Re: Er......this really sucks. Help, please?
October 21, 2007, 06:56:40 AM
DSS would have given much the same information as ComboFix + HJT, had it run.

The ComboFix log should be c:\combofix.txt

Re: Er......this really sucks. Help, please?
October 21, 2007, 07:12:41 AM
I was going to get him to try again with a new copy, renamed. But if you think that the first one ran, then just wait for him to report back.

I was looking for backup copies of the files that I hoped would show up in combofix. Looking at what alex posted, it looked like the first part of the log and combofix didn't complete.

As I told alex, I don't know anything about DSS or why it didn't run and you'd probably know.

Stepping aside now


Re: Er......this really sucks. Help, please?
October 21, 2007, 07:20:37 AM
I was going to get him to try again with a new copy, renamed. But if you think that the first one ran, then just wait for him to report back.

I was looking for backup copies of the files that I hoped would show up in combofix. Looking at what alex posted, it looked like the first part of the log and combofix didn't complete.
If it didn't run, renaming it could very well work.  I was just saying he should look for the log in c:\, not in the combofix folder.

As I told alex, I don't know anything about DSS or why it didn't run and you'd probably know.

Stepping aside now
But you and David are the main helpers in this thread - I just jumped in with an idea or two.  I'll be happy to give some input on the ComboFix log if it's wanted but otherwise I consider myself an observer  :)

Re: Er......this really sucks. Help, please?
October 21, 2007, 07:29:55 AM

Okay. Really appreciate the help. Reading my post again, it may have sounded like I was in a huff, believe me I was not. I thought perhaps you wanted to try DSS.

This started looking promising, until it seemed that combofix stalled/died. I was hoping to get to the .bak before it all started again.

I'll get alex to try again with a new renamed copy.


If you can't find the log in the location that mauserme posted, it may be in D:\ on your system, then try the following.

Delete the copy of combofix you have, Download a new one. Before you run it, rename it.
« Last Edit: October 21, 2007, 10:50:28 AM by oldman »


Re: Er......this really sucks. Help, please?
October 21, 2007, 07:36:37 AM
Okay. Really appreciate the help. Reading my post again, it may have sounded like I was in a huff, believe me I was not. I thought perhaps you wanted to try DSS.
No sweat.  I'm PM'ing you some info about DSS.

Re: Er......this really sucks. Help, please?
October 21, 2007, 10:39:10 AM

I was looking at your SAS logs again. The first scan you did was a complete scan. It found a couple of downloaders, which may or may not be related.

The symptoms returning would be due to the backup copies being restored by vundo. The file names will probably be different.

SAS seems to be able to catch enough of it to make your system usable for a short period of time. But so did vundofix that DavidR had you run.

Since the popups are less, I think some of it may be gone. Combofix may have gotten some of it as there are a couple of 04 lines missing.

Perhaps another complete scan by SAS with the settings I gave you earlier before combofix. If you've already run the renamed combofix that's fine. Or better yet if you found the combofix log. We just have to find the backup files.


Re: Er......this really sucks. Help, please?
October 22, 2007, 01:25:12 AM
Alright, this is what I've done since my last post:

Ran SAS again, see log as attached. It found 120 or so threats, all of which I quarantined.
Restarted with modem turned off. Found no obvious signs of infection, i.e. alerts were gone.
Ran HJT, found a couple of the Winlogon Notify entries with random file names, Fixed them.
Tried running the same copy of ComboFix.exe I had downloaded, which somehow initiated a 60-second system restart countdown so that ComboFix could not run to completion.
After the restart with modem turned off still, ran HJT again and got this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:00, on 2007-10-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
D:\Program Files\Comodo\Firewall\CPF.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
D:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe
D:\Program Files\TELUS eCare\bin\mpbtn.exe
D:\Program Files\Trend Micro\HijackThis\HijackThisAlex.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MimBoot] D:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [hpfsched] D:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Reminder-hpc41001.lnk = D:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe
O4 - Global Startup: TELUS eCare.lnk = D:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

End of file - 6468 bytes

Turned modem back on and saw no alerts from Comodo about IE trying to make a connection as I previously did.
Still no symptoms of infection.
Downloaded a new copy of ComboFix from the other link that was posted and renamed it, will be running it next, or trying to. The partial ComboFix log that I posted before from my first run is in D:\ComboFix\ComboFix.txt. It's the only text document in that folder and there is nothing of the sort in just D:\.

Also I'm female, but minor detail. No worries.  ;D

Re: Er......this really sucks. Help, please?
October 22, 2007, 01:51:56 AM

Turned modem back on and saw no alerts from Comodo about IE trying to make a connection as I previously did.

I think that was from something that was removed earlier. Possibly one of the downloaders.

Downloaded a new copy of ComboFix from the other link that was posted and renamed it, will be running it next, or trying to.

Usually when combofix has a problem it won't work again. Also the new vundo is really giving the traditional tools a workout. The renaming may work like it used to with hjt.

Ran HJT, found a couple of the Winlogon Notify entries with random file names, Fixed them.

Were these the lines

O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)
O20 - Winlogon Notify: sivnbypf - D:\WINDOWS\SYSTEM32\sivnbypf.dll

I meant to ask you, I don't know if anyone did, is windows set to show all files?

If not

Open the Folder Options in the Control Panel.  On the View tab make sure Show Hidden Files and Folders is checked and Hide Protected Operating System Files is not checked.  Click OK.

Also I'm female, but minor detail. No worries.  ;D

I apologize, must remember not to ass u me.  ;D
« Last Edit: October 22, 2007, 02:01:29 AM by oldman »

Re: Er......this really sucks. Help, please?
October 22, 2007, 02:14:03 AM
Tried running the same copy of ComboFix.exe I had downloaded, which somehow initiated a 60-second system restart countdown so that ComboFix could not run to completion.

I don't know if this was the result of trying to run a corrupted copy of combofix or something else at work here. Will have to check that out.

Re: Er......this really sucks. Help, please?
October 22, 2007, 05:39:54 AM
I did some checking and asking on this countdown. The opinion is it may be malware.

How are you making out with the renamed scan? I'm still concerned about there being hidden backup files.

If you still are having difficulties running combofix (countdown box appearing)

Do the following

Run a renamed ComboFix again.  If you get the countdown, quickly click the Start Button, then click Run.  Type "shutdown -a" without the quotes in the empty field and click OK.  This will sometimes abort (-a) the pending shutdown.

If we can't get a combofix log, I've requested mauserme to step in with a more sophisticated scanner.

An online scan at Kaspersky may also help. Just report back what is found. Kaspersky doesn't offer any fixes, which in my opinion is good.

Your last hjt log looks like vundo is gone, but I've noticed a pattern. It seems to be a spread of a few hours before a new file is spawned and detected. Hence my concerns about hidden backups.

The SAS detections were mostly the DSS files.

edited to add: rename comboFix.exe to comboalex.exe and try running it from the renamed executable

If you are having problems let me know.
« Last Edit: October 22, 2007, 07:54:31 PM by oldman »


Re: Er......this really sucks. Help, please?
October 23, 2007, 07:42:05 AM
Were these the lines

O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)
O20 - Winlogon Notify: sivnbypf - D:\WINDOWS\SYSTEM32\sivnbypf.dll
I believe so, I can't recall though.

is windows set to show all files?
It is now. Therefore, regarding what I said before:
Quote from: alex1234
The D:\Program Files\BH0\ie-improver.dll file I cannot upload to VirusTotal since I cannot find a BHO directory in D:\Program Files\ in the upload browser.
I have looked in the BHO directory and no such file is there any more.

An online scan at Kaspersky may also help. Just report back what is found.
Ran it on Critical Areas, it found 2 things. See attachment. Sorry about the formatting, had to copy and paste it from html. If it's hard to read I can upload the html file somewhere and link to it.
Ran it on Memory, it was clean.
I'm currently running it on my hard drives as well, but that will take a long while. So far it has found one virus on my other drive (C), I'm thinking it's probably unrelated to this.

It seems to be a spread of a few hours before a new file is spawned and detected.
Yep, though so far I have been symptom-free for about 30 hours and counting.

edited to add: rename comboFix.exe to comboalex.exe and try running it from the renamed executable
Okay, will do. I have not tried running it yet since I had some work going on the side and didn't want to deal with trying to restart my PC till it was done.

Thanks for the info and ongoing help, I will be updating with results.
« Last Edit: October 23, 2007, 07:44:46 AM by alex1234 »

Re: Er......this really sucks. Help, please?
October 23, 2007, 11:21:34 AM
Were these the lines

O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)
O20 - Winlogon Notify: sivnbypf - D:\WINDOWS\SYSTEM32\sivnbypf.dll
I believe so, I can't recall though.

That's why it's important you don't delete/fix anything until requested. We have to be able to see what you are seeing.  ;)  :)  8)

Do you remember if sivnbypf.dll had file missing behind it? i.e. both O20 lines had (file missing)

is windows set to show all files?
It is now. Therefore, regarding what I said before:
Quote from: alex1234
The D:\Program Files\BH0\ie-improver.dll file I cannot upload to VirusTotal since I cannot find a BHO directory in D:\Program Files\ in the upload browser.
I have looked in the BHO directory and no such file is there any more.

Sorry, I should have twigged on your settings before.  :-[  That's the one I thought might have been zlob. I'd have to go back over all the SAS logs, but either SAS or combofix got it.

I'm currently running it on my hard drives as well, but that will take a long while. So far it has found one virus on my other drive (C), I'm thinking it's probably unrelated to this.

Let us know what turns up. It may be related.

It seems to be a spread of a few hours before a new file is spawned and detected.
Yep, though so far I have been symptom-free for about 30 hours and counting.

Except for the countdown when you attempt to run combofix and the fact that DSS failed to run. This still concerns me.

I made 5 attempts at running DSS but each time I get a "....has encountered a problem and needs to close" error.

Do you recall if it was DSS that had the problem or something else? Was a reboot involved?

edited to add: rename comboFix.exe to comboalex.exe and try running it from the renamed executable
Okay, will do. I have not tried running it yet since I had some work going on the side and didn't want to deal with trying to restart my PC till it was done.

Don't forget about the abort shutdown command if the countdown starts again.

Thanks for the info and ongoing help, I will be updating with results.

No problem. Will be waiting for your combofix log.

I'd like you to upload these two files to

D:\WINDOWS\system32\lfonpnnv.dll    D:\WINDOWS\system32\lugaadol.dll

Just use copy and paste if you want. Please post the results. I know what Kaspersky called them, but would like to see what others call them.

Let me know if you have any problems. If you can't get the renamed combofix to run we'll try something else.

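As an added illustration (not code from this thread or from any of the tools it names), the following Python script triages the O20 Winlogon Notify lines discussed above in the way oldman describes: it parses HijackThis-style lines, compares the registered name against an assumed baseline of packages expected on a clean Windows XP build, flags the 8-letter random-looking names and the "(file missing)" marker, and only reports, never fixes. The baseline set and the sample log lines are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: HijackThis-style lines modelled on entries quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)
O20 - Winlogon Notify: sivnbypf - D:\WINDOWS\SYSTEM32\sivnbypf.dll
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# Eight lowercase letters: the shape of the Vundo-style names quoted in the thread.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")
VOWELS = set("aeiou")
# Illustrative baseline (assumption): notify packages commonly present on a clean
# Windows XP install, plus the SUPERAntiSpyware entry from alex1234's log.
# A real baseline should be taken from a known-clean machine of the same build.
BASELINE = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
            "sclgntfy", "SensLogn", "termsrv", "wlballoon", "!SASWinLogon"}


def parse_o20(log: str) -> List[Dict[str, object]]:
    """Return one dict per O20 line: registered name, DLL path, and the missing flag."""
    entries = []
    for line in log.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            entries.append({"name": m["name"], "path": m["path"],
                            "missing": m["missing"] is not None})
    return entries


def looks_random(name: str) -> bool:
    """Heuristic only: 8 lowercase letters with at most two vowels."""
    return bool(RANDOM_NAME_RE.match(name)) and sum(c in VOWELS for c in name) <= 2


def triage_o20(log: str) -> List[Dict[str, object]]:
    """Flag O20 entries an analyst should look at; this never edits the registry."""
    findings = []
    for e in parse_o20(log):
        reasons = []
        if e["name"] not in BASELINE:
            reasons.append("not in baseline")
            if looks_random(e["name"]):
                reasons.append("random-looking name")
        if e["missing"]:
            # HJT could not find the DLL: an orphaned entry, or a file hidden from
            # Explorer (the thread asks whether "show hidden files" is enabled).
            reasons.append("DLL missing (orphaned entry or hidden file)")
        if reasons:
            findings.append({"name": e["name"], "path": e["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_o20(SAMPLE_LOG):
        print(f"{f['name']:<14} {f['path']:<40} {'; '.join(f['reasons'])}")
```

On the sample above, the SUPERAntiSpyware entry is silent and the two random-named entries are reported, one of them also for the missing DLL.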

Re: Er......this really sucks. Help, please?
October 23, 2007, 01:53:54 PM
ComboFix is updated almost daily and it's been several days since you downloaded the copy you have.  Please delete that one and get a fresh copy from Here or Here.  Then rename it as Oldman suggested and post the log (if it runs).

Please also give us a fresh HJTAlex log.  I don't know about Oldman but I've really lost track of the state of your computer at this point.

If you can't get the new, renamed copy of ComboFix to run let's look at a WinPFind log instead.

Download WinPFind3u.exe  to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
      <list of options>
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
This log will be quite long.  You can either use multiple posts or attach the log file if it's easier.  In either case make sure the last line is < End of Report >.

Re: Er......this really sucks. Help, please?
October 23, 2007, 06:37:15 PM
Hi mauserme

Thanks for dropping in.

Please also give us a fresh HJTAlex log.  I don't know about Oldman but I've really lost track of the state of your computer at this point.

I'm not certain. It's been awhile since the last hjt log. I thought I had asked for one, but I can see I didn't.  ::)

But, there's still this

Except for the countdown when you attempt to run combofix and the fact that DSS failed to run. This still concerns me.

I made 5 attempts at running DSS but each time I get a "....has encountered a problem and needs to close" error.

so can't honestly say.

Re: Er......this really sucks. Help, please?
October 24, 2007, 02:40:01 AM
Maybe this is a better comment on my uncertainty about this system's health.

Besides the problem of the two scanners not running, I'm looking at this.

Since the countdown timer has shown up, three scans were done. SAS, hjt and kaspersky online, in that order. SAS picked up some more vundo detections and hjt showed what seems a clean log. A day later, an online scan shows two files kaspersky classifies as adware. SAS also classifies some vundo as adware. Since there is no naming standard, I asked for the files to be submitted to see what other names came up.

This brings us back to the question of hidden backups. Are these files replacements?

Until we see the hjtalex log, results of the files in question, and at the very least a comboalex log, I'd say the jury is still out.

edited to add

In regard to the last sentence, hjt log and submitted files results and comboalex (if it runs) if not WinPFind3u log.

alex after you submit the files to virustotal move them to the chest

1. In the Virus Chest, switch to user file category.
2. In main menu, select File → Add.
3. Browse the folders and select the file you want to add.
4. Choose Open

then delete them from their original location and out of the recycle bin. Don't worry, the chest is a safe place for the files. They can't run or be accessed from outside the chest.
« Last Edit: October 24, 2007, 02:52:43 AM by oldman »