Need Help one more time!
I don't know where this came from! The computer started acting funny, then ZoneLabs started freaking out on me. A buddy of mine sent an email; I scanned it and nothing was found, but when I tried to open it, Bam! Here are the results!
HijackThis log!
Logfile of HijackThis v1.99.1
Scan saved at 12:44:29 PM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\Scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windstream.net/wind.main/welcome.htm?ver=13898&
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\lpnxkfph.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {930D35D2-094D-41B9-8E89-D1B76F2C6E97} - C:\WINDOWS\system32\mljgfda.dll
O2 - BHO: (no name) - {AE991800-05CB-4862-9372-2211B7D5326C} - C:\WINDOWS\system32\pmkhi.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: mljgfda - C:\WINDOWS\SYSTEM32\mljgfda.dll
O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll
O20 - Winlogon Notify: winmqx32 - winmqx32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Here is the ComboFix log!
ComboFix 07-06-17 - C:\Documents and Settings\Eric Stallard\Desktop\ComboFix.exe
"Eric Stallard" - 2007-07-02 12:45:01 - Service Pack 2 NTFS
((((((((((((((((((((((((( Files Created from 2007-06-02 to 2007-07-02 )))))))))))))))))))))))))))))))
2007-07-02 11:10 66,112 --a C:\WINDOWS\system32\lpnxkfph.dll
2007-07-02 11:07 128,576 --a C:\WINDOWS\system32\syvsoeef.dll
2007-07-02 11:04 122,944 --a C:\WINDOWS\system32\wqihrtak.exe
2007-07-02 11:04 1,855,075 ---hs---- C:\WINDOWS\system32\ihkmp.bak2
2007-07-02 07:50 914 --a C:\WINDOWS\system32\scchk32.exe
2007-07-02 07:50 88,576 --a C:\WINDOWS\system32\6Bwm5zDC.exe
2007-07-02 07:50 14,848 --a C:\WINDOWS\system32\ggf.1002.dll
2007-07-01 23:50 5,632 --a C:\WINDOWS\system32\drivers\Entech64.sys
2007-07-01 23:04 6,369 ---hs---- C:\WINDOWS\system32\ihkmp.bak1
2007-07-01 23:04 266,336 --a C:\WINDOWS\system32\pmkhi.dll
2007-07-01 23:00 11,776 --a C:\WINDOWS\mgrs.exe
2007-07-01 22:59 67,072 --a C:\WINDOWS\system32\butulkhc.exe
2007-07-01 22:59 31,254 --a C:\WINDOWS\system32\rqrooon.dll
2007-07-01 22:59 31,254 --a C:\WINDOWS\system32\mljgfda.dll
2007-07-01 22:45 <DIR> d C:\DOCUME~1\ERICST~1\APPLIC~1\WinRAR
2007-07-01 09:51 <DIR> d C:\Program Files\Electronic Arts
2007-06-30 22:31 <DIR> d C:\DOCUME~1\ERICST~1\APPLIC~1\Azureus
2007-06-30 22:31 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-06-30 22:25 <DIR> d C:\WINDOWS\system32\URTTEMP
2007-06-30 22:19 3,972 --a C:\WINDOWS\system32\drivers\PciBus.sys
2007-06-30 22:19 21,664 --a C:\WINDOWS\system32\drivers\Entech.sys
2007-06-30 22:19 <DIR> d C:\WINDOWS\system32\Futuremark
2007-06-30 22:19 <DIR> d C:\Program Files\Futuremark
2007-06-30 00:10 75,932 --a C:\WINDOWS\system32\drivers\klick.dat
2007-06-30 00:10 75,248 --a C:\WINDOWS\zllsputility.exe
2007-06-30 00:10 74,396 --a C:\WINDOWS\system32\drivers\klin.dat
2007-06-30 00:10 2,234,400 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-06-30 00:10 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-06-30 00:09 110,360 --a C:\WINDOWS\system32\drivers\kl1.sys
2007-06-30 00:09 1,086,952 --a C:\WINDOWS\system32\zpeng24.dll
2007-06-30 00:09 <DIR> d C:\WINDOWS\system32\ZoneLabs
2007-06-24 16:18 <DIR> d C:\DOCUME~1\ERICST~1\APPLIC~1\Apple Computer
2007-06-19 08:34 10,872 --a C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-19 08:24 17,920 --a C:\WINDOWS\system32\mdimon.dll
2007-06-19 08:24 <DIR> d C:\Program Files\Microsoft ActiveSync
2007-06-19 08:23 <DIR> d C:\WINDOWS\SHELLNEW
2007-06-18 20:41 <DIR> d C:\WINDOWS\system32\Kaspersky Lab
2007-06-18 20:25 4,212 ---h C:\WINDOWS\system32\zllictbl.dat
2007-06-18 20:25 11,264 --a C:\WINDOWS\system32\SpOrder.dll
2007-06-18 20:25 <DIR> d C:\WINDOWS\Internet Logs
2007-06-17 14:37 49,152 --a C:\WINDOWS\nircmd.exe
2007-06-17 00:12 118,784 --a C:\WINDOWS\system32\MSSTDFMT.DLL
2007-06-17 00:12 <DIR> d C:\Program Files\SpywareBlaster
2007-06-16 15:02 1,156 --a C:\WINDOWS\mozver.dat
2007-06-16 14:22 <DIR> d C:\DOCUME~1\ERICST~1\APPLIC~1\Talkback
2007-06-16 14:21 0 --a C:\WINDOWS\nsreg.dat
2007-06-16 12:15 524,288 --ah C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-16 11:00 <DIR> dr C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
2007-06-16 10:52 89,088 --a C:\WINDOWS\system32\atl71.dll
2007-06-14 20:55 <DIR> d C:\WINDOWS\system32\AGEIA
2007-06-14 20:55 <DIR> d C:\Program Files\AGEIA Technologies
2007-06-11 23:51 <DIR> d C:\WINDOWS\system32\NtmsData
2007-06-03 12:04 83,536 --a C:\WINDOWS\system32\drivers\iksyssec.sys
2007-06-03 12:04 626,688 --a C:\WINDOWS\system32\msvcr80.dll
2007-06-03 12:04 59,984 --a C:\WINDOWS\system32\drivers\iksysflt.sys
2007-06-03 12:04 52,304 --a C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-06-03 12:04 39,248 --a C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-06-03 12:04 26,064 --a C:\WINDOWS\system32\drivers\kcom.sys
2007-06-03 12:04 <DIR> d C:\Program Files\Spyware Doctor
2007-06-03 12:04 <DIR> d C:\DOCUME~1\ERICST~1\APPLIC~1\PC Tools
2007-06-02 00:03 <DIR> d C:\Program Files\Jnes 0.6
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-02 16:32:51 d--h--w C:\Program Files\InstallShield Installation Information
2007-07-02 03:50:12 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-07-01 21:20:41 22,584 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-07-01 21:19:51 99,904 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-07-01 04:26:55 d w C:\Program Files\Lavasoft
2007-07-01 04:26:55 d w C:\Program Files\Common Files\Wise Installation Wizard
2007-06-30 02:42:48 d w C:\DOCUME~1\ERICST~1\APPLIC~1\LimeWire
2007-06-23 22:25:56 d w C:\DOCUME~1\ERICST~1\APPLIC~1\U3
2007-06-19 12:23:51 d w C:\Program Files\Microsoft.NET
2007-06-17 23:07:12 d w C:\Program Files\Windows NT
2007-06-17 03:58:16 d w C:\Program Files\Common Files\Motive
2007-06-02 23:25:59 d w C:\Program Files\ConsoleClassix.com
2007-05-31 00:32:19 d w C:\Program Files\CCleaner
2007-05-29 11:58:59 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-05-29 11:55:36 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-05-29 11:55:36 d w C:\Program Files\OpenAL
2007-05-27 13:42:49 45,056 ----a-w C:\WINDOWS\ssunstl.exe
2007-05-27 13:42:41 754,688 ----a-w C:\WINDOWS\Caption It!.scr
2007-05-21 22:51:10 d w C:\DOCUME~1\ERICST~1\APPLIC~1\Ahead
2007-05-13 15:33:37 d w C:\Program Files\AMD
2007-05-13 15:31:40 d w C:\Program Files\Yahoo!
2007-05-12 19:00:18 d w C:\Program Files\MultiExtractor
2007-05-12 17:42:22 d w C:\DOCUME~1\ERICST~1\APPLIC~1\CoreFTP
2007-05-12 02:26:05 d w C:\Program Files\Common Files\Ahead
2007-05-12 02:23:59 d w C:\Program Files\Nero
2007-05-12 01:59:13 d w C:\Program Files\TightVNC
2007-05-11 03:38:30 d w C:\Program Files\QuickTime
2007-05-11 03:36:47 d w C:\Program Files\Apple Software Update
2007-05-11 03:25:14 d w C:\Program Files\Common Files\AMD
2007-05-06 13:55:27 d w C:\Program Files\LimeWire
2007-05-05 19:11:27 95,674 ----a-w C:\WINDOWS\ShocknAwe Uninstaller.exe
2007-04-20 10:09:55 0 --sha-r C:\MSDOS.SYS
2007-04-20 10:09:55 0 --sha-r C:\IO.SYS
2007-04-20 10:09:55 0 ----a-w C:\CONFIG.SYS
2007-04-20 10:09:55 0 ----a-w C:\AUTOEXEC.BAT
2007-04-20 10:07:27 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-04-18 16:16:59 733,824 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-18 16:06:59 90,112 ----a-w C:\WINDOWS\system32\AvastSS.scr
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{1F6581D5-AA53-4b73-A6F9-41420C6B61F1}=C:\WINDOWS\system32\lpnxkfph.dll [2007-07-02 11:10]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{930D35D2-094D-41B9-8E89-D1B76F2C6E97}=C:\WINDOWS\system32\mljgfda.dll [2007-07-01 22:59]
{AE991800-05CB-4862-9372-2211B7D5326C}=C:\WINDOWS\system32\pmkhi.dll [2007-07-01 23:04]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-10-24 02:45 C:\WINDOWS\soundman.exe]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 19:14]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 19:15]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 16:49]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-05-17 12:02]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-12-16 12:57]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]
"{930D35D2-094D-41B9-8E89-D1B76F2C6E97}"="C:\WINDOWS\system32\mljgfda.dll" [2007-07-01 22:59]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljgfda]
mljgfda.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhi]
C:\WINDOWS\system32\pmkhi.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmqx32]
winmqx32.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\butulkhc.exe]
C:\WINDOWS\system32\butulkhc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
"C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gf1.0.0.2]
C:\WINDOWS\system32\6Bwm5zDC.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]
rundll32.exe "C:\WINDOWS\system32\syvsoeef.dll",forkonce
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
C:\WINDOWS\system32\scchk32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
"C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"winvnc"=2 (0x2)
"gusvc"=2 (0x2)
"ATI Smart"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"Net Agent"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
"aawservice"=2 (0x2)
"DomainService"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0347fe7c-f094-11db-a6c8-00192133f896}]
AutoRun\command- F:\LaunchU3.exe
Contents of the 'Scheduled Tasks' folder
2007-06-22 00:40:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-02 12:46:14
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-02 12:46:45
C:\ComboFix-quarantined-files.txt ... 2007-06-17 19:10
C:\ComboFix2.txt ... 2007-06-17 19:10
C:\ComboFix3.txt ... 2007-06-17 14:41
Comments
For the vundo infection run the procedure here starting from step 2 ....
http://www.help2go.com/Tutorials/Spyware_Information/Winfixer_Removal.html
But note that this is the best download link for the vundofix tool mentioned in step 3 .....
http://www.atribune.org/content/section/4/30/
You will be able to see the randomly named O2 & O20 log entries mljgfda.dll and pmkhi.dll.
When completed post a fresh HJT log here with an update on how the computer is working now.
Any more Bams?
MM
Incident                                          Status            Location
Potentially unwanted tool:Application/NirCmd.A    Not disinfected   C:\Documents and Settings\Eric Stallard\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/FunWeb      Not disinfected   C:\Program Files\HijackThis\backups\backup-20070616-235241-279.inf
Virus:Trj/Downloader.OZB                          Disinfected       C:\VundoFix Backups\hmcyejqi.exe.bad
Adware:Adware/DriveCleaner                        Not disinfected   C:\WINDOWS\mgrs.exe
Potentially unwanted tool:Application/NirCmd.A    Not disinfected   C:\WINDOWS\nircmd.exe
Adware:Adware/Yazzle                              Not disinfected   E:\Software\install.exe
Here is the HJL!
Logfile of HijackThis v1.99.1
Scan saved at 9:38:04 PM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\Scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windstream.net/wind.main/welcome.htm?ver=13898&
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
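The triage in this thread is done by eye: the helper spots the randomly named executables among the disabled msconfig\startupreg items in the ComboFix output, the "(no name)" O2 entries pointing at mljgfda.dll and pmkhi.dll, and then compares the fresh HijackThis log with the first one. The script below is an added example for this page (my code, not HijackThis, ComboFix or VundoFix), and it does the same triage mechanically: it parses O2/O4/O23 lines from an HJT log and the startupreg key/command pairs from a ComboFix log, flags randomly named files under the Windows directory, no-name BHOs, rundll32 loading a DLL out of system32, and services with an unknown owner or a missing file, and diffs two HJT logs to list what a cleanup removed. The "after" HJT lines and the ComboFix lines are copied from the logs posted above; the "before" HJT sample is constructed from the two DLL names the helper cited, with placeholder CLSIDs. The random-name test (few vowels or a long consonant run) is a heuristic I chose, not anything the tools do.

```python
"""Autostart triage for HijackThis (HJT) and ComboFix-style logs.
Added example for this thread, not HijackThis/ComboFix/VundoFix code.
looks_random() is a crude heuristic: read the path and vendor of any hit."""
import re

_HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
_PATH = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll))", re.IGNORECASE)
# a file sitting directly under \WINDOWS or \WINDOWS\system32
_WINDIR = re.compile(r"\\windows\\(?:system32\\)?[^\\]+$", re.IGNORECASE)
_STARTUPREG = re.compile(r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\(.+)\]$", re.IGNORECASE)

def looks_random(stem):
    """True for generated-looking names such as 'mljgfda' or '6Bwm5zDC':
    under 20% vowels, or a run of four or more consonants."""
    letters = "".join(c for c in stem.lower() if c.isalpha())
    if len(letters) < 4:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    longest_run = max(len(r) for r in re.findall(r"[^aeiou]+", letters) or [""])
    return vowel_ratio < 0.2 or longest_run >= 4

def command_flags(cmd):
    """Reasons to look closer at one autostart command line."""
    m = _PATH.search(cmd)
    if not m:
        return []
    path = m.group(1)
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons = []
    if _WINDIR.search(path) and looks_random(stem):
        reasons.append("random-looking file name under the Windows directory")
    if "rundll32" in cmd.lower() and path.lower().endswith(".dll") and _WINDIR.search(path):
        reasons.append("rundll32 loading a DLL from the Windows directory")
    return reasons

def parse_hjt(text):
    """Yield (section, body) for each 'Oxx - ...' line of an HJT log."""
    for line in text.splitlines():
        m = _HJT_LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def hjt_flags(text):
    """[(section, reason, body)] for HJT entries worth a closer look."""
    flags = []
    for section, body in parse_hjt(text):
        if section == "O2" and body.startswith("BHO: (no name)"):
            flags.append((section, "BHO with no name", body))
        if section in ("O2", "O4"):
            flags.extend((section, why, body) for why in command_flags(body))
        if section == "O23" and ("Unknown owner" in body or "(file missing)" in body):
            flags.append((section, "service with unknown owner or missing file", body))
    return flags

def hjt_diff(before, after):
    """(removed, added) entries between two HJT logs of the same machine."""
    b = {f"{s} - {body}" for s, body in parse_hjt(before)}
    a = {f"{s} - {body}" for s, body in parse_hjt(after)}
    return sorted(b - a), sorted(a - b)

def parse_startupreg(text):
    """Pair each msconfig\\startupreg key with the command on the next line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return [(m.group(1), lines[i + 1]) for i, ln in enumerate(lines[:-1])
            if (m := _STARTUPREG.match(ln))]

def startupreg_flags(text):
    """[(key name, reason, command)] for disabled startup items worth a look."""
    return [(name, why, cmd) for name, cmd in parse_startupreg(text)
            for why in command_flags(cmd)]

# Constructed "before" log: the two no-name BHOs the helper cited (mljgfda.dll,
# pmkhi.dll) with placeholder CLSIDs, plus the Java helper as a benign entry.
HJT_BEFORE = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\mljgfda.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\system32\pmkhi.dll
"""
# Lines copied from the second HJT log posted in the thread.
HJT_AFTER = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
"""
# Disabled startup items copied from the ComboFix output posted in the thread.
COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gf1.0.0.2]
C:\WINDOWS\system32\6Bwm5zDC.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]
rundll32.exe "C:\WINDOWS\system32\syvsoeef.dll",forkonce
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
C:\WINDOWS\system32\scchk32.exe
"""

if __name__ == "__main__":
    for hit in startupreg_flags(COMBOFIX) + hjt_flags(HJT_AFTER):
        print(" | ".join(hit))
    print("removed since the first log:", *hjt_diff(HJT_BEFORE, HJT_AFTER)[0], sep="\n    ")
```

Run as-is it lists 6Bwm5zDC.exe, the rundll32 load of syvsoeef.dll (twice: random name and rundll32-from-system32) and scchk32.exe from the ComboFix items, leaves NeroCheck.exe alone, and reports the two no-name BHOs as gone between the logs. Two hits in the fresh log show why the output is a worklist and not a verdict: the Spybot SDHelper BHO trips the "(no name)" rule but lives under Program Files, and a "(file missing)" service is often just debris from an uninstall. The rules are deliberately tied to location (a random-looking name is only flagged under \WINDOWS or \WINDOWS\system32), because names like qttask or winvnc would otherwise score as random too.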
You can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
Install and scan with both these (free) programs ...
Adaware > http://www.download.com/Ad-Aware-2007-Free/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5
Superantispyware > http://www.superantispyware.com/
Let them fix what they find.
Run another Panda scan and post the results again.
Post a fresh HJT log AND LET US KNOW how things are going now.
Better?
MM
If you are certain you have no more trouble you should clear out all old System Restore points then immediately create a new one so you have something to fall back on should anything go awry again. Also remember to make SR points on a regular basis.
More on System Restore ...
http://www.microsoft.com/windowsxp/using/helpandsupport/getstarted/ballew_03may19.mspx
What may have led up to your infection and help keep your computer free of malware …
http://www.castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html
http://www.help2go.com/Tutorials/Protect_Your_PC/Avoid_Web_Browser_Hijackers.html
http://www.techsupportforum.com/security-center/general-computer-security/115548-pc-safety-security-what-do-i-need.html
There is a little duplication/crossover but all these tutorials are well worth reading.
Don’t forget to keep Superantispyware updated and use it to scan/disinfect your computer from time to time.
If you do suffer an infection again you should first run CCleaner to clean out your system. Get CCleaner here but ensure you install it WITHOUT the optional Yahoo Toolbar download (you must untick/uncheck the relevant box on download) …
http://www.ccleaner.com/
Also run through this before posting another HijackThis log …
http://icrontic.com/forum/showthread.php?t=43902
Best wishes.
MM