Cabrotor Found In Spybot S&d Scan



Chappy or anyone, Here's my HiJackThis log. I don't know what to fix.

Thanks for the help

Logfile of HijackThis v1.98.2

Scan saved at 8:05:05 PM, on 10/26/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Compaq\eakdrv\STARTDRV.exe

C:\WINDOWS\System32\pctspk.exe

C:\Compaq\eakdrv\EAKDRV.exe

C:\WINDOWS\System32\taskswitch.exe

C:\Program Files\RAM Idle\RAMIdle.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\Program Files\Support.com\bin\tgcmd.exe

C:\Compaq\eakdrv\EAUSBKBD.EXE

C:\Program Files\Yahoo!\browser\ybrwicon.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\GetRight\getright.exe

C:\Program Files\SBC\Connection Manager\CManager.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\Webshots\WebshotsTray.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\Fast.exe

C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jsonline.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service

R3 - Default URLSearchHook is missing

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [CPQEASYACC] C:\Compaq\eakdrv\STARTDRV.exe

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe

O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe

O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\RAM Idle\RAMIdle.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray

O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Download with GetRight - C:\PROGRA~1\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Browser - C:\PROGRA~1\GetRight\GRbrowse.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{06B05BAC-58F8-490D-A4A1-342AAFDC79D6}: NameServer = 65.43.19.26 206.141.192.60

O17 - HKLM\System\CS1\Services\Tcpip\..\{06B05BAC-58F8-490D-A4A1-342AAFDC79D6}: NameServer = 65.43.19.26 206.141.192.60


Not really much in the way of problems in your log.

Run another hijackthis scan. Place a check next to the following entries, then close all other windows and click the fix button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R3 - Default URLSearchHook is missing

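Added example, not part of the original posts: a short Python parser for the HijackThis entry lines shown above that counts entries per section code and groups the R0/R1 Internet Explorer settings by the host their URL points to, so the entries that share a redirect host can be reviewed together. The function names are hypothetical, and the sample is a subset of lines copied from the log in this thread.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Sample input: a subset of the lines from the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jsonline.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")            # "R1 - ...", "O16 - ..."
REG_VALUE = re.compile(r"^(HK\w+\\[^,]+),(.+?) = (.*)$")  # key,value name = data


def parse_entries(text):
    """Yield (code, body) for each entry line; header and process lines are skipped."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def section_counts(text):
    """Count entries per section code (R0, R1, O4, ...)."""
    return Counter(code for code, _ in parse_entries(text))


def ie_urls_by_host(text):
    """Map host -> [(code, registry key, value name)] for R0/R1 entries holding a URL."""
    hosts = defaultdict(list)
    for code, body in parse_entries(text):
        m = REG_VALUE.match(body) if code in ("R0", "R1") else None
        if not m:
            continue  # R3 lines and non-registry entries have no "key,name = data" form
        key, name, data = m.groups()
        host = urlsplit(data).hostname  # None for plain text such as a window title
        if host:
            hosts[host.lower()].append((code, key, name))
    return dict(hosts)


if __name__ == "__main__":
    print(dict(section_counts(SAMPLE_LOG)))
    for host, items in ie_urls_by_host(SAMPLE_LOG).items():
        print(host)
        for code, key, name in items:
            print(f"  {code}  {key} -> {name}")
```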

I am not sure if this is any help or not.

I scanned with Spybot just after getting off the internet last night and came up clean. Today I logged on and then came over here, found a notice from someone that Spybot had an update, so I got it, did another scan, and it came up with this:

"Error during check!: Cabrotor (Datei C:\WINNT\win.ini kann nicht geöffnet werden. The process cannot access the file because it is being used by another process) ()

Congratulations!: No immediate threats were found. ()"

So it appears to be an error of some kind. It still comes up with the same thing on additional scans. I don't know if that is any help or not. I would like to hear if anyone else is getting the same thing.

I am sorry if this is the wrong place to put this but thought it might be pertinent.

P.S. My Norton scans come up clean. So could this just be a Spybot S+D error or false positive?

God bless everyone.

Wow - I'm glad to know that it's just not happening to me.

I wonder if they goofed up again in their update.

Thanks thesidekickcat.

Take care


Thanks for letting me know it was Spybot S and D's error. Whew!!! :D

And I am sorry for butting in on your HJT log thread (yes I do know better :rolleyes: ), but it just felt like something would have shown up in your log if this threat had been for real. So I was adding my little bit in case there was another reason for this thing.

I did another scan after today's Norton antivirus update and came up clean again, as well as updated Spybot and scanned again. Clean!!! Whew!!! :D

Sure a big relief to find it wasn't something invading our computers. My Norton warns me every now and then, even as recently as night before last, that a trojan is attempting entry and it is being blocked. And that is with a dial up connection!!!!

Seriously I think my blood pressure would be lower if I wasn't always trying so hard to stay safe and keep everything working right. :rolleyes:

God bless everyone.

  • 3 weeks later...
Hi RackTracker,

I'm not home now, so I'll do this when I get there.

I'm curious as to why Yahoo is in need of fixes.  Oh well.

Thanks.

Hi there,

In reference to your question dealing with the Yahoo entries, the RedClientsApp section is the concern. Red Clients is a form of spyware. It tracks the websites you go to so that spam can be sent to your email account that is on record with Yahoo.

By fixing these entries, it removes the red client app, but keeps your homepage set to Yahoo like you want.
