Virtumonde And Other Infections


10 replies to this topic

#1 Jo Jo

  • Members
  • 7 posts

Posted 13 March 2008 - 07:54 AM

Hi,

My computer has been running slow, and doing a crash where Windows seems to disappear, so the taskbar and menus etc. are gone, but applications that are currently running are just fine. The only way to get out of it is to do a Ctrl-Alt-Del and shut down or log out and back in. This is sometimes accompanied by an error "Buffer overrun detected! Program: C\windows\Explorer.exe" and a message saying it must be terminated.

But I've tried many things already (most in safe mode as well).
Spybot returns Virtumonde and it keeps returning no matter how many times I do it. It occasionally returns other problems as well.
Vundofix removed a file successfully.
AdAware found Win32.Trojan.Crypt.
Avast found a few, and they seemed to reappear, but right now it's saying the system is clear.

I tried installing Sygate Personal Firewall but it locked up the system every time it loaded so I had to uninstall.

Any help will be gratefully accepted.

Hijackthis log below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:24 PM, on 13/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [c83ef1db] rundll32.exe "C:\WINDOWS\system32\fmcqudye.dll",b
O4 - HKLM\..\Run: [BMcb0dc247] Rundll32.exe "C:\WINDOWS\system32\oepbbcmx.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ive/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...x86/client/wuweb_site.cab?1181263623062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...n/x86/client/muweb_site.cab?1181898566062
O21 - SSODL: SetupSetup - {1c18fd35-0b41-406a-b45f-a2233b5ef96f} - C:\WINDOWS\Installer\{1c18fd35-0b41-406a-b45f-a2233b5ef96f}\SetupSetup.dll (file missing)
O21 - SSODL: WinWin - {c7bddaa4-27d3-4efd-b931-c9cc3b075d43} - C:\WINDOWS\Installer\{c7bddaa4-27d3-4efd-b931-c9cc3b075d43}\WinWin.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7310 bytes
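As an added example (not part of the original thread or of HijackThis itself), a small Python triage helper that applies the kind of checks a helper applies by eye to a HijackThis log like the one above: Run entries where rundll32 loads a random-looking DLL out of system32, Run value names that are hex-looking random strings, unfamiliar executables autostarting straight from system32, and SSODL entries whose DLL is missing. The sample lines are copied from the log above (joined back onto single lines); the eight-letter naming heuristic and the small allowlist are assumptions tuned to this log, and the output is a list of review candidates, not verdicts.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: entries copied from the HijackThis log posted above, joined
# back onto single lines, plus two benign Acrobat/avast! lines, so this runs offline.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [c83ef1db] rundll32.exe "C:\WINDOWS\system32\fmcqudye.dll",b
O4 - HKLM\..\Run: [BMcb0dc247] Rundll32.exe "C:\WINDOWS\system32\oepbbcmx.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O21 - SSODL: SetupSetup - {1c18fd35-0b41-406a-b45f-a2233b5ef96f} - C:\WINDOWS\Installer\{1c18fd35-0b41-406a-b45f-a2233b5ef96f}\SetupSetup.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Assumption: a deliberately small allowlist of Windows XP components that legitimately
# autostart straight out of system32. Anything else from that folder is worth a look.
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe"}

# Shapes of the HijackThis lines this helper understands.
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
# File name that follows a "system32\" path component inside a command line.
SYSTEM32_FILE_RE = re.compile(r'system32\\([^\\"\s,]+)', re.I)


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): the generated DLL names in this log are exactly eight
    lowercase letters, so that shape is treated as random-looking."""
    return re.fullmatch(r"[a-z]{8}", stem) is not None


def has_hex_run(value_name: str) -> bool:
    """Run value names like c83ef1db or BMcb0dc247 contain a run of 8+ hex digits."""
    return re.search(r"[0-9a-f]{8,}", value_name, re.I) is not None


def triage_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one HijackThis line, or None when nothing looks off."""
    m = O4_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        reasons: List[str] = []
        target = SYSTEM32_FILE_RE.search(cmd)
        if target:
            fname = target.group(1).lower()
            stem, _, ext = fname.rpartition(".")
            if cmd.lower().startswith("rundll32.exe") and ext == "dll" and looks_random(stem):
                reasons.append("rundll32 loads a random-named DLL from system32")
            elif ext == "exe" and fname not in KNOWN_SYSTEM32_AUTOSTARTS:
                reasons.append("unfamiliar executable autostarting from system32")
        if has_hex_run(name):
            reasons.append("Run value name is a hex-looking random string")
        return {"entry": line, "reasons": "; ".join(reasons)} if reasons else None
    m = O21_RE.match(line)
    if m and m.group("path").endswith("(file missing)"):
        return {"entry": line, "reasons": "SSODL entry points at a DLL that is missing"}
    return None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Run triage_line over every non-empty line of a HijackThis log."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            finding = triage_line(line)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reasons']}\n    {f['entry']}")
```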


#2 bamajim

  • Members
  • 894 posts

Posted 19 March 2008 - 08:51 AM

Jo Jo

Sorry for the delay

Please download Combofix and save to your desktop.
Note: It is important that it is saved directly to your desktop.
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause the program to freeze/hang.

Microsoft MVP - Windows Security

#3 Jo Jo
  • Topic Starter

  • Members
  • 7 posts

Posted 19 March 2008 - 07:08 PM

Hi,

I have installed some new programs and done some scans since the HijackThis log was posted, but won't do anything more at all now.

Here is the ComboFix log. Thanks!

ComboFix 08-03-18.1 - Administrator 2008-03-20 9:27:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.171 [GMT 9.5:30]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Program Files\SystemDefender
C:\WINDOWS\BMcb0dc247.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cjkallie.dll
C:\WINDOWS\system32\gdkuscrm.dll
C:\WINDOWS\system32\ggipnjkw.dll
C:\WINDOWS\system32\gphpfpbw.dll
C:\WINDOWS\system32\gwhicuhu.dll
C:\WINDOWS\system32\hmwidlyt.dll
C:\WINDOWS\system32\hrlopuqx.dll
C:\WINDOWS\system32\ieeamxet.ini
C:\WINDOWS\system32\iiffddb.dll
C:\WINDOWS\system32\joubksaf.dll
C:\WINDOWS\system32\lnblhdoy.dll
C:\WINDOWS\system32\nsdnwrws.dll
C:\WINDOWS\system32\oepbbcmx.dll
C:\WINDOWS\system32\oymahfsk.dll
C:\WINDOWS\system32\qvdoafsu.dll
C:\WINDOWS\system32\rvrsaydl.dll
C:\WINDOWS\system32\texmaeei.dll
C:\WINDOWS\system32\ttstv.ini
C:\WINDOWS\system32\ttstv.ini2
C:\WINDOWS\system32\utvwa.ini
C:\WINDOWS\system32\utvwa.ini2
C:\WINDOWS\system32\vtstt.dll
C:\WINDOWS\system32\wkjnpigg.ini
C:\WINDOWS\system32\wmrhinog.dll
C:\WINDOWS\system32\wqrmeeum.dll
C:\WINDOWS\system32\ykucvwuf.dll
C:\WINDOWS\system32\ymrisgmt.dll
C:\WINDOWS\system32\ysdjrshu.dll
D:\Autorun.inf
S:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-02-20 to 2008-03-20 )))))))))))))))))))))))))))))))
.

2008-03-19 11:40 . 2008-03-19 11:40 0 --a------ C:\LOG7.tmp
2008-03-18 16:31 . 2008-03-19 16:32 1,794 ---hs---- C:\WINDOWS\system32\ksvrgual.ini
2008-03-17 15:50 . 2008-03-18 15:50 1,734 ---hs---- C:\WINDOWS\system32\jhhmnhml.ini
2008-03-16 14:52 . 2008-03-17 14:52 1,494 ---hs---- C:\WINDOWS\system32\kwnmrtgy.ini
2008-03-16 14:47 . 2008-03-16 14:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech
2008-03-15 16:49 . 2008-03-16 14:18 1,374 ---hs---- C:\WINDOWS\system32\ucjghibj.ini
2008-03-14 16:46 . 2008-03-15 16:47 1,194 ---hs---- C:\WINDOWS\system32\onuokboc.ini
2008-03-13 16:34 . 2008-03-14 07:36 954 ---hs---- C:\WINDOWS\system32\eyduqcmf.ini
2008-03-13 16:23 . 2008-03-13 16:23 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-13 16:23 . 2008-03-13 16:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-13 15:56 . 2008-03-13 22:12 <DIR> d-------- C:\New Folder
2008-03-13 14:38 . 2008-03-13 14:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-13 13:26 . 2008-03-13 13:42 1,802 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-13 13:25 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-13 13:25 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-13 13:25 . 2008-03-09 01:15 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-13 13:25 . 2008-03-05 22:29 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-13 13:25 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-13 13:25 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-12 16:39 . 2008-03-13 14:29 534 ---hs---- C:\WINDOWS\system32\uaegkkhk.ini
2008-03-12 16:11 . 2008-03-12 16:11 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-12 14:31 . 2008-03-12 15:06 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-03-11 22:38 . 2008-03-11 22:38 <DIR> d-------- C:\Program Files\Symantec
2008-03-11 22:38 . 2008-03-11 22:38 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-11 22:38 . 2008-03-11 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-11 13:43 . 2007-12-04 22:24 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-03-11 13:43 . 2007-12-05 00:25 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-11 13:43 . 2007-12-05 00:26 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-11 13:43 . 2007-12-05 00:21 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-11 13:43 . 2007-12-05 00:19 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-11 13:43 . 2007-12-05 00:23 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-11 13:42 . 2008-03-11 13:42 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-11 13:42 . 2007-12-04 22:34 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-03-11 13:42 . 2004-01-09 18:43 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-03-10 14:56 . 2008-03-10 14:56 <DIR> d-------- C:\Program Files\SysCleaner
2008-03-10 14:53 . 2008-03-10 14:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-10 14:53 . 2008-03-10 14:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-10 14:46 . 2008-03-10 14:46 <DIR> d-------- C:\Program Files\IE Extensions
2008-03-08 15:17 . 2008-03-08 15:17 <DIR> d-------- C:\Documents and Settings\All Users\Application DataTechSmith
2008-03-08 15:14 . 2008-03-08 15:14 <DIR> d-------- C:\Program Files\TechSmith
2008-03-08 14:41 . 2008-03-08 14:41 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-03-08 14:41 . 2008-03-08 14:41 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-03-08 14:39 . 2008-03-08 14:39 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-03-08 14:38 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-03-08 14:38 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-03-08 14:38 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-03-08 14:38 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-03-08 14:38 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-03-03 17:31 . 2008-03-03 17:32 <DIR> d-------- C:\Program Files\Windows Live
2008-03-03 17:31 . 2008-03-03 17:31 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-03 17:31 . 2008-03-03 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-03 09:34 . 2008-03-20 09:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-03 09:34 . 2008-03-03 09:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-03 09:33 . 2008-03-03 09:34 <DIR> d-------- C:\Program Files\iTunes
2008-03-03 09:33 . 2008-03-03 09:33 <DIR> d-------- C:\Program Files\iPod
2008-03-03 09:31 . 2008-03-03 09:32 <DIR> d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 02:10 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-03-16 05:13 --------- d-----w C:\Program Files\FileMaker
2008-03-13 06:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-08 06:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Nokia
2008-03-08 06:06 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-03-08 05:10 --------- d-----w C:\Program Files\Nokia
2008-03-08 05:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-01-27 08:47 --------- d-----w C:\Program Files\Gallery Remote
2008-01-27 08:44 --------- d--h--w C:\Program Files\Zero G Registry
2008-01-27 07:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-27 07:41 --------- d-----w C:\Program Files\Google
2008-01-24 12:33 --------- d-----w C:\Program Files\Common Files\Adobe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98BCFACE-7DE8-467F-A7A8-811D001F2E1F}]
C:\WINDOWS\system32\awvtu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 22:48 15360]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 10:12 695808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 01:42 483328]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 22:30 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-06-16 11:13:48 25214]
SnagIt 7.lnk - C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe [2005-10-14 07:25:00 3719168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SetupSetup"= {1c18fd35-0b41-406a-b45f-a2233b5ef96f} - C:\WINDOWS\Installer\{1c18fd35-0b41-406a-b45f-a2233b5ef96f}\SetupSetup.dll [ ]
"WinWin"= {c7bddaa4-27d3-4efd-b931-c9cc3b075d43} - C:\WINDOWS\Installer\{c7bddaa4-27d3-4efd-b931-c9cc3b075d43}\WinWin.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuuts]
cbxuuts.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbhg32]
winbhg32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\v.cmd
\Shell\explore\Command - C:\v.cmd
\Shell\open\Command - C:\v.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\v.cmd
\Shell\explore\Command - D:\v.cmd
\Shell\open\Command - D:\v.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\S]
\Shell\AutoRun\command - S:\v.cmd
\Shell\explore\Command - S:\v.cmd
\Shell\open\Command - S:\v.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e87d2c1-e8b5-11dc-b86b-000fb588922d}]
\Shell\AutoRun\command - F:\yo2mq6.exe
\Shell\explore\Command - F:\yo2mq6.exe
\Shell\open\Command - F:\yo2mq6.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{792c0f78-14d5-11dc-b825-000fb588922d}]
\Shell\AutoRun\command - G:\b.com
\Shell\explore\Command - G:\b.com
\Shell\open\Command - G:\b.com

.
Contents of the 'Scheduled Tasks' folder
"2008-03-16 23:42:16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-20 09:33:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
.
**************************************************************************
.
Completion time: 2008-03-20 9:34:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-20 00:04:28
.
2008-03-16 14:47:00 --- E O F ---

#4 bamajim

  • Members
  • 894 posts

Posted 20 March 2008 - 10:24 AM

Jo Jo

I have installed some new programs and done some scans since the Hijack This log was posted, but won't do anything at all more now.

That would be good

1. Open NotePad (not wordpad). Copy and paste the following into Notepad (not the word Code)
File::
C:\WINDOWS\system32\ksvrgual.ini
C:\WINDOWS\system32\jhhmnhml.ini
C:\WINDOWS\system32\kwnmrtgy.ini
C:\WINDOWS\system32\ucjghibj.ini
C:\WINDOWS\system32\onuokboc.ini
C:\WINDOWS\system32\eyduqcmf.ini
C:\WINDOWS\system32\uaegkkhk.ini
C:\WINDOWS\system32\awvtu.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98BCFACE-7DE8-467F-A7A8-811D001F2E1F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SetupSetup"=-
"WinWin"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuuts]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbhg32]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\S]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e87d2c1-e8b5-11dc-b86b-000fb588922d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{792c0f78-14d5-11dc-b825-000fb588922d}]

Save the file as CFScript (exactly as shown, no spaces) and save it to your Desktop.

Using the image as a reference, drag CFScript into ComboFix.exe.
You will be prompted to run Combofix again. Do so, following the same rules as indicated in my first post.
Then post the contents of the C:\ComboFix.txt log in your reply.
2. Rerun Hijackthis and post a fresh Hijackthis log as well
Microsoft MVP - Windows Security

#5 Jo Jo
  • Topic Starter

  • Members
  • 7 posts

Posted 21 March 2008 - 06:54 AM

Hi,

I'm not sure if it matters, but I ran the combo fix and went away from the computer. When I came back the log was on screen, but my explorer had disappeared again. I had to cmd alt del to restart it.

Below is my combo fix log and then my HijackThis log.

Thank you very much for your help,

Jo


ComboFix 08-03-18.1 - Administrator 2008-03-21 20:08:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.182 [GMT 9.5:30]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\awvtu.dll
C:\WINDOWS\system32\eyduqcmf.ini
C:\WINDOWS\system32\jhhmnhml.ini
C:\WINDOWS\system32\ksvrgual.ini
C:\WINDOWS\system32\kwnmrtgy.ini
C:\WINDOWS\system32\onuokboc.ini
C:\WINDOWS\system32\uaegkkhk.ini
C:\WINDOWS\system32\ucjghibj.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\eyduqcmf.ini
C:\WINDOWS\system32\jhhmnhml.ini
C:\WINDOWS\system32\ksvrgual.ini
C:\WINDOWS\system32\kwnmrtgy.ini
C:\WINDOWS\system32\onuokboc.ini
C:\WINDOWS\system32\uaegkkhk.ini
C:\WINDOWS\system32\ucjghibj.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-21 to 2008-03-21 )))))))))))))))))))))))))))))))
.

2008-03-19 11:40 . 2008-03-19 11:40 0 --a------ C:\LOG7.tmp
2008-03-16 14:47 . 2008-03-16 14:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech
2008-03-13 16:23 . 2008-03-13 16:23 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-13 16:23 . 2008-03-13 16:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-13 15:56 . 2008-03-13 22:12 <DIR> d-------- C:\New Folder
2008-03-13 14:38 . 2008-03-13 14:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-13 13:26 . 2008-03-13 13:42 1,802 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-13 13:25 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-13 13:25 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-13 13:25 . 2008-03-09 01:15 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-13 13:25 . 2008-03-05 22:29 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-13 13:25 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-13 13:25 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-12 16:11 . 2008-03-12 16:11 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-12 14:31 . 2008-03-12 15:06 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-03-11 22:38 . 2008-03-11 22:38 <DIR> d-------- C:\Program Files\Symantec
2008-03-11 22:38 . 2008-03-11 22:38 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-11 22:38 . 2008-03-11 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-11 13:43 . 2007-12-04 22:24 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-03-11 13:43 . 2007-12-05 00:25 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-11 13:43 . 2007-12-05 00:26 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-11 13:43 . 2007-12-05 00:21 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-11 13:43 . 2007-12-05 00:19 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-11 13:43 . 2007-12-05 00:23 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-11 13:42 . 2008-03-11 13:42 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-11 13:42 . 2007-12-04 22:34 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-03-11 13:42 . 2004-01-09 18:43 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-03-10 14:56 . 2008-03-10 14:56 <DIR> d-------- C:\Program Files\SysCleaner
2008-03-10 14:53 . 2008-03-10 14:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-10 14:53 . 2008-03-10 14:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-10 14:46 . 2008-03-10 14:46 <DIR> d-------- C:\Program Files\IE Extensions
2008-03-08 15:17 . 2008-03-08 15:17 <DIR> d-------- C:\Documents and Settings\All Users\Application DataTechSmith
2008-03-08 15:14 . 2008-03-08 15:14 <DIR> d-------- C:\Program Files\TechSmith
2008-03-08 14:41 . 2008-03-08 14:41 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-03-08 14:41 . 2008-03-08 14:41 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-03-08 14:39 . 2008-03-08 14:39 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-03-08 14:38 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-03-08 14:38 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-03-08 14:38 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-03-08 14:38 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-03-08 14:38 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-03-03 17:31 . 2008-03-03 17:32 <DIR> d-------- C:\Program Files\Windows Live
2008-03-03 17:31 . 2008-03-03 17:31 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-03 17:31 . 2008-03-03 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-03 09:34 . 2008-03-21 09:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-03 09:34 . 2008-03-03 09:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-03 09:33 . 2008-03-03 09:34 <DIR> d-------- C:\Program Files\iTunes
2008-03-03 09:33 . 2008-03-03 09:33 <DIR> d-------- C:\Program Files\iPod
2008-03-03 09:31 . 2008-03-03 09:32 <DIR> d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 02:10 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-03-16 05:13 --------- d-----w C:\Program Files\FileMaker
2008-03-13 06:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-08 06:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Nokia
2008-03-08 06:06 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-03-08 05:10 --------- d-----w C:\Program Files\Nokia
2008-03-08 05:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-01-27 08:47 --------- d-----w C:\Program Files\Gallery Remote
2008-01-27 08:44 --------- d--h--w C:\Program Files\Zero G Registry
2008-01-27 07:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-27 07:41 --------- d-----w C:\Program Files\Google
2008-01-24 12:33 --------- d-----w C:\Program Files\Common Files\Adobe
.

((((((((((((((((((((((((((((( snapshot@2008-03-20_ 9.34.15.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-20 23:56:09 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_3f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 22:48 15360]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 10:12 695808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 01:42 483328]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 22:30 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-06-16 11:13:48 25214]
SnagIt 7.lnk - C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe [2005-10-14 07:25:00 3719168]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


.
Contents of the 'Scheduled Tasks' folder
"2008-03-16 23:42:16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-21 20:10:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
Completion time: 2008-03-21 20:11:40
ComboFix-quarantined-files.txt 2008-03-21 10:41:23
ComboFix2.txt 2008-03-20 00:04:32
.
2008-03-16 14:47:00 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:19:00 PM, on 21/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1181263623062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1181898566062
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7891 bytes

#6 bamajim

  • Members
  • 894 posts

Posted 21 March 2008 - 09:21 AM

Jo Jo

Looking good

Run an online virus scan called Kaspersky from HERE.
1. Click on "Kaspersky Online Scanner"
2. A new smaller window will pop up. After reading the contents, press "Accept".
3. Now Kaspersky will update the anti-virus database. Let it run.
4. Click on "Next" ->> "Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
5. Then click on "My Computer". And the scan will start.
6. When the scan is complete, select "Save error report as"
Then in the file name just type in kaspersky
Under "save as type" select text .txt
Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan
Microsoft MVP - Windows Security

#7 Jo Jo
  • Topic Starter

  • Members
  • 7 posts

Posted 21 March 2008 - 10:21 PM

There seems to be a lot of infected :thumbsup:
Thanks,

Jo


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 22, 2008 12:49:09 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/03/2008
Kaspersky Anti-Virus database records: 653398
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
S:\

Scan Statistics:
Total number of scanned objects: 143584
Number of viruses found: 10
Number of infected objects: 75
Number of suspicious objects: 0
Duration of the scan process: 03:04:53

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\c8rd8imk.default\cert8.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\c8rd8imk.default\history.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\c8rd8imk.default\key3.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\c8rd8imk.default\parent.lock Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\c8rd8imk.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\c8rd8imk.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\princessjoamy@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\princessjoamy@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\princessjoamy@hotmail.com\SharingMetadata\Working\database_C8C8_3F05_C83E_F174\dfsr.db Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\princessjoamy@hotmail.com\SharingMetadata\Working\database_C8C8_3F05_C83E_F174\fsr.log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\princessjoamy@hotmail.com\SharingMetadata\Working\database_C8C8_3F05_C83E_F174\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\princessjoamy@hotmail.com\SharingMetadata\Working\database_C8C8_3F05_C83E_F174\tmp.edb Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Live Contacts\princessjoamy@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Live Contacts\princessjoamy@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8rd8imk.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8rd8imk.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8rd8imk.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8rd8imk.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008032220080323\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF19DD.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF19EB.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF6F92.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF6FA3.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\New Folder\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\New Folder\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\New Folder\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\New Folder\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\New Folder\VundoFix Backups\tuvspnl.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\IE Extensions\cj.v2.dll Infected: Trojan-Clicker.Win32.Agent.wd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cjkallie.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gdkuscrm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ggipnjkw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gphpfpbw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gwhicuhu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hmwidlyt.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hrlopuqx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\iiffddb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\joubksaf.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lnblhdoy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nsdnwrws.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\oepbbcmx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\oymahfsk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qvdoafsu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rvrsaydl.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\texmaeei.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wmrhinog.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wqrmeeum.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ykucvwuf.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ymrisgmt.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ysdjrshu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-20_ 93245.18.zip/vtstt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-20_ 93245.18.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP251\A0032671.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP252\A0032765.exe Infected: not-a-virus:Downloader.Win32.UltimateFix.h skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP252\A0032859.exe Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP254\A0032980.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP254\A0033032.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP254\A0033081.exe Infected: Trojan-Dropper.Win32.Agent.ftu skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP254\A0033082.exe Infected: Trojan-Dropper.Win32.Agent.ftu skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP254\A0033085.exe Infected: Trojan-Dropper.Win32.Agent.ftu skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP254\A0033086.exe Infected: Trojan-Dropper.Win32.Agent.ftu skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP254\A0033087.exe Infected: Trojan-Dropper.Win32.Agent.ftu skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP256\A0033168.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP258\A0033309.exe Infected: not-a-virus:Downloader.Win32.UltimateFix.h skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP259\A0033393.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP260\A0033651.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP264\A0034114.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP264\A0034166.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP265\A0034210.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP265\A0034211.exe Infected: Trojan-PSW.Win32.OnLineGames.upg skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP265\A0034212.dll Infected: Trojan-PSW.Win32.OnLineGames.upg skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP265\A0034213.dll Infected: Trojan-PSW.Win32.OnLineGames.uma skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP265\A0034214.exe Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP267\A0034275.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP267\A0034276.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP268\A0034296.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP268\A0034297.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP268\A0034298.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP268\A0034299.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP268\A0034300.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP268\A0034301.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP268\A0034302.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP268\A0034303.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP268\A0034304.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP268\A0034305.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP268\A0034306.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP268\A0034307.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP268\A0034308.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP268\A0034309.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP268\A0034310.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP268\A0034311.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP268\A0034312.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP268\A0034313.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP268\A0034314.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP268\A0034315.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP268\A0034316.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP270\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_3f4.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
S:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
S:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP265\A0034217.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
S:\System Volume Information\_restore{9368EE87-6565-475D-961F-D07D0916FD8E}\RP265\A0034218.exe Infected: Trojan-PSW.Win32.OnLineGames.uej skipped

Scan process completed.

#8 bamajim

  • Members
  • 894 posts

Posted 24 March 2008 - 07:46 AM

JoJo

Not as many as you might think. It's really not bad.

1. Using Windows Explorer (Right click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents)
Locate and Delete the following file: C:\Program Files\IE Extensions\cj.v2.dll
Locate and empty the following folder (Delete everything in the folder, but not the folder itself): C:\QooBox\Quarantine
Close Windows Explorer ->> Reboot your PC ->> Rerun HijackThis and post a fresh HijackThis log
Microsoft MVP - Windows Security

#9 Jo Jo

Jo Jo
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:49 AM

Posted 24 March 2008 - 06:56 PM

Hey,

New HijackThis log below...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:23:05 AM, on 25/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1181263623062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1181898566062
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7960 bytes
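The helper's check here (compare the fresh HijackThis log against the earlier one and confirm the flagged entry is gone) can be scripted. The following is an added example, not code from the thread or from HijackThis: it parses the O2/O4/O23 entry format of the log above, diffs two logs, and flags entries whose path lies outside expected directories. The "before" fragment and its CLSID are constructed, and the trusted-root list is an assumption.

```python
import re
from typing import List, Tuple

# Constructed samples in HijackThis v2.0.2 log format. The "before" fragment is
# assumed (the earlier log is not in this post); its cj.v2.dll entry stands in
# for the file the helper asked to delete, and its CLSID is a placeholder.
BEFORE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CONSTRUCTED-CLSID-0000} - C:\Program Files\IE Extensions\cj.v2.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""
# "After" fragment: four lines taken from the clean log posted above.
AFTER_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every HJT entry opens with a section code (R0-R3, O1-O24) followed by " - ".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")
# The file path at the end of an entry: drive letter up to a known extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:exe|dll|lnk|cab))', re.IGNORECASE)

def parse_hjt(log: str) -> List[Tuple[str, str]]:
    """Return (section, entry) pairs; header and 'Running processes' lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entries the cleanup removed, and entries that newly appeared (both sorted)."""
    old = {f"{s} - {e}" for s, e in parse_hjt(before)}
    new = {f"{s} - {e}" for s, e in parse_hjt(after)}
    return sorted(old - new), sorted(new - old)

def paths_outside(log: str, trusted_roots: Tuple[str, ...]) -> List[str]:
    """Entries whose file path is not under an expected directory: a triage aid, not a verdict."""
    roots = tuple(r.lower() for r in trusted_roots)
    flagged = []
    for section, entry in parse_hjt(log):
        m = PATH_RE.search(entry)
        if m and not m.group(1).lower().startswith(roots):
            flagged.append(f"{section} - {entry}")
    return flagged
```

A path outside the assumed roots only means "look at this entry"; the helper still decides from the vendor, the CLSID and the file itself.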

#10 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:12:19 PM

Posted 25 March 2008 - 08:34 AM

Jo Jo

You may now remove/delete/uninstall the tools we used to clean your PC

Now that your log is clean

There are some final notes:
Disable and Enable System Restore
Let's create a clean System Restore point; the instructions are here.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java: Download the latest version of Java Runtime Environment (JRE) 6u5.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u5-windowsi586-p.exe to install the newest version.
Update your Antivirus Software

Use and maintain a Firewall. There is a list HERE, all of which are free.
Visit Microsoft's Windows Update Site Frequently for critical updates

Backup your Important Documents and Files on a regular basis, to a disc or a USB key, not your hard drive.
You may want to read this article, "So how did I get infected in the first place" by Tony Klein.

surf safe
Microsoft MVP - Windows Security

#11 Jo Jo

Jo Jo
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:49 AM

Posted 26 March 2008 - 06:42 AM

Thank you soooooooooooooo much! It's so good to have my PC back!!!!
You guys deserve medals!

Jo



