
Thread: Nasty trojan downloader

  1. #11
    Junior Member
    Join Date
    Nov 2007
    Posts
    14

    Default

    ok.

    So last night I was trying to figure out why combofix wasn't working when it would restart my computer. I thought it might have to do with my spy-bot sd resident being on. I disabled it and ran combofix again with that cfscript thing you said. The computer restarted and when I put my internet on I wasn't receiving a bunch of virus alerts. I couldn't find the log though.

    So right now when I was looking for the C:\Combofix-quarantined-files.txt I found the log to the one I ran last night.

    here it is:

    ComboFix 07-11-05.1 - good person 2007-11-08 21:46:37.7 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.72 [GMT -5:00]
    Running from: C:\Documents and Settings\good person\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\good person\Desktop\CFScript_used_2007-11-07@17.58_used_2007-11-07@18.38_used_2007-11-08@21.22_used_2007-11-08@21.33.txt
    * Created a new restore point

    FILE::
    C:\Documents and Settings\good person\33053.exe
    C:\Documents and Settings\good person\63599.exe
    C:\Documents and Settings\good person\957123844.exe
    C:\Documents and Settings\good person\957123845.exe
    C:\WINDOWS\{30502F77-AE96-4AA5-BDAC-BB82AF29F08F}.dat
    C:\WINDOWS\{31306A0D-C229-4303-A2AA-8703C046FDB9}.dat
    C:\WINDOWS\{43929E20-D227-48E2-95AB-5A94237F2307}.dat
    C:\WINDOWS\{C1BFD2F3-2123-49A6-98BC-D46AE0F5AA6C}.dat
    C:\WINDOWS\{D67A6E4B-E068-4DD0-9972-0FAB16F1776F}.dat
    C:\WINDOWS\{FE013763-BDFB-415B-ADF2-786F69576C6A}.dat
    C:\WINDOWS\SYSTEM32\{18968F8C-0AF8-44D8-B177-B53642E1EEEF}.dat
    C:\WINDOWS\SYSTEM32\{36DDB8CA-07F2-42A4-BF71-50C6AFEF86C1}.dat
    C:\WINDOWS\SYSTEM32\{591C05D3-B599-4FFD-AAFF-706720D12D0C}.dat
    C:\WINDOWS\SYSTEM32\{67CE7592-DF08-4D89-8400-016671C253F4}.dat
    C:\WINDOWS\SYSTEM32\{8C2BCAA7-5A95-4BE5-9018-DC4C87304B19}.dat
    C:\WINDOWS\SYSTEM32\{EDF195EE-85B8-4B77-BAF2-496C3D7E7130}.dat
    C:\WINDOWS\SYSTEM32\408753420.dat
    C:\WINDOWS\SYSTEM32\savedump.dll
    C:\WINDOWS\SYSTEM32\SQLSTRh.exe
    .

    I cannot find a Combofix-quarantined-files.txt, but what I do have is a ComboDel.txt:

    Files to Move:
    C:\WINDOWS\SYSTEM32\408753420.dat|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\408753420.dat.vir
    C:\WINDOWS\SYSTEM32\SQLSTRh.exe|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\SQLSTRh.exe.vir
    C:\WINDOWS\SYSTEM32\408753420.dat|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\408753420.dat.vir
    C:\WINDOWS\SYSTEM32\SQLSTRh.exe|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\SQLSTRh.exe.vir
    C:\WINDOWS\SYSTEM32\408753420.dat|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\408753420.dat.vir
    C:\WINDOWS\SYSTEM32\SQLSTRh.exe|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\SQLSTRh.exe.vir
    C:\WINDOWS\SYSTEM32\408753420.dat|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\408753420.dat.vir
    C:\WINDOWS\SYSTEM32\SQLSTRh.exe|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\SQLSTRh.exe.vir
    C:\WINDOWS\SYSTEM32\408753420.dat|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\408753420.dat.vir
    C:\WINDOWS\SYSTEM32\SQLSTRh.exe|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\SQLSTRh.exe.vir
    C:\WINDOWS\SYSTEM32\408753420.dat|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\408753420.dat.vir
    C:\WINDOWS\SYSTEM32\SQLSTRh.exe|C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\SQLSTRh.exe.vir

    I disabled the IPSEC services and deleted combofix. I'm not sure if I am completely disinfected yet. I will download the new combofix and post a log.

  3. #13
    Junior Member
    Join Date
    Nov 2007
    Posts
    14

    Default

    don't know why the last post posted twice.

    Here is my new log:

    ComboFix 07-11-08.3 - good person 2007-11-09 18:21:12.8 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.102 [GMT -5:00]
    Running from: C:\Documents and Settings\good person\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\good person\33053.exe
    C:\Documents and Settings\good person\63599.exe
    C:\Documents and Settings\good person\957123844.exe
    C:\Documents and Settings\good person\957123845.exe
    C:\WINDOWS\{30502F77-AE96-4AA5-BDAC-BB82AF29F08F}.dat
    C:\WINDOWS\{31306A0D-C229-4303-A2AA-8703C046FDB9}.dat
    C:\WINDOWS\{43929E20-D227-48E2-95AB-5A94237F2307}.dat
    C:\WINDOWS\{C1BFD2F3-2123-49A6-98BC-D46AE0F5AA6C}.dat
    C:\WINDOWS\{D67A6E4B-E068-4DD0-9972-0FAB16F1776F}.dat
    C:\WINDOWS\{FE013763-BDFB-415B-ADF2-786F69576C6A}.dat
    C:\WINDOWS\SYSTEM32\{18968F8C-0AF8-44D8-B177-B53642E1EEEF}.dat
    C:\WINDOWS\SYSTEM32\{36DDB8CA-07F2-42A4-BF71-50C6AFEF86C1}.dat
    C:\WINDOWS\SYSTEM32\{591C05D3-B599-4FFD-AAFF-706720D12D0C}.dat
    C:\WINDOWS\SYSTEM32\{67CE7592-DF08-4D89-8400-016671C253F4}.dat
    C:\WINDOWS\SYSTEM32\{8C2BCAA7-5A95-4BE5-9018-DC4C87304B19}.dat
    C:\WINDOWS\SYSTEM32\{EDF195EE-85B8-4B77-BAF2-496C3D7E7130}.dat
    C:\WINDOWS\SYSTEM32\408753420.dat
    C:\WINDOWS\system32\drivers\hokmbodb.dat
    C:\WINDOWS\system32\msdar.dll
    C:\WINDOWS\SYSTEM32\savedump.dll
    C:\WINDOWS\SYSTEM32\SQLSTRh.exe
    C:\WINDOWS\Temp\1709639923.exe
    C:\WINDOWS\Temp\1791792229.exe
    C:\WINDOWS\Temp\2755977339.exe
    C:\WINDOWS\Temp\2826086077.exe
    .
    ---- Previous Run -------
    .
    C:\Documents and Settings\good person\33053.exe
    C:\Documents and Settings\good person\63599.exe
    C:\Documents and Settings\good person\957123844.exe
    C:\Documents and Settings\good person\957123845.exe
    C:\WINDOWS\{30502F77-AE96-4AA5-BDAC-BB82AF29F08F}.dat
    C:\WINDOWS\{31306A0D-C229-4303-A2AA-8703C046FDB9}.dat
    C:\WINDOWS\{43929E20-D227-48E2-95AB-5A94237F2307}.dat
    C:\WINDOWS\{C1BFD2F3-2123-49A6-98BC-D46AE0F5AA6C}.dat
    C:\WINDOWS\{D67A6E4B-E068-4DD0-9972-0FAB16F1776F}.dat
    C:\WINDOWS\{FE013763-BDFB-415B-ADF2-786F69576C6A}.dat
    C:\WINDOWS\SYSTEM32\{18968F8C-0AF8-44D8-B177-B53642E1EEEF}.dat
    C:\WINDOWS\SYSTEM32\{36DDB8CA-07F2-42A4-BF71-50C6AFEF86C1}.dat
    C:\WINDOWS\SYSTEM32\{591C05D3-B599-4FFD-AAFF-706720D12D0C}.dat
    C:\WINDOWS\SYSTEM32\{67CE7592-DF08-4D89-8400-016671C253F4}.dat
    C:\WINDOWS\SYSTEM32\{8C2BCAA7-5A95-4BE5-9018-DC4C87304B19}.dat
    C:\WINDOWS\SYSTEM32\{EDF195EE-85B8-4B77-BAF2-496C3D7E7130}.dat
    C:\WINDOWS\system32\drivers\hokmbodb.dat
    C:\WINDOWS\system32\msdar.dll
    C:\WINDOWS\SYSTEM32\savedump.dll
    C:\WINDOWS\Temp\1709639923.exe
    C:\WINDOWS\Temp\1791792229.exe
    C:\WINDOWS\Temp\2755977339.exe
    C:\WINDOWS\Temp\2826086077.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-09 to 2007-11-09 )))))))))))))))))))))))))))))))
    .

    2007-11-05 19:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-11-05 19:41 <DIR> d-------- C:\Documents and Settings\good person\Application Data\SUPERAntiSpyware.com
    2007-11-05 19:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-11-05 19:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-05 14:53 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-11-05 14:36 <DIR> d-------- C:\VundoFix Backups
    2007-11-05 11:47 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-04 22:32 <DIR> d-------- C:\WINDOWS\BDOSCAN8
    2007-11-04 22:10 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
    2007-11-04 22:10 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
    2007-11-04 22:10 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
    2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2005-04-14 16:52 18,512 ----a-w C:\Documents and Settings\good person\Application Data\GDIPFONTCACHEV1.DAT
    2003-06-18 21:49 271 --sh--w C:\Program Files\desktop.ini
    2003-06-18 21:49 23,357 ---h--w C:\Program Files\folder.htt
    2003-07-30 06:23:26 8 --sh--w C:\WINDOWS\DRM\pdrm.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2007-11-05_11.54.03.34 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-10-29 23:56:20 136,192 ----a-w C:\WINDOWS\catchme.exe
    + 2007-11-08 21:59:02 136,704 ----a-w C:\WINDOWS\catchme.exe
    + 2007-03-13 15:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
    + 2007-11-03 23:46:50 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
    + 2007-11-05 19:53:34 6,430,720 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
    + 2007-11-05 19:53:34 98,304 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
    + 2007-11-03 23:46:50 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
    + 2007-11-05 19:53:26 6,430,720 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
    + 2007-11-05 19:53:26 98,304 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
    + 2007-11-06 00:41:20 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
    + 2007-11-06 00:41:20 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
    + 2007-11-06 00:41:20 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
    - 2007-11-05 03:25:10 16,384 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
    + 2007-11-09 21:50:58 16,384 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
    - 2007-11-05 03:25:10 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2007-11-09 21:50:58 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2007-11-05 03:29:22 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2007-11-09 21:50:58 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2007-11-05 16:49:22 262,144 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\NtUser.dat
    + 2007-11-09 23:20:46 262,144 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\NtUser.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
    "Lexmark X5100 Series"="C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 08:49]
    "CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2005-12-03 18:30]
    "CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2005-12-03 18:30]
    "YOP"="C:\PROGRA~1\YAHOO!\YOP\yop.exe" [2005-04-22 19:49]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49]
    "SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - D:\WUTemp\Office\OSA9.EXE [2000-01-21 04:15:54]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

    S3 DCamUSBUVT;ICM532A;C:\WINDOWS\System32\Drivers\usbuvt.sys
    S3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\System32\Drivers\NPDRIVER.SYS
    S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\System32\DRIVERS\NtApm.sys
    S4 PolicyAgentUMWdf;IPSEC Services PolicyAgentUMWdf;C:\WINDOWS\System32\SQLSTRh.exe srv

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-08 00:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
    "2007-11-09 22:46:38 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
    "2007-11-09 22:30:02 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
    "2007-11-09 23:27:12 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-09 18:29:01
    Windows 5.1.2600 Service Pack 1 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-09 18:31:17 - machine was rebooted
    C:\ComboFix3.txt ... 2007-11-05 11:55
    C:\ComboFix2.txt ... 2007-11-05 15:11
    .
    --- E O F ---
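One line in the "Reg Loading Points" block above deserves attention even in a log that "looks good": the service PolicyAgentUMWdf carries a display name borrowed from the built-in IPSEC Services, yet its image path is SQLSTRh.exe, a file the same log shows under "Other Deletions". The Python below is an added example (the editor's code, not ComboFix's and not anything posted in the thread) that parses a ComboFix-style log, cross-checks each service's image path against the deletions section, and compares the display name against an allowlist of which binary legitimately hosts a built-in service. The log excerpt is constructed from the lines above; the mapping of "IPSEC Services" to lsass.exe is the editor's assumption about Windows XP, not something the log states.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the shape of the ComboFix log above: the "Other
# Deletions" section and the service lines from "Reg Loading Points".
COMBOFIX_EXCERPT = r"""
(((((((((((((((((((( Other Deletions ))))))))))))))))))))
.
C:\WINDOWS\SYSTEM32\savedump.dll
C:\WINDOWS\SYSTEM32\SQLSTRh.exe
C:\WINDOWS\Temp\1709639923.exe
.
(((((((((((((((((((( Reg Loading Points ))))))))))))))))))))
.
S3 DCamUSBUVT;ICM532A;C:\WINDOWS\System32\Drivers\usbuvt.sys
S3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\System32\Drivers\NPDRIVER.SYS
S4 PolicyAgentUMWdf;IPSEC Services PolicyAgentUMWdf;C:\WINDOWS\System32\SQLSTRh.exe srv
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+)$")
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|sys|dll))(?:\s+(.*))?$", re.IGNORECASE)

# Editor's assumption, not from the log: display-name keyword of a built-in
# XP service -> the binary that legitimately hosts it (PolicyAgent lives in lsass.exe).
EXPECTED_HOST = {"ipsec services": "lsass.exe"}


@dataclass
class Service:
    state: str    # ComboFix token: R/S = running/stopped, digit = start type
    name: str
    display: str
    image: str    # normalised image path, arguments stripped
    args: str


def norm_path(path):
    """Lower-case the path and drop the NT \\??\\ prefix so entries compare equal."""
    path = path.strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def parse_log(text):
    """Return (set of deleted paths, list of Service) from a ComboFix-style log."""
    deleted, services, section = set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "other deletions" and PATH_RE.match(line):
            deleted.add(norm_path(line))
        elif section == "reg loading points":
            m = SERVICE_RE.match(line)
            if m:
                state, name, display, rest = m.groups()
                im = IMAGE_RE.match(rest.strip())
                image, args = (im.group(1), im.group(2) or "") if im else (rest.strip(), "")
                services.append(Service(state, name, display, norm_path(image), args))
    return deleted, services


def triage(text):
    """Map service name -> reasons it deserves a second look."""
    deleted, services = parse_log(text)
    findings = {}
    for s in services:
        reasons = []
        if s.image in deleted:
            reasons.append("ImagePath points at a file ComboFix deleted (dangling autostart)")
        exe = s.image.rsplit("\\", 1)[-1]
        for label, host in EXPECTED_HOST.items():
            if label in s.display.lower() and exe != host:
                reasons.append(f"display name mimics '{label}' but image is {exe}, not {host}")
        if reasons:
            findings[s.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(COMBOFIX_EXCERPT).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

On the excerpt only PolicyAgentUMWdf is flagged, for both reasons; the two driver entries pass. A dangling entry like this is harmless once its binary is gone, but it is still the registry trace a helper would want removed or explained before calling the machine clean.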

  4. #14
    Security Expert-Emeritus steamwiz
    Join Date
    Dec 2005
    Location
    Yorkshire. U.K.
    Posts
    1,313

    Default

    Hi

    Your log looks good ...

    Please Download CCleaner from :-

    http://www.filehippo.com/download_ccleaner/ (click the download tab)

    During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

    double-click the ccsetup.exe file and install the program...

    After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

    Make sure the "windows" tab is selected

    Under "internet explorer" tick...

    Temporary internet files
    Cookies* > see Note below
    History
    Recently typed URLs
    (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
    Delete index.dat files
    Last download location
    Autocomplete form history


    under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

    Other explorer MRU's
    (leave this unticked if you DON'T want to clear lists such as the start\run list)

    under "System"

    Tick ALL these ...


    under "Advanced"

    no need to tick any of these (but you can if you want, and realise what they do)


    Applications tab...

    These will mostly clean out old log files for these applications...

    Clean:- (if you use them)

    Firefox/Mozilla (optional - leave the cookies - see note)
    Opera
    Sun Java
    ZoneAlarm

    ...
    Personally I clean everything in the applications tab... but you tick what you want...

    Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

    click "analyse" if you want to see a list of what is going to be removed, before it is removed.

    Or

    click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up

    "This process will permanently delete files from your system. Are you sure you wish to proceed?"

    click OK.


    THEN...


    Please run a Kaspersky Online Scan

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    Click Accept

    You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (if available otherwise Standard)
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Once finished, save the log to your Desktop as filename KAV.txt


    Please post the KAV.txt

    steam
    MICROSOFT MVP - Security 2004/9 - member of ASAP since 2004 - member of U.N.I.T.E

  5. #15
    Junior Member
    Join Date
    Nov 2007
    Posts
    14

    Default

    Here is my report:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Saturday, November 10, 2007 6:07:10 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 10/11/2007
    Kaspersky Anti-Virus database records: 456142
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 31577
    Number of viruses found: 7
    Number of infected objects: 14
    Number of suspicious objects: 0
    Duration of the scan process: 01:25:10

    Infected Object Name / Virus Name / Last Action
    C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\SchedLog.Txt Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Debug\oakley.log Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\savedump.dll.vir Infected: Trojan-Spy.Win32.BZub.btt skipped
    C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\msdar.dll.vir Infected: Trojan-Spy.Win32.BZub.btx skipped
    C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\hokmbodb.dat.vir Infected: Trojan.Win32.Agent.cid skipped
    C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\SQLSTRh.exe.vir Infected: Backdoor.Win32.Agent.cns skipped
    C:\qoobox\Quarantine\C\WINDOWS\Temp\1709639923.exe.vir Infected: Trojan-Spy.Win32.BZub.bty skipped
    C:\qoobox\Quarantine\C\WINDOWS\Temp\1791792229.exe.vir Infected: Trojan-Spy.Win32.BZub.bty skipped
    C:\qoobox\Quarantine\C\WINDOWS\Temp\2826086077.exe.vir Infected: Trojan-Spy.Win32.BZub.bty skipped
    C:\qoobox\Quarantine\C\WINDOWS\Temp\2755977339.exe.vir Infected: Trojan-Spy.Win32.BZub.bty skipped
    C:\qoobox\Quarantine\C\Documents and Settings\good person\33053.exe.vir Infected: Trojan-Spy.Win32.BZub.btu skipped
    C:\qoobox\Quarantine\C\Documents and Settings\good person\63599.exe.vir Infected: Trojan-Spy.Win32.BZub.btu skipped
    C:\qoobox\Quarantine\C\Documents and Settings\good person\957123844.exe.vir Infected: Trojan-Spy.Win32.BZub.btu skipped
    C:\qoobox\Quarantine\C\Documents and Settings\good person\957123845.exe.vir Infected: Trojan-Spy.Win32.BZub.btu skipped
    C:\Documents and Settings\good person\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\good person\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\good person\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Documents and Settings\good person\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\good person\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\good person\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\good person\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\System Volume Information\_restore{62901DAB-6FA4-4400-9DA6-20E4E5874EE3}\RP7\A0006138.exe Infected: Backdoor.Win32.Agent.cns skipped
    C:\System Volume Information\_restore{62901DAB-6FA4-4400-9DA6-20E4E5874EE3}\RP7\change.log Object is locked skipped
    D:\System Volume Information\_restore{62901DAB-6FA4-4400-9DA6-20E4E5874EE3}\RP7\change.log Object is locked skipped
    D:\WUTemp\tempfiles\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    D:\Recycled\NPROTECT\NPROTECT.LOG Object is locked skipped

    Scan process completed.


    Thanx
    Kelly
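Reading a report like the one above the way the helper does means asking not how many detections there are but where they sit: every "Infected:" line here points into ComboFix's qoobox quarantine, a System Restore point, or a removal tool's own component, so nothing is live on the file system. The Python below is an added example (the editor's code, not Kaspersky's and not anything from the thread) that parses the report's line formats, classifies each detection by location, and checks the parsed totals against the statistics the report declares. The report excerpt is constructed from the lines posted above.

```python
import re
from collections import Counter

# Constructed excerpt of a Kaspersky Online Scanner report in the shape posted
# above: statistics, two locked objects and all fourteen detections.
KAV_REPORT = r"""
Scan Statistics:
Total number of scanned objects: 31577
Number of viruses found: 7
Number of infected objects: 14
Number of suspicious objects: 0

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\Documents and Settings\good person\NTUSER.DAT Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\savedump.dll.vir Infected: Trojan-Spy.Win32.BZub.btt skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\msdar.dll.vir Infected: Trojan-Spy.Win32.BZub.btx skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\hokmbodb.dat.vir Infected: Trojan.Win32.Agent.cid skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\SQLSTRh.exe.vir Infected: Backdoor.Win32.Agent.cns skipped
C:\qoobox\Quarantine\C\WINDOWS\Temp\1709639923.exe.vir Infected: Trojan-Spy.Win32.BZub.bty skipped
C:\qoobox\Quarantine\C\WINDOWS\Temp\1791792229.exe.vir Infected: Trojan-Spy.Win32.BZub.bty skipped
C:\qoobox\Quarantine\C\WINDOWS\Temp\2826086077.exe.vir Infected: Trojan-Spy.Win32.BZub.bty skipped
C:\qoobox\Quarantine\C\WINDOWS\Temp\2755977339.exe.vir Infected: Trojan-Spy.Win32.BZub.bty skipped
C:\qoobox\Quarantine\C\Documents and Settings\good person\33053.exe.vir Infected: Trojan-Spy.Win32.BZub.btu skipped
C:\qoobox\Quarantine\C\Documents and Settings\good person\63599.exe.vir Infected: Trojan-Spy.Win32.BZub.btu skipped
C:\qoobox\Quarantine\C\Documents and Settings\good person\957123844.exe.vir Infected: Trojan-Spy.Win32.BZub.btu skipped
C:\qoobox\Quarantine\C\Documents and Settings\good person\957123845.exe.vir Infected: Trojan-Spy.Win32.BZub.btu skipped
C:\Documents and Settings\good person\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{62901DAB-6FA4-4400-9DA6-20E4E5874EE3}\RP7\A0006138.exe Infected: Backdoor.Win32.Agent.cns skipped

Scan process completed.
"""

DETECTION_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?)\s+Object is locked\s+skipped$")
STAT_RE = re.compile(r"^Number of (?P<what>viruses found|infected objects):\s*(?P<n>\d+)$")


def classify(path, threat):
    """Where does the detection sit? Only 'live' entries are still on the running system."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantined"    # renamed .vir copy held by ComboFix; inert
    if "\\system volume information\\_restore" in p:
        return "restore_point"  # System Restore copy; gone once restore points are flushed
    if threat.lower().startswith("not-a-virus:"):
        return "riskware"       # Kaspersky's label for dual-use tools (here a SmitfraudFix component)
    return "live"


def triage_report(text):
    """Summarise a Kaspersky Online Scanner report and sanity-check its own totals."""
    by_class = Counter({"quarantined": 0, "restore_point": 0, "riskware": 0, "live": 0})
    live, threats, declared, locked = [], set(), {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        m = STAT_RE.match(line)
        if m:
            declared[m.group("what")] = int(m.group("n"))
            continue
        if LOCKED_RE.match(line):
            locked += 1          # hives, event logs, index.dat: normal, not findings
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue
        cls = classify(m.group("path"), m.group("threat"))
        by_class[cls] += 1
        threats.add(m.group("threat"))
        if cls == "live":
            live.append((m.group("path"), m.group("threat")))
    parsed = sum(by_class.values())
    return {
        "by_class": dict(by_class),
        "live": live,
        "locked_skipped": locked,
        "distinct_threats": len(threats),
        "declared_infected": declared.get("infected objects"),
        "declared_viruses": declared.get("viruses found"),
        "parsed_infected": parsed,
        # Disagreement here means a truncated paste or a line format the parser missed.
        "counts_consistent": (parsed == declared.get("infected objects")
                              and len(threats) == declared.get("viruses found")),
    }


if __name__ == "__main__":
    for key, value in triage_report(KAV_REPORT).items():
        print(f"{key}: {value}")
```

On this excerpt the result is twelve quarantined copies, one System Restore copy, one riskware tool and no live detections, and the parsed totals agree with the report's own 14 objects and 7 threats. The "live" list is the only part that would change the advice; the rest is cleanup of quarantine and restore points.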

  7. #17
    Security Expert-Emeritus steamwiz
    Join Date: Dec 2005
    Location: Yorkshire. U.K.
    Posts: 1,313

    Hi

    The KASPERSKY is basically clean ... just files in backup folders & a file used by SmitfraudFix, which is NOT a problem ...

    Please do this :-

    Find & delete :-

    C:\qoobox ... folder
    Delete the SmitfraudFix folder on your desktop (you don't need it anymore)

    If there are still any of those random numbered files in your C:\windows\temp folder ... please delete them now ...

    -
    This will clear all your infected restore points...

    Turn off (Disable) System Restore in XP :-

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    Restart your computer.

    Then...

    Turn on (enable) System Restore :-

    Follow the same procedure, but this time uncheck Turn off System Restore

    If you have any problem with this... here's a link to instructions :-

    Disabling or enabling Windows XP System Restore >

    http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

    -
    please post a new hijackthis log ...

    steam
    MICROSOFT MVP - Security 2004/9 .member of ASAP since 2004 - member of U.N.I.T.E

  8. #18
    Junior Member
    Join Date: Nov 2007
    Posts: 14

    Thanks so much. I really thought my computer was finished. It is actually running a lot smoother too.

    Here is my hijack log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:57:53 PM, on 11/11/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
    C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
    C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
    C:\PROGRA~1\YAHOO!\YOP\yop.exe
    D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
    C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\PROGRA~1\YAHOO!\browser\ycommon.exe
    C:\WINDOWS\System32\wuauclt.exe
    D:\Program Files\kelly\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\WUTemp\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: (no name) - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {ED646680-F638-4256-3185-E93FCF52AA09} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\WUTemp\Office\OSA9.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/gam...ts/y/st3_x.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/A...oadcontrol.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../Installer.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pu...sh/swflash.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: yayyyax - C:\WINDOWS\
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

    --
    End of file - 7297 bytes

  9. #19
    Security Expert-Emeritus steamwiz
    Join Date: Dec 2005
    Location: Yorkshire. U.K.
    Posts: 1,313

    Hi

    Just a little tidying up to do ...

    run hijackthis and fix these entries

    O2 - BHO: (no name) - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - (no file)
    O2 - BHO: (no name) - {ED646680-F638-4256-3185-E93FCF52AA09} - (no file)

    O20 - Winlogon Notify: yayyyax - C:\WINDOWS\


    Reboot, run hijackthis again, and let me know if they are still there ... if they are, then teatimer is probably stopping you from fixing them ... I'll tell you how to disable it while you perform the fix ...

    ALSO ...

    You are running an out-of-date version of java

    jre1.5.0 now has update _11 ... But jre1.6.0 is much faster...

    Go to add/remove programs and uninstall any earlier versions ... (in your case jre1.5.0_06 )

    Then you can go here and install the latest version of Java.

    http://java.sun.com/javase/downloads/index.jsp

    Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 3' and press the 'Download' button.


    Running an out-of-date version of java is an infection risk.

    -
    & Now that your computer is clean ... it's a good time to visit Windows update & download SP2 .... it contains much needed security patches ...

    steam
    MICROSOFT MVP - Security 2004/9 .member of ASAP since 2004 - member of U.N.I.T.E
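    As an added example (not code from this thread or from the HijackThis project), here is a small Python triage script that parses HijackThis-style log lines and flags the two kinds of entries steamwiz asks to fix above: O2 BHOs whose CLSID is registered but whose DLL is "(no file)", and an O20 Winlogon Notify entry that names no DLL at all. The sample lines are constructed to mirror the log posted in this thread; the "section - kind: field - field" layout is assumed from that log.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample lines, modelled on the HijackThis v2.0.2 log posted in this thread
# (the two orphaned O2 BHOs and the O20 entry are the ones the helper asks to fix).
SAMPLE_LOG = [
    "O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670}"
    " - C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn2\\yt.dll",
    "O2 - BHO: (no name) - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - (no file)",
    "O2 - BHO: (no name) - {ED646680-F638-4256-3185-E93FCF52AA09} - (no file)",
    "O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll",
    "O20 - Winlogon Notify: yayyyax - C:\\WINDOWS\\",
    "O4 - HKLM\\..\\Run: [NeroCheck] C:\\WINDOWS\\system32\\NeroCheck.exe",
    "End of file - 7518 bytes",
]

# Every HijackThis entry starts with a section tag (R0..R3, O1..O24) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[OR]\d{1,2}) - (?P<body>.+)$")

Finding = Tuple[str, str, str]  # (section, identifier, reason)


def parse_entry(line: str) -> Optional[Tuple[str, str, List[str]]]:
    """Split 'O2 - BHO: name - {clsid} - path' into (section, kind, fields).

    Returns None for lines that are not entries (headers, process list, trailer)
    and for entries without a 'kind:' prefix (R0/R1 registry lines).
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, sep, rest = m.group("body").partition(": ")
    if not sep:
        return None
    return m.group("section"), kind, rest.split(" - ")


def names_a_dll(path: str) -> bool:
    """True when the field is a DLL path rather than a bare directory or '(no file)'."""
    return path.lower().endswith(".dll")


def triage(lines: List[str]) -> List[Finding]:
    """Flag orphaned BHOs and Winlogon Notify packages that do not resolve to a DLL."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, kind, fields = parsed
        if section == "O2" and kind == "BHO" and len(fields) == 3:
            _name, clsid, path = fields
            if path == "(no file)":
                findings.append((section, clsid,
                                 "BHO CLSID registered but its DLL is missing: orphaned registration"))
        elif section == "O20" and kind == "Winlogon Notify" and len(fields) == 2:
            name, path = fields
            if not names_a_dll(path):
                findings.append((section, name,
                                 "Winlogon Notify package with no DLL path: winlogon.exe would load it at every logon"))
    return findings


if __name__ == "__main__":
    for section, ident, reason in triage(SAMPLE_LOG):
        print(f"{section:<4} {ident:<40} {reason}")
```

    Run against a full saved log, the same two rules pick out exactly the three entries the helper lists in this post and leave the Yahoo and SUPERAntiSpyware entries alone.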

  10. #20
    Junior Member
    Join Date: Nov 2007
    Posts: 14

    I installed the new java. I tried to delete what you listed in the hijack log but they came back. I believe I know how to disable tea timer. It's under tools in spybot and I just uncheck the two boxes in resident protection status. If that is right, that is what I did. I then deleted those things in the log, rebooted, and they are still there. Here is my log. I'm sure it is pretty much the same as before.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:48:52 PM, on 11/11/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
    C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
    C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
    C:\PROGRA~1\YAHOO!\YOP\yop.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\PROGRA~1\YAHOO!\browser\ycommon.exe
    C:\WINDOWS\System32\wuauclt.exe
    D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    D:\Program Files\kelly\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\WUTemp\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: (no name) - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {ED646680-F638-4256-3185-E93FCF52AA09} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\WUTemp\Office\OSA9.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/gam...ts/y/st3_x.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/A...oadcontrol.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../Installer.exe
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pu...sh/swflash.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: yayyyax - C:\WINDOWS\
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

    --
    End of file - 7518 bytes
