PDA

View Full Version : please help with W32.Myzor.FK@yf


vickitoria
2007-05-23, 08:18
Here is my log taken this afternoon from the infected laptop. There is limited internet access on that machine now and annoying windows popping up alerting me of a horrible virus.

This is also something that comes up in some of the pop ups: hxxp://updateallpage.com/

Please and Thank you!

V

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:06:18 PM, on 5/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Security Tools\imsmain.exe
C:\Program Files\Security Tools\iesmn.exe
C:\Program Files\Security Tools\imsmn.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Security Tools\iesmin.exe
C:\WINDOWS\system32\Atiptaxx.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Security Tools\iesmin.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Security Tools\iesmin.exe
C:\WINDOWS\System32\hphmon06.exe
C:\Program Files\Security Tools\iesmin.exe
C:\WINDOWS\avp.exe
C:\Program Files\Security Tools\iesmin.exe
C:\WINDOWS\smanager.7.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Security Tools\iesmin.exe
C:\Program Files\Security Tools\iesmin.exe
C:\Program Files\Security Tools\iesmin.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\Security Tools\iesmin.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Security Tools\iesmin.exe
C:\Program Files\Security Tools\iesmin.exe
C:\Program Files\Security Tools\iesmin.exe
C:\Program Files\Security Tools\iesmin.exe
C:\Program Files\Security Tools\iesmin.exe
C:\Program Files\Security Tools\iesmin.exe
C:\Program Files\Security Tools\iesmin.exe
C:\Program Files\Security Tools\iesmin.exe
C:\Program Files\Security Tools\iesmin.exe
C:\Program Files\Security Tools\iesmin.exe
C:\Program Files\Security Tools\iesmin.exe
C:\Program Files\Security Tools\iesmin.exe
C:\Program Files\Security Tools\iesmin.exe
C:\Program Files\Security Tools\iesmin.exe
C:\Program Files\Security Tools\iesmin.exe
C:\Program Files\Security Tools\iesmin.exe
C:\Program Files\Security Tools\iesmin.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC11.exe
C:\WINDOWS\System32\hpbpro.exe
C:\WINDOWS\System32\hpboid.exe
C:\Program Files\Hijack This\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.msn.co
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: (no name) - {1496FFAC-00DB-4393-A478-7B46EC659CDC} - C:\WINDOWS\System32\byxurss.dll
O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - C:\Program Files\Security Tools\iesplg.dll
O3 - Toolbar: Protection Bar - {31615D5C-5126-448A-818A-A7CDFEE85A9B} - C:\Program Files\Security Tools\iesbpl.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\System32\hphmon06.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe
O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Security Tools\imsmain.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Security Tools\iesmn.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179426407971
O20 - Winlogon Notify: byxurss - C:\WINDOWS\SYSTEM32\byxurss.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: inflexive - {0c5a0fff-9164-493b-93e0-17446374e0a0} - C:\WINDOWS\System32\dtjby.dll (file missing)
O22 - SharedTaskScheduler: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINDOWS\System32\owtmp.dll (file missing)
O22 - SharedTaskScheduler: Fdjskie8 jf8e - {8D5849A2-93F3-429D-FF34-260A2068897C} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe (file missing)
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 6729 bytes
miekiemoes
2007-05-23, 08:31
Hi,

Your system is terribly infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

Actually, this doesn't suprise me at all... because I notice that you do not seem to be running Antivirus software and a Firewall. This is somewhat suicidal in today's digital world.
That's why I want you to install them first!!

Avira (http://www.free-av.com/), AVG (http://free.grisoft.com/freeweb.php/doc/2/) OR Active Virus Shield (http://www.activevirusshield.com/antivirus/freeav/index.adp) (uncheck the Security Toolbar during install) are good FREE antivirus.
Never install more than one antivirusscanner or firewall on your system! Several together can give problems and decrease the reliability of it seriously!
Comodo (http://www.personalfirewall.comodo.com/) OR Kerio (http://www.sunbelt-software.com/Kerio.cfm) are FREE firewalls.

Understanding and using firewalls (http://www.bleepingcomputer.com/forums/index.php?showtutorial=60)

Reboot your computer afterwards.
After reboot, perform a full scan with your Antivirus and let it remove anything it is finding. Then reboot once again in order to delete files that were in use previously.

Post a new HijackThislog in your next reply - then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirusscan is not present which should be able to deal with most and prevent further reinfection.
tashi
2007-05-29, 06:14
How is it going vickitoria.



Previous topic: http://forums.spybot.info/showthread.php?t=4255
tashi
2007-06-04, 18:35
Topic archived.