
Vwwdiag32.exe Infected


38 replies to this topic

#1 HockeyFighter


Posted 07 November 2006 - 02:18 PM

I got hammered with vwwdiag32.exe last wk.

I've been pulling out my hair.
Can you good folks review the HJT log and help me ?

Thanks


Logfile of HijackThis v1.99.1
Scan saved at 8:36:00 AM, on 12/7/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\Ati2evxx.exe
D:\Program Files\Yahoo!\Antivirus\ISafe.exe
D:\WINNT\System32\svchost.exe
D:\PROGRA~1\Iomega\System32\AppServices.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\stisvc.exe
D:\Program Files\Yahoo!\Antivirus\VetMsg.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\explorer.exe
D:\WINNT\system32\Atiptaxx.exe
D:\Program Files\Real\RealPlayer\RealPlay.exe
D:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
D:\Program Files\BroadJump\Client Foundation\CFD.exe
D:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
D:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
D:\Program Files\Yahoo!\Antivirus\CAVTray.exe
D:\PROGRA~1\YAHOO!\browser\ycommon.exe
D:\Program Files\Yahoo!\Antivirus\CAVRID.exe
D:\PROGRA~1\YAHOO!\YOP\yop.exe
D:\Program Files\QuickTime\qttask.exe
C:\361101032252966165.exe
C:\361101032252978853.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINNT\system32\wuauclt.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\HighJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: Shell=explorer.exe " vmmdiag32.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - D:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - D:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "D:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [BJCFD] D:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] D:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CaAvTray] "D:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "D:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] D:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [shell] "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [WinMedia] C:\361101032252966165.exe
O4 - HKCU\..\Run: [Winstl] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstb] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstd] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstr] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsty] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstn] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstw] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstu] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstt] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstj] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstf] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsta] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstc] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstv] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstq] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstg] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstp] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsti] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstm] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsth] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winste] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstz] C:\msupd011350531.exe
O4 - HKCU\..\Run: [Winsts] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstk] C:\361101032252978853.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SBC Self Support Tool.lnk = D:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Uninstall.exe
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINNT\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\sniffer.dll
O10 - Unknown file in Winsock LSP: c:\sniffer.dll
O10 - Unknown file in Winsock LSP: c:\sniffer.dll
O10 - Unknown file in Winsock LSP: c:\sniffer.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0729a5739d4af7...ip/RdxIE601.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINNT\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - D:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - D:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - D:\Program Files\Yahoo!\Antivirus\VetMsg.exe


#2 Buckeye_Sam

    Malware Expert



Posted 08 November 2006 - 04:26 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
Your computer is seriously infected. You should try to remain disconnected from the internet as much as possible. You should also change any passwords that you may have used recently as they may have been compromised.

Download haxfix.exe
and save it to your desktop.
  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"
A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix
  • Select option 1. Make logfile by typing 1 and then pressing Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
  • Copy the contents of that logfile and paste it into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 HockeyFighter

  • Topic Starter

Posted 09 November 2006 - 07:40 PM

Hi Buckeye
Thanks for responding.

While I was waiting during past two days, I attempted to run Spybot.

Turns out my computer is running very, very slowly. Tasks that take 2-3 seconds (i.e. clicking on a window to move it) now take 5-10 minutes.

Other tasks take 15-25 minutes. Computer feels "constipated" (geez, I hope I can use that word in this forum)

I've had Spybot running for the past 36 hours.

I will run the haxfix tonight.

What should I do with Spybot ?

Thanks again

#4 HockeyFighter

  • Topic Starter

Posted 09 November 2006 - 07:48 PM

Another question ...

You said to change passwords.

Are you talking about passwords on things like personal accounts, home banking, etc ?

#5 Buckeye_Sam

    Malware Expert



Posted 10 November 2006 - 09:24 AM

Are you talking about passwords on things like personal accounts, home banking, etc ?

Yes.
Any passwords that you might have typed in using this computer.

Spybot is a good program, but it won't be able to fix this. You may as well stop running it.

#6 HockeyFighter

  • Topic Starter

Posted 10 November 2006 - 02:07 PM

Buckeye ...
Attached is the HAXFIX file.
It took a long time to run. I got the red DOS screen at 1:00 am, and the logfile finished writing around 7:30am this morning. Should I be concerned ?

Is that slowness a symptom of the infections on my computer ?

I also stopped running Spybot.

Please advise on next steps. Thanks for your help

HAXFIX logfile - by Marckie
______________
version 4.28
Mon 12/11/2006 2:48:57.02

checking for haxdoor
--------------------
checking for a3d files....
a3d files not found

checking for matching notify keys....
no matching notify keys found

checking for matching services....
matching services found
CmBatt

checking for matching safeboot services....
no matching safeboot services found

checking for other haxdoorfiles....


Checking for goldun
-------------------

checking for SSODL keys....
no ssodl keys found

checking for notify keys....
no notify keys found

checking for services....
no services found

checking for other goldunfiles....
wmdconf32.dll found


Finished

#7 Buckeye_Sam

    Malware Expert



Posted 11 November 2006 - 03:35 PM

The malware that you have will definitely be slowing you down, but the scan should not have taken that long. We'll investigate that further once we get the malware off your computer.

Option 2 autofix
  • Open this folder program files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
  • Close all other open windows since this step requires a reboot
  • Select option 2. Run auto fix by typing 2 and then pressing Enter
If an infection is found, you'll get a message to close all other open windows.
  • Close all open windows except the red dos window from haxfix and then press Enter
  • The computer will reboot
  • After reboot a logfile will open > (c:\haxfix.txt)
  • Post the contents of that logfile along with a new HijackThis log.


#8 HockeyFighter

  • Topic Starter

Posted 14 November 2006 - 04:45 AM

I ran the haxfix fix.bat file and auto fix, as you suggested.
Here is the text file

HAXFIX logfile - by Marckie
--------------
version 4.28
Fri 12/15/2006 0:46:44.99

--- Auto Haxdoorfix ---


searching for files:

no infections found


--- Goldunfix ---


searching for files:
wmdconf32.dll

searching for SSODLkeys:
no SSODLkeys found

searching for notifykeys:
no notifykeys found

searching for services:
no services found


.....rebooting the computer.....


searching for ssodlkeys

not needed


searching for notifykeys

not needed


searching for services

not needed


searching for safeboot services

not needed


searching for files

wmdconf32.dll exists
deleting wmdconf32.dll
wmdconf32.dll has been deleted


checking for other files

No other files found


checking for a3d files

no a3d files found


Finished


Here is the HijackThis log, after I ran the haxfix auto fix

Logfile of HijackThis v1.99.1
Scan saved at 12:56:32 AM, on 12/15/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\Ati2evxx.exe
D:\WINNT\System32\svchost.exe
D:\PROGRA~1\Iomega\System32\AppServices.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\Explorer.EXE
D:\WINNT\system32\Atiptaxx.exe
D:\Program Files\Real\RealPlayer\RealPlay.exe
D:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
D:\Program Files\BroadJump\Client Foundation\CFD.exe
D:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
D:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
D:\Program Files\Yahoo!\Antivirus\CAVTray.exe
D:\Program Files\Yahoo!\Antivirus\CAVRID.exe
D:\PROGRA~1\YAHOO!\browser\ycommon.exe
D:\PROGRA~1\YAHOO!\YOP\yop.exe
D:\Program Files\QuickTime\qttask.exe
C:\361101032252966165.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\361101032252978853.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\HighJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - D:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - D:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "D:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [BJCFD] D:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] D:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CaAvTray] "D:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "D:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] D:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [shell] "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [WinMedia] C:\361101032252966165.exe
O4 - HKCU\..\Run: [Winstl] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstb] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstd] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstr] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsty] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstn] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstw] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstu] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstt] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstj] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstf] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsta] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstc] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstv] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstq] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstg] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstp] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsti] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstm] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsth] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winste] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstz] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsts] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstk] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstx] C:\361101032252978853.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Winsto] C:\361101032252978853.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SBC Self Support Tool.lnk = D:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Uninstall.exe
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINNT\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\sniffer.dll
O10 - Unknown file in Winsock LSP: c:\sniffer.dll
O10 - Unknown file in Winsock LSP: c:\sniffer.dll
O10 - Unknown file in Winsock LSP: c:\sniffer.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0729a5739d4af7...ip/RdxIE601.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINNT\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - D:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - D:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - D:\Program Files\Yahoo!\Antivirus\VetMsg.exe


What should I do next ?
Thanks for your help

#9 Buckeye_Sam

    Malware Expert



Posted 14 November 2006 - 08:15 AM

You've still got a load of nasty malware there.

I see you're using Spybot's Teatimer. Normally this is a very good program, but while we are fixing your computer it can actually interfere with the fixes we are trying to make. I need you to disable it for now.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
===============


Download LSPFix from http://www.cexx.org/lspfix.zip and run it.
Check the I know what I'm doing box.
In the Keep box you should see one or more instances of the following files.

sniffer.dll

Select every instance of this file, but no others, and move each one to the Remove box by clicking the >> button.
When you are done click Finish>>.


===============


Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O4 - HKCU\..\Run: [shell] "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [WinMedia] C:\361101032252966165.exe
O4 - HKCU\..\Run: [Winstl] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstb] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstd] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstr] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsty] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstn] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstw] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstu] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstt] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstj] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstf] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsta] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstc] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstv] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstq] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstg] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstp] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsti] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstm] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsth] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winste] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstz] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsts] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstk] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstx] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsto] C:\361101032252978853.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0729a5739d4af7...ip/RdxIE601.cab



=============



Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    c:\sniffer.dll
    C:\361101032252978853.exe
    C:\361101032252966165.exe
    D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
================




Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
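An added triage script, not a tool from this thread or from the helper, that applies the same checks Buckeye_Sam applies by eye to the HijackThis log above: a system.ini Shell= value that is not just explorer.exe, many HKCU Run values fanning out to one executable, autoruns and running processes living in the root of a drive, and unknown Winsock LSP modules. The line-format regexes and the fan-out threshold are my assumptions; the sample lines are copied from the logs posted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis v1.99.1 lines posted in this thread.
SAMPLE_LOG = r"""
Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\explorer.exe
C:\361101032252966165.exe
C:\361101032252978853.exe
D:\Program Files\Internet Explorer\iexplore.exe

F2 - REG:system.ini: Shell=explorer.exe " vmmdiag32.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [shell] "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [WinMedia] C:\361101032252966165.exe
O4 - HKCU\..\Run: [Winstl] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstb] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstd] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstz] C:\msupd011350531.exe
O10 - Unknown file in Winsock LSP: c:\sniffer.dll
O10 - Unknown file in Winsock LSP: c:\sniffer.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - D:\Program Files\Yahoo!\Antivirus\ISafe.exe
""".strip("\n").splitlines()

# Assumed HJT line formats (derived from the logs above, not an official grammar).
F2_SHELL_RE = re.compile(r'^F2 - REG:system\.ini: Shell=(?P<value>.*)$')
O4_RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O10_LSP_RE = re.compile(r'^O10 - Unknown file in Winsock LSP: (?P<path>.+)$')
EXE_IN_CMD_RE = re.compile(r'^"?(?P<path>.*?\.exe)', re.IGNORECASE)   # first .exe in a Run command
ROOT_EXE_RE = re.compile(r'^[a-z]:\\[^\\]+\.exe$', re.IGNORECASE)     # X:\name.exe, no subfolder

FANOUT_THRESHOLD = 3  # assumed cut-off: this many Run values naming one binary is abnormal


def running_processes(lines):
    """Return the paths under 'Running processes:'; the section ends at the first blank line."""
    procs, in_section = [], False
    for line in lines:
        if line.strip() == "Running processes:":
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def run_entries(lines):
    """Yield (hive, value name, executable path) for every O4 Run entry."""
    out = []
    for line in lines:
        m = O4_RUN_RE.match(line)
        if not m:
            continue
        exe = EXE_IN_CMD_RE.match(m.group("cmd"))
        target = exe.group("path") if exe else m.group("cmd")
        out.append((m.group("hive"), m.group("name"), target))
    return out


def triage(lines):
    """Collect the indicator classes a helper looks for in an HJT log."""
    findings = {"shell_hijack": [], "run_fanout": {}, "root_autoruns": [],
                "unknown_lsp": [], "root_processes": []}
    for line in lines:
        m = F2_SHELL_RE.match(line)
        # Anything appended to the Shell= value is a second program started with the desktop.
        if m and m.group("value").strip().lower() != "explorer.exe":
            findings["shell_hijack"].append(m.group("value"))
        m = O10_LSP_RE.match(line)
        if m and m.group("path").lower() not in findings["unknown_lsp"]:
            findings["unknown_lsp"].append(m.group("path").lower())   # HJT repeats one LSP per protocol
    by_target = defaultdict(list)
    for hive, name, target in run_entries(lines):
        by_target[target.lower()].append(name)
        if ROOT_EXE_RE.match(target):
            findings["root_autoruns"].append((name, target))
    findings["run_fanout"] = {t: names for t, names in by_target.items()
                              if len(names) >= FANOUT_THRESHOLD}
    findings["root_processes"] = [p for p in running_processes(lines) if ROOT_EXE_RE.match(p)]
    return findings


def severity(findings):
    """Number of distinct indicator classes that fired (0..5)."""
    return sum(1 for v in findings.values() if v)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("severity:", severity(result))
```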

#10 HockeyFighter

  • Topic Starter

Posted 15 November 2006 - 04:53 AM

Here is the HJT log that I ran before checking the items that you called out.

Logfile of HijackThis v1.99.1
Scan saved at 2:17:48 AM, on 12/16/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\Ati2evxx.exe
D:\WINNT\System32\svchost.exe
D:\PROGRA~1\Iomega\System32\AppServices.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\Explorer.EXE
D:\WINNT\system32\Atiptaxx.exe
D:\Program Files\Real\RealPlayer\RealPlay.exe
D:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
D:\Program Files\BroadJump\Client Foundation\CFD.exe
D:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
D:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
D:\Program Files\Yahoo!\Antivirus\CAVTray.exe
D:\Program Files\Yahoo!\Antivirus\CAVRID.exe
D:\PROGRA~1\YAHOO!\browser\ycommon.exe
D:\PROGRA~1\YAHOO!\YOP\yop.exe
D:\Program Files\QuickTime\qttask.exe
C:\361101032252966165.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
D:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\HighJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - D:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - D:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "D:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [BJCFD] D:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] D:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CaAvTray] "D:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "D:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] D:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [shell] "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [WinMedia] C:\361101032252966165.exe
O4 - HKCU\..\Run: [Winstl] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstb] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstd] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstr] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsty] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstn] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstw] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstu] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstt] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstj] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstf] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsta] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstc] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstv] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstq] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstg] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstp] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsti] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstm] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsth] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winste] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstz] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsts] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstk] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstx] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winsto] C:\361101032252978853.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SBC Self Support Tool.lnk = D:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Uninstall.exe
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINNT\System32\Shdocvw.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0729a5739d4af7...ip/RdxIE601.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINNT\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - D:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - D:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - D:\Program Files\Yahoo!\Antivirus\VetMsg.exe

Next, here is the Killbox log

Pocket Killbox version 2.0.0.881
Running on Windows 2000 as Don(Administrator)
was started @ Saturday, December 16, 2006, 2:26 AM

# 1 [Delete on Reboot]
Path = c:\sniffer.dll


# 2 [Delete on Reboot]
Path = c:\361101032252978853.exe


# 3 [Delete on Reboot]
Path = c:\361101032252966165.exe


I Rebooted @ 2:37:17 AM
Pocket Killbox version 2.0.0.881
Running on Windows 2000 as Don(Administrator)
was started @ Saturday, December 16, 2006, 2:44 AM

When I chose Paste from Clipboard, the item D:\Program Files\Common Files ... \ibm00001.exe did not show up in the dropdown box on Killbox. Is that a problem?

Then I tried running ComboFix. The executable's screen showed up, then I got a message saying that ComboFix generated errors and had to be closed by Windows.

What should I do next?

I also ran a second HJT log after I got the error from ComboFix, thinking that it might be useful data to you.

Logfile of HijackThis v1.99.1
Scan saved at 2:56:18 AM, on 12/16/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\Ati2evxx.exe
D:\Program Files\Yahoo!\Antivirus\ISafe.exe
D:\WINNT\System32\svchost.exe
D:\PROGRA~1\Iomega\System32\AppServices.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\stisvc.exe
D:\Program Files\Yahoo!\Antivirus\VetMsg.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\WINNT\system32\Atiptaxx.exe
D:\Program Files\Real\RealPlayer\RealPlay.exe
D:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
D:\Program Files\BroadJump\Client Foundation\CFD.exe
D:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
D:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
D:\Program Files\Yahoo!\Antivirus\CAVTray.exe
D:\PROGRA~1\YAHOO!\browser\ycommon.exe
D:\Program Files\Yahoo!\Antivirus\CAVRID.exe
D:\PROGRA~1\YAHOO!\YOP\yop.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
D:\WINNT\system32\wuauclt.exe
C:\HighJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - D:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - D:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "D:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [BJCFD] D:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] D:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CaAvTray] "D:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "D:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] D:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SBC Self Support Tool.lnk = D:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Uninstall.exe
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINNT\System32\Shdocvw.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINNT\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - D:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - D:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - D:\Program Files\Yahoo!\Antivirus\VetMsg.exe

What is the next step?

Thanks
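
Triage of the two logs above as an added example, not part of the thread and not HijackThis code: the first log shows the pattern a practitioner keys on, one binary (C:\361101032252978853.exe) registered under twenty-odd randomly named HKCU Run values and running as many copies, alongside a second numeric-named executable in the drive root. The Python below parses O4 Run entries and the "Running processes" list, groups Run values by the image they launch, flags those two patterns, and then checks the later log to confirm the flagged images are gone. BEFORE and AFTER are trimmed excerpts copied from the two logs in this reply; the thresholds and the still_present check are my own choices. Note that these rules do not catch ibm00001.exe (a single Run value, not in a drive root), which the helper flagged on other grounds, so this supplements a human read of the log rather than replacing it.

```python
"""Added example: a triage pass over the HijackThis logs above.  Not part of
the thread and not HijackThis code.  It parses O4 Run entries and the
"Running processes" list, groups Run values by the executable they launch,
flags one binary behind many Run values and numeric-named executables in a
drive root, then checks a later log to confirm the flagged binaries are gone.
BEFORE and AFTER are trimmed excerpts of the two posted logs.
"""
import re
from collections import defaultdict

BEFORE = r"""
Running processes:
C:\361101032252966165.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
C:\361101032252978853.exe
D:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [shell] "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [WinMedia] C:\361101032252966165.exe
O4 - HKCU\..\Run: [Winstl] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstb] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstd] C:\361101032252978853.exe
O4 - HKCU\..\Run: [Winstr] C:\361101032252978853.exe
"""

AFTER = r"""
Running processes:
D:\Program Files\QuickTime\qttask.exe
C:\HighJackThis\HijackThis.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] 1
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ROOT_NUMERIC_RE = re.compile(r"^[a-z]:\\\d+\.exe$")  # applied to lower-cased paths


def launched_image(cmd):
    """Return the image path from an O4 command line, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def parse_log(text):
    """Return (run_entries, processes); run_entries is [(hive, name, image)]."""
    runs, procs, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs:
            if line:
                procs.append(line)
            else:
                in_procs = False  # the blank line ends the process list
        else:
            m = RUN_RE.match(line)
            if m:
                runs.append((m["hive"], m["name"], launched_image(m["cmd"])))
    return runs, procs


def triage(text, min_cluster=3):
    """Map each suspicious image (lower-cased) to the reasons it was flagged."""
    runs, procs = parse_log(text)
    names_by_image = defaultdict(set)
    for _hive, name, image in runs:
        names_by_image[image.lower()].add(name)
    live = defaultdict(int)
    for p in procs:
        live[p.lower()] += 1
    findings = {}
    for image, names in names_by_image.items():
        reasons = []
        if len(names) >= min_cluster:
            reasons.append(f"{len(names)} Run values launch the same file")
        if ROOT_NUMERIC_RE.match(image):
            reasons.append("numeric-named executable in drive root")
        if reasons:
            if live[image]:
                reasons.append(f"{live[image]} running instance(s)")
            findings[image] = reasons
    return findings


def still_present(findings, later_text):
    """Flagged images that a later log still references as a Run entry or process."""
    runs, procs = parse_log(later_text)
    seen = {img.lower() for _, _, img in runs} | {p.lower() for p in procs}
    return sorted(img for img in findings if img in seen)


if __name__ == "__main__":
    found = triage(BEFORE)
    for image, reasons in found.items():
        print(image, "->", "; ".join(reasons))
    print("still present after fix:", still_present(found, AFTER) or "none")
```

Run against the full logs rather than the excerpts, the first one flags the same two images with 26 Run values for the larger cluster, and the second log returns no survivors, which is the result the HijackThis fix was meant to produce.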

#11 Buckeye_Sam (Malware Expert)

Posted 15 November 2006 - 06:32 PM

Try ComboFix in Safe Mode.
Reboot your computer in Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear.
  • Select the first option, to run Windows in Safe Mode.
  • If you have trouble getting into Safe Mode, go here for more info.
If you can get it to run, please post the resulting log.

#12 HockeyFighter (Topic Starter)

Posted 15 November 2006 - 06:53 PM

Buckeye Sam,

OK, I will try in Safe Mode.

Last night, when I chose Paste from Clipboard, the item D:\Program Files\Common Files ... \ibm00001.exe did not show up in the dropdown box on Killbox. Is that a problem?

Please advise

Thanks

#13 HockeyFighter (Topic Starter)

Posted 15 November 2006 - 08:13 PM

Buckeye,

I just tried running ComboFix in Safe Mode.
I got the same box that says "Program Error. Combofix.exe has generated errors and will be closed by Windows. You will need to restart the program".

Bottom line: I cannot get ComboFix to run.

What should I do next?

Why do I get that error?

#14 HockeyFighter (Topic Starter)

Posted 15 November 2006 - 08:25 PM

Buckeye ... please disregard my last post.

I got ComboFix running on the infected machine!

Here's the log file.

Don - Sat 12/16/2006 18:22:33.66 Service Pack 4
ComboFix 06.11.9 - Running from: "C:\Bleeping Computer"

((((((((((((((((((((((((((((((( Files Created from 2006-11-16 to 2006-12-16 ))))))))))))))))))))))))))))))))))


2006-12-11 02:40 7,483 --a------ D:\clean.bat
2006-12-11 02:40 38,400 --a------ D:\WINNT\system32\moveex.exe
2006-12-11 02:39 90,112 --a------ D:\WINNT\system32\RegDACL.exe
2006-12-11 02:39 4,096 --a------ D:\WINNT\system32\reboot.exe
2006-12-11 02:38 40,960 --a------ D:\WINNT\system32\swsc.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-09 02:38 -------- d-------- D:\Program Files\Lavasoft


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"AtiPTA"="Atiptaxx.exe"
"RealTray"="D:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"Drag'n'Drop_Autolaunch"="\"D:\\Program Files\\Iomega HotBurn Pro\\Autolaunch.exe\""
"BJCFD"="D:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"YBrowser"="D:\\PROGRA~1\\YAHOO!\\browser\\ybrwicon.exe"
"Motive SmartBridge"="D:\\PROGRA~1\\SBCSEL~1\\SMARTB~1\\MotiveSB.exe"
"CaAvTray"="\"D:\\Program Files\\Yahoo!\\Antivirus\\CAVTray.exe\""
"CAVRID"="\"D:\\Program Files\\Yahoo!\\Antivirus\\CAVRID.exe\""
"YOP"="D:\\PROGRA~1\\YAHOO!\\YOP\\yop.exe /autostart"
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c4,01,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="D:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061216-022548-578
O4 - HKCU\..\Run: [Winstj] C:\361101032252978853.exe
backup-20061216-022548-307
O4 - HKCU\..\Run: [Winstf] C:\361101032252978853.exe
backup-20061216-022548-247
O4 - HKCU\..\Run: [Winsto] C:\361101032252978853.exe
backup-20061216-022548-379
O4 - HKCU\..\Run: [Winstx] C:\361101032252978853.exe
backup-20061216-022548-333
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0729a5739d4af7...ip/RdxIE601.cab
backup-20061216-022548-716
O4 - HKCU\..\Run: [Winsts] C:\361101032252978853.exe
backup-20061216-022548-491
O4 - HKCU\..\Run: [Winstz] C:\361101032252978853.exe
backup-20061216-022548-777
O4 - HKCU\..\Run: [Winstk] C:\361101032252978853.exe
backup-20061216-022548-453
O4 - HKCU\..\Run: [Winsth] C:\361101032252978853.exe
backup-20061216-022548-638
O4 - HKCU\..\Run: [Winstm] C:\361101032252978853.exe
backup-20061216-022548-566
O4 - HKCU\..\Run: [Winste] C:\361101032252978853.exe
backup-20061216-022548-258
O4 - HKCU\..\Run: [Winstp] C:\361101032252978853.exe
backup-20061216-022547-582
O4 - HKCU\..\Run: [Winsty] C:\361101032252978853.exe
backup-20061216-022548-177
O4 - HKCU\..\Run: [Winstn] C:\361101032252978853.exe
backup-20061216-022548-419
O4 - HKCU\..\Run: [Winstw] C:\361101032252978853.exe
backup-20061216-022548-694
O4 - HKCU\..\Run: [Winstu] C:\361101032252978853.exe
backup-20061216-022548-337
O4 - HKCU\..\Run: [Winstt] C:\361101032252978853.exe
backup-20061216-022548-499
O4 - HKCU\..\Run: [Winstg] C:\361101032252978853.exe
backup-20061216-022548-200
O4 - HKCU\..\Run: [Winsti] C:\361101032252978853.exe
backup-20061216-022548-385
O4 - HKCU\..\Run: [Winsta] C:\361101032252978853.exe
backup-20061216-022548-883
O4 - HKCU\..\Run: [Winstc] C:\361101032252978853.exe
backup-20061216-022548-655
O4 - HKCU\..\Run: [Winstv] C:\361101032252978853.exe
backup-20061216-022548-183
O4 - HKCU\..\Run: [Winstq] C:\361101032252978853.exe
backup-20061216-022547-662
O4 - HKCU\..\Run: [Winstb] C:\361101032252978853.exe
backup-20061216-022547-154
O4 - HKCU\..\Run: [Winstr] C:\361101032252978853.exe
backup-20061216-022547-417
O4 - HKCU\..\Run: [Winstd] C:\361101032252978853.exe
backup-20061216-022547-395
O4 - HKCU\..\Run: [shell] "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
backup-20061216-022547-669
O4 - HKCU\..\Run: [Winstl] C:\361101032252978853.exe
backup-20061216-022547-594
O4 - HKCU\..\Run: [WinMedia] C:\361101032252966165.exe
backup-20061216-022547-835
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
backup-20061216-022547-128
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
backup-20061216-022547-649
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
backup-20061216-022547-572
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
backup-20061216-022547-440
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
backup-20061216-022547-489
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
Completion time: Sat 2006-12-16 18:23:04.59
D:\ComboFix.txt ... 06-12-16 18:23

#15 Buckeye_Sam (Malware Expert)

Posted 16 November 2006 - 05:10 PM

HockeyFighter wrote:

    Buckeye Sam,

    OK, I will try in Safe Mode.

    Last night, when I chose Paste from Clipboard, the item D:\Program Files\Common Files ... \ibm00001.exe did not show up in the dropdown box on Killbox. Is that a problem?

    Please advise

    Thanks

No, that's OK. It just indicates that the file is no longer present.



Please run the F-Secure Online Scanner.

Note: This scanner is for Internet Explorer only!
  • Follow the instructions on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX control installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.
How is your computer running now?