Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

SpyTrooper [resolved]

Started by gurgeh , Nov 06 2005 05:42 PM

This topic is locked

#1
gurgeh

Posted 06 November 2005 - 05:42 PM

Member

Member
21 posts

Hi

I was suckered in by this trojan on my machine and got right through to the pay screen before I realised it was not genuine microsoft security messages. My Mcfee says I have no viruses yet spy doctor syas there are! Can you help? Hijack log below:

Logfile of HijackThis v1.99.1
Scan saved at 23:31:36, on 06/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\SDSystemTray.exe
C:\Program Files\SpywareDetector\SDMonitor.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\freeserve\freeserveconnectionkit\atdialler1.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\SpywareDetectorSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mike Newton.ASHPOOL01\Local Settings\Temporary Internet Files\Content.IE5\O9Y309QZ\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.c...rch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: (no name) - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} - C:\WINDOWS\system32\hp1FA4.tmp
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\WINDOWS\system32\WSBar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Supastatus] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [XpDis0Conf] C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe VEN_14E4&DEV_4320&SUBSYS_70011799 /d
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SystemTraySD] C:\WINDOWS\system32\SDSystemTray.exe
O4 - HKLM\..\Run: [MonitorSD] C:\Program Files\SpywareDetector\SDMonitor.exe
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\WINDOWS\system32\LiveUpdateSD.exe -AUTO
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: Search with Wanadoo - res://C:\WINDOWS\system32\WSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.n...E_5.3.0.228.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120291645074
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130493303632
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SpyDetectSVC - Max Secure Technologies - C:\WINDOWS\system32\SpywareDetectorSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#2
g2i2r4

Posted 07 November 2005 - 09:04 AM

retired HiJack Helper

Retired Staff
5,080 posts

Welcome gurgeh to Geeks to Go!

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!

***

Please download noahdfear's smitRem.exe©. Save the file to your desktop. Double click on the file to extract it to it's own folder on the desktop.

***

Please download the trial version of ewido security suite.Install ewido security suite
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

Launch ewido, there should be an icon on your desktop double-click it.
The program will prompt you to update click the OK button

The program will now go to the main screen
You will need to update ewido to the latest definition files.On the left hand side of the main screen click update
Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed, close Ewido for now.

***

If you have not already installed Ad-Aware SE 1.06, please download and install AdAware SE 1.06.
Check Here on how setup and use it - please make sure you update it first.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Remove Max Secure Spyware Detector:
Move to Start > Settings > Control Panel
Double click Add/Remove Programs.
Within Add/Remove programs click the "Install/Uninstall" tab or click the "Change or Remove Programs" button.
Within this section you will see a listing of programs that are currently installed that support this feature. If the program I’m advising you to uninstall is listed within this list, highlight it and click the Add/Remove or uninstall option or button.

***

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed.
Post me the contents of the smitfiles.txt log as you post back.

***

Open Ad-aware and do a full scan. Remove all it finds.

***

Now open Ewido Security Suite:* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop
Reboot your computer.

***

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

***

Reboot back into Windows
You will need to allow the popups for this site!

Run the Free use Panda Active Scan.

A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on 1click active scan (top right hand corner) to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.

#3
gurgeh

Posted 08 November 2005 - 03:31 AM

Member

Topic Starter
Member
21 posts

Hi

Many thanks for your reply - I work away during the week so I will get back to it on Friday night and follow your instructions to the letter. Many thanks for your help.

Later

G

#4
g2i2r4

Posted 08 November 2005 - 04:49 PM

retired HiJack Helper

Retired Staff
5,080 posts

Take your time, I'll be around somewhere.

#5
gurgeh

Posted 12 November 2005 - 09:55 AM

Member

Topic Starter
Member
21 posts

Hi

Been thro your list and followed the instructions to the letter. The only problem I had was with the Panda software at the end. I was using mozilla firefox to avoid the blocking IE was doing but it wouldn't run. Risked switching to IE and still no joy - but at least the browser seems clean now. Went to Panda site and downloaded Titanium version of freeware - made me take off McAffe which I did and still wouldn't run - so gave up - did run Spyware detector which showed a few low level risks, but I have been on line a while now and have had no pop ups. So apart from a higher level of spam mail than I have been used to, all seems ok. Will continue to use mozilla for a bit and run spybot after each session - and keep my fingers crossed. Was impressed with EWIDOS - found all the major problems and fixed them - something McAfee didn't do perhaps I should switch my allegiance.

Attached reports you requested - except Panda as explained

HIJACK

Scan saved at 15:32:50, on 12/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\SDSystemTray.exe
C:\Program Files\SpywareDetector\SDMonitor.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\freeserve\freeserveconnectionkit\atdialler1.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.c...rch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.my.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Supastatus] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [XpDis0Conf] C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe VEN_14E4&DEV_4320&SUBSYS_70011799 /d
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SystemTraySD] C:\WINDOWS\system32\SDSystemTray.exe
O4 - HKLM\..\Run: [MonitorSD] C:\Program Files\SpywareDetector\SDMonitor.exe
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\WINDOWS\system32\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [LanzarT2006] "C:\DOCUME~1\MIKENE~1.ASH\LOCALS~1\Temp\{C17709BF-ACBA-46AB-BA53-79EAAE3E826C}\{98032D6F-3EE6-4646-B68C-40BF012AC89B}\..\..\T2006tmp\Install.exe" /SETUP:"/l0x0009"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.n...E_5.3.0.228.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120291645074
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130493303632
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

EWIDOS

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:07:09, 12/11/2005
+ Report-Checksum: 45C36002

+ Scan result:

HKU\S-1-5-21-3826821714-334337264-2154702590-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\dba2218.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Mike Newton.ASHPOOL01\Local Settings\Temporary Internet Files\Content.IE5\O9Y309QZ\backups\backup-20051106-232947-379.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Documents and Settings\Mike Newton.ASHPOOL01\Local Settings\Temporary Internet Files\Content.IE5\O9Y309QZ\backups\backup-20051106-233201-927.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Documents and Settings\Mike Newton.ASHPOOL01\Cookies\mike [email protected][1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Mike Newton.ASHPOOL01\Cookies\mike [email protected][2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Mike Newton.ASHPOOL01\Cookies\mike [email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Mike Newton.ASHPOOL01\Cookies\mike newton@ivwbox[2].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Mike Newton.ASHPOOL01\Cookies\mike [email protected][2].txt -> Spyware.Cookie.Popuptraffic : Cleaned with backup
C:\Documents and Settings\Mike Newton.ASHPOOL01\Cookies\mike [email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Mike Newton.ASHPOOL01\Cookies\mike [email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Mike Newton.ASHPOOL01\Application Data\Mozilla\Firefox\Profiles\n51dnwl6.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Mike Newton.ASHPOOL01\Application Data\Mozilla\Firefox\Profiles\n51dnwl6.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\System Volume Information\_restore{791C461D-AD30-48C5-AF08-8499E0A1490A}\RP187\A0046431.exe -> Dialer.Generic : Cleaned with backup
C:\System Volume Information\_restore{791C461D-AD30-48C5-AF08-8499E0A1490A}\RP188\A0048695.exe -> Adware.SpySheriff : Cleaned with backup
C:\System Volume Information\_restore{791C461D-AD30-48C5-AF08-8499E0A1490A}\RP189\A0049585.exe -> TrojanDownloader.Zlob.ba : Cleaned with backup
C:\System Volume Information\_restore{791C461D-AD30-48C5-AF08-8499E0A1490A}\RP189\A0049587.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{791C461D-AD30-48C5-AF08-8499E0A1490A}\RP189\A0049588.exe -> TrojanDropper.Small.ahh : Cleaned with backup
C:\Hijackthis\backups\backup-20051107-002912-606.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Hijackthis\backups\backup-20051107-003143-701.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Hijackthis\backups\backup-20051107-003201-946.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Hijackthis\backups\backup-20051107-003218-744.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Hijackthis\backups\backup-20051107-003259-569.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Hijackthis\backups\backup-20051107-003402-313.dll -> Spyware.Hijacker.Generic : Cleaned with backup

::Report End

SMIT FILE

smitRem © log file
version 2.7

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: 12/11/2005
The current time is: 10:05:47.12

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files[b]

#6
g2i2r4

Posted 12 November 2005 - 10:05 AM

retired HiJack Helper

Retired Staff
5,080 posts

Remove Max Secure Spyware Detector (it's rogue see here!):
Move to Start > Settings > Control Panel
Double click Add/Remove Programs.
Within Add/Remove programs click the "Install/Uninstall" tab or click the "Change or Remove Programs" button.
Within this section you will see a listing of programs that are currently installed that support this feature. If the program I’m advising you to uninstall is listed within this list, highlight it and click the Add/Remove or uninstall option or button.

***

please repost me the smitfiles.txt.

#7
gurgeh

Posted 12 November 2005 - 10:44 AM

Member

Topic Starter
Member
21 posts

Hi Again

OK have checked again for the Max Secure Spyware detector but still cannot find it - perhaps one of the actions I did last week removed it? Otherwise it is hiding.

Sorry about the smit log didn't realise I hadn't sent all of it - have unfortunately just re run and full log is below

smitRem © log file
version 2.7

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: 12/11/2005
The current time is: 16:35:21.34

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN! :tazz:

Hope I haven't lost you vital clues! Was doing so well too!

Later

Gurgeh

#8
g2i2r4

Posted 12 November 2005 - 12:07 PM

retired HiJack Helper

Retired Staff
5,080 posts

You said this today:

did run Spyware detector which showed a few low level risks

That's why I reminded you.

Based on your last log I still see it around. Let's remove it.

Please disable Spyware Doctor, as it may interfere with the fix. To disable Spyware Doctor:

Click the Spyware Doctor icon in the System Tray.
Click Settings.
Click Startup Settings under Pick a Category.
Uncheck Run at Windows startup.
Click Apply and Exit Spyware Doctor

Once your log is clean you can re-enable Spyware Doctor.

***

We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
Reverse the process when you’ve carried out the advise.

***

Press Control-Alt-Del to enter the Task Manager.
Click on the Processes tab and end the following processes:
C:\WINDOWS\system32\SDSystemTray.exe
C:\Program Files\SpywareDetector\SDMonitor.exe
Exit the Task Manager when finished.

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Run: [SystemTraySD] C:\WINDOWS\system32\SDSystemTray.exe

O4 - HKLM\..\Run: [MonitorSD] C:\Program Files\SpywareDetector\SDMonitor.exe

O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\WINDOWS\system32\LiveUpdateSD.exe -AUTO

O4 - HKLM\..\Run: [LanzarT2006] "C:\DOCUME~1\MIKENE~1.ASH\LOCALS~1\Temp\{C17709BF-ACBA-46AB-BA53-79EAAE3E826C}\{98032D6F-3EE6-4646-B68C-40BF012AC89B}\..\..\T2006tmp\Install.exe" /SETUP:"/l0x0009"

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Use Windows Explorer to remove these files:

C:\WINDOWS\system32\SDSystemTray.exe
C:\WINDOWS\system32\LiveUpdateSD.exe

and this folder:

C:\Program Files\SpywareDetector\

Close Windows Explorer when you are done.

***

Download CleanUp!.
If that doesn’t work, use this link.
Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options"
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Scan local drives for temporary files
Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

Once it's done, press Close. Reboot the system. This will remove files that were in use during the scan.

***

Please post me a fresh HijackThis log to check.

Is the computer running ok?
If so, shall I post you some tips for the future and close this topic?

Edited by g2i2r4, 12 November 2005 - 12:08 PM.

#9
gurgeh

Posted 12 November 2005 - 06:14 PM

Member

Topic Starter
Member
21 posts

Hi

You were right of course - it was hiding there all the time - followed instructions to the letter and think I have got rid of it - suspect it was blocking my MS Anti Spyware all along - not even sure where it came from. Just as they prob intended I got confused between that and spyware doctor.

Log attached

Logfile of HijackThis v1.99.1
Scan saved at 00:03:23, on 13/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\freeserve\freeserveconnectionkit\atdialler1.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.c...rch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.my.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Supastatus] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [XpDis0Conf] C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe VEN_14E4&DEV_4320&SUBSYS_70011799 /d
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.n...E_5.3.0.228.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120291645074
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130493303632
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Look forward to hearing from you.

Rgds

Gurgeh
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#10
g2i2r4

Posted 13 November 2005 - 06:16 AM

retired HiJack Helper

Retired Staff
5,080 posts

Weldone

It's gone now.

The log looks clean now!

Is the computer running ok?
If so, shall I post you some tips for the future and close this topic?

#11
gurgeh

Posted 13 November 2005 - 08:26 AM

Member

Topic Starter
Member
21 posts

Hi

Thankyou - yes the computer is just zpping along fine. That was a real blow to my confidence, thought I knew what I was doing, but clearly the real world has overtaken me! So yes any tips would be greatly appreciated. I am particulary interested in your view of MacAfee - it was totally lame in spotting any of the problems.

Thanks again

Gurgeh

#12
g2i2r4

Posted 13 November 2005 - 08:44 AM

retired HiJack Helper

Retired Staff
5,080 posts

AntiVirus or AntiSpyware programs are as good as the definitions they use. New infections take some time to find their way in there. One company is faster that the other. Spytrooper is an adware type malware. Not all AntiVirus programs also detect adware.
That's why the tips included a mix of programs.

------

Please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Managing Windows Millenium System Restore

or

Windows XP System Restore Guide

Re-enable system restore with the instructions from the tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
  - Change the Download signed ActiveX controls to Prompt
  - Change the Download unsigned ActiveX controls to Disable
  - Change the Initialize and script ActiveX controls not marked as safe to Disable
  - Change the Installation of desktop items to Prompt
  - Change the Launching programs and files in an IFRAME to Prompt
  - Change the Navigate sub-frames across different domains to Prompt
  - When all these settings have been made, click on the OK button.
  - If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & Hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
Install Ad-Aware – Download and install Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from your Computer
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

You may want to check this fine article by Tony Klein: How did I get infected in the first place?

Glad I was able to help.