
January 11th, 2005 13:00

Help with HijackThis log

Ok here goes. I have run the following: CWShredder, Adaware, Spybot S&D and Spywareblaster, as well as updated XP to SP2. After I dial in and launch IE, I get two additional screens trying to send me to www.qdentica.com. Installed Mozilla Firefox. Upon launch of Firefox, IE also launches with the above screens. Ran HijackThis. Here is the log.
 
Logfile of HijackThis v1.99.0
Scan saved at 6:56:34 PM, on 1/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://by19fd.bay19.hotmail.msn.com/cgi-bin/getmsg?msg=MSG1098379335.1&mfs=&_HMaction=move&tobox=F000000004&direction=next&wo=&curmbox=F000000001&a=e42ac93e493df7c1bacd24bacc5b4e9a
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [USBHWDRV] C:\gam.exe
O4 - HKLM\..\Run: [USBHWINFO] C:\mac.exe
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\yyyguq.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Video Lan Player] VideoLanPlayer.exe
O4 - HKCU\..\Run: [Win32 SSL Driver] winssv.exe
O4 - HKCU\..\Run: [Windows Sound Manager] SndMon32.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O21 - SSODL: mtklef - {9E541990-DBA8-4EFE-0D97-7FCE715C2817} - C:\WINDOWS\System32\zxci32.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 
Thanks for any suggestions.
Shawn

Message Edited by UMichMed on 01-11-2005 09:24 AM


January 11th, 2005 14:00

Shawn,

First, make sure you're able to view system and hidden files and folders, then do:

"Start | Search..."

-

And look for the following:

*yyyguq*

-

Post back the results.

Mike.


January 11th, 2005 14:00

Mike,

Thanks for the quick response. My problem is on my home computer, so I will have to post back results tomorrow a.m. Just a quick question. This is not my forte; how do I make sure I see all system and hidden folders? Also, do I do anything with "yyyguq" if present, or simply proceed to the trendmicro scan?

Thanks Again,

Shawn


January 11th, 2005 14:00

Shawn,

I've just finished analyzing your log. When you're done with the above, go to www.trendmicro.com and click "Free Online Scan" - then follow the links to begin downloading the free online scanner. When it's done, select all available drives, then click "Scan".

Post back the results.

Mike.

 


January 11th, 2005 15:00

Shawn,
 
You're welcome.
 
-
 
When the "Search Results" window first comes up:
 
1.  Click "Tools | Folder Options... | View (tab)"
 
2.  Check(tick) the following:
 
     Show hidden files and folders.
 
3.  Uncheck (untick) the following:
 
     Hide extensions for known file types.
     Hide protected operating system files [recommended].
 
4.  Click "Ok".
 
5.  Now, click "All files and folders"
 
6.  Then enter the search string (from the previous post).
 
-
 
Hopefully Housecall (from TrendMicro) will find and remove it, if not just post back the results from that.
 
Based on your log, there's quite a few programs that are running that shouldn't be there, and were dropped by one or more trojans. Don't fix these just yet, but here's a heads up on what I'm referring to:
 
O4 - HKLM\..\Run: [USBHWDRV] C:\gam.exe
O4 - HKLM\..\Run: [USBHWINFO] C:\mac.exe
(These two I'm not sure about, but I'm suspecting trojan.)

O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\yyyguq.exe
(This might be a trojan downloader.)
 
O4 - HKCU\..\Run: [Video Lan Player] VideoLanPlayer.exe
O4 - HKCU\..\Run: [Win32 SSL Driver] winssv.exe
O4 - HKCU\..\Run: [Windows Sound Manager] SndMon32.exe
(These were dropped by a trojan.)
 
O21 - SSODL: mtklef - {9E541990-DBA8-4EFE-0D97-7FCE715C2817} - C:\WINDOWS\System32\zxci32.dll
(This might also be a trojan downloader.)
 
-
 
Let's see what HouseCall can 'sniff' out for us.
 
Mike.
 


January 12th, 2005 10:00

Mike,
Here are the results I found after following your suggestions. First, a search for the file "yyyguq" returned the file "yyyguq.exe-0659B144.pf", with the path C:\WINDOWS\Prefetch. I recorded the information, but didn't do anything to the file.
Second, I ran Housecall, and it returned 12 files, all "non-cleanable". It identified the following. TROJ DLOADER.Z (2 files), TROJ NARRATOR.A (1 file), TROJ PURSC.A (1 file) and BKDR BERBEW.I (7 files). I have the file paths if you need them. Again, I didn't do anything with this information except record it. Finally, I re-ran HijackThis. I haven't compared it to the last log to check for changes, but the results are as follows.

Logfile of HijackThis v1.99.0
Scan saved at 7:51:56 PM, on 1/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://by19fd.bay19.hotmail.msn.com/cgi-bin/getmsg?msg=MSG1098379335.1&mfs=&_HMaction=move&tobox=F000000004&direction=next&wo=&curmbox=F000000001&a=e42ac93e493df7c1bacd24bacc5b4e9a
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [USBHWDRV] C:\gam.exe
O4 - HKLM\..\Run: [USBHWINFO] C:\mac.exe
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\yyyguq.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Video Lan Player] VideoLanPlayer.exe
O4 - HKCU\..\Run: [Win32 SSL Driver] winssv.exe
O4 - HKCU\..\Run: [Windows Sound Manager] SndMon32.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: yyyigf.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O21 - SSODL: mtklef - {9E541990-DBA8-4EFE-0D97-7FCE715C2817} - C:\WINDOWS\System32\zxci32.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Let me know if you need additional information.
Shawn
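Mike's heads-up a few posts up judges entries by structure rather than by name: a program running from the drive root, a Run value with no visible path, a system-sounding label in front of a random-looking binary, and an SSODL DLL nobody recognises; and Shawn mentions he has not compared the new log against the previous one. Both steps can be done mechanically. The Python below is an added example written for this thread (it is not code from the forum, from HijackThis or from Trend Micro). The two log excerpts are cut down from the logs posted above; the heuristic names and the parsing regexes are my own assumptions about the log format, not a specification of it.

```python
"""Triage helper for HijackThis-style logs (added example, not a tool from this
thread, from HijackThis or from Trend Micro): parse the scan lines, diff two
scans, and flag autostart entries by structural properties rather than by name."""
from __future__ import annotations

import re
from typing import NamedTuple


class Entry(NamedTuple):
    section: str  # "R1", "O4", "O21", ...
    body: str     # everything after "O4 - "


# Excerpts of the two logs posted in this thread (1/10 and 1/11 scans), cut
# down to a handful of lines so the example runs offline.  The 1/11 excerpt adds
# the yyyigf.exe startup item and the HouseCall ActiveX control that appeared
# after the online scan.
SCAN_JAN10 = r"""
Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [USBHWDRV] C:\gam.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\yyyguq.exe
O4 - HKCU\..\Run: [Win32 SSL Driver] winssv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O21 - SSODL: mtklef - {9E541990-DBA8-4EFE-0D97-7FCE715C2817} - C:\WINDOWS\System32\zxci32.dll
"""
SCAN_JAN11 = SCAN_JAN10 + r"""
O4 - Global Startup: yyyigf.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
"""

# Assumed line shapes, derived from the logs above rather than from a spec.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.+)$")
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run[^:]*: \[(?P<name>[^\]]*)\] (?P<target>.+)$")
STARTUP_RE = re.compile(r"^(?:.* )?Startup: (?P<item>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|scr|bat|cmd|pif))"?(?:\s|$)', re.IGNORECASE)


def parse_log(text: str) -> list[Entry]:
    """Keep only the numbered scan lines (R*, F*, O*); skip the header and the
    running-process list."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2)))
    return out


def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """Entries added and removed between two scans of the same machine."""
    old, new = set(parse_log(before)), set(parse_log(after))
    return sorted(new - old), sorted(old - new)


def executable_path(target: str) -> str:
    """Strip surrounding quotes and command-line arguments from a Run value."""
    m = EXE_RE.match(target.strip())
    return m.group("path") if m else target.strip()


def _normalize(s: str) -> str:
    return re.sub(r"[^a-z0-9]", "", s.lower())


def triage_entry(e: Entry) -> list[str]:
    """Structural heuristics; each is a reason to look closer, not a verdict."""
    reasons = []
    if e.section == "O4":
        run = RUN_RE.match(e.body)
        startup = STARTUP_RE.match(e.body)
        if run:
            path = executable_path(run.group("target"))
            if "\\" not in path:
                reasons.append("bare filename: HijackThis could not show where it lives")
            elif re.fullmatch(r"[A-Za-z]:\\[^\\]+", path):
                reasons.append("runs from the drive root, where installers do not put programs")
            elif "\\windows\\" in path.lower():
                # A label like [Narrator] in front of yyyguq.exe is the pattern
                # Mike points at: the value name and the binary are unrelated.
                stem = _normalize(path.rsplit("\\", 1)[-1].rsplit(".", 1)[0])
                label = _normalize(run.group("name"))
                if label not in stem and stem not in label:
                    reasons.append("value name does not match the binary it starts")
        elif startup and ".lnk" not in startup.group("item").lower():
            reasons.append("startup-folder item that is not a .lnk shortcut")
    elif e.section == "O21":
        reasons.append("shell service object DLL loaded into Explorer: verify the publisher")
    return reasons


def triage(before: str, after: str) -> dict[str, list[str]]:
    """Every entry of the newer scan that deserves a look, with the reasons."""
    added, _removed = diff_logs(before, after)
    flagged: dict[str, list[str]] = {}
    for e in parse_log(after):
        reasons = triage_entry(e)
        if e in added:
            reasons.append("new since the previous scan")
        if reasons:
            flagged[f"{e.section} - {e.body}"] = reasons
    return flagged


if __name__ == "__main__":
    for line, why in triage(SCAN_JAN10, SCAN_JAN11).items():
        print(line)
        for r in why:
            print("    ->", r)
```

Run as a script it prints six entries from the 1/11 excerpt with their reasons; the Synaptics driver and the Office shortcut pass every check. Note that "new since the previous scan" is deliberately not a verdict: the HouseCall control is flagged only because it is new, which is exactly the kind of change a human then recognises as the scanner's own component, while the same diff would also have caught yyyigf.exe appearing in the startup folder between the two scans.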


January 12th, 2005 22:00

Shawn,

Yes, I'll need the full names (including the path) of the files that cannot be deleted; they might be sitting in the system restore folder.

-

Delete that file from the prefetch folder.


Now, let's run HiJackThis, then click on "Config...", then "Misc Tools", then "Open process manager". Now, while holding down the CTRL key, click on each of the following:

   

C:\gam.exe
C:\mac.exe
C:\WINDOWS\system32\yyyguq.exe
 
VideoLanPlayer.exe
winssv.exe
SndMon32.exe
yyyigf.exe

 
You'll have to locate the one(s) above in the process task list since the path is not readily apparent. Double-check and make sure only those seven are highlighted, then click "Kill process". Now, refresh the list and make sure they're gone, repeating this step if necessary.
 

Run HiJackThis and click " Scan", then check(tick) the following, if present:
 
 
O4 - HKLM\..\Run: [USBHWDRV] C:\gam.exe
O4 - HKLM\..\Run: [USBHWINFO] C:\mac.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\yyyguq.exe 
O4 - HKCU\..\Run: [Video Lan Player] VideoLanPlayer.exe 
O4 - HKCU\..\Run: [Win32 SSL Driver] winssv.exe 
O4 - HKCU\..\Run: [Windows Sound Manager] SndMon32.exe 
O4 - Global Startup: officejet 6100.lnk = ? 
O4 - Global Startup: yyyigf.exe 
 
 
Now, with all windows closed except HiJackThis, click " Fix checked".
 

 
Don't reboot your computer just yet and post back a new log.
 
Mike.
 

Message Edited by Midnight Star on 01-12-2005 06:11 PM


January 13th, 2005 11:00

Mike,
Thanks, I will give it a shot tonight. Couple of questions. One, currently should the system restore be "on" or "off"? Secondly, with the trendmicro scan, the files it identified were "non cleanable"; there was a "clean" and also a "delete" button for choices. Should I have selected "delete"? I didn't want to do more harm than good so I didn't choose anything. Below I have included file paths for the 12 files that Housecall identified. The first 2 have names after "documents and settings", so I have replaced them with "xxxx.xxxxxx", hope that is OK.
  1. TROJ DLOADER.Z = c:\Documents and Settings\xxxx.xxxxxx\Local Settings\Temp\install.exe
  2. TROJ DLOADER.Z = c:\Documents and Settings\xxxx.xxxxxx.000\Local Settings\Temp\install.exe
  3. BKDR BERBEW.I = c:\windows\system32\config\system profile\Local Settings\Temporary Internet Files\content\.1e5\09yjkij\kk{1}.gif
  4. BKDR BERBEW.I = c:\windows\system32\cgokjj32.exe
  5. BKDR BERBEW.I = c:\windows\system32\Ejpnlgao.dll
  6. TROJ NARRATOR.Z = c:\windows\system32\gggqui.dll
  7. BKDR BERBEW.I = c:\windows\system32\Gjdpkipq.exe
  8. BKDR BERBEW.I = c:\windows\system32\Gmgeofmf.exe
  9. BKDR BERBEW.I = c:\windows\system32\kkihmg32.dll
  10. BKDR BERBEW.I = c:\windows\system32\Nbbenp32.dll
  11. BKDR BERBEW.I = c:\windows\system32\qqiwty.exe
  12. TROJ PURSC.A = c:\mac.exe

Let me know if there is anything else I can try tonight when I work on the problem.  Thanks again.

Shawn


January 13th, 2005 15:00

Shawn,

Those are very good questions. Let me try and answer some of them:

currently should the system restore be "on" or "off"

Normally, it should be on. A lot of malware 'fighters' will turn this off to clear out the restore points and to prevent anything being 'fixed' from being 'saved' by windows, while they are working with the user to clean off their system. I like to 'flush' this last (turn it off then back on). That way, if anything goes wrong during the entire cleaning process, they always have their restore points to help them potentially recover. Some cleaning can cover many days, so as a general rule, I don't want their system restore functionality turned off for that long.
 
the trendmicro scan, the files it identified were "non cleanable", there was a "clean" and also a "delete" button for choices.  Should I have selected "delete"? 
 
Yes. You might also try checking (ticking) "Auto Clean" and see if that will automatically remove them. I know a lot of it looks 'greek', but in almost 100% of the cases, randomly named files are 'bad'.
 
Nothing really should be running from a "temp" folder. If you remove it and it's something you've downloaded and installed, just uninstall, then reinstall it in its own folder, or move it to its own folder. Most legit applications will never install themselves there. When the temporary folders are cleared, unless the program is actively running from there, they'll be deleted anyways.
 
The first 2 have names after "documents and settings", so I have replaced them with "xxxx.xxxxxx", hope that is OK.
 
Absolutely! I wish more posters would do that, if they didn't want theirs or others' name(s) posted on a public board.
 
-
 
Mike.
 


January 13th, 2005 15:00

Mike,

I really appreciate all the help.  Final question of the day.  Should I re-run the trendmicro scan and delete the identified files first, or should I proceed with Hijack this, with a trendmicro scan afterwards?

Thanks,

Shawn


January 13th, 2005 16:00

Shawn,

You're welcome! Ok, fire away ... :)

Just to be safe, I'd re-run the TrendMicro scan first; if it was my system, I'd run at least two or more different online scans - just to make sure they all came up clean. As long as any portion of those potentially remains on that system, it can replicate or move itself while running or on each bootup.

-

Mike.

 

Message Edited by Midnight Star on 01-13-2005 12:15 PM


January 14th, 2005 10:00

Mike,
Ok, last night I did the following. I deleted the "yyyguq" file from the prefetch folder. Secondly, I ran Housecall with "auto-clean" ticked. The same 12 files appeared, again as non-cleanable. I clicked "delete". Housecall couldn't delete 2 of the files. If I remember correctly the two that wouldn't delete were:
TROJ NARRATOR.Z from c:\Windows\system32\gggqui.exe
TROJ PURSC.A from c:\mac.exe
I believe the message was that they were running and couldn't be removed. Anyway, I proceeded to the HijackThis process manager. I didn't see any of the files that you listed to "kill process", so I proceeded to run a scan. Once finished I ticked the above mentioned files and fixed them. Here is the new log. I wanted to run Housecall again, but it was late, so I will have to run it again tonight.
Logfile of HijackThis v1.99.0
Scan saved at 11:18:44 PM, on 1/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://by19fd.bay19.hotmail.msn.com/cgi-bin/getmsg?msg=MSG1098379335.1&mfs=&_HMaction=move&tobox=F000000004&direction=next&wo=&curmbox=F000000001&a=e42ac93e493df7c1bacd24bacc5b4e9a
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O21 - SSODL: mtklef - {9E541990-DBA8-4EFE-0D97-7FCE715C2817} - C:\WINDOWS\System32\zxci32.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Let me know if something has spawned elsewhere.
Thanks again,
Shawn


January 14th, 2005 13:00

Shawn,

That log is looking a lot better - Good work! It looks like there are just a few more processes that we need to fix and you should be back in working order. Thanks for the feedback ... :)

-

Let's get started ...



Run HiJackThis then:
 
1.  Click " Config..."
2.  Click " Misc Tools"
3.  Click " Open Process manager"
 
-
 
Next, while holding down the CTRL key, locate ( if present) and click on ( highlight) each of the following:
 
    C:\Program Files\Admilli Service\AdmilliServ.exe
 
Now double-check and make sure that only those item(s) above are highlighted, then click " Kill process". Now, click " Refresh", check again, and repeat this step if any remain.
 


Now, let's run HiJackThis, then:
 
1.  click " Config..."
2.  click " Misc Tools"
3.  click " Delete a file on reboot"
4.  browse to, then double-click on each of the file(s) below, one at a time, if present:
 
    C:\Program Files\Admilli Service\AdmilliServ.exe
    C:\WINDOWS\System32\zxci32.dll
 
5.  when prompted to " Reboot Now", after selecting each file, select " No"
 


Run HiJackThis and click " Scan", then check(tick) the following, if present:
 

O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe 
 
O21 - SSODL: mtklef - {9E541990-DBA8-4EFE-0D97-7FCE715C2817} - C:\WINDOWS\System32\zxci32.dll 
 

Now, with all windows closed except HiJackThis, click " Fix checked".
 

 
Let's double-check and make sure these are removed. If not, let's try to manually delete them:

C:\gam.exe
C:\mac.exe
C:\WINDOWS\system32\yyyguq.exe  
C:\Program Files\Admilli Service   <=== folder
-
 
You'll have to do a search for these:
 
VideoLanPlayer.exe  
winssv.exe  
SndMon32.exe  
yyyigf.exe 
 
-
 
Also try omitting the '.exe' extension and putting an asterisk in front, and behind the 'base' filename, like this: *yyyigf* just to see if they're located elsewhere on your harddrive.
 


Now let's do some cleanup...
 
1.  Run " Disk Cleanup" and allow it to remove everything it finds.
 
2.  Go to www.trendmicro.com and click " Free Online Scan", then " Scan now, it's free!". When it's downloaded, select all available drives, then check(tick) " Auto clean", then click " Scan".
 
3.  Run AdAware SE Personal and " perform a full system scan", then Spybot S&D, and "Check for Problems". Let them both remove the residual 'problems' left that HiJackThis couldn't fix.
 
4.  Disable, then re-enable system restore; with a reboot in-between. Then immediately create a new system point manually.
 

Post back a final log for clearance.

Mike.

 


January 15th, 2005 16:00

Mike,

Ok tell me how this one looks.

Logfile of HijackThis v1.99.0
Scan saved at 1:49:10 PM, on 1/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://by19fd.bay19.hotmail.msn.com/cgi-bin/getmsg?msg=MSG1098379335.1&mfs=&_HMaction=move&tobox=F000000004&direction=next&wo=&curmbox=F000000001&a=e42ac93e493df7c1bacd24bacc5b4e9a
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks for the help,

Shawn


January 15th, 2005 17:00

Shawn,

That log looks good to me!



Here are a few entry(s) you might want to check out:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://by19fd.bay19.hotmail.msn.com/cgi-bin/getmsg?msg=MSG1098379335.1&mfs=&_HMaction=move&tobox=F000000004&direction=next&wo=&curmbox=F000000001&a=e42ac93e493df7c1bacd24bacc5b4e9a

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab


-

I'm not sure what these are, and if you don't know either, just have HiJackThis remove them.



Good work on 'cleaning' up your system!

Mike.


January 16th, 2005 18:00

Mike,
Hmm, they look familiar (at least to me, the novice). We have a hotmail account and load a lot of photos to the Ofoto website, so I am not sure if these should remain. I haven't had any more issues, so I think these are ok. Thanks for all the help, I was starting to think we had a really nice Dell paperweight. Any suggestions for preventing this in the future? I plan on weekly checks at trendmicro, and I have a download from my school for virus protection; am I missing anything? Again, thanks for taking the time to help, I can't tell you how much I appreciate it.
Shawn
