Virtumundo!


  • This topic is locked
21 replies to this topic

#1 imabitdizzy

imabitdizzy

  • Members
  • 58 posts
  • OFFLINE
  • Location:Killeen TX
  • Local time:09:14 PM

Posted 14 November 2007 - 09:02 AM

I have had SO many problems with this virus. In all I have tried 12 different programs including:
Panda
House Call
Bit Defender
Spy Bot
Ad-Aware
AVG anti-virus
Virtumondobegone
Vundo fix Zone Alarm
Avira AntiVir
McAfee Stinger

And, others that I am forgetting! After I did ALL of those repeatedly, I ran most of them in safe mode as well. I can't get rid of this completely. It keeps coming back and attacking it. Here is my hijack this log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:14 AM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [9408dc87] rundll32.exe "C:\WINDOWS\system32\lndpphut.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5891 bytes
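A small triage script for the O4 (autostart) lines in the HijackThis log above, added here as an example; it is not part of the thread or of HijackThis. The sample lines are copied from the log, the flagging rules are the usual analyst heuristics (a core Windows binary name outside its system directory, rundll32 loading a random-looking DLL under a hex-named Run value) and will produce false positives on unusual but legitimate software.

```python
"""Flag suspicious O4 (Run key) entries in a HijackThis 2.0.2 log.

Added example, not HijackThis code. The heuristics are deliberately simple
and are meant as a first-pass triage, not as a verdict.
"""
import re
from typing import Dict, List, Optional

# Where the genuine copies of core Windows binaries live on Windows XP.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\system32\dllcache"}
# Names that malware commonly borrows to blend into a process list.
CORE_BINARY_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                     "csrss.exe", "smss.exe", "spoolsv.exe", "explorer.exe"}

# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-letter path ending in an executable extension inside the command line.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\n]*?\.(?:exe|dll|scr|com|bat|cpl)", re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")        # e.g. "9408dc87"
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")    # e.g. "lndpphut.dll" (heuristic)

# Sample lines copied from the HijackThis log posted above.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"',
    r"O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe",
    r'O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
    r'O4 - HKLM\..\Run: [9408dc87] rundll32.exe "C:\WINDOWS\system32\lndpphut.dll",b',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')",
    r"O4 - Startup: PowerReg Scheduler.exe",
]


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Split a Run-key O4 line into hive, value name, command and executable path.
    Returns None for lines that are not Run-key entries (e.g. 'O4 - Startup:')."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    path = PATH_RE.search(m.group("cmd"))
    return {"hive": m.group("hive"), "name": m.group("name"),
            "cmd": m.group("cmd"), "path": path.group(0) if path else ""}


def triage_entry(entry: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one parsed O4 entry (empty list = nothing odd)."""
    findings: List[str] = []
    path = entry["path"].lower()
    if not path:
        return findings
    directory, _, basename = path.rpartition("\\")
    # Rule 1: a core binary name launched from somewhere it never legitimately lives.
    if basename in CORE_BINARY_NAMES and directory not in SYSTEM_DIRS:
        findings.append(f"core binary name '{basename}' outside a system directory ({directory})")
    # Rule 2: rundll32 used as a loader for a DLL with a random-looking name,
    # registered under a value name that is just eight hex digits.
    if entry["cmd"].lower().startswith("rundll32"):
        if RANDOM_DLL_RE.match(basename):
            findings.append(f"rundll32 loading DLL with random-looking name '{basename}'")
        if HEX_NAME_RE.match(entry["name"]):
            findings.append(f"Run value name '{entry['name']}' is an 8-hex-digit string")
    return findings


def triage_log(lines: List[str]) -> List[Dict[str, object]]:
    """Parse every O4 line and return only the entries that triggered a rule."""
    flagged = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        findings = triage_entry(entry)
        if findings:
            flagged.append({"name": entry["name"], "path": entry["path"], "findings": findings})
    return flagged


if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(f"[{hit['name']}] {hit['path']}")
        for f in hit["findings"]:
            print(f"    - {f}")
```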

#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:14 PM

Posted 14 November 2007 - 11:20 PM

Hello imabitdizzy,

Before we start, you need to realize that you are missing one important program on that computer: An antivirus.

This is somewhat suicidal in today's digital world.

You need to install an antivirus program as soon as you can and run a complete scan of the computer.

I recommend you download the free

Avast or
AntiVir or
AVG antivirus

Products from all three vendors received the Virus Bulletin's VB100% award and certification for virus detection from ICSA Labs.

Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and decrease the reliability of it seriously!

After you have installed the antivirus program and run a complete scan, then post a fresh Hijackthis log.

Edited by SifuMike, 14 November 2007 - 11:21 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 imabitdizzy

imabitdizzy
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  • Location:Killeen TX
  • Local time:09:14 PM

Posted 15 November 2007 - 12:51 AM

OK, I have tried two of the three you had mentioned. I just did 4 different scans RIGHT before I read your reply. I have, umm, 7 or 8 anti-virus programs on my computer, but I only keep one active. I JUST scanned with AVG, Ad-Aware, Spybot, and Stinger. There were detections with all four programs. I am not quite understanding what you mean by not having more than one at a time. Should I delete all but Zone Alarm? Or should I just run them independently and keep the others inactive? Ya gotta just put things as clearly as possible because I tend to read into things too much and confuse myself! LOL (yes, I am blonde!)
Oh, by the way, I do have anti-virus software. I have AVG anti-virus, Zone Alarm, and Avira AntiVir.

Here are the results of the scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:55 PM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [9408dc87] rundll32.exe "C:\WINDOWS\system32\lndpphut.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5911 bytes

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:14 PM

Posted 15 November 2007 - 01:43 PM

Hello imabitdizzy,

I have, umm, 7 or 8 anti-virus programs on my computer, but I only keep one active. I JUST scanned with AVG, Ad-aware, Spy-bot, and Stinger. There were detections with all four programs. I am not quite understanding what you mean by not having more than one at a time. Should I delete all but Zone alarm? Or should I just run them independently and keep the others inactive? Ya gotta just put things as clearly as possible because I tend to read into things too much and confuse myself! LOL (yes, I am blonde!)


Which antivirus program do you have active? I don't see any in your log.

You should have only ONE antivirus program active in memory. I (as well as Microsoft, McAfee and Symantec) recommend that you DO NOT have more than one antivirus product installed and running on your computer at a time.

The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms".

It can also lead to a clash as both products fight for access to files as they are opened; again, this is the resident/automatic protection.

In general terms, the two programs may conflict and cause:

1) False alarms: the antivirus software tells you that your PC has a virus when it actually doesn't.
2) System performance problems: your system may lock up due to both products attempting to access the same file at the same time.

Open HijackThis 2.0.2
Press the button 'View Misc Tools Section'
Press the button 'open uninstall manager'
Press the button 'save list'
A notepad file will open.
Post the content here in your reply.
Close HijackThis.

Edited by SifuMike, 15 November 2007 - 01:45 PM.


#5 imabitdizzy

imabitdizzy
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  • Location:Killeen TX
  • Local time:09:14 PM

Posted 15 November 2007 - 06:54 PM

OK, I only have Zone Alarm running. That is my firewall and my anti-virus.
I did the exact thing you said, but no Notepad document showed. What else should I do?

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:14 PM

Posted 15 November 2007 - 11:24 PM

Hi imabitdizzy,

Let's run ComboFix.

If you have used ComboFix before, please delete the version you have and download it again, because ComboFix is updated every day.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files, which may cause unpredictable results.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".

Edited by SifuMike, 15 November 2007 - 11:25 PM.


#7 imabitdizzy

imabitdizzy
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  • Location:Killeen TX
  • Local time:09:14 PM

Posted 16 November 2007 - 09:27 AM

OK... here is the ComboFix log:

ComboFix 07-11-08.1 - Administrator 2007-11-16 8:10:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.156 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Program Files\Temporary
C:\Program Files\WinAble
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bdeeg.bak1
C:\WINDOWS\system32\bdeeg.bak2
C:\WINDOWS\system32\bdeeg.ini
C:\WINDOWS\system32\geedb.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.

2007-11-16 08:08 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-15 08:39 79,936 --a------ C:\WINDOWS\system32\ixfyltxo.dll
2007-11-14 08:42 79,424 --a------ C:\WINDOWS\system32\jxaqwbik.dll
2007-11-14 07:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-13 23:28 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-13 23:28 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-13 23:24 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-11-13 08:41 80,448 --a------ C:\WINDOWS\system32\gkpbyepj.dll
2007-11-13 08:38 144,480 --a------ C:\WINDOWS\system32\thmxwnue.dll
2007-11-13 08:35 88,128 --a------ C:\WINDOWS\system32\afvikiog.dll
2007-11-12 21:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-12 18:05 <DIR> d-------- C:\VundoFix Backups
2007-11-12 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-12 14:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-11-12 14:25 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-11-12 12:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MailFrontier
2007-11-12 08:37 81,472 --a------ C:\WINDOWS\system32\xngjiguy.dll
2007-11-11 21:45 <DIR> d-------- C:\Program Files\iTunes
2007-11-11 21:36 <DIR> d-------- C:\Program Files\QuickTime
2007-11-11 21:30 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-11-11 21:11 6,433,312 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-11 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-11 21:06 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-11-11 20:28 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-11 20:25 134 --a------ C:\n.bat
2007-11-11 20:25 0 --a------ C:\z.dat
2007-11-11 20:25 0 --a------ C:\x.dat
2007-11-11 19:59 <DIR> d-------- C:\Program Files\Preclick
2007-11-11 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Preclick Photo Organizer
2007-10-31 13:03 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2007-10-28 19:17 <DIR> d-------- C:\pra
2007-10-26 23:45 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2007-10-25 08:13 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-23 07:41 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-10-18 10:58 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-10-18 10:58 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-10-18 10:58 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-10-18 10:58 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-10-18 07:40 <DIR> d-------- C:\Documents and Settings\Administrator\Incomplete
2007-10-16 21:06 <DIR> d-------- C:\Documents and Settings\Administrator\Shared
2007-10-16 21:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2007-10-16 14:01 <DIR> d-------- C:\Program Files\MySpace
2007-10-16 14:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MySpace
2007-10-16 12:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-16 14:18 87,212 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-16 00:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-14 06:49 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-12 03:45 --------- d-----w C:\Program Files\iPod
2007-11-12 02:14 --------- d-----w C:\Program Files\Photo Pos Pro
2007-10-27 05:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2007-10-27 05:47 --------- d-----w C:\Program Files\Kodak
2007-10-11 19:28 --------- d-----w C:\Program Files\Common Files\Thraex Software
2007-10-11 19:20 --------- d-----w C:\Program Files\PAMO Picture WaterMarker
2007-10-11 16:26 --------- d-----w C:\Program Files\Java
2007-10-11 16:25 --------- d-----w C:\Program Files\Common Files\Java
2007-10-10 01:47 --------- d-----w C:\Program Files\AIM
2007-10-10 01:47 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Aim
2007-10-09 21:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-10-09 21:04 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-09 21:04 --------- d-----w C:\Program Files\AIM6
2007-10-09 21:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-09 21:04 --------- d-----w C:\Documents and Settings\Administrator\Application Data\acccore
2007-10-09 01:58 --------- d-----w C:\Program Files\AOD
2007-10-05 08:06 --------- d-----w C:\Program Files\Google
2007-10-04 16:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-04 16:02 --------- d-----w C:\Program Files\Apple Software Update
2007-10-04 16:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-10-02 19:00 --------- d-----w C:\Program Files\MSXML 4.0
2007-10-02 18:38 --------- d-----w C:\Program Files\Infogrames
2007-10-02 18:38 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Yahoo!
2007-10-02 18:36 --------- d-----w C:\Program Files\Yahoo!
2007-10-02 18:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-06 22:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-09-06 22:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01CD0B31-9154-45F2-9414-F5D64B74EAF6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EA5F53E-83FA-419D-9E5E-CA5A355BC57B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c01211c6-e53c-4c30-a478-332358a495dc}]
2007-11-15 08:39 79936 --a------ C:\WINDOWS\system32\ixfyltxo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"9408dc87"="C:\WINDOWS\system32\lndpphut.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 12:39]
"Aim6"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 16:43]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-03-19 21:10:51]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lslrfbli]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhggf]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geedb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Atari Launcher 2]
C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Atari icon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet


.
Contents of the 'Scheduled Tasks' folder
"2007-11-07 02:49:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 08:21:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-16 8:22:48 - machine was rebooted
.
--- E O F ---




Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:10 AM, on 11/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {01CD0B31-9154-45F2-9414-F5D64B74EAF6} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {89E369E1-9284-4F7A-8E91-4F3EF0364C76} - (no file)
O2 - BHO: (no name) - {8EA5F53E-83FA-419D-9E5E-CA5A355BC57B} - (no file)
O2 - BHO: {cd594a85-3233-874a-03c4-c35e6c11210c} - {c01211c6-e53c-4c30-a478-332358a495dc} - C:\WINDOWS\system32\ixfyltxo.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [9408dc87] rundll32.exe "C:\WINDOWS\system32\lndpphut.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: lslrfbli - C:\WINDOWS\
O20 - Winlogon Notify: mljhggf - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4534 bytes

#8 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 16 November 2007 - 12:30 PM

Hello imabitdizzy,


I see Viewpoint installed.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now, if you did not install it.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player


If you uninstalled, please navigate to and delete the following folder:
C:\Program Files\Viewpoint

*******************************************

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************


I see you are running TeaTimer.
I suggest you disable it, because it can interfere with the changes you'll make to your system.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer during HijackThis Cleanup
When everything is done and your log is clean again, you can enable it again.



Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked".

O2 - BHO: (no name) - {01CD0B31-9154-45F2-9414-F5D64B74EAF6} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {89E369E1-9284-4F7A-8E91-4F3EF0364C76} - (no file)
O2 - BHO: (no name) - {8EA5F53E-83FA-419D-9E5E-CA5A355BC57B} - (no file)
O2 - BHO: {cd594a85-3233-874a-03c4-c35e6c11210c} - {c01211c6-e53c-4c30-a478-332358a495dc} - C:\WINDOWS\system32\ixfyltxo.dll
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [9408dc87] rundll32.exe "C:\WINDOWS\system32\lndpphut.dll",b
O20 - Winlogon Notify: lslrfbli - C:\WINDOWS\
O20 - Winlogon Notify: mljhggf - C:\WINDOWS\



*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop-up box will appear advising that this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************



Click Start, then Run, type Notepad and click OK.
Open Notepad - don't use any text editor other than Notepad, or the script will fail.
Copy/paste the text in the code box below into Notepad:

File::
C:\WINDOWS\system32\lndpphut.dll
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\ixfyltxo.dll
C:\WINDOWS\system32\jxaqwbik.dll
C:\WINDOWS\system32\gkpbyepj.dll
C:\WINDOWS\system32\thmxwnue.dll
C:\WINDOWS\system32\afvikiog.dll
C:\WINDOWS\system32\xngjiguy.dll
C:\n.bat
C:\z.dat
C:\x.dat

Folder::
C:\VundoFix Backups

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
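A small triage script for the HijackThis entries flagged in the post above, added here as an example; it is not part of the thread and not a HijackThis, ComboFix or BleepingComputer tool. It applies the indicators SifuMike acted on (orphaned O2 BHOs, a BHO whose "name" is a bare CLSID, svchost.exe launched from outside System32, a rundll32 Run entry with a hex-tag name, O20 Winlogon Notify entries that show only a directory) to lines copied from the log, and decodes the Registry:: hex(7) value in the CFScript to show that it sets Authentication Packages back to the default msv1_0. The regexes and rule names are this example's own assumptions, as is Windows living in C:\WINDOWS as in the log.

```python
"""Offline triage of HijackThis 2.0.2 log lines, using the same indicators the
helper acted on in this thread.  Added example: these are reviewer heuristics,
not a verdict, and not code from HijackThis or ComboFix."""
import ntpath
import re
from dataclasses import dataclass

# Constructed input: lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {01CD0B31-9154-45F2-9414-F5D64B74EAF6} - (no file)",
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll",
    r"O2 - BHO: {cd594a85-3233-874a-03c4-c35e6c11210c} - {c01211c6-e53c-4c30-a478-332358a495dc} - C:\WINDOWS\system32\ixfyltxo.dll",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"',
    r"O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe",
    r'O4 - HKLM\..\Run: [9408dc87] rundll32.exe "C:\WINDOWS\system32\lndpphut.dll",b',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    "O20 - Winlogon Notify: lslrfbli - C:\\WINDOWS\\",
    r"O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe",
]

# Line shapes as HijackThis 2.0.2 prints them (assumed from the posted log).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<entry>[^\]]+)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
SYSTEM32_DLL = re.compile(r"\\system32\\[^\\]+\.dll$", re.IGNORECASE)
HEX_TAG = re.compile(r"^[0-9a-f]{8}$")      # Run name like [9408dc87] in the log
SYSTEM32 = r"c:\windows\system32"           # assumption: %windir% is C:\WINDOWS


@dataclass
class Finding:
    line: str
    reason: str


def first_exe(cmd: str) -> str:
    """Program path of a Run command: the quoted path, else the first token.
    HijackThis prints unquoted paths with spaces verbatim; those are not resolved."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def triage_hjt(lines) -> list:
    """Return one Finding per line that matches an indicator from the thread."""
    findings = []
    for line in lines:
        line = line.strip()
        if m := BHO_RE.match(line):
            if m["file"] == "(no file)":
                findings.append(Finding(line, "orphaned BHO: CLSID still registered but its DLL is gone"))
            elif m["name"].startswith("{") and SYSTEM32_DLL.search(m["file"]):
                findings.append(Finding(line, "Vundo-style BHO: bare CLSID as its name, DLL dropped in system32"))
        elif m := RUN_RE.match(line):
            exe = first_exe(m["cmd"])
            base = ntpath.basename(exe).lower()
            if base == "svchost.exe" and ntpath.dirname(exe).lower() != SYSTEM32:
                findings.append(Finding(line, f"svchost.exe outside System32: {exe}"))
            elif base == "rundll32.exe" and HEX_TAG.match(m["entry"]):
                findings.append(Finding(line, "rundll32 loader with a hex-tag Run name"))
        elif m := NOTIFY_RE.match(line):
            # A Notify package that resolves to a directory only: the DLL is hidden or missing.
            if m["path"].endswith("\\"):
                findings.append(Finding(line, "Winlogon Notify package whose DLL is not visible on disk"))
    return findings


def decode_reg_hex7(value: str) -> list:
    """Decode a REGEDIT4-style hex(7) (REG_MULTI_SZ, one byte per ANSI character)
    value such as the CFScript line into its strings.  A Unicode .reg export
    ("Windows Registry Editor Version 5.00") would encode the same type as UTF-16LE."""
    data = bytes(int(b, 16) for b in value.split(":", 1)[1].split(",") if b.strip())
    return [s for s in data.decode("latin-1").split("\x00") if s]


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
    print("Authentication Packages after CFScript:",
          decode_reg_hex7("hex(7):6d,73,76,31,5f,30,00,00"))
```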

#9 imabitdizzy

  • Topic Starter
  • Members
  • 58 posts
  • Location:Killeen TX

Posted 17 November 2007 - 03:51 PM

OK... I did what you said, but I did something you didn't say... oooops!! LOL!!! I accidentally selected all of the boxes in HijackThis, instead of only the ones you said. It didn't seem to do anything. Let's hope it didn't.

Here are the logs:

HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:19 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 1144 bytes



Combofix log:

ComboFix 07-11-08.1 - Administrator 2007-11-17 14:36:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.243 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\n.bat
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\afvikiog.dll
C:\WINDOWS\system32\gkpbyepj.dll
C:\WINDOWS\system32\ixfyltxo.dll
C:\WINDOWS\system32\jxaqwbik.dll
C:\WINDOWS\system32\lndpphut.dll
C:\WINDOWS\system32\thmxwnue.dll
C:\WINDOWS\system32\xngjiguy.dll
C:\x.dat
C:\z.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\n.bat
C:\VundoFix Backups
C:\WINDOWS\system32\afvikiog.dll
C:\WINDOWS\system32\gkpbyepj.dll
C:\WINDOWS\system32\jxaqwbik.dll
C:\WINDOWS\system32\thmxwnue.dll
C:\WINDOWS\system32\xngjiguy.dll
C:\x.dat
C:\z.dat

.
((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.

2007-11-17 14:30 <DIR> d-------- C:\Program Files\CCleaner
2007-11-16 08:08 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-14 07:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-13 23:28 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-13 23:28 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-13 23:24 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-11-12 21:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-12 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-12 14:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-11-12 14:25 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-11-12 12:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MailFrontier
2007-11-11 21:45 <DIR> d-------- C:\Program Files\iTunes
2007-11-11 21:36 <DIR> d-------- C:\Program Files\QuickTime
2007-11-11 21:30 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-11-11 21:11 6,521,120 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-11 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-11 21:06 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-11-11 20:28 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-11 19:59 <DIR> d-------- C:\Program Files\Preclick
2007-11-11 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Preclick Photo Organizer
2007-10-31 13:03 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2007-10-28 19:17 <DIR> d-------- C:\pra
2007-10-26 23:45 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2007-10-25 08:13 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-23 07:41 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-10-18 10:58 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-10-18 10:58 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-10-18 10:58 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-10-18 10:58 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-10-18 07:40 <DIR> d-------- C:\Documents and Settings\Administrator\Incomplete

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 20:40 88,364 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-16 00:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-14 06:49 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-12 18:38 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2007-11-12 03:45 --------- d-----w C:\Program Files\iPod
2007-11-12 02:14 --------- d-----w C:\Program Files\Photo Pos Pro
2007-10-27 05:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2007-10-27 05:47 --------- d-----w C:\Program Files\Kodak
2007-10-20 00:35 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Move Networks
2007-10-16 20:01 --------- d-----w C:\Program Files\MySpace
2007-10-16 20:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MySpace
2007-10-11 19:28 --------- d-----w C:\Program Files\Common Files\Thraex Software
2007-10-11 16:26 --------- d-----w C:\Program Files\Java
2007-10-11 16:25 --------- d-----w C:\Program Files\Common Files\Java
2007-10-10 01:47 --------- d-----w C:\Program Files\AIM
2007-10-10 01:47 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Aim
2007-10-09 21:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-10-09 21:04 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-09 21:04 --------- d-----w C:\Program Files\AIM6
2007-10-09 21:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-09 21:04 --------- d-----w C:\Documents and Settings\Administrator\Application Data\acccore
2007-10-09 01:58 --------- d-----w C:\Program Files\AOD
2007-10-05 08:06 --------- d-----w C:\Program Files\Google
2007-10-04 16:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-04 16:02 --------- d-----w C:\Program Files\Apple Software Update
2007-10-04 16:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-10-02 19:00 --------- d-----w C:\Program Files\MSXML 4.0
2007-10-02 18:38 --------- d-----w C:\Program Files\Infogrames
2007-10-02 18:38 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Yahoo!
2007-10-02 18:36 --------- d-----w C:\Program Files\Yahoo!
2007-10-02 18:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-06 22:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-09-06 22:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-16_ 8.21.57.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-15 04:03:15 4,212 ---ha-w C:\WINDOWS\system32\zllictbl.dat
+ 2007-11-17 05:26:17 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
- 2007-11-16 14:19:23 890,020 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2007-11-17 20:41:17 890,356 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2007-11-15 14:11:20 6,718,345 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2007-11-16 15:11:30 6,735,429 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
- 2007-11-16 00:15:51 1,524,736 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
+ 2007-11-17 20:43:03 1,716,736 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Atari Launcher 2]
C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Atari icon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet


.
Contents of the 'Scheduled Tasks' folder
"2007-11-07 02:49:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 14:43:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-17 14:44:32 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-16 08:22
.
--- E O F ---

#10 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 17 November 2007 - 03:58 PM

OK... I did what you said, but I did something you didn't say... oooops!! LOL!!! I accidentally selected all of the boxes in HijackThis, instead of only the ones you said. It didn't seem to do anything. Let's hope it didn't.


You just deleted many registry entries that make your computer work. :blink: Very bad! If you delete items without knowing what they are, it can lead to other problems, such as your Internet no longer working or problems with running Windows itself.

Please be more careful using Hijackthis.

Lucky for us, HijackThis comes with a backup and restore procedure in the event that you erroneously remove an entry that is actually legitimate.



Start HijackThis, press the Open Misc Tools Section button and then the Backup button.
You will have a listing of all the items that you had fixed previously and have the option of restoring them.
Once you restore an item that is listed in this screen, upon scanning again with HijackThis, the entries will show up again.

Please RESTORE all the items you mistakenly deleted. Then post a fresh Hijackthis log.

We will have to start over with Hijackthis. :thumbsup:

Edited by SifuMike, 17 November 2007 - 04:13 PM.


#11 imabitdizzy

  • Topic Starter
  • Members
  • 58 posts
  • Location:Killeen TX

Posted 17 November 2007 - 05:07 PM

Here is the log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:05:22 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3148 bytes

#12 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 17 November 2007 - 05:27 PM

It looks like you did not restore everything. :thumbsup: This log does not look like the first log you posted.


I don't see H/PC Connection Agent.

Where are all the O16's you deleted? They should be restored.

Go back and restore everything you removed previously.

Then post a fresh HijackThis log.

Edited by SifuMike, 17 November 2007 - 05:38 PM.


#13 imabitdizzy

  • Topic Starter
  • Members
  • 58 posts
  • Location:Killeen TX

Posted 17 November 2007 - 06:29 PM

I restored everything but those 9 things you told me to fix. I just restored everything... here it is:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:25 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {01CD0B31-9154-45F2-9414-F5D64B74EAF6} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {89E369E1-9284-4F7A-8E91-4F3EF0364C76} - (no file)
O2 - BHO: (no name) - {8EA5F53E-83FA-419D-9E5E-CA5A355BC57B} - (no file)
O2 - BHO: {cd594a85-3233-874a-03c4-c35e6c11210c} - {c01211c6-e53c-4c30-a478-332358a495dc} - C:\WINDOWS\system32\ixfyltxo.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [9408dc87] rundll32.exe "C:\WINDOWS\system32\lndpphut.dll",b
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O20 - Winlogon Notify: lslrfbli - C:\WINDOWS\
O20 - Winlogon Notify: mljhggf - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3806 bytes

#14 imabitdizzy

  • Topic Starter
  • Members
  • 58 posts
  • Location:Killeen TX

Posted 17 November 2007 - 06:31 PM

There was only one O16 in the original log, and it says Bit Defender.

I deleted every bit of that from my computer a day or two ago.

#15 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 17 November 2007 - 07:27 PM

Hello imabitdizzy,


Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked".
DO NOT FIX ANYTHING ELSE EXCEPT THE FOLLOWING

O2 - BHO: (no name) - {01CD0B31-9154-45F2-9414-F5D64B74EAF6} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {89E369E1-9284-4F7A-8E91-4F3EF0364C76} - (no file)
O2 - BHO: (no name) - {8EA5F53E-83FA-419D-9E5E-CA5A355BC57B} - (no file)
O2 - BHO: {cd594a85-3233-874a-03c4-c35e6c11210c} - {c01211c6-e53c-4c30-a478-332358a495dc} - C:\WINDOWS\system32\ixfyltxo.dll
O4 - HKLM\..\Run: [9408dc87] rundll32.exe "C:\WINDOWS\system32\lndpphut.dll",b
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - Startup: PowerReg Scheduler.exe
O20 - Winlogon Notify: lslrfbli - C:\WINDOWS\
O20 - Winlogon Notify: mljhggf - C:\WINDOWS\





Click Start, then Run, type Notepad and click OK.
Open Notepad - don't use any text editor other than Notepad, or the script will fail.
Copy/paste the text in the code box below into Notepad:

File::
C:\WINDOWS\system32\lndpphut.dll
C:\WINDOWS\Fonts\svchost.exe


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.