Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Another Antivirus Gold case [RESOLVED]

Started by Larscha , Jul 26 2005 04:26 AM

  • This topic is locked This topic is locked

#1
Larscha
Posted 26 July 2005 - 04:26 AM

Larscha

    New Member

  • Member
  • Pip
  • 2 posts
Hi, I came home from my vacation 2 days ago and found to my surprise that my computer was infected by a bunch of spyware... I updated and ran full system scans on spy sweeper and NA... I deleted everything that popped up. Norton cant find anything more. Spysweeper says: Trojan Horse Found: Antivirus Gold, 3 things in the registry...

I also get some IE popups with ads and stuff, and a warning triangle in my lower right corner says something about spyware. I have also got a bunch of new favourites...



I GREATLY appreciate ANY help I can get on this problem...

Here is my hijack this log, from normal mode:



Logfile of HijackThis v1.99.1
Scan saved at 12:12:14, on 2005-07-26
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\shnlog.exe
C:\Program\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\intmonp.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program\Alias\Maya6.5\docs\wrapper.exe
C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Spy Sweeper\SpySweeper.exe
C:\Program\Alias\Maya6.5\docs\jre\bin\java.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\intmon.exe
C:\Program\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program\Microsoft Office\Office\1053\OLFSNT40.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program\iPod\bin\iPodService.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\Messenger\msmsgs.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicks...es.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicks...earch.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicks...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp8A34.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [SpySweeper] "C:\Program\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Port för Symantec Fax Starter Edition.lnk = C:\Program\Microsoft Office\Office\1053\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {3637C046-4008-11D5-ADF6-0050DA74F67C} (UniPrintCab Control) - https://webworkplace...xp/UniPrint.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093025742480
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futurema...lobal/msc34.cab
O20 - Winlogon Notify: MCPClient - C:\Program\DELADE~1\Stardock\mcpstub.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: iPod-tjänst (iPodService) - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program\Delade filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Maya 6.5 Documentation Server (maya65docserver) - Unknown owner - C:\Program\Alias\Maya6.5\docs\wrapper.exe
O23 - Service: Norton AntiVirus Auto Protect-tjänst (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by Larscha, 26 July 2005 - 05:43 AM.

  • 0

Advertisements

#2
greyknight17
Posted 26 July 2005 - 09:40 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Download smitRem.zip at http://noahdfear.gee.../click.php?id=1 and save the file to your desktop.
Unzip the file to it's own folder on the desktop.

Please download the trial version of Ewido Security Suite at http://www.ewido.net/en/download/ and read the Ewido setup instructions at http://rstones12.gee.../ewidosetup.htm. Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.gee...areSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicks...es.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicks...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp8A34.tmp

Open the smitRem folder and double click on the RunThis.bat file to start the tool. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

Delete this file if found:

C:\WINDOWS\System32\hp8A34.tmp

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

* Click on scanner.
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with ewido it is finding cases of false positives.
* You will need to step through the process of cleaning files one-by-one.
* If Ewido detects a file you KNOW to be legitimate, select none as the action.
* Do NOT select 'Perform action on all infections'.
* If you are unsure of any entry found, select none for now.
* When the scan is finished, click the Save report button at the bottom of the screen.
* Save the report to your desktop.

Close Ewido.

Next go to Control Panel->Display->Desktop->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Reboot back into Windows and go to http://www.pandasoft...n_principal.htm to do a full system scan. Make sure the autoclean box is checked. Save the scan log and post it along with a new HijackThis log, the contents of the smitfiles.txt log and the Ewido log (if you ran it).
  • 0

#3
Larscha
Posted 28 July 2005 - 02:40 AM

Larscha

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Hi, THANKS for your time, it seems like ur the man :tazz: But theres still somestuff left... Check the panda log for it...


This is the Hijack this log, remember i ran everything after you description ;)

Logfile of HijackThis v1.99.1
Scan saved at 10:18:33, on 2005-07-27
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [SpySweeper] "C:\Program\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Port för Symantec Fax Starter Edition.lnk = C:\Program\Microsoft Office\Office\1053\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {3637C046-4008-11D5-ADF6-0050DA74F67C} (UniPrintCab Control) - https://webworkplace...xp/UniPrint.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093025742480
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futurema...lobal/msc34.cab
O20 - Winlogon Notify: MCPClient - C:\Program\DELADE~1\Stardock\mcpstub.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod-tjänst (iPodService) - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program\Delade filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Maya 6.5 Documentation Server (maya65docserver) - Unknown owner - C:\Program\Alias\Maya6.5\docs\wrapper.exe
O23 - Service: Norton AntiVirus Auto Protect-tjänst (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Smitfiles log


smitRem log file
version 2.2

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

oleext.dll
wppp.html
intmonp.exe
msmsgs.exe
ole32vbs.exe
msole32.exe
hp***.tmp
intmon.exe
hhk.dll
logfiles


~~~ Windows directory ~~~

sites.ini
popuper.exe


~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN!



Ewido log, Remember all these are cookies on a disk that doesnt drive the os, its a really old version of me that is not in use...

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 15:53:08, 2005-07-27
+ Report-Checksum: A506BFA

+ Scan result:

E:\WINDOWS\COOKIES\[email protected][1].txt -> Spyware.Cookie.Preferences : Cleaned without backup
E:\WINDOWS\COOKIES\[email protected][2].txt -> Spyware.Cookie.Link4ads : Cleaned without backup
E:\WINDOWS\COOKIES\[email protected][1].txt -> Spyware.Cookie.Clickzs : Cleaned without backup
E:\WINDOWS\COOKIES\standard@clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned without backup
E:\WINDOWS\COOKIES\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned without backup
E:\WINDOWS\COOKIES\[email protected][2].txt -> Spyware.Cookie.Pro-market : Cleaned without backup
E:\WINDOWS\COOKIES\standard@track-star[2].txt -> Spyware.Cookie.Track-star : Cleaned without backup
E:\WINDOWS\COOKIES\[email protected][1].txt -> Spyware.Cookie.Clickfinders : Cleaned without backup
E:\WINDOWS\COOKIES\[email protected][1].txt -> Spyware.Cookie.Porntrack : Cleaned without backup
E:\WINDOWS\COOKIES\standard@preferences[2].txt -> Spyware.Cookie.Preferences : Cleaned without backup
E:\WINDOWS\COOKIES\[email protected][1].txt -> Spyware.Cookie.Oxcash : Cleaned without backup
E:\WINDOWS\COOKIES\[email protected][2].txt -> Spyware.Cookie.Ad-flow : Cleaned without backup
E:\WINDOWS\COOKIES\[email protected][2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned without backup
E:\WINDOWS\COOKIES\[email protected][2].txt -> Spyware.Cookie.Porntrack : Cleaned without backup
E:\WINDOWS\COOKIES\[email protected][1].txt -> Spyware.Cookie.Adorigin : Cleaned without backup
E:\WINDOWS\COOKIES\[email protected][2].txt -> Spyware.Cookie.Porntrack : Cleaned without backup
E:\WINDOWS\COOKIES\[email protected][1].txt -> Spyware.Cookie.Adorigin : Cleaned without backup
E:\WINDOWS\COOKIES\[email protected][1].txt -> Spyware.Cookie.Porntrack : Cleaned without backup
E:\WINDOWS\COOKIES\[email protected][3].txt -> Spyware.Cookie.Link4ads : Cleaned without backup
E:\WINDOWS\COOKIES\standard@oxcash[1].txt -> Spyware.Cookie.Oxcash : Cleaned without backup
E:\WINDOWS\COOKIES\[email protected][1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned without backup
E:\WINDOWS\COOKIES\[email protected][1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][2].txt -> Spyware.Cookie.Porntrack : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][1].txt -> Spyware.Cookie.Popuptraffic : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][1].txt -> Spyware.Cookie.Porntrack : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][3].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][1].txt -> Spyware.Cookie.Cqcounter : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][2].txt -> Spyware.Cookie.Offshoreclicks : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][3].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][3].txt -> Spyware.Cookie.Porntrack : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][1].txt -> Spyware.Cookie.Offshoreclicks : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][2].txt -> Spyware.Cookie.Hyperbanner : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
E:\WINDOWS\COOKIES\standard@x-10[1].txt -> Spyware.Cookie.X10 : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][1].txt -> Spyware.Cookie.Offshoreclicks : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][2].txt -> Spyware.Cookie.Bpath : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][3].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][3].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
E:\WINDOWS\COOKIES\standard@epilot[1].txt -> Spyware.Cookie.Epilot : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][1].txt -> Spyware.Cookie.Itrack : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][1].txt -> Spyware.Cookie.Cqcounter : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][1].txt -> Spyware.Cookie.Porntrack : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][3].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][2].txt -> Spyware.Cookie.Bpath : Cleaned with backup
E:\WINDOWS\COOKIES\standard@oxcash[2].txt -> Spyware.Cookie.Oxcash : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][4].txt -> Spyware.Cookie.Porntrack : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][4].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][3].txt -> Spyware.Cookie.Porntrack : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][3].txt -> Spyware.Cookie.Offshoreclicks : Cleaned with backup
E:\WINDOWS\COOKIES\standard@i12[1].txt -> Spyware.Cookie.I12 : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][3].txt -> Spyware.Cookie.Bpath : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][1].txt -> Spyware.Cookie.Hightrafficads : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][2].txt -> Spyware.Cookie.Popuptraffic : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][4].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][3].txt -> Spyware.Cookie.Itrack : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
E:\WINDOWS\COOKIES\[email protected][4].txt -> Spyware.Cookie.Porntrack : Cleaned with backup
E:\Mina dokument\Mottagna filer\101 new icons for msn.exe -> Not-A-Virus.Joke.JepRuss : Cleaned without backup


::Report End


Panda log, where some is still left...


Incident Status Location

Adware:adware/comet No disinfected C:\WINDOWS\INF\dm.inf
Adware:adware/psguard No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGUARD
Spyware:Spyware/StartPage No disinfected E:\WINDOWS\sp.dll


Thanks for your time, I GREATLY appreciate it!
  • 0

#4
greyknight17
Posted 28 July 2005 - 10:13 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
These should be gone already. But can you tell me if you can find any of these files?

c:\windows\popuper.exe
c:\windows\sites.ini
c:\windows\system32\hhk.dll
c:\windows\system32\hp***.tmp - look for any .tmp file that begins with hp followed by a few random characters
c:\windows\system32\intmon.exe
c:\windows\system32\intmonp.exe
c:\windows\system32\logfiles\
c:\windows\system32\msmsgs.exe
c:\windows\system32\msole32.exe
c:\windows\system32\ole32vbs.exe
c:\windows\system32\oleext.dll
c:\windows\system32\wppp.html

Delete these two manually:

C:\WINDOWS\INF\dm.inf
E:\WINDOWS\sp.dll

I will send you a PM now because according to the log here, you have something that won't be easy to remove. We will need a tool to help us remove it, but this tool has not gone public yet. So we can not post it here. Do the above and then use the tool I will tell you about in the PM.
  • 0

#5
greyknight17
Posted 28 July 2005 - 09:20 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
As discussed in PM, issue seems to be gone now :tazz:

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. ;)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP