[INACTIVE] OIN, Aurora, and WinFixer


#16 palagibaboy (Member, Topic Starter, 20 posts)
Ok, well... I tried to get rid of the "r" file in the system32 folder (for future reference to others, I found the easiest way to find it was to do a folder view by detail and then sort by size: the "r" file is about 82 K).

Unfortunately, when I tried to delete it, I kept getting an error that said something like "Cannot delete. In use by another person or program. Close other programs and try again."

So, it's still there. Here's the file. I'm not going to shut down again. I'm not sure if the fact that I still cannot uninstall MSAS (even though it's expired) might have anything to do with it. I'll await your next directions. Thanks!


....................................

Logfile of HijackThis v1.99.1
Scan saved at 9:20:18 PM, on 8/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\wgpgnz.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Documents and Settings\Riverstone\Desktop\michael\virus\hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [mscgwxm] c:\windows\system32\wgpgnz.exe r
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jedimack.net
O17 - HKLM\Software\..\Telephony: DomainName = jedimack.net
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


#17 palagibaboy (Member, Topic Starter, 20 posts)
Hmmm... I just noticed that, even though I had deleted all the jedimack.net items, they've reappeared in the O17 listings. I don't know if that has anything to do with it. I didn't install the jedimack files at all.

#18 Bugbatter (Malware Expert, MVP, 341 posts)
Yes, I noticed those jedimack entries.

Nail is back. We will have to do the entire fix from the beginning tomorrow. At least you know how to find that file now.

I'll repost the fix in the morning, as long as we are on page 2.

#19 Bugbatter (Malware Expert, MVP, 341 posts)
Okay, here we go again... back to work on Nail and your Epolvy trojan.

You already have the tools, but I would like you to download one more, just so you have it if we need it. If we do not use it, you can delete it after we have confirmed that your log is clean and you are having no problems.

As always, please print this so you do not miss any steps.

Please download Pocket Killbox: http://www.downloads...org/KillBox.exe
Save it on your desktop, so you can find it if we need it later on.
Do not run it now. I will let you know IF we need it.

Launch ewido.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Exit Ewido. DO NOT scan yet.

Reboot into Safemode.
Once in Safe Mode, please double-click on nailfix.exe. Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish". Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next, run Ewido again.
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Then run HijackThis, click Scan, and place a checkmark by the following items:

O4 - HKLM\..\Run: [mscgwxm] C:\windows\system32\wgpgnz.exe r
**NOTE:
The O4 entry WILL have changed names if you have rebooted since posting the log; look for an entry with a similar format, that will always end in a single letter r.
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jedimack.net
O17 - HKLM\Software\..\Telephony: DomainName = jedimack.net
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


Close all open windows except for HijackThis and click Fix Checked. Close HJT.

Locate and delete the following file:
c:\windows\system32\wgpgnz.exe (or whatever the name may have changed to, as noted above. Based on your prior experience with this critter, at least now you know how to find it! Do not just go by size. Make sure the name corresponds with the one in that O4 entry of HJT.)

Now, run CCleaner. Make sure you have done this:
  • Uncheck "Cookies" under "Internet Explorer".
  • If running Firefox: click on the "Applications" tab and uncheck "Cookies" under "Firefox".
  • Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

Edited by Bugbatter, 02 August 2005 - 07:53 AM.


#20 palagibaboy (Member, Topic Starter, 20 posts)
Sorry, I was gone all day yesterday. So, I re-ran the scans. Still had the same problems.

1) I still could not delete the "r" named file from the system32 folder. I got the same error message when I tried to delete it: "Cannot delete. File being used by another person or program.... etc." So it's still there.

Also..

Do not just go by size. Make sure the name corresponds with the one in that O4 entry of HJT


I've found that as soon as I fix the entry, it changes names, so I can't go just by the name that corresponds with the entry. Searching by size is the only way I can find it expediently. It changes everything (date created, etc.).. except size and version type (something like 1.1.0.3 or whatever).

Anyhoo. I still couldn't delete it, so it's still there. Looks like the next step is necessary.

Note also that when I ran HijackThis, the svcproc.exe line item didn't show up:

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

I didn't see this in the list of items to delete.


Ok.. here are the log files:


Hijackthis

..............

Logfile of HijackThis v1.99.1
Scan saved at 11:17:17 AM, on 8/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
c:\windows\system32\lubjwa.exe
C:\Documents and Settings\Riverstone\Desktop\michael\virus\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [nyfbqg] c:\windows\system32\lubjwa.exe r
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

.............

Ewido Scan

..............

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:05:47 AM, 8/3/2005
+ Report-Checksum: 33964380

+ Scan result:

[772] c:\windows\system32\udzsif.exe -> Adware.BetterInternet : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Riverstone\Cookies\riverstone@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Program Files\amda\uacn.exe -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ActiveX.ocx -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\hpdbze.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\igfxtray.exe -> TrojanDropper.Paradrop.a : Cleaned with backup
C:\WINDOWS\system32\udzsif.exe -> Adware.BetterInternet : Cleaned with backup


::Report End

#21 Bugbatter (Malware Expert, MVP, 341 posts)

I've found that as soon as I fix the entry, it changes names, so I can't go just by the name that corresponds with the entry.

Yes. Exactly, and that is what is reinfecting you.
The O4 entry WILL have changed names if you have rebooted since posting the log; look for an entry with a similar format, that will always end in a single letter r.

Try this:

Scan with HJT. Write down the name of that file with the "r" at the end. Do not reboot.
Run the KILLBOX ...

Check the following boxes:

Delete on Reboot

Delete the file per the instructions below.

In the box where it says "Full Path of File to Delete" place the file path to that "r" in there:

For example: c:\windows\system32\whatever.exe

With Standard file to kill ticked with a dot the next setting Delete on Reboot ... then answer "yes" to reboot now!

Go into Safemode, run HJT, and fix this item:

For example: O4 - HKLM\..\Run: [whatever] c:\windows\system32\whatever.exe r

Reboot normally ... post another HJT log.

Good luck!
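The two posts above agree on the practical problem: the file name and the Run value name change on every fix, so the entry has to be recognised by what does not change (the HKLM Run location, the system32 directory, the single "r" argument) rather than by name. The following script is an added example written for this page, not a tool from the thread or from the HijackThis author; it parses HJT-style entry lines copied from the three logs posted here (constructed sample, with a few benign entries kept for contrast), groups the rotating O4 entry across scans by that stable fingerprint, and also flags the other items Bugbatter told the poster to fix: the extra executable on the system.ini Shell= line (F2), the O17 domain entries and the unowned service living directly in C:\WINDOWS. The 5-8 lowercase-letter "random name" heuristic and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: entry lines copied from the three HijackThis logs in this thread
# (scans of 8/1, 8/3 and 8/4), plus a few benign entries from the same logs for contrast.
LOGS = {
    "8/1": r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [mscgwxm] c:\windows\system32\wgpgnz.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jedimack.net
O17 - HKLM\Software\..\Telephony: DomainName = jedimack.net
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
""",
    "8/3": r"""
O4 - HKLM\..\Run: [nyfbqg] c:\windows\system32\lubjwa.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""",
    "8/4": r"""
O4 - HKLM\..\Run: [onsyava] c:\windows\system32\mgxraof.exe r
""",
}

ENTRY_RE = re.compile(r"^(F\d|O\d+) - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
SERVICE_RE = re.compile(r"^Service: (.+?) \((\w+)\) - (.+?) - (.+)$")
LOWER_JUNK = re.compile(r"^[a-z]{5,8}$")  # assumed shape of the throwaway names in the thread


def parse_entries(text):
    """Split a HijackThis log into (section, body) pairs; header and process list are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(m.groups())
    return out


def rotating_run_entries(entries):
    """O4 Run entries with a random lowercase value name, a random lowercase exe in
    system32 and the single argument 'r' (the pattern in all three logs on this page)."""
    hits = []
    for section, body in entries:
        m = RUN_RE.match(body) if section == "O4" else None
        if not m:
            continue
        hive, name, command = m.groups()
        parts = command.split()
        if len(parts) != 2 or parts[1] != "r":
            continue
        pm = re.match(r"^[a-z]:\\windows\\system32\\([a-z]+)\.exe$", parts[0].lower())
        if pm and LOWER_JUNK.match(name) and LOWER_JUNK.match(pm.group(1)):
            hits.append({"hive": hive, "name": name, "path": parts[0], "arg": parts[1]})
    return hits


def fingerprint(hit):
    """Everything about the entry that survives a rename: hive, directory and argument."""
    directory = hit["path"].lower().rsplit("\\", 1)[0]
    return (hit["hive"], directory, hit["arg"])


def track_across_logs(logs):
    """Group rotating entries from several scans by fingerprint, so a rename shows up
    as one persistence item with a changing file name instead of three unrelated ones."""
    seen = defaultdict(list)
    for date, text in logs.items():
        for hit in rotating_run_entries(parse_entries(text)):
            seen[fingerprint(hit)].append((date, hit["path"]))
    return dict(seen)


def shell_hijack(entries):
    """Executables appended after Explorer.exe on the system.ini Shell= line (F2)."""
    for section, body in entries:
        m = re.match(r"^REG:system\.ini: Shell=(.*)$", body)
        if section == "F2" and m:
            tokens = m.group(1).split()
            if tokens and tokens[0].lower() == "explorer.exe":
                return tokens[1:]
    return []


def domain_entries(entries):
    """Domain names set in the O17 TCP/IP Parameters and Telephony keys."""
    found = []
    for section, body in entries:
        m = re.match(r"^HKLM\\.*: Domain(?:Name)? = (.+)$", body)
        if section == "O17" and m:
            found.append(m.group(1).strip())
    return found


def unowned_windows_root_services(entries):
    """O23 services with no vendor whose binary sits directly in the Windows directory."""
    found = []
    for section, body in entries:
        m = SERVICE_RE.match(body) if section == "O23" else None
        if not m:
            continue
        _display, short, owner, path = m.groups()
        if owner == "Unknown owner" and re.match(r"^[a-z]:\\windows\\[^\\]+\.exe$", path.lower()):
            found.append((short, path))
    return found


if __name__ == "__main__":
    for fp, sightings in track_across_logs(LOGS).items():
        print("same Run item, renamed between scans:", fp)
        for date, path in sightings:
            print("   ", date, path)
    first = parse_entries(LOGS["8/1"])
    print("Shell= extras:", shell_hijack(first))
    print("O17 domains:", domain_entries(first))
    print("unowned services in the Windows root:", unowned_windows_root_services(first))
```

Run against the three logs, the three differently named files collapse onto one fingerprint, which is the check to apply before trusting a "clean" log: the O4 line disappearing is only meaningful if no other entry with the same fingerprint has taken its place. The service heuristic deliberately does not flag the WinPcap and RealVNC entries, which are also "Unknown owner" but live under Program Files and were not part of the fix.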

#22 palagibaboy (Member, Topic Starter, 20 posts)

Yes. Exactly, and that is what is reinfecting you.
The O4 entry WILL have changed names if you have rebooted since posting the log; look for an entry with a similar format, that will always end in a single letter r.


But I haven't rebooted. It changes as soon as I hit the "fix this" button.

Anyways. I'll go back and try the killbox, but I have a feeling there's something missing here.

#23 palagibaboy (Member, Topic Starter, 20 posts)
Ok, I tried to run Killbox, but there was one instruction that was very confusing:

With Standard file to kill ticked with a dot the next setting Delete on Reboot ... then answer "yes" to reboot now!


As far as I could tell, you can't tick "Standard File to Kill" and also select "Delete on Reboot." It's an either/or scenario, since they're all part of the same radio button selections. I just went with "Delete on Reboot," then followed the rest of the standard operating procedure. (I ran Nailfix.exe again, btw, since Nail.exe was still showing up.)

As you can see in the logfile below, I still had no success whatsoever in removing the "r" file. As I noted, it changes names immediately after running the HijackThis scan, selecting the item (O4) and clicking the "Fix checked" button. Just to confirm this, I left the system32 window open (I know you're not supposed to when running the scan, but I just wanted to see what happened after 'fixing' the file), and I visibly saw the file rename itself on the fly.

Trust me. I'm not rebooting at all after running HiJack and going into the system32 folder to try and delete the file. It's renaming itself, which is why I had to resort to searching for it by size (otherwise I'd spend an hour looking for it amidst all the other exe files).

In any case, I still can't delete the file manually out of the system32 folder. I continue to get the "in use by another person or program" message. I don't know if it's managed to protect itself by appearing to be an essential process for windows or what. Maybe the only way to delete it now is via command prompt mode. I dunno.

Anyways, thanks again for helping me along with this. I'm nearing the point where I think maybe a full re-install of XP might just make more sense. There's really not a lot of stuff on this computer that I need to try and save. But I'll await the next instructions.

Maybe DSRIFIX is necessary? I don't know. Thanks!

..............

Logfile of HijackThis v1.99.1
Scan saved at 10:47:30 AM, on 8/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system32\mgxraof.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Riverstone\Desktop\michael\virus\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [onsyava] c:\windows\system32\mgxraof.exe r
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

#24 palagibaboy (Member, Topic Starter, 20 posts)
Ok... I re-ran everything, including re-downloading Nailfix.exe (I heard there was an updated installer, and I just wanted to make sure).

It seems like the "r" file is gone. I also noticed that the program "ABI Network" is no longer listed in my Add/Remove Programs list. OIN is still listed, though.

So, maybe one down, but it still looks like I've got at least one to go.

Here's the latest log.


Logfile of HijackThis v1.99.1
Scan saved at 1:02:11 PM, on 8/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Riverstone\Desktop\michael\virus\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jedimack.net
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

#25
palagibaboy

    Member

  • Topic Starter
  • 20 posts
Oh, btw.. I still get the "machdsdk.dll" error every time I reboot into normal mode.

Also, explorer.exe is really slow to initiate on startup, though that's a minor issue right now.

Thanks again.

#26
Bugbatter

    Malware Expert

  • 341 posts
  • MVP
Let's try this...
I cannot tell you what the "BAD FILE" will be named, so you will have to do some "detective work".

Please download Advanced Process Termination from:
http://www.diamondcs...wnloads/apt.zip
Unzip it to the desktop.

Double-click on My Computer and navigate to C:\WINDOWS\System32. Locate the file [INSERT BAD FILE HERE]. Don't delete it yet, just leave the System32 folder open so you can see the bad file.

Now run APT.exe. Locate the process [INSERT BAD FILE HERE]. Select this process and click Kill 3.

Then immediately return to the My Computer window to your System32 folder. Delete [INSERT BAD FILE HERE].

Then run HijackThis, click Scan, and check:

[INSERT BAD O4 ENTRY HERE]

Close all open windows except for HijackThis and click Fix Checked.

See if that helps.

#27
palagibaboy

    Member

  • Topic Starter
  • 20 posts
Um.. what bad file are you asking me to look for now? As I noted in my last post, the "r" file seems to have finally been removed. What seems to remain, however, is the OIN program (at least it's listed in the 'Add/Remove' program list). I know that trying to remove it opens up a browser, so I'd like to avoid doing that.

Is there another bad file I should be looking for? I can run another Hijackthis scan to see if it's re-installed itself after a little browsing (I've been to google, earthlink.net, and yahoo.. but that's it).

Anyhoo, if you can tell me what the new 'bad file' I should be looking for is, that'd be helpful. At this time, it seems that the re-download of nailfix.exe has done the trick for ABI. (Note: when I took a look inside the system32 folder after running the "fix this" portion of hijackthis, the "bad file" was actually named "delete after reboot 'badfile'.exe" .. so I left it alone).

#28
Bugbatter

    Malware Expert

  • 341 posts
  • MVP
I was replying to your post in which you stated this:

In any case, I still can't delete the file manually out of the system32 folder.

You must have posted in the meantime, and my browser was using a cached copy of the page.

Let's go after that OIN entry in your Add/Remove:
Boot into Safe Mode. Launch HJT.
Click on the Config button
Click on the Misc Tools button
Click on the Open Uninstall Manager button.

You will now be presented with a screen.
See if you can delete OIN by clicking on the entry. Next, click on the Delete this entry button.

Run a scan with HJT, and tick this one again:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jedimack.net

Click "Fix Checked."
Then reboot.

Ewido has had another update today. If you did not get it, please do so, boot into Safe Mode and run ewido.

Follow by running CCleaner again.

Please post fresh logs from ewido and HJT. Thanks.

#29
palagibaboy

    Member

  • Topic Starter
  • 20 posts
Ok.. I ran everything, and it seems OIN is gone. This log below indicates that jedimack is gone...

Logfile of HijackThis v1.99.1
Scan saved at 5:39:59 PM, on 8/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Riverstone\Desktop\michael\virus\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


.............


But, I noticed that jedimack reappeared every time right after I logged online. I ran HJT just five minutes ago, and.. voila... jedimack is back. ;) ...so, one last piece of business, right? :tazz: Thanks for all the patience..

Logfile of HijackThis v1.99.1
Scan saved at 5:46:05 PM, on 8/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Riverstone\Desktop\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jedimack.net
O17 - HKLM\Software\..\Telephony: DomainName = jedimack.net
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

#30
Bugbatter

    Malware Expert

  • 341 posts
  • MVP
Let's try one more time to fix those O17 entries. If they won't leave, that might be an indication of a rootkit infection, and I hope it isn't.
...unless you have a lot of time to put into this.

For now, boot into Safe Mode. Scan with HJT. Tick these:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jedimack.net
O17 - HKLM\Software\..\Telephony: DomainName = jedimack.net
Close ALL windows except HJT and click "Fix Checked."

Reboot normally, and scan with HJT once more.

If you see no signs of jedimack in the new log, flush System Restore, so that (hopefully) you will have a clean Restore Point:
To flush the XP System Restore Points:
(Using XP, you must be logged in as Administrator to do this.)

Go to Start>Run, type msconfig and press Enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.
Check the box labeled Turn Off System Restore.

Reboot. Go back in and turn System Restore ON. A new Restore Point will be created.

Please post your updated HJT log. I'll keep my fingers crossed.

Edited by Bugbatter, 04 August 2005 - 09:57 PM.

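Added example, not code from the thread or from HijackThis: a small Python script that parses HJT-style log lines, pulls out the O17 domain entries Bugbatter asks to have fixed, and diffs two scans to show which entries came back between them, as the jedimack.net lines did between the 5:39 and 5:46 logs above. The two log excerpts are constructed from entries posted in this thread.

```python
import re

# Constructed sample logs modelled on the HJT output posted in this thread.
# LOG_BEFORE is the clean scan; LOG_AFTER is the same scan after the O17
# domain entries reappeared.
LOG_BEFORE = "\n".join([
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe",
])
LOG_AFTER = LOG_BEFORE + "\n" + "\n".join([
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jedimack.net",
    r"O17 - HKLM\Software\..\Telephony: DomainName = jedimack.net",
])

# One HJT entry: a section code (O4, O17, O23, R1 ...), " - ", then the body.
ENTRY_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")
# Body of an O17 entry: "<registry key>: <value name> = <domain>".
O17_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<name>\w+)\s*=\s*(?P<domain>\S+)$")


def parse_hjt(text):
    """Return the set of (section, body) entries found in an HJT log."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def new_entries(before_text, after_text):
    """Entries in the later log that the earlier one lacked, i.e. what was
    re-added (or newly added) between two scans."""
    return sorted(parse_hjt(after_text) - parse_hjt(before_text))


def o17_domains(text):
    """(registry key, value name, domain) for every O17 entry in the log."""
    found = []
    for section, body in sorted(parse_hjt(text)):
        m = O17_RE.match(body) if section == "O17" else None
        if m:
            found.append((m.group("key"), m.group("name"), m.group("domain")))
    return found


if __name__ == "__main__":
    for section, body in new_entries(LOG_BEFORE, LOG_AFTER):
        print(f"reappeared: {section} - {body}")
    for key, name, domain in o17_domains(LOG_AFTER):
        print(f"O17 domain {domain} set via {key} ({name})")
```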