
Familycyberalert!


15 replies to this topic

#1 ron_c

ron_c

  • Members
  • 14 posts

Posted 13 December 2007 - 03:58 PM

Two days ago I downloaded, saved and then later on ran the program CyberScrub. This was the only thing that was downloaded that day. Yesterday, my Comodo firewall started alerting me about programs that were wanting to get online that had never asked before. Thinking this was just CyberScrub needing updates and the like, I "Allowed" the request. Later that evening the requests for getting online were increasing. For example, "Internet Explorer\iexplorer.exe has loaded ieframe.dll into ybrowser.exe using a global hook which could be used by keyloggers to steal private information". This program (ieframe.dll) has never asked permission to get online. Other programs then started asking to be allowed to get online. My service provider's AT&T Self Support Tool (used in case you have a problem getting online) has never requested to get online. Something was wrong. First thing I did was run a scan with NOD32, nothing found. Then ran a scan with Spyware Doctor, nothing found. Same thing with SuperAntiSpyware, Spy Sweeper, Ad-Aware 2007, nothing found (except for minor cookies which were deleted); then scanned with Spybot S&D, bingo, found "FamilyCyberAlert", which is spyware to monitor the whole computer. Anyway, had Spybot S&D purge this program. I then ran a scan with Registry Fix to get rid of any errors it found, and it found several entries no longer existing pertaining to FamilyCyberAlert, and almost every error was linked back to CyberScrub! What gives? I thought CyberScrub was a legitimate program; if it is, how did FamilyCyberAlert get downloaded and installed, and why was it linked back to CyberScrub? Today (12-13-07) I'm still being bombarded with requests to get online, most wanting to go to a remote IP address of 192.168.1.254: :dns(53), and I have had, as of a few minutes ago, 410 requests from different programs from Comodo asking to get online. If I "Deny" I can't get on the internet. Computer runs very slow (took almost 5 minutes to pull up Control Panel).
If I "Deny" one program from getting online I get another one wanting to get online, and so on and so on. Sure could use some help on this one.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:06:25 PM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Eset\nod32kui.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TrueSwitchAT&TYahoo\TrueWizard.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iolo\System Mechanic 7\SMTrayNotify.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: CPrintEnhancer Object - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueSwitchAT&TYahoo\TrueWizard.exe
O4 - Global Startup: AT&T Self Support Tool.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: ymetray.lnk.disabled
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O15 - Trusted Zone: *.att.net
O15 - Trusted Zone: http://*.att.net
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191880714890
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 9162 bytes
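As an added example (not code from this thread, from HijackThis or from any tool named in it), here is a small Python parser for the log layout posted above, followed by a first-pass triage of the kind a log helper does by eye: persistence entries (O4, O20, O23) loading from user-writable or unusual paths, O23 services with no vendor name, O16 DPF entries that fetch an executable from the web, the R0/R1 proxy setting, and the set of distinct Winsock LSP DLLs behind the repeated O10 lines. The sample log is constructed from lines modelled on the posted one; the "[updater]" O4 line is invented so the path rule has something to flag.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the HijackThis v2 layout used in this thread. Most lines
# are modelled on the log posted above; the "[updater]" O4 line is invented so
# that the user-writable-path rule below has something to flag.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Ron\Local Settings\Temp\upd.exe
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
--
End of file - 1234 bytes
"""

# Every HJT item starts with a section tag (R0, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# First Windows path ending in a binary/package extension; quotes are excluded.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|cab|ocx))', re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Where persistence items normally live on an XP box like the one in the thread.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")
# Directories a standard user can write to; autoruns from here deserve a look.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\documents and settings\\")
PERSISTENCE_SECTIONS = {"O4", "O20", "O23"}


@dataclass
class Entry:
    section: str
    body: str
    path: Optional[str]
    url: Optional[str]


@dataclass
class Finding:
    severity: str  # "review" (look at it) or "info" (context for the helper)
    section: str
    reason: str
    body: str


def parse_hjt(text: str) -> List[Entry]:
    """Turn an HJT log into Entry records; header, process list and footer are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        p = PATH_RE.search(body)
        u = URL_RE.search(body)
        entries.append(Entry(m.group("section"), body,
                             p.group(1) if p else None, u.group(0) if u else None))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply a few first-pass rules; the output is a worklist, not a verdict."""
    findings: List[Finding] = []
    lsp_dlls = set()
    for e in entries:
        lp = (e.path or "").lower()
        if e.section in PERSISTENCE_SECTIONS and lp and (
            any(w in lp for w in USER_WRITABLE) or not lp.startswith(TRUSTED_ROOTS)
        ):
            findings.append(Finding("review", e.section, "persistence from user-writable or unusual path", e.body))
        if e.section == "O23" and "Unknown owner" in e.body:
            findings.append(Finding("info", e.section, "service without vendor information", e.body))
        if e.section == "O16" and e.url and e.url.lower().endswith(".exe"):
            findings.append(Finding("review", e.section, "DPF entry fetches an executable from the web", e.body))
        if e.section == "O10" and lp:
            lsp_dlls.add(lp)  # the same DLL is listed once per LSP chain layer
        if e.section in ("R0", "R1") and "proxy" in e.body.lower():
            findings.append(Finding("info", e.section, "proxy setting present; confirm it is intended", e.body))
    if lsp_dlls:
        findings.append(Finding("info", "O10",
                                f"{len(lsp_dlls)} distinct Winsock LSP DLL(s): {', '.join(sorted(lsp_dlls))}", ""))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
        if f.body:
            print(f"          {f.body}")
```

The path rule deliberately reports, rather than judges: a legitimate program can autorun from a profile directory, so each "review" item still needs a human to check the file.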


#2 sjpritch25

sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 26 December 2007 - 10:40 PM

Welcome to BC :thumbsup:

Sorry for the delay, the forum has been extremely busy lately.

Since it's been a few days, please post a fresh HijackThis log. Thanks.
Microsoft MVP Consumer Security--2007-2010

#3 ron_c

ron_c
  • Topic Starter

  • Members
  • 14 posts

Posted 27 December 2007 - 12:24 PM

Here is the new HijackThis log. OK, to clear things up a bit, I'm not referring to Family Cyber Alert by InfoWorks but the spyware FamilyCyberAlert. Something new that started the day after posting the above log is that at startup or reboot I now get "Initialize Command c000003a". I have never had this happen before having problems. Before getting online I also get this popup from my Comodo Firewall that "There are unknown components in svchost.exe or System Mechanic 7 or whichever program I'm trying to run, that requires approval before proceeding with this request". Before the problem started I had never received any "unknown components" popup. This is every program I try to run. After getting online I'm bombarded with my Firewall popups, mainly with this request: "C:\Program Files\Yahoo!\browser\ybrowser.exe has loaded ieframe.dll into ybrowser.exe using a global hook which could be used by keyloggers to steal private information". Yesterday, I counted 87 requests, mostly this request; the only difference was the IP address it was going to. Some popups were only the single request, some were 1 of 2, 1 of 8 or even 1 of 15. Before I can even get offline I have to go through 10 to 15 requests like this. Please help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:43 AM, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Eset\nod32kui.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\TrueSwitchAT&TYahoo\TrueWizard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CPrintEnhancer Object - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueSwitchAT&TYahoo\TrueWizard.exe
O4 - Global Startup: AT&T Self Support Tool.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: ymetray.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O15 - Trusted Zone: *.att.net
O15 - Trusted Zone: http://*.att.net
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191880714890
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 9519 bytes

#4 sjpritch25

sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 27 December 2007 - 10:04 PM

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Microsoft MVP Consumer Security--2007-2010

#5 ron_c

ron_c
  • Topic Starter

  • Members
  • 14 posts

Posted 28 December 2007 - 10:37 AM

Was able to disable NOD32, Spyware Doctor and Spybot S&D but didn't see how to disable SuperAntiSpyware, Ad-Aware 2007 or SpyBlaster. Hope this doesn't cause problems.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:23:56 AM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\TrueSwitchAT&TYahoo\TrueWizard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Comodo\Firewall\cpf.exe
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CPrintEnhancer Object - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueSwitchAT&TYahoo\TrueWizard.exe
O4 - Global Startup: AT&T Self Support Tool.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: ymetray.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O15 - Trusted Zone: *.att.net
O15 - Trusted Zone: http://*.att.net
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191880714890
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 9268 bytes

ComboFix 07-12-28.1 - Ron 2007-12-28 9:01:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.435 [GMT -6:00]
Running from: C:\Documents and Settings\Ron\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.

2007-12-27 21:00 . 2007-12-27 21:00 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg
2007-12-27 20:57 . 2007-11-20 22:34 35,840 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2007-12-27 20:56 . 2007-12-27 20:56 <DIR> d-------- C:\Program Files\iolo
2007-12-27 20:44 . 2007-12-27 21:00 <DIR> d-------- C:\Documents and Settings\Ron\Application Data\iolo
2007-12-27 20:44 . 2007-12-27 21:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2007-12-26 12:49 . 2007-12-26 12:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\logs
2007-12-24 16:16 . 2007-12-24 16:29 <DIR> d-------- C:\Program Files\1st Registry Repair
2007-12-24 13:42 . 2007-12-24 13:42 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-24 13:27 . 2007-12-24 13:27 <DIR> d-------- C:\Program Files\Ace Utilities
2007-12-23 18:23 . 2007-12-23 19:37 <DIR> d-------- C:\Documents and Settings\Ron\.housecall6.6
2007-12-23 17:38 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-23 16:42 . 2007-12-23 16:42 <DIR> d-------- C:\WINDOWS\Sun
2007-12-23 16:40 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-23 16:38 . 2007-12-23 16:40 <DIR> d-------- C:\Program Files\Java
2007-12-23 16:36 . 2007-12-23 16:36 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-22 20:09 . 2007-12-22 20:09 <DIR> d-------- C:\Documents and Settings\Ron\Application Data\WinPatrol
2007-12-22 20:08 . 2007-12-22 20:08 <DIR> d-------- C:\Program Files\BillP Studios
2007-12-22 19:30 . 2007-12-22 19:30 <DIR> d-------- C:\Documents and Settings\Ron\Application Data\TuneUp Software
2007-12-22 19:30 . 2007-12-22 19:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2007-12-22 19:30 . 2007-12-22 19:30 306,432 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2007-12-22 19:30 . 2007-12-20 10:41 29,440 --a------ C:\WINDOWS\system32\uxtuneup.dll
2007-12-22 19:29 . 2007-12-22 19:34 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2007-12-22 17:26 . 2007-12-22 17:26 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-12-22 17:26 . 2007-12-22 17:26 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-12-21 18:48 . 2007-12-21 18:48 <DIR> d-------- C:\Program Files\Privacy Guardian
2007-12-21 18:48 . 2004-03-09 00:00 224,016 --a------ C:\WINDOWS\system32\TABCTL32.OCX
2007-12-21 12:23 . 2007-12-21 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-20 17:16 . 2007-12-20 17:16 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-12-20 17:15 . 2007-12-21 17:57 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-12-20 17:13 . 2007-12-20 17:18 <DIR> d-------- C:\Documents and Settings\Ron\Application Data\SiteAdvisor
2007-12-20 17:13 . 2007-12-27 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-19 13:41 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-19 13:41 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-19 13:41 . 2007-12-13 19:40 77,824 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-19 13:41 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-19 13:41 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-19 13:41 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-17 14:44 . 2007-12-20 12:50 437,096 --a------ C:\WINDOWS\system32\Incinerator.dll
2007-12-13 22:09 . 2006-03-28 08:54 696,320 --a------ C:\WINDOWS\system32\libeay32.dll
2007-12-13 22:09 . 2006-03-28 08:55 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-12-12 13:18 . 2007-12-21 10:42 <DIR> d-------- C:\Program Files\Webroot
2007-12-12 13:18 . 2007-12-12 13:18 <DIR> d-------- C:\Program Files\Common Files\Webroot Shared
2007-12-12 13:18 . 2007-12-21 10:42 <DIR> d-------- C:\Documents and Settings\Ron\Application Data\Webroot
2007-12-12 13:18 . 2007-12-21 10:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-12-12 13:15 . 2007-11-26 14:50 196,424 --a------ C:\WINDOWS\Unwash6.exe
2007-12-11 17:09 . 2007-12-11 17:09 <DIR> d-------- C:\Documents and Settings\Ron\Application Data\Safe Folder
2007-12-11 15:53 . 2007-02-07 11:08 84 --a------ C:\WINDOWS\csact.ini
2007-12-08 10:33 . 2007-12-08 10:36 102,364 --a------ C:\WINDOWS\hpqins13.dat
2007-11-29 15:54 . 2007-11-29 16:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 14:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-28 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\BOC425
2007-12-28 14:26 --------- d-----w C:\Program Files\TrueSwitchAT&TYahoo
2007-12-28 03:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\WEBREG
2007-12-28 03:16 --------- d-----w C:\Program Files\Spyware Doctor
2007-12-25 19:21 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-12-23 01:44 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-23 01:26 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-21 00:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-17 03:28 --------- d-----w C:\Documents and Settings\Ron\Application Data\Image Zone Express
2007-12-14 23:13 23,040 ----a-w C:\WINDOWS\system32\smrgdf.exe
2007-12-14 15:18 74,240 ----a-w C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-14 15:18 56,832 ----a-w C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-03 19:22 --------- d-----w C:\Program Files\SpywareBlaster
2007-11-23 16:10 --------- d-----w C:\Program Files\SUPERFileRecover
2007-11-23 16:08 --------- d-----w C:\Program Files\EULAlyzer
2007-11-22 03:53 --------- d-----w C:\Documents and Settings\Ron\Application Data\SUPERAntiSpyware.com
2007-11-22 03:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-20 00:35 --------- d-----w C:\Documents and Settings\Ron\Application Data\Comodo
2007-11-20 00:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2007-11-20 00:31 --------- d-----w C:\Program Files\Comodo
2007-11-19 22:11 --------- d-----w C:\Program Files\CCleaner
2007-11-18 22:43 --------- d-----w C:\Documents and Settings\Ron\Application Data\Yahoo!
2007-11-18 20:12 --------- d-----w C:\Program Files\SBC Self Support Tool
2007-11-18 20:12 --------- d-----w C:\Documents and Settings\Ron\Application Data\Motive
2007-11-18 20:09 --------- d-----w C:\Program Files\Common Files\Motive
2007-11-18 20:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2007-11-16 20:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Tools
2007-11-15 05:10 --------- d-----w C:\Program Files\RegistryFix
2007-11-14 21:08 --------- d-----w C:\Program Files\MSXML 4.0
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-13 04:42 --------- d-----w C:\Program Files\Yahoo!
2007-11-13 00:37 --------- d-----w C:\Program Files\CONEXANT
2007-11-11 21:47 --------- d-----w C:\Documents and Settings\Ron\Application Data\MSN6
2007-11-11 03:46 --------- d-----w C:\Documents and Settings\LocalService\Application Data\iolo
2007-11-10 14:52 --------- d-----w C:\Program Files\Trend Micro
2007-11-10 14:51 --------- d-----w C:\Program Files\Common Files\PC Tools
2007-11-10 14:51 --------- d-----w C:\Documents and Settings\Ron\Application Data\PC Tools
2007-11-10 14:51 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Webroot(2)
2007-11-10 14:50 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2007-11-10 14:50 --------- d-----w C:\Documents and Settings\Ron\Application Data\TrueSwitch
2007-11-10 14:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion(2)
2007-11-10 14:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-10 14:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\YAHOO
2007-11-10 14:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion(3)
2007-11-10 14:43 --------- d-----w C:\Program Files\Connection Wizard
2007-11-10 14:21 --------- d-----w C:\Program Files\TrueSwitch
2007-11-09 19:46 135,251 ----a-w C:\WINDOWS\java\Packages\86W8A5BD.ZIP
2007-11-09 16:25 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Webroot(3)(2)
2007-11-07 22:46 --------- d-----w C:\Program Files\Nero
2007-11-03 01:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2007-10-31 17:04 --------- d-----w C:\Program Files\Lavasoft
2007-10-31 17:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 18:24 12,060,765 ----a-w C:\WINDOWS\Internet Logs\GLBF3_on_demand_2007_10_28_10_56_15_full.dmp.zip
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-22 20:59 164 ----a-w C:\install.dat
2007-10-22 01:40 135,161 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_21_18_34_29_small.dmp.zip
2007-10-22 01:40 124,094 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_21_18_34_34_small.dmp.zip
2007-10-22 01:40 118,036 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_21_18_32_03_small.dmp.zip
2007-10-19 22:32 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2007-10-11 23:32 155,995 ----a-w C:\WINDOWS\java\Packages\EOB9J93V.ZIP
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-10-07 12:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 22:41]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 17:40]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-19 16:32]
"BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-08-08 19:49]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-11-19 18:30]
"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 16:31]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-13 12:05]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 10:06]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2007-12-20 12:50]

C:\Documents and Settings\Ron\Start Menu\Programs\Startup\
TrueAssistant.lnk - C:\Program Files\TrueSwitchAT&TYahoo\TrueWizard.exe [2007-09-13 06:45:20]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AT&T Self Support Tool.lnk.disabled [2007-11-18 14:12:11]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 22:40:10]
ymetray.lnk.disabled [2007-10-11 19:26:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
"NVIEW"="rundll32.exe" nview.dll,nViewLoadHook
"NvMediaCenter"="RUNDLL32.EXE" C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
"PhotoShow Deluxe Media Manager"=C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.EXE" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" /AllUsers
"NvCplDaemon"="RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
"nwiz"="nwiz.exe" /install
"Motive SmartBridge"=C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

R2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2007-11-22 00:11]
R2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2007-11-22 00:11]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 01:56]
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 14:50]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 16:59]
R3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys [2007-04-17 14:14]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2007-12-22 19:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-23 01:31:31 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 09:04:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-28 9:05:13
.
2007-12-12 19:34:26 --- E O F ---

#6 sjpritch25 (Security Colleague, 898 posts, West Coast of Florida, USA)

Posted 28 December 2007 - 09:37 PM

How is everything running?
Microsoft MVP Consumer Security--2007-2010

#7 ron_c (Topic Starter, Members, 14 posts)

Posted 29 December 2007 - 09:50 AM

It's still running the same. Still get "Unknown Components" requests before getting on line, and while on line still get the "ybrowser.exe has loaded ieframe.dll into ybrowser.exe" firewall popups, but seems like not as many. However, I now know how I'm getting this junk on my computer. Caught my 16-year-old grandson looking at porn yesterday evening. Anyway, ran a scan with Spyware Doctor and durn, had these on my computer: "Application.Component Keyloggers", "Trojan.PWS.Tanspy", "Trojan.Generic". Got rid of these and then ran a scan with Spybot S&D, SUPERAntiSpyware and Ad-Aware 2007 and nothing else was found. Just for the heck of it ran another scan with Spy. Doc. and then it found "Trojan-Downloader.VB.AXA". Also saw that he had disabled NOD32 and Spy. Doc. and asked him why he did that. He said Spy. Doc. wouldn't allow him on one site and he figured it must have something on that site he wanted to see. I asked him did he not read what Spy. Doc. was warning him about this site and he said no, he just figured it was something good and he disabled them. Some people just don't realize what these programs do.

#8 ron_c (Topic Starter, Members, 14 posts)

Posted 29 December 2007 - 04:47 PM

Here's an update. After writing the above results this morning, thought about the program WinPatrol 2007 that was downloaded, saved and then run later that day, and this is about the same time I was getting about 14,000 firewall popups a day. This was a program that I tried (try before you buy) and uninstalled it, rebooted and then got on line and lo and behold, NOT 1 POPUP that wanted "ybrowser.exe to load ieframe.dll into ybrowser.exe, etc." Got off and back on line several times to be sure. If on line, like here, Bleeping Computer, just to go to another page or go back to another page would have to go through several firewall popups. So, it APPEARS WinPatrol 2007 was the problem. However, thought I would do a scan with Spyware Doctor just to check things out and durn if two of the three trojans I deleted yesterday reappeared, Trojan.PWS.Tanspy and Trojan.Generic. The description for Tanspy is, every time you get on line this trojan reappears. Tried this, got on line, went to Bleeping Computer and C/Net download.com, went to a couple of pages, got off line and ran another scan with Spyware Doctor and sure enough they reappeared. Even ran ComboFix to see if this would get rid of them. Didn't. When I leave here I'll have to go and do another scan to get rid of these trojans. Also, still get the "Initinize Command c000003a" at bootup and have never received this before the problems started and was wondering if this might be part of it. Have found "c000003a" referenced in two places in the registry. All I can think of at this time. Oh, one more thing, I uninstalled my Comodo Firewall and reinstalled it to start from scratch, to see if this might stop the "unknown components" popups and it did, but with the trojans still reappearing this might have been a mistake.

#9 sjpritch25 (Security Colleague, 898 posts, West Coast of Florida, USA)

Posted 30 December 2007 - 08:37 PM

This was a program that I tried (try before you buy) and uninstalled it, rebooted and then got on line and lo and behold, NOT 1 POPUP that wanted "ybrowser.exe to load ieframe.dll into ybrowser.exe, etc." Got off and back on line several times to be sure. If on line, like here,


That file is related to the Yahoo browser toolbar. You will need to open IE 7, click on Tools, Manage Add-ons, click on Enable or Disable Add-ons, and under Enabled look for any Yahoo Toolbar add-ons. When you find any, you will need to disable them one by one until you no longer receive the error at start up (IE 7).


Where is Spyware Doctor finding the trojan??? Can you post the log from Spyware Doctor. Thanks
Microsoft MVP Consumer Security--2007-2010

#10 ron_c (Topic Starter, Members, 14 posts)

Posted 30 December 2007 - 10:05 PM

sjpritch25,
Can't believe you're working today, but again I can't believe how many people get junk on their computers each and every day.
Anyway, here is the Spyware Doctor log for the Downloader.VB.AXA Trojan and location. As an update, yesterday ran scan after scan with all my antispyware programs just before shutting down for the day and at that time everything was clean. This morning first thing I did was run a scan with Spyware Doctor and Spybot S&D and again it was clean. Got on line, went to Bleeping Computer Forum and to www.download.com. Was on line about 1 hour, got off line, signed out, and ran a scan with Spyware Doctor and it found Downloader.VB.AXA Trojan again. Got rid of it. Have been on line off and on all day and have scanned time and time again and for now it's clean.

Scan Finished
Scan Type - Intelli-Scan
Items Processed - 180657
Threats Detected - 1
Infections Detected - 14
Infections Ignored - 0

12/29/2007 7:33:45 PM:593 Infection quarantined
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\virusschlacht.com

12/29/2007 7:33:45 PM:609 Infection quarantined
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\virusschlacht.com\www

12/29/2007 7:33:45 PM:625 Infection quarantined
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\virusschlacht.com\www, *

12/29/2007 7:33:45 PM:640 Infection quarantined
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\virusschlacht.com, *

12/29/2007 7:33:45 PM:656 Infection quarantined
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trustedantivirus.com

12/29/2007 7:33:45 PM:671 Infection quarantined
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trustedantivirus.com\www

12/29/2007 7:33:45 PM:687 Infection quarantined
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trustedantivirus.com\www, *

12/29/2007 7:33:45 PM:718 Infection quarantined
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trustedantivirus.com, *

12/29/2007 7:33:45 PM:734 Infection quarantined
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\safetydownload.com

12/29/2007 7:33:45 PM:750 Infection quarantined
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\safetydownload.com\www

12/29/2007 7:33:45 PM:843 Infection quarantined
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\safetydownload.com\www, *

12/29/2007 7:33:45 PM:859 Infection quarantined
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\safetydownload.com\bsa

12/29/2007 7:33:45 PM:875 Infection quarantined
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\safetydownload.com\bsa, *

12/29/2007 7:33:45 PM:875 Infection quarantined
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\safetydownload.com, *

12/29/2007 7:33:46 PM:250 Infection cleaned
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\virusschlacht.com

12/29/2007 7:33:46 PM:250 Infection cleaned
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\virusschlacht.com\www

12/29/2007 7:33:46 PM:250 Infection cleaned
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\virusschlacht.com\www, *

12/29/2007 7:33:46 PM:250 Infection cleaned
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\virusschlacht.com, *

12/29/2007 7:33:46 PM:250 Infection cleaned
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trustedantivirus.com

12/29/2007 7:33:46 PM:250 Infection cleaned
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trustedantivirus.com\www

12/29/2007 7:33:46 PM:250 Infection cleaned
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trustedantivirus.com\www, *

12/29/2007 7:33:46 PM:250 Infection cleaned
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trustedantivirus.com, *

12/29/2007 7:33:46 PM:250 Infection cleaned
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\safetydownload.com

12/29/2007 7:33:46 PM:250 Infection cleaned
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\safetydownload.com\www

12/29/2007 7:33:46 PM:484 Infection cleaned
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\safetydownload.com\www, *

12/29/2007 7:33:46 PM:484 Infection cleaned
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\safetydownload.com\bsa

12/29/2007 7:33:46 PM:484 Infection cleaned
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\safetydownload.com\bsa, *

12/29/2007 7:33:46 PM:484 Infection cleaned
Threat Name - Trojan-Downloader.VB.AXA
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\safetydownload.com, *

12/29/2007 7:33:48 PM:640 Infections Quarantined/Removed Summary
Quarantined - 14
Quarantine Failed - 0
Removed - 14
Remove Failed - 0


Do you also need the location for the recurring Trojans PWS.Tanspy and Generic? Thanks.

#11 sjpritch25 (Security Colleague, 898 posts, West Coast of Florida, USA)

Posted 30 December 2007 - 10:19 PM

Download DelDomains.inf from: http://www.mvps.org/winhelp2002/DelDomains.inf

A zipped version is available here:
http://www.geekstogo.com/modules.php?mo...load&id=40
http://www.geekstogo.com/modules.php?mo...show&id=40

1. Save it to your desktop.
2. Right-click DelDomains.inf and select: Install (no need to restart).
3. You may not see any noticeable changes or prompts - this is normal.

If you downloaded the zipped file, extract it to your desktop, then right-click DelDomains.inf and select Install.

Note: This .inf file will remove ALL entries in the Trusted Zone and Restricted Zone. Any entries that you had will need to be entered again. You will have to reimmunize with SpywareBlaster, and/or Spybot after doing this, and reinstall IESpyads if you use any of these programs.


This will remove everything. Let me know if anything else is detected.
Microsoft MVP Consumer Security--2007-2010

#12 ron_c (Topic Starter, Members, 14 posts)

Posted 31 December 2007 - 10:12 AM

sjpritch25

Did as you requested about DelDomains.inf. Checked out the registry in Domains and all data is gone. What about the domains in the other keys, HKEY_USERS_DEFAULT and CURRENT_USER, or is it better just to leave these alone? This might take a couple of days or so to see if this trojan (Downloader.VB.AXA) reappears. Also the trojans Application Component Keyloggers, Trojan-PWS.Tanspy and Trojan-Generic were from a spyware program called Oceanside something or another, and it turned out to be just another fake spyware program; these have not returned and probably won't. Also, I have seen other helpers request a donation for their help; do you accept donations and how would I go about doing it? Thanks, and will let you know in a couple of days or so if everything is ok.
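An audit script for the zone assignments the two posts above deal with, added here as an example and not something either poster ran: it lists every domain stored under ZoneMap\Domains in HKLM, HKCU and each loaded hive under HKEY_USERS (including .DEFAULT) with the zone it maps to, so the effect of DelDomains.inf can be checked in every hive rather than only HKLM. It assumes a Windows machine with Internet Explorer and an elevated PowerShell prompt; the zone-number labels are Microsoft's standard URL security zones.

```powershell
# Added example, not part of the thread: audit Internet Explorer zone
# assignments under ZoneMap\Domains. That is the key the Spyware Doctor log
# flagged (virusschlacht.com, trustedantivirus.com, safetydownload.com) and
# the key DelDomains.inf empties. HKEY_USERS is walked so every loaded
# profile, including .DEFAULT, is covered.
# Assumptions: Windows host with Internet Explorer, elevated PowerShell
# prompt so HKLM and HKEY_USERS are readable.

$ZoneNames = @{
    0 = 'My Computer'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

$Suffix = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-ZoneMapRoots {
    # HKLM and HKCU in drive form, plus each hive loaded under HKEY_USERS.
    $roots = @("HKLM:\$Suffix", "HKCU:\$Suffix")
    $users = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue
    foreach ($u in $users) {
        $roots += "Registry::HKEY_USERS\$($u.PSChildName)\$Suffix"
    }
    return $roots
}

function Get-ZoneMapDomains {
    $results = @()
    foreach ($root in Get-ZoneMapRoots) {
        if (-not (Test-Path $root)) { continue }
        # One subkey per domain; hosts such as "www" or "bsa" are nested subkeys.
        # Zone assignments are DWORD values named by scheme: "*", "http", "https".
        foreach ($key in Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue) {
            $relative = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
            $parts = $relative -split '\\'
            [array]::Reverse($parts)      # "virusschlacht.com\www" -> "www.virusschlacht.com"
            $hostName = $parts -join '.'
            foreach ($valueName in $key.GetValueNames()) {
                $raw = $key.GetValue($valueName)
                $zone = if ($raw -is [int]) { $raw } else { -1 }   # -1 marks a non-DWORD value
                $label = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { "Unknown ($zone)" }
                $results += New-Object PSObject -Property @{
                    Key      = $key.Name
                    HostName = $hostName
                    Scheme   = $valueName
                    Zone     = $zone
                    ZoneName = $label
                }
            }
        }
    }
    return $results
}

$entries = Get-ZoneMapDomains
$entries | Sort-Object Zone, HostName | Format-Table HostName, Scheme, ZoneName, Key -AutoSize

# Trusted sites (zone 2) entries deserve a look: IE applies looser rules there,
# and the only ones expected on this machine are the *.att.net and
# *.sbcglobal.net entries shown in the HijackThis O15 lines. Restricted sites
# (zone 4) entries are normally the SpywareBlaster / IE-SPYAD immunization.
$trusted = @($entries | Where-Object { $_.Zone -eq 2 })
"Trusted-zone entries: $($trusted.Count)"
$trusted | Format-Table HostName, Scheme, Key -AutoSize
```

After DelDomains.inf has run, the table should show no Trusted or Restricted entries at all until the zones are re-immunized and the ISP entries are added back.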

#13 sjpritch25 (Security Colleague, 898 posts, West Coast of Florida, USA)

Posted 31 December 2007 - 02:08 PM

I don't take donations, but you are welcome to donate to this wonderful site.
Microsoft MVP Consumer Security--2007-2010

#14 ron_c (Topic Starter, Members, 14 posts)

Posted 02 January 2008 - 01:40 PM

sjpritch25,

It's been over 2 days now and the Downloader Trojan has not reappeared. So, let's consider this matter closed. Just in case this trojan reappears in the next few days, do I recontact you or do I start a new post? Thanks a bunch for your help.

Edited by ron_c, 02 January 2008 - 01:42 PM.


#15 sjpritch25 (Security Colleague, 898 posts, West Coast of Florida, USA)

Posted 02 January 2008 - 01:50 PM

Just PM me and I will re-open this thread.
Microsoft MVP Consumer Security--2007-2010
