Post #1, Jan 6 2009, 07:55 AM
New Member; Group: Members; Posts: 1; Joined: 6-January 09; Member No.: 278,957
SpywareBot Websearch_Toolbar Component.Claria NirCmd Trogan.Generic Known_Bad_Sites Advertising Tracking Cookies At that point I did some internet searching and found this forum.

DDS (Version 1.1.0) - NTFSx86
Run by Nick Goeser at 5:49:14.67 on Tue 01/06/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2030.1256 [GMT -6:00]
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Quicknote\quicknote.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Nick Goeser\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: N/A: {4d25f926-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\deSrcAs.dll
BHO: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Quicknote] c:\program files\quicknote\quicknote.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [sysguard] c:\windows\
uRun: [AWMON] "c:\program files\lavasoft\ad-aware se professional\Ad-Watch.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
StartupFolder: c:\docume~1\nickgo~1\startm~1\programs\startup\persba~1.lnk - c:\program files\personal backup 4\Persbackup.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.2.28.dll/206
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\inetrepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\inetrepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: wisc.edu\mytime
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\aatp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\cenetflt.dll
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: cbzqns.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\nickgo~1\applic~1\mozilla\firefox\profiles\v9jp3vxb.default user\
FF - prefs.js: browser.startup.homepage - hxxp://nytimes.com
FF - component: c:\documents and settings\nick goeser\application data\mozilla\firefox\profiles\v9jp3vxb.default user\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\documents and settings\nick goeser\application data\mozilla\firefox\profiles\v9jp3vxb.default user\extensions\piclens@cooliris.com\components\piclensstub.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npcpbrk7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npsnapfish.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============
R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-1-5 40840]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-1-5 28544]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-1-5 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-1-5 81288]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-4 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090105.009\naveng.sys [2009-1-5 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090105.009\navex15.sys [2009-1-5 876112]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-1-5 356920]
R4 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-1-5 1079176]
R4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-18 24652]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]
S4 hpdj00;hpdj00;c:\docume~1\nickgo~1\locals~1\temp\hpdj00.exe -servicerunning=true -uninstall=hp psc 1500 series -product=aio --> c:\docume~1\nickgo~1\locals~1\temp\hpdj00.exe -servicerunning=true -uninstall=HP PSC 1500 series -product=aio [?]
S4 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys --> c:\windows\system32\drivers\portd2k.sys [?]

=============== Created Last 30 ================
2009-01-05 13:11 <DIR> --d----- C:\cmdcons
2009-01-05 12:59 161,792 a------- c:\windows\SWREG.exe
2009-01-05 12:59 98,816 a------- c:\windows\sed.exe
2009-01-05 09:47 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-01-05 09:41 <DIR> --d----- c:\program files\Panda Security
2009-01-05 09:37 <DIR> --d----- c:\documents and settings\nick goeser\.housecall6.6
2009-01-05 07:15 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-01-05 07:15 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-01-05 07:15 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-01-05 07:15 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-01-05 07:15 <DIR> --d----- c:\program files\Spyware Doctor
2009-01-05 07:15 <DIR> --d----- c:\docume~1\nickgo~1\applic~1\PC Tools
2009-01-05 05:36 <DIR> --d----- c:\program files\Lavasoft
2009-01-04 21:20 110,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-04 21:20 48,768 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-04 21:20 8,014 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-04 21:20 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-01-04 21:17 <DIR> --d----- c:\program files\Symantec AntiVirus
2009-01-04 21:09 <DIR> --d----- C:\SAVCE1016
2009-01-04 12:15 71,274 a------- c:\windows\system32\ssqNHaYR.dll
2009-01-04 09:44 273,790 a------- c:\windows\sysguard.exe
2008-12-19 06:56 259,448 a------- c:\windows\system32\awrdscdc.ax
2008-12-19 06:55 <DIR> --d----- c:\program files\Audible
2008-12-08 13:08 <DIR> --d----- c:\program files\Brownie
2008-12-08 13:07 410 a------- c:\windows\BRWMARK.INI
2008-12-08 13:07 52 a------- c:\windows\BRPP2KA.INI
2008-12-08 13:07 30 a------- c:\windows\system32\brss01a.ini
2008-12-08 13:07 184 a------- c:\windows\system32\brsvc01a.bsi
2008-12-08 13:06 180,224 a------- c:\windows\system32\PDRVINST.DLL
2008-12-08 13:06 163,840 a------- c:\windows\system32\BRSP204A.DLL
2008-12-08 13:06 163,840 a------- c:\windows\system32\BRSP104A.DLL
2008-12-08 13:06 131,072 a------- c:\windows\system32\BRSP204A.EXE
2008-12-08 13:06 131,072 a------- c:\windows\system32\BRSP104A.EXE
2008-12-08 13:06 57,344 a------- c:\windows\system32\BRSVC01A.EXE
2008-12-08 13:06 45,056 a------- c:\windows\system32\BRSS01A.EXE
2008-12-08 13:06 81,920 a------- c:\windows\system32\BrWebIns.dll
2008-12-08 13:06 65,536 a------- c:\windows\system32\BRWEBUP.EXE

==================== Find3M ====================
2009-01-05 10:59 2,874 a------- c:\docume~1\nickgo~1\applic~1\WWB7_32.DAT
2008-12-12 11:33 3,060,224 -------- c:\windows\system32\dllcache\mshtml.dll
2008-11-12 18:47 75,944 a---h--- c:\windows\system32\mlfcache.dat
2008-11-07 14:23 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2008-10-24 05:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 10:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 03:45 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2007-02-01 10:00 40,264 a------- c:\docume~1\nickgo~1\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 5:50:24.84 ===============
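A DDS log like the one above is read by a helper line by line, looking for a handful of well-known patterns before anything is touched. The script below is an added example of that first pass, written for this page (it is not code from the poster, the HJT Team, or the DDS tool): it flags a populated AppInit_DLLs value (a DLL loaded into every process that maps user32.dll), BHO and toolbar CLSIDs registered with no file behind them, Run entries whose target is not an executable, anything launched from a temp directory, and executables or DLLs newly created directly in the Windows or System32 root, then cross-references those new files against Run entry names. The sample input is a constructed subset of lines copied from the log above; the rule names, regexes and the idea of correlating Run names with new files are my own assumptions, and every hit is a lead to verify by hand (signature, vendor, timeline), not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed test input: a subset of lines copied from the DDS log posted above.
SAMPLE_LOG = r"""uURLSearchHooks: N/A: {4d25f926-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\deSrcAs.dll
BHO: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [sysguard] c:\windows\
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: cbzqns.dll
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
S4 hpdj00;hpdj00;c:\docume~1\nickgo~1\locals~1\temp\hpdj00.exe -servicerunning=true -uninstall=hp psc 1500 series -product=aio --> c:\docume~1\nickgo~1\locals~1\temp\hpdj00.exe -servicerunning=true -uninstall=HP PSC 1500 series -product=aio [?]
2009-01-04 21:20 48,768 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-04 12:15 71,274 a------- c:\windows\system32\ssqNHaYR.dll
2009-01-04 09:44 273,790 a------- c:\windows\sysguard.exe
2008-12-08 13:06 180,224 a------- c:\windows\system32\PDRVINST.DLL
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


# Assumed heuristics (my own, not DDS or HJT Team rules). A hit is a lead to verify, not a verdict.
RUN_ENTRY = re.compile(r'^[um]Run: \[([^\]]+)\] "?(.+?)"?$')
EXECUTABLE = re.compile(r"\.(exe|dll|scr|com|bat|cmd)(\s|$)", re.I)
TEMP_DIR = re.compile(r"\\(locals~1|local settings)\\temp\\", re.I)
CREATED_ENTRY = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} [\d,]+ [a-z-]{8} (.+)$", re.I)
# A .exe/.dll dropped directly into c:\windows or c:\windows\system32 (not a vendor subfolder).
SYSTEM_ROOT_BINARY = re.compile(r"^c:\\windows\\(system32\\)?[^\\]+\.(exe|dll)$", re.I)
HOOK_PREFIXES = ("BHO:", "TB:", "EB:", "uURLSearchHooks:", "mURLSearchHooks:")


def triage(log_text: str) -> list[Finding]:
    """Run the heuristics over every line of a DDS log and return findings in log order."""
    findings: list[Finding] = []
    run_entries: dict[str, str] = {}      # Run value name (lower-cased) -> log line
    new_root_binaries: set[str] = set()   # stems of binaries newly created in the system root
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # AppInit_DLLs is loaded into every process that maps user32.dll; any value needs a known owner.
        if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings.append(Finding("appinit_dll", line))
        # Browser hooks whose CLSID resolves to no file: leftover registration from a removed component.
        elif line.startswith(HOOK_PREFIXES) and line.endswith("No File"):
            findings.append(Finding("orphan_clsid", line))
        m = RUN_ENTRY.match(line)
        if m:
            name, target = m.groups()
            run_entries[name.lower()] = line
            # A Run value pointing at a directory or a non-executable is malformed or hiding its target.
            if target.endswith("\\") or not EXECUTABLE.search(target):
                findings.append(Finding("run_target_not_executable", line))
        # Services, Run values or hooks launched from a temp directory.
        if TEMP_DIR.search(line):
            findings.append(Finding("temp_path", line))
        m = CREATED_ENTRY.match(line)
        if m and SYSTEM_ROOT_BINARY.match(m.group(1)):
            findings.append(Finding("new_binary_in_system_root", line))
            stem = m.group(1).rsplit("\\", 1)[1].rsplit(".", 1)[0]
            new_root_binaries.add(stem.lower())
    # Correlate: a Run value named like a binary that appeared in the system root within the last 30 days.
    for name in sorted(new_root_binaries & set(run_entries)):
        findings.append(Finding("run_name_matches_new_binary", run_entries[name]))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, for a quick overview before reading the lines themselves."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against a full DDS log the `new_binary_in_system_root` rule will also list printer drivers and AV components that legitimately install into System32, which is why the correlation with Run entry names is the more useful signal: on the sample above it singles out the `sysguard` Run value whose target is a bare directory while a same-named executable appeared in c:\windows the day before.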
Post #2, Jan 20 2009, 08:33 AM
W.A.M. (Women Against Malware); Group: HJT Team; Posts: 4,564; Joined: 3-January 05; From: South Carolina, USA; Member No.: 8,530
Welcome to the BleepingComputer Forums.
Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
Please see Preparation Guide for use before posting about your potential Malware problem. If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped. While we are working on your HijackThis log, please:
--------------------
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.
Post #3, Feb 2 2009, 07:46 AM
W.A.M. (Women Against Malware); Group: HJT Team; Posts: 4,564; Joined: 3-January 05; From: South Carolina, USA; Member No.: 8,530
This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.