Possible infection.. HJT log
mesa101
Member
21. July 2008 @ 14:35
Kaspersky Security Suite keeps finding this: "will be quarantined when the computer is restarted: new threat Hidden.Object (modification) File: C:\WINDOWS:CABFCAE96AE78894".
Here is the HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:34:53 PM, on 7/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\IObit\Advanced WindowsCare 3 Beta\AWC.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Advanced WindowsCare 3] "C:\Program Files\IObit\Advanced WindowsCare 3 Beta\AWC.exe" /startup
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B8292E5-964F-4187-8A65-68045FF6DB07}: NameServer = 216.45.34.2 216.45.33.130
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
--
End of file - 2805 bytes
AfterDawn Addict
21. July 2008 @ 20:52
Hi mesa101,
From this log, I see nothing that would cause problems except maybe one line that I am unsure of.
This may be a deep-rooted Trojan that's replacing that file each time Kaspersky deletes it.
Let's look deeper than HJT and see if we can catch it...
Be sure to disable your Kaspersky before running the following program...
Download ComboFix from Here to your Desktop.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
- Double click combofix.exe and follow the prompts.
- When finished, it shall produce a log for you. Post the ComboFix log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections, and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist.
Post the ComboFix log and a fresh HijackThis log in your next reply.
Regards

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
mesa101
Member
21. July 2008 @ 21:20
I clicked on the ComboFix link and Kaspersky said it was a virus, catchme.exe. Another link?
mesa101
Member
21. July 2008 @ 21:30
ComboFix 08-07-20.A0 - Owner 2008-07-21 15:24:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1099 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Owner\Application Data\inst.exe
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
.
2008-07-20 14:49 . 2008-07-20 14:49 <DIR> d-------- C:\Program Files\IObit
2008-07-20 14:49 . 2008-07-20 14:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\IObit
2008-07-20 14:49 . 2008-04-17 16:19 90,668 --a------ C:\WINDOWS\system32\vobis32.dll
2008-07-19 18:11 . 2008-07-19 18:11 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Samsung
2008-07-18 22:46 . 2008-07-18 23:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-18 22:45 . 2008-07-18 22:45 <DIR> d-------- C:\Program Files\Safer Networking
2008-07-18 22:06 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-18 22:04 . 2008-07-18 22:04 <DIR> d-------- C:\Program Files\Panda Security
2008-07-17 18:09 . 2008-07-17 18:09 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-07-17 00:19 . 2007-07-11 11:11 888,832 --a------ C:\WINDOWS\system32\securenet.dll
2008-07-16 17:01 . 2008-07-16 17:01 24,392 --a------ C:\WINDOWS\system32\drivers\ElbyCDIO.sys
2008-07-16 09:45 . 2008-07-16 09:45 99,648 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2008-07-15 17:06 . 2008-07-15 17:07 <DIR> d-------- C:\Neurostar
2008-07-14 18:27 . 2008-07-20 14:58 <DIR> d-------- C:\Program Files\DVDFab 5
2008-07-08 22:02 . 2008-07-08 22:02 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-08 22:02 . 2008-07-08 22:02 <DIR> d-------- C:\WINDOWS\system32\en
2008-07-08 22:02 . 2008-07-08 22:02 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-08 22:02 . 2008-07-08 22:02 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-08 21:58 . 2008-07-08 21:58 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-08 21:50 . 2008-07-08 21:50 <DIR> d-------- C:\WINDOWS\EHome
2008-07-08 21:39 . 2008-04-13 20:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-07-03 18:51 . 2008-07-03 18:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Template
2008-07-03 18:50 . 2008-07-03 18:50 0 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-06-30 22:55 . 2008-06-30 22:55 <DIR> d-------- C:\Program Files\LG Software Innovations
2008-06-30 01:29 . 2008-06-30 01:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Anonymizer
2008-06-30 01:29 . 2008-06-30 01:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Anonymizer
2008-06-28 21:08 . 2008-06-28 21:08 <DIR> d-------- C:\Program Files\QuickTime
2008-06-28 16:09 . 2006-05-20 17:16 1,184,984 --a------ C:\WINDOWS\system32\wvc1dmod.dll
2008-06-28 16:09 . 2006-05-11 20:21 626,688 --a------ C:\WINDOWS\system32\vp7vfw.dll
2008-06-27 17:32 . 2008-07-20 14:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\1Click DVD Copy
2008-06-26 07:06 . 2008-06-26 07:06 93,128 --a------ C:\WINDOWS\system32\ElbyCDIO.dll
2008-06-24 00:08 . 2008-06-24 00:08 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MysteryStudio
2008-06-23 20:16 . 2008-07-20 14:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Fashion Solitaire 1.2
2008-06-21 14:59 . 2006-05-03 22:53 174,592 --a------ C:\WINDOWS\system32\framedyn.dll
2008-06-21 14:57 . 2008-06-21 14:58 <DIR> d-------- C:\WINDOWS\system32\Samsung_USB_Drivers
2008-06-21 14:57 . 2008-06-21 14:57 <DIR> d-------- C:\Program Files\Samsung
2008-06-21 14:57 . 2006-07-24 16:05 5,632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2008-06-21 14:57 . 2005-08-28 20:51 766 --a------ C:\WINDOWS\system32\Uninstall.ico
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 19:29 7,497,760 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-21 19:28 353,312 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-21 19:28 34,124 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-21 19:28 101,396 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-21 17:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-21 07:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\FrostWire
2008-07-20 18:58 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-07-20 18:58 --------- d-----w C:\Program Files\FrostWire
2008-07-20 18:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-07-20 18:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\VideoReDo-TVSuite
2008-07-20 18:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\iolo
2008-07-20 18:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\1Click DVD Copy Pro
2008-07-17 05:36 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-17 05:34 --------- d-----w C:\Program Files\PeerGuardian2
2008-07-15 21:18 --------- d-----w C:\Program Files\Java
2008-07-14 22:27 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-07-14 22:27 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2008-07-14 21:54 --------- d-----w C:\Program Files\Common Files\Ahead
2008-07-14 21:36 --------- d-----w C:\Program Files\Ahead
2008-06-29 01:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-28 20:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-06-28 20:10 827 ----a-w C:\Program Files\Common Files\ConvertXtoDvd 3.lnk
2008-06-27 00:56 --------- d-----w C:\Program Files\Shockwave.com
2008-06-21 18:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 23:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\Gamelab
2008-06-17 18:28 96,966 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-06-17 18:28 88,774 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-06-17 18:28 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-06-17 18:24 --------- d-----w C:\Program Files\CCleaner
2008-06-17 18:13 --------- d-----w C:\Program Files\Kaspersky Lab
2008-06-17 12:45 --------- d-----w C:\Documents and Settings\Administrator.YOUR-D9B2E5A77E\Application Data\iolo
2008-06-17 00:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
2008-06-17 00:20 --------- d-----w C:\Documents and Settings\LocalService\Application Data\iolo
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-06-07 15:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-02 20:14 --------- d-----w C:\Program Files\VideoLAN
2008-05-23 23:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Go Go Gourmet
2008-05-23 21:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\My Games
2008-05-22 06:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-05-21 16:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-11 15:58 74,703 ----a-w C:\WINDOWS\system32\mfc45.dll
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-05 03:15 1,566 ----a-w C:\Program Files\Common Files\VideoReDo TVSuite.lnk
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced WindowsCare 3"="C:\Program Files\IObit\Advanced WindowsCare 3 Beta\AWC.exe" [2008-07-20 18:01 2037624]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-23 12:52 185896]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"nolowdiskspaceckecks"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
--a------ 2008-02-08 18:36 227856 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-08 15:43:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-21 15:29:31
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-21 15:34:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-21 19:33:52
Pre-Run: 187,187,810,304 bytes free
Post-Run: 187,160,547,328 bytes free
167 --- E O F --- 2008-07-09 21:31:26
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:06 PM, on 7/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [Advanced WindowsCare 3] "C:\Program Files\IObit\Advanced WindowsCare 3 Beta\AWC.exe" /startup
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B8292E5-964F-4187-8A65-68045FF6DB07}: NameServer = 216.45.34.2 216.45.33.130
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
--
End of file - 2438 bytes
AfterDawn Addict
21. July 2008 @ 21:30
mesa101,
It is NOT a virus.. It uses some of the same coding as Trojans, but it uses it to defeat them.. (Good usage)
That's why I asked you to disable Kaspersky. Disable Kaspersky and continue with the instructions in the order presented to you.
Thanks for asking.. Thumbs up!
2OG

AfterDawn Addict
21. July 2008 @ 21:39
mesa101,
It will take me some time to go over the Logs so hang in there.
I'll be back as soon as I can..
2OG
mesa101
Member
21. July 2008 @ 22:12
Thanks a lot, 2OG.
AfterDawn Addict
21. July 2008 @ 22:22
mesa101, you're more than welcome.
You look clean.. If you are having any problems, please describe them and we'll see what we can do..
We found:
inst.exe
Description: Listed as TrojanDropper.Small.LG by SpywareBlaster.
I strongly recommend installing the following application:
- SpywareBlaster <= SpywareBlaster will prevent malware like this from being installed.
Uninstall ComboFix <-- This is a very powerful tool and not a general cleaning tool; if you run this on your own without supervision you could bork your system.
ComboFix is being updated all the time, and if you ever need it again, you will want to use the latest version..
This may or may not work if you did not follow the instructions and download it to your desktop; if it does not work, then go to where you have ComboFix and drag it to the trash.
- Click START then RUN
- Now type Combofix /u in the run box and click OK. Note the space between the X and the /U; it needs to be there.
- When shown the disclaimer, select "2"
The above procedure will:
- Delete the following:
  - ComboFix and its associated files and folders.
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
- Reset System Restore.
2OG
mesa101
Member
21. July 2008 @ 23:07
Everything seems fine except that Kaspersky keeps finding this:
new threat Hidden.Object (modification) File: C:\WINDOWS:CABFCAE96AE78894
What is this? Should I just add it to the trusted zone so it won't keep popping up? Thanks for your help.
AfterDawn Addict
21. July 2008 @ 23:37
mesa101,
That's STRANGE... I can find nothing in your logs?
Let's try this:
Use your Windows Explorer and navigate to C:\windows, then see if you can locate the file -> CABFCAE96AE78894
Also use the search function in Windows Explorer (be sure to search hidden files) and search the C:\windows folder for it.
Let me know if you find it...

Senior Member
22. July 2008 @ 09:34
Hi mesa
Just wanted to say that the detection by Kaspersky is not a signature or heuristic detection of any malware, just one of the extra ways in which Kaspersky protects your system. Apparently, C:\Windows was modified in some way, possibly the attributes. It probably isn't something to be worried about, and if you want to be sure, you can always scan your computer with Kaspersky in safe mode and quarantine it.
Also, another thing to be noted is this: even though modification protection and such can be attractive, Kaspersky alters your system in ways so that it cannot be reversed, such as attaching the md5 of each file to the file itself. That is why I will not recommend it, but if you are fine with it, that's good.
Best Regards :D
Life is but a dream; you dont feel any pain unless you want to or you fall off the bed.
Success is relative; the more success the more relatives.
A computer once beat me at chess, but it was no match for me at kickboxing.
To be or not to be; thats a dumb question.
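A note on the path itself: the form C:\WINDOWS:CABFCAE96AE78894 (a colon after the directory name) is NTFS notation for a named alternate data stream (ADS) attached to the C:\WINDOWS directory, not a file inside that folder, which is why browsing or searching the folder as suggested a few posts up will not show it. The script below is an added example, not code posted in this thread or shipped by any tool named here, and it assumes PowerShell 3.0 or later on an NTFS volume (the -Stream parameter of Get-Item, Get-Content and Remove-Item arrived in 3.0; on Windows XP the Sysinternals streams.exe utility does the same job). It lists the named streams on a directory together with a peek at their content, then exercises itself on a constructed demo stream in a temporary directory so nothing under C:\Windows is changed.

```powershell
# Added example (not from the thread): enumerate NTFS alternate data streams on a directory.
# Assumes PowerShell 3.0+ (the -Stream dynamic parameter of the FileSystem provider).

function Get-DirectoryAds {
    param([Parameter(Mandatory)][string]$Path)
    # A directory has no default ':$DATA' stream, so everything Get-Item -Stream * returns
    # for it is a named stream. Files would also report ':$DATA', which is filtered out so
    # the same function works on either.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $streamName = $_.Stream
            [pscustomobject]@{
                Path   = $Path
                Stream = $streamName          # e.g. 'CABFCAE96AE78894'
                Length = $_.Length
                # Read the stream as one string so a quick look at its content is possible
                # before deciding whether it is a leftover from a legitimate tool or not.
                Peek   = (Get-Content -LiteralPath $Path -Stream $streamName -Raw -ErrorAction SilentlyContinue)
            }
        }
}

# 1. Inspect the directory named in the Kaspersky detection (read-only).
Get-DirectoryAds -Path 'C:\Windows' | Format-Table Path, Stream, Length -AutoSize

# 2. Self-check on a constructed demo stream in a temp directory.
$demoDir = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demoDir | Out-Null
# cmd.exe redirection to 'dir:stream' creates a named stream on a directory on any NTFS Windows.
$target = "${demoDir}:Demo"
cmd.exe /c "echo constructed demo payload> `"$target`""

$found = Get-DirectoryAds -Path $demoDir
$found | Format-Table Stream, Length, Peek -AutoSize
if ($found.Stream -notcontains 'Demo') { throw 'ADS enumeration did not find the demo stream' }

# 3. Removing a named stream leaves the directory and its files untouched.
Remove-Item -LiteralPath $demoDir -Stream 'Demo'
if (Get-DirectoryAds -Path $demoDir) { throw 'demo stream still present after removal' }
Remove-Item -LiteralPath $demoDir -Recurse -Force
```

Run it from an elevated prompt, since reading streams on C:\Windows needs read access to the directory object. Legitimate software also parks data in streams on system directories (this thread ends with the stream traced to a tool installed alongside Spybot), so the presence of an ADS is a lead to investigate, not proof of infection; look at the Peek column and at what created it before removing anything.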

mesa101
Member
22. July 2008 @ 12:15
It turns out it was RunAlyzer, which I downloaded with Spybot a while back... I uninstalled it and I'm fine now.. Thanks.
AfterDawn Addict
22. July 2008 @ 15:06
Thanks cdavfrew, where you been?
@ mesa101,
Looks like you're good to go.. unless you have something else beating you up? : )
2OG
mesa101
Member
22. July 2008 @ 18:25
Many thanks, 2OG...
AfterDawn Addict
22. July 2008 @ 18:32
You're Welcome.

Senior Member
24. July 2008 @ 08:56
Hey 2oldgeek
I was gone because of summer and holiday! Glad to be back!
I speak too deeply? Strange, because other malware experts speak like this, like those from MRU! You too do, with your analogies :)
Best Regards :D