Author Topic: Possible Spyware issues (Read 282 times)

atmywitsend · « **on:** June 10, 2006, 03:11:36 PM »

My computer has been behaving rather strangely as of late. I suspect this may be down to some spyware issues that have gone unresolved on my pc. What has highlighted this is my pc attrempting to run a file named "58f33a28.exe". Something i competly do not recognise. Fortunately i have zonealarm and was able to deny it permission to run. However, i have also had couple of virus warning through avg since this. Furthermore, my browser used to go to about:blank before closing, wheras now it appears to just close. Something small u may say but i suspect something is going on. Just dont have the pertise to id and sort it. Which is where u come in... can anyone help? Really need to get this sorted asap as have shed loads of work to do and could do without pc problems. Have just run hijackthis and here is the log it produced ... any ideas anyone? PC also appears to running somewhat slower than normal, which i know can be a warning sign.

Any help would be extremely gratefully appreciated.

thanks

Logfile of HijackThis v1.99.1
Scan saved at 20:46:54, on 10/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
D:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Advanced System Optimizer\wallpaper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=http://www-cache.freeserve.com:8080;http=http://www-cache.freeserve.com:8080
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - D:\Program Files\Advanced System Optimizer\IEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PcSync] PCsync.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServices: [CTHelper] cthelper.exe
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [Systweak Wallpaper Changer] D:\Program Files\Advanced System Optimizer\wallpaper.exe -minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus C40 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C40 Series" /O6 "USB001" /M "Stylus C40"
O4 - HKCU\..\RunServices: [CTHelper] cthelper.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - Startup: Wallpaper Changer.lnk = D:\Program Files\Advanced System Optimizer\wallpaper.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winzzd32 - C:\WINDOWS\SYSTEM32\winzzd32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

guestolo · « **Reply #1 on:** June 11, 2006, 09:10:31 AM »

Can you do the following please

Windows Defenders realtime protections appear to be running
They may, and probably will interfere with any fixes we try
Can you disable them till we are done here please

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

Open Hijackthis>>Open Misc tools section>>Open "Delete File on Reboot"
In the File name field, copy and paste the following line in bold

C:\WINDOWS\SYSTEM32\winzzd32.dll

Then click the OPEN button

Hijackthis should prompt that the file was found and you need to reboot the computer
Do so

Back in Windows

Open Ewido Anti-Malware
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the auto updater won't work
Close Ewido and manually update from this link
http://www.ewido.net/en/download/updates/

Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to the desktop or someplace you will remember
Exit Ewido
NOTE: When Ewido is running, don't open any other windows, let it run uninterrupted

When it's done
Do a "System scan only" with Hijackthis and put a check next to these entries:

O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O20 - Winlogon Notify: winzzd32 - C:\WINDOWS\SYSTEM32\winzzd32.dll <-this entry may be followed by (file missing)

After you have ticked the above entry, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot your computer

Come back here and post a fresh hijackthis log and the full report from Ewido's please

I would also like to check on a couple files
They may be legit, but let's make sure, I see the runkeys in the log but not the running processes
Can you do a search on your computer for the following files please
cthelper.exe
PCsync.exe
Take note of where they are found, most like in the System32 folder

Go to this link please
http://www.virustotal.com/flash/index_en.html

Use the browse button and navigate to the files on your hard disk

Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please

atmywitsend · « **Reply #2 on:** June 11, 2006, 05:03:12 PM »

Done as instructed. Many thanks for your help. Here are the logs u requested. However, when i searched for Cthelper.exe and PCsync.exe they were not found so i therefore could not run the scan and provide u with logs for these. This appears to have taken the next step to curing the problem. I await ur advice as to the next... over to you...

Many thanks for your continued assistance.

It is gratefully received and appreciated.

HIJACKTHIS LOG
------------- -----

Logfile of HijackThis v1.99.1
Scan saved at 22:57:04, on 11/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Advanced System Optimizer\wallpaper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\slrundll.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=http://www-cache.freeserve.com:8080;http=http://www-cache.freeserve.com:8080
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - D:\Program Files\Advanced System Optimizer\IEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PcSync] PCsync.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServices: [CTHelper] cthelper.exe
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [Systweak Wallpaper Changer] D:\Program Files\Advanced System Optimizer\wallpaper.exe -minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus C40 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C40 Series" /O6 "USB001" /M "Stylus C40"
O4 - HKCU\..\RunServices: [CTHelper] cthelper.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - Startup: Wallpaper Changer.lnk = D:\Program Files\Advanced System Optimizer\wallpaper.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A54B798-0C81-4AC5-BDBE-8BD7409B2FDB}: NameServer = 195.92.195.95 195.92.195.94
O17 - HKLM\System\CS1\Services\Tcpip\..\{3A54B798-0C81-4AC5-BDBE-8BD7409B2FDB}: NameServer = 195.92.195.95 195.92.195.94
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

EWIDO ANTIMALWARE LOG
------------------------------

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on:         22:18:20, 11/06/2006
+ Report-Checksum:      A112FC57

+ Scan result:

   C:\avenger\backup.zip/avenger/loadadv728.exe -> Downloader.Small.ckj : Cleaned with backup
   C:\avenger\backup.zip/avenger/security.html -> Not-A-Virus.Hoax.Win32.Renos.ci : Cleaned with backup
   C:\Documents and Settings\Andy\Cookies\andy@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
   C:\Documents and Settings\Andy\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
   C:\Documents and Settings\Andy\Cookies\andy@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned with backup
   C:\Documents and Settings\Andy\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned with backup
   C:\Documents and Settings\Andy\Cookies\andy@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
   C:\Documents and Settings\Andy\Cookies\[email protected][1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
   C:\Documents and Settings\Andy\Cookies\andy@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
   C:\Documents and Settings\Andy\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
   C:\Documents and Settings\Andy\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned with backup
   C:\Documents and Settings\Andy\Cookies\andy@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
   C:\Documents and Settings\Andy\Cookies\andy@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
   C:\Documents and Settings\Andy\Cookies\[email protected][1].txt -> TrackingCookie.Starware : Cleaned with backup
   C:\Documents and Settings\Andy\Cookies\andy@yadro[1].txt -> TrackingCookie.Yadro : Cleaned with backup
   C:\Documents and Settings\Andy\Local Settings\Temp\cliD7.tmp -> Trojan.Agent.vg : Cleaned with backup
   C:\RECYCLER\S-1-5-21-527237240-1390067357-839522115-1003\Dc10.txt -> TrackingCookie.Pointroll : Cleaned with backup
   C:\RECYCLER\S-1-5-21-527237240-1390067357-839522115-1003\Dc11.txt -> TrackingCookie.Adtech : Cleaned with backup
   C:\RECYCLER\S-1-5-21-527237240-1390067357-839522115-1003\Dc12.txt -> TrackingCookie.Adtech : Cleaned with backup
   C:\RECYCLER\S-1-5-21-527237240-1390067357-839522115-1003\Dc13.txt -> TrackingCookie.Advertising : Cleaned with backup
   C:\RECYCLER\S-1-5-21-527237240-1390067357-839522115-1003\Dc15.txt -> TrackingCookie.Doubleclick : Cleaned with backup
   C:\RECYCLER\S-1-5-21-527237240-1390067357-839522115-1003\Dc17.txt -> TrackingCookie.Hotlog : Cleaned with backup
   C:\RECYCLER\S-1-5-21-527237240-1390067357-839522115-1003\Dc20.txt -> TrackingCookie.Mediaplex : Cleaned with backup
   C:\RECYCLER\S-1-5-21-527237240-1390067357-839522115-1003\Dc25.txt -> TrackingCookie.Liveperson : Cleaned with backup
   C:\RECYCLER\S-1-5-21-527237240-1390067357-839522115-1003\Dc26.txt -> TrackingCookie.Spylog : Cleaned with backup
   C:\RECYCLER\S-1-5-21-527237240-1390067357-839522115-1003\Dc28.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
   C:\RECYCLER\S-1-5-21-527237240-1390067357-839522115-1003\Dc29.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
   C:\RECYCLER\S-1-5-21-527237240-1390067357-839522115-1003\Dc30.txt -> TrackingCookie.Valueclick : Cleaned with backup
   C:\WINDOWS\temp\ASHeuristic\loadadv728_exe.vir -> Downloader.Small.ckj : Cleaned with backup

::Report End

guestolo · « **Reply #3 on:** June 11, 2006, 07:00:11 PM »

Let's just do a double check on those 2 files please

From the bottom of this reply box
I've combined a few files into Look.zip
Click on the link, at the download prompt
Choose SAVE rather than Open
Please download and save Look.zip to your desktop

Right click Look.zip on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Highlight "Desktop"
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

Double click on pcsync.bat
It may appear that nothing is happening
After a minute or so a text file will open, also a file called "files1.txt" will be placed on the desktop with the same information
I'll need to see it later

Do the same for cthelper.bat, this time a file called "files2.txt" will be placed on the desktop

Finally, double click on find.bat
A dos window will open>>scan>> then close
It will place a Folder on your desktop called "Files"
Open the Files folder, inside is a file called look1.txt
Open it and copy and paste back here the Whole contents please
Additionally, post the contents of look1.txt and look2.txt

TheTechGuide Forum

News:

Author Topic: Possible Spyware issues (Read 282 times)

atmywitsend

Possible Spyware issues

guestolo

Possible Spyware issues

atmywitsend

Possible Spyware issues

guestolo

Possible Spyware issues