Hey Rambro,
I fallowed the instructions. When i went to manually delete ddaby.ddl i could'nt as it said it was being used.
But after rebooting and doing the hijackthis fixes. I have not yet had a detection of it. I think it is fixed!
Here is the log.
Logfile of HijackThis v1.99.1
Scan saved at 8:58:49 AM, on 9/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
c:\windows\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\windows\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
F:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Maximizer\Campaign Manager\AutoProgService.exe
F:\Program Files\Maximizer\Campaign Manager\AutoPrintService.exe
C:\WINDOWS\System32\ctfmon.exe
F:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\devldr32.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 198.135.204.157:80
N3 - Netscape 7: user_pref("browser.startup.homepage", "
http://home.netscape.../7_2/home.html"); (C:\Documents and Settings\Jeff\Application Data\Mozilla\Profiles\default\7nbhesdx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jeff\Application Data\Mozilla\Profiles\default\7nbhesdx.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoProgService] "F:\Program Files\Maximizer\Campaign Manager\AutoProgService.exe" -runexe
O4 - HKLM\..\Run: [AutoPrintService] "F:\Program Files\Maximizer\Campaign Manager\AutoPrintService.exe" -runexe
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\regclean.exe" -startminimize
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Score Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - F:\PROGRA~1\SCOREP~1\client.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_7947.dll' missing
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akama...meInstaller.exeO17 - HKLM\System\CS1\Services\Tcpip\..\{5A763252-C8FB-4CFE-97D0-F6BDEA934F18}: NameServer = 24.153.22.67,24.153.22.66
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
and the combofix log:
Jeff - 06-09-17 8:43:04.57 Service Pack 1
ComboFix 06.09.14 - Running from: C:\Documents and Settings\Jeff\Desktop
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\Common Files\Y1123OU.exe
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{1F110ADA-044C-1033-1130-010508250001}
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\WINDOWS\CURITY~1
C:\QooBox\Purity\Documents and Settings\Jeff\My Documents\MANTEC~1
C:\QooBox\Purity\Documents and Settings\Jeff\My Documents\MANTEC~1\??mantec
((((((((((((((((((((((((((((((( Files Created from 2006-08-17 to 2006-09-17 ))))))))))))))))))))))))))))))))))
2006-08-26 09:25 66,480 --a------ C:\WINDOWS\system32\SSPNG2.DLL
2006-08-26 09:25 49,152 --a------ C:\WINDOWS\system32\ArmAccess.dll
2006-08-26 09:25 240,640 --a------ C:\WINDOWS\system32\imgman31.dll
2006-08-22 03:34 989,280 ---hs---- C:\WINDOWS\system32\ybadd.bak1
2006-08-20 03:34 982,172 ---hs---- C:\WINDOWS\system32\ybadd.bak2
2006-08-19 15:47 57,384 --a------ C:\WINDOWS\system32\avsda.dll
2006-08-19 15:34 573,492 --------- C:\WINDOWS\system32\ddaby.dll
2006-08-19 15:30 32,768 --a------ C:\WINDOWS\system32\issearch.exe.vir
2006-08-19 15:29 2 --a------ C:\WINDOWS\system32\wnstssv.exe
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
Rootkit driver pe386 is present. A rootkit scan is required2006-09-10 14:20 -------- d-------- C:\Documents and Settings\Jeff\Application Data\TrojanHunter
2006-08-27 22:07 -------- d-------- C:\Documents and Settings\Jeff\Application Data\Tekt
2006-08-20 09:37 -------- d-------- C:\Documents and Settings\Jeff\Application Data\My Battle for Middle-earth Files
2006-08-19 15:47 -------- d-------- C:\Program Files\AntiVir PersonalEdition Classic
2006-08-15 08:04 -------- d-------- C:\Program Files\MSXML 4.0
2006-08-14 14:52 -------- d-------- C:\Program Files\Mozilla Firefox
2006-07-28 09:30 62744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-07-28 09:30 236824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Steam"=""
"Registry Cleaner"="\"C:\\Program Files\\Registry Cleaner Trial\\Regclean.exe\" -startminimize"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\\Program Files\\Google\\Gmail Notifier\\gnotify.exe"
"iTunesHelper"="\"F:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"AutoProgService"="\"F:\\Program Files\\Maximizer\\Campaign Manager\\AutoProgService.exe\" -runexe"
"AutoPrintService"="\"F:\\Program Files\\Maximizer\\Campaign Manager\\AutoPrintService.exe\" -runexe"
"THGuard"="\"F:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,c0,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
backup-20060917-084112-783
O20 - Winlogon Notify: winlvw32 - winlvw32.dll (file missing)
backup-20060917-084112-331
O4 - HKCU\..\Run: [Tovju] C:\WINDOWS\system32\?racle\?poolsv.exe
backup-20060917-084112-517
O2 - BHO: (no name) - {ED7DB9A4-7364-73B5-12B1-26C0A42102C3} - C:\WINDOWS\System32\yjbzzcy.dll (file missing)
backup-20060917-084112-997
O2 - BHO: (no name) - {D4AABAF9-246E-78B1-1C51-28F077BC3DC1} - C:\WINDOWS\System32\azyier.dll (file missing)
backup-20060917-084107-968
O2 - BHO: (no name) - {C8F7AE24-1385-4379-BCA9-93E1CF12B755} - C:\WINDOWS\System32\ddaby.dll
backup-20060917-084112-154
O20 - Winlogon Notify: ddaby - C:\WINDOWS\System32\ddaby.dll
backup-20060917-084107-425
O2 - BHO: CInterfaceObj Object - {58F07DD3-924D-4141-BC74-299F523A95F1} - C:\WINDOWS\pxwma.dll (file missing)
backup-20060910-120128-439
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} -
http://66.230.146.53/EPlugin.cabbackup-20060910-120127-254
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
http://security.syma...bin/AvSniff.cabbackup-20060910-120128-260
O17 - HKLM\System\CS1\Services\Tcpip\..\{5A763252-C8FB-4CFE-97D0-F6BDEA934F18}: Domain = tjem.com
backup-20060910-120127-441
O4 - HKCU\..\Run: [fkzu] C:\PROGRA~1\COMMON~1\fkzu\fkzum.exe
backup-20060910-120127-964
O4 - HKCU\..\Run: [Auso] "C:\DOCUME~1\Jeff\MYDOCU~1\MANTEC~1\winspool.exe" -vt ndrv
backup-20060910-120127-704
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
backup-20060910-120127-636
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
backup-20060910-120127-219
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
backup-20060910-120127-798
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
backup-20060910-120127-949
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
backup-20060910-120127-956
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
backup-20060910-120127-821
O1 - Hosts: 69.65.0.9 L2authd.lineage2.com
backup-20060910-120127-287
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
backup-20060910-120127-999
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
backup-20060910-120127-371
R3 - URLSearchHook: (no name) - {D4AABAF9-246E-78B1-1C51-28F077BC3DC1} - C:\WINDOWS\System32\azyier.dll
backup-20060910-120127-976
R3 - URLSearchHook: (no name) - {ED7DB9A4-7364-73B5-12B1-26C0A42102C3} - C:\WINDOWS\System32\yjbzzcy.dll (file missing)
backup-20060910-120127-196
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
backup-20060910-120127-394
O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
backup-20060910-120127-279
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
Completion time: Sun 09/17/2006 8:44:12.65
ComboFix.txt