
Thread: Need a Look Please

  1. #11
    pskelley (In Memoriam - Always in our heart)
    Join Date: Oct 2005
    Location: Clearwater, Florida
    Posts: 20,247

    Thanks for returning your information, that's a clean HJT log. Post a new Kaspersky Online Scan using these settings.

    * The program will launch and then begin downloading the latest definition files:
    * Once the files have been downloaded click on NEXT
    * Now click on Scan Settings
    * In the scan settings make sure that the following are selected:
    * Scan using the following Anti-Virus database:
    * Standard
    * Scan Options:
    * Scan Archives
    * Scan Mail Bases
    * Click OK
    * Now under select a target to scan:
    * Select My Computer
    * The program will start and scan your system.
    * The scan will take a while so be patient and let it run.
    * Once the scan is complete it will display if your system has been infected.
    * Now click on the Save as Text button:
    * Save the file to your desktop.

    Then post it here.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  2. #12
    Junior Member
    Join Date: Mar 2008
    Location: Louisiana
    Posts: 15

    Kaspersky Online Scan

    While the Kaspersky Online Scan was running I was able to locate and delete the following file:

    C:\WINNT\system32\FreezeScreenSaver.exe <<< delete that file

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Saturday, March 08, 2008 10:52:10 PM
    Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 9/03/2008
    Kaspersky Anti-Virus database records: 560039
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 90080
    Number of viruses found: 1
    Number of infected objects: 2
    Number of suspicious objects: 0
    Duration of the scan process: 02:15:35

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\tb7qZ8b8.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
    C:\Program Files\instaler.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped

    Scan process completed.
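
Triage of a report in this layout, as an added example that is not part of the original thread: it separates real detections from files the scanner could not open and checks the listed detections against the scan statistics. The sample report, its paths and its detection name are constructed, and the function names are assumptions.

```python
import re

# Constructed sample in the layout of a Kaspersky Online Scanner report (values are made up).
SAMPLE_REPORT = r"""
Scan Statistics:
Number of viruses found: 1
Number of infected objects: 2

Infected Object Name / Virus Name / Last Action
C:\WINNT\system32\config\SAM Object is locked skipped
C:\Example\Temp\sample1.exe Infected: Example-Dropper.Win32.Test.a skipped
C:\Example\Temp\index.dat Object is locked skipped
C:\Example Files\sample2.exe Infected: Example-Dropper.Win32.Test.a skipped
"""

STAT_RE = re.compile(r"^(Number of [a-z ]+): (\d+)$")
# Paths may contain spaces, so anchor on the fixed " Infected: " marker instead.
INFECTED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) Infected: (?P<name>\S+) (?P<action>\w+)$")
LOCKED_RE = re.compile(r"^[A-Za-z]:\\.+ Object is locked skipped$")


def parse_report(text):
    """Split a report into statistics, detections and locked-file noise."""
    stats, findings, locked = {}, [], 0
    for line in (raw.strip() for raw in text.splitlines()):
        if m := STAT_RE.match(line):
            stats[m.group(1)] = int(m.group(2))
        elif m := INFECTED_RE.match(line):
            findings.append(m.groupdict())
        elif LOCKED_RE.match(line):
            locked += 1  # file was in use during the scan; not a detection
    return stats, findings, locked


def triage(text):
    """Return detections still on disk plus mismatches with the stated totals."""
    stats, findings, locked = parse_report(text)
    problems = []
    if len(findings) != stats.get("Number of infected objects"):
        problems.append("infected-object count does not match listed detections")
    if len({f["name"] for f in findings}) != stats.get("Number of viruses found"):
        problems.append("distinct detection names do not match 'viruses found'")
    # Last action "skipped" means the scanner left the file in place.
    pending = [f["path"] for f in findings if f["action"] == "skipped"]
    return {"pending": pending, "locked": locked, "problems": problems}


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```
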

  3. #13
    pskelley (In Memoriam - Always in our heart)
    Join Date: Oct 2005
    Location: Clearwater, Florida
    Posts: 20,247

    Thanks for returning your Kaspersky Scan Results:

    (these are nasties, delete the contents of that Temp folder)

    C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\tb7qZ8b8.exe ------> Trojan-Dropper.Win32.Agent.fbe
    (make 100% sure the file in red goes)

    C:\Program Files\instaler.exe ------> Trojan-Dropper.Win32.Agent.fbe <<< delete that installer.

    That should give you a clean scan, I do not need to see it if it is clean. Any malware issues now?

    Some good information for you:
    http://users.telenet.be/bluepatchy/m...wcomputer.html
    http://www.microsoft.com/windowsxp/u...s/mcgill1.mspx

    Here is some great information from experts in this field that will help you stay clean and safe online.
    http://users.telenet.be/bluepatchy/m...revention.html
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    http://www.malwarecomplaints.info/

    Thanks...pskelley
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.

  4. #14
    Junior Member
    Join Date: Mar 2008
    Location: Louisiana
    Posts: 15

    Good Morning

    I was able to delete:

    C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\tb7qZ8b8.exe ------> Trojan-Dropper.Win32.Agent.fbe
    (make 100% sure the file in red goes)

    C:\Program Files\instaler.exe ------> Trojan-Dropper.Win32.Agent.fbe <<< delete that installer.

    by doing a file search, I deleted these two items and sent them to the recycle bin and then emptied the bin.

    I went back and ran a Spybot S&D and ended up with the following:


    --- Search result list ---
    Microsoft.Windows.Explorer: [SBI $31F4F7F9] User settings (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-52592350-1112094291-630672053-17755\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCloseDragDropBands

    Microsoft.Windows.Explorer: [SBI $6E94BB3F] User settings (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-52592350-1112094291-630672053-17755\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar

    Is this something I need to deal with?

    Lastly, on post 9, we made changes to uncheck the Hide protected operating system files. Should I go back now and reverse this action?

    Thanks for the help

    lane412000

  5. #15
    pskelley (In Memoriam - Always in our heart)
    Join Date: Oct 2005
    Location: Clearwater, Florida
    Posts: 20,247

    Thanks for the feedback. I am of the opinion (and may be wrong) that if Spybot S&D locates something it should be able to fix it. Are you running the newest version of Spybot S&D 1.5.2? and are you fully Immunized?
    http://www.safer-networking.org/en/s...d15/index.html
    If you are, why not post for the folks who are Spybot S&D experts here:
    http://forums.spybot.info/forumdisplay.php?f=4 <<< Spybot forum
    http://forums.spybot.info/forumdisplay.php?f=16 <<< false positives

    If you want to clean leftovers from the registry, here is a good, free tool: http://www.ccleaner.com/
    The registry cleaner is: http://www.ccleaner.com/help/tour/5-issues
    To use, simply press the "Scan for Issues" button and once completed press the
    "Fix Selected Issues" button. You will be prompted to backup and helped throughout the process.
    Be very sure you follow the instructions for making a backup. I have never had to restore an item to the registry using CCleaner but I am always prepared to do so with a backup.

    I personally do not hide any files on my computers, but I have no children and no novice users who can delete a file in error. If you want to hide them, please do so. Just reverse the process you used to view them.

  6. #16
    Junior Member
    Join Date: Mar 2008
    Location: Louisiana
    Posts: 15

    pskelley....thanks for the help in cleaning the mess out of my computer. I am running the latest version of spybot, but will go ahead and visit the sites you provided with links.

    Again, thanks for helping me.

    lane412000
