Another coolpics problem (yahoo)

Hi

I hope some kind soul out there can help me and put my mind at rest, i was using Yahoo yesterday and a friend of mine had a link next to their name, yes you guessed it and i clicked on it i have since found out that it was a coolpics link.

When i clicked on the link it opened up a blank window and after about 5 seconds i closed the window, i then tried it again and still the internet explorer window was blank so then just closed it down.

I am not sure if my pc is affected or not as i still have access to the run option on the start bar, task manager still works and my homepage has not changed. I run an avg anti virus check,spybot,avg spyware and adaware and all have come up clean, I also ran a combofix like the other users and here are my results.

Like i said am not sure if my pc is affected, i couldnt look at profiles earlier today on yahoo so uninstalled and reinstalled it and it works ok now, also had a couple of page not found on websites but i think its ok

Can someone please check it for me and put my mind at rest?


"Daz" - 2007-05-24 18:23:16 Service Pack 2
ComboFix 07-05.24.7.V - Running from: "C:\Documents and Settings\Daz\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-24 ))))))))))))))))))))))))))))))))))


2007-05-24 17:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-05-23 17:57 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-23 17:51 0 --a------ C:\WINDOWS\system32\sfsync03.dll
2007-05-23 17:51 0 --a------ C:\WINDOWS\system32\sfsync02.dll
2007-05-23 11:36 <DIR> d-------- C:\DOCUME~1\Daz\APPLIC~1\Prevx
2007-05-23 11:35 77,312 --a------ C:\WINDOWS\ua2.dll
2007-05-15 22:40 <DIR> d-------- C:\cpuz
2007-05-14 16:25 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-05-14 16:25 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-05-14 16:24 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-05-11 23:48 <DIR> d-------- C:\steel
2007-05-11 23:47 <DIR> d-------- C:\steely dan]


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-24 00:31:14 -------- d-----w C:\Program Files\Replay Music
2007-05-23 23:04:51 -------- d-----w C:\Program Files\MSN Messenger
2007-05-21 21:02:08 -------- d-----w C:\Program Files\EPSON Print CD
2007-05-16 15:30:18 -------- d-----w C:\Program Files\Washer
2007-05-16 13:31:02 -------- d-----w C:\DOCUME~1\Daz\APPLIC~1\dvdcss
2007-05-14 15:26:12 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-05-02 23:52:01 -------- d-----w C:\DOCUME~1\Daz\APPLIC~1\.BitTornado
2007-04-22 21:09:06 -------- d-----w C:\Program Files\SpywareBlaster
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-18 06:14:49 -------- d-----w C:\DOCUME~1\Daz\APPLIC~1\Vso
2007-04-07 15:15:19 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-04-07 15:15:19 114,688 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-04-07 15:15:19 -------- d-----w C:\Program Files\OpenAL
2007-04-07 12:39:00 796,672 ----a-w C:\WINDOWS\GPInstall.exe
2007-04-01 17:50:42 -------- d-----w C:\DOCUME~1\Daz\APPLIC~1\teamspeak2
2007-03-26 00:02:32 -------- d-----w C:\Program Files\Winamp
2007-03-25 11:42:14 -------- d-----w C:\Program Files\Teamspeak2_RC2
2007-03-24 22:52:20 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-03-24 22:51:54 -------- d-----w C:\DOCUME~1\Daz\APPLIC~1\InstallShield
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-09 21:36:42 -------- d-----w C:\Program Files\Codemasters
2007-03-08 20:41:31 -------- d-----w C:\Program Files\vso
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-03 16:23:06 407,168 ----a-w C:\WINDOWS\system32\pr2agnqb.exe
2007-02-28 22:25:53 87,608 ----a-w C:\DOCUME~1\Daz\APPLIC~1\ezpinst.exe
2007-02-28 22:25:53 47,360 ----a-w C:\DOCUME~1\Daz\APPLIC~1\pcouffin.sys
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
"EPSON Stylus Photo R220 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.exe" [2005-03-09 05:00]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 17:32]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-21 09:35]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 15:13]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CoreCenter.lnk]
backup=C:\WINDOWS\pss\CoreCenter.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
backup=C:\WINDOWS\pss\NkvMon.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
backup=C:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
"C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
"C:\Program Files\Logitech\Profiler\lwemon.exe" /noui

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070424-175915-785
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab



backup-20070122-221322-937
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll

backup-20061108-223449-550
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab


backup-20061108-223412-855
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm

backup-20061108-222652-194
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - blank (file missing)
********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-24 18:24:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-24 18:25:10
C:\ComboFix-quarantined-files.txt ... 2007-05-24 18:24

--- E O F ---

 

Can you post the link?

Use HXXP://

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

hi

am afraid i cant remember what it was i think it was something like coolpics.myvacation jpg



is my file ok?

 

I don't know how to read those things. Someone else might be able to help.

Besides, your logs might have stuff left over from some other compromise.

Without the link, you can't tell what this particular exploit contained.

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

it looks like i still have a problem as i cant view any profiles when i use the Yahoo messenger

 

Wouldn't there be a record of the link in Internet Explorer's history file?
Rick

 

As Herbalist says, should be a link in your history so you can post it.

I just posted another thread on the coolpix worm. I've examined your posting.. From what I can see, you're not infected with the worm that affected my system..

Check your temp folder.. "/docs and settings/username/local settings/temp" to see if there are any exe files in there running. If there are, they should also show in your task manager list, as active.

My "infection" was definitely aided by the fact I am using an old version of IE and it hasn't been patched in well over a year.. Your browser probably rebuffed the attempt..

 

hi

i looked in the temp folder and there are no exe files in there

unfortuatley i deleted the history so i cant check in there either

what i have noticed is that when i try and use yahoo now and try and view a profile the url is adding http://" before the normal http://profiles.yahoo.com which is why i cant view them, have tried uninstalling and installing but no luck

 

Just guessing here, but maybe the exploit had just a small success with your system, and was able to get into your registry.. I'd search for that string in my registry. If you're not experienced in doing so, nothing to fear in searching for an errant string like that.. If it's relevant, it should be in the keys pertaining to yahoo.

Just go to your start button .. choose run, type: regedit, press ok. Regedit will open. At the top of regedit, highlight "my computer", so the search you will do will search all keys. Then choose edit from the menu up top, then find. Enter the search string "http://%22" without any quotes, and see if it finds anything.. Also search on %22 and 22.com. See if those get any hits.. If you do find anything, it should be in the yahoo keys. If found, the key should be in the right side of the regedit window. Highlight the key, then right click, choose modify.. and erase what is in that key... If you know for sure what to replace it with, do it. If not, close regedit, try again a reinstall of yahoo messenger. It's possible the uninstall routine did not remove that entry.. and it remains.. When you reinstalled it's still there... and redirecting the profile entry.

Good luck