ABetterInternet.nail
Having already deleted many files that were infecting my computer through the Windows Recovery Console, some program/malware that is started when Windows logs on is running two suspicious (to me) programs:
xbrfxn.exe and qfyfobrA. Every time I run Ad-Aware, the ABetterInternet.nail malware is detected and deleted, then when I run it again, it is found again. The BetterInternet entry points to an okjjx.exe in my registry under local_machine/software/microsoft/windows NT/winLogon. Whenever I delete this, it pops back up after I go to a different folder. It seems to be self-sustaining. I am also intermittently seeing popups through Internet Explorer. Here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:36:39 AM, on 6/11/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\qfyfobr.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\okjjx.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ygpnisq.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [qfyfobrA] C:\WINDOWS\qfyfobrA.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems Gatorlink VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Winamp.lnk = C:\Program Files\Winamp\winamp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.sxload.com
O20 - AppInit_DLLs: repairs303169590.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\qfyfobr.exe
-
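As an added example (not part of the original thread or of HijackThis itself), the following Python script parses HijackThis log lines like the ones posted above and flags the persistence points the helper later targets: extra programs chained onto the Winlogon Shell and UserInit values, AppInit_DLLs entries, Trusted Zone additions, and autoruns or services whose image sits directly in the Windows folder. The sample lines are copied from the first log in this thread; the "executable directly in the Windows folder" rule is a triage heuristic assumed here, not a HijackThis feature.

```python
import ntpath   # handles backslash paths on any OS
import re

# Sample HijackThis lines copied from the first log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\okjjx.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ygpnisq.exe
O4 - HKLM\..\Run: [qfyfobrA] C:\WINDOWS\qfyfobrA.exe
O4 - Global Startup: Winamp.lnk = C:\Program Files\Winamp\winamp.exe
O15 - Trusted Zone: *.mmohsix.com
O20 - AppInit_DLLs: repairs303169590.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\qfyfobr.exe
"""

WINDIR = r"c:\windows"   # assumed install location, as in the posted logs


def parse_line(line):
    """Split 'O4 - rest' into (section, rest); None for non-entry lines."""
    m = re.match(r"^([A-Z]\d{1,2}) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def in_windows_root(path):
    """Heuristic: a program living directly in C:\\WINDOWS (not a subfolder)."""
    p = path.strip().strip('"').lower()
    return ntpath.dirname(p) == WINDIR


def check_winlogon(rest):
    """F2 lines: Shell/UserInit should name only explorer.exe/userinit.exe."""
    m = re.match(r"REG:system\.ini: (Shell|UserInit)=(.*)$", rest)
    if not m:
        return None
    key, value = m.groups()
    expected = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}[key]
    parts = [p.strip() for p in value.split(",") if p.strip()]
    extra = [p for p in parts if ntpath.basename(p).lower() != expected]
    return f"Winlogon {key} chains extra program(s): {', '.join(extra)}" if extra else None


def check_autorun(rest):
    """O4 lines: '[name] path' or 'X.lnk = path'; flag images in the Windows root."""
    m = re.search(r"\] (.+)$|\.lnk = (.+)$", rest)
    if not m:
        return None
    target = m.group(1) or m.group(2)
    return f"autorun launches a program directly in the Windows folder: {target}" if in_windows_root(target) else None


def check_service(rest):
    """O23 lines: 'Service: name - owner - path'."""
    parts = rest.rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = parts
    reasons = []
    if "(file missing)" in path:
        reasons.append("image file missing")
    if in_windows_root(path):
        reasons.append("image lives directly in the Windows folder")
    return f"service '{name}' ({owner}): " + "; ".join(reasons) if reasons else None


def triage(log_text):
    """Return a list of (section, reason) for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        section, rest = parsed
        reason = None
        if section == "F2":
            reason = check_winlogon(rest)
        elif section == "O4":
            reason = check_autorun(rest)
        elif section == "O15":
            reason = "site added to the IE Trusted Zone: " + rest.split(":", 1)[1].strip()
        elif section == "O20" and rest.startswith("AppInit_DLLs:"):
            dlls = rest.split(":", 1)[1].strip()
            reason = "AppInit_DLLs loads into every GUI process: " + dlls if dlls else None
        elif section == "O23":
            reason = check_service(rest)
        if reason:
            findings.append((section, reason))
    return findings


if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(f"{section}: {reason}")
```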
OK, so I definitely did not even touch anything other than hitting 'Y' and 'Enter' when prompted; this is the log:
ComboFix:
Start Time= Sun 06/11/2006 19:53:55.90
QuickScan did not find any signs of infected files
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-06-11 14:02:52 ( .D... ) "C:\Program Files\combofix"
2006-06-11 14:02:02 327 ( A.... ) "C:\WINDOWS\vvymo.dll"
2006-06-11 12:00:36 ( .D... ) "C:\Program Files\Messenger"
2006-06-11 10:31:16 ( .D... ) "C:\Program Files\HijackThis"
2006-06-10 14:55:00 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Skype"
2006-06-10 14:54:52 ( .D... ) "C:\Program Files\Skype"
2006-06-06 08:59:38 ( .D... ) "C:\Program Files\ETS"
2006-06-04 14:40:08 ( .D... ) "C:\Program Files\ImTOO"
2006-05-31 18:36:44 ( .D... ) "C:\Program Files\Microsoft Visual Studio"
2006-05-31 08:26:40 ( .D... ) "C:\Program Files\Common Files\Ahead"
2006-05-31 08:26:36 ( .D... ) "C:\Program Files\Ahead"
2006-05-18 18:34:48 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Lavasoft"
2006-05-18 18:34:40 ( .D... ) "C:\Program Files\Lavasoft"
2006-05-11 20:28:26 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Syntrillium"
2006-05-11 20:27:48 ( .D... ) "C:\Program Files\Cooledit"
2006-05-09 12:11:02 ( .D... ) "C:\Program Files\EPSON"
2006-05-09 10:48:38 ( .D... ) "C:\Program Files\Cakewalk"
2006-05-04 00:26:22 5818784 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2006-05-02 23:19:06 ( .D... ) "C:\Program Files\Viewpoint"
2006-05-02 23:19:06 ( .D... ) "C:\Program Files\AOD"
2006-05-02 23:09:10 ( .D... ) "C:\Program Files\AIM95"
2006-04-30 16:31:42 ( .D... ) "C:\Program Files\Audio Encoder"
2006-04-27 13:37:16 ( .D... ) "C:\Documents and Settings\Jon\Application Data\MathWorks"
2006-04-24 21:26:44 ( .D... ) "C:\Program Files\MSXML 4.0"
2006-04-23 22:33:50 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Microsoft Web Folders"
2006-04-23 18:32:14 ( .D... ) "C:\Documents and Settings\Jon\Application Data\AdobeUM"
2006-04-23 15:55:30 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Adobe"
2006-04-23 15:46:00 ( .D... ) "C:\Program Files\Common Files\Adobe"
2006-04-23 15:43:06 ( .D... ) "C:\Program Files\Adobe"
2006-04-23 11:55:16 ( .D... ) "C:\Program Files\Microsoft ActiveSync"
2006-04-23 03:30:32 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Help"
2006-04-23 03:30:30 ( .D... ) "C:\Program Files\GoldWave"
2006-04-23 03:29:32 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Macromedia"
2006-04-22 23:54:20 ( .D... ) "C:\Documents and Settings\Jon\Application Data\PTC"
2006-04-22 22:55:48 ( .D.H. ) "C:\Program Files\InstallShield Installation Information"
2006-04-22 22:55:48 ( .D... ) "C:\Program Files\Common Files\Deterministic Networks"
2006-04-22 22:55:48 ( .D... ) "C:\Program Files\Cisco Systems"
2006-04-22 22:55:34 ( .D... ) "C:\Program Files\Common Files\InstallShield"
2006-04-22 22:53:08 ( .D... ) "C:\Documents and Settings\Jon\Application Data\SolidWorks"
2006-04-22 22:52:30 ( .D... ) "C:\Documents and Settings\Jon\Application Data\DWGEditor"
2006-04-22 22:50:04 ( .D... ) "C:\Program Files\Common Files\Designer"
2006-04-22 22:48:10 ( .D... ) "C:\Program Files\Common Files\SolidWorks Shared"
2006-04-22 22:47:20 ( .D... ) "C:\Program Files\Common Files\Bluebeam Software"
2006-04-22 22:47:18 ( .D... ) "C:\Program Files\Microsoft Office"
2006-04-22 22:47:12 ( .D... ) "C:\Program Files\SolidWorks"
2006-04-22 22:47:12 ( .D... ) "C:\Program Files\Common Files\Solidworks Data"
2006-04-22 22:47:12 ( .D... ) "C:\Program Files\Bluebeam Software"
2006-04-22 22:43:32 ( .D... ) "C:\Program Files\Winamp"
2006-04-22 22:43:00 ( .D... ) "C:\Program Files\WinRAR"
2006-04-22 21:16:18 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Identities"
2006-04-22 21:16:10 ( .D.H. ) "C:\Program Files\Uninstall Information"
2006-04-22 21:16:02 ( .DS.. ) "C:\Documents and Settings\Jon\Application Data\Microsoft"
2006-04-22 21:08:40 ( .D... ) "C:\Program Files\xerox"
2006-04-22 21:08:40 ( .D... ) "C:\Program Files\microsoft frontpage"
2006-04-22 21:08:06 0 ( A.... ) "C:\AUTOEXEC.BAT"
2006-04-22 21:05:20 ( .D... ) "C:\Program Files\Movie Maker"
2006-04-22 21:04:50 ( .D... ) "C:\Program Files\Windows Media Player"
2006-04-22 21:04:44 ( .D... ) "C:\Program Files\NetMeeting"
2006-04-22 21:04:44 ( .D... ) "C:\Program Files\Common Files\Services"
2006-04-22 21:04:38 ( .D... ) "C:\Program Files\Outlook Express"
2006-04-22 21:04:34 ( .D... ) "C:\Program Files\Common Files\MSSoap"
2006-04-22 21:04:30 ( .D... ) "C:\Program Files\Common Files\System"
2006-04-22 21:04:26 ( .D... ) "C:\Program Files\Internet Explorer"
2006-04-22 21:03:24 ( .D... ) "C:\Program Files\ComPlus Applications"
2006-04-22 21:03:08 ( .D.H. ) "C:\Program Files\WindowsUpdate"
2006-04-22 21:03:06 ( .D... ) "C:\Program Files\Online Services"
2006-04-22 21:02:48 ( .D... ) "C:\Program Files\MSN Gaming Zone"
2006-04-22 21:02:36 ( .D... ) "C:\Program Files\Windows NT"
2006-04-22 15:53:22 ( .D... ) "C:\Program Files\Common Files\ODBC"
2006-04-22 15:53:18 ( .D... ) "C:\Program Files\Common Files\SpeechEngines"
2006-04-22 15:53:16 ( .D... ) "C:\Program Files\Common Files\Microsoft Shared"
2006-04-22 15:53:16 ( .D... ) "C:\Program Files\Common Files"
2006-04-22 15:52:48 62 ( A.SH. ) "C:\Documents and Settings\Jon\Application Data\desktop.ini"
((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
WinUpdate.exe REG_SZ C:\Program Files\Windows\WinUpdate.exe
kbdshu REG_SZ C:\WINDOWS\System32\kbdshu.exe
Scheduled Tasks Folder Contents
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\SA.DAT
Completion time: Sun 06/11/2006 19:55:21.69
ComboFix ver 06.06.06 - This logfile is located at C:\ComboFix.txt
Here is HijackThis run again:
Logfile of HijackThis v1.99.1
Scan saved at 7:57:28 PM, on 6/11/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems Gatorlink VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Winamp.lnk = C:\Program Files\Winamp\winamp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.sxload.com
O20 - AppInit_DLLs: repairs303169590.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
Thanks for your continual help!!!
0 -
It may seem fixed, but not quite. A few things still left to do.
First I need to examine a file found by Combofix.
Go here to upload the file as an attachment
http://www.thespykiller.co.uk/forum/index.php?board=1.0
Just press new topic (Make the subject: For CalamityJane from jonny at LS ),
fill in a short message & then press the browse button and then navigate to & select this file on your computer.
File to upload:
C:\WINDOWS\vvymo.dll
(Do not post HJT logs there as they will not get dealt with)
You DO NOT need to be a member to upload, anybody can upload the files
You will not see the files that have been uploaded as they only show to the authorized users who can download them
......................
After you have uploaded the file, please come back to this thread and follow these steps next:
Open HijackThis and do a *scan only*
Checkmark these items in the list and then press the *fix checked* button:
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.sxload.com
O20 - AppInit_DLLs: repairs303169590.dll
Delete this file (if found) repairs303169590.dll
(Press *fix checked*...then close HijackThis)
Reboot your computer.
Scan once more and post a fresh HijackThis log please.
0 -
OK, so that seemed to catch the files I have been deleting easily enough; here are the two logs:
ComboFix
Start Time= Sun 06/11/2006 14:04:38.89
(((((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))
14:06:21.05
Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst
* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *
C:\WINDOWS\System32\xbrfxn.exe
C:\WINDOWS\System32\xbrfxn.exe
C:\WINDOWS\System32\okjjx.exe
C:\WINDOWS\SYSTEM32\YGPNISQ.EXE
* * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *
C:\WINDOWS\vvymo.dll
C:\WINDOWS\System32\ygpnisq.exe
C:\WINDOWS\System32\xbrfxn.exe
C:\WINDOWS\System32\xbrfxn.exe
C:\WINDOWS\System32\xbrfxn.exe
C:\WINDOWS\System32\okjjx.exe
C:\WINDOWS\System32\eirfovc.dll
C:\WINDOWS\System32\eirfovc.dll
C:\WINDOWS\System32\dyhij.dat
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\piege.exe
* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
2006-06-04 13:26:24 127,488 "C:\WINDOWS\system32\xbrfxn.exe"
2006-06-04 13:26:24 28,672 "C:\WINDOWS\system32\okjjx.exe"
2006-06-04 01:33:10 23,552 "C:\WINDOWS\system32\ygpnisq.exe"
2006-06-04 13:26:24 51,712 "C:\WINDOWS\system32\eirfovc.dll"
2006-06-04 13:26:24 127,488 "C:\WINDOWS\system32\dyhij.dat"
2006-06-11 14:02:02 327 "C:\WINDOWS\vvymo.dll"
2006-06-03 12:51:20 127,488 "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\piege.exe"
* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *
06/04/2006 01:26 PM 127,488 xbrfxn.exe.vir
06/04/2006 01:26 PM 127,488 dyhij.dat.vir
06/03/2006 12:51 PM 127,488 piege.exe.vir
06/04/2006 01:26 PM 51,712 eirfovc.dll.vir
06/04/2006 01:26 PM 28,672 okjjx.exe.vir
06/04/2006 01:33 AM 23,552 ygpnisq.exe.vir
DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO
* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
2006-06-11 14:02:02 327 "C:\WINDOWS\vvymo.dll"
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-06-11 14:02:52 ( .D... ) "C:\Program Files\combofix"
2006-06-11 14:02:02 327 ( A.... ) "C:\WINDOWS\vvymo.dll"
2006-06-11 12:00:36 ( .D... ) "C:\Program Files\Messenger"
2006-06-11 10:31:16 ( .D... ) "C:\Program Files\HijackThis"
2006-06-10 14:55:00 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Skype"
2006-06-10 14:54:52 ( .D... ) "C:\Program Files\Skype"
2006-06-06 08:59:38 ( .D... ) "C:\Program Files\ETS"
2006-06-04 14:40:08 ( .D... ) "C:\Program Files\ImTOO"
2006-05-31 18:36:44 ( .D... ) "C:\Program Files\Microsoft Visual Studio"
2006-05-31 08:26:40 ( .D... ) "C:\Program Files\Common Files\Ahead"
2006-05-31 08:26:36 ( .D... ) "C:\Program Files\Ahead"
2006-05-18 18:34:48 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Lavasoft"
2006-05-18 18:34:40 ( .D... ) "C:\Program Files\Lavasoft"
2006-05-11 20:28:26 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Syntrillium"
2006-05-11 20:27:48 ( .D... ) "C:\Program Files\Cooledit"
2006-05-09 12:11:02 ( .D... ) "C:\Program Files\EPSON"
2006-05-09 10:48:38 ( .D... ) "C:\Program Files\Cakewalk"
2006-05-04 00:26:22 5818784 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2006-05-02 23:19:06 ( .D... ) "C:\Program Files\Viewpoint"
2006-05-02 23:19:06 ( .D... ) "C:\Program Files\AOD"
2006-05-02 23:09:10 ( .D... ) "C:\Program Files\AIM95"
2006-04-30 16:31:42 ( .D... ) "C:\Program Files\Audio Encoder"
2006-04-27 13:37:16 ( .D... ) "C:\Documents and Settings\Jon\Application Data\MathWorks"
2006-04-24 21:26:44 ( .D... ) "C:\Program Files\MSXML 4.0"
2006-04-23 22:33:50 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Microsoft Web Folders"
2006-04-23 18:32:14 ( .D... ) "C:\Documents and Settings\Jon\Application Data\AdobeUM"
2006-04-23 15:55:30 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Adobe"
2006-04-23 15:46:00 ( .D... ) "C:\Program Files\Common Files\Adobe"
2006-04-23 15:43:06 ( .D... ) "C:\Program Files\Adobe"
2006-04-23 11:55:16 ( .D... ) "C:\Program Files\Microsoft ActiveSync"
2006-04-23 03:30:32 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Help"
2006-04-23 03:30:30 ( .D... ) "C:\Program Files\GoldWave"
2006-04-23 03:29:32 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Macromedia"
2006-04-22 23:54:20 ( .D... ) "C:\Documents and Settings\Jon\Application Data\PTC"
2006-04-22 22:55:48 ( .D.H. ) "C:\Program Files\InstallShield Installation Information"
2006-04-22 22:55:48 ( .D... ) "C:\Program Files\Common Files\Deterministic Networks"
2006-04-22 22:55:48 ( .D... ) "C:\Program Files\Cisco Systems"
2006-04-22 22:55:34 ( .D... ) "C:\Program Files\Common Files\InstallShield"
2006-04-22 22:53:08 ( .D... ) "C:\Documents and Settings\Jon\Application Data\SolidWorks"
2006-04-22 22:52:30 ( .D... ) "C:\Documents and Settings\Jon\Application Data\DWGEditor"
2006-04-22 22:50:04 ( .D... ) "C:\Program Files\Common Files\Designer"
2006-04-22 22:48:10 ( .D... ) "C:\Program Files\Common Files\SolidWorks Shared"
2006-04-22 22:47:20 ( .D... ) "C:\Program Files\Common Files\Bluebeam Software"
2006-04-22 22:47:18 ( .D... ) "C:\Program Files\Microsoft Office"
2006-04-22 22:47:12 ( .D... ) "C:\Program Files\SolidWorks"
2006-04-22 22:47:12 ( .D... ) "C:\Program Files\Common Files\Solidworks Data"
2006-04-22 22:47:12 ( .D... ) "C:\Program Files\Bluebeam Software"
2006-04-22 22:43:32 ( .D... ) "C:\Program Files\Winamp"
2006-04-22 22:43:00 ( .D... ) "C:\Program Files\WinRAR"
2006-04-22 21:16:18 ( .D... ) "C:\Documents and Settings\Jon\Application Data\Identities"
2006-04-22 21:16:10 ( .D.H. ) "C:\Program Files\Uninstall Information"
2006-04-22 21:16:02 ( .DS.. ) "C:\Documents and Settings\Jon\Application Data\Microsoft"
2006-04-22 21:08:40 ( .D... ) "C:\Program Files\xerox"
2006-04-22 21:08:40 ( .D... ) "C:\Program Files\microsoft frontpage"
2006-04-22 21:08:06 0 ( A.... ) "C:\AUTOEXEC.BAT"
2006-04-22 21:05:20 ( .D... ) "C:\Program Files\Movie Maker"
2006-04-22 21:04:50 ( .D... ) "C:\Program Files\Windows Media Player"
2006-04-22 21:04:44 ( .D... ) "C:\Program Files\NetMeeting"
2006-04-22 21:04:44 ( .D... ) "C:\Program Files\Common Files\Services"
2006-04-22 21:04:38 ( .D... ) "C:\Program Files\Outlook Express"
2006-04-22 21:04:34 ( .D... ) "C:\Program Files\Common Files\MSSoap"
2006-04-22 21:04:30 ( .D... ) "C:\Program Files\Common Files\System"
2006-04-22 21:04:26 ( .D... ) "C:\Program Files\Internet Explorer"
2006-04-22 21:03:24 ( .D... ) "C:\Program Files\ComPlus Applications"
2006-04-22 21:03:08 ( .D.H. ) "C:\Program Files\WindowsUpdate"
2006-04-22 21:03:06 ( .D... ) "C:\Program Files\Online Services"
2006-04-22 21:02:48 ( .D... ) "C:\Program Files\MSN Gaming Zone"
2006-04-22 21:02:36 ( .D... ) "C:\Program Files\Windows NT"
2006-04-22 15:53:22 ( .D... ) "C:\Program Files\Common Files\ODBC"
2006-04-22 15:53:18 ( .D... ) "C:\Program Files\Common Files\SpeechEngines"
2006-04-22 15:53:16 ( .D... ) "C:\Program Files\Common Files\Microsoft Shared"
2006-04-22 15:53:16 ( .D... ) "C:\Program Files\Common Files"
2006-04-22 15:52:48 62 ( A.SH. ) "C:\Documents and Settings\Jon\Application Data\desktop.ini"
((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSConfig REG_SZ C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
WinUpdate.exe REG_SZ C:\Program Files\Windows\WinUpdate.exe
kbdshu REG_SZ C:\WINDOWS\System32\kbdshu.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
flags REG_DWORD 8 (0x8)
Scheduled Tasks Folder Contents
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\SA.DAT
Completion time: Sun 06/11/2006 14:09:19.11
ComboFix ver 06.06.06 - This logfile is located at C:\ComboFix.txt
and
HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 2:12:50 PM, on 6/11/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems Gatorlink VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Winamp.lnk = C:\Program Files\Winamp\winamp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.sxload.com
O20 - AppInit_DLLs: repairs303169590.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
0 -
Hi jonny, Welcome!
You've got a very difficult-to-remove combo of nasties - but the good news is that this is a free tool that should be able to remove it.
Download Combofix.zip
http://www.bleepingcomputer.com/forums/ind...ype=post&id=866
Unzip it to its own folder.
Read here how to unzip/extract properly.
http://metallica.geekstogo.com/xpcompressedexplanation.html
Open the Combofix folder and doubleclick combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post this log in your next reply together with a new hijackthislog.
0 -
It doesn't look like everything ran correctly on Combofix. Could you please try to run that again and be sure that you do not mouse-click Combofix's window while it's running? That may cause it to stall.
Post the new log please
0 -
Well, it seems as if the problem is fixed (from the first time I ran Combofix): no more popups, Ad-Aware does not pick up the usual "a better internet.nail", msconfig does not have xbrfxn.exe or qfyfobr repetitively added, and regedit does not have errors such as okjjx.exe in the WinLogon category. Thank you so much for your help. I thought I was going to have to reinstall Windows. Which is not that big of a deal, but nevertheless.
0 -
Hi jonny,
I examined the file you uploaded. It's a fake planted by malware or disabled by one of the cleanup steps.
You can delete it:
C:\WINDOWS\vvymo.dll <--delete file
0 -
It seems to have worked, but an error occurred when I pressed 'fix checked':
<<An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: repairs303169590.dll)
Error #5 - Invalid procedure call or argument
Please email me at , reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible
Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2600.0000
HijackThis version: 1.99.1
This message has been copied to your clipboard.
Click OK to continue the rest of the scan.>>
HijackThis log after reboot:
Logfile of HijackThis v1.99.1
Scan saved at 2:23:14 PM, on 6/12/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems Gatorlink VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Winamp.lnk = C:\Program Files\Winamp\winamp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
0 -
Oh yes, I did delete the file vvymo.dll as instructed.
0 -
Looks OK. My instruction had an extra *fix checked* below the delete file...that may have caused the error, but it looks like it took OK. Were you able to delete repairs303169590.dll?
Finish up with a full system scan with Adaware and the latest updates: latest Definition file
SE1R111 08.06.2006
Everything looks ok on the logs, how is your computer acting?
0