
My Pc Is Crawling - Please Help


This topic is locked
13 replies to this topic

#1 Ashish M

Posted 11 August 2007 - 12:56 PM

Hi,

My PC has been crawling for about a month now. My sister accidentally let WinAntiSpyware be installed on the PC. I removed it and also ran ComboFix.exe and Dr.Web CureIt (in safe mode); however, I still get popups. My internet is also very slow, and so is my PC.

Here is the HJT log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:56:39 PM, on 8/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\WINDOWS\system32\atiptaxx.exe
E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SNM] E:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "E:\WINDOWS\system32\dvvkrnwg.dll",forkonce
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Vidalia] "E:\Program Files\Vidalia\vidalia.exe"
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Privoxy.lnk = E:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - E:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O24 - Desktop Component 0: (no name) - E:\Program Files\Internet Explorer\prohdyxesi.html

--
End of file - 4123 bytes



Please let me know what I can do to fix this issue.


Thanks,
Ashish M


#2 RichieUK

Malware Response Team

Posted 11 August 2007 - 01:28 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Ashish M.
My name is Richie and I'll be helping you to fix your problems.

First of all, you've no virus protection installed.
Download/install one of the following freeware options from the choice below.
Once installed, update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic:
http://www.free-av.com/

--------------------------------------------------------

With you having Service Pack 2 installed, I'm presuming you're using the Windows Firewall.
If you're not using Windows Firewall, or you require a more robust free third-party firewall, then download/install one of the following freeware choices:

Outpost Firewall Free:
http://www.agnitum.com/products/outpostfree/index.php

Sygate Personal Firewall Free Edition:
http://www.filehippo.com/download_sygate_personal_firewall/

Zone Alarm Free:
http://download.zonelabs.com/bin/free/1001..._737_000_en.exe

Comodo Personal Firewall:
http://www.personalfirewall.comodo.com/

You may want to read the following.
Understanding and Using Firewalls:
http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

--------------------------------------------------------

Download ComboFix and save it to your desktop:
Note:
It is important that it is saved directly to your desktop.

Close any open browsers.
Double click on ComboFix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

--------------------------------------------------------

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right-click on HijackThis.exe, select 'Rename', and rename it to abc.bat.
Double click on abc.bat (which is still HijackThis.exe) and post that log into your next reply please.

#3 Ashish M

Ashish M
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:40 AM

Posted 12 August 2007 - 10:47 AM

Richie, thanks for helping me out.

I installed: AVG7 Free Edition Antivirus and Sygate Personal Firewall Free Edition.

Also, here is the log of ComboFix:

ComboFix 07-08-12 - "Ashish" 2007-08-12 11:35:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.136 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


E:\DOCUME~1\Monika\APPLIC~1\.rdr.ini
E:\DOCUME~1\Munish\APPLIC~1\..\err.log
E:\DOCUME~1\Munish\APPLIC~1\.rdr.ini
E:\DOCUME~1\NETWOR~1\APPLIC~1\.rdr.ini
E:\Program Files\codec_setup.exe
E:\Program Files\folder.js\
E:\WINDOWS\Casino.ico
E:\WINDOWS\Free Online Dating.ico
E:\WINDOWS\Spyware Remover.ico
E:\WINDOWS\system32\dvvkrnwg.dll
E:\WINDOWS\system32\elwpiasx.ini
E:\WINDOWS\system32\gnuanknn.dll
E:\WINDOWS\system32\gwnrkvvd.ini
E:\WINDOWS\system32\jdgnaowf.dll
E:\WINDOWS\system32\NSIS.Library.RegTool.v2.{24674DBF-99A4-483E-9F3B-358AF3264A37}.exe
E:\WINDOWS\system32\rxwsjhvt.dll
E:\WINDOWS\system32\T11
E:\WINDOWS\system32\tvhjswxr.ini
E:\WINDOWS\system32\twxyb.bak1
E:\WINDOWS\system32\twxyb.bak2
E:\WINDOWS\system32\twxyb.ini
E:\WINDOWS\system32\twxyb.ini2
E:\WINDOWS\system32\twxyb.tmp
E:\WINDOWS\system32\xsaipwle.dll
E:\WINDOWS\uni_eh44.exe
E:\WINDOWS\uninst1014.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))


2007-08-12 10:52 75,328 --a------ E:\WINDOWS\system32\woyhavdq.exe
2007-08-12 10:38 83,096 --a------ E:\WINDOWS\system32\SSSensor.dll
2007-08-12 10:38 60,496 --a------ E:\WINDOWS\system32\drivers\Teefer.sys
2007-08-12 10:38 21,075 --a------ E:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-08-12 10:38 14,568 --a------ E:\WINDOWS\system32\drivers\wg6n.sys
2007-08-12 10:38 14,568 --a------ E:\WINDOWS\system32\drivers\wg5n.sys
2007-08-12 10:38 14,568 --a------ E:\WINDOWS\system32\drivers\wg4n.sys
2007-08-12 10:38 14,568 --a------ E:\WINDOWS\system32\drivers\wg3n.sys
2007-08-12 10:37 <DIR> d-------- E:\Program Files\Sygate
2007-08-12 10:37 <DIR> d-------- E:\Program Files\Common Files\Wise Installation Wizard
2007-08-11 14:59 75,328 --a------ E:\WINDOWS\system32\qofuivbe.exe
2007-08-11 14:56 66,112 --a------ E:\WINDOWS\system32\bpjikkat.exe
2007-08-11 13:56 <DIR> d-------- E:\Program Files\Trend Micro
2007-08-11 13:35 75,328 --a------ E:\WINDOWS\system32\nyxsnhto.exe
2007-08-11 13:32 66,112 --a------ E:\WINDOWS\system32\cwebwxjp.exe
2007-08-11 13:29 66,112 --a------ E:\WINDOWS\system32\ykpcqmpx.exe
2007-08-11 11:10 75,328 --a------ E:\WINDOWS\system32\fbajuosq.exe
2007-08-11 01:09 75,328 --a------ E:\WINDOWS\system32\puehofqb.exe
2007-08-10 23:27 75,328 --a------ E:\WINDOWS\system32\fhddpegg.exe
2007-08-10 23:24 66,112 --a------ E:\WINDOWS\system32\xwkapjnk.exe
2007-08-09 23:23 75,328 --a------ E:\WINDOWS\system32\rjpowvqg.exe
2007-08-09 22:20 66,112 --a------ E:\WINDOWS\system32\yowgwdho.exe
2007-08-09 00:33 75,328 --a------ E:\WINDOWS\system32\eiwunogl.exe
2007-08-09 00:01 75,328 --a------ E:\WINDOWS\system32\qwhnbcpv.exe
2007-08-07 16:14 66,112 --a------ E:\WINDOWS\system32\glnkgypa.exe
2007-08-07 16:11 66,112 --a------ E:\WINDOWS\system32\hjinqknp.exe
2007-08-06 10:55 66,112 --a------ E:\WINDOWS\system32\pwocecjl.exe
2007-08-05 13:25 <DIR> d-------- E:\DOCUME~1\Ashish\DoctorWeb
2007-07-29 12:06 <DIR> d-------- E:\DOCUME~1\Monika\DoctorWeb
2007-07-29 11:46 51,200 --a------ E:\WINDOWS\nircmd.exe
2007-07-28 19:52 664 --a------ E:\WINDOWS\system32\d3d9caps.dat
2007-07-25 22:42 1,152 --a------ E:\WINDOWS\system32\windrv.sys
2007-07-25 22:42 <DIR> d-------- E:\Program Files\SpyNoMore
2007-07-25 22:42 <DIR> d-------- E:\Program Files\Common Files\Download Manager
2007-07-25 22:42 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-25 20:13 <DIR> d-------- E:\DOCUME~1\Munish\APPLIC~1\?ecurity
2007-07-25 20:12 <DIR> d-------- E:\DOCUME~1\Munish\APPLIC~1\??sks
2007-07-24 23:09 89,088 --a------ E:\WINDOWS\system32\atl71.dll
2007-07-24 23:09 499,712 --a------ E:\WINDOWS\system32\msvcp71.dll
2007-07-24 23:09 348,160 --a------ E:\WINDOWS\system32\msvcr71.dll
2007-07-24 23:09 1,060,864 --a------ E:\WINDOWS\system32\mfc71.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-12 11:25 --------- d-------- E:\DOCUME~1\Ashish\APPLIC~1\Vidalia
2007-08-12 11:24 --------- d-------- E:\DOCUME~1\Ashish\APPLIC~1\Tor
2007-08-12 10:44 --------- d-------- E:\DOCUME~1\Ashish\APPLIC~1\Azureus
2007-08-08 00:51 155648 --a------ E:\WINDOWS\system32\libssl32.dll
2007-08-05 12:24 --------- d-------- E:\DOCUME~1\Ashish\APPLIC~1\Apple Computer
2007-07-29 11:53 --------- d-------- E:\Program Files\Windows NT
2007-07-11 22:35 131 --a------ E:\WINDOWS\system32\winroot.bat
2007-06-14 05:22 2231 --a------ E:\Program Files\folder.js
2007-05-23 21:09 87608 --a------ E:\DOCUME~1\Ashish\APPLIC~1\inst.exe
2007-05-23 21:09 47360 --a------ E:\DOCUME~1\Ashish\APPLIC~1\pcouffin.sys
2007-05-16 11:12 86528 --a--c--- E:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --a--c--- E:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a--c--- E:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 683520 --a------ E:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 510976 --a--c--- E:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --a--c--- E:\WINDOWS\system32\dllcache\msoe.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39CD26CC-709C-4245-8465-8DAEEEBA58A3}]
E:\WINDOWS\system32\byxwt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 21:53]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2007-02-16 13:54]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 22:05]
"AtiPTA"="atiptaxx.exe" [2002-01-11 02:40 E:\WINDOWS\system32\atiptaxx.exe]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SmcService"="E:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"AVG7_CC"="E:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-12 11:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 16:49]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - E:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04]
Privoxy.lnk - E:\Program Files\Privoxy\privoxy.exe [2006-11-20 10:30:54]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= E:\Program Files\Internet Explorer\prohdyxesi.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwt]
E:\WINDOWS\system32\byxwt.dll

R1 ati2mtaa;ati2mtaa;E:\WINDOWS\system32\DRIVERS\ati2mtaa.sys
R3 EL90X;3Com EtherLink XL 90X Adapter Driver;E:\WINDOWS\system32\DRIVERS\el90xnd5.sys
S3 ATICDSDr;ATICDSDr;\??\E:\DOCUME~1\Ashish\LOCALS~1\Temp\{2B8D9CCD-275D-44D2-813C-99ECB38BA067}\atiicdxx.sys


Contents of the 'Scheduled Tasks' folder
2007-08-09 12:25:05 E:\WINDOWS\Tasks\AppleSoftwareUpdate.job - E:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 11:39:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-12 11:41:37 - machine was rebooted
E:\ComboFix-quarantined-files.txt ... 2007-08-12 11:41
E:\ComboFix2.txt ... 2007-08-05 12:59
E:\ComboFix3.txt ... 2007-07-31 20:49

--- E O F ---



Here is the log file for HijackThis (after renaming to abc.bat):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:46 AM, on 8/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\WINDOWS\system32\atiptaxx.exe
E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
E:\Program Files\Privoxy\privoxy.exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
E:\WINDOWS\system32\wuauclt.exe
E:\WINDOWS\system32\notepad.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39CD26CC-709C-4245-8465-8DAEEEBA58A3} - E:\WINDOWS\system32\byxwt.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - E:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Privoxy.lnk = E:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - E:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - Winlogon Notify: byxwt - E:\WINDOWS\system32\byxwt.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O24 - Desktop Component 0: (no name) - E:\Program Files\Internet Explorer\prohdyxesi.html

--
End of file - 6371 bytes


Please let me know what I should do next.


Thanks,
Ashish M

#4 RichieUK

Malware Response Team

Posted 12 August 2007 - 11:38 AM

Copy and paste ALL the following blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

File::
E:\WINDOWS\system32\woyhavdq.exe
E:\WINDOWS\system32\qofuivbe.exe
E:\WINDOWS\system32\bpjikkat.exe
E:\WINDOWS\system32\nyxsnhto.exe
E:\WINDOWS\system32\cwebwxjp.exe
E:\WINDOWS\system32\ykpcqmpx.exe
E:\WINDOWS\system32\fbajuosq.exe
E:\WINDOWS\system32\puehofqb.exe
E:\WINDOWS\system32\fhddpegg.exe
E:\WINDOWS\system32\xwkapjnk.exe
E:\WINDOWS\system32\rjpowvqg.exe
E:\WINDOWS\system32\yowgwdho.exe
E:\WINDOWS\system32\eiwunogl.exe
E:\WINDOWS\system32\qwhnbcpv.exe
E:\WINDOWS\system32\glnkgypa.exe
E:\WINDOWS\system32\hjinqknp.exe
E:\WINDOWS\system32\pwocecjl.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwt]

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

[Image: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.
Let me know how your PC is running now.
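RichieUK's CFScript above lists executables picked out of the ComboFix "Files Created" section in the previous post. The Python below is an added example, not code from the thread, ComboFix or HijackThis: it parses that section and flags the pattern those entries share (executables with random eight-letter names and repeating exact sizes dropped into system32), then renders the result as a File:: block for review. Section banners, line layout and file names are taken from the log posted above; the size-cluster heuristic and all function names are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the "Files Created" section of the
# ComboFix log in the second post, trimmed, with benign entries kept for
# contrast, plus the start of the next section to show where parsing stops.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))


2007-08-12 10:52 75,328 --a------ E:\WINDOWS\system32\woyhavdq.exe
2007-08-12 10:38 83,096 --a------ E:\WINDOWS\system32\SSSensor.dll
2007-08-12 10:38 60,496 --a------ E:\WINDOWS\system32\drivers\Teefer.sys
2007-08-12 10:37 <DIR> d-------- E:\Program Files\Sygate
2007-08-11 14:59 75,328 --a------ E:\WINDOWS\system32\qofuivbe.exe
2007-08-11 14:56 66,112 --a------ E:\WINDOWS\system32\bpjikkat.exe
2007-08-11 13:35 75,328 --a------ E:\WINDOWS\system32\nyxsnhto.exe
2007-08-11 13:32 66,112 --a------ E:\WINDOWS\system32\cwebwxjp.exe
2007-07-29 11:46 51,200 --a------ E:\WINDOWS\nircmd.exe
2007-07-24 23:09 89,088 --a------ E:\WINDOWS\system32\atl71.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-08 00:51 155648 --a------ E:\WINDOWS\system32\libssl32.dll
"""

# One ComboFix file line: date, time, size or <DIR>, nine attribute flags, path.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S{9}) (?P<path>.+?)\s*$"
)
# Section banners are a title wrapped in runs of parentheses.
BANNER_RE = re.compile(r"^\(+\s*(?P<title>.+?)\s*\)+$")
# Eight lowercase letters plus .exe: the naming scheme of the dropped files.
RANDOM_EXE_RE = re.compile(r"^[a-z]{8}\.exe$")


def parse_files_created(log_text):
    """Return the file entries (directories skipped) listed under the
    'Files Created' banner, stopping at the next section banner."""
    entries, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        banner = BANNER_RE.match(line)
        if banner:
            in_section = banner.group("title").startswith("Files Created")
            continue
        if not in_section:
            continue
        m = ENTRY_RE.match(line)
        if not m or m.group("size") == "<DIR>":
            continue
        path = m.group("path")
        folder, _, name = path.rpartition("\\")
        entries.append({
            "date": m.group("date"),
            "size": int(m.group("size").replace(",", "")),
            "folder": folder,
            "name": name,
            "path": path,
        })
    return entries


def suspicious_clusters(entries, min_count=2):
    """Group random-named .exe files dropped straight into system32 by exact
    size and return {size: [paths]} for sizes seen at least min_count times.
    The same byte count recurring under fresh random names day after day is
    the pattern behind the File:: list in the post above (an assumed
    heuristic for this example, not a ComboFix rule)."""
    by_size = defaultdict(list)
    for e in entries:
        in_system32 = e["folder"].lower().endswith("\\windows\\system32")
        if in_system32 and RANDOM_EXE_RE.match(e["name"]):
            by_size[e["size"]].append(e["path"])
    return {size: paths for size, paths in by_size.items()
            if len(paths) >= min_count}


def cfscript_file_section(clusters):
    """Render the flagged paths as a CFScript File:: block in the layout the
    post above uses, as a draft for a human to check before it is used."""
    paths = sorted(p for group in clusters.values() for p in group)
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    found = suspicious_clusters(parse_files_created(SAMPLE_LOG))
    for size, paths in sorted(found.items()):
        print(f"{len(paths)} files of {size:,} bytes:")
        for p in paths:
            print("   ", p)
    print(cfscript_file_section(found))
```

On the full log from the second post the same rule picks out all seventeen paths in RichieUK's File:: list and nothing else.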

#5 Ashish M

Posted 12 August 2007 - 01:03 PM

Thanks for the reply. I actually ran AVG first and then dragged CFScript to ComboFix.exe.

Here is the log file of ComboFix:


ComboFix 07-08-12 - "Ashish" 2007-08-12 13:54:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.141 [GMT -4:00]
Command switches used :: E:\Documents and Settings\Ashish\Desktop\CFScript.txt
* Created a new restore point

FILE::
E:\WINDOWS\system32\woyhavdq.exe
E:\WINDOWS\system32\qofuivbe.exe
E:\WINDOWS\system32\bpjikkat.exe
E:\WINDOWS\system32\nyxsnhto.exe
E:\WINDOWS\system32\cwebwxjp.exe
E:\WINDOWS\system32\ykpcqmpx.exe
E:\WINDOWS\system32\fbajuosq.exe
E:\WINDOWS\system32\puehofqb.exe
E:\WINDOWS\system32\fhddpegg.exe
E:\WINDOWS\system32\xwkapjnk.exe
E:\WINDOWS\system32\rjpowvqg.exe
E:\WINDOWS\system32\yowgwdho.exe
E:\WINDOWS\system32\eiwunogl.exe
E:\WINDOWS\system32\qwhnbcpv.exe
E:\WINDOWS\system32\glnkgypa.exe
E:\WINDOWS\system32\hjinqknp.exe
E:\WINDOWS\system32\pwocecjl.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


E:\Program Files\folder.js\
E:\WINDOWS\system32\eiwunogl.exe
E:\WINDOWS\system32\fbajuosq.exe
E:\WINDOWS\system32\fhddpegg.exe
E:\WINDOWS\system32\nyxsnhto.exe
E:\WINDOWS\system32\puehofqb.exe
E:\WINDOWS\system32\qofuivbe.exe
E:\WINDOWS\system32\qwhnbcpv.exe
E:\WINDOWS\system32\rjpowvqg.exe
E:\WINDOWS\system32\woyhavdq.exe


((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))


2007-08-12 10:38 83,096 --a------ E:\WINDOWS\system32\SSSensor.dll
2007-08-12 10:38 60,496 --a------ E:\WINDOWS\system32\drivers\Teefer.sys
2007-08-12 10:38 21,075 --a------ E:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-08-12 10:38 14,568 --a------ E:\WINDOWS\system32\drivers\wg6n.sys
2007-08-12 10:38 14,568 --a------ E:\WINDOWS\system32\drivers\wg5n.sys
2007-08-12 10:38 14,568 --a------ E:\WINDOWS\system32\drivers\wg4n.sys
2007-08-12 10:38 14,568 --a------ E:\WINDOWS\system32\drivers\wg3n.sys
2007-08-12 10:37 <DIR> d-------- E:\Program Files\Sygate
2007-08-12 10:37 <DIR> d-------- E:\Program Files\Common Files\Wise Installation Wizard
2007-08-11 13:56 <DIR> d-------- E:\Program Files\Trend Micro
2007-08-05 13:25 <DIR> d-------- E:\DOCUME~1\Ashish\DoctorWeb
2007-07-29 12:06 <DIR> d-------- E:\DOCUME~1\Monika\DoctorWeb
2007-07-29 11:46 51,200 --a------ E:\WINDOWS\nircmd.exe
2007-07-28 19:52 664 --a------ E:\WINDOWS\system32\d3d9caps.dat
2007-07-25 22:42 1,152 --a------ E:\WINDOWS\system32\windrv.sys
2007-07-25 22:42 <DIR> d-------- E:\Program Files\SpyNoMore
2007-07-25 22:42 <DIR> d-------- E:\Program Files\Common Files\Download Manager
2007-07-25 22:42 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-25 20:13 <DIR> d-------- E:\DOCUME~1\Munish\APPLIC~1\?ecurity
2007-07-25 20:12 <DIR> d-------- E:\DOCUME~1\Munish\APPLIC~1\??sks
2007-07-24 23:09 89,088 --a------ E:\WINDOWS\system32\atl71.dll
2007-07-24 23:09 499,712 --a------ E:\WINDOWS\system32\msvcp71.dll
2007-07-24 23:09 348,160 --a------ E:\WINDOWS\system32\msvcr71.dll
2007-07-24 23:09 1,060,864 --a------ E:\WINDOWS\system32\mfc71.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-12 13:51 --------- d-------- E:\Program Files\Avi Player
2007-08-12 11:25 --------- d-------- E:\DOCUME~1\Ashish\APPLIC~1\Vidalia
2007-08-12 11:24 --------- d-------- E:\DOCUME~1\Ashish\APPLIC~1\Tor
2007-08-12 10:44 --------- d-------- E:\DOCUME~1\Ashish\APPLIC~1\Azureus
2007-08-08 00:51 155648 --a------ E:\WINDOWS\system32\libssl32.dll
2007-08-05 12:24 --------- d-------- E:\DOCUME~1\Ashish\APPLIC~1\Apple Computer
2007-07-29 11:53 --------- d-------- E:\Program Files\Windows NT
2007-07-11 22:35 131 --a------ E:\WINDOWS\system32\winroot.bat
2007-06-14 05:22 2231 --a------ E:\Program Files\folder.js
2007-05-23 21:09 87608 --a------ E:\DOCUME~1\Ashish\APPLIC~1\inst.exe
2007-05-23 21:09 47360 --a------ E:\DOCUME~1\Ashish\APPLIC~1\pcouffin.sys
2007-05-16 11:12 86528 --a--c--- E:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --a--c--- E:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a--c--- E:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 683520 --a------ E:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 510976 --a--c--- E:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --a--c--- E:\WINDOWS\system32\dllcache\msoe.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39CD26CC-709C-4245-8465-8DAEEEBA58A3}]
E:\WINDOWS\system32\byxwt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 21:53]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2007-02-16 13:54]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 22:05]
"AtiPTA"="atiptaxx.exe" [2002-01-11 02:40 E:\WINDOWS\system32\atiptaxx.exe]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SmcService"="E:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"AVG7_CC"="E:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-12 11:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 16:49]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - E:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04]
Privoxy.lnk - E:\Program Files\Privoxy\privoxy.exe [2006-11-20 10:30:54]

R1 ati2mtaa;ati2mtaa;E:\WINDOWS\system32\DRIVERS\ati2mtaa.sys
R3 EL90X;3Com EtherLink XL 90X Adapter Driver;E:\WINDOWS\system32\DRIVERS\el90xnd5.sys
S3 ATICDSDr;ATICDSDr;\??\E:\DOCUME~1\Ashish\LOCALS~1\Temp\{2B8D9CCD-275D-44D2-813C-99ECB38BA067}\atiicdxx.sys


Contents of the 'Scheduled Tasks' folder
2007-08-09 12:25:05 E:\WINDOWS\Tasks\AppleSoftwareUpdate.job - E:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 13:56:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-12 13:57:59
E:\ComboFix-quarantined-files.txt ... 2007-08-12 13:57
E:\ComboFix2.txt ... 2007-08-12 11:41
E:\ComboFix3.txt ... 2007-08-05 12:59

--- E O F ---



Here is the log file of HijackThis:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:02:03 PM, on 8/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\WINDOWS\system32\atiptaxx.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
E:\WINDOWS\explorer.exe
E:\WINDOWS\system32\notepad.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39CD26CC-709C-4245-8465-8DAEEEBA58A3} - E:\WINDOWS\system32\byxwt.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - E:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Privoxy.lnk = E:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - E:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6075 bytes


My pc is def. responding much faster and also I am not getting popups now either. :thumbsup:

Please let me know if I need to do anything else.


Thanks,
Ashish M

#6 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 12 August 2007 - 01:22 PM

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {39CD26CC-709C-4245-8465-8DAEEEBA58A3} - E:\WINDOWS\system32\byxwt.dll (file missing)

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your pc is running now.


#7 Ashish M (Topic Starter, Members, 7 posts)

Posted 14 August 2007 - 09:58 PM

Thanks for your help.

Here is the log file of SuperAntiSpyware:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/14/2007 at 10:28 PM

Application Version : 3.9.1008

Core Rules Database Version : 3284
Trace Rules Database Version: 1295

Scan type : Complete Scan
Total Scan Time : 01:14:36

Memory items scanned : 380
Memory threats detected : 0
Registry items scanned : 5376
Registry threats detected : 0
File items scanned : 28876
File threats detected : 64

Adware.Tracking Cookie
E:\Documents and Settings\Ashish\Cookies\ashish@specificclick[1].txt
E:\Documents and Settings\Ashish\Cookies\ashish@ad[1].txt
E:\Documents and Settings\Ashish\Cookies\ashish@trafficmp[1].txt
E:\Documents and Settings\Ashish\Cookies\ashish@tribalfusion[2].txt
E:\Documents and Settings\Ashish\Cookies\ashish@ads.cobrad[1].txt
E:\Documents and Settings\Ashish\Cookies\ashish@adopt.specificclick[2].txt
E:\Documents and Settings\Ashish\Cookies\ashish@advertising[2].txt
E:\Documents and Settings\Ashish\Cookies\ashish@doubleclick[1].txt
E:\Documents and Settings\Ashish\Cookies\ashish@ads.cnn[2].txt
E:\Documents and Settings\Ashish\Cookies\ashish@ad.yieldmanager[2].txt
E:\Documents and Settings\Ashish\Cookies\ashish@adinterax[1].txt
E:\Documents and Settings\Ashish\Cookies\ashish@adecn[2].txt
E:\Documents and Settings\Ashish\Cookies\ashish@adrevolver[2].txt
E:\Documents and Settings\Ashish\Cookies\ashish@www.burstnet[2].txt
E:\Documents and Settings\Ashish\Cookies\ashish@atdmt[2].txt
E:\Documents and Settings\Ashish\Cookies\ashish@burstnet[1].txt
E:\Documents and Settings\Ashish\Cookies\ashish@realmedia[2].txt
E:\Documents and Settings\Ashish\Cookies\ashish@edge.ru4[2].txt
E:\Documents and Settings\Ashish\Cookies\ashish@ad.iconadserver[2].txt
E:\Documents and Settings\Ashish\Cookies\ashish@casalemedia[1].txt
E:\Documents and Settings\Ashish\Cookies\ashish@reduxads.valuead[1].txt
E:\Documents and Settings\Ashish\Cookies\ashish@yadro[1].txt
E:\Documents and Settings\Ashish\Cookies\ashish@m.rmbclick[2].txt
E:\Documents and Settings\Ashish\Cookies\ashish@indiads[1].txt
E:\Documents and Settings\Ashish\Cookies\ashish@zedo[2].txt
E:\Documents and Settings\Ashish\Cookies\ashish@adrevolver[3].txt
E:\Documents and Settings\Ashish\Cookies\ashish@2o7[2].txt
E:\Documents and Settings\Ashish\Cookies\ashish@ad.coupons[2].txt
E:\Documents and Settings\Ashish\Cookies\ashish@statcounter[1].txt
E:\Documents and Settings\Ashish\Cookies\ashish@ads.addynamix[2].txt
E:\Documents and Settings\Ashish\Cookies\ashish@qnsr[1].txt
E:\Documents and Settings\Ashish\Cookies\ashish@ad.reduxmedia[2].txt
E:\Documents and Settings\Ashish\Cookies\ashish@ad1.clickhype[1].txt
E:\Documents and Settings\Ashish\Cookies\ashish@advantage20.mootermedia[2].txt
E:\Documents and Settings\Ashish\Cookies\ashish@mediaplex[1].txt
E:\Documents and Settings\Ashish\Cookies\ashish@www.burstbeacon[1].txt
E:\Documents and Settings\Ashish\Cookies\ashish@tremor.adbureau[2].txt
E:\Documents and Settings\Ashish\Cookies\ashish@cgi-bin[1].txt
E:\WINDOWS\system32\config\systemprofile\Cookies\system@redorbit[1].txt
E:\WINDOWS\system32\config\systemprofile\Cookies\system@tacoda[2].txt
E:\WINDOWS\system32\config\systemprofile\Cookies\system@zedo[1].txt

Trojan.ZenoSearch
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP78\A0015813.EXE

Adware.ZenoSearch
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP78\A0015814.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP78\A0015815.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP78\A0015816.EXE

Adware.Mirar/NetNucleus
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP78\A0015817.DLL
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP78\A0015818.DLL
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP78\A0015819.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP78\A0015820.EXE

Adware.ClickSpring/Resident
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP78\A0015821.DLL
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP78\A0015822.DLL
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP78\A0015823.DLL

Trojan.ZQuest
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP78\A0015824.DLL
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP78\A0015825.DLL

Adware.ClickSpring
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP78\A0015826.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP78\A0015827.EXE

Trojan.Unknown Origin
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP78\A0015828.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP78\A0015829.EXE

Trojan.TagASaurus
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP78\A0015830.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP78\A0015831.EXE

Adware.Search2Find
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP78\A0015832.LNK
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP78\A0015833.LNK
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP78\A0015834.LNK

Trace.Known Threat Sources
E:\Documents and Settings\Ashish\Local Settings\Temporary Internet Files\Content.IE5\S563ODYJ\CARBP5G6.swf


Here is the log file of HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:26 PM, on 8/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\WINDOWS\system32\atiptaxx.exe
E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINDOWS\system32\wuauclt.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\Trend Micro\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - E:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Privoxy.lnk = E:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - E:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6198 bytes




Also, I did all this cleaning up under my account. However, when my sister logs in under her account, it still launches MagicAntiSpy (which was listed as a virus I think). Do you know why this is?


Please let me know what else I need to do. And again thanks a lot for your help.



Regards,
Ashish M
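As an added example (not from this thread or from any tool mentioned in it), here is a small Python triage script for HijackThis O2/O4 lines: it flags BHO entries whose DLL is missing or unnamed, flags Run entries that launch from a user profile or contain a '?' (a character the ANSI log could not print), and groups Run entries by which accounts they apply to. That grouping is the point behind the question above: HKCU entries belong only to the logged-in user, so a log taken from one account cannot show what another account launches. The sample lines are copied from the logs above, plus one line marked as constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the HijackThis logs in this thread.
# Every line except the one keyed [Constructed] is copied from the logs
# above; the [Constructed] line is made up to exercise the path checks.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39CD26CC-709C-4245-8465-8DAEEEBA58A3} - E:\WINDOWS\system32\byxwt.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Constructed] "E:\DOCUME~1\Someone\APPLIC~1\s?mple.exe" -x
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - Global Startup: Privoxy.lnk = E:\Program Files\Privoxy\privoxy.exe
"""

# O2: "O2 - BHO: <name> - {<CLSID>} - <dll path>[ (file missing)]"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)"
    r"(?P<missing> \(file missing\))?$"
)
# O4: "O4 - <location>: <rest>"; the location never contains a colon.
RUN_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?P<rest>.*)$")
# First executable-looking token of a command line, quoted or not.
CMD_RE = re.compile(
    r'^"?(?P<path>.+?\.(?:exe|dll|bat|cmd|scr|com|pif|lnk))"?(?=\s|$)', re.I
)
# Heuristic: autostarts launched from a user profile or a temp directory,
# rather than Program Files or the Windows directory, deserve a second look.
SUSPECT_DIRS = ("\\docume~1\\", "\\documents and settings\\", "\\applic~1\\",
                "\\application data\\", "\\temp\\")


def parse_hjt(text):
    """Return dicts for the O2 (BHO) and O4 (autostart) lines; ignore the rest."""
    entries = []
    for line in text.splitlines():
        m = BHO_RE.match(line)
        if m:
            entries.append({"type": "O2", "name": m["name"], "clsid": m["clsid"],
                            "path": m["path"], "missing": m["missing"] is not None,
                            "line": line})
            continue
        m = RUN_RE.match(line)
        if m:
            rest = m["rest"]
            if rest.startswith("["):                 # registry Run value
                key, _, cmd = rest[1:].partition("] ")
            else:                                    # Startup-folder shortcut
                key, _, cmd = rest.partition(" = ")
            pm = CMD_RE.match(cmd)
            entries.append({"type": "O4", "where": m["where"], "key": key,
                            "path": pm["path"] if pm else cmd, "line": line})
    return entries


def scope_of(where):
    """Which accounts an O4 location applies to (hive prefix or startup folder)."""
    hive = where.split("\\..\\")[0]
    if hive in ("HKCU", "Startup"):
        return "only the account that produced this log"
    if hive.startswith("HKUS\\"):
        return "only the account with SID " + hive[len("HKUS\\"):]
    return "every account on the machine"          # HKLM and Global Startup


def triage(entries):
    """Flag suspicious entries and group autostarts by the accounts they affect."""
    findings, run_by_scope = [], defaultdict(list)
    for e in entries:
        if e["type"] == "O2":
            if e["missing"]:        # orphaned BHO registration: DLL already gone
                findings.append({"kind": "bho-file-missing", "clsid": e["clsid"], "line": e["line"]})
            elif e["name"] == "(no name)":   # unnamed BHOs can be legitimate; review by CLSID
                findings.append({"kind": "bho-unnamed", "clsid": e["clsid"], "line": e["line"]})
            continue
        run_by_scope[scope_of(e["where"])].append(e["key"])
        if "?" in e["path"]:        # '?' in an ANSI log: a character HJT could not print
            findings.append({"kind": "run-unprintable-char", "key": e["key"], "line": e["line"]})
        elif any(d in e["path"].lower() for d in SUSPECT_DIRS):
            findings.append({"kind": "run-from-profile", "key": e["key"], "line": e["line"]})
    return {"findings": findings, "run_by_scope": dict(run_by_scope)}


if __name__ == "__main__":
    result = triage(parse_hjt(SAMPLE_LOG))
    for f in result["findings"]:
        print(f["kind"], "->", f["line"])
    for scope, keys in result["run_by_scope"].items():
        print(scope + ":", keys)
```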

#8 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 15 August 2007 - 08:33 AM

Do the following logged in to your sister's account:
Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a Hijackthis log from the above account.

#9 Ashish M (Topic Starter, Members, 7 posts)

Posted 15 August 2007 - 10:07 PM

Richie,

Here it is:

ComboFix log file:


ComboFix 07-08-15.3 - "Monika" 2007-08-15 23:00:01.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.127 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


E:\Program Files\folder.js\


((((((((((((((((((((((((( Files Created from 2007-07-16 to 2007-08-16 )))))))))))))))))))))))))))))))


2007-08-14 23:19 <DIR> d-------- E:\Program Files\Windows Media Connect 2
2007-08-14 23:15 <DIR> d-------- E:\WINDOWS\system32\LogFiles
2007-08-14 23:15 <DIR> d-------- E:\WINDOWS\system32\drivers\UMDF
2007-08-12 15:12 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-12 15:11 <DIR> d-------- E:\Program Files\SUPERAntiSpyware
2007-08-12 15:11 <DIR> d-------- E:\DOCUME~1\Ashish\APPLIC~1\SUPERAntiSpyware.com
2007-08-12 10:38 83,096 --a------ E:\WINDOWS\system32\SSSensor.dll
2007-08-12 10:38 60,496 --a------ E:\WINDOWS\system32\drivers\Teefer.sys
2007-08-12 10:38 21,075 --a------ E:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-08-12 10:38 14,568 --a------ E:\WINDOWS\system32\drivers\wg6n.sys
2007-08-12 10:38 14,568 --a------ E:\WINDOWS\system32\drivers\wg5n.sys
2007-08-12 10:38 14,568 --a------ E:\WINDOWS\system32\drivers\wg4n.sys
2007-08-12 10:38 14,568 --a------ E:\WINDOWS\system32\drivers\wg3n.sys
2007-08-12 10:37 <DIR> d-------- E:\Program Files\Sygate
2007-08-12 10:37 <DIR> d-------- E:\Program Files\Common Files\Wise Installation Wizard
2007-08-11 13:56 <DIR> d-------- E:\Program Files\Trend Micro
2007-08-05 13:25 <DIR> d-------- E:\DOCUME~1\Ashish\DoctorWeb
2007-07-29 12:06 <DIR> d-------- E:\DOCUME~1\Monika\DoctorWeb
2007-07-29 11:46 51,200 --a------ E:\WINDOWS\nircmd.exe
2007-07-28 19:52 664 --a------ E:\WINDOWS\system32\d3d9caps.dat
2007-07-26 19:06 200,704 --a------ E:\WINDOWS\system32\ssldivx.dll
2007-07-26 19:06 144,704 --a------ E:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-26 19:06 1,044,480 --a------ E:\WINDOWS\system32\libdivx.dll
2007-07-26 19:03 823,296 --a------ E:\WINDOWS\system32\divx_xx0c.dll
2007-07-26 19:03 823,296 --a------ E:\WINDOWS\system32\divx_xx07.dll
2007-07-26 19:03 81,920 --a------ E:\WINDOWS\system32\dpl100.dll
2007-07-26 19:03 802,816 --a------ E:\WINDOWS\system32\divx_xx11.dll
2007-07-26 19:03 740,442 --a------ E:\WINDOWS\system32\DivX.dll
2007-07-26 19:03 593,920 --a------ E:\WINDOWS\system32\dpuGUI11.dll
2007-07-26 19:03 57,344 --a------ E:\WINDOWS\system32\dpv11.dll
2007-07-26 19:03 53,248 --a------ E:\WINDOWS\system32\dpuGUI10.dll
2007-07-26 19:03 344,064 --a------ E:\WINDOWS\system32\dpus11.dll
2007-07-26 19:03 294,912 --a------ E:\WINDOWS\system32\dpu11.dll
2007-07-26 19:03 294,912 --a------ E:\WINDOWS\system32\dpu10.dll
2007-07-26 19:03 196,608 --a------ E:\WINDOWS\system32\dtu100.dll
2007-07-26 19:03 12,288 --a------ E:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-25 22:42 1,152 --a------ E:\WINDOWS\system32\windrv.sys
2007-07-25 22:42 <DIR> d-------- E:\Program Files\SpyNoMore
2007-07-25 22:42 <DIR> d-------- E:\Program Files\Common Files\Download Manager
2007-07-25 22:42 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-25 20:13 <DIR> d-------- E:\DOCUME~1\Munish\APPLIC~1\?ecurity
2007-07-25 20:12 <DIR> d-------- E:\DOCUME~1\Munish\APPLIC~1\??sks
2007-07-24 23:09 89,088 --a------ E:\WINDOWS\system32\atl71.dll
2007-07-24 23:09 499,712 --a------ E:\WINDOWS\system32\msvcp71.dll
2007-07-24 23:09 348,160 --a------ E:\WINDOWS\system32\msvcr71.dll
2007-07-24 23:09 1,060,864 --a------ E:\WINDOWS\system32\mfc71.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-14 23:10 --------- d-------- E:\Program Files\DivX
2007-08-12 17:59 --------- d-------- E:\Program Files\WinAce
2007-08-12 13:51 --------- d-------- E:\Program Files\Avi Player
2007-08-08 00:51 155648 --a------ E:\WINDOWS\system32\libssl32.dll
2007-07-29 11:53 --------- d-------- E:\Program Files\Windows NT
2007-07-26 19:06 43528 --------- E:\WINDOWS\system32\drivers\PxHelp20.sys
2007-07-26 19:06 129784 --------- E:\WINDOWS\system32\pxafs.dll
2007-07-26 19:06 120056 --------- E:\WINDOWS\system32\pxcpyi64.exe
2007-07-26 19:06 118520 --------- E:\WINDOWS\system32\pxinsi64.exe
2007-07-11 22:35 131 --a------ E:\WINDOWS\system32\winroot.bat
2007-06-26 18:13 --------- d-------- E:\DOCUME~1\Monika\APPLIC~1\Apple Computer
2007-06-26 11:13 851968 --a--c--- E:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 10:09 658944 --a--c--- E:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 02:08 1104896 --a--c--- E:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-26 02:08 1104896 --a------ E:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31 282112 --a--c--- E:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-19 09:31 282112 --a------ E:\WINDOWS\system32\gdi32.dll
2007-06-14 14:09 96256 --a--c--- E:\WINDOWS\system32\dllcache\inseng.dll
2007-06-14 14:09 615424 --a--c--- E:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-14 14:09 55808 --a--c--- E:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-14 14:09 532480 --a--c--- E:\WINDOWS\system32\dllcache\mstime.dll
2007-06-14 14:09 474112 --a--c--- E:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-14 14:09 449024 --a--c--- E:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-14 14:09 39424 --a--c--- E:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-14 14:09 357888 --a--c--- E:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-14 14:09 3058688 --a--c--- E:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-14 14:09 251392 --a--c--- E:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-14 14:09 205312 --a--c--- E:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-14 14:09 16384 --a--c--- E:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-14 14:09 151040 --a--c--- E:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-14 14:09 1494528 --a--c--- E:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-14 14:09 146432 --a--c--- E:\WINDOWS\system32\dllcache\msrating.dll
2007-06-14 14:09 1054208 --a--c--- E:\WINDOWS\system32\dllcache\danim.dll
2007-06-14 14:09 1023488 --a--c--- E:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 10:07 18432 --a--c--- E:\WINDOWS\system32\dllcache\iedw.exe
2007-06-14 05:22 2231 --a------ E:\Program Files\folder.js
2007-06-13 06:23 1033216 --a--c--- E:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 06:23 1033216 --a------ E:\WINDOWS\explorer.exe
2007-05-17 07:28 549376 --a--c--- E:\WINDOWS\system32\dllcache\oleaut32.dll
2007-05-17 07:28 549376 --a------ E:\WINDOWS\system32\oleaut32.dll
2007-05-16 11:12 86528 --a--c--- E:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --a--c--- E:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a--c--- E:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 683520 --a------ E:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 510976 --a--c--- E:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --a--c--- E:\WINDOWS\system32\dllcache\msoe.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 21:53]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2007-02-16 13:54]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 22:05]
"AtiPTA"="atiptaxx.exe" [2002-01-11 02:40 E:\WINDOWS\system32\atiptaxx.exe]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SmcService"="E:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"AVG7_CC"="E:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-12 11:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 16:49]
"Hdlt"="E:\DOCUME~1\Monika\MYDOCU~1\ECURIT~1\ati2evxx.exe" []
"Etvpmp"="E:\Program Files\s?stem32\n?lookup.exe" []

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - E:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04]
Privoxy.lnk - E:\Program Files\Privoxy\privoxy.exe [2006-11-20 10:30:54]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= E:\Program Files\Internet Explorer\prohdyxesi.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 E:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R1 ati2mtaa;ati2mtaa;E:\WINDOWS\system32\DRIVERS\ati2mtaa.sys
R3 EL90X;3Com EtherLink XL 90X Adapter Driver;E:\WINDOWS\system32\DRIVERS\el90xnd5.sys
S3 ATICDSDr;ATICDSDr;\??\E:\DOCUME~1\Ashish\LOCALS~1\Temp\{2B8D9CCD-275D-44D2-813C-99ECB38BA067}\atiicdxx.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
2007-08-09 12:25:05 E:\WINDOWS\Tasks\AppleSoftwareUpdate.job - E:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-15 23:02:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-15 23:03:28
E:\ComboFix-quarantined-files.txt ... 2007-08-15 23:03
E:\ComboFix2.txt ... 2007-08-12 13:57
E:\ComboFix3.txt ... 2007-08-12 11:41

--- E O F ---



HijackThis log file:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:00 PM, on 8/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\WINDOWS\system32\atiptaxx.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Privoxy\privoxy.exe
E:\WINDOWS\explorer.exe
E:\WINDOWS\system32\notepad.exe
E:\Program Files\Trend Micro\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - E:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Hdlt] "E:\DOCUME~1\Monika\MYDOCU~1\ECURIT~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [Etvpmp] "E:\Program Files\s?stem32\n?lookup.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Privoxy.lnk = E:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - E:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O24 - Desktop Component 0: (no name) - E:\Program Files\Internet Explorer\prohdyxesi.html
O24 - Desktop Component 1: (no name) - http://www.krishna.com/ifolio/skins/krishn...mages/pixel.gif

--
End of file - 6432 bytes



Also, is my account clean or do I need to do anything else? The log files in this post are from my sister's account.


Thanks,
Ashish M

#10 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 16 August 2007 - 08:17 AM

Do the following in the above account:
Copy and paste the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg, and save it to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your pc.

REGEDIT4
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

-----------------------------------------------------

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O4 - HKCU\..\Run: [Hdlt] "E:\DOCUME~1\Monika\MYDOCU~1\ECURIT~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [Etvpmp] "E:\Program Files\s?stem32\n?lookup.exe"

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it has finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your pc is running now.

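The two O4 entries RichieUK has HijackThis remove share tells that can be checked mechanically. HijackThis is an ANSI program, so a character it cannot display in a path prints as '?': the `s?stem32\n?lookup.exe` folder and file names are look-alikes of `system32` and `nslookup.exe`. The other entry, `ati2evxx.exe`, carries the name of a legitimate ATI display driver utility but runs from a subfolder of a user's My Documents. The Python below is an added example, not code from the thread, from HijackThis or from any tool named in it; it parses O4 lines (the sample lines are copied from the logs posted above) and applies those two checks plus a profile-directory check and a weak "random-looking value name" check. The list of borrowed binary names, the directory lists and the vowel threshold are assumptions chosen for this example:

```python
"""Triage HijackThis 'O4' autorun entries for the tells seen in this thread.

Added example: not code from the thread, from HijackThis or from any tool
named in it. The sample lines are copied from the posted logs; the
heuristics, thresholds and the list of borrowed binary names are
assumptions made for this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample input: O4 lines copied from the HijackThis logs posted in this thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Hdlt] "E:\DOCUME~1\Monika\MYDOCU~1\ECURIT~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [Etvpmp] "E:\Program Files\s?stem32\n?lookup.exe"
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - Global Startup: Privoxy.lnk = E:\Program Files\Privoxy\privoxy.exe
"""

# Legitimate Windows/driver binaries whose names malware borrows (assumed list;
# ati2evxx.exe is ATI's event utility and normally lives in \WINDOWS\system32).
SYSTEM_BINARY_NAMES = {
    "ati2evxx.exe", "nslookup.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "smss.exe", "explorer.exe", "spoolsv.exe",
}
SYSTEM_DIRS = {"windows", "system32", "system"}

REG_LINE = re.compile(r"^O4 - (?P<hive>HK\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_LINE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
USER_SUFFIX = re.compile(r"\s*\(User '[^']*'\)$")
EXE_THEN_ARGS = re.compile(r"^(?P<exe>.+?\.(?:exe|com|bat|cmd|scr|pif|dll))(?:\s+(?P<args>.*))?$", re.I)


@dataclass
class Entry:
    location: str
    name: str
    exe: str
    args: str
    findings: List[Tuple[str, str]] = field(default_factory=list)  # (severity, text)

    @property
    def high_risk(self) -> bool:
        return any(sev == "high" for sev, _ in self.findings)


def split_command(cmd: str) -> Tuple[str, str]:
    """Separate the executable from its arguments in an O4 command line."""
    cmd = USER_SUFFIX.sub("", cmd).strip()
    if cmd.startswith('"'):  # quoted path: everything up to the closing quote
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    m = EXE_THEN_ARGS.match(cmd)  # unquoted path, possibly containing spaces
    if m:
        return m.group("exe"), m.group("args") or ""
    parts = cmd.split(None, 1)
    return (parts[0], parts[1] if len(parts) > 1 else "") if parts else ("", "")


def parse_o4(line: str) -> Optional[Entry]:
    """Parse one O4 line (registry Run value or Global Startup shortcut)."""
    m = REG_LINE.match(line)
    if m:
        exe, args = split_command(m.group("cmd"))
        return Entry(m.group("hive") + "\\..\\" + m.group("key"), m.group("name"), exe, args)
    m = STARTUP_LINE.match(line)
    if m:
        exe, args = split_command(m.group("cmd"))
        return Entry("Global Startup", m.group("name"), exe, args)
    return None


def check_entry(e: Entry) -> None:
    """Attach findings to one entry. Heuristics for this example, not HijackThis logic."""
    path, lower = e.exe, e.exe.lower()
    dirs, fname = lower.split("\\")[:-1], lower.split("\\")[-1]

    # HijackThis is an ANSI program: a character outside the system code page
    # prints as '?', so a '?' in a path means a look-alike Unicode character.
    if "?" in path or not path.isascii():
        e.findings.append(("high", "undisplayable character in path (shown as '?'): look-alike folder or file name"))

    # File name equal to, or one character away from, a system binary name,
    # while the file is not under a Windows system directory.
    pattern = re.compile("^" + re.escape(fname).replace(r"\?", ".") + "$")
    borrowed = sorted(n for n in SYSTEM_BINARY_NAMES if pattern.match(n))
    if borrowed and not any(d in SYSTEM_DIRS for d in dirs):
        e.findings.append(("high", f"named like {borrowed[0]} but not under a Windows system directory"))

    # Autorun executables have no business inside a user profile.
    if "\\docume~1\\" in lower or "\\documents and settings\\" in lower:
        e.findings.append(("high", "executable stored in a user profile directory"))

    # A bare file name is located through the search path at logon.
    if "\\" not in path:
        e.findings.append(("low", "bare file name, resolved through the search path"))

    # Weak check: value names with almost no vowels look machine-generated.
    letters = re.sub(r"[^A-Za-z]", "", e.name)
    if len(letters) >= 4 and sum(c in "aeiouAEIOU" for c in letters) / len(letters) < 0.2:
        e.findings.append(("low", "value name looks randomly generated"))


def triage(log_text: str) -> List[Entry]:
    entries = []
    for line in log_text.splitlines():
        e = parse_o4(line.strip())
        if e:
            check_entry(e)
            entries.append(e)
    return entries


def high_risk_names(log_text: str) -> List[str]:
    """Value names of O4 entries with at least one high-severity finding."""
    return sorted(e.name for e in triage(log_text) if e.high_risk)


if __name__ == "__main__":
    for e in triage(SAMPLE_O4_LINES):
        print(("HIGH " if e.high_risk else "     ") + f"{e.location} [{e.name}] {e.exe}")
        for _, text in e.findings:
            print("        - " + text)
```

Run against the sample, only `Hdlt` and `Etvpmp` come out high-risk, which are exactly the two lines RichieUK asks HijackThis to fix; the AVG, Java, Nero and Privoxy entries produce no high finding. The vowel check is deliberately low severity: it catches the random value names here but would also fire on some terse legitimate names, so it should steer attention rather than decide on its own.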

#11 Ashish M
  • Topic Starter
  • Members
  • 7 posts

Posted 17 August 2007 - 07:43 AM

Here is the log file of SuperAntiSpyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/17/2007 at 01:38 AM

Application Version : 3.9.1008

Core Rules Database Version : 3288
Trace Rules Database Version: 1299

Scan type : Complete Scan
Total Scan Time : 02:14:29

Memory items scanned : 377
Memory threats detected : 0
Registry items scanned : 5386
Registry threats detected : 0
File items scanned : 56198
File threats detected : 22

Malware.SpywareQuake
C:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP78\A0015811.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP78\A0015812.EXE

Adware.Tracking Cookie
E:\Documents and Settings\Ashish\Cookies\ashish@divx.112.2o7[1].txt
E:\Documents and Settings\Ashish\Cookies\ashish@divx.adbureau[2].txt

Adware.eZula
E:\QOOBOX\QUARANTINE\E\WINDOWS\SYSTEM32\EIWUNOGL.EXE.VIR
E:\QOOBOX\QUARANTINE\E\WINDOWS\SYSTEM32\FBAJUOSQ.EXE.VIR
E:\QOOBOX\QUARANTINE\E\WINDOWS\SYSTEM32\FHDDPEGG.EXE.VIR
E:\QOOBOX\QUARANTINE\E\WINDOWS\SYSTEM32\NYXSNHTO.EXE.VIR
E:\QOOBOX\QUARANTINE\E\WINDOWS\SYSTEM32\PUEHOFQB.EXE.VIR
E:\QOOBOX\QUARANTINE\E\WINDOWS\SYSTEM32\QOFUIVBE.EXE.VIR
E:\QOOBOX\QUARANTINE\E\WINDOWS\SYSTEM32\QWHNBCPV.EXE.VIR
E:\QOOBOX\QUARANTINE\E\WINDOWS\SYSTEM32\RJPOWVQG.EXE.VIR
E:\QOOBOX\QUARANTINE\E\WINDOWS\SYSTEM32\WOYHAVDQ.EXE.VIR
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP77\A0015734.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP77\A0015735.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP77\A0015736.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP77\A0015737.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP77\A0015738.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP77\A0015739.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP77\A0015740.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP77\A0015741.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{80BE9622-9843-4C9D-9B3E-E4CFFA4CB5C8}\RP77\A0015742.EXE



Here is the HijackThis log file:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:50 AM, on 8/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\WINDOWS\system32\wuauclt.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
E:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\WINDOWS\system32\notepad.exe
E:\Program Files\Trend Micro\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - E:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Privoxy.lnk = E:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - E:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O24 - Desktop Component 0: (no name) - http://www.krishna.com/ifolio/skins/krishn...mages/pixel.gif

--
End of file - 6262 bytes



My pc seems to be running better now. Can you please tell me if there is anything else I need to do for my account or my sister's account?



Thanks,
Ashish

#12 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 17 August 2007 - 08:26 AM

Your logs are clean :thumbsup:
If all's OK, please do the following.

Find and delete:
Combofix.exe
C:\Qoobox

Do the following in both user accounts.
Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use the Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

----------------------------------------------

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be added automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear; click on OK.
The 'Disk Cleanup for [C:]' box will appear; click on the 'More Options' tab.
At the bottom, in the 'System Restore' section, click on the 'Clean up...' button.
A box will pop up: 'Are you sure you want to delete all but the most recent restore point?'; click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

#13 Ashish M
  • Topic Starter
  • Members
  • 7 posts

Posted 21 August 2007 - 10:52 PM

Thank you so much for your help. My pc is running great. :thumbsup:


Regards,
Ashish M

#14 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 22 August 2007 - 03:54 AM

You're welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.