trojan-spy.html.smitfraud.c [RESOLVED]

#1 friksos (New Member, 6 posts)

Greetings, my friends!

My computer has recently been infected by the trojan-spy.html.smitfraud.c virus. I tried to do my best to get rid of it, but it seems that the problems have not disappeared. When Windows starts, an IE window opens; it then does not respond and cannot be closed until I force it to close by clicking End Now several times. The most annoying symptom is that msconfig or Task Manager cannot stay open for more than a second! I count very much on your help. This is my current HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 2:26:40 PM, on 13/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\BITWARE\NT\bwprnmon.exe
D:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\System32\win32.exe
D:\MATLAB\webserver\bin\win32\matlabserver.exe
D:\WINDOWS\System32\NTC.EXE
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\Maratsos\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.mysearch.cc
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mysearch.cc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mysearch.cc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mysearch.cc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\Maratsos\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.mysearch.cc
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mysearch.cc
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\Maratsos\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mysearch.cc
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mysearch.cc
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.mysearch.cc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.mysearch.cc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
O1 - Hosts file is located at: D:\WINDOWS\nsdb\hosts
O1 - Hosts: 82.179.166.164 lender-search.com
O1 - Hosts: 82.179.166.165 hot-searches.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - D:\WINDOWS\system32\appwiz.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E011E223-47F1-4E75-9FC6-9DB636680D6C} - D:\WINDOWS\System32\dmb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [bwprnmon.exe] D:\BITWARE\NT\bwprnmon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Disc Detector] D:\Creative\ShareDLL\ctnotify.exe
O4 - HKLM\..\Run: [AudioHQ] D:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Windows Configs] NTC.EXE
O4 - HKCU\..\Run: [wupd] D:\WINDOWS\System32\win32.exe
O4 - HKCU\..\RunOnce: [Windows Configs] NTC.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {1E32284D-D796-4452-B1E4-4DCC72C982F4} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1E32284D-D796-4452-B1E4-4DCC72C982F4} - (no file) (HKCU)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://www.mysearch.cc/index.php?%00
O13 - WWW Prefix: http://www.mysearch.cc/index.php?%00
O13 - Home Prefix: http://www.mysearch.cc/index.php?%00
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Filter: text/html - {F3B4AE12-119A-4E71-A82D-5367F9E31CDF} - D:\WINDOWS\System32\dmb.dll
O18 - Filter: text/plain - {F3B4AE12-119A-4E71-A82D-5367F9E31CDF} - D:\WINDOWS\System32\dmb.dll
O21 - SSODL: MSThreadMode - {12545303-1234-4321-C321-000000000123} - D:\WINDOWS\system32\MSoGT1.dll (file missing)
O21 - SSODL: System - {7B0EB905-C6C5-4F7C-9B60-5A0F664D958D} - v_sys.dll (file missing)
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - D:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - D:\WINDOWS\System32\CTsvcCDA.EXE (file missing)
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - D:\MATLAB\webserver\bin\win32\matlabserver.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - D:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Welcome to GTG.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download SpHjfix http://www.greyknigh...spy/SpHjfix.exe and run it.

Download CWShredder at http://www.greyknigh.../CWShredder.exe and run it. Click on the 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Reboot into Safe Mode by hitting the F8 key until menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\Maratsos\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.mysearch.cc
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mysearch.cc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mysearch.cc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mysearch.cc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\Maratsos\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.mysearch.cc
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mysearch.cc
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\Maratsos\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mysearch.cc
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mysearch.cc
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.mysearch.cc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.mysearch.cc
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
O1 - Hosts file is located at: D:\WINDOWS\nsdb\hosts
O1 - Hosts: 82.179.166.164 lender-search.com
O1 - Hosts: 82.179.166.165 hot-searches.com
O2 - BHO: (no name) - {E011E223-47F1-4E75-9FC6-9DB636680D6C} - D:\WINDOWS\System32\dmb.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Windows Configs] NTC.EXE
O4 - HKCU\..\Run: [wupd] D:\WINDOWS\System32\win32.exe
O4 - HKCU\..\RunOnce: [Windows Configs] NTC.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {1E32284D-D796-4452-B1E4-4DCC72C982F4} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1E32284D-D796-4452-B1E4-4DCC72C982F4} - (no file) (HKCU)
O13 - DefaultPrefix: http://www.mysearch.cc/index.php?%00
O13 - WWW Prefix: http://www.mysearch.cc/index.php?%00
O13 - Home Prefix: http://www.mysearch.cc/index.php?%00
O18 - Filter: text/html - {F3B4AE12-119A-4E71-A82D-5367F9E31CDF} - D:\WINDOWS\System32\dmb.dll
O18 - Filter: text/plain - {F3B4AE12-119A-4E71-A82D-5367F9E31CDF} - D:\WINDOWS\System32\dmb.dll
O21 - SSODL: MSThreadMode - {12545303-1234-4321-C321-000000000123} - D:\WINDOWS\system32\MSoGT1.dll (file missing)
O21 - SSODL: System - {7B0EB905-C6C5-4F7C-9B60-5A0F664D958D} - v_sys.dll (file missing)


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

D:\WINDOWS\System32\win32.exe
D:\WINDOWS\System32\NTC.EXE
D:\WINDOWS\System32\dmb.dll


I can't find enough information for this file -> D:\WINDOWS\system32\appwiz.dll
Right click on that file and go to Properties. Then go to the Version tab and see what information you can get from there (Company, Description, etc.) and post it here.

Reboot into Normal Mode and run a new HijackThis scan. Save the log file and post it here.

Right click on this link and choose Save As. Save it and then go to that file and double click on it to run it. Click yes to add it to the registry.
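The triage that post #2 does by hand on post #1's log comes down to a handful of structural tells, and it is worth seeing them written out as rules. The Python below is an added example, not part of this thread and not HijackThis code: it parses R0/R1, O1, O4, O13, O18 and "(file missing)" lines and flags an IE setting that points at a Temp file or at the hijacker's host, a wildcard ProxyOverride, a hosts file moved away from its default path, hosts entries that pin a name to a remote address, an autostart given as a bare filename, a URL prefix that carries a host, and a MIME filter on text content. The sample log is a subset of post #1's lines; the hijacker host set is seeded from the entries post #2 fixes; the default hosts path, the severity labels and the reason strings are this example's assumptions.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse

# Hosts post #2 treats as the hijacker's (every R0/R1 pointing at them is fixed).
KNOWN_HIJACKER_HOSTS = {"mysearch.cc", "hot-searches.com", "lender-search.com"}
DEFAULT_HOSTS_SUFFIX = r"\system32\drivers\etc\hosts"  # assumption: stock XP path

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
HOSTS_PATH_RE = re.compile(r"^Hosts file is located at: (?P<path>.+)$")
HOSTS_ENTRY_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<name>\S+)")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[[^\]]*\] (?P<cmd>.+)$")

# Constructed sample: a subset of post #1's log, including lines that are benign.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\Maratsos\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mysearch.cc
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
O1 - Hosts file is located at: D:\WINDOWS\nsdb\hosts
O1 - Hosts: 82.179.166.164 lender-search.com
O2 - BHO: (no name) - {E011E223-47F1-4E75-9FC6-9DB636680D6C} - D:\WINDOWS\System32\dmb.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Configs] NTC.EXE
O4 - HKCU\..\Run: [wupd] D:\WINDOWS\System32\win32.exe
O13 - DefaultPrefix: http://www.mysearch.cc/index.php?%00
O18 - Filter: text/html - {F3B4AE12-119A-4E71-A82D-5367F9E31CDF} - D:\WINDOWS\System32\dmb.dll
O21 - SSODL: System - {7B0EB905-C6C5-4F7C-9B60-5A0F664D958D} - v_sys.dll (file missing)
"""

@dataclass
class Finding:
    severity: str  # "fix": unambiguous hijack tell; "review": needs a human look
    section: str
    reason: str
    line: str

def _hijacker(host, hijackers):
    host = (host or "").lower()
    return any(host == h or host.endswith("." + h) for h in hijackers)

def classify(line, hijackers=KNOWN_HIJACKER_HOSTS):
    """Classify one HijackThis line; None means nothing structural stood out."""
    if not (m := LINE_RE.match(line.strip())):
        return None
    sec, body = m.group("sec"), m.group("body")

    # A hook that outlives its target file is never legitimate configuration.
    if "(file missing)" in body or "(no file)" in body:
        return Finding("fix", sec, "registration points at a file that no longer exists", line)

    if sec in ("R0", "R1"):  # IE start/search/proxy settings
        key, _, value = body.partition(" = ")
        value = value.strip()
        if key.endswith("ProxyOverride") and "*" in value:
            return Finding("fix", sec, "wildcard ProxyOverride bypasses the proxy for hijacker domains", line)
        if value.lower().startswith("file://"):
            return Finding("fix", sec, "IE page/search setting points at a local file", line)
        if _hijacker(urlparse(value).hostname, hijackers):
            return Finding("fix", sec, "IE setting points at a known hijacker host", line)
        return None

    if sec == "O1":  # hosts file location and entries
        pm = HOSTS_PATH_RE.match(body)
        if pm and not pm.group("path").strip().lower().endswith(DEFAULT_HOSTS_SUFFIX):
            return Finding("fix", sec, "hosts file relocated via Tcpip\\Parameters\\DataBasePath", line)
        hm = HOSTS_ENTRY_RE.match(body)
        if hm:
            try:
                addr = ip_address(hm.group("ip"))
            except ValueError:
                return Finding("review", sec, "unparseable hosts entry", line)
            if not addr.is_loopback:
                return Finding("fix", sec, f"hosts pins {hm.group('name')} to remote address {addr}", line)
        return None

    if sec == "O4":  # Run/RunOnce autostarts
        om = O4_RE.match(body)
        if om:
            tokens = om.group("cmd").strip().split()
            exe = tokens[0].strip('"')
            if exe.upper() == "RUNDLL32.EXE" and len(tokens) > 1:
                exe = tokens[1].split(",")[0]  # judge the DLL rundll32 will load
            if "\\" not in exe:
                return Finding("fix", sec, "autostart by bare filename, resolved through the PATH search order", line)
        return None

    if sec == "O13":  # prefixes IE prepends to bare hostnames
        _, _, value = body.partition(": ")
        if urlparse(value.strip()).hostname:
            return Finding("fix", sec, "URL prefix carries a host: every bare hostname typed is routed through it", line)
        return None

    if sec == "O18" and body.startswith("Filter: text/"):
        return Finding("fix", sec, "MIME filter on text content sees every page IE renders", line)
    return None

def triage(log_text, hijackers=KNOWN_HIJACKER_HOSTS):
    return [f for f in (classify(l, hijackers) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.section:<4} {f.reason}\n       {f.line}")
```

On the sample it returns ten entries to fix and nothing for `[NvCplDaemon]` or for `[wupd] D:\WINDOWS\System32\win32.exe`; the latter is malicious but has a full path and a plausible name, so no structural rule catches it. That is exactly the class of entry the thread settles by other means afterwards (version information, an online file analysis, the mwav scan), which is why a log triage script is a filter, not a verdict.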

#3 friksos (Topic Starter, New Member, 6 posts)

Dear greyknight17,
thank you in advance for your invaluable help and your time. I followed your instructions step by step and here is the current situation:

1. CWShredder found no file to delete
2. The file Appwiz.dll has no Version Tab in its Properties! However, I found next to it another file named Appwiz but with no extension. This file had a Version Tab with the following information:
File Version: 5.1.2600.0
Description: Shell Application Manager
Copyright: Microsoft Corporation. All rights reserved.
Company: Microsoft Corporation
File Version: 5.1.2600.0 (xpclient.010817-1148)
Original Filename: Appwiz.cpl
Product name: Microsoft Windows Operating System

3. My current hijackthis logfile is:

Logfile of HijackThis v1.99.1
Scan saved at 12:38:17 AM, on 14/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\MATLAB\webserver\bin\win32\matlabserver.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\BITWARE\NT\bwprnmon.exe
D:\WINDOWS\System32\RUNDLL32.EXE
D:\WINDOWS\System32\cmd32.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\System32\ctfmon.exe
D:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - D:\WINDOWS\system32\appwiz.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [bwprnmon.exe] D:\BITWARE\NT\bwprnmon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Disc Detector] D:\Creative\ShareDLL\ctnotify.exe
O4 - HKLM\..\Run: [AudioHQ] D:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ControlPanel] D:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - D:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - D:\MATLAB\webserver\bin\win32\matlabserver.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - D:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


What I have to point out is that my computer continues to respond rather slowly, and the IE window still appears after startup, but I get rid of it more easily (maybe a service is the cause of it).

Again, thank you for your time.

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

OK, go to this site and upload that Appwiz.dll file to that site. See what the analysis says. Is it good/bad?

You have another trojan there, so let's use a program to see if there are others not showing up here:

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand-alone tool and NOT just a virus checker, so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information pane, left click and highlight all the information in the lower pane. Use CTRL+C on your keyboard to copy everything found in the lower pane and save it to a Notepad file.
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close the prompt and let it continue scanning. We are not going to use this to remove anything, but to ID the bad files.

Once you copy that to a Notepad file, highlight the text and copy it here.

#5 friksos (Topic Starter, New Member, 6 posts)

Well,

The appwiz.dll, according to the site you proposed, is BAD and infected by the Trojan.PWS.Bulka virus.

The results of mwav are the following:

File D:\WINDOWS\System32\cmd32.exe infected by "Trojan-Downloader.Win32.Delf.cb" Virus. Action Taken: No Action Taken.
File System Found infected by "CoolWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File D:\WINDOWS\cxtpls_loader.exe infected by "Trojan-Downloader.Win32.Apropo.ab" Virus. Action Taken: No Action Taken.
File D:\WINDOWS\System32\intronsad.exe infected by "Trojan-Downloader.Win32.Small.ata" Virus. Action Taken: No Action Taken.
File D:\WINDOWS\System32\KILLAPPS.EXE tagged as not-a-virus:RiskWare.Tool.KillApp.b. No Action Taken.
File D:\WINDOWS\System32\wldr.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.
File D:\DOCUME~1\Maratsos\LOCALS~1\TEMPOR~1\Content.IE5\8TWG4ISR\ysb_prompt[1].htm infected by "Trojan-Downloader.JS.IstBar.j" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0152245.CPY tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\_RESTORE\TEMP\A0013470.CPY infected by "not-a-virus:AdWare.Gator.3202" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0013471.CPY infected by "not-a-virus:AdWare.Gator.3202" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0013472.CPY infected by "not-a-virus:AdWare.Gator.3202" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0013473.CPY infected by "not-a-virus:AdWare.Gator.3202" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0013475.CPY infected by "not-a-virus:AdWare.Gator.3202" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0015631.CPY infected by "Trojan.Win32.Delf.bg" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0015633.CPY infected by "Trojan.Win32.Delf.bg" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0024898.CPY infected by "Trojan.Win32.Delf.bg" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0024900.CPY infected by "Trojan.Win32.Delf.bg" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0169196.CPY infected by "not-a-virus:AdWare.SaveNow.ao" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0169197.CPY infected by "not-a-virus:AdWare.SaveNow.ao" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0169208.CPY infected by "not-a-virus:AdWare.SaveNow.ao" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0173670.CPY infected by "not-a-virus:AdWare.SaveNow.f" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0178952.CPY infected by "Trojan-Downloader.Win32.Mediket.s" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0178964.CPY infected by "Trojan-Downloader.Win32.Mediket.s" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0178993.CPY infected by "Trojan-Downloader.Win32.Mediket.s" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0180459.CPY infected by "Trojan-Downloader.Win32.Agent.kf" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0180564.CPY infected by "not-a-virus:AdWare.SaveNow.bj" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0180622.CPY infected by "Trojan-Downloader.Win32.Agent.kf" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0180716.CPY infected by "Trojan-Downloader.Win32.Agent.kf" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0180830.CPY infected by "Trojan-Downloader.Win32.Agent.kf" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0180879.CPY infected by "Trojan-Downloader.Win32.Agent.kf" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0180954.CPY infected by "Trojan-Downloader.Win32.Agent.kf" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181681.CPY infected by "Trojan.Win32.Small.du" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181686.CPY infected by "Trojan.Win32.Small.du" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181687.CPY infected by "Trojan.Win32.Small.du" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181692.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181697.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181698.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181703.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181708.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181709.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181714.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181719.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181720.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181736.CPY infected by "Trojan-Downloader.Win32.Small.rr" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181741.CPY infected by "Trojan-Downloader.Win32.Small.rr" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181742.CPY infected by "Trojan-Downloader.Win32.Small.rr" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181747.CPY infected by "not-a-virus:[bleep]-Dialer.Win32.Kotu.d" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181750.CPY infected by "not-a-virus:[bleep]-Dialer.Win32.Kotu.d" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181753.CPY infected by "not-a-virus:[bleep]-Dialer.Win32.Kotu.d" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181758.CPY infected by "not-a-virus:[bleep]-Dialer.Win32.Kotu.d" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181761.CPY infected by "not-a-virus:[bleep]-Dialer.Win32.Kotu.d" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181764.CPY infected by "not-a-virus:[bleep]-Dialer.Win32.Kotu.d" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181769.CPY infected by "Trojan-Downloader.Win32.Small.rr" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181774.CPY infected by "Trojan-Downloader.Win32.Small.rr" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181775.CPY infected by "Trojan-Downloader.Win32.Small.rr" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181779.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181784.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181785.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181798.CPY infected by "not-a-virus:AdWare.SaveNow.bj" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181801.CPY infected by "not-a-virus:AdWare.SaveNow.bj" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181803.CPY infected by "not-a-virus:AdWare.SaveNow.bj" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181804.CPY infected by "not-a-virus:AdWare.SaveNow.bj" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181807.CPY infected by "not-a-virus:AdWare.SaveNow.bj" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181810.CPY infected by "not-a-virus:AdWare.SaveNow.bj" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181812.CPY infected by "not-a-virus:AdWare.SaveNow.bj" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181813.CPY infected by "not-a-virus:AdWare.SaveNow.bj" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181817.CPY infected by "not-a-virus:AdWare.SaveNow.bj" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181820.CPY infected by "not-a-virus:AdWare.SaveNow.bj" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181822.CPY infected by "not-a-virus:AdWare.SaveNow.bj" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181823.CPY infected by "not-a-virus:AdWare.SaveNow.bj" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181826.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181831.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181832.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181837.CPY infected by "Trojan-Downloader.Win32.Small.rr" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181842.CPY infected by "Trojan-Downloader.Win32.Small.rr" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181843.CPY infected by "Trojan-Downloader.Win32.Small.rr" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181848.CPY infected by "not-a-virus:[bleep]-Dialer.Win32.Intexdial" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181853.CPY infected by "not-a-virus:[bleep]-Dialer.Win32.Intexdial" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181854.CPY infected by "not-a-virus:[bleep]-Dialer.Win32.Intexdial" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181859.CPY infected by "not-a-virus:[bleep]-Dialer.Win32.Star" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181864.CPY infected by "not-a-virus:[bleep]-Dialer.Win32.Star" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181865.CPY infected by "not-a-virus:[bleep]-Dialer.Win32.Star" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181868.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181873.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181874.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181891.CPY infected by "not-a-virus:AdWare.NetNucleus" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181894.CPY infected by "not-a-virus:AdWare.NetNucleus" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181896.CPY infected by "not-a-virus:AdWare.NetNucleus" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181897.CPY infected by "not-a-virus:AdWare.NetNucleus" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181898.CPY infected by "not-a-virus:AdWare.NetNucleus" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181902.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181907.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0181908.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0182012.CPY infected by "not-a-virus:AdWare.Gator.5017" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0182013.CPY infected by "not-a-virus:AdWare.Gator.5017" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0182014.CPY infected by "not-a-virus:AdWare.Gator.5115" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0185300.CPY infected by "Trojan.Win32.Small.du" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0185302.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0185304.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0185306.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0185310.CPY infected by "Trojan-Downloader.Win32.Small.rr" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0185312.CPY infected by "not-a-virus:[bleep]-Dialer.Win32.Kotu.d" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0185314.CPY infected by "not-a-virus:[bleep]-Dialer.Win32.Kotu.d" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0185316.CPY infected by "Trojan-Downloader.Win32.Small.rr" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0185318.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0185322.CPY infected by "not-a-virus:AdWare.SaveNow.bj" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0185324.CPY infected by "not-a-virus:AdWare.SaveNow.bj" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0185326.CPY infected by "not-a-virus:AdWare.SaveNow.bj" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0185328.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0185330.CPY infected by "Trojan-Downloader.Win32.Small.rr" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0185332.CPY infected by "not-a-virus:[bleep]-Dialer.Win32.Intexdial" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0185334.CPY infected by "not-a-virus:[bleep]-Dialer.Win32.Star" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0185336.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0185340.CPY infected by "not-a-virus:AdWare.NetNucleus" Virus. Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0185342.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\wldr.dll infected by "Trojan-Downloader.Win32.Agent.kf" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMP\wldr.dll infected by "Trojan-Downloader.Win32.Agent.kf" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\itshta.exe infected by "Trojan.Win32.Small.cr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\wldr.dll infected by "Trojan-Downloader.Win32.Agent.kf" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\GMT\egIEEngine.dll infected by "not-a-virus:AdWare.Gator.5017" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\GMT\EGIEProcess.dll infected by "not-a-virus:AdWare.Gator.5017" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\GMT\EGNSEngine.dll infected by "not-a-virus:AdWare.Gator.5017" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\GMT\EGGCEngine.dll infected by "not-a-virus:AdWare.Gator.5017" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\CMEII\CMEIIAPI.dll infected by "not-a-virus:AdWare.Gator.5115" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\CMEII\GDwldEng.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\CMEII\GIocl.dll infected by "not-a-virus:AdWare.Gator.5115" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\CMEII\GIoclClient.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\CMEII\GStore.dll infected by "not-a-virus:AdWare.Gator.6051" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\CMEII\GStoreServer.dll infected by "not-a-virus:AdWare.Gator.5115" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\CMEII\CMESys.exe infected by "not-a-virus:AdWare.Gator.5017" Virus. Action Taken: No Action Taken.
File C:\Program Files\Internet Explorer\nmra.exe infected by "Trojan-Downloader.Win32.Delf.cb" Virus. Action Taken: No Action Taken.
File C:\master.exe infected by "not-a-virus:[bleep]-Dialer.Win32.Kotu.d" Virus. Action Taken: No Action Taken.
File C:\slinstaller.exe infected by "Trojan-Downloader.Win32.Agent.ex" Virus. Action Taken: No Action Taken.
File D:\Documents and Settings\Maratsos\Local Settings\Temporary Internet Files\Content.IE5\8TWG4ISR\ysb_prompt[1].htm infected by "Trojan-Downloader.JS.IstBar.j" Virus. Action Taken: No Action Taken.
File D:\Downloads\LiveDrvUni-Pack(ENG).exe tagged as not-a-virus:RiskWare.Tool.KillApp.b. No Action Taken.
File D:\Program Files\Sports Interactive\Football Manager 2005\data\skins\OlympiakosSkin.exe infected by "Trojan-Downloader.Win32.Agent.ex" Virus. Action Taken: No Action Taken.
File D:\Program Files\Sports Interactive\Football Manager 2005\SKINS\fm]\FmGreece_Kits_v2.0.exe infected by "Trojan-Downloader.Win32.Agent.ex" Virus. Action Taken: No Action Taken.
File D:\Program Files\Sports Interactive\Football Manager 2005\SKINS\fm]\FmGreece_Logos_v3.3.exe infected by "Trojan-Downloader.Win32.Agent.ex" Virus. Action Taken: No Action Taken.
File D:\Program Files\Sports Interactive\Football Manager 2005\SKINS\OlympiakosSkin.zip infected by "Trojan-Downloader.Win32.Agent.ex" Virus. Action Taken: No Action Taken.
File D:\Program Files\Sports Interactive\Football Manager 2005\SKINS\skins-fm2005\OlympiakosSkin.exe infected by "Trojan-Downloader.Win32.Agent.ex" Virus. Action Taken: No Action Taken.
File D:\Program Files\Sports Interactive\Football Manager 2005\skins.zip infected by "Trojan-Downloader.Win32.Agent.ex" Virus. Action Taken: No Action Taken.
File D:\RECYCLER\S-1-5-21-2025429265-492894223-725345543-1003\Dd15.exe infected by "Backdoor.Win32.Spyboter.gen" Virus. Action Taken: No Action Taken.
File D:\WINDOWS\cxtpls_loader.exe infected by "Trojan-Downloader.Win32.Apropo.ab" Virus. Action Taken: No Action Taken.
File D:\WINDOWS\Downloaded Program Files\nmra.exe infected by "Trojan-Downloader.Win32.Delf.cb" Virus. Action Taken: No Action Taken.
File D:\WINDOWS\system32\intronsad.exe infected by "Trojan-Downloader.Win32.Small.ata" Virus. Action Taken: No Action Taken.
File D:\WINDOWS\system32\KILLAPPS.EXE tagged as not-a-virus:RiskWare.Tool.KillApp.b. No Action Taken.
File D:\WINDOWS\system32\wldr.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.

It seems that I have a lot more work to do...
  • 0

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Knew that appwiz.dll file looked too suspicious :tazz: We will delete it now.

Uninstall GMT and CMEII from the Add/Remove panel if they are listed.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\itshta.exe
C:\Program Files\Common Files\GMT\
C:\Program Files\Common Files\CMEII\
C:\Program Files\Internet Explorer\nmra.exe
C:\master.exe
C:\slinstaller.exe
D:\WINDOWS\cxtpls_loader.exe
D:\WINDOWS\Downloaded Program Files\nmra.exe
D:\WINDOWS\system32\intronsad.exe
D:\WINDOWS\system32\wldr.dll
D:\WINDOWS\System32\cmd32.exe
D:\WINDOWS\system32\appwiz.dll


For this one:
D:\Program Files\Sports Interactive\Football Manager 2005\


Do you use this program? It seems like all the skins listed there are infected.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to log off, click on Yes.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck that same box to enable system restore.

Restart and run a new mwav and HijackThis scan. Post both logs back here. We should be almost done now.
  • 0

#7 friksos (New Member, Topic Starter, 6 posts)
- Killbox work done.

- I use Football Manager 2005, but don't worry about the SKINS folder. It was just an add-on which I deleted as soon as I read your post.

- Although I had run Cleanup! sometime before, it still found a lot of files to delete.

- I disabled System Restore as you said for my WindowsXP (D:\), but I think you were aiming mostly at my WindowsMe System Restore (C:\). I disabled it too, but I think it didn't delete the restoration points (folder C:\_RESTORE still exists). Should I do something manually?

- I am thinking of keeping System Restore disabled. I have never used it and I find it not very useful (it also reserves a lot of HD space). How harmful can this be?

- Here are the latest logs:
Logfile of mwav:

File System Found infected by "CoolWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File D:\WINDOWS\System32\KILLAPPS.EXE tagged as not-a-virus:RiskWare.Tool.KillApp.b. No Action Taken.
File C:\WINDOWS\SYSTEM\wldr.dll infected by "Trojan-Downloader.Win32.Agent.kf" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMP\wldr.dll infected by "Trojan-Downloader.Win32.Agent.kf" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\wldr.dll infected by "Trojan-Downloader.Win32.Agent.kf" Virus. Action Taken: No Action Taken.
File D:\Downloads\LiveDrvUni-Pack(ENG).exe tagged as not-a-virus:RiskWare.Tool.KillApp.b. No Action Taken.
File D:\WINDOWS\system32\KILLAPPS.EXE tagged as not-a-virus:RiskWare.Tool.KillApp.b. No Action Taken.
Logfile of HijackThis v1.99.1
Scan saved at 9:46:19 πμ, on 17/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\MATLAB\webserver\bin\win32\matlabserver.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\Updreg.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - D:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - D:\MATLAB\webserver\bin\win32\matlabserver.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - D:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
(the programs were run under normal startup, I hope I needn't boot in safe mode...)
  • 0

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Do you have Windows ME also? To disable system restore in Windows ME, do this:

Go to Start->Settings->Control Panel and double-click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check 'Disable System Restore'. Click OK. Click Yes when you are prompted to restart Windows. Now go back and uncheck that box to enable system restore again.

Yes, I know what you mean. I only used it once or twice myself, but I suggest keeping it - unless you don't mind formatting in case of system failures. What I would do is to set the restore points and clear it once in a while by doing the above steps that I mentioned (thus re-enabling it again). That should free up some space :tazz:

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\TEMP\wldr.dll
C:\WINDOWS\wldr.dll


Restart and run CleanUp again.

Download FixAgent http://www.greyknigh...py/FixAgent.zip and unzip it. Run FixAgent.exe. It should fix something. If nothing is fixed, skip to the next step for the HijackThis fixes. If something is found, also download home_missing_114 http://www.greyknigh...missing_114.zip and unzip it. Run the Home winkey missing batch file. Remember: ONLY run home_missing_114 if FixAgent found something.

Any problems now? If not:

Your log is clean.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#9 friksos (New Member, Topic Starter, 6 posts)
- I also have WindowsMe in C:\ which I don't use so often, but it was very useful when my WindowsXP crashed due to the Smitfraud.

- I did as you said but FixAgent found no problem.

- What is the next step you mentioned? Anyway, I post you again my logfile:

Logfile of HijackThis v1.99.1
Scan saved at 11:00:08 πμ, on 18/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\MATLAB\webserver\bin\win32\matlabserver.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\System32\ctfmon.exe
D:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\Updreg.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - D:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - D:\MATLAB\webserver\bin\win32\matlabserver.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - D:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
- I think I'm clean. Everything seems to function correctly and no problems have occurred till now.

- The only thing that bothers me is that alg.exe and spoolsv.exe are missing. Are they so important? (I think alg.exe is!) If yes, can I download them or find them somewhere?
  • 0
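The two log formats traded in this thread (mwav scan lines and HijackThis O23 service entries) are easy to triage mechanically. The following is an added example, not a tool from the thread or from either poster: it parses constructed sample lines in those formats, separates hits in restore/temp/cache folders from files in live locations, counts detections per family, and lists services whose binary is reported as "(file missing)", which is the question raised in this post. The folder markers used for the archived/live split are an assumption of the example.

```python
import re
from collections import Counter

# Constructed sample lines in the two formats seen in this thread (mwav scan
# output and HijackThis O23 service entries). Illustrative only, not the logs
# posted above.
SAMPLE_LINES = [
    r'File C:\_RESTORE\TEMP\A0181868.CPY infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.',
    r'File C:\WINDOWS\wldr.dll infected by "Trojan-Downloader.Win32.Agent.kf" Virus. Action Taken: No Action Taken.',
    r'File D:\WINDOWS\system32\KILLAPPS.EXE tagged as not-a-virus:RiskWare.Tool.KillApp.b. No Action Taken.',
    r'File D:\Downloads\LiveDrvUni-Pack(ENG).exe tagged as not-a-virus:RiskWare.Tool.KillApp.b. No Action Taken.',
    r'O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - D:\WINDOWS\System32\alg.exe (file missing)',
    r'O23 - Service: Print Spooler (Spooler) - Unknown owner - D:\WINDOWS\system32\spoolsv.exe (file missing)',
    r'O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe',
]

# mwav reports either 'infected by "<name>" Virus' or 'tagged as <name>.'
INFECTED_RE = re.compile(r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\.')
TAGGED_RE = re.compile(r'^File (?P<path>.+?) tagged as (?P<name>.+?)\. No Action Taken\.$')
# HijackThis O23: display name, optional (short name), owner, path, optional "(file missing)"
O23_RE = re.compile(
    r'^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - '
    r'(?P<path>.+?)(?P<missing> \(file missing\))?$'
)

# Assumed markers for locations that hold stale copies (System Restore
# snapshots, temp/cache folders, recycle bin). Hits there are not running
# code and are dealt with by purging the folder rather than one file at a time.
ARCHIVE_MARKERS = ('\\_RESTORE\\', '\\TEMP\\', 'Temporary Internet Files', '\\RECYCLER\\')


def family_of(name):
    """'Trojan.Win32.Krepper.ae' -> 'Trojan.Win32.Krepper' (drop a short variant suffix)."""
    head, sep, tail = name.rpartition('.')
    return head if sep and len(tail) <= 4 else name


def is_archived(path):
    """True if the path sits in a restore/temp/cache location."""
    upper = path.upper()
    return any(marker.upper() in upper for marker in ARCHIVE_MARKERS)


def parse_line(line):
    """Return a dict for a detection or service line, or None for anything else."""
    line = line.rstrip()
    m = INFECTED_RE.match(line) or TAGGED_RE.match(line)
    if m:
        return {"kind": "file", "path": m.group("path"), "name": m.group("name")}
    m = O23_RE.match(line)
    if m:
        return {"kind": "service", "display": m.group("display"), "short": m.group("short"),
                "owner": m.group("owner"), "path": m.group("path"),
                "missing": m.group("missing") is not None}
    return None


def triage(lines):
    """Split file hits into live vs archived, count families, list missing services."""
    result = {"live": [], "archived": [], "missing_services": [], "families": Counter()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "file":
            result["families"][family_of(rec["name"])] += 1
            bucket = "archived" if is_archived(rec["path"]) else "live"
            result[bucket].append(rec)
        elif rec["missing"]:
            result["missing_services"].append(rec["short"] or rec["display"])
    return result


if __name__ == "__main__":
    summary = triage(SAMPLE_LINES)
    print("Live files to review:", [r["path"] for r in summary["live"]])
    print("Archived copies:", len(summary["archived"]))
    print("Families:", dict(summary["families"]))
    print("Services with missing binaries:", summary["missing_services"])
```

A service entry marked "(file missing)" only means HijackThis could not find the binary at the registered path; the services.msc check the helper describes in the next post is how to confirm what the entry actually is.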

#10 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Not sure why, but they seem to be missing. Just to make sure it's ok, go to Start->Run and type in services.msc and hit OK. Look for Application Layer Gateway Service. Is it Started (under Status column) and what is it set on (manual/automatic/disable)?

For the Print Spooler, I think that's a trojan problem which is fixed now. Go to services.msc again and see if you can find an entry for Print Spooler (Spooler). Notice the extra (Spooler) part at the end. If you can find that, make sure it's stopped and disabled by double clicking on it. Click on the Stop button and under Startup type, choose Disabled.

Your log is clean.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#11 friksos (New Member, Topic Starter, 6 posts)
- Application Layer Gateway has no status (not started) and its startup is set to manual.

- There is no Print Spooler service with extra Spooler part at the end.

- Updates done. My computer has no problem right now.

- I think I am set to go. Thank you, thank you, thank you. You are excellent!
  • 0

#12 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0