Popups + system slowing down + errors



Kingdiablo
2007-07-30, 23:14
Hi people..

I've recently returned from holiday and I left my computer with a friend to use, and it's come back with problems I can't seem to fix...

To begin with, every now and then popups occur with reference to my PC security, e.g.:

[Quote]
Notice: If your computer has errors in the registry database or file system, it could cause unpredictable or erratic behavior, freezes and crashes.
Fixing these errors can increase your computer's performance and prevent data loss.

Would you like to install errorsafe to check your computer for free (recommended)
[/End Quote]

Also, my system usually runs like a dream, but since I've got it back it's never run so slow. This and the constant crashing of programs etc. are slowly driving me insane.

Prior to my going on holiday my PC was working great... it was very rare anything crashed, and I've never had a problem with any viruses since I made it.

I would very much appreciate any help to fix the problems it's displaying, because at the moment I can't seem to identify anything wrong with it.

I've scanned the system using ZoneAlarm's virus/malware scanners and found nothing; also, Ad-Aware's scanners only tell me of a few MRU entries,
so I'm at a loss as to why my system is having the problems it's currently having.

Thank you for your time.

KingDiablo

pskelley
2007-07-30, 23:23
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Sounds like you are infected; errorsafe is a rogue program which usually indicates the presence of a Vundo trojan. Posted at the top of the forum and in this post are the instructions you need to follow to get started. At the very least I need to see a HijackThis log. Use "Post Reply", stay in this same topic.


Thanks

Kingdiablo
2007-07-31, 09:53
Hi again,

Thank you for your prompt reply. Unfortunately, just after reading your response and whilst composing my reply, my system had a set of problems that firstly prevented me from having any internet connectivity, as well as multiple program crashes. After several failed attempts at regaining internet use I gave up, but I feel I owe you an apology, and if you're still willing and able to help I would like to carry on with your request for further information.

---------------------------------------------------
System specs:

Intel P4 3.2GHz CPU
1GB RAM
Windows XP SP2
ATI Radeon 9800
2x 180GB IDE HDD
---------------------------------------------------

As I mentioned earlier, my system had several problems shortly after your reply, e.g.:

windows cannot find "rundll32 cmicnfg.cpl" make sure you typed the name correctly, and then try again.

[ ^^ above was a dialog message upon rebooting system]

[Did another system virus scan and this result was shown]
not-a-virus:adware.win32.virtumonde.kp x2

@

c:\windows\system32\hsttbmmd.dll
c:\windows\system32\vxlirfqh.dll


---------------------------------------------------
HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 07:50:27, on 31/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRAM FILES\BT BROADBAND DESKTOP HELP\bin\BTHELPNOTIFIER.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\PROGRAM FILES\REGISTRY CLEAN EXPERT\RCHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WinBar\WinBar.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kingdiablo\Desktop\Unsorted Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo! UK & Ireland
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;2
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\PROGRAM FILES\BT BROADBAND DESKTOP HELP\bin\BTHELPNOTIFIER.EXE
O4 - HKLM\..\Run: [Cmaudio] RUNDLL32 CMICNFG.CPL ,CMICtrlWnd
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegClean Expert Scheduler] C:\PROGRAM FILES\REGISTRY CLEAN EXPERT\RCHelper.exe /startup
O4 - Startup: WinBar.lnk = C:\Program Files\WinBar\WinBar.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Home Hub\Help\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Flash - {5699BDDB-A771-4E54-ACBB-BE86921D7892} - C:\PROGRA~1\EZSAVE~1\EZSAVE~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--------------------------------------------------

I do not know how long I have the internet back for, so I will try and keep it together long enough to hopefully resume this thread.

If you do not hear from me for a few days, it would be safe to assume I've made the decision to do a clean install of Windows XP and therefore bypass all these problems in one go. There seem to be a lot of problems, so perhaps a clean install would be the best course of action.

I hope to avoid having to do that, of course, so I await your reply eagerly.

Thanks again for your time.

Kingdiablo

pskelley
2007-07-31, 14:27
Thanks for returning your information and the feedback. I have little doubt this is a Vundo infection; the slime have learned to hide it from HJT. So we can have a look, and it will appear in 020 BHO's and 020 Winlogon, please do this:
C:\Documents and Settings\Kingdiablo\Desktop\Unsorted Downloads\HijackThis.exe <<< rename HJT.exe, call it Kingdiablo.exe or whatever you wish.
I also need to suggest that HJT needs its own folder to safely store logs and backups. You have called that folder Unsorted Downloads. Please store nothing but HJT stuff in that folder.

Once you rename HJT then restart the computer and post a new HJT log. You have a little adware that needs to go and we will address that once we kick Vundo off your computer.

Thanks...Phil

Kingdiablo
2007-07-31, 14:37
Hi again,
Obviously, due to the timezone differences between Florida and the UK, I wasn't sure you would be around for a while, so I've taken the liberty to find a Vundo fixer application from http://www.atribune.org
It's currently scanning for any infections as I type this, so as soon as it finishes I will be rebooting after I've followed the steps you've outlined.

Thanks

Kingdiablo
2007-07-31, 14:38
Sorry, forgot to add that yes, I found out through good old Wiki that it belonged to a Vundo infection.

Kingdiablo
2007-07-31, 14:53
Just a quick note to let you know what the results were:

VundoFix found Vundo in these files:

c:\windows\system32\jkkll.dll
c:\windows\system32\llkkj.bak
c:\windows\system32\llkkj.ini2
c:\windows\system32\llkkj.tmp

No doubt the fact it's there a few times is to avoid being deleted, I guess; it did a good job of avoiding my attempts at manual deletion.

Also, as I was running that scan, my ZoneLabs spyware scanner found:

trojan.spy.win32.banker.cji

You may or may not have already figured it was on this system from the logs, but I thought I'd tell you anyway.

I also have some questions related to general security, as well as services running on this machine and firewall rules, that I would like answered if you have the time and inclination at some point.

Thanks

P.S. I've renamed HijackThis and given it its own folder as you requested. I'll reboot now and post a new log, hopefully without being infected by Vundo, if this little application has done its job correctly.
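The HijackThis log posted earlier in the thread and the VundoFix results above are the two artefacts a helper actually reads when triaging a case like this. The script below is an added example written for this page; it is not code from HijackThis, VundoFix or Safer Networking. It parses HijackThis-style entry lines into their section codes, pulls out the O4 Run entries, counts repeated O10 Winsock LSP lines, lists O23 services whose vendor field is "Unknown owner", and checks a file list for the reversed-name pattern VundoFix reported (jkkll.dll beside llkkj.bak, llkkj.ini2 and llkkj.tmp). The sample log lines and file names are constructed from what was quoted in the thread; the section regexes and the "Unknown owner" heuristic are my own assumptions about the log layout, not HijackThis's own parsing rules.

```python
"""Triage helpers for a HijackThis-style log and a VundoFix-style file list.

Added example; not HijackThis, VundoFix or Safer Networking code.
Sample input is constructed from lines quoted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis log posted in the thread,
# plus the header line, which is not an entry and must be skipped.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;2
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Cmaudio] RUNDLL32 CMICNFG.CPL ,CMICtrlWnd
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WinBar.lnk = C:\Program Files\WinBar\WinBar.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

# Constructed sample: the files VundoFix reported in the thread, plus one of the
# system32 DLLs the earlier scan flagged, which has no reversed-name companion.
SAMPLE_FILES = [
    r"c:\windows\system32\jkkll.dll",
    r"c:\windows\system32\llkkj.bak",
    r"c:\windows\system32\llkkj.ini2",
    r"c:\windows\system32\llkkj.tmp",
    r"c:\windows\system32\hsttbmmd.dll",
]

# Assumed layout: every entry starts with a section code (R0, R1, O4, O23, ...) and " - ".
HJT_LINE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# Assumed layout of registry Run entries: HKLM\..\Run: [Name] command line
RUN_ENTRY = re.compile(r"^(?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_hjt(text):
    """Group entry bodies by section code; non-entry lines (headers, blanks) are dropped."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            sections[m.group("code")].append(m.group("body"))
    return dict(sections)


def run_entries(sections):
    """(hive, value name, command) for each O4 registry Run entry; Startup-folder lines are skipped."""
    found = []
    for body in sections.get("O4", []):
        m = RUN_ENTRY.match(body)
        if m:
            found.append((m.group("hive"), m.group("name"), m.group("cmd")))
    return found


def duplicate_lsp_entries(sections):
    """LSP DLL paths listed more than once in O10, with how often each appears."""
    counts = defaultdict(int)
    for body in sections.get("O10", []):
        counts[body.rpartition(": ")[2].lower()] += 1
    return {path: n for path, n in counts.items() if n > 1}


def unknown_owner_services(sections):
    """Names of O23 services whose vendor field reads 'Unknown owner'."""
    names = []
    for body in sections.get("O23", []):
        # "Service: name - owner - path"; the name itself may contain " - ", so split from the right.
        parts = body.rsplit(" - ", 2)
        if len(parts) == 3 and parts[1] == "Unknown owner" and parts[0].startswith("Service: "):
            names.append(parts[0][len("Service: "):])
    return names


def reversed_name_sets(filenames):
    """Map each .dll whose stem, spelled backwards, is the stem of other files to those files.

    This is the pattern in the VundoFix output: jkkll.dll next to llkkj.bak,
    llkkj.ini2 and llkkj.tmp. A lone random-looking DLL does not match by itself.
    """
    exts_by_stem = defaultdict(list)
    for path in filenames:
        base = path.lower().rsplit("\\", 1)[-1]
        stem, dot, ext = base.rpartition(".")
        if not dot:
            stem, ext = base, ""
        exts_by_stem[stem].append(ext)
    hits = {}
    for stem, exts in exts_by_stem.items():
        mirror = stem[::-1]
        if "dll" in exts and mirror != stem and mirror in exts_by_stem:
            hits[stem + ".dll"] = sorted(f"{mirror}.{e}" for e in exts_by_stem[mirror])
    return hits


if __name__ == "__main__":
    s = parse_hjt(SAMPLE_LOG)
    print("Run entries:", run_entries(s))
    print("Repeated LSP entries:", duplicate_lsp_entries(s))
    print("Unknown-owner services:", unknown_owner_services(s))
    print("Reversed-name file sets:", reversed_name_sets(SAMPLE_FILES))
```

None of these checks is a verdict on its own: the repeated O10 lines in the thread belong to the AVG firewall, and "Unknown owner" on the ATI service is a missing vendor string rather than malware. They are the kind of entries a helper inspects first, and the reversed-name check is the one signal here that points specifically at the Virtumonde file set.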

pskelley
2007-07-31, 14:59
Well, to tell you the truth after probably 20,000 of these remote repairs, I have found they work best when one leads and the other follows. My next step may have been Vundofix or it may not have according to the log once you renamed HJT. Since you seem to know what you want to do, have at it.

Ta

Kingdiablo
2007-07-31, 15:15
lol, I'm sorry, I didn't mean to backseat drive the situation, but I'm sitting at a computer that's having major difficulty even staying online, and so whilst you weren't around I thought I'd just see if there's anything I can do to stabilize the situation a little. But of course if you don't want to help I understand; my aim was to help the situation, not hinder it, but I see that my effort was not appreciated.

Thanks for the help.

Kingdiablo
2007-07-31, 15:18
Do you still want me to post this new HJT log?

Kingdiablo
2007-07-31, 15:28
Yes? No?

pskelley
2007-07-31, 15:44
Topic closed at this member's request via a PM.

Thanks