I Need Help

Logfile of Trend Micro HijackThis v2.0.2


Scan saved at 3:29:12 PM, on 12/20/2007


Platform: Windows XP SP2 (WinNT 5.01.2600)


MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Boot mode: Normal


Running processes:


C:\WINDOWS\System32\smss.exe


C:\WINDOWS\system32\winlogon.exe


C:\WINDOWS\system32\services.exe


C:\WINDOWS\system32\lsass.exe


C:\WINDOWS\system32\svchost.exe


C:\WINDOWS\System32\svchost.exe


C:\WINDOWS\system32\LEXBCES.EXE


C:\WINDOWS\system32\LEXPPS.EXE


C:\WINDOWS\system32\spoolsv.exe


C:\WINDOWS\Explorer.EXE


C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe


C:\WINDOWS\system32\emrcynvq.exe


C:\WINDOWS\system32\svchost.exe


C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe


C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe


C:\WINDOWS\System32\svchost.exe


C:\WINDOWS\system32\wuauclt.exe


C:\WINDOWS\system32\ctfmon.exe


C:\WINDOWS\system32\wuauclt.exe


C:\Program Files\Mozilla Firefox\firefox.exe


C:\Documents and Settings\Glen So\Desktop\HiJackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local


R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"


O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe


O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm


O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000


O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll


O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll


O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll


O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL


O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll


O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll


O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL


O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll


O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


O20 - Winlogon Notify: khfgged - khfgged.dll (file missing)


O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe


O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe


O23 - Service: DomainService - - C:\WINDOWS\system32\emrcynvq.exe


O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE


O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE


O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe


--


End of file - 4768 bytes


I'm getting this problem


"A potential problem has been detected and Windows has been shutdown buggy application to prevent damage to your computer.


****WXYZ.SYS - Address F73120AE base at C00000, DateStamp 36b072A3


Kernel Debugger Using: COM2 (Port0x28f, Baud rat 192000)"


AND:


During a scan of files at system startup, potential errors in the system registry were found.


p-07-0100 irql: 1f SYSVER 0xff0024


NT_Kernel error 1256


KMODE_EXCEPTION_NOT_HANDLED


Comments

  • Hello,


    the following files are suspicious:


    C:\WINDOWS\system32\emrcynvq.exe


    khfgged.dll (unknown path, maybe c:\windows\system)


    WXYZ.SYS (unknown path, probably c:\windows\system32\drivers)


    Please provide the specified files in a password-protected archive (zip, rar, etc.)

  • Hello jhoyz83,


    Before fixing the below lines, please search for and attach to your next post the files that Marius requested. The archive in which you put the files should be protected by the password infected.


    The files might be hidden in your system. To make them visible, follow these steps:

    1. Open Windows Explorer
    2. Click on Tools -> Folder Options -> View
    3. Enable the option Show hidden files and folders
    4. Disable the option Hide protected operating system files (confirm by pressing Yes)
    5. Click OK to close the dialog


    After you attach the files, fix the following lines:


    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O20 - Winlogon Notify: khfgged - khfgged.dll (file missing)
    O23 - Service: DomainService - - C:\WINDOWS\system32\emrcynvq.exe


    Cris.
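As an added example (not code from this thread, from HijackThis or from the helpers above), the script below encodes the reasoning Marius and Cris applied by eye when they picked the lines to fix: entries that point at a missing file, a service with no vendor name, the O6/O7 restriction policies, and a nameless BHO whose DLL is also registered as a Winlogon Notify hook. The rule set, the Finding type and the regular expressions are my own construction; the sample log is assembled from lines posted in this thread.

```python
"""Triage heuristics for HijackThis log lines (added example, not the thread's tooling)."""
import re
from dataclasses import dataclass
from typing import List

# One HijackThis item: "<section> - <rest>", e.g. "O23 - Service: Foo - Vendor - C:\path".
ITEM_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<rest>.+?)\s*$")
# "Service: <name> - <vendor> - <path>". When the vendor field is empty the two
# separators run together as " - - ", which this pattern accepts.
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.*?)\s*- (?P<path>[A-Za-z]:\\.*)$")
# Last file name with a .dll/.exe/.sys extension in a line.
FILE_RE = re.compile(r"([\w~\-]+\.(?:dll|exe|sys))", re.IGNORECASE)
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def _referenced_file(rest: str) -> str:
    """Lower-cased file name an item points at, or '' if it names none."""
    names = FILE_RE.findall(rest)
    return names[-1].lower() if names else ""


def triage(log_text: str) -> List[Finding]:
    """Apply the rules a log helper applies by eye; return flagged items in log order."""
    items = []
    for raw in log_text.splitlines():
        m = ITEM_RE.match(raw.strip())
        if m:
            items.append((m.group("sec"), m.group("rest"), raw.strip()))

    # Pass 1: DLLs registered as nameless BHOs, to correlate with Winlogon Notify hooks.
    nameless_bho_dlls = {
        _referenced_file(rest)
        for sec, rest, _ in items
        if sec == "O2" and rest.startswith("BHO: (no name)")
    }

    findings = []
    for sec, rest, line in items:
        if any(marker in rest for marker in MISSING_MARKERS):
            findings.append(Finding(sec, "entry points at a file that is not on disk", line))
        elif sec in ("O6", "O7"):
            findings.append(Finding(sec, "restriction policy set (Control Panel / regedit locked)", line))
        elif sec == "O2" and rest.startswith("BHO: (no name)"):
            findings.append(Finding(sec, "browser helper object with no name", line))
        elif sec == "O20" and rest.startswith("Winlogon Notify:"):
            dll = _referenced_file(rest)
            if dll in nameless_bho_dlls:
                findings.append(Finding(sec, f"Winlogon Notify DLL {dll} is also a nameless BHO", line))
        elif sec == "O23":
            sm = SERVICE_RE.match(rest)
            if sm and not sm.group("vendor").strip():
                findings.append(Finding(sec, "service with no vendor/company name", line))
            elif sm and not FILE_RE.search(sm.group("path")):
                findings.append(Finding(sec, "service image path names no executable", line))
    return findings


# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\xrjqaxhp.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: khfgged - khfgged.dll (file missing)
O20 - Winlogon Notify: xrjqaxhp - C:\WINDOWS\SYSTEM32\xrjqaxhp.dll
O23 - Service: DomainService - - C:\WINDOWS\system32\emrcynvq.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n      {f.line}")
```

Legitimate entries in the sample (the Adobe BHO, the SUPERAntiSpyware hook, the Lexmark service) are left alone; everything it does flag matches the lines the helpers asked to be fixed.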

  • Hello jhoyz83,


    Before fixing the below lines, please search for and attach to your next post the files that Marius requested. The archive in which you put the files should be protected by the password infected.


    The files might be hidden in your system. To make them visible, follow these steps:

    1. Open Windows Explorer
    2. Click on Tools -> Folder Options -> View
    3. Enable the option Show hidden files and folders
    4. Disable the option Hide protected operating system files (confirm by pressing Yes)
    5. Click OK to close the dialog
    After you attach the files, fix the following lines:


    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O20 - Winlogon Notify: khfgged - khfgged.dll (file missing)
    O23 - Service: DomainService - - C:\WINDOWS\system32\emrcynvq.exe


    Cris.


    I'm having this exact same problem, and it only occurred today. Any advice?

  • I'm having this exact same problem, and it only occurred today. Any advice?


    Wow!! You are the third user reporting this problem today :o Either this is only a coincidence, or there's a new malware out there that spreads very fast.


    Please find and attach the files that Marius requested (don't forget to archive them, with a password). After that, please post a HijackThis! log.


    Cris.

  • exact same problem here.... can't get into My Computer or Control Panel either




    Logfile of HijackThis v1.99.1


    Scan saved at 1:47:19 PM, on 12/20/2007


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe


    C:\Program Files\Alwil Software\Avast4\ashServ.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe


    C:\Program Files\Bonjour\mDNSResponder.exe


    C:\Program Files\Stardock\ThinkDesk\Multiplicity\MULTISRV32.EXE


    C:\WINDOWS\system32\nvsvc32.exe


    C:\Program Files\CyberLink\Shared files\RichVideo.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe


    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe


    C:\Program Files\UltraMon\UltraMon.exe


    C:\WINDOWS\system32\kmw_run.exe


    C:\WINDOWS\system32\hdsp32.exe


    C:\WINDOWS\system32\hdspmix.exe


    C:\WINDOWS\system32\RUNDLL32.EXE


    C:\Program Files\Stardock\ThinkDesk\Multiplicity\multipl.exe


    C:\WINDOWS\system32\KMW_SHOW.EXE


    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe


    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe


    C:\Program Files\UltraMon\UltraMonTaskbar.exe


    C:\Program Files\Mozilla Firefox\firefox.exe


    C:\Program Files\DAEMON Tools\daemon.exe


    C:\WINDOWS\system32\wuauclt.exe


    C:\WINDOWS\system32\wscntfy.exe


    C:\WINDOWS\system32\wuauclt.exe


    C:\Program Files\Hijackthis\HijackThis.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\xrjqaxhp.dll


    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll


    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup


    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install


    O4 - HKLM\..\Run: [ultraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto


    O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe


    O4 - HKLM\..\Run: [HDSPTray1] hdsp32.exe


    O4 - HKLM\..\Run: [HDSPTray2] hdspmix.exe


    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit


    O4 - HKLM\..\Run: [Multiplicity] C:\Program Files\Stardock\ThinkDesk\Multiplicity\multipl.exe


    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe


    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized


    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll


    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll


    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll


    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll


    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB


    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189615015483


    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL


    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL


    O20 - Winlogon Notify: mljklll - mljklll.dll (file missing)


    O20 - Winlogon Notify: Multi - C:\Program Files\Stardock\ThinkDesk\Multiplicity\MultiWin32.dll


    O20 - Winlogon Notify: xrjqaxhp - C:\WINDOWS\SYSTEM32\xrjqaxhp.dll


    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll


    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe


    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe


    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)


    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)


    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe


    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe


    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe


    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe


    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


    O23 - Service: Stardock Multiplicity (Multiplicity) - Unknown owner - C:\Program Files\Stardock\ThinkDesk\Multiplicity\MULTISRV32.EXE


    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe


    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe


    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe


    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe


    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe


    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe


    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

  • Same problems report


    Logfile of Trend Micro HijackThis v2.0.0 (BETA)


    Scan saved at 1:59:04 AM, on 12/21/2007


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\csrss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\AlienGUIse\wbload.exe


    C:\Program Files\Bonjour\mDNSResponder.exe


    C:\WINDOWS\system32\nvsvc32.exe


    C:\Program Files\CyberLink\Shared files\RichVideo.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe


    C:\Program Files\Mozilla Firefox\firefox.exe


    C:\WINDOWS\System32\alg.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Internet Download Manager\IDMan.exe


    C:\Program Files\Internet Download Manager\IEMonitor.exe


    C:\WINDOWS\system32\msiexec.exe


    C:\Documents and Settings\Spirit\My Documents\Downloads\Programs\HiJackThis_v2.exe


    C:\WINDOWS\system32\wbem\wmiprvse.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local


    O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: {212dfb7e-d799-4bda-fed4-28f6e4169071} - {1709614e-6f82-4def-adb4-997de7bfd212} - C:\WINDOWS\system32\wjsvmush.dll


    O2 - BHO: (no name) - {6ADD45C8-5DE8-4E9B-AFE5-889E46A8C906} - C:\WINDOWS\system32\vtsqr.dll


    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\qifxajad.dll


    O2 - BHO: (no name) - {DB0B918E-A0A8-482B-8D75-A682816B0C7B} - C:\WINDOWS\system32\hgghghh.dll


    O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll


    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup


    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"


    O4 - HKLM\..\Run: [cc6afd0f] rundll32.exe "C:\WINDOWS\system32\ublhnucl.dll",b


    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet


    O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm


    O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm


    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab


    O20 - Winlogon Notify: hgghghh - C:\WINDOWS\SYSTEM32\hgghghh.dll


    O20 - Winlogon Notify: qifxajad - C:\WINDOWS\SYSTEM32\qifxajad.dll


    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll


    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll


    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe


    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe


    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe


    --


    End of file - 4863 bytes

  • Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 1:07:02 PM, on 12/20/2007


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16574)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\Ati2evxx.exe


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\Windows Defender\MsMpEng.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\Ati2evxx.exe


    C:\WINDOWS\Explorer.EXE


    C:\WINDOWS\system32\spoolsv.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe


    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe


    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Viewpoint\Common\ViewpointService.exe


    C:\Documents and Settings\Jiggity Jolly\Desktop\VundoFix.exe


    C:\Program Files\Mozilla Firefox\firefox.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe


    C:\Documents and Settings\Jiggity Jolly\Desktop\IZArc_Setup.exe


    C:\DOCUME~1\JIGGIT~1\LOCALS~1\Temp\is-J3R31.tmp\is-41LKK.tmp


    C:\WINDOWS\system32\NOTEPAD.EXE


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\rgeyjowd.dll


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - Startup: Scheduler.lnk = C:\Program Files\3B Software\Common\Scheduler\wcomschd.exe


    O20 - Winlogon Notify: rgeyjowd - C:\WINDOWS\SYSTEM32\rgeyjowd.dll


    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe


    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe


    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe


    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe


    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe


    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


    --


    End of file - 2616 bytes


    That's my HijackThis file.

  • Add me to the list. I'm getting the:


    ----------------------------------


    Important : Potential errors found in the system.


    During a scan of files at system startup, potential errors in the system registry were found.


    p-07-0100 irql: 1f SYSVER 0xff0024


    NT_Kernel error 1256


    KMODE_EXCEPTION_NOT_HANDLED


    ------------------------------------


    I ran AVG Anti-Spyware in safe mode and removed a few other infections, but the above error still comes up on startup, and pops up random adware in IE (even if I leave all browsers closed). Disabled all services and startup items in MSConfig and it still comes up, so it almost sounds like this infected some system files (and guess what, no system restores available?!?). Here's my HiJackThis log, only edited to change our domain name to MYDOMAIN.local, but otherwise, looks pretty clean to me :P


    --Cody


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 12:58:59 PM, on 12/20/2007


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe


    C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe


    C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe


    C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe


    C:\WINDOWS\LogWatNT.exe


    C:\Program Files\UltraVNC\WinVNC.exe


    C:\Program Files\Internet Explorer\iexplore.exe


    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe


    C:\WINDOWS\system32\wuauclt.exe


    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe


    C:\Program Files\CA\eTrust\InoculateIT\realmon.exe


    C:\WINDOWS\system32\PB32Stub.exe


    C:\WINDOWS\system32\hkcmd.exe


    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe


    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\WINDOWS\system32\svchost.exe


    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/


    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/


    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll


    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll


    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized


    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper


    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe


    O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"


    O4 - HKLM\..\Run: [PrintBoss Stub] C:\WINDOWS\system32\PB32Stub.exe


    O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe


    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe


    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"


    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet


    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background


    O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe


    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000


    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm


    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm


    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll


    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll


    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll


    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll


    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MYDOMAIN.local


    O17 - HKLM\Software\..\Telephony: DomainName = MYDOMAIN.local


    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MYDOMAIN.local


    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe


    O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe


    O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe


    O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe


    O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe


    O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows


    O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe


    O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe


    --


    End of file - 5764 bytes

  • Hello everyone,


    Please follow the following steps:


    @echo off
    move /Y C:\WINDOWS\system32\emrcynvq.exe C:\emrcynvq._xe
    move /Y c:\windows\system32\khfgged.dll C:\khfgged.1ll
    move /Y c:\windows\system\khfgged.dll C:\khfgged.2ll
    move /Y c:\windows\khfgged.dll C:\khfgged.3ll
    move /Y c:\windows\system32\drivers\WXYZ.SYS C:\WXYZ._YS

    The above code, copy and paste it in Notepad.


    Save the file as .bat (ex: move.bat). Save it somewhere where it's easy to access it. I suggest C:\.


    Follow the instructions HERE to get to Windows Recovery Console.


    In the Recovery Console, go to the folder where you saved the above BAT file and execute it.


    Then return to Windows. Hopefully, there won't be problems this time.


    Open Explorer and, in C:\ you should find the files emrcynvq._xe, khfgged.Xll (where X is 1, 2 or 3) and WXYZ._YS.


    Please put these files in a ZIP file with the password infected and attach it here.


    Cris.
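    The same quarantine step as a script, added here as an example (it is not Cris's code and not a BitDefender tool). It copies the batch file's idea, moving each suspect file out of its system directory under a neutered extension, and records a SHA-256 and size per file so whoever receives the ZIP can confirm what was sent; a file that is not present is reported as missing rather than silently skipped. The demo builds constructed dummy files in a temporary directory and touches no real system path; the function names and the manifest layout are this example's own.

```python
"""Quarantine suspect files under neutered names and record a hash manifest.

Added example, not code from the forum thread or from BitDefender. It
mirrors the batch file's idea (move the file out of its system directory
and replace the first letter of the extension so it is no longer
loadable) and adds a SHA-256 per file for the analyst. All paths in
demo() are constructed temporary files, not real system locations.
"""
import hashlib
import ntpath
import os
import shutil
import tempfile


def neutered_name(path, copy_index=None):
    """Quarantine file name for *path*: 'foo.exe' -> 'foo._xe', 'WXYZ.SYS' -> 'WXYZ._YS'.

    copy_index numbers several copies of the same DLL name found in different
    directories ('khfgged.dll' -> 'khfgged.1ll', 'khfgged.2ll', ...), as the
    batch file above does. ntpath is used so Windows-style paths parse on any OS.
    """
    base, ext = ntpath.splitext(ntpath.basename(path))
    if len(ext) < 3:                       # no usable extension to neuter
        return base + "._none"
    marker = str(copy_index) if copy_index is not None else "_"
    return base + "." + marker + ext[2:]   # keep the dot, drop the first letter


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large samples do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(sources, dest_dir):
    """Move each existing file in *sources* into dest_dir under a neutered name.

    Returns a manifest (list of dicts). A source that does not exist is
    recorded with missing=True instead of being skipped silently, so the
    report shows what was not found.
    """
    manifest = []
    dll_copies = {}
    for src in sources:
        if not os.path.isfile(src):
            manifest.append({"original": src, "quarantined": None,
                             "sha256": None, "size": None, "missing": True})
            continue
        copy_index = None
        lowered = ntpath.basename(src).lower()
        if lowered.endswith(".dll"):
            dll_copies[lowered] = dll_copies.get(lowered, 0) + 1
            copy_index = dll_copies[lowered]
        entry = {"original": src,
                 "quarantined": os.path.join(dest_dir, neutered_name(src, copy_index)),
                 "sha256": sha256_of(src),     # hash before the move
                 "size": os.path.getsize(src),
                 "missing": False}
        shutil.move(src, entry["quarantined"])
        manifest.append(entry)
    return manifest


def quarantined_names(manifest):
    """Base names of the files that were actually moved, in manifest order."""
    return [os.path.basename(e["quarantined"]) for e in manifest if not e["missing"]]


def demo():
    """Run quarantine() over constructed dummy files in a temp directory tree."""
    root = tempfile.mkdtemp(prefix="quarantine-demo-")
    sys32 = os.path.join(root, "system32")
    drivers = os.path.join(sys32, "drivers")
    os.makedirs(drivers)
    # Constructed placeholder contents; the names follow the thread, the bytes are harmless.
    samples = {
        os.path.join(sys32, "emrcynvq.exe"): b"MZ placeholder 1",
        os.path.join(sys32, "khfgged.dll"): b"MZ placeholder 2",
        os.path.join(root, "khfgged.dll"): b"MZ placeholder 3",
        os.path.join(drivers, "WXYZ.SYS"): b"MZ placeholder 4",
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)
    wanted = list(samples) + [os.path.join(sys32, "not-there.dll")]
    dest = os.path.join(root, "quarantine")
    os.makedirs(dest)
    return quarantine(wanted, dest)


if __name__ == "__main__":
    for e in demo():
        print("MISSING " if e["missing"] else e["sha256"][:16] + " ", e["original"])
```

    The manifest is what goes alongside the ZIP: the analyst can match each hash against the file received, and the missing entries tell the helper which of the expected names were not on this machine at all.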

  • I had exactly the same problem last night. I ran a virus scan and could not find any problem, but I still can't bring up My Computer or anything from Control Panel. Please tell me how to fix this, since this is the first time I have got into this problem... Thanks

  • I had exactly the same problem last night. I ran a virus scan and could not find any problem, but I still can't bring up My Computer or anything from Control Panel. Please tell me how to fix this, since this is the first time I have got into this problem... Thanks


    Did you notice the exact previous post? Please follow those instructions and attach the files.


    Cris.

  • Hello,


    I've got exactly the same problem..


    here is my logfile:


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 21:40:24, on 20.12.2007


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\Explorer.EXE


    C:\WINDOWS\system32\spoolsv.exe


    C:\WINDOWS\Mixer.exe


    C:\WINDOWS\Logi_MwX.Exe


    C:\Programme\iTunes\iTunesHelper.exe


    C:\Programme\Java\jre1.6.0_03\bin\jusched.exe


    C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe


    C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe


    C:\Programme\ICQLite\ICQLite.exe


    C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe


    C:\Programme\Razer\Copperhead\razerhid.exe


    C:\Programme\Gemeinsame Dateien\Logitech\G-series Software\LGDCore.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe


    C:\Programme\Save\Save.exe


    C:\Programme\MSN Messenger\MsnMsgr.Exe


    C:\Programme\DAEMON Tools\daemon.exe


    C:\Programme\ICQ6\ICQ.exe


    C:\Programme\Skype\Phone\Skype.exe


    C:\Programme\Google\Google Updater\GoogleUpdater.exe


    C:\Programme\NDAS\System\ndasmgmt.exe


    C:\Programme\Bonjour\mDNSResponder.exe


    C:\Programme\OpenOffice.org 2.3\program\soffice.exe


    C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe


    C:\Programme\OpenOffice.org 2.3\program\soffice.BIN


    C:\Programme\Octoshape Streaming Services\tim\OctoshapeClient.exe


    C:\Programme\Razer\Copperhead\razertra.exe


    C:\Programme\NDAS\System\ndassvc.exe


    C:\Programme\Razer\Copperhead\razerofa.exe


    C:\WINDOWS\System32\nvsvc32.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Programme\Skype\Plugin Manager\skypePM.exe


    C:\WINDOWS\system32\wuauclt.exe


    C:\WINDOWS\system32\wscntfy.exe


    C:\Programme\iPod\bin\iPodService.exe


    C:\Programme\Mozilla Firefox\firefox.exe


    C:\Programme\Trend Micro\HijackThis\HijackThis.exe


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/de/


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local


    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll


    R3 - URLSearchHook: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - (no file)


    O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll


    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup


    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install


    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup


    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe


    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programme\Google\Google Desktop Search\GoogleDesktop.exe" /startup


    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime


    O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"


    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"


    O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot


    O4 - HKLM\..\Run: [AVP] "C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"


    O4 - HKLM\..\Run: [iCQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize


    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"


    O4 - HKLM\..\Run: [razer] C:\Programme\Razer\Copperhead\razerhid.exe


    O4 - HKLM\..\Run: [Launch LGDCore] "C:\Programme\Gemeinsame Dateien\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE


    O4 - HKLM\..\Run: [Launch LCDMon] "C:\Programme\Gemeinsame Dateien\Logitech\LCD Manager\lcdmon.exe"


    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe


    O4 - HKCU\..\Run: [WhenUSave] "C:\Programme\Save\Save.exe"


    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background


    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033


    O4 - HKCU\..\Run: [iCQ] "C:\Programme\ICQ6\ICQ.exe" silent


    O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Programme\Octoshape Streaming Services\tim\OctoshapeClient.exe" -inv:bootrun


    O4 - HKCU\..\Run: [skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized


    O4 - HKCU\..\RunOnce: [iCQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot


    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')


    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')


    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')


    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')


    O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe


    O4 - Startup: OpenOffice.org 2.3.lnk = C:\Programme\OpenOffice.org 2.3\program\quickstart.exe


    O4 - Global Startup: Google Updater.lnk = C:\Programme\Google\Google Updater\GoogleUpdater.exe


    O4 - Global Startup: TrekStor NDAS-Geräte-Manager.lnk = C:\Programme\NDAS\System\ndasmgmt.exe


    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML


    O8 - Extra context menu item: Hinzufügen zu Kaspersky Anti-Banner - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll


    O9 - Extra button: Statistik für Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll


    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe


    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe


    O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe


    O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe


    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL


    O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe


    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe


    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programme\Bonjour\mDNSResponder.exe


    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe


    O23 - Service: GoogleDesktopManager - Google - C:\Programme\Google\Google Desktop Search\GoogleDesktop.exe


    O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe


    O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe


    O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows


    O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Programme\NDAS\System\ndassvc.exe


    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe


    --


    End of file - 8189 bytes


    Can you please describe more precisely how to fix it? I can't find these lines :/
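    A first-pass triage script for a HijackThis log, added here as an example and not part of the thread or of HijackThis itself. It applies a few of the checks a helper otherwise does by eye: an O23 service whose image path has no executable extension (the MSControlService entry above points at C:\WINDOWS\system32\windows, which is not a binary name), a service with no vendor information, an Internet Explorer start or search page pointing at a host outside a small trusted list, and hooks or toolbars that are registered but have no file on disk. The sample lines are copied from the log above; the rules, the trusted-host list and the severity labels are this example's own assumptions.

```python
"""First-pass triage of a HijackThis v2 log.

Added example, not part of the thread and not a HijackThis feature: it
applies a few rules a helper would otherwise apply by eye. The sample lines
are copied from the log posted above; the rules, the trusted-host list and
the severity labels are this example's own assumptions.
"""
import re
from urllib.parse import urlparse

SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
BROWSER_RE = re.compile(r"^R[013] - (?P<key>.+?) = (?P<value>.*)$")
ORPHAN_RE = re.compile(r"^(R3|O[23]) - .*\(no file\)$")

EXEC_EXTS = (".exe", ".sys", ".dll")
# Hosts an Internet Explorer start/search page may legitimately point at (assumption).
TRUSTED_HOSTS = {"go.microsoft.com", "www.microsoft.com", "update.microsoft.com"}


def triage_line(line):
    """Return (severity, reason) for a suspicious log line, or None."""
    line = line.strip()
    m = SERVICE_RE.match(line)
    if m:
        # An O23 service whose image path is not an .exe/.sys/.dll is the odd one
        # out: 'C:\WINDOWS\system32\windows' above is a directory name, not a binary.
        if not m.group("path").strip().lower().endswith(EXEC_EXTS):
            return ("high", f"service '{m.group('name')}' image path has no executable "
                            f"extension: {m.group('path')}")
        if m.group("owner") == "Unknown owner":
            return ("low", f"service '{m.group('name')}' carries no vendor information")
        return None
    m = BROWSER_RE.match(line)
    if m and "Internet Explorer\\Main" in m.group("key"):
        value = m.group("value").strip()
        if value.startswith(("http://", "https://")):
            host = urlparse(value).hostname or ""
            if host not in TRUSTED_HOSTS:
                setting = m.group("key").split(",")[-1]
                return ("medium", f"IE {setting} points at {host}")
        return None
    if ORPHAN_RE.match(line):
        return ("low", "orphaned hook/toolbar entry: registered but no file on disk")
    return None


def triage(log_text):
    """Run triage_line over a whole log; returns [(severity, reason, line), ...]."""
    findings = []
    for raw in log_text.splitlines():
        hit = triage_line(raw)
        if hit:
            findings.append((hit[0], hit[1], raw.strip()))
    return findings


# Lines copied from the HijackThis log above (German-locale paths are as posted).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

    Run against the sample it flags the two BearShare browser settings, the orphaned URLSearchHook and the MSControlService entry, and says nothing about the Kaspersky and NVIDIA services. The rules are deliberately narrow: a "high" here means the line is structurally wrong for a service entry, not that the file has been identified as malicious.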

  • Hello everyone,


    Please follow the following steps:


    <snip>


    Please put these files in a ZIP file with the password infected and attach it here.


    Cris.


    Sorry, Cris, I was already running another fix (VundoFix, if anybody wants to Google it) and it cleaned these messages right up. The files you mentioned were present and infected, but there were other similar files with random names (hggecdc.dll, jkkklkj.dll to name the 2 I wrote down before the fix deleted them all). That fix might help the other 2 guys above, if your suggestion doesn't fix 'em right up.

  • Hello elint,


    Yes, I was told that VundoFix might help with this issue.


    I don't know what VundoFix detects, but as far as I understand from what I've found on Google, it detects something different. The Vundo symptoms don't appear in your HijackThis! logs, nor in your descriptions of the problem. My best guess is that VundoFix fixes this problem only because of a coincidence (it looks for files with random names and probably finds the above files, and more).


    BUT, this is only a short-term fix.


    We are still hoping that someone can actually provide the infected files, so that they can be studied, detection can be added to BitDefender, and future infections might be prevented from the very beginning.


    So: for anyone who wants to help, please follow the instructions in post#10. The most important file there is c:\windows\system32\drivers\WXYZ.SYS because this is the file that's making all of the other ones.


    For the rest of you, try to use VundoFix.


    Cris.

  • OK. I'm not savvy enough to figure out the HijackThis log stuff. But I've been getting all these same messages for the last 48 hours and my computer at work dies after 10 minutes or so. I ran VundoFix and it had some kind of error halfway through, and crashed. I had downloaded it because over the last few days Norton AntiVirus was continually catching "Trojan.Vundo" several times a day.


    I did as told in the previous post but none of those files exist on my infected computer (and the commands you gave did not work in the Windows Recovery Console environment, FYI, and I am running XP).


    I guess I should just wait, but this is pretty messed up. Anyway I wanted to let y'all know that I do not have any of those files on my computer but I am getting all these same problems.


    Hello elint,


    Yes, I was told that VundoFix might help with this issue.


    I don't know what VundoFix detects, but as far as I understand from what I've found on Google, it detects something different. The Vundo symptoms don't appear in your HijackThis! logs, nor in your descriptions of the problem. My best guess is that VundoFix fixes this problem only because of a coincidence (it looks for files with random names and probably finds the above files, and more).


    BUT, this is only a short-term fix.


    We are still hoping that someone can actually provide the infected files, so that they can be studied, detection can be added to BitDefender, and future infections might be prevented from the very beginning.


    So: for anyone who wants to help, please follow the instructions in post#10. The most important file there is c:\windows\system32\drivers\WXYZ.SYS because this is the file that's making all of the other ones.


    For the rest of you, try to use VundoFix.


    Cris.

  • Hi, I just registered to say that I had the same problem (kernel error) and after many tries I fixed all problems with VundoFix (thanks elint). Previously I tried a full system scan with Norton Antivirus and the Symantec Vundo fix tool but they haven't solved the problem ... VundoFix v6.7.7 did it (I had to delete manually the file c:\Windows\system32\ddcbbca.dll) and now I've no more error popups :)

  • Jimbo-uk
    edited December 2007

    Hey, I too have a similar problem.. have got that computer offline at the minute, in case this spreads across my network... here is what I have observed so far though.


    2 Icons on Desktop - If I delete them, they come back moments after.


    Icon1 : "Windows Update" with target location of -> "http://storageprotector.com"


    Icon2 : "Help and Support Center" with target of -> "http://storageprotector.com"


    Over 5000 files have appeared in my main drive.... " .tmp " " .sqm " file extensions.


    Many different prompts.... the original one is the one saying there is a problem with the Kernel, as written in first post.


    Packet sniffer revealed something trying to send info over UDP, out of my computer, off the network, and the port number seemed to increment (in the 8000 range).


    Trying to access My Computer or Control Panel.. among other things... puts the CPU and RAM load to 100%. Seems to kick in when performing virus scans too!


    <will update this post with more info shortly>


    Screenshot of some bits above - http://img265.imageshack.us/img265/8682/sceenkb9.jpg


    <more to come>

  • Cris, sorry but I couldn't find those files you mention in my system

  • Hi, I just registered to say that I had the same problem (kernel error) and after many tries I fixed all problems with VundoFix (thanks elint). Previously I tried a full system scan with Norton Antivirus and the Symantec Vundo fix tool but they haven't solved the problem ... VundoFix v6.7.7 did it (I had to delete manually the file c:\Windows\system32\ddcbbca.dll) and now I've no more error popups :)


    I AM HAVING THE SAME ISSUE. HOW DO I GO IN AND MANUALLY REMOVE IT? WHAT IS THE EXACT PATH I NEED TO FOLLOW?


    THANKS


    SCOTTY

  • rauf
    edited December 2007

    I have the same problem. I already scanned with an updated NOD32 and removed the malicious lines with HijackThis. But the problem persists. Screenshot below:

  • I have the same problem. I already scanned with an updated NOD32 and removed the malicious lines with HijackThis. But the problem persists. Screenshot attached.


    Hi all - exact same problem...


    But after a while this also appears, just for your information:


    Your system could become unstable


    A potential problem has been detected and Windows has been shutdown buggy application to prevent damage to your computer.


    ****WXYZ.SYS - Address F73120AE base at C00000, DateStamp 36b072A3


    Kernel Debugger Using: COM2 (Port 0x28f, Baud rate 192000)


    OK


    Best regards


    Calvin


    PS Will try posted steps to resolve tomorrow

  • Same deal for me. I couldn't find the files you requested for upload (i.e. WXYZ.SYS). I'm running VundoFix right now and it's finding a bunch of junk DLLs. We'll see if it works. Here's the HijackThis output:


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 1:17:46 AM, on 12/21/2007


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16574)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    C:\Program Files\Bonjour\mDNSResponder.exe


    C:\WINDOWS\system32\cisvc.exe


    C:\WINDOWS\eHome\ehRecvr.exe


    C:\WINDOWS\eHome\ehSched.exe


    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe


    C:\WINDOWS\system32\nvsvc32.exe


    C:\WINDOWS\system32\PnkBstrA.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\dllhost.exe


    C:\Program Files\iPod\bin\iPodService.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe


    C:\WINDOWS\ehome\ehtray.exe


    C:\WINDOWS\stsystra.exe


    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe


    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe


    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe


    C:\WINDOWS\eHome\ehmsas.exe


    C:\Program Files\Common Files\Real\Update_OB\realsched.exe


    C:\Program Files\iTunes\iTunesHelper.exe


    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe


    C:\WINDOWS\system32\RUNDLL32.EXE


    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Program Files\Logitech\SetPoint\SetPoint.exe


    C:\Program Files\Last.fm\LastFMHelper.exe


    C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE


    C:\WINDOWS\system32\cidaemon.exe


    C:\WINDOWS\system32\cmd.exe


    C:\Program Files\Mozilla Firefox\firefox.exe


    G:\downloads\VundoFix.exe


    G:\downloads\hijackthis.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local


    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll


    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe


    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup


    O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe


    O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe


    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"


    O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup


    O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start


    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall


    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install


    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe


    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE


    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE


    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime


    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"


    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"


    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit


    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background


    O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"


    O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent


    O4 - HKUS\S-1-5-21-1445824084-942452860-2498106250-1007\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (User 'elijah')


    O4 - HKUS\S-1-5-21-1445824084-942452860-2498106250-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'elijah')


    O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe


    O4 - Global Startup: Logitech SetPoint.lnk = ?


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll


    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)


    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)


    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)


    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204


    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab


    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135748569531


    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144210964156


    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe


    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe


    O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


    O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe


    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

  • OMG, this same thing has been happening to me starting Thursday night (around 11:00pm Pacific time). Was trying everything to get rid of it with no luck at all. I am trying what has been said in here so far, I will update (:


    Thanks though for the information shared already, I had to register when I found these posts and people with the exact same problem.


    For me it seemed to happen just after a Windows update

  • Thank you guys so much for that VundoFix program, worked like a charm ;)

  • Hey guyz......this may help!!


    -----------


    Hi,


    It appears that antivirus signatures for well-known AV vendors are not available at the time of writing this mail.


    Threat : Virus Activity


    Infected Systems: Microsoft Windows [Observed on XP-SP2, ??]


    Critical : YES


    ================================================================================


    Common symptoms:


    ================================================================================


    1] System drives show a red cross in front of each drive icon [probably showing the disconnected state of the logical drive]


    2] System alerts:


    a] NT_kernel error 1256


    b] A potential problem has been detected and Windows has been shutdown buggy application to prevent damage to your computer.


    ****WXYZ.SYS - Address F73120AE base at C00000, DateStamp 36b072A3


    Kernel Debugger Using: COM2 (Port 0x28f, Baud rate 192000)


    3] Several pos*.tmp files created in the system drive.


    4] Two new shortcuts created on Desktop


    a] Windows Update [ http://storageprotector.com/clean/p=60&gai....]


    b] Help and Support Center [ http://storageprotector.com/clean/p=61&gai....]


    Both point to some suspicious links [not the authentic Windows Update Server]


    Screenshot of an infected desktop with a few alerts:


    http://img265.imageshack.us/img265/8682/sceenkb9.jpg


    ================================================================================


    Discussion:


    Interestingly, there's a thread initiated in the BitDefender AntiVirus Forum since YESTERDAY, discussing this issue:


    http://forum.bitdefender.com/index.php?showtopic=3561


    ================================================================================


    Fix:


    VundoFix AND ComboFix utilities have been used successfully to detect several malicious files indicating infection. Both utilities also have an option to remove the infection.


    VundoFix


    http://www.tinyurl.com/9uaag


    Combofix


    http://tinyurl.com/22n35l


    ================================================================================


    Amol Sable


    Security Analyst (Secur-i Group)


    http://www.securview.com


    -----------

  • zorricky
    edited December 2007
    I AM HAVING THE SAME ISSUE. HOW DO I GO IN AND MANUALLY REMOVE IT? WHAT IS THE EXACT PATH I NEED TO FOLLOW?


    THANKS


    SCOTTY


    Get VundoFix v6.7.7 (found with Google), run it and take note of the files it can't delete, reboot and see if VundoFix will delete them; if not, do it manually using the procedure suggested by Cris (http://forum.bitdefender.com/index.php?showtopic=1054); when you are at point 5 delete the files VundoFix left (e.g. DEL c:\windows\system32\ddcbbca.dll).


    It worked fine, I had to manually delete only c:\Windows\system32\ddcbbca.dll but it could have a different name there so check your VundoFix results

  • b] A potential problem has been detected and Windows has been shutdown buggy application to prevent damage to your computer.


    ****WXYZ.SYS - Address F73120AE base at C00000, DateStamp 36b072A3


    Kernel Debugger Using: COM2 (Port 0x28f, Baud rate 192000)


    4]Two new shortcuts created on Desktop


    a] Windows Update [ http://storageprotector.com/clean/p=60&gai....]


    b] Help and Support Center [ http://storageprotector.com/clean/p=61&gai....]


    I'm not savvy enough to submit logs but I have those symptoms too. I tried using VundoFix as suggested but the system hangs before it is able to finish.


    A question: how is this virus transmitted? If I gave some mp3 files to a friend, can she be infected too?

  • I have exactly the same symptoms and also there are lots of tmp files created in the C: drive

  • Hello, I'm from POLAND


    I've got the same problem "..NT_KERNEL ERROR_NOT HANDLED..." + 2 Icons "Windows Update" and "Help and support center";/ Must try that Vundofix now.


    POLO

  • I tried VundoFix and it didn't work for me.


    Here is what I found so far, and excuse me for some geeky language :-)


    It seems some libraries attached to explorer.exe have created lots of junk files like *.tmp under C: and My Documents. If I kill explorer, those can be deleted.


    If I don't have explorer running, I don't get the "wxyz.sys" error. However I can't stop explorer from running when XP boots up, so I always see the "registry error".


    I have no way to delete the icons mentioned below so there must be another system process being affected.


    What a nasty surprise!


    Anyway, still wish you guys a merry Christmas.


    Hello, I'm from POLAND


    I've got the same problem "..NT_KERNEL ERROR_NOT HANDLED..." + 2 Icons "Windows Update" and "Help and support center";/ Must try that Vundofix now.


    POLO

  • Daughter was using the computer and on her MySpace when "Mom, stuff is downloading onto your computer" and then I got all the same error messages as everyone else. This had never happened before when she was on it; it was just ironic that it happened right after I ran my MS updates???? hmmmmm. I ran AVs and cleaned up some stuff, but this just kept coming back. I ran VundoFix v6.7.7 and it solved the problem (sorry, didn't take a screenshot or write down the files it found, and they had different names than what is on the list) except the two desktop icons that got added and go to that storageprotector website.


    Anyone figure out how to get rid of those yet?

  • Hey all


    Again to those who helped me out, a sincere Thank You. I've replied to threads posted on this topic and wanted to say: VundoFix worked great.


    thanks again


    Nabs

  • It seems that a new variant of the VUNDO trojan has been around for the last 2-3 days.



    It appears that antivirus signatures for well-known AV vendors are not available at the time of writing this mail.


    Threat : Virus Activity


    Infected Systems: Microsoft Windows [Observed on XP-SP2, ??]


    Critical : YES


    ================================================================================


    Common symptoms:


    ================================================================================


    1] System drives show a red cross in front of each drive icon [probably showing the disconnected state of the logical drive]


    2] System alerts:


    a] NT_kernel error 1256


    b] A potential problem has been detected and Windows has been shutdown buggy application to prevent damage to your computer.


    ****WXYZ.SYS - Address F73120AE base at C00000, DateStamp 36b072A3


    Kernel Debugger Using: COM2 (Port 0x28f, Baud rate 192000)


    3] Several pos*.tmp files created in the system drive.


    4] Two new shortcuts created on the Desktop


    a] Windows Update [ http://storageprotector.com/clean/p=60&gai....]


    b] Help and Support Center [ http://storageprotector.com/clean/p=61&gai....]


    Both point to some suspicious links [not the authentic Windows Update Server]


    Screenshot of an infected desktop with a few alerts:


    http://img265.imageshack.us/img265/8682/sceenkb9.jpg


    ================================================================================


    Fix:


    The VundoFix and ComboFix utilities were successfully used to detect several malicious files indicating infection. These utilities also have an option to remove the infection.


    VundoFix


    http://www.tinyurl.com/9uaag


    Combofix


    http://tinyurl.com/22n35l


    ================================================================================



    Additionally, ComboFix needs to be run from the command line, and not by double-clicking.


    I did it this way:


    1] Killed explorer.exe from the Windows Task Manager [Ctrl+Shift+Esc] > Processes tab.


    2] File > Run > cmd


    3] Entered the path to ComboFix to run it


    It took me through several phases, rebooted the system once.


    It finished a set of activities [restoring registry hives that it had backed up earlier] and the system booted up normally.

  • I tried ComboFix, but after the booting process (30 minutes later) the popups and icons on the desktop came back...



  • @ everyone:


    Again, I have to insist: this issue, apparently, can be fixed by using VundoFix. BUT without permanent protection, the infection can reappear as easily as the first time.


    Please, if anyone can help us and provide some samples of the infected files, BitDefender can add detection to this virus and future infections can be prevented. Without a sample, BitDefender cannot do anything.


    Cris.

  • Cris:


    Thanks for your help. This forum was the only place I could find information on this new threat.


    I too had all the symptoms listed above, but running VundoFix multiple times in safe mode finally removed the trojan.


    The VundoFix tool copies and renames infected files to a folder called "VundoFix Backups." I archived the files in this folder with the password "infected."


    Regards,


    JD

    Attachment: VundoFix_Backups.rar

  • Hi Everybody,


    Thank God I'm not alone in the universe with this problem. I have exactly the same indications already discussed here. Some more "add-ons" which I believe are related to this problem:


    1. Antivir constantly reports trojan.vundo. Tried to use the removal tool from Symantec and of course it did not find any trace of Vundo.


    2. Cannot delete temporary internet files (i.e. history and related stuff). The computer simply shows the deleting window and does nothing.


    3. While updating the virus definition file, it resets during installation and asks to start from the beginning, and when I start from the beginning it looks like it is downloading everything from the beginning, as if Antivir was never updated.


    4. After Windows starts it gives a warning message to fix the problem, and when I say "go ahead" it goes to some website which never opens. Basically, at least visually, it does nothing.


    So, what might it be and what is the solution?


    Thanks

  • Attached are the infected files after I used VundoFix


    By the way, after I used VundoFix the problem went away; I could remove all the .tmp files from the C drive. However, after I rebooted I got a UseDLL error report about missing covfdjqo.dll, which is a file that was infected and got renamed by VundoFix. Although I didn't see any significant problem after that popup, I don't know if there is any problem... Is there any way to get this file? Thanks

  • After reading all the various posts and since I have a machine that had most if not all the symptoms here is what I documented on how I completely cleaned this system:


    All,


    I had ticket EDITED assigned to me; the user was stating that she was getting the following popup error message with every boot-up:


    During a scan of files at system startup, potential errors in the system registry were found.


    p-07-0100 irql: 1f SYSVER 0xff0024


    NT_Kernel error 1256


    KMODE_EXCEPTION_NOT_HANDLED


    and then this after 10-15 minutes:


    A potential problem has been detected and Windows has been shutdown buggy application to prevent damage to your computer.


    ****WXYZ.SYS - Address F73120AE base at C00000, DateStamp 36b072A3


    Kernel Debugger Using: COM2 (Port0x28f, Baud rat 192000)"


    The user had two new icons on her desktop, Windows XP's "Help and Support" icon and Windows XP's "Windows Update", both pointing to http://storageprotector.com. Symptoms of this infection included sluggishness and the inability to double-click the "My Computer" icon as well as others, depending on the configuration of the system.


    I googled the NT_Kernel error 1256 and came upon the forum http://forum.bitdefender.com/index.php?showtopic=3561, and after combing through the forum I found a fix mentioned called FixVundo.exe. I have it saved at EDITED for easy access. I downloaded this third-party utility and ran it. It detected several .dlls related to this trojan and deleted all of them except one. The system required a reboot. Once rebooted, it deleted the final .dll and rebooted again, and all icons on the desktop were now accessible. However, a new error message popped up wanting to run one of the affected .dlls but was unable to locate it. The two malicious icons on the desktop also remained. Working with EDITED, the icons were deleted. Also, after double-clicking the "My Computer" icon, the C: drive icon was replaced with a big red X. After double-clicking the C: icon, roughly 4000+ .tmp files, all starting with the name posxxx.dll, were in the root. I highlighted and deleted those files.


    With EDITED's help, we went into the registry editor and went to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and deleted the .dll in that group. We then went to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer and found a folder called DriveIcon. We deleted it and refreshed the My Computer folder, which brought back the default icon for the C:.


    I then ran McAfee's On-Demand scan for good measure as well as deleted temp files and cookies. This system is now functioning normally.


    Hope this helps!
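
    The registry persistence described in the post above (a Run value that loads a DLL from system32, and a per-drive icon override under the Explorer key that produces the red X) can be reviewed offline from a `reg export` of those two keys rather than by hand in regedit. The following is an added example, not the poster's or BitDefender's code: the .reg text is constructed, `DriveIcons` is the standard subkey under which Explorer stores per-drive icon overrides (the post calls it DriveIcon), and the eight-lowercase-letter module-name heuristic is an assumption drawn from the DLL names reported in this thread.

```python
import re

# Keys named in the post above (registry persistence of this Vundo variant).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
EXPLORER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"

# Constructed sample of what `reg export` of those keys could look like on an
# infected machine; the icon path and the 8-letter DLL name are illustrative.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\avp.exe\""
"covfdjqo"="rundll32.exe C:\\WINDOWS\\system32\\covfdjqo.dll,s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"GlobalAssocChangedCounter"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultIcon]
@="C:\\WINDOWS\\system32\\CONSTRUCTED_redx.ico"
'''

# Legitimate Windows binaries whose names happen to be eight lowercase letters.
KNOWN_GOOD = {"winlogon", "services", "explorer", "userinit"}


def parse_reg(text):
    """Parse the subset of the .reg format that `reg export` writes:
    [key] headers followed by "name"=value lines (the default value is @=value).
    Returns {key: {value_name: raw_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if m and current is not None:
            keys[current]["@" if m.group(1) is None else m.group(1)] = m.group(2)
    return keys


def reg_string(raw):
    """Decode a REG_SZ value as written by reg export (quoted, with backslash-escaped
    backslashes and quotes); other value types (dword:, hex:) are returned unchanged."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def audit(keys):
    """Return (location, reason) findings for a reviewer to check.  These are
    triage heuristics, not a verdict: a hit means 'look at this', not 'malicious'."""
    findings = []
    for name, raw in keys.get(RUN_KEY, {}).items():
        cmd = reg_string(raw)
        for m in re.finditer(r"([A-Za-z0-9_]+)\.(?:dll|exe)", cmd, re.IGNORECASE):
            base = m.group(1)
            if re.fullmatch(r"[a-z]{8}", base) and base not in KNOWN_GOOD:
                findings.append((name, "random-looking 8-letter module name: " + m.group(0)))
        if re.search(r"rundll32(?:\.exe)?\s", cmd, re.IGNORECASE) and "system32" in cmd.lower():
            findings.append((name, "rundll32 loading a DLL from system32 at logon"))
    for key in keys:
        # Any DriveIcons\<letter> subkey overrides that drive's icon in My Computer.
        if key.lower().startswith(EXPLORER_KEY.lower() + "\\driveicon"):
            findings.append((key, "per-drive icon override (explains the red X on C:)"))
    return findings


if __name__ == "__main__":
    for where, why in audit(parse_reg(SAMPLE_REG)):
        print(f"{where}: {why}")
```

    On a real machine the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the same for the Explorer key) run on the affected system, with the file then reviewed from a clean host; the point of the allowlist is that several legitimate Windows binaries also have eight-letter names, so the name check alone is only a prompt to look closer.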

  • Thanks EnterpriseSupport for your excellent guide, I'm sure it will help lots of users rid their systems of this stubborn trojan.


    I looked at two XP Home machines that exhibited the symptoms you described.


    I ran VundoFix v6.7.7 in safe mode, rebooting multiple times to get rid of the many .dll files. However, several files could not be removed by VundoFix so I had to run Pocket Killbox using the "Delete on Reboot" option to get rid of them.


    I found thousands of .tmp files in the root directory, but also in "My Documents" and in "\system32" as well. I ran Start > Search > Files for *.tmp and found over 20,000 temp files! I highlighted all the .tmp files using Ctrl-A and pressed Shift-Del to delete all the files permanently (without sending them to the Recycle Bin).


    Both of these home computers were used by teenagers for IRC and P2P file-sharing. Interestingly, both machines were running an old version of Sun Java, v1.4.2_03. What was most alarming is that both systems had good antivirus products running on them, Symantec Norton 360 and Webroot SpySweeper with Antivirus.


    Regards,


    JD

  • Exactly as EnterpriseSupport described the symptoms (excellent job, btw!).


    ComboFix and VundoFix did find infections, but failed to delete the files.


    So I booted off an Ubuntu 7 live CD (it supports NTFS in read-write mode) and looked at the system32 folder in detail. Removed the infected files that VundoFix discovered, but also found a bunch of .ini files of extraordinary size (around a megabyte each) which were not text files (I just ran `file *.ini`; the real .ini files get detected as ASCII text, while the suspicious ones show as data).


    From the creation dates of these files I figured out the approximate time of infection, and then searched the system32 folder for files created after that date. Found a bunch of .dll files that didn't belong there.


    Removed those too.


    After a reboot, the uggunoew.dll pops up again though :(



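    The live-CD checks in the post above (binary files posing as .ini, modules that appeared after the suspected infection time, and the thousands of pos*.tmp files mentioned earlier in the thread) can be scripted against a mounted or copied drive instead of being done one command at a time. The following is an added example and not the poster's procedure: the sample drive layout is constructed in a temporary folder, `dropped.ini`, `legit.dll` and `qwertyui.dll` are placeholder names, and modification time stands in for the creation time the poster used, since `stat()` on a Linux live CD does not expose NTFS creation time.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Constructed cut-off: a suspected infection time (epoch seconds, December 2007).
CUTOFF = 1_198_000_000


def looks_like_text(path, sample=4096):
    """Rough equivalent of `file` reporting 'ASCII text' versus 'data': the first
    bytes contain no NUL and are almost all printable.  UTF-16 .ini files (which
    do contain NULs) are recognised by their byte-order mark and treated as text."""
    data = Path(path).read_bytes()[:sample]
    if not data or data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return True
    if b"\x00" in data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) > 0.95


def suspicious_ini_files(root, min_size=512 * 1024):
    """The poster's observation: .ini files that are both large and binary."""
    return sorted(p.name for p in Path(root).rglob("*.ini")
                  if p.stat().st_size >= min_size and not looks_like_text(p))


def modules_after(root, cutoff, suffix=".dll"):
    """Modules modified at or after the cut-off.  mtime is used because NTFS
    creation time is not available through stat() on a Linux live CD."""
    return sorted(p.name for p in Path(root).rglob("*" + suffix)
                  if p.stat().st_mtime >= cutoff)


def tmp_file_count(root, prefix="pos"):
    """Count the pos*.tmp droppings in the drive root."""
    return sum(1 for _ in Path(root).glob(prefix + "*.tmp"))


def triage(root, cutoff=CUTOFF):
    """Run the three checks over a drive copy and return the findings."""
    return {
        "binary_ini": suspicious_ini_files(root),
        "new_modules": modules_after(root, cutoff),
        "tmp_files": tmp_file_count(root),
    }


def build_sample(root):
    """Constructed layout mimicking an infected C: drive; every name is a placeholder."""
    sys32 = Path(root) / "system32"
    sys32.mkdir()
    (sys32 / "desktop.ini").write_text("[.ShellClassInfo]\nIconIndex=0\n")
    (sys32 / "dropped.ini").write_bytes(bytes(range(256)) * 4096)   # 1 MiB of binary
    for name, mtime in (("legit.dll", CUTOFF - 86400), ("qwertyui.dll", CUTOFF + 60)):
        path = sys32 / name
        path.write_bytes(b"MZ" + b"\x00" * 62)
        os.utime(path, (mtime, mtime))
    for i in range(25):
        (Path(root) / f"pos{i:03d}.tmp").write_bytes(b"\x00")


def run_demo():
    """Build the constructed drive in a temp folder, triage it, and clean up."""
    root = tempfile.mkdtemp(prefix="vundo_triage_")
    try:
        build_sample(root)
        return triage(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

    Against a real drive you would call `triage("/media/windows", cutoff)` with the mount point of the NTFS volume and the epoch time worked out from the oldest suspicious file, and treat the output as a review list: a module modified after the cut-off may simply be a legitimate update, which is why the post cross-checks its dates against what VundoFix flagged.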
  • Plus, I had to remove


    C:\WINDOWS\system32\shel9


    C:\WINDOWS\system32\oc9


    C:\WINDOWS\system32\ipd1


    C:\WINDOWS\system32\ex1


    and a couple of registry entries that ComboFix identified as suspicious.



  • Everyone: Thank you so much with your help with this. I've been following the instructions on this forum for nearly a week now, and my computer is now in much better shape than it was a few short days ago.


    However, I'm still having a couple of lingering problems. For one, all the programs are taking a long time to load when I start up my computer, though they are running relatively fast once they're up (I'm seeing a few drags here and there, but I'm not sure whether that's just because this virus has made me paranoid).


    Second thing: I'm getting a RUNDLL message shortly after Windows starts up; it's telling me it cannot load C:\WINDOWS\system32\tpichloa.dll. This message appeared after I ran ComboFix the first time. I googled the dll file, but I came up with nothing, so I'm not quite sure what this means for my computer. I just don't want to see this error message from this point forward if it can be fixed.


    Do any of these issues sound familiar to anyone? Any ideas on how to resolve them?


    Thanks!

  • I am having the same issue for about 5 or 6 days now


    Wow!! You are the third user reporting this problem today :o Either this is only a coincidence, or there's a new malware out there that spreads very fast.


    Please find and attach the files that Marius requested (don't forget to archive them, with a password). After that, please post a HijackThis! log.


    Cris.

  • Well, same problem here... it came way down to Brazil (I live here).


    I play MMORPGs and download torrents and HTTP files.


    I don't really use P2P programs (but torrents).


    Well, I have Spybot S&D Monitor... after I "fix" some suspicious thing from HijackThis, the monitor asks me if I want to delete it; I allow it, but then 5 seconds later the monitor asks me if I want to install it...


    And the monitor keeps popping up every 5 seconds about it trying to install itself...


    Anyone got some news?


    I did VundoFix, it deleted some stuff, but some just came back later.


    Cris, do you still need those files?

  • Hello, I have sort of curbed all this. VundoFix found the files but would not remove them for good. I used a spyware program that came with my internet service; it found and removed the spyware. I do not get the error anymore, or the unstable system, but there is still something lingering: my C: is a red X and over it states


    (with EDITED's help we went into the registry: how do I do that so I can see if that fixes my red X?) Please help, this has been many days of trying everything on here and it is very frustrating.

  • I've had this Kernel error 1256 problem for a while now; tried VundoFix and it worked for a day, then it came back. Tried System Restore and VundoFix, then it came back again. Now I am trying to run VundoFix again and the computer just shuts off halfway through. If I try System Restore, same problem, the computer just shuts off. I've tried deleting the 20,000+ .tmp files starting with the letters pol but it gives me an error about referenced memory.


    Starting Windows in safe mode is no help either; it still automatically shuts off the computer after about 3 minutes.


    Any help is appreciated.

  • I have the same problem as stated at the top of this page, but I cannot do much about it because my computer freezes about 2-3 minutes after starting up.


    help?

  • I have the same problem on my friend's PC and I am trying to fix it, so I searched Google and found this forum.


    I have tried the solution that Cris gave, but I could only use it from the command prompt because this computer will not let me into the boot options. Also, when I used the move.bat file with the command prompt, it said that the files that were specified were not there. I have no idea what's going on but I keep getting the errors, and also an error that says that seipclor.dll is missing. Also, ads keep popping up at random in Internet Explorer, even when I'm not using the browser. I have not tried HijackThis! because I have no idea what it is, but I can if necessary.


    Any help would be greatly appreciated.