29 replies to this topic

[Sean R D]

Greetings,

My PC is running Windows XP. I've tried several rounds of AdAware, Spybot S&D, and Malwarebyte's Anti- Malware.

Some fun things that are occurring:

-When I go to change my desktop background in display properties, the area to choose the background image, the "browse" tab, and "Position" tab are frozen. I can only select a color for the background.
-Pop Ups when using Internet Explorer
-A virus or spyware acting almost like a screensaver that animates little beatles on my desktop and slowly eats away the screen. (It hasn't happened since the last time I ran Spybot, but might still be in there
-I'm not sure if this is a coincidence, but when I tried Googling "hijackthis" forums on the infected PC, every link I click did not load. Also, www.whatthetech.com won't load either. I'm posting this with my Mac.
-Every time I try to update Ad-Aware through the in program update, the update fails.

Thank you very much!

Hijackthis Log;

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Micro Innovations\Optical Scroll\mouse32a.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\AOL\1131296374\ee\AOLSoftware.exe
C:\MOUSES~1.2\wh_exec.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\pcntlkdm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\QdrPack\QdrPack16.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\QdrModule\QdrModule16.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
c:\program files\common files\aol\1131296374\ee\services\antiSpywareApp\ver2_0_25_1\AOLSP Scheduler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1131296374\ee\aolsoftware.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\1131296374\ee\anotify.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {502B160A-2418-4A85-B11A-71570F29919D} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5702A91F-5B91-4CAB-80B2-9D70BFBF5740} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {97183E8E-4C6D-45E2-90EA-C025D826A661} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\rqRJcyyv.dll
O2 - BHO: (no name) - {DCDF2EB2-1614-4E1A-914C-369D29233F19} - C:\WINDOWS\system32\fcccbccb.dll
O3 - Toolbar: BeInSync - {4F2530BA-8C1D-4A6A-8BA0-74E93ADC9B12} - C:\PROGRA~1\BeInSync\SHELLEX.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Optical Scroll\mouse32a.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131296374\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [WheelMouse] C:\MOUSES~1.2\wh_exec.exe
O4 - HKLM\..\Run: [AOLAspSunset2] C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe
O4 - HKLM\..\Run: [{8fc15ed6-680f-f3eb-f579-6bcfffd00fec}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{4fc6477b-f2d3-56aa-8336-020ef1aa911c}.dll" DllInit
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [QdrPack16] "C:\Program Files\QdrPack\QdrPack16.exe"
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [QdrModule16] "C:\Program Files\QdrModule\QdrModule16.exe"
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\pcntlkdm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZJxdm128MHUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: BeInSync - {EE84A04D-8992-4b19-970F-6EA7A01F7331} - C:\PROGRA~1\BeInSync\SHELLEX.DLL
O9 - Extra 'Tools' menuitem: BeInSync - {EE84A04D-8992-4b19-970F-6EA7A01F7331} - C:\PROGRA~1\BeInSync\SHELLEX.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1151416643968
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemreq...m/sysreqlab.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: rqRJcyyv - C:\WINDOWS\SYSTEM32\rqRJcyyv.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Action Script - Unknown owner - C:\WINDOWS\system32\scvhost.exe (file missing)

[Gary R]

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Unless informed of in advance, failure to post replies within 5 days will result in this thread being closed.

Hi Sean R D

I'm Gary R, I'll be glad to help you with your computer problems.

Before we start: Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Please observe these rules while we work:

• Perform all actions in the order given.
• If you don't know, stop and ask! Don't keep going on.
• Please reply to this thread. Do not start a new topic.
• Stick with it till you're given the all clear.
• Remember, absence of symptoms does not mean the infection is all gone.

If you can do these things, everything should go smoothly.

• If you're using XP, you'll need Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
• If you're using Vista, it will be necessary to right click all tools we use and select ----> Run as Admistrator

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

You've got a pretty badly infected computer, so it's likely to take a little time before we can get you fully clean, stick with it and we should be able to get you up and running again.

First

Please go to Control Panel > Add/Remove Programs and Uninstall the following:

Viewpoint Manager

(and/or any other programme with Viewpoint in the name)

Next

Download HostsXpert and unzip it to your computer, somewhere where you can find it.

• Double click on HostsXpert.exe (the icon that's an orange circle with a big letter h) to launch the programme.
• Check to see if top button on left hand side says Make Writable ?
  
  • If it does. click on it then proceed to next instruction.
  • If not, just proceed to next instruction
• Click on Restore MS Hosts File to restore your Hosts file to its default condition.
• When prompted to confirm, click OK.
• Click on Make Read Only ? to secure it against further infection.
• Exit the programme.

Next

There are some new infections that damage your ability to boot if they are removed. So before we go any further, I need you to install Recovery Console to your computer. This is purely a precautionary measure, I don't see signs of them on your computer, but it's better to be a little cautious now than regretful later.

Recovery Console gives us the ability to recover your computer if things go wrong.

• Download combofix.exe by sUBs to your Desktop (it must be in this location).
• Alternate Download
• If you already have a previous version, delete it and download a new version.
• Go to Microsoft's website
• Select the download that's appropriate for your Operating System (if you have XP Media Centre, use download for XP Pro)

• Download the file & save it as it's originally named, to your Desktop.

• Next
  
• Disconnect from the Internet.
• Important! Temporarily disable your anti-virus, and anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its files which may cause unpredictable results.
• Click here to see a list of programs that should be disabled (ignore the firewalls). The list is not all inclusive. If yours are not listed and you don't know how to disable them, please ask.

• Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it.
• Follow the prompts to start ComboFix.
• When prompted, agree to the End-User License Agreement to install Microsoft Recovery Console.
• When complete a mesage will pop up asking if you want to continue scanning for Malware.
  
  • Click Yes
    
  • Combofix will now run a scan. (Usually takes 15-20 mins, but could be slightly longer)
  • When finished, it will
    
  • Produce a log for you. (it can also be found at C:\Combofix.txt)
• Post the log in your next reply please.
• Now run a new HJT scan and send me the log from that as well please.

[*]Don't forget to re-enable your anti-virus and anti-malware protection before re-connecting to the Internet.
[/list]IMPORTANT

• Do not use your computer while Combofix is running.
• Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
• If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.

If you have any problems with these instructions, a detailed Tutorial for how to use Combofix is available here.

Edited by Gary R, 18 May 2008 - 01:58 AM.

[Sean R D]

Hi Gary, Here's an Update. I uninstalled the Viewpoint Manager. I attempted the HostsXpert a few times. I don't know if it's working...the first time I tried, after I Write-protected it, my Desktop and Taskmanager disappeared, so I had to restart. Like I said before, for some reason, this forum won't load on the infected computer, so I've been downloading all the files to my mac then transferring them with a flash drive to the PC. It seems that Combo Fix won't run either. Should I try to run my Anti-malware programs again and then try to use Combofix? Sean

[Gary R]

I'm not sure why Combofix isn't running, do you get any messages when it fails?

Try the following.

• Click Start > Run type Notepad click OK.
• This will open an empty Notepad file.
• Copy/Paste the contents of the box below into Notepad.

Killall::

• Click Format and ensure Wordwrap is unchecked.
• Save as CFScript.txt to your Desktop.

Refering to the picture above, drag CFScript.txt into ComboFix.exe

Combofix will now process that file.

When finished, it will produce a log for you. Post that log in your next reply please, along with a new HJT log. (it can also be found at C:\Combofix.txt)

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

If that doesn't work then try running Combofix from Safe Mode.

To Reboot your computer in Safe Mode

• If your computer is running, shut down Windows, then turn the power off.
• Wait 30 seconds, then turn the computer on, and begin tapping the F8 key.
• The Windows Advanced Options Menu appears. (If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again).
• Select Safe Mode using the up/down arrow keys.
• Press Enter.
• Log on with an account that has administrator priviledges (NOT the account named Administrator).

Note: if you cannot boot into safe mode using this method, DO NOT attempt to do so by using MSConfig, this could result in your computer becoming unbootable.

Then

Run a scan with Combofix

• First
  
  • Important! Temporarily disable your anti-virus, and anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its files which may cause unpredictable results.
  • Click here to see a list of programs that should be disabled (ignore the firewalls). The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
• Double click combofix.exe & follow the prompts.
• Note: Combofix will automatically disconnect your Internet connection when it runs, do not reconnect it.
• When finished, it will
  
  • Produce a log for you. (it can also be found at C:\Combofix.txt)
  • Restore your Internet connection.
• Post the log in your next reply please.
• Now run a new HJT scan and send me the log from that as well please.

IMPORTANT

• Do not use your computer while Combofix is running.
• Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
• If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.

If you have any problems with these instructions, a detailed Tutorial for how to use Combofix is available here.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

If you're still having problems running Combofix

• Click Start > Run and type cleanmgr then click OK.
• This will bring up the Disk Cleanup window.
• Check the following entries.
  
  • Temporary Internet Files.
  • Recycle Bin.
  • Temporary Files.
• Click OK.
• When a prompt pops up click Yes.

Now download OTScanIt.exe by OldTimer to your Desktop.

• Double-click on it to extract the files.
• It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

• Close ALL OTHER PROGRAMS.
• Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
• Next check the following.
  
• Scan all users
• In the Drivers section click on Non-Microsoft.
• In the Rootkit Search section click on Yes
• Under Additional Scans click the checkboxes in front of the following items to select them:
  
• Reg - BotCheck
• File - Additional Folder Scans
  

[*]Do not change any other settings.
[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
[/list]Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. Make sure that the first line is code with brackets around it [] and that the last line is /code with brackets around it [].

If, after posting, the last line is not <End of Report> then the log is too big to fit into a single post and you will need to split it into multiple posts and post each separately.

Edited by Gary R, 18 May 2008 - 08:32 AM.

[Sean R D]

I tried the Nopepad command on combo fix. Didnt work I tried Combo Fix in safe mode. Didn't work Nothing happens when I click the Icon...no error message. I just doesn't run Same thing happens with OT ScanIt. After unzipping, I can't open the program. I went into the folder and there was an application called "catchme" I clicked on it and a box opened up and there is a tab where I can scan. I'll do that and post the log.

[Sean R D]

Catchme didn't produce a log

[Gary R]

Do you have access to another Windows based computer. If so, DL the tools using that then transfer them using USB disk, rather than using a Mac to DL. Not sure whether the Mac is having some effect on the DL process. Is the account you're using an Administrator account ?

Edited by Gary R, 18 May 2008 - 09:33 AM.

[Gary R]

If the instructions in the post above don't work, try the following.

First delete the copies of Combofix and OTScanIt.

Next

Click on combofix.exe by sUBs to download it to your Desktop (it must be in this location).

When the save box opens.



Save as FredFix



Do not download it and then re-name it, as this will not work, your infection will corrupt the file as soon as it is downloaded.

Now run a scan with Combofix (Fredfix), and post me the log please.

[Sean R D]

The account is administrator. I might be able to access another windows computer by tonight. I will try everything again after I use that computer. Is there anything else that can be done in the meantime? Any fixes we can do in HJT? I tried tried going on this forum with firefox, and It still won't load. I tried Googling combofix to download it again, but those pages won't load either.

[Gary R]

Did you see my latest instructions? We posted at about the same time, so you may have missed my last post.

[Sean R D]

Excellent... It looks like FredFix is working..but I think I might want to do it in safemode so I don't get any pop ups? do you recommend that?

[Sean R D]

I've run into another problem.. Combofix got past Stage 41... The malware that put the animated bugs on my screen occurred after that...it looked the the computer froze, I let it go for 15 minutes, then turned the computer off which I thought was a bad idea. I tried to run combofix again...the little loading box popped up and loaded, but then the program didn't launch.

[Gary R]

Combofix was designed to work in Normal Mode, and it will perform best if run that way. If you cannot run it in Normal Mode then Safe Mode is OK, but if it will run in Normal Mode, then that is what I'd prefer. I'm going to be out for the rest of the night, so I'll look your Combofix log over in the morning.

[Sean R D]

Ok I have combofix working again..I'll post the log if it works

[Sean R D]

Ok after running combofix, many of the symptoms seem to be gone...I can change my background, I can access this forum on the infected computer.

Here's the ComboFIx Log:

ComboFix 08-05-15.3 - Owner 2008-05-18 13:24:58.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.162 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

J:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-18 11:58 . 2008-05-18 12:30 <DIR> d-------- C:\FredFix
2008-05-17 18:59 . 2008-05-17 18:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-17 17:14 . 2008-05-17 17:14 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-05-17 17:14 . 2008-05-17 17:55 10,059 --a------ C:\startup.exe
2008-05-17 17:13 . 2004-08-04 15:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-17 13:17 . 2005-03-23 23:22 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-17 13:17 . 2005-05-11 12:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-05-17 13:17 . 2005-05-11 12:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
2008-05-17 13:17 . 2008-05-17 13:17 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-17 13:17 . 2008-05-18 13:00 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-17 13:05 . 2008-05-18 11:45 735 --a------ C:\WINDOWS\wininit.ini
2008-05-17 11:31 . 2008-05-17 11:31 298,311 --a------ C:\WINDOWS\system32\gside.exe
2008-05-17 10:45 . 2008-05-17 10:45 49,183 --a------ C:\WINDOWS\system32\jkwnw64l.exe
2008-05-17 08:13 . 2008-05-17 12:11 860 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-05-17 08:12 . 2008-05-17 08:12 <DIR> d-------- C:\WINDOWS\system32\polX
2008-05-17 08:12 . 2008-05-17 08:12 <DIR> d-------- C:\WINDOWS\system32\GUI2
2008-05-17 08:12 . 2008-05-17 08:12 <DIR> d-------- C:\WINDOWS\system32\dFrnx06
2008-05-17 08:12 . 2008-05-17 08:12 <DIR> d-------- C:\WINDOWS\system32\binR
2008-05-17 08:12 . 2008-05-17 11:48 <DIR> d-------- C:\WINDOWS\system32\3036a
2008-05-17 08:12 . 2008-05-17 08:12 <DIR> d-------- C:\temp\tmpvc14
2008-05-17 08:12 . 2008-05-17 08:12 401,972 --a------ C:\WINDOWS\system32\g88.exe
2008-05-17 08:12 . 2008-05-17 08:12 200,768 --a------ C:\WINDOWS\system32\pcntlkdm.exe
2008-05-17 08:11 . 2008-05-17 08:11 87,513 --a------ C:\WINDOWS\system32\xwusuhzh.exe
2008-05-17 08:11 . 2008-05-17 08:11 4 --a------ C:\WINDOWS\system32\hljwugsf.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 17:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-18 17:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-17 00:59 20,502 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-04-11 01:43 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-04-11 01:43 249,856 ------w C:\WINDOWS\Setup1.exe
2008-04-07 14:40 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-18 13:42 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-18_13.20.45.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-18 17:14:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-18 17:22:53 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BeInSyncConflict]
@={458829D6-C79F-4A99-897C-0DA32AB1A619}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BeInSyncConflictUnsync]
@={278A95EA-3EAE-4BCE-9986-0A86A98B1407}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BeInSyncUnsync]
@={6E80B8CC-6741-4362-A7E1-467763FC6297}

[HKEY_CLASSES_ROOT\CLSID\{458829D6-C79F-4A99-897C-0DA32AB1A619}]
2006-03-29 21:14 126464 --a------ C:\PROGRA~1\BeInSync\SHELLEX.DLL

[HKEY_CLASSES_ROOT\CLSID\{278A95EA-3EAE-4BCE-9986-0A86A98B1407}]
2006-03-29 21:14 126464 --a------ C:\PROGRA~1\BeInSync\SHELLEX.DLL

[HKEY_CLASSES_ROOT\CLSID\{6E80B8CC-6741-4362-A7E1-467763FC6297}]
2006-03-29 21:14 126464 --a------ C:\PROGRA~1\BeInSync\SHELLEX.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-07 11:34 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"Aim6"="" []
"QdrPack16"="C:\Program Files\QdrPack\QdrPack16.exe" [ ]
"WinUpdater"="C:\Program Files\winvi\update.exe" [ ]
"QdrModule16"="C:\Program Files\QdrModule\QdrModule16.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 18:04 135168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 14:50 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 18:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 18:51 118784]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 23:24 32768]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"FLMOFFICE4DMOUSE"="C:\Program Files\Micro Innovations\Optical Scroll\mouse32a.exe" [2006-09-02 11:29 356352]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50 71216]
"HostManager"="C:\Program Files\Common Files\AOL\1131296374\ee\AOLSoftware.exe" [2007-10-08 17:50 41824]
"WheelMouse"="C:\MOUSES~1.2\wh_exec.exe" [2007-02-28 09:42 86016]
"AOLAspSunset2"="C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe" [ ]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{561F5138-43B1-45D9-AEC9-478C51C1BD09}"= C:\PROGRA~1\BeInSync\SHELLEX.DLL [2006-03-29 21:14 126464]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\BeInSync\\BeInSyncServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\1131296374\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5120:TCP"= 5120:TCP:PORT_5120
"60931:TCP"= 60931:TCP:PORT_60931
"29418:TCP"= 29418:TCP:PORT_29418

R3 whfltr2k;WheelMouse USB Lower Filter Driver;C:\WINDOWS\system32\DRIVERS\whfltr2k.sys [2007-01-25 11:45]
S2 Windows Action Script;Windows Action Script;"C:\WINDOWS\system32\scvhost.exe" []
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-03-09 17:29]

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\srv32.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 13:26:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-18 13:29:42
ComboFix-quarantined-files.txt 2008-05-18 17:28:46

Pre-Run: 87,029,510,144 bytes free
Post-Run: 87,017,807,872 bytes free

138 --- E O F --- 2008-05-16 07:01:30