Yahoo Messenger When Clicked On Closes Itself


This topic is locked
10 replies to this topic

#1 mysterygal_84
Posted 28 March 2008 - 09:46 AM

For the last few months I have been having spyware problems on my PC. It makes my system quite slow and hangs all the programs. I am facing two major problems:

1) It sends automated files to all the people online on my MSN Messenger list.
2) Yahoo closes itself whenever I try to sign in.

Any help will be greatly appreciated.

Following is my HijackThis Log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:34:51 PM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rndsvc.exe
C:\WINDOWS\system32\wzrsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ubfl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system\usrsvc.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.0.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:3128
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Application Process] rndsvc.exe
O4 - HKLM\..\Run: [Windows Logical Driver] wzrsvc.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\system32\logon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [drtg] C:\WINDOWS\system32\ubfl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [drtg] C:\WINDOWS\system32\ubfl.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/28.33/uploader2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{54736056-CA5B-4D10-A0C6-0A5BE4D4A585}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{62C09758-D7AE-425A-8ADD-333B54576320}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0711BCF-EEF8-4FA8-8DAA-9E0AB6B7D72E}: NameServer = 192.168.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: chpynpye - chpynpye.dll (file missing)
O20 - Winlogon Notify: naywpaiy - naywpaiy.dll (file missing)
O20 - Winlogon Notify: pmnkihf - pmnkihf.dll (file missing)
O20 - Winlogon Notify: wjqbulaw - wjqbulaw.dll (file missing)
O23 - Service: Apache2.2 - Apache Software Foundation - C:\xampp\apache\bin\apache.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Windows System Viewer (wsvsvc) - Unknown owner - C:\WINDOWS\system\usrsvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 8066 bytes

=================

And the following is my ComboFix log file:

ComboFix 08-03-22.3 - Administrator 2008-03-28 19:08:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.106 [GMT 5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\WINDOWS\system32\8_exception.nls
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo1.dll
C:\WINDOWS\system32\chpynpye.dllbox
C:\WINDOWS\system32\naywpaiy.dllbox
C:\WINDOWS\system32\wjqbulaw.dllbox
D:\Autorun.inf
E:\Autorun.inf
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-28 )))))))))))))))))))))))))))))))
.

2008-03-28 18:53 . 2008-03-28 18:52 102,814 -r-hs---- C:\kxax.cmd
2008-03-28 04:55 . 2008-03-26 14:33 101,345 -r-hs---- C:\tknn6.bat
2008-03-26 14:34 . 2008-03-26 14:33 101,345 -r-hs---- C:\6.bat
2008-03-24 18:42 . 2008-03-24 00:03 99,626 -r-hs---- C:\nlblkhq.com
2008-03-24 00:03 . 2008-03-24 00:03 99,626 -r-hs---- C:\okqa2g.com
2008-03-23 17:22 . 2008-03-23 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-22 09:22 . 2008-03-22 09:22 101,092 -r-hs---- C:\stw1ojde.bat
2008-03-20 18:23 . 2008-03-20 18:22 102,455 -r-hs---- C:\ser.com
2008-03-20 00:52 . 2008-03-20 18:22 102,455 -rahs---- C:\9n1k0g6t.cmd
2008-03-18 23:47 . 2008-03-18 23:46 100,863 -r-hs---- C:\mgjpcfdg.cmd
2008-03-16 16:21 . 2008-03-23 17:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-03-15 20:39 . 2008-03-16 19:50 101,295 -r-hs---- C:\xp19.com
2008-03-14 19:14 . 2008-03-14 19:13 100,382 -r-hs---- C:\cayfq2.cmd
2008-03-13 21:21 . 2008-03-13 21:21 101,291 -r-hs---- C:\32e2.com
2008-03-13 08:52 . 2008-03-13 08:51 101,492 -r-hs---- C:\22wcb21o.exe
2008-03-13 08:51 . 2008-03-05 10:28 108,058 -r-hs---- C:\x6.bat
2008-03-07 18:24 . 2008-03-07 19:18 1,307,793 ---hs---- C:\WINDOWS\system32\lhrrlvjt.ini
2008-03-05 21:25 . 2006-08-19 00:10 97,056 -ra------ C:\WINDOWS\system32\drivers\K320mdm.sys
2008-03-05 21:25 . 2006-08-19 00:10 88,560 -ra------ C:\WINDOWS\system32\drivers\K320mgmt.sys
2008-03-05 21:25 . 2006-08-19 00:10 86,368 -ra------ C:\WINDOWS\system32\drivers\K320obex.sys
2008-03-05 21:25 . 2006-08-19 00:10 61,504 -ra------ C:\WINDOWS\system32\drivers\K320bus.sys
2008-03-05 21:25 . 2006-08-19 00:10 9,328 -ra------ C:\WINDOWS\system32\drivers\K320mdfl.sys
2008-03-05 21:25 . 2006-08-19 00:10 6,208 -ra------ C:\WINDOWS\system32\drivers\K320cmnt.sys
2008-03-05 21:25 . 2006-08-19 00:10 6,208 -ra------ C:\WINDOWS\system32\drivers\K320cm.sys
2008-03-05 21:25 . 2006-08-19 00:10 5,840 -ra------ C:\WINDOWS\system32\drivers\K320whnt.sys
2008-03-05 21:25 . 2006-08-19 00:10 5,840 -ra------ C:\WINDOWS\system32\drivers\K320wh.sys
2008-03-05 21:18 . 2008-03-05 21:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Teleca
2008-03-05 21:18 . 2008-03-05 21:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sony Ericsson
2008-03-05 21:06 . 2008-03-05 21:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-03-05 21:05 . 2008-03-05 21:05 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-03-05 21:05 . 2008-03-05 21:07 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2008-03-05 21:05 . 2008-03-05 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Teleca
2008-03-05 21:00 . 2008-03-05 21:03 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-03-05 20:55 . 2008-03-05 20:55 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-05 20:55 . 2008-03-05 20:55 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-05 20:53 . 2008-03-05 20:53 1,302,838 ---hs---- C:\WINDOWS\system32\rddasffc.ini
2008-03-04 20:30 . 2008-03-04 20:31 1,302,442 ---hs---- C:\WINDOWS\system32\cvtwlyuc.ini
2008-02-29 01:14 . 2008-02-29 01:14 <DIR> d-------- C:\WINDOWS\Applian FLV Player
2008-02-29 01:14 . 2008-02-29 01:14 <DIR> d-------- C:\Program Files\FLV Player

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 13:58 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-23 18:27 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Nokia
2008-03-23 12:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-23 12:11 --------- d-----w C:\Program Files\Yahoo!
2008-02-19 08:56 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-01-02 03:11 68,114 ----a-w C:\WINDOWS\system32\eg.exe
2008-01-01 11:39 68,114 --sh--w C:\WINDOWS\system32\ubfl.exe
2007-11-29 03:39 36,864 --sh--r C:\WINDOWS\system\usrsvc.exe
2007-12-06 04:20 6,536 --sh--w C:\WINDOWS\system32\dghjl.bak1
2007-12-20 04:58 194,728 --sh--w C:\WINDOWS\system32\dghjl.bak2
2007-12-20 07:11 199,391 --sh--w C:\WINDOWS\system32\dghjl.ini2
2007-11-17 02:43 6,470 --sh--w C:\WINDOWS\system32\gffhk.bak1
2007-11-07 05:12 103,828 --sh--w C:\WINDOWS\system32\hkjjl.bak2
2007-11-11 04:42 130,455 --sh--w C:\WINDOWS\system32\hkjjl.ini2
2007-11-24 03:21 6,510 --sh--w C:\WINDOWS\system32\lopoq.bak1
2007-11-29 04:48 121,267 --sh--w C:\WINDOWS\system32\lopoq.bak2
2007-12-02 00:14 7,455 --sh--w C:\WINDOWS\system32\lopoq.ini2
2007-11-02 21:23 10,752 --sh--r C:\WINDOWS\system32\rndsvc.exe
2007-11-22 03:41 6,470 --sh--w C:\WINDOWS\system32\rssut.bak1
2007-11-22 18:09 7,062 --sh--w C:\WINDOWS\system32\rssut.ini2
2007-11-17 18:52 6,510 --sh--w C:\WINDOWS\system32\twycf.bak1
2007-11-17 19:47 9,275 --sh--w C:\WINDOWS\system32\twycf.ini2
2007-11-27 09:06 10,752 --sh--r C:\WINDOWS\system32\wzrsvc.exe
2007-12-03 04:49 6,496 --sh--w C:\WINDOWS\system32\xabeg.bak1
2007-12-04 07:15 13,791 --sh--w C:\WINDOWS\system32\xabeg.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"drtg"="C:\WINDOWS\system32\ubfl.exe" [2008-01-01 16:39 68114]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-23 08:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 15:50 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 21:48 147514]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-16 01:36 229376]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 14:11 132496]
"Application Process"="rndsvc.exe" [2007-11-03 02:23 10752 C:\WINDOWS\system32\rndsvc.exe]
"Windows Logical Driver"="wzrsvc.exe" [2007-11-27 14:06 10752 C:\WINDOWS\system32\wzrsvc.exe]
"Windows Logon Application"="C:\WINDOWS\system32\logon.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-29 00:26 185632]
"drtg"="C:\WINDOWS\system32\ubfl.exe" [2008-01-01 16:39 68114]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-27 09:27 385024]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-27 06:17 159744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\chpynpye]
chpynpye.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\naywpaiy]
naywpaiy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkihf]
pmnkihf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wjqbulaw]
wjqbulaw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-10-29 00:26 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-31 05:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\xampp\\apache\\bin\\apache.exe"=
"C:\\xampp\\mysql\\bin\\mysqld.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\xerox\\nwwia\\XrxFTPLt.exe"=
"C:\\WINDOWS\\vidcap32.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 Apache2.2;Apache2.2;"C:\xampp\apache\bin\apache.exe" -k runservice []
R2 wsvsvc;Windows System Viewer;"C:\WINDOWS\system\usrsvc.exe" [2007-11-29 08:39]
S2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 05:56]
S3 K320bus;Sony Ericsson K320 driver (WDM);C:\WINDOWS\system32\DRIVERS\K320bus.sys [2006-08-19 00:10]
S3 K320mdfl;Sony Ericsson K320 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\K320mdfl.sys [2006-08-19 00:10]
S3 K320mdm;Sony Ericsson K320 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\K320mdm.sys [2006-08-19 00:10]
S3 K320mgmt;Sony Ericsson K320 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\K320mgmt.sys [2006-08-19 00:10]
S3 K320obex;Sony Ericsson K320 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\K320obex.sys [2006-08-19 00:10]
S3 SNPP106;PC Camera (6029 CIF);C:\WINDOWS\system32\DRIVERS\snpp106.sys [2003-04-10 00:44]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2f77420-8fca-11dc-87b6-0002443a5ae3}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5383440-f0b9-11dc-8964-0002443a5ae3}]
\Shell\AutoRun\command - H:\6.bat
\Shell\explore\Command - H:\6.bat
\Shell\open\Command - H:\6.bat

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-28 19:11:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-28 19:12:14
ComboFix-quarantined-files.txt 2008-03-28 14:11:58

#2 mysterygal_84


Posted 31 March 2008 - 10:40 AM

Can somebody please help me urgently, because the malware is badly infecting my PC and now I can't even access my emails, i.e. Yahoo, Gmail, Hotmail.

#3 Rawe


Posted 02 April 2008 - 11:25 AM

Hello and welcome to BleepingComputer. :thumbsup:

I apologize for the delay.

Could you please download the latest ComboFix to your desktop and replace the older one you now have?

Then....

Please open notepad (not any other text editor or the script will fail) and copy/paste the text in the quotebox into it

File::
C:\kxax.cmd
C:\tknn6.bat
C:\6.bat
C:\nlblkhq.com
C:\okqa2g.com
C:\stw1ojde.bat
C:\ser.com
C:\9n1k0g6t.cmd
C:\mgjpcfdg.cmd
C:\xp19.com
C:\cayfq2.cmd
C:\32e2.com
C:\22wcb21o.exe
C:\x6.bat
C:\WINDOWS\system32\lhrrlvjt.ini
C:\WINDOWS\system32\rddasffc.ini
C:\WINDOWS\system32\cvtwlyuc.ini
C:\WINDOWS\system32\eg.exe
C:\WINDOWS\system32\ubfl.exe
C:\WINDOWS\system\usrsvc.exe
C:\WINDOWS\system32\dghjl.bak1
C:\WINDOWS\system32\dghjl.bak2
C:\WINDOWS\system32\dghjl.ini2
C:\WINDOWS\system32\gffhk.bak1
C:\WINDOWS\system32\hkjjl.bak2
C:\WINDOWS\system32\hkjjl.ini2
C:\WINDOWS\system32\lopoq.bak1
C:\WINDOWS\system32\lopoq.bak2
C:\WINDOWS\system32\lopoq.ini2
C:\WINDOWS\system32\rndsvc.exe
C:\WINDOWS\system32\rssut.bak1
C:\WINDOWS\system32\rssut.ini2
C:\WINDOWS\system32\twycf.bak1
C:\WINDOWS\system32\twycf.ini2
C:\WINDOWS\system32\wzrsvc.exe
C:\WINDOWS\system32\xabeg.bak1
C:\WINDOWS\system32\xabeg.ini2
C:\WINDOWS\system32\wzrsvc.exe
C:\WINDOWS\system32\logon.exe
C:\WINDOWS\system32\rndsvc.exe

Driver::
wsvsvc

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"drtg"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Application Process"=-
"Windows Logical Driver"=-
"Windows Logon Application"=-
"drtg"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\chpynpye]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\naywpaiy]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkihf]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wjqbulaw]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\vidcap32.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5383440-f0b9-11dc-8964-0002443a5ae3}]


Save it as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

-------

Along with the ComboFix log....

Please download Malwarebytes' Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (see extra note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Please copy and paste the entire report in your next reply. :blink:
Extra note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
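As an added example (not from this thread, and not part of HijackThis, ComboFix or MBAM), the script below applies the same reasoning that produced the CFScript above: it reads HijackThis O4/O20/O23 lines and ComboFix file-listing lines and flags Run entries that launch a bare file name with no path, Winlogon Notify DLLs reported as missing, vendorless services running from the Windows directory, and files carrying both the hidden and system attributes. The heuristics are illustrative, and the sample lines are a constructed subset of the logs posted earlier in the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the HijackThis and ComboFix logs
# posted in this thread (raw string, so the Windows backslashes stay literal).
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Application Process] rndsvc.exe
O4 - HKLM\..\Run: [Windows Logical Driver] wzrsvc.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\system32\logon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: chpynpye - chpynpye.dll (file missing)
O23 - Service: Apache2.2 - Apache Software Foundation - C:\xampp\apache\bin\apache.exe
O23 - Service: Windows System Viewer (wsvsvc) - Unknown owner - C:\WINDOWS\system\usrsvc.exe
2008-03-28 18:53 . 2008-03-28 18:52 102,814 -r-hs---- C:\kxax.cmd
2008-03-05 20:55 . 2008-03-05 20:55 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-07 18:24 . 2008-03-07 19:18 1,307,793 ---hs---- C:\WINDOWS\system32\lhrrlvjt.ini
"""


@dataclass
class Finding:
    kind: str     # HijackThis section (O4 / O20 / O23) or "CF" for a ComboFix file line
    target: str   # the file or entry the finding is about
    reason: str


# HijackThis line shapes used in this thread.
O4_RE = re.compile(r'^O4 - \S+\\\.\.\\Run: \[([^\]]*)\] (.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (\S+) - (.*?)(?P<missing> \(file missing\))?$')
O23_RE = re.compile(r'^O23 - Service: (.*?) - (.*?) - (.*)$')
# ComboFix "Files Created" / "Find3M" line: created . modified size attributes path
CF_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} '
                   r'([\d,]+|<DIR>) ([-a-z]{9}) (.*)$')


def image_path(cmd):
    """Return the executable part of a Run-key command, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def triage(log_text):
    """Scan mixed HijackThis / ComboFix lines and return the entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = O4_RE.match(line)
        if m:
            name, cmd = m.groups()
            exe = image_path(cmd)
            # A bare file name relies on the PATH search order; legitimate installers
            # write a full path. Note that a full path alone is not proof of legitimacy:
            # logon.exe above is not caught here; in the thread ComboFix's "[ ]" marker
            # (no such file on disk) is what exposed it.
            if '\\' not in exe:
                findings.append(Finding('O4', exe,
                                        f'Run entry [{name}] launches a bare file name with no path'))
            continue
        m = O20_RE.match(line)
        if m:
            # Winlogon Notify packages load into winlogon.exe; a registered DLL that is
            # missing from disk is a leftover of something that did not belong there.
            if m.group('missing'):
                findings.append(Finding('O20', m.group(2),
                                        f'Winlogon Notify key {m.group(1)} points to a missing DLL'))
            continue
        m = O23_RE.match(line)
        if m:
            svc, owner, path = m.groups()
            # Heuristic: services without a vendor string that run from the Windows
            # directory; third-party software like XAMPP also lacks an owner but lives elsewhere.
            if owner == 'Unknown owner' and path.lower().startswith('c:\\windows\\'):
                findings.append(Finding('O23', path,
                                        f'service {svc} has no vendor and runs from the Windows directory'))
            continue
        m = CF_RE.match(line)
        if m:
            size, attrs, path = m.groups()
            # hidden + system on a plain file is how these droppers hide from Explorer.
            if size != '<DIR>' and 'h' in attrs and 's' in attrs:
                findings.append(Finding('CF', path, f'file is hidden+system ({attrs})'))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:>3}  {f.target}\n     {f.reason}")
```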

#4 mysterygal_84


Posted 03 April 2008 - 10:17 AM

Hi,

Thanks for the reply.

My combofix log is as follows:

ComboFix 08-04-02.1 - Administrator 2008-04-03 19:43:51.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.60 [GMT 5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\22wcb21o.exe
C:\32e2.com
C:\6.bat
C:\9n1k0g6t.cmd
C:\cayfq2.cmd
C:\kxax.cmd
C:\mgjpcfdg.cmd
C:\nlblkhq.com
C:\okqa2g.com
C:\ser.com
C:\stw1ojde.bat
C:\tknn6.bat
C:\WINDOWS\system\usrsvc.exe
C:\WINDOWS\system32\cvtwlyuc.ini
C:\WINDOWS\system32\dghjl.bak1
C:\WINDOWS\system32\dghjl.bak2
C:\WINDOWS\system32\dghjl.ini2
C:\WINDOWS\system32\eg.exe
C:\WINDOWS\system32\gffhk.bak1
C:\WINDOWS\system32\hkjjl.bak2
C:\WINDOWS\system32\hkjjl.ini2
C:\WINDOWS\system32\lhrrlvjt.ini
C:\WINDOWS\system32\logon.exe
C:\WINDOWS\system32\lopoq.bak1
C:\WINDOWS\system32\lopoq.bak2
C:\WINDOWS\system32\lopoq.ini2
C:\WINDOWS\system32\rddasffc.ini
C:\WINDOWS\system32\rndsvc.exe
C:\WINDOWS\system32\rssut.bak1
C:\WINDOWS\system32\rssut.ini2
C:\WINDOWS\system32\twycf.bak1
C:\WINDOWS\system32\twycf.ini2
C:\WINDOWS\system32\ubfl.exe
C:\WINDOWS\system32\wzrsvc.exe
C:\WINDOWS\system32\xabeg.bak1
C:\WINDOWS\system32\xabeg.ini2
C:\x6.bat
C:\xp19.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\22wcb21o.exe
C:\32e2.com
C:\6.bat
C:\9n1k0g6t.cmd
C:\cayfq2.cmd
C:\kxax.cmd
C:\mgjpcfdg.cmd
C:\nlblkhq.com
C:\okqa2g.com
C:\ser.com
C:\stw1ojde.bat
C:\tknn6.bat
C:\WINDOWS\BM431df4a6.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system\usrsvc.exe
C:\WINDOWS\system32\abhiordk.dll
C:\WINDOWS\system32\awtuuRKb.dll
C:\WINDOWS\system32\bKRuutwa.ini
C:\WINDOWS\system32\bKRuutwa.ini2
C:\WINDOWS\system32\cvtwlyuc.ini
C:\WINDOWS\system32\ddcYqonn.dll
C:\WINDOWS\system32\dghjl.bak1
C:\WINDOWS\system32\dghjl.bak2
C:\WINDOWS\system32\dghjl.ini2
C:\WINDOWS\system32\difmsvvh.dll
C:\WINDOWS\system32\eg.exe
C:\WINDOWS\system32\fccyvTLF.dll
C:\WINDOWS\system32\geBroOhF.dll
C:\WINDOWS\system32\geBspqol.dll
C:\WINDOWS\system32\geBuVMfe.dll
C:\WINDOWS\system32\gffhk.bak1
C:\WINDOWS\system32\gkefkxoe.dll
C:\WINDOWS\system32\hamfaoub.dll
C:\WINDOWS\system32\hgGwUkLe.dll
C:\WINDOWS\system32\hkjjl.bak2
C:\WINDOWS\system32\hkjjl.ini2
C:\WINDOWS\system32\hokhcdnd.dll
C:\WINDOWS\system32\hpdfacsu.dll
C:\WINDOWS\system32\hvvsmfid.ini
C:\WINDOWS\system32\inbnrbdf.dll
C:\WINDOWS\system32\iqvgksrr.dll
C:\WINDOWS\system32\jkkLFxuu.dll
C:\WINDOWS\system32\jpxxwpdb.dll
C:\WINDOWS\system32\kbtijwmv.dll
C:\WINDOWS\system32\kywoowoc.dll
C:\WINDOWS\system32\lhrrlvjt.ini
C:\WINDOWS\system32\lopoq.bak1
C:\WINDOWS\system32\lopoq.bak2
C:\WINDOWS\system32\lopoq.ini2
C:\WINDOWS\system32\mdgckwlv.dll
C:\WINDOWS\system32\mpyodrpe.dll
C:\WINDOWS\system32\pbnudnwe.dll
C:\WINDOWS\system32\pmnkKccy.dll
C:\WINDOWS\system32\qoMdBTno.dll
C:\WINDOWS\system32\rddasffc.ini
C:\WINDOWS\system32\rndsvc.exe
C:\WINDOWS\system32\rqRHaBSi.dll
C:\WINDOWS\system32\rsmfnscm.dll
C:\WINDOWS\system32\rssut.bak1
C:\WINDOWS\system32\rssut.ini2
C:\WINDOWS\system32\twycf.bak1
C:\WINDOWS\system32\twycf.ini2
C:\WINDOWS\system32\ubfl.exe
C:\WINDOWS\system32\uscafdph.ini
C:\WINDOWS\system32\wzrsvc.exe
C:\WINDOWS\system32\xabeg.bak1
C:\WINDOWS\system32\xabeg.ini2
C:\WINDOWS\system32\yayaBUMC.dll
C:\WINDOWS\system32\ybmrwhcd.dll
C:\x6.bat
C:\xp19.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WSVSVC
-------\Service_wsvsvc


((((((((((((((((((((((((( Files Created from 2008-03-03 to 2008-04-03 )))))))))))))))))))))))))))))))
.

2008-04-02 20:03 . 2008-04-02 20:03 48,640 --a------ C:\WINDOWS\system32\rbyogg.exe
2008-04-02 20:03 . 2008-04-02 20:03 48,640 ---h----- C:\Documents and Settings\Administrator\kktc.exe
2008-04-02 20:00 . 2008-04-02 20:00 48,640 --a------ C:\WINDOWS\system32\sfrb.exe
2008-04-02 20:00 . 2008-04-02 20:00 48,640 ---h----- C:\Documents and Settings\Administrator\tmyr.exe
2008-04-02 19:55 . 2008-04-02 19:55 48,640 --a------ C:\WINDOWS\system32\khbhj.exe
2008-04-02 19:55 . 2008-04-02 19:55 48,640 ---h----- C:\Documents and Settings\Administrator\infrjc.exe
2008-04-02 19:34 . 2008-04-02 19:34 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-04-02 19:34 . 2008-04-02 19:38 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-03-31 12:08 . 2008-04-02 01:17 1,584,304 ---hs---- C:\WINDOWS\system32\hmfmaerl.ini
2008-03-30 12:08 . 2008-03-31 12:08 1,584,357 ---hs---- C:\WINDOWS\system32\irgdqfyn.ini
2008-03-29 12:04 . 2008-03-30 12:05 1,583,997 ---hs---- C:\WINDOWS\system32\hbfraujp.ini
2008-03-28 19:34 . 2008-03-28 19:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-23 17:22 . 2008-03-23 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-16 16:21 . 2008-03-23 17:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-03-05 21:25 . 2006-08-19 00:10 97,056 -ra------ C:\WINDOWS\system32\drivers\K320mdm.sys
2008-03-05 21:25 . 2006-08-19 00:10 88,560 -ra------ C:\WINDOWS\system32\drivers\K320mgmt.sys
2008-03-05 21:25 . 2006-08-19 00:10 86,368 -ra------ C:\WINDOWS\system32\drivers\K320obex.sys
2008-03-05 21:25 . 2006-08-19 00:10 61,504 -ra------ C:\WINDOWS\system32\drivers\K320bus.sys
2008-03-05 21:25 . 2006-08-19 00:10 9,328 -ra------ C:\WINDOWS\system32\drivers\K320mdfl.sys
2008-03-05 21:25 . 2006-08-19 00:10 6,208 -ra------ C:\WINDOWS\system32\drivers\K320cmnt.sys
2008-03-05 21:25 . 2006-08-19 00:10 6,208 -ra------ C:\WINDOWS\system32\drivers\K320cm.sys
2008-03-05 21:25 . 2006-08-19 00:10 5,840 -ra------ C:\WINDOWS\system32\drivers\K320whnt.sys
2008-03-05 21:25 . 2006-08-19 00:10 5,840 -ra------ C:\WINDOWS\system32\drivers\K320wh.sys
2008-03-05 21:18 . 2008-03-05 21:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Teleca
2008-03-05 21:18 . 2008-03-05 21:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sony Ericsson
2008-03-05 21:06 . 2008-03-05 21:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-03-05 21:05 . 2008-03-05 21:05 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-03-05 21:05 . 2008-03-05 21:07 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2008-03-05 21:05 . 2008-03-05 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Teleca
2008-03-05 21:00 . 2008-03-05 21:03 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-03-05 20:55 . 2008-03-05 20:55 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-05 20:55 . 2008-03-05 20:55 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 18:27 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Nokia
2008-03-23 12:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-23 12:11 --------- d-----w C:\Program Files\Yahoo!
2008-02-28 20:14 --------- d-----w C:\Program Files\FLV Player
2008-02-19 08:56 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-01-01 11:39 2,048 --sh--w C:\WINDOWS\system32\helperubfl.exe
.

((((((((((((((((((((((((((((( snapshot@2008-03-23_19.34.40.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-03 14:52:33 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_770.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-23 08:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 15:50 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 21:48 147514]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-16 01:36 229376]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 14:11 132496]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-29 00:26 185632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-27 09:27 385024]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-27 06:17 159744]
"khbhj"="C:\WINDOWS\system32\khbhj.exe" [2008-04-02 19:55 48640]
"sfrb"="C:\WINDOWS\system32\sfrb.exe" [2008-04-02 20:00 48640]
"rbyogg"="C:\WINDOWS\system32\rbyogg.exe" [2008-04-02 20:03 48640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkKccy]
pmnkKccy.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-10-29 00:26 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-31 05:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\xerox\\nwwia\\XrxFTPLt.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Documents and Settings\\Administrator\\kktc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

S2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 05:56]
S3 K320bus;Sony Ericsson K320 driver (WDM);C:\WINDOWS\system32\DRIVERS\K320bus.sys [2006-08-19 00:10]
S3 K320mdfl;Sony Ericsson K320 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\K320mdfl.sys [2006-08-19 00:10]
S3 K320mdm;Sony Ericsson K320 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\K320mdm.sys [2006-08-19 00:10]
S3 K320mgmt;Sony Ericsson K320 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\K320mgmt.sys [2006-08-19 00:10]
S3 K320obex;Sony Ericsson K320 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\K320obex.sys [2006-08-19 00:10]
S3 SNPP106;PC Camera (6029 CIF);C:\WINDOWS\system32\DRIVERS\snpp106.sys [2003-04-10 00:44]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2f77420-8fca-11dc-87b6-0002443a5ae3}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

*Newly Created Service* - ENTDRV51
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-03 19:52:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Completion time: 2008-04-03 19:56:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-03 14:55:49
ComboFix2.txt 2008-03-28 14:12:15
Pre-Run: 4,396,089,344 bytes free
Post-Run: 4,388,655,104 bytes free
--------------------------------------------------------

following is MBAM log:

Malwarebytes' Anti-Malware 1.10
Database version: 586

Scan type: Quick Scan
Objects scanned: 28886
Time elapsed: 9 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{50ccd00a-66b6-4d95-aaef-8ee959498f92} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\stfngdvw.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ADP (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dubqikvw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvkiqbud.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lkbffwul.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\luwffbkl.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Install (Rogue.Multiple) -> Quarantined and deleted successfully.

#5 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:51 AM

Posted 03 April 2008 - 11:04 AM

Again, please open Notepad and copy/paste the text in the quote box into it.

File::
C:\WINDOWS\system32\rbyogg.exe
C:\Documents and Settings\Administrator\kktc.exe
C:\WINDOWS\system32\sfrb.exe
C:\Documents and Settings\Administrator\tmyr.exe
C:\WINDOWS\system32\khbhj.exe
C:\Documents and Settings\Administrator\infrjc.exe
C:\WINDOWS\system32\hmfmaerl.ini
C:\WINDOWS\system32\irgdqfyn.ini
C:\WINDOWS\system32\hbfraujp.ini
C:\WINDOWS\system32\helperubfl.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"khbhj"=-
"sfrb"=-
"rbyogg"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkKccy]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Administrator\\kktc.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2f77420-8fca-11dc-87b6-0002443a5ae3}]


Save it as CFScript.txt on your desktop.

(Image: CFScript.txt being dragged onto ComboFix.exe)

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply along with a fresh HijackThis log.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

---

Then, please surf here: http://virustotal.com/

Paste the following filepath in the blank field and hit Send File.

C:\WINDOWS\system32\inetsrv\inetinfo.exe

Wait till the scanners have finished and post back with the results. :thumbsup:
Hi there, stranger!
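The CFScript above tells ComboFix which files to delete (the File:: section) and which registry values ("name"=-) and whole keys ([-key]) to remove. As an added example, not part of this thread and not ComboFix's own code, the Python below shows the triage that leads to those Run-key lines: it parses the "Reg Loading Points" Run blocks as ComboFix prints them (the sample is constructed to mirror the entries in the log posted above), flags values whose executable has a short random-looking lowercase name, sits in system32 or a profile root and was created within days of the scan, groups files of identical size as a second signal, and drafts the matching File:: and Registry:: lines. The thresholds (max_age_days, the 3 to 8 letter name pattern, DROP_DIRS) are my assumptions, not rules ComboFix applies.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample: the two Run keys as ComboFix printed them in the log above
# (the same entries, re-typed here so the example runs offline).
SCAN_DATE = date(2008, 4, 3)
RUN_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-23 08:00 94208]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 14:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-27 09:27 385024]
"khbhj"="C:\WINDOWS\system32\khbhj.exe" [2008-04-02 19:55 48640]
"sfrb"="C:\WINDOWS\system32\sfrb.exe" [2008-04-02 20:00 48640]
"rbyogg"="C:\WINDOWS\system32\rbyogg.exe" [2008-04-02 20:03 48640]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+'
    r"\[(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>\d+)\]$"
)
# Assumed heuristic: a value name of 3-8 lowercase letters that is also the file stem.
RANDOM_NAME_RE = re.compile(r"^[a-z]{3,8}$")
# Assumed drop locations: system32 and the root of a user profile.
DROP_DIRS = ("c:\\windows\\system32\\", "c:\\documents and settings\\")


@dataclass
class RunEntry:
    key: str          # registry key the value lives under
    name: str         # value name
    path: str         # executable path
    created: datetime  # file timestamp ComboFix printed in brackets
    size: int          # file size in bytes


def parse_run_entries(text):
    """Parse ComboFix 'Reg Loading Points' Run blocks into RunEntry objects."""
    entries, key = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if (m := KEY_RE.match(line)):
            key = m["key"]
            continue
        if key and (m := ENTRY_RE.match(line)):
            entries.append(RunEntry(key, m["name"], m["path"],
                                    datetime.strptime(m["stamp"], "%Y-%m-%d %H:%M"),
                                    int(m["size"])))
    return entries


def is_suspicious(e, scan_date, max_age_days=7):
    """Assumed triage rule: random-looking name equal to the file stem, dropped in a
    system/profile directory, created within max_age_days of the scan."""
    stem = e.path.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
    in_drop_dir = e.path.lower().startswith(DROP_DIRS)
    random_name = bool(RANDOM_NAME_RE.match(stem)) and e.name.lower() == stem
    recent = 0 <= (scan_date - e.created.date()).days <= max_age_days
    return in_drop_dir and random_name and recent


def same_size_groups(entries):
    """Second signal: several fresh files of identical size are usually one dropper."""
    by_size = {}
    for e in entries:
        by_size.setdefault(e.size, []).append(e.name)
    return {size: names for size, names in by_size.items() if len(names) > 1}


def draft_cfscript(entries, scan_date):
    """Emit the File:: / Registry:: lines ComboFix expects for the flagged entries."""
    flagged = [e for e in entries if is_suspicious(e, scan_date)]
    lines = ["File::", *[e.path for e in flagged], "", "Registry::"]
    by_key = {}
    for e in flagged:
        by_key.setdefault(e.key, []).append(e.name)
    for key, names in by_key.items():
        lines.append(f"[{key}]")                  # plain [key]: values under it are edited
        lines.extend(f'"{n}"=-' for n in names)   # "name"=- deletes that single value
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_run_entries(RUN_LOG)
    print(same_size_groups(found))
    print(draft_cfscript(found, SCAN_DATE))
```

Run as-is it flags khbhj, sfrb and rbyogg and reproduces the Run-key part of Rawe's script; the kktc.exe, tmyr.exe and infrjc.exe lines in the script came from elsewhere in the log (the firewall AuthorizedApplications list and the profile root), not from the Run keys. The name heuristic is a triage aid only: a small legitimate tool with a short lowercase name would trip it, so the draft is something to read before it is handed to ComboFix, not to run blind.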

#6 mysterygal_84

mysterygal_84
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:51 AM

Posted 03 April 2008 - 12:17 PM

Hi..

Here are the updated files.

Combofix Log
----------------

ComboFix 08-04-02.1 - Administrator 2008-04-03 21:55:45.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.145 [GMT 5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\Documents and Settings\Administrator\infrjc.exe
C:\Documents and Settings\Administrator\kktc.exe
C:\Documents and Settings\Administrator\tmyr.exe
C:\WINDOWS\system32\hbfraujp.ini
C:\WINDOWS\system32\helperubfl.exe
C:\WINDOWS\system32\hmfmaerl.ini
C:\WINDOWS\system32\irgdqfyn.ini
C:\WINDOWS\system32\khbhj.exe
C:\WINDOWS\system32\rbyogg.exe
C:\WINDOWS\system32\sfrb.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\infrjc.exe
C:\Documents and Settings\Administrator\kktc.exe
C:\Documents and Settings\Administrator\tmyr.exe
C:\WINDOWS\system32\hbfraujp.ini
C:\WINDOWS\system32\helperubfl.exe
C:\WINDOWS\system32\hmfmaerl.ini
C:\WINDOWS\system32\irgdqfyn.ini
C:\WINDOWS\system32\khbhj.exe
C:\WINDOWS\system32\rbyogg.exe
C:\WINDOWS\system32\sfrb.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-03 to 2008-04-03 )))))))))))))))))))))))))))))))
.

2008-04-03 20:00 . 2008-04-03 20:00 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-03 20:00 . 2008-04-03 20:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-03 20:00 . 2008-04-03 20:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-02 19:34 . 2008-04-02 19:34 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-04-02 19:34 . 2008-04-02 19:38 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-03-28 19:34 . 2008-03-28 19:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-23 17:22 . 2008-03-23 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-16 16:21 . 2008-03-23 17:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-03-05 21:25 . 2006-08-19 00:10 97,056 -ra------ C:\WINDOWS\system32\drivers\K320mdm.sys
2008-03-05 21:25 . 2006-08-19 00:10 88,560 -ra------ C:\WINDOWS\system32\drivers\K320mgmt.sys
2008-03-05 21:25 . 2006-08-19 00:10 86,368 -ra------ C:\WINDOWS\system32\drivers\K320obex.sys
2008-03-05 21:25 . 2006-08-19 00:10 61,504 -ra------ C:\WINDOWS\system32\drivers\K320bus.sys
2008-03-05 21:25 . 2006-08-19 00:10 9,328 -ra------ C:\WINDOWS\system32\drivers\K320mdfl.sys
2008-03-05 21:25 . 2006-08-19 00:10 6,208 -ra------ C:\WINDOWS\system32\drivers\K320cmnt.sys
2008-03-05 21:25 . 2006-08-19 00:10 6,208 -ra------ C:\WINDOWS\system32\drivers\K320cm.sys
2008-03-05 21:25 . 2006-08-19 00:10 5,840 -ra------ C:\WINDOWS\system32\drivers\K320whnt.sys
2008-03-05 21:25 . 2006-08-19 00:10 5,840 -ra------ C:\WINDOWS\system32\drivers\K320wh.sys
2008-03-05 21:18 . 2008-03-05 21:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Teleca
2008-03-05 21:18 . 2008-03-05 21:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sony Ericsson
2008-03-05 21:06 . 2008-03-05 21:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-03-05 21:05 . 2008-03-05 21:05 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-03-05 21:05 . 2008-03-05 21:07 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2008-03-05 21:05 . 2008-03-05 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Teleca
2008-03-05 21:00 . 2008-03-05 21:03 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-03-05 20:55 . 2008-03-05 20:55 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-05 20:55 . 2008-03-05 20:55 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 18:27 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Nokia
2008-03-23 12:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-23 12:11 --------- d-----w C:\Program Files\Yahoo!
2008-02-28 20:14 --------- d-----w C:\Program Files\FLV Player
2008-02-19 08:56 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-23 08:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 15:50 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 21:48 147514]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-16 01:36 229376]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 14:11 132496]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-29 00:26 185632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-27 09:27 385024]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-27 06:17 159744]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-10-29 00:26 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-31 05:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\xerox\\nwwia\\XrxFTPLt.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

S2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 05:56]
S3 K320bus;Sony Ericsson K320 driver (WDM);C:\WINDOWS\system32\DRIVERS\K320bus.sys [2006-08-19 00:10]
S3 K320mdfl;Sony Ericsson K320 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\K320mdfl.sys [2006-08-19 00:10]
S3 K320mdm;Sony Ericsson K320 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\K320mdm.sys [2006-08-19 00:10]
S3 K320mgmt;Sony Ericsson K320 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\K320mgmt.sys [2006-08-19 00:10]
S3 K320obex;Sony Ericsson K320 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\K320obex.sys [2006-08-19 00:10]
S3 SNPP106;PC Camera (6029 CIF);C:\WINDOWS\system32\DRIVERS\snpp106.sys [2003-04-10 00:44]

*Newly Created Service* - ENTDRV51
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-03 21:58:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-03 21:59:38
ComboFix-quarantined-files.txt 2008-04-03 16:59:21
ComboFix2.txt 2008-04-03 14:56:02
ComboFix3.txt 2008-03-28 14:12:15
Pre-Run: 4,358,729,728 bytes free
Post-Run: 4,344,844,288 bytes free

-------------------------------------

Hijack This Log
-----------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:23 PM, on 4/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.0.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:3128
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/28.33/uploader2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{54736056-CA5B-4D10-A0C6-0A5BE4D4A585}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{62C09758-D7AE-425A-8ADD-333B54576320}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0711BCF-EEF8-4FA8-8DAA-9E0AB6B7D72E}: NameServer = 192.168.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 7150 bytes
--------------------------------------------------------------------------

inetinfo.exe results
----------------------

File inetinfo.exe received on 04.03.2008 11:28:40 (CET)
Current status: finished

Result: 0/31 (0.00%)

#7 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:51 AM

Posted 03 April 2008 - 12:26 PM

Hello. :thumbsup:

Please rerun a scan with HijackThis and check the following object for removal:

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg


With all the other open windows closed, hit FIX CHECKED. Exit HijackThis.

How does the system appear to be running at this point?

Also, do you recognize these?

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.0.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:3128

Hi there, stranger!

#8 mysterygal_84

mysterygal_84
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:51 AM

Posted 04 April 2008 - 09:11 AM

Hi..

After removing the file, my system has improved a lot. I was getting spyware windows every time I opened Internet Explorer. Everything works perfectly now! :blink:

About the values, these are my Internet Service Provider settings to run the Internet.

Thanks for helping me out :thumbsup:

Edited by mysterygal_84, 04 April 2008 - 09:18 AM.


#9 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:51 AM

Posted 04 April 2008 - 10:53 AM

Hi again.

Always glad to help. :thumbsup:

Click Start -> Run and type in:

ComboFix /u


Now click OK. When shown the disclaimer, select 2.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
Prevention Programs:
  • Comodo BOClean <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • SpywareBlaster <= SpywareBlaster will prevent spyware from being installed. Detailed installation guide provided.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known adsites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Other necessary Programs:
  • Antivirus Program <= An antivirus program is a must! Whether it is a free version like Avast! or Anti-Vir, or a shareware version like NOD32, this is a must have. (Note: only use one at a time.)
  • Firewall <= A firewall is definitely a must have. Two good free versions are Comodo and Online Armor. (Note: only use one at a time.)
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice:
So how did I get infected in the first place?

Setup guide for Comodo Firewall
Setup guide for Avast! 4 Free
Setup guide for AVG Free Antivirus
Hi there, stranger!
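The MVPS Hosts file tip above works because a name listed in HOSTS is answered locally before DNS is asked, so pointing an ad server at 127.0.0.1 sends that traffic nowhere. The same mechanism can be turned the other way, a vendor's update site pointed at loopback or at a stranger's address, which is why a hosts audit belongs in a cleanup. As an added example (mine, not the thread's and not MVPS code) the Python below parses a constructed hosts file and classifies each mapping as sink (loopback or 0.0.0.0, the blocklist pattern), redirect (a name sent to some other address) or blocked (a sink entry for a name the machine must reach). The sample hostnames use the reserved .invalid TLD, and the must_resolve list is an assumption standing in for whatever update servers matter on a given machine.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample hosts file: Windows' own localhost line, two MVPS-style
# blocklist entries, and two lines of the kind a hijack plants (not real hosts).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example-adnetwork.invalid      # blocklist: sink to nowhere
127.0.0.1       tracker.example-adnetwork.invalid  # blocklist, older 127.0.0.1 style
10.9.8.7        update.example-av.invalid          # planted: traffic goes to a third party
127.0.0.1       www.example-av.invalid             # planted: vendor site made unreachable
"""

HOSTS_LINE_RE = re.compile(r"^\s*(?P<ip>\S+)\s+(?P<names>[^#]+?)\s*(?:#.*)?$")


def parse_hosts(text):
    """Return (ip_address, hostname) pairs; comments and malformed lines are skipped."""
    pairs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = HOSTS_LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue            # first token is not an address: leave it for a human
        for name in m["names"].split():
            pairs.append((ip, name.lower()))
    return pairs


def audit_hosts(text, must_resolve=()):
    """Classify every non-localhost mapping.

    sink     - target is loopback or 0.0.0.0: the MVPS blocklist technique
    redirect - target is any other address: that name now goes where the line says
    blocked  - a sink entry for a name in must_resolve (assumed list of hosts the
               machine needs, e.g. AV update servers): a blocklist turned against you
    """
    protected = {h.lower() for h in must_resolve}
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if ip.is_loopback or ip.is_unspecified:
            kind = "blocked" if name in protected else "sink"
        else:
            kind = "redirect"
        findings.append((kind, name, str(ip)))
    return findings


def summarize(findings):
    """Count findings per class, for a quick glance at an MVPS-sized file."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    results = audit_hosts(SAMPLE_HOSTS, must_resolve=["update.example-av.invalid",
                                                      "www.example-av.invalid"])
    for kind, name, ip in results:
        print(f"{kind:8} {name:36} -> {ip}")
    print(summarize(results))
```

On a live XP machine the file is %SystemRoot%\System32\drivers\etc\hosts. With the MVPS file installed, thousands of lines land in sink and are expected; the redirect and blocked lines are the ones to read, since they are the only way a hosts entry can change where real traffic goes.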

#10 mysterygal_84

mysterygal_84
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:51 AM

Posted 05 April 2008 - 03:53 AM

Hi Rawe..


Thanks a lot for the support and proper guidance. I assure you I will take proper care of my PC in order to avoid future problems.

#11 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:51 AM

Posted 05 April 2008 - 06:42 AM

Since this issue appears to be resolved, this topic has been closed. Should you need this topic reopened, please PM a Staff member. :thumbsup:

Glad I could help.
Hi there, stranger!



