View Full Version : Generic.Virtumod.0012FA37 - 89.188.16.10/GO
byvtr.dll
2007-11-22, 02:02
I'm getting pop ups from these two address.. I'm assuming they're the same thing, but I don't know for sure.. I get one in Mozilla and one in IE..
89.188.16.16 <--- IE
89.188.16.10/GO <-- Mozilla
I believe they are related to a file called byvtr.dll, which is located in System32 folder.
I've ran VundoFix, Adaware, Spybot, BitDefender, etc.. Nearly all of these programs detect the virus, but are unable to deletethe file.. Even on boot! I have went into SAFE MODE and tried deleting the file manually. I've downloaded a few apps that are supposed to deletethe file on the next boot up.. (Eraser, GiPo@Utilities) and they will not delete the file either..
The virus was identified by BitDefender as...
C:\WINDOWS\SYSTEM32\byvtr.dll
Infected with: Generic.Virtumod.0012FA37
C:\WINDOWS\SYSTEM32\byvtr.dll
Disinfection failed
C:\WINDOWS\SYSTEM32\byvtr.dll
Delete failed
Here's my HiJackThis Log..
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:01:30 PM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\kxmixer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Aim\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Foxie Suite\Firewall.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Josh\Desktop\ewido_micro.exe
C:\Documents and Settings\Josh\Desktop\cwshredder.exe
C:\Documents and Settings\Josh\Desktop\HiJackThis_v2.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: FoxieToolbar Class - {432CAE3B-690F-4C3B-BD97-070EBDA210D5} - C:\Program Files\Foxie Suite\foxietoolbaru.dll
O2 - BHO: (no name) - {5B4471FB-CC15-4896-AF62-4F43485D467F} - C:\WINDOWS\system32\byvtr.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FoxieSecurityModule Class - {C65185B1-D52B-44A9-861F-8201B50D1F37} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\PROGRAM FILES\YAHOO!\BROWSER\YSIDEBARIEBHO.DLL
O2 - BHO: {32e710d8-99ca-bddb-2b24-d0033140ad9f} - {f9da0413-300d-42b2-bddb-ac998d017e23} - C:\WINDOWS\system32\suekbdwf.dll
O3 - Toolbar: Foxie - {09C02180-3B46-4CD8-83FF-34DAF442BDEF} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\system32\kxmixer.exe --startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [3f461a73] rundll32.exe "C:\WINDOWS\system32\htdvsrtd.dll",b
O4 - HKCU\..\Run: [AIM] C:\Program Files\Aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra 'Tools' menuitem: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra button: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra 'Tools' menuitem: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O9 - Extra button: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra 'Tools' menuitem: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\aim.exe
O9 - Extra button: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra 'Tools' menuitem: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.att.net
O15 - Trusted Zone: http://*.att.net
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187263041895
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187517219847
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\NetMeeting\rtejefsart.html
--
End of file - 9067 bytes
byvtr.dll
2007-11-22, 02:03
I just ran CWShredder.. Found nothing. I'm running Ewido right now.
pskelley
2007-11-22, 21:36
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
You have a Vundo infection which can be very hard to remove. This will take some time and unless you are patient, understand how to follow directions and are comfortable working on your computer, you may want to seek local professional help. If you wish to proceed, do so like this.
1) Read the directions, do not run and post the Kaspersky scan results until I reqest it.
2) I wish to check for a hidden infection, follow these directions:
http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.
Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm
3) Delete the Beta copy of HJT and follow these directions:
Download Trend Micro Hijack This™
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.
Post the C:\rapport.txt along with that HJT log.
Thanks
byvtr.dll
2007-11-23, 04:26
Thanks for the help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:25:03 PM, on 11/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\kxmixer.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Aim\aim.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hqdtnlcv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MythWar_en\main.exe
C:\Program Files\Foxie Suite\Firewall.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O3 - Toolbar: Foxie - {09C02180-3B46-4CD8-83FF-34DAF442BDEF} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\system32\kxmixer.exe --startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [3f461a73] rundll32.exe "C:\WINDOWS\system32\dwrdidtx.dll",b
O4 - HKCU\..\Run: [AIM] C:\Program Files\Aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra 'Tools' menuitem: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra button: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra 'Tools' menuitem: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O9 - Extra button: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra 'Tools' menuitem: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra 'Tools' menuitem: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.att.net
O15 - Trusted Zone: http://*.att.net
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187263041895
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187517219847
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\hqdtnlcv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\NetMeeting\rtejefsart.html
--
End of file - 8210 bytes
---------------------------------
SmitFraudFix v2.253
Scan done at 21:22:06.62, Thu 11/22/2007
Run from C:\Documents and Settings\Josh\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\kxmixer.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Aim\aim.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hqdtnlcv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MythWar_en\main.exe
C:\Program Files\Foxie Suite\Firewall.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
hosts file corrupted !
127.0.0.1 legal-at-spybot.info
127.0.0.1 www.legal-at-spybot.info
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\migicons.exe FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Josh
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Josh\Application Data
C:\Documents and Settings\Josh\Application Data\Install.dat FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\JOSH\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\NetMeeting\\rtejefsart.html"
"SubscribedURL"=""
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="131A6951-7F78-11D0-A979-00C04FD705A2"
"SubscribedURL"="131A6951-7F78-11D0-A979-00C04FD705A2"
"FriendlyName"="Internet Explorer Channel Bar"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Linksys NC100 Fast Ethernet Adapter
DNS Server Search Order: 192.168.0.1
DNS Server Search Order: 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E1BF5CB7-558C-4D0B-87E1-0E007C7B6BD2}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E1BF5CB7-558C-4D0B-87E1-0E007C7B6BD2}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E1BF5CB7-558C-4D0B-87E1-0E007C7B6BD2}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E1BF5CB7-558C-4D0B-87E1-0E007C7B6BD2}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
byvtr.dll
2007-11-23, 04:27
Damn, did I want to post all my ports & IPs?
Happy Thanksgiving.
pskelley
2007-11-23, 13:06
You are doing fine but you do have multiple infections. Smitfraudfix has found that infection also and you have this:
»»»»»»»»»»»»»»»»»»»»»»»» hosts
hosts file corrupted !
1) After we clean, the next C:\rapport.txt may have a hugh hosts file in it, please edit that hosts file out if that occurs, and make me aware you did so.
2) C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< return here and rename HJT, call it byvtr.dll.exe, that will work. After a reboot we should be able to see the Vundo infect.
3) http://siri.geekstogo.com/SmitfraudFix.php <<< tutorial if needed
Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infect files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
Post the C:\rapport.txt and a new HJT log.
Thanks
byvtr.dll
2007-11-24, 00:36
1. I deleted the Rapport text file, so next time I scan, it'll start a new text.
2. Renamed HiJackThis.exe to byvtr.dll.exe.
3. Cleaned registry. Wasn't prompted about wininet.dll, SmitfraudFix then returned to the options screen with 1,2,3,4.. etc. (BTW, You were referring to SmitfraudFix.cmd? no SmitfraudFix.exe in my SmitfraudFix folder)
127.0.0.1 localhost
byvtr.dll
2007-11-24, 00:37
edited out the hosts file
byvtr.dll
2007-11-24, 00:38
edited out the hosts file
byvtr.dll
2007-11-24, 00:39
edited out the hosts file
byvtr.dll
2007-11-24, 00:40
edited out the hosts file
byvtr.dll
2007-11-24, 00:41
edited out the hosts file
pskelley
2007-11-24, 00:41
1) After we clean, the next C:\rapport.txt may have a hugh hosts file in it, please edit that hosts file out if that occurs, and make me aware you did so.
I DO NOT need the hosts file, I need the C:\rapport.text with the hosts file edited out of it.
I will remove the hosts file.
Thanks
byvtr.dll
2007-11-24, 00:42
edited out the hosts file
byvtr.dll
2007-11-24, 00:43
edited out the hosts file
byvtr.dll
2007-11-24, 00:44
edited out the hosts file
byvtr.dll
2007-11-24, 00:45
edited out the hosts file
byvtr.dll
2007-11-24, 00:46
edited out the hosts file
byvtr.dll
2007-11-24, 00:48
:oops::oops::red:
Sorry about that. Sad part is I read your post about 8 times.
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Made a slight error, I hope, I ran this program(Smitfraud) twice, here are the results from the second scan.
SmitFraudFix v2.253
Scan done at 17:09:48.52, Fri 11/23/2007
Run from C:\Documents and Settings\Josh\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
pskelley
2007-11-24, 00:53
2) C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< return here and rename HJT, call it byvtr.dll.exe, that will work. After a reboot we should be able to see the Vundo infect.
Post a new HJT log and make sure the above instructions have been followed before you do.
byvtr.dll
2007-11-24, 00:58
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:58:51 PM, on 11/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hqdtnlcv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\kxmixer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Aim\aim.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Foxie Suite\Firewall.exe
C:\PROGRA~1\YAHOO!\BROWSER\YCOMMON.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\byvtr.dll.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {24e79dcb-6cc5-83fa-d7d4-81471fb883e3} - {3e388bf1-7418-4d7d-af38-5cc6bcd97e42} - C:\WINDOWS\system32\sltspbay.dll
O2 - BHO: FoxieToolbar Class - {432CAE3B-690F-4C3B-BD97-070EBDA210D5} - C:\Program Files\Foxie Suite\foxietoolbaru.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A2B1A715-7EB5-44D1-B9C2-401D70E18147} - C:\WINDOWS\system32\byvtr.dll
O2 - BHO: FoxieSecurityModule Class - {C65185B1-D52B-44A9-861F-8201B50D1F37} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\PROGRAM FILES\YAHOO!\BROWSER\YSIDEBARIEBHO.DLL
O3 - Toolbar: Foxie - {09C02180-3B46-4CD8-83FF-34DAF442BDEF} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\system32\kxmixer.exe --startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [3f461a73] rundll32.exe "C:\WINDOWS\system32\uqecdksa.dll",b
O4 - HKCU\..\Run: [AIM] C:\Program Files\Aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra 'Tools' menuitem: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra button: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra 'Tools' menuitem: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O9 - Extra button: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra 'Tools' menuitem: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra 'Tools' menuitem: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.att.net
O15 - Trusted Zone: http://*.att.net
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187263041895
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187517219847
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\hqdtnlcv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 8437 bytes
pskelley
2007-11-24, 01:05
Please read and follow the instructions carefully.
1) Thanks to Atribune and any others who helped with this fix.
http://vundofix.atribune.org/ <<< tutorial
"Download VundoFix" to your Desktop
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt run on reboot, simply follow the above instructions starting from "Click
the Scan for Vundo button." when VundoFix appears at reboot.
Vundofix.txt will be on the C:\
2) Thanks to sUBs and anyone else who helped with this fix.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the Vundofix.txt, combofix log and a new HJT log
Thanks
byvtr.dll
2007-11-24, 03:55
VundoFix V6.6.2
Checking Java version...
Scan started at 6:51:08 PM 11/23/2007
Listing files found while scanning....
No infected files were found.
---------
ComboFix 07-11-19.3 - Josh 2007-11-23 20:34:54.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.47 [GMT -5:00]
Running from: C:\Documents and Settings\Josh\Desktop\ComboFix.exe
* Created a new restore point
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\check_LSA7.txt
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\Josh\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Josh\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Josh\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\LocalService\Application Data\.rdr.ini
C:\Documents and Settings\LocalService\Local Settings\Application Data\n.ini
C:\Documents and Settings\NetworkService\Application Data\.rdr.ini
C:\Program Files\fnts~1
C:\temp\0c2
C:\temp\0c2\tmpFF.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\brr
C:\temp\brr\tmpZTF.log
C:\Temp\xOe
C:\Temp\xOe\tOasF.log
C:\WINDOWS\b147.exe
C:\WINDOWS\b148.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\start.exe
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\b06FdUe
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\G1
C:\WINDOWS\system32\G11
C:\WINDOWS\system32\G3
C:\WINDOWS\system32\G7
C:\WINDOWS\system32\G9
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\n.ini
C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{138FDEFF-91EC-4763-97B0-EAEDA68ECB21}.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\q21
C:\WINDOWS\system32\vMW02a
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\win
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\winshow.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\DomainService
-------\Net Agent
((((((((((((((((((((((((( Files Created from 2007-10-24 to 2007-11-24 )))))))))))))))))))))))))))))))
.
2007-11-23 17:20 775,892 ---hs---- C:\WINDOWS\SYSTEM32\askdcequ.ini
2007-11-23 17:20 85,056 --a------ C:\WINDOWS\SYSTEM32\uqecdksa.dll
2007-11-23 17:20 83,520 --a------ C:\WINDOWS\SYSTEM32\sltspbay.dll
2007-11-23 17:18 71,232 --a------ C:\WINDOWS\SYSTEM32\uswdouxt.exe
2007-11-23 17:04 71,232 --a------ C:\WINDOWS\SYSTEM32\bkokqclo.exe
2007-11-23 02:43 85,056 --a------ C:\WINDOWS\SYSTEM32\sopuioir.dll
2007-11-23 02:43 83,520 --a------ C:\WINDOWS\SYSTEM32\ohonwhle.dll
2007-11-23 02:43 71,232 --a------ C:\WINDOWS\SYSTEM32\etyiqbse.exe
2007-11-23 02:43 294 ---hs---- C:\WINDOWS\SYSTEM32\rioiupos.ini
2007-11-23 02:37 85,056 --a------ C:\WINDOWS\SYSTEM32\yywcotjh.dll
2007-11-23 02:37 294 ---hs---- C:\WINDOWS\SYSTEM32\hjtocwyy.ini
2007-11-23 02:34 83,520 --a------ C:\WINDOWS\SYSTEM32\apoicltv.dll
2007-11-23 02:32 71,232 --a------ C:\WINDOWS\SYSTEM32\anniunxg.exe
2007-11-23 02:27 83,520 --a------ C:\WINDOWS\SYSTEM32\uxyhfeoe.dll
2007-11-23 02:25 85,056 --a------ C:\WINDOWS\SYSTEM32\obxmyrrk.dll
2007-11-23 02:25 71,232 --a------ C:\WINDOWS\SYSTEM32\rlhspkuv.exe
2007-11-23 02:25 294 ---hs---- C:\WINDOWS\SYSTEM32\krrymxbo.ini
2007-11-23 00:50 83,520 --a------ C:\WINDOWS\SYSTEM32\jgmnhkts.dll
2007-11-23 00:41 85,056 --a------ C:\WINDOWS\SYSTEM32\ucjlyvfu.dll
2007-11-23 00:41 71,232 --a------ C:\WINDOWS\SYSTEM32\uxvwcark.exe
2007-11-23 00:41 294 ---hs---- C:\WINDOWS\SYSTEM32\ufvyljcu.ini
2007-11-23 00:37 <DIR> d--hs---- C:\FOUND.003
2007-11-22 22:08 <DIR> d-------- C:\TEMP\FrankProtocol
2007-11-22 22:08 <DIR> d-------- C:\TEMP\FrankPacManager
2007-11-22 22:08 <DIR> d-------- C:\TEMP\FrankMedium
2007-11-22 22:08 <DIR> d-------- C:\TEMP\FrankHandler
2007-11-22 22:08 <DIR> d-------- C:\TEMP\FrankFormat
2007-11-22 22:08 <DIR> d-------- C:\TEMP\FrankDevice
2007-11-22 22:08 <DIR> d-------- C:\TEMP\FrankContents
2007-11-22 22:08 <DIR> d-------- C:\TEMP\Frank
2007-11-22 21:24 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-22 21:23 2,062 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-11-22 21:23 0 --a------ C:\WINDOWS\SYSTEM32\tmp.txt
2007-11-22 12:40 79,936 --a------ C:\WINDOWS\SYSTEM32\eenpnxwv.dll
2007-11-22 12:33 719,332 ---hs---- C:\WINDOWS\SYSTEM32\xtdidrwd.ini
2007-11-22 12:33 85,056 --a------ C:\WINDOWS\SYSTEM32\dwrdidtx.dll
2007-11-22 12:33 71,232 --a------ C:\WINDOWS\SYSTEM32\hqdtnlcv.exe
2007-11-22 04:03 719,272 ---hs---- C:\WINDOWS\SYSTEM32\qrgmdnhx.ini
2007-11-22 04:00 79,936 --a------ C:\WINDOWS\SYSTEM32\pcjultif.dll
2007-11-22 03:55 71,232 --a------ C:\WINDOWS\SYSTEM32\hprvjclt.exe
2007-11-22 03:53 <DIR> d--hs---- C:\FOUND.002
2007-11-22 03:40 71,232 --a------ C:\WINDOWS\SYSTEM32\rbrskbwp.exe
2007-11-21 22:04 714,521 ---hs---- C:\WINDOWS\SYSTEM32\gwfwimkv.ini
2007-11-21 22:04 85,056 --a------ C:\WINDOWS\SYSTEM32\vkmiwfwg.dll
2007-11-21 22:04 80,960 --a------ C:\WINDOWS\SYSTEM32\shqeofcj.dll
2007-11-21 22:00 71,232 --a------ C:\WINDOWS\SYSTEM32\ymhfubql.exe
2007-11-21 18:47 80,960 --a------ C:\WINDOWS\SYSTEM32\suekbdwf.dll
2007-11-21 18:41 714,461 ---hs---- C:\WINDOWS\SYSTEM32\dtrsvdth.ini
2007-11-21 18:35 71,232 --a------ C:\WINDOWS\SYSTEM32\ycwlrohv.exe
2007-11-20 07:36 694,724 ---hs---- C:\WINDOWS\SYSTEM32\vhixhaiy.ini
2007-11-20 07:36 84,544 --a------ C:\WINDOWS\SYSTEM32\jmjbdhdd.dll
2007-11-20 07:35 71,232 --a------ C:\WINDOWS\SYSTEM32\pyqretcq.exe
2007-11-20 07:18 694,784 ---hs---- C:\WINDOWS\SYSTEM32\qxfjwevd.ini
2007-11-20 07:18 84,544 --a------ C:\WINDOWS\SYSTEM32\drccnxbs.dll
2007-11-20 07:17 85,056 --a------ C:\WINDOWS\SYSTEM32\dvewjfxq.dll
2007-11-20 07:14 71,232 --a------ C:\WINDOWS\SYSTEM32\cviykxcd.exe
2007-11-20 05:56 84,544 --a------ C:\WINDOWS\SYSTEM32\hamgnnky.dll
2007-11-20 05:52 5,387 --a------ C:\WINDOWS\SYSTEM32\jupdate-1.6.0_03-b05.log
2007-11-20 05:51 688,600 ---hs---- C:\WINDOWS\SYSTEM32\pmvgduju.ini
2007-11-20 05:51 433,963 --a------ C:\WINDOWS\SYSTEM32\rtvyb.tmp2.malware
2007-11-20 05:50 85,056 --------- C:\WINDOWS\SYSTEM32\ujudgvmp.dll
2007-11-20 05:45 71,232 --a------ C:\WINDOWS\SYSTEM32\hovpbgaf.exe
2007-11-20 05:38 84,544 --a------ C:\WINDOWS\SYSTEM32\wvdumosw.dll
2007-11-20 05:35 688,549 ---hs---- C:\WINDOWS\SYSTEM32\bpcyqlda.ini
2007-11-20 05:35 85,056 --a------ C:\WINDOWS\SYSTEM32\adlqycpb.dll
2007-11-20 05:04 <DIR> d-------- C:\Program Files\GiPo@Utilities
2007-11-20 05:04 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2007-11-20 02:28 118,272 --a------ C:\VundoFix(2).exe
2007-11-17 14:50 678,127 ---hs---- C:\WINDOWS\SYSTEM32\ghbojnfa.ini
2007-11-16 19:13 677,980 ---hs---- C:\WINDOWS\SYSTEM32\utalixar.ini
2007-11-16 19:13 85,056 --a------ C:\WINDOWS\SYSTEM32\raxilatu.dll
2007-11-16 18:48 85,056 --a------ C:\WINDOWS\SYSTEM32\fdhbdqdo.dll
2007-11-16 07:02 676,009 ---hs---- C:\WINDOWS\SYSTEM32\wxcjlndg.ini
2007-11-16 07:02 85,056 --a------ C:\WINDOWS\SYSTEM32\gdnljcxw.dll
2007-11-15 06:56 675,949 ---hs---- C:\WINDOWS\SYSTEM32\icichkjw.ini
2007-11-15 06:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-15 06:39 35,840 -ra------ C:\WINDOWS\mrofinu77.exe
2007-11-15 06:38 <DIR> d-------- C:\TEMP\abW9
2007-11-15 06:38 36,352 --------- C:\WINDOWS\SYSTEM32\khfgdaw.dll
2007-11-15 05:34 671,136 ---hs---- C:\WINDOWS\SYSTEM32\qeccbltv.ini
2007-11-14 14:17 671,247 ---hs---- C:\WINDOWS\SYSTEM32\mlsvyqvs.ini
2007-11-14 14:17 85,056 --a------ C:\WINDOWS\SYSTEM32\svqyvslm.dll
2007-11-14 05:17 669,053 ---hs---- C:\WINDOWS\SYSTEM32\wovdyknf.ini
2007-11-14 01:01 668,993 ---hs---- C:\WINDOWS\SYSTEM32\jtbeivch.ini
2007-11-14 01:01 85,056 --a------ C:\WINDOWS\SYSTEM32\hcviebtj.dll
2007-11-14 00:59 <DIR> d-------- C:\Program Files\CamStudio
2007-11-14 00:11 668,993 ---hs---- C:\WINDOWS\SYSTEM32\dtnmoypj.ini
2007-11-14 00:11 85,056 --a------ C:\WINDOWS\SYSTEM32\jpyomntd.dll
2007-11-13 00:11 620,225 ---hs---- C:\WINDOWS\SYSTEM32\wlbrjvaf.ini
2007-11-12 00:06 584,485 ---hs---- C:\WINDOWS\SYSTEM32\ywjymrce.ini
2007-11-11 00:03 584,416 ---hs---- C:\WINDOWS\SYSTEM32\vynvkpft.ini
2007-11-10 04:24 584,416 ---hs---- C:\WINDOWS\SYSTEM32\dykpyrdw.ini
2007-11-10 04:24 85,056 --a------ C:\WINDOWS\SYSTEM32\wdrypkyd.dll
2007-11-09 17:55 584,536 ---hs---- C:\WINDOWS\SYSTEM32\wyfadmqs.ini
2007-11-08 17:55 582,880 ---hs---- C:\WINDOWS\SYSTEM32\bfeghphh.ini
2007-11-07 17:55 569,861 ---hs---- C:\WINDOWS\SYSTEM32\tgyiyixe.ini
2007-11-07 12:33 570,028 ---hs---- C:\WINDOWS\SYSTEM32\amumhqny.ini
2007-11-07 12:33 86,080 --a------ C:\WINDOWS\SYSTEM32\ynqhmuma.dll
2007-11-07 04:56 569,912 ---hs---- C:\WINDOWS\SYSTEM32\wblxthhp.ini
2007-11-07 01:12 563,615 ---hs---- C:\WINDOWS\SYSTEM32\bjvcjsoo.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-24 01:42 463,122 --sh--w C:\WINDOWS\SYSTEM32\rtvyb.ini2
2007-11-23 22:18 439,928 --sh--w C:\WINDOWS\SYSTEM32\rtvyb.bak2
2007-11-23 22:04 83,520 ----a-w C:\WINDOWS\SYSTEM32\ynfkbtdl.dll
2007-11-16 11:55 424,154 --sh--w C:\WINDOWS\SYSTEM32\rtvyb.bak1
2007-10-26 03:36 8,454,656 ------w C:\WINDOWS\SYSTEM32\dllcache\shell32.dll
2007-10-16 06:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-16 06:26 --------- d-----w C:\Documents and Settings\Josh\Application Data\SpinTop
2007-10-15 23:01 --------- d-----w C:\Program Files\Lavasoft
2007-10-15 23:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-15 23:00 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-15 22:59 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2007-10-13 13:30 --------- d-----w C:\Program Files\MartialHeroes
2007-10-11 10:25 294,668 ----a-w C:\WINDOWS\frexup2.exe
2007-10-08 23:07 308,320 ------w C:\WINDOWS\SYSTEM32\byvtr.dll
2007-10-08 23:02 13,824 ----a-w C:\WINDOWS\plite731.exe
2007-10-04 05:21 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-02 21:33 --------- d-----w C:\Program Files\DreamQuest
2007-10-01 12:16 --------- d--h--w C:\Documents and Settings\All Users\Application Data\{D06ED270-2185-4CC6-B7AD-C4A60A9F0F51}
2007-09-24 22:37 --------- d-----w C:\Program Files\FLV Player
2007-09-24 03:48 --------- d-----w C:\Program Files\TBFDropZone
2007-09-24 03:48 --------- d-----w C:\Documents and Settings\Josh\Application Data\Axosoft
2007-09-06 11:09 801,144 ----a-w C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-09-06 11:00 95,608 ----a-w C:\WINDOWS\SYSTEM32\AvastSS.scr
2007-06-22 01:32 266 --sh--w C:\Program Files\desktop.ini
2007-06-22 01:32 11,079 ---h--w C:\Program Files\folder.htt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3e388bf1-7418-4d7d-af38-5cc6bcd97e42}]
2007-11-23 17:20 83520 --a------ C:\WINDOWS\system32\sltspbay.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2B1A715-7EB5-44D1-B9C2-401D70E18147}]
2007-10-08 18:07 308320 --------- C:\WINDOWS\system32\byvtr.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\Aim\aim.exe" [2006-08-01 15:35]
"mount.exe"="C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe" [2003-05-24 02:09]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2001-08-23 18:00 C:\WINDOWS\SYSTEM32\systray.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-24 21:00]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 06:06]
"kX Mixer"="C:\WINDOWS\system32\kxmixer.exe" [2002-05-14 03:04]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"3f461a73"="C:\WINDOWS\system32\uqecdksa.dll" [2007-11-23 17:20]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Josh^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Josh\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Josh^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Josh\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3f461a73]
rundll32.exe C:\WINDOWS\system32\eecqqbwb.dll,b
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 03:06 40048 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\Aim\aim.exe -cnetwait.odl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\nwinkndq.exe CHD001
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMPack6]
C:\Program Files\ISM2\ISMPack6.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\loaddll]
loaddll.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\muBlinder]
C:\Documents and Settings\Josh\Desktop\System Tools\muBlinder.exe -startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoTrax Update Setup for All Users]
C:\Documents and Settings\All Users\Application Data\{D06ED270-2185-4CC6-B7AD-C4A60A9F0F51}\NoTraxSetup.exe /updatesetup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\plite731]
2007-10-08 18:02 13824 --a------ C:\WINDOWS\plite731.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegClean Expert Scheduler]
C:\Program Files\Registry Clean Expert\RCHelper.exe /startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
rundll32.exe C:\WINDOWS\system32\jqlufykg.dll,sitypnow
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
2006-05-08 05:17 81920 --a------ C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartFoxie]
2005-11-09 10:23 77824 --a------ C:\Program Files\Foxie Suite\StartFoxie.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 03:43 83608 --a------ C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
C:\Program Files\WinAble\winable.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshow]
C:\WINDOWS\winshow.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{61-1A-AD-DC-ZN}]
C:\windows\system32\mjdsrngm.exe CHD001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"BJCFD"=C:\Program Files\BroadJump\Client Foundation\CFD.exe
"YBrowser"=C:\PROGRA~1\YAHOO!\BROWSER\ybrwicon.exe
"Motive SmartBridge"=C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
"CTHelper"=CTHELPER.EXE
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
R3 kxwdmdrv;kX WDM Driver Service;C:\WINDOWS\system32\drivers\kx.sys
S3 DUBE100;D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\DUBE100.sys
S3 firewall;firewall;\??\C:\Program Files\Foxie Suite\firewall.sys
S3 XDva031;XDva031;\??\C:\WINDOWS\system32\XDva031.sys
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2007-11-08 04:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-23 20:50:44
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-23 20:53:21 - machine was rebooted
.
--- E O F ---
byvtr.dll
2007-11-24, 03:56
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:11 PM, on 11/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\kxmixer.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Aim\aim.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\byvtr.dll.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {18D7F9C6-381F-45DF-A326-4AE84FFA6B7F} - C:\WINDOWS\system32\byvtr.dll
O2 - BHO: {24e79dcb-6cc5-83fa-d7d4-81471fb883e3} - {3e388bf1-7418-4d7d-af38-5cc6bcd97e42} - C:\WINDOWS\system32\sltspbay.dll
O2 - BHO: FoxieToolbar Class - {432CAE3B-690F-4C3B-BD97-070EBDA210D5} - C:\Program Files\Foxie Suite\foxietoolbaru.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FoxieSecurityModule Class - {C65185B1-D52B-44A9-861F-8201B50D1F37} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\PROGRAM FILES\YAHOO!\BROWSER\YSIDEBARIEBHO.DLL
O3 - Toolbar: Foxie - {09C02180-3B46-4CD8-83FF-34DAF442BDEF} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\system32\kxmixer.exe --startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [3f461a73] rundll32.exe "C:\WINDOWS\system32\uqecdksa.dll",b
O4 - HKCU\..\Run: [AIM] C:\Program Files\Aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra 'Tools' menuitem: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra button: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra 'Tools' menuitem: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O9 - Extra button: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra 'Tools' menuitem: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra 'Tools' menuitem: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.att.net
O15 - Trusted Zone: http://*.att.net
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187263041895
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187517219847
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 8230 bytes
pskelley
2007-11-24, 15:22
Thanks for returning your information. Sometime Vundofix needs to run several times before it finds Vundofiles. You may scan a couple of more times with it if you wish.
You must keep this computer offline except when troubleshooting, there is a load of files combofix does not detect and bad, but may be Vundo files. You can see them here:
Files Created from 2007-10-24 to 2007-11-24 in the combofix log. This will require more time than I have and I will need to ask you to scan some of these files for us. As soon as I have a list, I will post it.
This appears to be about as bad a Vundo infection as I have seen. How did you get yourself this infected?
Let's start with what is in this HJT log:
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:57:11 PM, on 11/23/2007
How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
Open Vundofix by Doubleclicking on it, then point your mouse to the white box
above the buttons and right click, then click on Add More Files. When the
next window opens, copy and paste the files into the boxes and click on Add
File(s), then click on Close Window. Then click Remove Vundo.
These are the files you will add:
C:\WINDOWS\system32\byvtr.dll
C:\WINDOWS\system32\sltspbay.dll
C:\WINDOWS\system32\uqecdksa.dll
(later when you have files you know are bad, you can either delete them manually or use this tool)
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {18D7F9C6-381F-45DF-A326-4AE84FFA6B7F} - C:\WINDOWS\system32\byvtr.dll
O2 - BHO: {24e79dcb-6cc5-83fa-d7d4-81471fb883e3} - {3e388bf1-7418-4d7d-af38-5cc6bcd97e42} - C:\WINDOWS\system32\sltspbay.dll
O4 - HKLM\..\Run: [3f461a73] rundll32.exe "C:\WINDOWS\system32\uqecdksa.dll",b
Close all programs but HJT and all browser windows, then click on "Fix Checked"
RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\WINDOWS\system32\uqecdksa.dll <<< delete that file if there
Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post the Vundofix report and a new HJT log.
As soon as I have the list of files to check, I will post them. Understand you may reformatt if you would prefer not to do this.
Thanks
pskelley
2007-11-24, 15:38
I will say again, I have never seen a computer with this many possible infected Vundo files. Here are the scaners to check them:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/
Once you know they are bad, delete them. If you can't delete them in normal mode, boot to safe mode and do it.
C:\WINDOWS\SYSTEM32\askdcequ.ini
C:\WINDOWS\SYSTEM32\uqecdksa.dll
C:\WINDOWS\SYSTEM32\sltspbay.dll
C:\WINDOWS\SYSTEM32\uswdouxt.exe
C:\WINDOWS\SYSTEM32\bkokqclo.exe
C:\WINDOWS\SYSTEM32\sopuioir.dll
C:\WINDOWS\SYSTEM32\ohonwhle.dll
C:\WINDOWS\SYSTEM32\etyiqbse.exe
C:\WINDOWS\SYSTEM32\rioiupos.ini
C:\WINDOWS\SYSTEM32\yywcotjh.dll
C:\WINDOWS\SYSTEM32\hjtocwyy.ini
C:\WINDOWS\SYSTEM32\apoicltv.dll
C:\WINDOWS\SYSTEM32\anniunxg.exe
C:\WINDOWS\SYSTEM32\uxyhfeoe.dll
C:\WINDOWS\SYSTEM32\obxmyrrk.dll
C:\WINDOWS\SYSTEM32\rlhspkuv.exe
C:\WINDOWS\SYSTEM32\krrymxbo.ini
C:\WINDOWS\SYSTEM32\jgmnhkts.dll
C:\WINDOWS\SYSTEM32\ucjlyvfu.dll
C:\WINDOWS\SYSTEM32\uxvwcark.exe
C:\WINDOWS\SYSTEM32\ufvyljcu.ini
C:\WINDOWS\SYSTEM32\eenpnxwv.dll
C:\WINDOWS\SYSTEM32\xtdidrwd.ini
C:\WINDOWS\SYSTEM32\dwrdidtx.dll
C:\WINDOWS\SYSTEM32\hqdtnlcv.exe
C:\WINDOWS\SYSTEM32\qrgmdnhx.ini
C:\WINDOWS\SYSTEM32\pcjultif.dll
C:\WINDOWS\SYSTEM32\hprvjclt.exe
C:\WINDOWS\SYSTEM32\rbrskbwp.exe
C:\WINDOWS\SYSTEM32\gwfwimkv.ini
C:\WINDOWS\SYSTEM32\vkmiwfwg.dll
C:\WINDOWS\SYSTEM32\shqeofcj.dll
C:\WINDOWS\SYSTEM32\ymhfubql.exe
C:\WINDOWS\SYSTEM32\suekbdwf.dll
C:\WINDOWS\SYSTEM32\dtrsvdth.ini
C:\WINDOWS\SYSTEM32\ycwlrohv.exe
C:\WINDOWS\SYSTEM32\vhixhaiy.ini
C:\WINDOWS\SYSTEM32\jmjbdhdd.dll
C:\WINDOWS\SYSTEM32\pyqretcq.exe
C:\WINDOWS\SYSTEM32\qxfjwevd.ini
C:\WINDOWS\SYSTEM32\drccnxbs.dll
C:\WINDOWS\SYSTEM32\dvewjfxq.dll
C:\WINDOWS\SYSTEM32\cviykxcd.exe
C:\WINDOWS\SYSTEM32\hamgnnky.dll
C:\WINDOWS\SYSTEM32\pmvgduju.ini
C:\WINDOWS\SYSTEM32\rtvyb.tmp2.malware
C:\WINDOWS\SYSTEM32\ujudgvmp.dll
C:\WINDOWS\SYSTEM32\hovpbgaf.exe
C:\WINDOWS\SYSTEM32\wvdumosw.dll
C:\WINDOWS\SYSTEM32\bpcyqlda.ini
C:\WINDOWS\SYSTEM32\adlqycpb.dll
C:\WINDOWS\SYSTEM32\ghbojnfa.ini
C:\WINDOWS\SYSTEM32\utalixar.ini
C:\WINDOWS\SYSTEM32\raxilatu.dll
C:\WINDOWS\SYSTEM32\fdhbdqdo.dll
C:\WINDOWS\SYSTEM32\wxcjlndg.ini
C:\WINDOWS\SYSTEM32\gdnljcxw.dll
C:\WINDOWS\SYSTEM32\icichkjw.ini
C:\WINDOWS\SYSTEM32\khfgdaw.dll
C:\WINDOWS\SYSTEM32\qeccbltv.ini
C:\WINDOWS\SYSTEM32\mlsvyqvs.ini
C:\WINDOWS\SYSTEM32\svqyvslm.dll
C:\WINDOWS\SYSTEM32\wovdyknf.ini
C:\WINDOWS\SYSTEM32\jtbeivch.ini
C:\WINDOWS\SYSTEM32\hcviebtj.dll
C:\WINDOWS\SYSTEM32\dtnmoypj.ini
C:\WINDOWS\SYSTEM32\jpyomntd.dll
C:\WINDOWS\SYSTEM32\wlbrjvaf.ini
C:\WINDOWS\SYSTEM32\ywjymrce.ini
C:\WINDOWS\SYSTEM32\vynvkpft.ini
C:\WINDOWS\SYSTEM32\dykpyrdw.ini
C:\WINDOWS\SYSTEM32\wdrypkyd.dll
C:\WINDOWS\SYSTEM32\wyfadmqs.ini
C:\WINDOWS\SYSTEM32\bfeghphh.ini
C:\WINDOWS\SYSTEM32\tgyiyixe.ini
C:\WINDOWS\SYSTEM32\amumhqny.ini
C:\WINDOWS\SYSTEM32\ynqhmuma.dll
C:\WINDOWS\SYSTEM32\wblxthhp.ini
C:\WINDOWS\SYSTEM32\bjvcjsoo.ini
This is probably not all, but it is a start.
byvtr.dll
2007-11-25, 01:34
Well, I don't know how it got so bad.. I rarely visit sites with pop ups.. occasionally, I'll go to packetnews or torrent sites, but that's pretty rare. The file byvtr.dll is finally gone. i couldn't get rid of that for anything.. Thanks. I noticed that byvtr.dll was created on Oct. 8th, so it'd be active for awhile, maybe that's why it got so out of control..
Beginning removal...
Attempting to delete C:\WINDOWS\system32\sltspbay.dll
C:\WINDOWS\system32\sltspbay.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\byvtr.dll
C:\WINDOWS\system32\byvtr.dll Has been deleted!
Performing Repairs to the registry.
Done!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:48 PM, on 11/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\kxmixer.exe
C:\Program Files\Aim\aim.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\uimmuryk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\byvtr.dll.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: FoxieToolbar Class - {432CAE3B-690F-4C3B-BD97-070EBDA210D5} - C:\Program Files\Foxie Suite\foxietoolbaru.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FoxieSecurityModule Class - {C65185B1-D52B-44A9-861F-8201B50D1F37} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O2 - BHO: (no name) - {ED7AA1BF-5414-4BBB-B331-DA8A62FCC96C} - C:\WINDOWS\system32\byvtr.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\PROGRAM FILES\YAHOO!\BROWSER\YSIDEBARIEBHO.DLL
O3 - Toolbar: Foxie - {09C02180-3B46-4CD8-83FF-34DAF442BDEF} - C:\Program Files\Foxie Suite\foxiecoreu.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\system32\kxmixer.exe --startup
O4 - HKLM\..\Run: [3f461a73] rundll32.exe "C:\WINDOWS\system32\thmtepei.dll",b
O4 - HKCU\..\Run: [AIM] C:\Program Files\Aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe /z
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra 'Tools' menuitem: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra button: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra 'Tools' menuitem: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O9 - Extra button: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra 'Tools' menuitem: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra 'Tools' menuitem: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.att.net
O15 - Trusted Zone: http://*.att.net
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187263041895
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187517219847
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\uimmuryk.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 8142 bytes
pskelley
2007-11-25, 01:53
Let me show you something:
ttp://www.theregister.com/2007/05/11/google_malware_map/
http://redtape.msnbc.com/2007/05/the_next_net_th.html
Thousands snared by malware warning from big-name websites
http://www.channelregister.co.uk/2007/11/07/rogue_antispyware_ads/
Some information and the Vundo infection:
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks/search.aspx?q=winfixer+msn
The junk actually downloads more from the malware bundled with the junk and it can morph and change in front of your eyes. The fact it stayed so long on the computer is evidenced by the amount of junk you still need to remove.
It is always bad, but most folks can not take the popups and try to fix it right away.
The thing has morphed, until you get rid of all of those files and gain some control, it is going to be tough.
O2 - BHO: (no name) - {ED7AA1BF-5414-4BBB-B331-DA8A62FCC96C} - C:\WINDOWS\system32\byvtr.dll (file missing) <<< notice the file has been deleted so the item is dead.
New files:
C:\WINDOWS\system32\uimmuryk.exe
O4 - HKLM\..\Run: [3f461a73] rundll32.exe "C:\WINDOWS\system32\thmtepei.dll",b
O23 - Service: DomainService - - C:\WINDOWS\system32\uimmuryk.exe
before uimmuryk.exe can be deleted the service must be stopped, like this:
Disable the Service
Click Start > Run and type services.msc
Scroll down to DomainService and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.
You can put the files in add files in the Vundofix tool but they are going to come back. I suggest you stay offline and work on getting rid of the ones on the list that are bad. I personally think they all are but can't advise you to delete them without scanning them.
If it was my computer I would have reformatted long ago. Once you believe you have deleted all of those bad files, restart and run a new combofix scan and post the results.
Thanks
byvtr.dll
2007-11-25, 02:05
Thanks. i'm deleting those files now.. I'm not going to bother scanning them, just checking the created on date.. most of them are from within the past week or two, so I'm fairly certain they're not crucial files, if I'm not sure about one, I will scan it. I got rid of uimmuryk.exe like you said, should I start the service back up now?
pskelley
2007-11-25, 02:09
Nope, that Domain Service is something Vundo created:sad:
byvtr.dll
2007-11-25, 02:36
I see.. That's why it always started right back up after I ended it's process.
I really appreciate your help. :bigthumb:
Well.. I deleted 120 files, that I do believe are bad files.. Hopefully Windows will boot back up! Will post Combofix scan in a minute. Hopefully.
byvtr.dll
2007-11-25, 02:58
ComboFix 07-11-19.3 - Josh 2007-11-24 19:44:41.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.64 [GMT -5:00]
Running from: C:\Documents and Settings\Josh\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\check_LSA7.txt
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-10-25 to 2007-11-25 )))))))))))))))))))))))))))))))
.
2007-11-24 19:53 775,832 ---hs---- C:\WINDOWS\SYSTEM32\iepetmht.ini
2007-11-24 18:10 85,056 --a------ C:\WINDOWS\SYSTEM32\thmtepei.dll
2007-11-23 21:09 <DIR> d-------- C:\Program Files\DANCE!ONLINE
2007-11-23 00:37 <DIR> d--hs---- C:\FOUND.003
2007-11-22 22:08 <DIR> d-------- C:\TEMP\FrankProtocol
2007-11-22 22:08 <DIR> d-------- C:\TEMP\FrankPacManager
2007-11-22 22:08 <DIR> d-------- C:\TEMP\FrankMedium
2007-11-22 22:08 <DIR> d-------- C:\TEMP\FrankHandler
2007-11-22 22:08 <DIR> d-------- C:\TEMP\FrankFormat
2007-11-22 22:08 <DIR> d-------- C:\TEMP\FrankDevice
2007-11-22 22:08 <DIR> d-------- C:\TEMP\FrankContents
2007-11-22 22:08 <DIR> d-------- C:\TEMP\Frank
2007-11-22 21:24 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-22 03:53 <DIR> d--hs---- C:\FOUND.002
2007-11-20 05:52 5,387 --a------ C:\WINDOWS\SYSTEM32\jupdate-1.6.0_03-b05.log
2007-11-20 05:04 <DIR> d-------- C:\Program Files\GiPo@Utilities
2007-11-20 05:04 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2007-11-20 02:28 118,272 --a------ C:\VundoFix(2).exe
2007-11-15 06:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-15 06:39 35,840 -ra------ C:\WINDOWS\mrofinu77.exe
2007-11-15 06:38 <DIR> d-------- C:\TEMP\abW9
2007-11-14 00:59 <DIR> d-------- C:\Program Files\CamStudio
2007-11-05 00:53 53,760 --a------ C:\WINDOWS\SYSTEM32\vfwwdm32.dll
2007-11-05 00:52 33,538 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Capt905c.sys
2007-11-05 00:52 24,605 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Camd905c.sys
2007-11-03 01:15 <DIR> d-------- C:\Program Files\Phoenix Dynasty Online
2007-10-27 05:01 <DIR> d-------- C:\Documents and Settings\Josh\Application Data\GetRight
2007-10-27 04:58 <DIR> d-------- C:\Documents and Settings\Josh\Application Data\GetRightToGo
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-26 03:36 8,454,656 ------w C:\WINDOWS\SYSTEM32\dllcache\shell32.dll
2007-10-16 06:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-16 06:26 --------- d-----w C:\Documents and Settings\Josh\Application Data\SpinTop
2007-10-15 23:01 --------- d-----w C:\Program Files\Lavasoft
2007-10-15 23:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-15 23:00 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-15 22:59 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2007-10-13 13:30 --------- d-----w C:\Program Files\MartialHeroes
2007-10-11 10:25 294,668 ----a-w C:\WINDOWS\frexup2.exe
2007-10-08 23:02 13,824 ----a-w C:\WINDOWS\plite731.exe
2007-10-04 05:21 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-02 21:33 --------- d-----w C:\Program Files\DreamQuest
2007-10-01 12:16 --------- d--h--w C:\Documents and Settings\All Users\Application Data\{D06ED270-2185-4CC6-B7AD-C4A60A9F0F51}
2007-09-06 11:09 801,144 ----a-w C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-09-06 11:00 95,608 ----a-w C:\WINDOWS\SYSTEM32\AvastSS.scr
2007-06-22 01:32 266 --sh--w C:\Program Files\desktop.ini
2007-06-22 01:32 11,079 ---h--w C:\Program Files\folder.htt
.
((((((((((((((((((((((((((((( snapshot@2007-11-23_20.52.04.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 04:08:00 60,288 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\i386\drmk.sys
+ 2004-08-04 04:15:22 140,928 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\i386\ks.sys
+ 2004-08-04 05:56:44 4,096 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\i386\ksuser.dll
+ 2004-08-04 04:15:50 145,792 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\i386\portcls.sys
+ 2004-08-04 04:08:04 48,640 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\i386\stream.sys
+ 2007-11-25 00:52:52 16,384 ----a-w C:\WINDOWS\TEMP\Perflib_Perfdata_40c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED7AA1BF-5414-4BBB-B331-DA8A62FCC96C}]
C:\WINDOWS\system32\byvtr.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\Aim\aim.exe" [2006-08-01 15:35]
"mount.exe"="C:\Program Files\GiPo@Utilities\GiPo@FileUtilities\mount.exe" [2003-05-24 02:09]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2001-08-23 18:00 C:\WINDOWS\SYSTEM32\systray.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-24 21:00]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 06:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"kX Mixer"="C:\WINDOWS\system32\kxmixer.exe" [2002-05-14 03:04]
"3f461a73"="C:\WINDOWS\system32\thmtepei.dll" [2007-11-24 18:10]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Josh^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Josh\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Josh^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Josh\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3f461a73]
rundll32.exe C:\WINDOWS\system32\eecqqbwb.dll,b
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 03:06 40048 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\Aim\aim.exe -cnetwait.odl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\nwinkndq.exe CHD001
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMPack6]
C:\Program Files\ISM2\ISMPack6.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\loaddll]
loaddll.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\muBlinder]
C:\Documents and Settings\Josh\Desktop\System Tools\muBlinder.exe -startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoTrax Update Setup for All Users]
C:\Documents and Settings\All Users\Application Data\{D06ED270-2185-4CC6-B7AD-C4A60A9F0F51}\NoTraxSetup.exe /updatesetup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\plite731]
2007-10-08 18:02 13824 --a------ C:\WINDOWS\plite731.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegClean Expert Scheduler]
C:\Program Files\Registry Clean Expert\RCHelper.exe /startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
rundll32.exe C:\WINDOWS\system32\jqlufykg.dll,sitypnow
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
2006-05-08 05:17 81920 --a------ C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartFoxie]
2005-11-09 10:23 77824 --a------ C:\Program Files\Foxie Suite\StartFoxie.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 03:43 83608 --a------ C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
C:\Program Files\WinAble\winable.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshow]
C:\WINDOWS\winshow.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{61-1A-AD-DC-ZN}]
C:\windows\system32\mjdsrngm.exe CHD001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"BJCFD"=C:\Program Files\BroadJump\Client Foundation\CFD.exe
"YBrowser"=C:\PROGRA~1\YAHOO!\BROWSER\ybrwicon.exe
"Motive SmartBridge"=C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
"CTHelper"=CTHELPER.EXE
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
R3 kxwdmdrv;kX WDM Driver Service;C:\WINDOWS\system32\drivers\kx.sys
S3 DUBE100;D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\DUBE100.sys
S3 firewall;firewall;\??\C:\Program Files\Foxie Suite\firewall.sys
S3 XDva031;XDva031;\??\C:\WINDOWS\system32\XDva031.sys
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2007-11-08 04:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-24 19:54:15
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-24 19:57:20 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-23 20:53
.
--- E O F ---
pskelley
2007-11-25, 03:17
Post a Kapersky scan result, let's see what it says is bad.
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
Then post it here.
Probably be morning before I see the results.
Thanks
byvtr.dll
2007-11-26, 00:22
KASPERSKY ONLINE SCANNER REPORT
Sunday, November 25, 2007 12:52:42 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/11/2007
Kaspersky Anti-Virus database records: 436185
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target Folders
C:\
Scan Statistics
Total number of scanned objects 124318
Number of viruses found 4
Number of infected objects 22
Number of suspicious objects 10
Duration of the scan process 04:39:57
Infected Object Name Virus Name Last Action
C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_4c8.dat Object is locked skipped
C:\WINDOWS\TEMP\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\mrofinu77.exe Infected: Trojan-Downloader.Win32.Agent.fhv skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\Program Files\NetMeeting\rtejefsart.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant5.zip/v1.8.5/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant5.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip/win7F.tmp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.8.0/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1162OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip/Yazzle1281OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Josh\Local Settings\Temp\Perflib_Perfdata_6d4.dat Object is locked skipped
C:\Documents and Settings\Josh\Local Settings\Temp\Perflib_Perfdata_c60.dat Object is locked skipped
C:\Documents and Settings\Josh\Local Settings\Temp\Perflib_Perfdata_c58.dat Object is locked skipped
C:\Documents and Settings\Josh\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Josh\Local Settings\History\History.IE5\MSHist012007112520071126\index.dat Object is locked skipped
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Josh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Josh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Josh\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Josh\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Josh\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Josh\Application Data\Aim\nchporye\ShioriLynn06\cert8.db Object is locked skipped
C:\Documents and Settings\Josh\Application Data\Aim\nchporye\ShioriLynn06\key3.db Object is locked skipped
C:\Documents and Settings\Josh\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Josh\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\System Volume Information\_restore{DF264055-0E6C-455A-9006-636AB57F6893}\RP5\A0001267.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{DF264055-0E6C-455A-9006-636AB57F6893}\RP5\A0001268.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{DF264055-0E6C-455A-9006-636AB57F6893}\RP5\A0001269.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{DF264055-0E6C-455A-9006-636AB57F6893}\RP5\A0001270.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{DF264055-0E6C-455A-9006-636AB57F6893}\RP5\A0001271.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{DF264055-0E6C-455A-9006-636AB57F6893}\RP5\A0001272.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{DF264055-0E6C-455A-9006-636AB57F6893}\RP5\A0001273.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{DF264055-0E6C-455A-9006-636AB57F6893}\RP5\A0001274.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{DF264055-0E6C-455A-9006-636AB57F6893}\RP5\A0001275.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{DF264055-0E6C-455A-9006-636AB57F6893}\RP5\A0001276.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{DF264055-0E6C-455A-9006-636AB57F6893}\RP5\A0001277.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{DF264055-0E6C-455A-9006-636AB57F6893}\RP5\A0001278.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{DF264055-0E6C-455A-9006-636AB57F6893}\RP5\A0001279.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{DF264055-0E6C-455A-9006-636AB57F6893}\RP5\A0001280.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{DF264055-0E6C-455A-9006-636AB57F6893}\RP5\A0001281.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{DF264055-0E6C-455A-9006-636AB57F6893}\RP5\A0001282.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{DF264055-0E6C-455A-9006-636AB57F6893}\RP5\A0001338.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{DF264055-0E6C-455A-9006-636AB57F6893}\RP5\A0001339.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{DF264055-0E6C-455A-9006-636AB57F6893}\RP5\A0001340.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{DF264055-0E6C-455A-9006-636AB57F6893}\RP5\A0001341.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{DF264055-0E6C-455A-9006-636AB57F6893}\RP7\change.log Object is locked skipped
Scan process completed.
pskelley
2007-11-26, 00:42
KASPERSKY ONLINE SCANNER REPORT Sunday, November 25, 2007 12:52:42 PM
Number of infected objects 22
Number of suspicious objects 10
(all 10 suspicious objects are in Spybot Recovery)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ <<< delete the contents
http://ict.cas.psu.edu/training/howto/util/removespybot.htm#1
C:\WINDOWS\mrofinu77.exe <<< delete that file
C:\Program Files\NetMeeting\rtejefsart.html <<< delete that file
Restart the computer, the balance are infected System Restore files.
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
If you followed the directions, the next Kaspersky scan will be clean, and I do not need to see a clean scan, just let me know how the computer is running.
Thanks...Phil
byvtr.dll
2007-11-26, 01:06
Did as you said.. Everything seems to be running good, much quicker than it was a few days ago.
As soon as I right clicked on C:\WINDOWS\mrofinu77.exe AVAST! popped up, detecting that file amd I moved the file to chest, is that okay, instead of deleting it?
Thanks for all your help!
pskelley
2007-11-26, 01:31
Did as you said.. Everything seems to be running good, much quicker than it was a few days agoI would think so, you removed a load of junk from this computer.
As soon as I right clicked on C:\WINDOWS\mrofinu77.exe AVAST! popped up, detecting that file amd I moved the file to chest, is that okay, instead of deleting it?That's fine, but the "chest" has to be like quarantine and you should know how to empty the quarantine folder of your antivirus program. If you don't, ask here:
http://www.avast.com/eng/technical_support.html or here: http://forum.avast.com/
Good job sticking with this one, it was tough:bigthumb:
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.