Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Win32/swizzor And Dataspam.exe Infection


  • This topic is locked This topic is locked
6 replies to this topic

#1 drdx

drdx

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:28 PM

Posted 16 November 2006 - 12:28 PM

My real time AV software is CA eTrust EZ Antivirus. It keeps saying it is finding Win32/Swizzor and is removing it but something keeps generating the errors so whatever it is is still there. I have followed every tip on how to get rid of this thing with no luck. Followed all the tips on this site and ran Ad-Aware and Spybot. They got rid of some things and I rebooted. Must interject that I already had turned off the System Restore feature in Windows. Upon reboot Swizzor reared it's head again. Here is the last two instgances of what Ez logged:

2006/11/16 11:00:10.343 File infection: C:\Documents and Settings\drdx\Local Settings\Temporary Internet Files\Content.IE5\GF4LQ7KP\upAYB[1].int is Win32/Swizzor trojan. Deleted
2006/11/16 11:00:10.437 File infection: C:\DOCUME~1\drdx\LOCALS~1\Temp\289e05.exe is Win32/Swizzor trojan. Deleted
2006/11/16 11:00:10.453 File infection: C:\DOCUME~1\drdx\LOCALS~1\Temp\289e05.exe is Win32/Swizzor trojan.
2006/11/16 11:00:10.453 File infection: C:\DOCUME~1\drdx\LOCALS~1\Temp\289e05.exe is Win32/Swizzor trojan.
2006/11/16 12:00:18.968 File infection: C:\Documents and Settings\drdx\Local Settings\Temporary Internet Files\Content.IE5\GF4LQ7KP\upAYB[1].int is Win32/Swizzor trojan. Deleted
2006/11/16 12:00:20.640 File infection: C:\DOCUME~1\drdx\LOCALS~1\Temp\738f32.exe is Win32/Swizzor trojan. Deleted
2006/11/16 12:00:20.656 File infection: C:\DOCUME~1\drdx\LOCALS~1\Temp\738f32.exe is Win32/Swizzor trojan.
2006/11/16 12:00:20.656 File infection: C:\DOCUME~1\drdx\LOCALS~1\Temp\738f32.exe is Win32/Swizzor trojan.

I downloaded and ran Stinger even though it does not include Swizzor with expected results showing nothing. I haven't really noticed too many problems associated with this bugger as I use Firefox and Thunderbird trying to stay away from the IE, Outlook problems. WHen I do run IE though, I do get lots of pop-ups even though the pop-up blocker is enabled.

Also must say I found something called Dataspam.exe on the system but deleting it from the system and register seemed to work. It was in a sub directory called:

C:\Documents and Settings\All Users\Application Data\checkthisadminmess\Dataspam.exe

The only other mention of this file on the net was posted to be found in a directory called:

C:\Documents and Settings\All Users\Application Data\Gram Long Defy Extra\Dataspam.exe

These seem like bogus names generated by a random process but don't know what created them and if it had anything to do with the current Swizzor problem.

I also have ZoneAlarm and it and the Ez Av are up to date. Here is the Hijack file but I don't see anything out of the ordinary. (if anyone checks I renamed the Corel Draw register program so it would stop checking for updates. Didn't want anymore reminders to upgrade!)

Logfile of HijackThis v1.99.1
Scan saved at 12:00:46 PM, on 11/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\toshiba\ivp\ism\pinger.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe
C:\Program Files\BitTorrent\bittorrent.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
C:\Downloads\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] C:\toshiba\ivp\ism\pinger.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.bxe /title="CorelDRAW Graphics Suite 12" /date=111006 serial=DR12WEX-8562127-SQD lang=EN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Road Runner PhotoShow Media Manager] C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [settings owns] C:\DOCUME~1\drdx\APPLIC~1\PROGRA~1\manager bows.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Mozilla Firefox.lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O4 - Global Startup: Mozilla Thunderbird.lnk = C:\Program Files\Mozilla Thunderbird\thunderbird.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

:thumbsup: Help!

BC AdBot (Login to Remove)

 


m

#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:28 PM

Posted 16 November 2006 - 06:42 PM

Hello,

Go to start > controlpanel > software > add/remove programs and uninstall Zone Media

Reboot your computer afterwards.. important.

After reboot, * Open notepad and copy and paste next in it:

if exist %systemdrive%\look.txt del %systemdrive%\look.txt
cd\
cd %appdata%
dir /x >> %systemdrive%\look.txt
cd %allusersprofile%\Application Data
dir /x >> %systemdrive%\look.txt
dir %Windir%\tasks /a:h >> C:\look.txt
start notepad %systemdrive%\look.txt


Save this as look.bat , choose to save it as *all files and place it on your desktop.
This is how the batch must look afterwards: Posted Image
In case you still are unsure how to create a reg file, take a look here with screenshots.
Doubleclick look.bat and post the content of the txtfile you get in your next reply together with a new hijackthislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 drdx

drdx
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:28 PM

Posted 16 November 2006 - 11:36 PM

Here is the results of look.bat:

Volume in drive C is SQ003982P01
Volume Serial Number is 606A-9EA4

Directory of C:\Documents and Settings\drdx\Application Data

11/16/2006 06:30 PM <DIR> BITTOR~2 .bittorrent
11/30/2005 06:19 PM <DIR> Adobe
06/04/2006 06:33 PM <DIR> AdobeUM
05/07/2006 04:42 PM <DIR> AOL
06/27/2006 12:22 PM <DIR> APPLEC~1 Apple Computer
11/29/2005 05:25 PM <DIR> ATI
11/12/2006 09:47 PM <DIR> BITTOR~1 BitTorrent
06/27/2006 06:36 PM <DIR> Corel
05/09/2006 10:03 PM <DIR> FUJIFILM
06/10/2006 12:22 PM 54,840 GDIPFO~1.DAT GDIPFONTCACHEV1.DAT
06/18/2006 11:32 PM <DIR> Google
10/31/2006 10:25 PM <DIR> Help
11/04/2005 09:30 PM <DIR> IDENTI~1 Identities
05/06/2006 10:03 PM <DIR> INTERV~1 InterVideo
11/04/2005 11:05 PM <DIR> Intuit
11/16/2006 09:45 AM <DIR> Lavasoft
05/08/2006 04:45 PM <DIR> Logitech
05/06/2006 09:19 PM <DIR> MACROM~1 Macromedia
05/06/2006 09:32 PM <DIR> Mozilla
10/01/2006 01:47 PM <DIR> NETPUM~1 NetPumper
05/31/2006 06:50 PM 66 PHOTOS~1.TXT photoshow_deluxe_setup.txt
11/16/2006 11:18 PM <DIR> PROGRA~1 ProgramChinMail
10/25/2006 11:12 PM <DIR> Real
11/01/2006 01:50 PM <DIR> ROADRU~1 Road Runner
07/03/2006 01:19 PM <DIR> SEVENZ~1 Seven Zip
05/31/2006 06:50 PM <DIR> SIMPLE~1 Simple Star
06/25/2006 10:13 AM <DIR> Sonic
07/16/2006 06:05 PM <DIR> STOIK
05/31/2006 10:19 PM <DIR> Sun
05/06/2006 09:32 PM <DIR> Talkback
05/06/2006 09:32 PM <DIR> THUNDE~1 Thunderbird
05/07/2006 11:03 PM <DIR> toshiba
11/04/2005 11:10 PM <DIR> YOU'VE~1 You've Got Pictures Screensaver
2 File(s) 54,906 bytes
31 Dir(s) 41,959,575,552 bytes free
Volume in drive C is SQ003982P01
Volume Serial Number is 606A-9EA4

Directory of C:\Documents and Settings\All Users\Application Data

11/04/2005 11:03 PM <DIR> Adobe
05/07/2006 04:58 PM <DIR> AOL
10/01/2006 02:22 PM <DIR> APPLEC~1 Apple Computer
07/15/2006 01:31 PM <DIR> INSTAL~1 InstallShield
11/04/2005 11:05 PM <DIR> Intuit
11/04/2005 11:11 PM <DIR> McAfee.com
11/04/2005 11:09 PM <DIR> PURENE~1 Pure Networks
07/02/2006 03:46 PM 1,755 QTSBAN~1 QTSBandwidthCache
11/04/2005 11:10 PM <DIR> QUICKT~1 QuickTime
10/19/2006 10:49 PM <DIR> SPYBOT~1 Spybot - Search & Destroy
11/04/2005 11:09 PM <DIR> VIEWPO~1 Viewpoint
06/29/2006 03:49 PM <DIR> WINDOW~1 Windows Genuine Advantage
05/08/2006 11:37 PM <DIR> Yahoo
1 File(s) 1,755 bytes
12 Dir(s) 41,959,575,552 bytes free
Volume in drive C is SQ003982P01
Volume Serial Number is 606A-9EA4

Directory of C:\WINDOWS\tasks

Here is the latest hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 11:27:59 PM, on 11/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Multi-Edit Lite 9.10\MeLite.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Downloads\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] C:\toshiba\ivp\ism\pinger.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.bxe /title="CorelDRAW Graphics Suite 12" /date=111006 serial=DR12WEX-8562127-SQD lang=EN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Road Runner PhotoShow Media Manager] C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Mozilla Firefox.lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O4 - Global Startup: Mozilla Thunderbird.lnk = C:\Program Files\Mozilla Thunderbird\thunderbird.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Thanks for the help! :thumbsup:

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:28 PM

Posted 17 November 2006 - 02:23 AM

Hello,

The reason why you got infected is because you have Netpumper installed. Netpumper is bundled with this Swizzor/lop crap you are dealing with.. That's why I strongly recommend you uninstall Netpumper.

Reboot after uninstalling.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
<== it is a bad idea to let p2p programs startup with windows
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe <= same reason as my previous remark.

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders afterwards again, when we are done with this thread and your problems are solved, because above instructions to set your system to show all files, unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.


Delete next folders:

C:\Documents and Settings\drdx\Application Data\ProgramChinMail

C:\Documents and Settings\drdx\Application Data\NetPumper

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below.. A new window will popup what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the Posted Image icon next to it.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.
Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 drdx

drdx
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:28 PM

Posted 17 November 2006 - 12:51 PM

:thumbsup: Thanks! Actually I was not getting anymore EZ AV warnings about Win/32Swizzor after the previous post. The directories for NetPumper were leftover from a previous install of the Full Blown version that is free from banners and bundled software. The uninstall must have left some garbage behind as I also found some references to it in the registry which I deleted.

I do not use IE except in cases where a page will just not work in Firefox which is not very often but since I am a programmer I have to test new pages on it but don't use it to browse the web.

Thanks for the heads up on the Java update. Have done that and hope the system stays free of junk for a while. This is the first problem I have had in over 7 years but my son recently used my laptop and I suspect that is when this bugger got in there.

Thanks for your service as it kept me from pulling my hair out!!! :flowers:

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:28 PM

Posted 17 November 2006 - 02:03 PM

Hello,

Yes, uninstalling Zone Media already fixes it and is able to delete the related crapfolders/files and keys it installed. However, leftovers could still be present, that's why I asked you to create the extra look.bat to look if it was removed properly... and it was. :thumbsup:

Good everything is ok now.

Glad I could help. :flowers:

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn`t scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.
How to use SpywareBlaster

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Let your antispywarescanner(s) scan frequently and don't forget to update before.

And I do suggest you perform an online virusscan once in a while. (Housecall and/or Bitdefender). Because what one virusscanner can't find another one maybe can.
Also make sure that your virusscanner, the one that is installed on your system is always up to date!

Make sure your windows has the latest updates: http://windowsupdate.microsoft.com/

If you are having XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to Protect your Pc, Protect yourself and Protect your Family.

More info on how to prevent malware you can also find here (By Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

Also read: Simple and easy ways to keep your computer safe and secure on the Internet

Happy surfing again! :huh:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:07:28 PM

Posted 23 November 2006 - 07:35 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users