Spyware and trojan downloader - Geeks to Go Forums


Spyware and trojan downloader: we have a trojan downloader, worms and spyware that won't come off our

#1 McGrien

  • Group: Member
  • Posts: 4
  • Joined: 29-January 06

  Posted 29 January 2006 - 03:04 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:50:25 PM, on 1/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\crystal\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp7A67.tmp
O2 - BHO: CMBHO Class - {6379A99A-9102-446C-A837-0623E1810D75} - C:\Program Files\Crystalys media\cm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: CM Band - {159C2E51-9823-11D2-8DDC-D84A1B4ACD4D} - C:\Program Files\Crystalys media\cm.dll
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [CMLoader] rundll32.exe "c:\program files\crystalys media\cm.dll",MakeInjection
O4 - HKLM\..\Run: [itunesff] C:\WINDOWS\system32\itunesff.exe -go -c80 -w
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E32C64C-CA69-161F-724E-197B23B6453C} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {264F2902-A783-497A-4142-62D506D13E0B} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F29A7CE-49E7-60F9-6E16-1C0961D84FE8} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {51BC893C-BE86-08BE-141D-09D253D151B0} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {56BBBF69-56ED-17EE-9504-08507340A605} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {63755925-FC9E-3E35-B77A-576938275060} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {78C499C5-6AA3-1A1D-2928-37B64D504DFA} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-sec...m/ols/fscax.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

#2 Flrman1

  • Group: Retired Staff
  • Posts: 6,596
  • Joined: 17-April 05

Posted 29 January 2006 - 05:05 PM

Hi McGrien

Welcome to G2G!

* Click here to download smitRem.exe.
  • Save the file to your desktop.
  • It is a self extracting file.
  • Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop.
  • Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.
  • If the link to SmitRem above is not working try this one.


* Download the trial version of Ewido Security Suite here.
  • Install ewido.
  • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido
  • It will prompt you to update click the OK button and it will go to the main screen
  • On the left side of the main screen click update
  • Click on Start and let it update.
  • DO NOT run a scan yet. You will do that later in safe mode.


* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


* Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop


* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.


* Restart back into Windows normally now.


* Run ActiveScan online virus scan here

When the scan is finished, save the results from the scan!

Open the SmitRem folder on your desktop and locate the smitfiles.txt file. Copy and paste the contents of the smitfiles.txt file in your next reply here, along with a new HijackThis log and the results from ActiveScan.

#3 McGrien

  • Group: Member
  • Posts: 4
  • Joined: 29-January 06

Posted 30 January 2006 - 05:31 PM

Here are the other scans that you asked for. Thank you for your help; it's very appreciated.





Logfile of HijackThis v1.99.1
Scan saved at 6:15:56 PM, on 1/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\crystal\Desktop\HijackThis.exe

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:33:39 PM, 1/30/2006
+ Report-Checksum: F2265214

+ Scan result:

C:\Documents and Settings\crystal\Cookies\crystal@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\crystal\Cookies\crystal@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\crystal\Cookies\crystal@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\crystal\Cookies\crystal@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\crystal\Cookies\crystal@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\crystal\Cookies\crystal@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\crystal\Cookies\crystal@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\crystal\Cookies\crystal@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\crystal\Local Settings\Temporary Internet Files\Content.IE5\L6CAJHXG\gdnUS2296[2].exe -> Downloader.Small.ayl : Cleaned with backup


::Report End




Incident Status Location

Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\crystal\Cookies\crystal@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\crystal\Cookies\crystal@adrevolver[2].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\crystal\Cookies\crystal@ask[1].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\crystal\Cookies\crystal@clickbank[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\crystal\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\crystal\Desktop\smitRem.exe[Process.exe]
Adware:adware/securityerror Not disinfected C:\Documents and Settings\crystal\Favorites\Antivirus Test Online.url
Dialer:Dialer.FGG Not disinfected C:\Documents and Settings\crystal\Local Settings\Temp\dhmgjpmd.exe
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\justin\Cookies\justin@ask[1].txt
Potentially unwanted tool:Application/Malwarewipe Not disinfected C:\Documents and Settings\justin\Local Settings\Temporary Internet Files\Content.IE5\C5BBBZQ0\mw_install[1].exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\justin\strikeremove\smitRem\Process.exe
Potentially unwanted tool:Application/Malwarewipe Not disinfected C:\My Downloads\apps\mw_install.exe
Dialer:dialer.baj Not disinfected C:\WINDOWS\internt.exe
Dialer:dialer.xd Not disinfected C:\WINDOWS\switchagreement.txt

#4 McGrien

  • Group: Member
  • Posts: 4
  • Joined: 29-January 06

Posted 30 January 2006 - 05:32 PM

#5 Flrman1

  • Group: Retired Staff
  • Posts: 6,596
  • Joined: 17-April 05

Posted 30 January 2006 - 05:45 PM

What did you do with all the entries in your HijackThis log? Not only are all the malware entries gone, your antivirus startups and other legitimate entries are no longer there. What did you do? :)
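The two HijackThis logs in this thread illustrate both halves of the helper's job: triaging the first log (the O16 DPF entries pulling an .exe from a bare IP, the BHO loaded from a .tmp in system32, the rundll32 Run entry calling an export named MakeInjection) and then, as Flrman1 notices above, spotting that the second log lost legitimate entries (ccApp, THGuard) along with the bad ones. The Python below is an added example written for this page; it is not part of the thread, of HijackThis, or of any Geeks to Go tool. The sample log text is copied, abridged, from the logs posted in #1 and #3; the triage heuristics, function names and the cross-entry rule are my own and are only heuristics, so they can fire on legitimate software and miss real malware.

```python
"""Parse HijackThis v1.99.1 log lines, triage them, and diff two logs.

Added example for this thread; not HijackThis code and not a signature set.
LOG_BEFORE / LOG_AFTER are abridged copies of the two logs posted above.
"""
import re
from dataclasses import dataclass

LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp7A67.tmp
O3 - Toolbar: CM Band - {159C2E51-9823-11D2-8DDC-D84A1B4ACD4D} - C:\Program Files\Crystalys media\cm.dll
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [CMLoader] rundll32.exe "c:\program files\crystalys media\cm.dll",MakeInjection
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O16 - DPF: {1E32C64C-CA69-161F-724E-197B23B6453C} - http://85.255.113.214/1/gdnUS2296.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

# Entry lines look like "O4 - HKLM\..\Run: [name] path args"; process lines
# and headers do not carry the "<section> - " prefix and are skipped.
_ENTRY_RE = re.compile(r"^([FRO]\d{1,2}) - (.*)$")
_BARE_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I)
_DLL_RE = re.compile(r"[a-z]:\\[^\",]+?\.dll", re.I)


@dataclass(frozen=True)
class Entry:
    section: str  # "O2", "O4", "O16", ...
    body: str     # everything after "<section> - "


def parse_hjt(text):
    """Return the Entry objects found in a HijackThis log, in log order."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entry):
    """Per-entry heuristics (my own, derived from this thread's log).

    Returns the reasons an entry deserves a look; an empty list means none
    of these rules fired, not that the entry is clean.
    """
    reasons = []
    body, lower = entry.body, entry.body.lower()
    if entry.section == "O16" and _BARE_IP_URL_RE.search(body):
        reasons.append("ActiveX download (DPF) from a bare IP address")
    if entry.section == "O16" and ".exe" in lower and "(" not in body:
        reasons.append("DPF points at an .exe with no friendly name")
    if entry.section in ("O2", "O3") and re.search(r"\\system32\\[^\\]+\.tmp$", lower):
        reasons.append("BHO/toolbar loaded from a .tmp file in system32")
    if entry.section == "O4" and "makeinjection" in lower:
        reasons.append("Run key calls rundll32 with an export named MakeInjection")
    if entry.section == "O4" and "\\winupdates\\" in lower:
        reasons.append("Run key imitates a Windows Update folder name")
    return reasons


def triage_log(entries):
    """Map each entry to its reasons, plus one cross-entry rule: a BHO or
    toolbar (O2/O3) whose DLL is also loaded by a flagged O4 Run entry
    inherits the suspicion, even if nothing about its own line stands out."""
    reasons = {e: triage(e) for e in entries}
    flagged_dlls = set()
    for e, why in reasons.items():
        if e.section == "O4" and why:
            flagged_dlls.update(m.group(0).lower() for m in _DLL_RE.finditer(e.body))
    for e in entries:
        if e.section in ("O2", "O3"):
            for dll in flagged_dlls:
                if dll in e.body.lower():
                    reasons[e].append(f"same DLL as a flagged Run entry ({dll})")
                    break
    return reasons


def removed_by_category(before, after):
    """Entries present in `before` but missing from `after`, split into the
    ones the heuristics flagged and the ones they did not. Unflagged entries
    that vanished are what a helper wants to know about: something legitimate
    was deleted too."""
    entries = parse_hjt(before)
    reasons = triage_log(entries)
    after_set = set(parse_hjt(after))
    removed = [e for e in entries if e not in after_set]
    flagged = [e for e in removed if reasons[e]]
    unflagged = [e for e in removed if not reasons[e]]
    return flagged, unflagged


if __name__ == "__main__":
    for e, why in triage_log(parse_hjt(LOG_BEFORE)).items():
        for r in why:
            print(f"{e.section}: {r}\n    {e.body}")
    flagged, unflagged = removed_by_category(LOG_BEFORE, LOG_AFTER)
    print(f"\n{len(flagged)} flagged entries gone, {len(unflagged)} unflagged entries gone:")
    for e in unflagged:
        print(f"  {e.section} - {e.body}")
```

Run as-is, the script flags the hp7A67.tmp BHO, both suspicious Run keys, the bare-IP DPF download and, through the shared cm.dll, the CM Band toolbar; the diff then reports that the Symantec ccApp and TrojanHunter THGuard startups and the ewido guard service also vanished between the two logs, which is exactly the question Flrman1 raises.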

#6 McGrien

  • Group: Member
  • Posts: 4
  • Joined: 29-January 06

Posted 30 January 2006 - 06:09 PM

I did the Logfile of HijackThis again, the ewido anti-malware scan report again, and ActiveScan. I'm sorry, I'm stupid when it comes to PCs. Tell me what you still need and I will try to get it to you. Sorry about that.

#7 Flrman1

  • Group: Retired Staff
  • Posts: 6,596
  • Joined: 17-April 05

Posted 30 January 2006 - 06:26 PM

Did you use Hijack This to remove any of the entries yourself?
