Another Win32:TratBHO infection

system · 2008-01-24T20:01:56.000Z

I have had this for nearly 2 weeks and have tried many different ways of unsuccessfully getting rid of it.
Can anyone help
Here is my HiJackThis log followd by the ComboFix log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:55:19 PM, on 24/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qca10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qca10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM..\Run: [BDMCon] “C:\Program Files\Softwin\BitDefender10\bdmcon.exe” /reg
O4 - HKLM..\Run: [BDAgent] “C:\Program Files\Softwin\BitDefender10\bdagent.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198332921140
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: yaywuvu - yaywuvu.dll (file missing)
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

–
End of file - 6524 bytes

essexboy · 2008-01-24T20:47:12.000Z

OK try this

Please open Notepad
[*] Click Start , then Run[*]Type notepad .exe in the Run Box.
Now copy/paste the entire content of the codebox below into the Notepad window:


File::
C:\WINDOWS\system32\yaywuvu.dll
C:\WINDOWS\{6D6196E7-5EBD-4F4F-9466-E72126CB61BD}.dat
C:\WINDOWS\{D90693EE-0F69-4672-B6DC-D0C46E4548FF}.dat

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywuvu]

Renv::
<pre>
----a-w         1,694,208 2008-01-09 14:39:20  C:\Program Files\Messenger\msmsgs .exe
----a-w            15,360 2008-01-09 14:39:18  C:\WINDOWS\system32\ctfmon .exe
</pre>

Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Save the above as CFScript.txt
Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
[*]Combofix.txt [*]A new HijackThis log.

system · 2008-01-24T22:23:31.000Z

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:59:52 PM, on 24/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qca10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qca10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM..\Run: [BDMCon] “C:\Program Files\Softwin\BitDefender10\bdmcon.exe” /reg
O4 - HKLM..\Run: [BDAgent] “C:\Program Files\Softwin\BitDefender10\bdagent.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKCU..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198332921140
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

–
End of file - 6724 bytes

system · 2008-01-24T22:24:31.000Z

anComboFix 08-01-23.1B - Owner 2008-01-24 16:30:19.3 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt

Created a new restore point

FILE
C:\WINDOWS{6D6196E7-5EBD-4F4F-9466-E72126CB61BD}.dat
C:\WINDOWS{D90693EE-0F69-4672-B6DC-D0C46E4548FF}.dat
C:\WINDOWS\system32\yaywuvu.dll
.
The following files were disabled during the run:
C:\WINDOWS\system32\sockspy.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS{6D6196E7-5EBD-4F4F-9466-E72126CB61BD}.dat
C:\WINDOWS{D90693EE-0F69-4672-B6DC-D0C46E4548FF}.dat

.
((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.

2008-01-24 15:52 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-22 16:53 . 2008-01-22 17:05 d-------- C:\Program Files\Enigma Software Group
2008-01-22 11:48 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-22 11:48 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-22 11:48 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-22 11:48 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-22 11:48 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-22 11:48 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-22 11:47 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-22 11:47 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-19 08:14 . 2008-01-24 16:45 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-01-17 15:08 . 2008-01-17 15:08 d-------- C:\Program Files\CCleaner
2008-01-17 13:39 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-17 13:18 . 2008-01-17 13:23 d-------- C:\Program Files\XoftSpySE
2008-01-16 11:55 . 2008-01-16 11:56 d-------- C:\WINDOWS\system32\Go Travel Direct dir
2008-01-16 11:55 . 2008-01-16 11:55 201,728 --a------ C:\WINDOWS\system32\Go Travel Direct.scr
2008-01-16 10:43 . 2004-08-04 00:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-16 10:43 . 2004-08-04 00:58 14,848 --a–c— C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-01-16 10:43 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-16 10:43 . 2001-08-17 13:48 12,160 --a–c— C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-16 09:59 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-16 09:59 . 2001-08-17 14:02 9,600 --a–c— C:\WINDOWS\system32\dllcache\hidusb.sys
2008-01-16 07:54 . 2008-01-22 11:43 d-------- C:\Program Files\Free Download Manager
2008-01-15 10:28 . 2008-01-15 10:22 109,568 --a------ C:\WINDOWS\system32\pxinsi64.exe
2008-01-15 10:28 . 2008-01-15 10:22 108,544 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2008-01-15 08:19 . 2008-01-20 10:31 d-------- C:\Program Files\SUPERAntiSpyware
2008-01-11 07:52 . 2008-01-11 07:52 d-------- C:\Program Files\Alwil Software
2008-01-10 15:47 . 2008-01-22 10:13 d-------- C:\VundoFix Backups
2008-01-10 15:18 . 2008-01-10 16:47 131,072 --a------ C:\WINDOWS\system32\datestamp.dll
2008-01-10 15:16 . 2008-01-10 16:49 d-------- C:\WINDOWS\system32\ZeroSpyware
2008-01-10 15:14 . 2008-01-10 16:49 d-------- C:\Program Files\FBM Software
2008-01-09 19:21 . 2008-01-09 19:21 10,624 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-01-09 19:20 . 2008-01-09 20:17 d-------- C:\Program Files\PrevxCSI
2008-01-09 07:34 . 2008-01-09 09:39 15,360 --a–c— C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-09 07:34 . 2008-01-09 09:39 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-09 07:24 . 2008-01-09 11:22 d-------- C:\WINDOWS\system32\xv2
2008-01-09 07:24 . 2008-01-15 08:39 d-------- C:\WINDOWS\system32\edcA18
2008-01-09 07:24 . 2008-01-09 15:34 d-------- C:\WINDOWS\system32\ap3
2008-01-09 07:24 . 2008-01-09 07:24 d-------- C:\TEMP\Ryuan1
2008-01-08 16:13 . 2006-11-12 11:39 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx
2008-01-08 16:08 . 2008-01-08 16:08 d-------- C:\TEMP\BSPROINSTALL
2008-01-08 16:07 . 2008-01-08 16:08 3,642,935 --a------ C:\TEMP\BSPROINSTALL.zip
2008-01-08 16:01 . 2008-01-08 16:02 312,820,720 --a------ C:\TEMP\X12-30107.exe
2008-01-08 12:15 . 2008-01-08 12:15 0 --a------ C:\WINDOWS\nsreg.dat
2008-01-08 12:14 . 2008-01-24 15:29 d-------- C:\Program Files\Mozilla Thunderbird
2008-01-02 16:23 . 2008-01-02 16:24 1,177 --a------ C:\WINDOWS\system32\imbrmute.ini
2008-01-02 07:59 . 2008-01-02 07:59 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-01 19:31 . 2008-01-01 19:31 d-------- C:\Program Files\directx
2007-12-30 21:40 . 2007-12-30 21:40 d-------- C:\Program Files\Common Files\AVSMedia
2007-12-29 07:39 . 2007-12-29 07:39 d-------- C:\Program Files\Microsoft Silverlight
2007-12-24 19:40 . 2000-05-22 00:00 647,872 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2007-12-24 19:40 . 2004-08-30 14:25 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll
2007-12-24 19:40 . 2004-12-10 10:06 327,680 --a------ C:\WINDOWS\system32\vp6dec.ax
2007-12-24 19:40 . 2003-09-05 12:07 168,960 --a------ C:\WINDOWS\system32\XCDZIP35.OCX
2007-12-24 19:40 . 2005-01-21 12:20 118,832 --a------ C:\WINDOWS\system32\SHW32.DLL
2007-12-24 18:43 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-24 18:43 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 13:55 --------- d-----w C:\Program Files\Trend Microd the combofix log

system · 2008-01-24T22:26:34.000Z

I’m fairly new at this kind of stuff but it appears that the offending file is gone.
Am I correct
Your help is much appreciated and why is this infection so hard to remove.

essexboy · 2008-01-24T22:46:13.000Z

I only got half of the combofix log but from the bit I saw I would say yes

system · 2008-01-24T23:27:42.000Z

My fault that I didn’t copy the whole file here is the missing part…I think …Can’t post the whole thing as it exceeds 10000 characters

have a look at this
ComboFix 08-01-23.1B - Owner 2008-01-24 16:30:19.3 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt

Created a new restore point

FILE
C:\WINDOWS{6D6196E7-5EBD-4F4F-9466-E72126CB61BD}.dat
C:\WINDOWS{D90693EE-0F69-4672-B6DC-D0C46E4548FF}.dat
C:\WINDOWS\system32\yaywuvu.dll
.
The following files were disabled during the run:
C:\WINDOWS\system32\sockspy.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS{6D6196E7-5EBD-4F4F-9466-E72126CB61BD}.dat
C:\WINDOWS{D90693EE-0F69-4672-B6DC-D0C46E4548FF}.dat

.
((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.

30,072	--a------	C:\WINDOWS\system32\mucltui.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 13:55 --------- d-----w C:\Program Files\Trend Micro
2008-01-17 20:10 --------- d-----w C:\Program Files\GetRight
2008-01-17 19:09 708,096 ----a-w C:\WINDOWS\system32\ntdll.dll
2008-01-16 15:42 --------- d-----w C:\Program Files\Logitech
2008-01-16 15:42 --------- d-----w C:\Program Files\Common Files\Logitech
2008-01-16 15:26 --------- d–h–w C:\Program Files\InstallShield Installation Information
2008-01-15 15:22 20,640 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-01-15 13:18 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-09 12:29 --------- d-----w C:\Program Files\QuickTime
2008-01-01 23:45 --------- d-----w C:\Program Files\PokerStars.NET
2007-12-25 00:26 --------- d-----w C:\Program Files\EA SPORTS
2007-12-22 14:20 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-20 23:04 --------- d-----w C:\Program Files\Apple Software Update
2007-12-20 00:31 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2007-12-20 00:30 --------- d-----w C:\Program Files\Java
2007-12-19 23:47 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-18 23:15 --------- d-----w C:\Program Files\interMute
2007-12-18 23:04 --------- d-----w C:\Program Files\Easy Internet signup
2007-12-18 23:01 3,888 ----a-w C:\WINDOWS\viassary-hp.reg
2007-12-18 21:55 3,420 --sha-r C:\WINDOWS\system32\drivers\HP_DT076A-ABA S6200CL NA411_YC_Pres_QMXR414_E41NAheRED4_4_IKamet2_SASUSTek Computer INC._V2.01_B3.10_T041101_WXH1_L409_M512_J120_7AMD_8Athlon XP 2800+_92.07_111063044_N11063065_P_Z11C1044C_K_A11063059_U11063038_G.MRK
2007-12-16 23:04 --------- d-----w C:\Program Files\SpywareDetector
2007-12-11 20:48 --------- d-----w C:\Program Files\Windows Live Safety Center
2007-11-30 22:45 --------- d-----w C:\Program Files\Coupons
2007-11-29 22:01 --------- d-----w C:\Program Files\SmartDraw 2008
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2004-08-30 00:04 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“NVIEW”=“nview.dll” [2003-08-19 04:56 852038 C:\WINDOWS\system32\nview.dll]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2008-01-09 09:39 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“LTMSG”=“LTMSG.exe” [2003-07-14 19:52 40960 C:\WINDOWS\ltmsg.exe]
“BDMCon”=“C:\Program Files\Softwin\BitDefender10\bdmcon.exe” [2007-04-02 16:48 290816]
“BDAgent”=“C:\Program Files\Softwin\BitDefender10\bdagent.exe” [2007-03-26 15:49 69632]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 08:00 79224]
“!AVG Anti-Spyware”=“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” [2007-06-11 04:25 6731312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywuvu]
yaywuvu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
“AppInit_DLLs”=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZSScheduler]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
“HPHmon05”=C:\WINDOWS\System32\hphmon05.exe
“TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
“Adobe Photo Downloader”=“C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe”

hidden files: 0

.

essexboy · 2008-01-25T18:28:25.000Z

Looks like that winlogon is back so lets try a different route to kill it

WARNING these fixes are designed for this user only and may cause damage if run on an uninfected machine

REGISTRY FIX

REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywuvu]

Next you will need to create the repair registry fix to do that copy and paste ALL of the above in the quote box to a notepad file. Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop
http://img127.imageshack.us/img127/433/regtg8.jpg

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

THEN

Please download the OTMoveIt2 by OldTimer.

[*] Save it to your desktop.
[*] Please double-click OTMoveIt2.exe to run it.
[*]Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


C:\WINDOWS\system32\yaywuvu.dll
C:\WINDOWS\yaywuvu.dll
C:\yaywuvu.dll

[*] Return to OTMoveIt2, right click in the “Paste List of Files/Folders to be Moved” window (under the light blue bar) and choose Paste.

[*]Click the red Moveit! button.
[*]Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
[*]Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If I could have the OTMoveit log and a new Hijackthis

system · 2008-01-26T13:54:03.000Z

Followed instructions and here are the results.
File/Folder C:\WINDOWS\system32\yaywuvu.dll not found.
File/Folder C:\WINDOWS\yaywuvu.dll not found.
File/Folder C:\yaywuvu.dll not found.

OTMoveIt2 v1.0.14 log created on 01262008_084543

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:40 AM, on 26/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qca10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qca10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM..\Run: [BDMCon] “C:\Program Files\Softwin\BitDefender10\bdmcon.exe” /reg
O4 - HKLM..\Run: [BDAgent] “C:\Program Files\Softwin\BitDefender10\bdagent.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKCU..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198332921140
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

–
End of file - 6677 bytes

Looks like it’s all gone…am I right

essexboy · 2008-01-26T14:10:12.000Z

Looks good to me

Now the best part of the day ----- Your log now appears clean

Double click OTMoveIt once again and you should see a CleanUp! button, press that button, you may get prompted by your firewall that OTMoveIt wants to contact the internet, allow this, a cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself

Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your your restore point but this is my method:

Select Start > All Programs > Accessories > System tools > System Restore.
On the dialogue box that appears select Create a Restore Point
Click NEXT
Enter a name e.g. Clean
Click CREATE

You now have a clean restore point, to get rid of the bad ones:

Select Start > All Programs > Accessories > System tools > Disk Cleanup.
In the Drop down box that appears select your main drive e.g. C
Click OK
The System will do some calculation and the display a dialogue box with TABS
Select the More Options Tab.
At the bottom will be a system restore box with a CLEANUP button click this
Accept the Warning and select OK again, the program will close and you are done

Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:
[*]SpywareBlaster to help prevent spyware from installing in the first place.
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Keep safe

Announcements