Winfixer And Other Stuff



#1 elblaino

Posted 22 January 2006 - 03:36 AM

Hi,

I've got a winfixer-related bug that is nasty and won't leave me alone.

I run Windows XP Pro English Edition, Japanese language enabled, on a Sony VAIO laptop.

The first thing I noticed was things got slower. I thought this might be due to the Google Sidebar, which I'd installed recently, so I tended to ignore it. But it got worse. Mostly what I noticed was that if I had Windows Explorer open, as I often did, it would "flicker" rather frequently. Not sure if that has anything to do with anything. But eventually I uninstalled the sidebar to see if performance improved. I can't say one way or the other because the other problems began occurring right about the same time.

Then things started to get serious.

(1) I got a pop-up for Viewpoint software, which I had never heard of. Perhaps this was the second or third time that I'd gotten a pop-up in a very very long time. I had noted it at the time as odd, given that I have both the Win XP service pack 2 (yup) security pop-up blocker and the Google Toolbar pop-up blocker, but I just wrote it off as "well, nothing's perfect." But the odd one asked me to install some 3-D viewing software, apparently it was once used in Adobe or something. If you wanted to make it go away you'd have to know to click "Tell Me More" or something. Rather than close it with the x, I did something else, which instead of making it go away started to launch it on my machine. I then chased down some info online and uninstalled it. But that wasn't the end of my problems.

(2) I later began to get more and more pop-ups for winfixer, originating from winfixer dot com and also jp dot winfixer dot com, which I thought was at least sneaky, since here I was in Japan. I closed these with the x but they grew annoying, and I was unable to stop them. They usually launched whenever I did anything "computer-related" such as visiting Microsoft.com or C/Net.com or any such site, or looking in any one of a number of WINDOWS directories, etc.

(3) I went to a website and my Trend Micro went off and told me it had found one trojan and one virus: what it calls TROJ_NASCENE.D and EXPL_WMF.GEN . Trend Micro informed me that the "quarantine" worked for the former, but not for the latter, so I went into the appropriate directory and deleted that xml/wmf file. I then read all about them and ran Trend Micro about eleven more times, and it assured me there was nothing.

(4) Things got much worse with the winfixer virus. I found I could no longer put my computer into "Stand By" mode. The computer will "wake itself up" after 1-2 seconds and go back to the login screen (as per my settings on "waking up" from a stand by). I suspect that my computer is trying to stay awake and follow commands of some bug.

Also, as I mentioned above in (2), my computer began to randomly tell me "The Page You Requested Is Unavailable Offline" and the dialog asked me to choose either "Try Again"/"Connect Now" or something like that, or else "Stay Offline." I always "either" closed the dialog by closing it with the "x" or else chose "Stay Offline". It would stay quiet if I surfed around a website or a certain directory, but then if I went to another location that seemed to be on its list it would launch again.

I can't seem to get to the Trend Micro free virus scanning site -- that seems to have become off-limits to my machine.

(5) Trend Micro's site suggests that the winfixer virus comes with an uninstaller, but not on my machine. I went looking for it, but couldn't find it. I did find some cookies related to it -- "firstname lastnameATwinfixerDOTcom" or "... ATjpDOTwinfixerDOT com". I deleted these, but my troubles didn't end.

(6) I used TrendMicro's website-blocking function to add some suspicious websites to the "don't allow" exception list. I noticed two separate number-only addresses, so I noted these and added them, and that proved to be a very smart thing to do. Mostly one, but also the other, keeps trying to send me to the winfixer page, as I can tell because now Trend Micro raises a huge alarm when I am getting redirected (in a separate browser window) towards that site.

This doesn't just happen when I am viewing webpages. For example:

Running SpyScan on my TrendMicro, I found some cookies and clicked to learn more. I got a message instead:

QUOTE

Access to the requested URL has been blocked.

To view this Web site, open Trend Micro PC-cillin Internet Security and modify the settings at Network Control > URL Filter.

URL: http://62.4.84.53/trafc-2/rfe.php?cmp=wav2...&lid=trendmicro
Category: User Define

UNQUOTE

(7) I had noticed a TON of junk in my TEMP files -- both on the C drive where almost all the programs are, and on the D drive where almost all the datafiles are. I just went into my computer to get some names to write for you and when I selected the view tab and selected "View Protected File Types" or whatever, the ones that are needed and that MS warns you against seeing, a few more folders appeared on the D drive. One was System Volume Information. I clicked on it to see what was inside and two things happened:

(1) I got an error dialog: "D\System Volume Information is not accessible. Access is denied. OK."
(2) My browser -- which had been closed completely -- launched and then TM displayed a warning:

QUOTE:

Access to the requested URL has been blocked.

To view this Web site, open Trend Micro PC-cillin Internet Security and modify the settings at Network Control > URL Filter.

URL: http://62.4.84.53/trafc-2/rfe.php?cmp=pp_t...lid=information
Category: User Define

: UNQUOTE

Note that that 62.4 whatever address was one that I had found after a bout of winfixer pop-ups and added to my blocked sites "on a whim."

http://www.networksolutions.com/whois/ says that that domain is "RIPE Network Coordination Centre" out of Amsterdam. "These addresses have been further assigned to users in the RIPE NCC region. Contact information can be found in the RIPE database at http://www.ripe.net/whois". But I didn't go there.

The other websites I knew by number from this problem were

202 dot 67 dot 220 dot 227, and
202 dot 67 dot 220 dot 248,

If I ask "Whois" about one that is on my "approved" list, wustat.windows.com, then I get a similar URL block from TM:

QUOTE:
Access to the requested URL has been blocked.

To view this Web site, open Trend Micro PC-cillin Internet Security and modify the settings at Network Control > URL Filter.

URL: http://202.67.220.227/trafc-2/rfe.php?nid=...archAgain.jhtml
Category: User Define

: UNQUOTE

After the block alert is closed I can look in the other browser window to see the information I had requested - the results page, etc. But in this case the Whois website doesn't appear able to look at websites with a dot in the middle of their name. So AppleTree would get caught, but Apple.Tree not, I think.


(8) Note that I also added the suspicious website names, not the numbers, to Windows' blocker, but when I logged in again the restricted sites area had been cleaned out somehow!

(9) Just for kicks, here is the complete list in my Approved URL tab of TM -- and I didn't put any of these in there!

www.trendmicro.com/*
kb.trendmicro.com/*
windowsupdate.microsoft.com/*
wustat.windows.com/wutrack.bin?*
download.windowsupdate.com/*
office.microsoft.com/*
c.microsoft.com/*
download.microsoft.com/*

(9) By now I had read a lot of your website and some others and downloaded some of the software you recommend.

It's probably not related, but after a bunch of downloading -- but prior to installation -- my wallpaper picture vanished and was replaced by a solid color. Also, the taskbar would periodically "vanish" and then after some whirring of the computer reappear.

The first up was Spybot S&D, which found nothing. I left the TeaTimer running. After a second re-boot most tasks are not in the tray; no Orange Juice, etc.

(10) I then ran the SpywareBlaster.

(11) I ran HijackThis v1.99.1 (1.99.0.1) and can show you the log if you like. But your instructions said to do some other things first, so I did some of those instead.

(13) I ran and installed AdAware to use it in tandem with Spybot as recommended.

(14) AdAware found 16 tracing cookies and 1 file to fix, so I deleted all those. I rebooted and ran the program again and only got one.

(15) Ran Spybot S&D and it found one item: "Windows Security Auto-Update" had the wrong setting apparently. I had myself set it to notify me before hand rather than automatic download of updates, but I decided to change it to please Spybot until things got sorted out. I left Spybot and used the Control Panel to navigate to the setting and change it in the security panel itself. I rebooted the computer and ran Spybot again: Again the same problem was found, this time with an icon, "Registry edited" or something like that. I went back through the Control Panel and found the setting showed "ON" as it should. So I went back to Spybot and asked Spybot to fix it for me. It took a very long time but appeared to do the trick.

(16) I then decided to try some of the tools in SpyBot. I tried the System Internals and got many hits -- that log is below. I didn't do any of the recommended changes, though, but I did go through Add/Remove programs and uninstall the HyperCD.

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-01-22 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-01-20 Includes\Cookies.sbi
2006-01-20 Includes\Dialer.sbi
2006-01-20 Includes\Hijackers.sbi
2006-01-20 Includes\Keyloggers.sbi
2006-01-20 Includes\Malware.sbi
2006-01-20 Includes\PUPS.sbi
2006-01-20 Includes\Revision.sbi
2006-01-20 Includes\Security.sbi
2006-01-20 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2006-01-20 Includes\Trojans.sbi

Category: Wrong app path
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\HyperCD
Filename: C:\HyperCD\HyperCD
Data:

Category: Wrong app path
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\SoundMAX WDM Driver
Filename: C:\Program Files\Analog Devices\SoundMAX WDM Driver\SoundMAX WDM Driver
Data:

Category: Wrong app path
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\SoundMAX
Filename: C:\Program Files\Analog Devices\SoundMAX\SoundMAX
Data:

Category: Wrong app path
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe
Filename: C:\WINDOWS\System32\cmmgr32.exe
Data:

Category: Missing shared DLL
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDlls\C:\WINDOWS\System32\MSXML3A.DLL
Filename: C:\WINDOWS\System32\MSXML3A.DLL
Data:

Category: Wrong app path
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\yourapp.Exe
Filename: C:\WINDOWS\TEMP\LCD\yourapp.Exe
Data:

Category: Missing helpfile
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\HTML Help\CHTPADEN.CHM
Filename: CHTPADEN.CHM
Data:

Category: Missing helpfile
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Help\en.hlp
Filename: en.hlp
Data:

Category: Missing helpfile
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Help\esri_csAppControls.hlp
Filename: esri_csAppControls.hlp
Data:

Category: Missing helpfile
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Help\esri_csArcCatalog.HLP
Filename: esri_csArcCatalog.HLP
Data:

Category: Missing helpfile
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Help\esri_csCatalog.HLP
Filename: esri_csCatalog.HLP
Data:

Category: Missing helpfile
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Help\esri_csDataSourcesFile.HLP
Filename: esri_csDataSourcesFile.HLP
Data:

Category: Missing helpfile
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Help\esri_csDataSourcesOleDB.HLP
Filename: esri_csDataSourcesOleDB.HLP
Data:

Category: Missing helpfile
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Help\esri_csDataSourcesSMUUI.HLP
Filename: esri_csDataSourcesSMUUI.HLP
Data:

Category: Missing helpfile
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Help\esri_csMaplexUI.HLP
Filename: esri_csMaplexUI.HLP
Data:

Category: Missing helpfile
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\HTML Help\GPQuickReference.chm
Filename: GPQuickReference.chm
Data:

Category: Missing helpfile
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Help\nwind9.cnt
Filename: nwind9.cnt
Data:

Category: Missing helpfile
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Help\nwind9.hlp
Filename: nwind9.hlp
Data:

Category: Missing helpfile
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Help\nwindcs9.cnt
Filename: nwindcs9.cnt
Data:

Category: Missing helpfile
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Help\nwindcs9.hlp
Filename: nwindcs9.hlp
Data:

Category: Wrong app path
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\setup.exe
Filename: setup.exe
Data:

Category: Missing helpfile
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\HTML Help\spatial_analyst_functional_reference.chm
Filename: spatial_analyst_functional_reference.chm
Data:

Category: Wrong app path
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\table30.exe
Filename: table30.exe
Data:

= = =

(8) Still with me? Then I went to my Cookies folder and found all the "firstname lastname" at such-and-such[nbr].txt "cookies". I decided to nose around.

firstname_lastname@62.4.84[1].txt ==

ghrnc
0
62.4.84.53/
1536
795923200
30128300
271338272
29761168
*

firstname_lastname@202.67.220[2].txt ==

ghrnc
0
202.67.220.227/
1536
2515726976
30128294
936098272
29761168
*

firstname_lastname@202.67.220[3].txt ==

uid
GqkN`XqGNJXXyyqcXKKJGGGX9c=JccK!
202.67.220.248/
1024
3573963776
29899369
1429661840
29761210
*
guid
9GJkWnhhCJXk!K`GqXNky,ckK-`Xq9!J,J`k-`NX!KK
202.67.220.248/
1024
3573963776
29899369
1431171840
29761210
*
cn
J
202.67.220.248/
1024
3573963776
29899369
1431771840
29761210
*

firstname_lastname@com[1].txt ==

XCLGFcgversion
1
com.com/
1024
1550712832
30050933
1234628272
29761168
*
XCLGFbrowser
zhAAX0PSOd5+AAAAPGM
com.com/
1024
1550712832
30050933
1236228272
29761168
*


firstname_lastname@stats1.reliablestats[1].txt ==

tid
Q9I50UL0-sUAADc-%40X8
stats1.reliablestats.com/
1024
2949070464
29781191
1127768272
29761168
*
siteID
winfixer
stats1.reliablestats.com/
1024
2949070464
29781191
1128168272
29761168
*
siteAID_winfixer
vm_tz_wfx6h_5
stats1.reliablestats.com/
1024
2949070464
29781191
1128668272
29761168
*
siteLID_winfixer
keyin
stats1.reliablestats.com/
1024
2949070464
29781191
1128978272
29761168
*
siteLP_winfixer
http%3A%2F%2Fwww.winfixer.com%2Fdownload%2F2006%2F
stats1.reliablestats.com/
1024
2949070464
29781191
1128978272
29761168
*

Well that last one was an eye-catcher, huh! I went into TrendMicro and added "http:\\ stats1 DOT reliablestats DOT com" (with proper typology) to my restricted sites list. Then I went back to my computer, nosing around for trouble. When I clicked on one of the subfolders of the TEMP directory under WINDOWS I got that error unable to connect while offline message and left.

= = =

OK, I restarted the computer after this bout and one, two, three times right in a row I got that "The Website is unavailable while offline" message.

I don't know if this has anything to do with anything, but twice I've pressed the Immunize button in Spybot and both times it takes FOREVER for that program to finish what it is doing, though it eventually does. It said on both occasions all known bad programs were blocked.

I made it to BitDefender's site after one more pop-up, and then began the online scan. The ActiveX app launched by BitDefender caused my SpyBot to warn me, but I was unable to read the two buttons -- just the ? mark. So I closed it with the x, and was notified that the registry change was denied (by teatimer I presume?). I'm not sure that was the best option, but I couldn't make the dialog window any larger to enable me to make the buttons legible.

About halfway through this three-hour process, my TrendMicro popped up to warn me that it had denied access to a trojan, "ADW_MINIBUG.A," which was in C\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll . Not what I was expecting to have happen while in the midst of a virus scan!

At the end of the BitDefender scan, the system "hung." It was while it was looking at the D:\System Value Information directory. I let it wait until it said "(Not Responding)" and then I tried it again, but no dice. The scan said it had 0:00 left and had spent 3:00:42 on the scan. When I said OK to close it, all the IE browser windows closed with it.

I then went to TrendMicro's site -- and of course the winfixer tried to launch from 227 portal.

Incidentally, the TM website says the latest engine is 7.0.0 but my computer says I have 8.0.1001. Also, I can't navigate to a free Spy scan page or to the CoolWebShredder page -- I just get blank pages.

I navigated with WindowsExplorer to the dll and deleted the entire folder, not that that really did anything for sure.

Then I downloaded a zipped set of spyware data files from TM, re-booted my computer, and scanned it again as suggested. It said there was nothing to find. But when I navigated to this site to send this message, the popup tried to launch again (and was blocked again).



Logfile of HijackThis v1.99.1
Scan saved at 5:28:00 PM, on 1/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NTTW\Flets\app\TangoService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\PROGRA~1\NTTW\Flets\app\TangoManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Blaine Connor\My Documents\Computer - Applications & Patches\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\system32\opnll.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Business Objects\JRE\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Business Objects\JRE\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Business Objects\JRE\bin\npjpi142_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E165BA7-A80F-4A8A-83E5-EA9B09C60A31}: NameServer = 211.129.12.47 211.129.14.138
O20 - Winlogon Notify: opnll - C:\WINDOWS\system32\opnll.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\NTTW\Flets\app\TangoService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe


There it all is. Sorry if this was TOO detailed.

El Blaino
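The cookie files pasted in the post above are Internet Explorer's per-site text format: nine lines per cookie (name, value, domain/path, flags, expiry low, expiry high, created low, created high, "*"), with each timestamp split into the low and high 32-bit halves of a Windows FILETIME. As an added example, not part of the original post, the following Python script parses that layout, joins the FILETIME halves into UTC dates, percent-decodes values, and reports cookies that mention a chosen site. The sample input is copied from two of the files quoted in the post (the reliablestats file trimmed to three records); the record layout is an assumption drawn from those files, and the flags field is left uninterpreted.

```python
"""Parse IE6-era cookie files and flag cookies that tie the machine to a site.

Added example; not code from the post. Record layout assumed from the pasted
files: name, value, domain/path, flags, expiry low, expiry high, created low,
created high, then a line holding "*". Timestamps are FILETIME halves
(100-ns ticks since 1601-01-01 UTC). The flags field is not interpreted.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List
from urllib.parse import unquote

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Sample input copied from the cookie files quoted in the post.
SAMPLE_62_4_84 = """ghrnc
0
62.4.84.53/
1536
795923200
30128300
271338272
29761168
*
"""

SAMPLE_RELIABLESTATS = """tid
Q9I50UL0-sUAADc-%40X8
stats1.reliablestats.com/
1024
2949070464
29781191
1127768272
29761168
*
siteID
winfixer
stats1.reliablestats.com/
1024
2949070464
29781191
1128168272
29761168
*
siteLP_winfixer
http%3A%2F%2Fwww.winfixer.com%2Fdownload%2F2006%2F
stats1.reliablestats.com/
1024
2949070464
29781191
1128978272
29761168
*
"""


def filetime_to_datetime(low: int, high: int) -> datetime:
    """Join the two 32-bit halves of a FILETIME and convert to a UTC datetime."""
    ticks = (high << 32) | low
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_cookie_file(text: str) -> List[Dict]:
    """Split a cookie file into records; each record ends with a line holding '*'."""
    records, fields = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line != "*":
            fields.append(line)
            continue
        if len(fields) != 8:
            raise ValueError(f"malformed record: {fields}")
        name, raw_value, domain, flags, exp_lo, exp_hi, cre_lo, cre_hi = fields
        records.append({
            "name": name,
            "value": unquote(raw_value),  # IE stores values percent-encoded
            "domain": domain,
            "flags": int(flags),
            "expires": filetime_to_datetime(int(exp_lo), int(exp_hi)),
            "created": filetime_to_datetime(int(cre_lo), int(cre_hi)),
        })
        fields = []
    return records


def find_suspicious(records: Iterable[Dict], keywords: Iterable[str]) -> List[Dict]:
    """Return cookies whose domain, name or decoded value mentions any keyword."""
    kws = [k.lower() for k in keywords]
    hits = []
    for r in records:
        haystack = f"{r['domain']} {r['name']} {r['value']}".lower()
        if any(k in haystack for k in kws):
            hits.append(r)
    return hits


if __name__ == "__main__":
    both = parse_cookie_file(SAMPLE_62_4_84) + parse_cookie_file(SAMPLE_RELIABLESTATS)
    for rec in find_suspicious(both, ["winfixer"]):
        print(rec["domain"], rec["name"], "=", rec["value"], "expires", rec["expires"].date())
```

The created timestamp of the 62.4.84.53 cookie decodes to 21 January 2006 UTC, one day before the post, and its expiry to January 2011; the landing-page cookie decodes to the winfixer download URL, which is the link the poster spotted by eye. Running the same parser over the whole Cookies folder (one file per site) is a quicker way to enumerate every tracking domain than opening the files one at a time.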



#2 MFDnSC

Posted 22 January 2006 - 04:04 PM

Way too much info - but at least you tried to inform that's better than most :thumbsup:

Please download http://www.atribune.org/ccount/click.php?id=4 to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Edited by MFDnSC, 22 January 2006 - 04:04 PM.

"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 elblaino

Posted 22 January 2006 - 09:50 PM

Dear MFDnSC and BleepingComputer,

Thanks for the advice -- and I'll try to be succinct this time! ; )

I downloaded and ran VundoFix and clicked Scan for Vundo.

The desktop didn't go blank.

After I clicked "YES" to remove the infected files, SpyBot S&D launched to tell me "Browser Helper Object Found". I can't read the SpyBot buttons -- the dialog box cuts them off -- so I don't know which would have said yes or no, so I just moved the dialog out of the way without pressing yes or no or closing it, and then hit "OK" to shut down the computer.

Upon restart, I didn't get messages that it was trying to connect to a web page. Great! I opened up IE and it didn't happen then, either.

Three things follow:
1. vundofix.txt contents
2. hijackthis.log contents
3. Some questions about Internet Explorer changes that have occurred

(Item 1) vundofix log

VundoFix V4.0

Listing files found while scanning....

C:\WINDOWS\system32\opnll.dll
C:\WINDOWS\system32\llnpo.ini
C:\WINDOWS\system32\llnpo.bak1
C:\WINDOWS\system32\llnpo.bak2
C:\WINDOWS\system32\llnpo.ini2
C:\WINDOWS\system32\llnpo.tmp

C:\WINDOWS\system32\llnpo.bak1
C:\WINDOWS\system32\llnpo.bak2
C:\WINDOWS\system32\llnpo.tmp
C:\WINDOWS\system32\llnpo.ini
C:\WINDOWS\system32\llnpo.ini2
C:\WINDOWS\system32\opnll.dll
Attempting to delete C:\WINDOWS\system32\opnll.dll
C:\WINDOWS\system32\opnll.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\llnpo.ini
C:\WINDOWS\system32\llnpo.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\llnpo.bak1
C:\WINDOWS\system32\llnpo.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\llnpo.bak2
C:\WINDOWS\system32\llnpo.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\llnpo.ini2
C:\WINDOWS\system32\llnpo.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\llnpo.tmp
C:\WINDOWS\system32\llnpo.tmp Has been deleted!

Performing Repairs to the registry.
Done!

= = =

(Item 2) hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 11:01:37 AM, on 1/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NTTW\Flets\app\TangoService.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Documents and Settings\Blaine Connor\My Documents\Computer - Applications & Patches\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TSC.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Business Objects\JRE\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Business Objects\JRE\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Business Objects\JRE\bin\npjpi142_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\NTTW\Flets\app\TangoService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

= = =

(Item 3) IE questions

In IE I found some add-ons:
1. {numbers and letters} by Safer Networking
2. AcroIEHlprObj Class by Adobe Systems
3. Google by Google Inc.
4. Google Toolbar Helper by Google
5. Sun Java Console by JavaSoft/Sun Microsystems
6. Uninstall BitDefender Online Scanner v8
7. Windows Messenger

Question 1: May I uninstall Windows Messenger? I don't use instant messaging.

Question 2: May I uninstall BitDefender now that I've used it? Or do you recommend to leave it?

Comment: I found a new Custom Imported format to my Security and Privacy tabs in Internet Explorer. I presume this is OK -- it looks OK. Nothing funny named "Always Except" or anything like that. Instead, there was a huge list of dangerous-looking websites in my "Restricted" sites and a similar list with the status "Always Block" for cookies. I presume one of these new anti-spy programs did this for me. Cool. Wish I'd known to do that before!

= = =

This is so nice, what you are doing for everyone.

El Blaino
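As an added example, not part of this thread and not HijackThis's own code: a small Python parser for log lines in the format pasted above. It pulls the section code, the CLSID and the target path out of each O2/O3/O4/O8/O9/O23 entry and applies a handful of review heuristics that are my own assumptions (target file missing, shortcut target unresolved, bare filename that Windows resolves through the PATH search order, service with no publisher, BHO with no display name). The sample lines are copied from the log in this post. A clean log still trips several of these, as this one does, so the flags are prompts for the reviewer's judgement rather than a verdict; the responder's "All the others are normal" is the verdict.

```python
"""Parse HijackThis-style log lines and flag entries a reviewer would look at twice.

Added example for this thread: not HijackThis code and not from the original post.
The triage rules below are assumptions chosen for illustration; a clean log,
like the one the responder signs off on, will still trigger some of them.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: lines copied from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Absolute Windows path: a drive letter or an environment variable, then a backslash.
ABS_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|%[A-Za-z_]+%\\)")
# Sections whose target field is a file path that should be absolute (O8 holds res:// URLs).
FILE_SECTIONS = {"O2", "O3", "O4", "O9", "O23"}


@dataclass
class HjtEntry:
    section: str
    body: str
    clsid: Optional[str]
    path: Optional[str]
    flags: List[str] = field(default_factory=list)


def extract_path(section: str, body: str) -> Optional[str]:
    """Pull the executable/DLL path out of an entry body."""
    body = body.replace(" (file missing)", "")
    if section == "O4":
        if "] " in body:                      # Run key: [name] "path" args
            cmd = body.split("] ", 1)[1]
            if cmd.startswith('"'):           # quoted path may contain spaces
                return cmd[1:].split('"', 1)[0]
            return cmd.split(" ", 1)[0]       # unquoted: path ends at first space
        if " = " in body:                     # Startup folder: name.lnk = target
            return body.split(" = ", 1)[1]
        return None
    # O2/O3/O8/O9/O23: the target is the last " - "-separated field
    return body.rsplit(" - ", 1)[1] if " - " in body else None


def triage(section: str, body: str, path: Optional[str]) -> List[str]:
    """Assumed review heuristics; each flag is a prompt to look, not a verdict."""
    flags = []
    if "(file missing)" in body:
        flags.append("target file missing")
    if path == "?":
        flags.append("shortcut target could not be resolved")
    elif path and section in FILE_SECTIONS and not ABS_PATH_RE.match(path):
        flags.append("bare filename, resolved through the PATH search order")
    if section == "O23" and "Unknown owner" in body:
        flags.append("service binary carries no publisher information")
    if section == "O2" and body.startswith("BHO: (no name)"):
        flags.append("BHO registered without a display name")
    return flags


def parse_log(text: str) -> List[HjtEntry]:
    """Parse every O-line in the text; headers, blanks and other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        clsid_m = CLSID_RE.search(body)
        path = extract_path(section, body)
        entries.append(HjtEntry(section, body, clsid_m.group(0) if clsid_m else None,
                                path, triage(section, body, path)))
    return entries


def flagged(entries: List[HjtEntry]) -> Dict[str, List[str]]:
    """Map each flagged target to its reasons, for a quick review list."""
    return {e.path or e.body: e.flags for e in entries if e.flags}


if __name__ == "__main__":
    for target, reasons in flagged(parse_log(SAMPLE_LOG)).items():
        print(f"{target}: {', '.join(reasons)}")
```

On the sample above the parser flags five of ten entries: Spybot's unnamed SDHelper BHO, the bare `Ati2mdxx.exe` Run entry, the `?` shortcut target, the missing `bdoscandel.exe` left behind by the BitDefender scanner, and the ATI service with no owner. Every one of those was judged normal in the reply below, which is the point: the heuristics narrow what a human looks at, they do not replace the human.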

#4 MFDnSC

    Ret. Director I/T

  • Members
  • 4,310 posts

Posted 22 January 2006 - 09:56 PM

Log is clean
====
Safer Networking is the DL site for Spybot
All the others are normal

You can uninstall BitDefender

Kill Windows Messenger - http://vlaurie.com/computers2/Articles/messenger.htm

You are good to go
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#5 elblaino
  • Topic Starter

  • Members
  • 5 posts

Posted 23 January 2006 - 12:11 AM

Dear MFDnSC and BleepingComputer,

Thank you, thank you, thank you! *flowers*

When I had the Vundo virus, could someone have recorded keystrokes, seen web pages, grabbed files on my computer, or done anything truly evil like that?

After I got your reply I updated and ran Trend Micro and it found nothing. I also uninstalled BitDefender, and I confirmed the Messenger service was set to Disabled. Interesting article.

Is it true that HijackThis shouldn't be moved from one directory to another? I tried dragging and dropping it into another folder just now but it only created a shortcut. I can live with it where it is, in a subdirectory within My Documents, which is on my D drive (C is where I have most of my programs, D most of my documents). But if it could or should be elsewhere I will move it if there is a way to do so.

That was scary. I hadn't gotten a virus in so long I'd forgotten what it was like. If you hadn't been here I was thinking about dragging a magnet over everything and starting over.

I'm not a coder or anything but I will drop in now and again and hopefully I can be of some use to the forum. I can easily recommend it to any of my friends and will be happy to do so.

El Blaino

#6 Guest_bg fun_*

  • Guests

Posted 16 February 2006 - 07:15 PM

"that it calls TROJ_NASCENE.D and EXPL_WMF.GEN . Trend Micro informed me that the "quarantine" worked for the former, but not for the latter, so I went into the appropriate directory and deleted that xml/wmf file."

How do you get to the appropriate directory and delete the EXPL_WMF.GEN file?

I've been trying to figure this thing out for hours... need help.
