Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Downloader-zq, Proxy Raser.dll And More


  • This topic is locked This topic is locked
9 replies to this topic

#1 jwh Bob

jwh Bob

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Luxembourg
  • Local time:10:44 AM

Posted 29 June 2006 - 05:05 PM

Found a red icon in the tray saying it was the "security center" and that the computer was in danger.

Could no more start MSIE nor Eudora mail client. Refused to start CWshredder and Ad-Aware.
Mcafee scan found Proxy.Agent.at and Downloader-ZQ but wasn't able to delete them.
I disabled the Internet connection and started in Safe Mode. Now at least I could open MSIE and Eudora and run CWshredder (found nothing) and Ad-Aware with, unfortunately 400 days old defintions...

SmitFraudFix found and deleted:
C:\WINDOWS\xpupdate.exe Deleted
C:\WINDOWS\system32\dlh9jkdq?.exe Deleted
C:\WINDOWS\system32\kernels8.exe Deleted
C:\WINDOWS\system32\qvxgamet?.exe Deleted
C:\WINDOWS\system32\taskdir.exe Deleted
C:\WINDOWS\system32\taskdir~.exe Deleted
C:\WINDOWS\system32\TheMatrixHasYou.exe Deleted
C:\WINDOWS\system32\vxgame?.exe Deleted
C:\WINDOWS\system32\vxgamet?.exe Deleted
C:\WINDOWS\system32\zlbw.dll Deleted
C:\Documents and Settings\Sabre\Application Data\Install.dat Deleted
C:\Program Files\BraveSentry\ Deleted

Installed Ewido (had to do it in Safe Mode too, if I remember well) found and cleaned Trojan.Dialer.pw

Installed Spybot and found /cleaned CoolWWWsearch, Smitfraud-C, Spy Sheriff, Alexad Related and Torpig

Now Mcafee was able to delete Downloader-ZQ, Proxy Raser.dll, Proxy.Agent.at

I can now run XP open MSIE and Eudora but not connect to the Internet although I get "local Area Connection at 100Mbps shown in the tray.

In Program Files I still have a folder BHO Plugin, the files in it show the date and time when the trouble began...

Can you see something wrong in this final HijackThis report?

Many thanks

Bob


Logfile of HijackThis v1.99.1
Scan saved at 22:30:27, on 29/06/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\CfgSrvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\CfgSrvc.exe
C:\WINDOWS\SDMan.EXE
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\SABRE\Apps\EPM\Epm.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\e1cb5eeb.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\SABRE\Apps\ATS\SSSClnt.EXE
C:\WINDOWS\sabserv.exe
C:\Program Files\SpamPal\spampal.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [e1cb5eeb.exe] C:\WINDOWS\System32\e1cb5eeb.exe
O4 - HKLM\..\Run: [_zskzli[upmazof^epev50inkrwksz_] c:\windows\system32\_zskwrkni05vepe^fozampu[ilz.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunServices: [Sabre Task Tray Icon] C:\SABRE\Sabstart.exe
O4 - HKLM\..\RunServices: [_zskzli[upmazof^epev50inkrwksz_] c:\windows\system32\_zskwrkni05vepe^fozampu[ilz.exe
O4 - HKCU\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE
O4 - HKCU\..\Run: [e1cb5eeb.exe] C:\Documents and Settings\Sabre\Local Settings\Application Data\e1cb5eeb.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [_zskzli[upmazof^epev50inkrwksz_] c:\windows\system32\_zskwrkni05vepe^fozampu[ilz.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpamPal.lnk = C:\Program Files\SpamPal\spampal.exe
O4 - Global Startup: Sabre Server.lnk = C:\WINDOWS\sabserv.exe
O4 - Global Startup: Sabre Printing Start.lnk = C:\Sabre\Sabstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sabretravelnetwork.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{55D6D269-029E-4AE6-A032-3AD3A5104690}: NameServer = 194.154.192.101,194.154.192.102
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Config Service Helper (CfgSrvc) - Unknown owner - C:\WINDOWS\System32\CfgSrvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HSSP Configuration Module (HsspConfig) - Unknown owner - C:\WINDOWS\System32\CfgSrvc.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Sabre Device Manager (SDMan) - Unknown owner - C:\WINDOWS\SDMan.EXE
O23 - Service: European Printing Module (ZpmPrint) - Sabre inc. - C:\SABRE\Apps\EPM\Epm.exe

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:44 AM

Posted 05 July 2006 - 09:09 AM

Hi,

The forums are really busy, that explains why logs get behind. If you still need some help, please start with posting a new hijackthislog in this thread. Don't start with a new thread.
Then I'll take a look. :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 jwh Bob

jwh Bob
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Luxembourg
  • Local time:10:44 AM

Posted 05 July 2006 - 11:16 AM

The forums are really busy


You say it - they really are. I do appreciate that you're taking time for my concern. Nevertheless I hope that my problem won't take too much of your time. Meanwhile I used some of the precious information that I found in this forum to clean, so now the situation is no more too ugly.

But before I install SP2 I'd like to hear your opinion on it:

Logfile of HijackThis v1.99.1
Scan saved at 17:59:25, on 05/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\CfgSrvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\CfgSrvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SDMan.EXE
C:\SABRE\Apps\EPM\Epm.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\SABRE\Apps\ATS\SSSClnt.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\sabserv.exe
C:\Program Files\SpamPal\spampal.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = het Vera...
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [e1cb5eeb.exe] C:\WINDOWS\System32\e1cb5eeb.exe
O4 - HKLM\..\Run: [_zskzli[upmazof^epev50inkrwksz_] c:\windows\system32\_zskwrkni05vepe^fozampu[ilz.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Sabre Task Tray Icon] C:\SABRE\Sabstart.exe
O4 - HKLM\..\RunServices: [_zskzli[upmazof^epev50inkrwksz_] c:\windows\system32\_zskwrkni05vepe^fozampu[ilz.exe
O4 - HKCU\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE
O4 - HKCU\..\Run: [e1cb5eeb.exe] C:\Documents and Settings\Sabre\Local Settings\Application Data\e1cb5eeb.exe
O4 - HKCU\..\Run: [_zskzli[upmazof^epev50inkrwksz_] c:\windows\system32\_zskwrkni05vepe^fozampu[ilz.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: SpamPal.lnk = C:\Program Files\SpamPal\spampal.exe
O4 - Global Startup: Sabre Server.lnk = C:\WINDOWS\sabserv.exe
O4 - Global Startup: Sabre Printing Start.lnk = C:\Sabre\Sabstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.sabretravelnetwork.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{55D6D269-029E-4AE6-A032-3AD3A5104690}: NameServer = 194.154.192.101,194.154.192.102
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Config Service Helper (CfgSrvc) - Unknown owner - C:\WINDOWS\System32\CfgSrvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HSSP Configuration Module (HsspConfig) - Unknown owner - C:\WINDOWS\System32\CfgSrvc.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sabre Device Manager (SDMan) - Unknown owner - C:\WINDOWS\SDMan.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: European Printing Module (ZpmPrint) - Sabre inc. - C:\SABRE\Apps\EPM\Epm.exe

Many thanks

Bob

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:44 AM

Posted 05 July 2006 - 11:28 AM

Hello,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - HKLM\..\Run: [e1cb5eeb.exe] C:\WINDOWS\System32\e1cb5eeb.exe
O4 - HKLM\..\Run: [_zskzli[upmazof^epev50inkrwksz_] c:\windows\system32\_zskwrkni05vepe^fozampu[ilz.exe
O4 - HKLM\..\RunServices: [_zskzli[upmazof^epev50inkrwksz_] c:\windows\system32\_zskwrkni05vepe^fozampu[ilz.exe
O4 - HKCU\..\Run: [e1cb5eeb.exe] C:\Documents and Settings\Sabre\Local Settings\Application Data\e1cb5eeb.exe
O4 - HKCU\..\Run: [_zskzli[upmazof^epev50inkrwksz_] c:\windows\system32\_zskwrkni05vepe^fozampu[ilz.exe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

[i]Please hide your hidden files and folders afterwards again, when we are done with this thread and your problems are solved, because above instructions to set your system to show all files, unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.[/i]

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\System32\e1cb5eeb.exe
c:\windows\system32\_zskwrkni05vepe^fozampu[ilz.exe
C:\Documents and Settings\Sabre\Local Settings\Application Data\e1cb5eeb.exe

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
* Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report together with a new hijackthislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 jwh Bob

jwh Bob
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Luxembourg
  • Local time:10:44 AM

Posted 05 July 2006 - 12:42 PM

Whoo-ee! Ride me high
That was fast!

Panda:

Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Sabre\Desktop\SmitfraudFix\SmitfraudFix\Process.exe


and a new HJT:

Logfile of HijackThis v1.99.1
Scan saved at 19:37:54, on 05/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\CfgSrvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\CfgSrvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SDMan.EXE
C:\SABRE\Apps\EPM\Epm.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\SABRE\Apps\ATS\SSSClnt.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\sabserv.exe
C:\Program Files\SpamPal\spampal.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = het Vera...
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Sabre Task Tray Icon] C:\SABRE\Sabstart.exe
O4 - HKCU\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: SpamPal.lnk = C:\Program Files\SpamPal\spampal.exe
O4 - Global Startup: Sabre Server.lnk = C:\WINDOWS\sabserv.exe
O4 - Global Startup: Sabre Printing Start.lnk = C:\Sabre\Sabstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.sabretravelnetwork.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{55D6D269-029E-4AE6-A032-3AD3A5104690}: NameServer = 194.154.192.101,194.154.192.102
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Config Service Helper (CfgSrvc) - Unknown owner - C:\WINDOWS\System32\CfgSrvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HSSP Configuration Module (HsspConfig) - Unknown owner - C:\WINDOWS\System32\CfgSrvc.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sabre Device Manager (SDMan) - Unknown owner - C:\WINDOWS\SDMan.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: European Printing Module (ZpmPrint) - Sabre inc. - C:\SABRE\Apps\EPM\Epm.exe

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:44 AM

Posted 05 July 2006 - 12:55 PM

Hello,

What panda flags is a false positive... process.exe is a part of smitfraudfix as you see. It's being flagged as an unwanted tool, because it's a command line tool to end running processes. But nothing wrong with it. :thumbsup:

Your hijackthislog looks clean again. How are things running now?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 jwh Bob

jwh Bob
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Luxembourg
  • Local time:10:44 AM

Posted 05 July 2006 - 03:00 PM

For me it looks good too, if not to say excellent now!

Just ZoneAlarm pops up saying that it stopped traffic (?) to PC's on the network. i.e. I had to add the IP of a server into the trusted zone to work with it. From time to time it stops also traffic to other PC's on the Network ( don't know why this PC has to communicate with the others).

I thought to uninstall ZoneAlarm as soon SP2 with the Firewall is installed?

Should I just delete the process.exe in C:\WINDOWS\system32\ ?

Many thanks for your kind assistance and enjoy your evening

Bob

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:44 AM

Posted 05 July 2006 - 03:04 PM

hello,

Yes, zonealarm has problems with that. So, yes, you can uninstall zonealarm and install another firewall instead (look in my signature under firewalls for other free ones)

Well, it's up to you if you want to delete that process.exe present in your system32-folder. It won't hurt to delete it and it won't hurt you keep it :thumbsup:

Glad I could help. :flowers:

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn`t scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Let your antispywarescanner(s) scan frequently and don't forget to update before.

And I do suggest you perform an online virusscan once in a while. (Housecall and/or Bitdefender). Because what one virusscanner can't find another one maybe can.
Also make sure that your virusscanner, the one that is installed on your system is always up to date!

Make sure your windows has the latest updates, so visit asap: http://windowsupdate.microsoft.com/ to update to SP2!
Effective October 11, 2006, Windows XP SP1 and SP1a will transition to a non-supported status. After this date, Microsoft will no longer provide any incident support options or security updates. Existing support documents, however, will continue to be available through the Microsoft Support Product Solution Center Web site.
http://support.microsoft.com/gp/lifean19

If you are having XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to Protect your Pc, Protect yourself and Protect your Family.

More info on how to prevent malware you can also find here (By Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

If you want to fight back the Malware Writers that have made your life a misery, please take a look here.

Happy surfing again! :huh:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 jwh Bob

jwh Bob
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Luxembourg
  • Local time:10:44 AM

Posted 05 July 2006 - 03:27 PM

Glad I could help. :thumbsup:


Bet I'm glad too!

Many thanks again for your efficient help and believe me I'll follow your tips (will keep me busy...)

Bob

There's no success like failure
And failure's no success at all.


#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:44 AM

Posted 05 July 2006 - 03:40 PM

You're welcome :thumbsup:

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users