My laptop is infected with - spyware, Trojan -, what I initially believed with stealthSWs114.h!dll ver.4.442as18a and then after following your preliminary instructions, ewido security suite will pop up an alert message every 10 min with an infected file.
My equipment:
Laptop IBM T20
OS Windows 2000 Pro, updated to SP 5
IE: 6.0 SP1
Description:
- stealthSWs114.h!dll ver.4.442as18a
Every time I access IE, a Microsoft warning window pop open stating:
" Your PC is infected with spyware
Browser version: 4.0(compatible; MSIE 6.0; NT 5,o.........)
Spyware details: "stealthSWs114.h!dll ver.4.442as18a"
Access port: #33299
Your private data information is in danger. You need to download additional security software to protect your system.
Click OK to visit official anti-spyware
"
Moreover, it direct the homepage to http://www.syserros.com/ no matter what you do or set on the internet option.
- After installed and run ewido security suite, every 10 min an alert warning window is openned with an infected file. All files are located in the c:\winnt\system32. These are some of them: nvcrtl.exe, mscornet.exe, hpfc81.tmp, hp4aa.tmp, id579c.tmp, hp3446.tmp, idfc8b.tmp, hp1006.tmp, ......... related to this main group: Trojan.Small.fs, Spyware.Hijacker.Gen....., and TrojanDownloadder.Zlo... It never ends
I have tried to clean and delete each one of the above with Killbox software and they come back. I have also selected and fixed/cleaned the BHO files from/with the Hijackthis software and they come back in the next scan.
I am really exausted and frustated at trying to clean this computer and nothing. Please help me. I am going nuts.
The below it the Hijack this log file:
Logfile of HijackThis v1.99.1
Scan saved at 4:46:49 PM, on 11/15/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\csrss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\System32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\WINNT\system32\cusrvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\winnt\system32\hidserv.exe
C:\WINNT\system32\NALNTSRV.EXE
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\wm.exe
C:\WINNT\TEMP\ROEB12.EXE
C:\winnt\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\winnt\system32\NWTRAY.EXE
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCM3.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ewido\security suite\securitysuite.exe
C:\winnt\system32\nvctrl.exe
C:\SOFTWARE\hijack this\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: HomepageBHO - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} - C:\winnt\system32\hp1006.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VerifyStartMenu] RunDLL32 C:\NETMANAG.95\NMGOINN.DLL,VerifyStartMenu
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132045354699
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6462BFA-7DE6-4C6E-8A6C-D6392D640730}: NameServer = 68.28.50.11 68.28.58.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = fll.emb
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = fll.emb
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = fll.emb
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\system32\NALNTSRV.EXE
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\winnt\system32\wm.exe
Let me know if there is anything I can provide you to help destroy this ridiculous malware.
Thanks.