
Trojan Zlob +dialers


  • This topic is locked
30 replies to this topic

#1 mariska

  • Members
  • 86 posts
  • Location: Turku

Posted 09 September 2007 - 08:33 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:31:34, on 9.9.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Christian\Työpöytä\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124300608156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124300776359
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 7619 bytes
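As an added example that is not part of this thread or of HijackThis itself: a small Python parser for the log line format above (the `O2`, `O4` and `O16` entry types), with three heuristic checks a helper usually applies by eye: a BHO whose CLSID resolves to `(no file)`, an autostart whose command is a bare filename or points outside `C:\WINDOWS` / `C:\Program Files`, and an ActiveX control (`O16 - DPF`) downloaded from a host outside a small allow-list. The allow-lists, the sample lines and the Temp-folder autostart entry are assumptions constructed for the example; a flagged line is a candidate for review, not a verdict (the Yahoo control it flags is a legitimate download).

```python
import re
from urllib.parse import urlparse

# Constructed sample in the HijackThis v2 line format used in this thread. Most lines
# are copied from the logs above; the HKCU\..\Run entry pointing into a Temp folder is
# a hypothetical line added only to exercise the "unusual location" check.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Christian\Local Settings\Temp\updater.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
"""

# Every HijackThis entry starts with a section code such as R1, O2, O4, O16, O23.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 body: "<hive\..\Run>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O16 body: "DPF: {CLSID} (<control name>) - <download URL>"
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")

# Heuristic allow-lists: assumptions made for this example, not HijackThis's own rules.
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\progra~1")
TRUSTED_DPF_DOMAINS = ("microsoft.com", "msn.com")


def parse_hjt(text):
    """Return a list of (section_code, body) tuples for every entry line in the log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def _exe_path(cmd):
    """Extract the executable from an O4 command line: a quoted path, else the first token.
    An unquoted path containing spaces is cut at the first space, which still leaves
    enough of it for the root-directory check below."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def _host_allowed(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS)


def review(entries):
    """Apply the three heuristics and return (code, reason, body) for each hit."""
    findings = []
    for code, body in entries:
        if code == "O2" and body.endswith("(no file)"):
            findings.append((code, "orphaned BHO CLSID (no file on disk)", body))
        elif code == "O4":
            m = O4_RE.match(body)
            if not m:
                continue  # e.g. "Global Startup:" lines, which use a different layout
            path = _exe_path(m.group("cmd")).lower()
            if "\\" not in path:
                findings.append((code, "bare filename, resolved through the search path", body))
            elif not path.startswith(TRUSTED_ROOTS):
                findings.append((code, "autostart outside Windows/Program Files", body))
        elif code == "O16":
            m = O16_RE.match(body)
            if not m:
                continue
            host = urlparse(m.group("url")).hostname or ""
            if not _host_allowed(host):
                findings.append((code, "ActiveX control downloaded from a non-allow-listed host", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in review(parse_hjt(SAMPLE_LOG)):
        print(f"{code:4} {reason}\n     {body}")
```

Run it on a saved HijackThis log by replacing `SAMPLE_LOG` with the file contents; the `R1` line is parsed but produces no finding, and the `Global Startup` form of `O4` is skipped because its layout differs from the registry form.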


#2 SifuMike (malware expert)

  • Staff Emeritus
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 12 September 2007 - 11:29 PM

Hello mariska,

I am SifuMike and I will be helping you. :thumbsup:
Sorry for the delay. We have many logs backed up.

Trojan Zlob +dialers, I can't find anything to remove it


What is finding the Trojan Zlob +dialers?
Does it tell the locations of the infections?


****************************

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

****************************

NOTE: If you have downloaded ComboFix previously please delete that version and download it again!

1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT attach any of the logs, as that makes it harder to read.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

Edited by SifuMike, 12 September 2007 - 11:42 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 mariska (Topic Starter)

  • Members
  • 86 posts
  • Location: Turku

Posted 14 September 2007 - 10:44 AM

Thanks, I was just giving up hope of a reply. Here are the logs you requested:

SmitFraudFix v2.223

Scan done at 18:33:38,56, pe 14.09.2007
Run from C:\Documents and Settings\Christian\Työpöytä\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\XoftSpySE\xoftspy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts
ComboFix 07-09-14.2 - "Christian" 2007-09-14 18:37:34.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.358.1035.18.184 [GMT 3:00]
* Created a new restore point
.

((((( Files created between 2007-08-14 and 2007-09-14 )))))))))))))))))
.

2007-09-14 18:00 <DIR> d-------- C:\Program Files\XoftSpySE
2007-09-13 16:27 <DIR> d-------- C:\DOCUME~1\Vieras\APPLIC~1\Google
2007-09-13 16:25 <DIR> d-------- C:\DOCUME~1\Vieras\APPLIC~1\Real
2007-09-13 16:23 <DIR> dr------- C:\DOCUME~1\Vieras\Suosikit
2007-09-13 16:23 <DIR> dr------- C:\DOCUME~1\Vieras\Omat tiedostot
2007-09-13 16:23 <DIR> dr------- C:\DOCUME~1\Vieras\Käynnistä-valikko
2007-09-13 16:23 <DIR> d--h----- C:\DOCUME~1\Vieras\Verkkoympäristö
2007-09-13 16:23 <DIR> d--h----- C:\DOCUME~1\Vieras\Tulostinympäristö
2007-09-13 16:23 <DIR> d--h----- C:\DOCUME~1\Vieras\Mallit
2007-09-13 16:23 <DIR> d---s---- C:\DOCUME~1\Vieras\UserData
2007-09-13 16:23 <DIR> d-------- C:\DOCUME~1\Vieras\Työpöytä
2007-09-13 16:23 <DIR> d-------- C:\DOCUME~1\Vieras\APPLIC~1\InterTrust
2007-09-12 17:55 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-12 17:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-11 18:35 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-09-11 16:40 <DIR> d-------- C:\DOCUME~1\CHRIST~1\Contacts
2007-09-11 11:28 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-09-11 11:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Live Toolbar
2007-09-10 17:04 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-09-09 20:17 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-09 18:40 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-09-09 18:40 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-09-09 18:15 <DIR> d-------- C:\DOCUME~1\CHRIST~1\APPLIC~1\Sunbelt Software
2007-09-09 16:28 <DIR> d-------- C:\Program Files\Hjt
2007-09-09 15:47 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-09-08 20:23 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-09-08 18:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ParetoLogic Anti-Spyware
2007-08-25 15:12 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-25 14:47 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-25 13:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-19 19:21 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-08-19 19:21 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-08-19 19:21 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-08-19 19:21 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-08-19 19:21 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-08-19 19:21 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-19 19:21 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-08-19 19:21 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-08-19 19:21 <DIR> d-------- C:\Program Files\Alwil Software
2007-08-16 19:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\fssg

.
(((((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-14 17:05 --------- d-------- C:\Program Files\SUPERAntiSpyware
2007-09-11 10:52 --------- d-------- C:\Program Files\MSN Messenger
2007-09-09 20:49 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-08 20:14 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-08 16:11 --------- d-------- C:\Program Files\DC++
2007-08-30 15:10 --------- d-------- C:\Program Files\Google
2007-07-31 17:55 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-06-26 09:09 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 16:32 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-17 00:11 51200 --a------ C:\WINDOWS\nircmd.exe
2007-04-21 20:10 283553138 --a------ C:\Program Files\PSE_40_WWE_TRYBUY.zip
2007-01-16 22:04 1499615 --a------ C:\Program Files\wpo6demo.exe
2006-09-22 16:04 1802698 --a------ C:\Program Files\Sony Cybershot DSCS40 41 MP Digital Camera with 3x Manual.pdf
2005-12-25 15:10 8553472 --a------ C:\Program Files\AudioConverter.exe
2005-06-23 23:06 6677264 --a------ C:\Program Files\awmaw.exe
2005-05-14 22:43 315624 --a------ C:\Program Files\dxwebsetup.exe
2005-05-13 18:09 35113704 --a------ C:\Program Files\directx_9c_redist.exe
2005-04-15 22:20 302680 --a------ C:\Program Files\ac3filter_0_70b.exe
2005-04-01 20:56 2591640 --a------ C:\Program Files\DCPlusPlus-0.673.exe
2005-03-29 14:53 37189 --a------ C:\Program Files\DC++ 0[1][1].673 Finnish.xml
2005-03-27 22:47 2495484 --a------ C:\Program Files\DCPlusPlus-0.670.exe
2004-11-24 21:46 1519 --a------ C:\Program Files\Paint.lnk
2004-11-02 20:10 6805849 --a------ C:\Program Files\setup.exe
2004-07-22 10:51 3432656 --a------ C:\Program Files\ManagedDX.CAB
2004-07-19 22:58 1156363 --a------ C:\Program Files\BDANT.cab
2004-07-19 22:53 976020 --a------ C:\Program Files\BDAXP.cab
2004-07-09 14:17 13265040 --a------ C:\Program Files\dxnt.cab
2004-07-09 09:13 703080 --a------ C:\Program Files\BDA.cab
2004-07-09 09:13 15493481 --a------ C:\Program Files\DirectX.cab
2004-07-09 04:08 472576 --a------ C:\Program Files\dxsetup.exe
2004-07-09 04:08 2242560 --a------ C:\Program Files\dsetup32.dll
2004-07-09 03:03 62976 --a------ C:\Program Files\DSETUP.dll
2002-06-04 04:24 40960 --a------ C:\Program Files\auto.exe
2007-04-24 11:02:48 5 --sha-w C:\WINDOWS\system32\ffddeeb4_d.dll
.

((((((((((((((((((((((((((((( snapshot_2007-09-09_173139.73 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 465,816 2007-03-27 11:25:30 C:\WINDOWS\Downloaded Program Files\wlscBase.dll
----a-w 141,424 2006-08-24 05:28:54 C:\WINDOWS\Downloaded Program Files\CONFLICT.1\asinst.dll
----a-r 29,926 2007-09-11 07:51:57 C:\WINDOWS\Installer\{DF6FEB75-A0D1-44E5-A754-0072D4967734}\MsblIco.Exe
----a-w 157,952 2007-09-14 13:10:01 C:\WINDOWS\system32\FNTCACHE.DAT
----a-w 17,474,680 2007-09-06 02:50:42 C:\WINDOWS\system32\MRT.exe
----a-w 49,152 2003-02-21 04:16:08 C:\WINDOWS\system32\REGTLIB.EXE
----a-w 51,056 2007-01-19 09:53:04 C:\WINDOWS\system32\sirenacm.dll
----a-w 213,048 2005-05-24 08:27:16 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
----a-w 94,208 2007-09-07 08:29:00 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
----a-w 946,176 2007-09-07 08:29:00 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
----atw 16,384 2007-09-14 14:22:25 C:\WINDOWS\temp\Perflib_Perfdata_4bc.dat
----a-w 479,232 2006-06-05 11:14:28 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
----a-w 548,864 2006-06-05 11:14:28 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
----a-w 626,688 2006-06-05 11:14:28 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
.
----a-w 155,568 2007-08-28 09:29:53 C:\WINDOWS\system32\FNTCACHE.DAT
----a-w 16,789,464 2007-08-03 04:34:10 C:\WINDOWS\system32\MRT.exe
----a-w 118,784 2006-01-25 03:34:24 C:\WINDOWS\system32\sirenacm.dll
.
(((((((((((((((((((((((((((((( Registry startup points )))))))))))))))))))))))))))))))))))))))))))))
.

*Note* Empty entries and legitimate default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-04-22 19:04 C:\WINDOWS\SOUNDMAN.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-11-24 21:22]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-04-22 19:05]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-04-22 19:05]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-03-29 14:34]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 13:06]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 12:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 02:12]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 00:18]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\DOCUME~1\ALLUSE~1\KYNNIS~1\Ohjelmat\KYNNIS~1\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 01:17:18]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-11-11 22:46:10]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R2 LogWatch;Event Log Watch;C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
S3 CA_LIC_CLNT;CA License Client;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
S3 CA_LIC_SRVR;CA License Server;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-12 12:22:39 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1180177087.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2007-09-11 15:00:00 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
"2007-08-19 08:56:02 C:\WINDOWS\Tasks\Scheduled scanning task.job"
"2007-09-14 15:37:04 C:\WINDOWS\Tasks\Tarkistetaan Windows Live -työkalurivin päivitykset.job"
"2007-09-14 15:00:16 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2007-09-14 15:00:15 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-14 18:39:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-14 18:40:55
C:\ComboFix-quarantined-files.txt ... 2007-09-14 18:40
.
--- E O F ---

#4 SifuMike (malware expert)

  • Staff Emeritus
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 14 September 2007 - 11:34 AM

Hello mariska,

I see you opened another thread at GeeksToGo
http://www.geekstogo.com/forum/Trojan-zlob-t170312.html

Opening two threads wastes two helpers' time and is the reason we have logs backed up. :thumbsup:

If you want me to continue helping you, then go to the thread you opened at GeeksToGo and ask them to close it, as you are being helped here.

What is finding the Trojan Zlob and dialers?
Does it tell the locations of the infections?


It looks like you posted a partial SmitfraudFix report.
Please post the entire SmitfraudFix report.

Edited by SifuMike, 14 September 2007 - 11:41 AM.


#5 mariska (Topic Starter)

  • Members
  • 86 posts
  • Location: Turku

Posted 14 September 2007 - 11:40 AM

Hi SifuMike, I scanned with XoftSpy and it found cws.oslogo media codec zlob trojan and instant access.
Here is the search log it gives me:

SmitFraudFix v2.223

Scan done at 19:38:03,18, pe 14.09.2007
Run from C:\Documents and Settings\Christian\Työpöytä\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Christian


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Christian\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\CHRIST~1\Suosikit


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 193.229.0.40
DNS Server Search Order: 193.229.0.42

HKLM\SYSTEM\CCS\Services\Tcpip\..\{23EF03B0-6A77-4E0E-9BEA-63451612ED57}: DhcpNameServer=193.229.0.40 193.229.0.42
HKLM\SYSTEM\CS1\Services\Tcpip\..\{23EF03B0-6A77-4E0E-9BEA-63451612ED57}: DhcpNameServer=193.229.0.40 193.229.0.42
HKLM\SYSTEM\CS3\Services\Tcpip\..\{23EF03B0-6A77-4E0E-9BEA-63451612ED57}: DhcpNameServer=193.229.0.40 193.229.0.42
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=193.229.0.40 193.229.0.42
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=193.229.0.40 193.229.0.42
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=193.229.0.40 193.229.0.42


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:40:11, on 14.9.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Christian\Työpöytä\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124300608156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124300776359
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--

#6 SifuMike

SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:06 PM

Posted 14 September 2007 - 11:46 AM

Hi

Please read my previous topic. I just edited it. I want you to close the post you opened at GeeksToGo or ask them to close it.

I scanned with xoft spy and it found cws.oslogo media codec zlob trojan and instant access.


Does it give you a location of the trojan?

Edited by SifuMike, 14 September 2007 - 11:49 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 mariska (Topic Starter)

Posted 14 September 2007 - 11:58 AM

Hi, I've requested the closure of my thread at Geeks to Go. I have some locations, but I have to type them manually; I'll post them soon... thanks for the help.

#8 SifuMike (malware expert, Staff Emeritus)

Posted 14 September 2007 - 12:02 PM

Try using copy and paste. That is far easier than typing them manually.

#9 mariska (Topic Starter)

Posted 14 September 2007 - 12:10 PM

Hi, now it says WinAntiVirusPro 2006 many times, plus dialers.
The locations are:
software/ folder manager
/shellex/context menu handlers/shell extension
/shellex/context menu handlers/shell extension
/shellex/context menu handlers/shell extension
software/microsoft internet explorer/styles/user style sheet
c:/windows/system 32.eglivecam-1030dll

#10 SifuMike (malware expert, Staff Emeritus)

Posted 14 September 2007 - 02:27 PM

Hello mariska,

i'v requested the closure of my thread in geeks to go


I am not seeing that you requested to close the thread. :thumbsup:
http://www.geekstogo.com/forum/Trojan-zlob-t170312.html
You need to do that immediately.
Opening two threads at different forums wastes helpers' time and causes backlogs.

now it says winantiviruspro 2006 many times plus dialers
the locations are-
software/ folder manager
/shellex/context menu handlers/shell extension
/shellex/context menu handlers/shell extension
/shellex/context menu handlers/shell extension
software/microsoft internet explorer/styles/user style sheet


Those are all partial registry keys, so they do not help me.
I need the complete registry keys to be able to delete it.



Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'

Go to Jotti Online File Scanner, copy and paste (or use Browse to find the file) c:/windows/system 32.eglivecam-1030dll
into the upload box and scan it.

Let me know the results.
Copy and paste the output to this thread

It should look something like this sample:

File: GoogleToolbarInstaller.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: CEXE

AntiVir No viruses found (0.15 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender No viruses found (0.97 seconds taken)
ClamAV No viruses found (0.39 seconds taken)
Dr.Web No viruses found (0.52 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus No viruses found (0.74 seconds taken)
mks_vir No viruses found (0.21 seconds taken)
NOD32 No viruses found (0.42 seconds taken)
Norman Virus Control No viruses found (0.40 seconds taken)


*******************************

You will need to use Internet Explorer for this scan.

Disable your antivirus program and go here to run BitDefender Online Scan.
Click on I Agree.
Avoid clicking on other links as you don't need to try out the full install at this point, just the online scanner.

When the ActiveX Control has loaded, click on "Click here to scan".
Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.

NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat the BitDefender Online Scan.


When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.


******************

You already have AVG Anti-Spyware v7.5 installed, so I want you to run it in Safe Mode.
  • Connect to the Internet, go back to AVG Anti-Spyware, select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.
  • Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". (Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this is the case, press the WINKEY + M key to "Minimize" the AVG display. Then right-click on AVG in the Task Bar and select "Maximize". If that does not help, then you may have to run your scan in normal mode and advise your helper afterwards.)

Scan with AVG Anti-Spyware as follows:
  • Click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?", "Possibly unwanted software", and "What to Scan?" leave all the default settings.
  • Under "Reports" select "Do not automatically generate reports" and UNcheck "Only if threats were found".
  • Click the "Scan" tab to return to scanning options.
  • Click "Complete System Scan" to start.
  • When the scan has finished, it should automatically be set to Quarantine--if not click on Recommended Action and set it there.
  • You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
  • Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop.
    A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
  • Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.
Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.


When done, submit the results of the Jotti Scan, the BitDefender log, the AVG Anti-Spyware 7.5 log and a fresh Hijackthis log.

Edited by SifuMike, 14 September 2007 - 04:41 PM.


#11 mariska (Topic Starter)

Posted 15 September 2007 - 12:35 AM

Good morning. Well, I wasn't sure how to close the topic at Geeks to Go, but I think now I've succeeded.
I unchecked the boxes in Tools as instructed and then I uploaded c:/windows/system 32.eglivecam-1030dll into the Jotti page and it gave me this answer:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

Then I ran the BitDefender program and it reported 'no threats found', hence no log.

I rebooted into Safe Mode and did the AVG scan; here is the report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:11:58 15.9.2007

+ Scan result:



C:\Documents and Settings\Christian\Cookies\christian@ie.search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Christian\Cookies\christian@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.


::Report end

Not much reading in that one... here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:40, on 15.9.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Christian\Työpöytä\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124300608156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124300776359
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 8967 bytes
Thanks for your help!!
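SifuMike reads the HijackThis log section by section (O2 browser helper objects, O4 Run keys, O16 ActiveX downloads, O20 Winlogon Notify DLLs, O23 services) and asks for a fresh log after each round of cleaning. The script below is an added example written for this page, not a HijackThis or BleepingComputer tool: it parses entry lines copied from the logs posted in this thread, flags the entries a helper looks at first, and diffs two logs so a fresh log can be compared with the previous one (the second log in this thread gained a BitDefender O16 entry after the online scan, which is the constructed `LATER_LOG` here). The flags are review items, not verdicts: SASWINLO.dll belongs to the SUPERAntiSpyware that is installed on this machine, and the bare `SOUNDMAN.EXE` entry only means the path has to be resolved before you know which file runs.

```python
"""HijackThis log triage helper (added example for this thread, not a
HijackThis or BleepingComputer tool).  It parses 'O2 - BHO: ...' style
entries, flags the lines a helper reads first and diffs two logs so a
fresh log can be compared with the previous one."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Sample entries copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

# Constructed "fresh" log: the same entries plus the line the second log
# in this thread gained after the BitDefender online scan.
LATER_LOG = SAMPLE_LOG + (
    "O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control)"
    " - http://download.bitdefender.com/resources/scan8/oscan8.cab\n"
)

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.+)$")        # section code, then entry body
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RUN_TARGET_RE = re.compile(r"^.*\\Run: \[[^\]]*\] (.+)$")
FULL_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")
SYSTEM32 = r"c:\windows\system32"


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O2"
    reason: str    # why a helper would look twice
    detail: str    # the identifying part of the entry


def parse_entries(log_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, body) for every entry line; headers and the process list are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text: str) -> List[Finding]:
    """Flag the entries worth a second look.  These are review items, not verdicts."""
    findings = []
    for section, body in parse_entries(log_text):
        if section == "O2" and body.endswith("(no file)"):
            # BHO still registered but its DLL is gone: an orphan left by an uninstall or a cleanup.
            clsid = CLSID_RE.search(body)
            findings.append(Finding("O2", "BHO registered but DLL missing (orphan entry)",
                                    clsid.group(0) if clsid else body))
        elif section == "O4":
            m = RUN_TARGET_RE.match(body)
            if m and not FULL_PATH_RE.match(m.group(1)):
                # Bare file name: Windows resolves it through PATH, so check which copy actually runs.
                findings.append(Finding("O4", "Run entry without a full path", m.group(1)))
        elif section == "O16":
            # Every DPF entry is an ActiveX control fetched from the web; fake codecs arrive this way.
            clsid = CLSID_RE.search(body)
            host = URL_HOST_RE.search(body)
            findings.append(Finding("O16", "ActiveX control downloaded from the web",
                                    f"{clsid.group(0) if clsid else '?'} from {host.group(1) if host else '?'}"))
        elif section == "O20":
            dll = body.rsplit(" - ", 1)[-1]
            if not dll.lower().startswith(SYSTEM32):
                # Winlogon Notify DLLs load into winlogon.exe at every logon; know who owns each one.
                findings.append(Finding("O20", "Winlogon Notify DLL outside System32", dll))
    return findings


def diff_logs(old_text: str, new_text: str):
    """Entries added and removed between two logs of the same machine."""
    old = set(parse_entries(old_text))
    new = set(parse_entries(new_text))
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}: {f.detail}")
    added, removed = diff_logs(SAMPLE_LOG, LATER_LOG)
    print("added:", added)
    print("removed:", removed)
```

Run it against a whole pasted log rather than the sample: the process list and header lines do not match the entry pattern and are ignored, and the diff shows exactly which entries a scan or fix added or removed, which is the first thing to check when a poster says a tool "found nothing".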

#12 mariska (Topic Starter)

Posted 15 September 2007 - 12:51 AM

Hello, I'm running BitDefender again as I have a feeling I didn't set it to scan correctly. I'll post this log when it's done. Thanx

I completed the BitDefender scan and there were no problems found, and so no report to send.

Edited by mariska, 15 September 2007 - 01:49 AM.


#13 SifuMike (malware expert, Staff Emeritus)

Posted 15 September 2007 - 01:31 PM

Hi mariska,

scanned with xoft spy and it found cws.oslogo media codec zlob trojan and instant access.


To generate a XoftSpySE log:
Open XoftSpySE.
Click Backup List on the XoftSpySE menu.

I need to see the log that is finding cws.oslogo media codec zlob trojan and instant access.

I am thinking XoftSpySE is giving you false positives or is finding remnants of malware, as I have found no malware on your computer with all the scans we have run.

XoftSpy is not a program that I would place a lot of trust in.
It was previously listed on the Rogue/Suspect Anti-Spyware Products list
http://www.spywarewarrior.com/rogue_anti-spyware.htm
because of false positives and other concerns.

Read the note:

Note on XoftSpy: XoftSpy was listed on this page because of concerns with false positives (1, 2, 3, 4), questionable license terms, and the use of aggressive, deceptive advertising (1, 2), including exploitation of the name "spybot" by affiliates. Earlier versions of XoftSpy were also Ad-aware knockoffs. (There was a clone of XoftSpy named SpyBurn, but that application is no longer available.)
Over the past few months, XoftSpy has taken aggressive steps to rein in its affiliates (who were primarily responsible for the unsavory advertising), revised its license text, and released a new version of XoftSpy (version 4.0) that addresses our concerns with false positives. Given these changes we can no longer regard XoftSpy as "rogue/suspect" anti-spyware.


Is your computer running normally?

Edited by SifuMike, 15 September 2007 - 02:04 PM.


#14 mariska (Topic Starter)

Posted 16 September 2007 - 02:48 AM

Hi SifuMike, I'm posting scan results from PC Doctor 4.0. My comp is running slow and downloads seem to take longer than usual, but no popups. Thanks for your help.
I found this :\WINDOWS\System32\eglivecam_1030.dll and deleted it manually. Should I have done that?
I know you shouldn't touch anything in System32 but... well... I did. Thanx

Started 16.9.2007 10:35:24:375 Preliminary Results
ActiveX component immunized, 2918 items processed.
16.9.2007 10:36:39:515 Scan Started
Scan Type - Intelli-Scan

16.9.2007 10:37:36:625 Infection found on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - advertising.com/ advertising.com

16.9.2007 10:37:36:640 Infection found on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - atdmt.com/ atdmt.com

16.9.2007 10:37:36:671 Infection found on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - doubleclick.net/ doubleclick.net

16.9.2007 10:37:37:46 Infection found on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - imrworldwide.com/ imrworldwide.com

16.9.2007 10:37:37:78 Infection found on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - msnportal.112.2o7.net/ msnportal.112.2o7.net

16.9.2007 10:37:37:500 Infection found on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - pandasoftware.112.2o7.net/ pandasoftware.112.2o7.net

16.9.2007 10:37:41:406 Infection found on this computer
Threat Name - Trojan.Popuper
Type - Registry Value
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Internet Explorer\Explorer bars\{F0993251-2512-4710-AF6E-0A13EA199D02}, BarSize

16.9.2007 10:37:41:421 Infection found on this computer
Threat Name - Trojan.Popuper
Type - Registry Key
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Internet Explorer\Explorer bars\{F0993251-2512-4710-AF6E-0A13EA199D02}

16.9.2007 10:37:45:984 Infection found on this computer
Threat Name - Spyware.Known_Bad_Sites
Type - Entry
Risk Level - High
Infection - C:\Documents and Settings\Christian\Local Settings\Temporary Internet Files\Content.IE5\9C2UCE78\results[1].htm - http://search.uk.miva.com/pss/results.aspx...e=1189872757312

16.9.2007 10:37:46:656 Infection found on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - itsessionid10001836382790 .indextools.com

16.9.2007 10:37:46:656 Infection found on this computer
Threat Name - Application.TrackingCookies
Type - Cookie
Risk Level - Low
Infection - itvisitorid10001836382790 .indextools.com

16.9.2007 10:38:47:578 Infection found on this computer
Threat Name - Dialer.Instant_Access
Type - File
Risk Level - High
Infection - c:\windows\system32\eglivecam_1030.dll

16.9.2007 10:38:47:578 Infection found on this computer
Threat Name - Dialer.Instant_Access
Type - Startup
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs, C:\WINDOWS\System32\eglivecam_1030.dll = 1

16.9.2007 10:38:55:93 Infection found on this computer
Threat Name - Trojan-PWS.Tanspy
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load

16.9.2007 10:38:59:921 Infection found on this computer
Threat Name - Dialer.Instant_Access
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/EGAUTH.dll, .Owner

16.9.2007 10:38:59:921 Infection found on this computer
Threat Name - Dialer.Instant_Access
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/EGAUTH.dll, {0594AF7E-573B-40DF-8165-E47AB2EAEFE8}

16.9.2007 10:38:59:921 Infection found on this computer
Threat Name - Dialer.Instant_Access
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/EGAUTH.dll

16.9.2007 10:38:59:953 Infection found on this computer
Threat Name - Dialer.Instant_Access
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/LiveService_9.dll, .Owner

16.9.2007 10:38:59:968 Infection found on this computer
Threat Name - Dialer.Instant_Access
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/LiveService_9.dll, {DDF44FD9-749F-4761-89BB-E8A59339E459}

16.9.2007 10:38:59:968 Infection found on this computer
Threat Name - Dialer.Instant_Access
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/LiveService_9.dll

16.9.2007 10:39:05:125 Infection found on this computer
Threat Name - Dialer.Instant_Access
Type - Registry Value
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1007\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\BD8400524261DF1ADBD8860F22C9CE2B97471448, Blob

16.9.2007 10:39:05:125 Infection found on this computer
Threat Name - Dialer.Instant_Access
Type - Registry Key
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1007\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\BD8400524261DF1ADBD8860F22C9CE2B97471448

16.9.2007 10:39:25:984 Infection found on this computer
Threat Name - RogueAntiSpyware.WinAntiVirus
Type - Registry Value
Risk Level - Elevated
Infection - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4}\iexplore, Type

16.9.2007 10:39:25:984 Infection found on this computer
UhanNimi - RogueAntiSpyware.WinAntiVirus
Tyyppi - Registry Value
Riski Taso - Ylennetty
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4}\iexplore, Flags

16.9.2007 10:39:25:984 Infektio löytyi tästä tietokoneesta
UhanNimi - RogueAntiSpyware.WinAntiVirus
Tyyppi - Registry Value
Riski Taso - Ylennetty
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4}\iexplore, Count

16.9.2007 10:39:26:0 Infektio löytyi tästä tietokoneesta
UhanNimi - RogueAntiSpyware.WinAntiVirus
Tyyppi - Registry Value
Riski Taso - Ylennetty
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4}\iexplore, Time

16.9.2007 10:39:26:0 Infektio löytyi tästä tietokoneesta
UhanNimi - RogueAntiSpyware.WinAntiVirus
Tyyppi - Registry Key
Riski Taso - Ylennetty
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4}\iexplore

16.9.2007 10:39:26:0 Infektio löytyi tästä tietokoneesta
UhanNimi - RogueAntiSpyware.WinAntiVirus
Tyyppi - Registry Key
Riski Taso - Ylennetty
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4}

16.9.2007 10:39:26:218 Infektio löytyi tästä tietokoneesta
UhanNimi - RogueAntiSpyware.WinAntiVirus
Tyyppi - Registry Value
Riski Taso - Ylennetty
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B5141620-C2B2-4D95-9F0F-134D99C87AB0}\iexplore, Type

16.9.2007 10:39:26:234 Infektio löytyi tästä tietokoneesta
UhanNimi - RogueAntiSpyware.WinAntiVirus
Tyyppi - Registry Value
Riski Taso - Ylennetty
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B5141620-C2B2-4D95-9F0F-134D99C87AB0}\iexplore, Flags

16.9.2007 10:39:26:234 Infektio löytyi tästä tietokoneesta
UhanNimi - RogueAntiSpyware.WinAntiVirus
Tyyppi - Registry Value
Riski Taso - Ylennetty
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B5141620-C2B2-4D95-9F0F-134D99C87AB0}\iexplore, Count

16.9.2007 10:39:26:234 Infektio löytyi tästä tietokoneesta
UhanNimi - RogueAntiSpyware.WinAntiVirus
Tyyppi - Registry Value
Riski Taso - Ylennetty
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B5141620-C2B2-4D95-9F0F-134D99C87AB0}\iexplore, Time

16.9.2007 10:39:26:234 Infektio löytyi tästä tietokoneesta
UhanNimi - RogueAntiSpyware.WinAntiVirus
Tyyppi - Registry Key
Riski Taso - Ylennetty
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B5141620-C2B2-4D95-9F0F-134D99C87AB0}\iexplore

16.9.2007 10:39:26:250 Infektio löytyi tästä tietokoneesta
UhanNimi - RogueAntiSpyware.WinAntiVirus
Tyyppi - Registry Key
Riski Taso - Ylennetty
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B5141620-C2B2-4D95-9F0F-134D99C87AB0}

16.9.2007 10:39:26:343 Infektio löytyi tästä tietokoneesta
UhanNimi - Trojan.Popuper
Tyyppi - Registry Value
Riski Taso - Korkea
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D34F5D71-99E4-4D96-91CA-F4104F69B8AE}\iexplore, Type

16.9.2007 10:39:26:343 Infektio löytyi tästä tietokoneesta
UhanNimi - Trojan.Popuper
Tyyppi - Registry Value
Riski Taso - Korkea
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D34F5D71-99E4-4D96-91CA-F4104F69B8AE}\iexplore, Count

16.9.2007 10:39:26:359 Infektio löytyi tästä tietokoneesta
UhanNimi - Trojan.Popuper
Tyyppi - Registry Value
Riski Taso - Korkea
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D34F5D71-99E4-4D96-91CA-F4104F69B8AE}\iexplore, Time

16.9.2007 10:39:26:359 Infektio löytyi tästä tietokoneesta
UhanNimi - Trojan.Popuper
Tyyppi - Registry Key
Riski Taso - Korkea
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D34F5D71-99E4-4D96-91CA-F4104F69B8AE}\iexplore

16.9.2007 10:39:26:359 Infektio löytyi tästä tietokoneesta
UhanNimi - Trojan.Popuper
Tyyppi - Registry Key
Riski Taso - Korkea
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D34F5D71-99E4-4D96-91CA-F4104F69B8AE}

16.9.2007 10:39:26:406 Infektio löytyi tästä tietokoneesta
UhanNimi - Trojan.Popuper
Tyyppi - Registry Value
Riski Taso - Korkea
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F0993251-2512-4710-AF6E-0A13EA199D02}\iexplore, Type

16.9.2007 10:39:26:406 Infektio löytyi tästä tietokoneesta
UhanNimi - Trojan.Popuper
Tyyppi - Registry Value
Riski Taso - Korkea
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F0993251-2512-4710-AF6E-0A13EA199D02}\iexplore, Flags

16.9.2007 10:39:26:421 Infektio löytyi tästä tietokoneesta
UhanNimi - Trojan.Popuper
Tyyppi - Registry Value
Riski Taso - Korkea
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F0993251-2512-4710-AF6E-0A13EA199D02}\iexplore, Count

16.9.2007 10:39:26:421 Infektio löytyi tästä tietokoneesta
UhanNimi - Trojan.Popuper
Tyyppi - Registry Value
Riski Taso - Korkea
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F0993251-2512-4710-AF6E-0A13EA199D02}\iexplore, Time

16.9.2007 10:39:26:421 Infektio löytyi tästä tietokoneesta
UhanNimi - Trojan.Popuper
Tyyppi - Registry Key
Riski Taso - Korkea
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F0993251-2512-4710-AF6E-0A13EA199D02}\iexplore

16.9.2007 10:39:26:421 Infektio löytyi tästä tietokoneesta
UhanNimi - Trojan.Popuper
Tyyppi - Registry Key
Riski Taso - Korkea
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F0993251-2512-4710-AF6E-0A13EA199D02}

16.9.2007 10:39:26:906 Infektio löytyi tästä tietokoneesta
UhanNimi - RogueAntiSpyware.WinAntiVirus
Tyyppi - Registry Value
Riski Taso - Ylennetty
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B5141620-C2B2-4D95-9F0F-134D99C87AB0}\iexplore, Type

16.9.2007 10:39:26:906 Infektio löytyi tästä tietokoneesta
UhanNimi - RogueAntiSpyware.WinAntiVirus
Tyyppi - Registry Value
Riski Taso - Ylennetty
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B5141620-C2B2-4D95-9F0F-134D99C87AB0}\iexplore, Count

16.9.2007 10:39:27:46 Infektio löytyi tästä tietokoneesta
UhanNimi - RogueAntiSpyware.WinAntiVirus
Tyyppi - Registry Value
Riski Taso - Ylennetty
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B5141620-C2B2-4D95-9F0F-134D99C87AB0}\iexplore, Time

16.9.2007 10:39:27:46 Infektio löytyi tästä tietokoneesta
UhanNimi - RogueAntiSpyware.WinAntiVirus
Tyyppi - Registry Key
Riski Taso - Ylennetty
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B5141620-C2B2-4D95-9F0F-134D99C87AB0}\iexplore

16.9.2007 10:39:27:46 Infektio löytyi tästä tietokoneesta
UhanNimi - RogueAntiSpyware.WinAntiVirus
Tyyppi - Registry Key
Riski Taso - Ylennetty
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B5141620-C2B2-4D95-9F0F-134D99C87AB0}

16.9.2007 10:40:34:78 Infektio löytyi tästä tietokoneesta
UhanNimi - RogueAntiSpyware.WinAntiVirus
Tyyppi - Modified Registry Value
Riski Taso - Ylennetty
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Administrative Tools

16.9.2007 10:40:34:78 Infektio löytyi tästä tietokoneesta
UhanNimi - RogueAntiSpyware.WinAntiVirus
Tyyppi - Modified Registry Value
Riski Taso - Ylennetty
Infektio - HKEY_USERS\S-1-5-21-2221717735-1802729512-2040942079-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Administrative Tools

16.9.2007 10:40:34:453 Skannaus Lopetettu
SkannausTyyppi - Intelli-Scan
Nimikkeet jotka on käsitelty: - 190886
Havaitut Uhat - 7
Infektioita löytyi: - 52
Infektiot jätetty huomioimatta: -

Well, I've done some digging and discovered something. I put C:/WINDOWS/System32/LiveService_9.dll into Google and, surprised as I was, found a page from Geeks to Go that referred to a problem I had submitted to daemon when I had p2e_socks 1012dll popping up all the time. Now you've got me wondering: could Spy Doctor be picking up remnants of previous infections? And this Trojan Tanspy, I've noticed, is always being mentioned on this forum when Spy Doctor is involved. Also, Spybot quarantined WinAntiVirusPro 2006 and 2007 and one Zlob! COULD this Spy Doctor be rogue? I have a feeling the whole Pareto group could be dubious. What do you think?
I've scanned with AVG, SUPERAntiSpyware, Spybot and Panda ActiveScan and they find nothing.

Edited by mariska, 16 September 2007 - 12:00 PM.


#15 SifuMike

malware expert
Staff Emeritus, 15,385 posts
Location: Vancouver (not BC) WA (Not DC) USA

Posted 16 September 2007 - 01:19 PM

Hi mariska,

COULD this Spy Doctor be rogue? I have a feeling the whole Pareto group could be dubious. What do you think?


I told you before, XoftSpy is not a program that I would place a lot of trust in.

Better to use known, trusted antimalware products. AVG Anti-Spyware, SUPERAntiSpyware and a-squared are some of the good antimalware products.


I found this :\WINDOWS\System32\eglivecam_1030.dll and deleted it manually. Should I have done?

Very dangerous to do the deletion on your own. It may have been a false positive. I would have done a virus check on the file before deciding to delete it.


I'm posting scan results from PC Doctor 4.0.



Sorry, but I cannot help you with PC Doctor scan results, as I cannot read half of the log.
What language are we dealing with here? :thumbsup:

I suggest you go to the PC Doctor support and ask them about what it is finding and how to remove it.
Some are cookies, others are in the temp files, so you don't have to worry about them. Use CCleaner to get rid of the temp files and cookies.
Registry items are probably remnants of removed malware. I did not see them in your last ComboFix scan.


Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

********************

NOTE: If you have downloaded ComboFix previously please delete that version and download it again!

1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
If you have Norton Antivirus installed, then disable script blocking so it will not interfere with the fix.

Edited by SifuMike, 16 September 2007 - 01:34 PM.




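As an added example (not from this thread and not part of any of the tools it mentions), here is a small Python parser for the record layout of the scan log posted above. It splits the log into detections, keeps the tool's own Finnish field labels, maps the risk labels to English, and buckets each hit the way the reply above triages them: cookies and browser-cache hits go to the temp-file cleanup, registry leftovers are checked rather than deleted outright, and a file on disk is flagged for verification (a hash and a second-opinion scan) before anything is removed. The four sample records are copied from the posted log; the closing total line is constructed to match that subset; the bucket names and the temp-folder markers are my own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Four records copied from the scan log posted above (the tool's Finnish
# field labels kept as written); the trailing total line is constructed
# to match this subset, not taken from the full log.
SAMPLE_LOG = r"""16.9.2007 10:37:46:656 Infektio löytyi tästä tietokoneesta
UhanNimi - Application.TrackingCookies
Tyyppi - Cookie
Riski Taso - Alhainen
Infektio - itsessionid10001836382790 .indextools.com

16.9.2007 10:37:45:984 Infektio löytyi tästä tietokoneesta
UhanNimi - Spyware.Known_Bad_Sites
Tyyppi - Entry
Riski Taso - Korkea
Infektio - C:\Documents and Settings\Christian\Local Settings\Temporary Internet Files\Content.IE5\9C2UCE78\results[1].htm - http://search.uk.miva.com/pss/results.aspx...e=1189872757312

16.9.2007 10:38:47:578 Infektio löytyi tästä tietokoneesta
UhanNimi - Dialer.Instant_Access
Tyyppi - File
Riski Taso - Korkea
Infektio - c:\windows\system32\eglivecam_1030.dll

16.9.2007 10:38:55:93 Infektio löytyi tästä tietokoneesta
UhanNimi - Trojan-PWS.Tanspy
Tyyppi - Registry Key
Riski Taso - Korkea
Infektio - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load

16.9.2007 10:40:34:453 Skannaus Lopetettu
Infektioita löytyi: - 4
"""

# "<timestamp> Infektio löytyi tästä tietokoneesta" opens every record.
RECORD_HEADER = re.compile(r"^(\d{1,2}\.\d{1,2}\.\d{4} \d{1,2}:\d{2}:\d{2}:\d{1,3}) Infektio löytyi")
REPORTED_TOTAL = re.compile(r"^Infektioita löytyi: - (\d+)", re.M)
FIELDS = {"UhanNimi": "threat", "Tyyppi": "kind", "Riski Taso": "risk", "Infektio": "target"}
RISK_EN = {"Korkea": "high", "Ylennetty": "elevated", "Alhainen": "low"}
# Folders treated as "temp file cleanup" territory (assumed markers, my choice).
TEMP_MARKERS = ("\\temporary internet files\\", "\\local settings\\temp\\", "\\windows\\temp\\")

@dataclass
class Detection:
    time: str = ""
    threat: str = ""
    kind: str = ""
    risk: str = ""
    target: str = ""

def parse_log(text):
    """Split the log into Detection records; a blank line ends a record."""
    out, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = RECORD_HEADER.match(line)
        if m:                                   # new record: flush an unfinished one
            if cur is not None:
                out.append(cur)
            cur = Detection(time=m.group(1))
            continue
        if cur is None:                         # trailer lines ("Skannaus Lopetettu", totals)
            continue
        if not line:
            out.append(cur)
            cur = None
            continue
        label, sep, value = line.partition(" - ")   # split on the FIRST " - " only:
        if sep and label in FIELDS:                  # an Infektio value may itself contain " - "
            value = value.strip()
            if label == "Riski Taso":
                value = RISK_EN.get(value, value)
            setattr(cur, FIELDS[label], value)
    if cur is not None:
        out.append(cur)
    return out

def triage(d):
    """Bucket a detection the way the reply above reads such a log."""
    if d.kind == "Cookie":
        return "cookie"        # removed by the browser/CCleaner cookie cleanup
    if any(mk in d.target.lower() for mk in TEMP_MARKERS):
        return "temp-file"     # lives in a temp folder: the temp cleanup removes it
    if d.kind == "File":
        return "file"          # a file on disk: verify (hash, second opinion) before removal
    if d.target.upper().startswith("HKEY_") or "Registry" in d.kind or d.kind == "Startup":
        return "registry"      # likely leftover of removed malware: check, don't delete blindly
    return "other"

def summarize(text):
    """Counts per bucket and per threat name, plus a parsed-vs-reported total check."""
    dets = parse_log(text)
    m = REPORTED_TOTAL.search(text)
    return {
        "parsed": len(dets),
        "reported": int(m.group(1)) if m else None,
        "by_bucket": dict(Counter(triage(d) for d in dets)),
        "by_threat": dict(Counter(d.threat for d in dets)),
        "files_to_verify": [d.target for d in dets if triage(d) == "file"],
    }

if __name__ == "__main__":
    for d in parse_log(SAMPLE_LOG):
        print(f"{triage(d):9} {d.risk:8} {d.threat:28} {d.target}")
    print(summarize(SAMPLE_LOG))
```

The parsed-versus-reported comparison is there because a pasted log is often truncated; if the two totals differ, the summary is of a partial log, not of the whole scan. The "file" bucket is the one that deserves attention: hash the file and get a second opinion before deleting anything, which is exactly the point the reply makes about the manually deleted DLL.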
