#1
Gold Member
Join Date: Sep 2004
Posts: 376
My firewall (Sygate Personal) notified me of a program it called "Buddy" which had changed since I last used it, and wanted to know if I would allow it to access the network. I chose no, and removed the file in question (called ycngysmow.exe). However, the file came back, and I got the same warning.
I tried running Ad-Aware, but it didn't find anything. Right now, I'm running a virus search, but as of now, no luck. What is that program? Here are the details from the firewall warning:

The executable has changed since the last time you used: C:\WINDOWS\ycngysmow.exe
File Version : 1.0.2.4
File Description : Buddy
File Path : C:\WINDOWS\ycngysmow.exe
Process ID : 0x66C (Heximal) 1644 (Decimal)
Connection origin : local initiated
Protocol : TCP
Local Address : 81.230.90.83
Local Port : 1360
Remote Name :
Remote Address : 64.124.153.143
Remote Port : 80 (HTTP - World Wide Web)

Ethernet packet details:
Ethernet II (Packet Length: 76)
Destination: 01-00-20-00-01-00
Source: 00-00-01-00-00-00
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0xa5a1 (Correct)
Source: 81.230.90.83
Destination: 64.124.153.143
Transmission Control Protocol (TCP)
Source port: 1360
Destination port: 80
Sequence number: 2424658112
Acknowledgment number: 0
Header length: 28
Flags:
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Checksum: 0xfd0d (Correct)
Data (0 Bytes)
Binary dump of the packet:
0000: 01 00 20 00 01 00 00 00 : 01 00 00 00 08 00 45 00 | .. ...........E.
0010: 00 30 D2 DD 40 00 80 06 : A1 A5 51 E6 5A 53 40 7C | .0..@.....Q.ZS@|
0020: 99 8F 05 50 00 50 90 85 : 58 C0 00 00 00 00 70 02 | ...P.P..X.....p.
0030: FF FF 0D FD 00 00 02 04 : 05 AC 01 01 04 02 01 01 | ................
0040: 05 0A 06 69 C1 ED 06 69 : C1 F5 0A FA | ...i...i....

I don't understand any of it, of course. Is it any help?
Last edited by Pyotr; 05-14-2005 at 03:33 AM.
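The "Binary dump of the packet" in the post above is the raw Ethernet frame the firewall saw, and it can be read without any special tool. The following is an added example, not code from the thread or from Sygate: it parses the dump lines exactly as quoted in the post, decodes the Ethernet II, IPv4 and TCP headers, and recomputes both checksums (RFC 1071 one's-complement sum) to confirm the frame is internally consistent. All function and field names are this example's own. One detail it makes visible: the firewall prints the checksum values as 0xa5a1 and 0xfd0d, but the bytes on the wire are A1 A5 and 0D FD; the display is byte-swapped, and both checksums verify against the big-endian values. The frame is also longer (76 bytes) than the IP total length (48), so the tail after the TCP options is ignored when checksumming, as a real stack would.

```python
"""Decode the Sygate packet dump quoted in post #1 (added example, not thread or Sygate code)."""
import struct

# Constructed input: the dump lines exactly as Sygate printed them in post #1.
SYGATE_DUMP = """\
0000: 01 00 20 00 01 00 00 00 : 01 00 00 00 08 00 45 00 | .. ...........E.
0010: 00 30 D2 DD 40 00 80 06 : A1 A5 51 E6 5A 53 40 7C | .0..@.....Q.ZS@|
0020: 99 8F 05 50 00 50 90 85 : 58 C0 00 00 00 00 70 02 | ...P.P..X.....p.
0030: FF FF 0D FD 00 00 02 04 : 05 AC 01 01 04 02 01 01 | ................
0040: 05 0A 06 69 C1 ED 06 69 : C1 F5 0A FA | ...i...i....
"""

HEX = set("0123456789abcdefABCDEF")
TCP_FLAGS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
             ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80)]


def parse_dump(text: str) -> bytes:
    """Hex dump -> raw frame. Each line is '<offset>: 8 bytes : 8 bytes | ascii'.
    The ASCII gutter is cut off and only two-character hex tokens are kept,
    which also drops the offset token and the middle ':' separator."""
    frame = bytearray()
    for line in text.splitlines():
        tokens = line.split("|", 1)[0].split()[1:]          # [1:] drops "0000:"
        frame.extend(int(t, 16) for t in tokens if len(t) == 2 and set(t) <= HEX)
    return bytes(frame)


def inet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, folded, then inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_tcp_options(opts: bytes) -> dict:
    """Decode TCP options; the dump carries MSS, two NOPs and SACK-permitted."""
    names = {2: "mss", 3: "wscale", 4: "sack_ok", 8: "timestamps"}
    result, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP: single byte, no length field
            i += 1
            continue
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        result[names.get(kind, f"kind{kind}")] = struct.unpack("!H", body)[0] if kind == 2 else body.hex()
        i += length
    return result


def decode_frame(frame: bytes) -> dict:
    """Ethernet II / IPv4 / TCP header decode with both checksums verified."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, _ident, _flags_frag, ttl, proto, ip_csum = struct.unpack("!HHHBBH", ip[2:12])
    # Recomputing over the header with the checksum field zeroed must reproduce the stored value.
    ip_ok = inet_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl]) == ip_csum

    # The IP total length is authoritative: the frame is 76 bytes but the datagram is 48,
    # so the trailing bytes are padding/trailer and take no part in the TCP checksum.
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window, tcp_csum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(tcp))   # src, dst, zero, proto, TCP length
    tcp_ok = inet_checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:]) == tcp_csum

    return {
        "dst_mac": "-".join(f"{b:02X}" for b in frame[0:6]),
        "src_mac": "-".join(f"{b:02X}" for b in frame[6:12]),
        "ethertype": ethertype, "ttl": ttl, "protocol": proto,
        "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
        "ip_checksum": ip_csum, "ip_checksum_ok": ip_ok,
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "window": window,
        "flags": [name for name, bit in TCP_FLAGS if off_flags & bit],
        "tcp_checksum": tcp_csum, "tcp_checksum_ok": tcp_ok,
        "tcp_options": parse_tcp_options(tcp[20:data_off]),
    }


def summarize(d: dict) -> str:
    """One-line verdict of the kind an analyst would paste back into the thread."""
    flags = "+".join(d["flags"]) or "none"
    return (f"TCP {flags} {d['src_ip']}:{d['src_port']} -> {d['dst_ip']}:{d['dst_port']} "
            f"(IP checksum {'ok' if d['ip_checksum_ok'] else 'BAD'}, "
            f"TCP checksum {'ok' if d['tcp_checksum_ok'] else 'BAD'})")


if __name__ == "__main__":
    decoded = decode_frame(parse_dump(SYGATE_DUMP))
    print(summarize(decoded))
    print(decoded)
```

Run stand-alone it prints `TCP SYN 81.230.90.83:1360 -> 64.124.153.143:80 (IP checksum ok, TCP checksum ok)`: a plain outbound connection attempt (SYN only, no payload) from the flagged executable to a web server, which is what the firewall's summary already said, now confirmed field by field from the bytes.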
#2
Malware Destroyer
Join Date: Apr 2005
Location: Hurricane Heaven... still
Posts: 1,093
Try running these 2 online scans and then see if the problem exists:
http://www.pandasoftware.com/product..._principal.htm
http://housecall.trendmicro.com/hous...start_corp.asp
PS: Be sure to turn off System Restore before you do the scans.
__________________
Don't byte off more than you can chew...
Last edited by Byteman; 05-14-2005 at 05:08 AM.
#3
Gold Member
Join Date: Sep 2004
Posts: 376
Right now, my standard av hasn't found anything, while trendmicro found 5 infected files. I could delete 4 of them, but not the fifth, because it was currently in use:
TROJ AGENT.ABS c:\windows\system32\vzemuq.exe

Panda is still running, and has scanned a lot more than trendmicro (and thus, more than crappy Symantec). 500000+ scanned, 22 infected files, 1 disinfected.

Edit: Update, Panda done, 1 virus (disinfected), 23 spyware. :/
Last edited by Pyotr; 05-14-2005 at 01:06 PM.
#4
Malware Destroyer
Join Date: Apr 2005
Location: Hurricane Heaven... still
Posts: 1,093
After all is done you may want to do a final scan in safe mode (especially since you said trendmicro couldn't delete one of the files). Update your AV program and AdAware (assuming you have AdAwareSE), reboot to safe mode and have both of them do a full scan. You should be done after that...
__________________
Don't byte off more than you can chew...
#5
Gold Member
Join Date: Sep 2004
Posts: 376
I did run a scan, both for virus and spyware (and my AV found some spyware too), and after I deleted what was found (no virus, just spyware), I deleted the file ycngysmow.exe and restarted. But now the file is back.
What IS that file? I've searched for it, but didn't find anything.
#9
Gold Member
Join Date: Sep 2004
Posts: 376
I don't know how much you need.
Logfile of HijackThis v1.99.1
Scan saved at 15:20:23, on 2005-05-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Hotkey\Hotkey.exe
C:\Program\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\Program\ABIT\ABITEQ\abiteq.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\SYMANT~1\VPTray.exe
C:\Program\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program\Winamp\winampa.exe
C:\Program\D-Tools\daemon.exe
C:\Program\Spray Bredband\fts.exe
C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe
C:\Program\Java\jre1.5.0_02\bin\jusched.exe
C:\Program\ATI Technologies\ATI.ACE\cli.exe
C:\Program\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\Program\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Spray Bredband\FWPortal.exe
C:\Program\Azureus\Azureus.exe
C:\Program\Java\jre1.5.0_02\bin\javaw.exe
C:\Program\mIRC\mirc.exe
c:\windows\system32\vqkjeq.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Daniel\LOKALA~1\Temp\Temporär katalog 1 för hijackthis.zip\HijackThis.exe
#10
Gold Member
Join Date: Sep 2004
Posts: 376
Then there was
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spray.se/cd/savedata.jsp?...=5.1.2600&sp=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program\ICQToolbar\toolbaru.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\Program\INSTAFINK\instafink.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Hotkey] C:\Program\Hotkey\Hotkey.exe
O4 - HKLM\..\Run: [NvMixerTray] C:\Program\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [ABITEQ] C:\Program\ABIT\ABITEQ\abiteq.exe -M
O4 - HKLM\..\Run: [REGSHAVE] C:\Program\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\Program\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [%FP%Spray fts.exe] "C:\Program\Spray Bredband\fts.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe"
O4 - HKLM\..\Run: [SmcService] C:\Program\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] C:\Program\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [fakitw] c:\windows\system32\vqkjeq.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: GStartup.lnk = C:\Program\Delade filer\GMT\GMT.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - C:\Program\expektMPP\MPPoker.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{47DB7C7D-AA4F-446C-B91C-9998757C0900}: NameServer = 195.67.199.30 195.67.199.31
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program\Delade filer\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
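A HijackThis log is a list of autostart points, and the question the thread keeps circling (why a deleted file comes back) is answered by reading those points rather than by scanning the file itself. The following is an added example and is neither the thread's nor HijackThis's own code: it parses a subset of the lines quoted in post #10, applies a few triage heuristics that are this example's own (a Shell= value that launches something besides Explorer.exe, an executable sitting directly in C:\WINDOWS rather than in a subfolder, a service with no publisher, an orphaned entry whose file is missing, a Run value name unrelated to its executable), and cross-references each entry against the running-process list from post #9. That last check models the problem in post #3: a binary that is running cannot be deleted from the normal session, which is why the safe-mode scan was recommended. The severities are review prompts, not verdicts; the stock Windows XP entry KernelFaultCheck/dumprep lands in the low bucket for exactly that reason.

```python
"""Triage of HijackThis autostart entries (added example; heuristics are this example's own)."""
import re
from dataclasses import dataclass, field

# Constructed input: a subset of the HijackThis lines quoted in post #10.
HJT_LINES = [
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe",
    r"O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\Program\INSTAFINK\instafink.dll (file missing)",
    r"O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"O4 - HKLM\..\Run: [fakitw] c:\windows\system32\vqkjeq.exe",
    r"O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe",
    r"O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll",
    r"O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe",
    r"O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program\Sygate\SPF\smc.exe",
    r"O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe",
]
# Constructed input: a subset of the "Running processes" list from post #9.
RUNNING = [r"C:\WINDOWS\Explorer.exe", r"C:\Program\Sygate\SPF\smc.exe",
           r"C:\WINDOWS\system32\ctfmon.exe", r"c:\windows\system32\vqkjeq.exe"]

WINDIR = r"c:\windows"
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll)", re.I)
SEVERITY = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Entry:
    kind: str                  # HJT section tag: F2, O2, O3, O4, O20, O23
    name: str                  # value name / BHO / toolbar / service display name
    path: str                  # normalised binary path, "" when none could be found
    target: str                # raw target text, kept for "(file missing)" checks
    owner: str = ""            # O23 publisher string
    running: bool = False      # path appears in the running-process list
    findings: list = field(default_factory=list)   # (severity, reason) pairs


def normalise(target: str) -> str:
    """Lowercase, drop quotes, expand %systemroot%, isolate the binary path."""
    t = target.strip().strip('"').lower().replace("%systemroot%", WINDIR)
    m = PATH_RE.search(t)
    if m:
        return m.group(0)
    if t.startswith(WINDIR) or t[1:3] == ":\\":
        return t.split()[0]        # e.g. "...\dumprep 0 -k" -> "...\dumprep"
    return ""


def parse_line(line: str):
    parts = line.split(" - ")
    kind = parts[0]
    if kind == "F2":
        shell_value = line.split("Shell=", 1)[1]
        extras = shell_value.split()[1:]           # anything after Explorer.exe
        return Entry(kind, "Shell", normalise(extras[0]) if extras else "", shell_value)
    if kind == "O4":
        m = re.search(r"\[(.*?)\]\s*(.*)", line)
        return Entry(kind, m.group(1), normalise(m.group(2)), m.group(2))
    if kind in ("O2", "O3", "O20", "O23") and len(parts) >= 3:
        name = parts[1].split(": ", 1)[1]
        owner = parts[2] if kind == "O23" else ""
        return Entry(kind, name, normalise(parts[-1]), parts[-1], owner)
    return None


def in_windir_root(path: str) -> bool:
    """Binary sits directly in C:\\WINDOWS rather than in a subfolder."""
    return path.startswith(WINDIR + "\\") and "\\" not in path[len(WINDIR) + 1:]


def name_matches_binary(name: str, path: str) -> bool:
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    n = name.lower().rsplit(".", 1)[0]
    return bool(stem) and (stem in n or n in stem)


def triage(lines, running):
    running_set = {normalise(p) for p in running}
    entries = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        e.running = e.path in running_set
        if e.kind == "F2" and len(e.target.split()) > 1:
            e.findings.append(("high", "shell chain: an extra executable is launched alongside Explorer.exe"))
        if e.path and in_windir_root(e.path):
            e.findings.append(("high", "executable directly in the Windows directory"))
        if e.kind == "O23" and e.owner.lower() == "unknown owner":
            e.findings.append(("medium", "service binary carries no publisher information"))
        if e.kind == "O4" and e.path and not name_matches_binary(e.name, e.path):
            e.findings.append(("low", "Run value name does not resemble the executable name"))
        if "(file missing)" in e.target.lower() or "(no file)" in e.target.lower():
            e.findings.append(("low", "orphaned entry: the referenced file is absent"))
        entries.append(e)
    return entries


def top_severity(entry: Entry) -> str:
    return max((s for s, _ in entry.findings), key=SEVERITY.get, default="none")


def report(entries):
    """Flagged entries, highest severity first: (severity, path or name, running, reasons)."""
    flagged = sorted((e for e in entries if e.findings), key=lambda e: -SEVERITY[top_severity(e)])
    return [(top_severity(e), e.path or e.name, e.running, [r for _, r in e.findings]) for e in flagged]


if __name__ == "__main__":
    for sev, what, is_running, reasons in report(triage(HJT_LINES, RUNNING)):
        print(f"[{sev:6}] {what}{'  (RUNNING)' if is_running else ''}: {'; '.join(reasons)}")
```

The two high-severity hits are C:\WINDOWS\Nail.exe (chained onto the shell) and C:\WINDOWS\svcproc.exe (an unattributed service), both of which start before or independently of the user's Run keys; vqkjeq.exe is flagged low but marked as running, so it would be the file a scanner reports as in use. Entries like ccApp, ctfmon, NavLogon and the Sygate service produce no findings.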