Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 




Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > HijackThis Log Help
win32/Oneraw!generic win32/Oneraw!generic
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read

HijackThis Log Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help.

Reply
 
Thread Tools
Old 03-12-2007, 03:55 PM   #1 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 4
OS: windows XP home edition


Mistake win32/Oneraw!generic
my online protection keeps telling me I have this win32/oneraw!generic. I followed your steps and here are the things you needed to look at.


Panda Log:

Incident Status Location

Adware:adware/seekmo Not disinfected Windows Registry
Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@112.2o7[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@247realmedia[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adopt.hbmediapro[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adrevolver[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ads.addynamix[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[1].txt
Spyware:Cookie/ads.tripod.lycos.com Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ads.tripod.lycos[2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adtech[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adultfriendfinder[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Owner\Cookies\owner@apmebf[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Owner\Cookies\owner@as-eu.falkag[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Owner\Cookies\owner@as-us.falkag[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atwola[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Owner\Cookies\owner@azjmp[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@belnk[1].txt
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Owner\Cookies\owner@bfast[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Owner\Cookies\owner@bluestreak[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Owner\Cookies\owner@bravenet[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Owner\Cookies\owner@burstnet[2].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Owner\Cookies\owner@c.enhance[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cassava[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ccbill[1].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Owner\Cookies\owner@centrport[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[5].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[7].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[8].txt
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Owner\Cookies\owner@citi.bridgetrack[2].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Owner\Cookies\owner@clickbank[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Cookies\owner@com[1].txt
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Owner\Cookies\owner@counter.hitslink[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Owner\Cookies\owner@counter1.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Owner\Cookies\owner@counter10.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Owner\Cookies\owner@counter6.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Owner\Cookies\owner@counter7.sextracker[1].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cs.sexcounter[2].txt
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Owner\Cookies\owner@data.coremetrics[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Owner\Cookies\owner@did-it[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ehg-dig.hitbox[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ehg.hitbox[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@fastclick[2].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Owner\Cookies\owner@fe.lea.lycos[1].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Owner\Cookies\owner@findwhat[1].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Owner\Cookies\owner@fortunecity[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Owner\Cookies\owner@go[1].txt
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@hc2.humanclick[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Owner\Cookies\owner@hg1.hitbox[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Owner\Cookies\owner@hitbox[1].txt
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Owner\Cookies\owner@hotlog[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Owner\Cookies\owner@i.screensavers[2].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Owner\Cookies\owner@landing.domainsponsor[2].txt
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Owner\Cookies\owner@linksynergy[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Owner\Cookies\owner@maxserving[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Cookies\owner@media.adrevolver[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@microsofteup.112.2o7[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Cookies\owner@overture[2].txt
Spyware:Cookie/AspinallsOnlineCasino Not disinfected C:\Documents and Settings\Owner\Cookies\owner@pacificpoker[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Cookies\owner@perf.overture[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Owner\Cookies\owner@phg.hitbox[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Owner\Cookies\owner@qksrv[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Cookies\owner@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@realmedia[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Owner\Cookies\owner@revenue[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Owner\Cookies\owner@searchportal.information[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Cookies\owner@serving-sys[1].txt
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\Owner\Cookies\owner@sexlist[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Owner\Cookies\owner@sextracker[2].txt
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Owner\Cookies\owner@spylog[2].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Owner\Cookies\owner@stat.onestat[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner\Cookies\owner@statcounter[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Owner\Cookies\owner@stats1.reliablestats[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Owner\Cookies\owner@statse.webtrendslive[2].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Owner\Cookies\owner@systemdoctor[2].txt
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Owner\Cookies\owner@targetnet[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Owner\Cookies\owner@target[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Cookies\owner@terra.com[2].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tickle[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Owner\Cookies\owner@toplist[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tradedoubler[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@valueclick[2].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Owner\Cookies\owner@web.tickle[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Owner\Cookies\owner@www.burstbeacon[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Owner\Cookies\owner@www.myaffiliateprogram[2].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Owner\Cookies\owner@www.systemdoctor[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Owner\Cookies\owner@www1.addfreestats[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Owner\Cookies\owner@xiti[1].txt
Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\Owner\Cookies\owner@xxxcounter[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Owner\Cookies\owner@yadro[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Owner\Cookies\owner@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Owner\Cookies\owner@zedo[1].txt
Adware:Adware/Zango Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\1804.tmp
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ad.yieldmanager[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@adrevolver[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@adrevolver[3].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@atdmt[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@bluestreak[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@casalemedia[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@fastclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@mediaplex[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@realmedia[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@statcounter[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@tribalfusion[1].txt
Adware:Adware/MalwareAlarm Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\24UPJWA0\install116[1].cab[install116.exe]

ComboScan.txt:

ComboScan v20070306.20 run by Owner on 2007-03-12 at 17:25:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created ComboScan Restore Point.


-- Last 5 Restore Point(s) --
57: 2007-03-12 22:25:18 UTC - RP213 - ComboScan Restore Point
56: 2007-03-12 22:01:48 UTC - RP212 - Software Distribution Service 2.0
55: 2007-03-09 23:43:14 UTC - RP211 - System Checkpoint
54: 2007-03-08 23:39:20 UTC - RP210 - Installed Ad-Aware SE Personal
53: 2007-03-06 22:44:48 UTC - RP209 - Removed Sprint PCS Connection Manager


-- First Restore Point --
1: 2006-12-11 07:03:32 UTC - RP157 - System Checkpoint


Performed disk cleanup.


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:27:30 PM, on 3/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\D9AXUP9M\comboscan[1].exe
C:\PROGRA~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://noticierodigital.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://laktira8ary8.spaces.msn.com//...d/MsnPUpld.cab
O16 - DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} (LightSurfUploadCtl Class) - http://pictures.sprintpcs.com/active...oadControl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://aolsvc.aol.com/onlinegames/tr...2.1.0.0.67.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://aolsvc.aol.com/onlinegames/fr...g.1.0.0.33.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/iw...amesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/c...cab?v=1,0,0,37
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


-- File Associations -----------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3R E100B (Intel(R) PRO Network Connection Driver) - C:\WINDOWS\system32\drivers\e100b325.sys
3R GEARAspiWDM - C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
3R ialm - C:\WINDOWS\system32\drivers\ialmnt5.sys
3R IntelC51 - C:\WINDOWS\system32\drivers\IntelC51.sys
3R IntelC52 - C:\WINDOWS\system32\drivers\IntelC52.sys
3R IntelC53 - C:\WINDOWS\system32\drivers\IntelC53.sys
1R intelppm (Intel Processor Driver) - C:\WINDOWS\system32\drivers\intelppm.sys
3R MODEMCSA (Unimodem Streaming Filter Device) - C:\WINDOWS\system32\drivers\MODEMCSA.sys
3R mohfilt - C:\WINDOWS\system32\drivers\mohfilt.sys
1S OMCI - C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS (not found)
3R senfilt - C:\WINDOWS\system32\drivers\senfilt.sys
3R smwdm - C:\WINDOWS\system32\drivers\smwdm.sys
3S SONYPVU1 (Sony USB Filter Driver (SONYPVU1)) - C:\WINDOWS\system32\drivers\SONYPVU1.SYS
3S usbccgp (Microsoft USB Generic Parent Driver) - C:\WINDOWS\system32\drivers\usbccgp.sys
3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbehci.sys
3S usbprint (Microsoft USB PRINTER Class) - C:\WINDOWS\system32\drivers\usbprint.sys
3S usbscan (USB Scanner Driver) - C:\WINDOWS\system32\drivers\usbscan.sys
3S USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\system32\drivers\USBSTOR.SYS
1R VET-FILT (VET File System Filter) - C:\WINDOWS\system32\drivers\Vet-Filt.sys
1R VET-REC (VET File System Recognizer) - C:\WINDOWS\system32\drivers\Vet-Rec.sys
3R VETEBOOT (VET Boot Scan Engine) - C:\WINDOWS\system32\drivers\VetEBoot.sys
1R VETEFILE (VET File Scan Engine) - C:\WINDOWS\system32\drivers\VetEFile.sys
1R VETFDDNT (VET Floppy Boot Sector Monitor) - C:\WINDOWS\system32\drivers\VetFDDNT.sys
1R VETMONNT (VET File Monitor) - C:\WINDOWS\system32\drivers\vetmonnt.sys
3S WudfPf (Windows Driver Foundation - User-mode Driver Framework Platform Driver) - C:\WINDOWS\system32\drivers\WudfPf.sys
3S WudfRd (Windows Driver Foundation - User-mode Driver Framework Reflector) - C:\WINDOWS\system32\drivers\WudfRd.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2R CAISafe - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
3S IDriverT (InstallDriver Table Manager) - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
3R iPodService - C:\Program Files\iPod\bin\iPodService.exe
2R LexBceS (LexBce Server) - C:\WINDOWS\system32\LEXBCES.EXE
3S usnsvc (Messenger Sharing USN Journal Reader service) - C:\WINDOWS\system32\svchost.exe -k usnsvc
2R VETMSGNT (VET Message Service) - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
3S YPCService - C:\WINDOWS\system32\YPCSER~1.EXE
2S spupdsvc (Windows Service Pack Installer update service) - C:\WINDOWS\system32\spupdsvc.exe


-- Files created between 2007-02-12 and 2007-03-12 -----------------------------

2007-03-12 17:02:07 0 d-------- C:\WINDOWS\LastGood
2007-03-12 16:36:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-03-12 16:13:19 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~2>
2007-03-12 16:07:17 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>
2007-03-08 20:44:35 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-03-08 18:41:48 0 d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2007-03-08 18:39:32 0 d-------- C:\Program Files\Lavasoft
2007-03-08 18:30:48 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-03-06 19:02:30 0 d-------- C:\Documents and Settings\Owner\Application Data\Help
2007-03-06 17:29:53 0 d-------- C:\Program Files\InCode Solutions<INCODE~1>
2007-03-04 14:29:33 0 d-------- C:\Documents and Settings\Owner\Application Data\PlayFirst<PLAYFI~1>
2007-03-04 14:29:33 0 d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst<PLAYFI~1>
2007-02-15 18:11:35 0 d-------- C:\WINDOWS\ie7updates<IE7UPD~1>
2007-02-15 18:05:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2007-02-13 16:31:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Zylom


-- Find3M Report ---------------------------------------------------------------

2007-03-12 16:31:02 0 d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft<MICROS~1>
2007-03-12 14:59:16 0 d-------- C:\Program Files\MSN Messenger<MSNMES~1>
2007-03-09 17:52:39 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-03-06 17:46:44 0 d-------- C:\Program Files\Common Files\InstallShield<INSTAL~1>
2007-03-06 17:46:04 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-01-29 03:58:06 60416 -----n--- C:\WINDOWS\system32\tzchange.exe
2007-01-12 10:27:42 232960 --a------ C:\WINDOWS\system32\webcheck.dll
2007-01-12 10:27:42 51712 -----n--- C:\WINDOWS\system32\msfeedsbs.dll<MSFEED~1.DLL>
2007-01-12 10:27:42 458752 -----n--- C:\WINDOWS\system32\msfeeds.dll
2007-01-12 10:27:42 6054400 -----n--- C:\WINDOWS\system32\ieframe.dll
2007-01-08 20:04:54 105984 --a------ C:\WINDOWS\system32\url.dll
2007-01-08 20:04:08 102400 --a------ C:\WINDOWS\system32\occache.dll
2007-01-08 20:02:04 266752 --a------ C:\WINDOWS\system32\iertutil.dll
2007-01-08 20:02:04 44544 --a------ C:\WINDOWS\system32\iernonce.dll
2007-01-08 20:02:02 384000 --a------ C:\WINDOWS\system32\iedkcs32.dll
2007-01-08 20:02:02 383488 -----n--- C:\WINDOWS\system32\ieapfltr.dll
2007-01-08 20:02:02 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2007-01-08 20:02:02 230400 --a------ C:\WINDOWS\system32\ieaksie.dll
2007-01-08 20:02:02 153088 --a------ C:\WINDOWS\system32\ieakeng.dll
2007-01-08 20:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll
2007-01-08 20:00:48 124928 --a------ C:\WINDOWS\system32\advpack.dll
2007-01-08 19:08:14 56832 --a------ C:\WINDOWS\system32\ie4uinit.exe
2007-01-08 19:08:10 13824 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-12-19 16:52:18 134656 --a------ C:\WINDOWS\system32\shsvcs.dll
2006-12-19 13:16:47 333824 --a------ C:\WINDOWS\system32\wiaservc.dll


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="1"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"RemoveIT Pro XT"="C:\\Program Files\\InCode Solutions\\RemoveIT Pro v4-Trial\\removeit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"YBrowser"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\SBCSEL~1\\SMARTB~1\\MotiveSB.exe"
"CaAvTray"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVRID.exe\""
"YOP"="C:\\PROGRA~1\\Yahoo!\\YOP\\yop.exe /autostart"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of ComboScan: finished at 2007-03-12 at 17:28:23 ------------------------
Attached Files
File Type: txt Supplementary.txt (5.8 KB, 1 views)
*ARY* is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 03-14-2007, 01:04 AM   #2 (permalink)
Analyst, Security Team; Assistant Rangemaster, TSF Academy
 
Sempurna's Avatar
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Re: win32/Oneraw!generic
Hi *ARY*,

Welcome to Tech Support Forum!

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, here’s what we do first.

I notice that you have SpywareGuard running. Please disable SpywareGuard, as it may interfere with some of our HijackThis fixes:

To disable SpywareGuard:
  • Right click the SpywareGuard icon in the System Tray at the bottom-right corner of the screen and open the program.
  • Then go to Menu -> File -> Exit.
  • Then confirm the program is closed.

You can re-enable SpywareGuard once your system is clean.


NEXT:

Go to the Start menu, and click on Control Panel. Choose Add/Remove Programs and remove any of the following that are listed:

RemoveIT Pro XT


NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe


Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Using Windows Explorer (right-click your Start button and select Explore), please navigate to and delete the following FOLDERS (if they exist):

C:\Program Files\InCode Solutions


NEXT:

Let's run some cleanup and diagnostic scans to make sure we're not leaving anything behind.

Please download CCleaner (freeware) and save it to your desktop:
  1. Run the CCleaner installer.
  2. During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  3. Once installed, run CCleaner and click the Windows tab.
  4. Select the following:
    • Check everything under the Internet Explorer section.
    • Check everything under the Windows Explorer section.
    • Check everything under the System section.
    • Check ONLY Old Prefetch data under the Advanced section.
  5. Then, click the Applications tab:
    • UNCHECK everything there.
  6. Next, click the Options button, then click the Advanced button:
    • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
  7. Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.


NEXT:

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT:

Please do an online scan with Kaspersky Online Scanner:
  1. Click on Kaspersky Online Scanner.
  2. You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  3. The program will launch and then begin downloading the latest definition files.
  4. Once the files have been downloaded click on Next.
  5. Now click on Scan Settings.
  6. In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  7. Click OK.
  8. Now under select a target to scan:
    • Select My Computer.
  9. This program will start and scan your system.
  10. The scan will take a while so be patient and let it run.
  11. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As button.
    • In the File name: field, type kavscan.
    • In the Save as type: field, select Text file (*.txt).
  12. Save the file to your desktop.
  13. Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  1. The log from the ComboFix scan.
  2. The log from the Kaspersky scan.
  3. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
__________________

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Sempurna is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 03-20-2007, 05:06 PM   #3 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 4
OS: windows XP home edition


Re: win32/Oneraw!generic
thanks for your help!
sorry it took me a while to send this info.
I couldnt find the RemoveIT Pro XT program in the add/remove programs list. here is the logs you asked for. thank you for your time.


kavscan log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, March 20, 2007 6:52:59 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 21/03/2007
Kaspersky Anti-Virus database records: 283709
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 33772
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:26:14

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007032020070321\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{ECE54E6E-DE3C-4524-91A4-B6BC8A4C84FC}\RP219\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

hijackthis log:


Logfile of HijackThis v1.99.1
Scan saved at 19:00, on 07-03-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Documents and Settings\Owner\Desktop\ComboFix.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\cmd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://noticierodigital.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://laktira8ary8.spaces.msn.com//...d/MsnPUpld.cab
O16 - DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} (LightSurfUploadCtl Class) - http://pictures.sprintpcs.com/active...oadControl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://aolsvc.aol.com/onlinegames/tr...2.1.0.0.67.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://aolsvc.aol.com/onlinegames/fr...g.1.0.0.33.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/gh...ylomplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/be...loader_v10.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/c...cab?v=1,0,0,37
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Combofix log:

"Owner" - 07-03-20 18:59:18 Service Pack 2
ComboFix 07-03-20.2 - Running from: "C:\Documents and Settings\Owner\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-02-20 to 2007-03-20 ))))))))))))))))))))))))))))))))))


2007-03-20 18:16 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-03-20 18:16 <DIR> d-------- C:\WINDOWS\LastGood
2007-03-20 17:39 <DIR> d-------- C:\Program Files\CCleaner
2007-03-12 23:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PopCap
2007-03-12 16:13 <DIR> d-------- C:\Program Files\SpywareGuard
2007-03-12 16:07 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-03-08 20:44 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-03-08 18:41 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-03-08 18:39 <DIR> d-------- C:\Program Files\Lavasoft
2007-03-08 18:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-03-06 19:02 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Help
2007-03-04 14:29 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\PlayFirst
2007-03-04 14:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-12 16:13 -------- d-------- C:\Program Files\spywareguard
2007-03-12 16:07 -------- d-------- C:\Program Files\spywareblaster
2007-03-12 14:59 -------- d-------- C:\Program Files\msn messenger
2007-03-09 17:52 -------- d-------- C:\Program Files\quicktime
2007-03-08 18:39 -------- d-------- C:\Program Files\lavasoft
2007-03-06 17:46 -------- d--h----- C:\Program Files\installshield installation information
2007-03-04 14:29 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\playfirst
2007-01-08 20:01 17408 --a------ C:\WINDOWS\system32\corpol.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="1"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"YBrowser"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\SBCSEL~1\\SMARTB~1\\MotiveSB.exe"
"CaAvTray"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVRID.exe\""
"YOP"="C:\\PROGRA~1\\Yahoo!\\YOP\\yop.exe /autostart"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"