lzio problem, hijack this log

  1. 20-09-2005  #1
    sabbathunter
    sabbathunter is offline Newbie

    lzio problem, hijack this log

    i am having a devil of the time getting rid of this lzio spyware. i have the log file below. any assistance would be appreciated.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:46:55 AM, on 9/20/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
    C:\WINDOWS\system32\logon.scr
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: (no name) - {1CE48FA6-5FBC-5AB7-A10D-1F089F4F2287} - C:\WINDOWS\system32\vtnbiust\mfbfrnvg.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {71DC8674-63D2-44A2-9822-9A5D78C7F6BA} - (no file)
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
    O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/Wi...nerInstall.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tpco.loc
    O17 - HKLM\Software\..\Telephony: DomainName = tpco.loc
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C8903342-7F22-4FFC-8C1F-F4C3BE5CE8D9}: Domain = tpco.loc
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C8903342-7F22-4FFC-8C1F-F4C3BE5CE8D9}: NameServer = 172.16.105.111,172.16.103.217,172.16.2.3
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tpco.loc
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tpco.loc
    O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\dYd8thk.dll (file missing)
    O21 - SSODL: RealPlayer 6.0 - {F668EF6A-B72E-B79E-394A-301DC929A178} - (no file)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\YWRtaW5pc3RyYXRvcgAA\command.exe (file missing)
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: iunlydwlkt - Unknown owner - C:\WINDOWS\system32\wlkt\iunlyd.exe (file missing)
    O23 - Service: jvyxyvovemik - Unknown owner - C:\WINDOWS\system32\ovemik\jvyxyv.exe
    O23 - Service: mmwxnlhrjbw - Unknown owner - C:\WINDOWS\system32\lhrjbw\mmwxn.exe (file missing)
    O23 - Service: msmunkmnhmgc - Unknown owner - C:\WINDOWS\system32\mnhmgc\msmunk.exe
    O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: wmrxgvpvyxpdw - Unknown owner - C:\WINDOWS\system32\yxpdw\wmrxgvpv.exe (file missing)
    O23 - Service: wxxwtuolctnflgva - Unknown owner - C:\WINDOWS\system32\ctnflgva\wxxwtuol.exe
    O23 - Service: xvkyxcncmhctb - Unknown owner - C:\WINDOWS\system32\mhctb\xvkyxcnc.exe
  2. 20-09-2005  #2
    Neal
    Neal is offline Dedicated Member
    Save 20% on AVG Internet Security 2012 Suite!
    Wow, you are possesed alright.

    Do this scan from safe mode after it is downloaded and installed.

    Safe mode explained here:

    Now reboot into safe mode by tapping your F8 key upon restart and safe mode screen appears, select safe mode and press enter.



    Please download, install, update and scan your system with the free version of Ewido trojan scanner: http://www.ewido.net/en/download/

    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

    2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.

    3. From the main ewido screen, click on UPDATE in the left menu, then click the Start update button.

    4. After the update finishes (the status bar at the bottom will display ("Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run.


    5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.


    6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread, along with a new HijackThis log.


    Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal.


    Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
+ Reply to Thread
« Multiple browsers, same error HJTlog included | HiJack This log... »