
Author Topic: Downloader-yh trojan  (Read 9582 times)


Snerd

  • Guest
Re: Downloader-yh trojan
« Reply #15 on: April 11, 2005, 08:49:59 PM »

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\SlipStream Web Accelerator\PBHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Utilities\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Ad-watch] "C:\Utilities\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Free Download Manager] C:\Utilities\Free Download Manager\fdm.exe -autorun
O4 - Startup: ERUNT AutoBackup.lnk = C:\Utilities\ERUNT\AUTOBACK.EXE
O4 - Global Startup: SlipStream.lnk = C:\Program Files\SlipStream Web Accelerator\slipaccel.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Utilities\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Utilities\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Utilities\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Utilities\Free Download Manager\dlpage.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\UTILIT~1\CACHEM~1\CachemanXP.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Utilities\Executive Software\Diskeeper\DkService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Snerd

  • Guest
Re: Downloader-yh trojan
« Reply #16 on: April 11, 2005, 08:53:44 PM »
Here is the first part of the report:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Utilities\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\runservice.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Utilities\Zone Labs\ZoneAlarm\zlclient.exe
C:\Utilities\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Utilities\Free Download Manager\fdm.exe
C:\Program Files\SlipStream Web Accelerator\slipaccel.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\New Downloads\hijackthis\HijackThis.exe

Everything was done as you requested and was clean, except that MS mentioned Warez, but I opted to ignore it.

Keeping the Temp Int Files folder open to see when i286.exe pops up and what triggered it.

We'll get it. Thanks again.

dl65

  • R.I.P.
  • Prodigy
  Thanked: 18
Re: Downloader-yh trojan
« Reply #17 on: April 11, 2005, 09:14:50 PM »
Snerd....looking better, but I see an entry I either missed or overlooked the first time .....

Run hijackthis again and mark for removal.....

O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)

Something else ......make sure there's nothing in your recycle bin .........before you reboot

The Warez entry you chose to ignore may be the culprit......Warez sites are bad for viruses and trojans.

let us know how you make out

dl65  ::)

« Last Edit: April 11, 2005, 09:18:24 PM by dl65 »
If you don't know the answer, it isn't a dumb question.
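The O9 entry dl65 points to is a registration whose target file is gone, and a log of this size has other patterns worth a second look before hand-picking lines. The Python script below is an added example written for this page, not code from the thread or from HijackThis: it parses a few lines copied from the log posted above (the SAMPLE_LOG text) and groups them by three flags whose names (orphan, unknown-owner, in-windows-root) are my own. The flags are leads, not verdicts; in this very log McAfee's McShield also shows "Unknown owner" and Creative's UpdReg.EXE also sits directly in C:\WINDOWS, so each hit still needs a vendor and hash check.

```python
"""Triage pass over HijackThis-style log lines.

Added example for this thread, not code from the forum or from HijackThis.
It extracts the module path from O2/O4/O9/O23 entries and raises three kinds of
flag: an entry whose target is "(no file)" (a leftover registration such as the
O9 button dl65 spotted), an O23 service with no vendor string, and an executable
sitting directly in the Windows directory rather than under System32 or Program
Files. Each flag is a lead to check against the vendor and a hash lookup, not a
verdict; legitimate software trips all three in the log posted above.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# A handful of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\SlipStream Web Accelerator\PBHelper.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Utilities\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# First drive-letter path ending in a loadable module; surrounding quotes are optional.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|cpl|ocx|scr|sys))\b', re.IGNORECASE)
SECTION_RE = re.compile(r"^(O\d+|R\d|F\d|N\d)\s+-\s+")
# Directories where a bare third-party executable is unusual.
WINDOWS_ROOTS = {r"c:\windows", r"c:\winnt"}


@dataclass
class Entry:
    section: str                 # "O4", "O9", "O23", ...
    raw: str                     # the log line as written
    target: Optional[str]        # extracted path, "(no file)", or None
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for headers and blank lines."""
    line = line.strip()
    m = SECTION_RE.match(line)
    if not m:
        return None
    path = PATH_RE.search(line)
    entry = Entry(m.group(1), line, path.group(1) if path else None)

    if entry.target is None and "(no file)" in line:
        entry.target = "(no file)"
        entry.flags.append("orphan")
    if entry.section == "O23" and " - Unknown owner - " in line:
        entry.flags.append("unknown-owner")
    # ntpath handles backslash paths even when this runs on a non-Windows host.
    if entry.target and ntpath.dirname(entry.target).lower() in WINDOWS_ROOTS:
        entry.flags.append("in-windows-root")
    return entry


def triage(log_text: str) -> List[Entry]:
    entries = (parse_entry(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None]


def flagged(log_text: str) -> Dict[str, List[str]]:
    """Group the raw lines by the flag they raised."""
    by_flag: Dict[str, List[str]] = defaultdict(list)
    for e in triage(log_text):
        for f in e.flags:
            by_flag[f].append(e.raw)
    return dict(by_flag)


if __name__ == "__main__":
    for flag, lines in sorted(flagged(SAMPLE_LOG).items()):
        print(f"[{flag}]")
        for raw in lines:
            print("   ", raw)
```

Feed it a whole log by reading the file into `flagged()`; the "orphan" group is the one to hand to HijackThis for removal, while "unknown-owner" and "in-windows-root" are the entries to look up before deciding anything.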

Snerd

  • Guest
Re: Downloader-yh trojan
« Reply #18 on: April 11, 2005, 10:16:45 PM »
Bin was empty and am gonna remove that file ....

A friend gave me a small note; all it said was ewido.com, and after a long time......
--------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:                  8:54:04 PM, 4/11/2005
+ Report-Checksum:            886A8083

+ Date of database:            4/12/2005
+ Version of scan engine:      v3.0

+ Duration:                        30 min
+ Scanned Files:                  103332
+ Speed:                        56.14 Files/Second
+ Infected files:                  7
+ Removed files:                  4
+ Files put in quarantine:            4
+ Files that could not be opened:      0
+ Files that could not be cleaned:      3

+ Binder:            Yes
+ Crypter:            Yes
+ Archives:            Yes

+ Scanned items:
     C:\
     D:\
     E:\
     F:\
     C:\
     D:\
     E:\
     F:\

+ Scan result:
     C:\WINDOWS\system32\sypeitb.dll -> TrojanDownloader.Qoologic.i -> Cleaned with backup
     C:\WINDOWS\system32\wmconfig.cpl -> TrojanDropper.Win32.Small.wc -> Cleaned with backup
     C:\WINDOWS\system32\Wsiibw.exe -> Spyware.DealHelper.ac -> Cleaned with backup
     C:\WINDOWS\unadbeh.exe -> TrojanDropper.Win32.Small.wc -> Cleaned with backup
     C:\WINDOWS\system32\sypeitb.dll -> TrojanDownloader.Qoologic.i -> Error during cleaning
     C:\WINDOWS\system32\wmconfig.cpl -> TrojanDropper.Win32.Small.wc -> Error during cleaning
     C:\WINDOWS\unadbeh.exe -> TrojanDropper.Win32.Small.wc -> Error during cleaning


::Report End

What do you think?

dl65

  • R.I.P.
  • Prodigy
  Thanked: 18
Re: Downloader-yh trojan
« Reply #19 on: April 11, 2005, 10:35:18 PM »
Snerd........Go to each of the following locations and see if you can manually remove them....... Reboot into Safe and then remove them.

C:\WINDOWS\system32\sypeitb.dll -> TrojanDownloader.Qoologic.i -> Error during cleaning

C:\WINDOWS\system32\wmconfig.cpl -> TrojanDropper.Win32.Small.wc -> Error during cleaning

C:\WINDOWS\unadbeh.exe -> TrojanDropper.Win32.Small.wc -> Error during cleaning

let us know,

dl65  ::)
If you don't know the answer, it isn't a dumb question.
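"Error during cleaning" is what a scanner reports when a file is still loaded: Windows will not delete a DLL mapped into a running process or an EXE that is executing, which is why dl65's Safe Mode advice works. The other standard route is to ask Windows to delete the file on the next boot through MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT; the Session Manager carries those deletions out before the Run keys or services start. The Python script below is an added example for this page, not code from the thread or from ewido. It uses the three paths from the report above, hashes each file before removing it so the sample can still be identified afterwards (ewido's "Cleaned with backup" kept a copy for the same reason), and falls back to the reboot-time deletion when the immediate delete is refused. It has to run elevated on Windows; the function names are mine.

```python
"""Remove files a scanner could not clean, falling back to delete-on-reboot.

Added example for this thread, not code from the forum or from ewido. Windows
will not delete a DLL that is mapped into a running process or an EXE that is
executing (os.remove raises PermissionError). MoveFileExW with
MOVEFILE_DELAY_UNTIL_REBOOT records the path in the Session Manager's
PendingFileRenameOperations value, and smss.exe deletes it on the next boot
before the Run keys and services load. Writing that value needs administrator
rights, so run this elevated.
"""
import ctypes
import hashlib
import os
import sys
from typing import Dict, List

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4  # flag value from winbase.h

# The three paths ewido reported as "Error during cleaning" in the post above.
SUSPECT_FILES = [
    r"C:\WINDOWS\system32\sypeitb.dll",
    r"C:\WINDOWS\system32\wmconfig.cpl",
    r"C:\WINDOWS\unadbeh.exe",
]


def sha256_of(path: str) -> str:
    """Hash the file before it disappears so it can still be looked up later."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def pending_rename_entries(paths: List[str]) -> List[str]:
    """REG_MULTI_SZ pairs as MoveFileExW writes them for a delayed delete:
    the source in NT object-path form (\\??\\C:\\...) followed by an empty
    destination string, which tells smss.exe to delete rather than rename.
    Useful for checking what is queued under
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager before rebooting."""
    entries: List[str] = []
    for p in paths:
        entries.append("\\??\\" + p)
        entries.append("")
    return entries


def schedule_delete_on_reboot(path: str) -> None:
    """Ask the kernel to delete `path` on the next boot (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("MoveFileExW is only available on Windows")
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.MoveFileExW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    kernel32.MoveFileExW.restype = ctypes.c_int
    # A NULL destination plus the delay flag means "delete at reboot".
    if not kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())


def remove_or_schedule(paths: List[str]) -> Dict[str, str]:
    """Try an immediate delete; if the file is in use, queue it for reboot."""
    report: Dict[str, str] = {}
    for p in paths:
        if not os.path.exists(p):
            report[p] = "absent"
            continue
        digest = sha256_of(p)
        try:
            os.remove(p)
            report[p] = "removed sha256=" + digest
        except PermissionError:  # sharing violation or access denied: file is loaded
            schedule_delete_on_reboot(p)
            report[p] = "scheduled-for-reboot sha256=" + digest
    return report


if __name__ == "__main__":
    for path, outcome in remove_or_schedule(SUSPECT_FILES).items():
        print(outcome, path)
```

Deleting the file does not remove whatever launches it; the Run key, BHO or service entry that pointed at it should come out in the same session, and the recorded hash is what to search for if the name changes on the next infection.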

Snerd

  • Guest
Re: Downloader-yh trojan
« Reply #20 on: April 11, 2005, 11:35:16 PM »
I think we got it - if you re-read the ewido report it seems to say that it got them on the second try. I checked and could find nothing but I will run ewido again to be sure.

Read that Trojan Hunter found and cleaned that file so I tried it. Beautiful program, fast and easy to use. I like it when they immediately update before a scan, but it found nothing.

Now all I have to do is to try and figure out why my folders keep switching back to icon view from list view.

You are great, I cannot thank you enough and I will be back to read and learn.

dl65

  • R.I.P.
  • Prodigy
  Thanked: 18
Re: Downloader-yh trojan
« Reply #21 on: April 11, 2005, 11:57:54 PM »
Snerd....I have had my items change on occasion from list to icon ......but I think it may be just a glitch in windows ......If you find out otherwise ...let us know .
Glad to hear your issue is resolved .

dl65  ::)
If you don't know the answer, it isn't a dumb question.