| Thread ID: 44325 | 2004-04-15 22:00:00 | Kobesl.exe | sarahk (5347) | Press F1 |
| Post ID | Timestamp | Content | User |
| 229673 | 2004-04-24 11:40:00 | That's not "HijackThis", that's "Startup List". Wrong program. Download HijackThis and try again. | godfather (25) |
| 229674 | 2004-04-24 15:54:00 | Inside the HijackThis program, under Config > Misc Tools, is the option of creating a startup list of all processes on your computer at bootup. It is in this startup list in which the kobe*.* is found that I am asking about. By my selecting scan from the main window in HijackThis, no reference to kobe is visible. But, your wish is my command: | iacchus (5532) |

    Logfile of HijackThis v1.97.7
    Scan saved at 9:35:24 AM, on 4/24/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\crypserv.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    C:\WINNT\Mixer.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
    C:\Program Files\Free Surfer\fs20.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\PROGRA~1\NETRAT~1\NetMeter\NetMeter.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
    C:\Program Files\Microsoft Money\System\mnyexpr.exe
    C:\Program Files\Norton SystemWorks\Norton CleanSweep\CsinsmNT.exe
    C:\WINNT\system32\ntvdm.exe
    D:\phpdev5\mysql\bin\mysqld-nt.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    D:\phpdev5\gtkdev\php4\php.exe
    C:\Palm\AlarmApp.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\Norton SystemWorks\Process Viewer\PrcView.exe
    D:\phpdev5\ApacheMonitor.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\OPScan.exe
    C:\PROGRA~1\INCRED~1\bin\IncMail.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.sbc.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = red.clientapps.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = red.clientapps.yahoo.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NetMeter] C:\PROGRA~1\NETRAT~1\NetMeter\NetMeter.exe
    O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [MailWasher] C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
    O4 - Startup: Alarm Manager.LNK = C:\Palm\AlarmApp.exe
    O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: PrcView.lnk = C:\Program Files\Norton SystemWorks\Process Viewer\PrcView.exe
    O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\CsinsmNT.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: mysql_NT.lnk = D:\phpdev5\mysql\bin\mynt_shortcut.bat
    O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O4 - Global Startup: phpdev5.lnk = D:\phpdev5\spiny.bat
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Free Surfer (HKLM)
    O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: NeoTrace It! (HKCU)
    O9 - Extra button: WeatherBug (HKCU)
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nmtracer.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nmtracer.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nmtracer.dll
    O15 - Trusted Zone: http://www.nielsennetpanel.com
    O15 - Trusted Zone: http://www.penguinmagic.com
    O16 - DPF: Yahoo! Pool 2 - download.games.yahoo.com
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - office.microsoft.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - www.apple.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - download.macromedia.com
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - download.weatherbug.com
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - office.microsoft.com
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - webresponse.one.microsoft.com
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - fdl.msn.com
    O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - a14.g.akamai.net
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - sc.groups.msn.com
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - v4.windowsupdate.microsoft.com
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - download.yahoo.com
    O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} - webresponse.one.microsoft.com
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - security.symantec.com
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - sc.groups.msn.com
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - www-secure.symantec.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - download.macromedia.com
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - www-secure.symantec.com
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} - www2.incredimail.com
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - chat.msn.com

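An added example, not code from the thread or from HijackThis itself: a small Python script that splits a HijackThis log like the one above into its "Running processes" list and its lettered entries, runs the kobe*.* file-name search the post describes over all of it at once, and lists the entry types a reviewer usually looks at first (O10 entries HijackThis could not identify, O15 Trusted Zone additions, and O4 autostart targets given without a full path). SAMPLE_LOG is a constructed excerpt of the log above, and the review rules are this example's own heuristics, not HijackThis verdicts.

```python
"""Triage a HijackThis v1.9x log offline.

Added example for this thread, not code from the page or from HijackThis.
It splits a log into the "Running processes" list and the lettered
entries (R0, O2, O4, O10, ...), searches every file name in it for a glob
such as kobe*.* (what the thread is hunting for), and lists the entry
types a reviewer usually checks first.  SAMPLE_LOG is a constructed
excerpt of the log posted in the thread; the review rules are heuristics
of this example, not HijackThis's own verdicts.
"""
import fnmatch
import re
from collections import Counter

SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Scan saved at 9:35:24 AM, on 4/24/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\Mixer.exe
C:\PROGRA~1\NETRAT~1\NetMeter\NetMeter.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NetMeter] C:\PROGRA~1\NETRAT~1\NetMeter\NetMeter.exe
O4 - Startup: PowerReg Scheduler.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nmtracer.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nmtracer.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nmtracer.dll
O15 - Trusted Zone: http://www.nielsennetpanel.com
O15 - Trusted Zone: http://www.penguinmagic.com
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - download.weatherbug.com
"""

# A lettered entry: letter, number, " - ", then the body of the line.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Anything that looks like a file name with a typical autostart/plugin extension.
NAME_RE = re.compile(r'[^\\/\s\[\]"=,:]+\.(?:exe|dll|ocx|bat|lnk|htm|html)\b', re.I)
# A drive-letter path such as C:\ or d:\ .
DRIVE_RE = re.compile(r"[A-Za-z]:\\")


def parse_hjt(text):
    """Return (processes, entries): the running-process paths and a list of
    (code, body) tuples for the R/F/N/O lines, in log order."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process block
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False          # the first lettered entry ends it too
            entries.append((m["code"], m["body"]))
        elif in_processes:
            processes.append(line)
    return processes, entries


def search(text, pattern):
    """Lines whose file names match a case-insensitive glob, e.g. 'kobe*.*'.
    Covers both the process list and every lettered entry."""
    processes, entries = parse_hjt(text)
    lines = processes + [f"{code} - {body}" for code, body in entries]
    pattern = pattern.lower()
    return [ln for ln in lines
            if any(fnmatch.fnmatch(name.lower(), pattern) for name in NAME_RE.findall(ln))]


def triage(text):
    """Return [(code, reason, detail)] for entries worth a manual look.
    These are review prompts, not verdicts: legitimate software registers
    Winsock LSPs and adds Trusted Zone sites as well."""
    _, entries = parse_hjt(text)
    findings = []
    # O10: HijackThis prints one line per LSP chain slot, so collapse them per file.
    lsp_files = Counter(body.split(": ", 1)[-1].lower() for code, body in entries if code == "O10")
    for path, n in lsp_files.items():
        findings.append(("O10", f"unidentified Winsock LSP ({n} chain entries)", path))
    for code, body in entries:
        if code == "O15":
            findings.append(("O15", "site added to the IE Trusted Zone", body.split(": ", 1)[-1]))
        elif code == "O4":
            # Target is what follows the [name] for Run keys, or the ": " for Startup folders.
            target = body.split("] ", 1)[1] if "] " in body else body.split(": ", 1)[-1]
            if not DRIVE_RE.search(target):
                findings.append(("O4", "autostart target has no full path (resolved via PATH at logon)", target))
    return findings


if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    print(f"{len(procs)} processes, {len(ents)} entries")
    print("kobe*.* hits:", search(SAMPLE_LOG, "kobe*.*") or "none")
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code:5}{reason}: {detail}")
```

Run it as-is to triage the excerpt, or replace SAMPLE_LOG with the contents of a saved log file. An empty result from search() for kobe*.*, as here, matches the poster's observation that the Scan log shows no reference to kobe; the startup list produced under Config > Misc Tools is a different report and would need to be fed in separately.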
| 229675 | 2004-05-13 09:56:00 | Well, Dave found Kobesl on Tuesday. It made itself very visible as it destroyed his hard drive. Hopefully he'll come back with his war story and some more info. Sarah | sarahk (5347) |
| 229676 | 2004-05-13 10:17:00 | Someone else had this problem as well, seems to be something new. www.spywareinfo.com | Jim B (153) |
| 229677 | 2004-05-13 10:36:00 | Nope, that was Dave fishing further afield. Same username... thanks for hunting it down though. | sarahk (5347) |
| 229678 | 2004-05-13 10:48:00 | Same user name as Dave above, Jim. Is this our Dave? The epilogues at the bottom of this page (www.spywareinfo.com) are interesting. Cheers Murray P | Murray P (44) |
| 229679 | 2004-05-13 11:01:00 | Should'a checked back before posting, Sarah, too busy reading up the link Jim posted. Seems with all the new laws being enacted around the world re data cracking, spam and privacy, etc, that the sites who propagate these exploits can't be shut down even if the writers of the nasties can't be got at directly. If a select few legislators and upholders of the law got bitten hard enough I bet some action would ensue pretty quickly. Dubya would be my first pick, being action man of the moment and a mite sensitive to unauthorised behavior, not having total control, etc. Could be onto a winner there. Any ideas on how to action this? NOoo, don't post them here :O Cheers Murray P | Murray P (44) |
| 229680 | 2004-05-13 20:29:00 | Here's some news from "our" Dave: However, I use the Java VM from Sun, but I do know that IE does have to use the MS VM. One of the characteristics I noticed is that I could no longer perform a full system scan using Norton SystemWorks Pro 2004. The more I tried, the more my system would shut down and sometimes I would receive a memory overrun dump (blue screen) and the system would reboot. I did not know, however, about the Index.dat viewer and that is the only thing I can think of that contributed to my current situation. *sigh* Thinking back now, I guess I did notice the kobe strain sometime after installing Index.dat Viewer, I just didn't put the two together. Ironically, the one thing that led me to kobe in the first place was both the name and the current status of one of our NBA basketball players (Kobe Bryant). I did install Ad Aware Pro w/Ad Watch and there were several instances in which it alerted and prevented browser hijacks and registry updates. It was only after upgrading to Ad Aware Pro w/Ad Watch that I began to have reboot problems as well as Norton full system scan failures. I guess if the strain gets noticed it begins to shut the system down. I think it also rewrites the hd config that the computer uses to identify and read. My 40 gig hd is now unreadable and S.M.A.R.T. is telling me to backup and replace it, so that is what I am going to do (hopefully today). | sarahk (5347) |
| 229681 | 2004-05-13 22:30:00 | Hmm, cheap 40Gig HDD coming up eh! Sorry to hear that, cough! ;\ MS's separate agenda for Java has been well documented and is recognised by the US courts for what it is. Unfortunately embedding their internet browser into the OS and other apps allows an easier road by which these things can get in and cause the amount of havoc they do. Dave, if you have a spare machine, throw the drive on it and boot it with a Linux live CD like Knoppix or Mepis. It might like a journalled file system. And I'm sure you will (you certainly don't want to risk your machine again, do you. How 'bout Sarah's, sure she won't mind especially if she isn't there to see you do it ;) ) Have you given the latest CWShredder a go? Maybe wait a week or two for it to catch up with this beastie. Cheers Murray P | Murray P (44) |
| 229682 | 2004-05-13 22:43:00 | I'd be happy to help but there's a slight geography problem, I'm in Auckland, Dave's in the USA | sarahk (5347) |