06-Mar-2005, 12:45 AM
#1 |
Hi All,

Even I'm facing the same Yahoo Messenger problem (virus: www.53best.com). I did run HijackThis.exe. The log is as follows:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Logfile of HijackThis v1.99.1
Scan saved at 1:02:48 AM, on 11/6/2001
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\cisvc.exe
E:\WINDOWS\System32\inetsrv\inetinfo.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\Program Files\Norton AntiVirus\SAVScan.exe
E:\WINDOWS\System32\wuauclt.exe
E:\WINDOWS\System32\rsvp.exe
E:\WINDOWS\system32\cidaemon.exe
E:\WINDOWS\system32\cidaemon.exe
E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
E:\Program Files\Internet Explorer\iexplore.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Program Files\Internet Explorer\iexplore.exe
E:\Documents and Settings\hemanth12\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.in/0SEENIN/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=461
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sify.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=461
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Satyam Infoway Limited
F2 - REG:system.ini: Shell=Explorer.exe E:\WINDOWS\System32\msapi.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - E:\WINDOWS\System32\MTC.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - E:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - E:\WINDOWS\System32\spm1316.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721316} - E:\WINDOWS\System32\wer1316.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - E:\WINDOWS\System32\MTC.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.hi\msntb.dll
O4 - HKLM\..\Run: [requester] "E:\WINDOWS\System32\requester.10.exe"
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] E:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] E:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [Skype] "E:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sify.com
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE71129C-7782-45CB-971A-D312A341C6B0}: NameServer = 61.1.96.71 61.1.128.65
O18 - Protocol: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - E:\WINDOWS\System32\textwareilluminatorbaseProtocol.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - E:\WINDOWS\System32\vbsys2 (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
+++++++++++++++++++++++++++++++++++++++++++++++

Can anyone help in analyzing the log? Thanks in advance.

Hemanth
06-Mar-2005, 03:12 AM
#2
Download AdAware SE from http://www.lavasoft.de/support/download and install it if you haven't already got it. If you have it, then make sure it is updated and configured as described later in this post.

Download Pocket Killbox from http://www.thespykiller.co.uk/files/killbox.exe and put it on the desktop where you can find it easily.

Reboot into safe mode by following the instructions here: http://service1.symantec.com/SUPPORT...01052409420406

Run HijackThis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser and email windows are closed and press "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.in/0SEENIN/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=461
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=461
F2 - REG:system.ini: Shell=Explorer.exe E:\WINDOWS\System32\msapi.exe
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - E:\WINDOWS\System32\MTC.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - E:\WINDOWS\System32\spm1316.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721316} - E:\WINDOWS\System32\wer1316.dll
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - E:\WINDOWS\System32\MTC.dll
O4 - HKLM\..\Run: [requester] "E:\WINDOWS\System32\requester.10.exe"
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - E:\WINDOWS\System32\vbsys2 (file missing)

Now run Killbox and paste the FIRST ONE of these lines into the box, select "standard file delete", then press the red X button and say yes to the prompt. Then continue to paste the lines in turn and follow the above procedure every time. If it says the file is missing, don't worry; if it says unable to delete, then make a note of the file name and let us know when you reply.

E:\WINDOWS\System32\vbsys2.dll
E:\WINDOWS\System32\MTC.dll
E:\WINDOWS\System32\spm1316.dll
E:\WINDOWS\System32\wer1316.dll
E:\WINDOWS\System32\requester.10.exe

Then on the Killbox top bar press Tools and then "Empty temp files", follow those prompts and say yes to everything.

Then, as some of the folders you need to delete may be hidden, do this: open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders", click "Apply" then "OK".

Delete these folders, then go to C:\windows\temp and select EVERYTHING except the Temporary Internet Files, Cookies and History folders and delete all that, and then do the same for C:\temp.

1) Open Control Panel
2) Click on Internet Options
3) On the General tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

Then run AdAware. Before you scan with AdAware, check for updates of the reference file by using the "webupdate". The current ref file should read at least SE1R29.05.03.2005 or a higher number/later date.

Set up the configuration as follows:
General button > Safety: check (green) all three.
Click on "Proceed".
Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
Click on "Scan Now".
Run the scanner using the Full Scan (Perform full system scan) mode.
When the scan is finished, mark everything for removal and get rid of it (right-click the window and choose "select all" from the drop-down menu), then press Next and then say yes to the prompt "do you want to remove all these entries".

Reboot, then download and install the Micro$oft AntiSpyware BETA from http://www.microsoft.com/athome/secu...e/default.mspx and let it fix anything it finds (when it finds things, please quarantine them rather than delete, just in case, as it is a beta and occasional false positives happen). First press File and check for updates, and then run it. Recent tests suggest that a combination of AdAware & M$AS removes approx 80% of spywares/adwares, much higher than any other combination.

Run an online antivirus check from at least one and preferably 2 of the following sites:
http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.ravantivirus.com/scan/
http://www3.ca.com/virusinfo/
http://www.bitdefender.com/scan/licence.php
http://www.commandondemand.com/eval/index.cfm
http://www.freedom.net/viruscenter/o...iruscheck.html
http://info.ahnlab.com/english/
http://www.pcpitstop.com/pcpitstop/AntiVirusCntr.asp

Reboot again, then please go to http://www.thespykiller.co.uk/forum/index.php and upload these files so I can examine them and distribute them to antivirus companies. Just press New Topic, fill in the needed details and just give a link to your post here, then press the Browse button and navigate to and select the files on your computer. If there is more than 1 file then press the "more attachments" button for each extra file and browse and select etc., and when all the files are listed in the window press Send to upload the files (do not post HJT logs there as they will not get dealt with).

Files to submit: anything inside the C:\!submit folder, which is where Killbox should have made copies of all the files it deleted. The easy way is to first go to C:\!submit and select all the files inside it, right-click and Send To > Compressed Folder; that will make a zipped copy of all the files. Then upload the zipped copy.

Then post a new HijackThis log to check what is left.

__________________
Derek
Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction: Hedgehog Rescue
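The reply above picks its "fix checked" list by hand. As an added example (not part of either post, and not HijackThis or Lavasoft code), the Python script below encodes the reasoning that selection implies as explicit rules and runs them over a subset of lines copied from the log in post #1: a start page that differs from the OEM Default_Page_URL, a Shell= value with a second executable chained on, BHOs loading straight out of System32 (and any O3 toolbar sharing a flagged BHO's CLSID, which is how the Search Toolbar gets caught without tripping on the Windows "&Radio" toolbar that also lives in System32), Run entries executing from System32, O16 DPF codebases that are not http(s), and an SSODL entry whose file is missing. The rules and thresholds are my own heuristics, not HijackThis logic; they will produce false positives on some legitimate Windows components, so the output is a worklist for a human reviewer, not a fix list.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Entries copied from the HijackThis log in post #1 (a subset that exercises
# every rule below; the rest of the log parses the same way).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sify.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=461
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=461
F2 - REG:system.ini: Shell=Explorer.exe E:\WINDOWS\System32\msapi.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - E:\WINDOWS\System32\MTC.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - E:\WINDOWS\System32\spm1316.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - E:\WINDOWS\System32\MTC.dll
O4 - HKLM\..\Run: [requester] "E:\WINDOWS\System32\requester.10.exe"
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - E:\WINDOWS\System32\vbsys2 (file missing)
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O2"
    reason: str   # which heuristic fired
    line: str     # the offending log line, verbatim


_LINE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
_CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def _parent_dir(path: str) -> str:
    """Lower-cased directory part of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def _in_system32(path: str) -> bool:
    # Heuristic (my assumption, not an HJT rule): third-party add-ons normally
    # live under Program Files; a BHO or autorun dropped into System32 is worth a look.
    return _parent_dir(path).endswith("\\system32")


def _last_field(body: str) -> str:
    """HJT separates name / CLSID / path with ' - '; the path or URL is last."""
    return body.rsplit(" - ", 1)[-1].strip()


def _run_target(cmd: str) -> str:
    """Strip arguments from an O4 command line, quoted or not."""
    m = re.match(r'"([^"]+)"|(\S.*?\.exe)', cmd, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else cmd


def triage(log_text: str) -> list[Finding]:
    entries = []
    for raw in log_text.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2), raw.strip()))

    # Pass 1: the OEM default (R1 Default_Page_URL) is the baseline the
    # Start Page entries are compared against.
    default_host = None
    for sec, body, _ in entries:
        if sec == "R1" and "Default_Page_URL" in body:
            default_host = urlparse(body.split("=", 1)[1].strip()).hostname

    findings: list[Finding] = []
    flagged_clsids: set[str] = set()

    # Pass 2: per-section rules, in log order so O2 is seen before O3.
    for sec, body, line in entries:
        clsid = _CLSID.search(body)
        if sec in ("R0", "R1") and "Start Page" in body and default_host:
            host = urlparse(body.split("=", 1)[1].strip()).hostname
            if host != default_host:
                findings.append(Finding(sec, f"start page {host} differs from default {default_host}", line))
        elif sec == "F2" and "Shell=" in body:
            shell = body.split("Shell=", 1)[1].split()
            if [t.lower() for t in shell] != ["explorer.exe"]:
                findings.append(Finding(sec, "extra executable chained onto the Shell= value", line))
        elif sec == "O2" and _in_system32(_last_field(body)):
            findings.append(Finding(sec, "BHO DLL loaded straight from System32", line))
            if clsid:
                flagged_clsids.add(clsid.group(0).upper())
        elif sec == "O3" and clsid and clsid.group(0).upper() in flagged_clsids:
            findings.append(Finding(sec, "toolbar shares a CLSID with a flagged BHO", line))
        elif sec == "O4" and "] " in body:
            if _in_system32(_run_target(body.split("] ", 1)[1].strip())):
                findings.append(Finding(sec, "Run entry executes directly from System32", line))
        elif sec == "O16":
            scheme = urlparse(_last_field(body)).scheme.lower()
            if scheme not in ("http", "https"):
                findings.append(Finding(sec, f"DPF codebase uses {scheme or 'no'} scheme, not http(s)", line))
        elif sec == "O21" and "(file missing)" in body:
            findings.append(Finding(sec, "SSODL entry points at a missing file", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>3}  {f.reason}\n     {f.line}")
```

On the sample above the script reports nine entries, the same R0, F2, O2, O3, O4, O16 and O21 lines the reply asked the poster to fix, and leaves the Yahoo, Norton, MSN and Windows Media entries alone. Run against a full log it is only a first pass: confirm each hit against the vendor directory and CLSID before fixing anything.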
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.