Er......this really sucks. Help, please?

There’s also the O20 line, but ixnnajpv.dll doesn’t show in running processes

O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)

I made 5 attempts at running DSS but each time I get a “…has encountered a problem and needs to close” error.

jkhhh.dll returned 11/32 (34.38%). I will send it to avast.
The D:\Program Files\BH0\ie-improver.dll file I cannot upload to VirusTotal since I cannot find a BHO directory in D:\Program Files\ in the upload browser.

(http://www.spywaredata.com/spyware/malware/jkhhh.dll.php)
I'm guessing this is a collection of jkhhh.dll files that people have uploaded, I do not see mine there, if judging by file size is a good indication of a match.
Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point.

Remove old restore points

Disk Cleanup - Launch the Disk Cleanup tool and then select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

Unless system restore points are created automatically, I do not have any since I recently reformatted. But will do.

Some tools for stubborn file removal:
- MoveOnBoot http://www.snapfiles.com/get/moveonboot.html
- Unlocker http://ccollomb.free.fr/unlocker/ is also good, as it has a few additional features: it not only deletes the files but stops any process that is stopping you from deleting a file.
Will be looking into this as well.
There's also the O20 line, but ixnnajpv.dll doesn't show in running processes

O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)


Hmm, that’s what VundoFix tried to delete twice but said it failed.

What about this file

D:\WINDOWS\system32\jkhhh.dll

Is it present on your computer?

I don’t know anything about DSS, will have to wait for mauserme or someone who does.

SAS quarantined some from your system restore. Yes they are created automatically.

Hold off a bit on that.

We might be able to remove that one, but first let’s see what combofix has to say.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply.
Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall.

My symptoms have now come back, though the frequency of IE pop-ups has decreased dramatically.

What about this file

D:\WINDOWS\system32\jkhhh.dll

Is it present on your computer?


It was, and is no longer. The ComboFix might have deleted it since that’s the only thing I’ve really done of late, see below.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you.

I ran it, though I don’t think it made it to completion. At one point in the window it did list a bunch of those randomly named files, then it restarted my PC after telling me it would, and after that continued running, but then the system restarted again with no warning from ComboFix, so I believe this second restart was some sort of failure… though I am not sure. Also it said it would restore my clock settings when done, but they’ve not been restored. I have looked in the ComboFix folder that was created and see no log; the only text file I see contains

ComboFix 07-10-21.1** - Administrator 2007-10-20 21:58:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1011 [GMT -6:00]
Running from: D:\Documents and Settings\Administrator\Desktop\ComboFix.exe

  • Created a new restore point
    .

I made sure to never click in the ComboFix window. But should I try to run it again?
Here is my Hijack This log anyways:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:37, on 2007-10-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\devldr32.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Comodo\Firewall\CPF.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
D:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\uTorrent\uTorrent.exe
D:\Program Files\Trend Micro\HijackThis\HijackThisAlex.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - D:\WINDOWS\system32\sivnbypf.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\sivnbypf.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MimBoot] D:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [hpfsched] D:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Reminder-hpc41001.lnk = D:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe
O4 - Global Startup: TELUS eCare.lnk = D:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)
O20 - Winlogon Notify: sivnbypf - D:\WINDOWS\SYSTEM32\sivnbypf.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe


End of file - 6845 bytes

As well I just want to attach a screenshot from Comodo’s Traffic section in case any of you can see something suspicious there. MotiveSB is related to my ISP software, I believe. I’m just wondering what the System and svchost.exe are.

DSS would have given much the same information as ComboFix + HJT, had it run.

The ComboFix log should be c:\combofix.txt

I was going to get him to try again with a new copy, renamed. But if you think that the first one ran, then just wait for him to report back.

I was looking for backup copies of the files that I hoped would show up in combofix. Looking at what alex posted, it looked like the first part of the log and combofix didn’t complete.

As I told alex, I don’t know anything about DSS or why it didn’t run and you’d probably know.

Stepping aside now

If it didn’t run, renaming it could very well work. I was just saying he should look for the log in c:\ , not in the combofix folder.

As I told alex, I don't know anything about DSS or why it didn't run and you'd probably know.

Stepping aside now


But you and David are the main helpers in this thread - I just jumped in with an idea or two. I’ll be happy to give some input on the ComboFix log if it’s wanted but otherwise I consider myself an observer :slight_smile:

@mauserme

Okay. Really appreciate the help. Reading my post again, it may have sounded like I was in a huff, believe me I was not. I thought perhaps you wanted to try DSS.

This started looking promising, until it seemed that combofix stalled/died. I was hoping to get to the .bak before it all started again.

I’ll get alex to try again with a new renamed copy.

@alex

If you can’t find the log in the location that mauserme posted (it may be in D:\ on your system), then try the following.

Delete the copy of combofix you have and download a new one. Before you run it, rename it.

No sweat. I’m PM’ing you some info about DSS.

alex

I was looking at your SAS logs again. The first scan you did was a complete scan. It found a couple of downloaders, which may or may not be related.

The symptoms returning would be due to the backup copies being restored by vundo. The file names will probably be different.

SAS seems to be able to catch enough of it to make your system usable for a short period of time. But so did vundofix that DavidR had you run.

Since the popups are less, I think some of it may be gone. Combofix may have gotten some of it as there are a couple of O4 lines missing.

Perhaps another complete scan by SAS with the settings I gave you earlier before combofix. If you’ve already run the renamed combofix that’s fine. Or better yet if you found the combofix log. We just have to find the backup files.

Alright, this is what I’ve done since my last post:

Ran SAS again, see log as attached. It found 120 or so threats, all which I quarantined.
Restarted with modem turned off. Found no obvious signs of infection, ie. alerts were gone.
Ran HJT, found a couple of the Winlogon Notify entries with random file names, Fixed them.
Tried running the same copy of ComboFix.exe I had downloaded, which somehow initiated a 60-second system restart countdown so that ComboFix could not run to completion.
After the restart with modem turned off still, ran HJT again and got this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:00, on 2007-10-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Comodo\Firewall\cmdagent.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
D:\WINDOWS\system32\devldr32.exe
D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
D:\Program Files\Comodo\Firewall\CPF.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
D:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe
D:\Program Files\TELUS eCare\bin\mpbtn.exe
D:\Program Files\Trend Micro\HijackThis\HijackThisAlex.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MimBoot] D:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [hpfsched] D:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Reminder-hpc41001.lnk = D:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe
O4 - Global Startup: TELUS eCare.lnk = D:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe


End of file - 6468 bytes

Turned modem back on and saw no alerts from Comodo about IE trying to make a connection as I previously did.
Still no symptoms of infection.
Downloaded a new copy of ComboFix from the other link that was posted and renamed it, will be running it next, or trying to. The partial ComboFix log that I posted before from my first run is in D:\ComboFix\ComboFix.txt. It’s the only text document in that folder and there is nothing of the sort in just D:.

Also I’m female, but minor detail. No worries. ;D
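The two HijackThis logs posted above, and Oldman's remark that a couple of O4 lines went missing between them, are the kind of thing the helpers in this thread read by eye. As an added example (not a tool from this thread, from Trend Micro, or from any of the posters), here is a small Python triage script that parses HJT entry lines, flags the patterns this thread turned on (a Winlogon Notify hook whose file is missing, an unnamed BHO or toolbar, a short all-lowercase DLL name, and one DLL registered under several hook types at once), and diffs two logs to list which entries disappeared. The sample logs inside it are constructed excerpts modelled on the ones posted here, and the random-name pattern is an assumption used only to raise a flag for a human to look at, not a rule anyone in the thread stated.

```python
"""HijackThis log triage helper (added example, not part of the thread)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed excerpts modelled on the two logs posted in the thread:
# before and after the SAS run plus the manual HJT fix of the O20 lines.
HJT_BEFORE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - D:\WINDOWS\system32\sivnbypf.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\sivnbypf.dll
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)
O20 - Winlogon Notify: sivnbypf - D:\WINDOWS\SYSTEM32\sivnbypf.dll
"""

HJT_AFTER = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# Every HJT entry line starts with a section code (R0, O2, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# Last path component ending in .dll, whatever precedes it.
DLL_RE = re.compile(r"([^\\\s]+\.dll)\b", re.IGNORECASE)
# Assumed heuristic: short, all-lowercase, nonsense DLL names like the ones in this
# thread (ixnnajpv.dll, sivnbypf.dll, jkhhh.dll). It will also hit a few legitimate
# files, so it only raises a flag for review; it never decides anything on its own.
RANDOM_DLL_RE = re.compile(r"^[a-z]{5,8}\.dll$")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every entry line, skipping headers and blanks."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def dll_name(body: str) -> str:
    """Base name of the DLL an entry points at, in its original case, or '' if none."""
    m = DLL_RE.search(body)
    return m.group(1) if m else ""


def flag_entry(section: str, body: str) -> List[str]:
    """Reasons a single entry deserves a second look; an empty list means nothing stood out."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("registered hook points at a file that is no longer on disk")
    if section in ("O2", "O3") and "(no name)" in body:
        reasons.append("BHO/toolbar with no registered name")
    name = dll_name(body)
    if RANDOM_DLL_RE.match(name):
        reasons.append(f"random-looking DLL name {name}")
    return reasons


def shared_dlls(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """DLLs referenced from more than one hook type (e.g. BHO + toolbar + Winlogon Notify)."""
    seen = defaultdict(list)
    for section, body in entries:
        name = dll_name(body).lower()
        if name and section not in seen[name]:
            seen[name].append(section)
    return {name: secs for name, secs in seen.items() if len(secs) > 1}


def triage(text: str) -> List[Tuple[str, List[str]]]:
    """Flagged entries with their reasons, in log order."""
    entries = parse_hjt(text)
    shared = shared_dlls(entries)
    flagged = []
    for section, body in entries:
        reasons = flag_entry(section, body)
        name = dll_name(body).lower()
        if name in shared:
            others = ", ".join(s for s in shared[name] if s != section)
            reasons.append(f"{name} also registered under {others}")
        if reasons:
            flagged.append((f"{section} - {body}", reasons))
    return flagged


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entries that disappeared between two runs, and entries that are new."""
    b = {f"{s} - {body}" for s, body in parse_hjt(before)}
    a = {f"{s} - {body}" for s, body in parse_hjt(after)}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for line, reasons in triage(HJT_BEFORE):
        print(line)
        for reason in reasons:
            print("   ->", reason)
    removed, added = diff_logs(HJT_BEFORE, HJT_AFTER)
    print(f"\n{len(removed)} entries gone since the previous log, {len(added)} new")
```

Run as a script it prints the four flagged entries from the first excerpt and reports that all four are gone in the second, which is the same conclusion Oldman reaches by eye; replace the two constants with the full logs to run it on a real pair. The shared-DLL check is the most useful of the rules here because a single file showing up as BHO, toolbar and Winlogon Notify at once is exactly the shape of the entries the thread is chasing, and it needs no guess about naming.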

I think that was from something that was removed earlier. Possibly one of the downloaders.

Usually when combofix has a problem it won’t work again. Also the new vundo is really giving the traditional tools a workout. The renaming may work like it used to with hjt.

Were these the lines

O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)
O20 - Winlogon Notify: sivnbypf - D:\WINDOWS\SYSTEM32\sivnbypf.dll

I meant to ask you, I don’t know if anyone did, is windows set to show all files?

If not

Open the Folder Options in the Control Panel. On the View tab make sure Show Hidden Files and Folders is checked and Hide Protected Operating System Files is not checked. Click OK.

I apologize, must remember not to ass u me. ;D

I don’t know if this was the result of trying to run a corrupted copy of combofix or something else at work here. Will have to check that out.

I did some checking and asking on this countdown. The opinion is it may be malware.

How are you making out with the renamed scan? I’m still concerned about there being hidden backup files.

If you are still having difficulties running combofix (countdown box appearing)

Do the following

Run a renamed ComboFix again. If you get the countdown, quickly click the Start Button, then click Run. Type “shutdown -a” without the quotes in the empty field and click OK. This will sometimes abort (-a) the pending shutdown.

If we can’t get a combofix log, I’ve requested mauserme to step in with a more sophisticated scanner.

An online scan at Kaspersky may also help. Just report back what is found. Kaspersky doesn’t offer any fixes, which in my opinion is good.

Your last hjt log looks like vundo is gone, but I’ve noticed a pattern. It seems to be a spread of a few hours before a new file is spawned and detected. Hence my concerns about hidden backups.

The SAS detections were mostly the DSS files.

edited to add: rename comboFix.exe to comboalex.exe and try running it from the renamed executable

If you are having problems let me know.

Were these the lines

O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)
O20 - Winlogon Notify: sivnbypf - D:\WINDOWS\SYSTEM32\sivnbypf.dll


I believe so, I can’t recall though.

is windows set to show all files?
It is now. Therefore, regarding what I said before:
The D:\Program Files\BH0\ie-improver.dll file I cannot upload to VirusTotal since I cannot find a BHO directory in D:\Program Files\ in the upload browser.
I have looked in the BHO directory and no such file is there any more.
An online scan at Kaspersky may also help. Just report back what is found.
Ran it on Critical Areas, it found 2 things. See attachment. Sorry about the formatting, had to copy and paste it from html. If it's hard to read I can upload the html file somewhere and link to it. Ran it on Memory, it was clean. I'm currently running it on my hard drives as well, but that will take a long while. So far it has found one virus on my other drive (C), I'm thinking it's probably unrelated to this.
It seems to be a spread of a few hours before a new file is spawned and detected.
Yep, though so far I have been symptom-free for about 30 hours and counting.
edited to add: rename comboFix.exe to comboalex.exe and try running it from the renamed executable
Okay, will do. I have not tried running it yet since I had some work going on the side and didn't want to deal with trying to restart my PC till it was done.

Thanks for the info and ongoing help, I will be updating with results.

That’s why it’s important you don’t delete/fix anything until requested. We have to be able to see what you are seeing. :wink: :slight_smile: 8)

Do you remember if sivnbypf.dll had file missing behind it? i.e. both O20 lines had (file missing)

Sorry, I should have twigged on your settings before. :-[ That’s the one I thought might have been zlob. I’d have to go back over all the SAS logs, but either SAS or combofix got it.

Let us know what turns up. It may be related.

Except for the countdown when you attempt to run combofix and the fact that DSS failed to run. This still concerns me.

I made 5 attempts at running DSS but each time I get a "....has encountered a problem and needs to close" error.

Do you recall if it was DSS that had the problem or something else? Was a reboot involved?

Don’t forget about the abort shutdown command if the countdown starts again.

No problem. Will be waiting for your combofix log.

I’d like you to upload these two files to www.virustotal.com

D:\WINDOWS\system32\lfonpnnv.dll
D:\WINDOWS\system32\lugaadol.dll

Just use copy and paste if you want. Please post the results. I know what Kaspersky called them, but would like to see what others call them.

Let me know if you have any problems. If you can’t get the renamed combofix to run we’ll try something else.

ComboFix is updated almost daily and it’s been several days since you downloaded the copy you have. Please delete that one and get a fresh copy from Here or Here. Then rename it as Oldman suggested and post the log (if it runs).

Please also give us a fresh HJTAlex log. I don’t know about Oldman but I’ve really lost track of the state of your computer at this point.

If you can’t get the new, renamed copy of ComboFix to run let’s look at a WinPFind log instead.

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

  1. Close ALL OTHER PROGRAMS.
  2. Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  3. Under Additional Scans click the checkboxes in front of the following items to select them:

  4. Now click the Run Scan button on the toolbar.
  5. Let it run unhindered until it finishes.
  6. When the scan is complete Notepad will open with the report file loaded in it.
  7. Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

This log will be quite long. You can either use multiple posts or attach the log file if it’s easier. In either case make sure the last line is < End of Report >.

Hi mauserme

Thanks for dropping in.

I’m not certain. It’s been awhile since the last hjt log. I thought I had asked for one, but I can see I didn’t. ::slight_smile:

But, there’s still this

so can’t honestly say.

Maybe this is a better comment on my uncertainty about this system’s health.

Besides the problem of the two scanners not running, I’m looking at this.

Since the countdown timer has shown up, three scans were done: SAS, hjt and kaspersky online, in that order. SAS picked up some more vundo detections and hjt showed what seems a clean log. A day later, an online scan shows two files kaspersky classifies as adware. SAS also classifies some vundo as adware. Since there is no naming standard, I asked for the files to be submitted to see what other names came up.

This brings us back to the question of hidden backups. Are these files replacements?

Until we see the hjtalex log, results of the files in question, and at the very least a comboalex log, I’d say the jury is still out.

edited to add

In regard to the last sentence, hjt log and submitted files results and comboalex (if it runs) if not WinPFind3u log.

alex, after you submit the files to virustotal, move them to the chest

  1. In the Virus Chest, switch to the user file category.
  2. In the main menu, select File → Add.
  3. Browse the folders and select the file you want to add.
  4. Choose Open.

then delete them from their original location and out of the recycle bin. Don’t worry, the chest is a safe place for the files. They can’t run or be accessed from outside the chest.