Win32.Trojan.Yspy


#316 kelkay (Member, Topic Starter, 423 posts)
I decided to run this to see if it would help. It may be a false positive of the Cleanup program I did earlier at your request. I thought I would show it to you anyway. If it is a false positive, please let me know so I can inform the Malwarebytes people.

Malwarebytes' Anti-Malware 1.23
Database version: 989
Windows 5.1.2600 Service Pack 3

8:47:28 PM 7/24/2008
mbam-log-7-24-2008 (20-47-22).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 179694
Time elapsed: 44 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\cleanup.bat (Trojan.Agent) -> No action taken.
C:\install.bat (Trojan.Agent) -> No action taken.

#317 JSntgRvr (Global Moderator, 10,938 posts)

How do I disable Spyware Blaster?

It doesn't have an uninstaller in the Add\Remove Programs?

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
    File::
    C:\avexport.bat
    C:\cleanup.exe
    C:\cleanup.bat
    C:\WINDOWS\system32\20.tmp
    C:\WINDOWS\TEMP\mc21.tmp
    C:\DOCUME~1\Kelly\LOCALS~1\Temp\OYKNVASYNG.exe
    C:\Program Files\wt3d.ini
    C:\install.bat
    Driver::
    MEMSWEEP2
    OYKNVASYNG
    mchInjDrv
    Registry::
    [-HKEY_LOCAL_MACHINE\system\ControlSet002\Services\mchInjDrv]
    [-HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MEMSWEEP2]

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log..

How is the computer doing?
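An added illustration, not part of this thread and not ComboFix's own code: a small Python parser for the CFScript layout the moderator describes (a section header such as File::, Driver:: or Registry:: on its own line, one entry per line), plus a consistency check a helper could run before handing the script to a user. It assumes the Registry:: lines use the .reg-file "[-key]" deletion syntax, and it flags any Driver:: entry that has no matching Services key deletion so the reviewer can decide whether that is intended.

```python
import re
from collections import defaultdict
# Constructed sample: the CFScript from post #317, one entry per line.
SAMPLE_SCRIPT = r"""File::
C:\avexport.bat
C:\cleanup.exe
C:\cleanup.bat
C:\WINDOWS\system32\20.tmp
C:\WINDOWS\TEMP\mc21.tmp
C:\DOCUME~1\Kelly\LOCALS~1\Temp\OYKNVASYNG.exe
C:\Program Files\wt3d.ini
C:\install.bat
Driver::
MEMSWEEP2
OYKNVASYNG
mchInjDrv
Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet002\Services\mchInjDrv]
[-HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MEMSWEEP2]
"""
SECTION_RE = re.compile(r"^(\w+)::$")                # e.g. "File::"
REG_DELETE_RE = re.compile(r"^\[-(HKEY_[^\]]+)\]$")  # assumed .reg-style "[-key]" deletion

def parse_cfscript(text):
    """Return {section: [entries]} in file order; blank lines are ignored."""
    sections, current = defaultdict(list), None
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
        elif current is None:
            raise ValueError("entry before any section header: %r" % line)
        else:
            sections[current].append(line)
    return dict(sections)

def check_script(sections):
    """Consistency findings a helper would review before the user runs it."""
    findings = []
    removed_services = set()  # names whose Services\<name> key the script deletes
    for entry in sections.get("Registry", []):
        key = REG_DELETE_RE.match(entry)
        if not key:
            findings.append("Registry entry is not a [-key] deletion: " + entry)
        elif "\\Services\\" in key.group(1):
            removed_services.add(key.group(1).rsplit("\\", 1)[1].lower())
    for drv in sections.get("Driver", []):
        if drv.lower() not in removed_services:
            findings.append("Driver %s has no matching Services key deletion" % drv)
    return findings
```

Run against the sample, the check reports only OYKNVASYNG, the one Driver:: entry that the Registry:: section does not also remove a Services key for.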

#318 kelkay (Member, Topic Starter, 423 posts)
The computer seems to be doing better, faster. I found out how to disable Spyware Blaster. I will do the next steps now.

#319 kelkay (Member, Topic Starter, 423 posts)
PM Sent about this last step you mentioned.

#320 JSntgRvr (Global Moderator, 10,938 posts)
Go!

#321 JSntgRvr (Global Moderator, 10,938 posts)
This weekend will be hard for me to be here. Hopefully at least once a day only. Make sure you have one antivirus (not two) active. Same thing applies to a firewall. I'll be reading your post tomorrow in the evening.

#322 kelkay (Member, Topic Starter, 423 posts)
I understand, and I really want to thank you very much. I hope you have time to see this to know whether or not I messed this up. I still had stuff active, as I didn't realize this was going to run the program when I dragged and dropped that file. I got things shut off, but then it restarted, and the firewall came on...not sure if the program did right or not. :)

ComboFix 08-07-24.1 - Kelly 2008-07-24 21:13:16.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.604 [GMT -5:00]
Running from: C:\Documents and Settings\Kelly\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kelly\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\avexport.bat
C:\cleanup.bat
C:\cleanup.exe
C:\DOCUME~1\Kelly\LOCALS~1\Temp\OYKNVASYNG.exe
C:\Program Files\wt3d.ini
C:\WINDOWS\system32\20.tmp
C:\WINDOWS\TEMP\mc21.tmp
.

#323 kelkay (Member, Topic Starter, 423 posts)
softwareupdate.exe wants to control C:\WINDOWS\system32\DllHost.exe (Process ID =3984) I hit deny since I don't know what this is. This is from my Online Armor firewall. It won't stop even though I hit block, it just keeps asking me. So I am going to hit block, remember my decision, until I hear from you about this. I am afraid it is not a trusted program. Now under that notification Apple Software Update is asking for permission, maybe it belongs to that. I granted that one permission.

#324 JSntgRvr (Global Moderator, 10,938 posts)

softwareupdate.exe wants to control C:\WINDOWS\system32\DllHost.exe (Process ID =3984) I hit deny since I don't know what this is. This is from my Online Armor firewall. It won't stop even though I hit block, it just keeps asking me. So I am going to hit block, remember my decision, until I hear from you about this. I am afraid it is not a trusted program. Now under that notification Apple Software Update is asking for permission, maybe it belongs to that. I granted that one permission.

That's part of QuickTime. No problems in allowing it.

Go OFF-line. Disconnect the Network cable if needed, then disable all your security. Attempt CFScript once again, once done, re-activate your security, go online and post the resulting report.

#325 kelkay (Member, Topic Starter, 423 posts)
Is there a way to stop Online Armor from going active after I pause it, if ComboFix wants to restart like it did last time?

#326 kelkay (Member, Topic Starter, 423 posts)
If I exit the program, it still comes back and on with full enabling.

#327 JSntgRvr (Global Moderator, 10,938 posts)
http://www.tallemu.c...essSettings.htm

Turn off major Online Armor features: Mail Shield, Web Shield and Program Guard and Firewall.

#328 kelkay (Member, Topic Starter, 423 posts)
I think I had better delete the ComboFix.exe and the other file, and do it all over again, because I think my firewall blocked it partially last night. Then to top it off Kaspersky saw it as an invader today.

#329 kelkay (Member, Topic Starter, 423 posts)
Oh okay, that sounds good. Thanks.

#330 kelkay (Member, Topic Starter, 423 posts)
Can I drag ComboFix to the recycle bin? I could not find it on add/remove programs. When I try to delete it it says it is a program. I was afraid I was messing it up if I did.