Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Popups, Trojan Downloaders, and cbxxyy.dll


  • Please log in to reply

#1
StormShadow

StormShadow

    New Member

  • Member
  • Pip
  • 7 posts
This problem started days ago. For some reason, when I go to google and look up something, I get redirected to another site like "btcar.com" or an ebay search or something else when I click on a search result for the 1st time. Then I noticed that when I go to sites, all of a sudden another IE window pops up and it shows sites like "buzznet.com", "vlaze.com", "jack9.com", and other mess. And to add on to that, I get some junk on my comp that has "htepo.com" in the Properties link and an unwanted toolbar on my Internet Explorer.

I read the tutorials previously and I've used Adaware, Superantispyware, Spybot Search And Destroy, Combofix, VundoFix, Smitfraudfix, RegCleaner, and CCleaner. All of them removed adware, malware, the unwanted toolbar, the trojan downloader, and certain dlls like urspp.dll from my machine, but when I tried to go back online, I got more of the same....the htepo.com links showing up, the windows, etc.

I found a new file called "cbxxyy.dll" and I recognized it as malware from a search, but I can't get rid of it and there's a winlogon key that points to this ddl as well as another on in my HJT log. I ran all the aforementioned programs again before I logged on here for good measure, but I have no idea what's going on and why this cbxxyy.dll file won't delete.

I'm at my wit's end here..... :)


Here is my HJT log as well as my ComboFix log, Smitfraudfix log, and Vundofix log.

Logfile of HijackThis v1.99.1
Scan saved at 5:24:21 PM, on 10/17/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\AOL\1182560263\ee\AOLSoftware.exe
C:\WINNT\system32\lxamsp32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\WINNT\explorer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} - C:\WINNT\system32\cbxyyaa.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1182560263\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.att.net
O15 - Trusted Zone: http://*.att.net
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1187426248224
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E7B6C1A-EB10-459E-AE69-01F1BA156BCB}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E7B6C1A-EB10-459E-AE69-01F1BA156BCB}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E7B6C1A-EB10-459E-AE69-01F1BA156BCB}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{1E7B6C1A-EB10-459E-AE69-01F1BA156BCB}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cbxyyaa - C:\WINNT\SYSTEM32\cbxyyaa.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINNT\System32\dmgpi.exe




---------------------------------------------------


ComboFix 07-10-16.1 - user 10/17/2007 13:05:05.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.51 [GMT -7:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-17 to 2007-10-17 )))))))))))))))))))))))))))))))
.

2007-10-17 13:05 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_258.dat
2007-10-16 17:34 106 --a------ C:\delete.bat
2007-10-16 17:19 <DIR> d-------- C:\Program Files\CCleaner
2007-10-16 11:48 51,200 --a------ C:\WINNT\NirCmd.exe
2007-10-15 17:53 <DIR> d-a------ C:\WINNT\system32\ActiveScan
2007-10-15 17:23 <DIR> d-------- C:\VundoFix Backups
2007-10-15 13:03 389,184 --a------ C:\WINNT\system32\vrifrcvs.exe
2007-10-14 14:58 <DIR> d-------- C:\Program Files\RegCleaner
2007-10-14 13:00 389,184 --a------ C:\WINNT\system32\bsctsyrn.exe
2007-10-13 13:26 35,840 --a------ C:\WINNT\tsitra77.exe
2007-10-13 13:25 34,304 --------- C:\WINNT\system32\cbxyyaa.dll
2007-09-24 22:46 <DIR> d-------- C:\Memorex Vault
2007-09-19 18:47 167,936 --a------ C:\WINNT\system32\minirec.exe
2007-09-19 18:44 23,600 --a------ C:\WINNT\system32\drivers\TVICHW32.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-17 18:35 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-10-16 20:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-02 05:32 --------- d-----w C:\Program Files\BroadJump
2007-10-01 04:05 --------- d-----w C:\Program Files\Yahoo!
2007-09-30 03:47 --------- d-----w C:\Documents and Settings\user\Application Data\U3
2007-08-25 00:01 --------- d-----w C:\Documents and Settings\user\Application Data\AdobeUM
2007-08-24 23:59 --------- d-----w C:\Program Files\Common Files\Adobe
2007-08-18 17:53 --------- d-----w C:\Program Files\SpywareBlaster
2007-08-18 14:16 --------- d-----w C:\Program Files\LexmarkX63
2007-08-18 09:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-08-18 09:10 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-08-18 09:10 --------- d-----w C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
2007-08-18 07:28 --------- d-----w C:\Program Files\Common Files\Webroot Shared
2007-08-18 07:26 --------- d-----w C:\Program Files\7-Zip
2006-10-09 22:56 271 ---h--w C:\Program Files\desktop.ini
2006-10-09 22:56 21,952 ---h--w C:\Program Files\folder.htt
2001-06-19 14:04 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE}]
10/13/07 01:25p 34304 --------- C:\WINNT\system32\cbxyyaa.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 12:05p C:\WINNT\system32\mobsync.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1182560263\ee\AOLSoftware.exe" [09/25/06 05:52p]
"LexStart"="" []
"PrinTray"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe" [10/21/01 11:54a]
"lxamsp32.exe"="lxamsp32.exe" [10/21/01 02:12p C:\WINNT\system32\LXAMSP32.EXE]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [09/10/02 09:26p]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [03/08/05 10:02a]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/07 04:46p]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AcBtnMgr_X63.exe.lnk - C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe [2001-06-06 15:03:10]
ACMonitor_X63.exe.lnk - C:\Program Files\LexmarkX63\ACMonitor_X63.exe [2001-06-06 15:02:28]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/06 01:55p 77824]
"{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE}"= C:\WINNT\system32\cbxyyaa.dll [10/13/07 01:25p 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="csakj.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/07 01:41p 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxyyaa]
cbxyyaa.dll 10/13/07 01:25p 34304 C:\WINNT\system32\cbxyyaa.dll

R3 ichaud;Service for AC'97 Driver (WDM);C:\WINNT\system32\drivers\ichaud.sys
S2 Windows Management Service;Windows Management Service;C:\WINNT\System32\dmgpi.exe -service
S3 V90drv;v90drv;C:\WINNT\system32\DRIVERS\v90drv.sys

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 13:06:16
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 10/17/2007 13:07:11
C:\ComboFix2.txt ... 10/17/07 11:11a
C:\ComboFix3.txt ... 10/16/07 09:15p
.
--- E O F ---

---------------------------------------------






SmitFraudFix v2.240

Scan done at 11:17:58.35, Wed 10/17/2007
Run from C:\Documents and Settings\user\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1E7B6C1A-EB10-459E-AE69-01F1BA156BCB}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{8D0CAAD6-3586-4423-86D9-55392B5090A5}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1E7B6C1A-EB10-459E-AE69-01F1BA156BCB}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1E7B6C1A-EB10-459E-AE69-01F1BA156BCB}: NameServer=85.255.115.6,85.255.112.20
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8D0CAAD6-3586-4423-86D9-55392B5090A5}: DhcpNameServer=85.255.115.6,85.255.112.20
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1E7B6C1A-EB10-459E-AE69-01F1BA156BCB}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8D0CAAD6-3586-4423-86D9-55392B5090A5}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{1E7B6C1A-EB10-459E-AE69-01F1BA156BCB}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{8D0CAAD6-3586-4423-86D9-55392B5090A5}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="csakj.exe"


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End






VundoFix V6.5.10

Checking Java version...

Sun Java not detected
Scan started at 5:23:14 PM 10/15/2007

Listing files found while scanning....

C:\WINNT\system32\eihykjby.ini
C:\WINNT\system32\ybjkyhie.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\eihykjby.ini
C:\WINNT\system32\eihykjby.ini Has been deleted!

Attempting to delete C:\WINNT\system32\ybjkyhie.dll
C:\WINNT\system32\ybjkyhie.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.10

Checking Java version...

Sun Java not detected
Scan started at 5:31:52 PM 10/15/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.10

Checking Java version...

Sun Java not detected
Scan started at 7:32:51 PM 10/15/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.10

Checking Java version...

Sun Java not detected
Scan started at 10:11:57 AM 10/16/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.10

Checking Java version...

Sun Java not detected
Scan started at 10:35:48 AM 10/16/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.10

Checking Java version...

Sun Java not detected
Scan started at 10:58:24 AM 10/16/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.10

Checking Java version...

Sun Java not detected
Scan started at 11:04:13 AM 10/16/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.10

Checking Java version...

Sun Java not detected
Scan started at 11:05:57 AM 10/16/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.10

Checking Java version...

Sun Java not detected
Scan started at 11:11:17 AM 10/16/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.10

Checking Java version...

Sun Java not detected
Scan started at 1:03:14 PM 10/17/2007

Listing files found while scanning....

No infected files were found.

Edited by StormShadow, 17 October 2007 - 05:01 PM.

  • 0

Advertisements


#2
StormShadow

StormShadow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
While I've been wating for help, I did another Panda Activescan and it found some viruses, but didn't get rid of the spyware and toolkits. I used VBG and it changed the cbxyy.dll file and I was able to delete it. I ran Spybot S&D, Adaware, and Superantispyware again and it got some bugs and declared my system clen. I ran Activescan again, but it found spyware and toolkits again.

Here is my updated HJT and other logs.

Logfile of HijackThis v1.99.1
Scan saved at 12:26:17 PM, on 10/18/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\AOL\1182560263\ee\AOLSoftware.exe
C:\WINNT\system32\lxamsp32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1182560263\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "user"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.att.net
O15 - Trusted Zone: http://*.att.net
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1187426248224
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E7B6C1A-EB10-459E-AE69-01F1BA156BCB}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E7B6C1A-EB10-459E-AE69-01F1BA156BCB}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E7B6C1A-EB10-459E-AE69-01F1BA156BCB}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{1E7B6C1A-EB10-459E-AE69-01F1BA156BCB}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe



___________________________________________________________________

Activescan #1:



Incident Status Location

Spyware:Spyware/Vundo Not disinfected C:\WINNT\system32\cbxyyaa.dll
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\user\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\user\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\user\Desktop\SmitfraudFix\Process.exe
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\user\Desktop\SmitfraudFix\Reboot.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\user\Desktop\SmitfraudFix\restart.exe
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\user\Desktop\SmitfraudFix.exe
Adware:Adware/SecurityToolbar Not disinfected C:\qoobox\Quarantine\C\Program Files\Hammer.dll.vir
Virus:Trj/Downloader.MDW Disinfected C:\qoobox\Quarantine\C\WINNT\b122.exe.vir
Adware:Adware/SecurityToolbar Not disinfected C:\VundoFix Backups\xtaoqkvv.dll.bad
Virus:W32/Patchlog.J Disinfected C:\WINNT\$NtServicePackUninstall$\tcpip.sys
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINNT\NirCmd.exe
Virus:Trj/Downloader.PYH Disinfected C:\WINNT\rfxse.exe
Adware:Adware/SecurityToolbar Not disinfected C:\WINNT\system32\bsctsyrn.exe
Adware:Adware/SecurityToolbar Not disinfected C:\WINNT\system32\vrifrcvs.exe
Virus:Trj/Downloader.MDW Disinfected C:\WINNT\tsitra77.exe


______________________________________________________________________

Activescan #2


Incident Status Location

Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\user\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\user\Desktop\Gear\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\user\Desktop\Gear\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\user\Desktop\Gear\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\user\Desktop\Gear\SmitfraudFix\restart.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\user\Desktop\Gear\VirtumundoBeGone.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINNT\NirCmd.exe
Adware:Adware/SecurityToolbar Not disinfected C:\WINNT\system32\bsctsyrn.exe
Adware:Adware/SecurityToolbar Not disinfected C:\WINNT\system32\vrifrcvs.exe

________________________________________________

ComboFix:

ComboFix 07-10-16.1 - user 10/18/2007 0:21:47.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.54 [GMT -7:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-18 to 2007-10-18 )))))))))))))))))))))))))))))))
.

2007-10-18 00:21 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_268.dat
2007-10-17 21:22 6,465 ---hs---- C:\WINNT\system32\rrqss.bak1
2007-10-16 17:34 106 --a------ C:\delete.bat
2007-10-16 17:19 <DIR> d-------- C:\Program Files\CCleaner
2007-10-16 11:48 51,200 --a------ C:\WINNT\NirCmd.exe
2007-10-15 17:53 <DIR> d-a------ C:\WINNT\system32\ActiveScan
2007-10-15 17:23 <DIR> d-------- C:\VundoFix Backups
2007-10-15 13:03 389,184 --a------ C:\WINNT\system32\vrifrcvs.exe
2007-10-14 14:58 <DIR> d-------- C:\Program Files\RegCleaner
2007-10-14 13:00 389,184 --a------ C:\WINNT\system32\bsctsyrn.exe
2007-10-13 13:25 34,304 --------- C:\WINNT\system32\cbxyyaa.dll
2007-09-24 22:46 <DIR> d-------- C:\Memorex Vault
2007-09-19 18:47 167,936 --a------ C:\WINNT\system32\minirec.exe
2007-09-19 18:44 23,600 --a------ C:\WINNT\system32\drivers\TVICHW32.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-18 06:13 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-10-18 04:57 --------- d-----w C:\Program Files\LexmarkX63
2007-10-18 04:56 --------- d-----w C:\Program Files\Common Files\Webroot Shared
2007-10-18 04:55 --------- d-----w C:\Program Files\7-Zip
2007-10-16 20:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-02 05:32 --------- d-----w C:\Program Files\BroadJump
2007-10-01 04:05 --------- d-----w C:\Program Files\Yahoo!
2007-09-30 03:47 --------- d-----w C:\Documents and Settings\user\Application Data\U3
2007-08-25 00:01 --------- d-----w C:\Documents and Settings\user\Application Data\AdobeUM
2007-08-24 23:59 --------- d-----w C:\Program Files\Common Files\Adobe
2007-08-18 17:53 --------- d-----w C:\Program Files\SpywareBlaster
2007-08-18 09:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-08-18 09:10 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-08-18 09:10 --------- d-----w C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
2006-10-09 22:56 271 ---h--w C:\Program Files\desktop.ini
2006-10-09 22:56 21,952 ---h--w C:\Program Files\folder.htt
2001-06-19 14:04 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((( [email protected] 10-17-2007_13.06.23.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-08-16 17:00:39 320,000 -c----w C:\WINNT\$NtServicePackUninstall$\tcpip.sys
+ 2007-10-18 04:22:38 305,248 -c--a-w C:\WINNT\$NtServicePackUninstall$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{836C8DCE-50EA-4E63-814B-254CD5917B23}]
C:\WINNT\system32\ssqrr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE}]
10/13/07 01:25p 34304 --------- C:\WINNT\system32\cbxyyaa.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 12:05p C:\WINNT\system32\mobsync.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1182560263\ee\AOLSoftware.exe" [09/25/06 05:52p]
"LexStart"="" []
"PrinTray"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe" [10/21/01 11:54a]
"lxamsp32.exe"="lxamsp32.exe" [10/21/01 02:12p C:\WINNT\system32\LXAMSP32.EXE]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [09/10/02 09:26p]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [03/08/05 10:02a]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/07 04:46p]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AcBtnMgr_X63.exe.lnk - C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe [2001-06-06 15:03:10]
ACMonitor_X63.exe.lnk - C:\Program Files\LexmarkX63\ACMonitor_X63.exe [2001-06-06 15:02:28]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/06 01:55p 77824]
"{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE}"= C:\WINNT\system32\cbxyyaa.dll [10/13/07 01:25p 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="csakj.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/07 01:41p 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxyyaa]
cbxyyaa.dll 10/13/07 01:25p 34304 C:\WINNT\system32\cbxyyaa.dll

R3 ichaud;Service for AC'97 Driver (WDM);C:\WINNT\system32\drivers\ichaud.sys
S3 V90drv;v90drv;C:\WINNT\system32\DRIVERS\v90drv.sys

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-18 00:22:55
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 10/18/2007 0:23:52
C:\ComboFix2.txt ... 10/17/07 01:07p
C:\ComboFix3.txt ... 10/17/07 11:11a
.
--- E O F ---
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP