.dll
<Program Files>\IE bho\uninstall.exe

The file ie-improver.dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

Upload to VT to confirm and send to avast if detected by multiple scanners.
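Added example (not from any poster and not HijackThis's own logic): a Python triage of HJT log lines for the patterns raised in this thread, that is entries pointing at a missing file (the O3 toolbar and O20 Winlogon Notify lines), unnamed O2 BHOs loaded from system32 (the jkhhh.dll line) and the O4 rundll32 `"...\system32\xxxxxxxx.dll",export` loader oldman describes. The sample lines are copied from the logs posted here; the regexes, the `triage`/`flagged_sections` names and the `known_good` set are assumptions of this example, and the rundll32 rule also flags iernonce.dll, which the thread checked on VirusTotal and found clean, so a flag means "check it", not "infected".

```python
import re

# Sample entries copied from the HijackThis logs posted in this thread, with two
# benign lines from the same logs kept to show what is not flagged.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BB3D133B-253E-4995-B14F-2BA165B591F7} - D:\WINDOWS\system32\jkhhh.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [RunOnceEx] rundll32.exe D:\WINDOWS\system32\iernonce.dll,RunOnceExProcess
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\incfejqn.dll",sitypnow
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)
"""

# Every HJT entry starts with its section code (R0, R1, O2, O4, O20, ...).
ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
# Registry entry whose target file is gone: the leftover toolbar/BHO/Winlogon
# Notify lines the thread says to "fix" in HJT.
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)$")
# rundll32 loading a letters-only DLL from system32 and calling a named export:
# the '[SearchIndexer] rundll32.exe "...\system32\xxxxxxxx.dll",sitypnow' shape.
RUNDLL_RE = re.compile(
    r'rundll32\.exe\s+"?[a-z]:\\windows\\system32\\([a-z]{5,8})\.dll"?,(\w+)', re.I)
# Unnamed BHO whose DLL lives in system32 (the jkhhh.dll line).
NONAME_BHO_RE = re.compile(
    r"^O2 - BHO: \(no name\) - \{[0-9a-f-]{36}\} - [a-z]:\\windows\\system32\\(\w+\.dll)$", re.I)


def triage(log_text, known_good=frozenset()):
    """Return [(entry, [reasons])] for HJT entries that merit a manual check.

    known_good holds DLL base names already verified (e.g. uploaded to
    VirusTotal and found clean), so the rundll32 rule stops re-flagging them.
    A flag means "look at this", not "infected".
    """
    findings = []
    for raw in log_text.splitlines():
        entry = raw.strip()
        m = ENTRY_RE.match(entry)
        if not m:
            continue
        section = m.group(1)
        reasons = []
        if ORPHAN_RE.search(entry):
            reasons.append(f"{section}: entry points at a missing file (remnant to fix in HJT)")
        rd = RUNDLL_RE.search(entry)
        if rd and rd.group(1).islower():
            dll = f"{rd.group(1)}.dll"
            if dll not in known_good:
                reasons.append(f"{section}: rundll32 loads {dll} from system32 and calls "
                               f"export '{rd.group(2)}' (Vundo-style loader; upload the DLL)")
        if NONAME_BHO_RE.match(entry):
            reasons.append("O2: unnamed BHO loaded from system32 (upload the DLL)")
        if reasons:
            findings.append((entry, reasons))
    return findings


def flagged_sections(log_text, known_good=frozenset()):
    """Section codes of the flagged entries, in log order."""
    return [ENTRY_RE.match(entry).group(1) for entry, _ in triage(log_text, known_good)]


if __name__ == "__main__":
    # iernonce.dll was checked on VirusTotal earlier in the thread and came back clean.
    for entry, reasons in triage(SAMPLE_LOG, known_good={"iernonce.dll"}):
        print(entry)
        for r in reasons:
            print("   ->", r)
```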
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 21, 2007, 12:52:44 AM
There's still some signs in the HJT log. Also what might be Zlob. This might be a good time to clean out some old restore points, just in case System Restore is restoring some of it.

Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point

Remove old restore points

Disk Cleanup - Launch the Disk Cleanup tool and then select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

Good choice in turning off the modem, in case there is a downloader.

Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 21, 2007, 01:08:59 AM
There's also the O20 line, but ixnnajpv.dll doesn't show in running processes.

O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on October 21, 2007, 01:16:23 AM
I made 5 attempts at running DSS but each time I get a "....has encountered a problem and needs to close" error.

jkhhh.dll returned 11/32 (34.38%). I will send it to avast.
The D:\Program Files\BH0\ie-improver.dll file I cannot upload to VirusTotal since I cannot find a BHO directory in D:\Program Files\ in the upload browser.

Quote
(http://www.spywaredata.com/spyware/malware/jkhhh.dll.php)
I'm guessing this is a collection of jkhhh.dll files that people have uploaded, I do not see mine there, if judging by file size is a good indication of a match.

Quote
Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point

Remove old restore points

Disk Cleanup - Launch the Disk Cleanup tool and then select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

Unless system restore points are created automatically, I do not have any since I recently reformatted. But will do.

Quote
some tools for stubborn file removal.
- MoveOnBoot http://www.snapfiles.com/get/moveonboot.html
- Unlocker http://ccollomb.free.fr/unlocker/ is also good as it also has a few additional features to not only delete the files but stop any process that is stopping you from deleting a file.
Will be looking into this as well.

Quote
There's also the O20 line, but ixnnajpv.dll doesn't show in running processes.

O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)
Hmm, that's what VundoFix tried to delete twice but said it failed.
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 21, 2007, 01:24:07 AM
What about this file

D:\WINDOWS\system32\jkhhh.dll

Is it present on your computer?

I don't know anything about DSS, will have to wait for mauserme or someone who does.
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 21, 2007, 01:39:22 AM

Quote
Unless system restore points are created automatically, I do not have any since I recently reformatted. But will do.

SAS quarantined some from your System Restore. Yes, they are created automatically.


Quote
some tools for stubborn file removal.
- MoveOnBoot http://www.snapfiles.com/get/moveonboot.html
- Unlocker http://ccollomb.free.fr/unlocker/ is also good as it also has a few additional features to not only delete the files but stop any process that is stopping you from deleting a file.
Will be looking into this as well.

Hold off a bit on that.


Quote
There's also the O20 line, but ixnnajpv.dll doesn't show in running processes.

O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)
Hmm, that's what VundoFix tried to delete twice but said it failed.

We might be able to remove that one, but first let's see what combofix has to say.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on October 21, 2007, 06:43:09 AM
My symptoms have now come back, though the frequency of IE pop-ups has decreased dramatically.


Quote
What about this file

D:\WINDOWS\system32\jkhhh.dll

Is it present on your computer?
It was, and is no longer. The ComboFix might have deleted it since that's the only thing I've really done of late, see below.

Quote
Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you.

I ran it though I don't think it made it to completion. At one point in the window it did list a bunch of those randomly named files, then it restarted my PC after telling me it would, and after that continued running, but then the system restarted again with no warning from ComboFix and so I believe this second restart was some sort of failure....though I am not sure. Also it said it would restore my clock settings when done but they've not been restored. I have looked in the ComboFix folder that was created and see no log, the only text file I see contains

ComboFix 07-10-21.1** - Administrator 2007-10-20 21:58:06.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1011 [GMT -6:00]
Running from: D:\Documents and Settings\Administrator\Desktop\ComboFix.exe
 * Created a new restore point
.

I made sure to never click in the ComboFix window. But should I try to run it again?
Here is my Hijack This log anyways:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:37, on 2007-10-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\devldr32.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Comodo\Firewall\CPF.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
D:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\uTorrent\uTorrent.exe
D:\Program Files\Trend Micro\HijackThis\HijackThisAlex.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - D:\WINDOWS\system32\sivnbypf.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\sivnbypf.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MimBoot] D:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [hpfsched] D:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Reminder-hpc41001.lnk = D:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe
O4 - Global Startup: TELUS eCare.lnk = D:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)
O20 - Winlogon Notify: sivnbypf - D:\WINDOWS\SYSTEM32\sivnbypf.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 6845 bytes

As well I just want to attach a screenshot from Comodo's Traffic section in case any of you can see something suspicious there. MotiveSB is related to my ISP software, I believe. I'm just wondering what the System and svchost.exe are.
Title: Re: Er......this really sucks. Help, please?
Post by: mauserme on October 21, 2007, 06:56:40 AM
DSS would have given much the same information as ComboFix + HJT, had it run.

The ComboFix log should be c:\combofix.txt
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 21, 2007, 07:12:41 AM
I was going to get him to try again with a new copy, renamed. But if you think that the first one ran, then just wait for him to report back.

I was looking for backup copies of the files that I hoped would show up in combofix. Looking at what alex posted, it looked like the first part of the log and combofix didn't complete.

As I told alex, I don't know anything about DSS or why it didn't run and you'd probably know.

Stepping aside now
Title: Re: Er......this really sucks. Help, please?
Post by: mauserme on October 21, 2007, 07:20:37 AM
I was going to get him to try again with a new copy, renamed. But if you think that the first one ran, then just wait for him to report back.

I was looking for backup copies of the files that I hoped would show up in combofix. Looking at what alex posted, it looked like the first part of the log and combofix didn't complete.
If it didn't run, renaming it could very well work.  I was just saying he should look for the log in c:\ , not in the combofix folder.

Quote
As I told alex, I don't know anything about DSS or why it didn't run and you'd probably know.

Stepping aside now
But you and David are the main helpers in this thread - I just jumped in with an idea or two.  I'll be happy to give some input on the ComboFix log if it's wanted but otherwise I consider myself an observer  :)
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 21, 2007, 07:29:55 AM
@mauserme

Okay. Really appreciate the help. Reading my post again, it may have sounded like I was in a huff, believe me I was not. I thought perhaps you wanted to try DSS.

This started looking promising, until it seemed that combofix stalled/died. I was hoping to get to the .bak before it all started again.

I'll get alex to try again with a new renamed copy.

@alex

If you can't find the log in the location that mauserme posted, it may be in D:\ on your system, then try the following.

Delete the copy of combofix you have, download a new one. Before you run it, rename it.
Title: Re: Er......this really sucks. Help, please?
Post by: mauserme on October 21, 2007, 07:36:37 AM
Okay. Really appreciate the help. Reading my post again, it may have sounded like I was in a huff, believe I was not. I thought perhaps you wanted to try DSS.
No sweat.  I'm PM'ing you some info about DSS.
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 21, 2007, 10:39:10 AM
alex

I was looking at your SAS logs again. The first scan you did was a complete scan. It found a couple of downloaders,which may or may not be related.

The symptoms returning would be due to the backup copies being restored by vundo. The file names will probably be different.

SAS seems to be able to catch enough of it to make your system usable for a short period of time. But so did vundofix that DavidR had you run.

Since the popups are less, I think some of it may be gone. Combofix may have gotten some of it as there are a couple of O4 lines missing.

Perhaps another complete scan by SAS with the settings I gave you earlier before combofix. If you've already ran the renamed combofix that's fine. Or better yet if you found the combofix log. We just have to find the backup files.
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on October 22, 2007, 01:25:12 AM
Alright, this is what I've done since my last post:

Ran SAS again, see log as attached. It found 120 or so threats, all of which I quarantined.
Restarted with modem turned off. Found no obvious signs of infection, i.e. alerts were gone.
Ran HJT, found a couple of the Winlogon Notify entries with random file names, Fixed them.
Tried running the same copy of ComboFix.exe I had downloaded, which somehow initiated a 60-second system restart countdown so that ComboFix could not run to completion.
After the restart with modem turned off still, ran HJT again and got this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:00, on 2007-10-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Comodo\Firewall\cmdagent.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
D:\WINDOWS\system32\devldr32.exe
D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
D:\Program Files\Comodo\Firewall\CPF.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
D:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe
D:\Program Files\TELUS eCare\bin\mpbtn.exe
D:\Program Files\Trend Micro\HijackThis\HijackThisAlex.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MimBoot] D:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [hpfsched] D:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Reminder-hpc41001.lnk = D:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe
O4 - Global Startup: TELUS eCare.lnk = D:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 6468 bytes

Turned modem back on and saw no alerts from Comodo about IE trying to make a connection as I previously did.
Still no symptoms of infection.
Downloaded a new copy of ComboFix from the other link that was posted and renamed it, will be running it next, or trying to. The partial ComboFix log that I posted before from my first run is in D:\ComboFix\ComboFix.txt. It's the only text document in that folder and there is nothing of the sort in just D:\.

Also I'm female, but minor detail. No worries.  ;D
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 22, 2007, 01:51:56 AM

Turned modem back on and saw no alerts from Comodo about IE trying to make a connection as I previously did.

I think that was from something that was removed earlier. Possibly one of the downloaders.



Downloaded a new copy of ComboFix from the other link that was posted and renamed it, will be running it next, or trying to.

Usually when combofix has a problem it won't work again. Also the new vundo is really giving the traditional tools a workout. The renaming may work like it used to with hjt.

 
Ran HJT, found a couple of the Winlogon Notify entries with random file names, Fixed them.

Were these the lines

O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)
O20 - Winlogon Notify: sivnbypf - D:\WINDOWS\SYSTEM32\sivnbypf.dll

I meant to ask you, I don't know if anyone did, is windows set to show all files?

If not

Open the Folder Options in the Control Panel.  On the View tab make sure Show Hidden Files and Folders is checked and Hide Protected Operating System Files is not checked.  Click OK.


Also I'm female, but minor detail. No worries.  ;D

I apologize, must remember not to ass u me.  ;D
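As an added example for this thread (not code from HijackThis, ComboFix or any helper here), a small Python script that triages a pasted HJT log for exactly the pattern oldman is pointing at: a BHO with no name, a Winlogon Notify entry with a random-looking name or a missing file, and one DLL that appears both as a BHO/toolbar and as a Winlogon Notify hook. The sample lines are copied from the logs posted above; the "eight lowercase letters" name heuristic and the section cross-check are assumptions of this example, and a hit means "show the helper", not "fix it".

```python
"""Triage a pasted HijackThis log for the Vundo-style pattern discussed in
this thread. Heuristic only: a hit means "show the helper", not "fix it".
Added example, not code from HijackThis or any of the helpers."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the two HJT logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - D:\WINDOWS\system32\sivnbypf.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\sivnbypf.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)
O20 - Winlogon Notify: sivnbypf - D:\WINDOWS\SYSTEM32\sivnbypf.dll
"""

# "<section> - <type>: <name> - [{CLSID} - ]<target>"; only O2/O3/O20 matter here.
LINE_RE = re.compile(
    r"^(O2|O3|O20) - (?:BHO|Toolbar|Winlogon Notify): (.*?) - (?:\{[0-9A-Fa-f-]+\} - )?(.*)$"
)
# Assumption: eight lowercase letters is the random-name style seen in this
# thread (ixnnajpv, sivnbypf). Legitimate hooks like !SASWinLogon do not match.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


def parse_entries(log_text):
    """Return one dict per O2/O3/O20 line: section, name, target path, missing flag."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, name, target = m.groups()
        missing = target.endswith("(file missing)")
        target = target.replace("(file missing)", "").strip()
        entries.append({"section": section, "name": name, "target": target,
                        "missing": missing, "raw": line})
    return entries


def dll_basename(path):
    """Lower-cased file name, so system32 and SYSTEM32 spellings compare equal."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(log_text):
    """Return (reason, detail) pairs worth showing a helper; [] for a clean log."""
    entries = parse_entries(log_text)
    findings = []
    sections_by_dll = defaultdict(set)
    for e in entries:
        sections_by_dll[dll_basename(e["target"])].add(e["section"])
        if e["section"] == "O2" and e["name"] == "(no name)":
            findings.append(("unnamed BHO", e["raw"]))
        if e["section"] == "O20":
            if e["missing"]:
                findings.append(("Winlogon Notify to missing file", e["raw"]))
            if RANDOM_NAME_RE.match(e["name"]):
                findings.append(("Winlogon Notify with random-looking name", e["raw"]))
    # A legitimate toolbar (yt.dll) sits in both O2 and O3; what stands out is a
    # DLL that is *also* hooked into Winlogon, the foothold Vundo used to persist.
    for dll, sections in sorted(sections_by_dll.items()):
        if "O20" in sections and len(sections) > 1:
            findings.append(("Winlogon Notify DLL also loaded as BHO/toolbar",
                             f"{dll}: {', '.join(sorted(sections))}"))
    return findings


if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_LOG):
        print(f"[{reason}] {detail}")
```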
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 22, 2007, 02:14:03 AM
Tried running the same copy of ComboFix.exe I had downloaded, which somehow initiated a 60-second system restart countdown so that ComboFix could not run to completion.


I don't know if this was the result of trying to run a corrupted copy of combofix or something else at work here. Will have to check that out.
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 22, 2007, 05:39:54 AM
I did some checking and asking on this countdown. The opinion is it may be malware.

How are you making out with the renamed scan? I'm still concerned about there being hidden backup files.

If you still are having difficulties running combofix (countdown box appearing)

Do the following

Run a renamed ComboFix again .  If you get the countdown, quickly click the Start Button, then click Run.  Type "shutdown -a" without the quotes in the empty field and click OK.  This will sometimes abort (-a) the pending shutdown.

If we can't get a combofix log, I've requested mauserme to step in with a more sophisticated scanner.

An online scan at Kaspersky (http://www.kaspersky.com/virusscanner) may also help. Just report back what is found. Kaspersky doesn't offer any fixes, which in my opinion is good.

Your last hjt log looks like vundo is gone, but I've noticed a pattern. It seems to be a spread of a few hours before a new file is spawned and detected. Hence my concerns about hidden backups.

The SAS detections were mostly the DSS files.

edited to add: rename comboFix.exe to comboalex.exe and try running it from the renamed executable

If you are having problems let me know.
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on October 23, 2007, 07:42:05 AM
Quote
Were these the lines

O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)
O20 - Winlogon Notify: sivnbypf - D:\WINDOWS\SYSTEM32\sivnbypf.dll
I believe so, I can't recall though.

Quote
is windows set to show all files?
It is now. Therefore, regarding what I said before:
Quote from: alex1234
The D:\Program Files\BH0\ie-improver.dll file I cannot upload to VirusTotal since I cannot find a BHO directory in D:\Program Files\ in the upload browser.
I have looked in the BHO directory and no such file is there any more.


Quote
An online scan at Kaspersky may also help. Just report back what is found.
Ran it on Critical Areas, it found 2 things. See attachment. Sorry about the formatting, had to copy and paste it from html. If it's hard to read I can upload the html file somewhere and link to it.
Ran it on Memory, it was clean.
I'm currently running it on my hard drives as well, but that will take a long while. So far it has found one virus on my other drive (C), I'm thinking it's probably unrelated to this.

Quote
It seems to be a spread of a few hours before a new file is spawned and detected.
Yep, though so far I have been symptom-free for about 30 hours and counting.

Quote
edited to add: rename comboFix.exe to comboalex.exe and try running it from the renamed executable
Okay, will do. I have not tried running it yet since I had some work going on the side and didn't want to deal with trying to restart my PC till it was done.

Thanks for the info and ongoing help, I will be updating with results.
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 23, 2007, 11:21:34 AM
Quote
Were these the lines

O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)
O20 - Winlogon Notify: sivnbypf - D:\WINDOWS\SYSTEM32\sivnbypf.dll
I believe so, I can't recall though.

That's why it's important you don't delete/fix anything until requested. We have to be able to see what you are seeing.  ;)  :)  8)

Do you remember if sivnbypf.dll had file missing behind it? i.e. both O20 lines had (file missing)

Quote
is windows set to show all files?
It is now. Therefore, regarding what I said before:
Quote from: alex1234
The D:\Program Files\BH0\ie-improver.dll file I cannot upload to VirusTotal since I cannot find a BHO directory in D:\Program Files\ in the upload browser.
I have looked in the BHO directory and no such file is there any more.

Sorry, I should have twigged on your settings before.  :-[  That's the one I thought might have been zlob. I'd have to go back over all the SAS logs, but either SAS or combofix got it.


I'm currently running it on my hard drives as well, but that will take a long while. So far it has found one virus on my other drive (C), I'm thinking it's probably unrelated to this.

Let us know what turns up. It may be related.

Quote
It seems to be a spread of a few hours before a new file is spawned and detected.
Yep, though so far I have been symptom-free for about 30 hours and counting.

Except for the countdown when you attempt to run combofix and the fact that DSS failed to run. This still concerns me.

Quote
I made 5 attempts at running DSS but each time I get a "....has encountered a problem and needs to close" error.

Do you recall if it was DSS that had the problem or something else? Was a reboot involved?



Quote
edited to add: rename comboFix.exe to comboalex.exe and try running it from the renamed executable
Okay, will do. I have not tried running it yet since I had some work going on the side and didn't want to deal with trying to restart my PC till it was done.

Don't forget about the abort shutdown command if the countdown starts again.

Thanks for the info and ongoing help, I will be updating with results.

No problem. Will be waiting for your combofix log.

I'd like you to upload these two files to www.virustotal.com

D:\WINDOWS\system32\lfonpnnv.dll    D:\WINDOWS\system32\lugaadol.dll

Just use copy and paste if you want. Please post the results. I know what kaspersky called them, but would like to see what others call them.

Let me know if you have any problems. If you can't get the renamed combofix to run we'll try something else.
Title: Re: Er......this really sucks. Help, please?
Post by: mauserme on October 23, 2007, 01:53:54 PM
ComboFix is updated almost daily and it's been several days since you downloaded the copy you have.  Please delete that one and get a fresh copy from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe).  Then rename it as Oldman suggested and post the log (if it runs).

Please also give us a fresh HJTAlex log.  I don't know about Oldman but I've really lost track of the state of your computer at this point.


If you can't get the new, renamed copy of ComboFix to run let's look at a WinPFind log instead.

Download WinPFind3u.exe (http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe)  to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
This log will be quite long.  You can either use multiple posts or attach the log file if it's easier.  In either case make sure the last line is < End of Report >.
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 23, 2007, 06:37:15 PM
Hi mauserme

Thanks for dropping in.


Please also give us a fresh HJTAlex log.  I don't know about Oldman but I've really lost track of the state of your computer at this point.

I'm not certain. It's been awhile since the last hjt log. I thought I had asked for one, but I can see I didn't.  ::)

But, there's still this

Except for the countdown when you attempt to run combofix and the fact that DSS failed to run. This still concerns me.

Quote
I made 5 attempts at running DSS but each time I get a "....has encountered a problem and needs to close" error.



so can't honestly say.

Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 24, 2007, 02:40:01 AM
Maybe this is a better comment on my uncertainty about this system's health.

Besides the problem of the two scanners not running, I'm looking at this.

Since the countdown timer has shown up, three scans were done. SAS, hjt and kaspersky online, in that order. SAS picked up some more vundo detections and hjt showed what seems a clean log. A day later, an online scan shows two files kaspersky classifies as adware. SAS also classifies some vundo as adware. Since there is no naming standard, I asked for the files to be submitted to see what other names came up.

This brings us back to the question of hidden backups. Are these files replacements?

Until we see the hjtalex log, results of the files in question, and at the very least a comboalex log, I'd say the jury is still out.

edited to add

In regard to the last sentence, hjt log and submitted files results and comboalex (if it runs) if not WinPFind3u log.

alex after you submit the files to virustotal move them to the chest

1. In the Virus Chest, switch to user file category.
2. In main menu, select File -> Add.
3. Browse the folders and select the file you want to add.
4. Choose Open

then delete them from their original location and out of the recycle bin. Don't worry, the chest is a safe place for the files. They can't run or be accessed from outside the chest.
Title: Re: Er......this really sucks. Help, please?
Post by: mauserme on October 24, 2007, 06:11:08 AM
I agree that this is not clean yet - at least not according to what she's posted in this thread.  But Alex is working on her own too and maybe an updated SAS or other program has solved this for her.

In any event the ball is in her court at the moment ...
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on October 25, 2007, 08:17:43 AM
Ok, will have to split my responses to the last few posts in multiple posts.

Quote
That's why it's important you don't delete/fix anything until requested. We have to be able to see what you are seeing.
Sorry, the last time I had entries like that I was told to fix them, so I did this time as well.

Quote
Do you remember if sivnbypf.dll had file missing behind it? i.e. both O20 lines had (file missing)
Nope...

Quote
Do you recall if it was DSS that had the problem or something else? Was a reboot involved?
No reboot was involved. It was one of the dialog boxes that popped up....er, I get them for other programs as well, they usually say "X program has encountered an error and needs to close. Sorry for the inconvenience."

Quote
I'd like you to upload these two files to www.virustotal.com

D:\WINDOWS\system32\lfonpnnv.dll    D:\WINDOWS\system32\lugaadol.dll

File lfonpnnv.dll received on 10.25.2007 07:56:00 (CET)
Result: 15/32 (46.88%)
Antivirus     Version     Last Update     Result
AhnLab-V3   2007.10.25.0   2007.10.25   -
AntiVir   7.6.0.27   2007.10.24   ADSPY/SecToolBar.H.3
Authentium   4.93.8   2007.10.24   -
Avast   4.7.1074.0   2007.10.25   -
AVG   7.5.0.488   2007.10.24   Adware Generic2.UCQ
BitDefender   7.2   2007.10.25   -
CAT-QuickHeal   9.00   2007.10.23   AdWare.SecToolBar.h (Not a Virus)
ClamAV   0.91.2   2007.10.25   -
DrWeb   4.44.0.09170   2007.10.24   Trojan.Hammer
eSafe   7.0.15.0   2007.10.22   -
eTrust-Vet   31.2.5239   2007.10.25   -
Ewido   4.0   2007.10.24   -
FileAdvisor   1   2007.10.25   -
Fortinet   3.11.0.0   2007.10.19   -
F-Prot   4.3.2.48   2007.10.24   -
F-Secure   6.70.13030.0   2007.10.25   -
Ikarus   T3.1.1.12   2007.10.25   not-a-virus:AdWare.Win32.SecToolBar.h
Kaspersky   7.0.0.125   2007.10.25   not-a-virus:AdWare.Win32.SecToolBar.h
McAfee   5148   2007.10.24   -
Microsoft   1.2908   2007.10.25   -
NOD32v2   2614   2007.10.24   a variant of Win32/Adware.SecToolbar
Norman   5.80.02   2007.10.24   W32/SecToolBar.D
Panda   9.0.0.4   2007.10.25   Spyware/Virtumonde
Prevx1   V2   2007.10.25   Malware.Gen
Rising   19.46.30.00   2007.10.25   -
Sophos   4.22.0   2007.10.25   Mal/Behav-010
Sunbelt   2.2.907.0   2007.10.24   -
Symantec   10   2007.10.25   Trojan.Vundo
TheHacker   6.2.9.107   2007.10.25   Adware/SecToolBar.h
VBA32   3.12.2.4   2007.10.24   AdWare.Win32.SecToolBar.h
VirusBuster   4.3.26:9   2007.10.24   -
Webwasher-Gateway   6.6.1   2007.10.25   Ad-Spyware.SecToolBar.H.3
Additional information
File size: 340032 bytes
MD5: 66e98b5eee8448d55c22d8d2e7eadbdf
SHA1: ae0f0f1856da8757779c463284b18793124bdbce
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=90A1A0204041EFA930240535385171006B19A939


File lugaadol.dll received on 10.25.2007 08:08:41 (CET)
Result: 15/32 (46.88%)
Antivirus     Version     Last Update     Result
AhnLab-V3   2007.10.25.0   2007.10.25   -
AntiVir   7.6.0.27   2007.10.25   ADSPY/SecToolBar.H.2
Authentium   4.93.8   2007.10.24   -
Avast   4.7.1074.0   2007.10.25   -
AVG   7.5.0.488   2007.10.24   Adware Generic2.UCQ
BitDefender   7.2   2007.10.25   -
CAT-QuickHeal   9.00   2007.10.23   AdWare.SecToolBar.h (Not a Virus)
ClamAV   0.91.2   2007.10.25   -
DrWeb   4.44.0.09170   2007.10.24   Trojan.Hammer
eSafe   7.0.15.0   2007.10.22   -
eTrust-Vet   31.2.5239   2007.10.25   -
Ewido   4.0   2007.10.24   -
FileAdvisor   1   2007.10.25   -
Fortinet   3.11.0.0   2007.10.19   -
F-Prot   4.3.2.48   2007.10.24   -
F-Secure   6.70.13030.0   2007.10.25   -
Ikarus   T3.1.1.12   2007.10.25   not-a-virus:AdWare.Win32.SecToolBar.h
Kaspersky   7.0.0.125   2007.10.25   not-a-virus:AdWare.Win32.SecToolBar.h
McAfee   5148   2007.10.24   -
Microsoft   1.2908   2007.10.25   -
NOD32v2   2614   2007.10.24   a variant of Win32/Adware.SecToolbar
Norman   5.80.02   2007.10.24   W32/SecToolBar.C
Panda   9.0.0.4   2007.10.25   Spyware/Virtumonde
Prevx1   V2   2007.10.25   Malware.Gen
Rising   19.46.30.00   2007.10.25   -
Sophos   4.22.0   2007.10.25   Mal/Behav-010
Sunbelt   2.2.907.0   2007.10.24   -
Symantec   10   2007.10.25   Trojan.Vundo
TheHacker   6.2.9.107   2007.10.25   Adware/SecToolBar.h
VBA32   3.12.2.4   2007.10.24   AdWare.Win32.SecToolBar.h
VirusBuster   4.3.26:9   2007.10.24   -
Webwasher-Gateway   6.6.1   2007.10.25   Ad-Spyware.SecToolBar.H.2
Additional information
File size: 340032 bytes
MD5: 2066d9a6e38a877b1b30bf6457045b19
SHA1: d2186bfe4acca39fad034b5862fdfe78f0cdf8bf
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=90A1A02040A91C95309B053538517100485DFC2E

Quote
alex after you submit the files to virustotal move them to the chest

1. In the Virus Chest, switch to user file category.
2. In main menu, select File → Add.
3. Browse the folders and select the file you want to add.
4. Choose Open.

then delete them from their original location and out of the recycle bin. Don't worry, the chest is a safe place for the files. They can't run or be accessed from outside the chest.
Will do. Want me to send them to avast too?

Quote
Quote from: alex1234 on October 23, 2007, 05:42:05 AM
I'm currently running it on my hard drives as well, but that will take a long while. So far it has found one virus on my other drive (C), I'm thinking it's probably unrelated to this.

Let us know what turns up. It may be related.
I've uploaded the log as html so it's easier to read:
http://www.sarah-brightman-online.com/frosty/kaspersky_harddrives_oct23-07.html
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on October 25, 2007, 08:39:55 AM
Also got a notice from avast a couple hours ago about a Trojan again (only an alert from avast though, no symptoms of infection have come up yet).
Here's the full log from avast:

2007-10-15 18:45   Administrator   1456   Sign of "Win32:MoSucker-044 [trj]" has been found in "D:\Documents and Settings\Administrator\Local Settings\Temp\lsass.exe" file. 
2007-10-17 13:12   SYSTEM   1456   Sign of "Win32:Agent-LAP [trj]" has been found in "D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gobcqdyi.exe" file. 
2007-10-18 13:11   Administrator   1448   Sign of "Win32:Tiny-IF [trj]" has been found in "D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ycraeyuj.exe" file. 
2007-10-18 13:17   Administrator   1448   Sign of "Win32:Tiny-IF [trj]" has been found in "D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ndqsgwqc.exe" file. 
2007-10-19 13:20   SYSTEM   1464   Sign of "Win32:Tiny-IF [trj]" has been found in "D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\jmlxafhw.exe" file. 
2007-10-20 18:50   SYSTEM   1424   Sign of "Win32:Tiny-IF [trj]" has been found in "D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mruwycel.exe" file. 
2007-10-21 02:19   SYSTEM   1588   Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142. 
2007-10-21 02:19   SYSTEM   1588   An error has occured while attempting to update. Please check the logs. 
2007-10-21 14:14   SYSTEM   1588   Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142. 
2007-10-21 14:14   SYSTEM   1588   An error has occured while attempting to update. Please check the logs. 
2007-10-24 18:33   SYSTEM   1396   Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004. 
2007-10-24 18:36   SYSTEM   1396   An error has occured while attempting to update. Please check the logs. 
2007-10-24 23:24   SYSTEM   1396   Sign of "Win32:MoSucker-044 [trj]" has been found in "D:\Documents and Settings\Administrator\Local Settings\Temp\lsass.exe" file.

Ok, trying to be methodical about this. This is the HJTAlex log I just ran, BEFORE attempting to run a new, renamed and updated copy of ComboFix. I tried to download a fresh copy of HJT too but the site seems to be down where I linked to in post #2 to get the program.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:28, on 2007-10-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Comodo\Firewall\cmdagent.exe
D:\WINDOWS\system32\devldr32.exe
D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe
D:\Program Files\MSN Messenger\usnsvc.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Comodo\Firewall\cpf.exe
D:\Program Files\D-Tools\daemon.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\WINDOWS\system32\WISPTIS.EXE
D:\WINDOWS\system32\ctray.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Trend Micro\HijackThis\HijackThisAlex.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MimBoot] D:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [hpfsched] D:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Microsoft task tray monitor] ctray.exe
O4 - HKLM\..\RunServices: [Microsoft task tray monitor] ctray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Reminder-hpc41001.lnk = D:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe
O4 - Global Startup: TELUS eCare.lnk = D:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe

--
End of file - 6610 bytes

And now, off to run renamed ComboFix...
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on October 25, 2007, 09:20:23 AM
Okay, I renamed it as Combo25.exe. It was running, but then after the restart, it said that it was preparing the log file and not to open any programs until it was done. A couple minutes later, my cursor froze, which is a good indication that my PC had frozen, but I waited about 5 more minutes anyways and it was still frozen. I didn't really think it'd take that long to create a text file, so I rebooted and this is the new ComboFix log that I have in its entirety, whether it is complete or not is your guys' call but it still looks incomplete to me:

ComboFix 07-10-23.1 - Administrator 2007-10-25  0:44:58.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1084 [GMT -6:00]
Running from: D:\Documents and Settings\Administrator\Desktop\Combo25.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
D:\WINDOWS\system32\sivnbypf.dllbox

.
(((((((((((((((((((((((((   Files Created from 2007-09-25 to 2007-10-25  )))))))))))))))))))))))))))))))
.

Hopefully I hadn't interrupted it while it was still going but I'm fairly certain it was stalled since my PC stalls quite a bit and I can recognize the signs.

This is the HJTAlex log AFTER I did this second run of ComboFix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:17, on 2007-10-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\devldr32.exe
D:\WINDOWS\system32\ctray.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
D:\Program Files\Comodo\Firewall\CPF.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\MSN Messenger\usnsvc.exe
D:\Program Files\Trend Micro\HijackThis\HijackThisAlex.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Microsoft task tray monitor] ctray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MimBoot] D:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [hpfsched] D:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\RunServices: [Microsoft task tray monitor] ctray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Reminder-hpc41001.lnk = D:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe
O4 - Global Startup: TELUS eCare.lnk = D:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe

--
End of file - 6434 bytes

Now if it seems to you guys that ComboFix still hasn't run to completion then I shall run WinPFind3u.exe tomorrow, thanks. I'm also completely willing to try running ComboFix again if advised to. Could there be something wrong with my hardware that's causing it to not run completely?
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 25, 2007, 12:00:38 PM
Hi alex

The combofix log is incomplete, but the description you gave may indicate it did in fact complete the scan. Unfortunately the log ends just when it is getting to the important part. But it does show one file it removed that your last SAS log showed as quarantined. (I don't recognize the extension though.) I think this confirms my belief about backups that we haven't been able to get to.

I think we have to move past combofix for now. Go ahead and run WinPFind3u.exe. Follow mauserme's instructions. I'm going to hand him the wheel and let him drive for a while. (the windows cleaner on the passenger side.  ;D )

I'll try to address the rest of your post. (excuse my thinking out loud)  :-X

Quote
Will do. Want me to send them to avast too?

Yes, mail them to avast as they didn't detect them during the online scan. Open the chest, right click on the files, select mail to alwil software. Give a brief description and maybe a link to this topic. No need to zip when sending from the chest. Make sure the dot is beside "mapi".

Quote
Quote
Quote from: alex1234 on October 23, 2007, 05:42:05 AM
I'm currently running it on my hard drives as well, but that will take a long while. So far it has found one virus on my other drive (C), I'm thinking it's probably unrelated to this.

Let us know what turns up. It may be related.
I've uploaded the log as html so it's easier to read:
http://www.sarah-brightman-online.com/frosty/kaspersky

re: c drive- a toolbar in nero and a nero update that came in a 7zip file

Looking at the d:\ detections, it looks like your first run of combofix did remove some vundo, but none with the .bak extension. However, I do see a jkhhh.dll that was in a 7zip folder in the combofix quarantine. I'm tempted to say that vundo came via the nero update. (maybe a phoney update)

**What say you mauserme? I'll note that SAS quit detecting jkhhh after the first combofix run, but then it started detecting another random-letter file. The majority of the detections were in the combofix and vundofix quarantine.

Quote
Also got a notice from avast a couple hours ago about a Trojan again (only an alert from avast though, no symptoms of infection have come up yet).
Here's the full log from avast:

Did you move it to the chest?

I can see detections going back to the 15th oct. and a lot from the 17th to the 20th.

I also see that avast stopped updating on the 21st. I don't know if it's one of these critters or your firewall. Does Comodo allow avast.setup internet access?

Quote
hijackthis logs

Did you add an Internet Explorer plugin?

O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll



Quote
Could there be something wrong with my hardware that's causing it to not run completely?

I honestly can't say. You mention a lot of freezes, maybe just bad timing.

Are you still experiencing the countdown timer?
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 25, 2007, 12:43:31 PM
alex

this should not be running in your temp files

2007-10-24 23:24   SYSTEM   1396   Sign of "Win32:MoSucker-044 [trj]" has been found in "D:\Documents and Settings\Administrator\Local Settings\Temp\lsass.exe" file

Please clear the temp files

See images below...are these what you see?

You said you recently formatted and reinstalled windows, can you recall the date?

When you reinstalled, what level were the disks you used at? i.e. xp no service packs, sp1 or sp2

If you weren't at sp2 how did you get there, online, disks ?

When did these freezes, programs stopping start to happen?
Title: Re: Er......this really sucks. Help, please?
Post by: mauserme on October 25, 2007, 02:23:35 PM
Quote from: oldman
I think we have to move past combofix for now. Go ahead and run WinPFind3u.exe.
Agreed.

But first open HJTAlex and click Open the Misc. Tools Section, then click Open Uninstall Manager.  Now click Save List and post the list here.


After posting the uninstall list run WinPFind.  I'll include the directions again below to make it easier for you to find (and with a little correction):


Download WinPFind3u.exe (http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe)  to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
This log will be quite long.  You can either use multiple posts or attach the log file if it's easier.  In either case make sure the last line is < End of Report >.



Quote
Looking at the d:\ detections, it looks like your first run of combofix did remove some vundo, but none with the .bak extension. However, I do see a jkhhh.dll that was in a 7zip folder in the combofix quarantine. I'm tempted to say that vundo came via the nero update. (maybe a phoney update)

**What say you mauserme? I'll note that SAS quit detecting jkhhh after the first combofix run, but then it started detecting another random-letter file. The majority of the detections were in the combofix and vundofix quarantine.
I think we still have Vundo plus the junk it's downloading, but if the Nero update was done from the Nero web site it's probably OK.  Keep in mind too that malware backups may not always have a .bak extension.  Often they are .sys or .dll, sometimes other things.  They don't necessarily follow our naming conventions.
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 25, 2007, 03:04:15 PM
Agreed, I think vundo is still hiding somewhere.

Having looked at the kaspersky log again, I think the nero update is alright, probably just the toolbar. The quarantined file (D:\qoobox\Quarantine\catchme2007-10-20_221051.07.zip/jkhhh.dll), in the smaller print I didn't see the . between the 7 and zip.

 :-X
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on October 26, 2007, 05:18:18 AM
Quote from: mauserme
But first open HJTAlex and click Open the Misc. Tools Section, then click Open Uninstall Manager.  Now click Save List and post the list here.
Attached.

Quote from: oldman
Please clear the temp files
Done, except a few things would not clear because I got an alert saying they're being used by a program. Please see jpg attachment.

Quote from: oldman
See images below...are these what you see?
What I saw, yes, although for the first one there, I am not sure if that bit about lsass.exe was there.

Quote from: oldman
You said you recently formatted and reinstalled windows, can you recall the date?
Yes, it was the day before I installed avast and got the first Trojan alert, so Oct. 14 was the day.

Quote from: oldman
When you reinstalled, what level were the disks you used at? i.e. xp no service packs, sp1 or sp2
sp2.

Quote from: oldman
When did these freezes, programs stopping start to happen?
Months ago, it was mostly games doing the freezing and it was more or less fixed after I opened up the case and cleaned the dust off my fans.  ;D But then I started having problems with booting XP, and then (as now) my system freezes while the OS loads.

Quote from: oldman
Did you move it to the chest?
Yes, just got another one in fact and moved it to the chest as well. To be honest, I think your Nero theory is coming close to the truth because when the alert came yesterday it was right after I ran a Nero keygen (yes, I know...may all my toenails fall off...) and today I ran it again and when I closed it, up pops an alert from avast. And considering what's in the jpg attachment, ie. one of the files that couldn't be cleared out of Local Settings/Temp ... enough said. But the upgrade exe itself came from the Nero site.

Quote from: oldman
I also see that avast stopped updating on the 21st. I don't know if it's one of these critters or your firewall. Does Comodo allow avast.setup internet access?
The firewall, I believe that was when I started booting up with my modem turned off.

Quote from: oldman
Did you add an Internet Explorer plugin?

O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
I don't actively remember this but then I might have added it to view some website, not sure to be honest.

Quote from: oldman
Are you still experiencing the countdown timer?
No, I only got that once when I first tried to run ComboFix.

Edit: The WinPFind3 log is attached too, thanks.
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 26, 2007, 06:54:15 AM
Thanks for the info alex. I was trying to establish a timeline, mostly for myself.

As for the countdown, I was trying to find some clues, just in case I encounter it again or find a situation where it might happen; could they at least include the abort command in the pre-scan instructions. Maybe mauserme can comment on it.

Is avast updated now?

Quote from: alex1234
To be honest, I think your Nero theory is coming close to the truth because when the alert came yesterday it was right after I ran a Nero keygen (yes, I know...may all my toenails fall off...) and today I ran it again and when I closed it, up pops an alert from avast. And considering what's in the jpg attachment, ie. one of the files that couldn't be cleared out of Local Settings/Temp ... enough said. But the upgrade exe itself came from the Nero site.

No, I think I'm off base with that. I missed the dot and read it as 7zip. The nero detections by kav online are probably just the toolbar. The file in temp may have been still in use by something you hadn't closed yet.

edit to add bold
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 26, 2007, 11:04:06 PM
Hi alex

While mauserme is checking over the WinPFind log, I've got couple of more questions.

When you reinstalled, did you do a format and full reinstall or just a repair install of windows?

I'm asking because there are a few folder dates prior to the install date.

Did you restore some folders/programs from a backup source after your reinstall?

Also, could you check which version of UTORRENT you are using.

When mauserme checks in we should know more.

Hang in there.  ;D
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 27, 2007, 02:35:24 AM

Hi alex

A bit of homework for you. We need some files checked at virustotal

D:\Program Files\uTorrent\uTorrent.exe

D:\windows\imsins.BAK

D:\program files\Frostwire.exe


I'm just guessing frostwire.exe is in the program files, it could be located elsewhere. (the info I have is a possible 500 paths) Please do a search and record each instance. You can submit each to virustotal, I can't really see there being more than 1 though.

Thanks
Title: Re: Er......this really sucks. Help, please?
Post by: mauserme on October 27, 2007, 05:14:46 PM
I've been through the WinPFind log several times and I'm not seeing anything I can identify as malware.  The log is long since you reinstalled the OS so it's possible I'm missing something, but after 3 times through I don't think I've missed anything.

I do have several observations that lead to some questions:

In your initial post you say you reformatted the D: drive and the WinPFind log confirms that the OS was reinstalled on 14 October.  Yet I also see files with modified dates prior to 14 October.  Are you sure you reformatted, or did you do a repair install instead?


Also in your initial post you included a screen shot that shows a Windows Security Center warning icon and a red line through the avast! icon.  Do these still appear this way?  If so what is the Windows warning and what part(s) of avast! are not functioning?


I'm beginning to think the re-infection is coming from somewhere other than your D: drive.  Have you been downloading via uTorrent or Frostwire while we're trying to clean this?  I see uTorrent as a running process in 2 of your HJT logs so I suppose you must have been, but I don't like to make assumptions.

And did you install uTorrent?  While I saw it running I do not see it in the uninstall list.


What type of network are you in?  If wireless is it password protected?


Please post the answers to oldman's and my questions, then see if you can run ComboFix from the C: partition.
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on October 28, 2007, 09:20:36 PM
Hello all,
I did a reformat of my D drive but restored some important files that I had previously backed up onto my C drive because I didn't want to lose them. Yes, avast is now updated.
I have uTorrent 1.7.5 build 4602.

Quote from: mauserme
Also in your initial post you included a screen shot thats shows a Windows Security Center warning icon and a red line through the avast! icon.  Do these still appear this way?  If so what is the Windows warning and what part(s) of avast! are not functioning?
No, the avast icon now alternates between spinning and staying still, no red line through it. I don't know why it had the red line through it before, I'm guessing when that happens it means it's disabled but I don't recall disabling it at the time. I don't think there's anything not functioning. As for the Windows Security Center thing, I assume you meant the yellow shield icon in the picture. No it is not appearing any longer, I think it had something to do with security updates that it wanted me to download since I had just freshly installed XP.

Quote from: mauserme
Have you been downloading via uTorrent or Frostwire while we're trying to clean this?
uTorrent yes, Frostwire no. Yes I had to reinstall both of them after reformatting.

Quote from: mauserme
What type of network are you in?  If wireless is it password protected?
I have ADSL home internet, not wireless. Is that what you mean?

Quote from: mauserme
see if you can run ComboFix from the C: partition.
Just to clarify, you want me to save ComboFix to my C partition and run it just like that?
Because I also have a second copy of XP on C which means I can also boot up my computer with that copy, assuming it wants to that is.

Ran a search, only found one Frostwire.exe in D:\Program Files\Frostwire\

VirusTotal results:

File uTorrent.exe received on 10.28.2007 20:42:38 (CET)
Result: 1/30 (3.34%)
Antivirus   Version   Last Update   Result
AhnLab-V3   2007.10.27.0   2007.10.26   -
AntiVir   7.6.0.30   2007.10.26   -
Authentium   4.93.8   2007.10.28   -
Avast   4.7.1074.0   2007.10.28   -
AVG   7.5.0.503   2007.10.28   -
BitDefender   7.2   2007.10.28   -
CAT-QuickHeal   9.00   2007.10.26   -
ClamAV   0.91.2   2007.10.28   -
DrWeb   4.44.0.09170   2007.10.28   -
eSafe   7.0.15.0   2007.10.28   suspicious Trojan/Worm
eTrust-Vet   31.2.5244   2007.10.26   -
Ewido   4.0   2007.10.28   -
FileAdvisor   1   2007.10.28   -
Fortinet   3.11.0.0   2007.10.19   -
F-Prot   4.3.2.48   2007.10.26   -
F-Secure   6.70.13030.0   2007.10.28   -
Kaspersky   7.0.0.125   2007.10.28   -
McAfee   5150   2007.10.26   -
Microsoft   1.2908   2007.10.28   -
NOD32v2   2621   2007.10.28   -
Norman   5.80.02   2007.10.26   -
Prevx1   V2   2007.10.28   -
Rising   19.46.61.00   2007.10.28   -
Sophos   4.23.0   2007.10.28   -
Sunbelt   2.2.907.0   2007.10.27   -
Symantec   10   2007.10.28   -
TheHacker   6.2.9.110   2007.10.27   -
VBA32   3.12.2.4   2007.10.28   -
VirusBuster   4.3.26:9   2007.10.28   -
Webwasher-Gateway   6.6.1   2007.10.28   -
Additional information
File size: 219952 bytes
MD5: 8df7f16f3da69893cef9f74dddb767fd
SHA1: 24ccb90f3fbddbd5a45e8b336266267f77950ce8
packers: UPX_LZMA

File imsins.BAK received on 10.28.2007 21:04:23 (CET)
Result: 0/32 (0%)
Antivirus   Version   Last Update   Result
AhnLab-V3   2007.10.27.0   2007.10.26   -
AntiVir   7.6.0.30   2007.10.26   -
Authentium   4.93.8   2007.10.28   -
Avast   4.7.1074.0   2007.10.28   -
AVG   7.5.0.503   2007.10.28   -
BitDefender   7.2   2007.10.28   -
CAT-QuickHeal   9.00   2007.10.26   -
ClamAV   0.91.2   2007.10.28   -
DrWeb   4.44.0.09170   2007.10.28   -
eSafe   7.0.15.0   2007.10.28   -
eTrust-Vet   31.2.5244   2007.10.26   -
Ewido   4.0   2007.10.28   -
FileAdvisor   1   2007.10.28   -
Fortinet   3.11.0.0   2007.10.19   -
F-Prot   4.3.2.48   2007.10.26   -
F-Secure   6.70.13030.0   2007.10.28   -
Ikarus   T3.1.1.12   2007.10.28   -
Kaspersky   7.0.0.125   2007.10.28   -
McAfee   5150   2007.10.26   -
Microsoft   1.2908   2007.10.28   -
NOD32v2   2621   2007.10.28   -
Norman   5.80.02   2007.10.26   -
Panda   9.0.0.4   2007.10.28   -
Prevx1   V2   2007.10.28   -
Rising   19.46.61.00   2007.10.28   -
Sophos   4.23.0   2007.10.28   -
Sunbelt   2.2.907.0   2007.10.27   -
Symantec   10   2007.10.28   -
TheHacker   6.2.9.110   2007.10.27   -
VBA32   3.12.2.4   2007.10.28   -
VirusBuster   4.3.26:9   2007.10.28   -
Webwasher-Gateway   6.6.1   2007.10.28   -
Additional information
File size: 1393 bytes
MD5: 50953e631c4527786e20e8d3042374e0
SHA1: 3f745b261a476751a4b726df25d89b412c43f029

File FrostWire.exe received on 10.28.2007 21:16:46 (CET)
Result: 0/32 (0%)
Antivirus   Version   Last Update   Result
AhnLab-V3   2007.10.27.0   2007.10.26   -
AntiVir   7.6.0.30   2007.10.26   -
Authentium   4.93.8   2007.10.28   -
Avast   4.7.1074.0   2007.10.28   -
AVG   7.5.0.503   2007.10.28   -
BitDefender   7.2   2007.10.28   -
CAT-QuickHeal   9.00   2007.10.26   -
ClamAV   0.91.2   2007.10.28   -
DrWeb   4.44.0.09170   2007.10.28   -
eSafe   7.0.15.0   2007.10.28   -
eTrust-Vet   31.2.5244   2007.10.26   -
Ewido   4.0   2007.10.28   -
FileAdvisor   1   2007.10.28   -
Fortinet   3.11.0.0   2007.10.19   -
F-Prot   4.3.2.48   2007.10.26   -
F-Secure   6.70.13030.0   2007.10.28   -
Ikarus   T3.1.1.12   2007.10.28   -
Kaspersky   7.0.0.125   2007.10.28   -
McAfee   5150   2007.10.26   -
Microsoft   1.2908   2007.10.28   -
NOD32v2   2621   2007.10.28   -
Norman   5.80.02   2007.10.26   -
Panda   9.0.0.4   2007.10.28   -
Prevx1   V2   2007.10.28   -
Rising   19.46.61.00   2007.10.28   -
Sophos   4.23.0   2007.10.28   -
Sunbelt   2.2.907.0   2007.10.27   -
Symantec   10   2007.10.28   -
TheHacker   6.2.9.110   2007.10.27   -
VBA32   3.12.2.4   2007.10.28   -
VirusBuster   4.3.26:9   2007.10.28   -
Webwasher-Gateway   6.6.1   2007.10.28   -
Additional information
File size: 114688 bytes
MD5: 4939d0506630168e691c7d389435a773
SHA1: 07b98d813387de30dfe82a1033fa7c851d3cfdec
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on October 28, 2007, 09:41:03 PM
Also, about what I said earlier:
Quote
I think your Nero theory is coming close to the truth because when the alert came yesterday it was right after I ran a Nero keygen (yes, I know...may all my toenails fall off...) and today I ran it again and when I closed it, up pops an alert from avast.
Maybe it's just a coincidence that two notices from avast about a Trojan came up just as I finished running the keygen but I uploaded the file to VirusTotal just now and came out with this, is it significant?

File keygen.exe received on 10.28.2007 21:27:35 (CET)
Result: 3/32 (9.38%)
Antivirus   Version   Last Update   Result
AhnLab-V3   2007.10.27.0   2007.10.26   -
AntiVir   7.6.0.30   2007.10.26   -
Authentium   4.93.8   2007.10.28   -
Avast   4.7.1074.0   2007.10.28   -
AVG   7.5.0.503   2007.10.28   -
BitDefender   7.2   2007.10.28   -
CAT-QuickHeal   9.00   2007.10.26   -
ClamAV   0.91.2   2007.10.28   -
DrWeb   4.44.0.09170   2007.10.28   -
eSafe   7.0.15.0   2007.10.28   -
eTrust-Vet   31.2.5244   2007.10.26   -
Ewido   4.0   2007.10.28   -
FileAdvisor   1   2007.10.28   -
Fortinet   3.11.0.0   2007.10.19   -
F-Prot   4.3.2.48   2007.10.26   -
F-Secure   6.70.13030.0   2007.10.28   -
Ikarus   T3.1.1.12   2007.10.28   Backdoor.Win32.Bifrose.aci
Kaspersky   7.0.0.125   2007.10.28   -
McAfee   5150   2007.10.26   -
Microsoft   1.2908   2007.10.28   -
NOD32v2   2621   2007.10.28   -
Norman   5.80.02   2007.10.26   W32/Ardamax.DED
Panda   9.0.0.4   2007.10.28   -
Prevx1   V2   2007.10.28   -
Rising   19.46.61.00   2007.10.28   -
Sophos   4.23.0   2007.10.28   -
Sunbelt   2.2.907.0   2007.10.27   -
Symantec   10   2007.10.28   -
TheHacker   6.2.9.110   2007.10.27   -
VBA32   3.12.2.4   2007.10.28   Backdoor.Win32.Bifrose.aci
VirusBuster   4.3.26:9   2007.10.28   -
Webwasher-Gateway   6.6.1   2007.10.28   -
Additional information
File size: 328400 bytes
MD5: eb2aea484fdd151885994ebcb4fdb59f
SHA1: ff0d4a62291f902d1f691a98d6f82752f6667096
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 28, 2007, 11:21:22 PM
Hi alex, I tried to post earlier when you were on, but was having problems with the forum, really slow

re:avast
I don't think there's anything not functioning.

If you hover the mouse over the "a" icon, it will tell you how many providers running.


Quote from: mauserme
What type of network are you in?  If wireless is it password protected?
I have ADSL home internet, not wireless. Is that what you mean?

Yes, that was the question. Do you have more than one computer connected via a router?

Quote from: mauserme
see if you can run ComboFix from the C: partition.
Just to clarify, you want me to save ComboFix to my C partition and run it just like that?
I believe that's what he wants, but you should wait for him to confirm.


Ran a search, only found one Frostwire.exe in D:\Program Files\Frostwire\

Do you have a version number?

Maybe it's just a coincidence that two notices from avast about a Trojan came up just as I finished running the keygen but I uploaded the file to VirusTotal just now and came out with this, is it significant?

According to the virustotal scan, avast isn't detecting anything in the keygen file you uploaded. Please check the avast log-warning.

Sometimes the path is too long to see completely even by expanding the columns. If that's the case...

right click the "a" icon, click log viewer, warning tab
click edit, filter
in the "time range" section set a range just prior to and after the detection
click select defined, ok
click the export icon
type a name and save as all files(*.*)

This will give you the file avast is detecting, please submit that one.

I'm going to do some more checking on those files.

You can also scan your c:\ with SAS, I should have mentioned this earlier.  :-[

Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on October 29, 2007, 04:24:59 AM
I have Frostwire 4.13.2.
There are 6 out of 7 providers running in avast. If I am reading it right it might be Outlook/Exchange that isn't running since all others show up under the Pause Provider option.
No, there is only this computer.

Quote
This will give you the file avast is detecting, please submit that one.
Both times that the alert came up after running the keygen, it was D:\Documents and Settings\Administrator\Local Settings\Temp\lsass.exe
but earlier I was asked to empty out my Temp folder so it is no longer there, nor is it in my Recycle Bin, so I cannot upload it to VirusTotal.

I ran SAS (complete scan) with only my C drive checked, it seemed to also want to check D as well. At any rate, it found 6 tracking cookies...but in D....the log is attached. *shrugs*
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 29, 2007, 05:05:26 AM
There are 6 out of 7 providers running in avast. If I am reading it right it might be Outlook/Exchange that isn't running since all others show up under the Pause Provider option.

Avast seems to be functioning fine.


Both times that the alert came up after running the keygen, it was D:\Documents and Settings\Administrator\Local Settings\Temp\lsass.exe

If you moved it to the chest, you can submit that one. You will have to extract it to a temp folder to submit. In the chest right click the file and extract. You can delete the temp folder after.

As for the SAS scan, c:\ must be very clean, or something is well hidden. I haven't heard from mauserme, but I'm sure he wants you to d/l combofix to C:\ and run it from there.

As for the keygen submission not many detected it so it could just be the behavior of a keygen.


This will make accessing the chest easier.

right click on your desktop, select new, shortcut, paste the following line in the box

"D:\Program Files\Alwil Software\Avast4\ASHCHEST.EXE"

or use the browse.

Title: Re: Er......this really sucks. Help, please?
Post by: mauserme on October 29, 2007, 01:09:02 PM
Sorry - I've been under the weather this weekend.

In regard to ComboFix, please download a new copy to C: and run it from here.

But I have to tell you the P2P is risky enough and keygens almost guarantee infection.  I'm not being judgemental about it - just saying the reality is we could spend weeks cleaning this only to find it's back the next time you use a keygen.  If you're going to keep doing this, reformatting every so often might be the most efficient solution.
Title: Re: Er......this really sucks. Help, please?
Post by: DavidR on October 29, 2007, 03:35:07 PM
But I have to tell you the P2P is risky enough and keygens almost guarantee infection.  I'm not being judgemental about it - just saying the reality is we could spend weeks cleaning this only to find it's back the next time you use a keygen.  If you're going to keep doing this, reformatting every so often might be the most efficient solution.

I couldn't agree more, keygens and cracks are high risk exercises (who are you going to complain to if something bad happens), without getting into the potential moral and legal arguments.

If I were you I would invest in some pro-active measures. If you have a back-up and recovery plan, you can recover from anything in minutes, not hours or days as in this case.

1. back-up all the things that you don't want to lose, data files, like documents, spreadsheets, emails, email account details, registration keys, address book, favourites/bookmarks, downloaded files/programs, etc. the list goes on and on but if you don't want to lose it back it up. There are many back-up programs that can simplify this task and run it every day.

2. Recovery - re-installing your system really is a poor choice and one of last resort. There are tools (Drive Imaging software) that take exact images of your Partitions or Hard Disks and these images can be restored in minutes if you suffer a major catastrophe and that doesn't have to be a virus attack.

I do a weekly image of my partitions and save them to my 2nd hard disk, they can also be saved to off-line storage, DVD, USB external hard disk, etc. as part of my weekly system maintenance.

So if the worst comes to the worst at most I lose:
A. 6 days worth of program updates or new installations, but with my daily back-up I can recover most of that.
B. less than one days data files, emails, etc.
None of these is a problem and much quicker than a system reinstall and I don't have to go on-line to download the myriad of security updates needed to secure my system where there is a chance to get reinfected whilst my system has vulnerabilities because of these missing patches. Not to mention all my system tweaks and program settings are retained and I will have saved myself many hours of work and a huge amount of stress.

Many of these programs cost, there are some free ones, but it will take some research on your part to find these tools and decide on what is best for you from reviews, user feed back, etc. good luck.
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on October 30, 2007, 08:43:50 PM
Quote from: oldman
If you moved it to the chest, you can submit that one. You will have to extract it to a temp folder to submit. In the chest right click the file and extract.
I submitted the most recent version of lsass.exe and it came out with 13/32 or about 40%.

ComboFix was run from C:\ and this time it was complete for sure, log is attached. It didn't require a restart this time.

Thanks for the advice, DavidR. I don't use my system to store anything earth-shatteringly important so I am willing to let a lot of it go if I have to so I am not averse to wiping it clean, however it is true that it was annoying that I had to reinstall everything and get XP updated again. So I will certainly do some hunting around and be a bit more careful about what I do.

Also, there is a program in the Windows\system32 directory called msnmgr.exe that keeps on wanting to make connections that I now deny. At first I thought it was MSN Messenger (now Windows Live Messenger) but the executable that is in the MSN Program Files is called msnmsgr.exe, not msnmgr.exe. Moreover, msnmgr.exe wants to make connections even without MSN Messenger running. Is this another security risk? I did a Google on this file and some sites seem to call it a Trojan, others suggest it's part of the MSN Messenger program. Thanks.
Title: Re: Er......this really sucks. Help, please?
Post by: DavidR on October 30, 2007, 09:15:01 PM
You're welcome.

I would advise you also upload this windows\system32\msnmgr.exe to virustotal and report the findings here. If multiple detections, also send a sample to avast.
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 30, 2007, 09:17:24 PM
Hi

Submit the file, msnmgr.exe, to virustotal. I got some hits on that name. If positive, add it to the users section of the chest and see below. Post the result, it would be good to know what it was detected as.

edit: just a bit more to what DavidR posted

edit2

Can you also look for this file?

D:\WINDOWS\system32\cmbvuyuo.dll

Just check the files and add to the users section.
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on October 31, 2007, 01:35:36 AM
alex

Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe)  by OldTimer.  Save it to your desktop

Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

D:\WINDOWS\system32\msnmgr.exe   
D:\WINDOWS\system32\cmbvuyuo.dll




Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply  
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes


Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your desktop.

Do not run it yet. See end of this post.

To run SDFix

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install.  The SDFix Folder will be extracted to %systemdrive% \ (Drive that contains the Windows directory - typically 'C:\SDFix') Open the SDFix folder in Safe Mode then double click the RunThis.bat file to start the fixtool.  Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.  Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.  When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum.


From the C: partition please do the following, run in the following order

Fresh ComboFix log
Fresh HJAlex log
SDFix log (if it runs)



Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on November 01, 2007, 09:09:29 PM
Another suspicious thing about the msnmgr.exe file is that the icon for it is the same as the one for the Nero keygen. It looks basically like a maroon-coloured letter 'e' inside a maroon-coloured rounded rectangular border.

File msnmgr.exe received on 11.01.2007 20:41:04 (CET)
Result: 13/32 (40.63%)
Antivirus   Version   Last Update   Result
AhnLab-V3   2007.11.2.0   2007.11.01   -
AntiVir   7.6.0.30   2007.11.01   HEUR/Crypted
Authentium   4.93.8   2007.11.01   -
Avast   4.7.1074.0   2007.11.01   -
AVG   7.5.0.503   2007.11.01   BackDoor.RBot
BitDefender   7.2   2007.11.01   DeepScan:Generic.Sdbot.2E946E80
CAT-QuickHeal   9.00   2007.11.01   Win32.Backdoor.Rbot.bmr
ClamAV   0.91.2   2007.11.01   PUA.Packed.Themida
DrWeb   4.44.0.09170   2007.11.01   -
eSafe   7.0.15.0   2007.10.28   -
eTrust-Vet   31.2.5259   2007.11.01   -
Ewido   4.0   2007.11.01   -
FileAdvisor   1   2007.11.01   -
Fortinet   3.11.0.0   2007.10.19   -
F-Prot   4.3.2.48   2007.11.01   -
F-Secure   6.70.13030.0   2007.11.01   Backdoor.Win32.Rbot.esb
Ikarus   T3.1.1.12   2007.11.01   Backdoor.Win32.Rbot.esb
Kaspersky   7.0.0.125   2007.11.01   Backdoor.Win32.Rbot.esb
McAfee   5154   2007.11.01   -
Microsoft   1.2908   2007.11.01   -
NOD32v2   2632   2007.11.01   -
Norman   5.80.02   2007.11.01   W32/Spybot.CJCM
Panda   9.0.0.4   2007.11.01   -
Prevx1   V2   2007.11.01   Heuristic: Suspicious Self Modifying EXE
Rising   20.16.31.00   2007.11.01   -
Sophos   4.23.0   2007.11.01   -
Sunbelt   2.2.907.0   2007.10.31   VIPRE.Suspicious
Symantec   10   2007.11.01   W32.Spybot.Worm
TheHacker   6.2.9.110   2007.10.27   -
VBA32   3.12.2.4   2007.10.31   -
VirusBuster   4.3.26:9   2007.11.01   -
Webwasher-Gateway   6.6.1   2007.11.01   Heuristic.Crypted
Additional information
File size: 616541 bytes
MD5: 33f56658331dcee83f0591d90ec9f08a
SHA1: 7435923c1611eb9b0f0596b4517af4f3fad528c8
packers: Themida
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=8AF4E2395DFA3C39689309F0A598E600DC1104DB
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

As for the cmbvuyuo.dll file, it is no longer in D:\WINDOWS\system32\ but I found it in D:\qoobox\Quarantine\D\WINDOWS\system32 where it was renamed to cmbvuyuo.dll.vir
Now this file cmbvuyuo.dll.vir is the one I uploaded to VirusTotal and this is what I got:

File cmbvuyuo.dll.vir received on 11.01.2007 20:58:38 (CET)
Result: 21/32 (65.63%)
Antivirus   Version   Last Update   Result
AhnLab-V3   2007.11.2.0   2007.11.01   -
AntiVir   7.6.0.30   2007.11.01   TR/Dldr.ConHook.Gen
Authentium   4.93.8   2007.11.01   -
Avast   4.7.1074.0   2007.11.01   Win32:Vundo-gen57
AVG   7.5.0.503   2007.11.01   Lop
BitDefender   7.2   2007.11.01   Trojan.Vundo.DNR
CAT-QuickHeal   9.00   2007.11.01   -
ClamAV   0.91.2   2007.11.01   -
DrWeb   4.44.0.09170   2007.11.01   Trojan.Click.4739
eSafe   7.0.15.0   2007.10.28   Suspicious File
eTrust-Vet   31.2.5259   2007.11.01   Win32/Nisrest.C
Ewido   4.0   2007.11.01   -
FileAdvisor   1   2007.11.01   -
Fortinet   3.11.0.0   2007.10.19   -
F-Prot   4.3.2.48   2007.11.01   -
F-Secure   6.70.13030.0   2007.11.01   Vundo.gen41
Ikarus   T3.1.1.12   2007.11.01   Trojan.Vundo.DNR
Kaspersky   7.0.0.125   2007.11.01   not-a-virus:AdWare.Win32.Virtumonde.ady
McAfee   5154   2007.11.01   Vundo
Microsoft   1.2908   2007.11.01   Trojan:Win32/Vundo
NOD32v2   2632   2007.11.01   Win32/Adware.Virtumonde
Norman   5.80.02   2007.11.01   Vundo.gen41
Panda   9.0.0.4   2007.11.01   Spyware/Virtumonde
Prevx1   V2   2007.11.01   -
Rising   20.16.31.00   2007.11.01   -
Sophos   4.23.0   2007.11.01   Troj/Virtum-Gen
Sunbelt   2.2.907.0   2007.10.31   Virtumonde
Symantec   10   2007.11.01   Trojan Horse
TheHacker   6.2.9.110   2007.10.27   Adware/Virtumonde.ady
VBA32   3.12.2.4   2007.10.31   AdWare.Win32.Virtumonde.ady
VirusBuster   4.3.26:9   2007.11.01   -
Webwasher-Gateway   6.6.1   2007.11.01   Trojan.Dldr.ConHook.Gen


So in this light, with regards to oldman's instructions for me, do I just run OTMoveIt on D:\WINDOWS\system32\msnmgr.exe? Or on both, but change the file path to point to where the cmbvuyuo.dll now is in quarantine?

Also, to clarify, should I run OTMoveIt before doing this:

Quote from: oldman
From the C: partition please do the following, run in the following order

Fresh ComboFix log
Fresh HJAlex log
SDFix log (if it runs)

and do I still run OTMoveIt from the D partition or do I do it from C?

And I have sent both the msnmgr.exe and cmbvuyuo.dll.vir files to avast.

I'll wait for replies before proceeding. Thanks.
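On the question asked earlier in the thread of whether a VirusTotal result is "significant": the 13/32 on msnmgr.exe carries more weight than the bare count suggests because every engine that names a family names the same one (Rbot, Sdbot and Spybot labels), while the remaining hits are heuristic or packer-only verdicts. The script below is an added example written for this page, not code from the thread or from VirusTotal. It parses the four-column text layout pasted above and separates family consensus from generic verdicts. The FAMILY_ALIASES table (which treats Rbot/SDBot/Spybot as one lineage and Vundo/Virtumonde/ConHook as another) and the GENERIC_MARKERS list are assumptions sized to the names that appear in the reports above; the sample rows are copied from the msnmgr.exe report.

```python
"""Summarise a VirusTotal text report in the layout pasted above.

Added example, not part of the thread. FAMILY_ALIASES and GENERIC_MARKERS
are assumptions sized to the names that appear in the reports above.
"""
import re
from collections import Counter

# Constructed sample: a subset of rows copied from the msnmgr.exe report above.
SAMPLE_VT = """\
AhnLab-V3   2007.11.2.0   2007.11.01   -
AntiVir   7.6.0.30   2007.11.01   HEUR/Crypted
AVG   7.5.0.503   2007.11.01   BackDoor.RBot
BitDefender   7.2   2007.11.01   DeepScan:Generic.Sdbot.2E946E80
CAT-QuickHeal   9.00   2007.11.01   Win32.Backdoor.Rbot.bmr
ClamAV   0.91.2   2007.11.01   PUA.Packed.Themida
Kaspersky   7.0.0.125   2007.11.01   Backdoor.Win32.Rbot.esb
Norman   5.80.02   2007.11.01   W32/Spybot.CJCM
Prevx1   V2   2007.11.01   Heuristic: Suspicious Self Modifying EXE
Sunbelt   2.2.907.0   2007.10.31   VIPRE.Suspicious
Symantec   10   2007.11.01   W32.Spybot.Worm
Avast   4.7.1074.0   2007.11.01   -
"""

# One row: engine, engine version, signature date, verdict (verdict may contain spaces).
ROW_RE = re.compile(r"^(\S+)\s{2,}(\S+)\s{2,}(\d{4}\.\d{2}\.\d{2})\s{2,}(.+)$")

# Assumed alias table: vendor names that refer to the same family.
FAMILY_ALIASES = {
    "rbot": "Rbot/SDBot", "sdbot": "Rbot/SDBot", "spybot": "Rbot/SDBot",
    "vundo": "Vundo/Virtumonde", "virtumonde": "Vundo/Virtumonde",
    "conhook": "Vundo/Virtumonde",
    "bifrose": "Bifrose", "ardamax": "Ardamax",
}
# Assumed markers of heuristic / packer-only verdicts that name no family.
GENERIC_MARKERS = ("heur", "suspicious", "crypted", "packed", "generic", "trojan horse")


def classify(result):
    """Map one engine's verdict to a family name, 'generic', or None for '-'."""
    if result.strip() == "-":
        return None
    low = result.lower()
    for alias, family in FAMILY_ALIASES.items():   # family names win over generic words
        if alias in low:
            return family
    if any(marker in low for marker in GENERIC_MARKERS):
        return "generic"
    return "unmapped:" + result.strip()


def summarize(report):
    """Count engines, detections and family consensus in a VT text report."""
    engines = detections = 0
    families = Counter()
    for line in report.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        engines += 1
        verdict = classify(m.group(4))
        if verdict is None:
            continue
        detections += 1
        families[verdict] += 1
    # Consensus: the most common named family, ignoring generic and unmapped hits.
    named = Counter({f: n for f, n in families.items()
                     if f != "generic" and not f.startswith("unmapped:")})
    consensus = named.most_common(1)[0] if named else (None, 0)
    return {"engines": engines, "detections": detections,
            "families": families, "consensus": consensus}


if __name__ == "__main__":
    s = summarize(SAMPLE_VT)
    print(f"{s['detections']}/{s['engines']} engines; consensus {s['consensus']}")
```

For the sample above this reports 10 of 12 engines detecting, with six agreeing on Rbot/SDBot and four generic verdicts. Run the same function over the keygen report earlier in the thread and the picture is different: three hits, one of them a keylogger name, with no engine agreeing on what the file is, which is why the helpers asked for the file avast actually flagged rather than relying on that scan.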
Title: Re: Er......this really sucks. Help, please?
Post by: mauserme on November 01, 2007, 10:29:58 PM
Quote
So in this light, with regards to oldman's instructions for me, do I just run OTMoveIt on  D:\WINDOWS\system32\msnmgr.exe? Or on both, but change the file path to point to where the cmbvuyuo.dll now is in quarantine?
Run Combofix from the C: drive using the 2 paths oldman originally posted. 

The cmbvuyuo.dll you're finding is in the ComboFix quarantine - it's quite safe to leave it there.  Using the paths oldman posted will kill it again if it's come back, or just report it as missing if that's the case.


Quote
Also, to clarify, should I run OTMoveIt before doing this ...
Yes - run OTMoveIt first to kill the file(s).  Then the 3 scans.


Quote
do I still run OTMoveIt from the D partition or do I do it from C?
From the C: side.

Let's figure on running everything from C: from this point forward unless otherwise specified.
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on November 02, 2007, 01:29:09 AM
Can you check this again, it may have been reset.

Open the Folder Options in the Control Panel.  On the View tab make sure Show Hidden Files and Folders is checked and Hide Protected Operating System Files is not checked.  Click OK

Thanks
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on November 02, 2007, 11:12:45 PM
Quote
So in this light, with regards to oldman's instructions for me, do I just run OTMoveIt on  D:\WINDOWS\system32\msnmgr.exe? Or on both, but change the file path to point to where the cmbvuyuo.dll now is in quarantine?
Run Combofix from the C: drive using the 2 paths oldman originally posted. 



I believe that is a typo, it should be "Run OTMoveIt from the C: drive using the 2 paths oldman originally posted."
Title: Re: Er......this really sucks. Help, please?
Post by: mauserme on November 03, 2007, 12:23:25 AM
I believe that is a typo, it should be "Run OTMoveIt from the C: drive using the 2 paths oldman originally posted."
Yes, exactly so - run OTMoveIt from the C: drive to kill the 2 files oldman mentioned that are located on the D: drive.

Sorry about that.

Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on November 03, 2007, 01:03:11 AM
Quote from: oldman
Open the Folder Options in the Control Panel.  On the View tab make sure Show Hidden Files and Folders is checked and Hide Protected Operating System Files is not checked.  Click OK
Done and it is correct.

Results of OTMoveIt:
D:\WINDOWS\system32\msnmgr.exe moved successfully.
File/Folder D:\WINDOWS\system32\cmbvuyuo.dll not found.

Created on 11/02/2007 16:13:43

ComboFix log attached.

HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:31:21 PM, on 02/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\system32\devldr32.exe
D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\msnmgr.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\MSN Messenger\usnsvc.exe
D:\Program Files\Comodo\Firewall\cpf.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\explorer.exe
C:\HiJackThisAlexC.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MimBoot] D:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [hpfsched] D:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Messenger Service] msnmgr.exe
O4 - HKLM\..\RunServices: [Microsoft Messenger Service] msnmgr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TELUS eCare.lnk = D:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 6777 bytes

I could not get my PC to boot up in safemode and it wasn't for lack of trying, so I could not run SDFix as was specified. Can I run it in normal mode?
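As an added example (not code from the thread, from HijackThis or from any of the posters), here is a small Python parser for the O4 autorun lines in a log like the one above. It pulls out the location, value name, full command and the executable, then applies two review heuristics of my own: an executable given as a bare file name with no directory (so Windows resolves it through the PATH search order) and an entry under the Windows 9x-era RunServices key. The sample log lines are constructed to mirror the log above; the flags mean "look at this one first", not "this is malware".

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in HijackThis O4 format, modelled on the log above: one
# registry autorun with a bare file name, three ordinary entries and a Global
# Startup shortcut. The O23 line shows that non-O4 lines are skipped.
SAMPLE_LOG = r"""
O4 - HKLM\..\RunServices: [Microsoft Messenger Service] msnmgr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: TELUS eCare.lnk = D:\Program Files\TELUS eCare\bin\matcli.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Registry autoruns: "O4 - <hive>\..\<key>: [<value name>] <command>"
REG_ENTRY = re.compile(r"^O4 - (?P<loc>.+?\\\.\.\\[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Startup-folder shortcuts: "O4 - Global Startup: <name>.lnk = <target>"
STARTUP_ENTRY = re.compile(r"^O4 - (?P<loc>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# HijackThis appends "(User '...')" for per-user hives it lists under HKUS
USER_SUFFIX = re.compile(r"\s*\(User '(?P<user>[^']*)'\)$")
# Image path: either the quoted first token or everything up to the first
# executable-looking extension (unquoted paths with spaces are common in logs)
IMAGE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.*?\.(?:exe|dll|scr|com|bat|cmd|pif)))(?=\s|$)',
                   re.IGNORECASE)


@dataclass
class AutorunEntry:
    location: str      # e.g. r"HKLM\..\RunServices" or "Global Startup"
    name: str          # registry value name or shortcut name
    command: str       # command line as logged, without the (User ...) suffix
    executable: str    # image path extracted from the command
    user: str = ""     # user annotation, when present
    reasons: List[str] = field(default_factory=list)   # review heuristics that fired


def extract_image(command: str) -> str:
    """Return the program path from an autorun command line."""
    m = IMAGE.match(command.strip())
    if m:
        return m.group("q") or m.group("u")
    parts = command.split()
    return parts[0] if parts else command


def parse_o4_entries(log_text: str) -> List[AutorunEntry]:
    """Parse every O4 line of a HijackThis log into AutorunEntry objects."""
    entries: List[AutorunEntry] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = REG_ENTRY.match(line) or STARTUP_ENTRY.match(line)
        if not m:
            continue
        cmd, user = m.group("cmd"), ""
        um = USER_SUFFIX.search(cmd)
        if um:
            user, cmd = um.group("user"), cmd[:um.start()]
        entries.append(AutorunEntry(m.group("loc"), m.group("name"), cmd, extract_image(cmd), user))
    return entries


def review(entries: List[AutorunEntry]) -> List[AutorunEntry]:
    """Attach review reasons (heuristics, not verdicts) and return the flagged entries."""
    flagged = []
    for e in entries:
        if "\\" not in e.executable and not re.match(r"^[A-Za-z]:", e.executable):
            e.reasons.append("bare file name: resolved through the PATH search order, "
                             "so check which copy on disk actually runs")
        if e.location.lower().endswith(("runservices", "runservicesonce")):
            e.reasons.append("RunServices is a Windows 9x-era key; current software rarely writes to it")
        if e.reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in review(parse_o4_entries(SAMPLE_LOG)):
        print(f"{e.location} [{e.name}] -> {e.executable}")
        for r in e.reasons:
            print("   ", r)
```

Run stand-alone it prints only the RunServices entry with both reasons; the CTFMON, MsnMsgr and TELUS entries carry full paths under Windows or Program Files and stay quiet. Extending the heuristics (for example, comparing the value name against the directory the image lives in) is straightforward because every entry is already split into fields.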
Title: Re: Er......this really sucks. Help, please?
Post by: DavidR on November 03, 2007, 01:35:00 AM
The malware may have deleted the SafeBoot registry keys.
Here are some options to restore them:

http://didierstevens.wordpress.com/2006/06/26/restoring-safeboot/ (http://didierstevens.wordpress.com/2006/06/26/restoring-safeboot/)
http://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/ (http://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/)
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on November 03, 2007, 01:44:17 AM
Quote
could not get my PC to boot up in safemode and it wasn't for lack of trying, so I could not run SDFix as was specified. Can I run it in normal mode?


The program was designed for safe mode.

Did you get errors? System lock-up? etc.


edit: Good thought DavidR

alex are you using a usb keyboard?
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on November 03, 2007, 02:54:09 AM
Nope, I do not have a USB-anything hooked up.

This is related to my (separate?) problem of not being able to boot up XP; it extends to not being able to boot in Safe Mode, or Last Good Configuration, etc.

This is the most succinct description I have found so far:
Quote
Symptoms: 1. When booting in normal mode my windows XP system hangs after displaying the XP logo and progress bar. A black screen appears and then..
             or  2. When booting windows XP in safe mode the last driver that shows loaded is mup.sys. Then...
             or  3. Instead of XP freezing at mup.sys windows reboots itself repeatedly just after that driver loads.
from the site http://www.aitechsolutions.net/mupdotsysXPhang.html

Though in Symptom 1, my system can hang anywhere during the display of the XP logo and progress bar, and during loading of the desktop.

Again, I don't think this is related to this particular malware since this has been going on for months and months and was essentially the reason why I reformatted in the first place. And that didn't fix it for long, of course, though it was better for a time. That's why I've since thought it must be a hardware issue.

Incidentally, for professional curiosity's sake, it is much improved ever since my D: drive got marked with a dirty Chkdsk bit so that Chkdsk will often start after the XP logo disappears, and if I cancel it then XP will load successfully 1 time out of 5, whereas without this happening, XP loads successfully 1 time out of 50.

So in the first link that DavidR just posted, I don't think it'll help me in this case because I do not have any restore points prior to this particular malware, in fact the oldest one I have is Oct. 30, 2007. As for the second link, maybe I can try it but in all honesty I believe this problem separate. As well, the explanation on the link kinda went way over my head after a couple reads and I hesitate to apply fixes that I don't understand though I suppose it couldn't hurt.
Title: Re: Er......this really sucks. Help, please?
Post by: DavidR on November 03, 2007, 03:04:18 AM
Now that you have described what happens when you try to get into safe mode, it doesn't sound like malware blocking the safe boot as that normally doesn't allow you any progression to the logo.
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on November 03, 2007, 06:25:09 AM
I'm still looking for a resolution for not being able to boot to safe mode. I think something is still there and am hoping that the scan in safe mode will reveal it.
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on November 03, 2007, 09:36:04 AM
alex do you get a blue screen with an error code on it during a failed startup, or does your computer just attempt to restart?

If the latter, turn off the auto restart

1. Go to Start -> Control Panel -> System (Windows key+Pause works, too)
2. Go to Advanced
3. Under the Startup and Recovery section, click Settings...
4. Under System Failure un-check "Automatically restart"

Now a failed boot will give a BSOD with an error code. Write it down (everything), post it, and we may be able to determine your startup problems. You will have to manually restart your computer with the power button.
Title: Re: Er......this really sucks. Help, please?
Post by: mauserme on November 03, 2007, 03:26:36 PM
This is related to my (separate?) problem of not being able to boot up XP; it extends to not being able to boot in Safe Mode, or Last Good Configuration, etc.

This is the most succinct description I have found so far:
Quote
Symptoms: 1. When booting in normal mode my windows XP system hangs after displaying the XP logo and progress bar. A black screen appears and then..
             or  2. When booting windows XP in safe mode the last driver that shows loaded is mup.sys. Then...
             or  3. Instead of XP freezing at mup.sys windows reboots itself repeatedly just after that driver loads.
from the site http://www.aitechsolutions.net/mupdotsysXPhang.html

Though in Symptom 1, my system can hang anywhere during the display of the XP logo and progress bar, and during loading of the desktop.

...

Incidentally, for professional curiosity's sake, it is much improved ever since my D: drive got marked with a dirty Chkdsk bit so that Chkdsk will often start after the XP logo disappears, and if I cancel it then XP will load successfully 1 time out of 5, whereas without this happening, XP loads successfully 1 time out of 50.

See if running chkdsk in the recovery console helps.  It may take a long time and appear to hang so be patient.  I've done this successfully to clear the dirty bit and allow normal boots to either mode.
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on November 04, 2007, 12:41:43 AM
Hi alex

A bit more cleaning for you to do. Any progress on safe mode, or an error code?

WARNING these fixes are designed for this user only and may cause damage if run on an uninfected machine

First we must back up the entire registry. To do this

REGISTRY BACKUP

Go START > RUN and type in REGEDIT then press your enter key.
When Regedit is open ensure that 'my computer' is highlighted in the left pane.
Go to FILE and select EXPORT.
Check the 'all' button at the bottom of the screen to backup the entire registry.
You will need to select a location to save the exported registry (it will be saved as a single file) I would suggest the Desktop
Choose the FILE NAME as Oldreg
In the drop down box called SAVE AS TYPE select registration files (*.reg).
Then click SAVE
This will create a file on your desktop called Oldreg.reg  (http://img127.imageshack.us/img127/433/regtg8.jpg)

REGISTRY FIX
Quote
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Messenger Service"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft Messenger Service"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]

Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box to a notepad file.  Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop (http://img127.imageshack.us/img127/433/regtg8.jpg)

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

After a reboot, could you run combofix and hjalex again and post the logs? We want to see if the keys are recreated.

Title: Re: Er......this really sucks. Help, please?
Post by: Lisandro on November 04, 2007, 01:38:56 PM
REGISTRY BACKUP

Go START > RUN and type in REGEDIT then press your enter key.
When Regedit is open ensure that 'my computer' is highlighted in the left pane.
Go to FILE and select EXPORT.
Check the 'all' button at the bottom of the screen to backup the entire registry.
You will need to select a location to save the exported registry (it will be saved as a single file) I would suggest the Desktop
Choose the FILE NAME as Oldreg
In the drop down box called SAVE AS TYPE select registration files (*.reg).
Then click SAVE
This will create a file on your desktop called Oldreg.reg  (http://img127.imageshack.us/img127/433/regtg8.jpg)
This does not allow recovering. Just test. You won't be able to restore the registry file because Windows will block a lot of 'in-use' keys.
ERUNT is a good and fully working tool for XP\Vista registry backup and restore.
http://www.larshederer.homepage.t-online.de/erunt/
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on November 04, 2007, 06:07:34 PM
Thanks Tech, I was just about to post the link for ERUNT.

@alex

When doing the reg fix, use the program in Tech's post to backup your registry. Use either that link or this one.

http://www.snapfiles.com/get/erunt.html

Here's something that may help the safe boot situation.

Download & run this tool > SafeBootKeyRepair-CF http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe
It shall only take a short moment for it to finish running. A log shall be produced at C:\SafeBoot_Repair.txt. Please post that in your next reply and let us know if you can access Safe Mode now?
Title: Re: Er......this really sucks. Help, please?
Post by: essexboy on November 04, 2007, 06:10:22 PM
Agree with erunt but I keep forgetting to use it  :o
Title: Re: Er......this really sucks. Help, please?
Post by: Lisandro on November 04, 2007, 06:37:45 PM
Agree with erunt but I keep forgetting to use it  :o
I set it as an automated task to run at startup (delayed).
It makes a backup every first boot of the day.

<path>\AUTOBACK.EXE <path>\#Date# /noconfirmdelete /noprogresswindow
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on November 05, 2007, 04:06:44 AM
Quote
Download & run this tool > SafeBootKeyRepair-CF http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe
It shall only take a short moment for it to finish running. A log shall be produced at C:\SafeBoot_Repair.txt.
Attached.

Quote
do you get a blue screen with a error code on it during a failed startup, or does your computer just attempt to restart?
Neither really, at least not very often. I very very rarely get the blue screen, and an automatic restart occurs a little more frequently but still is rare. What happens almost always is that some time during the loading of Windows or the desktop, the screen will freeze, keyboard/mouse locks up, no error code at all.

I've just unchecked Automatic restart as instructed.

Quote from: mauserme
See if running chkdsk in the recovery console helps.  It may take a long time and appear to hang so be patient.
Can you give me an idea of how long it might take, please? I'm not impatient at all when it comes to stuff like this but with my PC freezing so much during these things, it's hard to know when it's frozen and when it's still chugging along. I have run CHKDSK before (though not from the recovery console) and once I left it on overnight (e.g. 12+ hours) and when I went back to it the next day, it was still stuck at the same line it had printed when I left it, something about inserting an entry into an index at location something something, or vice versa.

I have not rebooted since my last post, and will next try out what was posted, just wanted to post this first in case I'm unable to come back on here for some time afterwards.
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on November 05, 2007, 04:20:22 AM
thanks alex. Mauserme may be able to answer your question on the time frame. I'll try to decipher the log.
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on November 05, 2007, 04:23:34 AM
Quote
This will create a fix.reg file on your desktop

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

At this step, I get an error from the Registry Editor:
Cannot import D:\Documents and Settings\Administrator\Desktop\fix.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor.

I made sure there was no space.
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on November 05, 2007, 04:33:16 AM
Okay, when it rains it pours. Hang on a minute let me check the script.

Did you use erunt for a backup?
Title: Re: Er......this really sucks. Help, please?
Post by: mauserme on November 05, 2007, 04:37:44 AM
Can you give me an idea of how long it might take, please? I'm not impatient at all when it comes to stuff like this but with my PC freezing so much during these things, it's hard to know when it's frozen and when it's still chugging along. I have run CHKDSK before (though not from the recovery console) and once I left it on overnight (e.g. 12+ hours) and when I went back to it the next day, it was still stuck at the same line it had printed when I left it, something about inserting an entry into an index at location something something, or vice versa.
30 to 40 minutes, give or take.  It depends on the size of the data.  For sure not 12 hours.

Title: Re: Er......this really sucks. Help, please?
Post by: mauserme on November 05, 2007, 04:41:06 AM
At this step, I get an error from the Registry Editor:
Cannot import D:\Documents and Settings\Administrator\Desktop\fix.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor.
Were you trying to import this from within the regedit interface?


EDIT: 

Cannot import D:\Documents and Settings\Administrator\Desktop\fix.reg

The reg fix oldman wrote was based on the ComboFix log run on the C: drive.  Because of this it reflects registry entries on that partition so you should run the fix from C: if this is a dual boot set up.
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on November 05, 2007, 05:06:13 AM
Quote
Did you use erunt for a backup?
Yes.

Quote
Were you trying to import this from within the regedit interface?
Uh........sorry I don't know what you mean. All I did was save the file to the desktop on D:, then right-clicked it and selected Merge as instructed. After running Erunt, that is.

Quote
The reg fix oldman wrote was based on the ComboFix log run on the C: drive.  Because of this it reflects registry entries on that partition so you should run the fix from C: if this is a dual boot set up.
Hmmm, so what you are saying is that I should save the fix.reg file to my desktop on D: but restart my PC and boot up my copy of XP on C: and then try right-clicking and merging it?
Title: Re: Er......this really sucks. Help, please?
Post by: mauserme on November 05, 2007, 05:09:14 AM
Hmmm, so what you are saying is that I should save the fix.reg file to my desktop on D: but restart my PC and boot up my copy of XP on C: and then try right-clicking and merging it?
Not exactly.

Boot to C:, create the file on the C: desktop, and merge it from there.  Leave D: out of it.
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on November 05, 2007, 05:47:46 AM
re: safebootfix log. All I had was another log that the fix was successful on to compare it to. It was pretty much identical except for a reference to DcomLaunch. Different machine, different settings.

I also found this

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

The info I found on it was that it could be a legitimate file or malware.


could you submit it to virustotal?

D:\windows\system32\\drivers\ip6fw.sys
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on November 05, 2007, 06:18:56 AM

The reg fix oldman wrote was based on the ComboFix log run on the C: drive.  Because of this it reflects registry entries on that partition so you should run the fix from C: if this is a dual boot set up.

It never occurred to me that it would be different since the computer had been booted from D: Another little lesson.
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on November 05, 2007, 08:03:42 AM
How are things going?

If the file I asked about is clean, I think you can try safe mode. If it works, you should be able to run SDFix. But do the other things first. No point jumping all over.
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on November 07, 2007, 06:20:06 AM
Hello,
Quote
could you submit it to virustotal?

D:\windows\system32\\drivers\ip6fw.sys
The file was clean, the result was 0%.

Okay, I'll be attempting to boot up XP from C: now......I got no dirty CHKDSK bit to help me there as far as I know so it's rather touch and go as to whether it'll work. ::)
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on November 07, 2007, 06:23:18 AM
Ok good luck. Did you try safe mode after the safe mode fix?
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on November 07, 2007, 07:36:56 AM
Er, if by safe mode fix, you mean running Erunt followed by the thing with the fix.reg file, no....because I just spent the last hour trying to boot from C: (and failing) and so I couldn't do this:

Quote
The reg fix oldman wrote was based on the ComboFix log run on the C: drive.  Because of this it reflects registry entries on that partition so you should run the fix from C: if this is a dual boot set up.

And then when that didn't work I had an absolute whale of a time ::) trying to boot from D: in normal mode so I could come back on here, guess I should have given SafeMode a try again but then considering how I couldn't do the fix in the first place...

However, I did manage to get the blue screen of death 4 times in the process! So I'm happy to report the following errors:
the first time I got this one:
IRQL_NOT_LESS_OR_EQUAL
Stop 0x0000000A (0x00000F18, 0x00000002, 0x00000000, 0x805B9BFE)
and then the next 3 times it was similar:
IRQL_NOT_LESS_OR_EQUAL
Stop 0x0000000A (0x00000F18, 0x00000002, 0x00000000, 0x805B7166)
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on November 07, 2007, 07:46:34 AM
Also, I have another idea which I forgot to post. I saved a copy of the fix.reg file to my other desktop on C: by saving it to the Desktop folder-thingamajigger on that partition. Is it safe to try right-clicking that particular copy from within Windows Explorer and selecting Merge from there (ie, while running XP from D: like I usually do)?
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on November 07, 2007, 07:50:22 AM
Okay, we'll research those error codes.

I meant did you try safe mode after running the safemode fix. You posted the log and I compared it to one that the fix worked on. We can leave the regfix for now. If you do get into safe mode, try the program mauserme wanted you to run. You should copy/print the instruction as you will be without internet.

Luck. I'll post anything I can find on the codes.

Also, I have another idea which I forgot to post. I saved a copy of the fix.reg file to my other desktop on C: by saving it to the Desktop folder-thingamajigger on that partition. Is it safe to try right-clicking that particular copy from within Windows Explorer and selecting Merge from there (ie, while running XP from D: like I usually do)?

I'd best let mauserme comment on that.
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on November 07, 2007, 08:16:31 AM
alex, I found a couple of things for you to read. you don't have to try them, as you know best how close the problem is to yours. It may just be a matter of unplugging a printer.

http://support.microsoft.com/?kbid=244617&sd=RMVP

http://aumha.org/a/stop.htm

Let us know what you think the problem is. There are people here that may be able to help identify the problem.
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on November 08, 2007, 10:28:01 PM
Thanks very much, that second link looks especially helpful. It will take me some time to paw through it.
Title: Re: Er......this really sucks. Help, please?
Post by: mauserme on November 08, 2007, 11:09:19 PM
Sorry to be so long in adding my $0.02 but I've been busy with my very own computer problems lately. 

With the constant chkdsk and the stop errors I'm thinking hardware too, unfortunately.
Title: Re: Er......this really sucks. Help, please?
Post by: alex1234 on December 04, 2007, 12:37:49 AM
Hello everyone,
Sorry about bringing up an old topic.
I didn't want to leave this hanging in case anyone's wondering how it ends so I just thought I'd put an end to it.
Basically my PC went completely dead some time ago, hence the cessation of my pestering  ::), after some testing I became 100% sure it was a hardware problem so I took it into a couple of shops so they could test the hardware.
My video card has been replaced (also my power supply, most likely due to it crapping out after all the resets/restarts I had to do) and now my system is working like a charm so far.
Just want to send a last note of thanks for all your guys' help with the Trojan, and later help and advice about my other problem.
Title: Re: Er......this really sucks. Help, please?
Post by: DavidR on December 04, 2007, 01:45:18 AM
Thanks for the feedback, I'm glad that things are now OK.
Title: Re: Er......this really sucks. Help, please?
Post by: oldman on December 04, 2007, 02:09:27 AM
Hi alex, long time no hear.

Well at least, it died a "clean" death.  ::)

If you are interested I may have found why the regfix didn't work. I used lower case letters. It happened in another thread and changing to upper case made the fix work, (REGEDIT4). I've edited the fix, but use erunt first. It's no big deal, it was just for the last two items we removed.

keep safe and thanks for letting us know how you made out.
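As an added example (not code from the thread or from any of the posters), here is a Python checker for the kind of .reg script oldman posted earlier in the thread. It validates the file the way regedit does before merging (header line exactly `REGEDIT4` or `Windows Registry Editor Version 5.00`, case-sensitive and on the first line, then `[key]` / `[-key]` sections with `"name"=data` lines) and lists the operations the script would perform: deleting a value (`=-`) or deleting a whole key (`[-...]`). The sample input is the thread's own fix, first with the lower-case header that regedit rejected and then corrected; the error messages and the set of root-key names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Header lines regedit accepts. The comparison is case-sensitive: "Regedit4"
# is rejected with "The specified file is not a registry script", which is the
# error reported in this thread. REGEDIT4 files are ANSI text; the 5.00 header
# expects a Unicode (UTF-16) file.
VALID_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
ROOT_KEYS = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
             "HKEY_USERS", "HKEY_CURRENT_CONFIG"}

KEY_LINE = re.compile(r"^\[(?P<minus>-?)(?P<path>[^\]]+)\]$")       # [key] or [-key]
VALUE_LINE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
DATA_SYNTAX = re.compile(r'^(?:-|"(?:[^"\\]|\\.)*"|dword:[0-9A-Fa-f]{8}'
                         r'|hex(?:\([0-9A-Fa-f]+\))?:[0-9A-Fa-f, \\]*)$')


@dataclass
class KeyOp:
    path: str
    delete_key: bool = False                         # [-key] removes the whole key
    values: Dict[str, Optional[str]] = field(default_factory=dict)  # None means "name"=- (delete value)


@dataclass
class RegReport:
    header: str = ""
    keys: List[KeyOp] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def validate_reg_script(text: str) -> RegReport:
    """Check a .reg script the way regedit will before merging it, and list its operations.
    Limitation: multi-line hex continuations (trailing backslash) are not handled."""
    rep = RegReport()
    lines = text.splitlines()
    if not lines:
        rep.errors.append("empty file")
        return rep
    rep.header = h = lines[0]
    if h not in VALID_HEADERS:
        if h.strip() == "":
            rep.errors.append("line 1: blank line above the header; the header must be the first line")
        elif h.strip() in VALID_HEADERS:
            rep.errors.append("line 1: header has leading or trailing whitespace")
        elif h.strip().upper() == "REGEDIT4":
            rep.errors.append(f"line 1: header {h.strip()!r} must be exactly REGEDIT4 (case-sensitive)")
        else:
            rep.errors.append(f"line 1: unrecognised header {h!r}")
    current: Optional[KeyOp] = None
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                 # blank lines and ; comments are ignored
        km = KEY_LINE.match(line)
        if km:
            root = km.group("path").split("\\", 1)[0].upper()
            if root not in ROOT_KEYS:
                rep.errors.append(f"line {n}: unknown root key {root!r}")
            current = KeyOp(km.group("path"), delete_key=bool(km.group("minus")))
            rep.keys.append(current)
            continue
        vm = VALUE_LINE.match(line)
        if not vm:
            rep.errors.append(f'line {n}: not a [key] or "name"=data line: {line!r}')
            continue
        if current is None:
            rep.errors.append(f"line {n}: value line before any [key] section")
            continue
        if current.delete_key:
            rep.errors.append(f"line {n}: value listed under a [-key] deletion has no effect")
        data = vm.group("data")
        if not DATA_SYNTAX.match(data):
            rep.errors.append(f"line {n}: unsupported data syntax {data!r}")
        name = "@" if vm.group("default") else vm.group("name")
        current.values[name] = None if data == "-" else data
    return rep


# The fix from the thread as sample input: first with the lower-case header it
# was originally posted with, then with the header corrected.
BAD_FIX = r'''Regedit4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Messenger Service"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft Messenger Service"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
'''
GOOD_FIX = BAD_FIX.replace("Regedit4", "REGEDIT4", 1)

if __name__ == "__main__":
    for label, script in (("as posted", BAD_FIX), ("corrected", GOOD_FIX)):
        rep = validate_reg_script(script)
        print(f"{label}: {'OK' if rep.ok else 'REJECTED'} {rep.errors}")
        for k in rep.keys:
            print("  ", "delete key" if k.delete_key else "key", k.path, k.values)
```

Run it and the first script is rejected on line 1 alone while the corrected one passes and reports two value deletions plus one key deletion, which is the whole effect of the fix; reviewing that operation list before merging is a cheap way to confirm a posted .reg file does only what its author says.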