Svchost.exe Problem


13 replies to this topic

#1 b bailey
  • Members
  • 8 posts

Posted 30 May 2007 - 03:34 AM

If someone could take a look at my HijackThis log, I sure would appreciate it. I've run everything that was asked before submitting, but nothing came up except some cookies and a keylogger entry, which I removed. I have to manually stop the svchost.exe from running every time I boot up; something is not right.

Attached Files


Edited by b bailey, 30 May 2007 - 03:36 AM.




#2 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 30 May 2007 - 06:14 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum b bailey :thumbsup:

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL of the following text:

Files to delete:
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\perfc000.dat

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

*************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.

*NOTE*
Please do not post your replies as attachments; paste them directly into this topic, thanks.

#3 b bailey
  • Topic Starter
  • Members
  • 8 posts

Posted 30 May 2007 - 08:39 AM

I didn't receive a log file for Avenger, it said it couldn't find the text. Here are the other log entries. I'm not getting the 100% cpu at start up now. I appreciate the help.

#4 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 30 May 2007 - 09:18 AM

[zzzx.exe - Troj/Socksrv-A is a Backdoor Trojan].
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

They are typically installed without user interaction through security exploits, and may allow an attacker to remotely control the infected machine. Such risks may allow the attacker to install additional malware and use the compromised machine to participate in denial of service attacks, spamming, and bot nets, or to transmit sensitive data to a remote server. The malware may be cloaked and not visible to the user. These risks severely compromise the system by lowering security settings, installing 'backdoors,' infecting system files, or spreading to other networked machines.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately, including those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed by using a different computer and not the infected one; if not, an attacker may get the new passwords and transaction information.
Banking and credit card institutions should be notified of the possible security breach.

********************************

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

*******************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware; don't run the scan just yet.

You might want to print/copy the following, as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: (no name) - {943CBD6C-F4DE-40e4-AA43-7B964FAE81F1} - (no file)
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll (file missing)
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

Exit Hijackthis.

Find and delete:
C:\WINDOWS\zzzx.exe
C:\WINDOWS\5x.exe
C:\WINDOWS\475x.exe
C:\WINDOWS\ceme26.dat
C:\WINDOWS\svhoster
C:\WINDOWS\system32\ceme26.dll

Still in Safe Mode, launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient; it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done.
Reboot normally.

*******************************

Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
Read the 'END USER SOFTWARE LICENSE AGREEMENT' then click 'I agree'.
You'll be prompted to install the ActiveX control; please do so.
Once installed, disable your current antivirus program, then click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded the scan will start.
The scan will take quite some time, so please be patient.
Once the scan has finished select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All', then copy and paste that log into your next reply.
*Note*
Don't forget to re-enable your antivirus program.

Post the AVG Anti-Spyware report, the BitDefender Online Scanner log, and a new HijackThis log into your next reply.
Let me know how your pc is running now please.
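The two fixes in posts #2 and #4 rest on one rule of thumb for Windows XP: the real service host, like lsass.exe, services.exe and winlogon.exe, only ever runs from C:\WINDOWS\System32, so the C:\WINDOWS\svchost.exe that post #2 targets is a look-alike, and the O2/O9 entries that post #4 has HijackThis fix are hooks whose file is already gone (shown as "(file missing)" or "(no file)"). The Python script below is an added example written for this page; it is not code from the thread or from the HijackThis project. It runs those checks, plus a third for O4 Run values that name a bare executable, against a constructed log fragment modelled on the lines posted above. It assumes the XP install is in C:\WINDOWS, as this poster's log shows.

```python
"""Triage a HijackThis-style log: find a svchost.exe running outside
System32 and autostart entries whose file is missing or path-less.
Added example for this thread; SAMPLE_LOG is constructed from lines
posted above, not the poster's actual file."""
import ntpath
import re

# Assumption: the XP install lives in C:\WINDOWS (true for the log above).
SYSTEM32 = r"c:\windows\system32"
# XP core processes that only ever run from System32; a same-named file in
# another directory (C:\WINDOWS\svchost.exe in post #2) is a look-alike.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "csrss.exe", "smss.exe"}

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\Explorer.EXE

O2 - BHO: (no name) - {943CBD6C-F4DE-40e4-AA43-7B964FAE81F1} - (no file)
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL (file missing)
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
"""

ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d+) - (.*)$")
RUN_RE = re.compile(r"^[^:]+: \[[^\]]*\] (.*)$")


def parse_log(text):
    """Return (process paths, [(section, body)]) from a HijackThis log."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False       # a blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def masquerading_processes(processes):
    """Core process names running from anywhere but System32."""
    hits = []
    for path in processes:
        head, name = ntpath.split(path)
        if name.lower() in SYSTEM32_ONLY and head.lower() != SYSTEM32:
            hits.append(path)
    return hits


def orphaned_entries(entries):
    """Hooks still registered although their file is gone."""
    return [f"{sec} - {body}" for sec, body in entries
            if "(file missing)" in body or "(no file)" in body]


def pathless_run_entries(entries):
    """O4 Run values naming a bare executable: Windows resolves it through
    the search path, so a same-named file earlier on that path wins."""
    hits = []
    for sec, body in entries:
        m = RUN_RE.match(body) if sec == "O4" else None
        if not m:
            continue
        cmd = m.group(1).strip()
        # first token: the quoted path, or the text up to the first space
        first = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        if "\\" not in first and "%" not in first:
            hits.append(body)
    return hits


def triage(text):
    """Run all three checks and return the findings keyed by kind."""
    procs, entries = parse_log(text)
    return {"masquerading": masquerading_processes(procs),
            "orphaned": orphaned_entries(entries),
            "pathless_run": pathless_run_entries(entries)}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(f"{kind}:")
        for item in items:
            print("   ", item)
```

The path check only catches the case in this thread, a copy dropped next to the real binary; it says nothing about a file that has been replaced inside System32 itself, which is why the helpers here still ask for a full scan after the targeted deletions.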

#5 b bailey
  • Topic Starter
  • Members
  • 8 posts

Posted 30 May 2007 - 07:25 PM

I followed your instructions, my computer seems to be running well. Do you think I should go with AVG for virus protection instead of Avast!? Thanks so much for all your help, wish I could return the favor somehow. Here are your requested logs:
Logfile of HijackThis v1.99.1
Scan saved at 5:01:52 PM, on 5/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\DeltTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\Banks\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/news?ned=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/53/install/gtdownls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35F8F760-1210-434F-8E94-9CF35D2D93C3}: NameServer = 68.2.16.30,68.6.16.30
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

BitDefender Online Scanner

Scan report generated at: Wed, May 30, 2007 - 16:37:59
Scan path: A:\;C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;K:\;L:\;M:\;N:\;

Statistics
Time: 01:24:12
Files: 466482
Folders: 9206
Boot Sectors: 9
Archives: 16194
Packed Files: 43567

Results
Identified Viruses: 7
Infected Files: 11
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 11

Engines Info
Virus Definitions: 509562
Engine build: AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File: Status
C:\Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\Quarantine\{800183E8-0000-0000-63BA-6AF07326D26E}\DATA.CAB=>RESOURCE1: Infected with: Trojan.Fakealert.FE; Disinfection failed; Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\Quarantine\{800183E8-0000-0000-63BA-6AF07326D26E}\DATA.CAB: Update failed
C:\Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\Quarantine\{800183E8-0000-0000-DAFE-ED08DD769FBE}\DATA.CAB=>RESOURCE1: Infected with: Trojan.Fakealert.FE; Disinfection failed; Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\Quarantine\{800183E8-0000-0000-DAFE-ED08DD769FBE}\DATA.CAB: Update failed
C:\Program Files\Google\Google Earth Pro\Patch.EXE=>(CAB Sfx r)=>server-nme.exe: Infected with: MemScan:Backdoor.Bifrose.NQ; Disinfection failed; Deleted
C:\Program Files\Google\Google Earth Pro\Patch.EXE=>(CAB Sfx r): Update failed
C:\QooBox\Quarantine\C\WINDOWS\159x.exe.vir: Infected with: Trojan.Banker.Delf.XVQ; Disinfection failed; Deleted
C:\RECYCLER\S-1-5-21-1177238915-1085031214-725345543-1004\Dc5\iexplorer.exe: Infected with: MemScan:Backdoor.Bifrose.NQ; Disinfection failed; Deleted
C:\System Volume Information\_restore{BD586838-E73C-4702-913C-C76B25BE0C22}\RP1\A0000073.exe: Infected with: Trojan.Banker.Delf.XVQ; Disinfection failed; Deleted
C:\System Volume Information\_restore{BD586838-E73C-4702-913C-C76B25BE0C22}\RP1\A0000307.exe: Infected with: GenPack:Trojan.Downloader.Delf.NSN; Disinfection failed; Deleted
C:\System Volume Information\_restore{BD586838-E73C-4702-913C-C76B25BE0C22}\RP1\A0000308.exe: Infected with: Backdoor.Prorat.SP; Disinfection failed; Deleted
C:\System Volume Information\_restore{BD586838-E73C-4702-913C-C76B25BE0C22}\RP1\A0000344.exe: Infected with: MemScan:Backdoor.Bifrose.NQ; Disinfection failed; Deleted
L:\windows software\Google Earth Professional 4.0\Crack\Patch.EXE=>(CAB Sfx r)=>server-nme.exe: Infected with: MemScan:Backdoor.Bifrose.NQ; Disinfection failed; Deleted
L:\windows software\Google Earth Professional 4.0\Crack\Patch.EXE=>(CAB Sfx r): Update failed
M:\windows software\Google Earth Professional 4.0\Crack\Patch.EXE=>(CAB Sfx r)=>server-nme.exe: Infected with: MemScan:Backdoor.Bifrose.NQ; Disinfection failed; Deleted
M:\windows software\Google Earth Professional 4.0\Crack\Patch.EXE=>(CAB Sfx r): Update failed

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:28:50 PM 5/30/2007

+ Scan result:



C:\QooBox\Quarantine\C\WINDOWS\system32\perfc000.dat.vir -> Backdoor.Small.os : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\smpi1\lib06.exe.vir -> Downloader.Agent.bls : Cleaned.
C:\System Volume Information\_restore{BD586838-E73C-4702-913C-C76B25BE0C22}\RP1\A0000071.exe -> Downloader.Agent.bls : Cleaned.
C:\RECYCLER\S-1-5-21-1177238915-1085031214-725345543-1004\Dc2.exe -> Downloader.Agent.bnn : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\svchost.exe.vir -> Downloader.Delf.bld : Cleaned.
C:\RECYCLER\S-1-5-21-1177238915-1085031214-725345543-1004\Dc7.exe -> Downloader.Delf.bld : Cleaned.
C:\System Volume Information\_restore{BD586838-E73C-4702-913C-C76B25BE0C22}\RP1\A0000072.exe -> Downloader.Delf.bld : Cleaned.
C:\Documents and Settings\Banks\Cookies\banks@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Banks\Cookies\banks@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Banks\Cookies\banks@arn.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Banks\Cookies\banks@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Banks\Cookies\banks@ads.cnn[1].txt -> TrackingCookie.Cnn : Cleaned.
C:\Documents and Settings\Banks\Cookies\banks@ecoustics-cnet.com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Banks\Cookies\banks@news.com[3].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Banks\Cookies\banks@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Banks\Cookies\banks@enhance[2].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Banks\Cookies\banks@search.live[1].txt -> TrackingCookie.Live : Cleaned.
C:\Documents and Settings\Banks\Cookies\banks@sales.liveperson[3].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Banks\Cookies\banks@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Banks\Cookies\banks@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Banks\Cookies\banks@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Banks\Cookies\banks@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Banks\Cookies\banks@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Banks\Cookies\banks@toplist[1].txt -> TrackingCookie.Toplist : Cleaned.
C:\Documents and Settings\Banks\Cookies\banks@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.


::Report end

Attached Files



#6 b bailey
  • Topic Starter
  • Members
  • 8 posts

Posted 30 May 2007 - 07:40 PM

I just now found out that my CPU is very high again; this time, it is a process in Task Manager called NMIndexStoreSvr... running; it stopped now. What do you make of it? There is also an NMBgMonitor.exe in there, not sure what they are. Any idea?

#7 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 31 May 2007 - 05:38 AM

I just now found out that my CPU is very high again; this time, it is a process in Task Manager called NMIndexStoreSvr... running; it stopped now. What do you make of it? There is also an NMBgMonitor.exe in there, not sure what they are. Any idea?

nmindexstoresvr.exe is part of Nero Scout that comes with Nero CD/DVD Burning 7.
Nero Scout is a database program that catalogs all of the media files on your computer and that makes this database available to other programs in the Nero 7 product package.

nmbgmonitor.exe is a process belonging to Nero Home.
This program is a non-essential process, but should not be terminated unless suspected to be causing problems.

Do you think I should go with AVG for virus protection instead of Avast!

Stick with Avast; you'll be fine.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)


***************************

Your log is clean :thumbsup:
If all's ok,please do the following:

Find and delete:
Avenger
Combofix

C:\Avenger
C:\QooBox

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear; click on Ok.
The 'Disk Cleanup for [C:]' box will appear; click on the 'More Options' tab.
At the bottom, in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?'; click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

Edited by RichieUK, 31 May 2007 - 05:39 AM.


#8 b bailey
  • Topic Starter
  • Members
  • 8 posts

Posted 05 June 2007 - 12:11 PM

I started to have keylogger and Trojan Downloader-Ruin problems again. I think it's tied in to eBay, logging in there. I tried to fix it again. Thinking of reloading; any help would be appreciated. Here's my HijackThis log. I ran Spybot and Spy Sweeper (not registered) and found no problems after running fixwareout.exe.

Logfile of HijackThis v1.99.1
Scan saved at 9:47:14 AM, on 6/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\DeltTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Soulseek\slsk.exe
C:\Documents and Settings\Banks\Desktop\security\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/news?ned=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/53/install/gtdownls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35F8F760-1210-434F-8E94-9CF35D2D93C3}: NameServer = 68.2.16.30,68.6.16.30
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#9 b bailey

  • Topic Starter
  • Members
  • 8 posts

Posted 05 June 2007 - 01:23 PM

I'm having problems with a keylogger and a Trojan downloader-ruin when running Spybot and Spy Sweeper (not registered). After running Fixwareout.exe, I ran both of them again; nothing found. Not sure if it's clean or not. Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:47:14 AM, on 6/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\DeltTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Soulseek\slsk.exe
C:\Documents and Settings\Banks\Desktop\security\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/news?ned=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/53/install/gtdownls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35F8F760-1210-434F-8E94-9CF35D2D93C3}: NameServer = 68.2.16.30,68.6.16.30
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

I think my problem is from logging into eBay; the password is changed now, using a different PC. Any help would be appreciated.
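Triage of a HijackThis log like the one above, written as an added example (Python; it is not part of the thread and not HijackThis code). The sample log is constructed from entries of the same kinds as the posted one; the extra svchost.exe path outside System32 is invented purely to exercise the masquerade check, and the section names and flag rules are a helper's reading conventions, not anything HijackThis itself computes.

```python
"""Triage a HijackThis v1.99-style log: pull out the sections a malware-removal
helper reads first and flag the patterns that usually matter.

Added example, not part of the thread or of HijackThis itself; the sample log
below is constructed, modelled on the entries in the log posted above."""
import re
from typing import List, Tuple

# Constructed sample in HijackThis format. The second svchost.exe path is
# invented to show the masquerade check; the other entries mirror the posted log.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\svchost.exe
C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe

O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{35F8F760-1210-434F-8E94-9CF35D2D93C3}: NameServer = 68.2.16.30,68.6.16.30
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\\Program Files\\Alwil Software\\Avast4\\ashMaiSv.exe" /service (file missing)
O23 - Service: lxcf_device - - C:\\WINDOWS\\system32\\lxcfcoms.exe
"""

# Binaries that legitimately live only in %SystemRoot%\System32 on Windows XP;
# a copy running from anywhere else deserves a look.
CORE_SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe",
                        "winlogon.exe", "csrss.exe", "smss.exe", "spoolsv.exe"}
SYSTEM32 = r"c:\windows\system32"

ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")


def parse_hjt(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a log into (running processes, [(section, body), ...])."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False       # a blank line ends the process block
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group(1), m.group(2)))
        elif in_processes:
            processes.append(line)
    return processes, entries


def _service_name(body: str) -> str:
    """'Service: Foo - Vendor - path' -> 'Foo'."""
    name = body.split(" - ")[0]
    return name[len("Service: "):] if name.startswith("Service: ") else name


def triage(text: str) -> List[str]:
    """Return human-readable findings, one per flagged item."""
    processes, entries = parse_hjt(text)
    findings: List[str] = []

    # 1. A core system binary name running from the wrong directory (masquerade).
    for path in processes:
        directory, _, name = path.lower().rpartition("\\")
        if name in CORE_SYSTEM_BINARIES and directory != SYSTEM32:
            findings.append(f"masquerade: {name} running from {path}")

    for section, body in entries:
        # 2. Service entries whose binary is gone: stale, or removed by a cleaner.
        if section == "O23" and body.endswith("(file missing)"):
            findings.append(f"orphaned service: {_service_name(body)}")
        # 3. Services with no company listed (" - - ") should be identified.
        elif section == "O23" and " - - " in body:
            findings.append(f"no company listed for service: {_service_name(body)}")
        # 4. DNS servers set on an adapter: verify against the ISP's real servers.
        elif section == "O17":
            findings.append(f"verify DNS servers: {body.split('NameServer = ', 1)[1]}")
        # 5. Winlogon Notify DLLs load at every logon: a classic persistence point.
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            findings.append(f"logon-time DLL: {body.split(' - ', 1)[1]}")
        # 6. Downloaded ActiveX controls (DPF): record where each one came from.
        elif section == "O16":
            host = re.search(r"https?://([^/]+)", body)
            if host:
                findings.append(f"ActiveX control from {host.group(1)}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The checks only surface items for a human to confirm: a DNS server pair like the one in the O17 line is normal when it belongs to the ISP, and a "(file missing)" service is usually a leftover of an uninstall rather than an infection, which is why the helper above read the posted log as clean.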

#10 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 05 June 2007 - 01:56 PM

Your log is clean, let's see if the following finds anything:

Download and scan with the free 15 day trial of Counterspy V2
Save the report when it's finished:
1. Once Counterspy has done scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under (Recommended Action), using the drop-down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and paste those details into your next reply.

#11 b bailey

  • Topic Starter
  • Members
  • 8 posts

Posted 05 June 2007 - 10:19 PM

I have a friend who uses my computer from time to time; she does some selling on eBay. Someone tried to sell something on her site this past week. I think it was through this computer: when I would log into my eBay, my account would come up, but after clicking on the (My eBay) tab, her site would come up. I'm on a router and I think I'll be doing most transactions on another computer.
Here are the results:

Scan History Details
Start Date: 6/6/2007 1:59:48 AM
End Date: 6/6/2007 2:43:44 AM
Total Time: 43 Min 56 Sec
Detected security risks

Cookie: Com.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\banks\cookies\banks@com[1].txt


CoolOnlineOffers.ScreenSaver Adware Bundler more information...
Details: CoolOnlineOffers.ScreenSaver is a program which delivers advertisiment on you computer depending on your surfing behaviour.
Status: Deleted

Files detected
C:\WINDOWS\ASUS_Ai_Proactive_Screensaver (E) dir\expire.scf


Trojan.Nethell Trojan more information...
Status: Deleted

Files detected
C:\WINDOWS\system32\help.txt

Thanks again for your time and knowledge.

#12 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 06 June 2007 - 05:45 AM

Download HostsXpert 3.8:
http://www.funkytoad.com/download/HostsXpert.zip
1. Extract the zip file to your desktop or a permanent folder on your hard drive.
2. Open the folder and double-click on Hoster.exe.
3. Press "Restore Microsofts Original Hosts File".
4. Press "OK" and exit the program.

Go to:
C:\WINDOWS\System32\drivers\etc\HOSTS.
1) Right-click on the HOSTS file.
2) Click Properties.
3) You will see a window open; at the bottom of the window, to the right of Attributes, check the box that says 'Read-only'.
4) Click Apply/OK.

How's your PC doing now, please?
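The two steps in the post above (put the stock HOSTS file back, then set it read-only) as an added example in Python; this is not code from the thread or from HostsXpert. It also shows what a helper looks for before restoring: any mapping other than the stock `localhost` line, since a loopback mapping of another name blocks that site and a non-loopback mapping silently redirects it. The sample HOSTS content is constructed, and the example works on a temporary copy so it runs anywhere; on a real Windows XP machine the file is `C:\WINDOWS\System32\drivers\etc\hosts` and the same `os.chmod` call sets the Windows 'Read-only' attribute.

```python
"""Check a Windows HOSTS file for tampering, restore the stock content and make
it read-only.

Added example, not code from the thread or from HostsXpert. It works on a copy
written to a temporary directory; on a real XP machine the path is
C:\\WINDOWS\\System32\\drivers\\etc\\hosts."""
import os
import stat
import tempfile
from typing import List, Tuple

# Constructed sample: the Microsoft default plus two entries of the kinds that
# show up after a hijack (one blocks a site, one silently redirects a site).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       update.example.org      # blocks the site (constructed)
10.0.0.5        signin.example.com      # redirects the site (constructed)
"""

LOOPBACK = {"127.0.0.1", "::1"}
DEFAULT_NAMES = {"localhost"}   # the only mapping a stock Windows XP HOSTS file carries
STOCK_CONTENT = "127.0.0.1       localhost\n"


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) for each active line; comments are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], parts[1:]))
    return entries


def find_tampering(text: str) -> List[str]:
    """Describe every mapping that is not the stock 'localhost' entry."""
    findings = []
    for address, names in parse_hosts(text):
        for name in names:
            if address in LOOPBACK and name.lower() in DEFAULT_NAMES:
                continue
            kind = "blocked" if address in LOOPBACK else f"redirected to {address}"
            findings.append(f"{name}: {kind}")
    return findings


def is_read_only(path: str) -> bool:
    """True when the owner write bit is clear; on Windows that bit is the
    'Read-only' attribute shown in the file's Properties dialog."""
    return not (stat.S_IMODE(os.stat(path).st_mode) & stat.S_IWUSR)


def restore_and_lock(path: str) -> None:
    """Rewrite the file with the stock content, then clear the write bit."""
    if os.path.exists(path):
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)  # make sure we can overwrite
    with open(path, "w", encoding="ascii") as fh:
        fh.write(STOCK_CONTENT)
    os.chmod(path, stat.S_IREAD)


def demo() -> Tuple[List[str], List[str], bool]:
    """Run the check on a temporary copy: findings before, after, read-only flag."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "hosts")
        with open(path, "w", encoding="ascii") as fh:
            fh.write(SAMPLE_HOSTS)
        before = find_tampering(SAMPLE_HOSTS)
        restore_and_lock(path)
        with open(path, encoding="ascii") as fh:
            after = find_tampering(fh.read())
        locked = is_read_only(path)
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)  # let the temp dir clean up
        return before, after, locked


if __name__ == "__main__":
    print(demo())
```

The read-only attribute only stops careless overwrites; anything running with enough rights can clear it again, so the real value of the check is that a changed HOSTS file is easy to spot on the next look.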

#13 b bailey

  • Topic Starter
  • Members
  • 8 posts

Posted 06 June 2007 - 07:33 AM

It seems to be running well.

#14 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 06 June 2007 - 07:45 AM

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear; click on OK.
The 'Disk Cleanup for [C:]' box will appear; click on the 'More Options' tab.
At the bottom, in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up: 'Are you sure you want to delete all but the most recent restore point?'; click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
:thumbsup: