Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hell In A Box...can't Defeat All Infestations!


  • Please log in to reply
4 replies to this topic

#1 Metalball

Metalball

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:18 PM

Posted 06 November 2007 - 02:33 AM

Thanks, first of all, for reading this post. I have been working on this computer for the past week trying to rid it of all the infestations that have been downloaded onto it. I have found practically any and every virus known to man. Apparently, my brother isn't as internet savvy as I assumed he was! In any case, I think that I have broken down the mass majority of the problems; however, I know that a few problems still exist.

Everytime that I boot up the computer, my (now) installed Webroot SpySweeper keeps detecting an outgoing page to hxxp://81.29.248.59. I have been unsuccessful in tracking down the culprit in the system. Here is a (short) list of the enemies that I have found and defeated on this machine:

- virus: trj/downloader.mdw
- app/nircmd.a
- adware_memwatcher (I believe this is Spybot...not spyware)
- detected tspy_small (cannot defeat)
- detected tspy_mosucker (cannot defeat)
- 127.0.0.1 outgoing page
- zlob downloader

I am running the following software: Iolo System Mech 7 Pro, Iolo Personal Firewall, Webroot SpySweeper, Avast! 4 Home Edition, Spybot Search & Destroy.

I've tried every online virus scanner that I could find to clear this mess up!!! Please help!!!! Email me at ***
Thanks!

---------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:14 AM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe
C:\Program Files\iolo\System Mechanic Professional 7\Personal Firewall\ioloFW.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Patrick Donaldson\Application Data\U3\0000060431093838\LaunchPad.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
O4 - HKLM\..\Run: [THotkey] "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe"
O4 - HKLM\..\Run: [Tvs] "C:\Program Files\Toshiba\Tvs\TvsTray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional 7\Personal Firewall\ioloFW.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O15 - Trusted Zone: *.kaspersky.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAg...ctiveX/smsx.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/threatcenter/App/ocx/AVCheckUp.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...155/mcfscan.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5457 bytes

Mod Edit: Link disabled, to preclude possible infection and email address removed for your safety ~ TMacK

Edited by TMacK, 06 November 2007 - 11:49 PM.


BC AdBot (Login to Remove)

 


#2 Metalball

Metalball
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:18 PM

Posted 06 November 2007 - 08:48 PM

To whomever can help with this topic, I just found another infestation named "trojan-ace-x" on this machine as well. I REALLY could use some help here!

#3 Metalball

Metalball
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:18 PM

Posted 10 November 2007 - 11:25 PM

Could somebody please reply to this post? I have found additional infections using trendmicro's housecall. Here are the new findings:

- Adware_Adclicker
- TSPY_Dumador
- Adware_Inet
- Adware_Memwatcher (I believe this is Spybot)
- TSPY_Small
- TSPY_Mosucker
- Crck_wrar.b

Please help!

#4 AndyManchesta

AndyManchesta

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Manchester, UK
  • Local time:09:18 PM

Posted 24 November 2007 - 03:24 AM

Hi Metalball, Welcome to the forum,

We are sorry for the delay in responding. The volunteers here are swamped and unfortunately not all logs get answered as quickly as we'd like. If you still require assistance please post a new HijackThis log into this topic and I'd be happy to help you clean up any remaining problems.

Thanks

Andy

#5 Metalball

Metalball
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:18 PM

Posted 25 November 2007 - 01:55 PM

Andy, thanks for the response. I never was able to get the computer to cooperate. The only solution that I was able to find, even after paying someone else to look at it, was low level formatting the entire hard drive. Extreme, maybe. But it did solve the problem...until it gets hit again. Thanks for the response though.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users