problems with browser trojan (RESOLVED)
-
Re: problems with browser trojan
Hi, I was having trouble running Fixwareout as it wasn't bringing up the report at the end; instead it put it somewhere I couldn't find. I did a search for the report and here it is:
Fixwareout ver 1.003
Last edited march/15/2006
Post this report in the forums please
Reg Entries that were deleted
...
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Search by size and names...
»»»»» Misc files
»»»»» Checking for older varients covered by the Rem3 tool
Here is the ewido scan (run in safe mode) report:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 17:46:25, 27/03/2006
+ Report-Checksum: EE6C254
+ Scan result:
C:\Documents and Settings\jimbo\Cookies\jimbo@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\jimbo\Cookies\jimbo@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
::Report End
I have also done another HJT scan:
Logfile of HijackThis v1.99.1
Scan saved at 17:55:09, on 27/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\WINDOWS\system32\kmw_run.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hjt\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Update] MSlti32.exe
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Testimonials] ActionScr.exe
O4 - HKLM\..\Run: [init32] UserSp1.exe
O4 - HKCU\..\Run: [Rbnwmkt] C:\WINDOWS\system32\m?iexec.exe
O4 - HKCU\..\Run: [ActionScr] hyandex.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: palstart.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
There is only one user on this computer.
The computer is hooked up via a router, as my laptop is wireless.
-
Hi,
Do you have Pal Talk?
Go here to learn how to show hidden files/folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5
Download Clean.bat to your desktop (Save page as, or Save as) for later use, to clean out your TEMPORARY and PREFETCH files:
http://www.thatcomputerguy.us/downloads/clean.bat
Run HijackThis, click on Scan and put checks next to these items:
O4 - HKLM\..\Run: [Microsoft Update] MSlti32.exe
O4 - HKLM\..\Run: [Testimonials] ActionScr.exe
O4 - HKLM\..\Run: [init32] UserSp1.exe
O4 - HKCU\..\Run: [Rbnwmkt] C:\WINDOWS\system32\m?iexec.exe
O4 - HKCU\..\Run: [ActionScr] hyandex.exe
Make sure all browser windows are closed and click FIX.
Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select Safe Mode and press Enter.
Hunt for and delete if present:
MSlti32.exe < file
ActionScr.exe < file
UserSp1.exe < file
C:\WINDOWS\system32\m?iexec.exe< file
hyandex.exe < file
Now run that clean batch file you created earlier; type in 'Y' a couple of times and press Enter each time you type in "Y", until the black box disappears.
Then:
Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:
Temporary Internet Files
Downloaded Program Files
Recycle Bin
Temporary Files
Click OK or Enter
Reboot
Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal Start
Post a new HJT log for further review. How is your computer behaving now?
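The O4 triage done by eye in the reply above (picking out Run values that launch bare, unknown executables, or names that imitate Windows binaries) can be automated as a first pass. The script below is an added example, not code from this thread or from HijackThis itself. It parses O4 Run lines, flags the patterns that are visible in the logs posted here (a bare filename with no path, a filename one edit away from a system binary such as Svchosts.exe beside svchost.exe, a '?' where HijackThis could not print a character, an executable launched from Application Data) and assigns a severity per entry. The sample lines are copied from the log in the thread; the list of system binary names, the severity levels and the file-name extraction are my own assumptions, and the bare-filename signal is deliberately rated low because legitimate vendor entries such as nwiz.exe use it too.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Matches HijackThis O4 autostart lines from HKLM/HKCU ...\Run keys, e.g.
#   O4 - HKLM\..\Run: [Testimonials] ActionScr.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# First file reference in a Run value: either a quoted path or an unquoted
# token ending in a program extension (unquoted paths may contain spaces).
FILE_RE = re.compile(
    r'"([^"]+)"|([^\s"][^",]*?\.(?:exe|dll|cpl|scr|com|bat))(?=[\s,]|$)', re.I
)
# Core Windows binaries that malware likes to imitate by name (assumed list).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "msiexec.exe", "explorer.exe"}
RUNDLL_HOSTS = {"rundll32", "rundll32.exe"}
RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed sample: O4 lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows Registers] Svchosts.exe
O4 - HKLM\..\Run: [Testimonials] ActionScr.exe
O4 - HKCU\..\Run: [Temo] C:\Documents and Settings\jimbo\Application Data\sdsu.exe
O4 - HKCU\..\Run: [Rbnwmkt] C:\WINDOWS\system32\m?iexec.exe
O4 - HKCU\..\Run: [ActionScr] hyandex.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip().splitlines()


@dataclass
class O4Entry:
    hive: str
    key: str
    name: str
    command: str
    reasons: List[Tuple[str, str]] = field(default_factory=list)  # (severity, why)

    @property
    def severity(self) -> str:
        """Highest severity among the reasons, or '' when nothing was flagged."""
        return max((s for s, _ in self.reasons), key=RANK.get, default="")


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _target(command: str) -> str:
    """File the Run value actually launches; for rundll32 hosts, the DLL argument."""
    cmd = command.strip()
    parts = cmd.split(None, 1)
    if parts and parts[0].lower() in RUNDLL_HOSTS:
        cmd = parts[1] if len(parts) > 1 else ""
    m = FILE_RE.search(cmd)
    if m:
        return m.group(1) or m.group(2)
    return cmd.split()[0] if cmd.split() else ""


def analyse(entry: O4Entry) -> O4Entry:
    """Attach (severity, reason) pairs for the patterns seen in this thread's logs."""
    target = _target(entry.command)
    base = target.rsplit("\\", 1)[-1].lower()
    if "?" in target or any(ord(c) > 127 for c in target):
        entry.reasons.append(("high", "path contains a character HijackThis could not print (shown as '?')"))
    for sysname in sorted(SYSTEM_NAMES):
        if base != sysname and _edit_distance(base, sysname) == 1:
            entry.reasons.append(("high", f"filename is one edit away from system binary {sysname}"))
    if "application data" in target.lower():
        entry.reasons.append(("medium", "launches from a user profile data folder"))
    if "\\" not in target:
        entry.reasons.append(("low", "bare filename with no path; resolved via the search path"))
    return entry


def parse_o4(lines) -> List[O4Entry]:
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            entries.append(analyse(O4Entry(m.group("hive"), m.group("key"),
                                           m.group("name"), m.group("cmd"))))
    return entries


def triage(lines) -> Dict[str, str]:
    """Map each flagged Run value name to its highest severity."""
    return {e.name: e.severity for e in parse_o4(lines) if e.reasons}


def report(lines) -> List[str]:
    """Human-readable lines for the flagged entries, worst reasons included."""
    out = []
    for e in parse_o4(lines):
        if e.reasons:
            why = "; ".join(why for _, why in e.reasons)
            out.append(f"[{e.severity:6}] {e.hive} {e.key} [{e.name}] {e.command}  <- {why}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The output is a shortlist, not a verdict: every flagged entry still needs a human to confirm what the file is before it is fixed in HijackThis, exactly as the reply above does, and the Startup/Global Startup O4 variants (palstart.exe here) are outside this parser and need the same manual look.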
-
Hi, Paltalk is installed but I haven't used it in a long time.
When I first ran HJT there were only 2 O4 entries that came up that I could put a check against,
(Microsoft Update) MSlti32.exe and (init32) UserSp1.exe; the others were not there. I checked them and fixed them and carried on anyway.
Here is the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 15:02:51, on 28/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Office Mouse\moffice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Office Mouse\MOUSE32A.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Paltalk\pnetaware.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hjt\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Windows Registers] Svchosts.exe
O4 - HKLM\..\Run: [Testimonials] ActionScr.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office Mouse\moffice.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [uio] browsebar.exe
O4 - HKCU\..\Run: [Temo] C:\Documents and Settings\jimbo\Application Data\sdsu.exe
O4 - HKCU\..\Run: [Rbnwmkt] C:\WINDOWS\system32\m?iexec.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ActionScr] hyandex.exe
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: palstart.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
I noticed that the ones that were missing from the initial HJT log are present now?
I hope this helps.
Thanks
-
Yep, they do not want to die. I meant to say this sooner but it escaped me: one of those trojans is an information-stealing trojan, which means if you have done any online banking or credit card transactions you could possibly be a victim of identity theft, and I would urge you to contact those places and notify them.
I suggest you don't do anything on the internet until you are clean, except to come here.
Don't run Spy Sweeper just yet; we will from safe mode in a little bit.
Please download WebRoot SpySweeper from HERE (It's a 14-day trial):
* Click Download Now to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits
o Please UNCHECK Do not Sweep System Restore Folder.
* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply along with a fresh HJT log.
Run killbox from safe mode after installation
Download KillBox: please download TheKillbox by Option^Explicit
from here:
http://downloads.subratam.org/KillBox.zip
or here:
http://download.broadbandmedic.com/
or here:
http://www.bleepingcomputer.com/file...re/KillBox.zip
Unzip it to the desktop but do NOT run it yet.
1) Open up kill box now.
2) Select "Delete on Reboot".
3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\Windows\System32\Svchosts.exe
C:\Windows\System32\ActionScr.exe
C:\WINDOWS\System32\browsebar.exe
C:\Documents and Settings\jimbo\Application Data\sdsu.exe
C:\WINDOWS\system32\m?iexec.exe
C:\WINDOWS\system32\hyandex.exe
4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
Now run Spy Sweeper: reboot back into safe mode, run it, and post the log it makes along with a new HijackThis log.
-
Hi Neal, do I have to copy these files into a folder first? When I boot up in safe mode I cannot access this forum to highlight the selected files and copy them to the clipboard. Or do I copy them to the clipboard first, then boot up in safe mode?
thanks
-
Copy/paste to Notepad and save it to your desktop. (PREFERRED METHOD)
Thanks.
-
Hi, I carried out your instructions and here is the log after the first Spy Sweeper run, plus the HJT log:
********
07:32: | Start of Session, 31 March 2006 |
07:32: Spy Sweeper started
07:32: Sweep initiated using definitions version 644
07:32: Starting Memory Sweep
07:33: Memory Sweep Complete, Elapsed Time: 00:01:06
07:33: Starting Registry Sweep
07:33: Registry Sweep Complete, Elapsed Time:00:00:08
07:33: Starting Cookie Sweep
07:33: Cookie Sweep Complete, Elapsed Time: 00:00:00
07:33: Starting File Sweep
07:34: Found Trojan Horse: trojan-downloader-ruin
07:34: a0148902.exe (ID = 246)
07:34: a0148893.exe (ID = 246)
07:34: a0151225.exe (ID = 147)
07:34: a0151192.exe (ID = 246)
07:34: a0151183.exe (ID = 246)
07:34: a0148911.exe (ID = 246)
07:35: a0151202.exe (ID = 246)
07:35: a0151255.exe (ID = 246)
07:35: a0151221.exe (ID = 246)
07:35: a0151210.exe (ID = 246)
07:35: a0151248.exe (ID = 125496)
07:39: Found Adware: unspypc
07:39: a0151247.exe (ID = 209443)
07:42: a0126851.exe (ID = 209375)
07:43: Found Adware: idesk
07:43: a0151288.sys (ID = 205674)
07:43: a0130156.sys (ID = 205674)
07:43: a0151252.exe (ID = 232868)
07:44: a0150930.exe (ID = 246)
07:44: Found Trojan Horse: trojan-secdrop
07:44: a0151254.exe (ID = 81237)
07:51: Found Adware: exact cashback/bargain buddy
07:51: package8029_cdt3.exe (ID = 50800)
07:54: Warning: Invalid Stream
07:59: Warning: Invalid Stream
08:00: File Sweep Complete, Elapsed Time: 00:26:46
08:00: Full Sweep has completed. Elapsed time 00:28:06
08:00: Traces Found: 19
08
Removal process initiated
08
Quarantining All Traces: trojan-downloader-ruin
08
Quarantining All Traces: trojan-secdrop
08
Quarantining All Traces: exact cashback/bargain buddy
08
Quarantining All Traces: idesk
08
Quarantining All Traces: unspypc
08
Removal process completed. Elapsed time 00:00:18
********
08:50: | Start of Session, 29 March 2006 |
08:50: Spy Sweeper started
08:50: Sweep initiated using definitions version 643
08:50: Starting Memory Sweep
08:54: Memory Sweep Complete, Elapsed Time: 00:03:49
08:54: Starting Registry Sweep
08:54: Found Trojan Horse: trojan-downloader-wareout
08:54: HKU\S-1-5-21-2025429265-57989841-839522115-1003\software\microsoft\windows\currentversion\run \ || uio (ID = 144858)
08:54: Registry Sweep Complete, Elapsed Time:00:00:18
08:54: Starting Cookie Sweep
08:54: Cookie Sweep Complete, Elapsed Time: 00:00:00
08:54: Starting File Sweep
08:55: Found Trojan Horse: trojan-downloader-ruin
08:55: a0151249.exe (ID = 147)
08:57: Warning: The file sweep got stuck and had to be terminated and restarted in "safe" (slow) mode..
10:17: File Sweep Complete, Elapsed Time: 01:22:20
10:17: Full Sweep has completed. Elapsed time 01:26:33
10:17: Traces Found: 2
10:17: Removal process initiated
10:17: Quarantining All Traces: trojan-downloader-ruin
10:17: Quarantining All Traces: trojan-downloader-wareout
10:17: Removal process completed. Elapsed time 00:00:01
18:32: The Spy Communication shield has blocked access to: csx.adservs.com
18:32: The Spy Communication shield has blocked access to: csx.adservs.com
18:46: The Spy Communication shield has blocked access to: csx.adservs.com
18:46: The Spy Communication shield has blocked access to: csx.adservs.com
20:00: The Spy Communication shield has blocked access to: csx.adservs.com
20:00: The Spy Communication shield has blocked access to: csx.adservs.com
20:00: The Spy Communication shield has blocked access to: csx.adservs.com
20:00: The Spy Communication shield has blocked access to: csx.adservs.com
20:09: The Spy Communication shield has blocked access to: csx.adservs.com
20:09: The Spy Communication shield has blocked access to: csx.adservs.com
20:09: The Spy Communication shield has blocked access to: csx.adservs.com
20:09: The Spy Communication shield has blocked access to: csx.adservs.com
20:10: The Spy Communication shield has blocked access to: csx.adservs.com
20:10: The Spy Communication shield has blocked access to: csx.adservs.com
20:10: The Spy Communication shield has blocked access to: csx.adservs.com
20:10: The Spy Communication shield has blocked access to: csx.adservs.com
19:39: Your spyware definitions have been updated.
19:44: The Spy Communication shield has blocked access to: www.freebigmovies.com
19:44: The Spy Communication shield has blocked access to: www.freebigmovies.com
19:47: The Spy Communication shield has blocked access to: www.vidsvidsvids.com
19:47: The Spy Communication shield has blocked access to: www.vidsvidsvids.com
19:59: The Spy Communication shield has blocked access to: csx.adservs.com
19:59: The Spy Communication shield has blocked access to: csx.adservs.com
20:07: The Spy Communication shield has blocked access to: www.dansmovies.com
20:07: The Spy Communication shield has blocked access to: www.dansmovies.com
20:15: The Spy Communication shield has blocked access to: www.dansmovies.com
20:15: The Spy Communication shield has blocked access to: www.dansmovies.com
20:17: The Spy Communication shield has blocked access to: www.dansmovies.com
20:17: The Spy Communication shield has blocked access to: www.dansmovies.com
20
The Spy Communication shield has blocked access to: www.dansmovies.com
20
The Spy Communication shield has blocked access to: www.dansmovies.com
20:32: The Spy Communication shield has blocked access to: csx.adservs.com
20:32: The Spy Communication shield has blocked access to: csx.adservs.com
21:00: The Spy Communication shield has blocked access to: www.dansmovies.com
21:00: The Spy Communication shield has blocked access to: www.dansmovies.com
********
08:03: | Start of Session, 29 March 2006 |
08:03: Spy Sweeper started
08:03: Sweep initiated using definitions version 643
08:03: Starting Memory Sweep
08:06: Memory Sweep Complete, Elapsed Time: 00:03:54
08:06: Starting Registry Sweep
08:07: Found Trojan Horse: trojan-downloader-wareout
08:07: HKU\S-1-5-21-2025429265-57989841-839522115-1003\software\microsoft\windows\currentversion\run \ || uio (ID = 144858)
08:07: Registry Sweep Complete, Elapsed Time:00:00:21
08:07: Starting Cookie Sweep
08:07: Cookie Sweep Complete, Elapsed Time: 00:00:00
08:07: Starting File Sweep
08:07: Found Trojan Horse: trojan-downloader-ruin
08:07: a0151249.exe (ID = 147)
08:08: Warning: Failed to open file "c:\system volume information\_restore{8b984396-f460-4e54-a537-3b93039bc46c}\rp288\a0148902.exe". Access is denied
08:08: Warning: Failed to open file "c:\system volume information\_restore{8b984396-f460-4e54-a537-3b93039bc46c}\rp288\a0148893.exe". Access is denied
08:08: a0150920.exe (ID = 246)
08:08: a0151225.exe (ID = 147)
08:08: Warning: Failed to open file "c:\system volume information\_restore{8b984396-f460-4e54-a537-3b93039bc46c}\rp288\a0148911.exe". Access is denied
08:08: a0151192.exe (ID = 246)
08:08: a0151183.exe (ID = 246)
08:09: a0151202.exe (ID = 246)
08:09: a0151255.exe (ID = 246)
08:09: a0151221.exe (ID = 246)
08:09: a0151210.exe (ID = 246)
08:10: a0151248.exe (ID = 125496)
08:10: Found Adware: purityscan
08:10: mediaticketsinstaller.ocx (ID = 73162)
08:13: Found Adware: unspypc
08:13: a0151247.exe (ID = 209443)
08:17: a0126851.exe (ID = 209375)
08:18: Found Adware: idesk
08:18: a0151288.sys (ID = 205674)
08:18: a0130156.sys (ID = 205674)
08:18: a0151252.exe (ID = 232868)
08:19: a0150930.exe (ID = 246)
08:19: Found Trojan Horse: trojan-secdrop
08:19: a0151254.exe (ID = 81237)
08:26: Found Adware: exact cashback/bargain buddy
08:26: package8029_cdt3.exe (ID = 50800)
08:28: Found Adware: 180search assistant/zango
08:28: salmau.dat (ID = 93788)
08:29: Warning: Invalid Stream
08:33: Warning: Invalid Stream
08:33: File Sweep Complete, Elapsed Time: 00:26:15
08:33: Full Sweep has completed. Elapsed time 00:30:36
08:33: Traces Found: 21
08:34: Removal process initiated
08:34: Quarantining All Traces: 180search assistant/zango
08:34: Quarantining All Traces: purityscan
08:34: Quarantining All Traces: trojan-downloader-ruin
********
08:00: | Start of Session, 29 March 2006 |
08:00: Spy Sweeper started
08:01: Your spyware definitions have been updated.
08:03: | End of Session, 29 March 2006 |
Logfile of HijackThis v1.99.1
Scan saved at 08:23:06, on 31/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\hjt\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Windows Registers] Svchosts.exe
O4 - HKLM\..\Run: [Testimonials] ActionScr.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office Mouse\moffice.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Temo] C:\Documents and Settings\jimbo\Application Data\sdsu.exe
O4 - HKCU\..\Run: [Rbnwmkt] C:\WINDOWS\system32\m?iexec.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ActionScr] hyandex.exe
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: palstart.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Here are the logs after the clean.
********
08:31: | Start of Session, 31 March 2006 |
08:31: Spy Sweeper started
08:31: Sweep initiated using definitions version 644
08:31: Starting Memory Sweep
08:32: Memory Sweep Complete, Elapsed Time: 00:01:05
08:32: Starting Registry Sweep
08:32: Registry Sweep Complete, Elapsed Time:00:00:08
08:32: Starting Cookie Sweep
08:32: Cookie Sweep Complete, Elapsed Time: 00:00:00
08:32: Starting File Sweep
08:54: File Sweep Complete, Elapsed Time: 00:22:19
08:54: Full Sweep has completed. Elapsed time 00:23:39
08:54: Traces Found: 0
********
07:32: | Start of Session, 31 March 2006 |
07:32: Spy Sweeper started
07:32: Sweep initiated using definitions version 644
07:32: Starting Memory Sweep
07:33: Memory Sweep Complete, Elapsed Time: 00:01:06
07:33: Starting Registry Sweep
07:33: Registry Sweep Complete, Elapsed Time:00:00:08
07:33: Starting Cookie Sweep
07:33: Cookie Sweep Complete, Elapsed Time: 00:00:00
07:33: Starting File Sweep
07:34: Found Trojan Horse: trojan-downloader-ruin
07:34: a0148902.exe (ID = 246)
07:34: a0148893.exe (ID = 246)
07:34: a0151225.exe (ID = 147)
07:34: a0151192.exe (ID = 246)
07:34: a0151183.exe (ID = 246)
07:34: a0148911.exe (ID = 246)
07:35: a0151202.exe (ID = 246)
07:35: a0151255.exe (ID = 246)
07:35: a0151221.exe (ID = 246)
07:35: a0151210.exe (ID = 246)
07:35: a0151248.exe (ID = 125496)
07:39: Found Adware: unspypc
07:39: a0151247.exe (ID = 209443)
07:42: a0126851.exe (ID = 209375)
07:43: Found Adware: idesk
07:43: a0151288.sys (ID = 205674)
07:43: a0130156.sys (ID = 205674)
07:43: a0151252.exe (ID = 232868)
07:44: a0150930.exe (ID = 246)
07:44: Found Trojan Horse: trojan-secdrop
07:44: a0151254.exe (ID = 81237)
07:51: Found Adware: exact cashback/bargain buddy
07:51: package8029_cdt3.exe (ID = 50800)
07:54: Warning: Invalid Stream
07:59: Warning: Invalid Stream
08:00: File Sweep Complete, Elapsed Time: 00:26:46
08:00: Full Sweep has completed. Elapsed time 00:28:06
08:00: Traces Found: 19
08
Removal process initiated
08
Quarantining All Traces: trojan-downloader-ruin
08
Quarantining All Traces: trojan-secdrop
08
Quarantining All Traces: exact cashback/bargain buddy
08
Quarantining All Traces: idesk
08
Quarantining All Traces: unspypc
08
Removal process completed. Elapsed time 00:00:18
********
08:50: | Start of Session, 29 March 2006 |
08:50: Spy Sweeper started
08:50: Sweep initiated using definitions version 643
08:50: Starting Memory Sweep
08:54: Memory Sweep Complete, Elapsed Time: 00:03:49
08:54: Starting Registry Sweep
08:54: Found Trojan Horse: trojan-downloader-wareout
08:54: HKU\S-1-5-21-2025429265-57989841-839522115-1003\software\microsoft\windows\currentversion\run \ || uio (ID = 144858)
08:54: Registry Sweep Complete, Elapsed Time:00:00:18
08:54: Starting Cookie Sweep
08:54: Cookie Sweep Complete, Elapsed Time: 00:00:00
08:54: Starting File Sweep
08:55: Found Trojan Horse: trojan-downloader-ruin
08:55: a0151249.exe (ID = 147)
08:57: Warning: The file sweep got stuck and had to be terminated and restarted in "safe" (slow) mode..
10:17: File Sweep Complete, Elapsed Time: 01:22:20
10:17: Full Sweep has completed. Elapsed time 01:26:33
10:17: Traces Found: 2
10:17: Removal process initiated
10:17: Quarantining All Traces: trojan-downloader-ruin
10:17: Quarantining All Traces: trojan-downloader-wareout
10:17: Removal process completed. Elapsed time 00:00:01
18:32: The Spy Communication shield has blocked access to: csx.adservs.com
18:32: The Spy Communication shield has blocked access to: csx.adservs.com
18:46: The Spy Communication shield has blocked access to: csx.adservs.com
18:46: The Spy Communication shield has blocked access to: csx.adservs.com
20:00: The Spy Communication shield has blocked access to: csx.adservs.com
20:00: The Spy Communication shield has blocked access to: csx.adservs.com
20:00: The Spy Communication shield has blocked access to: csx.adservs.com
20:00: The Spy Communication shield has blocked access to: csx.adservs.com
20:09: The Spy Communication shield has blocked access to: csx.adservs.com
20:09: The Spy Communication shield has blocked access to: csx.adservs.com
20:09: The Spy Communication shield has blocked access to: csx.adservs.com
20:09: The Spy Communication shield has blocked access to: csx.adservs.com
20:10: The Spy Communication shield has blocked access to: csx.adservs.com
20:10: The Spy Communication shield has blocked access to: csx.adservs.com
20:10: The Spy Communication shield has blocked access to: csx.adservs.com
20:10: The Spy Communication shield has blocked access to: csx.adservs.com
19:39: Your spyware definitions have been updated.
19:44: The Spy Communication shield has blocked access to: www.freebigmovies.com
19:44: The Spy Communication shield has blocked access to: www.freebigmovies.com
19:47: The Spy Communication shield has blocked access to: www.vidsvidsvids.com
19:47: The Spy Communication shield has blocked access to: www.vidsvidsvids.com
19:59: The Spy Communication shield has blocked access to: csx.adservs.com
19:59: The Spy Communication shield has blocked access to: csx.adservs.com
20:07: The Spy Communication shield has blocked access to: www.dansmovies.com
20:07: The Spy Communication shield has blocked access to: www.dansmovies.com
20:15: The Spy Communication shield has blocked access to: www.dansmovies.com
20:15: The Spy Communication shield has blocked access to: www.dansmovies.com
20:17: The Spy Communication shield has blocked access to: www.dansmovies.com
20:17: The Spy Communication shield has blocked access to: www.dansmovies.com
20
The Spy Communication shield has blocked access to: www.dansmovies.com
20
The Spy Communication shield has blocked access to: www.dansmovies.com
20:32: The Spy Communication shield has blocked access to: csx.adservs.com
20:32: The Spy Communication shield has blocked access to: csx.adservs.com
21:00: The Spy Communication shield has blocked access to: www.dansmovies.com
21:00: The Spy Communication shield has blocked access to: www.dansmovies.com
********
08:03: | Start of Session, 29 March 2006 |
08:03: Spy Sweeper started
08:03: Sweep initiated using definitions version 643
08:03: Starting Memory Sweep
08:06: Memory Sweep Complete, Elapsed Time: 00:03:54
08:06: Starting Registry Sweep
08:07: Found Trojan Horse: trojan-downloader-wareout
08:07: HKU\S-1-5-21-2025429265-57989841-839522115-1003\software\microsoft\windows\currentversion\run \ || uio (ID = 144858)
08:07: Registry Sweep Complete, Elapsed Time:00:00:21
08:07: Starting Cookie Sweep
08:07: Cookie Sweep Complete, Elapsed Time: 00:00:00
08:07: Starting File Sweep
08:07: Found Trojan Horse: trojan-downloader-ruin
08:07: a0151249.exe (ID = 147)
08:08: Warning: Failed to open file "c:\system volume information\_restore{8b984396-f460-4e54-a537-3b93039bc46c}\rp288\a0148902.exe". Access is denied
08:08: Warning: Failed to open file "c:\system volume information\_restore{8b984396-f460-4e54-a537-3b93039bc46c}\rp288\a0148893.exe". Access is denied
08:08: a0150920.exe (ID = 246)
08:08: a0151225.exe (ID = 147)
08:08: Warning: Failed to open file "c:\system volume information\_restore{8b984396-f460-4e54-a537-3b93039bc46c}\rp288\a0148911.exe". Access is denied
08:08: a0151192.exe (ID = 246)
08:08: a0151183.exe (ID = 246)
08:09: a0151202.exe (ID = 246)
08:09: a0151255.exe (ID = 246)
08:09: a0151221.exe (ID = 246)
08:09: a0151210.exe (ID = 246)
08:10: a0151248.exe (ID = 125496)
08:10: Found Adware: purityscan
08:10: mediaticketsinstaller.ocx (ID = 73162)
08:13: Found Adware: unspypc
08:13: a0151247.exe (ID = 209443)
08:17: a0126851.exe (ID = 209375)
08:18: Found Adware: idesk
08:18: a0151288.sys (ID = 205674)
08:18: a0130156.sys (ID = 205674)
08:18: a0151252.exe (ID = 232868)
08:19: a0150930.exe (ID = 246)
08:19: Found Trojan Horse: trojan-secdrop
08:19: a0151254.exe (ID = 81237)
08:26: Found Adware: exact cashback/bargain buddy
08:26: package8029_cdt3.exe (ID = 50800)
08:28: Found Adware: 180search assistant/zango
08:28: salmau.dat (ID = 93788)
08:29: Warning: Invalid Stream
08:33: Warning: Invalid Stream
08:33: File Sweep Complete, Elapsed Time: 00:26:15
08:33: Full Sweep has completed. Elapsed time 00:30:36
08:33: Traces Found: 21
08:34: Removal process initiated
08:34: Quarantining All Traces: 180search assistant/zango
08:34: Quarantining All Traces: purityscan
08:34: Quarantining All Traces: trojan-downloader-ruin
********
08:00: | Start of Session, 29 March 2006 |
08:00: Spy Sweeper started
08:01: Your spyware definitions have been updated.
08:03: | End of Session, 29 March 2006 |
Logfile of HijackThis v1.99.1
Scan saved at 09:05:01, on 31/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\hjt\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Windows Registers] Svchosts.exe
O4 - HKLM\..\Run: [Testimonials] ActionScr.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office Mouse\moffice.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Temo] C:\Documents and Settings\jimbo\Application Data\sdsu.exe
O4 - HKCU\..\Run: [Rbnwmkt] C:\WINDOWS\system32\m?iexec.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ActionScr] hyandex.exe
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: palstart.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
I hope this helps
Thanks
-
Info on post #14
Killbox these again from safe mode; they did not die:
C:\Windows\System32\Svchosts.exe
C:\Windows\System32\ActionScr.exe
C:\Documents and Settings\jimbo\Application Data\sdsu.exe
C:\WINDOWS\system32\m?iexec.exe
C:\WINDOWS\system32\hyandex.exe
Thanks.
-
Hi Neal,
When I run Killbox and hit the delete button, it gives me the option 'delete on reboot', which I tick yes, but I don't get the 'no' option on the pending operations prompt. It comes up with a dialogue box with a red X saying 'pending file rename operations registry data has been removed by external process', and you have to OK this.
Any ideas?
Thanks
-
Hi,
Give me a new HijackThis log please and we will have a look. Thanks.