Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Burritos.exe, Karina.dat, Infection Alerts


  • This topic is locked This topic is locked
2 replies to this topic

#1 artemus

artemus

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:49 AM

Posted 05 October 2008 - 07:13 PM

I got messages from my taskbar saying that my computer was infected and that I needed to download free updates from Microsoft Security Center or Windows Security Center, I believe. I unwisely clicked to do so, then sensed something wrong, and canceled the rest of the download midway through. Then I kept getting the alerts. My McAfee software early on detected the Karina.dat file. The McAfee software subsequently seemed to become disabled. One or more of the suspicious files, burritos.exe and/or Karina.dat and maybe others, would reappear when I rebooted. Following advice I received on a third-party forum, I downloaded ComboFix and ran it. I had to change its name at some point because it wouldn't run otherwise.

I later learned that I should not have run ComboFix because it could cause problems with my system. I should have run it only after being asked to do so by an expert on this forum.

At any rate, I rebooted and found that the fake alerts did not reappear and some suspicious files were now quarantined. Then, after reading the preparation guide for posting to this HijackThis forum, I ran AdAdare, Spybot Search & Destroy, Bit Defender, McAfee Stinger, and Norton 360, and then installed a firewall. I can no longer find any trace of the malware/virus, but am not savvy enough to be sure it is gone. I ran HijackThis. Could an expert please look at the log and offer advice? Thank you so much for your help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:12 PM, on 10/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\NetWaiting\NetWaiting.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Juno\exec.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Juno\exec.exe
C:\Program Files\Juno\qsacc\x1exec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69258
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?

LinkId=55896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=55896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37E2CDBA-2AF3-44BB-9223-BD1J2DA3C2B8} - C:\Program

Files\Juno\SearchEnh1.dll
O2 - BHO: Pop-up Blocker - {52706EF7-D7A1-38AD-B415-E904358CF284} - C:\Program Files\Juno\qsacc\X1IEBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {46707962-6F75-3D53-2644-235A7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {E1D4B232-DA4C-4dbd-81E3-CDFE4931A4AA} - C:\Program

Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: JunoBar - {6214FAC4-4CF0-47AA-A6A8-B4EA8DEE3CF4} - C:\Program Files\Juno\Toolbar.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {E1D4B232-DA4C-4dbd-81E3-CDFE4931A4AA} - C:\Program

Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0

\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\NetWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot

1
O4 - HKCU\..\Run: [Juno_uoltray] C:\Program Files\Juno\exec.exe regrun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program

Files\Juno\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/227
O9 - Extra button: (no name) - {09A0E5C0-3ECB-11CE-AAA4-11501C608512} - C:\Program Files\Java\j2re1.4.2_03

\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {09A0E5C0-3ECB-11CE-AAA4-11501C608512} - C:\Program

Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} -

C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {DE67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {CDB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {CDB852A3-47F8-48C4-A200-58CAB36FD2A2} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {d3d2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {CD5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {CD5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: {24492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -

http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {325B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) -

http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {3E8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) -

http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {5A86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -

http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common

Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan

Enterprise\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. -

C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 10597 bytes

BC AdBot (Login to Remove)

 


#2 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  •  
  • Local time:10:49 AM

Posted 14 October 2008 - 07:54 AM

Welcome to Bleeping Computer, please be sure you have read and followed the
Preparation Guide For Use Before Posting A Hijackthis Log, Instructions for receiving help in cleaning your computer
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
All advice given is taken at your own risk.

I apologize for the wait, if your issues are not resolved, read the instructions posted above and then follow the directions below. If you no longer need help, I would appreciate a quick post letting me know so I can close your topic.

1) C:\ProgramFiles\Java\j2re1.4.2_03\ <<< Java is very badly out of date, see this:
http://forums.spybot.info/showpost.php?p=1...amp;postcount=2
If you have problems removing old versions, this tool will help:
http://www.majorgeeks.com/JavaRa_d5967.html


2) "Word Wrap" is enabled, I can not use this HJT log.
Note: In notepad under Format, uncheck "Word Wrap" Produce all HJT logs like this, single spaced.
single-spaced - (of type or print) not having a blank space between lines.
Please do not quote or code.

If you still need help, post an unformatted HJT log. If you have any symptoms, please describe them.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  •  
  • Local time:10:49 AM

Posted 23 October 2008 - 04:13 PM

No response, topic is closed.
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users