
Very Persistent Trojan


This topic is locked. 15 replies to this topic.

#1 Goldmember
New Member, 9 posts

Posted 09 February 2006 - 04:19 PM

I have been trying to get rid of this Trojan for the better part of today and all of yesterday and I am at my wits' end. Housecall (Trendmicro) finds this little bugger when I do a scan and it says it can remove it, but it is there again when I re-scan. Spybot SD does not see it. PC Cilling (Trendmicro's free trial) does not see it. Microsoft's Antispyware sees it, says it can remove it, and it is there every time I do a new scan. This trojan downloads and installs some questionable Spyware Removal programs (SpyFalcon, SpywareStrike, etc) and it slows my comp's performance by quite a bit. You can find my HijackThis log below. I will appreciate any assistance you can provide to get rid of my problem. Thank You.

Logfile of HijackThis v1.99.1
Scan saved at 3:05:31 PM, on 2/9/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINNT\system32\nvctrl.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
L:\hostplus\fxp32\vh.exe
L:\HOSTPLUS\FXP32\IN-FRAMV.EXE
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\Documents and Settings\grobles\My Documents\Security\HijackThis.exe

O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINNT\system32\hp26A7.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h20278.www2.h...SWebManager.CAB
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} - http://entimg.msn.co...snediag3028.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = scrmain.springcreekranch.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3FF1437-16BF-49A6-B4C4-5AD70886728E}: NameServer = 10.5.5.97
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = scrmain.springcreekranch.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = scrmain.springcreekranch.com
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



#2 Piatan
SuperMember (Authentic Member), 1,825 posts

Posted 13 February 2006 - 04:10 PM

Thanks for sending your information. We are sorry for the delay in responding. The volunteers here are swamped and unfortunately not all logs get answered as quickly as we'd like.

If you still need help with your problem, please run Hijack This again. Scan and copy the log, then post it here, in this topic . We do need to see a current logfile.

To post, please use the Add Reply feature, so I will be notified.

Please provide a description of the problem.

Please do not edit your Hijack This log. We need to see the entire logfile, with no revisions.

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


#3 Goldmember
New Member, 9 posts

Posted 14 February 2006 - 12:25 PM

Thanks for your response Piatan.

As mentioned previously, my problem is this Downloader.Zolob trojan that has installed itself on my comp. It slows down my comp a lot and it downloads and installs those pesky fake Spyware Removal Programs. I have run HJT just now and here is the log.

Logfile of HijackThis v1.99.1
Scan saved at 11:23:47 AM, on 2/14/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINNT\system32\nvctrl.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\Documents and Settings\grobles\My Documents\Security\HijackThis.exe

O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINNT\system32\hpBF53.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h20278.www2.h...SWebManager.CAB
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} - http://entimg.msn.co...snediag3028.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = scrmain.springcreekranch.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3FF1437-16BF-49A6-B4C4-5AD70886728E}: NameServer = 10.5.5.97
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = scrmain.springcreekranch.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = scrmain.springcreekranch.com
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Thank You.

#4 Piatan
SuperMember (Authentic Member), 1,825 posts

Posted 14 February 2006 - 01:07 PM

Hi Goldmember;

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Please DO NOT run it yet.

Please download, install, and update the free version of Ewido Security Suite:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main Ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes, the status bar at the bottom will display "Update successful"
  • Exit Ewido. DO NOT run a scan yet.
If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates:
Ad-Aware SE Setup
Again, do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

Next:
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.

Next, run Ad-aware and perform a full scan. Remove everything found.

Now open Ewido Security Suite:
  • Click on Scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives. You will need to step through the process of cleaning files one-by-one. If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
  • Close Ewido
Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.


Restart your computer in normal mode.

Run the Panda online virus scan at http://www.pandasoft.../activescan.htm

- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Finally, restart your computer once more, and please post a new HijackThis log as well as the log from the Ewido scan and the log from the smitRem tool, which will be located at C:\smitfiles.txt.

Let us know if any problems persist.


Please use the Add Reply feature to post, so I will be notified.
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


#5 Goldmember
New Member, 9 posts

Posted 16 February 2006 - 02:10 PM

Sorry it took me a while to reply and do what you told me. I have been pretty busy with work and this is not helped by the fact that my comp is so slow lately. I have done what you asked and right after running the Ewido program my comp seems to be a lot faster. Panda Virus Scan says I still have problems so here are the logs you requested. I will post each log in its own post.

First the HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 1:03:46 PM, on 2/16/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\grobles\My Documents\Security\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\pcclient.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h20278.www2.h...SWebManager.CAB
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} - http://entimg.msn.co...snediag3028.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = scrmain.springcreekranch.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3FF1437-16BF-49A6-B4C4-5AD70886728E}: NameServer = 10.5.5.97
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = scrmain.springcreekranch.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = scrmain.springcreekranch.com
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
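
The O2 BHO in posts #1 and #3 keeps the same CLSID and name while its system32 .tmp filename changes between scans, and it is absent from the log above. As an added example (not part of the thread and not HijackThis code), the script below diffs HJT logs by entry identity with the file path blanked out, so a payload re-dropped under a new random name shows up as "renamed" rather than as a fresh entry; the log excerpts are constructed from lines quoted in this thread, and the single .tmp heuristic is my own.

```python
"""Diff HijackThis logs by entry identity and flag entries loading from .tmp files.

Added example; not from the thread and not part of HijackThis. The three
log excerpts are constructed from O2/O3/O4 lines quoted in this thread.
The one heuristic (code loaded from a .tmp file) is mine and covers only
the pattern this thread shows.
"""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path ending in a loadable/openable extension.
PATH_RE = re.compile(
    r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|ocx|tmp|lnk|htm|cab))', re.IGNORECASE
)

# Constructed excerpts. Post #1: BHO from hp26A7.tmp; post #3: same CLSID,
# now hpBF53.tmp; post #5 (after smitRem/Ewido): the BHO is gone.
LOG_POST1 = r"""
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINNT\system32\hp26A7.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""
LOG_POST3 = LOG_POST1.replace("hp26A7.tmp", "hpBF53.tmp")
LOG_POST5 = r"""
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
"""


@dataclass(frozen=True)
class Entry:
    section: str  # HJT section, e.g. "O2"
    key: str      # identity: the line with its file path blanked out
    path: str     # the file the entry loads or launches ("" if none)
    raw: str


def parse_hjt(text):
    """Return the O-section entries of a HijackThis log as Entry objects."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list, blank lines
        section, body = m.groups()
        pm = PATH_RE.search(body)
        path = pm.group(1) if pm else ""
        # Identity ignores the path: a BHO re-dropped under a new random
        # filename keeps its CLSID and name, so it must match its old self.
        key = f"{section} - " + (body.replace(path, "<path>") if path else body)
        entries.append(Entry(section, key, path, line.strip()))
    return entries


def diff_logs(old_text, new_text):
    """Return (added, removed, renamed) between two HJT logs.

    renamed holds (old, new) pairs whose identity matched but whose path
    changed: the signature of a payload re-dropped under a fresh name.
    """
    old = {e.key: e for e in parse_hjt(old_text)}
    new = {e.key: e for e in parse_hjt(new_text)}
    added = [e for k, e in new.items() if k not in old]
    removed = [e for k, e in old.items() if k not in new]
    renamed = [(old[k], e) for k, e in new.items() if k in old and old[k].path != e.path]
    return added, removed, renamed


def suspicious_reasons(entry):
    """Heuristic: legitimate BHOs and Run entries do not load from .tmp files."""
    reasons = []
    if entry.path.lower().endswith(".tmp"):
        reasons.append("loads code from a .tmp file")
    return reasons


def report(old_text, new_text):
    """Human-readable summary lines: + added, - removed, ~ renamed, ! flagged."""
    added, removed, renamed = diff_logs(old_text, new_text)
    lines = [f"+ {e.raw}" for e in added] + [f"- {e.raw}" for e in removed]
    for o, n in renamed:
        lines.append(f"~ {o.path} -> {n.path}")
    for e in added + [n for _, n in renamed]:
        for why in suspicious_reasons(e):
            lines.append(f"! {e.section}: {why}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(LOG_POST1, LOG_POST3)))  # the BHO survives, renamed
    print("\n".join(report(LOG_POST3, LOG_POST5)))  # the BHO is gone
```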

#6 Goldmember
New Member, 9 posts

Posted 16 February 2006 - 02:11 PM

Next the Ewido scan report.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:45:04 AM, 2/16/2006
+ Report-Checksum: BF566C30

+ Scan result:

C:\Documents and Settings\grobles\Local Settings\Temp\fimpjlmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\grobles\Local Settings\Temp\gkahogmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\grobles\Local Settings\Temp\gkbjjemd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\grobles\Local Settings\Temp\gmlmpnmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\grobles\Local Settings\Temp\opmifkmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\grobles\Local Settings\Temp\pallhdmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\grobles\Local Settings\Temp\phfbbimd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Program Files\SpyFalcon -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\blacklist.txt -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\ignored.lst -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\Lang -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\Lang\English.ini -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\Logs -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\msvcp71.dll -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\msvcr71.dll -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\Quarantine -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\sf.ini -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\SpyFalcon.exe -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\SpyFalcon.url -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\syg.db -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\uninst.exe -> Adware.SpyFalcon : Cleaned with backup
C:\WINNT\Downloaded Program Files\gdnUS2296.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINNT\system32\dxmpp.dll -> Not-A-Virus.Hoax.Win32.Renos.bg : Cleaned with backup

::Report End

#7 Goldmember
New Member, 9 posts

Posted 16 February 2006 - 02:12 PM

Next the smitRem report.

smitRem © log file
version 2.8
by noahdfear

Microsoft Windows 2000 [Version 5.00.2195]
The current date is: Thu 02/16/2006
The current time is: 9:26:07.07

Running from
C:\Documents and Settings\grobles\My Documents\Security\SmitRem\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{D81E2FC4-B0A2-11D3-21AC-07C04C21A18A}"="Replay for WindowsXP"
"{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}"="Wheel Mouse Optical Driver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key
ShudderLTD key not present!

checking for PSGuard.com key
PSGuard.com key not present!

checking for WinHound.com key
WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~
Security Toolbar

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~
replmap.dll
1024 dir
msvol.tlb
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
hp***.tmp

~~~ Icons in System32 ~~~
ot.ico

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 424 'explorer.exe'

Starting registry repairs
Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}"="Wheel Mouse Optical Driver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN! :)

#8 Goldmember
New Member, 9 posts

Posted 16 February 2006 - 02:14 PM

And last the Panda Scan Report even though you did not ask for it. ;-P

Incident Status Location

Adware:adware/securityerror Not disinfected C:\Documents and Settings\grobles\Favorites\Antivirus Test Online.url
Adware:Adware/SpyFalcon Not disinfected C:\Documents and Settings\grobles\Local Settings\Temp\sa15.exe
Adware:Adware/SpyFalcon Not disinfected C:\Documents and Settings\grobles\Local Settings\Temp\sa17.exe
Adware:adware/spywarestrike Not disinfected C:\Documents and Settings\grobles\Local Settings\Temp\sa2.exe
Adware:Adware/SpyFalcon Not disinfected C:\Documents and Settings\grobles\Local Settings\Temp\sa24.exe
Adware:Adware/SpyFalcon Not disinfected C:\Documents and Settings\grobles\Local Settings\Temp\sa2E.exe
Adware:Adware/SpyFalcon Not disinfected C:\Documents and Settings\grobles\Local Settings\Temp\sa3.exe
Adware:Adware/SpyFalcon Not disinfected C:\Documents and Settings\grobles\Local Settings\Temp\sa3D.exe
Adware:Adware/SpyFalcon Not disinfected C:\Documents and Settings\grobles\Local Settings\Temp\sa4B.exe
Adware:Adware/SpyFalcon Not disinfected C:\Documents and Settings\grobles\Local Settings\Temp\sa61.exe
Adware:Adware/SpyFalcon Not disinfected C:\Documents and Settings\grobles\Local Settings\Temp\sa6B.exe
Adware:Adware/SpyFalcon Not disinfected C:\Documents and Settings\grobles\Local Settings\Temp\sa7C.exe
Adware:Adware/SpyFalcon Not disinfected C:\Documents and Settings\grobles\Local Settings\Temp\sa9.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\grobles\My Documents\Security\SmitRem\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\grobles\My Documents\Security\smitRem.exe[Process.exe]

Let me know if I should worry about anything else. Thank You very much!

#9 Piatan
SuperMember (Authentic Member), 1,825 posts

Posted 16 February 2006 - 04:34 PM

Hi Goldmember;

Your HJT log looks good and those other scans do also. :D

Those bad files are in your Temp files, so let's clean them.

Boot into SAFE MODE:
To restart in Safe Mode:
Restart your computer.

Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

Next:
Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

(When finished, remember to return and place a check on "Hide protected operating system files" Click Apply and then OK.)

Then, in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\(EVERY Listed USER)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Then reboot into NORMAL MODE.

Then, please run the Panda scan again and post the results into this topic, along with a fresh Hijack This logfile.

They should both fit into a single post.

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


#10 Goldmember
New Member, 9 posts

Posted 17 February 2006 - 12:16 PM

Here is the HJT scan report.

Logfile of HijackThis v1.99.1
Scan saved at 9:51:22 AM, on 2/17/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\mobsync.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Documents and Settings\grobles\My Documents\Security\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h20278.www2.h...SWebManager.CAB
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} - http://entimg.msn.co...snediag3028.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = scrmain.springcreekranch.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3FF1437-16BF-49A6-B4C4-5AD70886728E}: NameServer = 10.5.5.97
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = scrmain.springcreekranch.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = scrmain.springcreekranch.com
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



And the Panda Scan Report.


Incident Status Location

Adware:adware/securityerror Not disinfected C:\Documents and Settings\grobles\Favorites\Antivirus Test Online.url
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\grobles\My Documents\Security\SmitRem\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\grobles\My Documents\Security\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/SpyFalcon Not disinfected C:\RECYCLER\S-1-5-21-606747145-1677128483-854245398-1003\Dc131.exe
Potentially unwanted tool:Application/SpyFalcon Not disinfected C:\RECYCLER\S-1-5-21-606747145-1677128483-854245398-1003\Dc132.exe
Potentially unwanted tool:Application/SpyFalcon Not disinfected C:\RECYCLER\S-1-5-21-606747145-1677128483-854245398-1003\Dc135.exe
Potentially unwanted tool:Application/SpyFalcon Not disinfected C:\RECYCLER\S-1-5-21-606747145-1677128483-854245398-1003\Dc138.exe
Potentially unwanted tool:Application/SpyFalcon Not disinfected C:\RECYCLER\S-1-5-21-606747145-1677128483-854245398-1003\Dc139.exe
Potentially unwanted tool:Application/SpyFalcon Not disinfected C:\RECYCLER\S-1-5-21-606747145-1677128483-854245398-1003\Dc140.exe
Potentially unwanted tool:Application/SpyFalcon Not disinfected C:\RECYCLER\S-1-5-21-606747145-1677128483-854245398-1003\Dc141.exe
Potentially unwanted tool:Application/SpyFalcon Not disinfected C:\RECYCLER\S-1-5-21-606747145-1677128483-854245398-1003\Dc142.exe
Potentially unwanted tool:Application/SpyFalcon Not disinfected C:\RECYCLER\S-1-5-21-606747145-1677128483-854245398-1003\Dc143.exe
Potentially unwanted tool:Application/SpyFalcon Not disinfected C:\RECYCLER\S-1-5-21-606747145-1677128483-854245398-1003\Dc144.exe
Potentially unwanted tool:Application/SpyFalcon Not disinfected C:\RECYCLER\S-1-5-21-606747145-1677128483-854245398-1003\Dc145.exe


I am running Windows 2000 Pro so I don't have a "C:\Windows\Temp" folder but I did what you requested in the "C:\WINNT\temp" folder instead. I hope that was OK. :blink:

The Panda Report still shows potentially unwanted items in the RECYCLER folder, but I am not sure it is something worth worrying about. Let me know if I should worry about cleaning those out. My comp is back to its usual speed at any rate. Thanks a bunch. You guys rock. :thumbup:



#11 Piatan

Piatan

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 1,825 posts

Posted 17 February 2006 - 05:34 PM

Hi Goldmember, You're welcome. :D

Right you are about those Temp folders; I was about to give you Windows XP.
Recycler in XP refers to System Restore. But since W2K doesn't have System Restore... go ahead and clear out C:\RECYCLER. SpyFalcon is in there, and it is not disinfected.

Your Hijack This logfile looks to be clean.

If there are no continuing issues, I would recommend the following.

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.

  • Download the new Ad-Aware SE version, and follow the instructions on how to do a full scan: http://forums.spywar...showtopic=11150
    Reboot after using Ad-Aware SE. Also, while there, get the VX2 plugin and follow the instructions to run it as well.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware; I strongly recommend both to catch most spyware.
To protect yourself further:
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
I also suggest that you delete any files from "temp" and "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files", select the box that says "Delete All Offline Content", and click on "OK" twice. Also, empty the recycle bin by right-clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

And also see TonyKlein's good advice
http://castlecops.co...tlite7736-.html
So how did I get infected in the first place?

Safe surfing. :wavey:
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


#12 Goldmember

Goldmember

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 17 February 2006 - 06:46 PM

One small problem when I went to delete the items in the RECYCLER folder. I don't have a RECYCLER folder!! :blink: Panda says I have it and that it found SpyFalcon in it, but when I go look for it I can't find the folder. I ran a search for any folders named RECYCLER and came up empty. Any idea what is going on? If I don't have a folder named C:\RECYCLER, why is Panda finding it? If I do have a C:\RECYCLER folder, why can't I find it? Very confused... At any rate, I will have to take this up on Monday. Time to go enjoy the weekend. Thanks.

Edited by Goldmember, 17 February 2006 - 06:48 PM.


#13 Piatan

Piatan

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 1,825 posts

Posted 17 February 2006 - 08:35 PM

Hi Goldmember;
Have a look in your Recycle bin (trash). That's likely what Panda means.
Failing that, check all Temp and Temporary Internet files.
Failing that, do an All Files search in SAFE MODE for SpyFalcon. Be sure to include hidden files.

Let me know how it turns out. :scratch:

#14 Goldmember

Goldmember

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 23 February 2006 - 03:07 PM

I finally found that darn folder. It seems I needed to uncheck the option to "Hide protected operating system files" under Folder Options. It finally displayed and opened the C:\RECYCLER folder, and I was able to completely delete those files. Here is a new HijackThis log and Panda ActiveScan log.

Logfile of HijackThis v1.99.1
Scan saved at 1:52:08 PM, on 2/23/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\grobles\My Documents\Security\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h20278.www2.h...SWebManager.CAB
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} - http://entimg.msn.co...snediag3028.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = scrmain.springcreekranch.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3FF1437-16BF-49A6-B4C4-5AD70886728E}: NameServer = 10.5.5.97
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = scrmain.springcreekranch.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = scrmain.springcreekranch.com
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe




Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\grobles\My Documents\Security\SmitRem\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\grobles\My Documents\Security\smitRem.exe[Process.exe]


So the only thing showing up is the smitRem program and I assume this is ok. Once again, thanks for all your help. :thumbup:

Edited by Goldmember, 23 February 2006 - 03:10 PM.
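The Panda ActiveScan report quoted in this thread is a flat "category:detection status path" listing, and the confusion earlier in the thread came from where those paths pointed: `C:\RECYCLER\<SID>\` is the per-user recycle bin on NT-family Windows (a hidden, system-attribute folder, which is why it only appeared once "Hide protected operating system files" was unchecked), and the recycle bin renames the files it holds to `D<drive letter><index>.<ext>`, so `Dc131.exe` was deleted from drive C. The following is an added example (not code from the thread or from Panda) that parses report lines in that layout, identifies recycle-bin hits by user SID, and groups the rest. The sample report text is assembled from the lines posted above; the status vocabulary the regex accepts is an assumption limited to what this report shows plus the obvious success case.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Report text in the layout of the Panda ActiveScan output posted in this thread
# (assembled from those lines; Dc131.exe / Dc132.exe are the SpyFalcon hits).
SAMPLE_REPORT = r"""
Incident Status Location

Adware:adware/securityerror Not disinfected C:\Documents and Settings\grobles\Favorites\Antivirus Test Online.url
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\grobles\My Documents\Security\SmitRem\smitRem\Process.exe
Potentially unwanted tool:Application/SpyFalcon Not disinfected C:\RECYCLER\S-1-5-21-606747145-1677128483-854245398-1003\Dc131.exe
Potentially unwanted tool:Application/SpyFalcon Not disinfected C:\RECYCLER\S-1-5-21-606747145-1677128483-854245398-1003\Dc132.exe
"""

# "<category>:<detection> <status> <path>". The category runs up to the first colon,
# which is safe because the drive-letter colon comes later in the line.
# Assumption: the only statuses handled are the one shown here and "Disinfected".
LINE_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<detection>\S+)\s+"
    r"(?P<status>Not disinfected|Disinfected)\s+(?P<path>.+)$"
)
# Per-user recycle bin on NT-family Windows: <drive>:\RECYCLER\<user SID>\...
RECYCLER_RE = re.compile(
    r"^[A-Za-z]:\\RECYCLER\\(?P<sid>S-1-5-21(?:-\d+)+)\\", re.IGNORECASE
)
# Files inside the recycle bin are renamed to D<original drive letter><index>.<ext>
RECYCLED_NAME_RE = re.compile(r"^D(?P<drive>[A-Za-z])(?P<index>\d+)(?P<ext>\.[^.\\]+)?$")


@dataclass
class Incident:
    category: str
    detection: str
    status: str
    path: str


def parse_report(text: str) -> List[Incident]:
    """Parse report lines into Incident records; blank lines and the header are skipped."""
    incidents: List[Incident] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Incident Status Location":
            continue
        m = LINE_RE.match(line)
        if m is None:
            # Fail loudly rather than silently dropping a finding from the report.
            raise ValueError(f"unrecognised report line: {line!r}")
        incidents.append(Incident(**m.groupdict()))
    return incidents


def recycler_sid(path: str) -> Optional[str]:
    """Return the owning user's SID if the path is inside a RECYCLER per-user folder."""
    m = RECYCLER_RE.match(path)
    return m.group("sid") if m else None


def recycled_from_drive(path: str) -> Optional[str]:
    """For a recycle-bin file name like Dc131.exe, return the drive it was deleted from."""
    name = path.rsplit("\\", 1)[-1]
    m = RECYCLED_NAME_RE.match(name)
    return m.group("drive").upper() if m else None


def group_by_location(incidents: List[Incident]) -> Dict[str, List[Incident]]:
    """Bucket findings by recycle-bin owner SID, with everything else under 'elsewhere'."""
    groups: Dict[str, List[Incident]] = {}
    for inc in incidents:
        sid = recycler_sid(inc.path)
        key = f"recycle bin of {sid}" if sid else "elsewhere"
        groups.setdefault(key, []).append(inc)
    return groups


if __name__ == "__main__":
    for where, items in group_by_location(parse_report(SAMPLE_REPORT)).items():
        print(where)
        for inc in items:
            origin = recycled_from_drive(inc.path)
            note = f" (deleted from drive {origin})" if origin else ""
            print(f"  {inc.detection:<28} {inc.status:<16} {inc.path}{note}")
```

Grouping by SID also tells you whose recycle bin the items sit in, which is useful on a shared machine; emptying the Recycle Bin from that user's session, or deleting the folder with protected operating system files visible, as was done above, removes them.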


#15 Piatan

Piatan

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 1,825 posts

Posted 23 February 2006 - 04:57 PM

Hi Goldmember;

That was my last option, to "be sure to include hidden files" in the search.
I admit it was an afterthought and much too subtle. That should serve as a reminder to me, to be clearer with directions.
Anyway, glad you located and dispatched it.

You could delete those SmitRem files that Panda ActiveScan found, since they are no longer needed.
Be sure to first close all open windows and browsers. :D
Next, make sure you have set Windows to show Hidden Files & Folders, then reboot into Safe Mode.

When finished, reboot into Normal Mode and hide protected operating system files.

Your latest Hijack This logfile looks to be clean.

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.

  • Download the new Ad-Aware SE version, and follow the instructions on how to do a full scan: http://forums.spywar...showtopic=11150
    Reboot after using Ad-Aware SE. Also, while there, get the VX2 plugin and follow the instructions to run it as well.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware; I strongly recommend both to catch most spyware.
To protect yourself further:
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
I also suggest that you delete any files from "temp" and "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files", select the box that says "Delete All Offline Content", and click on "OK" twice. Also, empty the recycle bin by right-clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

And also see TonyKlein's good advice
http://castlecops.co...tlite7736-.html
So how did I get infected in the first place?

Safe surfing. :wavey:
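Both of the helper's replies above recommend the MVPS HOSTS file, which works by mapping known ad and tracking hostnames to 127.0.0.1 (or 0.0.0.0) so the resolver never reaches the real server. The following is an added example, not code from the thread or from the MVPS project, showing that mechanism in miniature: it parses a small constructed hosts file in the same "address hostname" layout, answers "would this name be sinkholed?", and flags entries that point a hostname somewhere other than loopback or 0.0.0.0, which a blocklist never does and which is worth a look on a machine that has had malware. All hostnames below are made up (reserved `.test` names and TEST-NET addresses).

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample in the MVPS-style layout: comments, then "address hostname" entries.
# The hostnames are invented for this example; a real blocklist holds thousands of them.
SAMPLE_HOSTS = """\
# Entries inserted by an ad-blocking hosts list (constructed example)
127.0.0.1  localhost
127.0.0.1  ads.example-adserver.test      # tracking pixel host
127.0.0.1  banners.example-adserver.test
0.0.0.0    popups.example-popup.test
# A blocklist never writes a line like the next one: a vendor-looking name sent to a
# remote address. It is included only so the checker below has something to flag.
203.0.113.7 update.example-vendor.test
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Map hostname -> address. Comments are stripped; the first entry for a name wins,
    which mirrors how the resolver reads the file."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: no hostname after the address
        addr, *names = parts
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def lookup(table: Dict[str, str], hostname: str) -> Optional[str]:
    """Return the address the hosts file would hand back for this exact name, if any."""
    return table.get(hostname.lower())


def is_sinkholed(table: Dict[str, str], hostname: str) -> bool:
    """True if the name is pinned to loopback or 0.0.0.0, i.e. the connection goes nowhere.
    Matching is by exact hostname: a hosts file has no wildcards, so a subdomain of a
    blocked name is NOT blocked unless it is listed on its own."""
    addr = lookup(table, hostname)
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def unexpected_redirects(table: Dict[str, str]) -> List[Tuple[str, str]]:
    """Entries (other than localhost) that send a name to a real address.
    A blocklist only ever uses 127.0.0.1 / 0.0.0.0, so anything else deserves review."""
    flagged = []
    for name, addr in table.items():
        if name == "localhost":
            continue
        ip = ipaddress.ip_address(addr)
        if not (ip.is_loopback or ip.is_unspecified):
            flagged.append((name, addr))
    return flagged


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-adserver.test", "cdn.ads.example-adserver.test"):
        print(f"{name}: {'blocked' if is_sinkholed(hosts, name) else 'not blocked'}")
    for name, addr in unexpected_redirects(hosts):
        print(f"review: {name} -> {addr}")
```

The exact-match point is the practical caveat of this approach: a hosts file blocks only the names it lists, so a new or differently named ad host gets through until the list is updated, which is why the advice above pairs it with scanners rather than relying on it alone. On Windows 2000 the file lives at `C:\WINNT\system32\drivers\etc\hosts`; it should be writable only by administrators.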
