Download TrojanHunter Now
Free 30-day trial!
Latest TrojanHunter Version:
TrojanHunter 5.0
Order Now
License file delivered within minutes.
Welcome, Guest. Please Login or Register.
Dec 1st, 2008, 8:08pm
   Mischel Internet Security Forum
   Malware
   Trojans (Moderators: Helena, Gavin_Coe, Magnus)
   how do i remove downloader.swizzor???		 « Previous topic | Next topic »
Pages: 1  Reply Reply  Notify of replies Notify of replies   Send Topic Send Topic   Print Print
   Author  Topic: how do i remove downloader.swizzor???  (Read 2887 times)
kyoichi14
Newbie
*





   


Gender: male
 Posts: 3
how do i remove downloader.swizzor???
« on: Oct 29th, 2006, 1:03pm »		 Quote Quote  Modify Modify
hi i seem to be having problem with this downloader.swizzor.8.bk. I have already scanned my pc using TH but it just keep comming. anyone who can help me with this. Thanks very much  Smiley
IP Logged
Randy_Bell
Global Moderator
*****




TrojanHunter is the Best!

40416585 40416585   randybell_98   atmrover
WWW   Email

Gender: male
 Posts: 2883
Re: how do i remove downloader.swizzor???
« Reply #1 on: Oct 29th, 2006, 2:23pm »		 Quote Quote  Modify Modify
Hmmm, well I guess we might need to start with a HijackThis log.  You can get HJT from here:  http://www.majorgeeks.com/download3155.html
IP Logged
kyoichi14
Newbie
*





   


Gender: male
 Posts: 3
Re: how do i remove downloader.swizzor???
« Reply #2 on: Oct 29th, 2006, 2:28pm »		 Quote Quote  Modify Modify
thanks ill try that  Smiley
IP Logged
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
 Posts: 5815
Re: how do i remove downloader.swizzor???
« Reply #3 on: Oct 29th, 2006, 3:25pm »		 Quote Quote  Modify Modify
Welcome to the forum kyoichi14 !  Cheesy
 
When you download HiJackThis, please install it in its own folder on your hard drive....not on the desktop or in a temporary folder.
 
Once you get HiJackThis.exe in its own folder, please change the name of HiJackThis.exe to some other name such as AnalyzeIt.exe.  The reason for the rename is that some of malicious elements prevent HiJackThis.exe from properly displaying.  So the rename fools these types of malicious elements.
 
Then post the scan log from a HJT (AnalyzeIt.exe) scan back here so we can examine it.
« Last Edit: Oct 29th, 2006, 3:26pm by siliconman01 » IP Logged
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
kyoichi14
Newbie
*





   


Gender: male
 Posts: 3
Re: how do i remove downloader.swizzor???
« Reply #4 on: Oct 30th, 2006, 1:20am »		 Quote Quote  Modify Modify
Sorry that it me long to reply I really need to rest and go to my class (hope you understand) Grin.
 
So here is what the log contains:
 
Logfile of HijackThis v1.99.1
Scan saved at 3:18:11 PM, on 10/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\mysql\bin\mysqld.exe
D:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\vsnpmi03.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Softwin\BitDefender8\bdswitch.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\HJT\AnalyzIt.exe
 
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\4.bin\MWSBAR.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [SNPMI03] C:\WINDOWS\vsnpmi03.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Free Download Manager] D:\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Flapflag] C:\DOCUME~1\tinoy\APPLIC~1\JUNKTH~1\eqstupid.exe
O4 - Startup: bday reminders.txt
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNfox000
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aardwolf.invalid
O17 - HKLM\Software\..\Telephony: DomainName = aardwolf.invalid
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aardwolf.invalid
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = aardwolf.invalid
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = aardwolf.invalid
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Apache2 - Unknown owner - D:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - D:\mysql\bin\mysqld.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 
Thanks for you help  Wink
IP Logged
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
 Posts: 5815
Re: how do i remove downloader.swizzor???
« Reply #5 on: Oct 30th, 2006, 2:19am »		 Quote Quote  Modify Modify
The HJT log does show some infections.  Please do this for starters.
 
1.  Go to the link below and change some default parameters for Internet Explorer so that you can view ALL files and folders.
 
http://www.misec.net/forum/board/FAQ/1139610900
 
2.  Submit the two files shown below to Mischel Internet Security for analysis.  The link below explains how to submit these files.
 
http://www.misec.net/forum/board/FAQ/1139308293
 
The files are:
 
vsnpmi03.exe
eqstupid.exe
 
3.  Once you get the two above files sent out via email, please do the following:
 
-  Update Spy Sweeper to the latest rules/definitions.
-  Update TrojanHunter to the latest rulesets issued last night.
 
-  Reboot your computer into SAFE MODE.
-  Run a FULL Scan with TrojanHunter and let it quarantine what it finds.
-  Run a FULL scan with Spy Sweeper and let it quarantine what it finds.
-  After these scan are completed, reboot your computer in Normal Mode.
 
4.  Run a Remote Scan with BitDefender.  
-  The remote scan link is provided in the link below.  
-  You will need to use IE for this because BitDefender requires ActiveX.
-  Deactivate your resident anti-virus scanner while running this remote scan by Bit Defender.
 
http://www.misec.net/forum/board/FAQ/1141894786  
 
5.  Immediately reboot after completing the remote scan/cleaning by BitDefender.  Then:
 
-  Post a new HJT log
-  Post the scan results of the BitDefender scan.
 
 
 
IP Logged
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
 Posts: 5815
Re: how do i remove downloader.swizzor???
« Reply #6 on: Oct 30th, 2006, 3:10am »		 Quote Quote  Modify Modify
You also need to update your Java software which is significantly out of date on your system.  Several security fixes have been issued since jre1.5.0_06
 
Here is the link for the Java download.
 
http://java.com/en/download/help/5000010400.xml
 
-  You should download the offline installation of this update.
-  Close down your running programs in the lower right systray.  Disable your anti-virus program.  Be sure all browser windows are close.
-  Using Add/Remove Programs in the control panel, remove the outdated version.
-  Install the new version of Java.
-  Reboot
-  Test the installation here:
http://java.com/en/download/installed.jsp
IP Logged
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
Pages: 1  Reply Reply  Notify of replies Notify of replies   Send Topic Send Topic   Print Print

« Previous topic | Next topic »
Search
Members
Login
Register