Mischel Internet Security Forum
   How to fix Downloader.Swizzor AVG wont fix it
jazza99 (Newbie, Posts: 5)
How to fix Downloader.Swizzor AVG wont fix it
« on: Dec 31st, 2006, 6:38pm »

I can't seem to get rid of Downloader.Swizzor. I have used AVG and SpySweeper but it still seems to come through. Here is my HJT log.
 
Logfile of HijackThis v1.99.1
Scan saved at 1:31:49 PM, on 1/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\Documents and Settings\krystle.jarred\My Documents\Jarreds\Setup Files new\AnalyseIt.exe
 
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [mess else] C:\DOCUME~1\KRYSTL~1.JAR\APPLIC~1\REALPL~1\modelogohide.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139745509796
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
 
Please help someone.............. jazza
siliconman01 (Global Moderator, Posts: 5815)
Re: How to fix Downloader.Swizzor AVG wont fix it
« Reply #1 on: Jan 1st, 2007, 2:14am »

Welcome to the forum, jazza99!
 
Nothing in the HiJackThis log is showing an infection.  However, this does not mean that the machine is clean.  What security program is flagging you with Swizzor and what files does it say are infected?  There are many variants of this critter.
 
Please do this and see if anything is uncovered.  
 
1.  Download/Install the trial version of TrojanHunter (I assume you do not have TH on your computer).  After you get it installed, open Trojan Scanner:
 
-  Run LiveUpdate to download the very latest rulesets.
-  Click on the Options icon on the left sidebar.  Checkmark all the scanning options.
-  Click on the Scan icon on the left sidebar.  Checkmark the hard drives you would like scanned.
-  Close TH scanner.
 
2.  Reboot your computer into SAFE MODE.
 
3.  In SAFE MODE, run a FULL SCAN with TrojanHunter and let it clean what it finds.  Please save the scan/cleaning log so that you can post it back here.  Look under FILE in the top menu bar to initiate the log save.
 
4.  Reboot your computer into Normal Mode.
 
5.  Test your computer for a rootkit by running a scan with F-Secure Blacklight.  The link below guides you to the download page for Blacklight.  Be sure to download Blacklight, not the security suite.  
 
http://www.misec.net/forum/board/FAQ/1164990581
 
6.  Run a REMOTE SCAN with Bit Defender's online scanner.  The link below guides you to Bit Defender.  You will need to use IE because an ActiveX element has to be installed by Bit Defender.  Be sure to deactivate your normal AV scanner and other realtime security scanners when doing this remote scan.  Let BD delete what it finds.
 
http://www.misec.net/forum/board/FAQ/1141894786
 
7.  Please post back here the results of the TH scan, the Bit Defender scan, and the Blacklight scan.
 
8.  Run a new HiJackThis scan and post it back here.

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
jazza99 (Newbie, Posts: 5)
Re: How to fix Downloader.Swizzor AVG wont fix it
« Reply #2 on: Jan 1st, 2007, 3:13pm »

Hello, I forgot to mention that the Downloader.Swizzor was coming through AVG; it would just say "threat found". Anyway, I did the things you suggested.
 
Trojan Hunter log
 
Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusOverride.zip
Not scanning password-protected file Config.ini in C:\Documents and Settings\krystle.jarred\Desktop\RegistryFixBackup\12,30,2006_22,30,53.zip
Not scanning password-protected file Config.ini in C:\Documents and Settings\krystle.jarred\Desktop\RegistryFixBackup\12,31,2006_8,57,59.zip  
Found NTFS alternate data stream: C:\Documents and Settings\krystle.jarred\My Documents\Jarreds\hijackthis.zip:Zone.Identifier:$DATA  
(View ADS stream...)  
(Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\krystle.jarred\My Documents\Jarreds\Setup Files new\6-12_xp_dd_ccc_wdm_enu_38463.exe:Zone.Identifier:$DATA  
(View ADS stream...)  
(Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\krystle.jarred\My Documents\Jarreds\Setup Files new\atimcatw.exe:Zone.Identifier:$DATA  
(View ADS stream...)  
(Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\krystle.jarred\My Documents\Jarreds\Setup Files new\blbeta.exe:Zone.Identifier:$DATA  
(View ADS stream...)  
(Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\krystle.jarred\My Documents\Jarreds\Setup Files new\IE7-WindowsXP-x86-enu.exe:Zone.Identifier:$DATA  
(View ADS stream...)  
(Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\krystle.jarred\My Documents\Jarreds\Setup Files new\InstallPREVX102000506.exe:Zone.Identifier:$DATA  
(View ADS stream...)  
(Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\krystle.jarred\My Documents\Jarreds\Setup Files new\LimeWireWin.exe:Zone.Identifier:$DATA  
(View ADS stream...)  
(Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\krystle.jarred\My Documents\Jarreds\Setup Files new\Morpheus.exe:Zone.Identifier:$DATA  
(View ADS stream...)  
(Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\krystle.jarred\My Documents\Jarreds\Setup Files new\MorpheusTurboBooster_installer.exe:Zone.Identifier:$DATA  
(View ADS stream...)  
(Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\krystle.jarred\My Documents\Jarreds\Setup Files new\nl_v130.exe:Zone.Identifier:$DATA  
(View ADS stream...)  
(Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\krystle.jarred\My Documents\Jarreds\Setup Files new\registryfix.exe:Zone.Identifier:$DATA  
(View ADS stream...)  
(Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\krystle.jarred\My Documents\Jarreds\Setup Files new\rminstall.exe:Zone.Identifier:$DATA  
(View ADS stream...)  
(Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\krystle.jarred\My Documents\Jarreds\Setup Files new\sdsetup.exe:Zone.Identifier:$DATA  
(View ADS stream...)  
(Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\krystle.jarred\My Documents\Jarreds\Setup Files new\SpySweeperTrialSetup3922_EN_AB.exe:Zone.Identifier:$DATA  
(View ADS stream...)  
(Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\krystle.jarred\My Documents\Jarreds\Setup Files new\TrojanHunterSetup.exe:Zone.Identifier:$DATA  
(View ADS stream...)  
(Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\krystle.jarred\My Documents\Jarreds\Setup Files new\uTorrent-1.6-install.exe:Zone.Identifier:$DATA  
(View ADS stream...)  
(Delete ADS stream)
Not scanning password-protected file Morpheus.exe in C:\DOCUME~1\KRYSTL~1.JAR\LOCALS~1\Temp\Morpheus full version +Crack _ serial.zip
Unable to extract 更多精彩.html from C:\Documents and Settings\krystle.jarred\My Documents\Morpheus Shared\Downloads\Morpheus Ultra full version +Crack _ serial 5.zip/Registry Mechanic v4.0.0.86 + crack.rar/Registry Mechanic v4.0.0.86 Final.CR.rar
Found NTFS alternate data stream: C:\Documents and Settings\krystle.jarred\My Documents\My Received Files\Registry.Mechanic.5.0.1.244.serial.zip:Zone.Identifier:$DATA  
(View ADS stream...)  
(Delete ADS stream)
C:\pagefile.sys  Not scanned (in use by another application)
Warning: Executable file with double extensions found: C:\Program Files\Microsoft Office\OFFICE11\Microsoft.Office.Interop.InfoPath.Xml.dll
Not scanning password-protected file Config.ini in C:\Program Files\RegistryFix\RegistryFixBackup\12,30,2006_22,15,46.zip
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.InfoPath.Xml\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.InfoPath.Xml.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_a73fb5bc\System.Xml.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.XML.dll
C:\WINDOWS\system32\drivers\dtscsi.sys  Not scanned (in use by another application)
C:\WINDOWS\system32\drivers\sptd.sys  Not scanned (in use by another application)
C:\WINDOWS\system32\drivers\sptd7341.sys  Not scanned (in use by another application)
No trojan files found
13720 files scanned in 1386 seconds
 
F-Secure Blacklight didn't find anything at all.
 
Bit-Defender log
 
BitDefender Online Scanner - Real Time Virus Report
Generated at: Tue, Jan 02, 2007 - 09:57:47
-----------------------------------------------------------
Scan Info
Scanned Files: 538252
Infected Files: 2
Virus Detected
GenPack:Trojan.Swizzor.DH: 1
Trojan.Downloader.WMA.Wimad.D: 1
 
Bit-Defender deleted these files
 
Hijack this log
 
Logfile of HijackThis v1.99.1
Scan saved at 10:05:49 AM, on 1/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\RAMASST.exe
c:\progra~1\intern~1\iexplore.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\Grisoft\AVG7\avginet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\krystle.jarred\My Documents\Jarreds\Setup Files new\AnalyseIt.exe
 
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [mess else] C:\DOCUME~1\KRYSTL~1.JAR\APPLIC~1\REALPL~1\modelogohide.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139745509796
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
 
 
 
jazza99 (Newbie, Posts: 5)
Re: How to fix Downloader.Swizzor AVG wont fix it
« Reply #3 on: Jan 1st, 2007, 3:18pm »

The file infected with Downloader.Swizzor was  
C:\Documents and settings\jarred\Local Settings\Temporary Internet Files\Content.IE5\U1UGU625\upAYB[3].int
siliconman01 (Global Moderator, Posts: 5815)
Re: How to fix Downloader.Swizzor AVG wont fix it
« Reply #4 on: Jan 1st, 2007, 11:13pm »

Okay, thanks for the comeback.
 
Your new HiJackthis scan log looks clean.  I assume that the Bit Defender removals cleared up the Swizzor problem.  Is that correct?
 
Here are some items you should consider:
 
1.  Let TrojanHunter delete all of the Alternate Data Streams (ADS) that are in your system.  Here is a link that explains what ADS means.  Just run a TH scan.  When the scan is completed, click on each one of the Delete ADS Stream items, confirm, and TH will remove the ADS.
 
http://www.misec.net/forum/board/FAQ/1139255678
 
2.  The files that TH is flagging with double extensions all look valid.  You can prevent TH from flagging these by unchecking the option "Log executable files with double extensions".  TH will still scan them; it just will not log them as having double extensions.  You can read about double extensions here:
 
http://www.misec.net/forum/board/FAQ/1139255660
 
3.  Download/Install freebie program CCleaner to clean out all your temporary and junk files.  Use it routinely to clean things up.  It can be obtained from:
 
http://www.ccleaner.com
 
4.  Your Java module is significantly out of date (jre1.5.0_06).  The latest version is 1.6.0-b105 with several security fixes.  You can install the newest version by START>SETTINGS>CONTROL PANEL>JAVA>UPDATE tab.  After the new version is installed, you can remove the old version through Add or Remove Programs in the Control Panel.  Sun does not automatically remove the old version when a new version is installed.  
 
Please let us know whether AVG is now content.

jazza99 (Newbie, Posts: 5)
Re: How to fix Downloader.Swizzor AVG wont fix it
« Reply #5 on: Jan 4th, 2007, 1:32pm »

Hello, I deleted the ADS streams and updated the Java, but Downloader.Swizzor still comes through AVG. It comes through in the Temp folder and in the Temporary Internet Files IE5 Content folder as upAYB[1].int.
 
Should I use another antivirus software?
siliconman01 (Global Moderator, Posts: 5815)
Re: How to fix Downloader.Swizzor AVG wont fix it
« Reply #6 on: Jan 4th, 2007, 2:40pm »

Please do the following in an effort to clean out your Temporary Internet Files and other junk temp files/folders on your system.
 
1.  Go to http://www.ccleaner.com and download/install freebie cleaning program CCleaner.  
 
2.  After you get CCleaner installed, close ALL open windows and all programs in the systray except your AV and firewall.  De-activate your realtime anti-virus program.  
 
3.  Open CCleaner and run the Cleaner component.  This will clean out all temp files/folders.  DO NOT run the Issues component as this is a registry cleaner.
 
4.  Close CCleaner and reboot your computer.
 
Is the infected file now gone from the Temporary Internet Files?

jazza99 (Newbie, Posts: 5)
Re: How to fix Downloader.Swizzor AVG wont fix it
« Reply #7 on: Jan 4th, 2007, 7:04pm »

I used CCleaner and it did get rid of the infected files, but then 30 minutes later AVG popped up saying "threat detected", which was Downloader.Swizzor again.
 
Any suggestions?
Randy_Bell (Global Moderator, Posts: 2883)
Re: How to fix Downloader.Swizzor AVG wont fix it
« Reply #8 on: Jan 4th, 2007, 9:37pm »

Could this be a false positive {f.p.}?  The infected file you listed:
 
upAYB[3].int
 
- is not even an executable file.  Usually executables, or DLLs which can be executed, are flagged by anti-malware scanners.
 
on Jan 4th, 2007, 7:04pm, jazza99 wrote:
I used CCleaner and it did get rid of the infected files, but then 30 minutes later AVG popped up saying "threat detected", which was Downloader.Swizzor again. Any suggestions?
siliconman01 (Global Moderator, Posts: 5815)
Re: How to fix Downloader.Swizzor AVG wont fix it
« Reply #9 on: Jan 4th, 2007, 10:31pm »

Please submit the following file for analysis.  I cannot find any info on it so it is suspicious to me.  The file is modelogohide.exe.  The link below describes how to submit a file to Mischel Internet Security for analysis.  
 
http://www.misec.net/forum/board/FAQ/1139308293
 
I just found info on "Mess Else" which clarifies.  Please do the following.
 
1.  Submit modelogohide.exe as requested above.
 
2.  Run another HJT scan.  When the scan is completed, place a checkmark in the box next to the entry shown below.  BE SURE this is the only item checkmarked.  Then click on Fix Checked on the bottom left side of the HJT window.  Confirm that you want HJT to fix this item.  
 
O4 - HKCU\..\Run: [mess else] C:\DOCUME~1\KRYSTL~1.JAR\APPLIC~1\REALPL~1\modelogohide.exe
 
3.  After the fix is completed, close the HJT window and REBOOT your computer.
 
4.  Run CCleaner again.
 
5.  Run a REMOTE scan of your system using Kaspersky.  The link below will direct you to the Kaspersky site.  Be SURE to de-activate your normal realtime AV before doing the scan.  
 
http://www.misec.net/forum/board/FAQ/1141894786  
 
 
 
 
« Last Edit: Jan 4th, 2007, 10:41pm by siliconman01 »

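The O4 entry that siliconman01 has the user fix is an HKCU Run value whose target lives under the profile's Application Data folder, which is the first thing a reviewer checks in an autostart list. Here is an added Python example (not code from the thread, HijackThis or TrojanHunter) that parses O4 lines from a HijackThis v1.99.1 log, flags autostarts running from user-writable profile or temp locations or from a bare file name, and lists which O4 entries appeared between the first and second log; the sample lines are constructed from the shape of the logs posted above and are only a subset of them.

```python
"""Triage of HijackThis O4 (autostart) entries.

Added example for this thread; not code from HijackThis, TrojanHunter or
the forum. Parses the O4 lines of a HijackThis v1.99.1 log, flags
autostarts that run from a user-writable profile/temp location (as the
[mess else] entry does) or from a bare file name, and lists which O4
entries appeared between two logs. Sample lines are constructed from the
shape of the logs posted above (a subset, not the full logs).
"""
import re
from typing import Dict, List, Optional

# Constructed sample: O4 lines in the shape of the first log.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mess else] C:\DOCUME~1\KRYSTL~1.JAR\APPLIC~1\REALPL~1\modelogohide.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
"""
# Constructed sample: the second log gained two HKLM Run entries.
LOG_AFTER = LOG_BEFORE + r"""
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
"""

# "O4 - HKLM\..\Run: [name] command" and "O4 - Global Startup: x.lnk = command"
_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_STARTUP = re.compile(r"^O4 - (?P<hive>Startup|Global Startup): (?P<name>.+?) = (?P<cmd>.*)$")

# Per-user profile locations (8.3 short names and long names) and temp folders.
_USER_PROFILE = re.compile(
    r"(^|\\)(DOCUME~1|DOCUMENTS AND SETTINGS)\\[^\\]+\\"
    r"(APPLIC~1|APPLICATION DATA|LOCALS~1|LOCAL SETTINGS|MY DOCUMENTS|DESKTOP)",
    re.IGNORECASE,
)
_TEMP = re.compile(r"(^|\\)(TEMP|TMP|TEMPORARY INTERNET FILES)(\\|$)", re.IGNORECASE)


def command_path(cmd: str) -> str:
    """Return the executable part of an autostart command, arguments dropped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, may contain spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|cmd|pif|dll))(?:\s|$)", cmd, re.IGNORECASE)
    if m:                                        # unquoted path with a known extension
        return m.group(1)
    return cmd.split()[0] if cmd else ""         # no extension: first token


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Parse one O4 line into hive/name/cmd/path, or None for any other line."""
    for rx in (_RUN, _STARTUP):
        m = rx.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["path"] = command_path(entry["cmd"])
            return entry
    return None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the O4 entries that deserve a second look, each with a 'reason'."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        path = entry["path"]
        if _USER_PROFILE.search(path) or _TEMP.search(path):
            entry["reason"] = "runs from a user-writable profile/temp location"
            flagged.append(entry)
        elif "\\" not in path and "/" not in path:
            entry["reason"] = "bare file name resolved via the search path; confirm which copy runs"
            flagged.append(entry)
    return flagged


def new_entries(before: str, after: str) -> List[str]:
    """Names of O4 entries present in the second log but not in the first."""
    def names(text: str) -> set:
        return {e["name"] for e in map(parse_o4, text.splitlines()) if e}
    return sorted(names(after) - names(before))


if __name__ == "__main__":
    for e in triage(LOG_AFTER):
        print(f"[{e['hive']}] {e['name']!r}: {e['path']} -> {e['reason']}")
    print("added since first log:", new_entries(LOG_BEFORE, LOG_AFTER))
```

On the constructed logs the triage flags [mess else] for its Application Data path and [TPSMain] only because it is a bare file name, and the diff reports THGuard and KernelFaultCheck as the entries that were not in the first log.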
siliconman01 (Global Moderator, Posts: 5815)
Re: How to fix Downloader.Swizzor AVG wont fix it
« Reply #10 on: Jan 6th, 2007, 6:27am »

It is my understanding that the latest rulesets of TH will now detect this malicious file modelogohide.exe and quarantine it.
