New to these issues, I am trying to do this right.



blikblik
2008-05-13, 19:45
OK, yesterday I leaped into a post from someone else with similar problems, and tried the fix listed there.

Today I read the sticky and am doing this again.

I am not sure what I have. I get the occasional Explorer or Firefox window opening by itself to random websites. Every so often Spybot will start opening little windows advising me of a Web Helper Object being changed. This happens about every 2 seconds.

Finally, whatever this is has reset my Windows Update utility to disabled and I cannot seem to re-enable it.

From the sticky, I hit the link to the Kaspersky site, hit the accept button and nothing much happens, so I cannot at this time print a log from there.

If there is a way to make this work please let me know.

I went to the HiJackThis link and this is the log it gave me:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:21 PM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Brian\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=lindy68&login=d02e5a4968e1bd37043ca33a291c120a/lindy68:netzero.net/1166850547/30/sss.8.51015/&ts=458cb9f3&A=575040350000009&B=1126854000000&C=1126854000000&D=1166774400000&I=8.NH4&N=PLHS&O=I&UT=
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BM2741a295] Rundll32.exe "C:\WINDOWS\system32\ramjbsgl.dll",s
O4 - HKLM\..\Run: [24729109] rundll32.exe "C:\WINDOWS\system32\swevdgiy.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165792850984
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4910 bytes


Now, I am including the files from the fix I visited too. Just in case it might help.

First from Fixwareout:

Username "Brian" - 05/13/2008 11:34:10 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"BM2741a295"="Rundll32.exe \"C:\\WINDOWS\\system32\\ysdqtawl.dll\",s"
"24729109"="rundll32.exe \"C:\\WINDOWS\\system32\\swevdgiy.dll\",b"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


Next from ComboFix

Username "Brian" - 05/13/2008 11:34:10 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"BM2741a295"="Rundll32.exe \"C:\\WINDOWS\\system32\\ysdqtawl.dll\",s"
"24729109"="rundll32.exe \"C:\\WINDOWS\\system32\\swevdgiy.dll\",b"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


Thank you for any help here.

pskelley
2008-05-13, 23:17
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I will take just a moment to tell you that sooner or later you are going to damage your computer running tools you are not sure you need. Just because it sounds like your problem, does not mean it is. We train for years to recognize the malware so we do not (hopefully) run a tool that will damage your system.

I would still like the Kaspersky Online Scan, but wait until I give you more instructions a little later.

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.

1) C:\Documents and Settings\Brian\Desktop\HiJackThis.exe <<< return here and create a folder called HJT, then move the log and the HJT.exe into that folder.
Now rename the HJT.exe, call it blikblik.exe, that will work. The hackers hide their junk from HJT and this may help us see it after a restart. Because two moves were required due to the location you placed HJT, this is what it will look like if you did it as instructed.
C:\Documents and Settings\Brian\Desktop\HJT\blikblik.exe

2) We first need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

3) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

blikblik
2008-05-14, 00:29
I followed your instructions. I have the HJT log on the other computer, and will get it to you.

For now, I ran a new copy of combofix and it did fine, rebooted, and is now telling me that it is preparing a report, and not to do anything till it is finished.

It seems to have hung up at this point.

blikblik
2008-05-14, 01:03
OK, it worked.

Here are the logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:51 PM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Brian\Desktop\HJT\blikblik.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=lindy68&login=d02e5a4968e1bd37043ca33a291c120a/lindy68:netzero.net/1166850547/30/sss.8.51015/&ts=458cb9f3&A=575040350000009&B=1126854000000&C=1126854000000&D=1166774400000&I=8.NH4&N=PLHS&O=I&UT=
O2 - BHO: (no name) - {2BD8E7E2-E68E-4C6C-AFDF-8FC9C43AAC4A} - C:\WINDOWS\system32\ssqPigee.dll
O2 - BHO: {cad89d81-4bfa-4809-01a4-4fb654304fd6} - {6df40345-6bf4-4a10-9084-afb418d98dac} - C:\WINDOWS\system32\ujhjnjyb.dll
O2 - BHO: (no name) - {7580F730-9EE7-45BF-9D0F-70C619FFD9E4} - C:\WINDOWS\system32\urqOIXQH.dll (file missing)
O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - C:\WINDOWS\system32\byXPFwtR.dll
O2 - BHO: (no name) - {C4C6D994-A81C-495A-B8EE-1D32A93D26EF} - C:\WINDOWS\system32\ljJARiiH.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\xciomsir.dll",s
O4 - HKLM\..\Run: [24729109] rundll32.exe "C:\WINDOWS\system32\jljjwpuy.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165792850984
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: byXPFwtR - C:\WINDOWS\SYSTEM32\byXPFwtR.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5389 bytes

And the combofix log:

ComboFix 08-05-12.1 - Brian 2008-05-13 17:38:32.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.597 [GMT -5:00]
Running from: C:\Documents and Settings\Brian\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\HiiRAJjl.ini
C:\WINDOWS\SYSTEM32\HiiRAJjl.ini2
C:\WINDOWS\SYSTEM32\shaimetk.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.

2008-05-13 17:43 . 2008-05-13 17:43 294 ---hs---- C:\WINDOWS\SYSTEM32\shaimetk.ini
2008-05-13 17:42 . 2008-05-13 17:42 22 --a------ C:\WINDOWS\pskt.ini
2008-05-13 17:35 . 2008-05-13 17:35 93,248 --a------ C:\WINDOWS\SYSTEM32\ktemiahs.dll
2008-05-13 17:33 . 2008-05-13 17:33 115,776 --a------ C:\WINDOWS\SYSTEM32\anvudxaq.dll
2008-05-13 17:33 . 2008-05-13 17:33 109,632 --a------ C:\WINDOWS\SYSTEM32\liykayqu.dll
2008-05-13 17:33 . 2008-05-13 17:33 2,112 --a------ C:\WINDOWS\SYSTEM32\vcoxmsck.exe
2008-05-13 17:32 . 2008-05-13 17:32 347 --ahs---- C:\WINDOWS\SYSTEM32\eegiPqss.ini
2008-05-13 17:30 . 2008-05-13 17:30 294 ---hs---- C:\WINDOWS\SYSTEM32\yupwjjlj.ini
2008-05-13 17:28 . 2008-05-13 17:28 109,632 --a------ C:\WINDOWS\SYSTEM32\vholikur.dll
2008-05-13 17:07 . 2008-05-13 17:07 115,776 --a------ C:\WINDOWS\SYSTEM32\ujhjnjyb.dll
2008-05-13 17:05 . 2008-05-13 17:05 109,632 --a------ C:\WINDOWS\SYSTEM32\xciomsir.dll
2008-05-13 17:05 . 2008-05-13 17:05 2,112 --a------ C:\WINDOWS\SYSTEM32\hlgccqru.exe
2008-05-13 16:50 . 2008-05-13 16:50 115,776 --a------ C:\WINDOWS\SYSTEM32\xwfkepuw.dll
2008-05-13 16:48 . 2008-05-13 16:48 2,112 --a------ C:\WINDOWS\SYSTEM32\orssulxn.exe
2008-05-13 13:40 . 2008-05-13 13:40 109,632 --a------ C:\WINDOWS\SYSTEM32\cuecvhsx.dll
2008-05-13 12:53 . 2008-05-13 12:53 <DIR> d-------- C:\Deckard
2008-05-13 12:06 . 2008-05-13 12:06 93,248 --a------ C:\WINDOWS\SYSTEM32\fisrxabs.dll
2008-05-13 12:03 . 2008-05-13 12:03 115,776 --a------ C:\WINDOWS\SYSTEM32\vgvpndpp.dll
2008-05-13 12:03 . 2008-05-13 12:03 2,112 --a------ C:\WINDOWS\SYSTEM32\xeppqalk.exe
2008-05-13 12:01 . 2008-05-13 12:01 109,632 --a------ C:\WINDOWS\SYSTEM32\ramjbsgl.dll
2008-05-13 11:59 . 2008-05-13 12:00 370,688 --a------ C:\WINDOWS\SYSTEM32\ljJARiiH.dll
2008-05-13 11:55 . 2008-05-13 14:46 654 ---hs---- C:\WINDOWS\SYSTEM32\yigdvews.ini
2008-05-13 10:00 . 2008-05-13 10:00 115,776 --a------ C:\WINDOWS\SYSTEM32\ugblvkjs.dll
2008-05-13 10:00 . 2008-05-13 10:00 2,112 --a------ C:\WINDOWS\SYSTEM32\nkbetitq.exe
2008-05-13 09:57 . 2008-05-13 17:43 109,803 --a------ C:\WINDOWS\BM2741a295.xml
2008-05-13 09:57 . 2008-05-13 09:57 108,608 --a------ C:\WINDOWS\SYSTEM32\ysdqtawl.dll
2008-05-12 21:52 . 2008-05-12 21:52 370,688 --a------ C:\WINDOWS\SYSTEM32\ssqPigee.dll
2008-05-12 21:05 . 2008-05-13 11:41 <DIR> d-------- C:\fixwareout
2008-05-12 20:32 . 2008-05-12 20:32 23,981 --a------ C:\WINDOWS\SYSTEM32\datmps.dll
2008-05-12 20:32 . 2008-05-12 20:32 8,816 --a------ C:\WINDOWS\SYSTEM32\wlite.sys
2008-05-12 18:33 . 2008-05-12 18:33 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2008-05-12 17:13 . 2008-05-12 21:11 525 --a------ C:\WINDOWS\wininit.ini
2008-05-12 17:09 . 2008-05-12 17:09 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Talkback
2008-05-12 17:09 . 2008-05-12 17:21 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\StumbleUpon
2008-05-12 16:45 . 2008-05-12 16:45 <DIR> d-------- C:\My Video
2008-05-12 14:40 . 2008-05-12 16:46 56 --a------ C:\WINDOWS\cryavitompeg.ini
2008-05-12 14:39 . 2008-05-12 16:46 5 --a------ C:\WINDOWS\SYSTEM32\SySavitompeg.dat
2008-05-12 14:38 . 2008-05-12 14:38 <DIR> d-------- C:\Program Files\Crystal Software
2008-05-12 14:24 . 2008-05-12 14:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\winRem
2008-05-12 14:24 . 2008-05-12 14:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\spoolX
2008-05-12 14:24 . 2008-05-12 14:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\MUI2
2008-05-12 14:24 . 2008-05-12 14:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\dFrnx05
2008-05-12 14:24 . 2008-05-12 14:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\1036a
2008-05-12 14:24 . 2008-05-12 14:24 <DIR> d-------- C:\Temp\tmpvc14
2008-05-12 14:24 . 2008-05-12 14:25 <DIR> d-------- C:\Program Files\winvi
2008-05-12 14:24 . 2008-05-12 14:24 493,862 --a------ C:\Temp\dUbc1002.exe
2008-05-12 14:23 . 2008-05-12 14:23 28,672 --a------ C:\WINDOWS\SYSTEM32\byXPFwtR.dll
2008-05-04 13:09 . 2008-05-04 13:10 <DIR> d-------- C:\Program Files\WordBiz
2008-05-02 19:21 . 2008-05-02 19:21 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SSScanAppDataDir
2008-05-02 19:21 . 2008-05-02 19:21 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\MSScanAppDataDir
2008-05-02 17:15 . 2008-05-02 17:15 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Hewlett-Packard
2008-05-02 17:14 . 2008-05-12 17:19 <DIR> d-------- C:\Documents and Settings\Admin
2008-05-02 17:14 . 2008-05-13 17:42 1,024 --ah----- C:\Documents and Settings\Admin\NTUSER.dat.LOG
2008-04-17 15:10 . 2008-04-17 15:10 107,888 --a------ C:\WINDOWS\SYSTEM32\CmdLineExt.dll
2008-04-17 13:53 . 2008-04-17 13:53 <DIR> d-------- C:\Program Files\Atari

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-13 16:29 --------- d-----w C:\Program Files\LimeWire
2008-05-12 23:35 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-12 22:12 --------- d-----w C:\Program Files\4U Computing
2008-05-12 22:11 --------- d-----w C:\Program Files\StumbleUpon
2008-05-12 19:40 --------- d-----w C:\Program Files\Incomplete
2008-05-12 19:09 --------- d-----w C:\Documents and Settings\Brian\Application Data\LimeWire
2008-05-11 15:39 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-04-17 18:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-12 17:47 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-12 17:42 --------- d-----w C:\Program Files\Safer Networking
2008-04-08 20:37 --------- d-----w C:\Program Files\Scholastic
2008-04-04 22:11 --------- d-----w C:\Program Files\QuickTime
2008-03-31 15:24 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-20 00:12 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-19 23:47 --------- d-----w C:\Documents and Settings\Brian\Application Data\Netscape
2008-03-19 17:26 --------- d-----w C:\Program Files\Java
2008-03-19 16:24 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\{36D03E21-363A-4CBC-9E13-A90BDCFAFB04}
2008-03-19 15:47 --------- d-----w C:\Program Files\MSBuild
2008-03-19 15:45 --------- d-----w C:\Program Files\Reference Assemblies
2007-01-30 23:38 194,376 -c--a-w C:\Documents and Settings\Brian\Application Data\shb.dat
2003-08-27 19:19 36,963 -c--a-r C:\Program Files\Common Files\SM1updtr.dll
2005-04-20 00:25 53,323 ----a-w C:\Program Files\opera\program\plugins\PlugDef.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-12_21.55.18.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-13 02:46:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-13 22:41:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-13 22:42:03 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_584.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2BD8E7E2-E68E-4C6C-AFDF-8FC9C43AAC4A}]
2008-05-12 21:52 370688 --a------ C:\WINDOWS\system32\ssqPigee.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6ca7d47b-09a9-4ee1-a833-0cda564568b0}]
2008-05-13 17:33 115776 --a------ C:\WINDOWS\system32\anvudxaq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7580F730-9EE7-45BF-9D0F-70C619FFD9E4}]
C:\WINDOWS\system32\urqOIXQH.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}]
2008-05-12 14:23 28672 --a------ C:\WINDOWS\system32\byXPFwtR.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A9BDC073-C661-420E-804B-37DE47749842}]
2008-05-13 12:00 370688 --a------ C:\WINDOWS\system32\ljJARiiH.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 04:01 135264]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 04:00 90112]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-28 12:14 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-30 21:57 77824]
"24729109"="C:\WINDOWS\system32\ktemiahs.dll" [2008-05-13 17:35 93248]
"BM2741a295"="C:\WINDOWS\system32\liykayqu.dll" [2008-05-13 17:33 109632]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 02:17:18 147456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}"= C:\WINDOWS\system32\byXPFwtR.dll [2008-05-12 14:23 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXPFwtR]
byXPFwtR.dll 2008-05-12 14:23 28672 C:\WINDOWS\SYSTEM32\byXPFwtR.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wlite.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 13:31]
R1 wlite;WMV9 Codec;C:\WINDOWS\system32\wlite.sys [2008-05-12 20:32]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 13:35]
R2 HIDKbFlt;HIDKbFlt.SvcDesc%;C:\WINDOWS\system32\DRIVERS\HIDKbFlt.sys [2005-07-25 05:13]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 17:43:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\shaimetk.ini 294 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\byXPFwtR.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\ktemiahs.dll
-> C:\WINDOWS\system32\liykayqu.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SYSTEM32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\SYSTEM32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
C:\WINDOWS\SYSTEM32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-05-13 17:50:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-13 22:50:19
ComboFix2.txt 2008-05-13 22:30:16
ComboFix3.txt 2008-05-13 17:03:30
ComboFix4.txt 2008-05-13 02:56:05

Pre-Run: 68,186,636,288 bytes free
Post-Run: 68,177,149,952 bytes free

194 --- E O F --- 2008-04-09 08:03:29


Hope this helps, and thank you.

I am shutting this computer down and will monitor responses on the laptop.

Thank you again.

pskelley
2008-05-14, 01:24
Thanks for returning your logs. I have a problem, I believe. I need to see HJT after combofix so I can see what the tool did. If I am correct:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:51 PM, on 5/13/2008
(17:09)

ComboFix 08-05-12.1 - Brian 2008-05-13 17:38:32.4

I will need a new HJT log; always run HJT after all the tools as it is our picture of what has been accomplished. Now having said that, I see a load of files I believe are Vundo files.
Files Created from 2008-04-13 to 2008-05-13 <<< you can see them in this area of the combofix log. We can remove them manually with a script, but I would like to see if another Vundo removal tool will find and remove any of them first. Looks like the hackers have changed their junk again.

I can see a lot of the junk in the log now, let's see if Vundofix will find any of it. I should mention that you can remove Fixwareout from your computer, there appears to have been no wareout infection.

Thanks to Atribune and any others who helped with this fix.

Download VundoFix to your Desktop

http://www.atribune.org/ccount/click.php?id=4

Follow these directions starting at: Normal Usage for Removal
http://vundofix.atribune.org/

Post the Vundofix.txt and a new HJT log
Vundofix.txt will be on the C:\

Thanks...Phil

(likely my last post tonight, I start early and shutdown about 8:00 PM EST)
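
As an added illustration (not code from this thread, HijackThis, ComboFix or VundoFix), the Python script below does by script the triage pskelley is doing by eye above: it scores HijackThis O2/O4/O20 lines for the pattern visible in the posted logs (eight-letter random-looking DLL names in system32, BHOs with no name, Run values loading a DLL through rundll32 with a one-letter export, a Winlogon Notify hook, registrations pointing at missing files) and groups the ComboFix "Files Created" entries by byte size to show the same binaries being re-dropped under fresh names. The sample lines are copied from this thread's logs; the name heuristic and the two-signal threshold are my own assumptions.

```python
"""Triage helper for HijackThis and ComboFix log excerpts (added example, not a thread tool)."""
import re
from collections import defaultdict

# Constructed sample input: HijackThis lines copied from the logs posted in this thread.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {2BD8E7E2-E68E-4C6C-AFDF-8FC9C43AAC4A} - C:\WINDOWS\system32\ssqPigee.dll
O2 - BHO: {cad89d81-4bfa-4809-01a4-4fb654304fd6} - {6df40345-6bf4-4a10-9084-afb418d98dac} - C:\WINDOWS\system32\ujhjnjyb.dll
O2 - BHO: (no name) - {7580F730-9EE7-45BF-9D0F-70C619FFD9E4} - C:\WINDOWS\system32\urqOIXQH.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\xciomsir.dll",s
O4 - HKLM\..\Run: [24729109] rundll32.exe "C:\WINDOWS\system32\jljjwpuy.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: byXPFwtR - C:\WINDOWS\SYSTEM32\byXPFwtR.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Constructed sample input: "Files Created" lines copied from the ComboFix log in this thread.
COMBOFIX_SAMPLE = r"""
2008-05-13 17:35 . 2008-05-13 17:35 93,248 --a------ C:\WINDOWS\SYSTEM32\ktemiahs.dll
2008-05-13 17:33 . 2008-05-13 17:33 115,776 --a------ C:\WINDOWS\SYSTEM32\anvudxaq.dll
2008-05-13 17:33 . 2008-05-13 17:33 109,632 --a------ C:\WINDOWS\SYSTEM32\liykayqu.dll
2008-05-13 17:33 . 2008-05-13 17:33 2,112 --a------ C:\WINDOWS\SYSTEM32\vcoxmsck.exe
2008-05-13 17:28 . 2008-05-13 17:28 109,632 --a------ C:\WINDOWS\SYSTEM32\vholikur.dll
2008-05-13 17:07 . 2008-05-13 17:07 115,776 --a------ C:\WINDOWS\SYSTEM32\ujhjnjyb.dll
2008-05-13 17:05 . 2008-05-13 17:05 109,632 --a------ C:\WINDOWS\SYSTEM32\xciomsir.dll
2008-05-13 17:05 . 2008-05-13 17:05 2,112 --a------ C:\WINDOWS\SYSTEM32\hlgccqru.exe
2008-05-13 12:53 . 2008-05-13 12:53 <DIR> d-------- C:\Deckard
2008-05-13 12:06 . 2008-05-13 12:06 93,248 --a------ C:\WINDOWS\SYSTEM32\fisrxabs.dll
2008-04-17 15:10 . 2008-04-17 15:10 107,888 --a------ C:\WINDOWS\SYSTEM32\CmdLineExt.dll
"""

PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:dll|exe|sys))', re.IGNORECASE)
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"[^"]+\.dll",[A-Za-z]\b', re.IGNORECASE)
CF_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d) \. \S+ \S+ ([\d,]+) \S+ (.+)$')
RANDOM_STEM = re.compile(r'^[A-Za-z]{8}$')


def file_name(path):
    return path.rsplit('\\', 1)[-1]


def looks_random(path):
    """Weak signal: an eight-letter, all-alphabetic file name sitting in system32,
    the naming style of every dropped DLL/EXE in this thread's logs (assumption:
    the threshold is chosen to match those logs; legitimate files can hit it too)."""
    stem = file_name(path).rsplit('.', 1)[0]
    return 'system32' in path.lower() and bool(RANDOM_STEM.match(stem))


def triage_hjt_line(line):
    """Score one HijackThis line. Returns (score, reasons); 0 means nothing notable."""
    m = PATH_RE.search(line)
    if not m:
        return 0, []
    path, reasons = m.group(1), []
    section = line.split(' - ', 1)[0]          # "O2", "O4", "O20", ...
    if looks_random(path):
        reasons.append('eight-letter random-looking name in system32')
    if section == 'O2' and ('(no name)' in line or line.startswith('O2 - BHO: {')):
        reasons.append('BHO registered with no name, or a GUID in place of a name')
    if section == 'O4':
        if RUNDLL_RE.search(line):
            reasons.append('Run value loads a DLL via rundll32 with a one-letter export')
        if 'Run: [' not in line:
            reasons.append('Run value has no name')
    if section == 'O20':
        reasons.append('Winlogon Notify DLL: loaded into winlogon.exe at every logon')
    if '(file missing)' in line:
        reasons.append('registration points at a file that is gone (orphan to clean)')
    return len(reasons), reasons


def triage_hjt(text):
    """Return [(file name, reasons)] for lines carrying two or more independent signals."""
    flagged = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        score, reasons = triage_hjt_line(line)
        if score >= 2:  # assumption: one weak signal alone is not worth a cleanup line
            flagged.append((file_name(PATH_RE.search(line).group(1)), reasons))
    return flagged


def size_clusters(text):
    """Group ComboFix 'Files Created' entries by byte size and keep the sizes that
    recur under two or more random-looking names: the same dropper binary being
    re-dropped under fresh names, as seen in this thread's log."""
    by_size = defaultdict(list)
    for line in text.splitlines():
        m = CF_RE.match(line.strip())
        if not m:                      # skips blank lines and <DIR> entries
            continue
        size, path = int(m.group(2).replace(',', '')), m.group(3).strip()
        if looks_random(path):
            by_size[size].append(file_name(path))
    return {size: names for size, names in by_size.items() if len(names) >= 2}


if __name__ == '__main__':
    for name, reasons in triage_hjt(HJT_SAMPLE):
        print(f'{name}: ' + '; '.join(reasons))
    for size, names in sorted(size_clusters(COMBOFIX_SAMPLE).items()):
        print(f'{size} bytes x{len(names)}: ' + ', '.join(names))
```

Run against a full log, the flagged names and the repeated sizes are what a helper would carry into a removal script or a VundoFix run; everything else in the log is left alone.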

blikblik
2008-05-14, 16:52
I made a HJT log just before I ran the VundoFix program.

Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:51 PM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Documents and Settings\Brian\Desktop\HJT\blikblik.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqfru07.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=lindy68&login=d02e5a4968e1bd37043ca33a291c120a/lindy68:netzero.net/1166850547/30/sss.8.51015/&ts=458cb9f3&A=575040350000009&B=1126854000000&C=1126854000000&D=1166774400000&I=8.NH4&N=PLHS&O=I&UT=
O2 - BHO: {f9787d08-097c-2629-69c4-99d15a1d09b5} - {5b90d1a5-1d99-4c96-9262-c79080d7879f} - C:\WINDOWS\system32\envchjra.dll
O2 - BHO: (no name) - {7580F730-9EE7-45BF-9D0F-70C619FFD9E4} - C:\WINDOWS\system32\urqOIXQH.dll (file missing)
O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - C:\WINDOWS\system32\byXPFwtR.dll
O2 - BHO: (no name) - {A2E572E9-B077-4BB6-B170-C505362615D2} - C:\WINDOWS\system32\ljJARiiH.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [24729109] rundll32.exe "C:\WINDOWS\system32\yjhmtoyh.dll",b
O4 - HKLM\..\Run: [BM2741a295] Rundll32.exe "C:\WINDOWS\system32\rljsxsfr.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165792850984
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: byXPFwtR - C:\WINDOWS\SYSTEM32\byXPFwtR.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5335 bytes


Then I installed and ran VundoFix. It did not find or fix anything, but here is the log it created:

VundoFix V7.0.3

Scan started at 7:02:47 PM 5/13/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...


Then I ran a second HJT log just a few minutes ago and this is what we have:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:05 AM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Brian\Desktop\HJT\blikblik.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=lindy68&login=d02e5a4968e1bd37043ca33a291c120a/lindy68:netzero.net/1166850547/30/sss.8.51015/&ts=458cb9f3&A=575040350000009&B=1126854000000&C=1126854000000&D=1166774400000&I=8.NH4&N=PLHS&O=I&UT=
O2 - BHO: {f9787d08-097c-2629-69c4-99d15a1d09b5} - {5b90d1a5-1d99-4c96-9262-c79080d7879f} - C:\WINDOWS\system32\envchjra.dll
O2 - BHO: (no name) - {7580F730-9EE7-45BF-9D0F-70C619FFD9E4} - C:\WINDOWS\system32\urqOIXQH.dll (file missing)
O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - C:\WINDOWS\system32\byXPFwtR.dll
O2 - BHO: (no name) - {8CB49199-1BA8-43EF-A28C-E8DBA4195F79} - C:\WINDOWS\system32\ljJARiiH.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [24729109] rundll32.exe "C:\WINDOWS\system32\yjhmtoyh.dll",b
O4 - HKLM\..\Run: [BM2741a295] Rundll32.exe "C:\WINDOWS\system32\rljsxsfr.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165792850984
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: byXPFwtR - C:\WINDOWS\SYSTEM32\byXPFwtR.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5328 bytes


I hope this helps.

Thank you.

Once again I am shutting down and monitoring this on another computer.

pskelley
2008-05-14, 17:34
Ok and thanks for trying, let's communicate a little.
I do not need a HJT log prior to running a tool, only after. The more information posted that is not needed, the harder the topic is to work with. With Vundofix finding nothing I will need to Google each file that looks bad, then I will ask you to scan a few at random prior to removing them all. Looks like the hackers are trying something new so we may be the first to run into it, and combofix does not have the data yet, nor Vundofix. What you can do on your end is check each file in the File:: "code box" for the CFScript, or check them randomly if you wish. I am fairly certain they were put there by the infection, but it does not hurt to check. Here are free online scanners you can use:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

Once you see enough to be satisfied, then go for it.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.


3) Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\SYSTEM32\shaimetk.ini
C:\WINDOWS\SYSTEM32\ktemiahs.dll
C:\WINDOWS\SYSTEM32\anvudxaq.dll
C:\WINDOWS\SYSTEM32\liykayqu.dll
C:\WINDOWS\SYSTEM32\vcoxmsck.exe
C:\WINDOWS\SYSTEM32\eegiPqss.ini
C:\WINDOWS\SYSTEM32\yupwjjlj.ini
C:\WINDOWS\SYSTEM32\vholikur.dll
C:\WINDOWS\SYSTEM32\ujhjnjyb.dll
C:\WINDOWS\SYSTEM32\xciomsir.dll
C:\WINDOWS\SYSTEM32\hlgccqru.exe
C:\WINDOWS\SYSTEM32\xwfkepuw.dll
C:\WINDOWS\SYSTEM32\orssulxn.exe
C:\WINDOWS\SYSTEM32\cuecvhsx.dll
C:\WINDOWS\SYSTEM32\fisrxabs.dll
C:\WINDOWS\SYSTEM32\vgvpndpp.dll
C:\WINDOWS\SYSTEM32\xeppqalk.exe
C:\WINDOWS\SYSTEM32\ramjbsgl.dll
C:\WINDOWS\SYSTEM32\ljJARiiH.dll
C:\WINDOWS\SYSTEM32\yigdvews.ini
C:\WINDOWS\SYSTEM32\ugblvkjs.dll
C:\WINDOWS\SYSTEM32\nkbetitq.exe
C:\WINDOWS\SYSTEM32\ysdqtawl.dll
C:\WINDOWS\SYSTEM32\ssqPigee.dll
C:\WINDOWS\system32\envchjra.dll
C:\WINDOWS\system32\byXPFwtR.dll
C:\WINDOWS\system32\yjhmtoyh.dll
C:\WINDOWS\system32\rljsxsfr.dll


Folder::
C:\fixwareout

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: {f9787d08-097c-2629-69c4-99d15a1d09b5} - {5b90d1a5-1d99-4c96-9262-c79080d7879f} - C:\WINDOWS\system32\envchjra.dll
O2 - BHO: (no name) - {7580F730-9EE7-45BF-9D0F-70C619FFD9E4} - C:\WINDOWS\system32\urqOIXQH.dll (file missing)
O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - C:\WINDOWS\system32\byXPFwtR.dll
O2 - BHO: (no name) - {8CB49199-1BA8-43EF-A28C-E8DBA4195F79} - C:\WINDOWS\system32\ljJARiiH.dll
O4 - HKLM\..\Run: [24729109] rundll32.exe "C:\WINDOWS\system32\yjhmtoyh.dll",b
O4 - HKLM\..\Run: [BM2741a295] Rundll32.exe "C:\WINDOWS\system32\rljsxsfr.dll",s
O20 - Winlogon Notify: byXPFwtR - C:\WINDOWS\SYSTEM32\byXPFwtR.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the combofix report, a new HJT log and some feedback from you. This one is tough and very, very time consuming.

Thanks
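The step above deletes the files with ComboFix and then has HijackThis remove the registry entries that loaded them, because deleting a DLL leaves its BHO, Run and Winlogon Notify entries behind (HJT then shows them as "(file missing)"). The script below is an added example, not code from this thread or from HijackThis/ComboFix: it cross-checks an HJT log against the CFScript File:: list and reports which loader entries still need "Fix checked". The CFScript and HJT lines are constructed from entries quoted in this thread.

```python
# Cross-check a HijackThis log against a ComboFix CFScript File:: list.
# Added example, not code from this thread or from HijackThis/ComboFix.
import re
from dataclasses import dataclass

# Constructed CFScript in the same File::/Folder:: syntax pskelley posted (a subset).
CFSCRIPT = r"""File::
C:\WINDOWS\SYSTEM32\ljJARiiH.dll
C:\WINDOWS\system32\envchjra.dll
C:\WINDOWS\system32\byXPFwtR.dll
C:\WINDOWS\system32\yjhmtoyh.dll
C:\WINDOWS\system32\rljsxsfr.dll

Folder::
C:\fixwareout
"""

# Constructed HJT excerpt modelled on the log posted after the CFScript run:
# the files are gone, but the registry entries that load them are not.
HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {5b90d1a5-1d99-4c96-9262-c79080d7879f} - C:\WINDOWS\system32\envchjra.dll (file missing)
O2 - BHO: (no name) - {7580F730-9EE7-45BF-9D0F-70C619FFD9E4} - C:\WINDOWS\system32\urqOIXQH.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [24729109] rundll32.exe "C:\WINDOWS\system32\yjhmtoyh.dll",b
O4 - HKLM\..\Run: [BM2741a295] Rundll32.exe "C:\WINDOWS\system32\rljsxsfr.dll",s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: byXPFwtR - byXPFwtR.dll (file missing)
"""

# HJT sections whose entries load a file at logon or browser start.
LOADER_SECTIONS = {"O2", "O3", "O4", "O20", "O21", "O23"}
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# A drive-letter path ending in a loadable module; stopping at the extension keeps
# rundll32 arguments ("...dll",b) and "(file missing)" out of the match.
WIN_PATH = re.compile(
    r'[A-Za-z]:\\(?:[^\\"<>|,\r\n]+\\)*[^\\"<>|,\r\n]+?\.(?:dll|exe|sys|ocx|cpl)',
    re.IGNORECASE,
)
# O20 lines may name the module without a path (the thread's "byXPFwtR.dll").
BARE_MODULE = re.compile(r"\b([\w\-]+\.(?:dll|exe|sys|ocx|cpl))\b", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    section: str
    module: str         # lower-cased file name the entry loads ('' if none found)
    file_missing: bool  # HJT appended "(file missing)"
    verdict: str        # "fix-orphaned", "fix-listed" or "keep"
    line: str

def basename(path):
    # Windows paths are case-insensitive and the thread mixes SYSTEM32/system32.
    return path.rsplit("\\", 1)[-1].lower()

def parse_cfscript(text):
    """Return {"File": [...], "Folder": [...]} from a CFScript's X:: sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def module_of(body):
    m = WIN_PATH.search(body)
    if m:
        return basename(m.group(0))
    m = BARE_MODULE.search(body)
    return m.group(1).lower() if m else ""

def audit_hjt(log_text, cfscript_text):
    """Classify each loader entry in the HJT log against the CFScript File:: list."""
    removed = {basename(p) for p in parse_cfscript(cfscript_text).get("File", [])}
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m or m.group("section") not in LOADER_SECTIONS:
            continue
        body = m.group("body")
        module = module_of(body)
        missing = "(file missing)" in body
        if missing:
            verdict = "fix-orphaned"  # file is gone, the registry entry is not
        elif module in removed:
            verdict = "fix-listed"  # on the removal list; HJT does not flag missing O4 files
        else:
            verdict = "keep"
        findings.append(Finding(m.group("section"), module, missing, verdict, raw.strip()))
    return findings

def entries_to_fix(findings):
    """Lines to tick under 'Do a system scan only' before clicking 'Fix checked'."""
    return [f.line for f in findings if f.verdict != "keep"]
```

Run `audit_hjt(HJT_LOG, CFSCRIPT)` on the real post-ComboFix log and CFScript to get the same seven-line picture pskelley works out by eye: the two rundll32 O4 entries are not marked missing because HJT does not check O4 targets, so they are reported from the removal list instead.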

blikblik
2008-05-14, 17:49
You wrote:

What you can do on your end is check each file in the File:: "code box" for the CFScript, or check them randomly if you wish. I am fairly certain they were put there by the infection, but it does not hurt to check. Here are free online scanners you can use:

I am sorry, but I am not an expert here. What is the code box for the CFScript?

I currently have the Kaspersky lab check running.

The virus total one seems to want me to send it individual files.

And should I just go ahead, and start with your step one and continue from there also?

blikblik
2008-05-14, 17:52
I still cannot get Kaspersky to work.

It goes to the page where I have an accept/decline option and when I hit accept it shows about 2-3 brief communications between my computer and Kaspersky and then says done without actually doing anything.

Thank you again.

pskelley
2008-05-14, 18:09
Code:
File::
C:\WINDOWS\SYSTEM32\shaimetk.ini
C:\WINDOWS\SYSTEM32\ktemiahs.dll
C:\WINDOWS\SYSTEM32\anvudxaq.dll
C:\WINDOWS\SYSTEM32\liykayqu.dll
C:\WINDOWS\SYSTEM32\vcoxmsck.exe
C:\WINDOWS\SYSTEM32\eegiPqss.ini
C:\WINDOWS\SYSTEM32\yupwjjlj.ini
C:\WINDOWS\SYSTEM32\vholikur.dll
C:\WINDOWS\SYSTEM32\ujhjnjyb.dll
C:\WINDOWS\SYSTEM32\xciomsir.dll
C:\WINDOWS\SYSTEM32\hlgccqru.exe
C:\WINDOWS\SYSTEM32\xwfkepuw.dll
C:\WINDOWS\SYSTEM32\orssulxn.exe
C:\WINDOWS\SYSTEM32\cuecvhsx.dll
C:\WINDOWS\SYSTEM32\fisrxabs.dll
C:\WINDOWS\SYSTEM32\vgvpndpp.dll
C:\WINDOWS\SYSTEM32\xeppqalk.exe
C:\WINDOWS\SYSTEM32\ramjbsgl.dll
C:\WINDOWS\SYSTEM32\ljJARiiH.dll
C:\WINDOWS\SYSTEM32\yigdvews.ini
C:\WINDOWS\SYSTEM32\ugblvkjs.dll
C:\WINDOWS\SYSTEM32\nkbetitq.exe
C:\WINDOWS\SYSTEM32\ysdqtawl.dll
C:\WINDOWS\SYSTEM32\ssqPigee.dll
C:\WINDOWS\system32\envchjra.dll
C:\WINDOWS\system32\byXPFwtR.dll
C:\WINDOWS\system32\yjhmtoyh.dll
C:\WINDOWS\system32\rljsxsfr.dll


I still cannot get Kaspersky to work.
It goes to the page where I have an accept/decline option and when I hit accept it shows about 2-3 brief communications between my computer and Kaspersky and then says done without actually doing anything.

All you do is open the link and browse to the files, then submit it. In a few minutes you should get a report. There is no way I can do this for you, the files are on your computer.

If Kaspersky does not work, try one of the other two.

This is fairly basic computing and far from needing expert knowledge.

Thanks

blikblik
2008-05-14, 18:56
OK, I ran all the files through http://virusscan.jotti.org/ and saved them as a text file. Do you want that posted? Most were infected, many did not have the note saying that these were previously viewed files, and would not be saved.

I tried putting the CFScript.txt into ComboFix, and pretty early on got a computer shutdown, and memory dump.

I am trying that again.

From that point should I continue with the other steps, or just post the HJT and ComboFix logs?

pskelley
2008-05-14, 19:06
I was fairly sure those files were bad and I was also concerned about the reason combofix did not find them in the first scan. If you are having problems running CFScript, try deleting combofix completely and downloading it again, from the link I provided and starting from the first scan to see what happens. I think something unusual happened the first scan, and I don't believe it is combofix, since I use it all of the time.

Once you have the new copy and try the CFScript again, if it does not work, continue until you finish. We are running out of tools to remove the Vundofix, but it can be done manually, one file at a time if need be.

Thanks

blikblik
2008-05-14, 22:51
Sorry about the delay.

I ran the second Combofix, and it made it to printing the log file, I saw it and then the system went down.

While trying to do it again I lost internet. (the joys of satellite)

Anyway, here is the Combo fix log (third time was the charm, and it went much faster too):

ComboFix 08-05-12.1 - Brian 2008-05-14 15:33:27.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.697 [GMT -5:00]
Running from: C:\Documents and Settings\Brian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Brian\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\SYSTEM32\anvudxaq.dll
C:\WINDOWS\system32\byXPFwtR.dll
C:\WINDOWS\SYSTEM32\cuecvhsx.dll
C:\WINDOWS\SYSTEM32\eegiPqss.ini
C:\WINDOWS\system32\envchjra.dll
C:\WINDOWS\SYSTEM32\fisrxabs.dll
C:\WINDOWS\SYSTEM32\hlgccqru.exe
C:\WINDOWS\SYSTEM32\ktemiahs.dll
C:\WINDOWS\SYSTEM32\liykayqu.dll
C:\WINDOWS\SYSTEM32\ljJARiiH.dll
C:\WINDOWS\SYSTEM32\nkbetitq.exe
C:\WINDOWS\SYSTEM32\orssulxn.exe
C:\WINDOWS\SYSTEM32\ramjbsgl.dll
C:\WINDOWS\system32\rljsxsfr.dll
C:\WINDOWS\SYSTEM32\shaimetk.ini
C:\WINDOWS\SYSTEM32\ssqPigee.dll
C:\WINDOWS\SYSTEM32\ugblvkjs.dll
C:\WINDOWS\SYSTEM32\ujhjnjyb.dll
C:\WINDOWS\SYSTEM32\vcoxmsck.exe
C:\WINDOWS\SYSTEM32\vgvpndpp.dll
C:\WINDOWS\SYSTEM32\vholikur.dll
C:\WINDOWS\SYSTEM32\xciomsir.dll
C:\WINDOWS\SYSTEM32\xeppqalk.exe
C:\WINDOWS\SYSTEM32\xwfkepuw.dll
C:\WINDOWS\SYSTEM32\yigdvews.ini
C:\WINDOWS\system32\yjhmtoyh.dll
C:\WINDOWS\SYSTEM32\ysdqtawl.dll
C:\WINDOWS\SYSTEM32\yupwjjlj.ini
.

((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-13 19:02 . 2008-05-13 19:02 <DIR> d-------- C:\VundoFix Backups
2008-05-13 18:01 . 2008-05-13 18:01 2,112 --a------ C:\WINDOWS\SYSTEM32\rvomhbtw.exe
2008-05-13 12:53 . 2008-05-13 12:53 <DIR> d-------- C:\Deckard
2008-05-13 09:57 . 2008-05-14 11:48 109,849 --a------ C:\WINDOWS\BM2741a295.xml
2008-05-12 20:32 . 2008-05-12 20:32 23,981 --a------ C:\WINDOWS\SYSTEM32\datmps.dll
2008-05-12 20:32 . 2008-05-12 20:32 8,816 --a------ C:\WINDOWS\SYSTEM32\wlite.sys
2008-05-12 18:33 . 2008-05-12 18:33 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2008-05-12 17:13 . 2008-05-12 21:11 525 --a------ C:\WINDOWS\wininit.ini
2008-05-12 17:09 . 2008-05-12 17:09 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Talkback
2008-05-12 17:09 . 2008-05-12 17:21 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\StumbleUpon
2008-05-12 16:45 . 2008-05-12 16:45 <DIR> d-------- C:\My Video
2008-05-12 14:40 . 2008-05-12 16:46 56 --a------ C:\WINDOWS\cryavitompeg.ini
2008-05-12 14:39 . 2008-05-12 16:46 5 --a------ C:\WINDOWS\SYSTEM32\SySavitompeg.dat
2008-05-12 14:38 . 2008-05-12 14:38 <DIR> d-------- C:\Program Files\Crystal Software
2008-05-12 14:24 . 2008-05-12 14:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\winRem
2008-05-12 14:24 . 2008-05-12 14:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\spoolX
2008-05-12 14:24 . 2008-05-12 14:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\MUI2
2008-05-12 14:24 . 2008-05-12 14:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\dFrnx05
2008-05-12 14:24 . 2008-05-12 14:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\1036a
2008-05-12 14:24 . 2008-05-12 14:24 <DIR> d-------- C:\Temp\tmpvc14
2008-05-12 14:24 . 2008-05-12 14:25 <DIR> d-------- C:\Program Files\winvi
2008-05-12 14:24 . 2008-05-12 14:24 493,862 --a------ C:\Temp\dUbc1002.exe
2008-05-04 13:09 . 2008-05-04 13:10 <DIR> d-------- C:\Program Files\WordBiz
2008-05-02 19:21 . 2008-05-02 19:21 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SSScanAppDataDir
2008-05-02 19:21 . 2008-05-02 19:21 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\MSScanAppDataDir
2008-05-02 17:15 . 2008-05-02 17:15 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Hewlett-Packard
2008-05-02 17:14 . 2008-05-12 17:19 <DIR> d-------- C:\Documents and Settings\Admin
2008-05-02 17:14 . 2008-05-14 15:30 1,024 --ah----- C:\Documents and Settings\Admin\NTUSER.dat.LOG
2008-04-17 15:10 . 2008-04-17 15:10 107,888 --a------ C:\WINDOWS\SYSTEM32\CmdLineExt.dll
2008-04-17 13:53 . 2008-04-17 13:53 <DIR> d-------- C:\Program Files\Atari

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-13 16:29 --------- d-----w C:\Program Files\LimeWire
2008-05-12 23:35 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-12 22:12 --------- d-----w C:\Program Files\4U Computing
2008-05-12 22:11 --------- d-----w C:\Program Files\StumbleUpon
2008-05-12 19:40 --------- d-----w C:\Program Files\Incomplete
2008-05-12 19:09 --------- d-----w C:\Documents and Settings\Brian\Application Data\LimeWire
2008-05-11 15:39 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-04-17 18:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-12 17:47 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-12 17:42 --------- d-----w C:\Program Files\Safer Networking
2008-04-08 20:37 --------- d-----w C:\Program Files\Scholastic
2008-04-04 22:11 --------- d-----w C:\Program Files\QuickTime
2008-03-31 15:24 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-20 00:12 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-19 23:47 --------- d-----w C:\Documents and Settings\Brian\Application Data\Netscape
2008-03-19 17:26 --------- d-----w C:\Program Files\Java
2008-03-19 16:24 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\{36D03E21-363A-4CBC-9E13-A90BDCFAFB04}
2008-03-19 15:47 --------- d-----w C:\Program Files\MSBuild
2008-03-19 15:45 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2007-01-30 23:38 194,376 -c--a-w C:\Documents and Settings\Brian\Application Data\shb.dat
2003-08-27 19:19 36,963 -c--a-r C:\Program Files\Common Files\SM1updtr.dll
2005-04-20 00:25 53,323 ----a-w C:\Program Files\opera\program\plugins\PlugDef.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-12_21.55.18.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-13 02:46:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-14 20:30:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-14 20:30:28 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_548.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5b90d1a5-1d99-4c96-9262-c79080d7879f}]
C:\WINDOWS\system32\envchjra.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7580F730-9EE7-45BF-9D0F-70C619FFD9E4}]
C:\WINDOWS\system32\urqOIXQH.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}]
C:\WINDOWS\system32\byXPFwtR.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 04:01 135264]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 04:00 90112]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-28 12:14 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-30 21:57 77824]
"24729109"="C:\WINDOWS\system32\yjhmtoyh.dll" [ ]
"BM2741a295"="C:\WINDOWS\system32\rljsxsfr.dll" [ ]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 02:17:18 147456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}"= C:\WINDOWS\system32\byXPFwtR.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXPFwtR]
byXPFwtR.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wlite.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 13:31]
R1 wlite;WMV9 Codec;C:\WINDOWS\system32\wlite.sys [2008-05-12 20:32]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 13:35]
R2 HIDKbFlt;HIDKbFlt.SvcDesc%;C:\WINDOWS\system32\DRIVERS\HIDKbFlt.sys [2005-07-25 05:13]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 15:38:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-14 15:43:24
ComboFix-quarantined-files.txt 2008-05-14 20:43:22
ComboFix2.txt 2008-05-14 17:32:42
ComboFix3.txt 2008-05-13 22:50:27
ComboFix4.txt 2008-05-13 22:30:16
ComboFix5.txt 2008-05-13 17:03:30

Pre-Run: 68,030,021,632 bytes free
Post-Run: 68,017,913,856 bytes free

168 --- E O F --- 2008-04-09 08:03:29

And the resulting HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:50 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Brian\Desktop\HJT\blikblik.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=lindy68&login=d02e5a4968e1bd37043ca33a291c120a/lindy68:netzero.net/1166850547/30/sss.8.51015/&ts=458cb9f3&A=575040350000009&B=1126854000000&C=1126854000000&D=1166774400000&I=8.NH4&N=PLHS&O=I&UT=
O2 - BHO: {f9787d08-097c-2629-69c4-99d15a1d09b5} - {5b90d1a5-1d99-4c96-9262-c79080d7879f} - C:\WINDOWS\system32\envchjra.dll (file missing)
O2 - BHO: (no name) - {7580F730-9EE7-45BF-9D0F-70C619FFD9E4} - C:\WINDOWS\system32\urqOIXQH.dll (file missing)
O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - C:\WINDOWS\system32\byXPFwtR.dll (file missing)
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [24729109] rundll32.exe "C:\WINDOWS\system32\yjhmtoyh.dll",b
O4 - HKLM\..\Run: [BM2741a295] Rundll32.exe "C:\WINDOWS\system32\rljsxsfr.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165792850984
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: byXPFwtR - byXPFwtR.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5039 bytes

I am proceeding to the next step and will get back to you soon.

Thank you.
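
The entries a helper looks for first in a log like the one above (O2 BHOs whose DLL is already gone, O4 Run values that load a random-named DLL out of System32 through rundll32, an O20 Winlogon Notify handler pointing at a missing DLL, O6 IE policy restrictions) can be written down as rules. The script below is an example added here to illustrate that triage; it is not code from this thread, from HijackThis or from Trend Micro. Its sample lines are constructed copies of entries from the log above, and the thresholds it uses (8-letter names, a 60% digit ratio, "fewer than two vowels") are assumptions chosen for the example, not HijackThis conventions.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example for this thread; not part of HijackThis or of the posted
logs. It encodes the checks a helper applies by eye: O2/O20 handlers
whose DLL no longer exists, O4 Run entries that load a DLL out of
System32 through rundll32, Run value names that are mostly digits,
random-looking 8-letter DLL names, and O6 IE policy restrictions.
The thresholds below are assumptions chosen for this example.
"""
import re

# Constructed sample: a trimmed copy of entries from the first log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: {f9787d08-097c-2629-69c4-99d15a1d09b5} - {5b90d1a5-1d99-4c96-9262-c79080d7879f} - C:\WINDOWS\system32\envchjra.dll (file missing)
O2 - BHO: (no name) - {7580F730-9EE7-45BF-9D0F-70C619FFD9E4} - C:\WINDOWS\system32\urqOIXQH.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [24729109] rundll32.exe "C:\WINDOWS\system32\yjhmtoyh.dll",b
O4 - HKLM\..\Run: [BM2741a295] Rundll32.exe "C:\WINDOWS\system32\rljsxsfr.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - Winlogon Notify: byXPFwtR - byXPFwtR.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

SECTION = re.compile(r"^(R\d|O\d{1,2}) - ")          # "O2", "O20", "R1", ...
RUN_ENTRY = re.compile(r"\[([^\]]+)\]\s+(.*)$")       # [ValueName] command line
DLL_NAME = re.compile(r"([A-Za-z0-9_]+)\.dll", re.IGNORECASE)
VOWELS = set("aeiouAEIOU")


def looks_random(stem: str) -> bool:
    """Crude stand-in for an entropy check: an 8-letter name with mixed
    internal case, or with fewer than two vowels. Ranks, does not convict."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    mixed_case = any(c.isupper() for c in stem[1:]) and any(c.islower() for c in stem)
    few_vowels = sum(c in VOWELS for c in stem) < 2
    return mixed_case or few_vowels


def mostly_digits(name: str) -> bool:
    """Run value names like [24729109] carry no product name at all."""
    return sum(c.isdigit() for c in name) / max(len(name), 1) >= 0.6


def triage_line(line: str) -> list[str]:
    """Return the reasons one HJT line deserves a second look (empty if none)."""
    m = SECTION.match(line)
    if not m:
        return []
    section, reasons = m.group(1), []
    if section in ("O2", "O20") and "(file missing)" in line:
        reasons.append(f"{section}: handler still registered but its DLL is gone (orphaned entry)")
    if section == "O4":
        run = RUN_ENTRY.search(line)
        if run:
            name, cmd = run.group(1), run.group(2)
            if "rundll32" in cmd.lower() and "\\system32\\" in cmd.lower():
                reasons.append("O4: rundll32 loads a DLL from System32 at logon")
            if mostly_digits(name):
                reasons.append(f"O4: Run value name {name!r} is mostly digits")
    if section == "O6" and "Restrictions present" in line:
        reasons.append("O6: IE policy restrictions are set; confirm they were intended")
    dll = DLL_NAME.search(line)
    if dll and looks_random(dll.group(1)):
        reasons.append(f"random-looking DLL name {dll.group(1)!r}")
    return reasons


def triage(log_text: str) -> list[dict]:
    """Run triage_line over a whole log and keep only the lines that hit."""
    findings = []
    for line in log_text.strip().splitlines():
        reasons = triage_line(line)
        if reasons:
            findings.append({"section": SECTION.match(line).group(1),
                             "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("   ->", r)
```

Run it and six of the ten sample lines are reported, which is the same set a helper would ask to have fixed: the two orphaned BHOs, both rundll32 Run values, the O6 restriction and the Winlogon Notify handler. The name heuristics only rank entries; a legitimate driver with an odd name will trip them, so the signed vendor path (as on the O23 avast! lines) is still the deciding evidence.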

blikblik
2008-05-14, 23:04
I used HiJackThis to fix the boxes you asked for and ran the ATF cleaner that went really fast.

Here is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:54:32 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Brian\Desktop\HJT\blikblik.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=lindy68&login=d02e5a4968e1bd37043ca33a291c120a/lindy68:netzero.net/1166850547/30/sss.8.51015/&ts=458cb9f3&A=575040350000009&B=1126854000000&C=1126854000000&D=1166774400000&I=8.NH4&N=PLHS&O=I&UT=
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165792850984
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4449 bytes

I hope some of this is helping.

As a side note, way back when, one of the first things I noticed was wrong was that the little red shield showed up saying auto-updates was off and I could not get it restarted. The shield is now gone, and auto-updates shows as being back on again.

My first attempt to fix this was trying to go back to a system restore point, which failed in the sense that they were all gone.

I have not checked to see if they are back.

pskelley
2008-05-14, 23:32
Thanks for the feedback. Malware can sure mess up a computer, and many trojans corrupt your settings, turn off your antivirus and firewall, etc.
Some of the damage can only be repaired by a reformat or at the least a repair or reinstallation of the operating system. We do what we can.

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:54:32 PM, on 5/14/2008

This HJT log looks good, but HJT can only show so much and the hackers do all they can to hide from HJT, they know our tools.
I will know more when I get a look at a Kaspersky Online Scan, and in order to get to that point, we need to cross this bridge.

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Review that information to understand the Recovery Console. Installation is optional, but if you do not have the CDs needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\CF-RC.txt.

Since we do not need to scan with combofix, click NO

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

Keep an eye on how the computer runs, record any error messages word for word and post them, once you install RC, we can remove the tools we used and run a scan to see what is left.

Thanks

blikblik
2008-05-14, 23:43
OK, I would like to reinstall the recovery console. I have used it in the past and it is helpful.

I do not have the rescue disks for the infected computer, but do have them for two different laptops. Can I use those to put the recovery console back?

If not, is it possible to do it another way?

Thank you.

It may be a little bit before I can get back so no rush.

pskelley
2008-05-14, 23:49
You need to slow a little and take the time to read the directions so you understand them:

From the link I provided:

If you use Windows XP and do not have the Windows CD, ComboFix includes a method of installing the Windows Recovery console by downloading a file from Microsoft. To install the Windows Recovery Console when you do not have the Windows XP CD, please follow these instructions:

If you have more questions, ask them...

blikblik
2008-05-15, 00:31
I installed the recovery console. My fault that I did not read past the link in the site you sent.

Here is the log from that:

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

pskelley
2008-05-15, 00:58
Thanks for the feedback, you may keep ATF-Cleaner if you wish, but delete combofix, C:\Qoobox\Quarantine\ folder, Vundofix and the C:\Vundofix Backups\ folder.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

blikblik
2008-05-15, 01:46
It now goes much farther. It asked about the ActiveX control and I allowed that. It initialized and performed an update. The update bar made it to 100% as it filled the dialog box listed below:

Please wait to update the virus definitions...
Downloading from url: ftp://downloads4.kaspersky-labs.com
Downloading remote file: master.xml
Downloading remote file: kernel.avc
Downloading from url: http://downloads2.kaspersky-labs.com
Downloading remote file: master.xml
Downloading remote file: kernel.avc
Downloading from url: ftp://downloads1.kaspersky-labs.com
Downloading remote file: master.xml
Downloading remote file: kernel.avc
Downloading from url: ftp://downloads2.kaspersky-labs.com
Downloading remote file: master.xml
Downloading remote file: kernel.avc
Downloading from url: http://downloads1.kaspersky-labs.com
Downloading remote file: master.xml
Downloading remote file: kernel.avc
Downloading from url: http://downloads4.kaspersky-labs.com
Downloading remote file: master.xml
Downloading remote file: kernel.avc
Downloading from url: ftp://downloads2.kaspersky-labs.com
Downloading remote file: master.xml
Downloading remote file: kernel.avc
Update process FAILED. No further antivirus actions can be performed!

Attention, you must be online to activate Kaspersky Online Scanner, since the latest Anti-Virus bases version must be downloaded prior to scan. Otherwise we cannot guarantee detection of latest viruses. [21]

I do not know if I am missing something, I am definitely on-line.

pskelley
2008-05-15, 02:47
I don't know, we use this scan all of the time with no problems?

Try this one:

Download Malwarebytes' Anti-Malware to your desktop.
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Thanks

blikblik
2008-05-15, 17:57
Here is the log from the Malwarebytes scan.

Malwarebytes' Anti-Malware 1.12
Database version: 752

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 217228
Time elapsed: 1 hour(s), 16 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 7
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wlite (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winvi (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\winvi (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\winvi (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\Program Files\winvi\dsktp (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\dFrnx05 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\1036a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\MUI2 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\spoolX (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\winRem (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{3EAE14CA-FC06-455C-81C2-CC55FF3169AB}\RP293\A0133134.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Temp\dUbc1002.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\dFrnx05\dFrnx051080.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\MUI2\GI-dot4c.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\spoolX\NsDatdsrv.exe (Trojan.StartPage) -> Quarantined and deleted successfully.
C:\Program Files\winvi\Uninst.exe (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\Program Files\winvi\version.ini (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\Program Files\winvi\dsktp\AC_RunActiveContent.js (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\Program Files\winvi\dsktp\desktop.html (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\Program Files\winvi\dsktp\internetDetection.swf (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\Program Files\winvi\dsktp\settings.sol (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wlite.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\datmps.dll (Rootkit.Agent) -> Quarantined and deleted successfully.


And the HJT log that came after it:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:28 AM, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Brian\Desktop\HJT\blikblik.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=lindy68&login=d02e5a4968e1bd37043ca33a291c120a/lindy68:netzero.net/1166850547/30/sss.8.51015/&ts=458cb9f3&A=575040350000009&B=1126854000000&C=1126854000000&D=1166774400000&I=8.NH4&N=PLHS&O=I&UT=
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165792850984
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4774 bytes

Thanks again

pskelley
2008-05-15, 18:05
How's the computer running? Any malware issues?

blikblik
2008-05-15, 18:14
The computer seems to be running fine. Internet windows don't seem to be popping up randomly.

With the teatimer off (I think that is what did it) Spybot is not giving me warnings every few seconds. Teatimer needs to go back on though.

As I said, the auto-update turned itself back on. And I can restart the System Restore Points. If the old ones do magically reappear, I don't think I will be using them.

The only thing I seem to be currently missing is my desktop background, somewhere along the way it disappeared and became a slate blue. Once again pretty easily fixed, and probably not a sign of continuing problems.

Are there any specific things I should be doing to prevent this in the future?

I normally run Spybot, and Avast regularly.

pskelley
2008-05-15, 19:06
OK, sounds good. I will post closing information for you so you can benefit from it, and will give you a few days to watch the computer before I close the topic. Do read these instructions from experts; the information will go a long way towards preventing further infections. Before I post that information:

1) If you run TeaTimer, enable it now.

2) Use these instructions to make sure all System Restore points are clean:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

3) These may help with the Desktop issues.

1) Click Start, and then click Control Panel.
Double-click Display, click the Desktop tab, and then click Customize Desktop.
Select Restore Defaults

2) http://www.onecomputerguy.com/desktop.htm

3) http://www.kellys-korner-xp.com/xp_tweaks.htm
download the activedesktop.vbs file

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

blikblik
2008-05-15, 21:29
Thank you for the information.

I will go through it this evening, and try to get everything reset.

blikblik
2008-05-16, 23:19
It was working fine midday yesterday.

Last night when I turned it on to try and put the rest of it back to normal, it boots almost directly to the blue screen saying that it has been shut down to prevent further damage.

I love computers.

pskelley
2008-05-16, 23:25
I must have error messages word for word. It could even be a one time thing, I have gotten that message before. When you post the error message, post also a new HJT log so I can take a look.

I am also going to advise a diagnostic here:
http://www.pcpitstop.com/pcpitstop/
Tutorial: http://www.pcpitstop.com/techexpress/howto1.asp
Help with results: http://pcpitstop.invisionzone.com/index.php?showforum=6

If you post a link to the test results, I may spot something. Please make sure the link you post takes me to the test results. If you are unsure, look at what others are posting at the forum I posted a link to.

Thanks