
Trojan trouble



#1 TusseyBoy (Member, 10 posts)
Hello, I am new to this site. I am having trouble with a trojan. First off I run:
~Microsoft Antispyware
~Ad-Aware SE
~Spybot S&D
~Avast AntiVirus
~HiJack This
And have had no luck

I have (according to Microsoft AntiSpyware) 1. Trojan intell32. I chose to delete it, but it just returns within mins. 2. WorldAntiSpy is on my desktop, I delete it from add/remove and it is gone, until I reboot. It just returns. Microsoft says it is "bad", WorldAntiSpy says it is a spyware stopper, but I don't believe it. I am not a real PC wiz with this stuff. Can anyone pass some insight along? I would greatly appreciate it. Thanks

TB

#2 TusseyBoy (Topic Starter)
Ok. I know "bumps" and double posts are discouraged here, but I am getting desperate. All I need is a little help, or a point in the right direction...Thx

#3 tampabelle (Retired Staff, 6,363 posts)
We'll need you to use a free diagnostic tool, Hijack This. Follow the instructions in step five of this guide, and reply here with your log.

Most of what Hijack This lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

Edited by tampabelle, 28 September 2005 - 12:24 PM.


#4 TusseyBoy (Topic Starter)
I am at work, I will do this as soon as I am at home. Thnx!!

#5 tampabelle (Retired Staff)
Sure, post back the log in your next reply.

#6 TusseyBoy (Topic Starter)
Logfile of HijackThis v1.99.1
Scan saved at 6:06:05 PM, on 9/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ETWC v1.1\etwc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\My downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


There are 2 trusted zones that have been there for months and they won't go away either. FYI
Thnx!
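As an added example (Python written for this page, not code from the thread or from the HijackThis tool), here is a small triage script for HJT-style logs like the one above. It parses the R/F/O entry lines and flags the entry types a helper usually looks at first: O15 Trusted Zone additions (the two crazywinnings.com entries the poster mentions), O16 ActiveX downloads, and O4 Run entries that give only a bare file name rather than a full path, which are worth confirming because the system has to resolve them to a file. The sample lines are copied from the log above; the flags are review prompts, not verdicts on any particular entry.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "<code> - <detail>" lines; the header and the running-process list do not match.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<detail>.*)$")
# O4 Run entries: "...\Run: [name] command"
RUN_RE = re.compile(r"\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


@dataclass
class Entry:
    code: str    # HJT section code, e.g. "O4", "O15"
    detail: str  # everything after "<code> - "


def parse_hjt(text):
    """Return the R/F/O entries of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("detail")))
    return entries


def run_executable(detail):
    """Executable token of an O4 Run entry: the quoted path, or the first whitespace-delimited token."""
    m = RUN_RE.search(detail)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else None


def trusted_zone_domains(entries):
    """Domains added to IE's Trusted Zone (O15), de-duplicated across HKCU/HKLM."""
    domains = set()
    for e in entries:
        if e.code == "O15":
            domains.add(e.detail.split(":", 1)[1].split(" (")[0].strip())
    return sorted(domains)


def triage(entries):
    """Review prompts as (code, reason, detail) tuples for the entry types checked first."""
    findings = []
    for e in entries:
        if e.code == "O15":
            findings.append((e.code, "Trusted Zone entry: review the domain", e.detail))
        elif e.code == "O16":
            findings.append((e.code, "ActiveX download (DPF): review the source URL", e.detail))
        elif e.code == "O4":
            exe = run_executable(e.detail)
            if exe and "\\" not in exe:
                findings.append((e.code, "Run entry with a bare file name: confirm which file it resolves to", e.detail))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("Trusted zones:", trusted_zone_domains(parsed))
    for code, reason, detail in triage(parsed):
        print(f"{code}: {reason}\n    {detail}")
```

On the sample this reports the single crazywinnings.com domain (listed twice in the log, once per hive), the Panda ActiveScan DPF entry, and the two Logitech Run entries that are given as bare file names; the Logitech ones are a case where the prompt leads to a quick check rather than a removal.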

#7 tampabelle (Retired Staff)
Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, you will be asked to fix some entries, delete some files or uninstall some programs. If you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp
Run the installer to install CleanUp.

Download DelDomains.inf.

Right click on it and then click on Install.

Run CleanUp and delete all temp files including temporary internet files

Please visit Panda and do an online scan. Save the scan report.

Run Hijack This and post a fresh HJT log along with Panda scan report.

#8 TusseyBoy (Topic Starter)
Logfile of HijackThis v1.99.1
Scan saved at 7:43:25 PM, on 9/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



Incident Status Location

Virus:Bck/Delf Disinfected C:\Documents and Settings\Owner\My Documents\etmain\ET STUFF\aimingbyraz.zip[thedamned4.0.zip][KeyLib.dll]
Possible Virus. No disinfected C:\Program Files\Lock Down Mu\MuLockdown\MuLockdown.exe
Adware:Adware/IST.ISTBar No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E48613C4-6686-4AAC-AFFD-5B6959\86F62E28-FF7C-40E3-B783-2D6718
Virus:W32/Smitfraud.D Disinfected C:\WINDOWS\$NtUninstallKB896727-IE6SP1-20050719.165959$\wininet.dll
Adware:adware/searchaid No disinfected C:\WINDOWS\d3jv32.exe
Adware:adware/cws.008k No disinfected C:\WINDOWS\iefr.dll
Adware:adware/navipromo No disinfected C:\WINDOWS\sdkbe32.exe
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\fdzfo.dll
Adware:adware/transponder No disinfected C:\WINDOWS\system32\msts32.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\m?dtc.exe
Spyware:spyware/smitfraud No disinfected C:\WINDOWS\system32\oleext.dll
Adware:adware/adsmart No disinfected C:\WINDOWS\system32\thun.dll
Adware:adware/nowfind No disinfected C:\WINDOWS\system32\wcnl32.dll
Adware:adware/sbsoft No disinfected C:\WINDOWS\system32\winsx.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\xldrj.dll

On the DelDomains, I put it on my desktop and right-clicked it. The only thing I saw was my desktop flash quickly. That was the only way I could right-click and see an "Install" option.

Thnx

#9 tampabelle (Retired Staff)
Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows.

Please do a Panda scan again and post back the scan report here.

Also, please download WebRoot SpySweeper from here:
http://www.webroot.c...6d6f87b866d2848
(It's a 2 week trial)

Click the "Free Trial" link on the right - next to "SpySweeper for Home Computers".
On the next page, click the "Free Trial" button.
Download it and install it.
When you open the program, it will prompt you to update to the latest definitions.
Please do so, then click "Sweep Now"
Then click the "Start" button.
When it's done scanning, click the "Next" button.
Remove everything it finds, then save the log - copy the log and paste it here for me.

#10 TusseyBoy (Topic Starter)
K thanks again. I (as usual) am at work, will post results this evening.

Thanks for your patience!

#11 tampabelle (Retired Staff)
Sure, no problem.

#12 TusseyBoy (Topic Starter)
6:44 PM: |··· Start of Session, Friday, September 30, 2005 ···|
6:44 PM: Spy Sweeper started
6:44 PM: Sweep initiated using definitions version 547
6:44 PM: Starting Memory Sweep
6:46 PM: Memory Sweep Complete, Elapsed Time: 00:01:26
6:46 PM: Starting Registry Sweep
6:46 PM: Found Adware: coolwebsearch (cws)
6:46 PM: HKCR\clsid\{905bd5e4-261c-4efd-5456-cd124d7b9d18}\ (2 subtraces) (ID = 107685)
6:46 PM: HKCR\clsid\{d75b9d6b-fb2a-ee40-24da-791d27c77147}\ (2 subtraces) (ID = 108151)
6:46 PM: HKLM\software\classes\clsid\{905bd5e4-261c-4efd-5456-cd124d7b9d18}\ (2 subtraces) (ID = 109069)
6:46 PM: HKLM\software\classes\clsid\{d75b9d6b-fb2a-ee40-24da-791d27c77147}\ (2 subtraces) (ID = 109534)
6:46 PM: Found Adware: cws_ns3
6:46 PM: HKCR\clsid\{0add4d53-b7dd-20f8-2ac9-ab9cb538a46f}\ (2 subtraces) (ID = 117597)
6:46 PM: HKCR\clsid\{0b4f9b2c-f81d-7c42-ae33-07f0fcb846ec}\ (2 subtraces) (ID = 117601)
6:46 PM: HKCR\clsid\{0b936818-a83d-004a-625a-757b4d758cc6}\ (2 subtraces) (ID = 117609)
6:46 PM: HKCR\clsid\{029db004-6bcd-0e73-3aea-f205b565f0f8}\ (2 subtraces) (ID = 117644)
6:46 PM: HKCR\clsid\{05971453-fe87-cb75-bb1f-338a196198b0}\ (2 subtraces) (ID = 117678)
6:46 PM: HKCR\clsid\{0661c16f-8ed8-1431-8a0b-2c95c6994589}\ (2 subtraces) (ID = 117681)
6:46 PM: HKCR\clsid\{07f0caa0-8206-9dcc-5402-d4cc24ec1764}\ (2 subtraces) (ID = 117686)
6:46 PM: HKCR\clsid\{09098a2e-29b4-d7ac-c8ec-1c448eba69e3}\ (2 subtraces) (ID = 117698)
6:46 PM: HKCR\clsid\{1bd83f34-5674-fa0d-e5b2-7d7655f0d46f}\ (2 subtraces) (ID = 117710)
6:46 PM: HKCR\clsid\{1d232f9d-941d-5cd9-732f-8f6ec1977cf2}\ (2 subtraces) (ID = 117720)
6:46 PM: HKCR\clsid\{1e920882-80ef-bd61-dbbd-0847c13d1197}\ (2 subtraces) (ID = 117728)
6:46 PM: HKCR\clsid\{1f5650ba-2c95-0e8c-5c3f-d482646bf979}\ (2 subtraces) (ID = 117737)
6:46 PM: HKCR\clsid\{2cab7717-202b-8a26-bfd7-fa41ec47a745}\ (2 subtraces) (ID = 117753)
6:46 PM: HKCR\clsid\{2d9bb7b5-d27a-5907-a874-72e04fc719e8}\ (2 subtraces) (ID = 117762)
6:46 PM: HKCR\clsid\{3ba763e9-3208-0cd2-31bd-37026d1b8537}\ (2 subtraces) (ID = 117789)
6:46 PM: HKCR\clsid\{3e8aea49-2882-96d1-d4b0-d1ea3e4eefd2}\ (2 subtraces) (ID = 117807)
6:46 PM: HKCR\clsid\{5bcc3ee7-9153-e89f-6d4e-9b02b02b4e2e}\ (2 subtraces) (ID = 117881)
6:46 PM: HKCR\clsid\{5da6ca48-7d98-bc0b-40ef-22ac6558668a}\ (2 subtraces) (ID = 117892)
6:46 PM: HKCR\clsid\{5fa0cf1e-5ff7-5212-6d7d-5710e683babb}\ (2 subtraces) (ID = 117913)
6:46 PM: HKCR\clsid\{7e2b347a-52aa-597f-9371-80822a8d1263}\ (2 subtraces) (ID = 117988)
6:46 PM: HKCR\clsid\{9c149fc6-86a5-c649-4760-9e20ac138bed}\ (2 subtraces) (ID = 118050)
6:46 PM: HKCR\clsid\{9d7705a4-9543-9869-8249-f62ac961bda5}\ (2 subtraces) (ID = 118057)
6:46 PM: HKCR\clsid\{18df9808-f6c9-984b-ede3-0b7624ec452a}\ (2 subtraces) (ID = 118093)
6:46 PM: HKCR\clsid\{30c5202d-2cdd-8c6d-6cd3-86cbac73988b}\ (2 subtraces) (ID = 118124)
6:46 PM: HKCR\clsid\{32fb9a97-c47a-795a-3b47-9a97c1448dfc}\ (4 subtraces) (ID = 118132)
6:46 PM: HKCR\clsid\{35cdce87-6bd6-878a-d4c9-24118a153d34}\ (2 subtraces) (ID = 118140)
6:46 PM: HKCR\clsid\{38c14aa2-0708-7dad-f01c-6c0208a38be2}\ (2 subtraces) (ID = 118149)
6:46 PM: HKCR\clsid\{46c8c875-7053-566f-b7df-a8735884b10e}\ (2 subtraces) (ID = 118180)
6:46 PM: HKCR\clsid\{62b52b4d-547b-bfc7-9850-79709fdecf27}\ (2 subtraces) (ID = 118222)
6:46 PM: HKCR\clsid\{83cbe2fb-4038-4351-9b1c-e69bf75962aa}\ (2 subtraces) (ID = 118279)
6:46 PM: HKCR\clsid\{85f1c7fc-7359-d6d5-c42b-f3e410db4cad}\ (2 subtraces) (ID = 118285)
6:46 PM: HKCR\clsid\{763fc5cf-92d8-a8be-597e-1c53c8d18d56}\ (2 subtraces) (ID = 118424)
6:46 PM: HKCR\clsid\{1714a690-3be3-3c63-d05d-b9e2e19a88a3}\ (2 subtraces) (ID = 118471)
6:46 PM: HKCR\clsid\{4822a81b-a35c-81ca-4b1e-595c44df3f5e}\ (2 subtraces) (ID = 118502)
6:46 PM: HKCR\clsid\{5932f9cb-e60e-11c7-5ba5-2cd8198cbdb4}\ (2 subtraces) (ID = 118512)
6:46 PM: HKCR\clsid\{12130dcb-3df4-96ec-27b9-61e0d766f680}\ (2 subtraces) (ID = 118563)
6:46 PM: HKCR\clsid\{67654c62-b847-d47b-7386-202e338f4761}\ (2 subtraces) (ID = 118593)
6:46 PM: HKCR\clsid\{88261a8f-96f3-66d7-0279-b1c677b30b41}\ (2 subtraces) (ID = 118616)
6:46 PM: HKCR\clsid\{765369c1-d4e0-d6a4-69b4-6261d4e1319a}\ (2 subtraces) (ID = 118652)
6:46 PM: HKCR\clsid\{795714a8-c9c0-e8bd-30db-a0da3b603993}\ (2 subtraces) (ID = 118654)
6:46 PM: HKCR\clsid\{1486290a-90c1-388f-adc8-6bfaa6b057e8}\ (2 subtraces) (ID = 118667)
6:46 PM: HKCR\clsid\{9320654e-9dd7-7b4e-fd11-be169ac706f5}\ (2 subtraces) (ID = 118683)
6:46 PM: HKCR\clsid\{61682029-a490-5c49-d9fd-682fb2da97af}\ (2 subtraces) (ID = 118711)
6:46 PM: HKCR\clsid\{a5b3b4a7-6bd2-e7ce-e654-7a1d658d1bb3}\ (2 subtraces) (ID = 118745)
6:46 PM: HKCR\clsid\{b2e28203-4884-d849-f129-5f1a3c2a59d2}\ (2 subtraces) (ID = 118841)
6:46 PM: HKCR\clsid\{b26e0da6-7964-2b58-9b4b-94cbaa3aff83}\ (2 subtraces) (ID = 118859)
6:46 PM: HKCR\clsid\{b33c5b98-f4b9-b550-c81a-4ee9720874bf}\ (2 subtraces) (ID = 118860)
6:46 PM: HKCR\clsid\{b1169abc-e367-2937-9f96-3b9cb54e0f31}\ (2 subtraces) (ID = 118884)
6:46 PM: HKCR\clsid\{b91259b9-be3b-d475-8861-62b879410e5e}\ (2 subtraces) (ID = 118889)
6:46 PM: HKCR\clsid\{ba8c901d-7125-d60e-c709-3e7f4a433a01}\ (2 subtraces) (ID = 118902)
6:46 PM: HKCR\clsid\{bca18f7d-4cab-d300-286e-432722ffb0fb}\ (2 subtraces) (ID = 118913)
6:46 PM: HKCR\clsid\{be5dcdbc-54d3-95ea-b258-2d53bd817431}\ (2 subtraces) (ID = 118926)
6:46 PM: HKCR\clsid\{cdec09e6-8009-fc50-5ff8-83f317343213}\ (2 subtraces) (ID = 119065)
6:46 PM: HKCR\clsid\{d605eaff-2c3a-4619-43c1-4ffb062f68de}\ (2 subtraces) (ID = 119121)
6:46 PM: HKCR\clsid\{d4451521-f203-568e-2657-c5ad1f0b1f77}\ (2 subtraces) (ID = 119139)
6:46 PM: HKCR\clsid\{da78be1d-07fe-b346-204e-c738df8c7f8d}\ (2 subtraces) (ID = 119148)
6:46 PM: HKCR\clsid\{ec6cc6a4-2de4-7d97-7906-9d8567369627}\ (2 subtraces) (ID = 119301)
6:46 PM: HKCR\clsid\{eceaf197-b6ef-9e38-0846-ff3bb03983ad}\ (2 subtraces) (ID = 119305)
6:46 PM: HKCR\clsid\{ef24beb1-9592-9f8f-4b29-99399fd2c231}\ (2 subtraces) (ID = 119331)
6:46 PM: HKCR\clsid\{f55b9b22-5baa-c8bb-5c3f-3e652d794bf7}\ (2 subtraces) (ID = 119379)
6:46 PM: HKCR\clsid\{f2255af4-092c-0bf6-52cf-8484b194fcc4}\ (2 subtraces) (ID = 119399)
6:46 PM: HKCR\clsid\{f2352fd0-b78a-fc66-ee98-5dfbf99e1f48}\ (2 subtraces) (ID = 119400)
6:46 PM: HKCR\clsid\{fc92c3de-f786-c2a4-4565-359ecf140e14}\ (2 subtraces) (ID = 119436)
6:46 PM: HKLM\software\classes\clsid\{0add4d53-b7dd-20f8-2ac9-ab9cb538a46f}\ (2 subtraces) (ID = 119478)
6:46 PM: HKLM\software\classes\clsid\{0b4f9b2c-f81d-7c42-ae33-07f0fcb846ec}\ (2 subtraces) (ID = 119482)
6:46 PM: HKLM\software\classes\clsid\{0b936818-a83d-004a-625a-757b4d758cc6}\ (2 subtraces) (ID = 119488)
6:46 PM: HKLM\software\classes\clsid\{029db004-6bcd-0e73-3aea-f205b565f0f8}\ (2 subtraces) (ID = 119523)
6:46 PM: HKLM\software\classes\clsid\{05971453-fe87-cb75-bb1f-338a196198b0}\ (2 subtraces) (ID = 119554)
6:46 PM: HKLM\software\classes\clsid\{0661c16f-8ed8-1431-8a0b-2c95c6994589}\ (2 subtraces) (ID = 119557)
6:46 PM: HKLM\software\classes\clsid\{07f0caa0-8206-9dcc-5402-d4cc24ec1764}\ (2 subtraces) (ID = 119562)
6:46 PM: HKLM\software\classes\clsid\{09098a2e-29b4-d7ac-c8ec-1c448eba69e3}\ (2 subtraces) (ID = 119573)
6:46 PM: HKLM\software\classes\clsid\{1bd83f34-5674-fa0d-e5b2-7d7655f0d46f}\ (2 subtraces) (ID = 119585)
6:46 PM: HKLM\software\classes\clsid\{1d232f9d-941d-5cd9-732f-8f6ec1977cf2}\ (2 subtraces) (ID = 119595)
6:46 PM: HKLM\software\classes\clsid\{1e920882-80ef-bd61-dbbd-0847c13d1197}\ (2 subtraces) (ID = 119603)
6:46 PM: HKLM\software\classes\clsid\{1f5650ba-2c95-0e8c-5c3f-d482646bf979}\ (2 subtraces) (ID = 119612)
6:46 PM: HKLM\software\classes\clsid\{2cab7717-202b-8a26-bfd7-fa41ec47a745}\ (2 subtraces) (ID = 119629)
6:46 PM: HKLM\software\classes\clsid\{2d9bb7b5-d27a-5907-a874-72e04fc719e8}\ (2 subtraces) (ID = 119637)
6:46 PM: HKLM\software\classes\clsid\{3ba763e9-3208-0cd2-31bd-37026d1b8537}\ (2 subtraces) (ID = 119662)
6:46 PM: HKLM\software\classes\clsid\{3e8aea49-2882-96d1-d4b0-d1ea3e4eefd2}\ (2 subtraces) (ID = 119680)
6:46 PM: HKLM\software\classes\clsid\{5bcc3ee7-9153-e89f-6d4e-9b02b02b4e2e}\ (2 subtraces) (ID = 119754)
6:46 PM: HKLM\software\classes\clsid\{5da6ca48-7d98-bc0b-40ef-22ac6558668a}\ (2 subtraces) (ID = 119768)
6:46 PM: HKLM\software\classes\clsid\{5fa0cf1e-5ff7-5212-6d7d-5710e683babb}\ (2 subtraces) (ID = 119788)
6:46 PM: HKLM\software\classes\clsid\{7e2b347a-52aa-597f-9371-80822a8d1263}\ (2 subtraces) (ID = 119863)
6:46 PM: HKLM\software\classes\clsid\{9c149fc6-86a5-c649-4760-9e20ac138bed}\ (2 subtraces) (ID = 119922)
6:46 PM: HKLM\software\classes\clsid\{9d7705a4-9543-9869-8249-f62ac961bda5}\ (2 subtraces) (ID = 119929)
6:46 PM: HKLM\software\classes\clsid\{18df9808-f6c9-984b-ede3-0b7624ec452a}\ (2 subtraces) (ID = 119964)
6:46 PM: HKLM\software\classes\clsid\{30c5202d-2cdd-8c6d-6cd3-86cbac73988b}\ (2 subtraces) (ID = 119993)
6:46 PM: HKLM\software\classes\clsid\{32fb9a97-c47a-795a-3b47-9a97c1448dfc}\ (4 subtraces) (ID = 120001)
6:46 PM: HKLM\software\classes\clsid\{35cdce87-6bd6-878a-d4c9-24118a153d34}\ (2 subtraces) (ID = 120009)
6:46 PM: HKLM\software\classes\clsid\{38c14aa2-0708-7dad-f01c-6c0208a38be2}\ (2 subtraces) (ID = 120017)
6:46 PM: HKLM\software\classes\clsid\{46c8c875-7053-566f-b7df-a8735884b10e}\ (2 subtraces) (ID = 120038)
6:46 PM: HKLM\software\classes\clsid\{62b52b4d-547b-bfc7-9850-79709fdecf27}\ (2 subtraces) (ID = 120079)
6:46 PM: HKLM\software\classes\clsid\{83cbe2fb-4038-4351-9b1c-e69bf75962aa}\ (2 subtraces) (ID = 120135)
6:46 PM: HKLM\software\classes\clsid\{85f1c7fc-7359-d6d5-c42b-f3e410db4cad}\ (2 subtraces) (ID = 120141)
6:46 PM: HKLM\software\classes\clsid\{763fc5cf-92d8-a8be-597e-1c53c8d18d56}\ (2 subtraces) (ID = 120272)
6:46 PM: HKLM\software\classes\clsid\{1714a690-3be3-3c63-d05d-b9e2e19a88a3}\ (2 subtraces) (ID = 120318)
6:46 PM: HKLM\software\classes\clsid\{4822a81b-a35c-81ca-4b1e-595c44df3f5e}\ (2 subtraces) (ID = 120349)
6:46 PM: HKLM\software\classes\clsid\{12130dcb-3df4-96ec-27b9-61e0d766f680}\ (2 subtraces) (ID = 120410)
6:46 PM: HKLM\software\classes\clsid\{67654c62-b847-d47b-7386-202e338f4761}\ (2 subtraces) (ID = 120440)
6:46 PM: HKLM\software\classes\clsid\{88261a8f-96f3-66d7-0279-b1c677b30b41}\ (2 subtraces) (ID = 120463)
6:46 PM: HKLM\software\classes\clsid\{765369c1-d4e0-d6a4-69b4-6261d4e1319a}\ (2 subtraces) (ID = 120499)
6:46 PM: HKLM\software\classes\clsid\{795714a8-c9c0-e8bd-30db-a0da3b603993}\ (2 subtraces) (ID = 120501)
6:46 PM: HKLM\software\classes\clsid\{1486290a-90c1-388f-adc8-6bfaa6b057e8}\ (2 subtraces) (ID = 120512)
6:46 PM: HKLM\software\classes\clsid\{9320654e-9dd7-7b4e-fd11-be169ac706f5}\ (2 subtraces) (ID = 120528)
6:46 PM: HKLM\software\classes\clsid\{61682029-a490-5c49-d9fd-682fb2da97af}\ (2 subtraces) (ID = 120553)
6:46 PM: HKLM\software\classes\clsid\{a5b3b4a7-6bd2-e7ce-e654-7a1d658d1bb3}\ (2 subtraces) (ID = 120584)
6:46 PM: HKLM\software\classes\clsid\{b2e28203-4884-d849-f129-5f1a3c2a59d2}\ (2 subtraces) (ID = 120680)
6:46 PM: HKLM\software\classes\clsid\{b26e0da6-7964-2b58-9b4b-94cbaa3aff83}\ (2 subtraces) (ID = 120698)
6:46 PM: HKLM\software\classes\clsid\{b33c5b98-f4b9-b550-c81a-4ee9720874bf}\ (2 subtraces) (ID = 120699)
6:46 PM: HKLM\software\classes\clsid\{b1169abc-e367-2937-9f96-3b9cb54e0f31}\ (2 subtraces) (ID = 120722)
6:46 PM: HKLM\software\classes\clsid\{b91259b9-be3b-d475-8861-62b879410e5e}\ (2 subtraces) (ID = 120727)
6:46 PM: HKLM\software\classes\clsid\{ba8c901d-7125-d60e-c709-3e7f4a433a01}\ (2 subtraces) (ID = 120740)
6:46 PM: HKLM\software\classes\clsid\{bca18f7d-4cab-d300-286e-432722ffb0fb}\ (2 subtraces) (ID = 120750)
6:46 PM: HKLM\software\classes\clsid\{be5dcdbc-54d3-95ea-b258-2d53bd817431}\ (2 subtraces) (ID = 120763)
6:46 PM: HKLM\software\classes\clsid\{d605eaff-2c3a-4619-43c1-4ffb062f68de}\ (2 subtraces) (ID = 120957)
6:46 PM: HKLM\software\classes\clsid\{d4451521-f203-568e-2657-c5ad1f0b1f77}\ (2 subtraces) (ID = 120975)
6:46 PM: HKLM\software\classes\clsid\{da78be1d-07fe-b346-204e-c738df8c7f8d}\ (2 subtraces) (ID = 120984)
6:46 PM: HKLM\software\classes\clsid\{ec6cc6a4-2de4-7d97-7906-9d8567369627}\ (2 subtraces) (ID = 121132)
6:46 PM: HKLM\software\classes\clsid\{eceaf197-b6ef-9e38-0846-ff3bb03983ad}\ (2 subtraces) (ID = 121136)
6:46 PM: HKLM\software\classes\clsid\{ef24beb1-9592-9f8f-4b29-99399fd2c231}\ (2 subtraces) (ID = 121161)
6:46 PM: HKLM\software\classes\clsid\{f55b9b22-5baa-c8bb-5c3f-3e652d794bf7}\ (2 subtraces) (ID = 121207)
6:46 PM: HKLM\software\classes\clsid\{f2352fd0-b78a-fc66-ee98-5dfbf99e1f48}\ (2 subtraces) (ID = 121227)
6:46 PM: HKLM\software\classes\clsid\{fc92c3de-f786-c2a4-4565-359ecf140e14}\ (2 subtraces) (ID = 121261)
6:46 PM: Found Adware: cws_tiny0
6:46 PM: HKCR\clsid\{1f46e851-7eaf-1a9b-e6b4-cca46bd7bb86}\ (2 subtraces) (ID = 123824)
6:46 PM: HKCR\clsid\{2ac8ec43-eae7-f7bd-2b63-7de1ff58c69f}\ (2 subtraces) (ID = 123829)
6:46 PM: HKCR\clsid\{5b9a8be3-69a5-661b-3bb5-fa99e29d5453}\ (2 subtraces) (ID = 123842)
6:46 PM: HKCR\clsid\{8e883ec3-abb5-0cd9-ec0a-78cb81a818d1}\ (2 subtraces) (ID = 123864)
6:46 PM: HKCR\clsid\{18eafe7b-570b-346c-adef-9cdda8a1986f}\ (2 subtraces) (ID = 123875)
6:46 PM: HKCR\clsid\{109fcead-8c5c-5b76-3bb3-a646d2b52c93}\ (2 subtraces) (ID = 123903)
6:46 PM: HKCR\clsid\{286ece71-3f17-089b-f6bd-0e16d255ae8a}\ (2 subtraces) (ID = 123907)
6:46 PM: HKCR\clsid\{595b569b-a80c-dee4-5ae6-7af21d2b6f17}\ (2 subtraces) (ID = 123917)
6:46 PM: HKCR\clsid\{2621d1bf-0a92-2d9c-e595-02a9c3f76f46}\ (2 subtraces) (ID = 123929)
6:46 PM: HKLM\software\classes\clsid\{1f46e851-7eaf-1a9b-e6b4-cca46bd7bb86}\ (2 subtraces) (ID = 124059)
6:46 PM: HKLM\software\classes\clsid\{2ac8ec43-eae7-f7bd-2b63-7de1ff58c69f}\ (2 subtraces) (ID = 124064)
6:46 PM: HKLM\software\classes\clsid\{5b9a8be3-69a5-661b-3bb5-fa99e29d5453}\ (2 subtraces) (ID = 124077)
6:46 PM: HKLM\software\classes\clsid\{8e883ec3-abb5-0cd9-ec0a-78cb81a818d1}\ (2 subtraces) (ID = 124097)
6:46 PM: HKLM\software\classes\clsid\{18eafe7b-570b-346c-adef-9cdda8a1986f}\ (2 subtraces) (ID = 124108)
6:46 PM: HKLM\software\classes\clsid\{109fcead-8c5c-5b76-3bb3-a646d2b52c93}\ (2 subtraces) (ID = 124135)
6:46 PM: HKLM\software\classes\clsid\{595b569b-a80c-dee4-5ae6-7af21d2b6f17}\ (2 subtraces) (ID = 124148)
6:46 PM: HKLM\software\classes\clsid\{2621d1bf-0a92-2d9c-e595-02a9c3f76f46}\ (2 subtraces) (ID = 124158)
6:46 PM: Found Trojan Horse: trojan-downloader-winshow
6:46 PM: HKCR\clsid\{fd3ea93f-bce8-a28b-aa76-2d55e711675b}\ (2 subtraces) (ID = 144887)
6:46 PM: HKLM\software\classes\clsid\{fd3ea93f-bce8-a28b-aa76-2d55e711675b}\ (2 subtraces) (ID = 144894)
6:46 PM: Found Trojan Horse: trojan_downloader_tibser
6:46 PM: HKCR\clsid\{c72087fb-0f26-d300-04c9-bfd60278a6a2}\ (2 subtraces) (ID = 145085)
6:46 PM: HKLM\software\classes\clsid\{c72087fb-0f26-d300-04c9-bfd60278a6a2}\ (2 subtraces) (ID = 145102)
6:46 PM: Found Adware: abetterinternet
6:46 PM: HKCR\clsid\{8df52e69-ba52-5f6e-2a2a-0cd81e0f3492}\ (6 subtraces) (ID = 145793)
6:46 PM: HKLM\software\classes\clsid\{8df52e69-ba52-5f6e-2a2a-0cd81e0f3492}\ (6 subtraces) (ID = 145873)
6:46 PM: Found Adware: winad
6:46 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll\ (2 subtraces) (ID = 147191)
6:46 PM: Found Adware: worldantispy
6:46 PM: HKLM\software\microsoft\windows\currentversion\uninstall\worldantispy.com_is1\ (16 subtraces) (ID = 714262)
6:46 PM: Registry Sweep Complete, Elapsed Time:00:00:06
6:46 PM: Starting Cookie Sweep
6:46 PM: Found Spy Cookie: nextag cookie
6:46 PM: owner@nextag[1].txt (ID = 5014)
6:46 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
6:46 PM: Starting File Sweep
6:46 PM: Found Adware: screensavers
6:46 PM: c:\program files\screensavers.com (1 subtraces) (ID = -2147480365)
6:46 PM: c:\documents and settings\owner\application data\skinux\worldantispy (1 subtraces) (ID = -2147473526)
6:46 PM: mfclu.exe:njvza (ID = 56949)
6:46 PM: imsins.log:bueicq (ID = 56601)
6:46 PM: clock.avi:ugaurn (ID = 56753)
6:46 PM: comsetup.log:mzlhly (ID = 57035)
6:46 PM: xldrj.dll (ID = 56887)
6:46 PM: q816979.log:jqdfv (ID = 56968)
6:46 PM: rtcwplat.ini:eszdm (ID = 56949)
6:46 PM: q813862.log:agofj (ID = 56968)
6:46 PM: vbaddin.ini:tmfju (ID = 56968)
6:46 PM: ieck32.exe:zcyoul (ID = 57035)
6:46 PM: Found Adware: ist istbar
6:46 PM: 86f62e28-ff7c-40e3-b783-2d6718 (ID = 64598)
6:46 PM: mdacy.txt:jivjme (ID = 54114)
6:46 PM: iis6.log:adsqyi (ID = 57147)
6:46 PM: desktop.ini:dnobzu (ID = 56789)
6:46 PM: _default.pif:craads (ID = 56766)
6:46 PM: javaeu32.exe:nffwhv (ID = 57119)
6:47 PM: vbaddin.ini:fzxpn (ID = 54339)
6:47 PM: 6ee8a1f5-feb9-4deb-ab43-0f7fc7 (ID = 136143)
6:47 PM: logi_mwx.exe:sqfbvs (ID = 56753)
6:47 PM: faxsetup.log:ogrlwg (ID = 56601)
6:47 PM: q329048.log:pfwsp (ID = 56968)
6:47 PM: npcdt.dll (ID = 90430)
6:47 PM: a4136692-5e47-432c-9c02-06106f (ID = 136143)
6:47 PM: control.ini:oxxoq (ID = 56968)
6:47 PM: File Sweep Complete, Elapsed Time: 00:01:05
6:47 PM: Full Sweep has completed. Elapsed time 00:02:42
6:47 PM: Traces Found: 511
7:03 PM: Removal process initiated
7:03 PM: Quarantining All Traces: coolwebsearch (cws)
7:03 PM: Quarantining All Traces: cws_ns3
7:03 PM: Quarantining All Traces: cws_tiny0
7:03 PM: Quarantining All Traces: trojan-downloader-winshow
7:03 PM: Quarantining All Traces: trojan_downloader_tibser
7:03 PM: Quarantining All Traces: abetterinternet
7:03 PM: Quarantining All Traces: winad
7:03 PM: Quarantining All Traces: worldantispy
7:03 PM: Quarantining All Traces: nextag cookie
7:03 PM: Quarantining All Traces: screensavers
7:03 PM: Quarantining All Traces: ist istbar
7:03 PM: Removal process completed. Elapsed time 00:00:25
********
6:44 PM: |··· Start of Session, Friday, September 30, 2005 ···|
6:44 PM: Spy Sweeper started
6:44 PM: |··· End of Session, Friday, September 30, 2005 ···|


Incident Status Location

Possible Virus. No disinfected C:\Program Files\Lock Down Mu\MuLockdown\MuLockdown.exe
Adware:adware/searchaid No disinfected C:\WINDOWS\d3jv32.exe
Adware:adware/cws.008k No disinfected C:\WINDOWS\iefr.dll
Adware:adware/navipromo No disinfected C:\WINDOWS\sdkbe32.exe
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\fdzfo.dll
Adware:adware/transponder No disinfected C:\WINDOWS\system32\msts32.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\m?dtc.exe

smitRem log file
version 2.5

by noahdfear

The current date is: Fri 09/30/2005
The current time is: 18:08:09.06

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :tazz:




Also, that "worldspyware" icon is still on my desktop, but the icon has changed to just a little window, rather than the worldspyware logo... just thought it was weird. Thnx!

#13 tampabelle (Retired Staff)
Delete the files -

C:\Program Files\Lock Down Mu\MuLockdown\MuLockdown.exe

(I am not sure what this program is. In case you need it then let me know)

C:\WINDOWS\d3jv32.exe
C:\WINDOWS\iefr.dll
C:\WINDOWS\sdkbe32.exe
C:\WINDOWS\system32\fdzfo.dll
C:\WINDOWS\system32\msts32.exe
C:\WINDOWS\system32\m?dtc.exe
(Do not delete the file msdtc.exe. If more than one instance of this file is running, then make a note of the respective creation dates and file sizes and let me know in your next reply.)



Also delete the worldspyware icon from your desktop.

Let me know how it goes.

#14 TusseyBoy (Topic Starter)
There are 67 files with the letters msdtc in them. 1 has only those letters, the other 6 have that plus 2 more in them. msdtcprx.dll, msdtctm.dll, msdtcuiu.dll have the create date as 9/27/2005.


C:\WINDOWS\system32\m?dtc.exe
... Not sure what you mean here


That MuOnline is an RPG game. Several gaming buddies and I play it off and on. It's legit too. I am gonna keep it, unless you think I shouldn't.

Before I delete worldspyware, it is in the add/remove programs. Do you want the icon gone or the whole program? I assume the whole program, but I thought I'd check.

#15 tampabelle (Retired Staff)
C:\WINDOWS\system32\m?dtc.exe

The ? and the * characters are wildcards. ? is a wildcard for 1 letter/character, while * is for an unlimited number of letters or characters.

When you search for "m?dtc.exe", it will search for all file names like


madtc.exe
mbdtc.exe
mcdtc.exe

etc.


Anyway it seems that there are no associated bad files with it. The three file names you gave (with date of creation 9/27/05) are genuine files.


I think you can keep Muonline game.

If worldspyware program appears in your list of installed programs then you can uninstall it.


How is your PC behaving now?
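As an added example (Python written for this page, not code from the thread or from Panda, smitRem or any other tool named here), the script below ties together two steps of the thread: it parses the Panda "Incident Status Location" report format posted earlier, keeps only the rows Panda could not disinfect (the same list tampabelle turned into delete instructions), and expands a wildcard path such as `m?dtc.exe` against a directory listing exactly as this post explains, with `?` standing for one character and `*` for any run of characters. The genuine `msdtc.exe` is kept off the resulting delete list, mirroring the warning in the earlier post. The directory listing is constructed: the `msdtc*` names are the Windows files named in the thread, and `madtc.exe` / `mbdtc.exe` are taken from this post's own illustration of what the pattern would match.

```python
import fnmatch
import ntpath
import re

# Constructed sample in the Panda "Incident Status Location" format used in this thread:
# the seven "No disinfected" rows from the second report plus one "Disinfected" row from the first.
SAMPLE_REPORT = r"""
Incident Status Location

Virus:W32/Smitfraud.D Disinfected C:\WINDOWS\$NtUninstallKB896727-IE6SP1-20050719.165959$\wininet.dll
Possible Virus. No disinfected C:\Program Files\Lock Down Mu\MuLockdown\MuLockdown.exe
Adware:adware/searchaid No disinfected C:\WINDOWS\d3jv32.exe
Adware:adware/cws.008k No disinfected C:\WINDOWS\iefr.dll
Adware:adware/navipromo No disinfected C:\WINDOWS\sdkbe32.exe
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\fdzfo.dll
Adware:adware/transponder No disinfected C:\WINDOWS\system32\msts32.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\m?dtc.exe
"""

# Constructed directory listing for C:\WINDOWS\system32. The msdtc* names are the genuine
# Windows files named in the thread; madtc.exe and mbdtc.exe are the post's own examples of
# names that "m?dtc.exe" would match.
SYSTEM32_LISTING = [
    "msdtc.exe", "msdtcprx.dll", "msdtctm.dll", "msdtcuiu.dll",
    "madtc.exe", "mbdtc.exe", "kernel32.dll",
]

# Genuine Windows files that must never end up on a delete list, whatever a wildcard matches.
PROTECTED = ("msdtc.exe",)

# "<label> <status> <path>"; the label may contain spaces ("Possible Virus."), so it is non-greedy.
ROW_RE = re.compile(r"^(?P<label>.+?)\s+(?P<status>No disinfected|Disinfected)\s+(?P<path>.+)$")


def parse_panda(text):
    """Parse report rows into dicts with label, status and path; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def undisinfected_paths(rows):
    """Paths Panda reported but could not clean: the candidates for manual removal."""
    return [r["path"] for r in rows if r["status"] == "No disinfected"]


def expand_wildcard(path, listing, protected=PROTECTED):
    """Expand a scanner path whose file name contains ? or * against a directory listing.

    ? matches exactly one character and * any run of characters; matching is
    case-insensitive because Windows file names are. Protected names are dropped.
    """
    directory, pattern = ntpath.split(path)  # ntpath handles backslash paths on any OS
    if not any(ch in pattern for ch in "?*"):
        return [path]
    if listing is None:
        # No listing to expand against: hand the pattern back so it is not dropped silently.
        return [path]
    skip = {p.lower() for p in protected}
    matches = []
    for name in listing:
        if fnmatch.fnmatchcase(name.lower(), pattern.lower()) and name.lower() not in skip:
            matches.append(ntpath.join(directory, name))
    return matches


def build_delete_list(report_text, listings):
    """Concrete paths to remove: wildcards expanded with the listing for their directory."""
    out = []
    for path in undisinfected_paths(parse_panda(report_text)):
        directory = ntpath.dirname(path)
        out.extend(expand_wildcard(path, listings.get(directory.lower())))
    return out


if __name__ == "__main__":
    listings = {r"c:\windows\system32": SYSTEM32_LISTING}
    for p in build_delete_list(SAMPLE_REPORT, listings):
        print(p)
```

Run as-is, the delete list holds the six concrete paths plus `madtc.exe` and `mbdtc.exe` under system32, while `msdtc.exe`, which also matches `m?dtc.exe`, is filtered out; that filtering step is the reason the earlier post spells out the legitimate name before asking the poster to delete anything.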





