
Happy888.3322.org Full-screen Popups


36 replies to this topic

#1 smileandwave (Members, 29 posts)

Posted 25 May 2007 - 11:18 AM

Greetings Everyone,

Long-time lurker-learner, new member with problem.

I'm running Windows XP Home edition. I usually use MSIE. (I recently began trying out Firefox.)


- PROBLEM -

A few days ago, I began getting MSIE full-screen popups several times per hour with the page title "Automated Conveyor Systems." It first goes to "happy888.3322.org" or "happy10000.3322.org" ... then redirects to one of many sites.

I first set MSIE Tools > Internet Options > Security > Internet to "Disable" or "Prompt" for scripts and ActiveX Controls. That harnessed the problem somewhat. In the process of using various malware cleaners, I reset MSIE security options to "Medium" (as requested by one of the apps; I forget which).

In the last 3-4 days, it has changed in that it will launch iexplore.exe, but does not actually display a popup. So there's no visible indication it has launched.

When I use Windows Task Manager to view Processes, I see one or more instances of iexplore.exe running, even when I am not using MSIE. During an extended period yesterday (while letting a cleaner run), I came back to find 9 instances of iexplore.exe running! I do an "End Process" on these. (Each of these instances may be using 10-40 MB of memory.)

The original problem seems to have begun after I read some Web-based email. (Is it possible to get infected via Web-based email versus an email client?)

At the moment, I have both Norton 360 and Webroot Spy Sweeper running in the background. Yet the iexplore.exe's keep launching.


- STEPS I'VE TAKEN -

I ran Ad-Aware, then bought Webroot Spy Sweeper and ran it. (FWIW, I've had Norton Personal Firewall, recently updated to Norton 360.) Problem continued.

I went through the steps in - including Spybot S&D, McAfee AVERT Stinger, updated Windows, etc. - but problem continues. (Wasn't able to fully execute Step 5; tried Housecall Anti Virus, but no progress bar or other indication of progress; after a few hours, I stopped it. However, I did do a complete/full scan using Norton 360 with latest updates.) NOTE (FWIW): Windows Update installed MSIE 7; I had been using MSIE 6.

I'd *greatly* appreciate someone's kindness in reviewing my HijackThis log below and offering some advice. Thanks in advance.

FWIW, I've seen a similar problem (happy888.3322.org) discussed in this BleepingComputer thread:
http://www.bleepingcomputer.com/forums/t/88262/httphappy8883322orghomehtm/

SmileAndWave


Logfile of HijackThis v1.99.1
Scan saved at 11:07:18 AM, on 5/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\StickyPad\StickyPad.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\JGsoft\EditPadLite\EditPad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\program files\adobe\acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Copernic Desktop Search - {C5F7A735-70F1-477F-8C36-6FF3C736017B} - C:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration974.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] "C:\Program Files\Microsoft Works\WksSb.exe" /AllUsers
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Norton Password Manager\AcctMgr.exe" /startup
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [xydzyh] C:\WINDOWS\system32\xydzyh.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [Sticky Pad] "C:\Program Files\StickyPad\StickyPad.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
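
A triage pass over the kind of HijackThis lines in this log, added here as an example (it is not part of the original post and not HijackThis code): it parses the O4 Run-key entries and the O23 service lines, scores each Run entry on a few heuristics (an unknown binary launched straight out of the Windows directory, a value name that is just the file name, a name that looks machine-generated) and separately lists services tagged "(file missing)" for manual verification. The sample lines are constructed from the log above; the allowlist, weights and threshold are my own assumptions. On the "(file missing)" tag: the Symantec entries show a stray trailing quote before "/h ccCommon", which is consistent with HijackThis 1.99.1 mis-parsing a quoted service ImagePath that carries arguments, so that tag should be checked against the service's ImagePath in the registry rather than treated as evidence by itself.

```python
"""Triage HijackThis 1.99.1 O4 (Run-key) and O23 (service) lines.

Added example, not HijackThis code: scores Run entries with a few heuristics
and separately lists services tagged "(file missing)" for manual verification.
Sample lines are constructed from the log in this thread; the allowlist,
weights and threshold are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field

# Binaries that legitimately run from %SystemRoot%\system32 via Run keys on XP
# (assumed allowlist; extend it from your own baseline).
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe", "dumprep", "dumprep.exe"}
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system32"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Constructed from the posted log (selection shortened, content unchanged).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [xydzyh] C:\WINDOWS\system32\xydzyh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
"""


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: list = field(default_factory=list)


def exe_from_cmdline(cmd):
    """Executable path from a Run value: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def strip_exe(name):
    return name[:-4] if name.lower().endswith(".exe") else name


def looks_generated(stem):
    """Five or more lowercase letters with no a/e/i/o/u, e.g. 'xydzyh'.
    A heuristic for throwaway dropper names, not proof of anything."""
    return len(stem) >= 5 and stem.isalpha() and stem.islower() and not set(stem) & set("aeiou")


def score_run_entry(name, cmd):
    exe = exe_from_cmdline(cmd)
    parts = exe.split("\\")
    directory = "\\".join(parts[:-1]).lower()
    base = parts[-1].lower()
    stem = strip_exe(base)
    f = Finding(line=f"[{name}] {cmd}")
    if directory in WINDOWS_DIRS and base not in KNOWN_SYSTEM32_AUTORUNS:
        f.score += 2
        f.reasons.append("unknown binary launched straight from the Windows directory")
    if strip_exe(name).lower() == stem:
        f.score += 1
        f.reasons.append("value name is just the file name (no vendor branding)")
    if looks_generated(stem):
        f.score += 2
        f.reasons.append("name looks machine-generated")
    return f


def triage(text, threshold=3):
    """Findings at or above the threshold, highest score first."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            findings.append(score_run_entry(m["name"], m["cmd"]))
            continue
        m = O23_RE.match(line)
        if m and "(file missing)" in m["path"]:
            findings.append(Finding(
                line=f"Service: {m['display']} -> {m['path']}", score=1,
                reasons=["HijackThis could not find the binary; verify the ImagePath in the registry"]))
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: (-f.score, f.line))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, threshold=1):
        print(f.score, f.line, "|", "; ".join(f.reasons))
```

With the default threshold only the xydzyh entry surfaces (score 5); lowering it to 1 also lists ctfmon.exe and ccApp (value name equal to file name, harmless here) and the Symantec service tagged "(file missing)" for verification.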


#2 random/random (Malware Response Team, 2,704 posts)

Posted 25 May 2007 - 02:44 PM

  • Some of our experts would like to examine the files you are infected with
  • Go to the upload page here
  • Click Browse
  • Find this file:
    • C:\WINDOWS\system32\xydzyh.exe
  • Select the file, then click Open
  • Click Send File


#3 smileandwave (Topic Starter; Members, 29 posts)

Posted 25 May 2007 - 04:32 PM

random/random,

I can't find a ....

C:\WINDOWS\system32\xydzyh.exe

... even with hidden files displaying in Windows Explorer.

However, I used Windows Explorer to search for any file with "xydzyh" in the name in the C:\WINDOWS\ directory and it returned only one ... in a \Prefetch\ subdirectory ....

C:\WINDOWS\Prefetch\XYDZYH.EXE-2F2870F5.pf

... which has a Size of 8.06 KB (8,254 bytes) and a Date Modified of 5/24/2007 11:44 PM [CDT].

Shall I upload that one or what? (I see the 04 entry you're referencing in my HJT log -- O4 - HKLM\..\Run: [xydzyh] C:\WINDOWS\system32\xydzyh.exe. Just can't find it on the hard drive.)

Ongoing thanks,

smileandwave

- - - - - - - - - - - - - -

random/random,

Added thought. This morning (after running HJT, I *think*), I reset MSIE > Internet Options > Security > Internet zone to "High." (I earlier had it on "Medium" or some "Custom" blend turning off ActiveX controls, etc.) Changing to "High" wouldn't cause the xydzyh.exe to "disappear" would it?

smileandwave

Edited by smileandwave, 25 May 2007 - 04:56 PM.


#4 random/random (Malware Response Team, 2,704 posts)

Posted 26 May 2007 - 06:14 AM

> C:\WINDOWS\Prefetch\XYDZYH.EXE-2F2870F5.pf

Yes, please upload that file

> random/random,
>
> Added thought. This morning (after running HJT, I *think*), I reset MSIE > Internet Options > Security > Internet zone to "High." (I earlier had it on "Medium" or some "Custom" blend turning off ActiveX controls, etc.) Changing to "High" wouldn't cause the xydzyh.exe to "disappear" would it?
>
> smileandwave

No, that would not cause the file to disappear
  • Please download F-Secure Blacklight (fsbl.exe) from here
  • Save into C:\ with a name of fsbl.exe
  • Go to Start > Run
  • Copy and paste the contents of the below codebox into the run box
    C:\fsbl.exe /expert
  • Click OK
  • This will launch BlackLight
  • Select I accept the agreement
  • Click Next
  • Click Scan
  • Wait for the scan to finish
  • Click on Next>
  • Click Exit
  • A logfile will have been created in the C:\ drive
  • It will be named fsbl-xxxxxxxxxxxxxx.log where xxxxxxxxxxxxxx is the date and time of the scan
  • Use notepad to open that log
  • Post the contents of that log as a reply to this topic


#5 smileandwave (Topic Starter; Members, 29 posts)

Posted 26 May 2007 - 09:59 AM

random/random,

I just uploaded the file you requested (XYDZYH.EXE-2F2870F5.pf).

Will download and run F-Secure Blacklight ASAP.

Thanks,
smileandwave

#6 smileandwave (Topic Starter; Members, 29 posts)

Posted 26 May 2007 - 10:36 AM

random/random,

Here's the log file from F-Secure Blacklight. It reported no hidden files found.

Thanks,
smileandwave

===============

05/26/07 10:01:50 [Info]: BlackLight Engine 1.0.61 initialized
05/26/07 10:01:50 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/26/07 10:01:51 [Note]: 7019 4
05/26/07 10:01:51 [Note]: 7005 0
05/26/07 10:02:06 [Note]: 7006 0
05/26/07 10:02:06 [Note]: 7022 0
05/26/07 10:02:06 [Note]: 7011 1596
05/26/07 10:02:06 [Note]: 7026 0
05/26/07 10:02:07 [Note]: 7026 0
05/26/07 10:02:35 [Note]: FSRAW library version 1.7.1021
05/26/07 10:20:01 [Note]: 2000 1012
05/26/07 10:25:26 [Note]: 7007 0

#7 random/random (Malware Response Team, 2,704 posts)

Posted 26 May 2007 - 02:54 PM

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines(if still present)

O4 - HKLM\..\Run: [xydzyh] C:\WINDOWS\system32\xydzyh.exe

Then close all windows except HijackThis and click Fix Checked
  • Download GMER by GMER from here
  • Unzip it to a folder on your desktop
  • Double click on gmer.exe to launch GMER
  • If asked, allow the gmer.sys driver load
  • If it warns you about rootkit activity and asks if you want to run scan, click OK
  • If you don't get a warning then
    • Click the rootkit tab
    • Click Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerrk.txt
  • Click on the >>> tab
  • This will open up the rest of the tabs for you
  • Click on the Autostart tab
  • Click on Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerautos.txt
  • Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic, along with a new HijackThis log


#8 smileandwave (Topic Starter; Members, 29 posts)

Posted 27 May 2007 - 02:04 PM

random/random,

(1) HJT did show and remove/fix....
C:\WINDOWS\system32\xydzyh.exe

(2) Seems to be a problem running GMER. Launched rootkit tab > Scan. After about 30 seconds of seemingly running fine, screen went completely black (not *blank*/blue/etc., but *black*) and remained so. I thought this conceivably was appropriate for a gut-level scan. Of course, with a black screen, I couldn't see what activity was going on in the GMER window. After an hour or so, I decided to shut down and try again. System was locked up; could NOT do a Ctrl-Alt-Del shutdown; screen remained black. Did a hard shutdown (push & hold Power button).

(FWIW -- before going to black screen, the files-being-scanned status bar at the bottom showed that GMER had transitioned from "C:\" locations to just plain "\Device\" (with no drive indicator ["C:\"].) I also have an E:\ drive, which GMER had not yet gotten to.)

Rebooted and relaunched GMER. Again, seemed to start OK, then repeated above scenario - 30 seconds or so, scanning "\Device\", goes black. On the outside chance this was appropriate, I just let it run. But after about 12 hours, I decided again to give up. Did another hard shutdown.

Q #1: Should GMER cause a black screen?
Q #2: How long does it typically take a GMER scan -- on an order-of-magnitude scale (e.g., two minutes, two hours, 12 hours)?

(3) Unrelated note, but perhaps helpful info: This "trojan/rootkit/whatever" has caused some changes in my user interfaces, also. At boot up, I get a wallpaper of a landscape (apparently the "Bliss" Desktop theme in Windows Display Properties > Desktop Background). After a couple of seconds, it goes to the blue background I normally use for my desktop (Display Properties > Desktop Background = "none"). Also, I think my MSIE Favorites were out of order on occasion (while I usually do "Sort by Name" for Favorites).

Thanks,
smileandwave

#9 random/random (Malware Response Team, 2,704 posts)

Posted 27 May 2007 - 02:57 PM

No, GMER is most definitely not supposed to do that

It would usually take 10 or so minutes to run
  • Download AVG Anti-rootkit from here
  • Double click on avgarkt-setup-1.1.0.42.exe to start the install of AVG Anti-rootkit
  • Click Next>
  • Click Next>
  • Click I agree
  • Click Next>
  • Click Install
  • Click Finish, your computer will now be restarted
  • Once your machine has restarted, double click on the AVG Anti-rootkit shortcut on your desktop to start AVG Anti-rootkit
  • Click Perform in-depth search
  • Click Scan
  • Wait for the scan to complete
  • Right click in the middle of the window, and click Save results
  • Save it to the desktop as avgrk.csv
  • Use notepad to open that file, and post the contents as a reply to this topic
  • Download Catchme by GMER from here and save it your desktop
  • Double click on catchme.exe to launch Catchme
  • This will open a DOS window
  • When the scan has finished, this message will be displayed:

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

  • Close the DOS window
  • A log will be created on your desktop called catchme.log
  • Use notepad to open the log
  • Copy and paste the contents of the log as a reply to this topic
Post back with the AVG Anti-rootkit log, the Catchme log and a new HijackThis log

#10 smileandwave (Topic Starter; Members, 29 posts)

Posted 28 May 2007 - 09:17 AM

random/random,

AVG Anti-rootkit returned a "Nothing found" message, along with a popup that congratulated me on no rootkits being found. (Therefore, no results to save and post to this topic's thread.)

Catchme reported no hidden processes, services, or files. Log is below.

HJT log is below (generated after running AVG Anti-rootkit and Catchme).

Update on suspicious activities: As you recall, my system was "locked up" with the black screen GMER process overnight Saturday until about 12:00-1:00 mid-day Sunday. Since I did that hard shutdown and reboot (plus 2-3 other reboots since mid-day Sunday), I don't think there have been any instances of suspicious iexplore.exe. Is it possible that the problem was fixed when I used HJT to remove xydzyh.exe (per your directions in Post #7 Saturday)??

Ongoing thanks,
smileandwave


=== Catchme log ===

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


=== HijackThis log ===

Logfile of HijackThis v1.99.1
Scan saved at 8:53:42 AM, on 5/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\StickyPad\StickyPad.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\JGsoft\EditPadLite\EditPad.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\program files\adobe\acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Copernic Desktop Search - {C5F7A735-70F1-477F-8C36-6FF3C736017B} - C:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration974.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] "C:\Program Files\Microsoft Works\WksSb.exe" /AllUsers
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Norton Password Manager\AcctMgr.exe" /startup
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Sticky Pad] "C:\Program Files\StickyPad\StickyPad.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#11 random/random (Malware Response Team, 2,704 posts)

Posted 28 May 2007 - 09:24 AM

The logs aren't showing any malware, so it looks like removing xydzyh.exe did the trick

#12 smileandwave (Topic Starter; Members, 29 posts)

Posted 28 May 2007 - 10:07 AM

random/random,

It goes without saying, but I'm saying it anyway: I am so very grateful for your help. While having a malware infection has been a frustrating, even scary episode for me, tapping your valuable resources via BC.com has been a fascinating experience. The Internet continues to amaze me for its global community. Forget social networking sites. The real value is in the Usenet news groups, forums, and other venues built around niche interests and needs. For any topic, you can find "gathering places" where people are willing to share their knowledge and experience. When the problem is one where "I don't know where to begin" (like most of us hit by malware), being able to turn to individuals like you and the BleepingComputer.com forum is simply priceless.

Thank you so much for volunteering your assistance. (The same goes for the scores of other helpers at BC.com.)

If this bug (or others) rears its head again, I'll turn to you for help.

The other incredible element of this, of course, is the mind-boggling number of viruses, trojans, worms, rootkits, and other malware that's been set loose on the world.

By the way, back on my original post, I asked if it's possible to get infected via Web-based email versus reading email with an email client. Is that possible? (I *think* these malware symptoms began after I inadvertently opened some spam sent to the address for my blog. For that email account, I use Web-based email.)

Sidenote: I'm doing my part to be a helper, too. I publish a blog about the current outbreak of bird flu and risks associated with the next flu pandemic. The blog is simply called Pandemic Plan. It's at http://reports.typepad.com/pandemic_plan/. Check it out.

Best regards and thanks one more time,
smileandwave

#13 smileandwave (Topic Starter; Members, 29 posts)

Posted 28 May 2007 - 10:57 AM

random/random,

Another question: Is there any way to assess damage, if any, from this infection? Any way to know what the bug was doing and whether I'm at any particular risk of stolen information, etc.? Does BleepingComputer.com or other source have any ready-made list of suggestions about "post-infection clean up?" I assume I should change all passwords, at the least.

Thanks,
smileandwave

#14 random/random (Malware Response Team, 2,704 posts)

Posted 28 May 2007 - 02:27 PM

Acrobat reader is outdated, uninstall the one you have installed and install the latest one from here:

http://www.adobe.com/products/acrobat/readstep2.html

> By the way, back on my original post, I asked if it's possible to get infected via Web-based email versus reading email with an email client. Is that possible? (I *think* these malware symptoms began after I inadvertently opened some spam sent to the address for my blog. For that email account, I use Web-based email.)

It's possible to get infected from both

> random/random,
>
> Another question: Is there any way to assess damage, if any, from this infection? Any way to know what the bug was doing and whether I'm at any particular risk of stolen information, etc.? Does BleepingComputer.com or other source have any ready-made list of suggestions about "post-infection clean up?" I assume I should change all passwords, at the least.
>
> Thanks,
> smileandwave

Without a copy of the file, it's not possible to even guess what it does, however it is never a bad idea to change your passwords

#15 smileandwave (Topic Starter; Members, 29 posts)

Posted 28 May 2007 - 03:53 PM

> Acrobat reader is outdated, uninstall the one you have installed and install the latest one from here:

...didn't make sense to me. Perhaps a comment intended for another party?

> Without a copy of the file, it's not possible to even guess what it does, however it is never a bad idea to change your passwords

As you know, the file - xydzyh.exe - could not be uploaded for you to examine because I could not browse to find it. Which leaves me curious .... how is it that HijackThis could "see" the xydzyh.exe file, but the file could not be seen using Windows Explorer, even with hidden files displayed? (If that can't be explained to a layman like me quickly/easily, don't trouble yourself. I was just curious if the malware possibly had a way of blocking itself from Windows Explorer visibility, just like some malware, I *think*, can look for antispyware programs by name and disable/evade them?)

Thanks,
smileandwave
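
On the two points left open in the thread, the Prefetch entry that outlived the executable (post #3) and how HijackThis could "see" a file Explorer could not (post #15): the O4 line is a value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and HijackThis lists what that value says whether or not the target still exists, so a Run entry with no file behind it is the usual picture once a payload has deleted itself or a scanner has removed the file but not the registry value. The Prefetch file is a separate record that Windows XP's prefetcher writes when a program runs; its name is the executable name plus a hash of the executable's full path, and its contents carry the last run time, the run count and the device paths of files the process touched, which is why it is worth preserving for analysis rather than deleting. As an added example (not part of the original thread and not code from any tool mentioned in it), the following Python assembles a constructed XP (format version 17) prefetch image named like the one found above and parses it back. The header offsets follow the publicly documented XP layout; the run count, timestamp, volume name and file list are invented sample values, not data from the poster's machine.

```python
"""Build and parse a Windows XP (SCCA version 17) Prefetch file.

Added example: the .pf entry found in this thread outlived the executable it
describes, and this shows what such a file still records. The header layout
follows the documented XP format; every value in SAMPLE_PF is constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

SCCA_XP_VERSION = 17          # Windows XP / Server 2003 prefetch format
HEADER_SIZE = 0x98            # fixed header plus the version-17 file information block
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def datetime_to_filetime(dt):
    """UTC datetime -> Windows FILETIME (100-ns ticks since 1601-01-01)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def build_xp_prefetch(exe_name, path_hash, last_run, run_count, loaded_files):
    """Assemble a minimal but well-formed version-17 .pf image.

    Metrics, trace chains and volume information are left empty (counts of 0);
    the filename-strings section carries the device paths the process touched.
    """
    strings_blob = b"".join(p.encode("utf-16-le") + b"\x00\x00" for p in loaded_files)
    file_size = HEADER_SIZE + len(strings_blob)
    name_field = exe_name.encode("utf-16-le")[:58].ljust(60, b"\x00")  # 0x10: UTF-16LE, NUL padded

    header = struct.pack("<I4sII", SCCA_XP_VERSION, b"SCCA", 0x0F, file_size)  # 0x00..0x0F
    header += name_field                                                        # 0x10..0x4B
    header += struct.pack("<II", path_hash, 0)                                  # 0x4C hash, 0x50 unknown
    header += struct.pack(
        "<IIIIIIIIIQ16sII",
        HEADER_SIZE, 0,                  # metrics array offset / entry count
        HEADER_SIZE, 0,                  # trace chains offset / entry count
        HEADER_SIZE, len(strings_blob),  # filename strings offset / size
        file_size, 0, 0,                 # volumes info offset / count / size
        datetime_to_filetime(last_run),  # 0x78 last run time (FILETIME)
        b"\x00" * 16,                    # 0x80 unknown
        run_count, 0,                    # 0x90 run count, 0x94 unknown
    )
    assert len(header) == HEADER_SIZE
    return header + strings_blob


def parse_xp_prefetch(data):
    """Return the summary an analyst wants from a version-17 .pf file."""
    version, signature, _, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA" or version != SCCA_XP_VERSION:
        raise ValueError("not a Windows XP prefetch file")
    exe_name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]
    info = struct.unpack_from("<IIIIIIIIIQ16sII", data, 0x54)
    strings_off, strings_len, last_run_ft, run_count = info[4], info[5], info[9], info[11]
    raw = data[strings_off:strings_off + strings_len].decode("utf-16-le")
    return {
        "executable": exe_name,
        "expected_filename": f"{exe_name}-{path_hash:08X}.pf",
        "last_run": filetime_to_datetime(last_run_ft),
        "run_count": run_count,
        "loaded_files": [s for s in raw.split("\x00") if s],
        "file_size": file_size,
    }


def executable_path(summary):
    """Full device path of the executable, recovered from the file list."""
    for p in summary["loaded_files"]:
        if p.upper().endswith("\\" + summary["executable"].upper()):
            return p
    return None


# Constructed sample: the name and hash match the file reported in this thread;
# the timestamp, run count, volume name and file list are invented.
SAMPLE_PF = build_xp_prefetch(
    exe_name="XYDZYH.EXE",
    path_hash=0x2F2870F5,
    last_run=datetime(2007, 5, 25, 4, 44, tzinfo=timezone.utc),
    run_count=3,
    loaded_files=[
        r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
        r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL",
        r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\XYDZYH.EXE",
        r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WININET.DLL",
    ],
)

if __name__ == "__main__":
    s = parse_xp_prefetch(SAMPLE_PF)
    print(s["expected_filename"], s["run_count"], s["last_run"], executable_path(s))
```

Pointed at a real C:\WINDOWS\Prefetch\*.pf read in binary mode, parse_xp_prefetch gives the same fields; the executable's own entry in the file list is what confirms where the binary lived even after it is gone from disk.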



