Computer Infected With Masiyxanidi And Somthing Else It Appears...



#1 anamnesis
  • Members
  • 1 posts

Posted 01 August 2007 - 12:19 PM

Ok, I've tried getting rid of this trojan... tried to find the fix for the trojan and it appears that Symantec doesn't have it in its definitions. It also looks like it copies itself... anyways... I did a ComboFix and a brand new HijackThis log. First is the ComboFix, then the HijackThis (btw... whatever happened to the site where you could just copy and paste it in the window and it would tell you what has been considered bad? It was so much easier). And thank you in advance for your help :thumbsup:


ComboFix 07-08-01.6 - "Pedro's" 2007-08-01 12:54:44.1 [GMT -4:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bkuyttcm.dll
C:\WINDOWS\system32\efggh.bak1
C:\WINDOWS\system32\efggh.ini
C:\WINDOWS\system32\fhvihwhl.dll
C:\WINDOWS\system32\ggfhk.bak1
C:\WINDOWS\system32\ggfhk.bak2
C:\WINDOWS\system32\ggfhk.ini
C:\WINDOWS\system32\ggfhk.ini2
C:\WINDOWS\system32\ggfhk.tmp
C:\WINDOWS\system32\nvostevs.dll
C:\WINDOWS\system32\opnmmkk.dll
C:\WINDOWS\system32\riofkciu.dll
C:\WINDOWS\system32\yjudlvdc.dll
C:\WINDOWS\system32\yxycf.bak1
C:\WINDOWS\system32\yxycf.bak2
C:\WINDOWS\system32\yxycf.ini
C:\WINDOWS\system32\yxycf.ini2
C:\WINDOWS\system32\yxycf.tmp


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_WINIO
-------\WINIO


((((((((((((((((((((((((( Files Created from 2007-07-01 to 2007-08-01 )))))))))))))))))))))))))))))))


2007-08-01 12:58 69,184 --a------ C:\WINDOWS\system32\plbvtudl.dll
2007-08-01 12:53 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-01 12:16 125,504 --a------ C:\WINDOWS\system32\qtapobbq.dll
2007-08-01 11:35 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-01 10:21 <DIR> d-------- C:\WINDOWS\pss
2007-08-01 10:13 <DIR> d-------- C:\Program Files\CCleaner
2007-08-01 08:34 <DIR> d-------- C:\Program Files\ATS2
2007-07-28 08:08 <DIR> d-------- C:\DOCUME~1\Pedro's\APPLIC~1\My Games
2007-07-28 07:16 <DIR> d-------- C:\Program Files\Firaxis Games
2007-07-28 04:45 228,960 --a------ C:\WINDOWS\system32\fcyxy.dll
2007-07-25 06:17 465 --ahs---- C:\WINDOWS\system32\jianfbyw.ini2
2007-07-24 18:37 126,016 --a------ C:\WINDOWS\system32\wybfnaij.dll
2007-07-22 16:49 1,183,886 --ahs---- C:\WINDOWS\system32\rqsru.bak2
2007-07-22 04:49 6,489 --ahs---- C:\WINDOWS\system32\rqsru.bak1
2007-07-22 04:36 1,184,368 --ahs---- C:\WINDOWS\system32\jillm.bak2
2007-07-21 09:13 6,528 --ahs---- C:\WINDOWS\system32\jillm.bak1
2007-07-21 07:28 6,528 --ahs---- C:\WINDOWS\system32\tuutv.bak1
2007-07-21 04:44 6,489 --ahs---- C:\WINDOWS\system32\xwxbc.bak1
2007-07-20 11:58 6,365 --ahs---- C:\WINDOWS\system32\befhk.bak1
2007-07-20 10:34 6,364 --ahs---- C:\WINDOWS\system32\vyxyb.bak1
2007-07-07 09:13 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-07-07 09:13 <DIR> dr-h----- C:\DOCUME~1\Pedro's\APPLIC~1\SecuROM
2007-07-07 09:05 <DIR> d-------- C:\Program Files\Sierra
2007-07-07 09:04 <DIR> d-------- C:\DOCUME~1\Pedro's\APPLIC~1\InstallShield
2007-07-02 10:56 <DIR> d-------- C:\Program Files\Turbine


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-01 13:05 1012648 ---hs---- C:\WINDOWS\system32\yxycf.bak1
2007-08-01 08:10 --------- d-------- C:\DOCUME~1\Pedro's\APPLIC~1\Skype
2007-07-31 07:01 --------- d-------- C:\Program Files\World of Warcraft
2007-07-28 08:07 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-07-28 07:16 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-21 09:17 --------- d-------- C:\DOCUME~1\Pedro's\APPLIC~1\AdobeUM
2007-07-02 09:19 --------- d-------- C:\Program Files\Starcraft
2007-06-28 09:10 --------- d-------- C:\DOCUME~1\Pedro's\APPLIC~1\DivX
2007-06-20 09:04 --------- d-------- C:\Program Files\Civilization III
2007-06-19 08:57 --------- d-------- C:\Program Files\Google
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-11 13:54 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-11 00:37 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-11 00:37 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-11 00:37 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-11 00:37 740442 --a------ C:\WINDOWS\system32\DivX.dll
2006-09-22 11:26 70936 --a------ C:\DOCUME~1\Pedro's\APPLIC~1\GDIPFONTCACHEV1.DAT
2005-06-11 17:03 298 --a------ C:\Program Files\INSTALL.LOG
2006-11-12 01:48:22 88 --sh--r C:\WINDOWS\system32\788FB22318.sys
2006-11-24 21:07:53 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{273A0BBA-EE83-4D7C-99CA-7CA6F0AC3CEF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4FA9F9D2-3850-40E2-98C2-7CC4952525E3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90058F76-CFBD-450F-89A5-E828ACA3CA67}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B127CC0-A503-423B-A8A4-428521A778B1}]
2007-07-28 04:45 228960 --a------ C:\WINDOWS\system32\fcyxy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9F35A4E-7183-4312-99A5-2A707DE78913}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EssSpkPhone"="essspk.exe" [2002-06-20 22:12 C:\WINDOWS\essspk.exe]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [2002-07-31 05:54]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 05:50 C:\WINDOWS\LOGI_MWX.EXE]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42]
"CamMonitor"="C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-04 16:36]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"VX3000"="C:\WINDOWS\vVX3000.exe" [2006-10-13 17:04]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-01 08:37]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-05 09:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2005-10-14 14:48]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 02:05:26]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-10-14 14:48:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
NetAssistant.lnk - C:\Program Files\NetAssistant\bin\matcli.exe [2005-06-11 17:18:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"ZboardTray"="C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe" /autolaunch

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcyxy]
C:\WINDOWS\system32\fcyxy.dll 2007-07-28 04:45 228960 C:\WINDOWS\system32\fcyxy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggfe]
C:\WINDOWS\system32\hggfe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgg]
C:\WINDOWS\system32\khfgg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllij]
C:\WINDOWS\system32\mllij.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ursqr]
C:\WINDOWS\system32\ursqr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll 2001-12-21 00:34 24576 C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Zboard]
Winlognotif.dll 2003-09-03 07:14 49152 C:\WINDOWS\system32\Winlognotif.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Pedro's^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Pedro's\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck]
C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
"C:\Program Files\Microsoft LifeCam\LifeExp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

R0 uagp35;Microsoft AGPv3.5 Filter;C:\WINDOWS\system32\DRIVERS\uagp35.sys
R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe"
R3 FETNDISB;D-Link DFE-530TX PCI Fast Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\dlkfet5b.sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINDOWS\system32\drivers\msmpu401.sys
S3 Edspport;EDSP Port Driver;C:\WINDOWS\system32\DRIVERS\es56hpi.sys
S3 ENETHUSB;Speedstream Ethernet USB Adapter;C:\WINDOWS\system32\DRIVERS\enethusb.sys
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\fetnd5.sys
S3 VX3000;VX-3000;C:\WINDOWS\system32\DRIVERS\VX3000.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a122c1f1-3c5d-11d9-a76d-806d6172696f}]
AutoRun\command- D:\Setup.EXE


Contents of the 'Scheduled Tasks' folder
2007-08-01 17:07:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-01 13:04:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000001a2

scanning hidden files ...

C:\WINDOWS\system32\yxycf.bak1

scan completed successfully
hidden files: 1

**************************************************************************

Completion time: 2007-08-01 13:07:54 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-01 13:07

--- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:27 PM, on 8/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\vVX3000.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\Hijack\Hijack.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldofwarcraft.com/index.xml;j...619611EAE.app01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {273A0BBA-EE83-4D7C-99CA-7CA6F0AC3CEF} - (no file)
O2 - BHO: (no name) - {4FA9F9D2-3850-40E2-98C2-7CC4952525E3} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {90058F76-CFBD-450F-89A5-E828ACA3CA67} - (no file)
O2 - BHO: (no name) - {9B127CC0-A503-423B-A8A4-428521A778B1} - C:\WINDOWS\system32\fcyxy.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B9F35A4E-7183-4312-99A5-2A707DE78913} - (no file)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\yysfrgby.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\svykljym.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKLM\..\Policies\Explorer\Run: [ZboardTray] "C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe" /autolaunch
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entru...sapplet-epf.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1183117774550
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab55200.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: fcyxy - C:\WINDOWS\system32\fcyxy.dll
O20 - Winlogon Notify: hggfe - C:\WINDOWS\system32\hggfe.dll (file missing)
O20 - Winlogon Notify: khfgg - C:\WINDOWS\system32\khfgg.dll (file missing)
O20 - Winlogon Notify: mllij - C:\WINDOWS\system32\mllij.dll (file missing)
O20 - Winlogon Notify: ursqr - C:\WINDOWS\system32\ursqr.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9808 bytes


#2 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 01 August 2007 - 03:05 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, anamnesis :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Copy and paste ALL the following blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\plbvtudl.dll
C:\WINDOWS\system32\qtapobbq.dll
C:\WINDOWS\system32\fcyxy.dll
C:\WINDOWS\system32\jianfbyw.ini2
C:\WINDOWS\system32\wybfnaij.dll
C:\WINDOWS\system32\rqsru.bak2
C:\WINDOWS\system32\rqsru.bak1
C:\WINDOWS\system32\jillm.bak2
C:\WINDOWS\system32\jillm.bak1
C:\WINDOWS\system32\tuutv.bak1
C:\WINDOWS\system32\xwxbc.bak1
C:\WINDOWS\system32\befhk.bak1
C:\WINDOWS\system32\vyxyb.bak1
C:\WINDOWS\system32\yxycf.bak1

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{273A0BBA-EE83-4D7C-99CA-7CA6F0AC3CEF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4FA9F9D2-3850-40E2-98C2-7CC4952525E3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90058F76-CFBD-450F-89A5-E828ACA3CA67}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B127CC0-A503-423B-A8A4-428521A778B1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9F35A4E-7183-4312-99A5-2A707DE78913}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcyxy]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggfe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgg]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllij]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ursqr]

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.
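The CFScript above is built by hand from the O2 (BHO) and O20 (Winlogon Notify) lines of the HijackThis log and the matching "Reg Loading Points" keys in the ComboFix log. The following is an added example, not RichieUK's procedure nor any ComboFix or HijackThis code: it parses those two HijackThis line types and emits a script in the same File::/Registry:: layout. Orphaned entries ("(no file)" / "(file missing)") only get their load-point key removed; a DLL is listed under File:: only when the analyst names it in the `flagged_files` set (here fcyxy.dll, as in the reply), and everything else is left alone. The sample log lines are an excerpt of the log posted above.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample: the O2 (BHO) and O20 (Winlogon Notify) lines from the
# HijackThis log posted above. Only these two entry types are handled here.
HJT_SAMPLE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {273A0BBA-EE83-4D7C-99CA-7CA6F0AC3CEF} - (no file)
O2 - BHO: (no name) - {9B127CC0-A503-423B-A8A4-428521A778B1} - C:\WINDOWS\system32\fcyxy.dll
O20 - Winlogon Notify: fcyxy - C:\WINDOWS\system32\fcyxy.dll
O20 - Winlogon Notify: hggfe - C:\WINDOWS\system32\hggfe.dll (file missing)
"""

# Line shapes as HijackThis prints them; the registry keys are the ones
# ComboFix lists under "Reg Loading Points" and accepts in a CFScript.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
BHO_KEY = "HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{%s}"
NOTIFY_KEY = "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\%s"


def parse_hjt(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per O2/O20 line: its load-point key and the DLL path
    (None when HijackThis reports '(no file)' / '(file missing)')."""
    entries: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        line = line.strip()
        if m := BHO_RE.match(line):
            path = m.group("path")
            entries.append({"kind": "O2", "key": BHO_KEY % m.group("clsid"),
                            "path": None if path == "(no file)" else path})
        elif m := NOTIFY_RE.match(line):
            entries.append({"kind": "O20", "key": NOTIFY_KEY % m.group("name"),
                            "path": None if m.group("missing") else m.group("path")})
    return entries


def build_cfscript(entries: List[Dict[str, Optional[str]]], flagged_files: Set[str]) -> str:
    """Build a CFScript in the File::/Registry:: layout used in the reply above.
    flagged_files: DLL file names the analyst has decided are malicious (assumption:
    that decision is made outside this function). Orphaned entries only get their
    registry key removed (nothing on disk to delete); flagged DLLs get the file
    deleted plus every load point that references them; all else is untouched."""
    flagged = {f.lower() for f in flagged_files}
    files: List[str] = []
    keys: List[str] = []
    for e in entries:
        path = e["path"]
        if path is None:
            keys.append(e["key"])
        elif path.rsplit("\\", 1)[-1].lower() in flagged:
            if path not in files:
                files.append(path)
            keys.append(e["key"])
    lines = ["File::", *files, "", "Registry::", *("[-%s]" % k for k in keys)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(parse_hjt(HJT_SAMPLE), {"fcyxy.dll"}))
```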



