Can anyone tell me if there's anything wrong with this log? After a recent attack, I think I may still have some things on here. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 5:16:36 AM, on 7/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Documents and Settings\Orona\Desktop\HijackThis.exe
C:\Program Files\Yahoo!\Antivirus\autodown.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {F2B53756-AD96-F464-C9FA-F0FA3BD96D9F} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F8BBF5E-8813-466E-8D9C-AA8FB258D3F0} - (no file)
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - (no file)
O2 - BHO: (no name) - {3DE51B70-C157-4E31-9FC7-D8D1D90B6EFB} - \
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\common\YIeTagBm.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll
O2 - BHO: (no name) - {8D99D2A3-317C-4929-8A5D-21140259D93A} - (no file)
O2 - BHO: (no name) - {9CC6AB95-099C-4048-95FC-F47583A8FAB8} - (no file)
O2 - BHO: Macromedia Flash - {AD03571F-C182-D851-A69F-96C80BF4B23B} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {F2B53756-AD96-F464-C9FA-F0FA3BD96D9F} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [YOP] "C:\PROGRA~1\Yahoo!\YOP\yop.exe" /autostart
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165553312734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173159175281
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
Download and Run ComboFix

* Download this file from either of the two below listed places:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
* Then double click combofix.exe & follow the prompts.
* When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Ok... here's the log from ComboFix.

"Orona" - 2007-07-10 19:14:48 - ComboFix 07-07-10.1 - Service Pack 1

((((((((((((((((((((((((( Files Created from 2007-06-11 to 2007-07-11 )))))))))))))))))))))))))))))))

2007-07-10 19:14 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-04 20:30 126,976 --a------ C:\WINDOWS\xhelper.dll
2007-07-04 20:20 22,592 --a------ C:\WINDOWS\system32\21sMPapB.exe
2007-06-25 23:56 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-06-24 10:45 <DIR> d-------- C:\Temp

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-05 18:36:43 630,200 ----a-w C:\WINDOWS\system32\drivers\VetEFile.sys
2007-07-05 18:36:43 108,392 ----a-w C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-06-27 06:41:55 -------- d-----w C:\DOCUME~1\Orona\APPLIC~1\Yahoo!
2007-04-22 05:38:39 8,704 ----a-w C:\WINDOWS\system32\sporder.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2007-03-20 15:39 803864 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2005-09-23 22:12 63136 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F8BBF5E-8813-466E-8D9C-AA8FB258D3F0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3DE51B70-C157-4E31-9FC7-D8D1D90B6EFB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
2006-10-31 16:33 198136 --a------ C:\PROGRA~1\Yahoo!\common\yiesrvc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{65D886A2-7CA7-479B-BB95-14D1EFB7946A}]
2006-07-28 12:36 120312 --a------ C:\PROGRA~1\Yahoo!\common\YIeTagBm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
2007-07-04 20:30 126976 --a------ C:\WINDOWS\xhelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9CC6AB95-099C-4048-95FC-F47583A8FAB8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AD03571F-C182-D851-A69F-96C80BF4B23B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D}]
2005-02-03 19:07 124032 --a------ C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2B53756-AD96-F464-C9FA-F0FA3BD96D9F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 11:43]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 17:19]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2006-12-21 04:16]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2006-12-21 04:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gpsaaaaa]
C:\WINDOWS\System32\gpsaaaaa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
C:\Program Files\Ipwindows\ipwins.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ixcdfr]
C:\Documents and Settings\Orona\Application Data\??stem\c?rss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Repair Registry Pro]
C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-10 19:16:17
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-10 19:17:24
--- E O F ---
Here's the log from HJT...

Logfile of HijackThis v1.99.1
Scan saved at 7:16:12 AM, on 7/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Documents and Settings\Orona\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F8BBF5E-8813-466E-8D9C-AA8FB258D3F0} - (no file)
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - (no file)
O2 - BHO: (no name) - {3c2ba44b-0e86-4df3-9b8b-173b6d4c12de} - (no file)
O2 - BHO: (no name) - {3DE51B70-C157-4E31-9FC7-D8D1D90B6EFB} - \
O2 - BHO: (no name) - {4392060D-E3DF-42CE-A4EF-0644515CCC41} - \
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\common\YIeTagBm.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll
O2 - BHO: (no name) - {941508F8-CCD9-44E0-AC29-4F1E141373F7} - C:\WINDOWS\system32\gebxvtt.dll
O2 - BHO: (no name) - {9CC6AB95-099C-4048-95FC-F47583A8FAB8} - (no file)
O2 - BHO: Macromedia Flash - {AD03571F-C182-D851-A69F-96C80BF4B23B} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {F2B53756-AD96-F464-C9FA-F0FA3BD96D9F} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [YOP] "C:\PROGRA~1\Yahoo!\YOP\yop.exe" /autostart
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165553312734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173159175281
O20 - Winlogon Notify: gebxvtt - C:\WINDOWS\SYSTEM32\gebxvtt.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
Open Control Panel, and there Add/Remove Programs. Remove these:
Repair Registry Pro
Ipwindows

Open Notepad and copy/paste the text in the quotebox below into it:

Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply. Also post a fresh HijackThis log.
Here's the ComboFix log...

"Orona" - 2007-07-11 23:42:00 - ComboFix 07-06-27.7 - Service Pack 1 NTFS
Command switches used :: C:\Documents and Settings\Orona\Desktop\CFScript.txt

((((((((((((((((((((((((( Files Created from 2007-06-12 to 2007-07-12 )))))))))))))))))))))))))))))))

2007-07-11 23:41 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-07-11 01:23 1,016,352 -r-hs---- C:\WINDOWS\annidgqA.exe
2007-07-04 20:30 126,976 --a------ C:\WINDOWS\xhelper.dll
2007-06-25 23:56 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-06-24 10:45 <DIR> d-------- C:\Temp

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-05 18:36:43 630,200 ----a-w C:\WINDOWS\system32\drivers\VetEFile.sys
2007-07-05 18:36:43 108,392 ----a-w C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-06-27 06:41:55 -------- d-----w C:\DOCUME~1\Orona\APPLIC~1\Yahoo!
2007-04-22 05:38:39 8,704 ----a-w C:\WINDOWS\system32\sporder.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2007-03-20 15:39]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-23 22:12]
{3DE51B70-C157-4E31-9FC7-D8D1D90B6EFB}=\ [2007-07-11 23:43]
{4392060D-E3DF-42CE-A4EF-0644515CCC41}=\ [2007-07-11 23:43]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\PROGRA~1\Yahoo!\common\yiesrvc.dll [2006-10-31 16:33]
{65D886A2-7CA7-479B-BB95-14D1EFB7946A}=C:\PROGRA~1\Yahoo!\common\YIeTagBm.dll [2006-07-28 12:36]
{85589B5D-D53D-4237-A677-46B82EA275F3}=C:\WINDOWS\xhelper.dll [2007-07-04 20:30]
{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D}=C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll [2005-02-03 19:07]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 11:43]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 17:19]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2006-12-21 04:16]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2006-12-21 04:16]

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-11 23:43:26
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-11 23:44:29
--- E O F ---

And here's the HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 11:49:51 PM, on 7/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Orona\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F8BBF5E-8813-466E-8D9C-AA8FB258D3F0} - (no file)
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - (no file)
O2 - BHO: (no name) - {3c2ba44b-0e86-4df3-9b8b-173b6d4c12de} - (no file)
O2 - BHO: (no name) - {3DE51B70-C157-4E31-9FC7-D8D1D90B6EFB} - \
O2 - BHO: (no name) - {4392060D-E3DF-42CE-A4EF-0644515CCC41} - \
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\common\YIeTagBm.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll
O2 - BHO: (no name) - {8D99D2A3-317C-4929-8A5D-21140259D93A} - (no file)
O2 - BHO: (no name) - {941508F8-CCD9-44E0-AC29-4F1E141373F7} - (no file)
O2 - BHO: (no name) - {9CC6AB95-099C-4048-95FC-F47583A8FAB8} - (no file)
O2 - BHO: Macromedia Flash - {AD03571F-C182-D851-A69F-96C80BF4B23B} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {F2B53756-AD96-F464-C9FA-F0FA3BD96D9F} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [YOP] "C:\PROGRA~1\Yahoo!\YOP\yop.exe" /autostart
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165553312734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173159175281
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
Open HijackThis - Click the Do a system scan only button - Check the following entries (below):

O2 - BHO: (no name) - {1F8BBF5E-8813-466E-8D9C-AA8FB258D3F0} - (no file)
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - (no file)
O2 - BHO: (no name) - {3c2ba44b-0e86-4df3-9b8b-173b6d4c12de} - (no file)
O2 - BHO: (no name) - {3DE51B70-C157-4E31-9FC7-D8D1D90B6EFB} - \
O2 - BHO: (no name) - {4392060D-E3DF-42CE-A4EF-0644515CCC41} - \
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll
O2 - BHO: (no name) - {8D99D2A3-317C-4929-8A5D-21140259D93A} - (no file)
O2 - BHO: (no name) - {941508F8-CCD9-44E0-AC29-4F1E141373F7} - (no file)
O2 - BHO: (no name) - {9CC6AB95-099C-4048-95FC-F47583A8FAB8} - (no file)
O2 - BHO: Macromedia Flash - {AD03571F-C182-D851-A69F-96C80BF4B23B} - (no file)

Close ALL open windows
Click Fix Checked
Close HijackThis

========

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder. Version 7.5.0.50!

* Install AVG Anti-Spyware by double clicking the installer.
* Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
* On the main screen under Your Computer's security:
* Click on Change state next to Resident shield. It should now change to inactive.
* Click on Change state next to Automatic updates. It should now change to inactive.
* Next to Last Update, click on Update now. (You will need an active internet connection to perform this.)
* Wait until you see the Update successful message.
* Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
* Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update ewido: AVG Anti-Spyware manual updates. Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

If AVG doesn't work in Safe Mode, please use this patchfile to make it work.

Don't run just yet!

Restart your computer to Safe Mode.

1. If the computer is running, shut down Windows, and then turn off the power.
2. Wait 30 seconds, and then turn the computer on.
3. Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
4. Ensure that the Safe Mode option is selected.
5. Press Enter. The computer then begins to start in Safe Mode.
6. Log in on your usual account.

Now, enable the Show Hidden Folders option, like this:
Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK.

Delete these files:
C:\WINDOWS\annidgqA.exe
C:\WINDOWS\xhelper.dll

Please set your system to hide all hidden files.
Click Start, open My Computer, select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders. Check: Hide file extensions for known file types. Check the Hide protected operating system files (recommended) option. Click Yes to confirm.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.

* Click on Scanner on the toolbar.
* Click on the Settings tab.
* Under How to act?
* Click on Recommended Action and choose Quarantine from the popup menu.
* Under How to scan?
* All checkboxes should be ticked.
* Under Possibly unwanted software:
* All checkboxes should be ticked.
* Under Reports:
* Select Automatically generate report after every scan and uncheck Only if threats were found.
* Under What to scan?
* Select Scan every file.
* Click on the Scan tab.
* Click on Complete System Scan to start the scan process.
* Let the program scan the machine.
* When the scan has finished, follow the instructions below.

IMPORTANT: Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.

* Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
* At the bottom of the window click on the Apply all Actions button. (3)
* When done, click the Save Scan Report button. (4)
* Click the Save Report as button.
* Save the report to your Desktop.
* Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot in Normal Mode, and post a new HJT log, along with the AVG Anti-Spyware log.
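Added example, not part of this thread and not code from the HijackThis or ComboFix authors: a small Python triage script that mechanises the two judgements made above. It parses the O2/O3/O20 lines of a HijackThis 1.99.1 log and marks an entry "orphan" when the registration points at nothing ("(no file)", a bare "\", or "(file missing)"), and "review-location" when the module sits directly in C:\WINDOWS rather than in a program or system folder. The location rule is a heuristic of my own, not a HijackThis rule. The second function reads a ComboFix "Files Created" block and returns files carrying both the hidden and system attributes, the -r-hs---- pattern seen on annidgqA.exe. Both sample inputs are constructed from the line formats in this thread.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape HijackThis 1.99.1 prints its O2 (BHO), O3 (toolbar)
# and O20 (Winlogon Notify) entries. Not a copy of any one machine's log.
HJT_SAMPLE = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {1F8BBF5E-8813-466E-8D9C-AA8FB258D3F0} - (no file)
O2 - BHO: (no name) - {3DE51B70-C157-4E31-9FC7-D8D1D90B6EFB} - \
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# Constructed sample of a ComboFix "Files Created" block: date, time, size (or <DIR>),
# a nine-character attribute field (d=dir, r=read-only, a=archive, h=hidden, s=system), path.
COMBOFIX_SAMPLE = r"""
2007-07-11 23:41 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-07-11 01:23 1,016,352 -r-hs---- C:\WINDOWS\annidgqA.exe
2007-07-04 20:30 126,976 --a------ C:\WINDOWS\xhelper.dll
2007-06-25 23:56 <DIR> d-------- C:\WINDOWS\Internet Logs
"""


@dataclass
class Entry:
    section: str          # "O2", "O3" or "O20"
    name: str
    clsid: str            # empty for O20, which carries no CLSID
    path: str
    raw: str              # the original log line, ready to paste into a fix list
    verdict: str = ""


LINE_RE = re.compile(r"^(?P<section>O2|O3|O20) - (?:BHO|Toolbar|Winlogon Notify): (?P<rest>.+)$")
# Heuristic (my assumption): a module dropped straight into C:\WINDOWS, not a subfolder.
WINDIR_ROOT_RE = re.compile(r"C:\\WINDOWS\\[^\\]+", re.IGNORECASE)
CF_LINE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+(?:[\d,]+|<DIR>)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$")


def parse_hjt(text: str) -> List[Entry]:
    """Pick the O2/O3/O20 lines out of a HijackThis log; other sections are skipped."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue
        # "<name> - <clsid> - <path>" for O2/O3, "<name> - <path>" for O20.
        parts = m.group("rest").rsplit(" - ", 2)
        name, path = parts[0], parts[-1]
        clsid = parts[1] if len(parts) == 3 else ""
        entries.append(Entry(m.group("section"), name, clsid, path, raw))
    return entries


def classify(entry: Entry) -> str:
    """orphan: registration with no file behind it; review-location: odd drop point; ok."""
    p = entry.path
    if p in ("(no file)", "\\") or p.endswith("(file missing)"):
        return "orphan"
    if WINDIR_ROOT_RE.fullmatch(p):
        return "review-location"
    return "ok"


def triage(text: str) -> List[Entry]:
    entries = parse_hjt(text)
    for e in entries:
        e.verdict = classify(e)
    return entries


def fix_list(text: str) -> List[str]:
    """Raw lines a helper would ask the user to tick in HijackThis."""
    return [e.raw for e in triage(text) if e.verdict != "ok"]


def hidden_system_files(text: str) -> List[str]:
    """Paths in a ComboFix 'Files Created' block that are both hidden and system."""
    found = []
    for line in text.splitlines():
        m = CF_LINE_RE.match(line.strip())
        if m and "h" in m.group("attrs") and "s" in m.group("attrs"):
            found.append(m.group("path"))
    return found


if __name__ == "__main__":
    for e in triage(HJT_SAMPLE):
        print(f"{e.verdict:16} {e.raw}")
    print("hidden+system:", hidden_system_files(COMBOFIX_SAMPLE))
```

On the sample, the orphan rule alone catches every "(no file)", "\" and "(file missing)" entry, and the location rule adds C:\WINDOWS\xhelper.dll while leaving msdxm.ocx and igfxsrvc.dll (both under System32) alone. The script is a first pass for the eye, not a verdict: a legitimate vendor can register a BHO in an odd place, and a dead entry is harmless until something recreates it, so the output is a list to review, in the same way the helper reviews the log by hand.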
Ok... I did the scan with AVG, but I was unable to save a log. Don't know why. However, it did find a couple of files. It found mostly 'tracking cookies' which I couldn't quarantine, but I did manage to delete them. The one file I did quarantine was 'c:\windows\browser.exe'. It was infected as 'hijacker.small'. Here's the HJT log too.

Logfile of HijackThis v1.99.1
Scan saved at 6:21:23 PM, on 7/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Documents and Settings\Orona\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [YOP] "C:\PROGRA~1\Yahoo!\YOP\yop.exe" /autostart
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165553312734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173159175281
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
Update Your Windows XP.

You should update your Windows XP to SP2, NOW. This fixes a large number of security holes in your system. It is a very large download, and is not feasible with Dial-Up. If you are on Dial-Up, order the CD from the site below.

You can download SP2 from here:

If there is a problem with getting the SP2 to take after it's downloaded, see here:

You can order an update Service Pack 2 CD from Microsoft here:

For updating with Firefox: http://www.microsoft.com/downloads/...70-D51C-4BE5-A15B-74430E9E2AD4&displaylang=en

It is absolutely vital that you get this done, or you will have trouble often. After it's installed, set Automatic Updates.

We will be glad to check out your PC after SP2 is installed, to be sure everything went according to plan. Then post a fresh HijackThis log.
Sorry for the long wait in responding, but thanks a lot... really. I'll do just that as soon as I get the CD.