Win32.Trojan.Yspy


This topic is locked.
#256 JSntgRvr (Global Moderator, 10,939 posts)
Is that the entire list, or was it cut off? If so, attach the report.
#257 kelkay (Topic Starter, Member, 423 posts)
This is all that showed up on the scanner report when I clicked on it. There are about 111 items; some are duplicates. I wish it would let me highlight and copy the whole thing without the log, but it won't; I tried that.

#258 JSntgRvr (Global Moderator, 10,939 posts)
Let's confirm these are gone.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\Program Files\SurfSideKick 3
    C:\Program Files\Aprps
    C:\Program Files\SpywareStrike
    C:\Program Files\Save
    C:\Program Files\Common Files\WhenU
    C:\Program Files\WHENUSEARCH
    C:\Program Files\Zango
    C:\Program Files\Zango Programs
    C:\Program Files\SurfAccuracy
    C:\Program Files\ISTBar
    C:\Program Files\Ezula
    C:\Program Files\Web Offer
    C:\Program Files\SpySheriff
    C:\Program Files\WEBHANCER
    C:\Program Files\whInstall
    C:\Program Files\Common Files\WinTools
    C:\Program Files\AdwarePunisher
    C:\Program Files\PuritySCAN
    C:\Program Files\MemoryWatcher
    C:\WINDOWS\system32\wuauclt.dll
    C:\WINDOWS\wupdt.exe
    C:\WINDOWS\bsx32
    C:\WINDOWS\bs2.dll
    C:\WINDOWS\bs3.dll
    C:\WINDOWS\bsx5.dll
    C:\WINDOWS\bxxs5.dll
    C:\WINDOWS\oo4.dll
    C:\WINDOWS\system32\acd.dll
    C:\WINDOWS\system32\anaamon.dll
    C:\WINDOWS\system32\bs2.dll
    C:\WINDOWS\system32\bs3.dll
    C:\WINDOWS\system32\bsx5.dll
    C:\WINDOWS\system32\bxsx5.dll
    C:\WINDOWS\system32\bxxs5.dll
    C:\WINDOWS\system32\oo4.dll
    C:\WINDOWS\system32\rem00001.dll
    C:\Program Files\MalwareWipe.com
    C:\Program Files\Common Files\WinFixer 2006
    C:\Program Files\WinFixer_2006
    C:\WINDOWS\system32\dfe1.exe
    C:\Program Files\NewDotNet
    C:\WINDOWS\system32\atmtd.dll
    C:\WINDOWS\system32\atmtd.dll._
    C:\Program Files\Starware
    C:\Program Files\SpamBlockerUtility
    C:\Program Files\ShopperReports
    C:\Program Files\YourSiteBar
    C:\Program Files\UnSpyPC
    C:\WINDOWS\mslagent
    C:\Program Files\PestTrap
    C:\Program Files\RazeSpyware
    C:\Program Files\AdwareSheriff
    C:\Program Files\RemedyAntispy
    C:\Program Files\HitVirus
    C:\Program Files\ADWareBazooka
    C:\Program Files\RegiFast
    C:\Program Files\Toolbar888
    C:\Program Files\SpyFalcon
    C:\Program Files\ClearSearch
    C:\Program Files\BraveSentry
    C:\Program Files\TBONBin
    C:\Program Files\TrustIn Bar
    C:\Program Files\TrustIn Search
    C:\Program Files\TrustIn Contextual
    C:\Program Files\TrustIn Popups
    C:\WINDOWS\system32\tisa.cnf
    C:\Program Files\Spyware Stormer
    C:\Program Files\AlertSpy
    C:\Program Files\E2G
    C:\Program Files\ipwindows
    C:\Program Files\BullsEye Network
    C:\Program Files\NaviSearch
    C:\Program Files\RegFreeze
    C:\Program Files\AdFinderToolbar
    C:\Program Files\AdwareFinder
    C:\Program Files\KillAndClean
    C:\Program Files\AntiviralGolden
    C:\Program Files\Media-Codec
    C:\Program Files\MMediaCodec
    C:\Program Files\Antispyware Soldier
    C:\Program Files\Seekmo
    C:\Program Files\DriveCleaner 2006 Free
    C:\Program Files\PestCapture
    C:\Program Files\AntiVermins
    C:\Program Files\AdSponsor
    C:\Program Files\MalwareAlarm
    C:\Program Files\ContraVirus
    C:\Program Files\SpyDawn
    C:\Program Files\MalwareStopper
    C:\Program Files\Web Buying
    C:\Program Files\SideFind
    C:\Program Files\PC MightyMax
    C:\Program Files\AVSystemCare
    C:\Program Files\Antivirus Protection
    C:\Program Files\Spyware Remover
    C:\Program Files\180search assistant
    C:\Program Files\180searchassistant
    C:\Program Files\stc
    C:\Program Files\Srng
    C:\Program Files\MyNetProtector
    C:\Program Files\AdwareSpy
    C:\Program Files\ETD Security Scanner
    C:\Program Files\MySpyProtector
    C:\Program Files\PC Health Plan
    C:\Program Files\Adware Patrol
    C:\Program Files\Doctor Adware
    C:\Program Files\Doctor Adware Pro
    C:\WINDOWS\system32\cdscsix3.dll
    C:\WINDOWS\etb
    HKU\S-1-5-21-3792878029-4271234764-2959189486-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\doubleclick.net
    HKU\S-1-5-21-3792878029-4271234764-2959189486-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\doubleclick.net#*
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

#259 kelkay (Topic Starter, Member, 423 posts)
Possibly infected: Trojan program Trojan-Downloader.JS.gen (modification) c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\rp601\a0281036.msi 5 MB 7/19/2008 11:47:59


This one is in quarantine by Kaspersky AV. I do not know if it is a valid file anymore because I wiped the System Restore files last night. I am wondering if this could just be deleted. But if it really is infected, that could cause problems, I guess. The rest of those System Restore files do not show up on Sophos anymore as hidden files, which was a big relief. Sophos Anti-Rootkit shows NO hidden files, or any rootkits now, as of last night.

#260 kelkay (Topic Starter, Member, 423 posts)
Explorer killed successfully
C:\Program Files\SurfSideKick 3 moved successfully.
C:\Program Files\Aprps moved successfully.
C:\Program Files\SpywareStrike moved successfully.
C:\Program Files\Save moved successfully.
C:\Program Files\Common Files\WhenU moved successfully.
C:\Program Files\WHENUSEARCH moved successfully.
C:\Program Files\Zango moved successfully.
C:\Program Files\Zango Programs moved successfully.
C:\Program Files\SurfAccuracy moved successfully.
C:\Program Files\ISTBar moved successfully.
C:\Program Files\Ezula moved successfully.
C:\Program Files\Web Offer moved successfully.
C:\Program Files\SpySheriff moved successfully.
C:\Program Files\WEBHANCER moved successfully.
C:\Program Files\whInstall moved successfully.
C:\Program Files\Common Files\WinTools moved successfully.
C:\Program Files\AdwarePunisher moved successfully.
< C:\Program Files\PuritySCAN >
C:\Program Files\purityscan moved successfully.
C:\Program Files\MemoryWatcher moved successfully.
C:\WINDOWS\system32\wuauclt.dll moved successfully.
C:\WINDOWS\wupdt.exe moved successfully.
C:\WINDOWS\bsx32 moved successfully.
C:\WINDOWS\bs2.dll moved successfully.
C:\WINDOWS\bs3.dll moved successfully.
C:\WINDOWS\bsx5.dll moved successfully.
C:\WINDOWS\bxxs5.dll moved successfully.
C:\WINDOWS\oo4.dll moved successfully.
C:\WINDOWS\system32\acd.dll moved successfully.
C:\WINDOWS\system32\anaamon.dll moved successfully.
C:\WINDOWS\system32\bs2.dll moved successfully.
C:\WINDOWS\system32\bs3.dll moved successfully.
C:\WINDOWS\system32\bsx5.dll moved successfully.
C:\WINDOWS\system32\bxsx5.dll moved successfully.
C:\WINDOWS\system32\bxxs5.dll moved successfully.
C:\WINDOWS\system32\oo4.dll moved successfully.
C:\WINDOWS\system32\rem00001.dll moved successfully.
C:\Program Files\MalwareWipe.com moved successfully.
C:\Program Files\Common Files\WinFixer 2006 moved successfully.
C:\Program Files\WinFixer_2006 moved successfully.
C:\WINDOWS\system32\dfe1.exe moved successfully.
C:\Program Files\NewDotNet moved successfully.
C:\WINDOWS\system32\atmtd.dll moved successfully.
C:\WINDOWS\system32\atmtd.dll._ moved successfully.
C:\Program Files\Starware moved successfully.
C:\Program Files\SpamBlockerUtility moved successfully.
C:\Program Files\ShopperReports moved successfully.
C:\Program Files\YourSiteBar moved successfully.
C:\Program Files\UnSpyPC moved successfully.
C:\WINDOWS\mslagent moved successfully.
C:\Program Files\PestTrap moved successfully.
C:\Program Files\RazeSpyware moved successfully.
C:\Program Files\AdwareSheriff moved successfully.
C:\Program Files\RemedyAntispy moved successfully.
C:\Program Files\HitVirus moved successfully.
C:\Program Files\ADWareBazooka moved successfully.
C:\Program Files\RegiFast moved successfully.
C:\Program Files\Toolbar888 moved successfully.
C:\Program Files\SpyFalcon moved successfully.
C:\Program Files\ClearSearch moved successfully.
C:\Program Files\BraveSentry moved successfully.
C:\Program Files\TBONBin moved successfully.
C:\Program Files\TrustIn Bar moved successfully.
C:\Program Files\TrustIn Search moved successfully.
C:\Program Files\TrustIn Contextual moved successfully.
C:\Program Files\TrustIn Popups moved successfully.
C:\WINDOWS\system32\tisa.cnf moved successfully.
C:\Program Files\Spyware Stormer moved successfully.
C:\Program Files\AlertSpy moved successfully.
C:\Program Files\E2G moved successfully.
C:\Program Files\ipwindows moved successfully.
C:\Program Files\BullsEye Network moved successfully.
C:\Program Files\NaviSearch moved successfully.
C:\Program Files\RegFreeze moved successfully.
C:\Program Files\AdFinderToolbar moved successfully.
C:\Program Files\AdwareFinder moved successfully.
C:\Program Files\KillAndClean moved successfully.
C:\Program Files\AntiviralGolden moved successfully.
C:\Program Files\Media-Codec moved successfully.
C:\Program Files\MMediaCodec moved successfully.
C:\Program Files\Antispyware Soldier moved successfully.
C:\Program Files\Seekmo moved successfully.
C:\Program Files\DriveCleaner 2006 Free moved successfully.
C:\Program Files\PestCapture moved successfully.
C:\Program Files\AntiVermins moved successfully.
C:\Program Files\AdSponsor moved successfully.
C:\Program Files\MalwareAlarm moved successfully.
C:\Program Files\ContraVirus moved successfully.
C:\Program Files\SpyDawn moved successfully.
C:\Program Files\MalwareStopper moved successfully.
C:\Program Files\Web Buying moved successfully.
C:\Program Files\SideFind moved successfully.
C:\Program Files\PC MightyMax moved successfully.
C:\Program Files\AVSystemCare moved successfully.
C:\Program Files\Antivirus Protection moved successfully.
C:\Program Files\Spyware Remover moved successfully.
C:\Program Files\180search assistant moved successfully.
C:\Program Files\180searchassistant moved successfully.
C:\Program Files\stc moved successfully.
C:\Program Files\Srng moved successfully.
C:\Program Files\MyNetProtector moved successfully.
C:\Program Files\AdwareSpy moved successfully.
C:\Program Files\ETD Security Scanner moved successfully.
C:\Program Files\MySpyProtector moved successfully.
C:\Program Files\PC Health Plan moved successfully.
C:\Program Files\Adware Patrol moved successfully.
C:\Program Files\Doctor Adware moved successfully.
C:\Program Files\Doctor Adware Pro moved successfully.
C:\WINDOWS\system32\cdscsix3.dll moved successfully.
C:\WINDOWS\etb moved successfully.
< HKU\S-1-5-21-3792878029-4271234764-2959189486-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\doubleclick.net >
Registry key HKEY_USERS\S-1-5-21-3792878029-4271234764-2959189486-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\doubleclick.net\\ deleted successfully.
< HKU\S-1-5-21-3792878029-4271234764-2959189486-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\doubleclick.net#* >
Registry key HKEY_USERS\S-1-5-21-3792878029-4271234764-2959189486-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\doubleclick.net#*\\ not found.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07202008_142051
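The "let's confirm these are gone" step in #258 comes down to checking every item in the paste list against the MovedFiles log in #260. The script below is an added example for this thread, not code from OTMoveIt2 or from either poster: it parses a paste list and a MovedFiles log in the shapes visible above and buckets each requested item as moved, deleted, not found, or unconfirmed (requested but never reported on), and also flags anything the log acted on that was not requested. The list and log embedded in it are short constructed excerpts of the ones posted here; "Doctor Adware Pro" is deliberately left out of the log excerpt so the unconfirmed case shows up. The line shapes it matches ("<path> moved successfully.", "< item >" headers, "Registry key <key>\\ deleted successfully." / "... not found.") are taken from the posted log, not from any published OTMoveIt2 specification, so treat them as an assumption.

```python
"""Reconcile an OTMoveIt2 paste list against the MovedFiles log it produced.

Added example for this thread, not code from OTMoveIt2 or from the posters.
Assumption: log lines look like the ones in the posted log ("<item> moved
successfully.", "< item >" headers for wildcard and registry items,
"Registry key <key>\\ deleted successfully." and "... not found.").
"""
import re

# Constructed excerpt of the paste list from post #258 (same syntax).
# "Doctor Adware Pro" is requested here but absent from the log excerpt
# below on purpose, so the "unconfirmed" bucket is exercised.
PASTE_LIST = r"""
[kill explorer]
C:\Program Files\SurfSideKick 3
C:\Program Files\PuritySCAN
C:\WINDOWS\system32\wuauclt.dll
C:\Program Files\Doctor Adware Pro
HKU\S-1-5-21-3792878029-4271234764-2959189486-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\doubleclick.net
HKU\S-1-5-21-3792878029-4271234764-2959189486-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\doubleclick.net#*
[start explorer]
"""

# Constructed excerpt of the MovedFiles log from post #260.
MOVED_LOG = r"""
Explorer killed successfully
C:\Program Files\SurfSideKick 3 moved successfully.
< C:\Program Files\PuritySCAN >
C:\Program Files\purityscan moved successfully.
C:\WINDOWS\system32\wuauclt.dll moved successfully.
< HKU\S-1-5-21-3792878029-4271234764-2959189486-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\doubleclick.net >
Registry key HKEY_USERS\S-1-5-21-3792878029-4271234764-2959189486-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\doubleclick.net\\ deleted successfully.
< HKU\S-1-5-21-3792878029-4271234764-2959189486-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\doubleclick.net#* >
Registry key HKEY_USERS\S-1-5-21-3792878029-4271234764-2959189486-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\doubleclick.net#*\\ not found.
Explorer started successfully
OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07202008_142051
"""

HEADER_RE = re.compile(r"^< (?P<item>.+) >$")
RESULT_RE = re.compile(
    r"^(?:Registry key )?(?P<target>.+?)(?:\\\\)? "
    r"(?P<verb>moved successfully|deleted successfully|not found)\.$"
)


def norm(path: str) -> str:
    """Case-fold a path (Windows paths are case-insensitive) and map the HKU
    alias used in the paste list onto the HKEY_USERS name the log prints."""
    path = path.strip()
    if path.upper().startswith("HKU\\"):
        path = "HKEY_USERS\\" + path[4:]
    return path.casefold()


def parse_list(text: str) -> list[str]:
    """Return the requested items, skipping blank lines and [directive] lines."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if not line or (line.startswith("[") and line.endswith("]")):
            continue
        items.append(line)
    return items


def parse_log(text: str) -> dict[str, str]:
    """Map each item the log reports on (normalized) to its outcome verb.
    A "< item >" header names the requested item; the result line after it is
    credited to that item even if the log spells the path differently
    (PuritySCAN vs purityscan above)."""
    outcomes: dict[str, str] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        header = HEADER_RE.match(line)
        if header:
            current = norm(header.group("item"))
            outcomes.setdefault(current, "no result")
            continue
        result = RESULT_RE.match(line)
        if not result:
            continue  # "Explorer killed successfully", trailer, blanks
        key = current if current is not None else norm(result.group("target"))
        outcomes[key] = result.group("verb")
        current = None
    return outcomes


def reconcile(paste_list: str, log_text: str) -> dict[str, list[str]]:
    """Bucket every requested item by what the log says happened to it."""
    requested = parse_list(paste_list)
    outcomes = parse_log(log_text)
    report: dict[str, list[str]] = {
        "moved": [], "deleted": [], "not found": [], "unconfirmed": [], "unrequested": []}
    for item in requested:
        verb = outcomes.get(norm(item))
        if verb == "moved successfully":
            report["moved"].append(item)
        elif verb == "deleted successfully":
            report["deleted"].append(item)
        elif verb == "not found":
            report["not found"].append(item)
        else:
            report["unconfirmed"].append(item)  # never reported, or header with no result
    requested_norm = {norm(item) for item in requested}
    report["unrequested"] = sorted(k for k in outcomes if k not in requested_norm)
    return report


if __name__ == "__main__":
    for status, items in reconcile(PASTE_LIST, MOVED_LOG).items():
        print(f"{status}: {len(items)}")
        for item in items:
            print("    " + item)
```

Run it against the full list and log from the thread by pasting them into PASTE_LIST and MOVED_LOG; anything in the "unconfirmed" bucket is what to re-check before treating the cleanup as done, and "not found" entries (like the doubleclick.net#* key above) are simply items that were already absent.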

#261 JSntgRvr (Global Moderator, 10,939 posts)

    Possibly infected: Trojan program Trojan-Downloader.JS.gen (modification) c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\rp601\a0281036.msi 5 MB 7/19/2008 11:47:59

    This one is in quarantine by Kaspersky AV. I do not know if it is a valid file anymore because I wiped the System Restore files last night. I am wondering if this could just be deleted. But if it really is infected, that could cause problems, I guess. The rest of those System Restore files do not show up on Sophos anymore as hidden files, which was a big relief. Sophos Anti-Rootkit shows NO hidden files, or any rootkits now, as of last night.

Remove it from quarantine.

#262 JSntgRvr (Global Moderator, 10,939 posts)
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
Re-Scan with Super Antispyware and post the report.

#263 kelkay (Topic Starter, Member, 423 posts)
You mean delete it in quarantine?

#264 JSntgRvr (Global Moderator, 10,939 posts)

    You mean delete it in quarantine?

Yes. If KAS has it in quarantine, remove it from there.

I'll be back in the evening to check this report.

#265 kelkay (Topic Starter, Member, 423 posts)
Alright, the clean up was done, and I will remove that file in quarantine, and rescan with SuperAntiSpyware. THANKS. :)
#266 kelkay (Topic Starter, Member, 423 posts)
2 Adware.Ezula items this time, that is all.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/20/2008 at 04:02 PM

Application Version : 4.15.1000

Core Rules Database Version : 3508
Trace Rules Database Version: 1499

Scan type : Complete Scan
Total Scan Time : 01:21:22

Memory items scanned : 359
Memory threats detected : 0
Registry items scanned : 7031
Registry threats detected : 0
File items scanned : 140922
File threats detected : 2

Adware.Ezula
C:\WINDOWS\system32\ezstub.exe
C:\WINDOWS\eZinstall.exe

#267 JSntgRvr (Global Moderator, 10,939 posts)
Hi, kelkay :)

Please boot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files

C:\WINDOWS\system32\ezstub.exe
C:\WINDOWS\eZinstall.exe

Restart the computer.

I believe that should do it. How is it doing?

#268 kelkay (Topic Starter, Member, 423 posts)
I did a regular Kaspersky scan and it showed nothing. I am doing an online one, and it shows two cases of an infection. C:/ATT_SST_installer.exe not a virus RemoteAd...

When the scan is through, I will delete the files you mentioned. I have not been using the computer because the AV is turned off while the scan is on...at least not until now. Just wanted to check in and see if you had an update. Hopefully the scan will be through quickly. It is at 77%. :)

#269 kelkay (Topic Starter, Member, 423 posts)
Here are the online scan infections, one name, two different instances of it.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, July 20, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, July 21, 2008 02:38:15
Records in database: 979076
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 144025
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 02:44:49


File name / Threat name / Threats count
C:\ATT_SST_Installer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 2

The selected area was scanned.

#270 kelkay (Topic Starter, Member, 423 posts)
When I went into Safe Mode I looked for those two files and could not find either one. I was looking in Windows Explorer and could not find them. Then I went to Search, all files and folders, and the files were still not there under that particular name. Odd.





