
I Was Infected With Something Called Yayvsjgf.dll?



#1 Mia13l (Members, 1 posts)

Posted 21 May 2008 - 12:01 PM

My Google/Yahoo search results were getting redirected to some other search pages. Also I wasn't able to connect to the Windows Update site or their download site, and most anti-virus/spyware sites as well. It put a file called yayvSjgf.dll in the system32 folder and it disabled the Task Manager. I eventually was able to stop the process and delete the file, but my searches were still getting redirected and I was still blocked from certain websites.

Anyway, I was able to get and run SUPERAntiSpyware, Spyware Terminator and avast! Antivirus. I ran those and they found a bunch of stuff and removed them. Everything seems to be working fine now, but I am not 100% sure that those programs found and fixed everything.

Here is what dss.exe produced. Could someone please check it and let me know if everything is OK or if there are still problems that need to be fixed? Thanks.


Deckard's System Scanner v20071014.68
Run by Me on 2008-05-21 12:47:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Me.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:05 PM, on 5/21/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Me\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Me.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.a...&tbid=61008
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=61008
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=61008
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=61008
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=61008
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\ME\Application Data\Mozilla\Profiles\default\r3c7a4ym.slt\prefs.js)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communities.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5342 bytes

-- Files created between 2008-04-21 and 2008-05-21 -----------------------------

2008-05-20 23:41:37 0 d-------- C:\Documents and Settings\Me\Application Data\Roxio
2008-05-20 23:32:49 0 d-------- C:\Program Files\Roxio
2008-05-20 14:03:41 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-20 14:03:24 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-20 14:03:24 0 d-------- C:\Documents and Settings\Me\Application Data\SUPERAntiSpyware.com
2008-05-20 12:16:49 0 d-------- C:\WINDOWS\ERUNT
2008-05-20 02:43:11 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-20 02:42:44 0 d-------- C:\Program Files\Spyware Doctor
2008-05-20 02:42:44 0 d-------- C:\Documents and Settings\Me\Application Data\PC Tools
2008-05-20 02:06:37 141312 --a------ C:\WINDOWS\System32\drivers\sp_rsdrv2.sys
2008-05-20 02:06:36 0 d-------- C:\Documents and Settings\Me\Application Data\Spyware Terminator
2008-05-20 02:06:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-05-20 02:06:26 0 d-------- C:\Program Files\Spyware Terminator
2008-05-19 21:29:26 0 d-------- C:\Program Files\Alwil Software
2008-05-19 15:04:20 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-05-18 23:27:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-18 23:26:30 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 18:35:14 1695 --a------ C:\WINDOWS\System32\clbinit.dll
2008-05-18 16:17:14 0 d-------- C:\Documents and Settings\Me\Application Data\GlarySoft
2008-05-18 14:02:13 0 d-------- C:\Program Files\Glary Utilities
2008-05-18 13:49:57 0 d-------- C:\Program Files\xp-AntiSpy
2008-05-18 04:45:42 691545 --a------ C:\WINDOWS\unins000.exe
2008-05-18 04:45:42 2536 --a------ C:\WINDOWS\unins000.dat
2008-05-18 04:08:16 0 d-------- C:\Program Files\Trend Micro
2008-04-27 18:37:11 0 d-------- C:\Program Files\GIMP-2.0
2008-04-27 13:26:39 0 d-------- C:\Documents and Settings\Me\.thumbnails
2008-04-27 13:26:00 0 d-------- C:\Documents and Settings\Me\Application Data\gtk-2.0
2008-04-27 13:18:41 0 d-------- C:\Documents and Settings\Me\.gimp-2.4
2008-04-26 17:48:11 0 d-------- C:\Program Files\Blender Foundation


-- Find3M Report ---------------------------------------------------------------

2008-05-20 20:57:49 0 d-a------ C:\Program Files\Common Files
2008-05-20 11:48:09 0 d-------- C:\Program Files\Kazaa
2008-05-20 10:52:42 0 d-------- C:\Documents and Settings\Me\Application Data\Free Download Manager
2008-05-18 23:28:05 0 d-------- C:\Program Files\Lavasoft
2008-05-18 23:28:01 0 d-------- C:\Documents and Settings\Me\Application Data\Lavasoft
2008-05-18 21:19:09 0 d-------- C:\Program Files\Universal Boxing Manager
2008-05-18 21:18:35 0 d-------- C:\Program Files\Digital Asphyxia
2008-05-18 21:18:13 0 d-------- C:\Program Files\Y!TunnelBasic V1.3 Build 244
2008-05-18 21:17:01 0 d-------- C:\Program Files\YahELite
2008-05-18 21:15:53 0 d-------- C:\Program Files\YESolo
2008-05-18 21:00:09 0 d-------- C:\Program Files\ICQ
2008-05-18 20:56:49 0 d-------- C:\Program Files\CookbookWizard
2008-05-18 20:53:58 0 d-------- C:\Program Files\AIM
2008-05-18 20:53:51 0 d-------- C:\Documents and Settings\Me\Application Data\Aim
2008-05-18 18:06:34 0 d-------- C:\Documents and Settings\Me\Application Data\MSN6
2008-05-16 18:57:40 0 d-------- C:\Program Files\CoffeeCup Software
2008-05-07 07:05:39 0 d-------- C:\Program Files\Madden Amp
2008-05-04 17:30:21 0 d-------- C:\Program Files\LimeWire
2008-04-26 12:15:08 0 d-------- C:\Program Files\C3MT
2008-03-23 17:40:02 0 d-------- C:\Program Files\InterActual
2008-03-22 12:03:02 0 d-------- C:\Documents and Settings\Me\Application Data\PolyView


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [07/10/2003 04:25 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/2008 07:19 PM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [12/10/2007 02:53 PM]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [05/01/2003 06:44 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dordo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2N85L533MR#GJT]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Soundmx]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trickler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
C:\Program Files\Common files\updater\wupdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows auto update]





-- End of Deckard's System Scanner: finished at 2008-05-21 12:48:37 ------------
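As an added example (not from this thread, and not code from the HijackThis or DSS tools), here is a small Python parser for HijackThis-format lines with a few defender-side review rules that correspond to the symptoms described in the post: a browser search provider rewritten to an external URL, Internet Explorer policy restrictions, ActiveX download entries with no source URL, and DLLs registered to load at logon. The sample log lines, product names, paths and CLSIDs are constructed placeholders, not entries taken from the log above.

```python
import re

# Matches one HijackThis entry such as "O4 - HKLM\..\Run: [Name] C:\path\prog.exe"
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+?)\s*$")

# Constructed sample in HijackThis log format. The paths, names and CLSIDs are
# illustrative placeholders, not entries copied from the forum post.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.example.invalid/dispatch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\PROGRA~1\Example\helper.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Example Control) -
O20 - Winlogon Notify: example - C:\WINDOWS\System32\exmplnot.dll
O23 - Service: Example Service (exsvc) - Example Corp - C:\Program Files\Example\exsvc.exe
"""


def parse_hjt(text):
    """Return (code, body) pairs for every HijackThis entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def count_by_code(entries):
    """Number of entries per HijackThis section code, e.g. {'O4': 1, 'O23': 1}."""
    counts = {}
    for code, _ in entries:
        counts[code] = counts.get(code, 0) + 1
    return counts


def triage(entries):
    """Apply a few review rules; return (code, reason, body) for entries worth a closer look."""
    findings = []
    for code, body in entries:
        if code in ("R0", "R1") and "=" in body:
            key, _, value = body.partition("=")
            # A search setting pointing at an external URL matches the
            # "search results redirected" symptom; legitimate toolbars set
            # these too, so this is a review item, not a verdict.
            if "search" in key.lower() and value.strip().lower().startswith("http"):
                findings.append((code, "browser search setting points at a third-party URL", body))
        elif code == "O6":
            # Keys under HKCU\Software\Policies restrict IE; confirm whether an
            # administrator or a hardening tool set them before removing them.
            findings.append((code, "IE policy restriction keys present", body))
        elif code == "O16" and body.endswith(" -"):
            # ActiveX download (DPF) entry whose codebase URL is empty.
            findings.append((code, "ActiveX download entry without a source URL", body))
        elif code == "O20":
            # Winlogon Notify DLLs load inside winlogon.exe at logon, a classic
            # persistence point; each one should map to an installed product.
            findings.append((code, "Winlogon Notify DLL; confirm it belongs to an installed product", body))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("entries per section:", count_by_code(parsed))
    for code, reason, body in triage(parsed):
        print(f"[{code}] {reason}: {body}")
```

Running the script on the constructed sample reports four review items (the R1 search bar, the O6 restriction key, the URL-less O16 entry and the O20 Winlogon Notify DLL) and leaves the O2, O4 and O23 entries alone; on a real log the rules only narrow down what a human reviewer looks at first, since every flagged entry can also be produced by legitimate software.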


#2 Simon V. (Members, 439 posts)

Posted 19 June 2008 - 01:58 PM

Hello, and welcome to the forum.

I'm sorry for the delay; the forums are very busy. If you still need help, please post a new Deckard's System Scanner log and give a description of how your computer is currently running.
Simon V.


So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

My help at this forum is free, but if you wish to make a donation to help me continue the fight against malware - click here.

#3 Simon V. (Members, 439 posts)

Posted 23 June 2008 - 05:33 PM

Due to inactivity this topic will be closed.

If you need help please start a new thread and post a new HijackThis log.
Simon V.

