Please help with malware!


#1 barbk44 (New Member)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:47:52 PM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Atievxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\sstqp.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NodLogin] C:\Program Files\ESET\ESET NOD32 Antivirus\nodlogin.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Salestart(4)] "C:\Program Files\Common Files\StorageProtector\strpmon .exe" dm=http://storageprotector.com ad=http://storageprotector.com sd=http://inspaid.storageprotector.com
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\_avgas .exe" /minimized
O4 - HKLM\..\Run: [Salestart(6)] "C:\Program Files\Common Files\StorageProtector\strpmon .exe" dm=http://storageprotector.com ad=http://storageprotector.com sd=http://inspaid.storageprotector.com
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows

--
End of file - 4330 bytes

#2 kahdah (GeekU Teacher, Retired Staff)
Hello barbk44

Welcome to G2Go. :)
=====================
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3 barbk44 (Topic Starter)
Ok, done.

#4 kahdah (GeekU Teacher, Retired Staff)
Did you run it?
I need to see the log.

#5 barbk44 (Topic Starter)
ComboFix 08-02-18.1 - user 2008-02-13 20:42:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.82 [GMT -6:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\sstqp.dll
C:\Documents and Settings\All Users.WINDOWS\Application Data\storageprotector
C:\Documents and Settings\All Users.WINDOWS\Application Data\storageprotector\Data\ac
C:\Documents and Settings\All Users.WINDOWS\Application Data\storageprotector\Data\em
C:\Documents and Settings\All Users.WINDOWS\Application Data\storageprotector\Data\oid
C:\Documents and Settings\All Users.WINDOWS\Application Data\storageprotector\Data\user
C:\Documents and Settings\user\Application Data\storageprotector
C:\Documents and Settings\user\Application Data\storageprotector\Logs\update.log
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE
C:\Program Files\Common Files\StorageProtector
C:\Program Files\Common Files\StorageProtector\strpmon .exe
C:\Program Files\Common Files\StorageProtector\strpmon .exe
C:\Program Files\Common Files\StorageProtector\strpmon .exe
C:\Program Files\Common Files\StorageProtector\strpmon .exe
C:\Program Files\Common Files\StorageProtector\strpmon.exe
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cahslbcj.dll
C:\WINDOWS\system32\cdvhkdvu.dll
C:\WINDOWS\system32\dcybpzeu.dll
C:\WINDOWS\system32\dcybpzeu.dll . . . . failed to delete
C:\WINDOWS\system32\dcybpzeu.dllbox
C:\WINDOWS\system32\deckdwho.dll
C:\WINDOWS\system32\erhfsdkp.ini
C:\WINDOWS\system32\iysfnmrj.dll
C:\WINDOWS\system32\jwrqblnc.dll
C:\WINDOWS\system32\kfcthtsw.ini
C:\WINDOWS\system32\kmhgvbhg.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mhtkuvjt.dll
C:\WINDOWS\system32\oivnguui.dll
C:\WINDOWS\system32\pkdsfhre.dll
C:\WINDOWS\system32\pqtss.ini
C:\WINDOWS\system32\pqtss.ini2
C:\WINDOWS\system32\qnbiyfvq.dll
C:\WINDOWS\system32\ssqonno.dll
C:\WINDOWS\system32\sstqp.dll
C:\WINDOWS\system32\sstqp.exe
C:\WINDOWS\system32\uvdkhvdc.ini
C:\WINDOWS\system32\vdjfnuvo.ini
C:\WINDOWS\system32\vturpqq.dll
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\wjxlcmri.ini
C:\WINDOWS\system32\wvuurol.dll

<pre>
C:\Program Files\Yahoo!\Messenger\YAHOOM~1						.EXE ---> C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
</pre>
.
.
((((((((((((((((((((((((( Files Created from 2008-01-19 to 2008-02-19 )))))))))))))))))))))))))))))))
.

2008-02-18 20:57 . 2008-02-18 20:58 134 ---hs---- C:\WINDOWS\system32\dcybpzeu.dllbox
2008-02-13 19:43 . 2008-02-13 19:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 16:45 . 2008-02-13 16:45 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-02-08 23:18 . 2008-02-13 19:02 <DIR> d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-02-08 22:14 . 2008-02-13 19:37 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-04 16:11 . 2008-02-04 16:11 <DIR> dr------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SalesMon
2008-02-04 16:10 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-02-04 16:07 . 2008-02-04 16:07 259,336 --a------ C:\Documents and Settings\user\Application Data\setup_en[1].exe
2008-02-04 15:07 . 2008-02-04 15:09 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-02-04 14:01 . 2008-02-13 19:41 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-02-04 11:47 . 2008-02-04 11:47 338,432 --a------ C:\WINDOWS\system32\RCX1DD.tmp
2008-01-28 19:25 . 2008-02-18 20:53 163,904 --a------ C:\WINDOWS\system32\dcybpzeu.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-14 01:38 --------- d-----w C:\Program Files\PartyGaming
2008-01-19 01:04 --------- d-----w C:\Documents and Settings\user\Application Data\Yahoo!
2008-01-16 04:47 32,764 ----a-w C:\WINDOWS\17PHolmes572.exe
2008-01-13 01:25 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\yahoo!
2008-01-07 07:07 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2008-01-04 20:05 --------- d-----w C:\Program Files\Yahoo!
2008-01-04 20:03 --------- d-----w C:\Program Files\SBC Self Support Tool
2008-01-04 20:02 --------- d-----w C:\Program Files\Common Files\Motive
2008-01-04 20:02 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Motive
2008-01-04 18:34 --------- d-----w C:\Program Files\BroadJump
2008-01-04 18:30 155,995 ----a-w C:\WINDOWS\java\Packages\PRZDNLVJ.ZIP
2007-12-24 04:05 --------- d-----w C:\Documents and Settings\user\Application Data\MSNInstaller
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
.
<pre>
----a-w			39,792 2008-02-14 01:07:27  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		   368,706 2008-02-14 01:07:27  C:\Program Files\BroadJump\Client Foundation\CFD .exe
----a-w		   847,872 2008-02-14 01:07:47  C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3 .exe
----a-w		 1,410,304 2008-02-04 17:57:16  C:\Program Files\ESET\ESET NOD32 Antivirus\egui .exe
----a-w		   442,455 2008-02-14 01:07:27  C:\Program Files\SBC Self Support Tool\SmartBridge\MotiveSB .exe
----a-w		   129,536 2008-02-14 01:07:22  C:\Program Files\Yahoo!\browser\ybrwicon .exe
----a-w		 4,670,704 2008-01-29 01:35:48  C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a5929854-e4b3-4170-8ea8-5262ae39d659}]
C:\WINDOWS\system32\iysfnmrj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2008-02-18 20:53 163904 --a------ C:\WINDOWS\system32\dcybpzeu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DAD1EBBE-8B72-4502-91FA-21E04062728A}]
C:\WINDOWS\system32\sstqp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NodLogin"="C:\Program Files\ESET\ESET NOD32 Antivirus\nodlogin.exe" [ ]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [ ]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [ ]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [ ]
"Salestart(4)"="C:\Program Files\Common Files\StorageProtector\strpmon .exe" [ ]
"Salestart(6)"="C:\Program Files\Common Files\StorageProtector\strpmon .exe" [ ]
"Salestart(7)"="C:\Program Files\Common Files\StorageProtector\strpmon .exe" [ ]
"Salestart(8)"="C:\Program Files\Common Files\StorageProtector\strpmon .exe" [ ]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2008-01-04 14:01:28 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dcybpzeu]
dcybpzeu.dll 2008-02-18 20:53 163904 C:\WINDOWS\system32\dcybpzeu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxurs]
xxyxurs.dll

R3 atimtai;atimtai;C:\WINDOWS\system32\DRIVERS\atimtai.sys [2001-08-17 06:48]
R3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\EL556ND5.sys [2001-08-17 06:10]
R3 maestro;ESS Maestro 3 Audio Driver (WDM);C:\WINDOWS\system32\drivers\es198x.sys [2001-08-17 06:19]
R3 WDHAALBA;WDHAALBAMiniPCI Winmodem;C:\WINDOWS\system32\DRIVERS\WDHAALBA.sys [2001-08-17 07:28]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 20:57:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\dcybpzeu.dll

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\system32\dcybpzeu.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Atievxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
.
**************************************************************************
.
Completion time: 2008-02-18 21:01:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-19 03:01:18
.
2008-02-10 08:00:26 --- E O F ---

#6 kahdah (GeekU Teacher, Retired Staff)
1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\dcybpzeu.dllbox
C:\Documents and Settings\user\Application Data\setup_en[1].exe
C:\WINDOWS\system32\RCX1DD.tmp
C:\WINDOWS\system32\dcybpzeu.dll
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\system32\iysfnmrj.dll
C:\WINDOWS\system32\sstqp.dll
Folder::
C:\Documents and Settings\All Users.WINDOWS\Application Data\SalesMon
C:\Program Files\Common Files\StorageProtector
RenV::
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\BroadJump\Client Foundation\CFD .exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3 .exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui .exe
C:\Program Files\SBC Self Support Tool\SmartBridge\MotiveSB .exe
C:\Program Files\Yahoo!\browser\ybrwicon .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a5929854-e4b3-4170-8ea8-5262ae39d659}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DAD1EBBE-8B72-4502-91FA-21E04062728A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Salestart(4)"=-
"Salestart(6)"=-
"Salestart(7)"=-
"Salestart(8)"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dcybpzeu]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxurs]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

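The indicators kahdah acted on in the log above (a space before the .exe extension in the Run entries, the win.ini load= line, the ownerless service with an extensionless image path, the redirected IE search settings) can be pulled out of a HijackThis log automatically. The Python script below is an added example, not part of this thread and not code from HijackThis or ComboFix; its sample log lines are constructed from the log in post #1, the expected-host allowlist is an assumption, and the RenV:: builder only reproduces the section format used in post #6.

```python
"""Triage a HijackThis-style log for the indicators acted on in this thread."""
import re
from urllib.parse import urlparse

# Constructed sample: a few lines modelled on the HijackThis log in post #1.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: load=C:\WINDOWS\system32\sstqp.exe
O4 - HKLM\..\Run: [NodLogin] C:\Program Files\ESET\ESET NOD32 Antivirus\nodlogin.exe
O4 - HKLM\..\Run: [Salestart(4)] "C:\Program Files\Common Files\StorageProtector\strpmon .exe" dm=http://storageprotector.com
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE" -quiet
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
"""

# Assumed allowlist: hosts the IE search defaults are expected to point at.
EXPECTED_SEARCH_HOSTS = {"www.yahoo.com", "www.google.com", "www.msn.com", "search.msn.com"}

PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*')                 # first Windows path on a line
SPACED_EXT_RE = re.compile(r'\s+\.(exe|dll|com|scr)$', re.I)  # "strpmon .exe" style names
URL_RE = re.compile(r'https?://\S+')


def first_path(line):
    """Return the first drive-letter path on the line, or None."""
    m = PATH_RE.search(line)
    return m.group(0).rstrip() if m else None


def triage(log_text):
    """Return (reason, evidence) pairs for log lines that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]      # R1, F3, O4, O23, ...
        path = first_path(line)

        # Whitespace before the extension: a lookalike of the real program name
        # (these are the files the RenV:: section of the CFScript is built from).
        if path and SPACED_EXT_RE.search(path):
            findings.append(("whitespace before extension", path))

        # win.ini load= is a legacy autostart that nothing modern should need.
        if section == "F3" and "load=" in line and path:
            findings.append(("win.ini load= autostart", path))

        # A service with no publisher whose image path has no file extension.
        if section == "O23" and "Unknown owner" in line and path:
            if "." not in path.rsplit("\\", 1)[-1]:
                findings.append(("ownerless service, extensionless image path", path))

        # IE search defaults redirected to a host outside the allowlist.
        if section == "R1" and "Search" in line:
            m = URL_RE.search(line)
            host = urlparse(m.group(0)).hostname if m else None
            if host and host not in EXPECTED_SEARCH_HOSTS:
                findings.append(("search setting redirected", host))
    return findings


def renv_section(findings):
    """Lay out the spoofed-name hits as a RenV:: block in the CFScript format of post #6."""
    misnamed = [path for reason, path in findings if reason == "whitespace before extension"]
    return "\n".join(["RenV::"] + misnamed)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for reason, evidence in hits:
        print(f"{reason:45} {evidence}")
    print(renv_section(hits))
```

The HijackThis paths are 8.3 short names, so a real CFScript would use the full paths ComboFix reports, as post #6 does.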

#7 barbk44 (Topic Starter)
ComboFix 08-02-18.1 - user 2008-02-18 22:37:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.101 [GMT -6:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\user\Application Data\setup_en[1].exe
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\system32\dcybpzeu.dll
C:\WINDOWS\system32\dcybpzeu.dllbox
C:\WINDOWS\system32\iysfnmrj.dll
C:\WINDOWS\system32\RCX1DD.tmp
C:\WINDOWS\system32\sstqp.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dcybpzeu.dll
C:\Documents and Settings\All Users.WINDOWS\Application Data\SalesMon
C:\Documents and Settings\user\Application Data\setup_en[1].exe
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\system32\dcybpzeu.dll
C:\WINDOWS\system32\dcybpzeu.dllbox
C:\WINDOWS\system32\RCX1DD.tmp

.
((((((((((((((((((((((((( Files Created from 2008-01-19 to 2008-02-19 )))))))))))))))))))))))))))))))
.

2008-02-18 21:16 . 2008-02-18 21:16 <DIR> d-------- C:\Documents and Settings\user\Application Data\Grisoft
2008-02-18 21:11 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-13 19:43 . 2008-02-13 19:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 16:45 . 2008-02-13 16:45 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-02-08 23:18 . 2008-02-13 19:02 <DIR> d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-02-08 22:14 . 2008-02-13 19:37 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-04 16:10 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-02-04 15:07 . 2008-02-04 15:09 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-02-04 14:01 . 2008-02-13 19:41 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-14 01:38 --------- d-----w C:\Program Files\PartyGaming
2008-01-19 01:04 --------- d-----w C:\Documents and Settings\user\Application Data\Yahoo!
2008-01-13 01:25 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\yahoo!
2008-01-07 07:07 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2008-01-04 20:05 --------- d-----w C:\Program Files\Yahoo!
2008-01-04 20:03 --------- d-----w C:\Program Files\SBC Self Support Tool
2008-01-04 20:02 --------- d-----w C:\Program Files\Common Files\Motive
2008-01-04 20:02 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Motive
2008-01-04 18:34 --------- d-----w C:\Program Files\BroadJump
2008-01-04 18:30 155,995 ----a-w C:\WINDOWS\java\Packages\PRZDNLVJ.ZIP
2007-12-24 04:05 --------- d-----w C:\Documents and Settings\user\Application Data\MSNInstaller
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NodLogin"="C:\Program Files\ESET\ESET NOD32 Antivirus\nodlogin.exe" [ ]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2008-02-13 19:07 368706]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2008-02-13 19:07 129536]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2008-02-13 19:07 442455]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\_avgas.exe" [2008-02-18 21:20 6731312]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2008-01-04 14:01:28 217088]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

R3 atimtai;atimtai;C:\WINDOWS\system32\DRIVERS\atimtai.sys [2001-08-17 06:48]
R3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\EL556ND5.sys [2001-08-17 06:10]
R3 maestro;ESS Maestro 3 Audio Driver (WDM);C:\WINDOWS\system32\drivers\es198x.sys [2001-08-17 06:19]
R3 WDHAALBA;WDHAALBAMiniPCI Winmodem;C:\WINDOWS\system32\DRIVERS\WDHAALBA.sys [2001-08-17 07:28]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 22:44:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Atievxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
.
**************************************************************************
.
Completion time: 2008-02-18 22:52:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-19 04:51:23
ComboFix2.txt 2008-02-19 03:01:33
.
2008-02-10 08:00:26 --- E O F ---

#8 kahdah (GeekU Teacher, Retired Staff)
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with Internet Explorer only.)
Click on "Accept".

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
