Hi,
Avast told me that a trojan horse had been detected. I put it in my chest. Since then, every time I turn on the computer, avast tells me another trojan horse has been found and I put that too in my chest. I now have 8. It's in the C drive in the Documents folder each time. I do not know much about computers. I am unsure of what to do. Can someone please give me advice, and also could you tell me how to restart the computer while deactivating my System Restore? I do not know how to deactivate my System Restore, and that seems like something all of you keep recommending, so I'd like to do that. Also, for how long do I keep these things in the chest? What is the purpose of the chest? Why shouldn't I just delete them? I'd appreciate any help you can give me! I'm (obviously) a novice and unsure of what to do! Thanks so much!
What operating system are you using? Is it up to date?
What is the malware name, the infected file name, and where was it found, e.g. (malware name, C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.
There is a possibility that there are other elements to this infection that are responsible for its return.
What is your firewall?
If you haven't already got this software (freeware), download, install, update and run it, preferably in Safe Mode.
- Ewido, a.k.a. AVG Anti-Spyware, if using WinXP, or a-squared Free if using Win98/ME.
If a virus is recurrent (coming back again and again), you should:
- Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again after step 3).
- Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.
- Schedule a boot-time scan with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Another option is scanning in Safe Mode (repeatedly press F8 while booting).
- It would be good if you download, install, update and run the programs posted by David: AVG Anti-Spyware, SUPERAntiSpyware, Spyware Terminator and/or a-squared.
- Use the immunization of SpywareBlaster or, better, the Windows Advanced Care features for spyware/adware cleaning and removal.
Hi! Thank you for your help! Unfortunately this virus is terrible and it's not going away! I have a Windows XP operating system. I have downloaded AVG, Window Cleaner, Super Anti Spyware, Spyware Terminator and Spy Blaster. I turned off System Restore and did a boot-time scan with Avast. When the desktop came up after the boot scan was finished, I got another warning from Avast that a trojan horse had been found.
The Trojan Horse:
Original File Name: tmp1D.tmp
Original Folder: c:\Docume 1\Ariadn 1\Locals 1.…
Size of file: 26624
…
Virus Description: Win32:Small-gen [Trj]
I don't know how to find out any more info about it. I can't seem to get the whole name, I can only get Locals 1.…
I do not think I have any firewall. Do you know of a freeware I can download?
Thank you very much for your help! Do you have any more advice? Thank you very, very much!!!
Did you install, update and run them?
Try Comodo (http://www.personalfirewall.comodo.com/)
Expand the column headings and you will see all the text/path.
Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.
Again, what operating system are you using? Is it up to date?
If Windows XP with at least SP1, it has a firewall of sorts which you can enable: Control Panel, Windows Firewall.
Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection and you should consider a third-party firewall.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise: user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
- ZoneAlarm free http://www.zonelabs.com works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trialware. There are others: Comodo, PCTools Firewall Plus, Sunbelt Kerio, Jetico, etc.
See some firewall tests for comparison; some are freeware but many are paid-for versions: http://www.firewallleaktester.com/tests.php. Also see http://www.thefreecountry.com/security/firewalls.shtml
Also see http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php for a later set of results.
It could be a Vundo variant. A HijackThis log could shed some light.
Click here to download HJTsetup.exe
- Save HJTsetup.exe to your desktop.
- Double-click on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
- Put a check by Create a desktop icon then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
- Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
- Come back here to this thread and paste the log in your next reply.
- DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Hi again! Thank you so much for helping!!!
I found a solution! Nothing seemed to work until… I downloaded Dr Web Cure It. Here is the link: http://download.drweb.com/
It caught it right away! It identified it as a trojan horse and cured it.
Also, I went into my Control Panel and turned my system's firewall on. For some reason when I downloaded Comodo my internet would no longer work, so I had to remove that program.
That Dr Web Cure It is really good freeware. Thanks for all your help guys! It's really appreciated!
No problem, glad we could help.
Welcome to the forums.
Did DrWeb Cure It detect the same file or did it find a different file, the one responsible for the restoration of the one detected by avast?
Oh MY GOD! I think the trojan has now morphed into something worse!!! I did another boot scan with avast after using the Dr Cure It and avast found a trojan. It is called Win32:CTX. So, I put that in the chest. While I am using the internet now, every five minutes or so, Internet Explorer says:
Internet Explorer has encountered a problem and needs to close… I think the Dr Web Cure It found a different file, I should have written it down! It was not small-gen2 however and it just said it was a trojan horse. I thought it was the one like you said, DavidR, that was responsible for the restoration. Oh Geez!
So, here is the HijackThis log, does it tell you anything? What should I do next? Can you help me?
Logfile of HijackThis v1.99.1
Scan saved at 12:20:05 PM, on 5/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
What is helpful to us is the file name and location of any detections; the malware name in isolation isn't too helpful.
You appear to have a number of Symantec remnants, Symantec/Norton Internet Security Suite. What have you still got installed of this?
When you eventually get clean you would be well advised to get XP up to date; SP1 is old and has many vulnerabilities that are being exploited, which have been patched by MS.
Although not a related issue, the Dell MyWay is considered by some to be adware.
O8 - Extra context menu item: Crawler Search - tbr:iemenu (considered nasty)
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
Other than that I see nothing obvious, so it may be something that is stealthed.
Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm.
- BlackLight - It can detect rootkits like Rootkit Revealer but can also remove them. http://www.f-secure.com/blacklight/
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip also see http://research.pandasoftware.com/blogs/research/archive/2007/04/02/Panda-AntiRootkit-Released.aspx or http://www.pandasoftware.com/.
- AVG ANTI-ROOTKIT - AVG Anti-Rootkit http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5.
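To make the kind of log triage DavidR does above repeatable, here is an added Python example (not a tool from this thread, from HijackThis or from avast) that parses HijackThis log lines, flags "(file missing)" leftovers and entries tied to the vendors singled out above (Crawler, Symantec), and groups entries that share one DLL so all of a toolbar's hooks are dealt with together. The sample log is constructed from lines quoted in this thread, and the WATCHLIST tuple is an assumption to adjust for your own case.

```python
"""Triage helper for HijackThis 1.99-style log lines (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on entries quoted in the thread above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll (file missing)
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# "O2 - BHO: ..." / "R1 - HKCU\..." : section tag, then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-letter path ending in a binary extension; arguments after a
# closing quote (e.g. ' /service') are dropped. Bare names like BCMSMMSG.exe
# carry no drive letter and yield no path, which is itself worth a look.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|scr|sys)\b', re.IGNORECASE)
MISSING = "(file missing)"

# Assumed watchlist: vendors whose leftovers the thread singled out.
WATCHLIST = ("Crawler", "Symantec")


@dataclass
class Entry:
    section: str           # e.g. "O2", "O23"
    body: str              # everything after "Oxx - "
    path: str              # normalised (lower-cased) binary path, "" if none
    clsid: Optional[str]   # COM class id when the entry carries one
    file_missing: bool     # HijackThis could not find the file on disk


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for headers, process lists, blanks."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    clsid = CLSID_RE.search(body)
    path = PATH_RE.search(body)
    return Entry(section, body,
                 path.group(0).lower() if path else "",
                 clsid.group(0).upper() if clsid else None,
                 body.endswith(MISSING))


@dataclass
class Report:
    entries: list
    missing: list    # entries whose file is gone: stale autostarts, remnants
    watchlist: list  # entries mentioning a watched vendor
    shared: dict     # path -> sections, for a binary hooked from >1 section


def triage(log_text: str, watchlist=WATCHLIST) -> Report:
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    missing = [e for e in entries if e.file_missing]
    needles = tuple(w.lower() for w in watchlist)
    hits = [e for e in entries if any(n in e.body.lower() for n in needles)]
    by_path = defaultdict(list)
    for e in entries:
        if e.path:
            by_path[e.path].append(e.section)
    shared = {p: secs for p, secs in by_path.items() if len(secs) > 1}
    return Report(entries, missing, hits, shared)


def format_report(r: Report) -> str:
    lines = [f"[stale]     {e.section}: {e.path or e.body}" for e in r.missing]
    lines += [f"[watchlist] {e.section}: {e.body}" for e in r.watchlist]
    lines += [f"[shared]    {p} hooked from {', '.join(s)}" for p, s in r.shared.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```

On the sample, the three Crawler hooks (O2, O3, O18) show up under one shared DLL, which is why removing the toolbar from one section alone leaves the other entries behind.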
As DavidR said, you have much left over from Norton Internet Security Suite. Running this with avast! can only lead to conflicts, so you should choose one program and remove the other. There is a specialized tool to remove remnants of Norton, but for now just use Add/Remove Programs until we get things under control.
After removal and reboot, download ComboFix from Here or Here to your Desktop.
Double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Then rename hijackthis.exe to hijackwhat.exe and post a new log using the renamed file.
A false positive Win32:CTX detection can result from having used Panda Active Scan:
OK! Deleted Symantec and deleted crawlbar. Installed combofix. Here is that report. I’ll do hijackthis next.
2007-05-21 16:40:26 Service Pack 1
ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\ARIADN~1\Desktop.\internet explorer.lnk
C:\WINDOWS\system32\drivers\fad.sys
((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-21 ))))))))))))))))))))))))))))))))))
2007-05-20 18:41 d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-05-20 17:23 d-------- C:\DOCUME~1\ARIADN~1\DoctorWeb
2007-05-20 16:21 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-05-20 15:35 d-------- C:\DOCUME~1\ARIADN~1\APPLIC~1\Comodo
2007-05-20 15:35 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-05-20 15:31 d-------- C:\Program Files\Comodo
2007-05-20 12:40 135,936 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sp_rsdrv2.sys
2007-05-20 12:40 d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Spyware Terminator
2007-05-20 12:34 d-------- C:\Program Files\Spyware Terminator
2007-05-20 12:34 d-------- C:\DOCUME~1\ARIADN~1\APPLIC~1\Spyware Terminator
2007-05-20 12:34 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spyware Terminator
2007-05-20 00:42 d-------- C:\Program Files\SUPERAntiSpyware
2007-05-20 00:42 d-------- C:\DOCUME~1\ARIADN~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-20 00:42 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-20 00:41 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-20 00:26 d-------- C:\Program Files\IObit
2007-05-19 19:16 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-05-19 19:13 d---s---- C:\DOCUME~1\ARIADN~1\UserData
2007-05-19 10:53 d--h----- C:\WINDOWS\PIF
2007-05-02 16:18 182,880 --a------ C:\WINDOWS\SYSTEM32\iuengine.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-20 23:04:32 -------- d-----w C:\Program Files\Apoint
2007-05-16 20:23:51 28,256 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2007-05-02 20:20:44 -------- d--h--w C:\Program Files\WindowsUpdate
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-16 22:21:06 -------- d-----w C:\DOCUME~1\ARIADN~1\APPLIC~1\Real
2007-04-13 19:33:46 93,696 ----a-w C:\WINDOWS\quotes.scr
2007-04-13 19:33:46 9,216 ----a-w C:\WINDOWS\Hooksdll.dll
2007-04-10 02:41:02 -------- d-----w C:\Program Files\Common Files\NSV
2007-04-05 23:53:16 -------- d-----w C:\Program Files\Alwil Software
2007-04-04 23:49:07 -------- d-----w C:\DOCUME~1\ARIADN~1\APPLIC~1\MSN6
2007-04-04 07:49:17 -------- d-----w C:\Program Files\Juno6
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
Note empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}=C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2004-03-15 02:04]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DwlClient"="c:\Program Files\Common Files\Dell\EUSW\Support.exe" [2003-10-07 17:21]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-06-08 18:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-06-08 18:51]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 18:32]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-12-12 15:22]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-10-06 11:05]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 11:05]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 11:27]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 02:04]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2004-03-04 21:59]
"BCMSMMSG"="BCMSMMSG.exe"
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 14:30]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 17:24 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-02-02 16:32]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 08:20]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-05-20 12:36]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spc_w"="C:\Program Files\JUSearch\hcm.exe" [2004-05-13 07:47]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 16:08]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 06:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-01 09:29]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll
Contents of the 'Scheduled Tasks' folder
2004-07-29 23:02:23 C:\WINDOWS\tasks\ISP signup reminder 1.job
catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-21 16:45:31
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
Completion time: 2007-05-21 16:48:59 - machine was rebooted
C:\ComboFix-quarantined-files.txt … 2007-05-21 16:48
--- E O F ---
Logfile of HijackThis v1.99.1
Scan saved at 5:00:49 PM, on 5/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll (file missing)
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
I still see Crawler! I don't understand that!
I'm sorry but I don't understand the next step. Should I simply go to the HijackThis icon on my desktop and change its name to hijackthat? Then print up the hijackthat log?
Another note: When I downloaded the combo, I got an onslaught of warnings from Spyware Terminator that all sorts of trojans were attacking the machine. Most of the trojans were named:
Trojan/Goldun
or a name similar to that. I don't know what that was about. There were about 20 warnings! Maybe now my computer is host to millions of trojans!
A company named Crawler LLC owns Spyware Terminator, so those Crawler entries might have been installed when you installed the program.
If the icon reads HijackThis.exe then yes, you can right-click it and click Rename. Otherwise, when you right-click, click Properties, then click Find Target. This will take you to the file to be renamed. Once renamed, run it and post the log.
Spyware Terminator uses heuristics (before analysis) to detect malware and probably raised alarms based on ComboFix's information-gathering abilities. Don't worry, ComboFix is not malware.
That is interesting, since they make a big deal about having cut ties with Crawler, as it was previously listed on Spyware Warrior as a rogue program because of its associations/links to Crawler, http://www.spywarewarrior.com/rogue_anti-spyware.htm#spyterm_note
Well, they don't seem to hide the connection
http://www.spywareterminator.com/pc/corporate_information.aspx
maybe it's that they've mended their ways …