Jump to content

Trojan.Downloader - Which Files to Remove?

anonimito
 Share

Recommended Posts

JeanInMontana

JeanInMontana

Posted
Posted

Yes tell me symptoms, the problem is vundo. It's stubborn and MBAM team is working hard to get the program to where it can deal with this new version. I was told no tools are getting it, so we have to just keep trying to do it manually and updating MBAM and scanning again.

O20 - Winlogon Notify: enqrkyuu - C:\WINDOWS\SYSTEM32\uyxgnon.dll Did you delete that file? Delete it and the bak one with the same name. Delete it with HJT please.

Update MBAM run a quick scan and new HJT log please.

Link to post
Share on other sites
  • Replies 60
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Posted Images

anonimito

anonimito

Posted
  • Author
Posted
And then use File Assassin in MBAM to delete that file C:\WINDOWS\system32\cw9k9s4nfpzv.exe You will find it under the Tools tab. Reboot.

I forgot to mention last night that I wasn't able to accomplish this step. The file you mention is still not found in the system32 folder.

O20 - Winlogon Notify: enqrkyuu - C:\WINDOWS\SYSTEM32\uyxgnon.dll Did you delete that file? Delete it and the bak one with the same name. Delete it with HJT please.

I just deleted the line you mentioned in HJT.

I thought I deleted the .dll file before...I guess it's back now? If you want me to delete it within the system32 folder...I get an error when I try that.

Cannot delete uyxgnon: Access is denied.

Make sure the disk is not full or write-protected and that the file is not currently in use.

Oh...should I delete the zipped file that I attached here as well? I'm not sure if I should or not.

Yes tell me symptoms, the problem is vundo. It's stubborn and MBAM team is working hard to get the program to where it can deal with this new version. I was told no tools are getting it, so we have to just keep trying to do it manually and updating MBAM and scanning again.

Oh wow...that sounds complex. Okay, so the symptoms that I noticed follow, from the beginning:

I first noticed something was wrong when I had been working on paperwork all night and had left my computer on to check various websites for information. At this time, I still had IE6 and the Yahoo Toolbar at the top of my browser. When I checked a website, I noticed that the Yahoo Toolbar showed that I had 2 new emails. So, I clicked the icon on the toolbar to check my email.

It brought up the Yahoo sign-in page. Immediately, I thought that was odd, since...the toolbar had me signed in to show that I had new mail in the first place. To top it off, the username on the sign-in page was already filled in - with a yahoo ID I've never seen before!! I wrote down the ID for future reference.

I signed in normally in a new browser window and noticed that I did not have any new email. I then realized that the toolbar was alerting me to the *other* yahoo ID's new emails.

I tried to sign in once more, and I found the sign-in page with yet another unfamiliar ID signed in, which I also wrote down. This prompted me to close all IE browser windows and check my processes for anything strange.

When I checked my task manager, I saw that firefox.exe was using a lot of my CPU...which set off alarm bells since this computer shouldn't even have firefox on it!! I checked the applications tab and it showed that 2 firefox browser windows were open (with the only evidence of them being within the task manager itself...for on my screen, I only had task manager open) and while one said "My App" the other said "Composing Message" in Yahoo mail or something similar. I knew that I certainly wasn't sending an email in a firefox browser...so I decided that the best thing to do would be to shut down the computer and unplug the internet.

After about a week of leaving my computer off and thinking about the problem, I decided that it wouldn't just fix itself and that I had to turn the computer on again.

I found the avast! antivirus and downloaded that...I ran some scans, and it got rid of a lot of stuff...I don't remember anything in particular, though. Also, whenever I'd open a browser (for the first time), avast! would start ringing its bells and telling me that a virus was found and I followed the suggestions and put the infected files in their "virus chest." I'm not sure if the names of those files would help you or not, but if so, I'd be glad to list them.

Avast! continued to act up every time I opened a browser window for the first time, so I realized that the problem wasn't gone. So I ran a panda scan, and that got rid of something...I don't remember what, though.

Some time later, my windows update came up and I downloaded the update in the hopes that it would help my problem somewhat...and that update included IE7, which I think is safer than IE6, just from noticing the differences while using it recently.

By this time, avast wasn't informing me of any new viruses or the old one it kept finding before, for that matter...

I found Spy Sweeper and used that...it found a few things, but nothing seemed major.

Somehow, I found MBAM and ran a scan...then I posted here, and the rest is documented in this thread.

As for current symptoms, I still periodically notice firefox.exe starting up. When it says that the User Name for that process is "SYSTEM", I don't see any firefox browsers open on the Applications tab, but when it says that the User Name is my user name, then I see the windows open. In that case, it's always the same. 2 windows are open - one that says "My App" and the other which starts out at the "homepage" I guess...its title is simply "t - Mozilla Firefox." It quickly moves to "(1350 unread) Yahoo! Mail - Mozilla Firefox" (the number of unread messages is different every time, but it's always a very large number...I just have 1350 documented with a screencap.) Then it says "Compose Mail - Yahoo! Mail - Mozilla Firefox" and then it changes to "Message Sent - Yahoo! Mail - Mozilla Firefox." Then the process repeats, from Compose Mail onwards.

When this occurs, I end the firefox.exe process (I hate the fact that something is sending viral e-mails using my computer! Gah!) and it usually stays away for a while. How long it's gone varies...sometimes it'll come back within minutes, and other times it waits an hour or more. I tried timing it once...it seemed to come at 5-minute intervals...but that pattern has since stopped.

Very rarely, firefox.exe will be running many times at once, and it's hard to kill those processes. In the case of that, I usually shut down.

Another process I notice is ycommon.exe...but it's only because I think it uses far too much CPU (at times 100%) and it has no real reason to run since I don't use the Yahoo toolbar, messenger, browser, or anything.

Oh, and I'm not sitting and watching my task manager every second I'm online, either. firefox.exe only starts running once I notice my cursor change to the "hourglass/cursor" when it has no reason to (i.e. I haven't clicked anything recently). It never fails. As for ycommon.exe, it starts running whenever I open or close a browser window or tab within the browser. Not sure if that matters or not.

I think that's everything. Sorry it got so wordy...I tend to explain things too much. If any of that didn't make sense, I'd be happy to try to explain it once more.

I have screencaps of my task manager when firefox browsers are running, in the various stages, if that would be of any help. I wish I knew what "My App" meant, though...

Here's the MBAM log you requested:

Malwarebytes' Anti-Malware 1.21

Database version: 966

Windows 5.1.2600 Service Pack 2

10:08:54 PM 7/18/2008

mbam-log-7-18-2008 (22-08-54).txt

Scan type: Quick Scan

Objects scanned: 67504

Time elapsed: 22 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

And the HJT scan:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:21:18 PM, on 7/18/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\notepad.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {3787B284-825E-486C-900D-D57056AED3E5} - c:\windows\system32\uyxgnon.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto

O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.darrenhayes.com

O15 - Trusted Zone: http://www.pandasecurity.com

O16 - DPF: Yahoo! Euchre - http://download2.games.yahoo.com/games/clients/y/et3_x.cab

O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1009880923873

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1009880917123

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...335/mcfscan.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: enqrkyuu - C:\WINDOWS\SYSTEM32\uyxgnon.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--

End of file - 7731 bytes

Thanks so much for reading all of that, and for all your time, help, and continued patience. :)

-EDIT-

I forgot something else that happened. I don't remember how long before the firefox/yahoo thing it was, but whenever I'd go to google, for example, and do a search, the links that came up would be redirected to ad sites (even though I knew they were legit sites). This happened A LOT and was very annoying...I found out that if I double-clicked on the link, it usually took me to where I wanted to go. I think avast! was what got rid of that problem.

Not sure if any of that matters, but I want you to know as much as possible about this, so maybe it'll help us beat this virus!

Thanks again. :)

Link to post
Share on other sites
JeanInMontana

JeanInMontana

Posted
Posted

Yes this helps. You must be what we call "rooted" and in a botnet. You need to keep this machine offline as much as possible. Your positive you don't have Firefox installed? We need to use ComboFix. It isn't as scary as it sounds. But delete the version you have and get a new one. The main part of this, is make sure you have the Recovery Console installed. The rest is a matter of clicking the program to run and posting the log to me. We need this done ASAP. Be sure you change all passwords to any place. Notify banks, credit cards etc that your identity has been compromised.

Review this article here how to use ComboFix

Be sure you cover the section on How to install and use the Windows XP Recovery Console and make sure it is installed on your machine. This is important should anything go wrong and we need to recover your PC and not lose all the data.

1. Download this file :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe save it to your desktop.

2. Double click combofix.exe. It will be a red icon with a white X on your desktop.

Follow the prompts you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.

3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.

Post that log and a HiJack log in your next reply

Note:

Do not mouseclick combofix's window while its running. That may cause it to stall.

Link to post
Share on other sites
anonimito

anonimito

Posted
  • Author
Posted

Before I do anything ill-advised...I have a few questions.

So for the Recovery Console part...the CD I need is the one for the OS? The disk I found reads:

Operating System

Reinstallation CD

Microsoft Windows XP Home Edition

If it helps, it's black with a bit of white on the top.

Is that the correct disk?

Also, the instructions for CF say that I have to disable all my antivirus, etc. programs and my firewall while I use CF. As far as I know, the only firewall I have is the XP one. Is it necessary to disable it? If so, would I do that just by going into the Network Connections icon in Control Panel and changing the firewall settings to off? Is that all there is to it? I've never done that before, and I want to make sure I do it properly.

So once I'm sure that I have the correct disk for the Recovery Console and that I know how to disable my firewall, I'll be ready to use CF. (I've read all the instructions.)

About firefox...I really don't remember ever installing it. This is a rather old computer, so I may have forgotten...but I only just heard of firefox last fall. I'm attaching a screencap of the only folder where I seem to find firefox so you can see what I see. It just doesn't seem *right* to be where it is...I dunno.

As for being "rooted"...since I'm unfamiliar with what that is, I have a few questions...

First, can this possibly "infect" the other computer in the house which uses the same internet connection? I don't think the computers are officially "networked," but they use the same wireless connection. Out of fear of the problem spreading to my other computer, I've left it off for as long as I've noticed this problem...

Also, with the recovery console and such...if something were to go wrong with CF, would my documents also be recovered? Or should I perform a massive back-up while I still have the chance?

Additionally, you said that I should change my passwords...is that because being rooted means that I have a keylogger? Or are the auto-complete passwords only compromised? This is just out of curiosity. I'll be changing my passwords once I have access to a "clean" computer.

One last question. Would it help at all to PM the Yahoo user ID's that my computer was using to send spam e-mails? I ended up writing down 3 unique ID's. So, if it'd be of any help to someone, I'll gladly PM the ID's to you or whomever handles these things.

Alright, I think that's all my questions for now. It's funny...I've started to run MBAM scans in my dreams! I'll be so relieved once this is over...

Thank you for your continued time, help, and patience. :)

screencapfirefox1.zip

screencapfirefox1.zip

Link to post
Share on other sites
JeanInMontana

JeanInMontana

Posted
Posted

Yes!! Backup, always and on a regular basis. :) It sounds like you have the right CD, I can't be positive without reading what's on it. Try the procedure if it works it was right. Report those Yahoo ID's to Yahoo, don't contact them unless you can walk to their house with a baseball bat. Go to Control Panel > Add Remove Programs If FF is installed it will be there. Being rooted means there is a trojan in the root of your PC's Windows directory. Your not in control of the machine someone else is and therefore all your information on the entire PC has been exposed to them. You should consider doing a total reformat. That is the only way we can be positive your clean. Keep updating and running MBAM. There is no need to zip files with only picture or a text file. You can simply upload them.

Link to post
Share on other sites
anonimito

anonimito

Posted
  • Author
Posted

Okay, I'll get to work with the Recovery Console and CF and let you know what happens.

As for the backup, is there a chance that the files I backup will also carry the trojan and just re-infect my computer at a later date, if I do chose to reformat?

I'm also still hesitant about using the other computer...I guess it's better to be safe than sorry?

As for the Yahoo ID's...back when this all started, I did report the first 2 ID's I found to Yahoo, but everything was so automated, I don't think it was ever read by a human being. I even called the tech support...

There's no firefox to be seen in my add/remove programs list. So I guess that proves that the files I found weren't put there by me. Would it be wise to delete that folder (the one I showed you in the latest screencap)? I don't want to make the problem worse...and I guess they could always put it back on my computer without my knowing again...hmm...

I'll run an MBAM scan the next chance I get.

As for zipping files, whenever I didn't, the tool used to attach it to my message told me that the file was too large...so I zipped it.

Thanks again for your help. :)

Link to post
Share on other sites
JeanInMontana

JeanInMontana

Posted
Posted

Don't let me know what happens, I need to see that log from ComboFix. Yes, there is a chance you might back up the files containing the malware, since I have no idea what you might back up.

I'm attaching a screen shot of what the FF entry looks like in A/R. If you don't see that delete the file. There are other programs that will take screen shots and save in a format not so large BMP files are always large. MBAM has a new version.

post-1030-1216663297_thumb.jpg

post-1030-1216663297_thumb.jpg

Link to post
Share on other sites
anonimito

anonimito

Posted
  • Author
Posted
Don't let me know what happens, I need to see that log from ComboFix. Yes, there is a chance you might back up the files containing the malware, since I have no idea what you might back up.

I'll definitely post the log...I never questioned that. Sorry if I worded that strangely.

I backed up mostly word documents and notepad files...that's really all I have on this computer.

I'll look into the smaller screencap files. Thanks for the tip!

Last night I spent far too much time backing up my computer, but I guess I'll be glad that I did. So tonight is for the Recovery Console and CF. Wish me luck! I'll post as soon as I make progress.

Thanks again for all your time and assistance. :)

Link to post
Share on other sites
anonimito

anonimito

Posted
  • Author
Posted

Since my last posting, I've installed the Recovery Console and CF.

I also deleted the Mozilla Folder as you suggested. It stayed deleted for a while, but when I rebooted, it was back. :)

Before running CF, I decided to run a MBAM scan.

It found something!!

Here's the newest log:

Malwarebytes' Anti-Malware 1.22

Database version: 977

Windows 5.1.2600 Service Pack 2

2:57:16 AM 7/22/2008

mbam-log-7-22-2008 (02-57-16).txt

Scan type: Quick Scan

Objects scanned: 67139

Time elapsed: 23 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 7

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\uyxgnon.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:

HKEY_CLASSES_ROOT\kxgnahim (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aeehowdu (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\aeehowdu (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aeehowdu (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{3787b284-825e-486c-900d-d57056aed3e5} (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3787b284-825e-486c-900d-d57056aed3e5} (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\enqrkyuu (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\uyxgnon.dll (Trojan.Vundo) -> Delete on reboot.

And here is a new HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:07:24 AM, on 7/22/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {3787B284-825E-486C-900D-D57056AED3E5} - c:\windows\system32\uyxgnon.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto

O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.darrenhayes.com

O15 - Trusted Zone: http://www.pandasecurity.com

O16 - DPF: Yahoo! Euchre - http://download2.games.yahoo.com/games/clients/y/et3_x.cab

O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1009880923873

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1009880917123

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...335/mcfscan.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: enqrkyuu - C:\WINDOWS\SYSTEM32\uyxgnon.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--

End of file - 8179 bytes

It looks like a lot of the ones we deleted before came back...like that red.clientapps thing...

-EDIT-

After the reboot requested by the MBAM scan, I wondered if the "delete on reboot" files were really gone. So, I ran another quick scan and found that they were still there:

Malwarebytes' Anti-Malware 1.22

Database version: 977

Windows 5.1.2600 Service Pack 2

3:34:20 AM 7/22/2008

mbam-log-7-22-2008 (03-34-20).txt

Scan type: Quick Scan

Objects scanned: 67134

Time elapsed: 22 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\kxgnahim (Trojan.Vundo) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{3787b284-825e-486c-900d-d57056aed3e5} (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3787b284-825e-486c-900d-d57056aed3e5} (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\enqrkyuu (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\uyxgnon.dll (Trojan.Vundo) -> Delete on reboot.

I'm not sure if that matters or not, but I figure you'd want to know all the information.

Thank you for your time, help, and patience.

Link to post
Share on other sites
anonimito

anonimito

Posted
  • Author
Posted

This is a bit weird...after updating and running MBAM, the scan showed no infections...while I'm sure that the uyxgnon.dll is still in my system32 folder...is that supposed to happen?

Here's the log:

Malwarebytes' Anti-Malware 1.23

Database version: 985

Windows 5.1.2600 Service Pack 2

10:55:16 PM 7/23/2008

mbam-log-7-23-2008 (22-55-16).txt

Scan type: Quick Scan

Objects scanned: 66999

Time elapsed: 28 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

And the HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:58:50 PM, on 7/23/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {3787B284-825E-486C-900D-D57056AED3E5} - c:\windows\system32\uyxgnon.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.darrenhayes.com

O15 - Trusted Zone: http://www.pandasecurity.com

O16 - DPF: Yahoo! Euchre - http://download2.games.yahoo.com/games/clients/y/et3_x.cab

O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1009880923873

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1009880917123

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...335/mcfscan.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: enqrkyuu - C:\WINDOWS\SYSTEM32\uyxgnon.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--

End of file - 8171 bytes

Also, I guess this could be considered good news...since I deleted the Mozilla Shared file the second time, it hasn't reappeared yet. ::knocks on wood:: Which translates to the firefox.exe process not running since then either!

However, I'm sure something's probably going on behind the scenes that I can't view in task manager...but at least no more firefox applications for the time being...

Thank you for your continued time, help, and patience. :)

Link to post
Share on other sites
anonimito

anonimito

Posted
  • Author
Posted

Alrighty...I hope I did this correctly:

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2008-07-24 20:44:01

Windows 5.1.2600 Service Pack 2

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SSFS0BB9.SYS (Spy Sweeper FileSystem Filter Driver/Webroot Software Inc (www.webroot.com))

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

AttachedDevice \FileSystem\Fastfat \Fat SSFS0BB9.SYS (Spy Sweeper FileSystem Filter Driver/Webroot Software Inc (www.webroot.com))

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \Driver\Tcpip \Device\Ip 86D47BD8

Device \Driver\Tcpip \Device\Ip 86C33E68

Device \Driver\Tcpip \Device\Ip 86EAB0F0

Device \Driver\Tcpip \Device\Ip 86B8A1E0

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Tcp 86D47BD8

Device \Driver\Tcpip \Device\Tcp 86C33E68

Device \Driver\Tcpip \Device\Tcp 86EAB0F0

Device \Driver\Tcpip \Device\Tcp 86B8A1E0

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Udp 86D47BD8

Device \Driver\Tcpip \Device\Udp 86C33E68

Device \Driver\Tcpip \Device\Udp 86EAB0F0

Device \Driver\Tcpip \Device\Udp 86B8A1E0

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\RawIp 86D47BD8

Device \Driver\Tcpip \Device\RawIp 86C33E68

Device \Driver\Tcpip \Device\RawIp 86EAB0F0

Device \Driver\Tcpip \Device\RawIp 86B8A1E0

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.14 ----

Is that what you wanted?

Link to post
Share on other sites
JeanInMontana

JeanInMontana

Posted
Posted

To be honest I had you run that for the lead definitions person, he thinks it will tell us what is hiding, and I have not used this before I will relay to him that you have the log and get back to you as soon as I can. It will be this evening or tomorrow. I have to work today and will be off this evening.

Link to post
Share on other sites
anonimito

anonimito

Posted
  • Author
Posted

It's probably insignificant, but a friend of mine recommended running an online kaspersky scan, and it did find something:

Saturday, July 26, 2008

Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Saturday, July 26, 2008 05:23:18

Records in database: 1009963

Scan settings

Scan using the following database extended

Scan archives yes

Scan mail databases yes

Scan area My Computer

A:\

C:\

D:\

Scan statistics

Files scanned 46265

Threat name 1

Infected objects 2

Suspicious objects 0

Duration of the scan 01:40:20

File name Threat name Threats count

C:\Documents and Settings\Kendall\Local Settings\Temp\sst_inst.exe

Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b

2

The selected area was scanned.

Not sure if that could help at all, but at this point, I'm willing to try anything.

Thanks.

Link to post
Share on other sites
anonimito

anonimito

Posted
  • Author
Posted

Another finding of note, yet probably meaningless:

I just discovered that my computer saves the Yahoo! ID of every single ID that logs into yahoo with my computer. I found the folder and looked inside and found 101 Yahoo ID's that aren't mine. Obviously, the 3 which I found by going to my Yahoo page don't even scratch the surface.

So, I wrote every single one of the ID's down. I'm sure I'll get a bit of enjoyment out of reporting them...especially if it keeps people from getting more spam/viruses from them in the future (one can hope!)

2 of the 3 ID's I found earlier were in the list of 101...I'm not sure why the last one wasn't there.

It's funny, in writing out all of the ID's, I noticed that nearly every single one of them (with the exception of 2) were generated as follows:

Take a person's first name

Add a person's surname

Add a 2-digit number from 00 to 99

Some of the name combinations were actually humerous, by, for example a first name of Hispanic orgin followed by a surname of Scottish origin. And a lot of the names were rather obscure...

I also analyzed the numbers in the ID's. 2/3 of all the numbers from 00 to 99 are represented in the list of ID's on my computer. Obviously, some are repeated, with 3 times being the most.

Sorry about the aside...I just thought it was interesting. It probably won't help my situation at all, but it was still interesting.

-EDIT-

Reading over my reply jogged a memory which may be slightly more significant.

Some time between the start of the firefox browsers running on my computer (as seen on task manager only) and when they stopped appearing due to my deletion of the folder containing firefox.exe...before I started taking screencaps to note the presence of the firefox browsers on task manager, they didn't always say "Yahoo! Mail" when they appeared. For a while, they actually said, "Yahoo! Ireland & UK" or something similar. However, as far as I can remember, the other firefox browser seen on task manager always said "My App." Not sure if that matters, but I want to tell you everything I know about this issue. :D

Thanks for reading.

Link to post
Share on other sites
anonimito

anonimito

Posted
  • Author
Posted

Okay...how exactly do I go about reformatting? I guess I'll look it up on the web...if I don't figure it out by the time of your next reply, then I'll let you know. I guess it'll be another long night of no sleep. Oh well...once this is behind me, I'll know not to ever let this happen again...at least I learned something out of all of this.

As for the file Kaspersky found...I zipped it and it's still too large to attach. Also, it's a rather old file, created a year before the infection happened. I looked it up and other sites seem to think it's a false positive or whatever they're called...

Well...maybe I can e-mail the zipped file to myself to keep it...and just not open the e-mail...let me know if you want me to send it somewhere.

The folder of Yahoo ID's was also too large (1+ MB zipped). I'll e-mail that to myself as well.

Sorry I couldn't help out anymore...once I get reformatted, what do you suggest I set up to prevent this from happening again? I know I'm going to reinstall avast! and MBAM, SuperAntiSpyware, and Spybot S&D...and probably get a better firewall...is there anything else that you notice I'm missing (aside from SP 3, that is)?

Thanks again for all your time, help, and patience in this matter.

Link to post
Share on other sites
anonimito

anonimito

Posted
  • Author
Posted

Well, luckily, I found the user's manual for my computer, which made reformatting a great deal easier. :D

So now, I'm rebuilding my system. I'm glad that the nightmare is finally over, even if it means I have to reinstall everything.

Jean, thanks again for all your help in this matter. I probably would have ruined my computer by now without your guidance! :)

Please let me know if there's anything else you'd like me to do.

-EDIT-

I just remembered another question that I had.

What do you suggest I do to better protect the other computer in the house? It's only a year old this August and running Windows Vista. It has Norton for a few more months, but once that expires, I think I'm going to go for avast! on that computer as well. Would it be a good idea to use MBAM and Spybot S&D on that computer as well? Also, does the Vista OS need an additional firewall (like XP does) or is it okay on its own?

Thanks again for your additional advice. :)

Link to post
Share on other sites
JeanInMontana

JeanInMontana

Posted
Posted

This is the standard reply I give to everyone to be better protected.

Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep MBAM and Spybot Search & Destroy and always immunize SBS&D when you update. You will also need at least one other scanning program Asquared or SuperAntiSpyware are good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use.

A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.

Preform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.

Keep other software known for vulnerabilities updated also. Use the Secunia Inspector free scan to identify risks in outdated versions.

SpywareBlaster from Javacool Software

WinPatrol by BillPStudios

SiteHound by FireTrust

RogueRemover

hpHosts

The windows firewall is not sufficient to protect. It doesn't monitor outgoing traffic and this is a must. I use and recommend Online Armor Free

Also the full protection of MBAM is offered at a very low price. Give it a trial using the link in my signature.

Were these two PC's connected via a network? It would be wise to follow the pre HJT post instructions on the Vista system and start a new topic. We can then be sure it's clean. Vista needs a better firewall too.

Link to post
Share on other sites
anonimito

anonimito

Posted
  • Author
Posted

I'll be sure to set up the firewall you recommend and I'll also look at the other links you provided.

Were these two PC's connected via a network? It would be wise to follow the pre HJT post instructions on the Vista system and start a new topic. We can then be sure it's clean. Vista needs a better firewall too.

I'm not exactly sure. The only way in which I view these computers as "connected" is that they use the same wireless to connect to the internet. As far as I know, they are not related in any other way. Once I get time to work with the other computer, I'll post a new topic...it's better safe than sorry.

Thanks again. :D

By the way...if you still want those files (the one Kaspersky found and the folder with all the Yahoo ID's that logged into my computer), just let me know. The e-mails sent without a glitch, as far as I can tell. The attachments were rather large (1.4 MB or something for the folder, and 19 MB? for the .exe Kaspersky file), but if they could help anyone, I'd be happy to send them to whomever handles these things.

-EDIT-

One last thing. After I reformatted and reinstalled avast! and MBAM and the other anti-malware programs (i.e. with essentially nothing else (save Windows Updates) on my computer), I ran a quick MBAM scan just to make sure everything was okay, and it found something. Is that normal? One would think that a computer whose OS is, for all intents and purposes, "starting over" would be clean. I'll post the log if it's necessary...I just wondered if that's normal or not.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.