2 replies to this topic

[sub_stud]

I have recently detected several spyware, adware, trojan horses, etc running on my computer. I am running XP. I have previously been running the old Microsoft spyware beta program, but now have swithc to microsoft defender.
Unable to completely wipe spyware with Microsoft Defender, I then installed Spybot.
I was still getting reccuring detects, almost immediately after cleaning, unable to permantly clean programs such as Spyfalcon, vcodec, zolob, etc.
I followed the recommendations of similar threads and ran Ad-Aware, smitRem, ewido anti-malware, panda (to check), and hijackThis. The following are log files from these tests.
After running these cleaning programs in safe mode, it appears most of the troubling programs have been removed, but Microsoft Defender is coming up with lesser detections (but this may have been interfearance since I had several anti-spyware programs running at the same time).
When I ran Panda's Active Scan, it came up with 10 detects (again had simultaneous spyware programs running at that time).
Pls review logs to see if there is anything else I can do.

Attached Files

•  smitfiles.txt   3.67K   65 downloads
•  Activescan_panda.txt   8.99K   89 downloads
•  Scan_report_20060318.txt.txt   77.63K   94 downloads
•  hijackthis.txt   8.26K   72 downloads

[CalamityJane]

Wow, great job on the pre-cleaning.

I'm going to paste in these reports for easier reading and then come back and review them, after which I can post a reply of steps to take. :)

(This one is minus the cookies - not important. And minus the System Volume Information Folder stuff - we'll clear that last, it is your backups in System Restore)
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:04:54 PM, 3/18/2006
+ Report-Checksum: C7524423

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Adware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SpyFalcon -> Adware.SpyFalcon : Cleaned with backup
HKU\S-1-5-21-515967899-1532298954-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22} -> Adware.Generic : Cleaned with backup

C:\Documents and Settings\Cynthia\My Documents\akcademiks\tattoopalace.exe -> Dialer.Intexdial : Cleaned with backup

C:\Program Files\SpyFalcon -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\msvcr71.dll -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\msvcp71.dll -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\blacklist.txt -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\syg.db -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\Lang -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\Lang\English.ini -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\Logs -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\Quarantine -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\sf.ini -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\ignored.lst -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\SpyFalcon.url -> Adware.SpyFalcon : Cleaned with backup
C:\Program Files\SpyFalcon\uninst.exe -> Adware.SpyFalcon : Cleaned with backup

::Report End
......................................................
Panda Scan (minus the cookies)
Incident Status Location

Potentially unwanted tool:Application/Restart Not disinfected C:\WINDOWS\system32\Tools\Restart.exe
Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\dfrgsrv.exe
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Documents and Settings\David Alldridge\Local Settings\Temporary Internet Files\Content.IE5\IDWFU1U5\adopt[1].html
Potentially unwanted tool:application/spyfalcon Not disinfected C:\Documents and Settings\David Alldridge\Start Menu\SpyFalcon 2.0.lnk
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\David Alldridge\Desktop\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\David Alldridge\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\smitRem.exe[Process.exe]
.................................................
smitRem ? log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 03/18/2006
The current time is: 9:57:34.64

Running from
C:\Documents and Settings\David Alldridge\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}"="Prestige Software"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}\InProcServer32]
@="C:\WINDOWS\system32\ginuerep.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

Security Toolbar


~~~ Shortcuts ~~~

Online Security Guide.url
Security Troubleshooting.url


~~~ Favorites ~~~



~~~ system32 folder ~~~

1024 dir
msvol.tlb
ncompat.tlb
nvctrl.exe
hp***.tmp
logfiles


~~~ Icons in System32 ~~~

ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peaco*k@beyondlogic.org
Killing PID 936 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}"="Prestige Software"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}\InProcServer32]
@="C:\WINDOWS\system32\ginuerep.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :)
.................................................................................
Logfile of HijackThis v1.99.1
Scan saved at 3:33:48 PM, on 3/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\TSI32\tsircusr.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\NovaStor\NovaBackup\7\NSENGINE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\Program Files\NovaStor\NovaBackup\7\NbkCtrl.exe
C:\Program Files\Common Files\LapLink\Scheduler\LLSCHED.EXE
C:\Program Files\Common Files\LapLink\Scheduler\LLSCHENG.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\WinPortrait\floater.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Digital Lifeline\bin\mpbtn.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\David Alldridge\Desktop\iexplore.exe
C:\Documents and Settings\David Alldridge\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....://my.yahoo.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TSI32\tsircusr.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/search?q=v2premier+home+site:v2premier.com"); (C:\Documents and Settings\David Alldridge\Application Data\Mozilla\Profiles\default\r37hn8km.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\David Alldridge\Application Data\Mozilla\Profiles\default\r37hn8km.slt\prefs.js)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [NovaBackup 7.0 Tray Control] "C:\Program Files\NovaStor\NovaBackup\7\NbkCtrl.exe"
O4 - HKLM\..\Run: [LapLink Scheduler] "C:\Program Files\Common Files\LapLink\Scheduler\LLSCHED.EXE"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Digital Lifeline.lnk = C:\Program Files\Digital Lifeline\bin\mpbtn.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Capture Links - C:\Program Files\Insight Development\Net Knowledge Tools\common\MenuExtCaptureLinks.js
O8 - Extra context menu item: Capture Page - C:\Program Files\Insight Development\Net Knowledge Tools\common\MenuExtCapturePage.js
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Insight NetKnowledge Tools - {102910D3-CF07-4BED-ACDC-D165385B9B66} - C:\Program Files\Insight Development\Net Knowledge Tools\common\Insight NetKnowledge Tools.dll
O9 - Extra button: Verizon Central - {5B3FB261-CF72-4c66-B314-8E6FF9980307} - www.verizon.net (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .html: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go...GameManager.cab
O18 - Protocol: iwd - {EA5F5649-A6C7-11D4-9E3C-0020AF0FFB56} - C:\Program Files\Insight Development\Net Knowledge Tools\common\IwdProtocol.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NsEngine - Unknown owner - C:\Program Files\NovaStor\NovaBackup\7\NSENGINE.exe
O23 - Service: TSI Remote Control Service (TSIRCSRV) - LapLink, Inc. - C:\WINDOWS\System32\TSIRCSRV.EXE

[CalamityJane]

1. Delete these files and folder (if found)

C :\Windows\System32\dxmpp.dll

C:\Windows\System32\ginuerep.dll

C:\Program Files\SpyFalcon (folder)

C:\WINDOWS\system32\dfrgsrv.exe

C:\Documents and Settings\David Alldridge\Start Menu\SpyFalcon 2.0.lnk

2. Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.

3. Download FixSF.reg
http://www.bleepingc...s/reg/FixSF.reg
to your desktop by right clicking on the link and then selecting Save Link As or Save File as, depending on your browser.

Double click on the FixSF.reg file that you downloaded. When it asks if you would like to merge the information, press the Yes button and then the OK button.

4. Do a scan only with HijackThis and checkmark these two entries in the list and then press *fix checked*

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html

5. Go to Start > run and type in the box: cleanmgr

Wait while windows scans your system for files to delete to free up disk space

When it finishes, it will present a list. Make sure these 3 are checkmarked and then press *ok* to delete them:

Temporary Files

Temporary Internet Files

Recycle Bin

6. Reboot your computer. Scan again with Hijackthis and post a fresh log please. Also let me know if you are still seeing any problems on your end?