Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 




Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > HijackThis Log Help
Yahoo Messenger Unknown Error Yahoo Messenger Unknown Error
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read

HijackThis Log Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help.

Reply
 
Thread Tools
Old 06-06-2008, 04:21 AM   #1 (permalink)
Registered User
 
Join Date: Mar 2008
Posts: 21
OS: XP


Yahoo Messenger Unknown Error
Yahoo messenger is supposed to run at startup, however, I notice that when I run the program manually, it automatically shuts down (viewing from the windows task manager) I noticed the first error today at 7 am and ran a deckard system scan. I noticed a strange bat file name lgrncie.bat. Here is the deckard main.txt log.

Deckard's System Scanner v20071014.68
Run by user on 2008-06-06 07:03:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as user.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:04:56 AM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Documents and Settings\user\Desktop\Fix Computer Files\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\user.exe
C:\Program Files\internet explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [LifeCam] "c:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] ; "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] ; "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nwiz] ; nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] ; "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] ; C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...47/mcfscan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 8701 bytes

-- Files created between 2008-05-06 and 2008-06-06 -----------------------------

2008-06-06 00:12:00 131584 -r-hs---- C:\WINDOWS\system32\kavo1.dll
2008-06-06 00:11:34 121300 -r-hs---- C:\lgrncie.bat
2008-06-06 00:11:07 131584 -r-hs---- C:\WINDOWS\system32\kavo0.dll
2008-06-06 00:11:07 121300 -r-hs---- C:\WINDOWS\system32\kavo.exe
2008-05-27 00:25:35 0 d-------- C:\Program Files\Gam Poker Analyzer
2008-05-22 13:50:52 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-05-22 13:50:46 0 d--h----- C:\Program Files\Tweak-XP Pro 4
2008-05-19 10:50:13 0 d-------- C:\Program Files\EsetOnlineScanner
2008-05-18 01:26:34 0 d-------- C:\Documents and Settings\user\Application Data\Ubisoft
2008-05-18 01:26:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-05-18 01:19:22 0 d--h----- C:\WINDOWS\msdownld.tmp
2008-05-17 20:04:31 1970176 --a------ C:\WINDOWS\system32\d3dx9.dll
2008-05-17 20:04:31 679936 --a------ C:\WINDOWS\system32\D3DX81ab.dll <Not Verified; Generated by JEDI; D3DX81>
2008-05-17 20:04:29 0 d-------- C:\Program Files\Cheat Engine
2008-05-15 15:36:53 0 d-------- C:\WINDOWS\system32\Futuremark
2008-05-14 10:53:25 0 d-------- C:\cmdcons
2008-05-11 17:34:30 0 d-------- C:\Documents and Settings\user\Application Data\GetRightToGo
2008-05-07 09:29:36 0 d-------- C:\Documents and Settings\Maryliza\Copy of Desktop


-- Find3M Report ---------------------------------------------------------------

2008-06-06 06:36:33 0 d-------- C:\Program Files\Yahoo!
2008-06-06 06:35:35 0 d-------- C:\Documents and Settings\user\Application Data\Yahoo!
2008-06-06 06:10:48 0 d-------- C:\Documents and Settings\user\Application Data\SiteAdvisor
2008-05-31 19:58:55 0 d-------- C:\Documents and Settings\user\Application Data\Azureus
2008-05-22 21:43:41 0 d-------- C:\Program Files\SiteAdvisor
2008-05-22 13:46:01 0 d--h----- C:\Program Files\Azureus
2008-05-10 06:31:03 0 d-------- C:\Program Files\AIM
2008-05-10 06:30:48 0 d-------- C:\Documents and Settings\user\Application Data\Aim
2008-05-10 06:26:51 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-09 21:43:20 0 d-------- C:\Program Files\Incomplete
2008-05-09 21:23:42 0 d-------- C:\Program Files\LimeWire
2008-04-17 23:18:42 0 d-------- C:\Documents and Settings\user\Application Data\LimeWire
2008-04-17 20:32:34 0 d-------- C:\Program Files\Apple Software Update
2008-04-17 05:52:23 0 d-------- C:\Program Files\iTunes
2008-04-17 05:52:16 0 d-------- C:\Program Files\iPod
2008-04-17 05:51:04 0 d-------- C:\Program Files\QuickTime


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05/14/2007 07:33 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [05/14/2007 07:33 PM]
"RTHDCPL"="RTHDCPL.EXE" [04/26/2007 05:27 PM C:\WINDOWS\RTHDCPL.exe]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [08/13/2004 04:05 AM]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [01/07/2004 04:01 AM]
"VX3000"="C:\WINDOWS\vVX3000.exe" [04/10/2007 06:46 PM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/03/2007 11:33 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [08/24/2007 05:57 PM]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [11/30/2007 05:42 AM]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [10/20/2006 08:23 PM]
"LifeCam"="c:\Program Files\Microsoft LifeCam\LifeExp.exe" [05/17/2007 06:45 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/07/2008 11:31 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 08:20 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 05:11 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"nwiz"="nwiz.exe" [10/31/2006 05:35 PM C:\WINDOWS\system32\nwiz.exe]
"RegistryMechanic"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [12/29/2007 05:43 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" []
"kava"="C:\WINDOWS\system32\kavo.exe" [06/06/2008 12:11 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0069543e-202f-11dd-836c-001aa06ee5aa}]
AutoRun\command- I:\lgrncie.bat
explore\Command- I:\lgrncie.bat
open\Command- I:\lgrncie.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{248990ea-dedd-11dc-82a8-001aa06ee5aa}]
AutoRun\command- H:\lgrncie.bat
explore\Command- H:\lgrncie.bat
open\Command- H:\lgrncie.bat




-- End of Deckard's System Scanner: finished at 2008-06-06 07:05:15 ------------
xxaznstylesxx is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 06-06-2008, 10:53 PM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 18,684
OS: WinXP and Win98se


Re: Yahoo Messenger Unknown Error
Hello again, xxaznstylesxx.

We just cleaned a flash drive infection less than a month ago.

Before we go around in circles again, how many removable drives do you have?
__________________

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Keep this site free for all. Please consider, donating

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 06-07-2008, 06:28 AM   #3 (permalink)
Registered User
 
Join Date: Mar 2008
Posts: 21
OS: XP


Re: Yahoo Messenger Unknown Error
I have 2 flash drives, however, I believe that the infection has moved to another computer of mine and I never knew about it.
xxaznstylesxx is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 06-07-2008, 08:13 PM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 18,684
OS: WinXP and Win98se


Re: Yahoo Messenger Unknown Error
Okay...same as what we did for your XP Pro system.

Whatever drives you just plugged into this computer that were labeled I:\ and H:\, are infected.

1. Download Flash_Disinfector.exe and save it to your desktop.


2. Download a new Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

Before we go any further, get the Recovery Console installed on this system. The Windows recovery console will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System




Download the file & save it as it's originally named, next to ComboFix.exe.





Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.



  • At the next prompt, click 'NO' to exit ComboFix for now.

----------------------


Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drives and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

----------------------

With the flash drives still connected.....

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log, and an update on system behavior.
__________________

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Keep this site free for all. Please consider, donating

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 06-09-2008, 04:32 PM   #5 (permalink)
Registered User
 
Join Date: Mar 2008
Posts: 21
OS: XP


Re: Yahoo Messenger Unknown Error
sorry for the long wait, no internet for a while.
everything seems fine, i think, got yahoo back.
ive traced the virus to my other system, should I just do the same process on the system? basicly same stuff goin on, but explorer keeps shuttin down.

ComboFix 08-06-06.6 - user 2008-06-09 19:22:17.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1520 [GMT -4:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo0.dll
C:\WINDOWS\system32\kavo1.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
.

2008-06-09 19:02 . 2008-06-09 19:02 128,427 -r-hs---- C:\lgrncie.bat
2008-06-06 07:03 . 2008-06-06 07:03 <DIR> d-------- C:\Deckard
2008-05-27 00:25 . 2008-05-27 00:27 <DIR> d-------- C:\Program Files\Gam Poker Analyzer
2008-05-22 13:50 . 2008-05-22 13:59 <DIR> d--h----- C:\Program Files\Tweak-XP Pro 4
2008-05-22 13:50 . 2008-05-22 13:50 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-05-19 10:50 . 2008-05-19 12:08 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-05-18 01:26 . 2008-05-18 01:26 <DIR> d-------- C:\Documents and Settings\user\Application Data\Ubisoft
2008-05-18 01:26 . 2008-05-18 01:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-05-18 01:19 . 2008-05-18 01:25 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-05-17 20:04 . 2008-05-17 21:45 <DIR> d-------- C:\Program Files\Cheat Engine
2008-05-17 20:04 . 2007-12-26 17:30 1,970,176 --a------ C:\WINDOWS\system32\d3dx9.dll
2008-05-17 20:04 . 2007-12-26 17:30 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll
2008-05-15 15:36 . 2008-05-15 15:36 <DIR> d-------- C:\WINDOWS\system32\Futuremark
2008-05-11 17:34 . 2008-05-11 17:34 <DIR> d-------- C:\Documents and Settings\user\Application Data\GetRightToGo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-09 15:50 --------- d-----w C:\Documents and Settings\user\Application Data\SiteAdvisor
2008-06-07 12:36 --------- d-----w C:\Program Files\Yahoo!
2008-06-06 23:31 --------- d-----w C:\Documents and Settings\user\Application Data\Azureus
2008-06-06 10:35 --------- d-----w C:\Documents and Settings\user\Application Data\Yahoo!
2008-06-06 10:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-23 01:43 --------- d-----w C:\Program Files\SiteAdvisor
2008-05-22 17:46 --------- d--h--w C:\Program Files\Azureus
2008-05-16 04:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-10 10:31 --------- d-----w C:\Program Files\AIM
2008-05-10 10:30 --------- d-----w C:\Documents and Settings\user\Application Data\Aim
2008-05-10 10:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-10 01:43 --------- d-----w C:\Program Files\Incomplete
2008-05-10 01:23 --------- d-----w C:\Program Files\LimeWire
2008-05-01 00:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-18 03:18 --------- d-----w C:\Documents and Settings\user\Application Data\LimeWire
2008-04-18 00:32 --------- d-----w C:\Program Files\Apple Software Update
2008-04-17 09:52 --------- d-----w C:\Program Files\iTunes
2008-04-17 09:52 --------- d-----w C:\Program Files\iPod
2008-04-17 09:51 --------- d-----w C:\Program Files\QuickTime
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-08 21:31 61,224 ----a-w C:\Documents and Settings\user\GoToAssistDownloadHelper.exe
2007-08-20 22:04 15,505,200 ----a-w C:\Program Files\IE7-WindowsXP-x86-enu.exe
2004-09-28 02:00 26,240 ----a-w C:\WINDOWS\inf\RAMDSK.SYS
2001-08-22 18:15 245,760 ----a-w C:\WINDOWS\inf\i386\viceo.dll
2001-08-22 18:13 61,440 ----a-w C:\WINDOWS\inf\i386\gl.dll
2001-08-22 18:13 32,768 ----a-w C:\WINDOWS\inf\i386\Pmicro.dll
2001-08-03 23:29 13,824 ----a-w C:\WINDOWS\inf\i386\Usbscan.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-07_10.43.55.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-07 14:31:26 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-09 10:26:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-07 11:25:36 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-09 22:43:48 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-06-07 11:25:36 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-09 22:43:48 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-06-07 11:25:36 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-09 22:43:48 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-29 05:43 486856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]
"Messenger (Yahoo!)"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2008-05-27 21:58 4269296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-14 19:33 8429568]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-05-14 19:33 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 17:27 16132608 C:\WINDOWS\RTHDCPL.exe]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 04:05 122939]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 04:01 110592]
"VX3000"="C:\WINDOWS\vVX3000.exe" [2007-04-10 18:46 709992]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-08-24 17:57 36640]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 20:23 118784]
"LifeCam"="c:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 18:45 279912]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-07 23:31 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 05:11 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"nwiz"="nwiz.exe" [2006-10-31 17:35 1622016 C:\WINDOWS\system32\nwiz.exe]
"RegistryMechanic"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-04-25 22:26 423184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=

R2 MSCamSvc;MSCamSvc;"c:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-05-17 18:45]
S3 XDva031;XDva031;C:\WINDOWS\system32\XDva031.sys []
S3 XDva059;XDva059;C:\WINDOWS\system32\XDva059.sys []
S3 XDva064;XDva064;C:\WINDOWS\system32\XDva064.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9f95890-da2c-11dc-829c-001aa06ee5aa}]
\Shell\AutoRun\command - H:\lgrncie.bat
\Shell\explore\Command - H:\lgrncie.bat
\Shell\open\Command - H:\lgrncie.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dfeb2a6d-33b4-11dd-83b0-001aa06ee5aa}]
\Shell\AutoRun\command - H:\lgrncie.bat
\Shell\explore\Command - H:\lgrncie.bat
\Shell\open\Command - H:\lgrncie.bat

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 21:47:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-15 06:20:00 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-05-01 05:20:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-06-09 10:29:39 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-03-07 03:55:35 C:\WINDOWS\Tasks\shutdown.job"
- C:\Documents and Settings\user\Desktop\shutdown.bat
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-09 19:24:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-09 19:25:46
ComboFix-quarantined-files.txt 2008-06-09 23:25:41
ComboFix2.txt 2008-06-07 1552
ComboFix3.txt 2008-06-07 14:44:11
ComboFix4.txt 2008-05-18 16:51:55

Pre-Run: 158,642,061,312 bytes free
Post-Run: 158,781,562,880 bytes free

170 --- E O F --- 2008-04-16 11:15:24
xxaznstylesxx is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 06-09-2008, 08:20 PM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 18,684
OS: WinXP and Win98se


Re: Yahoo Messenger Unknown Error
Hi,

Yes, please run these same tools on your other computer, but begin a new thread for that system so we can keep these straight.


Open notepad and copy/paste the entire text in the code box below: (don't forget to copy and paste REGEDIT4)

Code:
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9f95890-da2c-11dc-829c-001aa06ee5aa}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dfeb2a6d-33b4-11dd-83b0-001aa06ee5aa}]
Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

--------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------

Run a new scan with dss.exe

---------------------------------------------------------------

Please include the following in your next reply:

Kaspersky results
main.txt
Update on system behavior
__________________

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Keep this site free for all. Please consider, donating

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Reply

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 07:24 PM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2008, Tech Support Forum

Search Engine Friendly URLs by vBSEO

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81