Solved: Infected by Win32.Greepa.A

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

slick ray (Thread Starter) · Joined Nov 11, 2004 · Messages 15
Hi to anyone who could help, I got infected by this thing called Win32.Greepa.A and my anti-virus software tells me that it's under the file name lsass.exe. So far, it hasn't done much damage but I think somehow it disabled my anti-virus software and it won't even let me do an HJT log. So if anyone there could help, I'd be eternally grateful!

Thanks in advance! :)
 

slick ray (Thread Starter) · Joined Nov 11, 2004 · Messages 15
Hi! Thanks for replying! I did what you told me but it's still the same as before -- the scan would start but it would not finish and the window would disappear abruptly without saving the log.
 
Joined Sep 7, 2004 · Messages 49,014
Sorry, missed that - run it in safe mode (tapping F8 at the beginning of the boot)

See if you can run this

Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
· Install ewido.
· During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
· Launch ewido
· It will prompt you to update; click the OK button and it will go to the main screen
· On the left side of the main screen click update
· Click on Start and let it update.
· DO NOT run a scan yet. You will do that later in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:
(Start tapping F8 at the first black screen after power up)

Run Ewido:
· Click on scanner
· Click Complete System Scan and the scan will begin.
· During the scan it will prompt you to clean files, click OK
· When the scan is finished, look at the bottom of the screen and click the Save report button.
· Save the report to your C: Drive
This will take some time to run!
Boot to normal mode
Post that log and a new HiJack log
 

slick ray (Thread Starter) · Joined Nov 11, 2004 · Messages 15
I still couldn't get HJT to work even in safe mode but I was able to run Ewido. And my anti-virus software still alerts me regarding the infected file. Anyway, here's the Ewido report:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:30:37 PM, 1/16/2006
+ Report-Checksum: F3699ED5

+ Scan result:

[884] c:\lsass.exe -> Logger.Banker.ahy : Cleaned with backup
:mozilla.6:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.7:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.8:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.19:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.20:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.21:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.22:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.23:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.24:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.25:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.73:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.103:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.104:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.105:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.106:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.154:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.155:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.169:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Pro-market : Cleaned with backup
:mozilla.174:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.177:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.179:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.181:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.185:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.186:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.187:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.188:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.197:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.198:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.199:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.225:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.232:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.236:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.237:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.238:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.239:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.260:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.261:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.262:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.263:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.264:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.272:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.273:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.274:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.276:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.293:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
:mozilla.361:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.374:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.375:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.401:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.410:C:\Documents and Settings\ROBBY RAY BELMES\Application Data\Mozilla\Firefox\Profiles\k3matdlc.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\lsass.exe -> Logger.Banker.ahy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP356\A0029242.exe -> Logger.Banker.ahy : Cleaned with backup


::Report End
 
Joined Sep 7, 2004 · Messages 49,014
Ewido got this

C:\lsass.exe -> Logger.Banker.ahy : Cleaned with backup

Now can you run HiJack????
===============
http://www.kaspersky.com/virusscanner - Online scan

When the scan is finished, save the results from the scan and post them
============

Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129&ac=tsg

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.
Also post a new Hijack This log.
 

slick ray (Thread Starter) · Joined Nov 11, 2004 · Messages 15
No, for some reason I still can't run HiJack even after doing what you said above. Here's the log for both:

Spy Sweeper Log
********
6:37 PM: | Start of Session, Monday, January 16, 2006 |
6:37 PM: Spy Sweeper started
6:37 PM: Sweep initiated using definitions version 602
6:37 PM: Starting Memory Sweep
6:42 PM: Memory Sweep Complete, Elapsed Time: 00:04:30
6:42 PM: Starting Registry Sweep
6:42 PM: Found Adware: commander toolbar
6:42 PM: HKLM\software\microsoft\code store database\distribution units\{0fffffff-0fff-0fff-0fff-0fffffffffff}\ (8 subtraces) (ID = 106772)
6:42 PM: Found Adware: winad
6:42 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/winadservx.dll\ (2 subtraces) (ID = 147195)
6:42 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\winadservx.dll (ID = 147224)
6:42 PM: Registry Sweep Complete, Elapsed Time:00:00:15
6:42 PM: Starting Cookie Sweep
6:42 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
6:42 PM: Starting File Sweep
6:42 PM: Found Adware: bullguard popup ad
6:42 PM: c:\windows\temp\bullguard (1 subtraces) (ID = -2147476409)
6:47 PM: bulldownload.exe (ID = 52017)
7:13 PM: Warning: Unhandled Archive Type
7:13 PM: Warning: Unhandled Archive Type
7:13 PM: Warning: Cannot open file "c:\program files\yahoo!\ypsr\quarantine\20051105203436.zip". Access is denied
7:14 PM: Warning: Unhandled Archive Type
7:14 PM: Warning: Invalid Stream
7:14 PM: File Sweep Complete, Elapsed Time: 00:32:26
7:14 PM: Full Sweep has completed. Elapsed time 00:37:18
7:14 PM: Traces Found: 16
7:15 PM: Removal process initiated
7:15 PM: Quarantining All Traces: winad
7:15 PM: Quarantining All Traces: bullguard popup ad
7:15 PM: Quarantining All Traces: commander toolbar
7:15 PM: Removal process completed. Elapsed time 00:00:18
********
5:26 PM: | Start of Session, Monday, January 16, 2006 |
5:26 PM: Spy Sweeper started
5:27 PM: Your spyware definitions have been updated.
6:37 PM: | End of Session, Monday, January 16, 2006 |




Online Scan Log
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, January 16, 2006 18:35:18
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 17/01/2006
Kaspersky Anti-Virus database records: 161114
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 66153
Number of viruses found: 1
Number of infected objects: 48
Number of suspicious objects: 0
Duration of the scan process: 4674 sec

Infected Object Name - Virus Name
C:\Program Files\LimeWire\Shared\2 Find MP3 8.2.0.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\2pac - tupac full album battle before his dead.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Adobe InDesign CS 2.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Adobe keygen for photoshop indesign incopy SERIAL crack.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Adobe Photoshop CS 2.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Autocad 2002 Crack.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Autocad 2004 Crack.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Autocad 2005 Crack.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Autocad 2006 Crack.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\BEST HACK TOOL FOR REAL HACKERS KEYLOGGER WEBCAM SPY! - PRIVATE.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Counter strike - cs full version.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Counter strike keygen WORKING FOR ONLINE STEAM.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\credit card generator.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Fifa 2006 FULL with crack.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Fifa 2007 FULL with crack.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\flash 8.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Free SMS Bomber.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Google hack tutorial for beginners.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\HalfLife 2 WORKING Steam crack.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Hotmail account hacker in 30 minutes.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Hotmail hacker.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Hotmailhacker v1.0.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\hotmail_account_sniffer.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\IP Changer.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Microsoft Office Activation Crack.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Microsoft Office Professional Crack.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Microsoft Office Professional Serial.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Microsoft Office Professional Universal Crack without serial.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Microsoft Office Universal Activator v1.0.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\MSN hacker - password stealer.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\norton anti virus FULL NEWEST VERSION.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Norton AntiVirus 2005 crack.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Norton AntiVirus 2006 crack.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Norton antivirus crack.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Norton firewall 2006 crack.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\porn.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\porn_account_cracker.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\porn_account_hacker.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\psx2 - playstation 2 emulator.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\toon boom.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\UniVersal GSM unlocker for removing simlock (NOKIA,ERICSSON,SONY,SAMSUNG,OTHERS).exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\WinRAR 4 beta.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\yahoo_cracker.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\yahoo_hacker.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\Yahoo_mail_cracker.exe Infected: Backdoor.Win32.SdBot.gen
C:\Program Files\LimeWire\Shared\ZoneAlarm crack (keygen).exe Infected: Backdoor.Win32.SdBot.gen
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP349\A0026552.exe Infected: Backdoor.Win32.SdBot.gen
C:\WINDOWS\SYSTEM32\taskdrv32.exe Infected: Backdoor.Win32.SdBot.gen

Scan process completed.
 
Joined Sep 7, 2004 · Messages 49,014
As you can tell, LimeWire is full of spyware

Remove LimeWire via Add/Remove Programs

==================
DownLoad http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\Program Files\LimeWire
C:\WINDOWS\SYSTEM32\taskdrv32.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Boot - now can you get a log???
 

slick ray (Thread Starter) · Joined Nov 11, 2004 · Messages 15
Hi again! Okay so I just did what you said above and the good news is my anti-virus software didn't alert me of the infection so I guess that was taken care of. However, when I restarted my computer to try HiJack once again, the window that asks you to choose the program you want to open it with popped up. I thought that was weird so I tried opening other applications and the same window popped up. Any idea what might have caused this and how to fix it?
 

slick ray (Thread Starter) · Joined Nov 11, 2004 · Messages 15
Thanks! It worked. I finally was able to run HiJack also, so here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 2:13:58 PM, on 1/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ROBBY RAY BELMES\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [YCentral] c:\progra~1\yahoo!\YCentral\YahooCentral.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - http://entimg.msn.com/client/msnmusax2918.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by108fd.bay108.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
 
Joined Sep 7, 2004 · Messages 49,014
How are things now??? Log looks fine

If you feel it is fixed, mark it solved via thread tools above - if not what is the current situation?
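The helper's verdict rests on reading the "Running processes" section by eye: the infection ran as C:\lsass.exe while the genuine lsass.exe lives in C:\WINDOWS\system32. The script below is an added example, not part of the thread or of HijackThis; it automates that one check over a HijackThis log by flagging core Windows binary names running from the wrong directory, and any second copy of a process Windows only ever runs once. Both sample logs are constructed: the "infected" one mirrors the Ewido finding, the "clean" one is an excerpt of the log posted above.

```python
import ntpath

# Core Windows binaries and the directory under the Windows folder they are
# installed in ("" = the Windows folder itself). Names match case-insensitively.
EXPECTED_SYSTEM_DIR = {
    "smss.exe": "system32",
    "csrss.exe": "system32",
    "winlogon.exe": "system32",
    "services.exe": "system32",
    "lsass.exe": "system32",
    "svchost.exe": "system32",
    "spoolsv.exe": "system32",
    "explorer.exe": "",
}

# Processes of which a healthy Windows XP system runs exactly one copy.
SINGLE_INSTANCE = {"lsass.exe", "services.exe"}

SECTION_HEADER = "Running processes:"

# Constructed HJT excerpt modelled on the Ewido finding: a second lsass.exe
# in the root of C: and the SdBot dropper taskdrv32.exe still running.
INFECTED_SAMPLE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\lsass.exe
C:\WINDOWS\SYSTEM32\taskdrv32.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
"""

# Constructed excerpt of the post-cleanup log the helper judged clean.
CLEAN_SAMPLE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbc.yahoo.com/
"""


def running_processes(log_text):
    """Return the paths listed under 'Running processes:' in an HJT log."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped == SECTION_HEADER:
            in_section = True
        elif in_section:
            if not stripped:
                break              # the first blank line ends the section
            paths.append(stripped)
    return paths


def check_path(path, windows_dir=r"C:\WINDOWS"):
    """Return a reason string if `path` impersonates a system binary, else None."""
    directory, name = ntpath.split(path)
    expected = EXPECTED_SYSTEM_DIR.get(name.lower())
    if expected is None:
        return None                # not a protected name, nothing to compare
    expected_dir = ntpath.join(windows_dir, expected) if expected else windows_dir
    # ntpath.normcase lowercases and normalises separators on any host OS.
    if ntpath.normcase(directory) == ntpath.normcase(expected_dir):
        return None
    return f"{name} runs from {directory}, expected {expected_dir}"


def find_suspects(log_text, windows_dir=r"C:\WINDOWS"):
    """Return (path, reason) tuples for misplaced or duplicated system processes."""
    suspects, seen = [], {}
    for path in running_processes(log_text):
        reason = check_path(path, windows_dir)
        if reason:
            suspects.append((path, reason))
        name = ntpath.basename(path).lower()
        seen[name] = seen.get(name, 0) + 1
    for name, count in seen.items():
        if name in SINGLE_INSTANCE and count > 1:
            suspects.append((name, f"{count} copies of {name} running, expected 1"))
    return suspects


if __name__ == "__main__":
    for label, sample in (("infected", INFECTED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label + ":", find_suspects(sample) or "no suspects")
```

A name-and-directory check only catches this particular masquerade; taskdrv32.exe in the sample passes because it is not a known name, which is why the helper also needed the Kaspersky scan.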
 

slick ray (Thread Starter) · Joined Nov 11, 2004 · Messages 15
Everything's okay now. Thanks a lot, MFDnSC! You are heaven sent! I wouldn't have fixed this without your help! :)
 