Mischel Internet Security Forum > Malware > Trojans
(Moderators: Helena, Gavin_Coe, Magnus)
Topic: Another Swizzor victim. (Read 1149 times)
arson (Newbie, Posts: 10)
Another Swizzor victim.
« on: Jan 20th, 2007, 3:14am »

Hello everyone, I found this site while trying to search for cleaning tips for this nasty trojan, download.swizzor.8.bk.  I have read some posts on here and have decided to create my own post, because those log files can be pretty long, and to lessen the confusion I want to be separate.  Siliconman, I saw your advice to the others and I'm going to go step by step and do what you asked.
 
I have already turned off System Restore, rebooted in Safe Mode and ran AVG virus scanner, Spybot Search & Destroy and Ad-Aware, with no luck.  The files get healed but pop back up in my temp folders as random-number .int files and .exe files.
 
Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 2:12:27 AM, on 1/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Common Files\AOL\1143145165\ee\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TrojanHunter 4.6\TrojanHunter.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Bozzi\Desktop\backups\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe
 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [errorbeep] C:\DOCUME~1\Bozzi\APPLIC~1\1BITSD~1\Downloadenc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145815313048
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
 
I am next going to try the TH trial version and also BlackLight.  I will be back to post my results.  Thanks for all your help, I hope this works.
« Last Edit: Jan 20th, 2007, 3:14am by arson »
siliconman01 (Global Moderator, Posts: 5815)
Trojans! Chew 'em Up, Spit 'em Out...
Re: Another Swizzor victim.
« Reply #1 on: Jan 20th, 2007, 4:18am »

Welcome to the forum, arson.
 
Glad you are in the process of running TH Trial in SAFE MODE.
 
Please do this too.
 
1.  Rename HijackThis.exe to something like AnalyzeMe.exe or ShowItToMe.exe.  Some infections directly attack HijackThis.exe and prevent it from showing everything. Renaming it "fools" them so the scan log will show it all.  ALSO, please be sure your browsers are closed when running the HJT scan.
 
2.  Download/Install CCleaner from http://www.ccleaner.com.  Run the Cleaner component to clean out junk and temp files/folders.  DO NOT run the Issues component which is a registry cleaner.
 
3.  Run a REMOTE Scan using Bit Defender.  The link below will guide you to Bit Defender.  BE SURE your normal anti-virus program is disabled.  You will need to use IE for this remote scan because Bit Defender requires an ActiveX download.
 
http://www.misec.net/forum/board/FAQ/1141894786
 
4.  Please post a new HJT log, the TH scan log, and the Bit Defender scan log once the above steps are executed.
 
ALSO I am suspicious of this file:
 
O4 - HKCU\..\Run: [errorbeep] C:\DOCUME~1\Bozzi\APPLIC~1\1BITSD~1\Downloadenc.exe  
 
Please submit Downloadenc.exe to Mischel Internet Security for analysis.  The link below describes how to submit a file.
 
http://www.misec.net/forum/board/FAQ/1139308293
« Last Edit: Jan 20th, 2007, 4:35am by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
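A defender-side triage helper for the HijackThis O4 entries discussed above, added here as an example that is not part of the thread, of HijackThis or of TrojanHunter. It assumes a fixed table of DOS 8.3 short names and its own folder-based scoring rules; the sample log lines are copied from the first log in the thread.

```python
"""Triage helper for the O4 (registry Run) lines of a HijackThis log.

Added example, not code from the thread, HijackThis or TrojanHunter. It
parses the O4 entries, works out which image each autorun launches, and
flags entries starting from a user profile's Application Data or a Temp
folder rather than Program Files or the Windows directory, the trait
siliconman01 singled out for [errorbeep]. The 8.3 short-name table and
the scoring rules are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# O4 - <hive>\..\<key>: [<name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+(?:\\S-[\d-]+)?)\\\.\.\\(?P<key>[^:]+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# First program on the command line: a quoted path, or an unquoted path read
# up to the first executable extension so that paths with spaces survive.
IMAGE_RE = re.compile(
    r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.+?\.(?:exe|dll|bat|cmd|scr|pif|com)))',
    re.IGNORECASE,
)
# DOS 8.3 short names seen in HijackThis logs (assumed table; a tool running
# on the host would resolve them with GetLongPathName instead).
SHORT_NAMES = {"docume~1": "documents and settings", "applic~1": "application data",
               "locals~1": "local settings", "progra~1": "program files"}
USER_DATA_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")


@dataclass
class Finding:
    name: str    # the [name] between brackets
    hive: str    # HKLM or HKCU
    image: str   # program the entry launches, as written in the log
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def image_path(cmd: str) -> str:
    """Return the program a Run-key command line actually launches."""
    cmd = cmd.strip()
    m = IMAGE_RE.match(cmd)
    if not m:
        return cmd.split()[0]
    image = m.group("quoted") or m.group("bare")
    # rundll32 is only a host: the DLL named after it is what really runs.
    if image.lower().endswith("rundll32.exe"):
        return cmd[m.end():].strip().split(",")[0].strip('"')
    return image


def expand_short_names(path: str) -> str:
    """Replace known 8.3 components so the folder rules below can match."""
    return "\\".join(SHORT_NAMES.get(p.lower(), p) for p in path.split("\\"))


def assess(name: str, hive: str, image: str) -> Finding:
    finding = Finding(name, hive, image)
    location = expand_short_names(image).lower()
    if any(d in location for d in USER_DATA_DIRS):
        finding.reasons.append("launches from a profile data or Temp folder")
    elif not location.startswith(TRUSTED_ROOTS):
        finding.reasons.append("launches from outside Program Files / Windows")
    if finding.reasons and "~" in image:
        finding.reasons.append("8.3 short names hide the real folder name")
    return finding


def triage(log_text: str) -> list:
    """Parse every O4 Run/RunOnce line of a HijackThis log into Findings."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m and m.group("key").lower() in ("run", "runonce"):
            findings.append(assess(m.group("name"), m.group("hive"),
                                   image_path(m.group("cmd"))))
    return findings


def flagged_names(log_text: str) -> list:
    """Names of the O4 entries that deserve a closer look, in log order."""
    return [f.name for f in triage(log_text) if f.suspicious]


# Constructed sample: the O4 block of the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [errorbeep] C:\DOCUME~1\Bozzi\APPLIC~1\1BITSD~1\Downloadenc.exe
"""
```

Calling `flagged_names(SAMPLE_LOG)` returns `['errorbeep']`: the AVG entry also uses 8.3 names, but it expands to Program Files and so is not flagged.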
arson (Newbie, Posts: 10)
Re: Another Swizzor victim.
« Reply #2 on: Jan 20th, 2007, 4:38am »

Thank you so much for the fast reply.  Before I read your response I ran THunter; here is the log from that.  Swizzor was not detected but some other stuff was.
 
Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Found trojan file: C:\Documents and Settings\Bozzi\My Documents\randomz\EMULATION\sega\sega romz\KGEN98.EXE (Frenzy.100)
Warning: Executable file with double extensions found: C:\Documents and Settings\Bozzi\My Documents\randomz\hax0r3lit3\adobe after effects\Elements of Anarchy 1.1de.exe
C:\pagefile.sys  Not scanned (in use by another application)
Found adware file: C:\Program Files\Program Files1\Mozilla Firefox\plugins\npzango.dll/PI3oX.exe (Adware.WinAd.120)
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll  Not scanned (in use by another application)
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll  Not scanned (in use by another application)
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe  Not scanned (in use by another application)
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll  Not scanned (in use by another application)
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll  Not scanned (in use by another application)
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll  Not scanned (in use by another application)
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll  Not scanned (in use by another application)
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll  Not scanned (in use by another application)
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll  Not scanned (in use by another application)
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll  Not scanned (in use by another application)
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll  Not scanned (in use by another application)
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll  Not scanned (in use by another application)
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll  Not scanned (in use by another application)
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\LEAD.Drawing.Imaging.Ocr\13.0.0.35__9cf889f53ea9b907\LEAD.Drawing.Imaging.Ocr.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_ecc2eca7\System.Xml.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\scvhost.exe.bat
Error: Directory not found: D:\
Error: Directory not found: E:\
2 files identified
30238 files scanned in 2410 seconds
 
 
I will follow your steps and also submit that file.
siliconman01 (Global Moderator, Posts: 5815)
Trojans! Chew 'em Up, Spit 'em Out...
Re: Another Swizzor victim.
« Reply #3 on: Jan 20th, 2007, 4:47am »

Okay, thanks.  I will wait for your next post with the scan results of Bit Defender and a new HJT log.

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
arson (Newbie, Posts: 10)
Re: Another Swizzor victim.
« Reply #4 on: Jan 20th, 2007, 4:53am »

New HJT log. No browser open and renamed to analyzeME.exe  
 
Also blacklight found ZERO issues.
 
Logfile of HijackThis v1.99.1
Scan saved at 3:52:11 AM, on 1/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Common Files\AOL\1143145165\ee\aolsoftware.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Documents and Settings\Bozzi\Desktop\backups\analyzeME.exe
 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [errorbeep] C:\DOCUME~1\Bozzi\APPLIC~1\1BITSD~1\Downloadenc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145815313048
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
 
« Last Edit: Jan 20th, 2007, 4:54am by arson »
siliconman01 (Global Moderator, Posts: 5815)
Trojans! Chew 'em Up, Spit 'em Out...
Re: Another Swizzor victim.
« Reply #5 on: Jan 20th, 2007, 5:03am »

Thus far there is nothing positively identified as a nasty critter in your HJT log.  I strongly suspect that Downloadenc.exe is an infection, however.
 
Please do the Bit Defender remote scan and let it clean what it finds.  Then post the BD log and a new HJT log.
« Last Edit: Jan 20th, 2007, 5:21am by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
arson (Newbie, Posts: 10)
Re: Another Swizzor victim.
« Reply #6 on: Jan 20th, 2007, 8:50am »

Here is the bit defender log.
 
BitDefender Online Scanner

Scan report generated at: Sat, Jan 20, 2007 - 07:11:04
Scan path: C:\;D:\;E:\;

Statistics
Time: 03:07:47
Files: 937172
Folders: 8627
Boot Sectors: 3
Archives: 4630
Packed Files: 138578

Results
Identified Viruses: 1
Infected Files: 3
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 3

Engines Info
Virus Definitions: 389964
Engine build: AVCORE v1.0 (build 2371) (i386) (Dec 13 2006 11:16:42)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status
C:\Documents and Settings\Bozzi\Application Data\1 Bits Dash\clock show about.exe
    Infected with: Trojan.FatObfus.Gen
    Disinfection failed
    Deleted
C:\Documents and Settings\Bozzi\Application Data\1 Bits Dash\Downloadenc.exe
    Infected with: Trojan.FatObfus.Gen
    Disinfection failed
    Deleted
C:\Program Files\NetPumper\ZM\minime.exe
    Infected with: Trojan.FatObfus.Gen
    Disinfection failed
    Deleted

Do you think deleting those files should do the trick?
« Last Edit: Jan 20th, 2007, 8:52am by arson »
arson (Newbie, Posts: 10)
Re: Another Swizzor victim.
« Reply #7 on: Jan 20th, 2007, 8:57am »

Downloadenc is still popping up on HJT.
 
Here is my current HJT log
 
Logfile of HijackThis v1.99.1
Scan saved at 7:54:35 AM, on 1/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1143145165\ee\aolsoftware.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Free\avgw.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\Documents and Settings\Bozzi\Desktop\backups\analyzeME.exe
 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [errorbeep] C:\DOCUME~1\Bozzi\APPLIC~1\1BITSD~1\Downloadenc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145815313048
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
 
siliconman01 (Global Moderator, Posts: 5815)
Trojans! Chew 'em Up, Spit 'em Out...
Re: Another Swizzor victim.
« Reply #8 on: Jan 20th, 2007, 9:19am »

Hmmm.. at least Bit Defender identified the critters for us.  These files probably are not "just deletable" and will/may take some special techniques to get rid of them.  Let's try this first.
 
1.  Make all your files and folders visible by following the procedure at the link below.  
 
http://www.misec.net/forum/board/FAQ/1139610900
 
2.  Do a search for the files to see if they still exist.  If they do exist, proceed to step 3.  If they do not exist, go to my next post.
 

clock show about.exe
Downloadenc.exe  
minime.exe

 
3.  Download SDFix and save it to your Desktop.
 
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
 
Double click SDFix.exe and it will extract the files to %systemdrive%  
(Drive that contains the Windows Directory, typically C:\SDFix)  
 
4.  Please then reboot your computer in Safe Mode.  
 
5.  Once in SAFE MODE, open the extracted SDFix folder and double click RunThis.bat to start the script.
 
-  Type Y to begin the cleanup process.
 
-  It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
 
-  Press any Key and it will restart the PC.
 
-  When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
 
-  Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt  
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
 
-  Finally paste the contents of the Report.txt back on the forum with a new HijackThis log.
 
Hopefully this special removal tool will clean what is bad.  If not, we have other tools that can be used.  
« Last Edit: Jan 20th, 2007, 11:22am by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
siliconman01 (Global Moderator, Posts: 5815)
Trojans! Chew 'em Up, Spit 'em Out...
Re: Another Swizzor victim.
« Reply #9 on: Jan 20th, 2007, 11:13am »

Also, assuming the files are gone, you can go ahead and do this:
 
1.  Run another HiJackthis scan.  
 
2.  When the scan is completed, place a checkmark in the box next to the following HJT line items.  BE SURE these are the only items checkmarked.
 

O4 - HKCU\..\Run: [errorbeep] C:\DOCUME~1\Bozzi\APPLIC~1\1BITSD~1\Downloadenc.exe  
 
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)  
 
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)  
 
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

 
Then click on Fix Checked on the bottom left of the HJT window.  Confirm the Fix and let HJT fix the items.  Then close HJT and REBOOT your computer.
 
Post another HJT scan log...which should be the final one if all is cleaned out.

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
arson (Newbie, Posts: 10)
Re: Another Swizzor victim.
« Reply #10 on: Jan 20th, 2007, 6:25pm »

Okay, with all files unhidden I did a search for clock show about.exe.  I got a hit for a clock show about.exe-20f95EE0.pf; it was located in C:\WINDOWS\Prefetch.  What is this .pf file?  I'm going to go ahead with your first post since that came up and I will report back.  This virus is really starting to be annoying; I'm about to learn how to co-exist with the Swizzor.
arson (Newbie, Posts: 10)
Re: Another Swizzor victim.
« Reply #11 on: Jan 20th, 2007, 6:47pm »

SDFix: Version 1.60
 
Sat 01/20/2007 - 17:30:43.49
 
Microsoft Windows XP [Version 5.1.2600]
 
Running From: C:\SDFix
 
Safe Mode:
Checking Services:  
 
Name:
 
Path:
 
 
Restoring Windows Registry Entries
Restoring Default Hosts File
 
 
Rebooting...
 
Normal Mode:
Checking Files:
 
Files will be copied to Backups folder and removed:
 
C:\WINDOWS\system32\hook.dll - Deleted
 
 
 
Alternate Streams Check:
 
C:\WINDOWS\system32
No streams found.
 
        Final Check:
 
Remaining Services:
------------------
 
 
Authorized Application Key Export:
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"="C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update Client"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1143145165\\EE\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1143145165\\EE\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\America Online 9.0a\\waol.exe"="C:\\Program Files\\America Online 9.0a\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\1143145165\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1143145165\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL Connectivity Service Dialer"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL Connectivity Service"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Common Files\\AOL\\1143145165\\EE\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1143145165\\EE\\aim6.exe:*:Enabled:AIM"
 
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
 
 
Remaining Files:
---------------
 
Backups Folder: - C:\SDFix\backups\backups.zip
 
 
Checking For Files with Hidden Attributes :
 
C:\NTDETECT.COM
C:\Microsoft_Office_XP\MSDE2000\SQLRESLD.DLL
C:\unzipped\Microsoft_Office_XP\MSDE2000\SQLRESLD.DLL
C:\Program Files\America Online 9.0\AOLphx.exe
C:\Program Files\America Online 9.0\rbm.exe
C:\Program Files\America Online 9.0a\AOLphx.exe
C:\Program Files\America Online 9.0a\rbm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Program Files1\America Online 9.0\AOLphx.exe
C:\Program Files\Program Files1\America Online 9.0\rbm.exe
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp
C:\Documents and Settings\Bozzi\My Documents\randomz\vera HOMEWORK N STUFF\~WRL2986.tmp
 
        Finished
arson
Newbie
Posts: 10
Re: Another Swizzor victim.
« Reply #12 on: Jan 20th, 2007, 6:47pm »
Logfile of HijackThis v1.99.1
Scan saved at 5:43:25 PM, on 1/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\Common Files\AOL\1143145165\ee\aolsoftware.exe
C:\Documents and Settings\Bozzi\Desktop\backups\analyzeME.exe
C:\Program Files\America Online 9.0a\shellmon.exe
 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [errorbeep] C:\DOCUME~1\Bozzi\APPLIC~1\1BITSD~1\Downloadenc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145815313048
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
 
siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 5815
Re: Another Swizzor victim.
« Reply #13 on: Jan 21st, 2007, 12:18am »

Okay, I think we are about done.  Please do this:  
 
1.  Using Windows Explorer, navigate to the Prefetch folder at C:\Windows\Prefetch and open the Prefetch folder.  Remove/delete everything that is in the Prefetch folder.  DO NOT delete the folder.  Close Windows Explorer.  Empty your recycle bin.  The Prefetch will get automatically rebuilt by Windows as you use programs.  The prefetch folder is used to help speed up the loading of programs; XP will load programs it thinks you need before you ask for them yourself.
 
2.  Run another HiJackthis scan.    
 
3.  When the scan is completed, place a checkmark in the box next to the following HJT line items.  BE SURE these are the only items checkmarked.  
 

O4 - HKCU\..\Run: [errorbeep] C:\DOCUME~1\Bozzi\APPLIC~1\1BITSD~1\Downloadenc.exe  
 
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)  
 
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)  
 
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
 
 
Then click on Fix Checked on the bottom left of the HJT window.  Confirm the Fix and let HJT fix the items.  Then close HJT and REBOOT your computer.  
 
4.  Run another HJT scan and post the log back here.
 
5.  Please go into the C:\SDFIX folder and see if you find hook.dll which was backed up and removed by SDFIX.  Please submit this file to Mischel Internet Security for analysis.  The link below explains how to submit.
 
http://www.misec.net/forum/board/FAQ/1139308293
 
Then you can delete the C:\SDFIX folder if you want.  
 
Does your computer appear to be running okay?  Are you getting any error messages that you cannot explain?  
« Last Edit: Jan 21st, 2007, 12:21am by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 5815
Re: Another Swizzor victim.
« Reply #14 on: Jan 21st, 2007, 2:09am »

Arson
 
Here are some recommendations for your system.
 
1.  Your System Restore folder is probably tainted with malicious items that were found on your system.  Please clean out this folder by following the instructions at the link below.
 
http://www.misec.net/forum/board/FAQ/1139255588
 
2.  Your Java plug-in is out-of-date.  The latest version is 1.6.0-b105.  To upgrade, go START>SETTINGS>CONTROL PANEL>JAVA>UPDATE tab.  This will lead you to the new version.  Once you have the new version installed, use Add/Remove Programs in the Control Panel to remove the old version.  
 
3.  Install freebie SpywareBlaster which will protect you from thousands of malicious elements.  This program requires no memory resources because it adds its protection by implementing kill bits in the system registry.  This program can be obtained from:
 
http://www.javacoolsoftware.com/spywareblaster.html
 
4.  Keep CCleaner on your system and run it routinely to clean out your junk/temp files and folders.  I normally run it 3-4 times a day if I'm doing a lot of Internet work.
 
5.  From the TrojanHunter scan log, it appears that you have some Windows Update uninstaller directories on your system.  If you open the Windows folder using Windows Explorer, these are the blue folders that look like $NtUninstallKB835732$.  These allow you to uninstall updates/hotfixes that Windows has installed via Windows Update.  Odds are that you will not want to uninstall these hotfixes and these uninstallers are just consuming space on your hard drive.  Personally, I delete these folders within 5-7 days after the updates once I see that everything is working okay.  
 
CCleaner has an option that will remove all these uninstaller folders for you automatically.  
 
-  Open CCleaner  
-  Under the Windows tab, checkmark Advanced.
-  Under Advanced, checkmark "Hotfix Uninstallers"
-  Under Advanced, checkmark "Old Prefetch Data"  (This will clean up the prefetch folder each time you run CCleaner.)
-  Run the Cleaner component.  
-  Then under Advanced, uncheck "Hotfix Uninstallers" so that CCleaner will not remove future update uninstallers until you want it to.
-  Close CCleaner.
 
6.  I recommend that you update Internet Explorer from IE6 to IE7.  This new Internet Explorer 7 provides greater security features on your system.  Info about it can be viewed at the link below.
 
http://www.microsoft.com/windows/ie/default.mspx?mg_ID=10010

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
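The "kill bits" mentioned in item 3 of the reply above are a documented Internet Explorer mechanism: under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, a DWORD value named "Compatibility Flags" with bit 0x00000400 set tells IE never to instantiate that control, which is why a tool that only writes registry values needs no resident process. As an added example (not SpywareBlaster's code and not from the thread), the Python below builds a .reg script that sets the kill bit for a list of CLSIDs and parses a registry export of that key to report which controls are blocked, treating the bit correctly when other flag bits are also set. The BitDefender scanner CLSID is taken from the O16 line in the log above; the two all-zero CLSIDs and the export text are constructed for the example.

```python
"""ActiveX kill bits: generate a .reg script and audit an export (added example)."""
import re
from typing import Dict, Iterable

# Documented IE kill bit: bit 0x400 of "Compatibility Flags" blocks the control.
KILL_BIT = 0x00000400
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)

# Constructed registry export. The first CLSID is the BitDefender online scanner
# control from the log above; the other two are placeholders, not real controls.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000401
"""


def kill_bit_reg(clsids: Iterable[str]) -> str:
    """Return a .reg script that sets the kill bit for each CLSID.
    Malformed CLSIDs are rejected rather than written to the registry."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        if not CLSID_RE.match(clsid):
            raise ValueError(f"not a CLSID: {clsid!r}")
        out.append(f"[{COMPAT_KEY}\\{clsid.upper()}]")
        out.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
        out.append("")
    return "\n".join(out)


def killed_controls(reg_export: str) -> Dict[str, bool]:
    """Parse a .reg export of the ActiveX Compatibility key and report, per CLSID
    subkey, whether the kill bit is set. A subkey with no flags value counts as
    not killed; other bits in the value are ignored."""
    result: Dict[str, bool] = {}
    current = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            key = m.group(1)
            leaf = key.rsplit("\\", 1)[-1]
            under_compat = key.lower().startswith(COMPAT_KEY.lower() + "\\")
            current = leaf.upper() if under_compat and CLSID_RE.match(leaf) else None
            if current:
                result[current] = False
            continue
        if current and line.lower().startswith('"compatibility flags"=dword:'):
            value = int(line.split("dword:", 1)[1], 16)
            result[current] = bool(value & KILL_BIT)
    return result


if __name__ == "__main__":
    print(kill_bit_reg(["{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"]))
    for clsid, killed in killed_controls(SAMPLE_EXPORT).items():
        print(f"{clsid}  kill bit {'SET' if killed else 'clear'}")
```

Two caveats a practitioner would want: a kill bit only stops Internet Explorer (and other hosts that honour this key) from loading the control, it does not remove the control from disk; and the list must not include controls that are still needed, such as the Microsoft Update control in the O16 line that was left alone above.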