Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spywarestrike


  • This topic is locked This topic is locked
8 replies to this topic

#1 Cooley

Cooley

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:13 PM

Posted 04 February 2006 - 08:33 PM

I definitely have spywarestrike that i cannot remove and im not sure if i have anything else possibly spyaxe. any help you can give me would be much appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 5:25:23 PM, on 2/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\AOL\1138330758\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mssearchnet.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\AOL\1138330758\ee\AOLSoftware.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Common Files\AOL\1138330758\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\3Com\Launcher.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Common Files\3Com\LanSupportService.exe
C:\Program Files\3Com\WLAN Manager\AllWirelessLansService.exe
C:\PROGRA~1\3Com\WLANMA~1\Activate.exe
c:\program files\common files\aol\1138330758\ee\aolssc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp6CE0.tmp
O2 - BHO: CMBHO Class - {6379A99A-9102-446C-A837-0623E1810D75} - C:\Program Files\Crystalys media\cm.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: CM Band - {159C2E51-9823-11D2-8DDC-D84A1B4ACD4D} - C:\Program Files\Crystalys media\cm.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1138330758\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1138330758\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1138330758\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [CMLoader] rundll32.exe "c:\program files\crystalys media\cm.dll",MakeInjection
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
O4 - Global Startup: 3Com Launcher.lnk = C:\Program Files\3Com\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AllWirelessLansService - Unknown owner - C:\Program Files\3Com\WLAN Manager\AllWirelessLansService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1138330758\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: LanSupportService - Unknown owner - C:\Program Files\Common Files\3Com\LanSupportService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


Thanks again

BC AdBot (Login to Remove)

 


#2 Cloutz

Cloutz

    The Malware Killa


  • Members
  • 150 posts
  • OFFLINE
  •  
  • Location:Montreal, Quebec
  • Local time:08:13 PM

Posted 04 February 2006 - 09:25 PM

Hello Cooley,

Welcome to BleepingComputer!

My name is Nick and I will be checking over your log.

Let's get started. :thumbsup:

You will want to save or print out these instructions.

Download smitRem.exe ©noahdfear, and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Please download ATF Cleaner by Atribune.

Place a shortcut to Panda ActiveScan on your desktop (in Internet Explorer, right click on Panda ActiveScan link select "Copy Shortcut" then right click on your desktop and select "Paste Shortcut" or in FireFox right-click the link and select "Save Link As" and save it to your desktop).

Please download the trial version of ewido anti-malware here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:
===================================================
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp6CE0.tmp
O2 - BHO: CMBHO Class - {6379A99A-9102-446C-A837-0623E1810D75} - C:\Program Files\Crystalys media\cm.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: CM Band - {159C2E51-9823-11D2-8DDC-D84A1B4ACD4D} - C:\Program Files\Crystalys media\cm.dll
O4 - HKLM\..\Run: [CMLoader] rundll32.exe "c:\program files\crystalys media\cm.dll",MakeInjection
O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h

===================================================

Close HiJackThis.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Close ewido anti-malware.

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Next, delete the following files(if present):
C:\Program Files\Crystalys media\cm.dll
c:\program files\crystalys media\cm.dll
C:\Program Files\SpywareStrike\SpywareStrike.exe

Next, delete the following folders(if present):
C:\Program Files\Crystalys media
C:\Program Files\SpywareStrike

Reboot back into Windows.

This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Click the Panda ActiveScan shortcut.
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open...click the Check Now button.
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When the download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
Let us know if any problems persist.

Thanks,
Nick :flowers:
Posted Image Did I help? Please consider a small donation via paypal. Thank You.

Ad-Aware SE|CWShredder|Spybot S&D|Ewido Security Suite|HijackThis 1.99.1

Please don't PM me asking for help. The forums are there for a reason.

Cloutz© 2006

#3 Cooley

Cooley
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:13 PM

Posted 05 February 2006 - 02:27 AM

Thanks for your help i think the spywarestrike is gone finally but the panda scan reported that there was still some stuff.

Panda scan report:

Incident Status Location

Potentially unwanted tool:application/winantivirus2006 Not disinfected C:\PROGRAM FILES\WinAntiVirus Pro 2006
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Nina\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Nina\Desktop\smitRem.exe[Process.exe]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Sabina_2\Cookies\sabina_2@ath.belnk[2].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Sabina_2\Cookies\sabina_2@c.goclick[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Sabina_2\Cookies\sabina_2@target[1].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Sabina_2\Cookies\sabina_2@tucows[2].txt
Spyware:Cookie/SpySheriff Not disinfected C:\Documents and Settings\Sabina_2\Cookies\sabina_2@www.systemwarning[2].txt
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Program Files\Common Files\Companion Wizard\compwiz.exe
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Program Files\Common Files\Companion Wizard\WapCHK.dll
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Program Files\Common Files\WinAntiVirus Pro 2006\WapCHK.dll
Possible Virus. Not disinfected C:\Program Files\HijackThis\backups\backup-20060204-212016-439.dll

Logfile of HijackThis v1.99.1
Scan saved at 11:21:34 PM, on 2/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\AOL\1138330758\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\Documents and Settings\Nina\Desktop\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Nina\Desktop\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\AOL\1138330758\ee\AOLSoftware.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\AOL\1138330758\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\Program Files\3Com\Launcher.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Common Files\3Com\LanSupportService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\3Com\WLAN Manager\AllWirelessLansService.exe
C:\PROGRA~1\3Com\WLANMA~1\Activate.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\common files\aol\1138330758\ee\aolssc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1138330758\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1138330758\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1138330758\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - Global Startup: 3Com Launcher.lnk = C:\Program Files\3Com\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AllWirelessLansService - Unknown owner - C:\Program Files\3Com\WLAN Manager\AllWirelessLansService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1138330758\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Nina\Desktop\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Nina\Desktop\ewido anti-malware\ewidoguard.exe
O23 - Service: LanSupportService - Unknown owner - C:\Program Files\Common Files\3Com\LanSupportService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe



smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 02/04/2006
The current time is: 21:22:49.31

Running from
C:\Documents and Settings\Nina\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

SharedTaskScheduler exporter by Grinler

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F}"="Security Update"
"{C1A2FDA2-2A5B-2C8A-F2A2-BA2DB3A2C31C}"="WaitWain for Windows"
"{D81E2FC4-B0A2-11D3-21AC-07C04C21A18A}"="Replay for WindowsXP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{C1A2FDA2-2A5B-2C8A-F2A2-BA2DB3A2C31C}\InProcServer32]
@="C:\WINDOWS\system32\wiatwain.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{D81E2FC4-B0A2-11D3-21AC-07C04C21A18A}\InProcServer32]
@="C:\WINDOWS\system32\replmap.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SpywareStrike © by noahdfear

SpywareStrike directory present

SpywareStrike uninstaller present

Starting SpywareStrike uninstaller

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

Crystalys media
Security Toolbar


~~~ Shortcuts ~~~

Online Security Guide.url
Online Security Guide.url
Security Troubleshooting.url
Security Troubleshooting.url


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

replmap.dll
wiatwain.dll
1024 dir
msvol.tlb
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
mscornet.exe
hp***.tmp
logfiles


~~~ Icons in System32 ~~~

ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1264 'explorer.exe'
Killing PID 1264 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

SharedTaskScheduler exporter by Grinler

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :thumbsup:



ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:28:10 PM, 2/4/2006
+ Report-Checksum: C37BD827

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoActiveDesktopChanges -> Trojan.Small : Cleaned with backup
C:\Documents and Settings\Max\Cookies\max@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Max\Cookies\max@www.getlaid.com.0.fb.dbbsrv[1].txt -> Spyware.Cookie.Dbbsrv : Cleaned with backup
C:\Documents and Settings\Max\Local Settings\Temporary Internet Files\Content.IE5\A3GJUDG7\gdnUS2218[1].exe -> Downloader.Small.ayl : Cleaned with backup
C:\Documents and Settings\Nina\Cookies\nina@ads1.revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Nina\Cookies\nina@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Nina\Cookies\nina@microsoftwga.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Nina\Cookies\nina@northwestairlines.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Nina\Cookies\nina@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Sabina_2\Cookies\sabina_2@ad.adition[3].txt -> Spyware.Cookie.Adition : Cleaned with backup
C:\Documents and Settings\Sabina_2\Cookies\sabina_2@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Sabina_2\Cookies\sabina_2@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Sabina_2\Local Settings\Temp\hegkmpmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\Sabina_2\Local Settings\Temporary Internet Files\Content.IE5\GRUTC5W6\gdnUS2218[1].exe -> Downloader.Small.ayl : Cleaned with backup
C:\Documents and Settings\Sabina_2\Local Settings\Temporary Internet Files\Content.IE5\XBR7D5SE\gdnUS2218[1].exe -> Downloader.Small.ayl : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll.tcf -> Spyware.Wheaterbug : Cleaned with backup


::Report End


here is the rest of the stuff. thanks again!

#4 Cloutz

Cloutz

    The Malware Killa


  • Members
  • 150 posts
  • OFFLINE
  •  
  • Location:Montreal, Quebec
  • Local time:08:13 PM

Posted 05 February 2006 - 10:08 PM

Hi there Cooley,

Delete the following files (if present):
C:\Program Files\Common Files\Companion Wizard\compwiz.exe
C:\Program Files\Common Files\Companion Wizard\WapCHK.dll
C:\Program Files\Common Files\WinAntiVirus Pro 2006\WapCHK.dll

Go ahead and delete the following folders (if present):
C:\PROGRAM FILES\WinAntiVirus Pro 2006
C:\Program Files\Common Files\WinAntiVirus Pro 2006
C:\Program Files\Common Files\Companion Wizard

I'd also like you to run ATF Cleaner again.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
[/list]If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

How's your pc doing? If everything is fine, I'll provide you with my prevention speech :D

Thanks,
Nick :thumbsup:
Posted Image Did I help? Please consider a small donation via paypal. Thank You.

Ad-Aware SE|CWShredder|Spybot S&D|Ewido Security Suite|HijackThis 1.99.1

Please don't PM me asking for help. The forums are there for a reason.

Cloutz© 2006

#5 Cooley

Cooley
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:13 PM

Posted 06 February 2006 - 09:11 PM

Thank you it worked like a charm! I ran both adaware and spybot and bot reported that there was nothing on my computer. I ran the panda scan again and it gave found some stuff i dunno if it matters or not but here is the log that it produced.


Incident Status Location

Potentially unwanted tool:application/winantivirus2006 Not disinfected C:\Documents and Settings\Nina\Application Data\WinAntiVirus Pro 2006
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Nina\Cookies\nina@ads.pointroll[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Nina\Cookies\nina@banner[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Nina\Cookies\nina@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Nina\Cookies\nina@realmedia[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Nina\Cookies\nina@ads.pointroll[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Nina\Cookies\nina@banner[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Nina\Cookies\nina@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Nina\Cookies\nina@realmedia[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Nina\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Nina\Desktop\smitRem.exe[Process.exe]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Sabina_2\Cookies\sabina_2@ath.belnk[2].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Sabina_2\Cookies\sabina_2@c.goclick[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Sabina_2\Cookies\sabina_2@target[1].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Sabina_2\Cookies\sabina_2@tucows[2].txt
Spyware:Cookie/SpySheriff Not disinfected C:\Documents and Settings\Sabina_2\Cookies\sabina_2@www.systemwarning[2].txt
Adware:Adware/SpywareStrike Not disinfected C:\Program Files\HijackThis\backups\backup-20060204-212016-439.dll

#6 Cloutz

Cloutz

    The Malware Killa


  • Members
  • 150 posts
  • OFFLINE
  •  
  • Location:Montreal, Quebec
  • Local time:08:13 PM

Posted 08 February 2006 - 03:18 PM

Hi Cooley,

Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
Everything looks great, your HijackThis log appears to be CLEAN!!!

Here is a list of tools I like to suggest to users to prevent future infections.
  • Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware -Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! -Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Firefox- Internet Explorer is NOT the most secure browser. I highly recommend Firefox as a safer alternative.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

Nick :thumbsup:

Edited by Cloutz, 08 February 2006 - 03:19 PM.

Posted Image Did I help? Please consider a small donation via paypal. Thank You.

Ad-Aware SE|CWShredder|Spybot S&D|Ewido Security Suite|HijackThis 1.99.1

Please don't PM me asking for help. The forums are there for a reason.

Cloutz© 2006

#7 Cooley

Cooley
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:13 PM

Posted 08 February 2006 - 10:29 PM

Thank you again the computer is working like new you do what you do well! I was also wondering for another computer that i am trying to fix, zeno search has been put on which opens up additional windows when i am surfing the net. do you know of a way to get rid of it?

#8 Cloutz

Cloutz

    The Malware Killa


  • Members
  • 150 posts
  • OFFLINE
  •  
  • Location:Montreal, Quebec
  • Local time:08:13 PM

Posted 08 February 2006 - 10:41 PM

Hi Cooley,

For your other computer problem, it would be best that you would post a HijackThis log in a new topic and either I or another staff member can pick it up. :thumbsup:

Glad I can help ;)

Nick
Posted Image Did I help? Please consider a small donation via paypal. Thank You.

Ad-Aware SE|CWShredder|Spybot S&D|Ewido Security Suite|HijackThis 1.99.1

Please don't PM me asking for help. The forums are there for a reason.

Cloutz© 2006

#9 Cloutz

Cloutz

    The Malware Killa


  • Members
  • 150 posts
  • OFFLINE
  •  
  • Location:Montreal, Quebec
  • Local time:08:13 PM

Posted 21 February 2006 - 10:04 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :thumbsup:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
Posted Image Did I help? Please consider a small donation via paypal. Thank You.

Ad-Aware SE|CWShredder|Spybot S&D|Ewido Security Suite|HijackThis 1.99.1

Please don't PM me asking for help. The forums are there for a reason.

Cloutz© 2006




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users