Full Version: py.exe and system32 folder
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
LTek1
Hi, Folks --

I've been reading along for a few weeks, trying to amass the knowledge needed to handle this on my own. However, I still can't identify all of the entries in my HJT log, and would appreciate your help. py.exe is driving me crazy. It is constantly triggering my av software, but I can't seem to get rid of it.

Here's the log:

Logfile of HijackThis v1.97.7
Scan saved at 4:03:58 PM, on 4/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\WebDrive\webdrive.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WebDrive\wdService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinTV\WinTV2K.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.lib.vt.edu:3128
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {369E376A-F440-D9A8-D44E-B68B2B58B89F} - C:\WINDOWS\system32\akruvizl.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E1FB4884-D00D-C95F-1FAC-06C40F54205C} - C:\WINDOWS\system32\chudoigy.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [WebDriveTray] C:\Program Files\WebDrive\webdrive.exe /trayicon
O4 - HKLM\..\Run: [LimeShop] javaw -cp "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7880.6164236111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab


Thanks in advance. The time you guys put into helping others is awesome.
LoPhatPhuud
First:
Remove Lime Shop using Add/Remove Programs. (This is considered spyware; you can get more info here: http://www.kephyr.com/spywarescanner/libra...op/index.phtml)

Second:
Check the following items in HijackThis.
O2 - BHO: (no name) - {369E376A-F440-D9A8-D44E-B68B2B58B89F} - C:\WINDOWS\system32\akruvizl.dll
O2 - BHO: (no name) - {E1FB4884-D00D-C95F-1FAC-06C40F54205C} - C:\WINDOWS\system32\chudoigy.dll

O4 - HKLM\..\Run: [LimeShop] javaw -cp "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

Close all windows except HijackThis and click "Fix checked".

Reboot. (not necessary, but recommended)

Third:
Steps for removal of py.exe:
(Note: you may need to disable your antivirus prior to this because it is a VBS.)
1 - Run updated Ad-Aware to remove IELoader
2 - Go to your Internet Settings Control Panel
3 - Click "General" tab
4 - Click "Settings" under "Temporary Internet Files" area
5 - Click "View Objects"
6 - If an item called "DownloadUL" exists, right click it, and click "Remove"
7 - Close all windows.
8 - Highlight and Copy all the text below between the "============" lines
9 - Open notepad
10 - Paste the copied text into notepad
11 - Save the file to your desktop as a .vbs file
12 - Double click the newly created file on your desktop and step through each prompted step. Be sure to read the alerts for instructions.


'===========================================
' Removal script posted in this thread. It deletes the known loader files,
' removes their Run values, then searches C:\Windows and C:\Windows\System32
' for DLL/EXE files with random eight-letter names and the known sizes,
' asking before each deletion and keeping a renamed backup copy.
' Run it with Windows Script Host by double-clicking the saved .vbs file.
Sub Main()
Set fso = CreateObject("Scripting.FileSystemObject")
Set sys32dir = fso.GetFolder("C:\Windows\System32")
Set sysdir = fso.GetFolder("C:\Windows")
Set wshell = CreateObject("WScript.Shell")
If MsgBox("This script will try to remove zzb.exe and related Trojans. Press 'OK' to continue.", vbOKCancel) = vbCancel Then Exit Sub
'--- Delete loader apps ---
MsgBox "Deleting Trojan executables, ocx's and data files"
If fso.FileExists("C:\Windows\System32\zzb.exe") Then
 fso.DeleteFile "C:\Windows\System32\zzb.exe"
 MsgBox "C:\Windows\System32\zzb.exe DELETED!"
End If
If fso.FileExists("C:\Windows\System32\py.exe") Then
 fso.DeleteFile "C:\Windows\System32\py.exe"
 MsgBox "C:\Windows\System32\py.exe DELETED!"
End If
If fso.FileExists("C:\Windows\System32\msbb.exe") Then
 fso.DeleteFile "C:\Windows\System32\msbb.exe"
 MsgBox "C:\Windows\System32\msbb.exe DELETED!"
End If
If fso.FileExists("C:\Windows\System32\mstbl.ocx") Then
 fso.DeleteFile "C:\Windows\System32\mstbl.ocx"
 MsgBox "C:\Windows\System32\mstbl.ocx DELETED!"
End If
If fso.FileExists("C:\Windows\System32\mslib.dat") Then
 fso.DeleteFile "C:\Windows\System32\mslib.dat"
 MsgBox "C:\Windows\System32\mslib.dat DELETED!"
End If
If fso.FileExists("C:\Windows\System32\mslink32.dat") Then
 fso.DeleteFile "C:\Windows\System32\mslink32.dat"
 MsgBox "C:\Windows\System32\mslink32.dat DELETED!"
End If
If fso.FileExists("C:\Windows\msbb.exe") Then
 fso.DeleteFile "C:\Windows\msbb.exe"
 MsgBox "C:\Windows\msbb.exe DELETED!"
End If
If fso.FileExists("C:\Windows\bridge.exe") Then
 fso.DeleteFile "C:\Windows\bridge.exe"
 MsgBox "C:\Windows\bridge.exe DELETED!"
End If
'--- Clean Registry ---
MsgBox "Cleaning the registry."
On Error Resume Next   ' RegDelete raises an error if the value is already gone
wshell.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zzb"
wshell.RegDelete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zzb"
On Error GoTo 0
'--- Find DLL's ---
MsgBox "Searching for dll files associated with these trojans."
Dim aryFiles
aryFiles = Array()
Dim found
found = 0
Call findSuspectFiles(aryFiles, sysdir, found)
Call findSuspectFiles(aryFiles, sys32dir, found)
MsgBox found & " suspicious files found."
If found = 0 Then Exit Sub
MsgBox "You will now be prompted to confirm whether " & vbCrLf _
 & "or not to delete and unregister each dll. " & vbCrLf _
 & "A backup copy will be created in the current directory " & vbCrLf _
 & "should you decide to restore the files. Use caution when " & vbCrLf _
 & "deleting these files. Any filename that is somewhat comprehensible, do not delete."
On Error Resume Next   ' the backup folder may already exist from an earlier run
fso.CreateFolder ".\RemoveDLL_Backup"
On Error GoTo 0

Dim i, backupName
For i = 0 To UBound(aryFiles)
 If MsgBox("Remove " & aryFiles(i), vbYesNo) = vbYes Then
  ' Backup copy keeps the original name plus a trailing underscore so it cannot load.
  backupName = ".\RemoveDLL_Backup\" & fso.GetFileName(aryFiles(i)) & "_"
  Select Case LCase(fso.GetExtensionName(aryFiles(i)))
   Case "dll"
    ' Unregister the BHO first and wait for regsvr32 to finish before deleting
    ' (the original used Exec, which returns immediately); -s suppresses the dialog.
    wshell.Run "regsvr32 -u -s """ & aryFiles(i) & """", 0, True
    fso.CopyFile aryFiles(i), backupName
    fso.DeleteFile aryFiles(i)
   Case "exe"
    fso.CopyFile aryFiles(i), backupName
    fso.DeleteFile aryFiles(i)
  End Select
 End If
Next
End Sub

' Collect files in folder whose names are exactly eight lowercase letters plus
' .dll or .exe and whose size matches the known Trojan components.
' aryFiles and found are passed by reference, so the caller sees the additions.
Sub findSuspectFiles(aryFiles, folder, found)
Dim regEx, Files
Set regEx = New RegExp
regEx.Pattern = "^[a-z]{8}\.(dll|exe)$"
regEx.IgnoreCase = False
regEx.Global = False
For Each Files In folder.Files
 ' mscories.dll and hostname.exe are legitimate Windows files that match the pattern.
 If regEx.Test(Files.Name) And (Files.Name <> "mscories.dll") And (Files.Name <> "hostname.exe") Then
  Select Case Mid(Files.Name, InStrRev(Files.Name, "."), 4)
   Case ".dll"
    If Files.Size = 106496 Then
     ReDim Preserve aryFiles(UBound(aryFiles) + 1)
     aryFiles(UBound(aryFiles)) = Files.Path
     found = found + 1
    End If
   Case ".exe"
    If Files.Size = 7680 Then
     ReDim Preserve aryFiles(UBound(aryFiles) + 1)
     aryFiles(UBound(aryFiles)) = Files.Path
     found = found + 1
    End If
  End Select
 End If
Next
End Sub

Call Main
'===========================================


Fourth:
Post another HiJackThis log in this thread for final review.
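An added triage example, not from this thread or from HijackThis: a small Python script that applies the same heuristics the helper used on the log above, namely the eight-lowercase-letter file-name pattern from the VBScript for O2 BHO entries in system32, the O4 Run entries with an empty name pointing at a bare folder, and the LimeShop autorun. The sample log is a constructed subset of the first log posted in the thread; the line shapes assume HijackThis v1.97 output.

```python
import re
from dataclasses import dataclass
from typing import List

# Same file-name heuristic as the thread's VBScript: exactly eight lowercase
# letters followed by .dll or .exe (e.g. akruvizl.dll, chudoigy.dll).
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(dll|exe)$")
# HijackThis line shapes this triage understands (O2 BHO and O4 Run entries).
O2_LINE = re.compile(r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

@dataclass
class Finding:
    line: str
    reason: str

def basename(path: str) -> str:
    return path.rstrip().rsplit("\\", 1)[-1]

def triage_hjt(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_LINE.match(line)
        if m:
            path = m.group("path").strip()
            name = basename(path)
            if "system32" in path.lower() and RANDOM_NAME.match(name):
                findings.append(Finding(line, f"BHO with random 8-letter name in system32: {name}"))
            continue
        m = O4_LINE.match(line)
        if m:
            name, cmd, hive = m.group("name"), m.group("cmd").strip(), m.group("hive")
            if name == "" and cmd.endswith("\\"):
                findings.append(Finding(line, f"{hive} Run entry with empty name pointing at a bare folder: {cmd}"))
            elif "limeshop" in cmd.lower():
                findings.append(Finding(line, f"{hive} Run entry for LimeShop (adware named in this thread)"))
    return findings

# Constructed sample: a subset of the first log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {369E376A-F440-D9A8-D44E-B68B2B58B89F} - C:\WINDOWS\system32\akruvizl.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E1FB4884-D00D-C95F-1FAC-06C40F54205C} - C:\WINDOWS\system32\chudoigy.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [LimeShop] javaw -cp "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Paste a full HijackThis log into SAMPLE_LOG (or read it from a file) to get the same five flags the helper raised by hand; entries it does not flag still deserve a look, since the name and size heuristics only catch this particular family.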
LTek1
Thanks. :) Here's an updated log.

:Lee


Logfile of HijackThis v1.97.7
Scan saved at 7:21:11 PM, on 4/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\WebDrive\webdrive.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WebDrive\wdService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.lib.vt.edu:3128
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [WebDriveTray] C:\Program Files\WebDrive\webdrive.exe /trayicon
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7880.6164236111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab
LoPhatPhuud
Great news, your system is clean at last.

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

More info and download is available at:
SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
SpywareGuard: http://www.wilderssecurity.net/spywareguard.html


IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It is free.

More info and download is available at:
IE/Spyad:
http://www.staff.uiuc.edu/~ehowes/resource.htm



Good luck, and thanks for coming to Gladiator Security Forums.

NOTE: This thread is now closed. Should you need it reopened, please PM a mod.
Everyone else having a similar issue, please launch a new topic for yourselves.