View Full Version : Nasty trojan downloader
kellygrl
2007-11-06, 17:52
My sbc online protection keeps popping up every few seconds or so saying file name c\windows\temp win32/vmalum.bcof is being quarantined. I have over 300 quarantined items. I ran spy bot, ad adware, and superantispyware. It finds and fixes the trojans, but then as soon as I turn on my internet the quarantined items keep popping up again. In the last couple of days I have been doing some internet research on the problem and I have run combo fix and sd fix but still the same thing happends. This computer I'm on is strictly for my kids to do thier homework on and do websurfing. I'd hate to trash it. Some help please. Here is the hijack this log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:20 AM, on 11/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\internet explorer\iexplore.exe
D:\Program Files\kelly\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\WUTemp\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {ED646680-F638-4256-3185-E93FCF52AA09} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = D:\WUTemp\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/clients/y/st3_x.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: yayyyax - C:\WINDOWS\
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: IPSEC Services PolicyAgentUMWdf (PolicyAgentUMWdf) - Unknown owner - C:\WINDOWS\System32\SQLSTRh.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
--
End of file - 7853 bytes
I can't run kaspersky cuz its online and my computer locks up. Ran my other antivirus and it finds nothing.
steamwiz
2007-11-06, 20:04
Hi
Either you spelt this wrong, or you are the only one in the world with it :wink::
win32/vmalum.bcof ...
I would like to see the ...
1. superantispyware report
2. C:\ComboFix.txt
3. Report.txt from inside the C:\SDFix folder
steam
kellygrl
2007-11-07, 00:32
It's spelled correctly. I clicked on the link in my realtime protection for more information and here is a copy and paste of it just so there is no mistake. Search term: win32/vmalum.bcof there is no info on it so I dont know.
Anyways here are my reports:
superantispyware
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 11/05/2007 at 09:26 PM
Application Version : 3.9.1008
Core Rules Database Version : 3338
Trace Rules Database Version: 1339
Scan type : Complete Scan
Total Scan Time : 01:38:54
Memory items scanned : 340
Memory threats detected : 0
Registry items scanned : 4700
Registry threats detected : 8
File items scanned : 20948
File threats detected : 5
Parasite.CoolWebSearch Variant
HKLM\Software\Classes\CLSID\{ECAFCABD-0B54-56A6-2583-0145770D2DCB}
HKCR\CLSID\{ECAFCABD-0B54-56A6-2583-0145770D2DCB}
HKCR\CLSID\{ECAFCABD-0B54-56A6-2583-0145770D2DCB}\InprocServer32
HKCR\CLSID\{ECAFCABD-0B54-56A6-2583-0145770D2DCB}\InprocServer32#ThreadingModel
HKCR\CLSID\{ECAFCABD-0B54-56A6-2583-0145770D2DCB}\Programmable
HKCR\CLSID\{ECAFCABD-0B54-56A6-2583-0145770D2DCB}\TypeLib
C:\WINDOWS\SYSTEM32\KIECLPR.DLL
Adware.IncrediFind
HKU\S-1-5-21-1409082233-1580818891-1060284298-1003\Software\Microsoft\Internet Explorer\URLSearchHooks#{0428FFC7-1931-45b7-95CB-3CBB919777E1}
Adware.SearchClickAds
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7564B020-44E8-4c9b-A887-C6EC41AC67DA}
C:\QOOBOX\QUARANTINE\C\WINDOWS\CFG32.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\CFG32A.EXE.VIR
Trojan.Downloader-Gen/Inst2
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\T6\DLWR.EXE.VIR
Adware.ClickSpring
C:\qoobox\Quarantine\C\Documents and Settings\good person\Application Data\CURITY~1\WCRTUP~1.VIR
Combofix:
ComboFix 07-11-05.1 - good person 2007-11-05 11:49:39.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.92 [GMT -5:00]
Running from: C:\Documents and Settings\good person\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\good person\Application Data\CURITY~1
C:\Documents and Settings\good person\Application Data\CURITY~1\w?crtupd.exe
C:\Program Files\Common Files\{185D1~1
C:\Program Files\Common Files\{185D1~2
C:\Program Files\Common Files\{385D1~2
C:\WINDOWS\cfg32.exe
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\dobe~1
C:\WINDOWS\dobe~1\?dobe\
C:\WINDOWS\dobe~1\wucrtupd.exe
C:\WINDOWS\start.exe
C:\WINDOWS\system32\info.txt
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T6\dlwr.exe
C:\WINDOWS\system32\unsvchosts.lzma
.
((((((((((((((((((((((((( Files Created from 2007-10-05 to 2007-11-05 )))))))))))))))))))))))))))))))
.
2007-11-05 11:47 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-04 22:32 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-04 22:10 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-11-04 22:10 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-11-04 22:10 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-11-04 11:53 276,184 --a------ C:\WINDOWS\SYSTEM32\savedump.dll
2007-11-04 11:53 110,296 --a------ C:\Documents and Settings\good person\957123845.exe
2007-11-04 11:53 110,296 --a------ C:\Documents and Settings\good person\957123844.exe
2007-11-04 11:53 110,296 --a------ C:\Documents and Settings\good person\63599.exe
2007-11-04 11:53 110,296 --a------ C:\Documents and Settings\good person\33053.exe
2007-11-04 11:53 10,752 -r-hs---- C:\WINDOWS\SYSTEM32\SQLSTRh.exe
2007-11-04 11:53 185 --ahs---- C:\WINDOWS\SYSTEM32\408753420.dat
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-04-14 16:52 18,512 ----a-w C:\Documents and Settings\good person\Application Data\GDIPFONTCACHEV1.DAT
2003-06-18 21:49 271 --sh--w C:\Program Files\desktop.ini
2003-06-18 21:49 23,357 ---h--w C:\Program Files\folder.htt
2003-07-19 19:08:18 32 --sha-w C:\WINDOWS\{FE013763-BDFB-415B-ADF2-786F69576C6A}.dat
2003-07-19 19:09:06 32 --sha-w C:\WINDOWS\{30502F77-AE96-4AA5-BDAC-BB82AF29F08F}.dat
2003-07-19 19:05:46 32 --sha-w C:\WINDOWS\{D67A6E4B-E068-4DD0-9972-0FAB16F1776F}.dat
2003-07-19 19:05:46 32 --sha-w C:\WINDOWS\{31306A0D-C229-4303-A2AA-8703C046FDB9}.dat
2003-07-19 19:05:46 32 --sha-w C:\WINDOWS\{43929E20-D227-48E2-95AB-5A94237F2307}.dat
2003-07-19 19:07:24 32 --sha-w C:\WINDOWS\{C1BFD2F3-2123-49A6-98BC-D46AE0F5AA6C}.dat
2003-07-19 19:05:46 32 --sha-w C:\WINDOWS\SYSTEM32\{EDF195EE-85B8-4B77-BAF2-496C3D7E7130}.dat
2003-07-19 19:05:46 32 --sha-w C:\WINDOWS\SYSTEM32\{591C05D3-B599-4FFD-AAFF-706720D12D0C}.dat
2003-07-19 19:05:46 32 --sha-w C:\WINDOWS\SYSTEM32\{18968F8C-0AF8-44D8-B177-B53642E1EEEF}.dat
2003-07-19 19:07:24 32 --sha-w C:\WINDOWS\SYSTEM32\{8C2BCAA7-5A95-4BE5-9018-DC4C87304B19}.dat
2003-07-19 19:08:18 32 --sha-w C:\WINDOWS\SYSTEM32\{36DDB8CA-07F2-42A4-BF71-50C6AFEF86C1}.dat
2003-07-19 19:09:06 32 --sha-w C:\WINDOWS\SYSTEM32\{67CE7592-DF08-4D89-8400-016671C253F4}.dat
2003-07-30 06:23:26 8 --sh--w C:\WINDOWS\DRM\pdrm.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED646680-F638-4256-3185-E93FCF52AA09}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2001-08-23 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Lexmark X5100 Series"="C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 08:49]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2005-12-03 18:30]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2005-12-03 18:30]
"YOP"="C:\PROGRA~1\YAHOO!\YOP\yop.exe" [2005-04-22 19:49]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49]
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - D:\WUTemp\Office\OSA9.EXE [2000-01-21 04:15:54]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayyyax]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
S2 PolicyAgentUMWdf;IPSEC Services PolicyAgentUMWdf;C:\WINDOWS\System32\SQLSTRh.exe srv
S3 DCamUSBUVT;ICM532A;C:\WINDOWS\System32\Drivers\usbuvt.sys
S3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\System32\Drivers\NPDRIVER.SYS
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\System32\DRIVERS\NtApm.sys
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-04 04:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2007-11-05 02:55:02 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
"2007-11-02 22:30:02 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
"2007-11-05 16:52:02 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-05 11:53:44
Windows 5.1.2600 Service Pack 1 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-05 11:55:33
.
--- E O F ---
sdfix:
SDFix: Version 1.113
Run by good person on Mon 11/05/2007 at 02:53 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\system32\drivers\kcp.sys - Deleted
C:\WINDOWS\system32\form.txt - Deleted
C:\WINDOWS\system32\mstscex.dll - Deleted
C:\WINDOWS\system32\oleauth32.dll - Deleted
C:\WINDOWS\tcb.pmw - Deleted
C:\WINDOWS\Temp\0wl.tmp - Deleted
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-05 14:59:48
Windows 5.1.2600 Service Pack 1 FAT NTAPI
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
Remaining Files:
---------------
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
Wed 18 Jun 2003 194 ..SH. --- "C:\AUTOEXEC.BAK"
Sun 4 Nov 2007 10,752 ..SHR --- "C:\WINDOWS\SYSTEM32\SQLSTRh.exe"
Wed 30 Jul 2003 401 ..SH. --- "C:\WINDOWS\DRM\DRMv13.bak"
Wed 30 Jul 2003 4,348 ..SH. --- "C:\WINDOWS\DRM\DRMv1.bak"
Mon 11 Apr 2005 48 ..SH. --- "C:\WINDOWS\DRM\v2ks.sec.bak"
Mon 11 Apr 2005 400 ..SH. --- "C:\WINDOWS\DRM\v2ks.bla.bak"
Thu 29 Aug 2002 77,824 ...H. --- "C:\Program Files\MSN\msnupdate!@#@.exe"
Fri 12 Sep 2003 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Fri 12 Sep 2003 12,888 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Thu 15 May 2003 43,008 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Mon 17 Apr 2006 6,716,416 ...H. --- "C:\Documents and Settings\good person\Application Data\Microsoft\Word\~WRL0004.tmp"
Finished!
Thanx
Kelly
steamwiz
2007-11-07, 21:31
Hi
You say that the file with this description (win32/vmalum.bcof) is being found in the c\windows\temp folder ...
What is/are the name/names of the files ?
You can learn a lot from the name ...
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..
Pay particular attention to this :-
Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\SYSTEM32\savedump.dll
C:\Documents and Settings\good person\957123845.exe
C:\Documents and Settings\good person\957123844.exe
C:\Documents and Settings\good person\63599.exe
C:\Documents and Settings\good person\33053.exe
C:\WINDOWS\SYSTEM32\SQLSTRh.exe
C:\WINDOWS\SYSTEM32\408753420.dat
C:\WINDOWS\{FE013763-BDFB-415B-ADF2-786F69576C6A}.dat
C:\WINDOWS\{30502F77-AE96-4AA5-BDAC-BB82AF29F08F}.dat
C:\WINDOWS\{D67A6E4B-E068-4DD0-9972-0FAB16F1776F}.dat
C:\WINDOWS\{31306A0D-C229-4303-A2AA-8703C046FDB9}.dat
C:\WINDOWS\{43929E20-D227-48E2-95AB-5A94237F2307}.dat
C:\WINDOWS\{C1BFD2F3-2123-49A6-98BC-D46AE0F5AA6C}.dat
C:\WINDOWS\SYSTEM32\{EDF195EE-85B8-4B77-BAF2-496C3D7E7130}.dat
C:\WINDOWS\SYSTEM32\{591C05D3-B599-4FFD-AAFF-706720D12D0C}.dat
C:\WINDOWS\SYSTEM32\{18968F8C-0AF8-44D8-B177-B53642E1EEEF}.dat
C:\WINDOWS\SYSTEM32\{8C2BCAA7-5A95-4BE5-9018-DC4C87304B19}.dat
C:\WINDOWS\SYSTEM32\{36DDB8CA-07F2-42A4-BF71-50C6AFEF86C1}.dat
C:\WINDOWS\SYSTEM32\{67CE7592-DF08-4D89-8400-016671C253F4}.dat
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED646680-F638-4256-3185-E93FCF52AA09}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayyyax]
Save this as "CFScript.txt"
Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
steam
kellygrl
2007-11-08, 00:41
I will give just a few examples of the file names on my quantine item log.
2653416419.exe
1652847269.exe
2931057367.exe
3519774125.exe
They keep popping up every 2 seconds or so when the internet is on. Each of them seem to be a different number. Right now I have over 200 just from yesterday. I'm going to do the combo fix thing. Right now I'm on my laptop next to the bad computer. I try to be connected to the internet as little as possible on it.
kellygrl
2007-11-08, 02:02
Ok. I tried to do what you said to do with the combo.fix twice. It starts up as nomal but when it goes to reboot nothing happends. The time is still wrong on my computer clock and there is no log. Now including the other stuff on my realtime protection something new is popping up
file name c:\windows\temp\372689655.exe is Win32/Harnig!generictrojan
So here is my hijack this log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:20, on 2007-11-07
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
D:\Program Files\kelly\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\WUTemp\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {ED646680-F638-4256-3185-E93FCF52AA09} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = D:\WUTemp\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/clients/y/st3_x.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: yayyyax - C:\WINDOWS\
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: IPSEC Services PolicyAgentUMWdf (PolicyAgentUMWdf) - Unknown owner - C:\WINDOWS\System32\SQLSTRh.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
--
End of file - 7799 bytes
steamwiz
2007-11-08, 21:32
Hi
1. have a look here & see if you have any new Combofix logs :-
C:\ComboFix.txt
you may see ...
C:\ComboFix.txt
C:\ComboFix1.txt
C:\ComboFix2.txt
The one without the number will be the latest, if you only have the one, then as you say, no new logs have been created ... but if you see more than one, the post the one without the number, as it will be the latest ...
-
2. I want you to get a couple of files scanned for me ...
Please go here and upload this file ...
C:\WINDOWS\System32\SQLSTRh.exe
http://www.virustotal.com/flash/index_en.html
Click the browse button & browse to the file on your computer
Post back the results ... right click on the page > select all
right click again copy
post the results in your next post here...
then do the same for one of these random numbered files ...
browse to the c:\windows\temp\ folder & upload any of the random numbered files ...
c:\windows\temp\372689655.exe
post the results in your next post here...
-
3. Disconnect from the internet Close ALL browser windows (including this one) - run hijackthis and tick to fix (check the box next to) the list below.........when all are ticked (checked) click the Fix Checked button at the bottom. :-
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - (no file)
O2 - BHO: (no name) - {ED646680-F638-4256-3185-E93FCF52AA09} - (no file)
O20 - Winlogon Notify: yayyyax - C:\WINDOWS\
-
4. REBOOT
1. Download and unzip Avenger (by Swandog46) to your desktop. > http://swandog46.geekstogo.com/avenger.zip
2. Double click the Avenger.exe file
3. Click OK
4. Select Input script manually
5. Click the Magnifying Glass icon
6. Highlight the text in the code box below, & copy and paste it into the View/edit script box
Files to delete:
C:\WINDOWS\SYSTEM32\savedump.dll
C:\Documents and Settings\good person\957123845.exe
C:\Documents and Settings\good person\957123844.exe
C:\Documents and Settings\good person\63599.exe
C:\Documents and Settings\good person\33053.exe
C:\WINDOWS\SYSTEM32\408753420.dat
C:\WINDOWS\{FE013763-BDFB-415B-ADF2-786F69576C6A}.dat
C:\WINDOWS\{30502F77-AE96-4AA5-BDAC-BB82AF29F08F}.dat
C:\WINDOWS\{D67A6E4B-E068-4DD0-9972-0FAB16F1776F}.dat
C:\WINDOWS\{31306A0D-C229-4303-A2AA-8703C046FDB9}.dat
C:\WINDOWS\{43929E20-D227-48E2-95AB-5A94237F2307}.dat
C:\WINDOWS\{C1BFD2F3-2123-49A6-98BC-D46AE0F5AA6C}.dat
C:\WINDOWS\SYSTEM32\{EDF195EE-85B8-4B77-BAF2-496C3D7E7130}.dat
C:\WINDOWS\SYSTEM32\{591C05D3-B599-4FFD-AAFF-706720D12D0C}.dat
C:\WINDOWS\SYSTEM32\{18968F8C-0AF8-44D8-B177-B53642E1EEEF}.dat
C:\WINDOWS\SYSTEM32\{8C2BCAA7-5A95-4BE5-9018-DC4C87304B19}.dat
C:\WINDOWS\SYSTEM32\{36DDB8CA-07F2-42A4-BF71-50C6AFEF86C1}.dat
C:\WINDOWS\SYSTEM32\{67CE7592-DF08-4D89-8400-016671C253F4}.dat
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
7. Click Done
8. Click the Traffic Light icon to start the program.
9. click Yes to execute the script and click Yes when asked to reboot your computer
10. Post the contents of the file C:\Avenger.txt
After the reboot... run hijackthis & post a new log .....
Don't forget to Post the contents of the file C:\Avenger.txt
steam
---
kellygrl
2007-11-09, 03:55
1. I double checked the combofix log. I have a combofix 2 but not a reg combofix. My time is still wrong on my computer clock.
2. Scanned those files.
the first one you asked the system32 one nothing happened just came up
0 bytes size received / Se ha recibido un archivo vacio
May I add that the date that it was created was the day I got this virus.
the second one was the random number file and here is the copy:
| Slovenščina | Dansk | Русский | Română | Türkçe | Nederlands | Ελληνικά | Français | Svenska | Português | Italiano | | | Magyar | Deutsch | Česky | Polski | Español
Virustotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. More information...
File 2826086077.exe received on 11.09.2007 02:38:30 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 9/32 (28.13%)
Loading server information...
Your file is queued in position: 4.
Estimated start time is between 47 and 68 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
AhnLab-V3 2007.11.9.0 2007.11.09 -
AntiVir 7.6.0.34 2007.11.08 TR/Crypt.Morphine.Gen
Authentium 4.93.8 2007.11.07 -
Avast 4.7.1074.0 2007.11.08 -
AVG 7.5.0.503 2007.11.08 -
BitDefender 7.2 2007.11.09 -
CAT-QuickHeal 9.00 2007.11.08 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.11.09 -
DrWeb 4.44.0.09170 2007.11.08 Trojan.Sentinel.origin
eSafe 7.0.15.0 2007.11.08 Suspicious File
eTrust-Vet 31.2.5281 2007.11.08 -
Ewido 4.0 2007.11.08 -
FileAdvisor 1 2007.11.09 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.07 -
F-Secure 6.70.13030.0 2007.11.09 Trojan-Spy.Win32.BZub.bty
Ikarus T3.1.1.12 2007.11.09 -
Kaspersky 7.0.0.125 2007.11.09 Trojan-Spy.Win32.BZub.bty
McAfee 5159 2007.11.08 New Malware.bl
Microsoft 1.3007 2007.11.09 -
NOD32v2 2647 2007.11.09 -
Norman 5.80.02 2007.11.08 -
Panda 9.0.0.4 2007.11.09 Suspicious file
Prevx1 V2 2007.11.09 -
Rising 20.17.32.00 2007.11.08 -
Sophos 4.23.0 2007.11.09 -
Sunbelt 2.2.907.0 2007.11.08 -
Symantec 10 2007.11.09 -
TheHacker 6.2.9.120 2007.11.08 -
VBA32 3.12.2.4 2007.11.08 -
VirusBuster 4.3.26:9 2007.11.08 -
Webwasher-Gateway 6.0.1 2007.11.09 Trojan.Crypt.Morphine.Gen
Additional information
File size: 165376 bytes
MD5: 206c1c5e31b18d8f8730e65fb3f2f2ef
SHA1: dbbeb848425aaeeed53f9898f5e39c652512a738
ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
VirusTotal © Hispasec Sistemas - Blog - Contact: info@virustotal.com
I am going going to disconnect now from the internet and run hijack this and I repost the log.
kellygrl
2007-11-09, 05:07
Ok here it is.
avenger:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\dxftulsi
*******************
Script file located at: \??\C:\Documents and Settings\nwbvqouj.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\SYSTEM32\savedump.dll not found!
Deletion of file C:\WINDOWS\SYSTEM32\savedump.dll failed!
Could not process line:
C:\WINDOWS\SYSTEM32\savedump.dll
Status: 0xc0000034
File C:\Documents and Settings\good person\957123845.exe not found!
Deletion of file C:\Documents and Settings\good person\957123845.exe failed!
Could not process line:
C:\Documents and Settings\good person\957123845.exe
Status: 0xc0000034
File C:\Documents and Settings\good person\957123844.exe not found!
Deletion of file C:\Documents and Settings\good person\957123844.exe failed!
Could not process line:
C:\Documents and Settings\good person\957123844.exe
Status: 0xc0000034
File C:\Documents and Settings\good person\63599.exe not found!
Deletion of file C:\Documents and Settings\good person\63599.exe failed!
Could not process line:
C:\Documents and Settings\good person\63599.exe
Status: 0xc0000034
File C:\Documents and Settings\good person\33053.exe not found!
Deletion of file C:\Documents and Settings\good person\33053.exe failed!
Could not process line:
C:\Documents and Settings\good person\33053.exe
Status: 0xc0000034
File C:\WINDOWS\SYSTEM32\408753420.dat deleted successfully.
File C:\WINDOWS\{FE013763-BDFB-415B-ADF2-786F69576C6A}.dat not found!
Deletion of file C:\WINDOWS\{FE013763-BDFB-415B-ADF2-786F69576C6A}.dat failed!
Could not process line:
C:\WINDOWS\{FE013763-BDFB-415B-ADF2-786F69576C6A}.dat
Status: 0xc0000034
File C:\WINDOWS\{30502F77-AE96-4AA5-BDAC-BB82AF29F08F}.dat not found!
Deletion of file C:\WINDOWS\{30502F77-AE96-4AA5-BDAC-BB82AF29F08F}.dat failed!
Could not process line:
C:\WINDOWS\{30502F77-AE96-4AA5-BDAC-BB82AF29F08F}.dat
Status: 0xc0000034
File C:\WINDOWS\{D67A6E4B-E068-4DD0-9972-0FAB16F1776F}.dat not found!
Deletion of file C:\WINDOWS\{D67A6E4B-E068-4DD0-9972-0FAB16F1776F}.dat failed!
Could not process line:
C:\WINDOWS\{D67A6E4B-E068-4DD0-9972-0FAB16F1776F}.dat
Status: 0xc0000034
File C:\WINDOWS\{31306A0D-C229-4303-A2AA-8703C046FDB9}.dat not found!
Deletion of file C:\WINDOWS\{31306A0D-C229-4303-A2AA-8703C046FDB9}.dat failed!
Could not process line:
C:\WINDOWS\{31306A0D-C229-4303-A2AA-8703C046FDB9}.dat
Status: 0xc0000034
File C:\WINDOWS\{43929E20-D227-48E2-95AB-5A94237F2307}.dat not found!
Deletion of file C:\WINDOWS\{43929E20-D227-48E2-95AB-5A94237F2307}.dat failed!
Could not process line:
C:\WINDOWS\{43929E20-D227-48E2-95AB-5A94237F2307}.dat
Status: 0xc0000034
File C:\WINDOWS\{C1BFD2F3-2123-49A6-98BC-D46AE0F5AA6C}.dat not found!
Deletion of file C:\WINDOWS\{C1BFD2F3-2123-49A6-98BC-D46AE0F5AA6C}.dat failed!
Could not process line:
C:\WINDOWS\{C1BFD2F3-2123-49A6-98BC-D46AE0F5AA6C}.dat
Status: 0xc0000034
File C:\WINDOWS\SYSTEM32\{EDF195EE-85B8-4B77-BAF2-496C3D7E7130}.dat not found!
Deletion of file C:\WINDOWS\SYSTEM32\{EDF195EE-85B8-4B77-BAF2-496C3D7E7130}.dat failed!
Could not process line:
C:\WINDOWS\SYSTEM32\{EDF195EE-85B8-4B77-BAF2-496C3D7E7130}.dat
Status: 0xc0000034
File C:\WINDOWS\SYSTEM32\{591C05D3-B599-4FFD-AAFF-706720D12D0C}.dat not found!
Deletion of file C:\WINDOWS\SYSTEM32\{591C05D3-B599-4FFD-AAFF-706720D12D0C}.dat failed!
Could not process line:
C:\WINDOWS\SYSTEM32\{591C05D3-B599-4FFD-AAFF-706720D12D0C}.dat
Status: 0xc0000034
File C:\WINDOWS\SYSTEM32\{18968F8C-0AF8-44D8-B177-B53642E1EEEF}.dat not found!
Deletion of file C:\WINDOWS\SYSTEM32\{18968F8C-0AF8-44D8-B177-B53642E1EEEF}.dat failed!
Could not process line:
C:\WINDOWS\SYSTEM32\{18968F8C-0AF8-44D8-B177-B53642E1EEEF}.dat
Status: 0xc0000034
File C:\WINDOWS\SYSTEM32\{8C2BCAA7-5A95-4BE5-9018-DC4C87304B19}.dat not found!
Deletion of file C:\WINDOWS\SYSTEM32\{8C2BCAA7-5A95-4BE5-9018-DC4C87304B19}.dat failed!
Could not process line:
C:\WINDOWS\SYSTEM32\{8C2BCAA7-5A95-4BE5-9018-DC4C87304B19}.dat
Status: 0xc0000034
File C:\WINDOWS\SYSTEM32\{36DDB8CA-07F2-42A4-BF71-50C6AFEF86C1}.dat not found!
Deletion of file C:\WINDOWS\SYSTEM32\{36DDB8CA-07F2-42A4-BF71-50C6AFEF86C1}.dat failed!
Could not process line:
C:\WINDOWS\SYSTEM32\{36DDB8CA-07F2-42A4-BF71-50C6AFEF86C1}.dat
Status: 0xc0000034
File C:\WINDOWS\SYSTEM32\{67CE7592-DF08-4D89-8400-016671C253F4}.dat not found!
Deletion of file C:\WINDOWS\SYSTEM32\{67CE7592-DF08-4D89-8400-016671C253F4}.dat failed!
Could not process line:
C:\WINDOWS\SYSTEM32\{67CE7592-DF08-4D89-8400-016671C253F4}.dat
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
Hijack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:02, on 2007-11-08
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\kelly\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\WUTemp\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {ED646680-F638-4256-3185-E93FCF52AA09} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = D:\WUTemp\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/clients/y/st3_x.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: yayyyax - C:\WINDOWS\
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: IPSEC Services PolicyAgentUMWdf (PolicyAgentUMWdf) - Unknown owner - C:\WINDOWS\System32\SQLSTRh.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
--
End of file - 7308 bytes
Thanx
kelly
steamwiz
2007-11-09, 21:49
HI
Do you have this file ?
C:\Combofix-quarantined-files.txt
If you have it, please copy & paste it into your next post...
-
go to Start > Run and type Services.msc > click OK
Scroll down and find the service called IPSEC Services PolicyAgentUMWdf
double-click on it
click the Stop button
change the Startup Type to Disabled
click Apply and then OK and close any open windows
REBOOT
-
Delete the Combofix.exe file from your desktop ... download the newest version (it's updated almost daily)
Please download Combofix: http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
and save to the desktop.
1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.
Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.
steam
kellygrl
2007-11-10, 01:12
ok.
So last night I was trying to figure out why combofix wasn't working when it would restart my computer. I thought it might have to do with my spy-bot sd resident being on. I disabled it and ran combofix again with that cfscript thing you said. The computer restarted and when I put my internet on I wasn't receiving a bunch of virus alerts. I couldn't find the log though.
So right now when I was looking for the C:\Combofix-quarantined-files.txt I found the log to the one I ran last night.
here it is:
ComboFix 07-11-05.1 - good person 2007-11-08 21:46:37.7 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.72 [GMT -5:00]
Running from: C:\Documents and Settings\good person\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\good person\Desktop\CFScript_used_2007-11-07@17.58_used_2007-11-07@18.38_used_2007-11-08@21.22_used_2007-11-08@21.33.txt
* Created a new restore point
FILE::
C:\Documents and Settings\good person\33053.exe
C:\Documents and Settings\good person\63599.exe
C:\Documents and Settings\good person\957123844.exe
C:\Documents and Settings\good person\957123845.exe
C:\WINDOWS\{30502F77-AE96-4AA5-BDAC-BB82AF29F08F}.dat
C:\WINDOWS\{31306A0D-C229-4303-A2AA-8703C046FDB9}.dat
C:\WINDOWS\{43929E20-D227-48E2-95AB-5A94237F2307}.dat
C:\WINDOWS\{C1BFD2F3-2123-49A6-98BC-D46AE0F5AA6C}.dat
C:\WINDOWS\{D67A6E4B-E068-4DD0-9972-0FAB16F1776F}.dat
C:\WINDOWS\{FE013763-BDFB-415B-ADF2-786F69576C6A}.dat
C:\WINDOWS\SYSTEM32\{18968F8C-0AF8-44D8-B177-B53642E1EEEF}.dat
C:\WINDOWS\SYSTEM32\{36DDB8CA-07F2-42A4-BF71-50C6AFEF86C1}.dat
C:\WINDOWS\SYSTEM32\{591C05D3-B599-4FFD-AAFF-706720D12D0C}.dat
C:\WINDOWS\SYSTEM32\{67CE7592-DF08-4D89-8400-016671C253F4}.dat
C:\WINDOWS\SYSTEM32\{8C2BCAA7-5A95-4BE5-9018-DC4C87304B19}.dat
C:\WINDOWS\SYSTEM32\{EDF195EE-85B8-4B77-BAF2-496C3D7E7130}.dat
C:\WINDOWS\SYSTEM32\408753420.dat
C:\WINDOWS\SYSTEM32\savedump.dll
C:\WINDOWS\SYSTEM32\SQLSTRh.exe
.
I cannot find a Combofix-quarantined-files.txt, but what I do have is a ComboDel.txt:
Files to Move:
C:\WINDOWS\SYSTEM32\408753420.dat|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\408753420.dat.vir
C:\WINDOWS\SYSTEM32\SQLSTRh.exe|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\SQLSTRh.exe.vir
C:\WINDOWS\SYSTEM32\408753420.dat|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\408753420.dat.vir
C:\WINDOWS\SYSTEM32\SQLSTRh.exe|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\SQLSTRh.exe.vir
C:\WINDOWS\SYSTEM32\408753420.dat|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\408753420.dat.vir
C:\WINDOWS\SYSTEM32\SQLSTRh.exe|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\SQLSTRh.exe.vir
C:\WINDOWS\SYSTEM32\408753420.dat|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\408753420.dat.vir
C:\WINDOWS\SYSTEM32\SQLSTRh.exe|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\SQLSTRh.exe.vir
C:\WINDOWS\SYSTEM32\408753420.dat|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\408753420.dat.vir
C:\WINDOWS\SYSTEM32\SQLSTRh.exe|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\SQLSTRh.exe.vir
C:\WINDOWS\SYSTEM32\408753420.dat|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\408753420.dat.vir
C:\WINDOWS\SYSTEM32\SQLSTRh.exe|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\SQLSTRh.exe.vir
I disabled the IPSEC services and deleted combofix. I'm not sure if I am completely disinfected yet. I will download the new combofix and post a log.
kellygrl
2007-11-10, 01:12
ok.
So last night I was trying to figure out why combofix wasn't working when it would restart my computer. I thought it might have to do with my spy-bot sd resident being on. I disabled it and ran combofix again with that cfscript thing you said. The computer restarted and when I put my internet on I wasn't receiving a bunch of virus alerts. I couldn't find the log though.
So right now when I was looking for the C:\Combofix-quarantined-files.txt I found the log to the one I ran last night.
here it is:
ComboFix 07-11-05.1 - good person 2007-11-08 21:46:37.7 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.72 [GMT -5:00]
Running from: C:\Documents and Settings\good person\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\good person\Desktop\CFScript_used_2007-11-07@17.58_used_2007-11-07@18.38_used_2007-11-08@21.22_used_2007-11-08@21.33.txt
* Created a new restore point
FILE::
C:\Documents and Settings\good person\33053.exe
C:\Documents and Settings\good person\63599.exe
C:\Documents and Settings\good person\957123844.exe
C:\Documents and Settings\good person\957123845.exe
C:\WINDOWS\{30502F77-AE96-4AA5-BDAC-BB82AF29F08F}.dat
C:\WINDOWS\{31306A0D-C229-4303-A2AA-8703C046FDB9}.dat
C:\WINDOWS\{43929E20-D227-48E2-95AB-5A94237F2307}.dat
C:\WINDOWS\{C1BFD2F3-2123-49A6-98BC-D46AE0F5AA6C}.dat
C:\WINDOWS\{D67A6E4B-E068-4DD0-9972-0FAB16F1776F}.dat
C:\WINDOWS\{FE013763-BDFB-415B-ADF2-786F69576C6A}.dat
C:\WINDOWS\SYSTEM32\{18968F8C-0AF8-44D8-B177-B53642E1EEEF}.dat
C:\WINDOWS\SYSTEM32\{36DDB8CA-07F2-42A4-BF71-50C6AFEF86C1}.dat
C:\WINDOWS\SYSTEM32\{591C05D3-B599-4FFD-AAFF-706720D12D0C}.dat
C:\WINDOWS\SYSTEM32\{67CE7592-DF08-4D89-8400-016671C253F4}.dat
C:\WINDOWS\SYSTEM32\{8C2BCAA7-5A95-4BE5-9018-DC4C87304B19}.dat
C:\WINDOWS\SYSTEM32\{EDF195EE-85B8-4B77-BAF2-496C3D7E7130}.dat
C:\WINDOWS\SYSTEM32\408753420.dat
C:\WINDOWS\SYSTEM32\savedump.dll
C:\WINDOWS\SYSTEM32\SQLSTRh.exe
.
I cannot find a Combofix-quarantined-files.txt, but what I do have is a ComboDel.txt:
Files to Move:
C:\WINDOWS\SYSTEM32\408753420.dat|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\408753420.dat.vir
C:\WINDOWS\SYSTEM32\SQLSTRh.exe|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\SQLSTRh.exe.vir
C:\WINDOWS\SYSTEM32\408753420.dat|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\408753420.dat.vir
C:\WINDOWS\SYSTEM32\SQLSTRh.exe|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\SQLSTRh.exe.vir
C:\WINDOWS\SYSTEM32\408753420.dat|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\408753420.dat.vir
C:\WINDOWS\SYSTEM32\SQLSTRh.exe|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\SQLSTRh.exe.vir
C:\WINDOWS\SYSTEM32\408753420.dat|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\408753420.dat.vir
C:\WINDOWS\SYSTEM32\SQLSTRh.exe|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\SQLSTRh.exe.vir
C:\WINDOWS\SYSTEM32\408753420.dat|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\408753420.dat.vir
C:\WINDOWS\SYSTEM32\SQLSTRh.exe|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\SQLSTRh.exe.vir
C:\WINDOWS\SYSTEM32\408753420.dat|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\408753420.dat.vir
C:\WINDOWS\SYSTEM32\SQLSTRh.exe|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\SQLSTRh.exe.vir
I disabled the IPSEC services and deleted combofix. I'm not sure if I am completely disinfected yet. I will download the new combofix and post a log.
kellygrl
2007-11-10, 01:36
don't know why the last post posted twice.
Here is my new log:
ComboFix 07-11-08.3 - good person 2007-11-09 18:21:12.8 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.102 [GMT -5:00]
Running from: C:\Documents and Settings\good person\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\good person\33053.exe
C:\Documents and Settings\good person\63599.exe
C:\Documents and Settings\good person\957123844.exe
C:\Documents and Settings\good person\957123845.exe
C:\WINDOWS\{30502F77-AE96-4AA5-BDAC-BB82AF29F08F}.dat
C:\WINDOWS\{31306A0D-C229-4303-A2AA-8703C046FDB9}.dat
C:\WINDOWS\{43929E20-D227-48E2-95AB-5A94237F2307}.dat
C:\WINDOWS\{C1BFD2F3-2123-49A6-98BC-D46AE0F5AA6C}.dat
C:\WINDOWS\{D67A6E4B-E068-4DD0-9972-0FAB16F1776F}.dat
C:\WINDOWS\{FE013763-BDFB-415B-ADF2-786F69576C6A}.dat
C:\WINDOWS\SYSTEM32\{18968F8C-0AF8-44D8-B177-B53642E1EEEF}.dat
C:\WINDOWS\SYSTEM32\{36DDB8CA-07F2-42A4-BF71-50C6AFEF86C1}.dat
C:\WINDOWS\SYSTEM32\{591C05D3-B599-4FFD-AAFF-706720D12D0C}.dat
C:\WINDOWS\SYSTEM32\{67CE7592-DF08-4D89-8400-016671C253F4}.dat
C:\WINDOWS\SYSTEM32\{8C2BCAA7-5A95-4BE5-9018-DC4C87304B19}.dat
C:\WINDOWS\SYSTEM32\{EDF195EE-85B8-4B77-BAF2-496C3D7E7130}.dat
C:\WINDOWS\SYSTEM32\408753420.dat
C:\WINDOWS\system32\drivers\hokmbodb.dat
C:\WINDOWS\system32\msdar.dll
C:\WINDOWS\SYSTEM32\savedump.dll
C:\WINDOWS\SYSTEM32\SQLSTRh.exe
C:\WINDOWS\Temp\1709639923.exe
C:\WINDOWS\Temp\1791792229.exe
C:\WINDOWS\Temp\2755977339.exe
C:\WINDOWS\Temp\2826086077.exe
.
---- Previous Run -------
.
C:\Documents and Settings\good person\33053.exe
C:\Documents and Settings\good person\63599.exe
C:\Documents and Settings\good person\957123844.exe
C:\Documents and Settings\good person\957123845.exe
C:\WINDOWS\{30502F77-AE96-4AA5-BDAC-BB82AF29F08F}.dat
C:\WINDOWS\{31306A0D-C229-4303-A2AA-8703C046FDB9}.dat
C:\WINDOWS\{43929E20-D227-48E2-95AB-5A94237F2307}.dat
C:\WINDOWS\{C1BFD2F3-2123-49A6-98BC-D46AE0F5AA6C}.dat
C:\WINDOWS\{D67A6E4B-E068-4DD0-9972-0FAB16F1776F}.dat
C:\WINDOWS\{FE013763-BDFB-415B-ADF2-786F69576C6A}.dat
C:\WINDOWS\SYSTEM32\{18968F8C-0AF8-44D8-B177-B53642E1EEEF}.dat
C:\WINDOWS\SYSTEM32\{36DDB8CA-07F2-42A4-BF71-50C6AFEF86C1}.dat
C:\WINDOWS\SYSTEM32\{591C05D3-B599-4FFD-AAFF-706720D12D0C}.dat
C:\WINDOWS\SYSTEM32\{67CE7592-DF08-4D89-8400-016671C253F4}.dat
C:\WINDOWS\SYSTEM32\{8C2BCAA7-5A95-4BE5-9018-DC4C87304B19}.dat
C:\WINDOWS\SYSTEM32\{EDF195EE-85B8-4B77-BAF2-496C3D7E7130}.dat
C:\WINDOWS\system32\drivers\hokmbodb.dat
C:\WINDOWS\system32\msdar.dll
C:\WINDOWS\SYSTEM32\savedump.dll
C:\WINDOWS\Temp\1709639923.exe
C:\WINDOWS\Temp\1791792229.exe
C:\WINDOWS\Temp\2755977339.exe
C:\WINDOWS\Temp\2826086077.exe
.
((((((((((((((((((((((((( Files Created from 2007-10-09 to 2007-11-09 )))))))))))))))))))))))))))))))
.
2007-11-05 19:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-05 19:41 <DIR> d-------- C:\Documents and Settings\good person\Application Data\SUPERAntiSpyware.com
2007-11-05 19:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-05 19:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-05 14:53 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-05 14:36 <DIR> d-------- C:\VundoFix Backups
2007-11-05 11:47 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-04 22:32 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-04 22:10 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-11-04 22:10 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-11-04 22:10 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-04-14 16:52 18,512 ----a-w C:\Documents and Settings\good person\Application Data\GDIPFONTCACHEV1.DAT
2003-06-18 21:49 271 --sh--w C:\Program Files\desktop.ini
2003-06-18 21:49 23,357 ---h--w C:\Program Files\folder.htt
2003-07-30 06:23:26 8 --sh--w C:\WINDOWS\DRM\pdrm.dat
.
((((((((((((((((((((((((((((( snapshot@2007-11-05_11.54.03.34 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-29 23:56:20 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-08 21:59:02 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-03-13 15:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
+ 2007-11-03 23:46:50 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-11-05 19:53:34 6,430,720 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-11-05 19:53:34 98,304 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-11-03 23:46:50 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-11-05 19:53:26 6,430,720 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2007-11-05 19:53:26 98,304 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2007-11-06 00:41:20 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-11-06 00:41:20 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-11-06 00:41:20 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2007-11-05 03:25:10 16,384 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
+ 2007-11-09 21:50:58 16,384 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
- 2007-11-05 03:25:10 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-09 21:50:58 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-11-05 03:29:22 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-09 21:50:58 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-11-05 16:49:22 262,144 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\NtUser.dat
+ 2007-11-09 23:20:46 262,144 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\NtUser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Lexmark X5100 Series"="C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 08:49]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2005-12-03 18:30]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2005-12-03 18:30]
"YOP"="C:\PROGRA~1\YAHOO!\YOP\yop.exe" [2005-04-22 19:49]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49]
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - D:\WUTemp\Office\OSA9.EXE [2000-01-21 04:15:54]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
S3 DCamUSBUVT;ICM532A;C:\WINDOWS\System32\Drivers\usbuvt.sys
S3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\System32\Drivers\NPDRIVER.SYS
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\System32\DRIVERS\NtApm.sys
S4 PolicyAgentUMWdf;IPSEC Services PolicyAgentUMWdf;C:\WINDOWS\System32\SQLSTRh.exe srv
.
Contents of the 'Scheduled Tasks' folder
"2007-11-08 00:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2007-11-09 22:46:38 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
"2007-11-09 22:30:02 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
"2007-11-09 23:27:12 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-09 18:29:01
Windows 5.1.2600 Service Pack 1 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-09 18:31:17 - machine was rebooted
C:\ComboFix3.txt ... 2007-11-05 11:55
C:\ComboFix2.txt ... 2007-11-05 15:11
.
--- E O F ---
steamwiz
2007-11-10, 20:00
Hi
Your log looks good ...
Please Download CCleaner from :-
http://www.filehippo.com/download_ccleaner/ (click the download tab)
During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.
doubleclick the ccsetup.exe file and install the program...
After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
Make sure the "windows" tab is selected
Under "internet explorer" tick...
Temporary internet files
Cookies* > see Note below
History
Recently typed URL's (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history
under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"
Other explorer MRU's (leave this unticked if you DON'T want to clear lists such as the start\run list)
under "System"
Tick ALL these ...
under "Advanced"
no need to tick any of these (but you can if you want, and realise what they do)
Applications tab...
These will mostly clean out old log files for these applications...
Clean:- (if you use them)
Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm
...
Personally I clean everything in the applications tab... but you tick what you want...
Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.
click "analyse" if you want to see a list of what is going to be removed, before it is removed.
Or
click "run cleaner" to let it get on with it's work... clicking this will result in the following pop-up
"This process will permanently delete files from your system. Are you sure you wish to proceed?"
click OK.
THEN...
Please run a Kaspersky Online Scan
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)
Click on Kaspersky Online Scanner
Click Accept
You will be promted to install an ActiveX component from Kaspersky,
Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Once finished, save the log to your Desktop as filename KAV.txt
Please post the KAV.txt
steam
kellygrl
2007-11-11, 01:11
Here is my report:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, November 10, 2007 6:07:10 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/11/2007
Kaspersky Anti-Virus database records: 456142
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 31577
Number of viruses found: 7
Number of infected objects: 14
Number of suspicious objects: 0
Duration of the scan process: 01:25:10
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\savedump.dll.vir Infected: Trojan-Spy.Win32.BZub.btt skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\msdar.dll.vir Infected: Trojan-Spy.Win32.BZub.btx skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\hokmbodb.dat.vir Infected: Trojan.Win32.Agent.cid skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\SQLSTRh.exe.vir Infected: Backdoor.Win32.Agent.cns skipped
C:\qoobox\Quarantine\C\WINDOWS\Temp\1709639923.exe.vir Infected: Trojan-Spy.Win32.BZub.bty skipped
C:\qoobox\Quarantine\C\WINDOWS\Temp\1791792229.exe.vir Infected: Trojan-Spy.Win32.BZub.bty skipped
C:\qoobox\Quarantine\C\WINDOWS\Temp\2826086077.exe.vir Infected: Trojan-Spy.Win32.BZub.bty skipped
C:\qoobox\Quarantine\C\WINDOWS\Temp\2755977339.exe.vir Infected: Trojan-Spy.Win32.BZub.bty skipped
C:\qoobox\Quarantine\C\Documents and Settings\good person\33053.exe.vir Infected: Trojan-Spy.Win32.BZub.btu skipped
C:\qoobox\Quarantine\C\Documents and Settings\good person\63599.exe.vir Infected: Trojan-Spy.Win32.BZub.btu skipped
C:\qoobox\Quarantine\C\Documents and Settings\good person\957123844.exe.vir Infected: Trojan-Spy.Win32.BZub.btu skipped
C:\qoobox\Quarantine\C\Documents and Settings\good person\957123845.exe.vir Infected: Trojan-Spy.Win32.BZub.btu skipped
C:\Documents and Settings\good person\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\good person\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\good person\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\good person\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\good person\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\good person\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\good person\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\System Volume Information\_restore{62901DAB-6FA4-4400-9DA6-20E4E5874EE3}\RP7\A0006138.exe Infected: Backdoor.Win32.Agent.cns skipped
C:\System Volume Information\_restore{62901DAB-6FA4-4400-9DA6-20E4E5874EE3}\RP7\change.log Object is locked skipped
D:\System Volume Information\_restore{62901DAB-6FA4-4400-9DA6-20E4E5874EE3}\RP7\change.log Object is locked skipped
D:\WUTemp\tempfiles\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Recycled\NPROTECT\NPROTECT.LOG Object is locked skipped
Scan process completed.
Thanx
Kelly
kellygrl
2007-11-11, 01:28
Here is my report:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, November 10, 2007 6:07:10 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/11/2007
Kaspersky Anti-Virus database records: 456142
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 31577
Number of viruses found: 7
Number of infected objects: 14
Number of suspicious objects: 0
Duration of the scan process: 01:25:10
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\savedump.dll.vir Infected: Trojan-Spy.Win32.BZub.btt skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\msdar.dll.vir Infected: Trojan-Spy.Win32.BZub.btx skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\hokmbodb.dat.vir Infected: Trojan.Win32.Agent.cid skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\SQLSTRh.exe.vir Infected: Backdoor.Win32.Agent.cns skipped
C:\qoobox\Quarantine\C\WINDOWS\Temp\1709639923.exe.vir Infected: Trojan-Spy.Win32.BZub.bty skipped
C:\qoobox\Quarantine\C\WINDOWS\Temp\1791792229.exe.vir Infected: Trojan-Spy.Win32.BZub.bty skipped
C:\qoobox\Quarantine\C\WINDOWS\Temp\2826086077.exe.vir Infected: Trojan-Spy.Win32.BZub.bty skipped
C:\qoobox\Quarantine\C\WINDOWS\Temp\2755977339.exe.vir Infected: Trojan-Spy.Win32.BZub.bty skipped
C:\qoobox\Quarantine\C\Documents and Settings\good person\33053.exe.vir Infected: Trojan-Spy.Win32.BZub.btu skipped
C:\qoobox\Quarantine\C\Documents and Settings\good person\63599.exe.vir Infected: Trojan-Spy.Win32.BZub.btu skipped
C:\qoobox\Quarantine\C\Documents and Settings\good person\957123844.exe.vir Infected: Trojan-Spy.Win32.BZub.btu skipped
C:\qoobox\Quarantine\C\Documents and Settings\good person\957123845.exe.vir Infected: Trojan-Spy.Win32.BZub.btu skipped
C:\Documents and Settings\good person\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\good person\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\good person\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\good person\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\good person\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\good person\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\good person\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\System Volume Information\_restore{62901DAB-6FA4-4400-9DA6-20E4E5874EE3}\RP7\A0006138.exe Infected: Backdoor.Win32.Agent.cns skipped
C:\System Volume Information\_restore{62901DAB-6FA4-4400-9DA6-20E4E5874EE3}\RP7\change.log Object is locked skipped
D:\System Volume Information\_restore{62901DAB-6FA4-4400-9DA6-20E4E5874EE3}\RP7\change.log Object is locked skipped
D:\WUTemp\tempfiles\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Recycled\NPROTECT\NPROTECT.LOG Object is locked skipped
Scan process completed.
Thanx
Kelly
steamwiz
2007-11-11, 22:07
Hi
The KASPERSKY is basically clean ... just files in backup folders & a file used by SmitfraudFix, which is NOT a problem ...
Please do this :-
Find & delete :-
C:\qoobox ... folder
Delete the SmitfraudFix folder on your desktop (you don't need it anymore)
If there are still any of those random numbered files in your c\windows\temp folder ... please delete them now ...
-
This will clear all your infected restore points...
Turn off (Disable) System Restore in XP :-
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.
Then...
Turn on (enable) System Restore :-
Follow the same procedure, but this time uncheck Turn off System Restore
if you have any problem with this... here's a link to instructions :-
Disabling or enabling Windows XP System Restore >
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
-
please post a new hijackthis log ...
steam
kellygrl
2007-11-12, 00:00
Thanks so much. I really thought my computer was finished. It is actually running a lot smoother too.
Here is my hijack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:57:53 PM, on 11/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Program Files\kelly\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\WUTemp\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {ED646680-F638-4256-3185-E93FCF52AA09} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = D:\WUTemp\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/clients/y/st3_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: yayyyax - C:\WINDOWS\
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
--
End of file - 7297 bytes
steamwiz
2007-11-12, 00:48
Hi
Just a little tidying up to do ...
run hijackthis and fix these entries
O2 - BHO: (no name) - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - (no file)
O2 - BHO: (no name) - {ED646680-F638-4256-3185-E93FCF52AA09} - (no file)
O20 - Winlogon Notify: yayyyax - C:\WINDOWS\
Reboot run hijackthis again, let me know if they are still there ... if they are, then teatimer is probably stopping you fix them ... I'll tell you how to disable it while you perform the fix ...
ALSO ...
You are running an out-of-date version of java
jre1.5.0 now has update _11 ... But jre1.6.0 is much faster...
Go to add/remove programs and uninstall any earlier versions ... (in your case jre1.5.0_06 )
Then You can go here and install the latest version of Java.
http://java.sun.com/javase/downloads/index.jsp
Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 3' and press the 'Download' button.
Running an out-of-date version of java is an infection risk.
-
& Now that your computer is clean ... it's a good time to visit Windows update & download SP2 .... it contains much needed security patches ...
steam
kellygrl
2007-11-12, 02:00
I installed the new java. I tried to delete what you listed in the hijack log but they came back. I believe I know how to disable tea timer. It's under tools in spybot and I just uncheck the two boxes in resident protection status. If that is right that is what I did. I then deleted those things in the log, rebooted, and they are still there. Here is my log. I'm sure it is pretty much the same as before.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:48:52 PM, on 11/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\kelly\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\WUTemp\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {ED646680-F638-4256-3185-E93FCF52AA09} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = D:\WUTemp\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/clients/y/st3_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: yayyyax - C:\WINDOWS\
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
--
End of file - 7518 bytes
steamwiz
2007-11-12, 21:39
Hi
Yes, you are right as far as you went with teatimer, but after unchecking those boxes & allowing the change, you need to reboot for those changes to take effect ... then run hijackthis and delete those lines ...
then go back to teatimer & recheck those boxes again, then reboot again...
But if you can't get them to delete, don't worry about them, as i say they are only orphans and will cause no problems ...
steam
kellygrl
2007-11-15, 00:57
I did exactly as you asked and my log was clean. When I enabled tea timer again and I ran the log out of curiousity, it came back. Not exactly was that is all about. Oh well, you said it's no big deal anyway. My computer is running great now. Thank you for all your help :)
steamwiz
2007-11-15, 13:19
Hi
looks like it's in spybots memory ...
run spybot...
click Tools > resident
look at the latest entries in the log ... do you see any referencing the entries you are trying to delete ?
If you do, then highlight the last 20 or so entries in the log, right click ? copy ... paste them here ...
steam
This topic has been archived due to inactivity.
If you need it re-opened, please send me a private message (pm) and provide a link to the closed topic.
Applies only to the original poster, anyone else with similar problems please start a new thread.