
Trojans: AIM, Backdoor, Apropop, HuntBar [RESOLVED]


  • This topic is locked

#16
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
The virus looks to be back:

O4 - HKLM\..\Run: [Windows Services Hosts] svhosts.exe
O4 - HKLM\..\RunServices: [Windows Services Hosts] svhosts.exe

http://www.sophos.co...rojsdbotyh.html

Lets see if we can kill it before it invites some friends over.

Copy the part in bold below into notepad and save it as nobotyh.reg

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Services Hosts"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Services Hosts"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Services Hosts"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Services Hosts"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"Windows Services Hosts"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Windows Services Hosts"=-


Now reboot into safe mode and doubleclick that file. Confirm you want to merge it with the registry and delete:
C:\svhosts.exe <= only the file in that location and with exactly that name.

Boot back to normal and let me know how it's running.

Regards,
  • 0


#17
MollyM

    Member

  • Topic Starter
  • 55 posts
Alright, I had no problem merging that file with the registry. However, I cannot locate svhosts.exe in my C:\ folder (or anywhere for that matter). I do see two files there called "spead" and "update" which I'm pretty sure are related to the virus or trojan because they have dates of 5/16 and 5/17 (when this whole mess began). In addition, I keep getting privacy alerts saying that go.com is trying to place a cookie in my system.

Thanks again

Edited by MollyM, 08 June 2005 - 01:53 PM.

  • 0

#18
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Please do this for the files that you do not trust.
Rightclick them and rename them to spead.bak and update.bak

See HERE for how to show hidden files.

Also check the settings to show extensions.

Keep me posted,
  • 0

#19
MollyM

    Member

  • Topic Starter
  • 55 posts
I revealed the hidden files and extensions. C:\svhosts still isn't there, BUT right before that I got that message that said that svhosts has encountered a problem and needs to close. I changed spread.exe and update.exe to spead.bak and update.bak. SpySubtract keeps alerting me that Software has attempted to change my internet browser configuration. Mostly URL Zone Changes.

Let me know what you need me to do from here.

Thanks again.
  • 0

#20
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
I'd like to see another HijackThis log please.

And can you surf to http://www.thespykil...x.php?topic=5.0
Follow the instructions there to upload the files you renamed.
I want to have a look and see what they do (or rather "did")

Regards,
  • 0

#21
MollyM

    Member

  • Topic Starter
  • 55 posts
Here's the link to my post on that board:
http://www.thespykil...php?topic=341.0

I'm also getting messages saying SpySubtract has encountered an error and needs to close. When it's not closed, SpySubtract is alerting me to more browser changes, which I try to deny access, but more come up.

In addition I got a message saying "Dr. Watson Postmortem Debugger" (no idea what this is) has encountered an error and needs to close.

Here's the new log:
Logfile of HijackThis v1.99.1
Scan saved at 11:40:05 AM, on 6/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Molly\Desktop\Unused Desktop Shortcuts\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Windows Services Hosts] svhosts.exe
O4 - HKLM\..\RunServices: [Windows Services Hosts] svhosts.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Molly"
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WinMPG Video Convert 5.5 - {DD978772-B08B-4461-83FE-DACCA5F70524} - C:\PROGRA~1\WINMPG~1\winMPGQTr.dll (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Edited by MollyM, 09 June 2005 - 09:46 AM.

  • 0
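As an added illustration (not code from this thread or from HijackThis), here is a small Python checker for the O4 autostart lines of a log like the one above. It flags entries whose command has no directory path, whose filename is a near-miss of a real Windows system binary such as svchost.exe, or that sit in the legacy RunServices key, which is exactly how the svhosts.exe entries in this log stand out. The sample lines, the LEGIT_NAMES list and the similarity threshold are the example's own assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: a few O4 lines modelled on the HijackThis log in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\System32\\igfxtray.exe
O4 - HKLM\\..\\Run: [VirusScan Online] "c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe"
O4 - HKLM\\..\\Run: [Windows Services Hosts] svhosts.exe
O4 - HKLM\\..\\RunServices: [Windows Services Hosts] svhosts.exe
O4 - Global Startup: SpySubtract.lnk = C:\\Program Files\\InterMute\\SpySubtract\\SpySub.exe
"""

# Genuine Windows system binaries whose names malware commonly imitates (assumed list).
LEGIT_NAMES = ("svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
               "explorer.exe", "smss.exe", "csrss.exe")

# Matches registry-based O4 lines: hive, key (Run / RunServices / ...), entry name, command.
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')

def first_token(cmd):
    """Return the executable part of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]

def assess_o4_line(line):
    """Return the reasons an O4 autostart entry looks suspicious ([] if none)."""
    m = O4_RE.match(line)
    if not m:
        return []
    exe = first_token(m.group("cmd"))
    base = exe.rsplit("\\", 1)[-1].lower()
    reasons = []
    # 1. Bare filename with no directory: Windows resolves it through the search
    #    path, so the log alone cannot say where the file really lives.
    if "\\" not in exe and ":" not in exe:
        reasons.append("no path: executable location unknown")
    # 2. Name very close to, but not identical with, a real system binary.
    for legit in LEGIT_NAMES:
        if base != legit and SequenceMatcher(None, base, legit).ratio() >= 0.85:
            reasons.append(f"lookalike of {legit}")
            break
    # 3. RunServices is a Windows 9x/Me key; on XP it is normally empty, so a
    #    populated entry usually means something wrote every autostart key it knew.
    if m.group("key").startswith("RunServices"):
        reasons.append("RunServices key used on NT-family Windows")
    return reasons

def scan(log_text):
    """Map each suspicious O4 line in a log to its list of reasons."""
    findings = {}
    for line in log_text.splitlines():
        reasons = assess_o4_line(line)
        if reasons:
            findings[line] = reasons
    return findings

if __name__ == "__main__":
    for entry, why in scan(SAMPLE_LOG).items():
        print(entry, "->", "; ".join(why))
```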

#22
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Reboot into safe mode and use the DiskCleanup Tool to empty all your Temp folders.

Then run HijackThis (still in safe mode) and post the log when you get back.
There are too few processes running in your normal logs. I suspect things are actively being hidden.
Getting a log made in safe mode might reveal some more.

In the meantime I'm going to have a look at the files you uploaded.

Regards,
  • 0

#23
MollyM

    Member

  • Topic Starter
  • 55 posts
FYI: All my previous logs have also been from safe mode.

I ran that program and here's my latest log:

Logfile of HijackThis v1.99.1
Scan saved at 3:04:28 PM, on 6/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Molly\Desktop\Unused Desktop Shortcuts\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Windows Services Hosts] svhosts.exe
O4 - HKLM\..\RunServices: [Windows Services Hosts] svhosts.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Molly"
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WinMPG Video Convert 5.5 - {DD978772-B08B-4461-83FE-DACCA5F70524} - C:\PROGRA~1\WINMPG~1\winMPGQTr.dll (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
  • 0

#24
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
I don't know if you saw my post at TheSpyKiller?

Both files were identified as Trojans. There was one scanner that recognized them both and they do have an online scan I'd like you to do:

http://www.kaspersky...oduct=161744315

Let me know,
  • 0

#25
MollyM

    Member

  • Topic Starter
  • 55 posts
Hi,

I saw your post. I tried going to that webscan, but when I click on the button that says "Launch Kaspersky Anti-Virus Web Scanner" nothing launches.
  • 0


#26
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Nothing happens?

That's a bummer, because since you already have McAfee installed, it is not advisable to install a second AntiVirus.

Please download a free trial of TDS3 from here:
http://tds.diamondcs...x.php?page=home
Update as described here:
http://tds.diamondcs...php?page=update
When that is ready click System Testing > Full system scan
Rightclick one of the items that was found and you will get a menu.
Choose save as text. Copy the content of that textfile into your next post.

Regards,
  • 0

#27
MollyM

    Member

  • Topic Starter
  • 55 posts
Hi Pieter:

That scan seemed pretty thorough. Here are the results (please note: I removed my last name and just left the initial whenever it came up)

Scan Control Dumped @ 17:48:13 09-06-05
Positive identification: RAT.Agent.jn7
File: c:\windows\system32\svhosts.exe

Positive identification: RAT.Agent.jn7
File: c:\windows\system32\svhosts.exe

Positive identification: TrojanDropper.Win32.Agent.ec
File: c:\dist1_1_00.exe

Positive identification: RAT.Agent.jn7
File: c:\update.bak

Positive identification: Adware.WinFetcher.d Dropper.a
File: c:\documents and settings\christopher m\local settings\temp\tracker9.exe

Positive identification: Adware.WinFetch
File: c:\documents and settings\christopher ml\local settings\temp\winwildapp.exe

Positive identification: Adware.WinFetcher.d Dropper.a
File: c:\documents and settings\christopher m\local settings\temporary internet files\content.ie5\60rxpjfd\tracker9[1].exe

Positive identification: Adware.VirtualBouncer.j Dropper.b
File: c:\documents and settings\christopher m\local settings\temporary internet files\content.ie5\arx9mrm6\bundleouter2504040406[1].exe

Positive identification: TrojanDownloader.Win32.Apropo.u Dropper
File: c:\documents and settings\christopher m\local settings\temporary internet files\content.ie5\l6dz28fi\autoupdaterinstaller[2].exe

Positive identification: Adware.VirtualBouncer.j Dropper.b
File: c:\documents and settings\christopher m\local settings\temporary internet files\content.ie5\l6dz28fi\bundleouter2601031121[1].exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\molly\desktop\firefox setup 1.0.4.exe

Positive identification (DLL): Adware.Coupons (dll)
File: c:\documents and settings\molly\desktop\unused desktop shortcuts\backups\backup-20050606-171510-485.dll

Suspicious Filename: Dual extensions
File: c:\documents and settings\molly\my documents\stjoseph.ltr.doc

Suspicious Filename: Dual extensions
File: c:\documents and settings\molly m\my documents\college\sjc down payment2.ltr.doc

Suspicious Filename: Dual extensions
File: c:\documents and settings\molly m\my documents\college\sjc downpayment.ltr.doc

Positive identification (DLL): Adware.MiniBug (dll)
File: c:\program files\aws\weatherbug\minibugtransporter.dll

Suspicious Filename: HTA file in suspicious location
File: c:\program files\microsoft money\system\discover.hta

Suspicious Filename: HTA file in suspicious location
File: c:\program files\microsoft money\system\lnpg.hta

Positive identification: Adware.WinFetcher.d
File: c:\program files\tracker\golfregister.exe

Positive identification (DLL): Adware.TotalVelocity.e BHO (dll)
File: c:\program files\tv media\tvmbho.dll

Positive identification: RAT.Agent.jn7
File: c:\system volume information\_restore{71f37383-55db-4712-bd5d-3faf5c7f4d98}\rp1\a0006021.exe

Positive identification: Trojan.Win32.Agent.az
File: c:\windows\system32\bggb.exe

Positive identification: RAT.Agent.jn7
File: c:\windows\system32\svhosts.exe

Which of these can I delete?

Edited by MollyM, 09 June 2005 - 05:12 PM.

  • 0

#28
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
All the positive identifications can be deleted.

Leave these:
Suspicious Filename: Dual extensions
and these:
Suspicious Filename: HTA file in suspicious location
alone.

Regards,

Pieter
  • 0
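To show how the triage rule in the reply above can be applied mechanically, here is an added Python example (not from the thread or from TDS3) that parses a TDS3 text dump like the one posted earlier: positive identifications go on a delete list, the heuristic "Suspicious Filename" hits are left alone, duplicate reports of the same file are collapsed, and copies under System Volume Information\_restore are set aside because System Restore manages those files rather than the user. The sample dump is a constructed excerpt modelled on the one posted above.

```python
import re

# Constructed excerpt modelled on the TDS3 dump posted in this thread.
SAMPLE_DUMP = """\
Scan Control Dumped @ 17:48:13 09-06-05
Positive identification: RAT.Agent.jn7
File: c:\\windows\\system32\\svhosts.exe

Positive identification: RAT.Agent.jn7
File: c:\\windows\\system32\\svhosts.exe

Positive identification: TrojanDropper.Win32.Agent.ec
File: c:\\dist1_1_00.exe

Suspicious Filename: Dual extensions
File: c:\\documents and settings\\molly\\my documents\\stjoseph.ltr.doc

Positive identification (DLL): Adware.MiniBug (dll)
File: c:\\program files\\aws\\weatherbug\\minibugtransporter.dll

Positive identification: RAT.Agent.jn7
File: c:\\system volume information\\_restore{71f37383-55db-4712-bd5d-3faf5c7f4d98}\\rp1\\a0006021.exe
"""

# A verdict line: "Positive identification: X", "Positive identification (DLL): X"
# or "Suspicious Filename: X"; the next "File:" line carries the path.
VERDICT_RE = re.compile(
    r"^(?P<kind>Positive identification|Suspicious Filename)(?: \(DLL\))?: (?P<detail>.+)$")

def parse_dump(text):
    """Return (kind, detail, lower-cased path) triples from a TDS3 text dump."""
    entries, pending = [], None
    for line in text.splitlines():
        m = VERDICT_RE.match(line.strip())
        if m:
            pending = (m.group("kind"), m.group("detail"))
        elif line.startswith("File: ") and pending:
            entries.append((pending[0], pending[1], line[len("File: "):].strip().lower()))
            pending = None
    return entries

def triage(text):
    """Group results into 'delete', 'leave' and 'restore_point' buckets of path -> detail."""
    buckets = {"delete": {}, "leave": {}, "restore_point": {}}
    for kind, detail, path in parse_dump(text):
        if "\\system volume information\\_restore" in path:
            # Restore-point copies are owned by System Restore, not deletable by hand.
            buckets["restore_point"].setdefault(path, detail)
        elif kind == "Positive identification":
            buckets["delete"].setdefault(path, detail)      # dedupes repeated hits
        else:
            buckets["leave"].setdefault(path, detail)       # heuristic name checks only
    return buckets

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_DUMP).items():
        print(bucket)
        for path, detail in hits.items():
            print("  ", detail, "-", path)
```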

#29
MollyM

    Member

  • Topic Starter
  • 55 posts
Looks like some good progress today...

Last night I deleted those items (all except for the ones you mentioned). This morning I ran a fresh scan and it looked as though those deleted items were hiding out in system restore. I disabled it, ran another scan and enabled it and it came back clean! I'm running another SpySubtract scan then I'll post another HijackThis logfile to see if this thing is really gone for good. Let's hope! Thanks for all your help. :tazz:
  • 0

#30
MollyM

    Member

  • Topic Starter
  • 55 posts
SpySubtract is still coming up with a medium to high risk threat which is TotalVelocity.com and contains C:\ProgramFiles\TV Media and C:\Program Files\Tv Media\ TvmCore.dll

But, when I try to get rid of these I get a message saying removal of 'TvmCore.dll' may cause your system to shut down or become temporarily unstable. How should I go about getting rid of this?
  • 0