View Full Version : Smifraud-c.toolbar virus, cannot remove
dave_scouse
2006-11-18, 18:33
Please can you help me, my computer has been infected with a virus - Smitfraud-c.toolbar888
I cannot get rid of it and i'm constantly being bombarded by popups saying my computer is infected and download this product to get rid of it.
I've run Avg, Ad-Aware, and Spybot, and fixed all the problems they bring up, but it comes back.When i run spybot it comes up the the Smaitfraud-c.toolbar888, and
when i click on this it says to download sysinternals process explorer and run, and to kill the .dll file that is the same name as the virus
picked up in the spybot scan; but there isnt one there. So i dont know what to do the .dll files that come up from sysinternals process explorer are :-
yabyaxv.dll+0x4b2a (this occurs 2 times)
cscdll!winlogonevent+0x90a
yabyaxv.dll+0x49e9
winlogon.exe+0x39156
rpcrt4.dll!l_rpcbcachefree+0x5b8 (7 times)
winzlo32.dll!startmain+0x3b
art2evxx.dll+0x1500
winmm.dll!playsoundw+0x77f
kernel32.dll!createthread+0x22
ntdll.dll!rtldowncaseunicodestring+0x75
ntdll.dll!rtlallocateheap+0x18c
ntdll.dll!rtlqueueworkritem+0x2b5
winlogon.exe+0x3d353
winlogon.exe+0x2b585
Ive also run hijackthis and below is the log :-
Logfile of HijackThis v1.99.1
Scan saved at 15:40:06, on 18/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
O2 - BHO: (no name) - {008256D1-68A1-D05E-2EB7-01B34BA95025} - C:\WINDOWS\system32\vxdbwve.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1B524BA3-6849-D5D6-32EE-09A7194D0497} - C:\WINDOWS\system32\nncoasb.dll
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53736307-E9F6-22AC-BF85-05D7E7D6FB81} - C:\WINDOWS\system32\zvgbmfb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\yabyaxv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [yjgagvg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\yjgagvg.dll,eybwpf
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A1FE3DEF-CF77-11D4-8340-0080C8D7ED4A} (GameDesire Pinball Pirate) - http://67.15.101.3/g_bin/eng/pirate_2_0_0_24.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winzlo32 - C:\WINDOWS\SYSTEM32\winzlo32.dll
O20 - Winlogon Notify: yabyaxv - C:\WINDOWS\SYSTEM32\yabyaxv.dll
O21 - SSODL: cussers - {ff170564-36c8-43f7-9100-559e166405cf} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
pskelley
2006-11-18, 20:19
Welcome to the forum, you have a nasty infection but Smifraud-c.toolbar is not it. That is a false positive. See this information:
http://forums.spybot.info/showthread.php?t=8668
Follow the instruction in this link:
http://forums.spybot.info/showthread.php?t=4394
Make sure you allow time for Vundofix to remove all of the infection it locates, often this takes several runs. You want the log to say everything "has been deleted" then post the Vundofix.txt and a new HJT log.
Be sure the HJT log is created in Normal Mode.
Thanks
dave_scouse
2006-11-19, 03:34
Thank you very much for your quick reply, i ran vundofix and it got rid of the problem files, i ran spybot but the problem is still there; below is the logs for vundofix and hijackthis.
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.7
Scan started at 00:53:27 19/11/2006
Listing files found while scanning....
C:\WINDOWS\system32\winzlo32.dll
C:\WINDOWS\system32\yjgagvg.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\winzlo32.dll
C:\WINDOWS\system32\winzlo32.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\yjgagvg.dll
C:\WINDOWS\system32\yjgagvg.dll Has been deleted!
Performing Repairs to the registry.
Done!
Here is the hijackthis log aswell :-
Logfile of HijackThis v1.99.1
Scan saved at 01:01:42, on 19/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\{B087E240-08A2-2057-1005-05102204002c}\Update.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
O2 - BHO: (no name) - {008256D1-68A1-D05E-2EB7-01B34BA95025} - C:\WINDOWS\system32\vxdbwve.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1B524BA3-6849-D5D6-32EE-09A7194D0497} - C:\WINDOWS\system32\nncoasb.dll
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53736307-E9F6-22AC-BF85-05D7E7D6FB81} - C:\WINDOWS\system32\zvgbmfb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\yabyaxv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [yjgagvg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\yjgagvg.dll,eybwpf
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A1FE3DEF-CF77-11D4-8340-0080C8D7ED4A} (GameDesire Pinball Pirate) - http://67.15.101.3/g_bin/eng/pirate_2_0_0_24.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: yabyaxv - C:\WINDOWS\SYSTEM32\yabyaxv.dll
O21 - SSODL: cussers - {ff170564-36c8-43f7-9100-559e166405cf} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
pskelley
2006-11-19, 04:54
You can not rush these fixes, you have not removed the Vundo infection, if you look you can see it in the log:
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\yabyaxv.dll
O20 - Winlogon Notify: yabyaxv - C:\WINDOWS\SYSTEM32\yabyaxv.dll
Please follow these directions:
1) See this information: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_07\ <<< out of date, uninstall all old versions of Java in Add Remove programs and update to the newest version.
2)You must look at the reports and make sure all files it locates are deleted, this can take several attempts.
Thanks to Atribune and any others who helped with this fix.
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com
(When all files "Have been deleted" then move to the next instructions, save those reports until you finish)
3) Thanks to sUBs and anyone who helped with this fix.
1. Download ComboFix.exe using either of these links:
* bleepingcomputer.com
http://download.bleepingcomputer.com/sUBs/combofix.exe
* techsupportforum.com
http://www.techsupportforum.com/sectools/combofix.exe
2. Double click on combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
If the log is large You might need to post half in one reply half in another.
Restart the computer and post the log from Vundofix, the log from combofix and a new HJT log.
Thanks
dave_scouse
2006-11-19, 06:11
Sorry for the impatience, i removed all the old Java and downloaded the latest version, i ran
Vundofix but it came up with 'No Infected Files Were Found',i ran hijack this again and noticed
the files you mentioned were still there. When i ran combofix and the pc rebooted a message came
up saying 'error loading c:\windows\system32\yjgagvg.dll, the specific file was not found'
Here are the logs :-
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.7
Scan started at 00:53:27 19/11/2006
Listing files found while scanning....
C:\WINDOWS\system32\winzlo32.dll
C:\WINDOWS\system32\yjgagvg.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\winzlo32.dll
C:\WINDOWS\system32\winzlo32.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\yjgagvg.dll
C:\WINDOWS\system32\yjgagvg.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.7
Scan started at 01:02:25 19/11/2006
Listing files found while scanning....
No infected files were found.
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.7
Java version is 1.5.0.9
Scan started at 03:17:54 19/11/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.7
Java version is 1.5.0.9
Scan started at 03:30:32 19/11/2006
Listing files found while scanning....
No infected files were found.
Logfile of HijackThis v1.99.1
Scan saved at 03:23:25, on 19/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\{B087E240-08A2-2057-1005-05102204002c}\Update.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\carl\Desktop\Hijack this\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
O2 - BHO: (no name) - {008256D1-68A1-D05E-2EB7-01B34BA95025} - C:\WINDOWS\system32\vxdbwve.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1B524BA3-6849-D5D6-32EE-09A7194D0497} - C:\WINDOWS\system32\nncoasb.dll
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53736307-E9F6-22AC-BF85-05D7E7D6FB81} - C:\WINDOWS\system32\zvgbmfb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\yabyaxv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [yjgagvg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\yjgagvg.dll,eybwpf
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A1FE3DEF-CF77-11D4-8340-0080C8D7ED4A} (GameDesire Pinball Pirate) - http://67.15.101.3/g_bin/eng/pirate_2_0_0_24.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC352DE2-8279-4652-B966-16E3F06F8183}: NameServer = 80.225.255.50 80.225.255.58
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: yabyaxv - C:\WINDOWS\SYSTEM32\yabyaxv.dll
O21 - SSODL: cussers - {ff170564-36c8-43f7-9100-559e166405cf} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
dave_scouse
2006-11-19, 06:12
This is the combofix log:-
carl - 06-11-19 3:40:39.53 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\carl\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\ismini.exe
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Safety Bar
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{3087E240-08A1-2057-1005-05102204002c}
C:\Program Files\Common Files\{3087E240-08A2-2057-1005-05102204002c}
C:\Program Files\Common Files\{B087E240-08A1-2057-1005-05102204002c}
C:\Program Files\Common Files\{B087E240-08A2-2057-1005-05102204002c}
((((((((((((((((((((((((((((((( Files Created from 2006-10-19 to 2006-11-19 ))))))))))))))))))))))))))))))))))
2006-11-17 23:31 59,392 --a------ C:\WINDOWS\system32\drvgez.dll
2006-11-17 21:00 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-11-17 21:00 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-11-17 21:00 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-11-17 21:00 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-11-17 19:30 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-11-17 19:04 71,168 --a------ C:\WINDOWS\system32\vxdbwve.dll
2006-11-17 19:03 40,973 ---hs---- C:\WINDOWS\system32\yabyaxv.dll
2006-11-16 21:23 93,696 --a------ C:\WINDOWS\system32\gewhsbh.dll
2006-11-16 21:23 71,680 --a------ C:\WINDOWS\system32\zvgbmfb.dll
2006-11-15 23:42 583,381 ---hs---- C:\WINDOWS\system32\aybeg.bak1
2006-11-15 23:36 93,696 --a------ C:\WINDOWS\system32\ahpfnwh.dll
2006-11-15 23:36 71,168 --a------ C:\WINDOWS\system32\nncoasb.dll
2006-11-15 23:36 59,392 --a------ C:\WINDOWS\system32\drvwog.dll
2006-11-15 23:36 40,973 ---hs---- C:\WINDOWS\system32\yayaawx.dll
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-28 12:34 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-10-28 12:34 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2006-10-28 12:33 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2006-10-27 15:09 6,049,280 --------- C:\WINDOWS\system32\ieframe.dll
2006-10-27 15:09 50,688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-10-27 15:09 458,752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-10-27 15:09 180,736 --------- C:\WINDOWS\system32\ieui.dll
2006-10-27 02:44 13,312 --a------ C:\WINDOWS\system32\ieudinit.exe
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-11-19 03:42 -------- d-------- C:\Program Files\Common Files
2006-11-19 03:11 -------- d-------- C:\Program Files\Java
2006-11-19 01:01 -------- d-------- C:\Program Files\HijackThis
2006-11-17 19:58 -------- d-------- C:\Program Files\Internet Explorer
2006-11-17 19:37 -------- d-------- C:\Program Files\MSXML 4.0
2006-11-16 22:05 -------- d-------- C:\Program Files\XoftSpy
2006-11-15 23:41 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-11-15 23:38 -------- d-------- C:\Documents and Settings\carl\Application Data\Azureus
2006-11-15 23:25 -------- d-------- C:\Program Files\BFG
2006-11-14 20:03 -------- d-------- C:\Program Files\SlySoft
2006-11-11 20:08 -------- d-------- C:\Program Files\GIMP-2.0
2006-10-29 13:05 -------- d-------- C:\Program Files\Apple Software Update
2006-10-28 12:39 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-28 12:39 -------- d-------- C:\Program Files\USB Game Controller
2006-10-28 12:14 -------- d-------- C:\Program Files\KONAMI
2006-10-28 10:45 -------- d-------- C:\Program Files\Google
2006-10-27 15:09 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-10-27 15:09 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-10-27 15:09 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-10-27 02:44 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-10-27 02:44 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-10-27 02:44 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-10-27 02:44 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-10-27 02:44 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-10-27 02:44 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-10-27 02:44 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-10-27 02:44 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-10-27 02:42 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-19 21:34 -------- d-------- C:\Documents and Settings\carl\Application Data\RipIt4Me
2006-10-19 21:31 120 --a------ C:\Documents and Settings\carl\Application Data\FixVTS.ini
2006-10-19 19:05 -------- d-------- C:\Program Files\DVD Decrypter
2006-10-18 18:59 -------- d-------- C:\Program Files\Kelloggs Art Attack
2006-10-17 13:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 13:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 13:05 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 13:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 13:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 12:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 12:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 12:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 12:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 12:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 12:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 12:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-13 12:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-12 16:57 -------- d-------- C:\Documents and Settings\carl\Application Data\AdobeUM
2006-10-01 16:48 -------- d-------- C:\Program Files\CCleaner
2006-10-01 00:31 -------- d-------- C:\Documents and Settings\carl\Application Data\Google
2006-09-30 22:09 -------- d-------- C:\Documents and Settings\carl\Application Data\Apple Computer
2006-09-30 21:45 -------- d-------- C:\Documents and Settings\carl\Application Data\Ahead
2006-09-30 21:40 -------- d-------- C:\Program Files\QuickTime
2006-09-29 22:13 -------- d-------- C:\Program Files\Common Files\Ahead
2006-09-29 22:12 -------- d-------- C:\Program Files\Nero
2006-09-13 05:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-06 17:43 22752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-08-25 15:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 12:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 09:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-17 21:25 482 --a------ C:\Documents and Settings\carl\Application Data\wklnhst.dat
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Ptipbmf"="rundll32.exe ptipbmf.dll,SetWriteCacheMode"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"yjgagvg.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\yjgagvg.dll,eybwpf"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{ff170564-36c8-43f7-9100-559e166405cf}"="cussers"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"cussers"="{ff170564-36c8-43f7-9100-559e166405cf}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yabyaxv
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1132254993.job
C:\WINDOWS\tasks\XoftSpy.job
Completion time: 06-11-19 3:44:01.14
C:\ComboFix.txt ... 06-11-19 03:44
pskelley
2006-11-19, 13:50
OK Dave and thanks for that feedback, this Vundo can be a real pain to remove at times. We have an installer in the HJT log here:
C:\Program Files\Common Files\{B087E240-08A2-2057-1005-05102204002c}\Update.exe
and it appears to be putting the infection back with another name when we remove it. I probably should have run sUBs combofix first, as you can see under:
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
The fix has killed the installer. I need to ask you to run Vundofix again, that installer should no longer be there to reinstall the junk. Now that I see what combofix has removed I will add the rest of the junk to what you have to fix. Here is what you are after, and there could be something else now showing in the HJT log, but it will show in Vundofix. Sorry, but no two infections seem to be exactly alike, make our jobs harder.
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\yabyaxv.dll
O20 - Winlogon Notify: yabyaxv - C:\WINDOWS\SYSTEM32\yabyaxv.dll
Before we start, Please read through the complete instruction, you may want to print them. We need to check some files combofix indicates "may be" bad. I scanned the list with Google and these are probably bad, but we must be sure. Use the free online scanners and once you establish them as malware, delete them. You can wait until you are removing a file in #5 of the instructions below if you wish. I would like to leave these files in your Recycle Bin for a few days just in case, so when you run ATF-Cleaner, uncheck "Recycle Bin".
I should also say Vundofix may remove some of these, so if they are not there, no problem, just don't miss them. You will also need to enable all files and folders as in instruction #2 or you may not see the junk. If you have issues deleting any of them once you know they are bad, boot to safe mode and do it there.
C:\WINDOWS\system32\drvgez.dll
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\swsc.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\swreg.exe
C:\WINDOWS\system32\xmllite.dll
C:\WINDOWS\system32\vxdbwve.dll
C:\WINDOWS\system32\yabyaxv.dll
C:\WINDOWS\system32\gewhsbh.dll
C:\WINDOWS\system32\zvgbmfb.dll
C:\WINDOWS\system32\aybeg.bak1
C:\WINDOWS\system32\ahpfnwh.dll
C:\WINDOWS\system32\nncoasb.dll
C:\WINDOWS\system32\drvwog.dll
C:\WINDOWS\system32\yayaawx.dll
C:\WINDOWS\system32\xinput1_2.dll
C:\WINDOWS\system32\xactengine2_3.dll
Your free online scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
1) Run Vundofix with the same instructions as before.
2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {008256D1-68A1-D05E-2EB7-01B34BA95025} - C:\WINDOWS\system32\vxdbwve.dll
O2 - BHO: (no name) - {1B524BA3-6849-D5D6-32EE-09A7194D0497} - C:\WINDOWS\system32\nncoasb.dll
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - (no file)
O2 - BHO: (no name) - {53736307-E9F6-22AC-BF85-05D7E7D6FB81} - C:\WINDOWS\system32\zvgbmfb.dll
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\yabyaxv.dll
(Vundo, should say "file missing")
O4 - HKLM\..\Run: [yjgagvg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\yjgagvg.dll,eybwpf
O20 - Winlogon Notify: yabyaxv - C:\WINDOWS\SYSTEM32\yabyaxv.dll
(Vundo, should be gone)
O21 - SSODL: cussers - {ff170564-36c8-43f7-9100-559e166405cf} - (no file)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\WINDOWS\system32\yjgagvg.dll <<< delete that file (may be gone, just do not miss it)
6) Run ATF Cleaner (uncheck the Recycle Bin)
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post the Vundofix results and a new HJT log. Let me know how the computer is running now.
Thanks...Phil
dave_scouse
2006-11-19, 17:01
Thanks for your reply ive done what you asked, i checked out the files on the online scanners
virus scan and kaspersky :- results below
virus scan kasp
C:\WINDOWS\system32\drvgez.dll bad bad
C:\WINDOWS\system32\Process.exe bad ok
C:\WINDOWS\system32\swsc.exe caution ok
C:\WINDOWS\system32\SrchSTS.exe caution ok
C:\WINDOWS\system32\swreg.exe caution ok
C:\WINDOWS\system32\xmllite.dll ok ok
C:\WINDOWS\system32\vxdbwve.dll bad ok
C:\WINDOWS\system32\yabyaxv.dll bad bad
C:\WINDOWS\system32\gewhsbh.dll bad ok
C:\WINDOWS\system32\zvgbmfb.dll bad ok
C:\WINDOWS\system32\aybeg.bak1 ok ok
C:\WINDOWS\system32\ahpfnwh.dll bad ok
C:\WINDOWS\system32\nncoasb.dll bad ok
C:\WINDOWS\system32\drvwog.dll bad bad
C:\WINDOWS\system32\yayaawx.dll bad bad
C:\WINDOWS\system32\xinput1_2.dll ok ok
C:\WINDOWS\system32\xactengine2_3.dll ok ok
Which files do you want to delete as they both give differant results, and didnt want to delete anything i shouldnt.
Ive noticed in the hijackthis log that the files
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\yabyaxv.dll
O20 - Winlogon Notify: yabyaxv - C:\WINDOWS\SYSTEM32\yabyaxv.dll
are still there, even though i checked them.
On rebooting the pc avg picked up a virus saying Trojan lop.AQ, this has been coming up from the beginning.
Do i heal this or put it in the vault, and once in the vault do i delete it or empty the vault, as deleting it is irreversible. I must say there is a lot more to this than i thought :( Below are the logs you asked for :-
Once again thanks for your time in helping me out :bigthumb:
No infected files were found.
Beginning removal...
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.7
Java version is 1.5.0.9
Scan started at 13:35:24 19/11/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.7
Java version is 1.5.0.9
Scan started at 14:37:18 19/11/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
Logfile of HijackThis v1.99.1
Scan saved at 14:33:08, on 19/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\yabyaxv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A1FE3DEF-CF77-11D4-8340-0080C8D7ED4A} (GameDesire Pinball Pirate) - http://67.15.101.3/g_bin/eng/pirate_2_0_0_24.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: yabyaxv - C:\WINDOWS\SYSTEM32\yabyaxv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
pskelley
2006-11-19, 17:55
Here is what I would like you to do.
1) Uninstall the old version of Java:
Beginning removal...
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.7that you are still running. Make sure only the newest version is running.
2) Right click on the Recycle bin on your Desktop and choose Properties. Make sure you have at least 5% set for storage, and be positive the box that is by "Do not move files to the Recycle Bin. Remove files immediately when deleted" IS NOT CHECKED. Remember not to empty the Recycle Bin for a few days to make sure nothing we deleted is needed. It is easier to recover a file from there than to hunt for it and download it from online.
3) Move all of those files you scanned to the Recycle Bin. (delete them)
4) This item: C:\WINDOWS\SYSTEM32\yabyaxv.dll, make sure you uploaded that file to here:
If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com
5) Run Vundofix until it locates and deletes that file:
C:\WINDOWS\SYSTEM32\yabyaxv.dll It does not get easier than this fix.
I had one member who ran the fix six times before it found and deleted the file, it has to go.
It appears from the HJT log, this is the last major malware item to remove. Once we get the hidden files you are deleting and kill that file, you should be home safe.
Thanks
dave_scouse
2006-11-19, 20:07
Hi, followed your instructions again and posted the file on malware, deleted all the files to the recycle bin except C:\WINDOWS\SYSTEM32\yabyaxv.dll, its a stubborn one , tried many times but kept getting the message
'Cannot delete yabyaxv.dll, it is being used by another person or program, close any programs that might be using the file and try again. '
i remember that the files yabyaxv.dll+0x49e9 and yabyaxv.dll+0x4b2a were picked up by sysinternals process explorer, should i try and kill these 2 files from there.
I also ran vundofix about 10 times with no joy, below is the log and the log for hijackthis :-
No infected files were found.
Beginning removal...
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.7
Java version is 1.5.0.9
Scan started at 13:35:24 19/11/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.7
Java version is 1.5.0.9
Scan started at 14:37:18 19/11/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.9
Scan started at 17:01:25 19/11/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.9
Scan started at 17:17:17 19/11/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.9
Scan started at 17:18:54 19/11/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.9
Scan started at 17:20:08 19/11/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.9
Scan started at 17:21:37 19/11/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.9
Scan started at 17:22:56 19/11/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.9
Scan started at 17:24:22 19/11/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.9
Scan started at 17:25:46 19/11/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.9
Scan started at 17:26:59 19/11/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.9
Scan started at 17:29:05 19/11/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.9
Scan started at 17:32:56 19/11/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.9
Scan started at 17:43:04 19/11/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.2.8
Checking Java version...
Java version is 1.5.0.9
Scan started at 17:50:08 19/11/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
Logfile of HijackThis v1.99.1
Scan saved at 18:06:58, on 19/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\yabyaxv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A1FE3DEF-CF77-11D4-8340-0080C8D7ED4A} (GameDesire Pinball Pirate) - http://67.15.101.3/g_bin/eng/pirate_2_0_0_24.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC352DE2-8279-4652-B966-16E3F06F8183}: NameServer = 80.225.255.50 80.225.255.58
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: yabyaxv - C:\WINDOWS\SYSTEM32\yabyaxv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
pskelley
2006-11-19, 20:39
Let's give another vundo fix a try and see what happens:
Please download VirtumundoBeGone:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
* Save it to the Desktop
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the Desktop
* Follow the directions as indicated
This program may generate a "BLUE SCREEN OF DEATH" which is an expected/necessary part of the process.
Do not be concerned.
Just reboot if your system "jams".
To confirm successful deletion, and determine if there are any additional problems, please post the VirtumundoBeGone log VBG.txt. It is found on the Desktop.
Thanks
dave_scouse
2006-11-19, 21:24
Ok, done what you said, here's the log:-
[11/19/2006, 19:19:24] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\carl\Desktop\VirtumundoBeGone.exe" )
[11/19/2006, 19:19:33] - Detected System Information:
[11/19/2006, 19:19:33] - Windows Version: 5.1.2600, Service Pack 2
[11/19/2006, 19:19:33] - Current Username: carl (Admin)
[11/19/2006, 19:19:33] - Windows is in NORMAL mode.
[11/19/2006, 19:19:33] - Searching for Browser Helper Objects:
[11/19/2006, 19:19:33] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[11/19/2006, 19:19:33] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[11/19/2006, 19:19:33] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/19/2006, 19:19:33] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[11/19/2006, 19:19:33] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[11/19/2006, 19:19:33] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[11/19/2006, 19:19:33] - BHO 4: {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} ()
[11/19/2006, 19:19:33] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/19/2006, 19:19:33] - Checking for HKLM\...\Winlogon\Notify\yabyaxv
[11/19/2006, 19:19:33] - Found: HKLM\...\Winlogon\Notify\yabyaxv - This is probably Virtumundo.
[11/19/2006, 19:19:33] - Assigning {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} MSEvents Object
[11/19/2006, 19:19:33] - BHO list has been changed! Starting over...
[11/19/2006, 19:19:33] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[11/19/2006, 19:19:33] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[11/19/2006, 19:19:33] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/19/2006, 19:19:33] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[11/19/2006, 19:19:33] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[11/19/2006, 19:19:33] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[11/19/2006, 19:19:33] - BHO 4: {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} (MSEvents Object)
[11/19/2006, 19:19:33] - ALERT: Found MSEvents Object!
[11/19/2006, 19:19:33] - Finished Searching Browser Helper Objects
[11/19/2006, 19:19:33] - *** Detected MSEvents Object
[11/19/2006, 19:19:33] - Trying to remove MSEvents Object...
[11/19/2006, 19:19:34] - Terminating Process: IEXPLORE.EXE
[11/19/2006, 19:19:34] - Terminating Process: RUNDLL32.EXE
[11/19/2006, 19:19:34] - Disabling Automatic Shell Restart
[11/19/2006, 19:19:34] - Terminating Process: EXPLORER.EXE
[11/19/2006, 19:19:34] - Suspending the NT Session Manager System Service
[11/19/2006, 19:19:34] - Terminating Windows NT Logon/Logoff Manager
[11/19/2006, 19:19:35] - Re-enabling Automatic Shell Restart
[11/19/2006, 19:19:35] - File to disable: C:\WINDOWS\system32\yabyaxv.dll
[11/19/2006, 19:19:35] - Renaming C:\WINDOWS\system32\yabyaxv.dll -> C:\WINDOWS\system32\yabyaxv.dll.vir
[11/19/2006, 19:19:35] - File successfully renamed!
[11/19/2006, 19:19:35] - Removing HKLM\...\Browser Helper Objects\{CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030}
[11/19/2006, 19:19:35] - Removing HKCR\CLSID\{CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030}
[11/19/2006, 19:19:35] - Adding Kill Bit for ActiveX for GUID: {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030}
[11/19/2006, 19:19:35] - Deleting ATLEvents/MSEvents Registry entries
[11/19/2006, 19:19:35] - Removing HKLM\...\Winlogon\Notify\yabyaxv
[11/19/2006, 19:19:35] - Searching for Browser Helper Objects:
[11/19/2006, 19:19:35] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[11/19/2006, 19:19:35] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[11/19/2006, 19:19:35] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/19/2006, 19:19:35] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[11/19/2006, 19:19:35] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[11/19/2006, 19:19:35] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[11/19/2006, 19:19:35] - Finished Searching Browser Helper Objects
[11/19/2006, 19:19:35] - Finishing up...
[11/19/2006, 19:19:35] - A restart is needed.
[11/19/2006, 19:19:49] - Attempting to Restart via STOP error (Blue Screen!)
pskelley
2006-11-19, 21:31
Looks like the fix got it,
[11/19/2006, 19:19:35] - Renaming C:\WINDOWS\system32\yabyaxv.dll -> C:\WINDOWS\system32\yabyaxv.dll.vir
Please post a HJT log and let me know how the computer is running now.
Thanks
dave_scouse
2006-11-19, 21:54
At the moment, the problem avg picks up is not happening, ran spybot and it picked up the smitfraud-c and a hotsearchbar malware. I'm a little confused.
Here is the hijackthis logfile
Logfile of HijackThis v1.99.1
Scan saved at 19:38:00, on 19/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A1FE3DEF-CF77-11D4-8340-0080C8D7ED4A} (GameDesire Pinball Pirate) - http://67.15.101.3/g_bin/eng/pirate_2_0_0_24.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC352DE2-8279-4652-B966-16E3F06F8183}: NameServer = 80.225.255.50 80.225.255.58
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
pskelley
2006-11-19, 22:32
I gave you that information back at the start:
Welcome to the forum, you have a nasty infection but Smifraud-c.toolbar is not it. That is a false positive. See this information:http://forums.spybot.info/showthread.php?t=8668
This HJT log is clean, as far as I can see this is the first mention of Spybot reporting:
hotsearchbar and it may be a false positive also. Did you try to remove it with Spybot? Update Spybot, make sure you have the very latest database, run it and let me know if hotsearchbar is still showing and if Spybot will remove it.
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Let me know what the results of the Spybot scan are.
Thanks
dave_scouse
2006-11-20, 00:01
Hi again :bigthumb: , selected fix problems on spybot, and ran again, congratulations appears, have also ran avg which picked up Trojan horse Generic2.IUS, which was located in C:\Vundofixbackups\winzlo32.dll.bad. this was put into the virus vault. Ran ad-aware, no probs. Am going to do the system restore now, will get in contact soon.
pskelley
2006-11-20, 00:13
OK Dave, thanks for the feedback:bigthumb: You can remove all of the tools we used during the cleanup. I would keep ATF-Cleaner if it were you, it is a fine tool. Here is a tutorial:
http://forums.security-central.us/showthread.php?t=1925
C:\Vundofixbackups\ should go with the rest of the program, just be sure it does. Make sure you review the links from the experts, that information will go a long way towards helping you avoid future infections. Let me know if all is well and I will ask tashi:) to close the topic.
Thanks...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
dave_scouse
2006-11-20, 00:49
Thank You very much, i cannot say that enough, the work that you and your colleagues do is very much appreciated :bigthumb: I shall be sending you a donation shortly in the post, and shall pass on the good work you do to others. Hopefully i shall not get in contact with you again lol. Once again thank you.
Cheers
Dave_scouse