Dec 26 2007, 05:37 PM, Post #41
Newbie, Group: Members, Posts: 1, Joined: 26-December 07, Member No.: 8,127
After reading all the various posts, and since I have a machine that had most if not all the symptoms, here is what I documented on how I completely cleaned this system:

All, I had ticket EDITED assigned to me; the user was stating that she was getting the following popup error message with every boot-up:

During a scan of files at system startup, potential errors in the system registry were found. p-07-0100 irql: 1f SYSVER 0xff0024 NT_Kernel error 1256 KMODE_EXCEPTION_NOT_HANDLED

and then this after 10-15 minutes:

A potential problem has been detected and Windows has been shutdown buggy application to prevent damage to your computer. ****WXYZ.SYS - Address F73120AE base at C00000, DateStamp 36b072A3 Kernel Debugger Using: COM2 (Port0x28f, Baud rat 192000)

The user had two new icons on her desktop, Windows XP's "Help and Support" icon and Windows XP's "Windows Update", both pointing to http://storageprotector.com. Symptoms of this infection included sluggishness and inability to double-click the "My Computer" icon as well as others, depending on the configuration of the system.

I googled the NT_Kernel error 1256 and came upon the forum http://forum.bitdefender.com/index.php?showtopic=3561, and after combing through the forum I found a fix mentioned called FixVundo.exe. I have it saved at EDITED for easy access. I downloaded this third-party utility and ran it. It detected several .dlls related to this trojan and deleted all of them except one. The system required a reboot. Once rebooted, it deleted the final .dll and rebooted again, and all icons on the desktop were now accessible. However, a new error message popped up wanting to run one of the affected .dlls but was unable to locate it. The two malicious icons on the desktop also remained. Working with EDITED, the icons were deleted. Also, after double-clicking the "My Computer" icon, the C: drive icon was replaced with a big red X. After double-clicking the C: icon, roughly 4000+ .tmp files, all starting with the name posxxx.dll, were in the root. I highlighted and deleted those files.

With EDITED's help, we went into the registry editor and went to HKEY_LOCAL_MACHINE\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and deleted the .dll in that group. We then went to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer and found a folder called DriveIcon. We deleted it and refreshed the My Computer folder, which brought back the default icon for the C:. I then ran McAfee's On-Demand scan for good measure as well as deleted temp files and cookies. This system is now functioning normally. Hope this helps!

Dec 27 2007, 03:52 AM, Post #42
Newbie, Group: Members, Posts: 2, Joined: 23-December 07, Member No.: 7,999
Thanks EnterpriseSupport for your excellent guide, I'm sure it will help lots of users rid their systems of this stubborn trojan.

I looked at two XP Home machines that exhibited the symptoms you described. I ran VundoFix v6.7.7 in safe mode, rebooting multiple times to get rid of the many .dll files. However, several files could not be removed by VundoFix, so I had to run Pocket Killbox using the "Delete on Reboot" option to get rid of them. I found thousands of .tmp files in the root directory, but also in "My Documents" and in "\system32" as well. I ran /Start /Search /Files /*.tmp and found over 20,000 temp files! I highlighted all the .tmp files using CTRL-A and pressed SHIFT-DEL to delete all the files permanently (without sending them to the Recycle Bin). Both of these home computers were used by teenagers for IRC and P2P file-sharing. Interestingly, both machines were running an old version of Sun Java, v1.4.2_03. What was most alarming is that both systems had good antivirus products running on them, Symantec Norton 360 and Webroot SpySweeper with Antivirus.

Regards, JD

Dec 27 2007, 06:28 PM, Post #43
Newbie, Group: Members, Posts: 2, Joined: 27-December 07, Member No.: 8,176
Exactly as EnterpriseSupport described the symptoms (excellent job, btw!).

ComboFix and VundoFix did find infections, but failed to delete the files. So I booted off an Ubuntu 7 live CD (it supports NTFS in read-write mode) and looked at the system32 folder in detail. Removed the infected files that VundoFix discovered, but also found a bunch of .ini files with extraordinary size - around a megabyte each - which were not text files (just ran `file *.ini`, and the real .ini files get detected as ASCII text, while the suspicious ones show as DATA). From the creation dates of these files I figured out the approximate time of infection, and then searched the system32 folder for files created after that date. Found a bunch of .dll files that didn't belong there. Removed those too. After a reboot, the uggunoew.dll pops up again though :(
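The timeline pivot described in the post above (oversized .ini files in system32 that `file` reports as data mark the infection time; everything written after that point is suspect), as a script. This is an added example, not the poster's own commands: it substitutes modification time for the NTFS creation date the poster read, and builds a throwaway directory of constructed files (names modelled on the thread, contents fake) in place of a real system32.

```python
import os
import tempfile
import time

# The poster saw ~1 MB .ini files; genuine system32 .ini files are a few KB at most.
MIN_SUSPICIOUS_INI = 512 * 1024
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def looks_like_text(path, sample=4096):
    """Rough equivalent of `file` reporting 'ASCII text' rather than 'data'."""
    with open(path, "rb") as fh:
        chunk = fh.read(sample)
    if not chunk:
        return True
    if b"\x00" in chunk:
        return False
    printable = sum(1 for b in chunk if b in TEXT_BYTES)
    return printable / len(chunk) > 0.95


def suspicious_inis(directory):
    """Return [(name, mtime)] for .ini files that are both large and not text."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not (name.lower().endswith(".ini") and os.path.isfile(path)):
            continue
        st = os.stat(path)
        if st.st_size >= MIN_SUSPICIOUS_INI and not looks_like_text(path):
            hits.append((name, st.st_mtime))
    return hits


def files_modified_since(directory, pivot):
    """Names of regular files whose mtime is at or after the pivot timestamp."""
    out = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and os.stat(path).st_mtime >= pivot:
            out.append(name)
    return sorted(out)


def triage(directory):
    """Pivot on the earliest suspicious .ini; list everything written from then on."""
    inis = suspicious_inis(directory)
    if not inis:
        return None, []
    pivot = min(mtime for _, mtime in inis)
    return pivot, files_modified_since(directory, pivot)


def build_demo_system32(infected=True):
    """Constructed stand-in for system32 (names modelled on the thread, contents fake)."""
    root = tempfile.mkdtemp(prefix="sys32_")
    t_install = time.time() - 30 * 86400       # clean files: a month old
    t_infect = time.time() - 3600              # dropper ran an hour ago
    files = {
        "desktop.ini": (b"[.ShellClassInfo]\r\nIconIndex=0\r\n", t_install),
        "kernel32.dll": (b"MZ" + b"\x90" * 2048, t_install),
    }
    if infected:
        files.update({
            "uggunoew.ini": (bytes(range(256)) * 4096, t_infect),          # 1 MiB of non-text
            "uggunoew.dll": (b"MZ" + bytes(range(256)) * 16, t_infect + 120),
            "awtsq.exe": (b"MZ" + bytes(range(256)) * 16, t_infect + 300),
        })
    for name, (data, mtime) in files.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    pivot, newer = triage(build_demo_system32())
    print("infection pivot:", time.ctime(pivot))
    for name in newer:
        print("  written since pivot:", name)
```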

Dec 27 2007, 07:35 PM, Post #44
Newbie, Group: Members, Posts: 2, Joined: 27-December 07, Member No.: 8,176
Plus, I had to remove

C:\WINDOWS\system32\shel9
C:\WINDOWS\system32\oc9
C:\WINDOWS\system32\ipd1
C:\WINDOWS\system32\ex1

and a couple of registry entries that ComboFix identified as suspicious.

Dec 28 2007, 05:19 PM, Post #45
Newbie, Group: Members, Posts: 1, Joined: 28-December 07, Member No.: 8,212
Everyone: Thank you so much for your help with this. I've been following the instructions on this forum for nearly a week now, and my computer is now in much better shape than it was a few short days ago.

However, I'm still having a couple of lingering problems. For one, all the programs are taking a long time to load when I start up my computer, though they are running relatively fast once they're up (I'm seeing a few drags here and there, but I'm not sure whether that's just because this virus has made me paranoid). Second thing: I'm getting a RUNDLL message shortly after Windows starts up; it's telling me it cannot load C:WINDOWS\system32\tpichloa.dll. This message appeared after I ran ComboFix the first time. I googled the dll file, but I came up with nothing, so I'm not quite sure what this means for my computer; I just don't want to see this error message from this point forward if it can be fixed. Do any of these issues sound familiar to anyone? Any ideas on how to resolve them? Thanks!

Dec 28 2007, 07:30 PM, Post #46
Newbie, Group: Members, Posts: 3, Joined: 28-December 07, Member No.: 8,216
I am having the same issue for about 5 or 6 days now.

Wow!! You are the third user reporting this problem today :o Either this is only a coincidence, or there's a new malware out there that spreads very fast.

Please find and attach the files that Marius requested (don't forget to archive them, with a password). After that, please post a HijackThis! log. Cris.

Dec 28 2007, 08:48 PM, Post #47
Newbie, Group: Members, Posts: 1, Joined: 28-December 07, Member No.: 8,209
Well, same problem here... it came way down to Brazil (I live here).

I play MMORPGs and download torrents and HTTP files. Don't really use P2P programs (but torrents). Well, I have Spybot S&D Monitor... after I "fix" some suspicious thing from HijackThis, the monitor asks me if I want to delete, I allow, but then 5 seconds later the monitor asks me if I want to install it... And the monitor keeps popping up every 5 seconds about it trying to install itself... Anyone got some news? I did VundoFix, it deleted some stuff, but some just come back later. Cris, you still need those files?

Dec 29 2007, 11:47 PM, Post #48
Newbie, Group: Members, Posts: 3, Joined: 28-December 07, Member No.: 8,216
Hello, I have sort of curbed all this. VundoFix found the files but would not remove them for good. I used a spyware program that came with my internet; it found and removed the spyware. I do not get the error anymore or the unstable system, but there is still something lingering: my C: is a red X, and above it states (with EDITED's help we went into the registry); how do I do that so I can see if that fixes my red X? Please help, this has been many days of trying everything on here and it is very frustrating.

Dec 30 2007, 03:57 PM, Post #49
Newbie, Group: Members, Posts: 1, Joined: 30-December 07, Member No.: 8,295
I've had this Kernel error 1256 problem for a while now; tried VundoFix and it worked for a day, then it came back. Tried System Restore and VundoFix, then it came back again. Now I am trying to run VundoFix again and the computer just shuts off halfway through. If I try System Restore, same problem, the computer just shuts off. I've tried deleting the 20,000+ .tmp files starting with the letters pol but it gives me an error about referenced memory.

Starting Windows in safe mode is no help either, it still automatically shuts off the computer after about 3 minutes. Any help is appreciated.

Dec 31 2007, 03:56 PM, Post #50
Newbie, Group: Members, Posts: 1, Joined: 31-December 07, Member No.: 8,325
I have the same problem as stated at the top of this page, but I cannot do much about it because my computer freezes about 2-3 minutes after starting up.

Help?

Jan 1 2008, 09:37 PM, Post #51
Newbie, Group: Members, Posts: 1, Joined: 1-January 08, Member No.: 8,367
I have the same problem on my friend's PC and I am trying to fix it, so I searched Google and found this forum.

I have tried the solution that Cris said, but I could only use it from the command prompt because this computer will not let me into the boot options. Also, when I used the move.bat file with the command prompt, it said that the files that were specified were not there. I have no idea what's going on but I keep getting the errors, and also an error that says that seipclor.dll is missing. Also ads keep popping up at random in Internet Explorer, even when I'm not using the browser. I have not tried HijackThis! because I have no idea what it is, but I can if necessary. Any help would be greatly appreciated.

Jan 3 2008, 05:44 AM, Post #52
Regular Poster, Group: Regular BitDefender Poster, Posts: 280, Joined: 23-October 07, From: The Netherlands, Member No.: 5,839
I notice some people have worked hard and report their findings and how they have tried to handle their situation. That helps us all to understand and fight the security issues better. At the same time, I suggest that people not post their HJT log on a thread like this or ask for personal help. It doesn't help others, makes the thread unreadable, and they don't get the individual attention they need to handle their (perhaps unique) situation. When someone starts a thread with a HJT log or asks for help, he/she deserves to be attended to instead of having the attention taken away. Others may follow the course of action or start a new thread with their own log/issue. Otherwise it becomes a catharsis situation (which is also OK) but not a problem-solving one.

This post has been edited by farbar: Jan 3 2008, 05:53 AM

Jan 14 2008, 02:39 AM, Post #53
Newbie, Group: Members, Posts: 1, Joined: 14-January 08, Member No.: 8,837
So, I've had this problem as well; I've run Ad-Aware, Spybot, VundoFix, and hopefully have this issue resolved... however, I'd like to be certain. I have here a HijackThis log file to see what, if anything, may still be present that I can take care of, and any other steps I should take to ensure that my computer is running free of disease :)

Logfile of HijackThis v1.99.1
Scan saved at 5:27:33 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\alberto\LOCALS~1\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.dell.com/support/downloads/...amp;appindex=ds
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsq.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\MC72AC~1.EXE
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O15 - Trusted IP range: http://62.4.84.53
O15 - Trusted IP range: http://82.98.235.58
O15 - Trusted IP range: http://85.12.25.90
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Jan 14 2008, 05:07 PM, Post #54
Newbie, Group: Members, Posts: 1, Joined: 14-January 08, Member No.: 8,864
Same problem(s) here :( But I believe I know how I got this trojan in the first place: it is automatically sent via MSN Messenger, and it poses as a .zip file containing several pictures, accompanied by a message along the lines of "What do you think of my new look? This picture isn't too sexy for Facebook, right?" and such. I'd strongly suggest not opening these :)

However, over the past few days I've experienced most of the symptoms described in this topic, and did my best to fix them using the following:

* AVG scan, which detected an unknown Trojan dropper, but didn't seem to do anything about it
* VundoFix, which removed all suspicious files except one

I've had these programs before the infection, but since they didn't seem to really help I downloaded and ran

* Spybot S&D, which detected further problems, but also didn't turn out to be helpful
* free trial version of BitDefender, which worked out great. It's done a quick scan during the installation and removed that one suspicious .dll file VundoFix couldn't... but it also reported Spybot's TeaTimer.exe as being infected. I then ran a deep scan, and among many infected files (all by the same Trojan), BitDefender also found itself :huh: and I think it kind of self-destructed, because I couldn't start it later.

None of the error messages reappeared and my computer seems to work just fine... but the McAfee Security Center I'm running at the moment reports a Trojan quarantined from my Temp and Temporary Internet Files folders every few minutes. Also, after I reinstalled MSN Messenger (from a new installation file, and after I deleted the previous installation through Add/Remove Programs), it automatically sent the above-mentioned "How is my new look" message, along with the infected .zip file, to several people on my contact list. As I see it, every .exe file downloaded and executed after the first infection is corrupted. So, even though everything seems to be working fine, I don't think I really got rid of this thing. And since I'm really getting tired, one of my tech-y friends is coming over for coffee and disk formatting. :)

Jan 14 2008, 09:18 PM, Post #55
BitDefender Evangelist, Group: Moderators, Posts: 3,260, Joined: 27-March 07, From: Galați/Iași, România, Member No.: 60
@otrebla:

Fix the following lines:

CODE
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsq.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll

Cris.
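The two entries Cris singles out (the F3 win.ini load= hook and the O20 AppInit_DLLs value), together with the other Vundo-style entries that recur in the logs posted in this thread (a Run key with a random hex name that has rundll32 load a random eight-letter DLL through a one-letter export, O15 Trusted Zone / Trusted IP range additions, a core system binary name running from outside system32), can be picked out of a HijackThis log automatically. This is an added example, not a forum tool and not part of anyone's post; the sample log is constructed from entries of the kinds posted in this thread.

```python
import re

# Constructed sample log: a mix of entries of the kinds posted in this thread,
# assembled here for the example (not one real log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsq.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\MC72AC~1.EXE
O4 - HKLM\..\Run: [197fe782] rundll32.exe "C:\WINDOWS\system32\ilbacafw.dll",b
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted IP range: http://202.67.220.225
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

ENTRY = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")
HEX_KEY = re.compile(r"^\[[0-9a-f]{8}\]\s", re.I)        # [197fe782]-style Run-key names
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?,(\w+)', re.I)
RANDOM_DLL = re.compile(r"^[a-z]{8}\.dll$", re.I)        # ilbacafw.dll, uggunoew.dll, ...
EXE_PATH = re.compile(r'([A-Za-z]:\\[^"]*?\\)?([\w~-]+\.exe)', re.I)
CORE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "smss.exe", "services.exe"}


def parse_entry(line):
    """Split 'O4 - HKLM\\..\\Run: ...' into ('O4', 'HKLM\\..\\Run: ...'); None for non-entries."""
    m = ENTRY.match(line.strip())
    return (m.group(1).upper(), m.group(2)) if m else None


def check_f3(rest):
    # win.ini load=/run= is a legacy autostart that current software essentially never uses
    return ["win.ini load=/run= autostart"] if re.search(r"\b(load|run)=\S", rest, re.I) else []


def check_o15(rest):
    # Trusted Zone / Trusted IP range entries lower IE's security settings for those hosts
    return ["Trusted Zone entry"]


def check_o20(rest):
    value = rest.split(":", 1)[1].strip() if rest.lower().startswith("appinit_dlls:") else ""
    # AppInit_DLLs gets loaded into every process that links user32.dll
    return ["AppInit_DLLs set to " + value] if value else []


def check_o4(rest):
    reasons = []
    cmd = rest.split(": ", 1)[1] if ": " in rest else rest
    if HEX_KEY.match(cmd):
        reasons.append("random hex Run-key name")
    m = RUNDLL.search(cmd)
    if m:
        dll = m.group(1).rsplit("\\", 1)[-1]
        if RANDOM_DLL.match(dll) and len(m.group(2)) == 1:
            reasons.append("rundll32 loads %s via single-letter export '%s'" % (dll, m.group(2)))
    p = EXE_PATH.search(cmd)
    if (p and p.group(2).lower() in CORE_NAMES and p.group(1)
            and not p.group(1).lower().endswith("\\system32\\")):
        reasons.append("%s running from %s instead of system32" % (p.group(2), p.group(1)))
    return reasons


CHECKS = {"F3": check_f3, "O4": check_o4, "O15": check_o15, "O20": check_o20}


def triage(log_text):
    """Return [(entry_type, [reasons], line)] for every entry that a check flags."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        kind, rest = parsed
        reasons = CHECKS.get(kind, lambda _: [])(rest)
        if reasons:
            findings.append((kind, reasons, line.strip()))
    return findings


if __name__ == "__main__":
    for kind, reasons, line in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (kind, "; ".join(reasons), line))
```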

Jan 15 2008, 09:19 AM, Post #56
Newbie, Group: Members, Posts: 1, Joined: 15-January 08, Member No.: 8,895
I have the same problem with those two stupid update icons on my desktop from "Windows".

My computer is sluggish and after a few minutes will not open any folders; I can only access things by using the Run command. This is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:12:23 AM, on 15/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\lxdbcoms.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsr.exe
O4 - HKLM\..\Run: [197fe782] rundll32.exe "C:\WINDOWS\system32\ilbacafw.dll",b
O4 - HKLM\..\Run: [LXDBCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDBtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdb_device - - C:\WINDOWS\system32\lxdbcoms.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe

--
End of file - 4333 bytes

I'm so lost and confused, I need help. I have Ad-Aware 2007, Spybot S&D and NOD32 and all of them say no problems :(

Jan 16 2008, 02:29 AM, Post #57
Newbie, Group: Members, Posts: 1, Joined: 16-January 08, Member No.: 8,928
Same here, ran VundoFix but after a few minutes it all went wrong again.

This is the log file, thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:25:40 πμ, on 16/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\woigxbjf.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\mrofinu1188.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\mrofinu1188 .exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1 .EXE
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\system32\LVCOMSX .EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\Video\CameraAssistant .exe
C:\Program Files\Router\Router.exe
C:\Program Files\F-Secure\Common\FSM32 .EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Router\Router .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\SAGEM\OTEnet-SAGEM Fast 800\dslmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqpo.exe
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD325762EA4EBF 68951185EFC412806867680AEDE604D64C2661373F819EBDCD66A47
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [1860674f] rundll32.exe "C:\WINDOWS\system32\jvcoqysh.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo!
Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://teenhost.net/plugin/1001/CHM/test.chm::/Eve.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejewele...ploader_v10.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{10DD5E31-EAB8-46C1-93CF-D3F88DEF0457}: NameServer = 193.92.150.3,194.219.227.2 O17 - HKLM\System\CS1\Services\Tcpip\..\{10DD5E31-EAB8-46C1-93CF-D3F88DEF0457}: NameServer = 193.92.150.3,194.219.227.2 O17 - HKLM\System\CS2\Services\Tcpip\..\{10DD5E31-EAB8-46C1-93CF-D3F88DEF0457}: NameServer = 193.92.150.3,194.219.227.2 O17 - HKLM\System\CS4\Services\Tcpip\..\{10DD5E31-EAB8-46C1-93CF-D3F88DEF0457}: NameServer = 193.92.150.3,194.219.227.2 O18 - Protocol: skype4com - 
{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: F-Secure Automatic Update (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe O23 - Service: DomainService - - C:\WINDOWS\system32\woigxbjf.exe O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O24 - Desktop Component 1: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2 -- End of file - 11912 bytes |
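The log above is the raw material the helpers in this thread work from, and the entries a helper would circle are easy to miss among the legitimate ones. As an added example, not part of the post and not HijackThis's own logic, here is a small triage pass over a handful of lines copied from that log. The rules it applies (8-letter lowercase image names, hex-named Run keys, svchost.exe outside System32, win.ini autostarts, ms-its:/mhtml: loader URLs, services with no recorded owner) are assumptions chosen for the example, and the runner1 line's long hex argument is shortened.

```python
"""Triage rules for HijackThis (HJT) log lines. Added example: not from the forum
post and not HijackThis's own logic. Parses the O4/O23/F3/O16/O17 entry formats and
flags the Vundo-style patterns visible in the posted log; the heuristics and the
sample below (lines copied from that log, runner1's hex argument shortened) are
assumptions made for this example."""
import ntpath
import re
from collections import namedtuple

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF728133393
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [1860674f] rundll32.exe "C:\WINDOWS\system32\jvcoqysh.dll",b
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqpo.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://teenhost.net/plugin/1001/CHM/test.chm::/Eve.exe
O23 - Service: F-Secure Automatic Update (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: DomainService - - C:\WINDOWS\system32\woigxbjf.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{10DD5E31-EAB8-46C1-93CF-D3F88DEF0457}: NameServer = 193.92.150.3,194.219.227.2
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^\S+\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
WININI_RE = re.compile(r"^REG:win\.ini: (?:load|run)=\S")
DNS_RE = re.compile(r"NameServer = (?P<servers>\S+)$")
RANDOM_STEM = re.compile(r"[a-z]{8}")   # Vundo-style names such as jvcoqysh, woigxbjf
HEX_KEY = re.compile(r"[0-9a-f]{8}")    # Run-key names such as 1860674f
WINDOWS_ROOTS = {r"c:\windows", "%systemroot%", "%windir%"}
UNKNOWN_OWNERS = {"", "unknown owner"}  # what HJT prints when no company is recorded

Finding = namedtuple("Finding", "severity reason line")  # severity: "flag" or "info"

def _first_token(cmd):
    """Split a command line into (first token, remainder); the token may be double-quoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:], "") if end == -1 else (cmd[1:end], cmd[end + 1:])
    parts = cmd.split(None, 1)
    return (parts[0], parts[1] if len(parts) > 1 else "") if parts else ("", "")

def _check_run(key, cmd, line):
    image, rest = _first_token(cmd)
    base, parent = ntpath.basename(image).lower(), ntpath.dirname(image).lower()
    if base == "svchost.exe" and not parent.endswith(r"\system32"):
        return Finding("flag", "svchost.exe started from outside System32", line)
    if base in ("rundll32.exe", "rundll32"):
        dll = _first_token(rest)[0].split(",")[0]          # drop ",EntryPoint"
        if RANDOM_STEM.fullmatch(ntpath.splitext(ntpath.basename(dll))[0]):
            why = "rundll32 loads a randomly named DLL"
            if HEX_KEY.fullmatch(key.lower()):
                why += " from a hex-named Run key"
            return Finding("flag", why, line)
    if parent in WINDOWS_ROOTS:
        return Finding("flag", "executable placed directly in the Windows directory", line)
    return None

def _check_service(body, line):
    """body is 'NAME - OWNER - PATH'; NAME may contain ' - ' and OWNER may be empty."""
    parts = body.split(" - ")
    if parts[-1].startswith("- "):            # 'NAME - - PATH': empty owner field
        owner, path = "", parts[-1][2:]
    elif len(parts) >= 3:
        owner, path = parts[-2], parts[-1]
    else:
        return None
    if owner.lower() not in UNKNOWN_OWNERS:
        return None
    stem, ext = ntpath.splitext(ntpath.basename(path))
    if RANDOM_STEM.fullmatch(stem):
        return Finding("flag", "service with no/unknown owner runs a randomly named image", line)
    if not ext:
        return Finding("flag", "service with no/unknown owner points at a path with no file extension", line)
    return None

def triage(log_text):
    """Run every rule over an HJT log; returns Findings in log order."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body, f = m.group("sec"), m.group("body"), None
        if sec == "O4":
            r = RUN_RE.match(body)
            f = _check_run(r.group("key"), r.group("cmd"), line) if r else None
        elif sec == "O23" and body.startswith("Service: "):
            f = _check_service(body[len("Service: "):], line)
        elif sec == "F3" and WININI_RE.match(body):
            f = Finding("flag", "win.ini load=/run= autostart, a legacy hook rarely used legitimately", line)
        elif sec == "O16" and ("ms-its:" in body.lower() or "mhtml:" in body.lower()):
            f = Finding("flag", "Downloaded Program Files entry uses an ms-its:/mhtml: CHM loader URL", line)
        elif sec == "O17" and DNS_RE.search(body):
            servers = DNS_RE.search(body).group("servers")
            f = Finding("info", f"adapter DNS set to {servers}; confirm these belong to the ISP", line)
        if f:
            findings.append(f)
    return findings
```

Run against the sample, `triage` flags the F3 win.ini entry, Fonts\svchost.exe, mrofinu1188.exe, the hex-keyed rundll32 line loading jvcoqysh.dll, the DomainService and MSControlService services, and the ms-its O16 entry, and reports the O17 DNS servers for manual verification only. The "Unknown owner" F-Secure BackWeb service is not flagged because its image has a normal name and extension, which is the point of combining the owner check with a name check rather than flagging every service HJT cannot attribute.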
Jan 24 2008, 01:48 AM
Post #58
Newbie, Group: Members, Posts: 1, Joined: 24-January 08, Member No.: 9,236
Is there no solution to this bug/virus?
I've been waiting for a while now to find a solution, yet there is none. I've tried the online BitDefender thing, and that program is bugged itself. It kept deleting a lot of normal files, including itself! Help please?
Jan 24 2008, 06:44 AM
Post #59
Newbie, Group: Members, Posts: 1, Joined: 24-January 08, Member No.: 9,244
> Is there no solution to this bug/virus? I've been waiting for a while now to find a solution, yet there is none. I've tried the online BitDefender thing, and that program is bugged itself. It kept deleting a lot of normal files, including itself! Help please?

Read this whole thread. Delete any files under C:\ and My Documents called posxxx.tmp. Download VundoFix and ComboFix. Run VundoFix first; if there are still any files that it can't delete after rebooting, then run ComboFix.
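The reply above says to delete the posxxx.tmp files by hand. As an added example, not the poster's code and not VundoFix or ComboFix, here is that step done as a quarantine rather than a delete, which matters when, as the previous post describes, a tool has already been removing legitimate files: each match is moved aside with its original path and SHA-256 recorded in a manifest, so a wrong match can be put back. The name rule (starts with "pos", extension .tmp, any case) is the thread's; the roots, the quarantine folder and the files the demo creates are assumptions.

```python
"""Quarantine helper for the posxxx.tmp droppings named in the reply above.

Added example, not code from the thread or from VundoFix/ComboFix. Instead of
deleting matches outright it moves them into a quarantine folder and records
original path and SHA-256 in a manifest, so a wrong match can be restored.
The name rule (starts with 'pos', extension .tmp, any case) is the thread's;
the roots, the quarantine folder and the demo files are assumptions.
"""
import hashlib
import json
import re
import shutil
import tempfile
from pathlib import Path

PATTERN = re.compile(r"pos.*\.tmp", re.IGNORECASE)  # posxxx.tmp, e.g. pos12AB.tmp

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_droppings(roots, recurse=False):
    """Files under each root whose name matches PATTERN (top level only unless recurse)."""
    hits = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for p in (root.rglob("*") if recurse else root.iterdir()):
            if p.is_file() and PATTERN.fullmatch(p.name):
                hits.append(p)
    return sorted(hits)

def quarantine(roots, qdir, recurse=False):
    """Move matches into qdir and append them to qdir/manifest.json; returns the new entries."""
    qdir = Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)   # keep qdir outside the scanned roots
    manifest = qdir / "manifest.json"
    entries = json.loads(manifest.read_text()) if manifest.exists() else []
    new = []
    for p in find_droppings(roots, recurse):
        digest = sha256_of(p)
        dest = qdir / f"{digest[:12]}_{p.name}"   # hash prefix avoids collisions across roots
        shutil.move(str(p), str(dest))
        new.append({"original": str(p), "quarantined": str(dest),
                    "sha256": digest, "size": dest.stat().st_size})
    manifest.write_text(json.dumps(entries + new, indent=2))
    return new

def restore(qdir):
    """Put back every manifest entry whose quarantined copy still hashes correctly; returns the count."""
    manifest = Path(qdir) / "manifest.json"
    if not manifest.exists():
        return 0
    kept, restored = [], 0
    for e in json.loads(manifest.read_text()):
        src = Path(e["quarantined"])
        if src.exists() and sha256_of(src) == e["sha256"]:
            shutil.move(str(src), e["original"])
            restored += 1
        else:
            kept.append(e)   # missing or tampered: keep the record for manual follow-up
    manifest.write_text(json.dumps(kept, indent=2))
    return restored

def demo():
    """Constructed tree standing in for the C: root and My Documents; returns what the run did."""
    base = Path(tempfile.mkdtemp(prefix="posxxx-demo-"))
    root, docs, qdir = base / "C", base / "My Documents", base / "quarantine"
    root.mkdir()
    docs.mkdir()
    (root / "pos12AB.tmp").write_bytes(b"x" * 4096)   # constructed dropping
    (docs / "pos9.TMP").write_bytes(b"y")             # constructed dropping, odd case
    (root / "posxyz.txt").write_bytes(b"z")           # wrong extension: must stay
    (root / "notes.tmp").write_bytes(b"n")            # wrong prefix: must stay

    def names():
        return sorted(p.name for d in (root, docs) for p in d.iterdir())

    entries = quarantine([root, docs], qdir)
    left = names()
    restored = restore(qdir)
    back = names()
    intact = (root / "pos12AB.tmp").read_bytes() == b"x" * 4096
    shutil.rmtree(base)
    return {"quarantined": sorted(Path(e["original"]).name for e in entries),
            "digest_lengths": [len(e["sha256"]) for e in entries],
            "left_after_quarantine": left, "restored": restored,
            "after_restore": back, "bytes_intact": intact}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On the machine in the thread the roots would be C:\ and the user's My Documents folder; the scan stays at the top level unless `recurse=True`, and a file still held open by the running infection will make `shutil.move` raise, which is the cue to let VundoFix and ComboFix handle that file after the reboot, as the reply describes.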
Jan 24 2008, 11:31 AM
Post #60
Regular Poster, Group: Regular BitDefender Poster, Posts: 280, Joined: 23-October 07, From: The Netherlands, Member No.: 5,839
Hi KcAw,
I can assist you in removing the infection. VundoFix is simpler to use and you can use it by yourself, but ComboFix you should use with caution under supervision. If you need close assistance, start a topic with a title like "help removing NT_Kernel Error 1256, Storageprotector.com" and post a HJT log. I would then walk you step by step through removing the infection.

This post has been edited by farbar: Jan 24 2008, 11:33 AM