Either virus or spyware?

Pyotr

New Member
My firewall (Sygate Personal) notified me of a program it called "Buddy" which had changed since I last used it, and wanted to know if I would allow it to access the network. I chose no, and removed the file in question (called ycngysmow.exe). However, the file came back, and I got the same warning.
I tried running Ad-Aware, but it didn't find anything. Right now, I'm running a virus search, but as of now, no luck.
What is that program?

Here's the details from the firewall warning:


The executable has changed since the last time you used: C:\WINDOWS\ycngysmow.exe
File Version : 1.0.2.4
File Description : Buddy
File Path : C:\WINDOWS\ycngysmow.exe
Process ID : 0x66C (Heximal) 1644 (Decimal)

Connection origin : local initiated
Protocol : TCP
Local Address : 81.230.90.83
Local Port : 1360
Remote Name :
Remote Address : 64.124.153.143
Remote Port : 80 (HTTP - World Wide Web)

Ethernet packet details:
Ethernet II (Packet Length: 76)
Destination: 01-00-20-00-01-00
Source: 00-00-01-00-00-00
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 128
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0xa5a1 (Correct)
Source: 81.230.90.83
Destination: 64.124.153.143
Transmission Control Protocol (TCP)
Source port: 1360
Destination port: 80
Sequence number: 2424658112
Acknowledgment number: 0
Header length: 28
Flags:
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Checksum: 0xfd0d (Correct)
Data (0 Bytes)

Binary dump of the packet:
0000: 01 00 20 00 01 00 00 00 : 01 00 00 00 08 00 45 00 | .. ...........E.
0010: 00 30 D2 DD 40 00 80 06 : A1 A5 51 E6 5A 53 40 7C | .0..@.....Q.ZS@|
0020: 99 8F 05 50 00 50 90 85 : 58 C0 00 00 00 00 70 02 | ...P.P..X.....p.
0030: FF FF 0D FD 00 00 02 04 : 05 AC 01 01 04 02 01 01 | ................
0040: 05 0A 06 69 C1 ED 06 69 : C1 F5 0A FA | ...i...i....


I don't understand any of it, of course. Is it any help?
 
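As an added example (not from the thread, and not Sygate's code), here is how to read the "Binary dump of the packet" the firewall printed: it decodes the Ethernet, IPv4 and TCP headers, verifies the IPv4 header checksum, and confirms the alert describes a locally initiated SYN to 64.124.153.143 port 80. The dump text is copied from the alert above; the function and variable names are my own.

```python
import struct

# Dump text as printed by Sygate: offset, 16 hex bytes split by ':', then an ASCII column.
SYGATE_DUMP = """\
0000: 01 00 20 00 01 00 00 00 : 01 00 00 00 08 00 45 00 | .. ...........E.
0010: 00 30 D2 DD 40 00 80 06 : A1 A5 51 E6 5A 53 40 7C | .0..@.....Q.ZS@|
0020: 99 8F 05 50 00 50 90 85 : 58 C0 00 00 00 00 70 02 | ...P.P..X.....p.
0030: FF FF 0D FD 00 00 02 04 : 05 AC 01 01 04 02 01 01 | ................
0040: 05 0A 06 69 C1 ED 06 69 : C1 F5 0A FA | ...i...i....
"""

# TCP flag bits, least significant first (RFC 793 plus ECE/CWR).
TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")

def parse_dump(text):
    """Extract the raw bytes: drop the offset, the ':' column separator and the ASCII column."""
    raw = bytearray()
    for line in text.splitlines():
        hex_part = line.split("|", 1)[0].split(":", 1)[1]
        raw.extend(int(tok, 16) for tok in hex_part.split() if tok != ":")
    return bytes(raw)

def ipv4_checksum(header):
    """RFC 791 one's-complement sum of 16-bit words; an intact header (checksum included) gives 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode(frame):
    """Walk Ethernet II -> IPv4 -> TCP and return the fields worth checking in a firewall alert."""
    assert struct.unpack("!H", frame[12:14])[0] == 0x0800, "not an IPv4 frame"
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    data_off = (tcp[12] >> 4) * 4
    return {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "ttl": ip[8], "proto": ip[9],
        # Sygate prints the checksum byte-swapped (0xa5a1); on the wire it is A1 A5 and verifies.
        "ip_checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [n for i, n in enumerate(TCP_FLAGS) if tcp[13] >> i & 1],
        "payload_len": len(tcp) - data_off,
        # Bytes past the IP total length are not part of the packet (slack in the dump buffer).
        "trailer_len": len(ip) - total_len,
    }

if __name__ == "__main__":
    for key, value in decode(parse_dump(SYGATE_DUMP)).items():
        print(f"{key:15} {value}")
```

The 14 bytes after the IP total length (48) lie outside the packet, which is why the alert reports "Data (0 Bytes)" even though the dump is 76 bytes long.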

Pyotr

New Member
Right now, my standard av hasn't found anything, while trendmicro found 5 infected files. I could delete 4 of them, but not the fifth, because it was currently in use:
TROJ AGENT.ABS c:\windows\system32\vzemuq.exe

Panda is still running, and has scanned a lot more than trendmicro (and thus, more than crappy Symantec). 500000+ scanned, 22 infected files, 1 disinfected. :(

Edit: Update, Panda done, 1 virus (disinfected), 23 spyware. :/
 

Byteman

Malware Destroyer
After all is done you may want to do a final scan in safe mode (especially since you said trendmicro couldn't delete one of the files). Update your AV program and AdAware (assuming you have AdAwareSE), reboot to safe mode and have both of them do a full scan. You should be done after that...
 

Pyotr

New Member
I did run a scan, both for virus and spyware (and my AV found some spyware too), and after I deleted what was found (no virus, just spyware), I deleted the file ycngysmow.exe and restarted. But now the file is back. :( What IS that file? I've searched for it, but didn't find anything.
 

Buzz1927

Digaredd
It might be a hidden file. Go to Control panel>tools>Folder options>view, check "show hidden files and folders" and look for it using explorer (not via search).
 

Pyotr

New Member
No no, it's visible. And not only that, I've deleted it once. It came back though. :/
(searched = on google and at symantec)
 

Buzz1927

Digaredd
Download Hijackthis from here. Run Hijackthis and do a scan. When finished, the "scan" button will change to "save logfile". Copy and paste the logfile here.
 

Pyotr

New Member
I don't know how much you need.

Logfile of HijackThis v1.99.1
Scan saved at 15:20:23, on 2005-05-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Hotkey\Hotkey.exe
C:\Program\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\Program\ABIT\ABITEQ\abiteq.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\SYMANT~1\VPTray.exe
C:\Program\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program\Winamp\winampa.exe
C:\Program\D-Tools\daemon.exe
C:\Program\Spray Bredband\fts.exe
C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe
C:\Program\Java\jre1.5.0_02\bin\jusched.exe
C:\Program\ATI Technologies\ATI.ACE\cli.exe
C:\Program\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\Program\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Spray Bredband\FWPortal.exe
C:\Program\Azureus\Azureus.exe
C:\Program\Java\jre1.5.0_02\bin\javaw.exe
C:\Program\mIRC\mirc.exe
c:\windows\system32\vqkjeq.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Daniel\LOKALA~1\Temp\Temporär katalog 1 för hijackthis.zip\HijackThis.exe
 

Pyotr

New Member
Then there was


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spray.se/cd/[email protected]&type=Friendly&os=5.1.2600&sp=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program\ICQToolbar\toolbaru.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\Program\INSTAFINK\instafink.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Hotkey] C:\Program\Hotkey\Hotkey.exe
O4 - HKLM\..\Run: [NvMixerTray] C:\Program\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [ABITEQ] C:\Program\ABIT\ABITEQ\abiteq.exe -M
O4 - HKLM\..\Run: [REGSHAVE] C:\Program\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\Program\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [%FP%Spray fts.exe] "C:\Program\Spray Bredband\fts.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe"
O4 - HKLM\..\Run: [SmcService] C:\Program\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] C:\Program\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [fakitw] c:\windows\system32\vqkjeq.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: GStartup.lnk = C:\Program\Delade filer\GMT\GMT.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - C:\Program\expektMPP\MPPoker.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{47DB7C7D-AA4F-446C-B91C-9998757C0900}: NameServer = 195.67.199.30 195.67.199.31
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program\Delade filer\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
 

Buzz1927

Digaredd
Pyotr

I need to see the rest of it (with the O2, O3 etc.). (Edit: sorry, didn't see the second post.)
 

Buzz1927

Digaredd
Pyotr
You've got a nasty Nail infection.
Download Ewido from here. Update it, but don't use it yet. Download Nailfix from here. Unzip it to the desktop, but don't run it yet.
Boot into safe mode.
Once in safe mode, double-click Nailfix.bat. The icons will disappear and reappear, this is normal.
Next run Ewido and do a full scan. This will take a while. When finished save the log and post it in your reply.
Run Hijackthis and place a check next to this entry
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
Close all open windows, apart from Hijackthis, and click "Fix checked"
Restart into normal mode, run Hijackthis and post the new log, along with the log from Ewido.
 

Byteman

Malware Destroyer
Not at all! I've seen the commands for Nail removal, but haven't seen anyone make any kind of a tool for the dumb thing yet; yours is the first I've seen, and it seems to have all its ducks in a row... very slick!

I have seen a lot about Ewido though, and in my mind the jury is still undecided on it... however it does seem to work on the Nail problem. :)
 

Buzz1927

Digaredd
The guys at Spywareinfo have done a lot of work on Nail. This method seems to work almost 100% of the time. As for Ewido, Nail's about the only thing it's recommended for. Feel free to take over in cleaning up the rest of the log.
 

Buzz1927

Digaredd
Hi Pyotr

Yeah, looks like we got Nail. It looks like ewido saved us some work as well.
Run Hijackthis. Check the following entries
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\Program\INSTAFINK\instafink.dll (file missing)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
Close all windows, and hit "Fix checked".
Next, move Hijackthis to its own folder e.g. C:\HJT. You might need it again.
Press start>run> type %temp% and delete everything there.
If you haven't already got them, download Adaware SE and Spybot SD. Update and scan with them regularly.
Spywareblaster and Spywareguard will increase your chances of staying clean.
Take care
Buzz
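The two checks Buzz1927 applied to the log above, the Shell value in the F2 line and the O2/O3 entries marked "(file missing)" or "(no file)", written out as a small triage script. This is an added example, not part of the thread and not HijackThis's own code; the sample lines are copied from the posted log (one clean BHO is included for contrast), and the rule names are my own.

```python
import re

# Lines copied from the HijackThis log above; the AcroIEHelper BHO is a clean entry for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\Program\INSTAFINK\instafink.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
"""

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$")
# O2 (BHO) / O3 (toolbar) entries: capture the CLSID and require the missing-file marker at the end.
ORPHAN_RE = re.compile(r"^(O[23]) - .*?(\{[0-9A-Fa-f-]{36}\}).*\((file missing|no file)\)$")

def shell_extras(value):
    """The Shell value should be exactly Explorer.exe. Every other program listed there is
    started with the shell at each logon, which is what the Nail.exe entry relies on."""
    return [p for p in value.split() if p.lower() != "explorer.exe"]

def triage(log_text):
    """Return (rule, clsid_or_None, line) for each log entry that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        m = SHELL_RE.match(line)
        if m and shell_extras(m.group(1)):
            findings.append(("shell-hijack", None, line))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            # The CLSID is the registry key that goes away when the entry is "Fix checked".
            findings.append(("orphaned-" + m.group(1).lower(), m.group(2), line))
    return findings

if __name__ == "__main__":
    for rule, clsid, line in triage(SAMPLE_LOG):
        print(f"[{rule}] {clsid or ''} {line}")
```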
 

Pyotr

New Member
All done. :D What're Spybot, Spywareblaster and Spywareguard? Where do I get them?
Thanks a lot for all this.
 

Buzz1927

Digaredd
Spybot checks for Spyware\adware and provides real-time protection if you enable the "tea-timer" feature. This will stop all kinds of crap from getting on your machine. Spywareblaster has a database of known bad sites, and will stop any downloads etc. from these sites. Spywareguard does a similar job to Spybot tea-timer, just two are better than one. You can download Spybot here.
Spywareblaster from here.
And Spywareguard here.
 