Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Constant Bombardment With Trojans


  • This topic is locked This topic is locked
2 replies to this topic

#1 sharkinfestedwaters

sharkinfestedwaters

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:03:04 AM

Posted 30 August 2006 - 12:31 AM

Hi - It started Sunday. WinTasks found xpsyswin.exe and three items labeled Project1. I downloaded KillBox, Ewido, BFU and alcanshorty.bfu script, got rid of Project1, and thought I was rid of xpsyswin.exe. Came back. Problem getting worse, not better. I turned off System Restore, went into safe mode, ran Ewido and BFU again. Now my home page has been changed to MSN, and AVG keeps alerting me to new Trojans - if I don't move them to vault fast enough, I get a message that I'm offline when it looks like I'm online, and I can't reconnect.

SpyBot finds one SmitFraud registry key, but AdAware, RegClean and Ewido don't notice it. SmitFraudFix.zip doesn't fix it.

Here is HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:13:25 PM, on 8/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\LIUtilities\WinTasks\wintasks.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Global Startup: WinTasks.lnk = C:\Program Files\LIUtilities\WinTasks\wintasks.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{56E01DDD-C38B-42C0-BDB0-B880551D48A2}: NameServer = 216.234.216.2 216.234.216.3
O21 - SSODL: TaskManager - {376A29EB-0F08-4B8F-B312-3839C689C315} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Help, please - sharkie

BC AdBot (Login to Remove)

 


#2 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:04:04 AM

Posted 06 September 2006 - 06:22 PM

sharkie,

Welcome to Bleeping Computer, your HJT log looks a little lean, did you by chance run it in Safemode??


You have Ewido installed, set it up this way, check for updates, run the scan and post the log into this this thread.
  • Once you have downloaded Ewido Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run Ewido and update the definition files.
  • On the main screen select the icon Update then select the Update now link.
  • Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
  • Once in the Settings screen click on Recommended actions and then select Quarantine <-- Dont forget this
  • Under Reports
  • Select Automatically generate report after every scan
  • Un-Select Only if threats were found
  • Close Ewido Anti-Spyware <-- Do not run the scan yet.
Open HJT Scan Only, close your browser and all open windows, check this and click on Fix Checked

O21 - SSODL: TaskManager - {376A29EB-0F08-4B8F-B312-3839C689C315} - (no file)




Boot your computer into Safemode
  • Go to Start> Shut Off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly.
  • This will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to SAFEMODE
  • Then press the Enter on your Keyboard
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
  • Launch Ewido-Anti-Spyware by double-clicking the icon on your desktop.
  • Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
  • Ewido will now begin the scanning process, be patient this may take a little time.
  • Once the scan is complete do the following:
  • If you have any infections you will prompted, then select Apply all actions
  • Next select the Reports icon at the top.
  • Select the Save report as button in the lower left hand of the screen and save it to a text file on your system
  • make sure to remember where you saved that file, this is important
  • Close Ewido
Reboot normally and run this cleaner

Please download ATF Cleaner by Atribune.
  • This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
Post the Ewido report and a new HJT log please.

ken :thumbsup:

mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014



donate.gif Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days


#3 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:04:04 AM

Posted 05 October 2006 - 07:39 PM

This topic is closed due to lack of response, if you need it reopened, PM a moderator.

mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014



donate.gif Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users